SQL injection (security vulnerability)
Easily add a table editor for any table.
Brought to you by: williamconley
It is trivial to perform SQL injection.
Example input data for the search field:
foo ' or 1=1 or '
Resulting value of the $SQL variable:
select * from v_log WHERE id LIKE '%foo ' or 1=1 or '%' order by id desc limit 100
Of course a bad guy would inject something more interesting.
This was tested with SVN r17.
Yep. Our later applications include variable cleansing. When the upgrade for this (to mysqli, among other things) comes up, we'll likely also clean it for injection. In theory, however, this is mostly used for "the boss wants to be able to edit this table ... but we don't want her to have access to the entire system ... so here's a simple way to allow her access to this one table/DB only". Avoiding phpMyAdmin access for the boss. 8-)
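The following is an added illustration, not code from this project or from either poster. It rebuilds the query from the ticket's $SQL variable against an in-memory SQLite copy of v_log (the table's rows and a `msg` column are made up here, since the ticket only shows the `id` column), shows the `' or 1=1 or '` input returning every row, and then shows the parameterised form that the reply's planned mysqli upgrade would make possible. Python's sqlite3 module stands in for PHP/mysqli; the technique is the same: bind the pattern as a parameter, and separately escape `%` and `_`, which prepared statements do not neutralise inside LIKE.

```python
"""Reproduce the injection from the ticket, then show the parameterised fix."""
import sqlite3

# Constructed sample data standing in for the real v_log table (assumption:
# the ticket only names the column `id`; these rows are invented for the demo).
SAMPLE_IDS = ["foo-1", "bar-2", "baz-3", "qux-4"]


def make_db():
    """Create an in-memory v_log table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE v_log (id TEXT PRIMARY KEY, msg TEXT)")
    conn.executemany("INSERT INTO v_log VALUES (?, ?)",
                     [(i, "row " + i) for i in SAMPLE_IDS])
    conn.commit()
    return conn


def vulnerable_sql(search):
    """The string building behind the ticket's $SQL: input spliced into LIKE."""
    return ("select * from v_log WHERE id LIKE '%" + search
            + "%' order by id desc limit 100")


def vulnerable_search(conn, search):
    """Run the spliced query and return the matching ids."""
    return [row[0] for row in conn.execute(vulnerable_sql(search))]


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user input matches literally.

    A bound parameter stops the quote from breaking out of the string, but
    `%` and `_` inside the bound value would still act as wildcards, so a
    search for "%" would otherwise match every row. The escape character is
    doubled first so it cannot be used to un-escape the wildcards.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def safe_search(conn, search):
    """Parameterised version: pattern is bound, never concatenated into SQL."""
    sql = ("SELECT * FROM v_log WHERE id LIKE ? ESCAPE '\\' "
           "ORDER BY id DESC LIMIT 100")
    pattern = "%" + escape_like(search) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    payload = "foo ' or 1=1 or '"
    print("vulnerable, normal input :", vulnerable_search(db, "foo"))
    print("vulnerable, injected     :", vulnerable_search(db, payload))
    print("parameterised, injected  :", safe_search(db, payload))
    print("vulnerable, bare '%'     :", vulnerable_search(db, "%"))
    print("parameterised, bare '%'  :", safe_search(db, "%"))
```

With the injected input the spliced query becomes `id LIKE '%foo ' OR 1=1 OR '%'`, so the `1=1` branch returns all four rows; the parameterised query looks for an id literally containing `foo ' or 1=1 or '` and returns nothing. The bare `%` case is the caveat: binding alone leaves the wildcard live, and only the ESCAPE clause plus `escape_like` makes the search literal.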