
Need expert advice: SQL injection in new component

18 years 6 months ago #13745 by Raj
I'm working on a search component that takes an SQL query as input at the end of the URL...something like:

www.MySite.com?option=com_avatarmatrix?task=show&sqlquery=[whatever]

It outputs a matrix of user avatars. But...does this create an opportunity for SQL injection? In other words, could a mischievous user jigger the sqlquery passed to drop tables, etc.?

I don't know enough about this to know one way or another.

Roger


18 years 6 months ago #13746 by Caspar
Why do you need to send a complete SQL?

Let's say you have this SQL statement:

SELECT name FROM addresses WHERE id=uid

just an example.

Then you could send:

&select=name&from=addresses&where=uid

and then reconstruct the SQL query...

This way you also should be safe from attacks!

Do me a favour and go to www.st-sebastian-beckum.de and click on the green image, which says TOP 50, and vote for the page. Thanks!


18 years 6 months ago #13821 by Raj
By passing the whole query at the end of the URL, you could say...

"Give me a list of all female optometrists in Los Angeles who specialize in dry eye conditions"

...for example.

I don't know how to translate that into an SQL statement, because I'm just starting to learn this.

My question is whether this approach is safe, or whether it exposes the site to SQL injections.

Roger


18 years 6 months ago #13825 by Caspar
If you pass the whole SQL string you of course expose the site to SQL injections. You could change the statement and delete something, add a user or whatever you like.
If you do it the way I proposed, you should be fine.
You also can hide the whole query by using POST instead of GET. I am not sure which one was the right one. Just give it a try.

Do me a favour and go to www.st-sebastian-beckum.de and click on the green image, which says TOP 50, and vote for the page. Thanks!

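Caspar's suggestion of sending `&select=...&from=...&where=...` fragments and reconstructing the query only holds up if each fragment is checked before it is spliced into the statement, since a table or column name pasted straight from the URL is just as injectable as the whole query was. The following is an added illustration of that pattern (not code from the thread or from the component it discusses) using an in-memory SQLite table as a constructed stand-in schema: identifiers are validated against an allowlist and the search value is passed as a bound parameter.

```python
import re
import sqlite3

# Assumed toy schema: which tables a search may touch and which columns each exposes.
ALLOWED = {
    "addresses": {"id", "name", "city"},
}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_query(select, frm, where_col, where_val):
    """Rebuild 'SELECT <col> FROM <table> WHERE <col> = ?' from URL fragments.

    Identifiers cannot be bound parameters, so they are checked against the
    allowlist; the value is bound by the driver, never concatenated."""
    if frm not in ALLOWED:
        raise ValueError(f"table not allowed: {frm!r}")
    cols = ALLOWED[frm]
    for ident in (select, where_col):
        if not IDENT.match(ident) or ident not in cols:
            raise ValueError(f"column not allowed: {ident!r}")
    sql = f"SELECT {select} FROM {frm} WHERE {where_col} = ?"
    return sql, (where_val,)


def search(conn, params):
    """params mimics the parsed query string, e.g. {'select': 'name', 'from': ...}."""
    sql, args = build_query(params["select"], params["from"],
                            params["where"], params["value"])
    return [row[0] for row in conn.execute(sql, args)]


def demo_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addresses (id INTEGER, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO addresses VALUES (?, ?, ?)",
                     [(1, "Alice", "Los Angeles"), (2, "Bob", "Berlin"),
                      (3, "O'Brien", "Dublin")])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search(db, {"select": "name", "from": "addresses", "where": "id", "value": 1}))
```

Because the value is bound, a name containing a quote such as O'Brien is matched literally instead of breaking the statement, and a fragment that is not on the allowlist is rejected before any SQL is built.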

18 years 6 months ago #13828 by Raj
Thanks Caspar, I'll follow your advice. :) I just released a beta of the module in another thread.

I want to turn it into a component, but apparently it's easy to construct the backend interface for a module through the XML setup file, but for a component, you have to build the backend interface through code.

Raj


Powered by Kunena Forum