SQL Injection in Sample Code #27
Comments
|
I hope you realize that that was just a sample model. It just demonstrates the framework. Of course you'd want to use PDO's bindValue(). |
|
And that's a reason to have a vulnerability in your example code? If anything, the example code should be the most bullet-proof out there, since people will base their implementations off it... |
|
@volomike , i hope you realize that this is not how you use PDO's prepared statements. |
|
Okay, I'm incredibly busy guys. You would not believe how busy. I wish Faster were a community project, but so far it isn't yet, although there is definitely an interest in it. I will try to find the time to change this. Yes, yes, and more yes -- I should have made the sample model class not have a SQL injection looophole in it. My bad. I will never ever do that again. I guarantee it. |
The sample model that's provided has a pretty significant SQL injection vulnerability:
https://github.com/volomike/Faster/blob/master/app/_models/Sample/Test.php#L28
That variable must be bound as a parameter, not just included inline in the query...
The text was updated successfully, but these errors were encountered: