Oracle SQL Injection
#1

[eluser]Unknown[/eluser]
Hello, maybe I read the documentation wrong, but I was under the impression that bound variables are safe from SQL injection. For example:

$query = 'SELECT * FROM users WHERE username = ? and password = ?';
$bound_variables = array($username, sha1($password));
$this->db->query($query, $bound_variables);

Should be safe according to the documentation. If I pass:

$username = "' or '1'='1";

as the username, I'm able to log in without a password even using bound variables. Let me know if I'm doing something wrong.
#2

[eluser]WanWizard[/eluser]
Normally it does, but looking at the oci8 driver, it doesn't do more than remove invisible characters.

This might give some tips: http://www.orafaq.com/wiki/SQL_FAQ#How_d...queries.3F.

Maybe you could adapt and test the escape_str() method in the oci8_driver library, and propose your fix to Ellislab.
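To make the difference concrete, here is an added example (written for this thread, not code from CodeIgniter or from either poster). The first half shows what an escape_str() for Oracle has to do when a driver builds the query by substituting each ? with the escaped value, which is the mechanism the oci8 driver's weak escape_str() undermines: an Oracle string literal represents an embedded quote by doubling it, so doubling single quotes is the minimum. The second half avoids client-side escaping entirely by using real Oracle bind variables through PHP's OCI8 extension. Table and column names are taken from the first post; $conn is assumed to be an existing oci_connect() handle, and the function names are my own.

```php
<?php
// Added example, not part of the thread or of CodeIgniter.
// Two ways to handle the username "' or '1'='1" from post #1 safely.

// 1. Client-side escaping, as a ?-substituting binder would need.
//    For Oracle, an embedded single quote is written as two quotes ('it''s'),
//    so the escape routine must at least double every single quote.
function oracle_escape_str(string $str): string
{
    // Drop control characters that could hide inside the literal ...
    $str = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $str);
    // ... then double every single quote so the value stays one literal.
    return str_replace("'", "''", $str);
}

// Builds the query text the way a substituting binder would, quoting the
// escaped values. Only here to make the effect of escaping visible.
function build_literal_query(string $username, string $passwordHash): string
{
    return "SELECT * FROM users WHERE username = '" . oracle_escape_str($username)
         . "' AND password = '" . oracle_escape_str($passwordHash) . "'";
}

// 2. Server-side bind variables through the OCI8 extension.
//    The SQL text never contains user data; Oracle receives the values
//    separately, so a quote in the username cannot change the statement.
//    $conn is assumed to be an existing oci_connect() resource.
function find_user($conn, string $username, string $password)
{
    $sql  = 'SELECT * FROM users WHERE username = :username AND password = :password';
    $stmt = oci_parse($conn, $sql);
    $hash = sha1($password);                 // same hashing as in post #1
    oci_bind_by_name($stmt, ':username', $username);
    oci_bind_by_name($stmt, ':password', $hash);
    if (!oci_execute($stmt)) {
        return false;
    }
    return oci_fetch_assoc($stmt);           // false when no row matched
}

// Demonstration of approach 1 with the exact input from the first post.
$username = "' or '1'='1";
echo build_literal_query($username, sha1('')), "\n";
// The username part of the printed query reads:
//   username = ''' or ''1''=''1'
// i.e. the whole value is one harmless string literal, and the row only
// matches if a user is literally named "' or '1'='1".
```

Approach 2 is the one to prefer in new code: with oci_bind_by_name() there is no escaping step to get wrong, and the statement text stays constant regardless of input. Approach 1 is only as safe as the driver's escape function, which is exactly the weak point this thread is about.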
