Php Mysql Query Unsanitized Table Name
Description
Detects potential SQL injection vulnerabilities in PHP applications where table names in mysql_query() calls are not properly sanitized. These vulnerabilities could allow attackers to manipulate database queries through user-controlled table names, potentially leading to unauthorized data access or manipulation of database structures.
Detection Strategy
• Identifies direct calls to the mysql_query() function in PHP code
• Examines the first argument passed to mysql_query() to check if it contains user-controlled or unsanitized data
• Reports a vulnerability when the table name in the query is dynamically constructed using unescaped or unsanitized variables
• Specifically focuses on table name injection rather than general SQL injection in WHERE clauses or other parts of the query
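A minimal version of this detection strategy, as an added illustration and not Fluid Attacks' own rule implementation: it finds mysql_query() calls on a line and flags only variables sitting in a table-name position (after FROM, INTO, UPDATE, JOIN or TABLE), whether interpolated into the string or concatenated onto it, while leaving variables in WHERE clauses alone. It assumes each call is written on a single line ending in `);`; the PHP sample is constructed for the demonstration.

```python
import re

# A mysql_query() call whose argument list closes on the same line.
CALL_RE = re.compile(r'mysql_query\s*\((.*)\)\s*;')

# A variable in the table-name slot of the SQL text. Accepts the
# interpolated forms  FROM $t  /  FROM `$t`  /  FROM {$t}  and the
# concatenated form  FROM " . $t . "  (the literal ends right after FROM).
TABLE_SLOT_RE = re.compile(
    r'\b(?:FROM|INTO|UPDATE|JOIN|TABLE)\s+`?'     # keyword introducing a table
    r'(?:"\s*\.\s*)?'                             # optional close-quote + concat
    r'(\$\w+(?:\[[^\]]*\])?|\{\$[^}]+\})',        # $var, $arr["k"] or {$var}
    re.IGNORECASE)


def find_table_name_injection(php_source: str):
    """Return (line_number, variable) for every mysql_query() call whose
    table name comes from a PHP variable. WHERE-clause variables are not
    reported: they are ordinary SQL injection, outside this rule's scope."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for call in CALL_RE.finditer(line):
            for slot in TABLE_SLOT_RE.finditer(call.group(1)):
                findings.append((lineno, slot.group(1)))
    return findings


# Constructed sample: two interpolated table names, one concatenated table
# name, one WHERE-only variable (not this rule's concern) and one static table.
SAMPLE_PHP = r'''<?php
$tablename = $_POST["table_name"];
$result = mysql_query("SHOW COLUMNS FROM $tablename");
$query  = mysql_query("SELECT * FROM $tablename WHERE id = $id");
$concat = mysql_query("SELECT * FROM " . $_GET["t"] . " LIMIT 1");
$where  = mysql_query("SELECT * FROM users WHERE name = '$name'");
$static = mysql_query("SELECT * FROM `audit_log`");
'''

if __name__ == "__main__":
    for lineno, var in find_table_name_injection(SAMPLE_PHP):
        print(f"line {lineno}: table name taken from {var}")
```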
Vulnerable code example
<?php
function show_table_data() {
    $tablename = $_POST["table_name"]; // Unsafe: direct use of user input
    $t = mysql_connect("localhost", "user", "pass");
    mysql_select_db("mydb", $t);
    $result = mysql_query("SHOW COLUMNS FROM $tablename"); // Vulnerable: SQL injection possible
    $query = mysql_query("SELECT * FROM $tablename"); // Vulnerable: SQL injection possible
}
Secure code example
<?php
function show_table_data() {
    try {
        // Validate that the input exists and is not empty
        if (!isset($_POST["table_name"]) || empty($_POST["table_name"])) {
            throw new Exception("Invalid table name provided");
        }
        ...