Closed mrgiant closed 4 years ago
You can do a lot to make Voyager fail, but as long as you cannot manipulate the query to return data you are not allowed to see, I don't consider this a bug or a security concern.
It's dangerous to pass the value directly to the query without parameters.
I like Voyager so much; we are here to improve it, not to make it fail.
Appreciate any input, but the value is not passed directly to the query; it is passed to the Laravel query builder, which takes care of sanitization. You can join the Voyager Slack group, and if you have any proof that anything can be injected, please contact us there.
OK, I understood, but can you at least add validation that makes sure that if there is any problem, or any value or column is wrong, it just returns null? That is better than returning an error.
Thank you for your great work.
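The following is an added example, not Voyager's or Laravel's own code. It uses Python and an in-memory SQLite table (constructed; the report is against MySQL, but backtick-quoted identifiers and LIKE behave the same for this purpose) to show the two things the posts above turn on: the search term `s` is bound as a query parameter, so it cannot alter the statement, while an unvalidated column name `key` is spliced into the statement as an identifier and reaches the database, where an unknown column produces the error the report shows. The `search_checked` function is the requested hardening: it allow-lists the column and the filter operator and returns None instead of letting the database error through. The table name, column names, filter names and row data are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for Voyager's `countries` table (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE countries (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO countries (name, created_at) VALUES (?, ?)",
        [("Argentina", "2020-01-01"), ("Brazil", "2020-01-02"), ("Chile", "2020-01-03")],
    )
    return conn


# filter name -> (SQL operator, how the user's search term becomes the bound value)
# The "contains" filter mirrors the ?filter=contains&s=... parameters in the report;
# "equals" is an assumed second operator to show the allow-list covering more than one.
FILTERS = {
    "contains": ("LIKE", lambda term: "%" + term + "%"),
    "equals": ("=", lambda term: term),
}


def quote_ident(name):
    """Backtick-quote an identifier (MySQL style; SQLite accepts the same syntax)."""
    return "`" + name.replace("`", "``") + "`"


def search_unchecked(conn, column, filt, term):
    """Mirrors the behaviour in the report: the term is bound as a parameter, so it cannot
    change the statement, but the column name is spliced in as an identifier with no check
    that it exists.  An unknown column (for example `\\`, i.e. key=%5C) therefore reaches
    the database and raises an error instead of returning no rows."""
    op, to_value = FILTERS[filt]
    sql = "SELECT * FROM `countries` WHERE {} {} ? ORDER BY `created_at` DESC".format(
        quote_ident(column), op
    )
    return conn.execute(sql, (to_value(term),)).fetchall()


def search_checked(conn, column, filt, term):
    """Hardened variant: allow-list the column against the live schema and the filter
    against the known operators; anything else yields None before the database is asked."""
    allowed = {row[1] for row in conn.execute("PRAGMA table_info(countries)")}
    if column not in allowed or filt not in FILTERS:
        return None
    return search_unchecked(conn, column, filt, term)


def error_for(conn, column, filt="contains", term="1"):
    """Return the database error message the unchecked query raises for this column, or None."""
    try:
        search_unchecked(conn, column, filt, term)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    # The reported request: key=%5C (a lone backslash) as the column name.
    print(error_for(db, "\\"))                                      # no such column: \
    # A classic injection payload in the bound term does nothing: no rows match it.
    print(search_unchecked(db, "name", "contains", "' OR 1=1 --"))   # []
    # The hardened version rejects the bad column up front.
    print(search_checked(db, "\\", "contains", "1"))                 # None
    # A normal search still works and honours the ORDER BY.
    print(search_checked(db, "name", "contains", "il"))             # Chile, Brazil
```

Two things are worth noting when reading this against the thread. The bound term really is inert: even `' OR 1=1 --` is compared as a literal string, which is what the maintainer's reply relies on. The column name, however, is never a bound parameter in any SQL driver, so the only defences are identifier quoting (which turns a malicious name into an unknown column, as seen in the report) and an allow-list, which is what turns the 1054 error into a clean empty result.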
This issue has been automatically locked since there has not been any recent activity after it was closed. If you have further questions please ask in our Slack group.
Version information
Description
There is SQL injection in all model BREAD.
Steps To Reproduce
Steps to reproduce the behavior:
1- Open the link /admin/users
2- Add parameters like this: /admin/countries?filter=contains&key=%5C&s=1
3- It displays: SQLSTATE[42S22]: Column not found: 1054 Unknown column '\' in 'where clause' (SQL: select * from `countries` where `\` LIKE %1% order by `created_at` desc)
Additional context