@ 2023-02-07T11:54:18Z <?php
/**
 * Demo wrapper showing how a DB layer could refuse SQL that was built from
 * request data: query() tests the SQL text with is_literal() (the proposed
 * function is not defined in the PHP versions shown in the output below) and
 * prints "[WRONG] " when the string is not a compile-time literal.
 *
 * Values travel in $parameters (bound, never concatenated); identifiers travel
 * in $aliases and are substituted for {name} placeholders with backtick quoting.
 */
class sqli_protected_db {
    /** Connection handle; the demo never opens one (construction is commented out). */
    private $db;

    public function __construct() {
        // $this->db = new mysqli('localhost', 'username', 'password', 'database');
    }

    /**
     * Prints the SQL that would be executed, prefixed with "[WRONG] " when $sql
     * is not a literal string. Execution itself is commented out in the demo.
     *
     * @param String $sql        query text; only {alias} placeholders are rewritten
     * @param Array  $parameters values to bind (unused while execution is disabled)
     * @param Array  $aliases    placeholder name => identifier to splice in, quoted
     */
    public function query(String $sql, Array $parameters = [], Array $aliases = []) {
        $marker = is_literal($sql) ? '' : '[WRONG] ';
        foreach ($aliases as $placeholder => $identifier) {
            // MySQL identifier quoting: wrap in backticks, double any embedded backtick.
            // This stops the identifier from escaping its quotes; it does not restrict
            // *which* identifier a caller may name — whitelist upstream if that matters.
            $quoted = '`' . str_replace('`', '``', $identifier) . '`';
            $sql = str_replace('{' . $placeholder . '}', $quoted, $sql);
        }
        echo $marker . $sql . "\n\n";
        // print_r(iterator_to_array($this->db->execute_query($sql, $parameters)));
    }
}
$db = new sqli_protected_db();
// Inputs come from the request, so they are not literal strings. The chr()
// fallbacks build the default at runtime too, so the demo behaves the same with
// or without a query string.
$id = ($_GET['id'] ?? chr(53)); // non-LiteralString '5'
$order = ($_GET['order'] ?? chr(110)); // non-LiteralString 'n'
// Value bound as a parameter: the SQL text itself stays literal.
$db->query('SELECT name FROM user WHERE id = ?', [$id]); // Correct
// Request data concatenated into the SQL: the string is no longer literal.
$db->query('SELECT name FROM user WHERE id = ' . $id); // WRONG
// Identifiers cannot be bound as values, so the alias mechanism quotes them inside query().
$db->query('SELECT name FROM user ORDER BY {o}', [], ['o' => $order]); // Correct
// Same identifier concatenated directly: flagged, even though it is "just" a column name.
$db->query('SELECT name FROM user ORDER BY ' . $order); // WRONG
echo "-----\n\n";
/**
 * Demo of a builder-style where() clause: the column expression and the
 * operator must be literal strings; the value is only ever rendered as "?".
 */
class query_builder {
    /**
     * Prints the rendered predicate, prefixed with "[WRONG] " when $column, or
     * a non-null $operator, is not a literal string.
     *
     * @param String  $column   column name or SQL expression (must be literal)
     * @param ?String $operator comparison operator, or null for a bare predicate
     * @param mixed   $value    bound value; shown as a "?" placeholder, never inlined
     */
    public function where(String $column, ?String $operator = null, $value = null) {
        $tainted = !is_literal($column) || ($operator !== null && !is_literal($operator));

        $fragment = $column;
        if ($operator !== null) {
            $fragment .= ' ' . $operator;
        }
        if ($value !== null) {
            $fragment .= ' ?';
        }

        echo ($tainted ? '[WRONG] ' : '') . $fragment . "\n\n";
    }
}
$qb = new query_builder();
// Request-derived inputs; chr() keeps the fallbacks non-literal as well.
$name = ($_GET['name'] ?? chr(110)); // non-LiteralString 'n'
$field = ($_GET['field'] ?? chr(102)); // non-LiteralString 'f'
$value = ($_GET['value'] ?? chr(118)); // non-LiteralString 'v'
// Literal expression and operator; the user-supplied value is passed separately and bound.
$qb->where('CONCAT(name_first, " ", name_last)', 'LIKE', $name); // Correct
// The value has been concatenated into the column expression: no longer literal.
$qb->where('CONCAT(name_first, " ", name_last) LIKE "' . $name . '"'); // WRONG
// A bare predicate with no operator or value is fine as long as it is literal.
$qb->where('some_value IS NULL'); // Correct
// The column name itself comes from the request, so the check fails on $column.
$qb->where($field, '=', $value); // WRONG
echo "-----\n\n";
// https://github.com/doctrine/orm/blob/2.12.x/lib/Doctrine/ORM/Query/Expr/Func.php
class Func {
    /**
     * @param mixed $name      SQL function name, e.g. 'MIN'
     * @param mixed $arguments argument expressions, joined with ", " when rendered
     */
    public function __construct(protected $name, protected $arguments) {
    }

    /**
     * Renders NAME(arg1, arg2, ...). Arguments are inlined verbatim — nothing is
     * quoted or escaped here, so any non-literal argument makes the whole string
     * non-literal (see check_func()).
     */
    public function __toString() {
        $argumentList = implode(', ', $this->arguments);
        return $this->name . '(' . $argumentList . ')';
    }
}
/**
 * Renders a Func to SQL and prints it, prefixed with "[WRONG] " when the
 * resulting string is not a literal (i.e. the name or an argument came from
 * request data).
 *
 * @param Func $func expression to render via __toString()
 */
function check_func(Func $func) {
    $rendered = (string) $func;
    $marker = is_literal($rendered) ? '' : '[WRONG] ';
    echo $marker . $rendered . "\n\n";
}
// Request-derived inputs; chr() keeps the fallbacks non-literal as well.
$func = ($_GET['func'] ?? chr(102)); // non-LiteralString 'f'
$value = ($_GET['value'] ?? chr(118)); // non-LiteralString 'v'
// Literal function name and literal arguments: the rendered string is literal.
check_func(new Func('MIN', ['field1', 'field2'])); // Correct
// Function name taken from the request: the whole rendered string is tainted.
check_func(new Func($func, ['field1', 'field2'])); // WRONG
// One argument taken from the request: Func::__toString() inlines it, so this is tainted too.
check_func(new Func('MIN', ['field1', $value])); // WRONG
?>
Output for 8.1.23 - 8.1.28 , 8.2.10 - 8.2.18 , 8.3.0 - 8.3.6 Fatal error: Uncaught Error: Call to undefined function is_literal() in /in/sLmC9:9
Stack trace:
#0 /in/sLmC9(25): sqli_protected_db->query('SELECT name FRO...', Array)
#1 {main}
thrown in /in/sLmC9 on line 9
Process exited with code 255.