SQL-injection in ORDER BY
- opupenko
- Member | 4
Hi!
I discovered the possibility of an SQL injection in
Database/Table/SqlBuilder.php. It is possible through ‘ORDER BY’,
because of insufficient filtering of its parameters.
I understand that developers must always check and escape all parameters, but it
would be cool to have auto-escaping, for example:
preg_replace('/[^a-zA-Z0-9\._\- ]/i', '', $order)
Thanks for your attention.
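The situation described in the post, as an added example that is not code from the thread or from Nette: a query builder that concatenates a caller-supplied ORDER BY fragment, the character filter proposed above ported to Python's re.sub, and an allow-list of sortable columns as the alternative. It is written in Python against an in-memory SQLite table so it runs stand-alone; the users table, its is_admin column, the SORTABLE map and the probe strings are all constructed for this example. It shows why ORDER BY cannot be bound as a parameter, that the character filter does stop a payload that needs parentheses and quotes, but that an expression built only from letters, digits and spaces still lets the caller sort on a column the application never exposed, which an allow-list rejects outright.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data (not from the thread). The id order and the
    # name order deliberately differ so that the ORDER BY used is visible
    # in the result, and is_admin is a column callers must never sort on.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'carol', 0), (2, 'alice', 1), (3, 'bob', 0);
        """
    )
    return conn


def list_users_vulnerable(conn: sqlite3.Connection, order: str) -> list:
    # ORDER BY takes an identifier or expression, not a value, so it cannot
    # be passed as a bound parameter; builders concatenate it instead, and
    # that concatenation is the injection point.
    sql = "SELECT id, name FROM users ORDER BY " + order
    return [row[1] for row in conn.execute(sql)]


def sanitize_chars(order: str) -> str:
    # Python port of the preg_replace suggested in the post.
    return re.sub(r"[^a-zA-Z0-9._\- ]", "", order)


def list_users_filtered(conn: sqlite3.Connection, order: str) -> list:
    return list_users_vulnerable(conn, sanitize_chars(order))


# Hypothetical allow-list: caller-visible sort keys mapped to fixed SQL
# fragments chosen by the application, never taken from the request.
SORTABLE = {"id": "id", "name": "name"}


def list_users_allowlisted(conn: sqlite3.Connection, key: str, descending: bool = False) -> list:
    try:
        column = SORTABLE[key]
    except KeyError:
        raise ValueError(f"not a sortable column: {key!r}") from None
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT id, name FROM users ORDER BY {column} {direction}"
    return [row[1] for row in conn.execute(sql)]


def demo() -> dict:
    conn = make_db()
    # Classic boolean probe: needs parentheses, quotes or '=' and so is
    # mangled into a syntax error by the character filter.
    classic = "CASE WHEN (SELECT is_admin FROM users WHERE id = 2) = 1 THEN id ELSE name END"
    # Probe built only from letters, digits and spaces: survives the filter
    # untouched and sorts the admin row first, leaking is_admin via order.
    leak = "CASE WHEN is_admin THEN 0 ELSE id END"

    results = {
        "plain": list_users_vulnerable(conn, "name"),
        "classic_raw": list_users_vulnerable(conn, classic),
        "leak_raw": list_users_vulnerable(conn, leak),
        "leak_filtered": list_users_filtered(conn, leak),
        "allowlist": list_users_allowlisted(conn, "name", descending=True),
    }
    try:
        list_users_filtered(conn, classic)
        results["classic_filtered_blocked"] = False
    except sqlite3.OperationalError:
        results["classic_filtered_blocked"] = True
    try:
        list_users_allowlisted(conn, leak)
        results["allowlist_rejects"] = False
    except ValueError:
        results["allowlist_rejects"] = True
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The allow-list is the shape most builders end up with: the request selects a key, the application owns the SQL text, and the direction flag is a boolean rather than a string, so nothing from the caller is ever spliced into the statement.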
- Majkl578
- Moderator | 1364
Could you open an issue on GitHub and ideally provide a simple reproduce case as well? Thanks.