
ensure $nrows and $offset parameters of SelectLimit are integers #311

Merged
merged 1 commit into from
Nov 25, 2017

Conversation


@nicoder nicoder commented Jan 16, 2017

as is done (at least for `$nrows`) in the `SelectLimit` method of `Adodb/adodb.inc.php`.

lowers the risk of SQL injection.
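To make the point of the change concrete, here is an added example (not ADOdb's own code, and not the diff from this pull request): a minimal stand-in for what a driver's `SelectLimit()` does when it appends a `LIMIT`/`OFFSET` clause. The function names, the `(int)` casts and the "untrusted" sample input are constructed for illustration; the names `selectLimitUnsafe`, `selectLimitSafe` and `validatedLimit` are assumptions and do not exist in ADOdb.

```php
<?php
declare(strict_types=1);

// Added example, not ADOdb's code. A minimal stand-in for a driver's
// SelectLimit(): it appends LIMIT/OFFSET to a query string. Function
// names and the sample input below are constructed for illustration.

// Before: $nrows and $offset are pasted into the SQL exactly as received,
// so any non-numeric text in them becomes part of the statement.
function selectLimitUnsafe(string $sql, $nrows = -1, $offset = -1): string
{
    if ($nrows !== -1) {
        $sql .= " LIMIT $nrows";
    }
    if ($offset !== -1) {
        $sql .= " OFFSET $offset";
    }
    return $sql;
}

// After: force both parameters to integers before they touch the SQL.
// (int) on a leading-numeric string keeps the number and drops the rest;
// on a non-numeric string it yields 0, so the clause is always well-formed.
function selectLimitSafe(string $sql, $nrows = -1, $offset = -1): string
{
    $nrows  = (int) $nrows;
    $offset = (int) $offset;
    if ($nrows >= 0) {
        $sql .= " LIMIT $nrows";
    }
    if ($offset >= 0) {
        $sql .= " OFFSET $offset";
    }
    return $sql;
}

// Stricter alternative for the application layer: reject anything that is
// not a plain non-negative integer instead of silently coercing it.
function validatedLimit($value): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($int === false) {
        throw new InvalidArgumentException('limit/offset must be a non-negative integer');
    }
    return $int;
}

// Constructed sample input standing in for an untrusted request parameter.
$base            = 'SELECT id, name FROM users ORDER BY id';
$untrustedRows   = '10 /* text that should never reach the query */';
$untrustedOffset = '20';

echo selectLimitUnsafe($base, $untrustedRows, $untrustedOffset), PHP_EOL;
echo selectLimitSafe($base, $untrustedRows, $untrustedOffset), PHP_EOL;

try {
    validatedLimit($untrustedRows);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`: the unsafe version emits the comment text verbatim after `LIMIT 10`, the cast version emits `LIMIT 10 OFFSET 20`, and the validating helper throws. The cast is the right fix inside a library method, since it cannot break callers that already pass integers; the validating helper is the caveat for callers, because `(int)` turns `"abc"` into `0` silently, which may be a surprising result rather than an error.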
@dregad dregad added core ADOdb core (library and base classes) enhancement labels Nov 25, 2017
@dregad dregad added this to the v5.21 milestone Nov 25, 2017
@dregad dregad merged commit be1ecf8 into ADOdb:master Nov 25, 2017
dregad added a commit that referenced this pull request Nov 25, 2017
The same is done (at least for `$nrows`) in the `SelectLimit` method of `Adodb/adodb.inc.php`.

This lowers the risk of SQL injection.

Fixes #311

dregad commented Nov 25, 2017

Sorry I messed up while rewording the commit message and inadvertently merged instead of squash. The actual fix is 7d43989


jedi58 commented Mar 5, 2018

Doesn't this need doing for mysqli and the other drivers too?

@dregad dregad added pdo The PHP PDO Driver (Tier 2) and removed core ADOdb core (library and base classes) labels Mar 6, 2018
@dregad dregad modified the milestones: v5.21, v5.20.11 Mar 29, 2018
dregad added a commit to dregad/ADOdb that referenced this pull request Mar 30, 2018
The same is done (at least for `$nrows`) in the `SelectLimit` method of `Adodb/adodb.inc.php`.

This lowers the risk of SQL injection.

Fixes ADOdb#311

(cherry picked from commit 7d43989)
dregad pushed a commit to dregad/ADOdb that referenced this pull request Mar 30, 2018
The `SelectLimit` function has a potential SQL injection vulnerability
through the use of the `nrows` and `offset` parameters which are not
forced to integers.

This is a follow-up on ADOdb#311, and fixes all remaining drivers that do not
use ADOConnection::SelectLimit().

Fixes ADOdb#401

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Original commits squashed, message reworded. Fixed whitespace.
Labels
enhancement pdo The PHP PDO Driver (Tier 2) security