Oracle SQL Injection
[eluser]Unknown[/eluser]
Hello, maybe I read the documentation wrong, but I was under the impression that bound variables are safe from SQL injection. For example:

$query = 'SELECT * FROM users WHERE username = ? and password = ?';
$bound_variables = array($username, sha1($password));
$this->db->query($query, $bound_variables);

should be safe according to the documentation. If I pass:

$username = "' or '1'='1";

as the username, I'm able to log in without a password even using bound variables. Let me know if I'm doing something wrong.
[eluser]WanWizard[/eluser]
Normally it does, but looking at the oci8 driver, it doesn't do more than remove invisible characters. This might give some tips: http://www.orafaq.com/wiki/SQL_FAQ#How_d...queries.3F. Maybe you could adapt and test the escape_str() method in the oci8_driver library, and propose your fix to Ellislab.
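The thread's point is that "binds" which are merely escaped and spliced into the SQL text are only as safe as the escape routine, whereas a real prepared statement keeps the value out of the parsed query altogether. The following is an added example, not code from this thread or from CodeIgniter's oci8 driver: it runs the username value from the question through three variants. It uses PDO with an in-memory SQLite database as a stand-in for Oracle so it runs offline; the `users` table, the row in it, the hypothetical `weak_escape()` (which only strips non-printable characters, modelled on what WanWizard describes rather than on the driver's actual `escape_str()`), `quote_doubling_escape()` and the `interpolate()`/`rows_*()` helpers are all constructed for the example.

```php
<?php
// Added example, not code from the thread or from CodeIgniter's oci8 driver.
// PDO + in-memory SQLite stands in for Oracle so the script runs offline.
// Table, row, payload and all helper functions are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', '" . sha1('correct horse') . "')");

// Hypothetical escape that only strips non-printable characters and leaves the
// single quote untouched (modelled on WanWizard's description of the driver).
function weak_escape(string $s): string {
    return preg_replace('/[\x00-\x1F\x7F]/', '', $s);
}

// Minimal string-literal escaping for Oracle/SQLite: double every single quote,
// so the value can no longer terminate the literal it is placed in.
function quote_doubling_escape(string $s): string {
    return str_replace("'", "''", $s);
}

// Emulated binding: each ? is replaced by the escaped value wrapped in quotes,
// so the value becomes part of the SQL text that the database parses.
function interpolate(string $sql, array $binds, callable $escape): string {
    foreach ($binds as $value) {
        $pos = strpos($sql, '?');
        $sql = substr_replace($sql, "'" . $escape($value) . "'", $pos, 1);
    }
    return $sql;
}

// Number of rows returned when the query is built by interpolation.
function rows_emulated(PDO $pdo, string $sql, array $binds, callable $escape): int {
    $built = interpolate($sql, $binds, $escape);
    return count($pdo->query($built)->fetchAll(PDO::FETCH_ASSOC));
}

// Real binding: the statement is prepared with placeholders and the values are
// sent separately, so they can never change the query's structure.
function rows_prepared(PDO $pdo, string $sql, array $binds): int {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($binds);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$sql     = 'SELECT * FROM users WHERE username = ?';
$payload = "' or '1'='1";   // the username value from the question

// Show the SQL text each escape actually produces, then count the rows.
echo "weak escape SQL:    ", interpolate($sql, [$payload], 'weak_escape'), "\n";
echo "quote doubling SQL: ", interpolate($sql, [$payload], 'quote_doubling_escape'), "\n";

printf("weak escape:    %d row(s)\n", rows_emulated($pdo, $sql, [$payload], 'weak_escape'));
printf("quote doubling: %d row(s)\n", rows_emulated($pdo, $sql, [$payload], 'quote_doubling_escape'));
printf("prepared stmt:  %d row(s)\n", rows_prepared($pdo, $sql, [$payload]));
```

With the weak escape the quote in the value closes the string literal and the trailing `or '1'='1'` becomes part of the WHERE clause, so the lookup matches every row in the table; with quote doubling the same value stays a single (non-matching) literal, and with the prepared statement the database never sees the value as SQL at all. The query is deliberately reduced to a single username lookup so that the effect is visible on its own, independent of how the password half of the original query is evaluated. The `weak_escape()`/`quote_doubling_escape()` pair is also a convenient harness for testing any patched `escape_str()` before proposing it upstream.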