Skip to content

Fix SQL injection in hasDatabase() by quoting database name in adapters#2418

Merged
MasterOdin merged 5 commits into
0.xfrom
fix-adapter-sprintf
Jul 3, 2026
Merged

Fix SQL injection in hasDatabase() by quoting database name in adapters#2418
MasterOdin merged 5 commits into
0.xfrom
fix-adapter-sprintf

Conversation

@markstory

Copy link
Copy Markdown
Member

Update query generation for reflection methods in adapter layers to mitigate potential sql injection. While phinx should never have user controlled data provided to it, security researchers don't know that.

This will stay as a draft until I have more time to go through the rest of the sprintf() queries in each adapter.

Update query generation for reflection methods in adapter layers to
mitigate potential sql injection. While phinx should never have user
controlled data provided to it, security researchers don't know that.
@MasterOdin

Copy link
Copy Markdown
Member

A better solution might be to add an optional parameters argument to fetchRow and fetchAll that get routed through to query. A breaking change on the adapter interface, but allows for stronger usage without having to deal with quoting ourselves.

@MasterOdin MasterOdin changed the title Add missing escaping to adapters Fix SQL injection in hasDatabase() by quoting database name in adapters Jul 3, 2026
@MasterOdin MasterOdin marked this pull request as ready for review July 3, 2026 01:43
@MasterOdin MasterOdin merged commit c3014da into 0.x Jul 3, 2026
12 checks passed
@MasterOdin MasterOdin deleted the fix-adapter-sprintf branch July 3, 2026 01:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants