views: 843

answers: 1

Hello guys, I've been using CodeIgniter for 3 months, and today I discovered an error in my pagination script:

 // Restrict the result to the current user's rows, newest first
 $this->db->where("by_id", $user_id);
 $this->db->order_by("date", "desc");
 // $from is taken straight from the URL segment (server/demo/page/10)
 $this->db->limit(10, $from);
 $query = $this->db->get("status");

Well, the URL looks like this: server/demo/page/10

So if a user types server/nedjma/baniss/1000000000000000000000, I get:

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1000000000000000000000, 10' at line 5

SELECT * FROM (status) WHERE by_id = '58' ORDER BY date desc LIMIT 1000000000000000000000, 10

Exactly like this website, which is made with CodeIgniter too: [removed]

Can you tell me please, what's the bug?

Thank you :)

+3 A:

It's not a CodeIgniter vulnerability or bug. It's simply an SQL/MySQL issue. I did a little testing with phpMyAdmin, the largest offset you can use is somewhere around 18000000000000000000.

Anything larger, and you will get an SQL syntax error. If you want to prevent this error from happening, just check to make sure $from isn't greater than 18 x 10^18, or create your own custom error pages. You could also just turn error reporting off - at the top of CI's index.php, error_reporting(0);

One final note - the code you posted isn't open to SQL injection. CodeIgniter's Active Record class escapes and checks your input for you. If $from is not a number, then Active Record won't generate a LIMIT clause when creating the SQL.

jimyi
I agree, it's a valid number, just too large for MySQL; do a check for a maximum and this should be eliminated.
Jakub
Thank you jimyi :)
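One way to apply the "check for a maximum" advice from the answer and comment above, as an added example that is not code from the original post or from CodeIgniter: the helper name sanitize_offset() and its parameters are hypothetical, and the input values are constructed.

```php
<?php
// Added example, not from the original post or from CodeIgniter itself.
// Hypothetical helper: turn a raw URL segment into an offset that is safe to
// pass as the second argument of $this->db->limit($per_page, $offset).

/**
 * Return an integer offset in [0, last page offset] for a raw URL segment.
 * Anything that is not a plain run of ASCII digits maps to 0 (first page).
 */
function sanitize_offset($raw_segment, $total_rows, $per_page = 10)
{
    // ctype_digit() rejects "", "-5", "10abc", "1e30", " 10"; the is_string()
    // guard avoids ctype_digit()'s legacy handling of non-string arguments.
    if (!is_string($raw_segment) || !ctype_digit($raw_segment)) {
        return 0;
    }

    // Drop leading zeros so the length comparison below is meaningful.
    $digits = ltrim($raw_segment, '0');
    if ($digits === '') {
        return 0;
    }

    // The question's segment (22 digits) overflows both MySQL's LIMIT range
    // (max 18446744073709551615) and PHP_INT_MAX (9223372036854775807 on
    // 64-bit). Compare as strings before casting so the cast never overflows.
    $max = (string) PHP_INT_MAX;
    $too_big = strlen($digits) > strlen($max)
        || (strlen($digits) === strlen($max) && strcmp($digits, $max) > 0);
    $offset = $too_big ? PHP_INT_MAX : (int) $digits;

    // Clamp to the first row of the last page: an oversized but numeric
    // offset then yields the final page instead of a MySQL 1064 error.
    $last_page_offset = intdiv(max($total_rows - 1, 0), $per_page) * $per_page;
    return min($offset, $last_page_offset);
}

// Constructed sample inputs; 57 rows at 10 per page gives last page offset 50.
$total_rows = 57;
foreach (['10', '1000000000000000000000', '-1', 'abc', '0000', '99'] as $seg) {
    printf("%-25s -> %d\n", $seg, sanitize_offset($seg, $total_rows));
}
```

In the controller, $from = sanitize_offset($this->uri->segment(3), $total_rows) before the $this->db->limit(10, $from) call keeps the generated SQL inside MySQL's accepted range.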