• Resolved awijasa

    (@awijasa)


    Hello,

I found a telltale sign of SQL-injection-prone code in /erp/includes/functions-people.php > erp_get_peoples. However, based on my testing it’s probably secure. I want to bring it up just to make sure that it’s indeed secure.

    Here is the line of code I was concerned about in erp_get_peoples:

    $type_sql = ( $type != 'all' ) ? "and name = '" . $type ."'" : '';

    I thought that I could pass in anything into $type since it’s available on Accounting > Sales > Payment.

    To manipulate the value being passed into $type, I ran this code:

    jQuery( "#erp-ac-select-user-for-assign-contact" ).data( "type", "customer' and people.id = '2" )

However, when I tested the $final_query value, it was correctly escaped even though you don’t use $wpdb->prepare or any other SQL Injection mitigation technique that I am aware of. Here is what I got as the $final_query value:

    and name = 'customer\' and people.id = \'2'

    So, I am curious about what you did to escape the $type variable.

    Thanks,

    @awijasa

    • This topic was modified 7 years, 5 months ago by awijasa.


  • Thread Starter awijasa

    (@awijasa)

    Hello,

    I think the AJAX requests are escaping the args. So, args that reach functions-people.php are never unescaped. Please confirm that this is indeed the case and that only AJAX requests can reach functions-people.php and mitigate the SQL Injection risks.

    Since args are being escaped by AJAX, there is a side effect. If I enter a Customer with Last Name: O’Brien, after creation his last name will be O\’Brien in the system.

    Steps to reproduce:
    1. Open /wp-admin > Accounting > Customers > Add New
    2. Enter First Name: Conan, Last Name: O’Brien, Email: [email protected]
    3. Click Add Customer
    4. The new Customer’s name on the list will be Conan O\’Brien instead of Conan O’Brien

    Workaround:
    Replace $main_fields[$key] = $value; in functions-people.php with:

    // Only string values carry the added backslash; undo it before the value is stored.
    if( is_string( $value ) ) {
    	$main_fields[$key] = str_replace( "\'", "'", $value );
    }
    else {
    	$main_fields[$key] = $value;
    }

    Replace $meta_fields[$key] = $value; in functions-people.php with:

    // Same treatment for the meta fields: strip the backslash from string values only.
    if( is_string( $value ) ) {
    	$meta_fields[$key] = str_replace( "\'", "'", $value );
    }
    else {
    	$meta_fields[$key] = $value;
    }

    Please let me know if you have any questions.

    Thanks,

    @awijasa

    • This reply was modified 7 years, 5 months ago by awijasa.
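The double-escaping described in the reply above, and the escaping the first post noticed on $type, both come from the same step: WordPress runs addslashes() over request data before any plugin code sees it. The following is an added example, not code from the WP ERP plugin or from the poster; it assumes that request-level addslashes() is what produced the O\'Brien value, and the function names and sample fields are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Stand-in for what WordPress does to $_GET/$_POST on every request (wp_magic_quotes):
// each string value passes through addslashes(), so ' " and \ arrive escaped.
// This is the assumption behind the example; the plugin's own code is not shown here.
function simulate_wp_magic_quotes(array $request): array {
    return array_map(function ($v) { return is_string($v) ? addslashes($v) : $v; }, $request);
}

// The workaround posted above: undoes only \' and leaves \" and \\ in the stored value.
function workaround_unslash(array $fields): array {
    return array_map(function ($v) { return is_string($v) ? str_replace("\\'", "'", $v) : $v; }, $fields);
}

// Full reversal of addslashes(): stripslashes(), which is what WordPress's own
// wp_unslash() / stripslashes_deep() apply to request data before it is stored.
function proper_unslash(array $fields): array {
    return array_map(function ($v) { return is_string($v) ? stripslashes($v) : $v; }, $fields);
}

// Constructed sample record: the O'Brien case from the thread plus two field values
// (a double quote and a Windows path) that the str_replace workaround does not repair.
$submitted = [
    'first_name' => 'Conan',
    'last_name'  => "O'Brien",
    'company'    => 'Acme "Holdings"',
    'notes'      => 'C:\\temp\\file',
];
$as_received = simulate_wp_magic_quotes($submitted);

foreach (['workaround_unslash', 'proper_unslash'] as $fn) {
    $restored = $fn($as_received);
    $verdict  = ($restored === $submitted) ? 'restores every field' : 'leaves damaged fields';
    echo "$fn: $verdict\n";
    foreach ($restored as $field => $value) {
        echo "  $field => $value\n";
    }
}
```

Because the slashes are added by the request layer rather than by the query code, the $type clause should still be built with $wpdb->prepare( "and name = %s", wp_unslash( $type ) ) instead of string concatenation, so the query stays correct regardless of how the value reaches erp_get_peoples.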
  • The topic ‘How do you mitigate SQL injection?’ is closed to new replies.