#88 MySQL inject issue

1.94
closed
security (1)
1
2013-03-05
2013-03-04
Ed S
No

Found by one of our users:
"I just want to let you know that "Secret Question Answers" inputs aren't being scrubbed before it is inserted into mySQL. An '(apostrophe) will force this error below on the insert, which could make the site prone in some cases: just looking out!"

Database error: Invalid SQL: INSERT INTO c_reg_users VALUES ('', '', 'cxxxxxxx', '', '620bf84a07fc3e9928e46caa7f6795d3', 'Cxxxxxx', 'Bxxxxxxx', 'United States', '', 'xxxxx@xxx.xxxxxx.edu', 0, 'user', '',1362265930, '', '1', '1', '', '', '', '', 'english', 'black', '', '1', ' a apos' breaks this -_- ', '', '', '', '', '1984-10-16', '', '', '')

MySQL error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'breaks this -_-', '', '', '', '', '1984-10-16', '', '', '')' at line 1)

Discussion

  • What version do you use? Latest 1.94-RC2?
    What is the security breach though? I need a code sample so I can test and protect it. Pls contact me directly at ciprianmp at yahoo dot com
    Thank you.

     
  • It should be fixed in the latest published version. Thank you for your report!

     


Anonymous


Cancel   Add attachments