I use CakePHP 3.6.
I heard that the Query Builder's "updateAll" is vulnerable to SQL injection.
Is that actually true?
I googled it, but I couldn't find any solid information ...
If anyone knows, I would appreciate it if you could tell me.
- https://www.google.com/search?q=cakephp3+updateAll+SQL%E3%82%A4%E3%83%B3%E3%82%B8%E3%82%A7%E3%82%AF%E3%82%B7%E3%83%A7%E3%83%B3&ie=utf-8&oe=utf-8&client=firefox-b-ab
- https://www.google.com/search?client=firefox-b-ab&q=cakephp3+updateAll+SQL%E3%82%A4%E3%83%B3%E3%82%B8%E3%82%A7%E3%82%AF%E3%82%B7%E3%83%A7%E3%83%B3&nirf=cakephp+updateAll+SQL%E3%82%A4%E3%83%B3%E3%82%B8%E3%82%A7%E3%82%AF%E3%82%B7%E3%83%A7%E3%83%B3&sa=X&ved=0ahUKEwiy7YSH74TdAhWBMt4KHbmdAP0Q8BYIJSgB&biw=1440&bih=712
- https://www.google.com/search?client=firefox-b-ab&biw=1440&bih=712&ei=mo1_W7_eNoPk-AbP4YjQBw&q=cakephp3+updateall+%E8%84%86%E5%BC%B1%E6%80%A7&oq=cakephp3+updateall+%E8%84%86%E5%BC%B1%E6%80%A7&gs_l=psy-ab.3...6033.11060.0.11257.0.0.0.0.0.0.0.0..0.0....0...1c.1j4.64.psy-ab..0.0.0....0.xXuS1JCjTAA
Answer #1
It seems there was a vulnerability in CakePHP 2.x, where input was not sanitized during updateAll.
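As an added illustration (not part of the question or the answer above), this is the distinction that matters when calling updateAll() in CakePHP 3.x: a condition passed as a raw string is placed into the SQL verbatim, while array conditions are turned into bound parameters. The `Articles` table, the `publishArticlesFor()` helper and the request handling are assumptions for the example.

```php
<?php
// Added example, not code from the question or from CakePHP itself.
// Assumes a Cake\ORM table `Articles` with integer column `user_id`.
use Cake\ORM\TableRegistry;

/**
 * Mark every article of one user as published.
 * Hypothetical helper; $userId is untrusted request input.
 */
function publishArticlesFor($userId): int
{
    $articles = TableRegistry::getTableLocator()->get('Articles');

    // RISKY: a string condition is handed to the query builder as SQL text.
    // The value is interpolated, not bound, so a crafted $userId can alter
    // the WHERE clause. Do not write it this way:
    //   $articles->updateAll(['published' => true], "user_id = {$userId}");

    // SAFE: array conditions become a QueryExpression; the value is sent as a
    // bound parameter and never becomes part of the SQL text.
    // Casting to int is an extra layer: it rejects anything non-numeric early.
    if (!ctype_digit((string)$userId)) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }

    return $articles->updateAll(
        ['published' => true],
        ['user_id' => (int)$userId]
    );
}

// Column names (the array keys) are still not user data: never build the key
// side of a condition, or a field name in the first argument, from a request.
// Typical call from a controller action, where `$this->request` is the Cake request:
//   $count = publishArticlesFor($this->request->getQuery('user_id'));
```

updateAll() returns the number of affected rows; it bypasses entity validation and the beforeSave/afterSave callbacks, so any input checks have to happen before the call, as above.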