PHP PDO Bugs Expose Firebird SQL Injection and PostgreSQL DoS Risks


PHP has fixed two serious database-layer bugs in PDO that could expose some applications to SQL injection or denial-of-service risks. The issues affect how PHP handles quoted values and malformed input inside database drivers.

The first flaw affects pdo_firebird and allows SQL injection through NUL bytes inside quoted strings. The issue is tracked as CVE-2025-14179 in the PHP Firebird advisory.

The second flaw affects PDO quoting behavior and can lead to a null pointer dereference when PostgreSQL quoting returns a null value. It is tracked as CVE-2025-14180 in the PHP PDO advisory.

Why these PHP PDO flaws matter

PDO is the database abstraction layer many PHP applications use to connect to databases through a common interface. The official PHP PDO documentation describes it as an extension that provides a consistent way to access databases from PHP.

That design makes PDO powerful, but it also means driver-level mistakes can affect real applications even when developers believe they are using safe database patterns. A bug in quoting, parsing, or driver preprocessing can change how a query behaves after the application has already built it.

The latest confirmed fixes appear in the PHP 8 changelog, which lists the pdo_firebird SQL injection fix in the May 2026 releases and the PDO quoting null dereference fix in the December 2025 releases.

IssueCVEAffected areaImpactSeverity
NUL byte handling in Firebird quoted stringsCVE-2025-14179pdo_firebirdSQL injectionHigh
Null pointer dereference in PDO quotingCVE-2025-14180PDO quoting with PostgreSQLDenial of serviceModerate
Missing error checks during PostgreSQL escapingCVE-2025-1735pgsql extensionSQL injection or crash riskModerate

Firebird bug turns quoted input into SQL injection

The Firebird flaw shows how a safe-looking quoting step can break later in the driver pipeline. The vulnerable code reconstructs a SQL query token by token after values have already been quoted.

According to the Firebird SQL injection advisory, the driver used strncat() while rebuilding parts of the query. That C function stops at a NUL byte, which can cause the rebuilt query to lose the closing quote around a string.

When the quote boundary disappears, attacker-controlled data that should remain inside a string can become executable SQL. The advisory says this applies to several statement types, including SELECT, INSERT, UPDATE, DELETE, MERGE, WITH, and EXECUTE.

  • The vulnerable driver is pdo_firebird.
  • The issue involves NUL bytes inside quoted strings.
  • The bug can break intended string boundaries during query reconstruction.
  • Attackers may use the flaw to inject SQL if they control nearby input.
  • The issue was credited to Aleksey Solovev and Nikita Sveshnikov of Positive Technologies.

PostgreSQL path can crash PHP through PDO quoting

The PostgreSQL-related PDO issue is different. It does not create a direct data-theft path by itself, but it can crash the PHP process when a quoted value becomes null and PDO tries to read it as though it were valid.

The PDO null pointer advisory says the vulnerable code calls ZSTR_LEN on a quoted value inside PDO’s SQL parser. When PostgreSQL quoting returns null for a special character sequence, PDO can dereference a null pointer and trigger a segmentation fault.

The advisory specifically notes that enabling PDO::ATTR_EMULATE_PREPARES is key to reproducing the crash. That makes the issue especially relevant for applications that enable emulated prepared statements while accepting user-controlled text fields.

Risk areaFirebird issuePostgreSQL PDO issue
Main weaknessNUL byte handling in query reconstructionNull pointer dereference during quoting
Main impactSQL injectionPHP process crash
Attacker inputQuoted string containing a NUL byteSpecial invalid byte sequence
Likely resultUnexpected SQL executionDenial of service
Best fixUpgrade PHP to a patched buildUpgrade PHP and avoid unnecessary emulated prepares

A separate PHP PostgreSQL advisory from 2025 also matters here because it shows the same class of risk: PHP extensions must properly check errors returned by database client libraries.

In the pgsql escaping advisory, PHP maintainers said missing error checking could cause SQL injection and missing error handling could lead to crashes through null pointer dereferences. The advisory is tied to CVE-2025-1735.

Together, these bugs show that database safety depends on more than application-level prepared statements. It also depends on how language runtimes, extensions, and database client libraries handle unusual bytes, encoding errors, and null returns.

