SQL injection is possible in too many places

Issue #93 resolved
Former user created an issue

Originally reported on Google Code with ID 93

What steps will reproduce the problem?
1. Modify selected get/post variables.

What is the expected output? What do you see instead?
I know that this tool shouldn't be accessible from the public, but come on...

Reported by decoy113101 on 2012-03-09 20:39:46

Comments (6)

  1. Dane Iracleous

    The tool allows you to write your own custom SQL queries. Anything that can be "injected" through modifying the get/post variables in a guided GUI operation can more easily be injected by just writing a flat-out query. So, honestly, if you're going into the URL and modifying the get variables, you're wasting your time. The tool gives you the full capability to screw up your own database if that's your intention.

    Reported by `diracleo` on 2012-03-20 22:40:38

  2. Former user Account Deleted

    The problem is not a to-be attack. The problem is when fields contain data that contains SQL characters that are not properly escaped (name fields especially): the whole query will fail or, worse, be unpredictable.

    Reported by `decoy113101` on 2012-05-10 00:06:30

  3. Dane Iracleous

    I see what you mean. Can you provide an example of SQL injection through modifying a get/post variable?

    Reported by `diracleo` on 2012-06-02 08:11:43 - Status changed: `Accepted`

  4. Christopher Kramer

    I agree that phpLiteAdmin does a poor job of escaping input correctly at several points. This is not a problem of security, as Dane wrote, but rather causes several bugs.

    One example would be issue #107: when you create a new table, field names are not escaped properly. This can cause several problems, like more columns being created than intended or strange types being used. This is fixed in SVN already.

    There are a lot of other situations like this as far as I can see. But I think we should treat these as individual bugs, just like issue #107.

    So in case anybody stumbles across any particular situation like this, please open a new issue.

    Moreover, to close this issue, we should go through the code and have a look at any SQL statement where variables are being inserted. There, we should add the proper escaping (using our quote function).

    Reported by `crazy4chrissi` on 2012-06-02 10:33:01
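The two failure modes named in this thread, a field name that splices extra columns into a CREATE TABLE (comment 4, issue #107) and a data value with an apostrophe that breaks an INSERT (comment 2), shown side by side with the corrected forms. This is an added example written in Python against SQLite; it is not phpLiteAdmin's PHP code and does not use the project's own quote function. The `ALLOWED_TYPES` whitelist, the builder and demo function names, and the constructed inputs (`"name TEXT, sneaky"`, `O'Brien`) are assumptions made for the illustration.

```python
import sqlite3

# Column types accepted from the user; anything else is rejected rather than
# spliced into the statement (an assumption for this example, not phpLiteAdmin's list).
ALLOWED_TYPES = {"INTEGER", "TEXT", "REAL", "BLOB", "NUMERIC"}


def quote_identifier(name):
    """Quote an SQL identifier for SQLite: wrap it in double quotes and double
    any double quote inside it, so the name can never close the quoted span."""
    return '"' + name.replace('"', '""') + '"'


def create_table_unsafe(conn, table, columns):
    """Interpolates raw table and column names (the bug class in this thread).
    columns is a list of (name, type) pairs."""
    cols = ", ".join(f"{name} {ctype}" for name, ctype in columns)
    sql = f"CREATE TABLE {table} ({cols})"
    conn.execute(sql)
    return sql


def create_table_safe(conn, table, columns):
    """Same statement with every identifier quoted and the type checked
    against the whitelist instead of being trusted."""
    for _, ctype in columns:
        if ctype.upper() not in ALLOWED_TYPES:
            raise ValueError(f"unsupported column type: {ctype!r}")
    cols = ", ".join(
        f"{quote_identifier(name)} {ctype.upper()}" for name, ctype in columns
    )
    sql = f"CREATE TABLE {quote_identifier(table)} ({cols})"
    conn.execute(sql)
    return sql


def column_names(conn, table):
    """Column names SQLite actually created, for comparing the two builders."""
    rows = conn.execute(f"PRAGMA table_info({quote_identifier(table)})")
    return [row[1] for row in rows]


def create_and_list(table, columns):
    """Create a table safely in a fresh in-memory database and list its columns."""
    conn = sqlite3.connect(":memory:")
    create_table_safe(conn, table, columns)
    return column_names(conn, table)


def insert_row_unsafe(conn, table, name, value):
    """Interpolates the value into a quoted literal; an embedded quote breaks it."""
    conn.execute(f"INSERT INTO {table} ({name}) VALUES ('{value}')")


def insert_row_safe(conn, table, name, value):
    """Binds the value as a parameter; only the identifiers need quoting."""
    conn.execute(
        f"INSERT INTO {quote_identifier(table)} ({quote_identifier(name)}) VALUES (?)",
        (value,),
    )


def demo_create_table():
    """Constructed input: a field name carrying SQL text, as a user could submit
    it from a create-table form. Returns (unsafe_columns, safe_columns)."""
    columns = [("id", "INTEGER"), ("name TEXT, sneaky", "TEXT")]
    unsafe_conn = sqlite3.connect(":memory:")
    create_table_unsafe(unsafe_conn, "people", columns)   # three columns created
    safe_conn = sqlite3.connect(":memory:")
    create_table_safe(safe_conn, "people", columns)       # two, as requested
    return column_names(unsafe_conn, "people"), column_names(safe_conn, "people")


def demo_insert():
    """Constructed value with an apostrophe: the interpolated INSERT fails with a
    syntax error, the parameterised one stores it. Returns (error_name, stored)."""
    conn = sqlite3.connect(":memory:")
    create_table_safe(conn, "people", [("name", "TEXT")])
    try:
        insert_row_unsafe(conn, "people", "name", "O'Brien")
        error_name = None
    except sqlite3.OperationalError as exc:
        error_name = type(exc).__name__
    insert_row_safe(conn, "people", "name", "O'Brien")
    stored = [row[0] for row in conn.execute('SELECT "name" FROM "people"')]
    return error_name, stored


if __name__ == "__main__":
    print("create table:", demo_create_table())
    print("insert:", demo_insert())
```

The identifier quoting and the parameter binding are two different tools: a bound parameter can only ever be a value, so it cannot be used for a column or table name, which is why the name still has to go through `quote_identifier`. Whitelisting the type keeps a value like `TEXT, extra` out of the statement even after the name is quoted.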

  5. Christopher Kramer
    With version 1.9.3, I declare this issue as "fixed" now.

    In case I overlooked some place where this is still an issue, please open a new issue with the concrete example.

    Reported by crazy4chrissi on 2012-11-06 15:04:19 - Status changed: Fixed
