Re: sql injection
Sugar seems to correctly escape the majority of the inputs given to it, both for html and sql, and thus is not vulnerable to sql injections. I say 'majority of the inputs' because there are a few instances where sugar double escapes, but that doesn't present a security issue. If you want to test this yourself, just go to any text field in sugar and try inputting something with a single or a double quote followed by sql syntax.
If you want to see the code for this, you can find it by fishing around the SugarBean.php file under data and DBHelper.php and DBManager.php files under include/database. Like anything in the core of Sugar these files are somewhat convoluted as far as extracting meaning, but you can get a general idea by looking at the save() function in SugarBean and the quotes() function in DBHelper and DBManager.
On that note, however, if you create custom code where you directly speak to the database, i.e. you use $bean->db->query(); (or even more grossly, mysql_connect() and mysql_query()), you can create a security hole if you are not careful. It's best to use the bean interface whenever possible.
Robert Beckman
Software Engineer
Mirth Corporation
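Added example (not code from the post above, and not SugarCRM's own code) showing the hole the post warns about: a custom $bean->db->query() call that concatenates request input, next to the same lookup routed through the DBManager's escaping. It assumes the Sugar DBManager exposes quote() and quoted() methods (these exist in SugarCRM's DBManager, but a stand-in is used here so the file runs outside Sugar), and that an Account bean has retrieve_by_string_fields(); the table/column names and the payload are constructed for illustration.

```php
<?php
// Stand-in for SugarCRM's DBManager escaping so this file runs outside Sugar.
// Assumption: the real DBManager::quote() escapes for the active driver and
// DBManager::quoted() wraps the escaped value in single quotes.
class StandInDBManager
{
    // Escape the characters that can terminate a single-quoted SQL literal.
    public function quote($s)
    {
        return str_replace(
            array('\\', "'", '"', "\0", "\n", "\r"),
            array('\\\\', "\\'", '\\"', '\\0', '\\n', '\\r'),
            $s
        );
    }

    public function quoted($s)
    {
        return "'" . $this->quote($s) . "'";
    }
}

// VULNERABLE: what the post describes. $name comes straight from the request
// and is concatenated into the statement passed to $bean->db->query().
function build_lookup_unsafe($db, $name)
{
    return "SELECT id FROM accounts WHERE name = '" . $name . "' AND deleted = 0";
}

// HARDENED: escape through the DBManager before concatenating. Inside Sugar
// this is $bean->db->quoted($name); staying on the bean interface altogether
// (e.g. $account->retrieve_by_string_fields(array('name' => $name))) is better
// still, because SugarBean does the escaping for you.
function build_lookup_safe($db, $name)
{
    return "SELECT id FROM accounts WHERE name = " . $db->quoted($name) . " AND deleted = 0";
}

// Crude check: does the literal close early? Count single quotes that are not
// preceded by a backslash; a well-formed statement with one literal has exactly two.
function literal_boundaries($sql)
{
    return preg_match_all("/(?<!\\\\)'/", $sql, $m);
}

// Constructed attacker input: closes the literal and appends its own predicate.
$payload = "x' OR '1'='1";
$db = new StandInDBManager();

$unsafe = build_lookup_unsafe($db, $payload);
$safe   = build_lookup_safe($db, $payload);

echo $unsafe, "\n";
echo "  unescaped quotes: ", literal_boundaries($unsafe), " (injection: literal closed early)\n";
echo $safe, "\n";
echo "  unescaped quotes: ", literal_boundaries($safe), " (value stays inside one literal)\n";
```

Run it with the PHP CLI; the first statement shows the attacker's OR clause spliced into the WHERE clause, the second shows the same input kept inside a single quoted literal. In a real Sugar module replace the stand-in with $bean->db and, wherever the lookup can be expressed as a bean retrieve or get_list() call, prefer that over hand-built SQL.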