getvivekv / PHP MySQLi Class / issues / #17 - Security of where in update — Bitbucket

Issue #17 resolved

nargotik created an issue 2014-06-04

IF we set where and id is not set or is null

$id = intval($_GET['id']);
$where = array("id"=>$id)

The executed SQL is

UPDATE table SET var='value' WHERE id

and not

UPDATE table SET var='value' WHERE id=''

This will cause update of another row if limit is 1 or of all rows if there is no limit

Comments (3)

nargotik reporter
- edited description
- 2014-06-04T10:07:04+00:00
Vivek N repo owner
Issue confirmed. The best solution possible at this time is to check the values before you pass it to where()
- 2014-09-18T16:19:44+00:00
Vivek N repo owner
- changed status to resolved
Version v1.4 fixes the issue. https://bitbucket.org/getvivekv/php-mysqli-class/commits/tag/v1.4
- 2014-09-21T05:31:48+00:00
Log in to comment

Assignee: –

Type: proposal

Priority: critical

Status: resolved

Votes: 0

Watchers: 2

Jira: the preferred issue tracker for Bitbucket. Join the team!