jQWidgets Forums
jQuery UI Widgets › Forums › Grid › SQL injection weakness in PHP filter example
Tagged: jqgrid, php, SQL Injection, Virtual paging
This topic contains 6 replies, has 3 voices, and was last updated by Peter Stoev 9 years, 7 months ago.
Hi JQWidgets!
I use PDO to build prepared SQL statements for my database queries. I’ve been experimenting with building JQGrid into a view and have the need to bind my large SQL based result set using virtual paging. I decided that adding filtering would be a good idea to aid in parsing through thousands of results, but as I was implementing it using your demo source located here:
I noticed that you’re reading $_GET parameters directly into a variable and then concatenating those results into your query and executing them without PHP’s addslashes(). It seems to me that anyone copy-pasting your demo source to implement your filters for virtual paging would be opening themselves up to SQL injection attacks. Do you agree?
I modified the section of code where you’re populating your variable as follows, and I believe that this will remove the security issue:
// get the filter's value.
$filtervalue = addslashes($_GET["filtervalue" . $i]);
// get the filter's condition.
$filtercondition = addslashes($_GET["filtercondition" . $i]);
// get the filter's column.
$filterdatafield = addslashes($_GET["filterdatafield" . $i]);
// get the filter's operator.
$filteroperator = addslashes($_GET["filteroperator" . $i]);
Finally, your forums are a great resource, and you're very good at responding to questions with answers. I really wish there was some sort of search functionality for the thousands of threads in your forum, as flipping through page by page looking for an answer seems impractical. What are the chances that a search could be implemented?
Kind Regards,
Brian
Hi Brian,
The samples purpose is to be as simple as possible. They are implemented to show the basic concept and the important part in the samples is how to use the parameters passed by the Grid. Yes, we are aware that they could be done better and more secured and we will consider improving them in the future versions. Thank you very much for the valuable feedback which will definitely help us for improving the samples!
Best Regards,
Peter Stoev, jQWidgets Team
http://www.jqwidgets.com/
I can certainly appreciate the perspective, Peter. There are a lot of copy-pasters out there!
Thank you for your kind response.
Brian
Hi Brian,
Actually, Search is already available and when you login, the Search button is on the top-right corner of your screen.
Best Regards,
Peter Stoev, jQWidgets Team
http://www.jqwidgets.com/
We have attempted to tackle this problem so many times I can't recall how many!
It just seems to be an inherent problem with dynamic grids. To date we still don't have any solution for this... string checking is really not bulletproof. And there's no library out there for this either.
Does anyone have a solution to this? If so please share!
Thanks
Kim
Anyone cracked this nut yet?
Hi Kim,
Use prepared statements. Also, this topic is old and the examples are updated.
Best Regards,
Peter Stoev, jQWidgets Team
http://www.jqwidgets.com/
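The following is an added example (not jQWidgets' sample code and not code posted in this thread) of what "use prepared statements" looks like for the filter parameters Brian's snippet reads. It assumes the request carries `filterscount` plus `filtervalueN`, `filterconditionN`, `filterdatafieldN` and `filteroperatorN` for each filter (operator 0 = AND, 1 = OR), `pagenum`/`pagesize` for virtual paging, and condition names such as `CONTAINS` and `EQUAL`; the condition map, the `customers` table and its rows are constructed for the demonstration. Column names and SQL keywords cannot be bound as parameters, so they are checked against a whitelist, while the filter value is always bound as data:

```php
<?php
// Added example: grid filter parameters -> PDO prepared statement.
// Assumed request shape: filterscount, filtervalueN, filterconditionN,
// filterdatafieldN, filteroperatorN (0 = AND, 1 = OR), pagenum, pagesize.

// Accepted condition names mapped to a comparison operator and a LIKE pattern
// template (constructed for this example; extend to the conditions you use).
const FILTER_CONDITIONS = [
    'CONTAINS'         => ['op' => 'LIKE',     'pattern' => '%%%s%%'],
    'DOES_NOT_CONTAIN' => ['op' => 'NOT LIKE', 'pattern' => '%%%s%%'],
    'STARTS_WITH'      => ['op' => 'LIKE',     'pattern' => '%s%%'],
    'ENDS_WITH'        => ['op' => 'LIKE',     'pattern' => '%%%s'],
    'EQUAL'            => ['op' => '=',        'pattern' => '%s'],
    'NOT_EQUAL'        => ['op' => '<>',       'pattern' => '%s'],
    'GREATER_THAN'     => ['op' => '>',        'pattern' => '%s'],
    'LESS_THAN'        => ['op' => '<',        'pattern' => '%s'],
];

/**
 * Build " WHERE ..." (or "" when no filters are set) plus the named bindings.
 * $allowedColumns lists the real column names the grid is allowed to filter on.
 */
function buildFilterWhere(array $request, array $allowedColumns): array
{
    $count = (int)($request['filterscount'] ?? 0);
    $sql = '';
    $bindings = [];

    for ($i = 0; $i < $count; $i++) {
        $column    = (string)($request['filterdatafield' . $i] ?? '');
        $condition = strtoupper((string)($request['filtercondition' . $i] ?? ''));
        $value     = (string)($request['filtervalue' . $i] ?? '');
        $joiner    = ((int)($request['filteroperator' . $i] ?? 0)) === 1 ? 'OR' : 'AND';

        // Identifiers and keywords come from the whitelist, never from the request.
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("Rejected filter column: $column");
        }
        if (!isset(FILTER_CONDITIONS[$condition])) {
            throw new InvalidArgumentException("Rejected filter condition: $condition");
        }

        $spec = FILTER_CONDITIONS[$condition];
        $placeholder = ':filter' . $i;
        $clause = "$column {$spec['op']} $placeholder";

        if ($spec['op'] === 'LIKE' || $spec['op'] === 'NOT LIKE') {
            // Keep a user-supplied % or _ literal inside the LIKE pattern.
            $value = preg_replace('/[%_!]/', '!$0', $value);
            $clause .= " ESCAPE '!'";
        }
        // The value itself is only ever passed to the driver as a bound parameter.
        $bindings[$placeholder] = sprintf($spec['pattern'], $value);

        $sql .= ($i === 0 ? ' WHERE ' : " $joiner ") . $clause;
    }
    return [$sql, $bindings];
}

/** Fetch one page of grid rows; paging values are bound as integers. */
function fetchGridPage(PDO $pdo, array $request): array
{
    [$where, $bindings] = buildFilterWhere($request, ['CompanyName', 'ContactName']);
    $pageSize = max(1, (int)($request['pagesize'] ?? 10));
    $offset   = max(0, (int)($request['pagenum'] ?? 0)) * $pageSize;

    $stmt = $pdo->prepare(
        "SELECT CompanyName, ContactName FROM customers$where ORDER BY CompanyName LIMIT :limit OFFSET :offset"
    );
    foreach ($bindings as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_STR);
    }
    $stmt->bindValue(':limit', $pageSize, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite table with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (CompanyName TEXT, ContactName TEXT)');
$pdo->exec("INSERT INTO customers VALUES
    ('Alfreds Futterkiste', 'Maria Anders'),
    ('Ana Trujillo Emparedados', 'Ana Trujillo'),
    ('Berglunds snabbkop', 'Christina Berglund')");

// Two filters as the grid would send them. The second value contains a quote
// and a wildcard; both are treated as plain data and simply match nothing.
$request = [
    'filterscount' => '2',
    'filterdatafield0' => 'CompanyName', 'filtercondition0' => 'CONTAINS',
    'filtervalue0' => 'Ana', 'filteroperator0' => '0',
    'filterdatafield1' => 'ContactName', 'filtercondition1' => 'STARTS_WITH',
    'filtervalue1' => "Maria' %", 'filteroperator1' => '1',
    'pagenum' => '0', 'pagesize' => '10',
];
print_r(fetchGridPage($pdo, $request));

// A column name outside the whitelist is rejected before any SQL is built.
try {
    fetchGridPage($pdo, ['filterscount' => '1', 'filterdatafield0' => 'NotAColumn',
                         'filtercondition0' => 'EQUAL', 'filtervalue0' => 'x']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two points worth keeping in mind when adapting this: `addslashes()` only inserts backslashes and knows nothing about the connection's character set, whereas a bound parameter is handed to the database separately from the statement text, so no quoting of the value is needed at all; and on MySQL it is worth setting `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the PDO driver, does the preparing. The whitelist is the part no library can do for you, because the set of columns a user may filter on is application-specific.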