Fixed PHP versions administrators should install

The Firebird SQL injection fix landed in PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6. Older builds in those branches remain exposed if they include and use the pdo_firebird extension.

Overall architecture of DBMS access in PHP (Source – PT Swarm)

The PDO quoting null pointer issue was fixed earlier in PHP 8.1.34, 8.2.30, 8.3.29, 8.4.16, and 8.5.1. Administrators can confirm the release entries in the PHP changelog.

Applications that use packaged PHP from Linux distributions should check vendor advisories as well. Distribution maintainers may backport security patches without changing the upstream PHP version number in the same way.

VulnerabilityPatched PHP versionsAction
CVE-2025-141798.2.31, 8.3.31, 8.4.21, 8.5.6Update if pdo_firebird is installed or used
CVE-2025-141808.1.34, 8.2.30, 8.3.29, 8.4.16, 8.5.1Update PHP and review emulated prepares
CVE-2025-17358.1.33, 8.2.29, 8.3.23, 8.4.10Update if using the pgsql extension

What developers should change in PHP database code

Developers should avoid building SQL by stitching quoted strings into query text where possible. Prepared statements with bound parameters remain the safer default for most database-backed applications.

The official PDO manual gives developers the common interface, but driver-specific behavior still matters. Applications should test database code with the exact drivers and PHP versions they run in production.

Teams should also review cases where PDO::ATTR_EMULATE_PREPARES is enabled. Native prepared statements can reduce exposure to some quoting and parsing edge cases, although compatibility requirements may still force emulation in specific environments.

  1. Upgrade PHP to a patched version or a vendor build that includes the fix.
  2. Check whether pdo_firebird, pdo_pgsql, or pgsql extensions are installed in production.
  3. Avoid manual SQL construction with quoted user input where prepared statements can be used.
  4. Disable emulated prepared statements unless the application specifically needs them.
  5. Validate and normalize binary or unusual encoded input before it reaches database code.
  6. Wrap financial, order, and inventory operations inside database transactions.
  7. Monitor PHP worker crashes, segmentation faults, and sudden spikes in 500 errors.

Why this is more than a niche driver problem

Some organizations may not use Firebird, but the broader lesson applies to every database-backed PHP application. A driver can turn unusual input into a security issue even when application developers believe their database code is protected.

The PostgreSQL escaping advisory also shows why extensions must treat library errors as security-sensitive events. If a database client library signals failure and PHP code does not handle it correctly, the result can be injection, a crash, or undefined behavior.

PHP worker process (Source – PT Swarm)

For production teams, the fix is straightforward but urgent: keep PHP current, understand which PDO drivers are enabled, and do not assume low-level database handling is automatically safe because the codebase is mature.

Bottom line

The confirmed PHP PDO issues show how small C-level assumptions can affect high-level web application security. Firebird users face a high-severity SQL injection risk in unpatched builds, while PostgreSQL-related PDO quoting behavior can crash PHP under specific conditions.

Administrators should update affected PHP branches, review enabled database extensions, and audit code paths that rely on quoting rather than bound parameters. Developers should also treat malformed binary and encoded input as dangerous before it enters database workflows.

FAQ

What are the PHP PDO vulnerabilities discussed here?

The two main confirmed issues are CVE-2025-14179, a pdo_firebird SQL injection flaw involving NUL bytes in quoted strings, and CVE-2025-14180, a PDO quoting null pointer dereference that can cause denial of service in PostgreSQL-related usage.

Which PHP versions fix the Firebird PDO SQL injection flaw?

CVE-2025-14179 is fixed in PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6. Systems using pdo_firebird should update to those versions or vendor builds that include the backported patch.

Which PHP versions fix the PDO quoting denial-of-service issue?

CVE-2025-14180 is fixed in PHP 8.1.34, 8.2.30, 8.3.29, 8.4.16, and 8.5.1. Administrators should update PHP and review whether applications rely on emulated prepared statements.

Does PDO::quote fully prevent SQL injection?

No. PDO::quote can help escape strings, but it should not replace prepared statements with bound parameters. The Firebird issue shows that driver-level processing can still create unsafe results in edge cases.

What should PHP developers do now?

Developers should update PHP, check enabled PDO drivers, prefer prepared statements with bound parameters, avoid unnecessary emulated prepares, validate unusual binary input, and monitor logs for PHP worker crashes or database errors.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages