
Is the query below vulnerable to SQL injection, where $evilInput comes from a GET/POST request?

$this->db->select($evilInput);
$this->db->where($evilInput2, "abc");
$query = $this->db->get($evilInput3);
$count = $query->num_rows();

and

$this->db->where("a=$evilInput");
Danish
  • are you asking if it is as good as using binds or are you asking if the functions escape the data? – Alex Aug 06 '18 at 08:24

1 Answer


I'd like to point out that all these are vulnerable to SQL injection on a default installation of CodeIgniter. The following results have been tested and verified.

1) $this->db->select($evilInput)

Here the input goes after the select keyword.

select evilInput from table_name where column_name = 1;

Here, if my evil input parameter contains something like:

updatexml(null,concat(0x3a,version()),null)-- -

The actual query will become:

select updatexml(null,concat(0x3a,version()),null)-- - from table_name where column_name = 1;

2) $this->db->where($evilInput ,"abc")

Here the input goes into the column name after the WHERE clause.

select * from table_name where evilInput = 1;

CodeIgniter will not escape or filter this input. This can be easily exploited with something like:

1=1 and updatexml(null,concat(0x3a,version()),null)-- -

3) $query = $this->db->get($evilInput3)

Here the input goes into the table name.

select * from evilInput where column_name = 1;

CodeIgniter won't prevent SQL Injection if the user input is something like:

information_schema.tables where 1=1 and updatexml(null,concat(0x3a,version()),null)-- -

4) $this->db->where("a=$evilInput")

This is vulnerable to simple SQL Injection because the input is directly concatenated to the SQL query.

Mukarram Khalid
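A hardened rewrite of the four calls from the question, added here as an example that is not part of the question or the answer: identifiers (select list, where column, table name) are taken from an allow-list and only values are passed to the Query Builder, which escapes them. It assumes a CodeIgniter 3 controller where $this->db is the Query Builder and that the hypothetical users table with the columns listed is the only thing this endpoint may read.

```php
<?php
// Added example (not from the original post): request input never reaches an identifier
// position; it can only select one of the allow-listed names or be bound as a value.
class Report extends CI_Controller
{
    // Hypothetical allow-lists; the only identifiers that may be spliced into SQL text.
    const ALLOWED_TABLES  = array('users');
    const ALLOWED_COLUMNS = array('id', 'email', 'created_at');

    // Map untrusted input to an allow-listed identifier, or reject the request.
    private function pickIdentifier($input, array $allowed)
    {
        // Strict comparison: "0", "id " or "id-- -" are not equal to "id".
        if (!in_array($input, $allowed, true)) {
            show_error('Invalid field or table name', 400);
        }
        return $input;
    }

    public function count()
    {
        // Identifiers come from the allow-list only (cases 1, 2 and 3 of the answer).
        $column = $this->pickIdentifier((string) $this->input->get('column'), self::ALLOWED_COLUMNS);
        $filter = $this->pickIdentifier((string) $this->input->get('filter'), self::ALLOWED_COLUMNS);
        $table  = $this->pickIdentifier((string) $this->input->get('table'),  self::ALLOWED_TABLES);

        // The value is passed as the second argument of where(), so the Query Builder
        // escapes and quotes it, instead of being concatenated as in "a=$evilInput" (case 4).
        $value = (string) $this->input->get('value');

        $this->db->select($column);
        $this->db->where($filter, $value);
        $query = $this->db->get($table);
        $count = $query->num_rows();

        // Same query with explicit query bindings: each ? is replaced by an escaped value,
        // while the identifiers are still the allow-listed strings chosen above.
        $bound = $this->db->query(
            "SELECT {$column} FROM {$table} WHERE {$filter} = ?",
            array($value)
        );

        echo json_encode(array('count' => $count, 'bound_count' => $bound->num_rows()));
    }
}
```

Allow-listing is the only reliable fix for identifiers, because escaping functions are designed for string values, not for column or table names.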