
SQL Injection After Order clause #11148

@millancore

Description

  • bug

  • CakePHP Version: 3.1 to 3.5

  • Platform and Target: ORM

What you did

It is possible to execute SQL statements after the "order" clause.
Examples:

    $query = $this->Assets->find('all', array(
        'contain' => array(
            'Attributes' => array(
                'sort' => array(
                    'Attributes.name' => "DESC; UPDATE assets SET name = 'inject' WHERE id = 1"
                )
            )
        ),
        'order' => array(
            'name' => "DESC; UPDATE assets SET name = 'inject' WHERE id = 1"
        )
    ));

What happened

SQL UPDATE executed!

What you expected to happen

I expected that it wouldn't be possible!
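The report shows the ORM passing the sort field and direction through to the generated SQL. The usual application-side defence, independent of any framework fix, is to never hand user-controlled strings to `order`, but to map them onto an allow-list of known column names and the two legal directions first. The following is an added example written for this issue, not code from the reporter or from CakePHP; it assumes a CakePHP 3.x `Table` named `Assets` and that `$params` holds the request's query parameters.

```php
<?php
// Added example (not from the issue or CakePHP): allow-list the sort field and
// direction from untrusted input before anything reaches the ORM's order().
// Assumptions: CakePHP 3.x, a Table $this->Assets, $params = request query args.

/**
 * Build an ORDER BY array for the ORM from untrusted input.
 * Returns e.g. ['Assets.name' => 'DESC'] or throws on anything unexpected.
 */
function safeOrder(array $params, array $allowedFields, string $defaultField): array
{
    $field = (string)($params['sort'] ?? $defaultField);
    $direction = strtoupper((string)($params['direction'] ?? 'ASC'));

    // Reject unknown column names outright; do not try to "clean" them.
    if (!in_array($field, $allowedFields, true)) {
        throw new InvalidArgumentException('Unknown sort field: ' . $field);
    }
    // Only the two literal directions are ever forwarded.
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        throw new InvalidArgumentException('Invalid sort direction');
    }
    return [$field => $direction];
}

// Constructed sample input shaped like the report: the direction carries a
// second statement. It must never be interpolated into the query.
$untrusted = [
    'sort'      => 'Assets.name',
    'direction' => "DESC; UPDATE assets SET name = 'inject' WHERE id = 1",
];

try {
    $order = safeOrder($untrusted, ['Assets.name', 'Assets.created'], 'Assets.name');
} catch (InvalidArgumentException $e) {
    // Log the rejected value for detection purposes and fall back to a fixed default.
    error_log('Rejected sort parameter: ' . $e->getMessage());
    $order = ['Assets.name' => 'ASC'];
}

// Only the validated array is handed to the ORM (hypothetical controller context):
// $query = $this->Assets->find('all')->order($order);
```

The same `safeOrder()` result can be used for the `sort` key inside `contain` for the `Attributes` association; the point is that the value reaching the ORM is always one of a fixed set of strings chosen by the application, never the raw request parameter.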
