VYPR
Critical severity · NVD Advisory · Published Jan 7, 2023 · Updated Aug 6, 2024

ttskch PaginationServiceProvider Demo index.php sql injection

CVE-2014-125029

Description

A vulnerability was found in ttskch PaginationServiceProvider up to 0.x. It has been rated critical. This vulnerability affects unknown code of the file demo/index.php of the component demo. Manipulation of the argument sort/id leads to SQL injection. Upgrading to version 1.0.0 addresses this issue. The patch is identified as 619de478efce17ece1a3b913ab16e40651e1ea7b. It is recommended to upgrade the affected component. VDB-217150 is the identifier assigned to this vulnerability.
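The advisory describes request parameters being interpolated into an ORDER BY clause. The following PHP is an added illustration, not code from the ttskch project or from the advisory: it places the pre-fix pattern beside a hardened builder that applies the two ideas of the fix commit (reduce direction to exactly ASC or DESC, and quote the column as an identifier) and additionally checks the column against an allow-list. The column names, the `OrderByBuilder` class and the sample inputs are assumptions made for this example; the identifier quoting mimics double-quote doubling rather than calling Doctrine DBAL.

```php
<?php
// Added example (not the project's code). Shows why raw request values must
// not be interpolated into ORDER BY, and one hardened alternative.

declare(strict_types=1);

final class OrderByBuilder
{
    /** @var string[] columns the demo may sort by (assumed names for this example) */
    private array $allowedColumns;

    public function __construct(array $allowedColumns)
    {
        $this->allowedColumns = $allowedColumns;
    }

    // Pre-fix pattern: both request values land in the SQL string unchanged.
    public static function vulnerable(string $sort, string $direction): string
    {
        return "select * from sample order by \"{$sort}\" {$direction}";
    }

    // Hardened: the column must be on the allow-list and is then quoted as an
    // identifier (embedded double quotes doubled, the same transformation a
    // DBAL quoteIdentifier() call performs for double-quoted dialects);
    // direction collapses to exactly ASC or DESC, as in the fix commit.
    public function build(string $sort, string $direction): string
    {
        if (!in_array($sort, $this->allowedColumns, true)) {
            throw new InvalidArgumentException("sort column not allowed: {$sort}");
        }
        $quoted = '"' . str_replace('"', '""', $sort) . '"';
        $dir = $direction === 'desc' ? 'DESC' : 'ASC';

        return "select * from sample order by {$quoted} {$dir}";
    }
}

// Constructed inputs (not taken from the advisory): one ordinary request and
// one whose direction value is not a valid keyword.
$builder = new OrderByBuilder(['id', 'name', 'created_at']);

foreach ([['name', 'desc'], ['id', 'ascending -- extra']] as [$sort, $dir]) {
    echo "raw:      " . OrderByBuilder::vulnerable($sort, $dir) . PHP_EOL;
    echo "hardened: " . $builder->build($sort, $dir) . PHP_EOL;
}

// A column that is not meant to be sortable is rejected before any SQL is built.
try {
    $builder->build('password', 'asc');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

Identifier quoting alone guarantees that the value cannot escape the identifier, but it still forwards whatever column name the client supplied to the database; the allow-list check above is what limits sorting to the columns the application intends to expose.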

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: ttskch/pagination-service-provider (Packagist)
Affected versions: < 1.0.0
Patched versions: 1.0.0


Patches

619de478efce

avoid sql injection on demo code

https://github.com/ttskch/PaginationServiceProvider · Takashi Kanemoto · Nov 4, 2014 · via ghsa
1 file changed · +3 −3
  • demo/index.php · +3 −3 · modified
    @@ -35,10 +35,10 @@
     
         $page = $request->get('page', 1);
         $limit = $request->get('limit', 10);
    -    $sort = $request->get('sort', 'id');
    -    $direction = $request->get('direction', 'asc');
    +    $sort = $app['db']->quoteIdentifier($request->get('sort', 'id'));
    +    $direction = $request->get('direction') === 'desc' ? 'DESC' : 'ASC';
     
    -    $sql = "select * from sample order by \"{$sort}\" {$direction}";
    +    $sql = "select * from sample order by {$sort} {$direction}";
         $array = $app['db']->fetchAll($sql);
     
         $pagination = $app['knp_paginator']->paginate($array, $page, $limit);
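Review bot: the new `$sort` line quotes whatever the client sent with `quoteIdentifier()`, which keeps the value inside the identifier but still passes any column name through to `select * from sample order by {$sort} {$direction}`; consider checking `$request->get('sort', 'id')` against a fixed list of sortable columns (falling back to `'id'`) before quoting, so that only intended columns reach the query. The `$direction` change is sound: the strict `=== 'desc'` comparison maps every other value to `'ASC'`, so no request value is interpolated there.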
    

