0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Models/FileUpload.php:121-133 / src/Models/BbsListing.php:62-75

Bug: {$key} = :{$key} unquoted; latent SQL injection / mass-assignment if any caller passes user-controlled keys.

Fix: Per-model ALLOWED_COLUMNS whitelist, matching the pattern already in User::update.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:33pm

Resolved.

Added ALLOWED_UPDATE_KEYS whitelists to both models:

  • src/Models/FileUpload.php::ALLOWED_UPDATE_KEYS = title, description, area_id, mime_type, file_size, download_count, tags
  • src/Models/BbsListing.php::ALLOWED_UPDATE_KEYS = name, slug, description, telnet_host, telnet_port, terminal_type, ansi_preview, screenshot, sort_order, is_active, listing_type

Any key in $data that isn't on the whitelist now throws InvalidArgumentException. Column names are also backtick-quoted (`{$key}` = :{$key}) as defence in depth.

All existing callers only pass keys that are on the list. Test suite: 93/93 pass.

Locking this thread.
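The allow-list check described in the resolution above, as an added example that is not the project's code or part of either post. The class name ListingRepo, the listings table and its columns are hypothetical, and it assumes PHP 8 with the pdo_sqlite extension so that it runs offline against an in-memory database.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the models in this thread; table, columns and
// class name are assumptions for illustration.
final class ListingRepo
{
    // Only these columns may ever appear in an UPDATE's SET clause.
    private const ALLOWED_UPDATE_KEYS = ['name', 'slug', 'is_active'];

    public function __construct(private PDO $pdo) {}

    public function update(int $id, array $data): int
    {
        if ($data === []) {
            return 0; // nothing to change; avoids emitting "SET  WHERE"
        }
        $set = [];
        $params = [':id' => $id];
        foreach ($data as $key => $value) {
            // Strict match on string keys only, so integer keys cannot match loosely.
            if (!is_string($key) || !in_array($key, self::ALLOWED_UPDATE_KEYS, true)) {
                throw new InvalidArgumentException('Column not updatable: ' . var_export($key, true));
            }
            $set[] = "`{$key}` = :{$key}"; // $key is now one of the constants above
            $params[":{$key}"] = $value;   // values are always bound, never interpolated
        }
        $stmt = $this->pdo->prepare('UPDATE listings SET ' . implode(', ', $set) . ' WHERE id = :id');
        $stmt->execute($params);
        return $stmt->rowCount();
    }
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, name TEXT, slug TEXT, is_active INTEGER, owner_id INTEGER)');
$pdo->exec("INSERT INTO listings VALUES (1, 'Old BBS', 'old-bbs', 1, 7)");

$repo = new ListingRepo($pdo);
echo $repo->update(1, ['name' => 'New BBS', 'is_active' => 0]), " row updated\n";

// Constructed bad inputs: a real column outside the list, and a key that is not a plain column name.
foreach ([['owner_id' => 1], ['name = name, owner_id' => 1]] as $bad) {
    try {
        $repo->update(1, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
echo 'owner_id is still ', $pdo->query('SELECT owner_id FROM listings WHERE id = 1')->fetchColumn(), "\n";
```

Both rejected updates fail before any SQL string is built, which is why the check covers the mass-assignment case (a valid column the caller should not touch) as well as the injection case.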
