Update of /cvsroot/php-blog/serendipity
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv12988
Modified Files:
serendipity_functions.inc.php
Log Message:
- Secure some more *POSSIBLY* bad SQL strings, by securing variables that must be integers
Index: serendipity_functions.inc.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/serendipity_functions.inc.php,v
retrieving revision 1.420
retrieving revision 1.421
diff -u -d -r1.420 -r1.421
--- serendipity_functions.inc.php 13 Sep 2004 20:06:26 -0000 1.420
+++ serendipity_functions.inc.php 13 Sep 2004 20:26:33 -0000 1.421
@@ -546,7 +546,7 @@
function serendipity_fetchCategoryRange($categoryid) {
global $serendipity;
- $res = serendipity_db_query("SELECT category_left, category_right FROM {$serendipity['dbPrefix']}category WHERE categoryid='{$categoryid}'");
+ $res = serendipity_db_query("SELECT category_left, category_right FROM {$serendipity['dbPrefix']}category WHERE categoryid='". (int)$categoryid ."'");
return array('category_left' => $res[0]['category_left'], 'category_right' => $res[0]['category_right']);
}
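Review bot: The result of the newly cast query is dereferenced as `$res[0]['category_left']` without checking that a row came back; a non-numeric `$categoryid` now collapses to `categoryid='0'`, which matches nothing, so the return line reads from an empty result and emits notices. A guard such as `if (!is_array($res) || !isset($res[0])) { return array('category_left' => null, 'category_right' => null); }` before the return would make the failure explicit. Other hunks in this commit (the `parentid` query) already test `is_array($result)` before iterating, so this would match the file's existing style.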
@@ -880,7 +880,7 @@
global $serendipity;
$right = $left + 1;
- $result = serendipity_db_query("SELECT categoryid FROM {$serendipity['dbPrefix']}category WHERE parentid='" . $parent . "'");
+ $result = serendipity_db_query("SELECT categoryid FROM {$serendipity['dbPrefix']}category WHERE parentid='" . (int)$parent . "'");
if ( is_array($result) ) {
foreach ( $result as $category ) {
$right = serendipity_rebuildCategoryTree($category['categoryid'], $right);
@@ -898,7 +898,7 @@
$where = '';
if (!empty($user)) {
- $where = 'WHERE authorid = ' . serendipity_db_escape_string($user);
+ $where = "WHERE authorid = '" . (int)$user ."'";
}
$querystring = "SELECT * FROM {$serendipity['dbPrefix']}authors $where ORDER BY username ASC";
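Review bot: Replacing `serendipity_db_escape_string($user)` with `(int)$user` changes behaviour for non-numeric values: `!empty($user)` still passes for a string like `'john'`, but the cast yields `authorid = '0'`, so the filter silently matches no author instead of the previous string comparison. If callers only ever pass numeric ids this is fine, but the guard would be clearer as `if ((int)$user > 0) {` so the intent (integer id, zero means no filter) is visible. The enclosing function starts outside this hunk, so I cannot see where `$user` originates.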
@@ -1215,7 +1215,7 @@
$label = $entry['comments'] == 1 ? COMMENT : COMMENTS;
if ($serendipity['enablePopup']) {
$uriExtra = ' onclick="window.open(this.href, \'comments\', \'width=480,height=480,scrollbars=yes\'); return false;"';
- $commentUri = $serendipity['serendipityHTTPPath'] . 'comment.php?serendipity[entry_id]=' . $entry['id'] . '&serendipity[type]=comments';
+ $commentUri = $serendipity['serendipityHTTPPath'] . 'comment.php?serendipity[entry_id]=' . (int)$entry['id'] . '&serendipity[type]=comments';
} else {
$uriExtra = '';
$commentUri = $entryLink .'#comments';
@@ -1229,7 +1229,7 @@
$label = $entry['trackbacks'] == 1 ? TRACKBACK : TRACKBACKS;
if ($serendipity['enablePopup']) {
$uriExtra = ' onclick="window.open(this.href, \'comments\', \'width=480,height=480,scrollbars=yes\'); return false;"';
- $trackbackUri = $serendipity['serendipityHTTPPath'] . 'comment.php?serendipity[entry_id]=' . $entry['id'] . '&serendipity[type]=trackbacks';
+ $trackbackUri = $serendipity['serendipityHTTPPath'] . 'comment.php?serendipity[entry_id]=' . (int)$entry['id'] . '&serendipity[type]=trackbacks';
} else {
$uriExtra = '';
$trackbackUri = $entryLink .'#trackbacks';
@@ -1255,7 +1255,7 @@
xmlns:dc="http://purl.org/dc/elements/1.1/">
<rdf:Description
rdf:about="<?php echo $serendipity['baseURL'] . ($serendipity['rewrite'] == 'none' ? $serendipity['indexFile'] . '?/' : ''); ?>feeds/ei_<?php echo $entry['id']; ?>.rdf"
- trackback:ping="<?php echo $serendipity['baseURL']; ?>comment.php?type=trackback&entry_id=<?php echo $entry['id']; ?>"
+ trackback:ping="<?php echo $serendipity['baseURL']; ?>comment.php?type=trackback&entry_id=<?php echo (int)$entry['id']; ?>"
dc:title="<?php echo htmlspecialchars($entry['title']); ?>"
dc:identifier="<?php echo serendipity_archiveURL($entry['id'], $entry['title'], 'baseURL'); ?>" />
</rdf:RDF>
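Review bot: The `rdf:about` attribute on the line above the changed one still emits `$entry['id']` uncast, while `trackback:ping` now casts it; for consistency with the commit's intent it should read `feeds/ei_<?php echo (int)$entry['id']; ?>.rdf`. Separately, the literal `&` inside the `trackback:ping` attribute value is not escaped as `&amp;`, so if any consumer parses this RDF block as XML it is not well-formed; that predates this commit but the changed line reproduces it. The `<rdf:RDF>` opening tag is outside this hunk.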
@@ -1296,7 +1296,7 @@
if (!$serendipity['enablePopup']) {
- $tbu = $serendipity['baseURL'] . 'comment.php?type=trackback&entry_id=' . $entry['id'];
+ $tbu = $serendipity['baseURL'] . 'comment.php?type=trackback&entry_id=' . (int)$entry['id'];
?>
<div class="serendipity_comments">
<br />
@@ -1429,14 +1429,14 @@
if ($_SESSION['serendipityAuthedUser'] === true) {
$admin = '';
if ($_SESSION['serendipityUserlevel'] < USERLEVEL_CHIEF) {
- $admin = ' AND authorid = ' . $_SESSION['serendipityAuthorid'];
+ $admin = " AND authorid = " . (int)$_SESSION['serendipityAuthorid'] ."'";
}
- $query = "DELETE FROM {$serendipity['dbPrefix']}comments WHERE entry_id = $entry_id AND id = $id $admin";
+ $query = "DELETE FROM {$serendipity['dbPrefix']}comments WHERE entry_id = '". (int)$entry_id ."' AND id = '". (int)$id ."' $admin";
serendipity_db_query($query);
$affected = serendipity_db_affected_rows();
- $query = "UPDATE {$serendipity['dbPrefix']}entries SET $type = $type-1 WHERE id = $entry_id $admin";
+ $query = "UPDATE {$serendipity['dbPrefix']}entries SET $type = $type-1 WHERE id = '". (int)$entry_id ."' $admin";
serendipity_db_query($query);
return $affected;
} else {
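Review bot: The rewritten `$admin` string in this hunk is missing its opening quote: `" AND authorid = " . (int)... ."'"` produces `AND authorid = 5'`, which is a SQL syntax error, so comment deletion by non-chief users breaks entirely. It should match the form used in the next hunk: `$admin = " AND authorid = '" . (int)$_SESSION['serendipityAuthorid'] . "'";`. Also, `$type` is interpolated directly into `SET $type = $type-1`; its origin is outside this hunk, so if it is not already restricted to a fixed set of column names it should be validated against an allowlist before reaching the query (the same applies to `$field` in the `$field=$field+1` hunk further down). The enclosing function starts outside this hunk.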
@@ -1450,10 +1450,10 @@
if ($_SESSION['serendipityAuthedUser'] === true) {
$admin = '';
if ($_SESSION['serendipityUserlevel'] < USERLEVEL_CHIEF) {
- $admin = ' AND authorid = ' . $_SESSION['serendipityAuthorid'];
+ $admin = " AND authorid = '" . (int)$_SESSION['serendipityAuthorid'] ."'";
}
- $query = "UPDATE {$serendipity['dbPrefix']}entries SET allow_comments = '" . ($switch == 'disable' ? 'false' : 'true') . "' WHERE id = $entry_id $admin";
+ $query = "UPDATE {$serendipity['dbPrefix']}entries SET allow_comments = '" . ($switch == 'disable' ? 'false' : 'true') . "' WHERE id = '". (int)$entry_id ."' $admin";
serendipity_db_query($query);
header('Location: '. $_SERVER['HTTP_REFERER']);
} else {
@@ -1473,7 +1473,7 @@
}
if (!empty($id)) {
- $and .= ' AND co.entry_id=' . $id;
+ $and .= ' AND co.entry_id=' . (int)$id;
}
if (!$showAll) {
@@ -1526,7 +1526,7 @@
$and = "AND status = 'approved'";
}
- $query = "SELECT * FROM {$serendipity['dbPrefix']}comments WHERE entry_id=$id AND type = 'TRACKBACK' $and ORDER BY id";
+ $query = "SELECT * FROM {$serendipity['dbPrefix']}comments WHERE entry_id = '". (int)$id ."' AND type = 'TRACKBACK' $and ORDER BY id";
if (isset($limit)) {
$limit = serendipity_db_limit_sql($limit);
$query .= " $limit";
@@ -1706,7 +1706,7 @@
FROM {$serendipity['dbPrefix']}comments c
LEFT JOIN {$serendipity['dbPrefix']}entries e ON (e.id = c.entry_id)
LEFT JOIN {$serendipity['dbPrefix']}authors a ON (e.authorid = a.authorid)
- WHERE c.id = ". $cid ."
+ WHERE c.id = ". (int)$cid ."
". (($serendipity['serendipityUserlevel'] != USERLEVEL_ADMIN && $force !== true) ? 'AND e.authorid = '. $serendipity['authorId'] : '') ."
". (($force === true) ? "" : "AND status = 'pending'");
$rs = serendipity_db_query($sql, true);
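Review bot: `$serendipity['authorId']` on the line after the changed `c.id` clause is still concatenated uncast, which is exactly the class of value this commit sets out to secure; it should be `'AND e.authorid = ' . (int)$serendipity['authorId']`. Note also the key is spelled `authorId` here but `authorid` in the entry-deletion hunk below (`$result[1] != $serendipity['authorid']`); PHP array keys are case-sensitive, so one of the two likely reads an unset key and should be confirmed. The `$sql` assignment begins before this hunk.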
@@ -1729,7 +1729,7 @@
$lm = (int)$rs['entry_last_modified'];
}
- $query = "UPDATE {$serendipity['dbPrefix']}entries SET $field=$field+1, last_modified=". $lm ." WHERE id='$entry_id'";
+ $query = "UPDATE {$serendipity['dbPrefix']}entries SET $field=$field+1, last_modified=". $lm ." WHERE id='". (int)$entry_id ."'";
serendipity_db_query($query);
if ($serendipity['allowSubscriptions']) {
@@ -1741,7 +1741,7 @@
function serendipity_saveComment($id, $commentInfo, $type = 'NORMAL') {
global $serendipity;
- $query = "SELECT allow_comments, moderate_comments, last_modified, timestamp FROM {$serendipity['dbPrefix']}entries WHERE id = '$id'";
+ $query = "SELECT allow_comments, moderate_comments, last_modified, timestamp FROM {$serendipity['dbPrefix']}entries WHERE id = '". (int)$id ."'";
$ca = serendipity_db_query($query, true);
serendipity_plugin_api::hook_event('frontend_saveComment', $ca, $commentInfo);
@@ -1771,7 +1771,7 @@
$query = "SELECT a.email, e.title, a.mail_comments, a.mail_trackbacks, e.moderate_comments
FROM {$serendipity['dbPrefix']}entries e, {$serendipity['dbPrefix']}authors a
- WHERE e.id = '$id'
+ WHERE e.id = '". (int)$id ."'
AND e.authorid = a.authorid";
$row = serendipity_db_query($query, true); // Get info on author/entry
@@ -1809,7 +1809,7 @@
$sql = "SELECT $pgsql_insert author, email, type
FROM {$serendipity['dbPrefix']}comments
- WHERE entry_id = $entry_id
+ WHERE entry_id = ". (int)$entry_id ."
AND email <> '$posterMail'
AND subscribed = 'true' $mysql_insert";
$subscribers = serendipity_db_query($sql);
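Review bot: `$posterMail` is interpolated directly into `AND email <> '$posterMail'` on the line after the newly cast `entry_id`; its origin is outside this hunk, so unless the caller has already passed it through `serendipity_db_escape_string` this query still embeds an unescaped user-supplied string. The same applies to `$email` in the unsubscribe `UPDATE` hunk (`AND email = '$email'`), where the value appears to come from the `unsubscribe/<email>/<entry_id>` URL built in the surrounding hunks. If not already escaped upstream, the line would read `AND email <> '" . serendipity_db_escape_string($posterMail) . "'`. The `$sql` assignment begins before this hunk.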
@@ -1828,7 +1828,7 @@
$title,
$poster,
$entryURI,
- $serendipity['baseURL'] . ($serendipity['rewrite'] == 'none' ? $serendipity['indexFile'] . '?/' : '') . 'unsubscribe/' . urlencode($subscriber['email']) . '/' . $entry_id
+ $serendipity['baseURL'] . ($serendipity['rewrite'] == 'none' ? $serendipity['indexFile'] . '?/' : '') . 'unsubscribe/' . urlencode($subscriber['email']) . '/' . (int)$entry_id
);
} else {
$text = sprintf(
@@ -1839,7 +1839,7 @@
$title,
$poster,
$entryURI,
- $serendipity['baseURL'] . ($serendipity['rewrite'] == 'none' ? $serendipity['indexFile'] . '?/' : '') . 'unsubscribe/' . urlencode($subscriber['email']) . '/' . $entry_id
+ $serendipity['baseURL'] . ($serendipity['rewrite'] == 'none' ? $serendipity['indexFile'] . '?/' : '') . 'unsubscribe/' . urlencode($subscriber['email']) . '/' . (int)$entry_id
);
}
@@ -1851,7 +1851,7 @@
global $serendipity;
$sql = "UPDATE {$serendipity['dbPrefix']}comments
SET subscribed = 'false'
- WHERE entry_id = $entry_id
+ WHERE entry_id = '". (int)$entry_id ."'
AND email = '$email'";
serendipity_db_query($sql);
@@ -1922,7 +1922,7 @@
{
global $serendipity;
- $query = "SELECT name,link FROM {$serendipity['dbPrefix']}references WHERE entry_id='" . serendipity_db_escape_string($id) . "'";
+ $query = "SELECT name,link FROM {$serendipity['dbPrefix']}references WHERE entry_id='" . (int)$id . "'";
return serendipity_db_query($query);
}
@@ -2001,7 +2001,7 @@
// extract author information
if (empty($entry['email'])) {
- $query = "select email from {$serendipity['dbPrefix']}authors where username='{$entry['username']}'";
+ $query = "select email from {$serendipity['dbPrefix']}authors where username='". serendipity_db_escape_string($entry['username']) ."'";
$results = serendipity_db_query($query);
$entry['email'] = $results[0]['email'];
}
@@ -2499,7 +2499,7 @@
}
$query = "SELECT COUNT(id) FROM {$serendipity['dbPrefix']}references WHERE ";
- $query .= "entry_id=$tmpid AND link='" . serendipity_db_escape_string($locations[$i]) . "'";
+ $query .= "entry_id=". (int)$tmpid ." AND link='" . serendipity_db_escape_string($locations[$i]) . "'";
$row = serendipity_db_query($query, true, 'num');
if ($row[0] > 0) {
@@ -2657,7 +2657,7 @@
}
// Purge the daily/monthly entries so they can be rebuilt
- $result = serendipity_db_query("SELECT timestamp, authorid FROM {$serendipity['dbPrefix']}entries WHERE id=$id", true);
+ $result = serendipity_db_query("SELECT timestamp, authorid FROM {$serendipity['dbPrefix']}entries WHERE id=". (int)$id, true);
if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $result[1] != $serendipity['authorid']) {
// Only admins and chief users can delete entries which do not belong to the author
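Review bot: The authorship check reads `$result[1]` from a query run with `true` as the second argument, but elsewhere in this diff that call form is used with an associative row (`$rs['entry_last_modified']`) and the numeric-index case passes `'num'` explicitly; if the default mode is associative, `$result[1]` is unset here and the comparison becomes `null != $serendipity['authorid']`, which would make the ownership branch fire for every non-chief user. I would expect `$result['authorid']` (or adding the `'num'` argument), and the `authorid`/`authorId` key spelling should be checked against the comment-fetch hunk above. The enclosing function starts outside this hunk.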
@@ -3249,7 +3249,7 @@
$url_parts['port'],
$url_parts['path'],
$url_parts['query'],
- ($entry_id != 0) ? "AND entry_id = '$entry_id'" : ''
+ ($entry_id != 0) ? "AND entry_id = '". (int)$entry_id ."'" : ''
)
);
@@ -3567,7 +3567,7 @@
// Replace default configuration directives with user-relevant data
$rows = serendipity_db_query("SELECT name,value
FROM {$serendipity['dbPrefix']}config
- WHERE authorid = $author");
+ WHERE authorid = '". (int)$author ."'");
} else {
// Only get default variables, user-independent (frontend)
$rows = serendipity_db_query("SELECT name,value