Hello,
First of all, I apologize if this is a very basic question, but I only started playing with Elixir last week, and my knowledge of Elixir and Phoenix is minimal.
I am creating a web app based on Elixir / Phoenix that is on purpose vulnerable to several web attacks. What I am trying to achieve now is a basic SQL injection, but it seems that Phoenix is using parameterized queries, which makes it impossible to have an SQL injection.
The code so far looks like this:

    content = Ecto.Adapters.SQL.query!(
      MyApp.Repo, "SELECT name,data from contents WHERE name=$1", [params["name"]]
    )

If I execute the code with a typical SQL injection string like ' OR '1' = '1
then Phoenix replies with:

    SELECT name,data from contents WHERE name=$1 ["' OR '1' = '1"]

If I execute the code with some valid name, then I see this:

    SELECT name,data from contents WHERE name=$1 ["Per"]
    [["Per", "This is a test"]]

Which is what I would expect from this query.
So, my question is: is there a way to write the query code to make this SQL injection viable?
In Python, it was as simple as:

    if request.method == 'POST':
        input = request.POST.get('input')
        query = "SELECT * from levels_content WHERE name = '%s'" % input
        result = Content.objects.raw(query)

Again, apologies if this is a very basic question, and thanks in advance for the help.
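As an added illustration (not code from the poster), the two query shapes side by side in Elixir: the parameterized form from the post, which keeps the input as data, and the string-interpolated form that mirrors the Python snippet, which is what makes the input part of the SQL text. It assumes `MyApp.Repo` and a `contents(name, data)` table exactly as in the post; `lookup/1` is the form to keep in any real application.

```elixir
defmodule MyApp.Contents do
  # Assumes MyApp.Repo and a `contents` table with `name` and `data` columns,
  # as in the post. Only lookup/1 is safe; lookup_unsafe/1 reproduces the
  # Python string-formatting pattern for the deliberately vulnerable training app.
  alias Ecto.Adapters.SQL

  # Parameterized: the SQL text and the value travel separately, so the database
  # parses "WHERE name = $1" once and then binds the input purely as a value.
  # Quotes or keywords in the input can never change the statement's structure.
  def lookup(name) do
    %{rows: rows} =
      SQL.query!(MyApp.Repo, "SELECT name, data FROM contents WHERE name = $1", [name])

    rows
  end

  # Interpolated: the input is spliced into the SQL text before the database
  # parses it. A quote character in the input closes the string literal and
  # whatever follows is read as SQL, which is the defect the parameter list
  # above prevents. Note the empty parameter list: there is nothing left to bind.
  def lookup_unsafe(name) do
    %{rows: rows} = SQL.query!(MyApp.Repo, unsafe_sql(name), [])
    rows
  end

  # Builds the interpolated statement without executing it, so a lesson can
  # show learners what the database actually receives for a given input.
  def unsafe_sql(name) do
    "SELECT name, data FROM contents WHERE name = '#{name}'"
  end
end
```

Calling `MyApp.Contents.unsafe_sql/1` with the input from the post shows the quote from the input terminating the `name` literal, while `lookup/1` always sends the unchanged `$1` statement with the input in the parameter list, which is exactly what the logged output in the post displays.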