Issue

The file count-update.php constructs a dynamic SQL query from validated user-supplied input. In order to prevent SQL injection attacks it is important to use parameterized statements.

Steps to Reproduce

The current version of count-update.php is not exploitable, but the following lines contain a call to mysql_query using a dynamic SQL query.

    $query = "UPDATE $table SET count=count+$grow WHERE id=$id";
    mysql_query($query, $connection) or throwException(mysql_error());
    print "ok";

Recommended Remediation

To prevent this from occurring, implement parameterized queries for each SQL query in the application. For additional guidance, please refer to https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Preventing_SQL_Injection
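An added example, not the fix that was committed to count-update.php: the UPDATE above rewritten with PDO prepared statements, with the table name checked against a fixed list because identifiers cannot be bound as parameters. The DSN, credentials and table names are placeholders.

```php
<?php
// Added example (not the committed fix). Connection details are placeholders.
$dsn  = 'mysql:host=localhost;dbname=example_db;charset=utf8mb4';
$user = 'example_user';
$pass = 'example_password';

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
]);

// Table names cannot be bound as parameters, so the table comes from a
// fixed allowlist (hypothetical names) rather than straight from the request.
const ALLOWED_TABLES = ['download_counts', 'page_counts'];

function updateCount(PDO $pdo, string $table, int $id, int $grow): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    // Values are bound as typed parameters; the SQL text never contains
    // request data, so validation of $id and $grow is no longer what
    // stands between the request and the query.
    $stmt = $pdo->prepare("UPDATE `$table` SET count = count + :grow WHERE id = :id");
    $stmt->bindValue(':grow', $grow, PDO::PARAM_INT);
    $stmt->bindValue(':id',   $id,   PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// filter_input returns false for a non-integer value and null when the
// parameter is absent; both cases are rejected before any query runs.
$id    = filter_input(INPUT_GET, 'id',   FILTER_VALIDATE_INT);
$grow  = filter_input(INPUT_GET, 'grow', FILTER_VALIDATE_INT);
$table = $_GET['table'] ?? '';

if (!is_int($id) || !is_int($grow)) {
    http_response_code(400);
    print "error: id and grow must be integers";
    exit;
}

try {
    updateCount($pdo, $table, $id, $grow);
    print "ok";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    print "error: " . $e->getMessage();
}
```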
I committed new code that uses PDO. Please review again.
SQL injection corrected.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Verified as fixed on staging. Parameterized queries are used; a non-numeric id results in an error message.
Status: RESOLVED → VERIFIED
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org