Lack of parameterized queries allows SQL injection on count-update.php

VERIFIED FIXED

Status

--
critical
VERIFIED FIXED
8 years ago
6 years ago

People

(Reporter: ygjb, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [infrasec:sqlinject][ws:critical], URL)

(Reporter)

Description

8 years ago
Issue
The file count-update.php constructs a dynamic SQL query from validated user-supplied input. In order to prevent SQL injection attacks it is important to use parameterized statements.

Steps to Reproduce
The current version of count-update.php is not exploitable, but the following lines contain a call to mysql_query using a dynamic SQL query.

    $query = "UPDATE $table SET count=count+$grow WHERE id=$id";
    mysql_query($query, $connection) or throwException(mysql_error());
    print "ok";

Recommended Remediation
To prevent this from occurring, implement parameterized queries for each SQL query in the application. For additional guidance, please refer to https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Preventing_SQL_Injection
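As an added illustration of the remediation (this is not the fix that was committed for this bug), the same UPDATE rewritten with PDO prepared statements. The table name cannot be a bound parameter, so it is checked against an allowlist instead; the DSN, credentials, table names and request parameter names are assumptions.

```php
<?php
// Added example (not the fix committed in this bug): count-update.php's
// UPDATE rewritten with PDO prepared statements. DSN, credentials and the
// table allowlist below are assumptions for illustration.
declare(strict_types=1);

// An identifier cannot be bound as a parameter, so the table name is
// checked against a fixed allowlist instead of being interpolated from input.
const ALLOWED_TABLES = ['counters', 'downloads'];  // assumed table names

function updateCount(PDO $db, string $table, int $id, int $grow): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    // $table comes from the allowlist; $grow and $id are bound values, so
    // they are sent to the server as data and never parsed as SQL.
    $stmt = $db->prepare("UPDATE `$table` SET count = count + :grow WHERE id = :id");
    $stmt->bindValue(':grow', $grow, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();  // number of rows updated (0 if id is unknown)
}

// Request handling: a non-numeric id is rejected with an error instead of
// being placed into the query (the behaviour noted in Comment 3).
$id    = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$grow  = filter_input(INPUT_GET, 'grow', FILTER_VALIDATE_INT,
                      ['options' => ['default' => 1]]);
$table = $_GET['table'] ?? 'counters';  // assumed parameter name
if ($id === false || $id === null || $grow === false) {
    http_response_code(400);
    exit('error: id and grow must be integers');
}

$db = new PDO('mysql:host=localhost;dbname=example', 'user', 'secret', [  // assumed DSN
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
]);

updateCount($db, $table, $id, $grow);
print "ok";
```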
(Reporter)

Updated

8 years ago
Whiteboard: [infrasec:sqlinject][ws:critical]

Comment 1

8 years ago
I committed new code that uses PDO.
Please review again.
(Reporter)

Comment 2

8 years ago
SQL injection corrected.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Comment 3

8 years ago
Verified as fixed on staging. Parameterized queries are used; a non-numeric id results in an error message.
Status: RESOLVED → VERIFIED
Group: websites-security
(Assignee)

Updated

6 years ago
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org