Unauthenticated Blind SQL injection #908
Fasse committed Apr 12, 2020
1 parent 4269400 commit ea5d6f1
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions adm_program/system/classes/TableAccess.php
Expand Up @@ -444,11 +444,11 @@ public function readDataByColumns(array $columnArray)
// add every array element as a sql condition to the condition string
foreach ($columnArray as $columnName => $columnValue)
{
$sqlWhereCondition .= ' AND ' . $columnName . ' = \'' . $columnValue . '\' ';
$sqlWhereCondition .= ' AND ' . $columnName . ' = ? ';
}

// call method to read data out of database
$returnCode = $this->readData($sqlWhereCondition);
$returnCode = $this->readData($sqlWhereCondition, array_values($columnArray));

// save the array fields in the object
if (!$returnCode)
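Review bot: The rewritten condition `$sqlWhereCondition .= ' AND ' . $columnName . ' = ? '` still concatenates the array key straight into the SQL, so only the value side of each condition is parameterised; any caller that lets request data decide the keys of `$columnArray` can still inject through the column name. Placeholders cannot bind identifiers, so the name has to be validated before it is appended, e.g. `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $columnName)) { throw new \UnexpectedValueException('Invalid column name: ' . $columnName); }` — or, better, a check against the table's known column list if this class keeps one. The `readData` call now passes `array_values($columnArray)` as a second argument, which only closes the hole if that method binds them as prepared-statement parameters rather than interpolating them; its definition is outside this hunk, so confirm that, and note that a `null` value bound into `= ?` matches no row where the old string-built `= ''` matched the empty string. `readDataByColumns` continues past the end of the hunk.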
