From 71506db48cf7551ddc4c458804fcc302b434cc58 Mon Sep 17 00:00:00 2001 From: cweiske Date: Sat, 16 Jan 2010 12:20:53 +0000 Subject: fix several sql injection possibilities git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@599 b3834d28-1941-0410-a4f8-b48e95affb8f --- doc/ChangeLog | 1 + src/SemanticScuttle/Service/Bookmark2Tag.php | 2 +- src/SemanticScuttle/Service/CommonDescription.php | 10 ++-- src/SemanticScuttle/Service/Tag.php | 20 +++---- src/SemanticScuttle/Service/Tag2Tag.php | 66 +++++++++++------------ src/SemanticScuttle/Service/TagCache.php | 38 ++++++------- 6 files changed, 69 insertions(+), 68 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index 3ea4b8a..084b2fc 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -10,6 +10,7 @@ ChangeLog for SemantiScuttle - Add config option to allow sorting by bookmark creation date instead of modification date - Fix bug #2887063: Common tag combination description feels broken +- Fix several SQL injection possibilities 0.95.1 - 2009-11-16 diff --git a/src/SemanticScuttle/Service/Bookmark2Tag.php b/src/SemanticScuttle/Service/Bookmark2Tag.php index 3b0f54c..8e5cb22 100644 --- a/src/SemanticScuttle/Service/Bookmark2Tag.php +++ b/src/SemanticScuttle/Service/Bookmark2Tag.php @@ -380,7 +380,7 @@ class SemanticScuttle_Service_Bookmark2Tag extends SemanticScuttle_DbService $privacy = ' AND B.bStatus = 0 '; } - $query = 'SELECT T.tag, COUNT(T.tag) AS bCount FROM '.$GLOBALS['tableprefix'].'bookmarks AS B LEFT JOIN '.$GLOBALS['tableprefix'].'bookmarks2tags AS T ON B.bId = T.bId WHERE B.bHash = "'. $hash .'" '. $privacy .'AND LEFT(T.tag, 7) <> "system:" GROUP BY T.tag ORDER BY bCount DESC'; + $query = 'SELECT T.tag, COUNT(T.tag) AS bCount FROM '.$GLOBALS['tableprefix'].'bookmarks AS B LEFT JOIN '.$GLOBALS['tableprefix'].'bookmarks2tags AS T ON B.bId = T.bId WHERE B.bHash = \''. $this->db->sql_escape($hash) .'\' '. $privacy .'AND LEFT(T.tag, 7) <> "system:" GROUP BY T.tag ORDER BY bCount DESC'; if (!($dbresult =& $this->db->sql_query_limit($query, $limit))) { message_die(GENERAL_ERROR, 'Could not get related tags for this hash', '', __LINE__, __FILE__, $query, $this->db); diff --git a/src/SemanticScuttle/Service/CommonDescription.php b/src/SemanticScuttle/Service/CommonDescription.php index 39c5826..0fffd32 100644 --- a/src/SemanticScuttle/Service/CommonDescription.php +++ b/src/SemanticScuttle/Service/CommonDescription.php @@ -76,7 +76,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic $query = "SELECT *"; $query.= " FROM `". $this->getTableName() ."`"; - $query.= " WHERE tag='".$tag."'"; + $query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "'"; $query.= " ORDER BY cdDatetime DESC"; if (!($dbresult = & $this->db->sql_query_limit($query, 1, 0))) { @@ -96,7 +96,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic function getAllTagsDescription($tag) { $query = "SELECT *"; $query.= " FROM `". $this->getTableName() ."`"; - $query.= " WHERE tag='".$tag."'"; + $query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "'"; $query.= " ORDER BY cdDatetime DESC"; if (!($dbresult = & $this->db->sql_query($query))) { @@ -112,7 +112,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic function getDescriptionById($cdId) { $query = "SELECT *"; $query.= " FROM `". $this->getTableName() ."