This repository has been archived by the owner on Jul 31, 2019. It is now read-only.

SQL injection #2

Open
tlhunter opened this issue Jun 19, 2012 · 2 comments · Fixed by #3
@tlhunter
Owner

Column sorting variables should use a switch statement to make sure they're valid.

Just skimming, and e.g.
in: controllers/invoice.php
$data['invoices'] = $this->invoice_model->select_multiple($this->session->userdata('company_id'), $page, $this->pref_user['per_page'], TRUE, $sort_col);
$sort_col appears to be just uri_segment 2 of list_items.
select_multiple() then calls:
$sql = "SELECT id, name, DATEDIFF(NOW(), duedate) AS past_due FROM invoice WHERE company_id = " . $this->db->escape($company_id) . " ORDER BY $sort_col";
$sort_col is left as-is. It is certainly more difficult, since '()' aren't permitted in the uri, and we're already in the ORDER BY clause, but I think it may still be doable to get some blindsql into there.

--mmmooo
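The switch-based allow-list proposed above, written out as an added example (not code from this repository): the sort column and direction taken from the URI are mapped onto known identifiers before they are interpolated into the query quoted in this issue, and anything else falls back to a default instead of reaching the SQL. The column names and the `company_id` bind are assumed from the SELECT in the report; the example is framework-free rather than CodeIgniter model code.

```php
<?php
// Added example, not part of the project. Maps a URI-supplied sort key onto
// a fixed set of invoice columns (assumed from the query quoted in the issue).
function invoice_sort_column($sort_col)
{
    switch ($sort_col) {
        case 'id':
        case 'name':
        case 'duedate':
            return $sort_col;     // literal identifier we control
        case 'past_due':
            return 'past_due';    // alias defined in the SELECT list
        default:
            return 'id';          // anything unrecognised gets the default
    }
}

// The direction is user input too when it comes from the URI; only the two
// keywords are allowed through.
function invoice_sort_direction($dir)
{
    return strtoupper((string) $dir) === 'DESC' ? 'DESC' : 'ASC';
}

// Rebuilds the query from the issue with validated identifiers only. The
// company_id is left as a bound parameter (the original passes it through
// $this->db->escape()); identifiers cannot be bound, hence the allow-list.
function build_invoice_list_query($sort_col, $dir = 'asc')
{
    $col   = invoice_sort_column($sort_col);
    $order = invoice_sort_direction($dir);
    return 'SELECT id, name, DATEDIFF(NOW(), duedate) AS past_due '
         . 'FROM invoice WHERE company_id = ? '
         . "ORDER BY $col $order";
}

// Constructed inputs: a valid sort key, then a value that is not a column.
echo build_invoice_list_query('name', 'desc'), PHP_EOL;
echo build_invoice_list_query('not_a_column', 'sideways'), PHP_EOL;
```

The same helper can be shared by every controller with a `list_items()` method, with the allowed column set passed in per table, so the fix does not have to be repeated by hand in each one.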

@tlhunter
Owner Author

I'll accept the pull request, however, I think the same issue exists in the other controllers (most of them have a list_items() method).

@tlhunter tlhunter reopened this Jul 11, 2012