Security Issue! Missing argument 2 for sql()

If you're a new user of AppGini, feel free to ask general usage questions, or look for answers here.
thecomputerchap
Veteran Member
Posts: 47
Joined: 2016-08-28 10:37

Security Issue! Missing argument 2 for sql()

Post by thecomputerchap » 2017-01-11 13:32

Hi all,

According to my php logs, every time Appgini executes a MySQL query, the above is displayed. According to https://make.wordpress.org/core/2012/12 ... b-prepare/ this is an SQL Injection vulnerability.

This has me a little concerned to be honest. Can the developers put our minds at rest regarding this please.

Thank you :)

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: Security Issue! Missing argument 2 for sql()

Post by AhmedBR » 2017-01-15 13:36

I opened a support request for this as I have the same in my logs.
Log points to line 249 in incFunctions.

I am also getting this error for the same file:
PHP Warning: htmlspecialchars() [<a href='function.htmlspecialchars'>function.htmlspecialchars</a>]: Invalid multibyte sequence in argument in /home1/....../incFunctions.php on line 935

Best regards,
Ahmed
AppGini 22.14 - xampp 3.3.0 - PHP 7.4.30 - Summary reports - Calendar - Mass update - Messages - AppGiniHelper

a.gneady
Site Admin
Posts: 1281
Joined: 2012-09-27 14:46

Re: Security Issue! Missing argument 2 for sql()

Post by a.gneady » 2017-01-15 14:06

Hmm ... I tried looking in the generated code and couldn't find anything that would cause this error either in incFunctions or in any other files. Would you send me the file generated on your side to inspect it please? And also the exact error message if it contains any further details.

To clarify, this error means there is a call to sql() function, with a missing 2nd parameter. There's no SQL injection vulnerability here ... only a call missing the 2nd argument to the function. The page mentioning it's an SQL injection is probably just a coincidence that got matched by the keyword "SQL", no more.
:idea: AppGini plugins to add more power to your apps:
  • DataTalk is an innovative AppGini plugin based on ChatGPT that allows you to interact with your AppGini database using natural language questions, without writing any SQL. Check the demo video
  • Mass Update plugin: Update multiple records at once and improve your workflow efficiency.
  • Check our other plugins and get a generous discount of up to 30% when buying 2 or more plugins.

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: Security Issue! Missing argument 2 for sql()

Post by AhmedBR » 2017-01-15 14:35

Hi Ahmad,

Thank you for the quick reply.

Error in log:
[06-Jan-2017 12:19:33] PHP Warning: Missing argument 2 for sql(), called in /home1/.../hooks/Price.php on line 20 and defined in /home1/.../incFunctions.php on line 249

I checked line 20 in the hook file; there is a simple SQL call. Here it is before and after the change:

Sql that generated the error:
sql('DROP TABLE IF EXISTS `Price`');

Sql change with no error in log:
sql('DROP TABLE IF EXISTS `Price`', $eo);

This change solved my problem.

The other error still persists; I have no idea what is causing it. This is what is in the log file:

[14-Jan-2017 19:22:10] PHP Warning: htmlspecialchars() [<a href='function.htmlspecialchars'>function.htmlspecialchars</a>]: Invalid multibyte sequence in argument in /home1/......../admin/incFunctions.php on line 935

Thanks,
Ahmed

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: Security Issue! Missing argument 2 for sql()

Post by AhmedBR » 2017-01-15 15:14

I just managed to pinpoint which file is causing the PHP Warning: htmlspecialchars().

Taking a look at the code, only one thing is different in this hook file: it is using aes_decrypt

cast(aes_decrypt(`Client`.`EncName`, "9A4E8B695586652E4FDA73AA6XXXXXXXDECRYPTKEY") as CHAR(200))

That is what is causing the warning.
I will need to check that further to see if I can do something about it.

The Clients' names are always encrypted in the database, and decryption is only done on the fly in the Clients_init function to show unencrypted names.

Any help in this would be appreciated.

a.gneady
Site Admin
Posts: 1281
Joined: 2012-09-27 14:46

Re: Security Issue! Missing argument 2 for sql()

Post by a.gneady » 2017-01-16 17:14

Ahmed, thanks for the update. So, if I understand correctly, this error was due to code placed in a hook file rather than code generated by AppGini, right?

Regarding the CAST statement where you pinpointed the htmlspecialchars() error, I guess you need to specify the encoding after "CHAR(200)" .. Please refer to this page for details: https://dev.mysql.com/doc/refman/5.7/en ... on_convert
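The two fixes discussed in this thread, worked through as an added example (this is not AppGini's code nor code posted by either participant): the CAST declares the character set of the decrypted value, and the HTML escaping step tolerates bytes that are still not valid UTF-8 instead of failing on them. It assumes a PDO connection in $db, the decryption key in $key and an `id` column; these are hypothetical, only `Client`.`EncName` comes from the thread.

```php
<?php
// Added example, not AppGini's own code. Assumptions: a PDO connection in $db,
// the AES key in $key, and an `id` column on `Client` (all hypothetical).

function safe_html(?string $value, string $encoding = 'UTF-8'): string
{
    if ($value === null) {
        // AES_DECRYPT() returns NULL for a wrong key or corrupt ciphertext.
        return '';
    }
    // htmlspecialchars() refuses input that is not valid in $encoding: PHP 5.3
    // logged "Invalid multibyte sequence in argument" (the warning in this
    // thread); later versions return "" silently. Detect it so the row can be
    // investigated rather than disappearing from the page.
    if (!mb_check_encoding($value, $encoding)) {
        error_log('safe_html: value is not valid ' . $encoding
            . ' (wrong key, or CAST without CHARACTER SET?)');
    }
    // ENT_SUBSTITUTE (PHP >= 5.4) replaces invalid sequences with U+FFFD
    // instead of dropping the whole string, so output stays escaped and visible.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

function decrypted_client_names(PDO $db, string $key): array
{
    // Without the CHARACTER SET clause MySQL labels the raw decrypted bytes
    // with the connection character set; if that differs from the charset
    // used when the names were encrypted, PHP receives invalid multibyte
    // sequences. Declaring it inside the CAST removes the ambiguity.
    $stmt = $db->prepare(
        'SELECT `id`, CAST(AES_DECRYPT(`Client`.`EncName`, ?) '
        . 'AS CHAR(200) CHARACTER SET utf8mb4) AS `Name` FROM `Client`'
    );
    $stmt->execute([$key]);

    $names = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $names[(int) $row['id']] = safe_html($row['Name']);
    }
    return $names;
}
```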

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: Security Issue! Missing argument 2 for sql()

Post by AhmedBR » 2017-01-16 17:23

In my case YES, that is why I posted the before and after code, in case someone else has the same message in their log file.

Thanks for the tip about CAST, I will check that.
