Details
-
New Feature
-
Status: Open (View Workflow)
-
Minor
-
Resolution: Unresolved
-
None
Description
A common security issue (SQL Injection) is when a developer wants to use the IN Operator:
https://mariadb.com/docs/server/reference/sql-structure/operators/comparison-operators/in
Rather than using a Prepared Statement, they find it easy to do something dangerous like this:
$sql .= 'WHERE id IN (' . implode(', ', $ids) . ')'; |
If the array of $ids comes from an un-trusted source (e.g. the query string in the web pages URL), then they have just created a security issue.
I've found this to be the most common source of SQL injection vulnerabilities, as it's harder (and less obvious) to write the code correctly; where they have to count the number of values they have, and then use "?" followed by 0 or more ", ?" in the SQL string, I've seen some complicated solutions to this, but I think the shortest/easiest is:
$sql = 'WHERE id IN (' . substr(str_repeat(', ?', count($ids)), 2) . ')'; |
It would be great if the developer could simply write:
$sql .= 'WHERE id IN (?)'; |
And pass in an array of values for that 1 parameter, when it comes to executing the query.
This will allow re-using the Prepared Statement with a different number of values with the IN operator, as the query hasn't really changed.
Also, it would be useful if the array could be empty (which would basically evaluate to false), as both of the examples above cause a syntax error if the $ids array is empty.
—
Also reported for MySQL:
https://bugs.mysql.com/118607