`"; - $query.= " WHERE cdId='".$cdId."'"; + $query.= ' WHERE cdId=\'' . $this->db->sql_escape($cdId) . "'"; if (!($dbresult = & $this->db->sql_query($query))) { message_die(GENERAL_ERROR, 'Could not get tag descriptions', '', __LINE__, __FILE__, $query, $this->db); @@ -151,7 +151,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic function getLastBookmarkDescription($bHash) { $query = "SELECT *"; $query.= " FROM `". $this->getTableName() ."`"; - $query.= " WHERE bHash='".$bHash."'"; + $query.= ' WHERE bHash=\'' . $this->db->sql_escape($bHash) . "'"; $query.= " ORDER BY cdDatetime DESC"; if (!($dbresult = & $this->db->sql_query_limit($query, 1, 0))) { @@ -171,7 +171,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic function getAllBookmarksDescription($bHash) { $query = "SELECT *"; $query.= " FROM `". $this->getTableName() ."`"; - $query.= " WHERE bHash='".$bHash."'"; + $query.= ' WHERE bHash=\'' . $this->db->sql_escape($bHash) . "'"; $query.= " ORDER BY cdDatetime DESC"; if (!($dbresult = & $this->db->sql_query($query))) { diff --git a/src/SemanticScuttle/Service/Tag.php b/src/SemanticScuttle/Service/Tag.php index a6bb452..25d3888 100644 --- a/src/SemanticScuttle/Service/Tag.php +++ b/src/SemanticScuttle/Service/Tag.php @@ -51,8 +51,8 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService function getDescription($tag, $uId) { $query = 'SELECT tag, uId, tDescription'; $query.= ' FROM '.$this->getTableName(); - $query.= ' WHERE tag = "'.$tag.'"'; - $query.= ' AND uId = "'.$uId.'"'; + $query.= ' WHERE tag = \''. $this->db->sql_escape($tag) . "'"; + $query.= ' AND uId = ' . intval($uId); if (!($dbresult = & $this->db->sql_query($query))) { message_die(GENERAL_ERROR, 'Could not get tag description', '', __LINE__, __FILE__, $query, $this->db); @@ -71,8 +71,8 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService function existsDescription($tag, $uId) { $query = 'SELECT tag, uId, tDescription'; $query.= ' FROM '.$this->getTableName(); - $query.= ' WHERE tag = "'.$tag.'"'; - $query.= ' AND uId = "'.$uId.'"'; + $query.= ' WHERE tag = \'' . $this->db->sql_escape($tag) . "'"; + $query.= ' AND uId = "' . intval($uId) . '"'; if (!($dbresult = & $this->db->sql_query($query))) { message_die(GENERAL_ERROR, 'Could not get tag description', '', __LINE__, __FILE__, $query, $this->db); @@ -91,7 +91,7 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService function getAllDescriptions($tag) { $query = 'SELECT tag, uId, tDescription'; $query.= ' FROM '.$this->getTableName(); - $query.= ' WHERE tag = "'.$tag.'"'; + $query.= ' WHERE tag = \''. $this->db->sql_escape($tag) . "'"; if (!($dbresult = & $this->db->sql_query($query))) { message_die(GENERAL_ERROR, 'Could not get tag description', '', __LINE__, __FILE__, $query, $this->db); @@ -106,8 +106,8 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService function updateDescription($tag, $uId, $desc) { if($this->existsDescription($tag, $uId)) { $query = 'UPDATE '.$this->getTableName(); - $query.= ' SET tDescription="'.$this->db->sql_escape($desc).'"'; - $query.= ' WHERE tag="'.$tag.'" AND uId="'.$uId.'"'; + $query.