MixPHP Framework SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability exists in MixPHP Framework versions 2.x through 2.2.17. The issue arises in the 'data' function of BuildHelper.php, where user-supplied data is directly concatenated into SQL queries without proper parameterization. This flaw allows attackers to manipulate the query structure and potentially execute arbitrary SQL commands.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a crafted 'data' array to the 'data' function in BuildHelper.php. The array can include keys and values that will be directly inserted into SQL 'INSERT' or 'UPDATE' statements without any sanitization or parameterization. This can be done by creating a MixPHP project and using the query builder to pass the malicious data array.
Remediation
To address this vulnerability, update the query builder to use PDO prepared statements, which properly handle parameterization. For SQL identifiers such as table and column names, implement validation against an allowlist derived from the database schema before interpolation.
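One way to apply both remediation points, shown as an added example that is not MixPHP's code or the project's actual fix. The helper names allowedColumns and safeInsert, the users table and the sample inputs are constructed for illustration, and the schema lookup assumes SQLite through pdo_sqlite.

```php
<?php
declare(strict_types=1);
// Hypothetical helper: column allowlist for a table, read from the SQLite catalog.
function allowedColumns(PDO $pdo, string $table): array
{
    // Confirm the table exists; the name is bound, never interpolated.
    $t = $pdo->prepare("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?");
    $t->execute([$table]);
    if ($t->fetchColumn() === false) {
        throw new InvalidArgumentException('table not in schema');
    }
    // pragma_table_info() is a table-valued function, so its argument can be bound too.
    $c = $pdo->prepare('SELECT name FROM pragma_table_info(?)');
    $c->execute([$table]);
    return $c->fetchAll(PDO::FETCH_COLUMN);
}

// Hypothetical helper: INSERT with allowlisted identifiers and bound values.
function safeInsert(PDO $pdo, string $table, array $data): int
{
    $allowed = allowedColumns($pdo, $table);
    $cols = array_keys($data);
    if ($cols === [] || array_diff($cols, $allowed) !== []) {
        throw new InvalidArgumentException('column not in schema allowlist');
    }
    // Identifiers are validated above, then quoted; values only ever travel as parameters.
    $q = fn($id) => '"' . str_replace('"', '""', (string) $id) . '"';
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $q($table),
        implode(', ', array_map($q, $cols)),
        implode(', ', array_fill(0, count($cols), '?'))
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($data));
    return $stmt->rowCount();
}

// Constructed demo on an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
// Constructed input: a value containing SQL syntax is bound and stored as plain text.
safeInsert($pdo, 'users', ['name' => "x'); --", 'email' => 'a@example.test']);
echo $pdo->query('SELECT name FROM users')->fetchColumn(), "\n";
// Constructed input: a key that is not a schema column is rejected before any SQL is built.
try {
    safeInsert($pdo, 'users', ['name) --' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same allowlist check applies to the column names in an UPDATE's SET clause; on other databases the allowlist would come from that engine's catalog (for example information_schema) instead of the SQLite pragma.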
