nette/database

SQL is not properly escaped

Closed this issue · 0 comments

temistokles commented

This issue is present in Nette 2.3.11.

How to reproduce the issue:

  1. Use Nette database
  2. Use MySQL
  3. Use table with non-numeric primary key column named 'id' - in my case varchar(50)
  4. Add some more columns, in my case datetime - validFrom, validTo

Use the following syntax:

$value = $context->table('table')->select('id')->fetch(); //result e.g. [id => 'not escaped']

$context->table('table')->where([
    'id' => $value,
    'validFrom <= ?' => '2016-10-13',
    'validTo >= ?' => '2016-10-13'
])->fetch();

The query gets executed without escaping the value in $value e.g. as:

SELECT ... FROM table WHERE (id not escaped) AND (validFrom <= '2016-10-13') AND (validTo >= '2016-10-13').

Problem obviously being the first parantheses.

Although such usage is not correct (you should not use the whole result, but its field instead), this is pretty hard to debug and has potentially fatal consequences (SQL injection).