Security Issue! Missing argument 2 for sql()
Hi all,
According to my PHP logs, every time AppGini executes a MySQL query, the above is displayed. According to https://make.wordpress.org/core/2012/12 ... b-prepare/ this is an SQL Injection vulnerability.
This has me a little concerned, to be honest. Can the developers put our minds at rest regarding this, please?
Thank you
Re: Security Issue! Missing argument 2 for sql()
I opened a support request for this as I have the same in my logs.
Log points to line 249 in incFunctions.
I am also getting this error for the same file:
PHP Warning: htmlspecialchars() [<a href='function.htmlspecialchars'>function.htmlspecialchars</a>]: Invalid multibyte sequence in argument in /home1/....../incFunctions.php on line 935
Best regards,
Ahmed
AppGini 22.14 - xampp 3.3.0 - PHP 7.4.30 - Summary reports - Calendar - Mass update - Messages - AppGiniHelper
Re: Security Issue! Missing argument 2 for sql()
Hmm ... I tried looking in the generated code and couldn't find anything that would cause this error either in incFunctions or in any other files. Would you send me the file generated on your side to inspect it please? And also the exact error message if it contains any further details.
To clarify, this error means there is a call to the sql() function with a missing 2nd parameter. There's no SQL injection vulnerability here ... only a call missing the 2nd argument to the function. The page mentioning it's an SQL injection is probably just a coincidence that got matched by the keyword "SQL", no more.
AppGini plugins to add more power to your apps:
- DataTalk is an innovative AppGini plugin based on ChatGPT that allows you to interact with your AppGini database using natural language questions, without writing any SQL. Check the demo video
- Mass Update plugin: Update multiple records at once and improve your workflow efficiency.
- Check our other plugins and get a generous discount of up to 30% when buying 2 or more plugins.
Re: Security Issue! Missing argument 2 for sql()
Hi Ahmad,
thank you for the quick reply.
Error in log:
[06-Jan-2017 12:19:33] PHP Warning: Missing argument 2 for sql(), called in /home1/.../hooks/Price.php on line 20 and defined in /home1/.../incFunctions.php on line 249
I checked line 20 in the hook file; there is a simple sql call. Here it is before and after the change:
SQL that generated the error:
sql('DROP TABLE IF EXISTS `Price`');
SQL change with no error in log:
sql('DROP TABLE IF EXISTS `Price`', $eo);
This change solved my problem.
The other error still persists; I have no idea what is causing it. This is what is in the log file:
[14-Jan-2017 19:22:10] PHP Warning: htmlspecialchars() [<a href='function.htmlspecialchars'>function.htmlspecialchars</a>]: Invalid multibyte sequence in argument in /home1/......../admin/incFunctions.php on line 935
Thanks,
Ahmed
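The point the developer makes above, and the before/after fix Ahmed posted, come down to PHP's handling of a required parameter that the caller did not supply. The following is an added example written for this thread, not AppGini's own sql() function or any code from the project: run_sql_strict() and run_sql() are stand-in wrappers, and the 'silentErrors' key, the find_price() helper and the `item`/`amount` columns on the Price table are assumptions. It assumes PHP 7.1 or later, where a missing required argument is an ArgumentCountError rather than the warning seen in the 2017 log.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical wrappers, NOT AppGini's sql()): what "Missing
// argument 2" means, how the caller fixed it, and how a wrapper can avoid it.

// Version A mirrors the call site from the thread: the second, by-reference
// parameter is required. Calling it with one argument produced the PHP Warning
// in the log on PHP 5.x/7.0 and throws ArgumentCountError on PHP 7.1+.
function run_sql_strict(string $statement, array &$options): string {
    $options['last'] = $statement;     // record the statement for the caller
    return $statement;
}

// Version B gives the by-reference parameter a default, so a fixed statement
// can be run without building an options array first.
function run_sql(string $statement, ?array &$options = null): string {
    $options ??= [];
    $options['last'] = $statement;
    return $statement;
}

// Caller-side fix exactly as posted in the thread: always pass the options
// array. ('silentErrors' is an assumed key name.)
$eo = ['silentErrors' => true];
run_sql_strict('DROP TABLE IF EXISTS `Price`', $eo);

// With version B the one-argument form no longer errors.
run_sql('DROP TABLE IF EXISTS `Price`');

// Reproduce the original mistake without killing the script.
try {
    run_sql_strict('DROP TABLE IF EXISTS `Price`');
} catch (ArgumentCountError $e) {
    echo 'Caught: ', $e->getMessage(), PHP_EOL;
}

// The injection question is separate from the argument count: it is about how
// the statement text is built. The hook's DROP TABLE is a fixed literal with
// no user input in it. If a hook ever needs a user-supplied value, bind it as a
// parameter instead of concatenating it (assumed table layout).
function find_price(mysqli $db, string $item): ?array {
    $stmt = $db->prepare('SELECT `amount` FROM `Price` WHERE `item` = ?');
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('s', $item);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```

Running the script prints the caught ArgumentCountError message for the one-argument call to run_sql_strict(); find_price() is only defined here, since it needs a live mysqli connection.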
Re: Security Issue! Missing argument 2 for sql()
I just managed to pinpoint which file is causing the PHP Warning: htmlspecialchars().
Taking a look at the code, only one thing is different in this hook file:
It is using aes_decrypt
cast(aes_decrypt(`Client`.`EncName`, "9A4E8B695586652E4FDA73AA6XXXXXXXDECRYPTKEY") as CHAR(200))
That is what is causing the warning.
I will need to check that further to see if I can do something about it.
The client names are always encrypted in the database, and the decryption is only done on the fly using the function Clients_init to show unencrypted names.
Any help in this would be appreciated.
Re: Security Issue! Missing argument 2 for sql()
Ahmed, thanks for the update. So, if I understand correctly, this error was due to code placed in a hook file rather than code generated by AppGini, right?
Regarding the CAST statement where you pinpointed the htmlspecialchars() error, I guess you need to specify the encoding after "CHAR(200)". Please refer to this page for details: https://dev.mysql.com/doc/refman/5.7/en ... on_convert
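To make the developer's suggestion concrete: the warning appears when htmlspecialchars() is handed bytes that are not valid UTF-8, which is what the page gets if the decrypted value comes back from MySQL without a declared character set, or is cut off mid-character. The following is an added example written for this thread, not code from AppGini or from either poster. It shows the failure on a constructed sample string, a hardened PHP-side escape, and the query-side fix with the character set named after CHAR(200). The Client table and EncName column are from the thread; the `name` alias, the fetch_names() helper and the use of a bound parameter for the key are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from AppGini.

// Constructed sample: a UTF-8 name cut off in the middle of a 2-byte character.
// "Müller" is the bytes 4d c3 bc 6c 6c 65 72; keeping only the first two
// leaves "M" followed by a lone lead byte 0xC3, which is not a valid sequence.
$valid   = "M\u{00FC}ller";
$invalid = substr($valid, 0, 2);

// Is the value safe to treat as UTF-8 text at all?
function is_valid_utf8(string $s): bool {
    return mb_check_encoding($s, 'UTF-8');
}

// Escaping the way older PHP did it: on PHP 5.4+ an invalid sequence makes
// htmlspecialchars() return '' (earlier versions emitted the warning from the
// log instead). Either way the name silently disappears from the page.
function escape_legacy(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened escaping: ENT_SUBSTITUTE replaces each invalid byte with U+FFFD so
// the rest of the string still renders and the bad row is visible.
// (PHP 8.1+ includes ENT_SUBSTITUTE in the default flags; older versions do not.)
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

var_dump(is_valid_utf8($valid));      // bool(true)
var_dump(is_valid_utf8($invalid));    // bool(false)
var_dump(escape_legacy($invalid));    // string(0) ""
var_dump(escape_html($invalid));      // string(4) "M�"  (M + the 3-byte U+FFFD)

// Query-side fix, following the developer's advice: name the character set
// after CHAR(200) so MySQL returns text in a known encoding rather than raw
// bytes labelled with whatever the connection default happens to be. The key
// is bound as a parameter instead of being written into the statement.
function decrypt_name_sql(): string {
    return 'SELECT CAST(AES_DECRYPT(`Client`.`EncName`, ?) AS CHAR(200) CHARACTER SET utf8mb4) AS `name`'
         . ' FROM `Client`';
}

function fetch_names(mysqli $db, string $key): array {
    $stmt = $db->prepare(decrypt_name_sql());
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('s', $key);
    $stmt->execute();
    $names = [];
    foreach ($stmt->get_result() as $row) {
        // Still validate: a wrong key yields NULL or garbage, so never trust the
        // decrypted bytes blindly before they reach htmlspecialchars().
        $names[] = is_valid_utf8((string) $row['name']) ? $row['name'] : null;
    }
    return $names;
}
```

The var_dump() lines run offline and show the difference between the two escaping functions on the truncated sample; fetch_names() needs a live mysqli connection and is only defined here. CONVERT(expr USING utf8mb4), from the MySQL page the developer links, is the equivalent of the CHARACTER SET clause used in decrypt_name_sql().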
Re: Security Issue! Missing argument 2 for sql()
In my case YES, that is why I posted the before and after code, in case someone else has the same message in their log file.
Thanks for the tip about CAST, I will check that.