New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use sprintf('%d') like in DB2, SQLServer and Oracle to harden against wrong limit and offset #4999
Use sprintf('%d') like in DB2, SQLServer and Oracle to harden against wrong limit and offset #4999
Conversation
src/Platforms/SqlitePlatform.php
Outdated
@@ -765,7 +765,7 @@ protected function getPostAlterTableIndexForeignKeySQL(TableDiff $diff) | |||
protected function doModifyLimitQuery($query, $limit, $offset) | |||
{ | |||
if ($limit === null && $offset > 0) { | |||
return $query . ' LIMIT -1 OFFSET ' . $offset; | |||
return $query . sprintf(' LIMIT -1 OFFSET %d', $offset); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should $query
also be moved under sprintf()
? This way, we'll have one variable / memory allocation fewer .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this is in a return
line it shouldn't really matter anymore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It still does. In order to return a value, the interpreter needs to allocate a new zval, copy the value of $query
there, then append the value returned by sprintf()
, then return it. If it's just sprintf()
, this could be avoided.
We're of course not trying to save CPU ticks here but a combination of sprintf()
and .
on the same line looks dirty to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
What about the $query .= sprintf
in all the other platforms, they are okay?
Since it's not a bugfix but is more of an improvement, should this be retargeted against |
I can rebase on 3.2.x if you want, but since it's a hardening to a security related problem I thought it might make sense to have it there. |
The actual security problem is solved already, at least to my knowledge. So let's do the hardening on the next feature release. |
@nickvergessen please rebase on top of |
… wrong limit and offset Signed-off-by: Joas Schilling <coding@schilljs.com>
9e6d5c5
to
16de953
Compare
Rebased |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, the failing CI is unrelated to these changes.
Summary
In Oracle, SQLServer and DB2 the limit and offset are handled via a
%d
in a sprintf() call already, adding this to the other platforms here should prevent further issues in case #4984 is ever reverted by accident again.