
Possible SQL injection

Open bytestream opened this issue 6 years ago • 1 comment

Source: https://github.com/yadakhov/insert-on-duplicate-key/blob/master/src/InsertOnDuplicateKey.php#L207

Example: insertOnDuplicateKey(..., [ 'col' => 'value' ])

This just sticks 'value' straight into the SQL without sanitisation: ON DUPLICATE KEY UPDATE col = value

@yadakhov

bytestream avatar Feb 07 '19 13:02 bytestream
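To make the report concrete, here is an added example (not code from the insert-on-duplicate-key package) that builds the ON DUPLICATE KEY UPDATE clause for a caller-supplied update map in two ways: the interpolating form the issue describes, and a bound form that emits placeholders plus a bindings array. The allow-list of column names is an assumption about what the caller has available.

```php
<?php
// Added example, not the package's code. Both functions take an update map
// like ['col' => 'value'] and produce the trailing clause of an INSERT.

// Pattern described in the issue: each value is interpolated straight into
// the SQL text, so whatever the value contains is parsed as SQL.
function buildUpdateClauseRaw(array $updateMap): string
{
    $parts = [];
    foreach ($updateMap as $column => $value) {
        $parts[] = "`{$column}` = {$value}";
    }
    return 'ON DUPLICATE KEY UPDATE ' . implode(', ', $parts);
}

// Hardened form: every value becomes a ? placeholder with a matching entry
// in the bindings array, so the driver receives it as data, never as SQL.
// Column names cannot be bound, so they are checked against an allow-list
// of the table's known columns (assumed to be supplied by the caller).
function buildUpdateClauseBound(array $updateMap, array $allowedColumns): array
{
    $parts = [];
    $bindings = [];
    foreach ($updateMap as $column => $value) {
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unknown column: {$column}");
        }
        $parts[] = "`{$column}` = ?";
        $bindings[] = $value;
    }
    return ['ON DUPLICATE KEY UPDATE ' . implode(', ', $parts), $bindings];
}

// Constructed input: a value that, if interpolated, reads as a second
// assignment rather than as the single string the caller meant to store.
$update = ['col' => "0, other_col = 1"];

// Raw form: the value is spliced into the clause as SQL text.
echo buildUpdateClauseRaw($update), PHP_EOL;

// Bound form: the clause contains only a placeholder; the value travels
// separately in $bindings and is handed to the driver with the statement.
[$sql, $bindings] = buildUpdateClauseBound($update, ['col', 'other_col']);
echo $sql, PHP_EOL;
var_dump($bindings);
```

Running both side by side shows the difference a reviewer of line 207 would look for: the raw clause changes shape depending on the value, while the bound clause has the same shape for every value.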

Doing some research, it looks like the best solution is to use mysql_real_escape_string: https://stackoverflow.com/questions/6646731/how-does-sprintf-protect-against-sql-injection

I'll add it and do some testing.

yadakhov avatar Apr 25 '19 01:04 yadakhov