Revision: 3359
http://limesurvey.svn.sourceforge.net/limesurvey/?rev=3359&view=rev
Author: lemeur
Date: 2007-10-08 13:09:46 -0700 (Mon, 08 Oct 2007)
Log Message:
-----------
More Fix for #1272: SQL injection point when checking tokens
Modified Paths:
--------------
source/stable_plus/index.php
Modified: source/stable_plus/index.php
===================================================================
--- source/stable_plus/index.php 2007-10-08 18:55:12 UTC (rev 3358)
+++ source/stable_plus/index.php 2007-10-08 20:09:46 UTC (rev 3359)
@@ -450,7 +450,7 @@
function getTokenData($surveyid, $token)
{
global $dbprefix, $connect;
- $query = "SELECT * FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='$token'";
+ $query = "SELECT * FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".db_quote($token)."'";
$result = db_execute_assoc($query) or die("Couldn't get token info in getTokenData()<br />".$query."<br />".htmlspecialchars($connect->ErrorMsg()));
while($row=$result->FetchRow())
{
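Review bot: The `die()` on the `db_execute_assoc($query)` line still prints the raw `$query` into the HTML response; only the `ErrorMsg()` part goes through `htmlspecialchars()`. The query text contains `$token`, which is presumably request-supplied, so a failing query echoes that value unescaped and also shows the table name and SQL to the visitor. The same pattern is on the `$utquery` `die()` in the second hunk and the "Couldn't get tokens" `die()` in the last hunk. I would log the query server-side and show a generic message, or at minimum use `htmlspecialchars($query)` in the message. The body of getTokenData continues past the end of this hunk.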
@@ -902,12 +902,12 @@
{
$utquery .= "SET completed='Y'\n";
}
- $utquery .= "WHERE token='{$_POST['token']}'";
+ $utquery .= "WHERE token='".db_quote($_POST['token'])."'";
$utresult = $connect->Execute($utquery) or die ("Couldn't update tokens table!<br />\n$utquery<br />\n".htmlspecialchars($connect->ErrorMsg()));
// TLR change to put date into sent and completed
- $cnfquery = "SELECT * FROM ".db_table_name("tokens_$surveyid")." WHERE token='{$_POST['token']}' AND completed!='N' AND completed!=''";
+ $cnfquery = "SELECT * FROM ".db_table_name("tokens_$surveyid")." WHERE token='".db_quote($_POST['token'])."' AND completed!='N' AND completed!=''";
$cnfresult = db_execute_assoc($cnfquery);
while ($cnfrow = $cnfresult->FetchRow())
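Review bot: The `$utquery` and `$cnfquery` lines still build SQL by string concatenation, so safety depends on every call site remembering `db_quote()`; this being a second fix for #1272 suggests call sites are easy to miss. What `db_quote()` escapes is not visible here, and it has to match the database driver in use. If `$connect` is an ADOdb-style connection, as `Execute()`, `ErrorMsg()` and `FetchRow()` suggest, a bound parameter removes that dependency: `$utquery .= "WHERE token=?";` followed by `$connect->Execute($utquery, array($_POST['token']))`. The construction of `$utquery` starts before this hunk, so the rest of the statement should be checked for other interpolated values.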
@@ -1110,7 +1110,7 @@
elseif ($tokensexist == 1 && returnglobal('token'))
{
//check if token actually does exist
- $tkquery = "SELECT COUNT(*) FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".trim(returnglobal('token'))."' AND (completed = 'N' or completed='')";
+ $tkquery = "SELECT COUNT(*) FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".db_quote(trim(returnglobal('token')))."' AND (completed = 'N' or completed='')";
$tkresult = db_execute_num($tkquery);
list($tkexist) = $tkresult->FetchRow();
if (!$tkexist)
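Review bot: `$surveyid` is still concatenated into the table name in `db_table_name('tokens_'.$surveyid)`, and `db_quote()` cannot help there because it is an identifier, not a string value. Whether `$surveyid` is validated as numeric before this point is not visible in the hunk. If it can come from the request, it needs an integer check upstream or a cast at the use site, e.g. `db_table_name('tokens_'.(int)$surveyid)`, assuming survey ids are always integers. The same expression appears in the getTokenData query, the `$cnfquery` line and the `$tkquery2` line. The enclosing `elseif` block starts and ends outside the hunk.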
@@ -1146,7 +1146,7 @@
if (isset($_GET['token'])){
//get language from token (if one exists)
- $tkquery2 = "SELECT * FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".trim(returnglobal('token'))."' AND (completed = 'N' or completed='')";
+ $tkquery2 = "SELECT * FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".db_quote(trim(returnglobal('token')))."' AND (completed = 'N' or completed='')";
//echo $tkquery2;
$result = db_execute_assoc($tkquery2) or die ("Couldn't get tokens<br />$tkquery<br />".htmlspecialchars($connect->ErrorMsg()));
while ($rw = $result->FetchRow())
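Review bot: The `die()` message on the `db_execute_assoc($tkquery2)` line interpolates `$tkquery`, not `$tkquery2`, so on failure it reports a different query from the one that failed, or an undefined variable. It should reference the query that was run, escaped as `htmlspecialchars($tkquery2)`, or better be logged rather than shown. Separately, the block is guarded by `isset($_GET['token'])` but reads the value through `returnglobal('token')`; whether both always refer to the same input is not visible here. The block continues outside the hunk.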