240    switch ($type) {
241        case 'all':
242            return $this->getAll($sql);
243        case 'keyval':
244            return $this->getKeyValue($sql);
245        case 'assoc':
246            return $this->getAssoc($sql, true);
247        default:
Description
This code is vulnerable to SQL injection because the application receives data from the user or a third-party service and inserts it into a database query without sanitizing it first. It's a critical vulnerability.
What is the potential impact?
The attacker can manipulate user input fields (such as a search bar or login form) to inject malicious SQL code into the backend database. This can allow them to gain unauthorized access to sensitive information, modify or delete data, and even take control of the entire system.
SQL Injection attacks are unfortunately very common, and this is due to two factors:
1. the significant prevalence of SQL injection vulnerabilities, and
2. the attractiveness of the target (i.e., the database typically contains all the interesting/critical data for your application).
It's crucial that you address the vulnerability as soon as possible to prevent any data breaches or unauthorized access.
Steps to Fix
The correct way to avoid SQL injection attacks is to separate the data from SQL, so that data remains just that and can never be interpreted as commands by the SQL parser:
If the code needs a number, change it to a number explicitly
If it's a string, use bind parameters
If it's an enum, double-check that the value is strictly from the enum string object
Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.
Using PDO (for any supported database driver):
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);
foreach ($stmt as $row) {
// Do something with $row
}
Using MySQLi (for MySQL):
Since PHP 8.2 we can make use of mysqli_execute_query() (or mysqli::execute_query()), which prepares, binds parameters, and executes an SQL statement in one method call:
$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);
while ($row = $result->fetch_assoc()) {
// Do something with $row
}
Up to PHP 8.1
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
// Do something with $row
}
If you're connecting to a database other than MySQL, there is a driver-specific second option that you can refer to (for example, pg_prepare() and pg_execute() for PostgreSQL). PDO is the universal option.
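As an added example (not Subrion's own code), the helper below applies the three rules above to a query of the shape the scanner flagged (a MAX(...) over a column, a WHERE filter, and a row limit): table and column names cannot be bound, so they are checked against an allowlist; values travel only as PDO bound parameters; the limit is cast to an integer. The table and column names and the `$pdo` connection are assumed for illustration.

```php
<?php
// Added example, not part of Subrion. Assumes an open PDO connection in $pdo.

final class SafeQuery
{
    // Identifiers (table/column names) cannot be bound as parameters,
    // so they are validated against an explicit allowlist instead.
    private const TABLES  = ['items', 'categories'];
    private const COLUMNS = ['id', 'order', 'title', 'category_id'];

    public function __construct(private PDO $pdo) {}

    private static function ident(string $name, array $allowed): string
    {
        if (!in_array($name, $allowed, true)) {
            throw new InvalidArgumentException("Identifier not allowed: $name");
        }
        return '`' . $name . '`'; // quote reserved words such as `order`
    }

    /** Equivalent of "SELECT MAX(col) FROM table WHERE ... LIMIT n" with bound values. */
    public function maxOf(string $table, string $column, array $where, int $limit = 1): mixed
    {
        $conditions = [];
        $params = [];
        foreach ($where as $col => $value) {
            // $col is allowlisted before it is used in SQL or as a placeholder name
            $conditions[] = self::ident($col, self::COLUMNS) . ' = :' . $col;
            $params[':' . $col] = $value; // user data is bound, never concatenated
        }
        $sql = sprintf(
            'SELECT MAX(%s) FROM %s%s LIMIT %d',
            self::ident($column, self::COLUMNS),
            self::ident($table, self::TABLES),
            $conditions ? ' WHERE ' . implode(' AND ', $conditions) : '',
            max(1, $limit) // numbers are cast to int, never interpolated as strings
        );
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchColumn(); // NULL when the filter matches no rows
    }
}

// Usage: whatever arrives in $_POST['id'] is compared as a literal string value.
$q = new SafeQuery($pdo);
$max = $q->maxOf('items', 'order', ['category_id' => $_POST['id'] ?? '']);
```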
Subrion 4.2.1 is vulnerable to SQL Injection
Vulnerable Line:
SQL Injection has been found. Change this code to no longer construct SQL queries directly from user-controlled data.
Calling method \iaDb,1::getAll(["var"]) in (216) \iaDb,1::_get(["row","MAX(order)","var","var","1"]) that outputs using tainted argument #1 ($sql).
Infected Line: 242
Steps to Reproduce
curl -X POST -d "id=1%E2%80%98%20or%201%3D1--" https://site.com/includes/classes/ia.base.controller.admin.php