SQL-Injection Attack for certain configurations

[CShark]

If you allow the '-Character for files (because you have an extensive folder structure already and do not want to change it), you can now inject SQL code using file or folder names.

It would be better to either use SQL parameters or - if that is too big of a refactor - escape all user input before it goes into an SQL statement.

Example config:

$conf['sync_chars_regex'] = '/^[-A-Za-zŽžÀ-ÿ0-9._\' ,)~(]+$/';

Error message:

Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right syntax to use near 
    's 50ter','Burkhard's 50ter','1','3','2,3,20','true','true','public','15'...' 
at line 21 in /volume1/web/include/dblayer/functions_mysqli.inc.php:132

Stack trace:
#0 /volume1/web/include/dblayer/functions_mysqli.inc.php(132): mysqli->query('\nINSERT INTO `...')
#1 /volume1/web/include/dblayer/functions_mysqli.inc.php(550): pwg_query('\nINSERT INTO `...')
#2 /volume1/web/admin/site_update.php(313): mass_inserts('categories', Array, Array)
#3 /volume1/web/admin.php(346): include('/volume1/web/ad...')
#4 {main} thrown in /volume1/web/include/dblayer/functions_mysqli.inc.php on line 132

[erAck]

Note that in include/config_default.inc.php the documentation for $conf['sync_chars_regex'] explicitly states to not add the ' apostrophe character:

// Do not add the ' U+0027 single quote apostrophe character, it WILL make some
// SQL queries fail.

[cmdremily]

I should note that prohibiting apostrophe is NOT how you secure your application against SQL injections.

One should escape and unescape any data wirtten to and read from the database using mysqli.real-escape-string or similar, or by using prepared statements.