Martin Eden

Reputation: 55

Can you still get hacked using PDO::quote()?

Checking my logs, I noticed errors I would not have expected to see while using PDO::quote(), which I read is secure against SQL injection.

Short extract of the error_log:

    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Warning:  PDO::quote() expects parameter 1 to be string, array given in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND origine > 3 ORDER BY id_client DESC LIMIT 1' at line 1' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Warning:  PDO::quote() expects parameter 1 to be string, array given in XXXXXXXXXXXXXXX.php on line 35
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1' in XXXXXXXXXXXXXXX.php:38
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(38): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 38
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Warning:  PDO::quote() expects parameter 1 to be string, array given in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND origine > 3 ORDER BY id_client DESC LIMIT 1' at line 1' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Warning:  PDO::quote() expects parameter 1 to be string, array given in XXXXXXXXXXXXXXX.php on line 35
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1' in XXXXXXXXXXXXXXX.php:38
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(38): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 38
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29

It seems like SQL injection with an unsecured variable, or unexpected data. The chunk of PHP/SQL code where the errors are thrown is:

$email = $_REQUEST['email'];
$dataClients = $pdo->query('SELECT id_client, origine FROM clients WHERE email='.$pdo->quote($email).' ORDER BY id_client DESC LIMIT 1')->fetch();

Did the attacker bypass the safe use of $pdo->quote() here? Shouldn't this kind of error be impossible with the use of $pdo->quote()?

Upvotes: 0

Views: 795

Answers (1)

wordragon

Reputation: 1357

If you read this, you'll find a lot of encouragement to use prepared statements rather than PDO::quote. PDO::quote can help you construct a safe SQL statement if used correctly, but it doesn't prevent problems from occurring: any time you construct a SQL statement without binding all of your inputs, you run the risk of overlooking an attack possibility. "Bind and ye shall conquer!" Without seeing your inputs, it's hard to really dissect what exactly is wrong. They appear to be programming errors rather than hackers. For example, it looks like some of your $_REQUEST values are arrays, and some are not in the default character set; both of those will cause problems for you.

Maybe start by throwing some of your inputs into the error log so you can see why they are blowing up. Something like:

try {
    $email = $_REQUEST['email'];
    $dataClients = $pdo->query('SELECT id_client, origine FROM clients WHERE email='.$pdo->quote($email).' ORDER BY id_client DESC LIMIT 1')->fetch();
} catch (Exception $e) {
    // Log the raw input that caused the failure; var_export() shows whether it
    // arrived as a string or as an array (e.g. from ?email[]=...).
    error_log("email requests are: " . var_export($email, true));
    error_log($e->getMessage());
    exit(); // or recover, if you like
}

It's still not the right solution, but you will get a better handle on your inputs, at any rate.

Upvotes: 1
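The following is an added example, not code from the question or the answer above. It reproduces the "expects parameter 1 to be string, array given" failure from the log against an in-memory SQLite database and puts the concatenation-plus-quote() pattern next to the prepared-statement pattern the answer recommends. The clients table, its rows and the three sample inputs are constructed here; the MySQL DSN in the comment is illustrative only.

```php
<?php
// Added example (not from the original question or answer).
// Demonstrates why PDO::quote() concatenation breaks on array input while a
// type check plus a bound parameter does not. Runs offline on pdo_sqlite.
declare(strict_types=1);

// Turn PHP warnings (PDO::quote() "array given" on PHP 7) into exceptions so
// each call below reports exactly one failure; PHP 8 throws a TypeError here.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});

function connect(): PDO
{
    // For MySQL the DSN would be e.g.
    //   'mysql:host=localhost;dbname=app;charset=utf8mb4'
    // The charset= option makes the connection's character set match the
    // table's, which is what the "Illegal mix of collations" error is about.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Constructed schema and sample rows (assumption: mirrors the question's columns).
    $pdo->exec('CREATE TABLE clients (id_client INTEGER PRIMARY KEY, email TEXT, origine INTEGER)');
    $pdo->exec("INSERT INTO clients (email, origine) VALUES ('alice@example.com', 1), ('alice@example.com', 4)");
    return $pdo;
}

// The pattern from the question: string concatenation around PDO::quote().
// quote() escapes a string correctly, but it is never given an array check.
function lookupUnsafe(PDO $pdo, $email): ?array
{
    $sql = 'SELECT id_client, origine FROM clients WHERE email=' . $pdo->quote($email)
         . ' ORDER BY id_client DESC LIMIT 1';
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The recommended pattern: reject anything that is not a string, then bind.
function lookupSafe(PDO $pdo, $email): ?array
{
    if (!is_string($email)) {
        // ?email[]=foo arrives as an array; refuse it instead of building SQL from it.
        throw new InvalidArgumentException('email must be a string');
    }
    $stmt = $pdo->prepare(
        'SELECT id_client, origine FROM clients WHERE email = :email ORDER BY id_client DESC LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();

// Constructed inputs standing in for $_REQUEST['email']. The last one is what
// a query string such as ?email[]=foo produces.
$inputs = [
    'alice@example.com',
    "' OR '1'='1",
    ['foo'],
];

foreach ($inputs as $input) {
    foreach (['lookupUnsafe', 'lookupSafe'] as $fn) {
        $shown = json_encode($input);
        try {
            $result = $fn($pdo, $input);
            printf("%-12s %-22s => %s\n", $fn, $shown, json_encode($result));
        } catch (Throwable $e) {
            printf("%-12s %-22s => %s: %s\n", $fn, $shown, get_class($e), $e->getMessage());
        }
    }
}
```

Both functions handle the quoted injection payload correctly and return no row, which matches the answer's reading of the log: the failures come from malformed input (an array where a string was expected), not from a bypass of PDO::quote(). The difference is that lookupUnsafe() lets that input reach the database as a broken query, while lookupSafe() rejects it before any SQL is built and passes the valid value as a bound parameter.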
