I was trying to execute the following code using redbeansphp(works on the top of php pdo). The issue is that when I pass a valid id in a format like - "id;DROP TABLE users;" , if the id matches any id in the database then the result is returned. Although the sql injection doesnt work. I tried other methods of injection as well. None of them works. But why is it so that I get the result even though the ID is incorrect. One more thing is that that if I add any code in front of the id then results don't come. Any help ?
$article = R::getAll( 'SELECT AVG(rating) FROM reviews WHERE id =?', array($Id));
//throwing an exception if the query is unsuccesful
if(!$article){
throw new Exception();
}
//response message
$arr=array('status' => 'successful', 'message' => 'Reviews found','Reviews'=> $article );
$app->response()->header('Content-Type', 'application/json');
$msg=json_encode($arr);
$app->response->body($msg );
After a lot of research and going through the redbeans file I came across this abs() function that was being used in the binding the parameters.It basically returns the absolute value to any "number" input. So if one enters abs("11;DROP TABLE users;"), the function converts it to 11.
So, this is the reason that even though an invalid input(with valid id preceeding it) is given, one gets a valid output without any sql injection.