On Monday, 26 August 2013 at 1:39 AM, Ayush Chaudhary wrote:
Hi,

On Monday, 26 August 2013 at 12:20 AM, Rouslan Placella wrote:

On 08/25/2013 10:14 AM, Ayush Chaudhary wrote:
Hi,

I was writing Selenium tests for editing an event. While creating an
event, I created it with the clause 'EVERY 2 MINUTE_SECOND' and it
worked fine. However, MySQL stores it as '0:2', so when I go to edit the
event, the default value for the interval field is '0:2', and then when I
submit the edit form, our code takes the intval from 0:2 and forms the
query 'EVERY 0 MINUTE_SECOND' and this creates an error.

Is there a specific reason why intval is being used in
rte_events.lib.php on Line 585? If not, should I remove that and issue a
pull request?

IIRC, intval was used there to sanitize user input. If you remove it,
you'll need to add something else to avoid SQL injections.
Shouldn't addslashes be fine? And moreover, since the query will be executed via the PMA_DatabaseInterface class, shouldn't that alone take care of sanitisation against SQL injection?
Just realised addslashes won't work either, as the field value is not really 'assigned' anywhere in SQL but used as an independent entity like "CREATE EVENT …. EVERY '0:2' ….". I am wondering what kind of SQL injection vulnerability we are looking at here? I tried the most common SQL injection, that is "'0:2'; DELETE FROM table; #", and MySQL returned an error.

Bye,
Rouslan
_______________________________________________
Phpmyadmin-devel mailing list
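
Added example, not part of the thread and not phpMyAdmin's code: one way to replace the intval call with an allowlist per interval unit, so the stored '0:2' form round-trips on edit while anything else is rejected before it is placed in the query. The function and constant names are hypothetical; the patterns follow the value formats the MySQL manual documents for each unit and are deliberately stricter than what the server itself accepts.

```php
<?php
// Added example; names are hypothetical, not phpMyAdmin's.
// Units allowed in a CREATE EVENT schedule, each with the value format
// the MySQL manual documents for it (\A and \z anchor the whole string).
const EVENT_INTERVAL_PATTERNS = [
    'YEAR'          => '/\A\d+\z/',
    'QUARTER'       => '/\A\d+\z/',
    'MONTH'         => '/\A\d+\z/',
    'WEEK'          => '/\A\d+\z/',
    'DAY'           => '/\A\d+\z/',
    'HOUR'          => '/\A\d+\z/',
    'MINUTE'        => '/\A\d+\z/',
    'SECOND'        => '/\A\d+\z/',
    'YEAR_MONTH'    => '/\A\d+-\d+\z/',
    'DAY_HOUR'      => '/\A\d+ \d+\z/',
    'DAY_MINUTE'    => '/\A\d+ \d+:\d+\z/',
    'DAY_SECOND'    => '/\A\d+ \d+:\d+:\d+\z/',
    'HOUR_MINUTE'   => '/\A\d+:\d+\z/',
    'HOUR_SECOND'   => '/\A\d+:\d+:\d+\z/',
    'MINUTE_SECOND' => '/\A\d+:\d+\z/',
];

function buildEveryClause(string $value, string $unit): string
{
    $unit = strtoupper(trim($unit));
    if (!array_key_exists($unit, EVENT_INTERVAL_PATTERNS)) {
        throw new InvalidArgumentException('Unsupported interval unit');
    }
    $value = trim($value);
    if (preg_match(EVENT_INTERVAL_PATTERNS[$unit], $value) !== 1) {
        throw new InvalidArgumentException('Interval value does not match unit format');
    }
    // After the match only digits, ':', '-' and ' ' can be present, so
    // quoting a compound value cannot be broken out of.
    $compound = strpos($unit, '_') !== false;
    return 'EVERY ' . ($compound ? "'$value'" : $value) . ' ' . $unit;
}

// Constructed inputs: the stored form and the probe string from the thread.
$samples = [['0:2', 'MINUTE_SECOND'], ['2', 'MINUTE'], ["'0:2'; DELETE FROM table; #", 'MINUTE_SECOND']];
foreach ($samples as [$value, $unit]) {
    try {
        echo buildEveryClause($value, $unit), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```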