SQL Injection is possible
seeseemelk opened this issue · 2 comments
I've taken a quick look at the source code as the project seemed interesting.
However, when doing so I quickly noticed that in several files there is unfiltered user input being used in SQL queries. This allows a user to perform SQL injections, possibly modifying data stored in the database.
I would strongly recommend changing every query that accepts external input into a prepared statement.
Thanks for your concern. But let me assure you it is not possible to abuse this.
The only unfiltered user inputs come straight from the config file which already contains the plaintext database credentials. If for some reason the admin would like to perform an SQL injection attack on their own SQL server (for which they already have the password anyway) they probably know what they are doing anyway.
I might limit what can be done with the customization of field names with the database rewrite in the future.
Additionally:
For SQLite all the values are hard-coded except for one, which is queried straight from an SQLite function which has a predefined format. If your SQLite database returns something bad there, you have a bigger problem.
For MySQL all create queries will be run through a filter that requires them to be a single valid MySQL create query. This should catch all bad column names already.
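To illustrate both the reporter's recommendation and the maintainer's point that the untrusted part is a field name from the config file, here is an added example (not code from this project) in Python with sqlite3: values are bound as prepared-statement parameters, while a config-driven field name, which cannot be a bound parameter, is validated against a strict identifier pattern and quoted before use. The table, rows and input strings are constructed for the example.

```python
import re
import sqlite3

# Identifier rule for config-supplied field names (example policy, not the
# project's): letters, digits and underscore only, must start with a letter
# or underscore, at most 64 characters.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def is_valid_identifier(name: str) -> bool:
    """True if the name is safe to use as a SQL column name."""
    return IDENT_RE.fullmatch(name) is not None


def quote_identifier(name: str) -> str:
    """Validate a config-supplied column name and return it double-quoted."""
    if not is_valid_identifier(name):
        raise ValueError(f"invalid identifier from config: {name!r}")
    return '"' + name + '"'


def unsafe_lookup(conn, field, value):
    # The pattern the issue warns about: field name and value are both
    # interpolated into the SQL text, so the value can change the query.
    return conn.execute(f"SELECT id FROM users WHERE {field} = '{value}'").fetchall()


def safe_lookup(conn, field, value):
    # Field name is validated and quoted; the value is a bound parameter,
    # so whatever it contains is compared as data, never parsed as SQL.
    sql = f"SELECT id FROM users WHERE {quote_identifier(field)} = ?"
    return conn.execute(sql, (value,)).fetchall()


def build_demo_db():
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn
```

Running `safe_lookup` with a field name that fails the identifier check raises before any SQL is sent, which is the behaviour a config-validation layer should have.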