= ' SET tDescription= \'' . $this->db->sql_escape($desc) . "'"; + $query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "' AND uId=" . intval($uId); } else { $values = array('tag'=>$tag, 'uId'=>$uId, 'tDescription'=>$desc); $query = 'INSERT INTO '. $this->getTableName() .' '. $this->db->sql_build_array('INSERT', $values); @@ -127,9 +127,9 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService $newname = $this->normalize($newName); $query = 'UPDATE `'. $this->getTableName() .'`'; - $query.= ' SET tag="'.$newName.'"'; - $query.= ' WHERE tag="'.$oldName.'"'; - $query.= ' AND uId="'.$uId.'"'; + $query.= ' SET tag=\'' . $this->db->sql_escape($newName) . "'"; + $query.= ' WHERE tag=\'' . $this->db->sql_escape($oldName) . "'"; + $query.= ' AND uId=' . intval($uId); $this->db->sql_query($query); return true; } diff --git a/src/SemanticScuttle/Service/Tag2Tag.php b/src/SemanticScuttle/Service/Tag2Tag.php index 13d1f80..8666209 100644 --- a/src/SemanticScuttle/Service/Tag2Tag.php +++ b/src/SemanticScuttle/Service/Tag2Tag.php @@ -127,19 +127,19 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService $query.= " FROM `". $this->getTableName() ."`"; $query.= " WHERE 1=1"; if($tag !=null) { - $query.= " AND ". $givenTag ." = '". $tag ."'"; + $query.= " AND ". $givenTag ." = '". $this->db->sql_escape($tag) ."'"; } if($relationType) { - $query.= " AND relationType = '". $relationType ."'"; + $query.= " AND relationType = '". $this->db->sql_escape($relationType) ."'"; } if(is_array($uId)) { $query.= " AND ( 1=0 "; //tricks always false foreach($uId as $u) { - $query.= " OR uId = '".$u."'"; + $query.= " OR uId = '".intval($u)."'"; } $query.= " ) "; } elseif($uId != null) { - $query.= " AND uId = '".$uId."'"; + $query.= " AND uId = '".intval($uId)."'"; } //die($query); if (! ($dbresult =& $this->db->sql_query($query)) ){ @@ -241,44 +241,44 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService } $query.= " WHERE tts.tag1 <> ALL"; $query.= " (SELECT DISTINCT tag2 FROM `". $this->getTableName() ."`"; - $query.= " WHERE relationType = '".$relationType."'"; + $query.= " WHERE relationType = '" . $this->db->sql_escape($relationType) . "'"; if($uId > 0) { - $query.= " AND uId = '".$uId."'"; + $query.= " AND uId = '".intval($uId)."'"; } $query.= ")"; if($uId > 0) { - $query.= " AND tts.uId = '".$uId."'"; + $query.= " AND tts.uId = '".intval($uId)."'"; } switch($orderBy) { case "nb": $query.= " AND tts.tag1 = tsts.tag1"; - $query.= " AND tsts.relationType = '".$relationType."'"; + $query.= " AND tsts.relationType = '" . $this->db->sql_escape($relationType) . "'"; if($uId > 0) { - $query.= " AND tsts.uId = ".$uId; + $query.= " AND tsts.uId = " . intval($uId); } $query.= " ORDER BY tsts.nb DESC"; break; case "depth": // by nb of descendants $query.= " AND tts.tag1 = tsts.tag1"; - $query.= " AND tsts.relationType = '".$relationType."'"; + $query.= " AND tsts.relationType = '" . $this->db->sql_escape($relationType) . "'"; if($uId > 0) { - $query.= " AND tsts.uId = ".$uId; + $query.= " AND tsts.uId = " . intval($uId); } $query.= " ORDER BY tsts.depth DESC"; break; case "nbupdate": $query.= " AND tts.tag1 = tsts.tag1"; - $query.= " AND tsts.relationType = '".$relationType."'"; + $query.= " AND tsts.relationType = '" . $this->db->sql_escape($relationType) . "'"; if($uId > 0) { - $query.= " AND tsts.uId = ".$uId; + $query.= " AND tsts.uId = " . intval($uId); } $query.= " ORDER BY tsts.nbupdate DESC"; break; } if($limit != null) { - $query.