CodeIgniter
andrey69rus, 2015-04-06 18:55:30

Found sql injection. How to close a hole?

The error

DB error Error
Number: 1064
check the manual that corresponds to your MySQL server version for the right syntax to use near '-5, 5' at line 4
SELECT * FROM (`pages`) ORDER BY `id` desc LIMIT -5, 5
Filename: C:\ OpenServer\domains\shop\system\database\DB_driver.php
Line Number: 331

the code

public function get_bynum($count, $start = 0, $where = FALSE, $single = FALSE) {
    $this->db->order_by("id", "desc");
    $start = $start * $count;
    if ($where && is_array($where)) {
        $this->db->where_in($where);
        $res = $this->db->get($this->table_name, $count, $start, $single);
    }
    else
        $res = $this->db->get($this->table_name, $count, $start, $single);
    return $res->result();
}

GET request with data "%40%40J4U6h"
Help me close the hole)

3 answers
FanatPHP, 2015-04-06
@andrey69rus

I don't see injections here.
But I do see a stupid query builder here, in which there are indeed a million potential holes, both injections and logical errors.
Plus an SQL syntax violation without any injection.
To close this nonsense, you can write
$start = abs($start);
in the get() method, or wherever it passes these parameters further.
But properly, this check should be done in the controller, since it has nothing to do with SQL; this is a problem of data validity. Negative starts should not be corrected; a 404 should be shown for them.
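The controller-side validation FanatPHP describes, written out as an added example (this is not code from the thread or from CodeIgniter itself). The page number is checked before it reaches the model, an invalid value gets a 404 instead of a database error, and the model keeps a second clamp so a negative LIMIT offset cannot be built even if a controller forgets the check. The class and method names are hypothetical; show_404(), $this->input->get(), $this->load->model() and $this->db->get() are CodeIgniter APIs.

```php
<?php
// Added example, not code from the thread. Validates the "page" query
// parameter in the controller (as FanatPHP suggests) and answers 404 for
// anything that is not a non-negative integer, so "-5" or "%40%40J4U6h"
// never reach the LIMIT clause.

/**
 * Accept only an unsigned decimal page number ("0", "1", "42").
 * Returns the page as int, or null for anything else: "-5", "@@J4U6h",
 * "1e3", "", arrays, or a missing parameter.
 */
function parse_page_number($raw)
{
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null;
    }
    // Reject absurdly long digit strings before the int cast could overflow.
    if (strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// Hypothetical controller name.
class Pages extends CI_Controller
{
    const PER_PAGE = 5;

    public function index()
    {
        $raw = $this->input->get('page');   // FALSE (CI2) or NULL (CI3) when absent
        if ($raw === FALSE || $raw === NULL) {
            $raw = '0';                     // first page by default
        }
        $page = parse_page_number($raw);
        if ($page === null) {
            show_404();                     // bad input is a client error, not a DB error
            return;
        }
        $this->load->model('pages_model');
        $rows = $this->pages_model->get_bynum(self::PER_PAGE, $page);
        $this->load->view('pages/list', array('rows' => $rows));
    }
}

// Hypothetical model name. Second line of defence: the offset handed to
// LIMIT is forced to be a non-negative integer regardless of the caller.
class Pages_model extends CI_Model
{
    protected $table_name = 'pages';

    public function get_bynum($count, $start = 0)
    {
        $count = max(1, (int) $count);
        $start = max(0, (int) $start) * $count;
        $this->db->order_by('id', 'desc');
        // get($table, $limit, $offset) builds "LIMIT $start, $count"
        return $this->db->get($this->table_name, $count, $start)->result();
    }
}
```

With this split, the model never has to guess whether a negative or non-numeric offset was a typo or an attack: the controller has already turned it into a 404, and the clamp in the model only matters if some other caller bypasses that check.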

xmoonlight, 2015-04-06
@xmoonlight

regexp handler!

andrey69rus, 2015-04-06
@andrey69rus

Found the solution
if(is_nan($start) == FALSE) $start = 0;
