SQL queries in Redbeanphp
I was trying to execute the following code using RedBeanPHP (which works on top of PHP PDO). The problem is that when I pass in a valid id in a format like "id; DROP TABLE users", if the id matches any id in the database then the result is returned. SQL injection doesn't work, though. I have also tried other injection methods. None of them work. But why is it that I am getting the result even though the id is incorrect? Another thing is that if I add code before the ID, no results come. Any help?
$article = R::getAll('SELECT AVG(rating) FROM reviews WHERE id = ?', array($Id));
// throwing an exception if the query is unsuccessful
if (!$article) {
    throw new Exception();
}
// response message
$arr = array('status' => 'successful', 'message' => 'Reviews found', 'Reviews' => $article);
$app->response()->header('Content-Type', 'application/json');
$msg = json_encode($arr);
$app->response->body($msg);
After doing a lot of research and looking at the RedBeanPHP file, I came across this abs() function that was used when binding parameters. It basically returns the absolute value of any number input. So if you enter abs("11; DROP TABLE users;"), the function converts it to 11.
So this is the reason that, even though invalid input is given (with a valid id preceding it), you are getting a valid result without any SQL injection.
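An added example (not code from the question or from RedBeanPHP itself) showing the defensive side of this: validate the id as a plain integer before binding it, so an input like "11; DROP TABLE users" is rejected instead of being coerced to 11 as the answer describes, and handle the fact that AVG() over zero matching rows still returns one row (with NULL), which is why the `if (!$article)` check in the question never fires. It assumes rb.php is on the include path and uses a throw-away in-memory SQLite database with constructed data.

```php
<?php
// Added example, not code from the question or from RedBeanPHP itself.
// Assumes rb.php (the RedBeanPHP single-file release) is on the include path.
require 'rb.php';

// Throw-away in-memory SQLite database with constructed sample data (assumption:
// any PDO DSN that RedBeanPHP accepts would do the same here).
R::setup('sqlite::memory:');
R::exec('CREATE TABLE reviews (id INTEGER PRIMARY KEY, rating INTEGER)');
R::exec('INSERT INTO reviews (id, rating) VALUES (11, 4), (12, 2)');

/**
 * Average rating for one review id, or null when no such review exists.
 * The id is validated as a plain positive integer before it reaches the
 * query, so "11; DROP TABLE users" is rejected outright instead of being
 * quietly coerced to 11 and returning a result.
 */
function averageRatingForId(string $rawId): ?float
{
    if (!ctype_digit($rawId) || $rawId === '0') {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // AVG() over zero matching rows is NULL but still yields one result row,
    // which is why the question's `if (!$article)` check never fires on a
    // non-empty getAll() array. getCell() returns that single value directly.
    $avg = R::getCell('SELECT AVG(rating) FROM reviews WHERE id = ?', [(int) $rawId]);
    return $avg === null ? null : (float) $avg;
}

var_dump(averageRatingForId('11'));    // existing review
var_dump(averageRatingForId('999'));   // unknown id: null, not an exception
try {
    averageRatingForId('11; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Even without validation, a bound parameter is only ever a value, never SQL:
// the payload is compared against id, and the reviews table still exists.
$rows = R::getAll('SELECT AVG(rating) FROM reviews WHERE id = ?', ['11; DROP TABLE users']);
var_dump(count($rows), R::getCell('SELECT COUNT(*) FROM reviews'));
```

Note that how a numeric column compares against a non-numeric string depends on the database engine, so the validation step, not the engine's coercion rules, is what should decide whether a request is well-formed.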