Skip to content


SQL injection #2

tlhunter opened this Issue · 2 comments

1 participant


Column sorting variables should use a switch statement to make sure they're valid.

Just skimming, and e.g.
in: controllers/invoice.php
$data['invoices'] = $this->invoice_model->select_multiple($this->session->userdata('company_id'), $page, $this->pref_user['per_page'], TRUE, $sort_col);
$sort_col appears to be just uri_segment 2 of list_items.
select_multiple() then calls:
$sql = "SELECT id, name, DATEDIFF(NOW(), duedate) AS past_due FROM invoice WHERE company_id = " . $this->db->escape($company_id) . " ORDER BY $sort_col";
$sort_col is left as-is. It is certainly more difficult, since '()' aren't permitted in the uri, and we're already in the ORDER BY clause, but I think it may still be doable to get some blindsql into there.



I'll accept the pull request, however, I think the same issue exists in the other controllers (most of them have a list_items() method).

@tlhunter tlhunter closed this in 501a9d5
@tlhunter tlhunter reopened this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.