Mysql injections #26
Comments
@justinfarmer14 Do we have details of where and when this is possible?

There are many vulnerable queries littered throughout the source. As an example:

Would it be worth writing a SQL library to handle queries now, or going through and patching all of these and saving that library for later?

I would personally suggest overhauling database interaction. Maybe consider an ORM? I think reviewing interaction with the database will be important for securing the performance and scalability of the project. My current understanding is that you authenticate with the database on nearly every request; this is not the greatest idea. I have not worked with PHP for a couple of years now, but it will be important to ensure that only one connection/authentication is made to the database per request. If you wish to continue using the mysqli driver, consider exclusively using prepared statements; this should greatly reduce the chance of SQL-injection-vulnerable processes being present in the application.
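The pattern the comment above recommends (one connection per request, every query through a mysqli prepared statement), shown as an added example that is not code from the opencad-php project; the table and column names, the `users` lookup and the connection parameters are assumptions for illustration.

```php
<?php
// Added example, not opencad-php project code. Table/column names and
// connection parameters are assumptions for illustration only.

// Vulnerable pattern: the user-supplied value is concatenated into the
// query text, so a quote character in the input is parsed as SQL rather
// than treated as data.
function findUserByNameUnsafe(mysqli $db, string $name): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $name . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened pattern: the statement text is sent with a '?' placeholder and
// the value is bound separately ('s' = string), so the input can never
// alter the structure of the query.
function findUserByNameSafe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// One connection per request, reused by every query in the request
// (host, user, password and database name are assumed placeholders).
function getConnection(): mysqli
{
    static $db = null;
    if ($db === null) {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $db = new mysqli('localhost', 'app_user', 'app_password', 'opencad');
        $db->set_charset('utf8mb4');
    }
    return $db;
}

$db = getConnection();
$user = findUserByNameSafe($db, $_GET['username'] ?? '');
```

Enabling `MYSQLI_REPORT_STRICT` turns driver errors into exceptions, so a failed prepare or execute is visible in logs instead of silently returning false.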
(Leaving this for reference.)

Looks good!

I'm going to do a full security audit in the next few days.

We should consider having the integration of an ORM as a separate report.
…PLETON/opencad-php:feature/OCPHP-184-ability-to-hide-leo-tools-from-fire-ems to release/development Approved by farmer 11:37 3/30/18 * commit '32bd70d73814392b0c3266b569275e130b2848f5': Fire/EMS can no longer see/use LEO tools #OCPHP-185 #comment Tweaked the documentation to be more verbose. Also added a "Feature Settings" section in oc-config.sample.php and moved all feature settings under that heading. #close"
I was notified by a member on Discord that MySQL injection is possible. Assign to Anthony for security flaw.