SQL queries in Redbeanphp

I was trying to execute the following code using redbeansphp (works at the top of the php pdo). The problem is that when I pass in a valid id in the format like: "id; DROP TABLE users"; if the id matches any id in the database then the result is returned. SQL injection doesn't work though. I have also tried other injection methods. None of them work. But why is it that I am getting the result even though the id is incorrect. Another thing is that if I add code before the ID, no results come. Any help?

    $article = R::getAll( 'SELECT AVG(rating) FROM reviews WHERE id = ?', array($Id));

    // throwing an exception if the query is unsuccessful
    if (!$article) {
        throw new Exception();
    }

    // response message
    $arr = array('status' => 'successful', 'message' => 'Reviews found', 'Reviews' => $article);
    $app->response()->header('Content-Type', 'application/json');
    $msg = json_encode($arr);
    $app->response->body($msg);

1 answer


After doing a lot of research and looking at the redbeans file, I came across this abs() function that was used when binding parameters. It basically returns the absolute value of any number input. So if you enter abs("11; DROP TABLE users;"), the function converts it to 11.



So, this is the reason that even though invalid input is given (with a valid id preceding it), you are getting a valid result without any SQL injection.

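An added example (not from the question, the answer, or RedBeanPHP itself) that reproduces the effect the answer describes with plain PDO and an in-memory SQLite table, then shows an up-front id check that rejects such input instead of silently truncating it. It assumes pdo_sqlite is available; the table, rows and the validateId() helper are constructed here.

```php
<?php
// Added example, not RedBeanPHP's own code. The reviews table and its rows
// are constructed here so the script runs offline (requires pdo_sqlite).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE reviews (id INTEGER PRIMARY KEY, rating INTEGER)');
$pdo->exec('INSERT INTO reviews (id, rating) VALUES (11, 4), (12, 2)');

$raw = '11; DROP TABLE users';

// 1. PHP's numeric-string coercion keeps the leading digits and drops the
//    rest. abs() on this string returns 11 (PHP 8 emits E_WARNING
//    "A non-numeric value encountered", PHP 7 an E_NOTICE, but both proceed).
//    That warning is worth logging: it is the only trace of the junk input.
$coerced = abs($raw);
var_dump($coerced);                          // int(11)

// 2. A prepared statement binds the value as data, never as SQL. The coerced
//    id matches row 11; the raw string is text and matches no integer id.
$stmt = $pdo->prepare('SELECT AVG(rating) AS avg_rating FROM reviews WHERE id = ?');

$stmt->execute([$coerced]);
var_dump($stmt->fetchColumn());              // 4.0: the rating of id 11

$stmt->execute([$raw]);
var_dump($stmt->fetchColumn());              // NULL: AVG over zero rows

// 3. Validate the id before it reaches the query so malformed input fails
//    loudly rather than being truncated to some other record's id.
function validateId(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

try {
    validateId($raw);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;          // id must be a positive integer
}
var_dump(validateId('11'));                  // int(11)
```

Note that the question's query always returns one row (AVG over no matches yields NULL), so a check like `if (!$article)` never fires; validating the id first is what distinguishes a bad request from an id that simply has no reviews.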