Backdoor or security vulnerability? #823
Comments
Thanks for your message.
This looks like a missing cast to int. I'm not sure why you are calling this 'regular usage' when data sanitizing is a primary junior mistake.
Type casting doesn't matter in MySQLiDB (Class).
I strongly disagree: user input validation and sanitization are an additional measure, but not a replacement for parameterized queries. The MySQLiDB class doesn't concatenate query parameters, but uses
That's why I've written an extended class to use MySQLiDB.
Closing as not a bug.
So the problem is that mysqlidb doesn't support parameterized queries, and it is not a security vulnerability. Thanks for your time.
NP, the pleasure is mine.
It is written in the description of the project: "Wrapper for a PHP MySQL class, which utilizes MySQLi and prepared statements." It might be a naming misunderstanding: you do use bind parameters, also known as "prepared statements" or "parameterized statements", and that is what I meant (https://en.wikipedia.org/wiki/Prepared_statement). It is a security vulnerability, and your resistance to admitting it may make some people believe it was introduced on purpose after all, because the patch is just to remove the four lines of special treatment of arrays.
Sorry for the little delay. How can I share my extended class? I also have other functions like drop_table, drop_column, is_mysql_table(), etc.
Feel free to break down new features as one patch per feature, include test cases and documentation, and feel free to send pull requests.
I am sorry, but I don't know how to do it.
Anyway, here is my method in the extended class:
    protected function replacePlaceHolders( $str, $vals ) {
No offence @satalways, but your suggestions have nothing to do with the injection. The library does call
I think @JarLob's point is valid... mysqli is meant to be about binding, to limit security problems like SQL injection attacks etc...
@JarLob, would you mind sharing the fix?
Oh, @killua-eu, the fix is trivial, you delete:
    // forkaround for an old operation api
    if (is_array($whereValue) && ($key = key($whereValue)) != "0") {
        $operator = $key;
        $whereValue = $whereValue[$key];
    }
from the
I apologize; I have now paid the needed attention to the report, since initially it was not full enough and I was not wise enough to think.
PHP-MySQLi-Database-Class/MysqliDb.php
Lines 969 to 983 in eaf1f6c
Where() because of the special "forkaround". If $whereValue happens to be an array, a non-parameterized $operator value is extracted from it. However, typical usage of the class looks like:
The $whereValue is usually untrusted, and if there are no additional checks like is_numeric($_POST['id']) an attacker may inject his statements. For example: id[= ? or 1=1 --]=0 (URL-encoded version for HTTP POST: id%5B%3D%20%3F%20or%201%3D1%20--%5D=0)
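The mechanism described in the issue, as an added example that is not part of the original report or of the MysqliDb library: a minimal stand-in for the where-clause building step that reproduces the quoted "forkaround" beside a hardened version in which the operator can never come from the request value. The function names buildWhereVulnerable and buildWhereHardened, the users table, and the two sample request bodies are constructed for this illustration; the allow-list of operators goes one step beyond the thread's own fix, which is simply deleting the four lines.

```php
<?php
// Added example, not MysqliDb's own code. A simplified where-clause builder
// used to show why the array special case is a problem and what a hardened
// form looks like. Function names, table name and sample request data are
// constructed for this illustration.

// Vulnerable variant: mirrors the "forkaround" quoted in the thread. When
// $whereValue is an array, its first key becomes the SQL operator and is
// interpolated into the query text, bypassing the bind parameter.
function buildWhereVulnerable(string $column, $whereValue, string $operator = '='): array
{
    // forkaround for an old operation api (the lines quoted in the issue)
    if (is_array($whereValue) && ($key = key($whereValue)) != "0") {
        $operator   = $key;
        $whereValue = $whereValue[$key];
    }
    $sql = "SELECT * FROM users WHERE `{$column}` {$operator} ?";
    return ['sql' => $sql, 'params' => [$whereValue]];
}

// Hardened variant: the operator is never derived from the value, it must be
// one of a fixed set, and only scalars are accepted as bind values. An array
// where a scalar was expected is treated as a malformed request and rejected.
function buildWhereHardened(string $column, $whereValue, string $operator = '='): array
{
    static $allowedOperators = ['=', '!=', '<>', '<', '<=', '>', '>=', 'LIKE', 'NOT LIKE'];
    $operator = strtoupper(trim($operator));
    if (!in_array($operator, $allowedOperators, true)) {
        throw new InvalidArgumentException("Unsupported operator: {$operator}");
    }
    if (!is_scalar($whereValue) && $whereValue !== null) {
        throw new InvalidArgumentException("where() expects a scalar value for {$column}");
    }
    $sql = "SELECT * FROM users WHERE `{$column}` {$operator} ?";
    return ['sql' => $sql, 'params' => [$whereValue]];
}

// Constructed request bodies: an ordinary one, and the shape PHP produces for
// the body quoted in the issue (id[= ? or 1=1 --]=0), which decodes to a
// nested array whose key is the injected fragment.
$normalPost  = ['id' => '42'];
$hostilePost = ['id' => ['= ? or 1=1 --' => '0']];

foreach (['normal' => $normalPost, 'hostile' => $hostilePost] as $label => $post) {
    $v = buildWhereVulnerable('id', $post['id']);
    echo "[{$label}] vulnerable: {$v['sql']}\n";
    try {
        $h = buildWhereHardened('id', $post['id']);
        echo "[{$label}] hardened:   {$h['sql']}\n";
    } catch (InvalidArgumentException $e) {
        echo "[{$label}] hardened:   rejected ({$e->getMessage()})\n";
    }
}
```

Running it shows the difference the thread argues about: for the hostile body the vulnerable builder emits query text containing the attacker-supplied fragment as the "operator", with the bind parameter doing nothing to contain it, while the hardened builder refuses the array before any SQL is assembled. Checking is_numeric($_POST['id']) at the call site, as the issue notes, also blocks this input, but the builder-level check removes the dependency on every caller remembering to do so.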