SQL Injection #48

Closed
@Dylan-DutchAndBold

Description

Clicking through the source code has me worried. It looks like this package facilitates SQL Injections.

For example, the scopeDistance function:

    public function scopeDistance($query, $geometryColumn, $geometry, $distance)
    {
        $query->whereRaw("st_distance(`{$geometryColumn}`, ST_GeomFromText('{$geometry->toWkt()}')) <= {$distance}");

        return $query;
    }

The user data is just executed raw, no bindings, no escaping. Doing a simple test below shows it allows for SQL Injection.

>>> Address::distance('location', new \Grimzy\LaravelMysqlSpatial\Types\Point(51.905737, 4.430866), "'' OR 1=1")->toSql()
=> "select * from `addresses` where st_distance(`location`, ST_GeomFromText('POINT(4.430866 51.905737)')) <= '' OR 1=1"
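A hardened form of the scope, added here as an example and not code from the package: the WKT and the distance travel as query bindings instead of being interpolated, and the column name (which cannot be bound) is allow-listed. `FakeBuilder` and `Point` are stand-ins assumed for this snippet so it runs without Laravel; `FakeBuilder` only mirrors the signature of Laravel's `whereRaw($sql, $bindings = [])`.

```php
<?php
// Stand-in for the Laravel query builder: records raw SQL and bindings only.
final class FakeBuilder
{
    public array $wheres = [];
    public array $bindings = [];

    // Same signature as Laravel's Query\Builder::whereRaw($sql, $bindings = []).
    public function whereRaw(string $sql, array $bindings = []): self
    {
        $this->wheres[] = $sql;
        $this->bindings = array_merge($this->bindings, $bindings);
        return $this;
    }
}

// Stand-in for the package's Point type; only toWkt() is needed here.
final class Point
{
    public function __construct(private float $lat, private float $lng) {}
    public function toWkt(): string { return "POINT({$this->lng} {$this->lat})"; }
}

// Hardened scopeDistance: values are bound, the identifier is allow-listed,
// and the distance must be numeric before it is used at all.
function scopeDistanceSafe(FakeBuilder $query, string $geometryColumn, Point $geometry, $distance): FakeBuilder
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $geometryColumn)) {
        throw new InvalidArgumentException('Invalid geometry column name');
    }
    if (!is_numeric($distance)) {
        throw new InvalidArgumentException('Distance must be numeric');
    }
    $query->whereRaw(
        "st_distance(`{$geometryColumn}`, ST_GeomFromText(?)) <= ?",
        [$geometry->toWkt(), (float) $distance]
    );
    return $query;
}

// The payload from the issue never reaches the SQL text: it is rejected.
$q = new FakeBuilder();
try {
    scopeDistanceSafe($q, 'location', new Point(51.905737, 4.430866), "'' OR 1=1");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
// A legitimate call yields placeholders in the SQL and the values as bindings.
scopeDistanceSafe($q, 'location', new Point(51.905737, 4.430866), 1000);
echo $q->wheres[0], "\n";
print_r($q->bindings);
```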
