Need expert advice: SQL injection in new component

17 years 11 months ago #13745 by Raj
I'm working on a search component that takes an SQL query as input at the end of the URL...something like:

www.MySite.com?option=com_avatarmatrix?task=show&sqlquery=[whatever]

It outputs a matrix of user avatars. But...does this create an opportunity for SQL injection? In other words, could a mischievous user jigger the sqlquery passed to drop tables, etc.?

I don't know enough about this to know one way or another.

Roger


17 years 11 months ago #13746 by Caspar
Why do you need to send a complete SQL?

Let's say you have this SQL statement:

SELECT name FROM addresses WHERE id=uid

just an example.

Then you could send:

&select=name&from=addresses&where=uid

and then reconstruct the SQL query...

This way you should also be safe from attacks!

Do me a favour and go to www.st-sebastian-beckum.de and click on the green image, which says TOP 50, and vote for the page. Thanks!


17 years 11 months ago #13821 by Raj
By passing the whole query at the end of the URL, you could say...

"Give me a list of all female optometrists in Los Angeles who specialize in dry eye conditions"

...for example.

I don't know how to translate that into an SQL statement, because I'm just starting to learn this.

My question is whether this approach is safe, or whether it exposes the site to SQL injections.

Roger


17 years 11 months ago #13825 by Caspar
If you pass the whole SQL string you of course expose the site to SQL injections. You could change the statement and delete something, add a user or whatever you like.
If you do it the way I proposed, you should be fine.
You can also hide the whole query by using POST instead of GET. I am not sure which one was the right one. Just give it a try.

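The split-parameter scheme Caspar proposes in his first reply (select, from and where sent separately and the query rebuilt server-side) and the point in his second reply that a whole SQL string from the URL is injectable can be made concrete in code. The following is an added example, not code from this thread or from Joomla; it is written in Python with the standard sqlite3 module rather than the PHP a Joomla component would use, and the `addresses` table, its rows and the `ALLOWED_COLUMNS` map are constructed for the example. The two protections it shows are the ones the split scheme needs to actually be safe: identifiers (table and column names) are accepted only by exact allowlist match, because a database driver cannot bind them as parameters, and the comparison value is bound as a `?` parameter so it can never become part of the SQL text.

```python
import sqlite3
from typing import Sequence

# Allowlist of tables and the columns a request may name.
# Constructed for this example; a real component would derive it from its schema.
ALLOWED_COLUMNS = {
    "addresses": ("id", "name", "city"),
}


def _check_identifier(name: str, allowed: Sequence[str], kind: str) -> str:
    """Return `name` only if it is exactly one of the allowlisted identifiers.

    Table and column names cannot be passed as bound parameters, so the only
    safe way to take them from a URL is an exact match against a fixed list.
    """
    if name not in allowed:
        raise ValueError(f"{kind} {name!r} is not permitted")
    return name


def build_query(select: str, table: str, where_col: str) -> str:
    """Rebuild `SELECT <cols> FROM <table> WHERE <col> = ?` from the separate
    select / from / where URL parameters.

    Only allowlisted identifiers are spliced into the SQL text; the value the
    column is compared against stays a `?` placeholder for the driver to bind.
    """
    table = _check_identifier(table, tuple(ALLOWED_COLUMNS), "table")
    cols = [_check_identifier(c.strip(), ALLOWED_COLUMNS[table], "column")
            for c in select.split(",")]
    where_col = _check_identifier(where_col, ALLOWED_COLUMNS[table], "column")
    return f"SELECT {', '.join(cols)} FROM {table} WHERE {where_col} = ?"


def search(conn: sqlite3.Connection, select: str, table: str,
           where_col: str, value: str) -> list:
    """Run the request against `conn`, binding `value` as data, not SQL."""
    sql = build_query(select, table, where_col)
    return conn.execute(sql, (value,)).fetchall()


def sample_db() -> sqlite3.Connection:
    """In-memory database with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addresses (id INTEGER, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO addresses VALUES (?, ?, ?)", [
        (1, "Ada", "Los Angeles"),
        (2, "O'Brien", "Beckum"),
        (3, "Raj", "Los Angeles"),
    ])
    return conn


if __name__ == "__main__":
    db = sample_db()
    # Parameters as they would arrive from ?select=name&from=addresses&where=city
    print(search(db, "name", "addresses", "city", "Los Angeles"))
    # A quote inside the value is harmless because it is bound, never spliced in.
    print(search(db, "id,city", "addresses", "name", "O'Brien"))
    # A column that is not allowlisted is refused before any SQL is built.
    try:
        build_query("name", "addresses", "password")
    except ValueError as e:
        print("rejected:", e)
```

Two caveats follow from this. First, splitting the query into select/from/where parameters is only safe if each part is validated as above; concatenating `where=...` straight into the statement would leave the same hole as passing the whole query. Second, moving the parameters from the URL (GET) into the request body (POST) only changes where they travel, not whether they are trusted, so it does not by itself prevent injection.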


17 years 11 months ago #13828 by Raj
Thanks Caspar, I'll follow your advice. :) I just released a beta of the module in another thread.

I want to turn it into a component, but apparently it's easy to construct the backend interface for a module through the XML setup file, but for a component, you have to build the backend interface through code.

Raj
