I have an application in PHP 5.3.29 and MySQL 5.6.35 which used SQLQUERY to execute the SQL statements; I changed them to use PDO and prepared statements. The problem is that when I analyze the application with ZAP 2.6.0 I can verify that the input parameters can still be altered. What I did was enable the MySQL general log and review all the queries that are executed in the database, so I could check what reached the database.

The code is:
    function cerrar_sesion($usuario) {
        // Connection settings come from the DB_* constants defined elsewhere in the application
        $pdo = new PDO("mysql:" . "host=" . DB_SERVIDOR . ";" . "dbname=" . DB_BASEDATOS, DB_USUARIO, DB_CLAVE);
        // Prepared statement with a named placeholder for the user id
        $query = $pdo->prepare('UPDATE ADMIN_USUARIO SET USERID=\' \' WHERE C_USUARIO= :usuario');
        $query->bindParam(':usuario', $usuario, PDO::PARAM_INT);
        $query->execute();
        $pdo = null;
    }
When reviewing the MySQL log, the altered $usuario parameter arrives (example: 54/2; I only sent 54 and ZAP added the /2, and this is what arrived at the database).

If you notice, the injection consisted of adding the "/2" to the parameter sent to the "C_USUARIO" field. Here are 3 lines recovered from the MySQL log:

    227726 Query UPDATE ADMIN_USUARIO SET USERID = '' WHERE C_USUARIO = '54 / 2 '
    227730 Query UPDATE ADMIN_USUARIO SET USERID = '' WHERE C_USUARIO = '108/2'
    227732 Query UPDATE ADMIN_USUARIO SET USERID = '' WHERE C_USUARIO = '108/2'

All this despite using PDO and prepare, and still the injection comes.
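A hardened version of the function above, as an added example that is not the question's code, assuming the same DB_* constants and ADMIN_USUARIO table: it rejects anything that is not a plain integer before any query is built, and turns off PDO's emulated prepares so the statement and the parameter travel to the server separately instead of as one client-interpolated string (which is the form the general log shows in emulation mode).

```php
<?php
// Added example, not from the question. Assumes the question's DB_* constants
// and the ADMIN_USUARIO table; uses array() syntax because PHP 5.3 has no [].

/**
 * Validate that $valor is a plain positive decimal integer id.
 * Values such as "54/2", "108/2", "" or "54abc" are rejected here,
 * so a tampered parameter never reaches the database at all.
 */
function validar_id_usuario($valor) {
    $id = filter_var($valor, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        throw new InvalidArgumentException('C_USUARIO must be a positive integer');
    }
    return $id; // a real PHP int, not a string that merely looks numeric
}

function cerrar_sesion($usuario) {
    $id = validar_id_usuario($usuario);

    $pdo = new PDO(
        'mysql:host=' . DB_SERVIDOR . ';dbname=' . DB_BASEDATOS,
        DB_USUARIO,
        DB_CLAVE,
        array(
            // Real server-side prepare: the SQL text is sent once and the
            // parameter is sent separately on execute. With the default
            // emulation, PDO quotes the value and interpolates it client-side.
            PDO::ATTR_EMULATE_PREPARES => false,
            // Fail loudly instead of silently continuing on a driver error
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        )
    );

    $query = $pdo->prepare(
        'UPDATE ADMIN_USUARIO SET USERID = \'\' WHERE C_USUARIO = :usuario'
    );
    // bindValue with an int and PARAM_INT: the declared type matches the value
    $query->bindValue(':usuario', $id, PDO::PARAM_INT);
    $query->execute();
    $rows = $query->rowCount();
    $pdo = null;
    return $rows; // number of rows updated, 0 if the id does not exist
}
```

With native prepares the general log records a Prepare entry for the statement text and an Execute entry for each run, so the value and the SQL are visible as separate steps when you review it.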