× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
SQL injection

after searching online for DB class SQL injection, DB class seems like safe from SQL injection perspective. Have anybody more experiences about this?

BTW I also foundĀ [[[OLD EXPLOIT LINK HERE]]] I don't realy understand everything on this site but I posted anyway.

Hi Jakob. I deleted your link to that exploit. While I appreciate the person sharing that exploit, the user needed admin access to do it. With admin access, you generally have full run of the database, so we don't really consider that an exploit. We did, however, work with that whitehat guy to close the hole.

PDO (the system userspice uses to interact with the database) is extremely resistant to SQL injection. There are 2 major things that are responsibility of the coder to do.
1. Never put $_POST data in the DB unsanitized. Usually the best way to do this is instead of doing $_POST['username'] do Input::get('username')

2. Never use POST or GET data in the db unbound. In other words, instead of doing
$username = Input::get('username');
$db->query("SELECT * FROM users WHERE username = $username");
$db->query("SELECT * FROM users WHERE username = ?",array($username));

Those two things will keep you very very safe overall.

The only other thing I can say is if you want the logged in user's id, don't do something like a hidden input with the user id in it. Especially if it is a user-facing feature. Do something like $id = $user->data()->id when processing $_POST
Hi mudmin,

great, thank you. Seems like I'm on the safe side.

Regards, Jakob

Forum Jump:

Users browsing this thread: 1 Guest(s)