New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix check if table exists #16581
Fix check if table exists #16581
Conversation
@@ -37,7 +37,7 @@ public static function getTablesInstalled($forceReload = true) | |||
*/ | |||
public static function tableExists($tableName) | |||
{ | |||
return Db::get()->query("SHOW TABLES LIKE ?", $tableName)->rowCount() > 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do bind parameters not work there basically @sgiehl ? If we prefix below, then we could also do an equal =
comparison and not like?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couldn't find any reliable information on that, but found various reports that variables don't work in SHOW TABLES
query. Switching to an equal isn't possible in that case I guess as SHOW TABLES LIKE
is a predefined construct, at least I wouldn't know how to convert that to a where condition that works...
@@ -37,7 +37,7 @@ public static function getTablesInstalled($forceReload = true) | |||
*/ | |||
public static function tableExists($tableName) | |||
{ | |||
return Db::get()->query("SHOW TABLES LIKE ?", $tableName)->rowCount() > 0; | |||
return Db::get()->query(sprintf("SHOW TABLES LIKE '%s'", $tableName))->rowCount() > 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could maybe add a comment to the function to not use user input as table name to prevent SQL injections but that kind of applies everywhere for tables in Matomo anyway. At the same time might not hurt to mention it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could also just remove '
characters from $tableName?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this alone would probably not prevent injections. wouldn't hurt though to do it additionally.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
out of curiosity, what kind of value would get past that? I guess we could also remove '";
and the backtick characters?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@diosmosis it depends on the use cases and how it's used. Eg you could trick Matomo into thinking the table is there or not there, or find out what tables exist by changing the input, etc. Make use of _
and %
...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 that makes sense.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated.
fixes #16580