[help]possible sqli injection in the codeigniter db core??

[eluser]thebillkidy[/eluser]
Now i don't know if this is a real exploit but when i do a simple db select like this:

$this->connection->select('*')->from($table)->where($column, $value);

then if it's an array then the complete system crashes and allows sql injection?????

now shouldn't this be filtered in the codeigniter core? since the documentation says it automatically checks for known sql injections... but shouldn't there be also a check on the datatype entered??

P.S. when the error is triggered this message appears:

<p>Error Number: 1054</p><p>Unknown column 'Array' in 'where clause'</p><p>SELECT *
FROM (`xxxx`)
WHERE `username` = Array</p><p>Filename: D:\xxxxxxxx\system\database\DB_driver.php</p><p>Line Number: 330</p> </div>

[eluser]CroNiX[/eluser]
How would that let you do an injection? It errors out no matter what the array contains (since mysql doesn't know anything about php arrays). Not sure why CI needs to check to see if your datatypes are correct. If you try to put a string in a date/time field should CI tell you about that too?
The manual doesn't state that the 2nd parameter can be an array.

You can:

Code:

db::where(key, value);

Code:

$values = array(key => value, key2 => value2);
db::where($values);

[eluser]thebillkidy[/eluser]
So then we have to manually check those datatype every time??

[eluser]InsiteFX[/eluser]
You should check and validate all incoming data from a user!

[eluser]skunkbad[/eluser]
The real danger here is that if you're asking a question like this, then you probably do have security vulnerabilities in your app.

[eluser]thebillkidy[/eluser]
Ye i don't really have a security issues it's just that one thing... already filtered it out