Propel icon indicating copy to clipboard operation
Propel copied to clipboard

Published 20 hours ago verified publisher icon propelorm

SQL Injection is possible on orderBy

Open TacticsJan opened this issue 9 months ago • 2 comments

When passing an orderby to the request there is an SQL Injection vulnerability.

For example /orderby/someTable.SOMEPROPERTY%20WAITFOR%20DELAY%20'0:0:10'-- will effectively delay the query.

I have fixed this in the symfony1 fork our company made ages ago. I will make a PR with my proposed fix for this issue here as well

TacticsJan avatar May 23 '24 13:05 TacticsJan