PHP Sanitize & Documentation


Hisnan Faudan Azmia

Sep 7, 2021, 10:48:35 PM
to Fusio
Hi Christoph,
I want to ask about PHP Sanitize & Documentation:
1. Is this still vulnerable to SQL injection?

$city    = $request->getParameter('city');
$address = $request->getParameter('address');
$name    = $request->getParameter('name');

if (isset($city)) {
    // $city is bound as :city, but $address and $name are interpolated
    // straight into the SQL string
    $where = "WHERE
                city = :city
                AND
                address LIKE '%$address%'
                AND
                name LIKE '%$name%'";

    $params = ['city' => $city];
} else {

    $where = "WHERE 1";
    $params = [];
}

// the WHERE clause has to be appended to the query for the filter to apply
$d = $connection->fetchAll('SELECT * FROM student ' . $where, $params);

2. How do I use OAuth2 in Fusio? From the documentation I am still confused about how to use OAuth2 in Fusio.
3. Can I create OAuth2 from the Fusio backend / UI?
4. Can you add more documentation about fetchOne, fetchAllAssociative, getDatabasePlatform and the others?

Thanks & Regards

Christoph Kappestein

Sep 16, 2021, 2:22:11 PM
to Fusio
Hi,

1. Regarding your question about the query: yes, it looks like the query is still vulnerable, since you add the $address and $name variables directly to the query.
You would need to use prepared statement placeholders there as well, like :address and :name in the query, and then add those values to the params array.

2/3. You would need to create an App at the backend, then you can use the App-Key/Secret to obtain an Access-Token through OAuth2.
The OAuth2 endpoint is available at /authorization/token, see https://demo.fusio-project.org/apps/internal/#!/api/authorization/token

4. So this is a doctrine/dbal Connection instance; for the current API you can also take a look at the vendor/ folder. Currently we have no
web-rendered API documentation available.

best regards
Christoph

Hisnan Faudan Azmia

Sep 21, 2021, 9:36:24 PM
to Fusio
1. Can you give more examples? I already tried it but still get no result:

$city    = $request->getParameter('city');
$address = $request->getParameter('address');
$name    = $request->getParameter('name');

if (isset($city) && isset($address) && isset($name)) {
    // :address and :name sit inside quoted string literals here, so they
    // are not recognised as placeholders
    $where = "WHERE
                city = :city
                AND
                address LIKE '%:address%'
                AND
                name LIKE '%:name%'";

    $params = ['city' => $city, 'address' => $address, 'name' => $name];
} else {

    $where = "WHERE 1";
    $params = [];
}

$d = $connection->fetchAll('SELECT * FROM student ' . $where, $params);

Hisnan Faudan Azmia

Sep 22, 2021, 10:10:35 PM
to Fusio
And can you give an example of how to use getParameters()?

Christoph Kappestein

Oct 2, 2021, 7:23:46 AM
to Fusio
Hi,

So this is a fixed version of your action:

<?php

$connection = $connector->getConnection('System');

$city = $request->getParameter('city');
$address = $request->getParameter('address');
$name = $request->getParameter('name');

if (isset($city) && isset($address) && isset($name)) { 
    $where = "WHERE city = :city
                AND address LIKE :address
                AND name LIKE :name";

    $params = [
        'city' => $city,
        'address' => '%' . $address . '%',
        'name' => '%' . $name . '%'
    ];
} else { 

    $where = "WHERE 1";
    $params = [];
}

$result = $connection->fetchAll('SELECT * FROM student ' . $where, $params);

return $response->build(200, [], [
    'result' => $result,
]);


best regards
Christoph
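
As an added example (not code from the thread or from the Fusio project), the same action written so that each filter is optional on its own and so that a user-supplied % or _ is escaped before it reaches LIKE; it assumes the Fusio action variables $request, $connector and $response used above and a doctrine/dbal Connection from $connector->getConnection('System').

```php
<?php
// Added example, not part of the thread: builds the student filter from
// whichever of city/address/name is present, keeps every user value out
// of the SQL text, and escapes LIKE wildcards so a user-supplied '%' or
// '_' cannot widen the match. Assumes $request, $connector and $response
// as in the Fusio action above.

$connection = $connector->getConnection('System');
$platform   = $connection->getDatabasePlatform();

// Column names are fixed here and never taken from the request; only the
// values are bound. 'city' matches exactly, the others by substring.
$exactFilters = ['city'];
$likeFilters  = ['address', 'name'];

$conditions = [];
$params     = [];

foreach ($exactFilters as $column) {
    $value = $request->getParameter($column);
    if ($value !== null && $value !== '') {
        $conditions[]    = $column . ' = :' . $column;
        $params[$column] = $value;
    }
}

foreach ($likeFilters as $column) {
    $value = $request->getParameter($column);
    if ($value !== null && $value !== '') {
        // escapeStringForLike() prefixes %, _ and the escape character
        // itself with '!', so only our surrounding wildcards are
        // interpreted by LIKE.
        $escaped         = $platform->escapeStringForLike($value, '!');
        $conditions[]    = $column . " LIKE :" . $column . " ESCAPE '!'";
        $params[$column] = '%' . $escaped . '%';
    }
}

$sql = 'SELECT * FROM student';
if ($conditions !== []) {
    $sql .= ' WHERE ' . implode(' AND ', $conditions);
}

// e.g. address=50% yields the bound value "%50!%%" while the SQL text
// stays "... address LIKE :address ESCAPE '!'" whatever the input is.
$result = $connection->fetchAllAssociative($sql, $params);

return $response->build(200, [], [
    'result' => $result,
]);
```

fetchAllAssociative() is the DBAL 2.11+/3.x name for what the thread calls fetchAll(); on an older DBAL, fetchAll() takes the same query and params arguments.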


Hisnan Faudan Azmia

Oct 3, 2021, 11:43:12 PM
to Fusio
Thank you Mr. Christoph, it's working.