Setting where() 3rd parameter false has security issues?
#1

[eluser]loonychune[/eluser]
Hi there,

I'm new to CI, will post my CI powered site in the intros forum once it's up and running..

Just wondering if anyone would please explain what security limitations there are by setting the third parameter of the where() function to false...

e.g.
Code:
$this->db->where('password', 'AES_ENCRYPT("' . $this->input->post("password") . '", @salt)', false);

Is this part of the code,
Code:
$this->input->post("password")
still going to be properly escaped and protected against SQL injection attacks?

My impression from the documentation is that setting to false just stops the second parameter from being placed in quotation marks -- is this a security issue?
#2

[eluser]loonychune[/eluser]
Actually I just SQL injected myself :)

I think setting false in the third parameter does actually get rid of the protection inherent in using the active record class, so I'll have to escape the value manually...

Any thoughts?
#3

[eluser]bretticus[/eluser]
Try setting the second parameter of post() to true.

Code:
$this->db->where('`password` = AES_ENCRYPT("' . $this->input->post("password", TRUE) . '", @salt)', NULL, FALSE);
#4

[eluser]loonychune[/eluser]
Thanks for that, I hadn't looked much at the input class...

However, it's not very helpful in this scenario.

It has no effect on a string like:

Code:
a", 'b') or aes_encrypt("jim", @salt) = aes_encrypt("jim

which will break the SQL query I posted if entered into the password input box.

I guess I should have better known what I wanted to know -- and that's: does setting the third parameter to FALSE in the where() function have the effect of removing backticks AND NOT escaping quotes? The answer is yes.

so it's escape_str() or escape() to clean up before querying
#5

[eluser]bretticus[/eluser]
Actually, if you wanna keep it in the "Active Record family", there is an escape function in CI:
Code:
$this->db->escape();

However, you have platform specific code and AR really isn't necessary in this case. The best way to inject variables into a query is probably query bindings. CI supports them as well:
Code:
$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";

$this->db->query($sql, array(3, 'live', 'Rick'));
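The three approaches this thread ends up comparing (raw concatenation as with where(..., FALSE), escaping before concatenation as in #4, and query bindings as in #5), as an added example that is not code from the thread or from CodeIgniter. It uses plain PDO against an in-memory SQLite database so it runs offline: the users table, the "correct horse" password, the "constructed-salt" value and the lookup* function names are assumptions, and MySQL's AES_ENCRYPT() is replaced by a keyed-hash stand-in registered under the same name, since the cipher plays no part in the injection.

```php
<?php
// Added example, not code from this thread or from CodeIgniter. It rebuilds
// the thread's query three ways on an in-memory SQLite database via PDO so it
// runs offline; AES_ENCRYPT() is MySQL-only, so a keyed-hash stand-in is
// registered under that name (the cipher is irrelevant to the injection).
declare(strict_types=1);

const SALT = 'constructed-salt'; // stands in for the MySQL user variable @salt

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->sqliteCreateFunction('AES_ENCRYPT', function (string $str, string $key): string {
    return hash_hmac('sha256', $str, $key);
}, 2);

$pdo->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, AES_ENCRYPT(?, ?))')
    ->execute(['jim', 'correct horse', SALT]);

// 1. What where('password', 'AES_ENCRYPT("...", @salt)', FALSE) amounts to:
//    the caller's string is dropped into the SQL verbatim, so nothing escapes
//    the quotes in the user's input and it can close the literal and the call.
function lookupUnescaped(PDO $pdo, string $password): array
{
    $sql = "SELECT username FROM users WHERE password = AES_ENCRYPT('"
         . $password . "', '" . SALT . "')";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. The fix from #4: escape() / escape_str() before concatenating.
//    PDO::quote() is the equivalent here; it returns the value already wrapped
//    in quotes with embedded quotes doubled, so the parser sees one literal.
function lookupEscaped(PDO $pdo, string $password): array
{
    $sql = 'SELECT username FROM users WHERE password = AES_ENCRYPT('
         . $pdo->quote($password) . ', ' . $pdo->quote(SALT) . ')';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. The recommendation from #5: query bindings. The SQL text is fixed and the
//    values travel separately, so input can never change the statement shape.
function lookupBound(PDO $pdo, string $password): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE password = AES_ENCRYPT(?, ?)');
    $stmt->execute([$password, SALT]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The thread's test string from #4, re-quoted for this single-quoted query.
// It is nobody's password, so a correct lookup must return no rows.
$probe = "a', 'b') OR AES_ENCRYPT('jim', '" . SALT . "') = AES_ENCRYPT('jim";

foreach ([
    'unescaped' => lookupUnescaped($pdo, $probe),
    'escaped'   => lookupEscaped($pdo, $probe),
    'bound'     => lookupBound($pdo, $probe),
    'bound+ok'  => lookupBound($pdo, 'correct horse'),
] as $label => $rows) {
    printf("%-10s -> %s\n", $label, json_encode($rows));
}
```

Run it with php on any build that has pdo_sqlite enabled and compare the four lines: only the unescaped path lets the probe string reshape the WHERE clause, while the escaped and bound paths treat it as data. The second argument to post() that #3 suggests is CodeIgniter's XSS filter; it is not one of the three paths above because it rewrites HTML and script fragments, not SQL quoting, which is why #4 found it had no effect.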
#6

[eluser]loonychune[/eluser]
Actually got a bit stuck on the idea of using the AR class...

This post makes a good deal of sense -- thank you!
