mrcrypster/mysqly

Possible SQL Injection

PurHur opened this issue · 4 comments

How do you want me to report an injection attack?

I saw that you left a comment but I can't read it :(

Can you please report the issue here?

The issue is somewhere here: https://github.com/mrcrypster/mysqly/blob/main/mysqly.php#L26, where the bind values are not escaped and are passed into the prepared statement.

You can exploit this if you pass an unescaped $_GET parameter into the method which doesn't contain a single value but an HTTP array, so you can set the keys of that array.

Actually, that foreach generates placeholders in the SQL ($in[] = ":{$k}_{$i}";) and then uses a prepared statement to pass the actual values, which are escaped automatically by MySQL ($params[":{$k}_{$i}"] = $sub_v;).
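An added example, not code from the mysqly repository or from either commenter, showing the placeholder-generation pattern the last comment describes together with a check that any key spliced into the SQL text is a plain identifier; it assumes PDO-style named parameters and a column => value-or-list input shape.

```php
<?php
// Added example (not mysqly's own code). Builds "col IN (:col_0, :col_1, ...)"
// fragments plus the matching bind map, as the comment above describes, and
// refuses keys that are not identifiers, since keys (unlike values) are
// spliced into the SQL string rather than bound by the prepared statement.

declare(strict_types=1);

/**
 * $where maps column name => scalar or list of scalars (assumed input shape).
 * Returns [sql fragment, bind map] for use with a PDO-style prepared statement.
 */
function build_where(array $where): array
{
    $clauses = [];
    $params  = [];
    foreach ($where as $k => $v) {
        // Column and placeholder names end up in the SQL text, so they must be
        // identifiers, not arbitrary strings taken from request input.
        if (!is_string($k) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $k)) {
            throw new InvalidArgumentException(
                'Unsafe column/placeholder key: ' . var_export($k, true)
            );
        }
        if (is_array($v)) {
            $in = [];
            // array_values() re-indexes, so inner keys never reach the SQL.
            foreach (array_values($v) as $i => $sub_v) {
                $in[] = ":{$k}_{$i}";            // placeholder only, never the value
                $params[":{$k}_{$i}"] = $sub_v;  // value goes through binding
            }
            $clauses[] = "`{$k}` IN (" . implode(', ', $in) . ')';
        } else {
            $clauses[] = "`{$k}` = :{$k}";
            $params[":{$k}"] = $v;
        }
    }
    return [implode(' AND ', $clauses), $params];
}

// Constructed input: a scalar condition and a list whose keys are caller-chosen.
[$sql, $params] = build_where(['status' => 'active', 'id' => ['x' => 1, 'y' => 2]]);
echo $sql, "\n";
print_r($params);

// A key that is not an identifier is rejected instead of reaching the SQL text.
try {
    build_where(['a b' => 1]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```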