From 86dca32ed4dd55abe5480dfa221a771ea65c6a22 Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Thu, 12 Oct 2006 18:45:17 +0000
Subject: [PATCH] r1249: Fixed potential SQL injections via a POST attack on search.php
---
docs/changes.txt | 1 +
search.php | 14 +++++++-------
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/docs/changes.txt b/docs/changes.txt
index 16c75fb..f484d81 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -1,6 +1,7 @@
 1.1.2
 ===============================
 - Fixed a SQL injection on login.php (http://www.bluestatic.org/bugs/showreport.php?bugid=36)
+- Fixed potential SQL injections on search.php
 1.1.1
 ===============================
diff --git a/search.php b/search.php
index 75855b6..dc9df7e 100644
--- a/search.php
+++ b/search.php
@@ -2,7 +2,7 @@
 /*=====================================================================*\
 || ###################################################################
 || # Bugdar [#]version[#]
-|| # Copyright ©2002-[#]year[#] Blue Static
+|| # Copyright 2002-[#]year[#] Blue Static
 || #
 || # This program is free software; you can redistribute it and/or modify
 || # it under the terms of the GNU General Public License as published by
@@ -110,7 +110,7 @@ if ($_REQUEST['do'] == 'process')
 {
 // force email or name?? make a distinction?
 // more elegant way to do this? probably
-$user = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "user WHERE email LIKE '%" . str_replace('%', '\%', $bugsys->in['reporter']) . "' OR displayname LIKE '%" . str_replace('%', '\%', $bugsys->in['reporter']) . "%'");
+$user = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "user WHERE email LIKE '%" . str_replace('%', '\%', $bugsys->input_escape('reporter')) . "' OR displayname LIKE '%" . str_replace('%', '\%', $bugsys->input_escape('reporter')) . "%'");
 if ($user['userid'])
 {
 $querybuild['reporter'] = "AND bug.userid = $user[userid] OR comment.userid = $user[userid]";
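Review bot: The escaping on the new `$user` query only neutralises `%`, so `_` (MySQL's single-character LIKE wildcard) in `reporter` still acts as a pattern metacharacter after `input_escape()`, which presumably only handles quotes and backslashes for the string literal; escape both LIKE wildcards once into a local and reuse it for the two clauses, e.g. `$reporter = str_replace(array('%', '_'), array('\%', '\_'), $bugsys->input_escape('reporter'));`. The `email LIKE '%…'` pattern also lacks the trailing `%` that `displayname` gets, which reads as unintentional — confirm whether a suffix-only match on email is what is wanted. Separately, the context line `$querybuild['reporter'] = "AND bug.userid = $user[userid] OR comment.userid = $user[userid]"` mixes AND and OR without parentheses, and since OR binds loosest the `comment.userid` branch could escape every other filter once the WHERE clause is assembled (that assembly is outside this hunk), so it should read `"AND (bug.userid = $user[userid] OR comment.userid = $user[userid])"`. The enclosing `if ($_REQUEST['do'] == 'process')` block and the `if ($user['userid'])` block both continue past the end of the hunk.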
@@ -138,35 +138,35 @@ if ($_REQUEST['do'] == 'process')
 if ($bugsys->in['severity'])
 {
 $bugsys->input_clean('severity', TYPE_UINT);
-$querybuild['severity'] = "AND bug.severity IN (" . implode(',', $bugsys->in['severity']) . ")";
+$querybuild['severity'] = "AND bug.severity IN (" . $bugsys->clean(implode(',', $bugsys->in['severity']), TYPE_UINT) . ")";
 }
 // priority
 if ($bugsys->in['priority'])
 {
 $bugsys->input_clean('priority', TYPE_UINT);
-$querybuild['priority'] = "AND bug.priority IN (" . implode(',', $bugsys->in['priority']) . ")";
+$querybuild['priority'] = "AND bug.priority IN (" . $bugsys->clean(implode(',', $bugsys->in['priority']), TYPE_UINT) . ")";
 }
 // status
 if ($bugsys->in['status'])
 {
 $bugsys->input_clean('status', TYPE_UINT);
-$querybuild['status'] = "AND bug.status IN (" . implode(',', $bugsys->in['status']) . ")";
+$querybuild['status'] = "AND bug.status IN (" . $bugsys->clean(implode(',', $bugsys->in['status']), TYPE_UINT) . ")";
 }
 // resolution
 if ($bugsys->in['resolution'])
 {
 $bugsys->input_clean('resolution', TYPE_UINT);
-$querybuild['resolution'] = "AND bug.resolution IN (" . implode(',', $bugsys->in['resolution']) . ")";
+$querybuild['resolution'] = "AND bug.resolution IN (" . $bugsys->clean(implode(',', $bugsys->in['resolution']), TYPE_UINT) . ")";
 }
 // assignment
 if ($bugsys->in['assignedto'])
 {
 $bugsys->input_clean('assignedto', TYPE_UINT);
-$querybuild['assignedto'] = "AND bug.assignedto IN (" . implode(',', $bugsys->in['assignedto']) . ")";
+$querybuild['assignedto'] = "AND bug.assignedto IN (" . $bugsys->clean(implode(',', $bugsys->in['assignedto']), TYPE_UINT) . ")";
 }
 // -------------------------------------------------------------------
-- 
2.22.5
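Review bot: Wrapping the already-joined list in `$bugsys->clean(…, TYPE_UINT)` on the new `$querybuild['severity']` line (and the four parallel lines below it) looks like it changes behaviour rather than just hardening it: if `TYPE_UINT` cleaning is an `intval()`-style cast, as the name suggests, a multi-select such as `1,2,3` collapses to `1` and every search silently filters on only the first selected value. Casting each element before joining keeps the list intact and makes the result independent of whether `input_clean()` already treats arrays element-wise (that helper is not visible here). A scalar value (e.g. from a hand-built query string) should also be coerced with `(array)` first, since `implode()` on a non-array in this PHP era warns and returns NULL, yielding an invalid `IN ()`. The enclosing `if ($_REQUEST['do'] == 'process')` block starts before this hunk and continues past it.
```php
if ($bugsys->in['severity'])
{
	// cast each selected value on its own; cleaning the joined string would truncate the list
	$severity = array_map('intval', (array)$bugsys->in['severity']);
	$querybuild['severity'] = "AND bug.severity IN (" . implode(',', $severity) . ")";
}
// … unchanged: the priority, status, resolution and assignedto blocks get the same rewrite …
```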