1.2.1137. Sqlite3 Requires Single Quotes
The escapeString() method from SQLite3 doesn't escape the double quote ("), but only the single quote ('). A value that is concatenated into a double-quoted SQL literal can therefore terminate the literal early, even after escapeString() has been applied. escapeString() is also not binary safe: it stops at the first NUL byte. To properly handle quotes and NUL characters, use a prepared statement with bindParam() or bindValue() instead.
Quote from the PHP manual comments: "The reason this function doesn't escape double quotes is because double quotes are used with names (the equivalent of backticks in MySQL), as in table or column names, while single quotes are used for values."
<?php
// Safe: the value is delimited with single quotes, which escapeString() does escape
$query = "SELECT * FROM table WHERE col = '".$sqlite->escapeString($x)."'";
// Vulnerable: the value is delimited with double quotes, and a " in $x is passed through unescaped
$query = 'SELECT * FROM table WHERE col = "'.$sqlite->escapeString($x).'"';
?>
See also SQLite3::escapeString.
1.2.1137.1. Suggestions
Use prepared statements whenever possible
Switch the query to single quotes around the value, which is the delimiter escapeString() actually escapes
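The three forms side by side, as an added example that is not part of the Exakat rule page or of PHP's own documentation. It assumes only that the sqlite3 extension is loaded, uses an in-memory database with constructed rows, and the fetchNames() helper is a local convenience, not a SQLite3 API:

```php
<?php
// Added example (not Exakat's or PHP's own code). Runs against an in-memory
// SQLite3 database with constructed sample rows; assumes the sqlite3
// extension is loaded.

declare(strict_types=1);

/** Local helper (not part of the SQLite3 API): collect the `name` column. */
function fetchNames(SQLite3Result $res): array
{
    $names = [];
    while ($row = $res->fetchArray(SQLITE3_ASSOC)) {
        $names[] = $row['name'];
    }
    return $names;
}

$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed attacker-controlled input: it contains no single quote for
// escapeString() to act on, but a double quote that closes a "..." literal.
$x = 'nobody" OR "1"="1';

// 1. Vulnerable: the value is delimited with double quotes. escapeString()
//    leaves the " untouched, so the SQL text becomes
//      SELECT name FROM users WHERE name = "nobody" OR "1"="1"
//    With SQLite's default double-quoted-string fallback (SQLITE_DQS), "1" is
//    read as the string '1' because no such column exists, the WHERE clause
//    is always true, and every row is returned.
$sql = 'SELECT name FROM users WHERE name = "' . $db->escapeString($x) . '"';
$leaked = fetchNames($db->query($sql));
echo "double quotes + escapeString(): ", implode(',', $leaked), "\n";

// 2. Same concatenation, but single-quoted as the rule asks. escapeString()
//    doubles any ' in $x, and the " is an ordinary character inside the
//    literal, so only an exact match on the whole string would be returned.
$sql = "SELECT name FROM users WHERE name = '" . $db->escapeString($x) . "'";
$safe = fetchNames($db->query($sql));
echo "single quotes + escapeString(): ", implode(',', $safe), "\n";

// 3. Preferred: a prepared statement. The value never becomes part of the
//    SQL text, so which quote character it contains is irrelevant.
$stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
$stmt->bindValue(':name', $x, SQLITE3_TEXT);
$bound = fetchNames($stmt->execute());
echo "prepared statement: ", implode(',', $bound), "\n";

// Why the rule also mentions NUL: escapeString() is not binary safe and
// truncates at the first NUL byte, whereas bindValue() passes the full
// length of the PHP string to SQLite.
$withNul = "abc\0def";
echo "escapeString() kept ", strlen($db->escapeString($withNul)), " of ",
     strlen($withNul), " bytes\n";
$stmt = $db->prepare('SELECT length(:v) AS len');
$stmt->bindValue(':v', $withNul, SQLITE3_BLOB);
echo "bindValue() delivered ", $stmt->execute()->fetchArray(SQLITE3_NUM)[0],
     " bytes\n";
```

Run with `php example.php`. The first query returns both alice and bob although neither name equals $x; the single-quoted and prepared variants return nothing. The NUL check shows escapeString() keeping 3 of 7 bytes while the bound value reaches SQLite intact (it is bound as a BLOB because SQLite's length() on TEXT also stops at the first NUL). If the linked libsqlite3 was built with SQLITE_DQS=0, query 1 fails with a "no such column" error instead of leaking rows, which is a crash path rather than a fix; only the prepared statement is correct regardless of build options.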
1.2.1137.2. Specs
Short name | Security/Sqlite3RequiresSingleQuotes
Rulesets |
Exakat since | 1.0.10
PHP Version | All
Severity | Major
Time To Fix | Slow (1 hour)
Precision | High
Features | sqlite3
Available in |