= " LIMIT 0,".$limit; + $query.= " LIMIT 0," . intval($limit); } if (! ($dbresult =& $this->db->sql_query($query)) ){ @@ -297,14 +297,14 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService // we don't use the getAllLinkedTags function in order to improve performance $query = "SELECT tag2 as 'tag', COUNT(tag2) as 'count'"; $query.= " FROM `". $this->getTableName() ."`"; - $query.= " WHERE tag1 = '".$GLOBALS['menuTag']."'"; + $query.= " WHERE tag1 = '" . $this->db->sql_escape($GLOBALS['menuTag']) . "'"; $query.= " AND relationType = '>'"; if($uId > 0) { - $query.= " AND uId = '".$uId."'"; + $query.= " AND uId = " . intval($uId); } $query.= " GROUP BY tag2"; $query.= " ORDER BY count DESC"; - $query.= " LIMIT 0, ".$GLOBALS['maxSizeMenuBlock']; + $query.= " LIMIT 0, " . intval($GLOBALS['maxSizeMenuBlock']); if (! ($dbresult =& $this->db->sql_query($query)) ){ message_die(GENERAL_ERROR, 'Could not get linked tags', '', __LINE__, __FILE__, $query, $this->db); @@ -323,10 +323,10 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService //$tag2 = mysql_real_escape_string($tag2); $query = "SELECT tag1, tag2, relationType, uId FROM `". $this->getTableName() ."`"; - $query.= " WHERE tag1 = '" .$tag1 ."'"; - $query.= " AND tag2 = '".$tag2."'"; - $query.= " AND relationType = '". $relationType ."'"; - $query.= " AND uId = '".$uId."'"; + $query.= " WHERE tag1 = '" . $this->db->sql_escape($tag1) . "'"; + $query.= " AND tag2 = '" . $this->db->sql_escape($tag2) . "'"; + $query.= " AND relationType = '" . $this->db->sql_escape($relationType) . "'"; + $query.= " AND uId = " . intval($uId); //echo($query."
\n"); @@ -340,7 +340,7 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService $query = "SELECT tag1, tag2, relationType, uId FROM `". $this->getTableName() ."`"; $query.= " WHERE 1=1"; if($uId > 0) { - $query.= " AND uId = '".$uId."'"; + $query.= " AND uId = " . intval($uId); } $dbres = $this->db->sql_query($query); @@ -357,10 +357,10 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService } $query = 'DELETE FROM '. $this->getTableName(); $query.= ' WHERE 1=1'; - $query.= strlen($tag1)>0 ? ' AND tag1 = "'. $tag1 .'"' : ''; - $query.= strlen($tag2)>0 ? ' AND tag2 = "'. $tag2 .'"' : ''; - $query.= strlen($relationType)>0 ? ' AND relationType = "'. $relationType .'"' : ''; - $query.= strlen($uId)>0 ? ' AND uId = "'. $uId .'"' : ''; + $query.= strlen($tag1)>0 ? ' AND tag1 = \''. $this->db->sql_escape($tag1) . "'" : ''; + $query.= strlen($tag2)>0 ? ' AND tag2 = \''. $this->db->sql_escape($tag2) . "'" : ''; + $query.= strlen($relationType)>0 ? ' AND relationType = \''. $this->db->sql_escape($relationType) . "'" : ''; + $query.= strlen($uId)>0 ? ' AND uId = '. intval($uId) : ''; if (!($dbresult =& $this->db->sql_query($query))) { message_die(GENERAL_ERROR, 'Could not remove tag relation', '', __LINE__, __FILE__, $query, $this->db); @@ -377,7 +377,7 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService function removeLinkedTagsForUser($uId) { $query = 'DELETE FROM '. $this->getTableName(); - $query.= ' WHERE uId = "'. $uId .'"'; + $query.= ' WHERE uId = '. intval($uId); if (!