* PHP-8.4:
  Update NEWS with info about security issues
  Fix GHSA-www2-q4fc-65wf
  Fix GHSA-h96m-rvf9-jgm2
  Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
  Fix GH-20584: Information Leak of Memory
* PHP-8.3:
  Update NEWS with info about security issues
  Fix GHSA-www2-q4fc-65wf
  Fix GHSA-h96m-rvf9-jgm2
  Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
  Fix GH-20584: Information Leak of Memory
* PHP-8.2:
  Update NEWS with info about security issues
  Fix GHSA-www2-q4fc-65wf
  Fix GHSA-h96m-rvf9-jgm2
  Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
  Fix GH-20584: Information Leak of Memory
* PHP-8.1:
  Update NEWS with info about security issues
  Fix GHSA-www2-q4fc-65wf
  Fix GHSA-h96m-rvf9-jgm2
  Fix GHSA-8xr5-qppj-gvwj: PDO quoting result null deref
  Fix GH-20584: Information Leak of Memory
This adds error checks for escape function in pgsql and pdo_pgsql
extensions. It prevents the possibility of storing not properly escaped
data which could potentially lead to some security issues.
Make Pdo\PgSql accept Pdo::setAttribute(PDO::ATTR_PREFETCH, 0) to enter libpq's single row mode.
This avoids storing the whole result set in memory before being able to call the first fetch().
close GH-15750
PQclosePrepared allows the statement's name to be reused, thus allowing
cache solutions to work properly; whereas, for now, the `DEALLOCATE
<statement>` query is used, which entirely frees the statement's resources.
close GH-13316
A common convention is to name internal C header files as `*_int.h`.
Since a couple of these are actually installed, we add comments that
this is not supposed to happen, (a) to avoid installing further
internal headers, and (b) to pave the way to fix this in the next major
PHP version.
Somewhat special is php_gmp_int.h, where "int" is meant as abbreviation
for "interface".
Another common convention is appending `_priv` or `_private`, but since
there have not been any issues regarding these headers so far, we
refrain from adding respective comments to these headers.
Anyhow, it might be a good idea to introduce some common naming
convention for such internal/private headers.
This is, as the name and a comment in the header imply, an internal
header which is not supposed to be used by extensions other than PDO
(not even by drivers).
Since there is apparently no need to include this header in the parsers
of the drivers, we remove these includes, and no longer declare the
header to be installed. Given that the header is only exported for a
couple of weeks[1], this is not considered to be a BC break, because
it's unlikely that external drivers have already been adjusted to use
this header, and otherwise they can still be fixed; PHP 8.4 is still in
the pre-release stage.
[1] <https://github.com/php/php-src/pull/14797>
Closes GH-15688.
Currently, internal classes are registered with the following code:
    INIT_CLASS_ENTRY(ce, "InternalClass", class_InternalClass_methods);
    class_entry = zend_register_internal_class_ex(&ce, NULL);
    class_entry->ce_flags |= ...;
This has worked well so far, except if InternalClass is readonly. It is because some inheritance checks are run by zend_register_internal_class_ex before ZEND_ACC_READONLY_CLASS is added to ce_flags.
The issue is fixed by adding a zend_register_internal_class_with_flags() zend API function that stubs can use from now on. This function makes sure to add the flags before running any checks. Since the new API is not available in lower PHP versions, gen_stub.php has to keep support for the existing API for PHP 8.3 and below.
Follow-up of GH-15344 (687eb9125a)
This removes the customized error messages in PDO extensions when PDO is
not enabled (--disable-all or --disable-pdo) in favor of the default
error done by PHP_ADD_EXTENSION_DEP.