Page 1 of 1

Security Issue! Missing argument 2 for sql()

Posted: 2017-01-11 13:32
by thecomputerchap
Hi all,

According to my php logs, every time Appgini executes a MySQL query, the above is displayed. According to https://make.wordpress.org/core/2012/12 ... b-prepare/ this is an SQL Injection vulnerability.

This has me a little concerned to be honest. Can the developers put our minds at rest regarding this please.

Thank you :)

Re: Security Issue! Missing argument 2 for sql()

Posted: 2017-01-15 13:36
by AhmedBR
I opened a support request for this as I have the same in my logs.
Log points to line 249 in incFunctions.

I am also getting this error for the same file:
PHP Warning: htmlspecialchars() [<a href='function.htmlspecialchars'>function.htmlspecialchars</a>]: Invalid multibyte sequence in argument in /home1/....../incFunctions.php on line 935

Best regards,
Ahmed

Re: Security Issue! Missing argument 2 for sql()

Posted: 2017-01-15 14:06
by a.gneady
Hmm ... I tried looking in the generated code and couldn't find anything that would cause this error either in incFunctions or in any other files. Would you send me the file generated on your side to inspect it please? And also the exact error message if it contains any further details.

To clarify, this error means there is a call to sql() function, with a missing 2nd parameter. There's no SQL injection vulnerability here ... only a call missing the 2nd argument to the function. The page mentioning it's an SQL injection is probably just a co-incidence that got matched by the keyword "SQL", no more.

Re: Security Issue! Missing argument 2 for sql()

Posted: 2017-01-15 14:35
by AhmedBR
Hi Ahmad,

thank you for the quick reply.

Error in log:
[06-Jan-2017 12:19:33] PHP Warning: Missing argument 2 for sql(), called in /home1/.../hooks/Price.php on line 20 and defined in /home1/.../incFunctions.php on line 249

I checked line 20 in the hook file there is a simple sql, here it is before and after the change:

Sql that generated the error:
sql('DROP TABLE IF EXISTS `Price`');

Sql change with no error in log:
sql('DROP TABLE IF EXISTS `Price`', $eo);

This change solved my problem.


The other error still persists, have no idea what is causing it, this is what in the log file:

[14-Jan-2017 19:22:10] PHP Warning: htmlspecialchars() [<a href='function.htmlspecialchars'>function.htmlspecialchars</a>]: Invalid multibyte sequence in argument in /home1/......../admin/incFunctions.php on line 935

Thanks,
Ahmed

Re: Security Issue! Missing argument 2 for sql()

Posted: 2017-01-15 15:14
by AhmedBR
I just managed to pinpoint which file is causing the PHP Warning: htmlspecialchars().

Taking a look at the code only one thing is different in this hook file:
It is using aes_decrypt

cast(aes_decrypt(`Client`.`EncName`, "9A4E8B695586652E4FDA73AA6XXXXXXXDECRYPTKEY") as CHAR(200))

That is what causing the warning.
I will need to check that further to see if I can do something about it.

The Clients names are always encrypted in database, and the decrypt is only done on the fly using function Clients_init to show unencrypted names.

Any help in this would be appreciated.

Re: Security Issue! Missing argument 2 for sql()

Posted: 2017-01-16 17:14
by a.gneady
Ahmed, thanks for the update. So, if I understand correctly, this error was due to code placed in a hook file rather than code generated by AppGini, right?

Regarding the CAST statement where you pinpointed the htmlspecialchars() error, I guess you need to specify the encoding after "CHAR(200)" .. Please refer to this page for details: https://dev.mysql.com/doc/refman/5.7/en ... on_convert

Re: Security Issue! Missing argument 2 for sql()

Posted: 2017-01-16 17:23
by AhmedBR
In my case YES, that is why I posted the before and after code, in case someone else has to same message in their log file.

Thanks for the tip about CAST, I will check that.