Hi.
I would like to learn more about the actual impacts of SQL injection risks in Moodle.
Sometimes when a security issue related to SQL injection is reported, it mentions potential risks such as updating existing database records, deleting them or inserting new ones. I would like to understand how exactly it could work with SELECT queries.
Moodle's own documentation on SQL injection seems to spread some fear, uncertainty, and doubt in its example which I don't think is actually right.
From how I read the code, all Moodle database drivers throw an exception whenever there is an attempt to execute multiple statements ("cannot insert multiple commands into a prepared statement").
So let's say we have a code like this:
// DO NOT DO THIS, IT IS AN EXAMPLE OF BADLY WRITTEN CODE.
$id = $_GET['id'];
$r = $DB->get_records_sql('SELECT * FROM {config} WHERE id = ' . $id);
Now. I do understand how the attacker can submit values such as 3 OR 1=1 or 0 UNION SELECT ... etc. and make that statement return other / more records, data from other tables and things like that. Depending on the actual code, this can easily leak content that would not normally be available, such as someone else's assignment submission, quiz attempt data, an admin password reset token and so on. These are all valid and serious security issues and must be fixed (typically by input validation and placeholders in the query).
I would like to know if there is a way that SQL injection bugs in read statements could potentially be abused for directly modifying the database. By directly, I mean that the attacker can of course amend the returned data, and the following code can perform certain actions based on that data (such as iterating through it in a loop and doing other actions etc.). That risk is clear to me. What I cannot see is a way the attacker could replace these SELECT statements with UPDATE / CREATE / DELETE ones.
Please don't get me wrong, my intention is not to lower the importance or impact of SQL injections in SELECT queries. I would just like to be sure I understand the actual mechanics well. Thank you for sharing your experience.
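As an added illustration (not part of the original post and not Moodle core code), here is the concatenated query from the post beside the form the post's own fix suggests: type validation at the request boundary plus a placeholder parameter in the query. It assumes a normal Moodle page context, i.e. `config.php` has been included so `$DB` and `required_param()` are available; the relative path to `config.php` and the function names `fetch_config_unsafe` / `fetch_config_safe` are assumptions for this example.

```php
<?php
// Added example, not from the original post and not Moodle core code.
// Assumption: this script lives one directory below the Moodle dirroot.
require_once(__DIR__ . '/../config.php');

// Vulnerable form, as written in the post. The raw request value is spliced
// into the SQL text, so a value such as "3 OR 1=1" becomes part of the WHERE
// clause and the statement matches every row of the config table.
function fetch_config_unsafe(string $rawid): array {
    global $DB;
    return $DB->get_records_sql('SELECT * FROM {config} WHERE id = ' . $rawid);
}

// Hardened form. The value arrives as an int (see required_param() below) and
// is passed as a named placeholder, so the driver binds it as data rather than
// appending it to the SQL text: the query compares the id column with one
// literal value and nothing else.
function fetch_config_safe(int $id): array {
    global $DB;
    return $DB->get_records_sql(
        'SELECT * FROM {config} WHERE id = :id',
        ['id' => $id]
    );
}

// Boundary validation: required_param() with PARAM_INT coerces the request
// value to an integer (non-numeric input does not survive the cast), and throws
// a moodle_exception if the parameter is missing. The string "3 OR 1=1" can
// therefore never reach the query layer as SQL text.
$id = required_param('id', PARAM_INT);
$rows = fetch_config_safe($id);

// For this particular lookup, the simplest safe call in Moodle's DB API is the
// equivalent $DB->get_record('config', ['id' => $id]); the SQL form above is
// kept only to mirror the post's get_records_sql() example.
```

Placeholders address the injection itself; the `PARAM_INT` coercion is the second layer the post mentions, and it is also what keeps the value type-correct for the `int` signature.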