SQL injection is possible in too many places
Originally reported on Google Code with ID 93
What steps will reproduce the problem?
1. Modify selected get/post variables.
What is the expected output? What do you see instead?
I know that this tool shouldn't be accessible from the public, but come on...
Reported by `decoy113101` on 2012-03-09 20:39:46
Comments (6)
-
``` The problem is not a to-be attack. The problem is when fields contain data that contains SQL characters that are not properly escaped (name fields especially) the whole query will fail or, worse, be unpredictable. ```
Reported by `decoy113101` on 2012-05-10 00:06:30
-
``` I see what you mean. Can you provide an example of SQL injection through modifying a get/post variable? ```
Reported by `diracleo` on 2012-06-02 08:11:43 - Status changed: `Accepted`
-
``` I agree that phpLiteAdmin does a poor job escaping input correctly at several points. This is not a problem of security, as Dane wrote, but rather causes several bugs.
One example would be issue #107: When you create a new table, field names are not escaped properly. This can cause several problems like more columns created than intended or strange types being used. This is fixed in SVN already. There are a lot of other situations like this as far as I can see. But I think we should treat these as individual bugs, just like issue #107. So in case anybody stumbles across any particular situation like this, please open a new issue.
Moreover, to close this issue, we should go through the code and have a look at any SQL-statement where variables are being inserted. There, we should add the proper escaping (using our quote function). ```
Reported by `crazy4chrissi` on 2012-06-02 10:33:01
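A worked illustration of the two failure modes this thread describes: an unquoted field name splitting a CREATE TABLE into more columns than intended (the issue #107 case above) and an unescaped data value breaking an INSERT (the name-field case from the earlier comment). This is an added example written against Python's sqlite3 module, not code from phpLiteAdmin; the `quote_identifier` and `quote_literal` helpers, the table names and the two sample inputs are assumptions made for the example and only model what the thread says the project's quote function is meant to do.

```python
import sqlite3

# Constructed sample inputs (not taken from the thread): a field name and a
# data value that each contain characters SQLite's parser treats specially.
FIELD_NAME = "name TEXT, extra"   # a comma inside what should be one identifier
DATA_VALUE = "O'Brien"            # a single quote inside a string value


def quote_identifier(name):
    """Quote a table/column name for SQLite: double-quote it and double any
    embedded double quote. An assumed stand-in for the quote function the
    thread refers to, not phpLiteAdmin's own code."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    """Quote a string value for SQLite: single-quote it and double any
    embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def column_names(conn, table):
    # PRAGMA table_info takes an identifier, so it is quoted as well.
    rows = conn.execute("PRAGMA table_info(%s)" % quote_identifier(table))
    return [row[1] for row in rows]


def create_table_unquoted(conn, table, field):
    # The issue #107 pattern: the field name is pasted into the statement
    # as-is, so the comma turns it into two column definitions.
    conn.execute("CREATE TABLE %s (%s)" % (table, field))
    return column_names(conn, table)


def create_table_quoted(conn, table, field):
    # The corrected form: the field name is one quoted identifier, comma and all.
    conn.execute("CREATE TABLE %s (%s)"
                 % (quote_identifier(table), quote_identifier(field)))
    return column_names(conn, table)


def insert_raw(conn, table, value):
    # The value is pasted between single quotes; an embedded quote breaks
    # the statement. Returns False instead of raising so the failure is visible.
    try:
        conn.execute("INSERT INTO %s (name) VALUES ('%s')"
                     % (quote_identifier(table), value))
        return True
    except sqlite3.Error:
        return False


def insert_escaped(conn, table, value):
    # Same statement built with quote_literal(); the value survives intact.
    conn.execute("INSERT INTO %s (name) VALUES (%s)"
                 % (quote_identifier(table), quote_literal(value)))
    return conn.execute("SELECT name FROM %s" % quote_identifier(table)).fetchone()[0]


def insert_bound(conn, table, value):
    # Parameter binding: the driver never splices the value into SQL text.
    conn.execute("INSERT INTO %s (name) VALUES (?)" % quote_identifier(table), (value,))
    return conn.execute("SELECT name FROM %s" % quote_identifier(table)).fetchone()[0]


def demo():
    """Run all five cases against an in-memory database and return the results."""
    conn = sqlite3.connect(":memory:")
    results = {
        "unquoted_columns": create_table_unquoted(conn, "t_unquoted", FIELD_NAME),
        "quoted_columns": create_table_quoted(conn, "t_quoted", FIELD_NAME),
    }
    for name in ("people_raw", "people_escaped", "people_bound"):
        conn.execute('CREATE TABLE %s ("name" TEXT)' % quote_identifier(name))
    results["raw_insert_ok"] = insert_raw(conn, "people_raw", DATA_VALUE)
    results["escaped_value"] = insert_escaped(conn, "people_escaped", DATA_VALUE)
    results["bound_value"] = insert_bound(conn, "people_bound", DATA_VALUE)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running `demo()` shows the unquoted CREATE TABLE producing two columns (`name` and `extra`) where one was intended, the quoted version producing a single column whose name is the full string, the raw INSERT failing on the embedded quote, and both the escaped and the bound INSERT storing `O'Brien` unchanged. Identifiers cannot be bound as parameters, which is why the quote function in the thread is still needed for table and column names even where values are bound.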
-
``` Lots of work has been done on this issue now. Check out the SVN version if you'd like to test it: https://phpliteadmin.googlecode.com/svn/source/1.9.3/phpliteadmin.php
I am not 100% sure it is fixed completely now, but a lot of progress has gone into this. I am still working on it, though. ```
Reported by `crazy4chrissi` on 2012-10-06 22:34:44 - Status changed: `Started`
-
``` With version 1.9.3, I declare this issue as "fixed" now. In case I overlooked some place where this is still an issue, please open a new issue with the concrete example. ```
Reported by `crazy4chrissi` on 2012-11-06 15:04:19 - Status changed: `Fixed`
-
``` The tool allows you to write your own custom SQL queries. Anything that can be "injected" through modifying the get/post variables in a guided GUI operation can more easily be injected by just writing a flat-out query. So, honestly, if you're going into the URL and modifying the get variables, you're wasting your time. The tool gives you the full capability to screw up your own database if that's your intention. ```
Reported by `diracleo` on 2012-03-20 22:40:38