
A serious vulnerability has been discovered in PHP, potentially exposing websites and applications to SQL injection attacks. Users are strongly advised to update to the latest versions of PHP as soon as possible.
The flaw, identified as CVE-2022-31631 (CVSS 9.1), affects PHP versions 8.0.x before 8.0.27, 8.1.x before 8.1.15, and 8.2.x before 8.2.2. It resides within the PDO::quote() function when used with SQLite databases. This function is commonly used to sanitize user-supplied data before it’s used in database queries, a crucial step in preventing SQL injection.
The CVE-2022-31631 vulnerability stems from an integer overflow issue. When an excessively long string is passed to PDO::quote(), the function may fail to properly escape the input. This can lead to the creation of malformed SQL queries, allowing attackers to inject malicious code and potentially gain control of the database.
The core problem lies in how PHP handles string lengths. While the underlying SQLite function sqlite3_snprintf() uses a 32-bit integer for length parameters, PHP’s PDO::quote() uses a zend_long, which is typically 64-bit on modern systems. This discrepancy can lead to an integer overflow, where the length value wraps around, resulting in an improperly quoted string.
In specific scenarios, this overflow can even cause the function to return a single apostrophe, effectively neutralizing the intended sanitization and opening the door to SQL injection. While memory limits and post_max_size settings might offer some mitigation, they are not a reliable safeguard against this vulnerability.
While 32-bit systems are theoretically less susceptible due to the size parity between integers and zend_long, 64-bit architectures are particularly vulnerable. The provided test scripts demonstrate how this overflow can be exploited on these systems.
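The length mismatch described above, shown as an added example (not code from PHP, SQLite, or the original advisory): it narrows a 64-bit buffer size to a 32-bit int and pairs that with a quoting helper that rejects lengths the narrow type cannot represent. The function names, the 2*len + 3 worst-case sizing, and the sample lengths are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed worst case for quoting len bytes: every byte doubled, two
 * surrounding quotes, one NUL. This is the largest len whose size fits int32. */
#define MAX_QUOTABLE_LEN ((uint64_t)(INT32_MAX - 3) / 2)

/* Value a 64-bit size takes once narrowed to a 32-bit signed int. */
int32_t narrow_to_int32(uint64_t wide) {
    uint32_t low = (uint32_t)wide;              /* keep the low 32 bits */
    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return (int32_t)(low - 0x80000000u) + INT32_MIN;
}

/* Buffer size a callee with an int size parameter would actually receive. */
int32_t quote_size_seen_by_callee(uint64_t len) {
    return narrow_to_int32(2 * len + 3);
}

/* Hypothetical hardened helper: fails closed on lengths whose worst-case
 * size does not fit int32, otherwise doubles apostrophes. Caller frees. */
char *quote_checked(const char *s, size_t len) {
    if ((uint64_t)len > MAX_QUOTABLE_LEN)
        return NULL;                            /* checked before s is read */
    char *out = malloc(2 * len + 3);
    if (out == NULL) return NULL;
    size_t o = 0;
    out[o++] = '\'';
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '\'')
            out[o++] = '\'';                    /* escape by doubling */
        out[o++] = s[i];
    }
    out[o++] = '\'';
    out[o] = '\0';
    return out;
}

int main(void) {
    /* Constructed sample lengths around the boundary. */
    uint64_t lens[] = { 10, MAX_QUOTABLE_LEN, MAX_QUOTABLE_LEN + 1,
                        UINT64_C(1) << 31 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%llu -> size as int=%d\n", (unsigned long long)lens[i],
               (int)quote_size_seen_by_callee(lens[i]));
    return 0;
}
```

Past the boundary the narrowed size is negative or far smaller than the input, which is why the length has to be checked before any size is handed to a 32-bit parameter.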
This vulnerability poses a significant risk to any application using the affected PHP versions with SQLite databases. SQL injection is a severe threat that can allow attackers to steal sensitive data, modify database content, or even take control of the server.
Therefore, it is absolutely critical that all PHP users immediately upgrade to the patched versions: PHP 8.0.27, 8.1.15, or 8.2.2 (or later). Website administrators and developers should thoroughly review their code to ensure proper data sanitization practices are in place, even after updating.