SQL Injection detected

Question

I was loading my sites front end and watching the responses in burpsuite when I noticed a response which contained a very verbose sql error

    "message": "SQLSTATE[22P02]: Invalid text representation: 7 ERROR:  invalid input syntax for type bigint: \"1test\" (SQL: select * from \"passengers\" where \"passengers\".\"id\" = 1test limit 1)",
    "exception": "Illuminate\\Database\\QueryException",

My question is whether an attacker could inject inside the int value expected by the sql engine.

PS. The error is also sent to the frontend - see pic

• System is Laravel

Answer 1

A direct injection is unlikely, since the error is caused by what ought to have been a bigint being cast to a bigint, and raising an exception. So, it's pretty clear that only bigints are going to pass that particular hurdle.

But you have at least one potential problem just right there - what happens if someone passes a valid id for something they shouldn't be able to access? This kind of query seems as it should have some form of validation. Some systems allow replacing parameters with an encrypted form of the same (i.e. instead of type=summary&id=12345 you would get enc=73a33390e99459324cc2e9c741dd831891638a50fc62ad6f91556f6a0c7621c1 and, of course, replacing characters at random would get rejected out of hand), some others use a simpler hash validation (e.g. type=summary&id=12345&hash=65823ce5).

Also, errors being passed back to the UI are bad. They're bad for the aesthetics, as they give a stronger impression of unreliability, and they're bad for the information they might disclose. That, at least, ought to be fixed urgently.

Answer 2

It depends on the code.

If you use raw strings like this

...->select( ... )->whereRaw( "id = " . $id )

then your code is vulnerable to SQL injection.

If you use parametrized queries like this

...->select( ... )->whereRaw( "id = ?", $id )

then SQL injection in such code is not possible.