Reflected SQL injection
Published: Mon, 23 Jul 2007 14:00:17 GMT
Updated: Sat, 22 Mar 2025 15:38:02 GMT
I've been developing a system for a while now and it's currently in the testing stage. I noticed that a SQL injection vulnerability had crept in. I was quite surprised, because my filtering methods are generally quite good and I've not seen any SQL errors in the logs for quite some time. Luckily the site wasn't live, so I had plenty of time to see what was going on.
I noticed that all my input was being escaped correctly and I couldn't understand how the system was producing a SQL error. Then I noticed something: my code was sharing data across 2 tables. It would query 1 table, then loop through the records and use that data to perform another SQL query on the other table.
This image clearly displays my simple mistake:
So although I was escaping the data originally, I had forgotten to escape it a second time when it was reused while looping through the records. The SQL data was reflected from table 1 to table 2. A simple code change cleared the problem quite easily, but I think it is one of those items that can slip under the radar unnoticed.
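The mistake described above, as an added example that is not code from the original post: a value is stored safely in table 1 (parameterised insert), read back, and then spliced straight into the query on table 2. A stored value containing an ordinary apostrophe is enough to break the second query, which is the kind of SQL error that showed up in the logs. The table names, columns and sample data are constructed for the demonstration; the fix is to parameterise the second query as well.

```python
import sqlite3


def setup_db():
    """Create two constructed tables and insert sample rows via parameters (safe on the way in)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, username TEXT, item TEXT);
    """)
    # Constructed sample data: the username carries a quote, the sort of value
    # that is handled correctly when it is first escaped/parameterised.
    conn.execute("INSERT INTO users (username) VALUES (?)", ("o'brien",))
    conn.execute("INSERT INTO orders (username, item) VALUES (?, ?)", ("o'brien", "widget"))
    conn.commit()
    return conn


def items_per_user_unsafe(conn):
    """Vulnerable: data read from table 1 is concatenated into the query on table 2."""
    result = {}
    for (username,) in conn.execute("SELECT username FROM users"):
        # The value was escaped when it went in, but once read back it is plain
        # data again and the quote lands in the SQL text unescaped.
        rows = conn.execute(f"SELECT item FROM orders WHERE username = '{username}'")
        result[username] = [item for (item,) in rows]
    return result


def items_per_user_safe(conn):
    """Fixed: the second query is parameterised too, so stored data never touches the SQL text."""
    result = {}
    for (username,) in conn.execute("SELECT username FROM users"):
        rows = conn.execute("SELECT item FROM orders WHERE username = ?", (username,))
        result[username] = [item for (item,) in rows]
    return result


def demo():
    """Return (error raised by the unsafe loop or None, result of the safe loop)."""
    conn = setup_db()
    try:
        items_per_user_unsafe(conn)
        unsafe_error = None
    except sqlite3.OperationalError as exc:
        unsafe_error = str(exc)  # the SQL syntax error that would appear in the logs
    return unsafe_error, items_per_user_safe(conn)


if __name__ == "__main__":
    err, safe = demo()
    print("unsafe second query failed with:", err)
    print("parameterised second query returned:", safe)
```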