Cphalcon: Possible bug: SQL injection in tableExists(), viewExists()
Because table/column/index/etc names are never escaped (and the documentation does not whether it is up to the developer of framework to escape names), it is possible to inject an arbitrary SQL.
For example, for SQLite the following:
$dialect = new Phalcon\Db\Dialect\Sqlite();
echo $dialect->tableExists("test'; DROP TABLE test; SELECT * FROM sqlite_master WHERE '"), "\n";
produces
SELECT CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END FROM sqlite_master WHERE type='table' AND tbl_name='test'; DROP TABLE test; SELECT * FROM sqlite_master WHERE ''
Whil I understand that these methods will almost never (hopefully) interact with untrusted data, it would be nice to make sure that there is no way for Little Bobby Tables out there.
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
ghost
All 4 comments
Or the documentation should be updated to tell that it is user's responsibility to pass sanitized data to those methods (I would, for example, assume that the framework takes care of these — and while for the PHP framework it may be easy to check the source to see what happens, this will be much more difficult for the C extension).
ghost
on 30 Jun 2013
The SQL dialect could return a string with positional placeholders, then execute fetchOne passing the parameters in an array.
phalcon
on 1 Jul 2013
Thank you for contributing to this issue. As it has been 90 days since the last activity, we are automatically closing the issue. This is often because the request was already solved in some way and it just wasn't updated or it's no longer applicable. If that's not the case, please feel free to either reopen this issue or open a new one. We will be more than happy to look at it again! You can read more here: https://blog.phalconphp.com/post/github-closing-old-issues
![stale[bot] picture](https://avatars.githubusercontent.com/in/1724?v=4&s=40)
stale[bot]
on 16 Apr 2018
This method was never designed to be used in areas where code can be injected into the tableExists or viewExists.
The only thing I can do right now is to use the escape method so that the schema and/or table names can be escaped.
The dialect is designed to return the SQL not execute it. It is up to the developer to make sure that the proper placeholders are used.
In 4.x we have plans to revisit the Db layer and offer additional checks for methods like the ones mentioned above.
niden
on 19 Oct 2018
Related issues
dimak08
·
3Comments
masood09
·
4Comments
sharptry
·
3Comments
TimurFlush
·
3Comments
fonqing
·
3Comments
Most helpful comment
This method was never designed to be used in areas where code can be injected into the
tableExistsorviewExists.The only thing I can do right now is to use the
escapemethod so that the schema and/or table names can be escaped.The dialect is designed to return the SQL not execute it. It is up to the developer to make sure that the proper placeholders are used.
In 4.x we have plans to revisit the Db layer and offer additional checks for methods like the ones mentioned above.