From aa0789dc9a2eeb2f6087f2dd17a3fe94d15c0f07 Mon Sep 17 00:00:00 2001
From: Laurent Giovannoni <laurent.giovannoni@maarch.org>
Date: Wed, 21 Sep 2011 10:27:36 +0000
Subject: [PATCH] evo : SQL injection
---
core/trunk/core/class/class_db.php | 47 ++++------
core/trunk/core/class/class_history.php | 112 ++++++++++++------
2 files changed, 76 insertions(+), 83 deletions(-)
diff --git a/core/trunk/core/class/class_db.php b/core/trunk/core/class/class_db.php
index 96de604ffcb..2097cc49b8d 100644
--- a/core/trunk/core/class/class_db.php
+++ b/core/trunk/core/class/class_db.php
@@ -309,26 +309,13 @@ class dbquery extends functions
 * @param $sqlQuery string SQL query
 * @param $catchError bool In case of error, catch the error or not,
 * if not catched, the error is displayed (false by default)
+ * @param $noFilter bool true if you don't want to filter on ; and --
 */
- public function query($sqlQuery, $catchError = false)
+ public function query($sqlQuery, $catchError = false, $noFilter = false)
 {
- $canExecute = true;
- //exclude templates and history to the control
- $search = '#\b(?:templates|history)\b#i';
- preg_match($search, $sqlQuery, $out);
- if (isset($out[0])) {
- $count = count($out[0]);
- if ($count == 1) {
- $found = true;
- } else {
- $found = false;
- }
- } else {
- $found = false;
- }
-
- // if not a sql for history or templates, we looking for ; or -- in the sql query
- if (!$found) {
+ $canExecute = true;
+ // if filter, we looking for ; or -- in the sql query
+ if (!$noFilter) {
 $func = new functions();
 $sqlQuery = $func->wash_html($sqlQuery, '');
 $ctrl1 = array();
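Review bot: The new `$noFilter` parameter on `query()` lets any caller switch off the only injection control this method applies, and nothing here checks that the caller escaped the values it interpolated; the check it bypasses (per the comment, a search for `;` and `--` after `wash_html`) only catches stacked statements and comment truncation, so it is a weak denylist even when it stays on. The docblock should state the obligation that comes with the flag, e.g. `@param $noFilter bool true to skip the ; and -- check; the caller must then escape every interpolated value with protect_string_db() or bind parameters`. The filter block and the rest of `query()` continue outside the hunk.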
@@ -589,26 +576,30 @@ class dbquery extends functions
 // Query error
 if ($this->_sqlError == 3) {
- echo '- <b>' . _QUERY_ERROR . '</b> -<br /><br />';
+ $sqlErrorToView = '<b>' . _QUERY_ERROR . '</b><br />';
 if ($this->_databasetype == 'MYSQL') {
- echo _ERROR_NUM . @mysqli_errno($this->_sqlLink) . ' '
+ $sqlError .= _ERROR_NUM . @mysqli_errno($this->_sqlLink) . ' '
 . _HAS_JUST_OCCURED . ' :<br />';
- echo _MESSAGE . ' : ' . @mysqli_error($this->_sqlLink)
- . '<br />';
+ //$sqlError .= _MESSAGE . ' : ' . @mysqli_error($this->_sqlLink) . '<br />';
 } else if ($this->_databasetype == 'POSTGRESQL') {
 @pg_send_query($this->_sqlLink, $this->_debugQuery);
 $res = @pg_get_result($this->_sqlLink);
- echo @pg_result_error($res);
+ $sqlError .= @pg_result_error($res);
 } else if ($this->_databasetype == 'SQLSERVER') {
- echo @mssql_get_last_message();
+ $sqlError .= @mssql_get_last_message();
 } else if ($this->_databasetype == 'ORACLE') {
 $res = @oci_error($this->statement);
- echo $res['message'];
+ $sqlError .= $res['message'];
+ }
+ $_SESSION['error'] = $sqlErrorToView;
+ if ($_SESSION['config']['debug'] == 'true') {
+ echo $sqlError;
+ echo '<br/>' . _QUERY . ' : <textarea cols="70" rows="10">'
+ . $this->_debugQuery . '</textarea>';
+ exit();
 }
- echo '<br/>' . _QUERY . ' : <textarea cols="70" rows="10">'
- . $this->_debugQuery . '</textarea>';
 $trace->add("", 0, "QUERY", _QUERY_DB_FAILED." : ".$this->_debugQuery, $_SESSION['config']['databasetype'], "database", true, _KO, _LEVEL_ERROR);
- exit();
+ //exit();
 }
 // Closing connexion error
diff --git a/core/trunk/core/class/class_history.php b/core/trunk/core/class/class_history.php
index 305c2347d6d..898206529f2 100644
--- a/core/trunk/core/class/class_history.php
+++ b/core/trunk/core/class/class_history.php
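Review bot: `$sqlError` is appended with `.=` in every driver branch but is never initialized — only `$sqlErrorToView` gets an initial value — so the first `.=` runs on an undefined variable, which PHP reports as a notice. Initialize both on the first added line: `$sqlErrorToView = '<b>' . _QUERY_ERROR . '</b><br />'; $sqlError = '';`. Keeping the driver message and the query text out of `$_SESSION['error']` and echoing them only when `$_SESSION['config']['debug']` is on is the right direction, since those messages reveal query text and schema names to the end user. With `exit()` commented out, a failed query appears to return control to the caller when debug is off, so callers need to check the result; the return path is outside this hunk.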
@@ -38,37 +38,37 @@
 */
 class history extends dbquery
 {
- /**
- * Inserts a record in the history table
- *
- * @param $where string Table or view of the event
- * @param $id integer Identifier of the event to add
- * @param $how string Event type (Keyword)
- * @param $what string Event description
- * @param $databasetype string Type of the database (MYSQL, POSTGRESQL, etc...)
- * @param $id_module string Identifier of the module concerned by the event (admin by default)
- */
- public function add($where, $id, $how, $what, $databasetype, $id_module ="admin", $isTech = false, $result = _OK, $level = _LEVEL_INFO, $user="")
- {
- if($databasetype == "SQLSERVER")
- {
- $date_now = "getdate()";
- }
- else if($databasetype == "MYSQL" || $databasetype == "POSTGRESQL" )
- {
- $date_now = "now()";
- }
- elseif($databasetype == "ORACLE")
- {
- $date_now = "SYSDATE";
- }
- $remote_ip = $_SERVER['REMOTE_ADDR'];
- $what = $this->protect_string_db($what, $databasetype);
+ /**
+ * Inserts a record in the history table
+ *
+ * @param $where string Table or view of the event
+ * @param $id integer Identifier of the event to add
+ * @param $how string Event type (Keyword)
+ * @param $what string Event description
+ * @param $databasetype string Type of the database (MYSQL, POSTGRESQL, etc...)
+ * @param $id_module string Identifier of the module concerned by the event (admin by default)
+ */
+ public function add($where, $id, $how, $what, $databasetype, $id_module ="admin", $isTech = false, $result = _OK, $level = _LEVEL_INFO, $user="")
+ {
+ if($databasetype == "SQLSERVER")
+ {
+ $date_now = "getdate()";
+ }
+ else if($databasetype == "MYSQL" || $databasetype == "POSTGRESQL" )
+ {
+ $date_now = "now()";
+ }
+ elseif($databasetype == "ORACLE")
+ {
+ $date_now = "SYSDATE";
+ }
+ $remote_ip = $_SERVER['REMOTE_ADDR'];
+ $what = $this->protect_string_db($what, $databasetype);
 //$what = $this->protect_string_db($what);
- $user = '';
- if(isset($_SESSION['user']['UserId'])) {
- $user = $_SESSION['user']['UserId'];
- }
+ $user = '';
+ if(isset($_SESSION['user']['UserId'])) {
+ $user = $_SESSION['user']['UserId'];
+ }
 if (!$isTech) {
 $this->connect();
 $this->query(
@@ -77,36 +77,38 @@ class history extends dbquery
 . "info , id_module, remote_ip) VALUES ('".$where."', '".$id."', '"
 .$how."', '".$user."', ".$date_now.", '".$what."', '".$id_module
 ."' , '".$remote_ip."')"
+ , false
+ , true
 );
 $this->disconnect();
 } else {
 //write on a log
 }
- }
+ }
- /**
- * Gets the label of an history keyword
- *
- * @param $id string Key word identifier
- * @return string Label of the key word or empty string
- */
- public function get_label_history_keyword($id)
- {
- if(empty($id))
- {
- return '';
- }
- else
- {
- for($i=0; $i<count($_SESSION['history_keywords']);$i++)
- {
- if($id == $_SESSION['history_keywords'][$i]['id'])
- {
- return $_SESSION['history_keywords'][$i]['label'];
- }
- }
- }
- return '';
- }
+ /**
+ * Gets the label of an history keyword
+ *
+ * @param $id string Key word identifier
+ * @return string Label of the key word or empty string
+ */
+ public function get_label_history_keyword($id)
+ {
+ if(empty($id))
+ {
+ return '';
+ }
+ else
+ {
+ for($i=0; $i<count($_SESSION['history_keywords']);$i++)
+ {
+ if($id == $_SESSION['history_keywords'][$i]['id'])
+ {
+ return $_SESSION['history_keywords'][$i]['label'];
+ }
+ }
+ }
+ return '';
+ }
 }
 ?>
-- GitLab
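Review bot: Passing `true` as `$noFilter` here disables the `;`/`--` check for an INSERT whose values are still concatenated into the SQL string, and only `$what` was passed through `protect_string_db()` (in the part of `add()` that starts in the previous hunk); `$where`, `$id`, `$how`, `$id_module` and the session-derived `$user` are interpolated as-is, so a quote character in any of them now reaches the database unchecked. Escape each of them before the query the same way `$what` is handled — `$where = $this->protect_string_db($where, $databasetype);` and likewise for `$id`, `$how`, `$id_module` and `$user` — or better, bind them as parameters. `$remote_ip`, taken from `$_SERVER['REMOTE_ADDR']`, should go through the same escaping for consistency.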