r1249: Fixed potential SQL injections via a POST attack on search.php

diff --git a/docs/changes.txt b/docs/changes.txt
index 16c75fbda8abd619c5bcff6b328b0aa4095be7b2..f484d8104e5e36ab7545b24fa17c9da5e391bea6 100644 (file)
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -1,6 +1,7 @@
 1.1.2
 ===============================
 - Fixed a SQL injection on login.php (http://www.bluestatic.org/bugs/showreport.php?bugid=36)
+- Fixed potential SQL injections on search.php
 
 1.1.1
 ===============================

diff --git a/search.php b/search.php
index 75855b60fe52c4b4256467f000cf9cd2a4bde3b0..dc9df7e320fd6f8fe22ba18338118d5862ad24c1 100644 (file)
--- a/search.php
+++ b/search.php
@@ -2,7 +2,7 @@
 /*=====================================================================*\
 || ###################################################################
 || # Bugdar [#]version[#]
-|| # Copyright ©2002-[#]year[#] Blue Static
+|| # Copyright 2002-[#]year[#] Blue Static
 || #
 || # This program is free software; you can redistribute it and/or modify
 || # it under the terms of the GNU General Public License as published by
@@ -110,7 +110,7 @@ if ($_REQUEST['do'] == 'process')
        {
                // force email or name?? make a distinction?
                // more elegant way to do this? probably
-               $user = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "user WHERE email LIKE '%" . str_replace('%', '\%', $bugsys->in['reporter']) . "' OR displayname LIKE '%" . str_replace('%', '\%', $bugsys->in['reporter']) . "%'");
+               $user = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "user WHERE email LIKE '%" . str_replace('%', '\%', $bugsys->input_escape('reporter')) . "' OR displayname LIKE '%" . str_replace('%', '\%', $bugsys->input_escape('reporter')) . "%'");
                if ($user['userid'])
                {
                        $querybuild['reporter'] = "AND bug.userid = $user[userid] OR comment.userid = $user[userid]";
@@ -138,35 +138,35 @@ if ($_REQUEST['do'] == 'process')
        if ($bugsys->in['severity'])
        {
                $bugsys->input_clean('severity', TYPE_UINT);
-               $querybuild['severity'] = "AND bug.severity IN (" . implode(',', $bugsys->in['severity']) . ")";
+               $querybuild['severity'] = "AND bug.severity IN (" . $bugsys->clean(implode(',', $bugsys->in['severity']), TYPE_UINT) . ")";
        }
        
        // priority
        if ($bugsys->in['priority'])
        {
                $bugsys->input_clean('priority', TYPE_UINT);
-               $querybuild['priority'] = "AND bug.priority IN (" . implode(',', $bugsys->in['priority']) . ")";
+               $querybuild['priority'] = "AND bug.priority IN (" . $bugsys->clean(implode(',', $bugsys->in['priority']), TYPE_UINT) . ")";
        }
        
        // status
        if ($bugsys->in['status'])
        {
                $bugsys->input_clean('status', TYPE_UINT);
-               $querybuild['status'] = "AND bug.status IN (" . implode(',', $bugsys->in['status']) . ")";
+               $querybuild['status'] = "AND bug.status IN (" . $bugsys->clean(implode(',', $bugsys->in['status']), TYPE_UINT) . ")";
        }
        
        // resolution
        if ($bugsys->in['resolution'])
        {
                $bugsys->input_clean('resolution', TYPE_UINT);
-               $querybuild['resolution'] = "AND bug.resolution IN (" . implode(',', $bugsys->in['resolution']) . ")";
+               $querybuild['resolution'] = "AND bug.resolution IN (" . $bugsys->clean(implode(',', $bugsys->in['resolution']), TYPE_UINT) . ")";
        }
        
        // assignment
        if ($bugsys->in['assignedto'])
        {
                $bugsys->input_clean('assignedto', TYPE_UINT);
-               $querybuild['assignedto'] = "AND bug.assignedto IN (" . implode(',', $bugsys->in['assignedto']) . ")";
+               $querybuild['assignedto'] = "AND bug.assignedto IN (" . $bugsys->clean(implode(',', $bugsys->in['assignedto']), TYPE_UINT) . ")";
        }
        
        // -------------------------------------------------------------------