Support for the Medoo framework in PHP to detect SQL injection vulnerabilities

- What are you trying to accomplish?
SonarCloud being able to detect SQL Injections in code that uses the Medoo framework for SQL queries in PHP.
- Why does this matter to you?
We heavily rely on SonarCloud’s analysis and, for our codebase, it would be essential for it to support the PHP framework that we use to interact with MySQL, it’s called Medoo (an abstraction of PDO). It is a big problem for us that SonarCloud is not able to detect SQL Injections in our codebase due to the lack of Medoo framework support. It is a small framework and the method calls most prone to SQL Injection when misused are query() and raw().

Hello @lucasbeiler,

Thanks for participating in our community. I added your request to our backlog and will let you know once Medoo is supported.

Meanwhile, if you can provide a reproducer project containing some examples of SQL injection vulnerabilities involving Medoo that would definitely help.

Regards
Alex


Thanks.
The Medoo framework has several functions that interact with the database, but the dangerous ones that are prone to SQL Injection when misused are query() and raw(). I will attach examples of misuse of these ones below. Basically, we should ensure that variables containing user input (either partially or completely) are never interpolated/concatenated within the SQL query when calling the query() or raw() methods. It is simple, since Medoo is tiny. Medoo’s PHP package name is catfan/medoo.

  • query()
    It has two parameters, respectively, the SQL query structure (where user input should never be interpolated) as the 1st parameter and the array of input parameter values for the prepared statement binding as the 2nd parameter. The 2nd parameter is optional and, when lacking, indicates that prepared statements aren’t being used.

  • Example of misused query(): $dbMedooTest->query("SELECT * FROM ${table_name}")

  • Safe usage of query(): $dbMedooTest->query("SELECT * FROM :name", [':name' => $table_name])
    PS. Consider that $table_name is a variable made of user input (either partially or totally).
    PS. Also, $dbMedooTest is the instance of Medoo. (use Medoo\Medoo; $dbMedooTest = new Medoo([/*CONFIG ARRAY HERE*/]);)

Please note that query() and Medoo::raw() are different methods, but both expect the same two parameters as in the example above. Please, let me know if the examples above are enough and what’s the ETA until Medoo gets supported.
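The rule described in the thread (the first argument of query() or Medoo::raw() must be a fixed string; anything user-controlled belongs in the binding array) can be checked with a small lexical scan of PHP source. The script below is an added example, not code from the thread, from SonarCloud or from the Medoo project: it locates `->query(` and `::raw(` calls, extracts the first argument while respecting PHP string quoting and bracket nesting, and classifies it as a plain literal, a double-quoted literal with `$` interpolation, or a non-literal expression (concatenation or a bare variable). The PHP lines it scans are constructed for the example; `$dbMedooTest` and `$table_name` are the names used in the posts above, the other variable names are assumptions.

```python
import re

# Constructed sample PHP lines using Medoo (not taken from any real codebase).
SAMPLE_PHP = '''$dbMedooTest->query("SELECT * FROM ${table_name}");
$dbMedooTest->query("SELECT * FROM users WHERE id = " . $_GET['id']);
$dbMedooTest->query('SELECT * FROM users WHERE id = :id', [':id' => $_GET['id']]);
$rows = $dbMedooTest->select("account", "*", ["user" => Medoo::raw("'$name'")]);
$rows = $dbMedooTest->select("account", "*", ["user" => Medoo::raw("UPPER(:u)", [':u' => $name])]);
$stmt = $dbMedooTest->query("SELECT * FROM `users` WHERE id = :id", [':id' => $id]);
'''

# The two Medoo entry points the thread identifies as dangerous when misused.
CALL_RE = re.compile(r'(->query|::raw)\s*\(')


def first_argument(src, start):
    """Return the text of the first call argument beginning at `start`
    (the index just after the opening parenthesis). Quoted strings and
    nested brackets are skipped so commas inside them do not end the scan."""
    depth = 0
    quote = None
    i = start
    while i < len(src):
        c = src[i]
        if quote:
            if c == '\\':          # escape sequence inside a string literal
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
        elif c in '([{':
            depth += 1
        elif c in ')]}':
            if depth == 0:
                return src[start:i]
            depth -= 1
        elif c == ',' and depth == 0:
            return src[start:i]
        i += 1
    return src[start:]


def classify_sql_argument(arg):
    """Classify the SQL argument expression:
    'literal'       - one or more quoted strings only (constant SQL)
    'interpolation' - a double-quoted string containing an unescaped '$'
    'non-literal'   - any code outside string literals (concatenation, variable)"""
    arg = arg.strip()
    outside = []
    has_interpolation = False
    i = 0
    while i < len(arg):
        c = arg[i]
        if c in ('"', "'"):
            j = i + 1
            while j < len(arg) and arg[j] != c:
                if arg[j] == '\\':
                    j += 1             # skip the escaped character
                elif c == '"' and arg[j] == '$':
                    has_interpolation = True
                j += 1
            i = j + 1
        else:
            outside.append(c)
            i += 1
    if has_interpolation:
        return 'interpolation'
    if ''.join(outside).strip():
        return 'non-literal'
    return 'literal'


def scan_medoo_calls(src):
    """Return (line, call, classification) for every query()/raw() call."""
    findings = []
    for m in CALL_RE.finditer(src):
        line = src.count('\n', 0, m.start()) + 1
        kind = classify_sql_argument(first_argument(src, m.end()))
        findings.append((line, m.group(1), kind))
    return findings


def flagged_calls(src):
    """Only the calls whose SQL text is not a constant string."""
    return [f for f in scan_medoo_calls(src) if f[2] != 'literal']


if __name__ == '__main__':
    for line, call, kind in scan_medoo_calls(SAMPLE_PHP):
        print(f'line {line}: {call}( ... ) -> {kind}')
```

The scan is lexical, so it reports the three shapes the thread cares about (interpolation, concatenation, constant) without tracking where a variable's value came from; a real analyzer would add taint tracking from request sources to these two sinks. One caveat for the "safe usage" shown above: PDO placeholders bind values, not identifiers, so a table name cannot be supplied through the binding array on MySQL; the usual remedy for a user-chosen table is an allowlist of permitted names checked before the query is built.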