Closed Bug 623979 Opened 14 years ago Closed 14 years ago

Lack of parameterized queries allows SQL injection on count-update.php

Categories

(www.mozilla.org :: General, defect)

defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: ygjb, Unassigned)

Details

(Whiteboard: [infrasec:sqlinject][ws:critical])

Issue 
The file count-update.php constructs a dynamic SQL query from validated user-supplied input. In order to prevent SQL injection attacks it is important to use parameterized statements.

Steps to Reproduce
The current version of count-update.php is not exploitable, but the following lines contain a call to mysql_query using a dynamic SQL query.
    $query = "UPDATE $table SET count=count+$grow WHERE id=$id";
    mysql_query($query, $connection) or throwException(mysql_error());
    print "ok";


Recommended Remediation
To prevent this from occurring, implement parameterized queries for each SQL query in the application. For additional guidance, please refer to https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Preventing_SQL_Injection
Whiteboard: [infrasec:sqlinject][ws:critical]
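The following is an added example written for this page, not the count-update.php that was committed as the fix. It places the dynamic query quoted in the report beside a PDO prepared-statement version of the same UPDATE, and shows why the table name has to be handled separately: PDO can bind values, not identifiers. The table names in the allowlist, the use of an in-memory SQLite database, and the function names are assumptions for the demonstration.

```php
<?php
// Added example, not the committed fix: the dynamic UPDATE from the bug report
// next to a PDO prepared-statement version. Table names, the SQLite DSN and the
// helper names are assumed for illustration only.

// Vulnerable pattern quoted in the report: every value is spliced into the SQL text.
function buildDynamicQuery(string $table, string $grow, string $id): string
{
    return "UPDATE $table SET count=count+$grow WHERE id=$id";
}

// Identifiers (table names) cannot be bound as parameters, so the table is checked
// against a fixed allowlist instead of being taken from the request.
const ALLOWED_TABLES = ['download_counts', 'page_counts']; // assumed names

// Hardened version: integer validation up front, then a prepared statement with
// bound values. The binding is what stops injection; the validation is defense in
// depth and gives a clean error instead of a database error.
function updateCount(PDO $db, string $table, $grow, $id): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $growInt = filter_var($grow, FILTER_VALIDATE_INT);
    $idInt   = filter_var($id, FILTER_VALIDATE_INT);
    if ($growInt === false || $idInt === false) {
        throw new InvalidArgumentException('grow and id must be integers');
    }

    $stmt = $db->prepare("UPDATE $table SET count = count + :grow WHERE id = :id");
    $stmt->bindValue(':grow', $growInt, PDO::PARAM_INT);
    $stmt->bindValue(':id', $idInt, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demonstration against an in-memory SQLite database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE download_counts (id INTEGER PRIMARY KEY, count INTEGER NOT NULL)');
$db->exec('INSERT INTO download_counts (id, count) VALUES (1, 10), (2, 20)');

// Constructed injection payload supplied as the "id" request value.
$payload = '1 OR 1=1';

// Dynamic query: the payload becomes part of the WHERE clause and matches every row.
echo buildDynamicQuery('download_counts', '1', $payload), "\n";

// Prepared-statement path: the payload is rejected before any SQL is built.
try {
    updateCount($db, 'download_counts', '1', $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A legitimate call updates exactly one row.
echo "rows updated: ", updateCount($db, 'download_counts', '1', '1'), "\n";
foreach ($db->query('SELECT id, count FROM download_counts ORDER BY id') as $row) {
    echo "id={$row['id']} count={$row['count']}\n";
}
```

Against MySQL, the driver the original file used, set PDO::ATTR_EMULATE_PREPARES to false on the connection so the statement is prepared server-side rather than having PDO interpolate quoted values client-side; the bound values are kept out of the SQL text either way. The allowlist for $table is the part most easily forgotten: a prepared statement does nothing for an identifier that still arrives by string interpolation.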
I committed new code that uses PDO.
Please review again.
SQL injection corrected.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified as fixed on staging. Parameterized queries are used; a non-numeric id results in an error message.
Status: RESOLVED → VERIFIED
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org