
SQL injection, like `' or 1=1#`, can't seem to be avoided in CodeIgniter.

In my Model:

    $username = $this->input->post('username');
    $password = $this->input->post('password');
    $this->db->where('username', $username);
    $this->db->where('password', $password);
    $query = $this->db->get('users');
    $num = $query->num_rows();
    if ($num == 1) {
        return 'Found.';
    }

I have read that when using Active Record, the input will be automatically escaped. If I input `' or 1=1#` in my password, I will be granted access. I have tried:

1. Query binding, like (making my adaptations to my query):

        $qStr = "SELECT * FROM users WHERE id=?";
        $q = $this->db->query($qStr, array($id));

2. Not using Active Record, rather the PHP `mysqli_real_escape_string()` function.

3. Manually escaping my input:

        $this->db->where('password', $this->db->escape($password));

4. XSS filtering.

Every method still grants me access to my data if I input `' or 1=1#` in my form.

A. Skeja
  • What about prepared statements... can these be used with CodeIgniter? – Dimitris Papageorgiou Nov 10 '15 at 19:28
  • In my opinion this is not a duplicate of that question - it's about XSS. In short: step 1, use the **xss_clean** function; step 2, output escaping, see OWASP. – Kris Lamote Nov 10 '15 at 19:34
  • Yes, I tried those too after I posted, still grants me access. – A. Skeja Nov 10 '15 at 19:34
  • To Fred, I have tried query binding, the equivalent of prepared statements. GRANTED ACCESS! – A. Skeja Nov 10 '15 at 19:39
  • If your attack vector still gets through after xss_clean, then upgrade to the latest CodeIgniter. If you have done that, post a bug report? Or maybe switch to a different framework ;) – Kris Lamote Nov 10 '15 at 19:39
  • When you said "4. XSS Filtering" did you mean you set the global config to true or that you filtered input like this `$username= $this->input->post('username', TRUE);`? – DFriend Nov 10 '15 at 19:40
  • With XSS I meant I set the global config to true, then I also filtered my input with `$username= $this->input->post('username', TRUE);` – A. Skeja Nov 10 '15 at 19:42
  • Time to move to CI version 3.0.x – DFriend Nov 10 '15 at 19:56
  • I have the latest version, downloaded it last week. Could it be something else causing this? – A. Skeja Nov 10 '15 at 20:04
  • @A.Skeja, CI v 3.0.3 was released on 31 Oct so make sure that is what you recently downloaded. There was a fix to an XSS attack vector according to the changelog. – DFriend Nov 11 '15 at 00:01
  • After additional contemplation it's important to remember that XSS and SQL injection are two different exploits. That xss_clean lets `' or 1=1#` pass should not be surprising - that's not an XSS exploit. As long as values are escaped (prepared statements) there isn't a problem sending that string to your DB. It cannot function as a SQL statement if it is escaped. – DFriend Nov 11 '15 at 00:23

0 Answers
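To illustrate the point made in the last comment (a bound or escaped value is data, not SQL), here is an added example that is not code from the question, the comments or CodeIgniter itself. It is plain PHP with PDO against an in-memory SQLite table holding one constructed user; the names `$pdo`, `checkLogin` and the table layout are assumptions. It also separates the password check from the query entirely: the query only looks up the user, and the password is verified in PHP against a `password_hash()` value, so the password never needs to appear in SQL at all. Note as well that CodeIgniter's `where()` escapes its value on its own, so the question's step 3 (passing `$this->db->escape($password)` into `where()`) escapes the value twice and compares the column with a string that includes the added quote characters.

```php
<?php
// Added example (not from the question or CodeIgniter): a login check built on
// PDO prepared statements and password_hash(), run against an in-memory SQLite
// table with constructed sample data. $pdo and checkLogin() are assumed names.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Constructed sample user. The password is stored as a hash, never in plain text.
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(array('alice', password_hash('correct horse', PASSWORD_DEFAULT)));

/**
 * Returns true only when the username exists and the password matches its stored hash.
 * The username is sent as a bound parameter, so whatever the user typed (including
 * "' or 1=1#") is compared literally against the username column and cannot change
 * the structure of the statement.
 */
function checkLogin(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user: no row, no access
    }
    // The password never reaches the database; it is checked in PHP against the hash.
    return password_verify($password, $row['password_hash']);
}

// A correct login, the question's payload as the password, and the payload as both fields.
var_dump(checkLogin($pdo, 'alice', 'correct horse'));
var_dump(checkLogin($pdo, 'alice', "' or 1=1#"));
var_dump(checkLogin($pdo, "' or 1=1#", "' or 1=1#"));

// What escaping does to the payload: it becomes a single quoted string literal,
// which is why an escaped value cannot act as a SQL statement.
echo $pdo->quote("' or 1=1#"), PHP_EOL;
```

Only the first call can succeed, because the other two never find a row whose username column literally equals the typed text, and even a found row still has to pass `password_verify()`. If a CodeIgniter application still grants access with this payload, the cause is somewhere other than the escaping of the bound values: for instance the condition under which access is granted, or the data actually stored in the table.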