bug 1138: Be more paranoid regarding database query parameters
authorBenny Baumann <BenBE@geshi.org>
Tue, 29 Apr 2014 21:43:46 +0000 (23:43 +0200)
committerBenny Baumann <BenBE@geshi.org>
Wed, 30 Apr 2014 18:18:55 +0000 (20:18 +0200)
includes/general.php
includes/loggedin.php

index a504d65..fcd094a 100644 (file)
 
         if(array_key_exists('profile',$_SESSION) && is_array($_SESSION['profile']) && array_key_exists('id',$_SESSION['profile']) && $_SESSION['profile']['id'] > 0)
        {
-               $locked = mysql_fetch_assoc(mysql_query("select `locked` from `users` where `id`='".$_SESSION['profile']['id']."'"));
+               $locked = mysql_fetch_assoc(mysql_query("select `locked` from `users` where `id`='".intval($_SESSION['profile']['id'])."'"));
                if($locked['locked'] == 0)
                {
-                       $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted` = 0 group by `to`";
+                       $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`";
                        $res = mysql_query($query);
                        $row = mysql_fetch_assoc($res);
                        $_SESSION['profile']['points'] = $row['total'];
                                        $dom = $bits[$i];
                                $_SESSION['_config']['row'] = "";
                                $dom = mysql_real_escape_string($dom);
-                               $query = "select * from domains where `memid`='".$_SESSION['profile']['id']."' and `domain` like '$dom' and `deleted`=0 and `hash`=''";
+                               $query = "select * from domains where `memid`='".intval($_SESSION['profile']['id'])."' and `domain` like '$dom' and `deleted`=0 and `hash`=''";
                                $res = mysql_query($query);
                                if(mysql_num_rows($res) > 0)
                                {
                                        $dom = $bits[$i];
                                $_SESSION['_config']['altrow'] = "";
                                $dom = mysql_real_escape_string($dom);
-                               $query = "select * from domains where `memid`='".$_SESSION['profile']['id']."' and `domain` like '$dom' and `deleted`=0 and `hash`=''";
+                               $query = "select * from domains where `memid`='".intval($_SESSION['profile']['id'])."' and `domain` like '$dom' and `deleted`=0 and `hash`=''";
                                $res = mysql_query($query);
                                if(mysql_num_rows($res) > 0)
                                {
                                $_SESSION['_config']['row'] = "";
                                $dom = mysql_real_escape_string($dom);
                                $query = "select *, `orginfo`.`id` as `id` from `orginfo`,`orgdomains`,`org` where
-                                               `org`.`memid`='".$_SESSION['profile']['id']."' and
+                                               `org`.`memid`='".intval($_SESSION['profile']['id'])."' and
                                                `org`.`orgid`=`orginfo`.`id` and
                                                `orgdomains`.`orgid`=`orginfo`.`id` and
                                                `orgdomains`.`domain`='$dom'";
                                $_SESSION['_config']['altrow'] = "";
                                $dom = mysql_real_escape_string($dom);
                                $query = "select * from `orginfo`,`orgdomains`,`org` where
-                                               `org`.`memid`='".$_SESSION['profile']['id']."' and
+                                               `org`.`memid`='".intval($_SESSION['profile']['id'])."' and
                                                `org`.`orgid`=`orginfo`.`id` and
                                                `orgdomains`.`orgid`=`orginfo`.`id` and
                                                `orgdomains`.`domain`='$dom'";
                                $dom = $bits[$i];
                        $dom = mysql_real_escape_string($dom);
                        $query = "select * from `org`,`orgdomains`,`orginfo`
-                                       where `org`.`memid`='".$_SESSION['profile']['id']."'
+                                       where `org`.`memid`='".intval($_SESSION['profile']['id'])."'
                                        and `orgdomains`.`orgid`=`org`.`orgid`
                                        and `orginfo`.`id`=`org`.`orgid`
                                        and `orgdomains`.`domain`='$dom'";
                $points = $row['points'];
 
                $dob = date("Y-m-d", mktime(0,0,0,date("m"),date("d"),date("Y")-18));
-               $query = "select * from `users` where `id`='".$_SESSION['profile']['id']."' and `dob` < '$dob'";
+               $query = "select * from `users` where `id`='".intval($_SESSION['profile']['id'])."' and `dob` < '$dob'";
                if(mysql_num_rows(mysql_query($query)) < 1)
                {
                        if($points >= 100)
 
                                        $line = mysql_real_escape_string(trim(strip_tags($line)));
                                        $query = "insert into `pinglog` set `when`=NOW(), `email`='$myemail', `result`='$line'";
-                                       if(is_array($_SESSION['profile'])) $query.=", `uid`='".$_SESSION['profile']['id']."'";
+                                       if(is_array($_SESSION['profile'])) $query.=", `uid`='".intval($_SESSION['profile']['id'])."'";
                                        mysql_query($query);
 
                                        if(substr($line, 0, 3) != "250")
                                }
                        }
                }
-               $query = "insert into `pinglog` set `when`=NOW(), `uid`='".$_SESSION['profile']['id']."',
+               $query = "insert into `pinglog` set `when`=NOW(), `uid`='".intval($_SESSION['profile']['id'])."',
                                `email`='$myemail', `result`='Failed to make a connection to the mail server'";
                mysql_query($query);
                return _("Failed to make a connection to the mail server");
index 46f0659..33e834b 100644 (file)
@@ -43,7 +43,7 @@
                        //session_unregister($key);
                }
 
-               $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='$uid'"));
+               $_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($uid)."'"));
                if($_SESSION['profile']['locked'] == 0)
                        $_SESSION['profile']['loggedin'] = 1;
                else
@@ -70,7 +70,7 @@
                        }
 
                        $_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
-                                       "select * from `users` where `id`='".$user_id."'"));
+                                       "select * from `users` where `id`='".intval($user_id)."'"));
                        if($_SESSION['profile']['locked'] == 0)
                                $_SESSION['profile']['loggedin'] = 1;
                        else
 
        if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && $_SESSION['profile']['id'] > 0 && $_SESSION['profile']['loggedin'] > 0)
        {
-               $query = "select sum(`points`) as `total` from `notary` where `to`='".$_SESSION['profile']['id']."' and `deleted` = 0 group by `to`";
+               $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`";
                $res = mysql_query($query);
                $row = mysql_fetch_assoc($res);
                $_SESSION['profile']['points'] = $row['total'];
                if($_SESSION['profile']['language'] == "")
                {
                        $query = "update `users` set `language`='".L10n::get_translation()."'
-                                                       where `id`='".$_SESSION['profile']['id']."'";
+                                                       where `id`='".intval($_SESSION['profile']['id'])."'";
                        mysql_query($query);
                } else {
                        L10n::set_translation($_SESSION['profile']['language']);