SQL injection attack possiblity #3

toddejohnson · 2016-04-13T14:06:25Z

There's a SQL Injection possiblity because $_GET['report'] isn't validated to be numeric or escaped.

echo tmpl_page( ""
    .tmpl_reportList($allowed_reports)
    .tmpl_reportData( (isset($_GET["report"]) ? $_GET["report"] : false ), $allowed_reports )
);
if (!$reportnumber) {
    return "";
}
$sql = "SELECT * FROM rptrecord where serial = $reportnumber";

I'd suggest adding validation:

if(isset($_GET['report']) && is_numeric($_GET['report'])){
        $reportid=$_GET['report'];
}elseif(!isset($_GET['report'])){
        $reportid=false;
}else{
        die('Invalid Report ID');
}
// Generate Page with report list and report data (if a report is selected).
echo tmpl_page( ""
        .tmpl_reportList($allowed_reports)
        .tmpl_reportData( $reportid, $allowed_reports )
);

Patch attached.
dmarcts-report-viewer.txt

The text was updated successfully, but these errors were encountered:

techsneeze · 2016-04-13T18:03:00Z

Thanks for the suggestion and the patch! The patch has been applied and posted!

a bit fancy stuff and make domain selectable

techsneeze added a commit that referenced this issue Apr 13, 2016

Added patch provided in Issue #3

64ddc06

techsneeze closed this as completed Apr 13, 2016

techsneeze pushed a commit that referenced this issue Oct 2, 2017

Merge pull request #3 from lwt-pressy/beautyfy

a747293

a bit fancy stuff and make domain selectable

spadazza mentioned this issue Sep 1, 2023

report page crash on loading large xml #91

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL injection attack possiblity #3

SQL injection attack possiblity #3

toddejohnson commented Apr 13, 2016

techsneeze commented Apr 13, 2016

SQL injection attack possiblity #3

SQL injection attack possiblity #3

Comments

toddejohnson commented Apr 13, 2016

techsneeze commented Apr 13, 2016