Possible SQL Injection
PurHur opened this issue · 4 comments
PurHur commented
How do you want me to report an injection attack?
PurHur commented
I saw that you left a comment but I can't read it :(
mrcrypster commented
Can you please report the issue here?
PurHur commented
The issue is somewhere here: https://github.com/mrcrypster/mysqly/blob/main/mysqly.php#L26
Where the bind values are not escaped and passed into the prepared statement.
You can exploit this if you pass an unescaped $_GET parameter into the method which doesn't contain a single value but an HTTP array, so you can set the keys of that array.
mrcrypster commented
Actually, that foreach generates placeholders in SQL (`$in[] = ":{$k}_{$i}";`) and then uses a prepared statement to pass the actual values, which are escaped automatically by MySQL (`$params[":{$k}_{$i}"] = $sub_v;`).