Skip to content

Add files via upload #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jeff-cycode wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add files via upload #32

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e98bdc8
Add files via upload
jeff-cycode Sep 8, 2024
71a7ff3
[Cycode] Fix for SAST detections - Unsanitized external input in SQL …
cycode-security[bot] Oct 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 57 additions & 0 deletions jwr-low.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
<?php

if( isset( $_GET[ 'Submit' ] ) ) {
// Get input
$id = $_GET[ 'id' ];
$exists = false;

switch ($_DVWA['SQLI_DB']) {
case MYSQL:
// Check database
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
try {
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); // Removed 'or die' to suppress mysql errors
Comment thread
cycode-security[bot] marked this conversation as resolved.
Outdated
Copy link
Copy Markdown
Contributor

@cycode-security cycode-security Bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cycode: SAST violation: 'Unsanitized external input in SQL query'.

Severity: Critical

Description

Using unsanitized data, such as user input or request data, or externally influenced data passed to a function, in SQL query exposes your application to SQL injection attacks. This vulnerability arises when externally controlled data is directly included in SQL statements without proper sanitation, allowing attackers to manipulate queries and access or modify data.

Cycode Remediation Guideline

✅ Do

  • Do validate all external input to ensure it meets the expected format before including it in SQL queries.
$sortingOrder = $_GET['sortingOrder'] === 'DESC' ? 'DESC' : 'ASC';
  • Do use safe lists to validate external input, if dynamic input is required.
private function validatedTableName($table_name)
{
  if in_array($table_name, $ALLOWED_TABLE_NAMES) {
    return $table_name
  }
  // handle invalid table name
}
  • Do use prepared statements for database queries to separate SQL logic from external input, significantly reducing the risk of SQL injection.
$stmt = $pdo->prepare("SELECT * FROM products WHERE id LIKE ? ORDER BY price {$sortingOrder}");
$stmt->execute(["%{$productId}%"]);
  • Do escape all external input using appropriate database-specific escaping functions before including it in SQL queries.
$ok = mysqli_real_escape_string($conn, $_GET['ok']);

❌ Don't

  • Do not include raw external input in SQL queries. This practice can lead to SQL injection vulnerabilities.
$sortingOrder = $_GET['untrusted'];
$query  = "SELECT id, name FROM products ORDER BY name LIMIT 20 $sortingOrder;"; // unsafe

📋 References

🎥 Learning materials (by Secure Code Warrior)

Tell us what how you wish to proceed using one of the following commands:

Tag Short Description
#cycode_sast_false_positive <reason> Mark as false positive — applies to this violation only
#cycode_ai_remediation Request remediation guidance using Cycode AI
#cycode_sast_ignore_here <reason> Ignore this violation — applies to this violation only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

Copy link
Copy Markdown
Contributor Author

@jeff-cycode jeff-cycode Oct 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#cycode_ai_remediation

Copy link
Copy Markdown
Contributor

@cycode-security cycode-security Bot Oct 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Cycode is processing your request. This may take up to one minute. Please, wait...

Copy link
Copy Markdown
Contributor

@cycode-security cycode-security Bot Oct 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Vulnerability Explanation

The vulnerability is caused by directly including user input ($id) in the SQL query without proper sanitization. This allows an attacker to manipulate the query and potentially access or modify sensitive data. The issue is evident in the lines where the $query is constructed, specifically: $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";. By using user input directly in the query, the application is exposed to SQL injection attacks.

Remediation Instructions

To fix the vulnerability, we need to use prepared statements to separate the SQL logic from the external input. Here's a step-by-step guide:

  1. Validate the external input ($id) to ensure it meets the expected format.
  2. Use a prepared statement to construct the SQL query, leaving a placeholder for the $id variable.
  3. Bind the $id variable to the prepared statement, ensuring it's treated as a parameter rather than part of the SQL code.
  4. Execute the prepared statement, which will safely include the $id value in the query.
    By following these steps, we can prevent SQL injection attacks and ensure the security of our application.
Suggested Fix

AI Confidence score ✨
🟢 100%

The Cycode AI Confidence Score estimates the quality of the suggested code fix. Please review it carefully before applying.

--- jwr-low.php
+++ jwr-low.php
@@ -1,3 +1,4 @@
+
 <?php
 
 if( isset( $_GET[ 'Submit' ] ) ) {
@@ -8,9 +9,11 @@
 	switch ($_DVWA['SQLI_DB']) {
 		case MYSQL:
 			// Check database
-			$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
+			$stmt = $GLOBALS["___mysqli_ston"]->prepare("SELECT first_name, last_name FROM users WHERE user_id = ?");
+			$stmt->bind_param("i", $id);
 			try {
-				$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ); // Removed 'or die' to suppress mysql errors
+				$stmt->execute();
+				$result = $stmt->get_result();
 			} catch (Exception $e) {
 				print "There was an error.";
 				exit;
@@ -29,10 +32,11 @@
 		case SQLITE:
 			global $sqlite_db_connection;
 
-			$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
+			$stmt = $sqlite_db_connection->prepare("SELECT first_name, last_name FROM users WHERE user_id = :id");
+			$stmt->bindValue(':id', $id, SQLITE3_INTEGER);
 			try {
-				$results = $sqlite_db_connection->query($query);
-				$row = $results->fetchArray();
+				$result = $stmt->execute();
+				$row = $result->fetchArray();
 				$exists = $row !== false;
 			} catch(Exception $e) {
 				$exists = false;

Tell us what to do with one of the following hashtags:

Tag Short Description
#cycode_fix_this_violation Apply the proposed fix

Copy link
Copy Markdown
Contributor Author

@jeff-cycode jeff-cycode Oct 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#cycode_fix_this_violation  

Copy link
Copy Markdown
Contributor

@cycode-security cycode-security Bot Oct 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Cycode has finished processing your request. Please review your status checks.

} catch (Exception $e) {
print "There was an error.";
exit;
}

$exists = false;
if ($result !== false) {
try {
$exists = (mysqli_num_rows( $result ) > 0);
} catch(Exception $e) {
$exists = false;
}
}
((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
break;
case SQLITE:
global $sqlite_db_connection;

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
try {
$results = $sqlite_db_connection->query($query);
$row = $results->fetchArray();
$exists = $row !== false;
} catch(Exception $e) {
$exists = false;
}

break;
}

if ($exists) {
// Feedback for end user
$html .= '<pre>User ID exists in the database.</pre>';
} else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

// Feedback for end user
$html .= '<pre>User ID is MISSING from the database.</pre>';
}

}

?>