CVE-2022-31631 - Critical PHP PDO::quote() Vulnerability Exposes SQLite to SQL Injection

CVE-2022-31631 is a severe vulnerability that affected many PHP applications using the popular PDO::quote() method with SQLite databases. If you are managing any system running on PHP versions 8. (before 8..27), 8.1 (before 8.1.15), or 8.2 (before 8.2.2), understanding and patching this issue is crucial for your application’s security.

This article explains the vulnerability in simple terms, how attackers can exploit it, and gives practical code examples—and resources—to help you verify if you’re affected.

What is PDO::quote()?

In PHP, PDO::quote() is used to safely escape user data before putting it into SQL queries. It’s supposed to prevent SQL injection, one of the most dangerous vulnerabilities in web applications.

Example

$user_input = "O'Reilly";
$quoted = $pdo->quote($user_input);
// $quoted becomes: 'O''Reilly'

But what if this safety net doesn’t always work as expected?

The Vulnerability: What Went Wrong?

Between PHP 8.. and versions prior to 8..27, 8.1.15, and 8.2.2, there was a critical bug in the SQLite driver’s implementation of PDO::quote().

If the function is passed an overly long string, instead of returning a properly quoted and escaped result, it may return false or an incomplete escaped string. If your code trusts this function and uses the broken output directly in your SQL statements, you end up injecting user-controlled data directly into your SQL, negating the security benefit.

Imagine a PHP application that uses PDO::quote() to build queries, like this

// User input via $_GET['username']
$sql = "SELECT * FROM users WHERE username = " . $pdo->quote($_GET['username']);
$stmt = $pdo->query($sql);

If a malicious user sends a very long string as ‘username’, and PDO::quote() returns false, the code above produces:

SELECT * FROM users WHERE username = 

Which makes the rest of the query open for injection.

Try this on a vulnerable version of PHP

<?php
$pdo = new PDO('sqlite::memory:');
$long_string = str_repeat("A", 100000); // overly long payload
$quoted = $pdo->quote($long_string);

if ($quoted === false) {
    echo "Quoting failed, possible vulnerability!";
} else {
    echo "Quoting success: $quoted";
}
?>

In a vulnerable version, this will echo:
Quoting failed, possible vulnerability!

Now, imagine if you used $quoted in a SQL string. With no value quoted, and if your code doesn’t check for false, you are open to SQL injection:

$sql = "SELECT * FROM users WHERE username = $quoted";

If $quoted === false, this becomes

SELECT * FROM users WHERE username = 

An attacker could supply input that causes syntax errors, or worse, craft subsequent input to manipulate the query structure.

Real World Impact

Many developers assume PDO::quote() is safe and do not check its return type. This opened the door for hostile users to break out of the query logic and inject arbitrary SQL commands, potentially compromising both data and database integrity.

Key risk: If your application allowed user-controlled input in SQL queries and relied solely on PDO::quote() with no error handling, you could be at risk.

Always use prepared statements instead of manually quoting data

$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$_GET['username']]);

Prepared statements handle all the necessary escaping and cannot be bypassed by this bug.

Further Reading and References

- CVE-2022-31631 at MITRE
- PHP Security Change Log
- Red Hat Security Advisory
- NVD Record

Summary

CVE-2022-31631 exposed a serious hole for PHP projects using SQLite with PDO if they relied on PDO::quote() and handled large user input strings. If you cannot upgrade, audit your code for manual quoting, and always check PDO::quote()'s return value. Better yet: Use prepared statements for all queries—no exceptions.

Is your code safe?
Check today, and avoid being the next victim of this simple but disastrous bug.

Timeline

Published on: 02/12/2025 22:15:29 UTC