Flight PHP, SQL Injection via Array Keys, CVE (none) (Critical)

The vulnerability exists because `SimplePdo::insert()`, `::update()`, and `::delete()` directly concatenate the `$table` argument and the keys of the `$data` array into the SQL string without any identifier quoting or validation. No function like `quoteIdentifier()` is used, and no regex check against a safe pattern (e.g., `^[A-Za-z_][A-Za-z0-9_]*$`) is applied. This allows an attacker to control table names and column names through user-supplied array keys.
In a typical usage pattern documented in the framework, a controller forwards user input directly: `$db->insert('users', $request->data->getData())`. An attacker sends a JSON body with a crafted array key, such as `{"name, is_admin) VALUES (?, 1);-- ": "attacker_injected"}`. The `insert()` method builds the SQL via `sprintf("INSERT INTO %s (%s) VALUES (%s)", $table, implode(', ', array_keys($data)), implode(', ', $placeholders))`. The array key becomes part of the column list, producing: `INSERT INTO users (name, is_admin) VALUES (?, 1);-- ) VALUES (?)`. The SQL comment `--` discards the rest of the query, and the effective statement becomes `INSERT INTO users (name, is_admin) VALUES (?, 1)`. The bound value `'attacker_injected'` fills the first placeholder, and `is_admin` is set to 1.
Similarly, `update()` concatenates user-controlled column names in the `SET` clause, and `delete()` concatenates the `$where` parameter (raw SQL) directly. A proof-of-concept `$db->update('users', ['is_admin' => 1], "id = 1 OR 1=1")` sets admin for all rows. The `$where` parameter also allows UNION-based exfiltration or full table deletion. The patch (version 3.18.1, commit b8dd23a) introduces `requireSafeIdentifier()`, which validates identifiers against `^[A-Za-z_][A-Za-z0-9_]*$` before interpolation.
Platform: Flight PHP/SimplePdo
Version: before 3.18.1
Vulnerability: SQL Injection (Keys)
Severity: Critical
Date: 2026-05-06

Prediction: Released in 3.18.1

What Undercode Say:

Identify vulnerable endpoint using array key injection
curl -X POST http://target.com/register \
-H "Content-Type: application/json" \
-d '{"name, is_admin) VALUES (?,1);-- ": "hacker"}'
Check if update() allows WHERE injection
curl -X POST http://target.com/update_profile \
-d "id=1&is_admin=1&where=id+OR+1%3D1"

Exploit:

Send JSON with a column-named key containing `, extra_column) VALUES (?,1);--` to insert admin. For update(), pass array keys as arbitrary columns. For delete(), inject `1=1` or `UNION SELECT …` into $where.

Protection from this CVE:

Upgrade to Flight PHP ≥ 3.18.1. If patching is impossible, validate all table and column names against `^[A-Za-z_][A-Za-z0-9_]*$` before passing them to any `SimplePdo` method. Never forward raw request data keys into the `$data` or `$table` arguments.
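The check described above, as an added example that is not Flight PHP's own code: a `requireSafeIdentifier()` written here from the advisory's regex (the project's real implementation may differ), shown beside the unsafe `sprintf` pattern from the write-up and a hardened insert builder that validates every identifier and keeps values bound. The request bodies are constructed for the demonstration.

```php
<?php
// Identifier allow-list in the spirit of the 3.18.1 fix (this implementation is an
// assumption, not the project's code): a letter or underscore, then letters, digits, underscores.
function requireSafeIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException('Unsafe SQL identifier: ' . json_encode($name));
    }
    return $name;
}

// Vulnerable shape as described in the advisory: $table and the array keys are
// interpolated into the statement text with no validation.
function buildInsertUnsafe(string $table, array $data): string
{
    $placeholders = array_fill(0, count($data), '?');
    return sprintf("INSERT INTO %s (%s) VALUES (%s)", $table,
        implode(', ', array_keys($data)), implode(', ', $placeholders));
}

// Hardened shape: every identifier passes requireSafeIdentifier() before it reaches
// the SQL string; values are returned separately so the caller binds them via PDO.
function buildInsertSafe(string $table, array $data): array
{
    if ($data === []) {
        throw new InvalidArgumentException('No columns to insert');
    }
    $columns = array_map('requireSafeIdentifier', array_keys($data));
    $sql = sprintf("INSERT INTO %s (%s) VALUES (%s)",
        requireSafeIdentifier($table),
        implode(', ', $columns),
        implode(', ', array_fill(0, count($columns), '?')));
    return [$sql, array_values($data)];
}

// Constructed inputs: the crafted key from the advisory and a benign registration body.
$malicious = ["name, is_admin) VALUES (?, 1);-- " => 'attacker_injected'];
$benign    = ['name' => 'alice', 'email' => 'alice@example.com'];

// The unsafe builder lets the key rewrite the column list and the VALUES clause.
echo buildInsertUnsafe('users', $malicious), PHP_EOL;

// The safe builder accepts ordinary keys ...
[$sql, $params] = buildInsertSafe('users', $benign);
echo $sql, PHP_EOL;

// ... and rejects the crafted key before any SQL is assembled.
try {
    buildInsertSafe('users', $malicious);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```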

Impact:

Privilege escalation (attacker creates admin account), arbitrary column overwrites, full table data destruction, and data exfiltration via UNION‑based SQL injection in the `$where` parameter.

Sources:

Reported By: github.com