Update sql injection issue to make it a better working example [#2824571]

Problem/Motivation

The current SQL injection demo throws a PDO error, but I couldn't get it to inject SQL. Nathan figured out a way during a recent CharDUG meeting. See below

CREATE TABLE `users_test` (
  `uid` int(10) unsigned NOT NULL DEFAULT '0' COMMENT 'Primary Key: Unique user ID.',
  `name` varchar(60) NOT NULL DEFAULT '' COMMENT 'Unique user name.'
)



in the text_field, i insert --> 1; DROP TABLE users_test

Remaining tasks

Test Nathan's injection
Add test db table to the installer
Create a way to reset the table so it is repeatable
Document in code and the UI on how to run the sql injection code

User interface changes

Document example injection attempts and how to view the results
Document proper fix in code and UI for this exploit.

Comments

Comment #1

3 November 2016 at 10:32

shrop created an issue. See original summary.

Comment #2

shrop commented 3 November 2016 at 10:35

Issue summary:

View changes

Update sql injection issue to make it a better working example

Problem/Motivation

Remaining tasks

User interface changes

Comments

Comment #1

Comment #2

News items

Our community

Documentation

Drupal code base

Governance of community