Be aware that directly using the results of the param function as key/value pairs for a hash opens up an interesting attack vector if you have more than one key/value pair. Assume the above code and the following query, which doubles the title parameter to whack the key/value pairing off by one, turning all subsequent keys into values and all subsequent values into keys:
?title=foo;title=user;bar=
This would send off the following query instead:
$db->delete('music', { title => 'foo', user => undef });
In this specific case, the attack isn't effective obviously, as you can still only add more restrictions on what rows to delete, instead of widening the query. If the attacker can guess one of the parameters that need to be overridden, this still can be an effective attack:
$db->insert('users', { is_admin => 0, user => param('username') });
Here, the attacker can easily overwrite admin to any value they want by supplying an appropriately formatted query:
?user=corion;user=is_admin;user=1
So, I think that one should never use the results of param() directly in another list that will get passed on without further scrunity. Note that no parameter validation that validates a single parameter will protect you against this vector. |