SQL injection in api_user_id usage (?)
Hi,
in `lib/shortcode/shortcode.ajax.php` you get the api_user_id from the GET parameter.

```php
function Zotpress_shortcode_AJAX() {
    ...
    $zp_api_user_id = $_GET['api_user_id'];
    ...
    $zp_account = zp_get_account ($wpdb, $zp_api_user_id);
```

You then use that api_user_id in the functions `zp_get_account`, `zp_get_accounts` and `zp_clear_cache_for_user` in `lib/request/request.function.php` which do SQL queries with the `wpdb->get_results` function but don’t do `wpdb->prepare` on the input.

```php
function zp_get_account ($wpdb, $api_user_id_incoming=false) {
    if ($api_user_id_incoming !== false)
        $zp_account = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."zotpress WHERE api_user_id='".$api_user_id_incoming."'");
```

I might be mistaken, but with a brief glimpse I don’t see where the api_user_id is validated/sanitized, in which case there is an SQL injection vulnerability. Am I missing something? Is some WordPress function escaping that user input?
Helpful resources:
https://developer.wordpress.org/plugins/security/securing-input/
http://ottopress.com/2013/better-know-a-vulnerability-sql-injection/
Viewing 1 replies (of 1 total)
- The topic ‘SQL injection in api_user_id usage (?)’ is closed to new replies.
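A hardened form of the lookup quoted in the post, as an added example that is not part of the original post and not Zotpress code. The `zp_example_*` names are hypothetical, the digits-only rule for `api_user_id` is an assumption about the plugin's data, and only the branch shown in the post (an incoming `api_user_id`) is covered.

```php
<?php
// Added example, not Zotpress code. Assumes it is loaded inside WordPress,
// so $wpdb, wp_unslash() and the wp_send_json_*() helpers are available.

// Hypothetical helper: read and validate the request parameter.
// Assumption: api_user_id values are digits only; adjust the pattern if not.
function zp_example_read_api_user_id() {
    if ( ! isset( $_GET['api_user_id'] ) || ! is_string( $_GET['api_user_id'] ) ) {
        return false; // missing, or an array such as ?api_user_id[]=1
    }
    // WordPress adds slashes to $_GET at load time; remove them before checking.
    $raw = wp_unslash( $_GET['api_user_id'] );
    // The D modifier stops "$" from matching before a trailing newline.
    return preg_match( '/^[0-9]{1,20}$/D', $raw ) ? $raw : false;
}

// Hypothetical replacement for the quoted lookup: the value is bound through
// a %s placeholder instead of being concatenated into the SQL string.
function zp_example_get_account( $wpdb, $api_user_id ) {
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}zotpress WHERE api_user_id = %s",
        $api_user_id
    );
    return $wpdb->get_results( $sql );
}

// Hypothetical AJAX handler showing both pieces together.
function zp_example_shortcode_ajax() {
    global $wpdb;
    $api_user_id = zp_example_read_api_user_id();
    if ( false === $api_user_id ) {
        wp_send_json_error( 'Invalid api_user_id', 400 ); // sends JSON and exits
    }
    $account = zp_example_get_account( $wpdb, $api_user_id );
    wp_send_json_success( array( 'found' => ! empty( $account ) ) );
}
```

The `prepare()` call is what closes the injection path; the format check only rejects malformed requests early and should not be relied on alone.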