SQL Injections using JFactory::getDBO and setQuery()

by Jay Shri   Last Updated April 18, 2018 19:10 PM

$db = JFactory::getDBO();
$searchP = JRequest::getVar('key');
$sql = "SELECT name FROM people WHERE name LIKE " . "'%" . $searchP . "%'";

$db->setQuery($sql);
$fileR = $db->loadObjectList();

Will setQuery() throw an error for having two SQL statements in the same string?

For example, according to my code, is it possible to execute a drop table command by passing this query parameter or something similar:

key=a'; DROP TABLE people; # 

Furthermore will using something like

$db = JFactory::getDBO();
$query = $db->getQuery(true); 
$query->setLimit('1');
$query->select($db->quoteName('name'));
$query->from($db->quoteName('people'));
$query->like($db->quoteName($searchP));
$db->setQuery($query);

prevent injection since the query object's query limit is being set to 1?
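The issue in the first snippet is that `$searchP` is concatenated into the SQL string unquoted, so any quote character in `key` ends the string literal and the rest of the value becomes SQL. Joomla's mysqli driver sends one statement per `execute()` call, so a stacked `DROP TABLE` normally fails with a syntax error rather than running, but that is a property of the driver, not a defence: the attacker still controls the `WHERE` clause (`UNION`, boolean conditions, and so on). `setLimit()` only caps the number of rows returned and does nothing to the text of the query, and `quoteName()` wraps a value in backticks as if it were a column name, which is the wrong function for a search term. The fix is to quote the value with `$db->quote()` and, because it goes into a `LIKE` pattern, escape the `%` and `_` wildcards first. The following is an added example, not code from the question, written against the Joomla 3 database API; it assumes the `people` table and `name` column from the question and a component context where `JFactory` is available:

```php
<?php
// Added example (not from the original question): the lookup from the
// question rewritten so that user input never reaches the SQL text
// unquoted. Assumes Joomla 3.x (JFactory, JDatabaseQuery) and a table
// `people` with a column `name`, as in the question.

defined('_JEXEC') or die;

/**
 * Return the rows of `people` whose `name` contains $term.
 *
 * The pattern is escaped for the LIKE wildcards (% and _) and then quoted,
 * so a value such as  a'; DROP TABLE people; #  is matched literally
 * instead of being parsed as SQL.
 */
function findPeopleByName($term)
{
    $db = JFactory::getDbo();

    // escape($text, true) additionally escapes % and _ so the caller cannot
    // widen the pattern; quote($text, false) then wraps the result in quotes
    // without escaping it a second time.
    $pattern = $db->quote('%' . $db->escape($term, true) . '%', false);

    $query = $db->getQuery(true)
        ->select($db->quoteName('name'))
        ->from($db->quoteName('people'))
        ->where($db->quoteName('name') . ' LIKE ' . $pattern);

    $db->setQuery($query);

    return $db->loadObjectList();
}

// Read the request parameter through JInput. getString() filters the value
// to a string but does not make it SQL-safe; the quoting above is what does.
$term = JFactory::getApplication()->input->getString('key', '');
$rows = findPeopleByName($term);
```

`quoteName()` is still used for the identifiers (`people`, `name`), which is what it is for; the search value goes through `escape()` and `quote()`. If you want to confirm the effect, dump `(string) $query` for a `key` value containing a single quote and check that the quote appears as `\'` inside the pattern rather than terminating it.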
