SQL is not properly escaped #144

Closed
temistokles opened this issue Oct 13, 2016 · 0 comments
temistokles commented Oct 13, 2016

This issue is present in Nette 2.3.11.

How to reproduce the issue:

  1. Use Nette database
  2. Use MySQL
  3. Use table with non-numeric primary key column named 'id' - in my case varchar(50)
  4. Add some more columns, in my case datetime - validFrom, validTo

Use the following syntax:

<?php
// $value is the whole fetched row (an ActiveRow), not just its 'id' field
$value = $context->table('table')->select('id')->fetch(); // result e.g. [id => 'not escaped']

// the row object is passed as a where() value; the string key 'id' has no '?' placeholder
$context->table('table')->where([
    'id' => $value,
    'validFrom <= ?' => '2016-10-13',
    'validTo >= ?' => '2016-10-13',
])->fetch();

The query gets executed without escaping the value in $value e.g. as:

SELECT ... FROM table WHERE (id not escaped) AND (validFrom <= '2016-10-13') AND (validTo >= '2016-10-13').

The problem is obviously the first parentheses.

Although such usage is not correct (you should not use the whole result, but its field instead), this is pretty hard to debug and has potentially fatal consequences (SQL injection).
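The guard a query builder needs against this mistake, shown as an added example that is not Nette's code: a minimal where() builder using the same array syntax as the report, which binds only scalar values and throws on anything else (the SafeWhere class, its method names and the ArrayObject stand-in for a fetched row are all constructed for this illustration).

```php
<?php
// Added example (not Nette's code): a minimal where() builder using the
// report's array syntax that only ever binds scalars, so a whole fetched row
// passed by mistake fails loudly instead of becoming unescaped SQL.

final class SafeWhere
{
    private array $conditions = [];
    public array $params = [];
    // 'col' => value means equality; 'col <= ?' => value is an explicit placeholder.
    public function where(array $conditions): self
    {
        foreach ($conditions as $key => $value) {
            if (!is_scalar($value)) {
                // The check the reported behaviour lacks: an ActiveRow, array or
                // any other non-scalar must never be interpolated into the SQL.
                $type = is_object($value) ? get_class($value) : gettype($value);
                throw new InvalidArgumentException(
                    "Unsupported $type for condition '$key'; pass the field (e.g. \$row['id']), not the row."
                );
            }
            if (strpos($key, '?') === false) {
                $key .= ' = ?';
            }
            $this->conditions[] = "($key)";
            $this->params[] = $value; // values travel only as bound parameters
        }
        return $this;
    }

    public function toSql(string $table): string
    {
        return "SELECT * FROM $table WHERE " . implode(' AND ', $this->conditions);
    }
}

// Constructed stand-in for a fetched row (Nette would return an ActiveRow here).
$row = new ArrayObject(['id' => 'not escaped']);
$q = (new SafeWhere)->where([
    'id' => $row['id'],            // correct: the field, not the whole row
    'validFrom <= ?' => '2016-10-13',
    'validTo >= ?' => '2016-10-13',
]);
echo $q->toSql('table'), "\n";

try {
    (new SafeWhere)->where(['id' => $row]); // the mistake from the report
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The first call produces placeholder-only SQL with the three values in `$q->params`; the second, which repeats the report's usage, is rejected before any SQL string is built.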
