SQL Injection in Sample Code #27
The sample model that's provided has a pretty significant SQL injection vulnerability:
https://github.com/volomike/Faster/blob/master/app/_models/Sample/Test.php#L28
That variable must be bound as a parameter, not just included inline in the query...

Comments

I hope you realize that that was just a sample model. It just demonstrates the framework. Of course you'd want to use PDO's bindValue().

And that's a reason to have a vulnerability in your example code? If anything, the example code should be the most bullet-proof out there, since people will base their implementations off it...

@volomike, I hope you realize that this is not how you use PDO's prepared statements.

Okay, I'm incredibly busy guys. You would not believe how busy. I wish Faster were a community project, but so far it isn't yet, although there is definitely an interest in it. I will try to find the time to change this. Yes, yes, and more yes -- I should have made the sample model class not have a SQL injection loophole in it. My bad. I will never ever do that again. I guarantee it.
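The pattern the issue describes, and the fix the thread points at (binding the value with PDO's bindValue() instead of placing it inline in the query), as an added example. This is not the Faster project's code and does not reproduce Test.php; it assumes a PDO handle in `$db`, a `users` table with an integer `id`, and an id that arrives from the request. The in-memory SQLite database is constructed here so the snippet runs on its own.

```php
<?php
// Constructed in-memory database so the example runs offline (assumption: the
// real model talks to whatever PDO driver the application is configured with).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// The shape of the reported defect: untrusted input is interpolated into the
// query text, so the input becomes part of the SQL statement itself instead of
// being treated purely as a value. Kept only to show what the fix replaces.
function findUserInline(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix suggested in the thread: prepare the statement with a placeholder and
// bind the value. The query text reaches the database unchanged and the value
// is delivered separately, so it cannot alter the statement's structure.
function findUser(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validate before binding: reject anything that is not an integer id instead of
// letting the driver coerce it. $_GET['id'] is the hypothetical input source.
$raw = $_GET['id'] ?? '1';
$id  = filter_var($raw, FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

var_dump(findUser($db, $id));
```

Two notes on the design: binding through a prepared statement is the only change the issue asks for, and the input validation in front of it is a separate, cheaper layer that keeps malformed ids from ever reaching the database. With the MySQL driver, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server do the preparation itself; with emulation on, PDO still quotes bound values on the client side, so bindValue() is the correct call either way.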