CVE-2024-12894: Pdo Param Int Sqli

Binding unvalidated or unsanitized user input to a PDO statement using `PDO::PARAM_INT` can lead to SQL Injection. If emulated prepared statements are enabled, PDO may fail to quote the string input, treating it as an integer and injecting the payload dynamically into the query. Ensure that the input is properly cast to an integer (e.g., using `(int)` or `in

Provally Curated · Public repository · Medium · High confidence · Verified · Apache-2.0 · PHP · β
greprules fetch cve-2024-12894-pdo-param-int-sqli --engine opengrep
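The pattern this rule flags, and the fix its description asks for, as an added example that is not part of the rule page or the Provally rule set. The `users` table, the `findUserUnsafe`/`findUserSafe` names and the `$_GET['id']`-style input array are assumptions; SQLite in memory is used only so the file runs offline, whereas the unquoted-string behaviour the rule describes concerns drivers running with `PDO::ATTR_EMULATE_PREPARES` enabled (for example `pdo_mysql`).

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: a raw request string is bound as PDO::PARAM_INT.
// With emulated prepares on, the driver may splice the string into the SQL
// text as if it were a number, without quoting it.
function findUserUnsafe(PDO $pdo, array $query): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $query['id'] ?? '', PDO::PARAM_INT); // still a string
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened version: validate first, then bind a genuine PHP int.
function findUserSafe(PDO $pdo, array $query): ?array
{
    // FILTER_VALIDATE_INT returns false for anything that is not an integer
    // literal, so "1 OR 1=1"-style strings never reach the statement.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT); // bound value is now an int
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Connection hardening: disable emulation so parameters travel separately
// from the SQL text and are never interpolated client-side. (Assumed DSN;
// SQLite here only for an offline demo.)
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
    // Constructed sample data for the demo.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $pdo;
}

// Demo: a valid id resolves, a non-integer id is rejected before any SQL runs.
$pdo = connect();
var_dump(findUserSafe($pdo, ['id' => '2']));          // array(id => 2, name => 'bob')
try {
    findUserSafe($pdo, ['id' => '2 OR 1=1']);          // constructed malformed input
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The check to add to a code review or a custom rule is the same as the one the description gives: every value bound with `PDO::PARAM_INT` should be an `int` in PHP before it reaches `bindValue`/`bindParam` (cast with `(int)`, `intval()`, or validated with `filter_var(..., FILTER_VALIDATE_INT)`), and connections should set `PDO::ATTR_EMULATE_PREPARES` to `false` where the driver supports native prepares.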
