Skip to content

fix(security): prevent SQL injection in nik_exists and password_exist… #1404

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vickyrolanda merged 3 commits into from
Jan 20, 2026
Merged

fix(security): prevent SQL injection in nik_exists and password_exist… #1404

vickyrolanda merged 3 commits into from
Jan 20, 2026
+15 −13

Conversation

@Revanza1106
Copy link

@Revanza1106 Revanza1106 commented Jan 19, 2026

Memperbaiki SQL Injection vulnerability pada validator custom nik_exists dan password_exists di AppServiceProvider.php.

🐛 Masalah

Terdapat SQL Injection vulnerability karena penggunaan whereRaw() dengan string concatenation:

```php
->whereRaw("tanggal_lahir = '" . $parameters[0] . "'")
->whereRaw("nik = '" . $parameters[0] . "'")
```

✅ Perbaikan

Mengganti whereRaw() dengan where() yang menggunakan parameter binding:

```php
->where('tanggal_lahir', $parameters[0])
->where('nik', $parameters[0])
```

📝 Perubahan

  • Menghapus `whereRaw()` yang vulnerable
  • Menggunakan parameter binding via `where()`
  • Menyederhanakan kode dengan menghapus if-else yang tidak perlu

🔗 Terkait

Fixes #1403

@vickyrolanda vickyrolanda added this to the M3 OpenDK 2602 milestone Jan 20, 2026
pandigresik
pandigresik approved these changes Jan 20, 2026
View reviewed changes
Copy link
Contributor

@pandigresik pandigresik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, sudah lolos test juga php artisan test tests/Feature/SistemKomplainControllerTest.php

image

@vickyrolanda vickyrolanda changed the base branch from master to dev January 20, 2026 09:25
@vickyrolanda vickyrolanda merged commit b312baa into OpenSID:dev Jan 20, 2026
@vickyrolanda vickyrolanda mentioned this pull request Jan 20, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pandigresik pandigresik pandigresik approved these changes

Assignees

@pandigresik pandigresik

Labels

T1

Projects

None yet

Milestone

M3 OpenDK 2602

Development

Successfully merging this pull request may close these issues.

Perbaikan SQL Injection di AppServiceProvider.php

3 participants

@Revanza1106 @pandigresik @vickyrolanda