doutong1890 2015-06-01 09:39
Accepted

SQL query in RedBeanPHP

I was trying to execute the following code using RedBeanPHP (works on top of PHP PDO). The issue is that when I pass a valid id in a format like "id;DROP TABLE users;", if the id matches any id in the database then the result is returned. Although the SQL injection doesn't work. I tried other methods of injection as well. None of them works. But why is it so that I get the result even though the ID is incorrect? One more thing is that if I add any code in front of the id then results don't come. Any help?

// $Id comes from the request; $app is the (Slim-style) application object
// from the surrounding code, not shown here.
$article = R::getAll('SELECT AVG(rating) FROM reviews WHERE id = ?', array($Id));

// throw an exception if the query is unsuccessful
if (!$article) {
    throw new Exception();
}

// response message
$arr = array('status' => 'successful', 'message' => 'Reviews found', 'Reviews' => $article);
$app->response()->header('Content-Type', 'application/json');
$msg = json_encode($arr);
$app->response->body($msg);

1 answer

  • dtj2ww9500 2015-07-21 04:20

    After a lot of research and going through the RedBean file I came across this abs() function that was being used in binding the parameters. It basically returns the absolute value of any "number" input. So if one enters abs("11;DROP TABLE users;"), the function converts it to 11.

    So, this is the reason that even though an invalid input (with a valid id preceding it) is given, one gets a valid output without any SQL injection.

    This answer was selected as the best answer by the asker.
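The following is an added example, not code from the question, the answer, or RedBeanPHP itself. It reproduces the behaviour the answer describes (a leading-numeric string such as "11;DROP TABLE users;" being coerced to the integer 11 before it is bound, which is why the lookup still matches) using PHP's own `(int)` cast, and shows the fix a practitioner would want: validate the id as a canonical integer before it reaches the query, and bind it with an explicit integer type. It runs on plain PDO with an in-memory SQLite database so it works without RedBeanPHP; the `reviews` table, its columns and the sample rows are constructed for the demo, and the function names are the example's own.

```php
<?php
// Added example. Demonstrates (1) why "11;DROP TABLE users;" still finds id 11
// when the value is numerically coerced before binding, and (2) how to reject
// such input up front. Table, columns and rows are constructed for this demo.

// Weak path: coerce whatever arrives. PHP's (int) cast keeps the leading
// digits and silently discards the rest, so "11;DROP TABLE users;" becomes 11.
// (The answer attributes the same effect to abs() inside the binding code.)
function coerceId(string $raw): int
{
    return (int) $raw;
}

// Hardened path: accept only a canonical positive integer string.
// FILTER_VALIDATE_INT rejects trailing garbage, leading zeros, whitespace and
// non-digits, and returns false instead of guessing a value.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Average rating for one id, as in the question's query, but on plain PDO with
// an explicitly typed integer parameter. Returns null when no rows match.
function averageRating(PDO $pdo, int $id): ?float
{
    $stmt = $pdo->prepare('SELECT AVG(rating) AS avg_rating FROM reviews WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['avg_rating'] === null) {
        return null;
    }
    return (float) $row['avg_rating'];
}

// Constructed fixture: "id" is the reviewed item, so several rows share id 11.
function fixture(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE reviews (id INTEGER NOT NULL, rating REAL NOT NULL)');
    $pdo->exec('INSERT INTO reviews (id, rating) VALUES (11, 4.0), (11, 5.0), (7, 2.0)');
    return $pdo;
}

// Runs both paths against the tampered input and reports what each one does.
function demo(string $raw): array
{
    $pdo = fixture();

    // Coercion: the bound value is 11, so rows for id 11 come back even though
    // the raw input is not a valid id. No injection happens on either path,
    // because the value is always a bound parameter, never SQL text.
    $coerced = coerceId($raw);
    $coercedAvg = averageRating($pdo, $coerced);

    // Validation: the same input is rejected before any query is prepared.
    $validated = validateId($raw);
    $validatedAvg = $validated === null ? null : averageRating($pdo, $validated);

    return [
        'raw'           => $raw,
        'coerced_id'    => $coerced,
        'coerced_avg'   => $coercedAvg,
        'validated_id'  => $validated,
        'validated_avg' => $validatedAvg,
    ];
}

var_dump(demo('11;DROP TABLE users;'));
var_dump(demo('11'));
```

For the tampered string, `coerceId` yields 11 and the average for id 11 is returned, which is exactly the "valid result from an invalid id" the question observed; `validateId` returns null for it, so the query is never run, while the plain `'11'` passes validation and returns the same average. Whichever ORM or driver sits in between, the check belongs before binding: a bound parameter already prevents injection, but it does not tell you that the id you were handed was malformed.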
