thedevdojo / voyager

Voyager - The Missing Laravel Admin
https://voyager.devdojo.com
MIT License

SQL injection in all model bread #4943 (labels: important, task)

Closed mrgiant closed 4 years ago

mrgiant commented 4 years ago

Version information

Description

There is SQL injection in all model bread.

Steps To Reproduce

Steps to reproduce the behavior:

1. Go to /admin/users
2. Add parameters like this: /admin/countries?filter=contains&key=%5C&s=1
3. It displays: SQLSTATE[42S22]: Column not found: 1054 Unknown column '\' in 'where clause' (SQL: select * from countries where \ LIKE %1% order by created_at desc)


emptynick commented 4 years ago

You can do a lot to make Voyager fail, but as long as you cannot manipulate the query to return data you are not allowed to see, I don't consider this a bug or a security concern.

mrgiant commented 4 years ago

It's dangerous to pass the value directly to the query without parameters.

mrgiant commented 4 years ago

I like Voyager so much; we are here to improve it, not to make it fail.

MrCrayon commented 4 years ago

Appreciate any input, but the value is not passed directly to the query; it is passed to the Laravel query builder, which takes care of sanitization. You can join the Voyager Slack group, and if you have any proof that anything can be injected, please contact us there.

mrgiant commented 4 years ago

OK, I understood, but can you at least add validation so that if there is any problem, or any value or column is wrong, it just returns null? That is better than returning an error.

thank you for your great work.
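The exchange above turns on a distinction that the reporter's `key` parameter makes visible: the search value is bound as a query parameter, but a column name is an identifier, and no database driver can bind identifiers, so a query builder has to interpolate it (quoted) into the SQL text. The added example below is not Voyager's or Laravel's code; it is a stand-alone Python/SQLite model of that behaviour written for this thread, with a constructed `countries` table and the hypothetical helpers `search_unquoted`, `search_builder_style` and `search_validated`. It shows three things: an unquoted column name is a real injection; a properly quoted one (as MrCrayon describes the builder doing) cannot change the query's structure but still reaches the parser, which is why the reporter sees the "Unknown column" error; and allowlisting `key` against the table's real columns gives the empty result mrgiant asks for instead of an error.

```python
import sqlite3

# Constructed sample rows, standing in for Voyager's `countries` BREAD table.
SAMPLE_ROWS = [
    ("Germany", "DE"),
    ("Denmark", "DK"),
    ("Spain", "ES"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a small `countries` table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE countries (id INTEGER PRIMARY KEY, name TEXT, code TEXT)")
    conn.executemany("INSERT INTO countries (name, code) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def quote_identifier(name: str) -> str:
    """Wrap a column name in backticks the way a MySQL-style query builder does.
    Embedded backticks are doubled, so the input stays one identifier token and can
    never close the quoting and continue as SQL."""
    return "`" + name.replace("`", "``") + "`"


def search_unquoted(conn, key: str, s: str):
    """Deliberately vulnerable (hypothetical): the column name is dropped into the SQL
    text unquoted. The value is still bound, but `key` rewrites the WHERE clause."""
    sql = f"SELECT name FROM countries WHERE {key} LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (f"%{s}%",))]


def search_builder_style(conn, key: str, s: str):
    """Model of what the issue describes: the value is a bound parameter, the column
    name is interpolated as a quoted identifier. Structure cannot be changed, but an
    unknown column is an error from the database, surfaced to the user."""
    sql = f"SELECT name FROM countries WHERE {quote_identifier(key)} LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (f"%{s}%",))]


def table_columns(conn) -> set:
    """Allowlist source: the real columns of the table, read from the schema.
    The table name is a code constant here, never user input."""
    return {row[1] for row in conn.execute("PRAGMA table_info(countries)")}


def search_validated(conn, key: str, s: str):
    """Hardened form: refuse any `key` that is not an actual column and return an
    empty result instead of letting the database error reach the user."""
    if key not in table_columns(conn):
        return []
    return search_builder_style(conn, key, s)


if __name__ == "__main__":
    db = make_db()
    print(search_builder_style(db, "name", "en"))
    print(search_validated(db, "\\", "1"))
```

The reporter's payload `key=%5C` (a single backslash) makes `search_builder_style` raise `sqlite3.OperationalError` ("no such column"), the SQLite counterpart of MySQL's error 1054 in the report, while `search_validated` returns `[]`. Passing the same kind of payload as the search value does nothing, because `?` binds it as data. The one case that does return rows it should not is `search_unquoted`, which is exactly the situation a builder's identifier quoting prevents.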

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. If you have further questions please ask in our Slack group.