FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

codeigniter -- SQL injection vulnerability

Affected packages
codeigniter < 2.0.3

Details

VuXML ID b7d785ea-656d-11e5-9909-002590263bf5
Discovery 2011-08-20
Entry 2015-09-28

The CodeIgniter changelog reports:

An improvement was made to the MySQL and MySQLi drivers to prevent exposing a potential vector for SQL injection on sites using multi-byte character sets in the database client connection.

An incompatibility in PHP versions < 5.2.3 and MySQL > 5.0.7 with mysql_set_charset() creates a situation where using multi-byte character sets on these environments may potentially expose a SQL injection attack vector. Latin-1, UTF-8, and other "low ASCII" character sets are unaffected on all environments.

If you are running or considering running a multi-byte character set for your database connection, please pay close attention to the server environment you are deploying on to ensure you are not vulnerable.
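One way to act on the advice above, as an added example that is not CodeIgniter's or FreeBSD's own code: a mysqli connection helper that refuses a multi-byte client charset unless it can be set through the client library and then verified, so that real_escape_string() escapes with the same charset the connection uses. The function name db_connect_checked() and the list of multi-byte charsets are assumptions, and the code is written in PHP 5 style so it also runs on the older builds the advisory concerns.

```php
<?php
// Added example, not CodeIgniter or FreeBSD code. Connects with mysqli and
// refuses multi-byte client charsets unless the client library itself is
// told about them; that is what keeps real_escape_string() in sync with the
// connection. db_connect_checked() and the charset list are assumptions.

// Assumed list of charsets whose trailing bytes may contain 0x5c ("\") and so
// need charset-aware escaping. UTF-8 and latin1 are deliberately not listed.
function multibyte_charsets()
{
    return array('gbk', 'gb2312', 'big5', 'sjis', 'cp932', 'euckr');
}

function db_connect_checked($host, $user, $pass, $db, $charset)
{
    $charset   = strtolower($charset);
    $multibyte = in_array($charset, multibyte_charsets(), true);

    // PHP builds without mysqli_set_charset() can only emulate the charset
    // with "SET NAMES", which leaves the client library unaware of it; for
    // multi-byte charsets that is the vector the changelog describes.
    if ($multibyte && !function_exists('mysqli_set_charset')) {
        throw new RuntimeException(
            "charset '$charset' requires mysqli_set_charset(), which this PHP build lacks");
    }

    $mysqli = new mysqli($host, $user, $pass, $db);
    if ($mysqli->connect_errno) {
        throw new RuntimeException('connect failed: ' . $mysqli->connect_error);
    }

    // Set the charset through the client library, never with "SET NAMES".
    if (!$mysqli->set_charset($charset)) {
        throw new RuntimeException('set_charset failed: ' . $mysqli->error);
    }

    // Confirm the client library reports the requested charset; this is the
    // charset real_escape_string() will apply from now on.
    if (strtolower($mysqli->character_set_name()) !== $charset) {
        throw new RuntimeException('client charset mismatch after set_charset()');
    }

    return $mysqli;
}

// Usage (constructed values):
// $db = db_connect_checked('localhost', 'app', 'secret', 'shop', 'gbk');
// $safe = $db->real_escape_string($userInput);   // escaped with gbk rules
```

The same check applies to the legacy mysql extension via mysql_set_charset() and mysql_client_encoding(); CodeIgniter 2.0.3 is the release that made its drivers behave this way.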

References

FreeBSD PR ports/156486
URL https://codeigniter.com/userguide2/changelog.html