CodeIgniter Forums
oci8 driver string escaping not working - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forum-6.html)
+--- Forum: Issues (https://forum.codeigniter.com/forum-19.html)
+--- Thread: oci8 driver string escaping not working (/thread-62161.html)



oci8 driver string escaping not working - tykobradyer - 06-14-2015

Hi Guys,

I am using CodeIgniter 2.x connected to an Oracle database. Recently, I found out that when I tried to put a single quote in the user-supplied input to check for an SQLi vulnerability (the login page in my case), there was a database error. I was able to bypass the login using simple SQLi code: `'or 1=1;-- `.

I changed the database config to PostgreSQL and MySQL, and the string escaping worked.

So I checked the core file <my_application>/system/database/drivers/oci8/oci8_driver.php and looked at the escape_str function. It seems that the bug is in the remove_invisible_characters() function used. I tried changing it to pg_escape_string just to test whether the escaping would work, and the escaping really did work.
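To illustrate the gap described above, here is an added example (not CodeIgniter's own oci8 driver code) of what an Oracle escape routine must do beyond stripping invisible characters: double every single quote so user input cannot terminate the quoted literal. The function name, the control-character pattern and the `users` table are assumptions for illustration; the bind-variable version is shown as the preferred alternative.

```php
<?php
// Added example, not CodeIgniter's driver. Shape of an escape_str() for Oracle:
// remove control characters, then double single quotes. Oracle has no
// pg_escape_string()-style function; a literal ' inside '...' is written as ''.
function oracle_escape_str(string $str): string
{
    // Assumed control-character pattern: drop ASCII control bytes (the part a
    // remove_invisible_characters()-style helper already covers).
    $str = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $str);
    // The missing step: a quote in the input must not close the SQL literal.
    return str_replace("'", "''", $str);
}

// Constructed sample: the probe from the post.
$input = "'or 1=1;-- ";

// Unescaped, the quote ends the literal and the rest becomes SQL.
$unsafe = "SELECT * FROM users WHERE username = '" . $input . "'";
// Escaped, the whole input stays inside one string literal.
$safe = "SELECT * FROM users WHERE username = '" . oracle_escape_str($input) . "'";
echo $unsafe, PHP_EOL, $safe, PHP_EOL;

// Preferred fix: bind variables, so the database never parses user input as
// SQL at all. Needs a live connection from oci_connect(); shown for comparison.
function find_user($conn, string $username)
{
    $stmt = oci_parse($conn, 'SELECT * FROM users WHERE username = :username');
    oci_bind_by_name($stmt, ':username', $username);
    oci_execute($stmt);
    return oci_fetch_assoc($stmt);
}
```

Running the top part shows the escaped query as `... WHERE username = '''or 1=1;-- '`, a single closed literal, while the unescaped one carries the `or 1=1` condition into the WHERE clause.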