Add files via upload #32
Conversation
![cycode-security[bot]](https://avatars.githubusercontent.com/in/39308?s=60&v=4){kind=small}
jwr-low.php
Outdated
| // Check database | ||
| $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; | ||
| try { | ||
| $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors |
There was a problem hiding this comment.
❗Cycode: SAST violation: 'Unsanitized external input in SQL query'.
Severity: Critical
Description
Using unsanitized data, such as user input or request data, or externally influenced data passed to a function, in SQL query exposes your application to SQL injection attacks. This vulnerability arises when externally controlled data is directly included in SQL statements without proper sanitation, allowing attackers to manipulate queries and access or modify data.
Cycode Remediation Guideline
✅ Do
- Do validate all external input to ensure it meets the expected format before including it in SQL queries.
$sortingOrder = $_GET['sortingOrder'] === 'DESC' ? 'DESC' : 'ASC';- Do use safe lists to validate external input, if dynamic input is required.
private function validatedTableName($table_name)
{
if in_array($table_name, $ALLOWED_TABLE_NAMES) {
return $table_name
}
// handle invalid table name
}- Do use prepared statements for database queries to separate SQL logic from external input, significantly reducing the risk of SQL injection.
$stmt = $pdo->prepare("SELECT * FROM products WHERE id LIKE ? ORDER BY price {$sortingOrder}");
$stmt->execute(["%{$productId}%"]);- Do escape all external input using appropriate database-specific escaping functions before including it in SQL queries.
$ok = mysqli_real_escape_string($conn, $_GET['ok']);❌ Don't
- Do not include raw external input in SQL queries. This practice can lead to SQL injection vulnerabilities.
$sortingOrder = $_GET['untrusted'];
$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 $sortingOrder;"; // unsafe📋 References
🎥 Learning materials (by Secure Code Warrior)
Tell us what how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_sast_false_positive <reason> | Mark as false positive — applies to this violation only |
| #cycode_ai_remediation | Request remediation guidance using Cycode AI |
| #cycode_sast_ignore_here <reason> | Ignore this violation — applies to this violation only |
There was a problem hiding this comment.
#cycode_ai_remediation
There was a problem hiding this comment.
✅ Cycode is processing your request. This may take up to one minute. Please, wait...
There was a problem hiding this comment.
Vulnerability Explanation
The vulnerability is caused by directly including user input ($id) in the SQL query without proper sanitization. This allows an attacker to manipulate the query and potentially access or modify sensitive data. The issue is evident in the lines where the $query is constructed, specifically: $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";. By using user input directly in the query, the application is exposed to SQL injection attacks.
Remediation Instructions
To fix the vulnerability, we need to use prepared statements to separate the SQL logic from the external input. Here's a step-by-step guide:
- Validate the external input ($id) to ensure it meets the expected format.
- Use a prepared statement to construct the SQL query, leaving a placeholder for the $id variable.
- Bind the $id variable to the prepared statement, ensuring it's treated as a parameter rather than part of the SQL code.
- Execute the prepared statement, which will safely include the $id value in the query.
By following these steps, we can prevent SQL injection attacks and ensure the security of our application.
Suggested Fix
AI Confidence score ✨
🟢 100%
The Cycode AI Confidence Score estimates the quality of the suggested code fix. Please review it carefully before applying.
--- jwr-low.php
+++ jwr-low.php
@@ -1,3 +1,4 @@
+
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
@@ -8,9 +9,11 @@
switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
- $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
+ $stmt = $GLOBALS["___mysqli_ston"]->prepare("SELECT first_name, last_name FROM users WHERE user_id = ?");
+ $stmt->bind_param("i", $id);
try {
- $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors
+ $stmt->execute();
+ $result = $stmt->get_result();
} catch (Exception $e) {
print "There was an error.";
exit;
@@ -29,10 +32,11 @@
case SQLITE:
global $sqlite_db_connection;
- $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
+ $stmt = $sqlite_db_connection->prepare("SELECT first_name, last_name FROM users WHERE user_id = :id");
+ $stmt->bindValue(':id', $id, SQLITE3_INTEGER);
try {
- $results = $sqlite_db_connection->query($query);
- $row = $results->fetchArray();
+ $result = $stmt->execute();
+ $row = $result->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
Tell us what to do with one of the following hashtags:
| Tag | Short Description |
|---|---|
| #cycode_fix_this_violation | Apply the proposed fix |
There was a problem hiding this comment.
| #cycode_fix_this_violation |
|---|
There was a problem hiding this comment.
👍 Cycode has finished processing your request. Please review your status checks.
No description provided.