CVE-2018-18546
Description
ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ThinkPHP 3.2.4 has an SQL injection vulnerability in the order parameter due to improper handling of the key variable in the parseOrder function.
Vulnerability
ThinkPHP 3.2.4 contains a SQL injection vulnerability in the order parameter. The issue resides in the Library/Think/Db/Driver.class.php file within the parseOrder function, which builds the ORDER BY clause from the column name (the key variable) and sort direction of each order term. Before the fix, the function relied on a small character blacklist rather than validating the column name: values were rejected only if they contained '(' or ';', array keys only if they contained ')' or '#', and one code path applied no check at all. Any expression that avoided those characters, or reached the unchecked path, was handed to parseKey and emitted into the query. This allows an attacker who controls the order parameter to inject arbitrary SQL into the ORDER BY clause. Versions up to and including 3.2.4 are listed as affected [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request that includes a malicious order parameter. No authentication is required if the application passes that parameter through to the ORDER BY builder without its own validation. In the pre-fix string branch of parseOrder, a term without an ASC/DESC suffix was rejected only when it contained '(' or ';', while a term ending in ASC or DESC had everything before the suffix passed to parseKey with no check at all, so a parenthesised expression followed by a sort direction reached the generated SQL unchanged [2]. Because the injection point is inside ORDER BY, query results are not returned directly; in practice it is exploited with blind techniques (error-based or time-based), which ones apply depending on the database and driver configuration.
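The following is an added example, not code from the ThinkPHP project or from this page's references. It re-implements the string branch of parseOrder() as it appears before and after the fix commit in the patch shown further down this page, runs both versions over a few constructed order values, and prints the ORDER BY fragment each produces. The parseKey() function is a stand-in (an assumption, not the real MySQL driver's implementation): it backtick-quotes a bare identifier and passes anything else through unchanged, which is the behaviour the injection relies on.

```php
<?php
// Added example; not ThinkPHP's own code. The two parseOrder* functions copy the
// logic of the string branch of Driver.class.php::parseOrder() before and after
// commit 9748cb8, as shown in the diff on this page.

// ASSUMPTION: stand-in for the driver's parseKey(). A bare identifier is wrapped
// in backticks; anything containing quotes, parentheses, dots or whitespace is
// returned as-is. $strict is accepted only to match the post-fix call site.
function parseKey($key, $strict = false) {
    $key = trim($key);
    if (!is_numeric($key) && !preg_match('/[,\'"*()`.\s]/', $key)) {
        return '`' . $key . '`';
    }
    return $key;
}

// Pre-fix logic for a string $order (the '[RAND]' case is omitted). The '(' and
// ';' blacklist is applied only on the bare-column branch; the "expr ASC|DESC"
// branch passes the text before the suffix to parseKey() unchecked.
function parseOrderBefore($order) {
    if (empty($order)) return '';
    $array = array();
    foreach (explode(',', $order) as $val) {
        if (preg_match('/\s+(ASC|DESC)$/i', rtrim($val), $match, PREG_OFFSET_CAPTURE)) {
            $array[] = parseKey(ltrim(substr($val, 0, $match[0][1]))) . ' ' . $match[1][0];
        } elseif (false === strpos($val, '(') && false === strpos($val, ';')) {
            $array[] = parseKey($val);
        }
    }
    $order = implode(',', $array);
    return !empty($order) ? ' ORDER BY ' . $order : '';
}

// Post-fix logic: every term is split into key and direction, the key must match
// ^[\w]+$ and the direction must be exactly ASC or DESC; any other term is dropped.
function parseOrderAfter($order) {
    if (empty($order)) return '';
    $array = array();
    if (is_string($order) && '[RAND]' != $order) {
        $order = explode(',', $order);
    }
    if (is_array($order)) {
        foreach ($order as $key => $val) {
            if (is_numeric($key)) {
                list($key, $sort) = explode(' ', strpos($val, ' ') ? $val : $val . ' ');
            } else {
                $sort = $val;
            }
            if (preg_match('/^[\w]+$/', $key)) {
                $sort = strtoupper($sort);
                $sort = in_array($sort, ['ASC', 'DESC'], true) ? ' ' . $sort : '';
                $array[] = parseKey($key, true) . $sort;
            }
        }
    }
    $order = implode(',', $array);
    return !empty($order) ? ' ORDER BY ' . $order : '';
}

// Constructed inputs: two benign orderings and two carrying a parenthesised
// expression, one without and one with the ASC/DESC suffix.
$inputs = array(
    'id',
    'id DESC',
    'id,(SELECT 1)',        // old code: rejected by the '(' blacklist
    'id,(SELECT 1) DESC',   // old code: suffix branch skips the blacklist entirely
);
foreach ($inputs as $in) {
    printf("%-24s before: %-40s after: %s\n", var_export($in, true),
        parseOrderBefore($in) ?: '(empty)', parseOrderAfter($in) ?: '(empty)');
}
```

Run it with the PHP CLI. The last input is the one that matters: the pre-fix version emits the parenthesised expression into the ORDER BY clause because the "… DESC" branch never consults the blacklist, whereas the post-fix version splits it on the first space, fails the ^[\w]+$ check on the key and leaves only the `id` term.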
Impact
Successful exploitation allows an attacker to execute arbitrary SQL statements against the database. This can lead to unauthorized data disclosure, modification, or deletion, potentially compromising the entire application and its data [1].
Mitigation
The vulnerability was fixed in commit 9748cb8 [2], which replaces the character blacklist with a whitelist: each order term is split into a column name and a direction, the column name must match ^[\w]+$, and the direction must be exactly ASC or DESC; anything else is dropped from the clause. The GitHub advisory lists no patched release for topthink/framework, so users should update to a build of the 3.2 branch that contains this commit or apply the commit manually. Independently of the framework fix, application code should never pass a raw request parameter to the ORDER BY builder; map user-supplied sort fields onto a fixed list of allowed column names first. No other workarounds are documented.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| topthink/framework (Packagist) | <= 3.2.4 | — |
Affected products (1)
Patches (1)
1 file changed · +13 −13
ThinkPHP/Library/Think/Db/Driver.class.php+13 −13 modified@@ -758,29 +758,29 @@ protected function parseOrder($order) return ''; } $array = array(); + if (is_string($order) && '[RAND]' != $order) { + $order = explode(',', $order); + } + if (is_array($order)) { foreach ($order as $key => $val) { if (is_numeric($key)) { - if (false === strpos($val, '(') && false === strpos($val, ';')) { - $array[] = $this->parseKey($val); - } - } elseif (false === strpos($key, ')') && false === strpos($key, '#')) { - $sort = in_array(strtolower($val), array('asc', 'desc')) ? ' ' . $val : ''; + list($key, $sort) = explode(' ', strpos($val, ' ') ? $val : $val . ' '); + } else { + $sort = $val; + } + + if (preg_match('/^[\w]+$/', $key)) { + $sort = strtoupper($sort); + $sort = in_array($sort, ['ASC', 'DESC'], true) ? ' ' . $sort : ''; $array[] = $this->parseKey($key, true) . $sort; } } } elseif ('[RAND]' == $order) { // 随机排序 $array[] = $this->parseRand(); - } else { - foreach (explode(',', $order) as $val) { - if (preg_match('/\s+(ASC|DESC)$/i', rtrim($val), $match, PREG_OFFSET_CAPTURE)) { - $array[] = $this->parseKey(ltrim(substr($val, 0, $match[0][1]))) . ' ' . $match[1][0]; - } elseif (false === strpos($val, '(') && false === strpos($val, ';')) { - $array[] = $this->parseKey($val); - } - } } + $order = implode(',', $array); return !empty($order) ? ' ORDER BY ' . $order : ''; }
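Review bot: in the numeric-key branch, list($key, $sort) = explode(' ', strpos($val, ' ') ? $val : $val . ' ') mishandles a term with a leading space, which is exactly what explode(',', $order) produces for "id, name DESC": strpos() returns 0 (falsy), a trailing space is appended, the first element of the split is '' and the term fails ^[\w]+$ and is silently dropped. Two consecutive spaces ("id  DESC") likewise put '' into $sort and lose the direction, where the removed branch used ltrim()/rtrim() and a \s+ regex. Trim the term and split on a run of whitespace with a limit of 2, for example list($key, $sort) = array_pad(preg_split('/\s+/', trim($val), 2), 2, ''); (array_pad keeps list() quiet when there is no direction). Also note that ^[\w]+$ rejects dotted, table-qualified names such as u.id, which the removed branches passed to parseKey() without that restriction; after this change an ORDER BY on a joined table's column disappears from the query without any error. Either allow one dotted segment (^\w+(\.\w+)?$) or throw on an invalid key rather than ignoring it, since a silently dropped ORDER BY is hard to spot in testing.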
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- github.com/advisories/GHSA-j7g8-3qqg-8cvm (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-18546 (GHSA, advisory)
- 98587329.github.io/2018/10/09/thinkphp%E6%B3%A8%E5%85%A5%E5%88%86%E6%9E%90 (GHSA, web)
- 98587329.github.io/2018/10/09/thinkphp%E6%B3%A8%E5%85%A5%E5%88%86%E6%9E%90/ (MITRE, x_refsource_MISC)
- github.com/top-think/framework/issues/2613 (GHSA, web)
- github.com/top-think/thinkphp/commit/9748cb80d2f24c89218f358ca2f5ab88ee33396f (GHSA, web; MITRE, x_refsource_MISC)