CX SQL_Injection @ website/pictures/conflict.php [master]

[vish07]

SQL_Injection issue exists @ website/pictures/conflict.php in branch master

Method <?php at line 1 of website\pictures\conflict.php gets user input from the _GET element. This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a database query in method create_picture at line 144 of website\include\pictures.php. This may enable an SQL Injection attack.

Severity: High

CWE:89

Vulnerability details and guidance

Checkmarx

Lines: 16 25

---

Code (Line #16):

$conflict = Pictures::get_conflict($_GET['conflictid'], $user['id']);

---

Code (Line #25):

   $id = Pictures::delete_conflict($_GET['conflictid'], $_POST['choice'][0]);

---

[vish07]

Issue still exists.

[vish07]

Issue still exists.