Hi, I have found some critical bugs in Slims8 Akasia 8.3.1 (latest version).

First, there is a SQL injection bug in this url:

```php
$table_name = $dbs->escape_string(trim($_POST['tableName']));
<--striped-->
// append table name
$sql_string .= " FROM $table_name ";
if ($criteria) { $sql_string .= " WHERE $criteria LIMIT $limit"; }
// send query to database
$query = $dbs->query($sql_string);
```

You have escaped the tableName string. But actually it just appends a backslash \ before ', ", or \. Reference from PHP mysql_real_escape_string. So my POST variable tableName will trigger SQL injection if it does not contain these chars.

Example: tableName = user where 1=0 union select version()--

And also

```php
$table_fields = trim($_POST['tableFields']);
<--striped-->
// explode table fields data
$fields = str_replace(':', ', ', $table_fields);
// set where criteria
$criteria = '';
foreach (explode(':', $table_fields) as $field) {
    $criteria .= " $field LIKE '%$keywords%' OR";
}
// remove the last OR
$criteria = substr_replace($criteria, '', -2);
$sql_string = "SELECT $fields ";
```

The variable tableFields is not sanitized for the SQL query yet. So it'll trigger injection like this

These 2 urls have the same problems

This bug is executable by everyone who has the librarian role (single).
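The root cause in both snippets is that `tableName` and `tableFields` are SQL identifiers, and an escaping function for string literals does nothing for unquoted identifiers. The following is an added example, not code from SLiMS or from the reporter, showing one hardened shape for the same query builder: identifiers are checked against an application-maintained allowlist (the `$schema` array here is a constructed stand-in), and the only free-text value, `$keywords`, is bound as a prepared-statement parameter. The `$dbs` mysqli connection referenced at the end is an assumption based on the report.

```php
<?php
// Added example (not SLiMS code): hardened variant of the search-query builder
// from the report. Table and field names are identifiers, so escape_string()
// cannot protect them; they are checked against an allowlist instead, and the
// only free-text value (keywords) is bound as a prepared-statement parameter.

/**
 * Validate a user-supplied identifier against an allowlist.
 * Returns the backtick-quoted identifier or throws.
 */
function safeIdentifier(string $name, array $allowed): string
{
    // Allowlist membership is the real control; the regex is a second check
    // that the value is a plain identifier with no quoting or whitespace.
    if (!in_array($name, $allowed, true)
        || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException('Rejected identifier: ' . $name);
    }
    return '`' . $name . '`';
}

/**
 * Build the SELECT statement with placeholders. Mirrors the shape of the
 * vulnerable code (fields joined from a ':'-separated list, one LIKE per
 * field) but never interpolates request data into the SQL text.
 *
 * $schema maps allowed table names to their allowed column names. It is
 * assumed to be maintained by the application, never taken from the request.
 *
 * Returns [sql, params] so the caller can bind the values.
 */
function buildSearchQuery(string $tableName, string $tableFields,
                          string $keywords, int $limit, array $schema): array
{
    $tableName = trim($tableName);
    $table = safeIdentifier($tableName, array_keys($schema));
    $allowedFields = $schema[$tableName];

    $fields = [];
    foreach (explode(':', trim($tableFields)) as $field) {
        $fields[] = safeIdentifier(trim($field), $allowedFields);
    }

    // One "col LIKE ?" per field, joined with OR, one bound parameter each.
    $criteria = implode(' OR ', array_map(fn($f) => "$f LIKE ?", $fields));
    $params   = array_fill(0, count($fields), '%' . $keywords . '%');

    // LIMIT is already an int by signature; clamp it to a sane range and emit
    // it as a literal, since not every driver allows binding it.
    $limit = max(1, min($limit, 1000));

    $sql = 'SELECT ' . implode(', ', $fields)
         . " FROM $table WHERE $criteria LIMIT $limit";
    return [$sql, $params];
}

// Constructed allowlist standing in for the application's real schema.
$schema = [
    'member' => ['member_id', 'member_name', 'member_email'],
    'biblio' => ['biblio_id', 'title', 'isbn_issn'],
];

// The payload from the report is rejected before any SQL text is built.
try {
    buildSearchQuery('user where 1=0 union select version()--',
                     'member_name', 'x', 10, $schema);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Legitimate input yields parameterised SQL; the quote in the keyword is
// carried in $params, not in the statement text.
[$sql, $params] = buildSearchQuery('member', 'member_name:member_email',
                                   "o'neil", 20, $schema);
echo $sql, PHP_EOL;

// Execution with mysqli (assumed: $dbs is a mysqli connection, as in SLiMS):
// $stmt = $dbs->prepare($sql);
// $stmt->bind_param(str_repeat('s', count($params)), ...$params);
// $stmt->execute();
```

The allowlist is the control that matters: a regex alone would still accept any existing table the user is not meant to read, while the allowlist restricts the query to the tables and columns the feature is designed to search.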