Vulnerability in an unused function

Should we report SQL direct concatenation when it appears inside an unused function?
Should we report it if it is used inside a function which does not receive user input?

Nice questions!!!

  • Please split it in two to allow divergent answers for each scenario.
  • Is the question constrained to SQLi only, or does it apply to each type of vulnerability that you find?

I am eager to see the answers from all the big minds here.

1 Like

The short answer is yes, keep reading.

Should we report SQL direct concatenation when it appears inside an unused function?

Yes, because sometimes there are functions that are being developed at the moment and if a function is not used right now it doesn’t mean that it won’t be used in the near future.

Should we report it if it is used inside a function which does not receive user input?

Yes, generally if a function doesn’t receive user input it’s because they pull the data from the database or a local variable, but if the string that is pulled has an SQLi query it will do the same damage.
You can check an example of this here.

Developers should always use prepared statements when they need to use variables in their queries.

3 Likes
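The second scenario above (a function that takes no request parameter but concatenates a value read back from the database, i.e. second-order SQL injection) is easy to reproduce. The following is an added example, not code from the original thread; the table names, the `collect_emails` batch job and the sample rows are all assumptions constructed for the demo, using an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data. The third username is an attacker-supplied payload
# that was stored earlier through a *parameterized* INSERT, so it sits in the
# table as plain data. Nothing goes wrong until it is read back and reused.
ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("mallory' OR '1'='1", "mallory@example.com"),
]


def make_db():
    """Build the demo database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    # Safe write: the payload lands in the column verbatim, as intended.
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def emails_for_user_vulnerable(conn, username):
    """Direct concatenation. `username` never came from a request, only
    from the database, yet the stored payload still rewrites the WHERE clause."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def emails_for_user_safe(conn, username):
    """Same lookup with a prepared statement: the value is bound as data."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def collect_emails(conn, lookup):
    """Hypothetical internal batch job. It receives no user input at all:
    every username it feeds to `lookup` is pulled from the users table."""
    names = [row[0] for row in conn.execute("SELECT username FROM users")]
    return {name: lookup(conn, name) for name in names}


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", emails_for_user_vulnerable),
                      ("safe", emails_for_user_safe)):
        print(label)
        for name, emails in collect_emails(db, fn).items():
            print("  ", repr(name), "->", emails)
```

Running it shows the concatenating version returning every email address for the stored payload row, because the query becomes `... WHERE username = 'mallory' OR '1'='1'`, while the parameterized version returns exactly one. The batch job has no "user input" parameter, which is the point: the sink is reachable as soon as any earlier write, however safe, lets attacker-controlled data into the table.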

@scathing-imp It would be nice to rename the topic and change the body according to the new scope!

@martial-wolf Help us to enforce the new rules by sending the warnings for splitting, naming convention, cli-verbatim vs images, etc., before answering.

1 Like

@scathing-imp did my reply clear your doubts? If the answer is yes, please mark the topic as solved and, if you want, give a like or some feedback. If you have more questions about the topic, don’t hesitate to ask.

@scathing-imp If this topic is solved, please mark it as such by checking the solution chart at the bottom of the post you consider properly answers your question. If not, please update the post with further information about the issue and/or the proposed solutions of the participants.