PHP MySQLi Database Class 2.9.2 SQL Injection

PHP MySQLi Database Class version 2.9.2 which is from joshcam suffers from a remote SQL injection vulnerability.

MD5 | 91d10b8a3c32ac8a868953e610dcaa2f aka v2.9.2 is
vulnerable to SQL injection in function Where() because of a special
"workaround" at line 971.

If $whereValue happens to be an array, its key is used as $operator to
build the query.
However, typical usage of the class looks like:

$db->where('ID', $_POST['id']);          // untrusted request value passed straight in as $whereValue
$name = $db->getValue('USERS', 'name');  // builds and runs SELECT name FROM USERS WHERE ...

The $whereValue is usually untrusted, and if there are no additional checks
such as is_numeric($_POST['id']) an attacker may inject SQL statements. For
example: id[= ? or 1=1 --]=0 (URL-encoded version for HTTP
POST: id%5B%3D%20%3F%20or%201%3D1%20--%5D=0)
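To make the mechanism concrete, here is an added example (written for this page, not code from the joshcam library or its author) with a hypothetical cut-down builder that follows the convention the advisory describes: an array passed as $whereValue is read as [operator => value], and the operator is interpolated into the SQL text. Beside it sits a hardened variant that takes the operator from an allowlist and refuses array input, together with the is_numeric() check the advisory mentions. The function names, the USERS/ID/name columns and the SQL shape are assumptions; the request payload is the one quoted above, run through parse_str() to show what PHP actually hands the application.

```php
<?php
// Added example, not the library's code. Hypothetical builder that mimics the
// "array value means [operator => value]" convention described in the advisory.
function buildWhereVulnerable(string $column, $whereValue): array
{
    $operator = '=';
    if (is_array($whereValue)) {
        $operator   = key($whereValue);     // untrusted array key becomes the operator
        $whereValue = current($whereValue);
    }
    // Only the value is a bound parameter; the operator is pasted in verbatim.
    return [
        'sql'    => sprintf('SELECT name FROM USERS WHERE %s %s ?', $column, $operator),
        'params' => [$whereValue],
    ];
}

// Hardened variant (also hypothetical): the operator is a separate argument
// checked against an allowlist, and array values are rejected outright.
function buildWhereHardened(string $column, $whereValue, string $operator = '='): array
{
    static $allowed = ['=', '!=', '<>', '<', '<=', '>', '>=', 'LIKE'];
    if (!in_array($operator, $allowed, true)) {
        throw new InvalidArgumentException("Unsupported operator: $operator");
    }
    if (is_array($whereValue)) {
        // Request input shaped like id[...]=0 must never reach the query text.
        throw new InvalidArgumentException("Scalar value expected for column $column");
    }
    return [
        'sql'    => sprintf('SELECT name FROM USERS WHERE %s %s ?', $column, $operator),
        'params' => [$whereValue],
    ];
}

// Constructed request body: the advisory's URL-encoded payload as PHP would
// decode it from a form POST. PHP turns id[...]=0 into a nested array.
parse_str('id%5B%3D%20%3F%20or%201%3D1%20--%5D=0', $post);
var_dump($post['id']);   // array(1) { ["= ? or 1=1 --"]=> string(1) "0" }

// Vulnerable path: the array key is spliced into the WHERE clause, the
// original comparison becomes "ID = ? or 1=1" and "--" comments out the rest.
$vuln = buildWhereVulnerable('ID', $post['id']);
echo $vuln['sql'], PHP_EOL;

// Defensive path: is_numeric() is false for arrays, so the value is rejected
// before any query text is built; a plain numeric id still goes through.
foreach ([$post['id'], '42'] as $candidate) {
    if (!is_numeric($candidate)) {
        echo "rejected: id is not numeric", PHP_EOL;
        continue;
    }
    $safe = buildWhereHardened('ID', $candidate);
    echo $safe['sql'], ' with params ', json_encode($safe['params']), PHP_EOL;
}
```

The point of the two paths is the order of checks: validating the shape of $_POST['id'] (scalar, numeric) happens before the builder sees it, and the builder itself never derives SQL syntax from caller data. A real deployment would use prepared statements for the value exactly as the library does; the defect is only that the operator position is not covered by the placeholder.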

08-03-2019 Sent an email to a.butenka at
and josh.lee.campbell at
13-03-2019 No response, created a public GitHub issue.
The maintainer replies "not a bug".
13-03-2019 Full disclosure list.

Jaroslav Lobačevski