($dbresult =& $this->db->sql_query($query))) { message_die(GENERAL_ERROR, 'Could not remove tag relation', '', __LINE__, __FILE__, $query, $this->db); @@ -397,15 +397,15 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService $newName = $tagservice->normalize($newName); $query = 'UPDATE `'. $this->getTableName() .'`'; - $query.= ' SET tag1="'.$newName.'"'; - $query.= ' WHERE tag1="'.$oldName.'"'; - $query.= ' AND uId="'.$uId.'"'; + $query.= ' SET tag1=\'' . $this->db->sql_escape($newName) ."'"; + $query.= ' WHERE tag1=\'' . $this->db->sql_escape($oldName) . "'"; + $query.= ' AND uId=' . intval($uId); $this->db->sql_query($query); $query = 'UPDATE `'. $this->getTableName() .'`'; - $query.= ' SET tag2="'.$newName.'"'; - $query.= ' WHERE tag2="'.$oldName.'"'; - $query.= ' AND uId="'.$uId.'"'; + $query.= ' SET tag2=\'' . $this->db->sql_escape($newName) . "'"; + $query.= ' WHERE tag2=\'' . $this->db->sql_escape($oldName) . "'"; + $query.= ' AND uId=' . intval($uId); $this->db->sql_query($query); diff --git a/src/SemanticScuttle/Service/TagCache.php b/src/SemanticScuttle/Service/TagCache.php index 15644b6..b0ddfa6 100644 --- a/src/SemanticScuttle/Service/TagCache.php +++ b/src/SemanticScuttle/Service/TagCache.php @@ -68,8 +68,8 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService $query = "SELECT DISTINCT tag2 as 'tag'"; $query.= " FROM `". $this->getTableName() ."`"; $query.= " WHERE relationType = '>'"; - $query.= " AND tag1 = '".$tag1."'"; - $query.= " AND uId = '".$uId."'"; + $query.= " AND tag1 = '" . $this->db->sql_escape($tag1) . "'"; + $query.= " AND uId = " . intval($uId); //die($query); if (! ($dbresult =& $this->db->sql_query($query)) ){ @@ -117,10 +117,10 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService $query = 'DELETE FROM '. $this->getTableName(); $query.= ' WHERE 1=1'; - $query.= strlen($tag1)>0 ? ' AND tag1 = "'. $tag1 .'"' : ''; - $query.= strlen($tag2)>0 ? ' AND tag2 = "'. $tag2 .'"' : ''; + $query.= strlen($tag1)>0 ? ' AND tag1 = \''. $this->db->sql_escape($tag1) . "'" : ''; + $query.= strlen($tag2)>0 ? ' AND tag2 = \''. $this->db->sql_escape($tag2) . "'" : ''; $query.= ' AND relationType = ">"'; - $query.= strlen($uId)>0 ? ' AND uId = "'. $uId .'"' : ''; + $query.= strlen($uId)>0 ? ' AND uId = ' . intval($uId) : ''; if (!($dbresult =& $this->db->sql_query($query))) { message_die(GENERAL_ERROR, 'Could not remove tag cache inference', '', __LINE__, __FILE__, $query, $this->db); @@ -138,10 +138,10 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService $tag2 = $tagservice->normalize($tag2); $query = "SELECT tag1, tag2, relationType, uId FROM `". $this->getTableName() ."`"; - $query.= " WHERE tag1 = '" .$tag1 ."'"; - $query.= " AND tag2 = '".$tag2."'"; + $query.= " WHERE tag1 = '" . $this->db->sql_escape($tag1) . "'"; + $query.= " AND tag2 = '" . $this->db->sql_escape($tag2) . "'"; $query.= " AND relationType = '>'"; - $query.= " AND uId = '".$uId."'"; + $query.= " AND uId = " . intval($uId); //echo($query."
\n"); @@ -228,9 +228,9 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService function removeSynonymGroup($tag1, $uId) { $query = 'DELETE FROM '. $this->getTableName(); $query.= ' WHERE 1=1'; - $query.= ' AND tag1 = "'. $tag1 .'"'; + $query.= ' AND tag1 = \''. $this->db->sql_escape($tag1) . "'"; $query.= ' AND relationType = "="'; - $query.= ' AND uId = "'. $uId .'"'; + $query.= ' AND uId = ' . intval($uId); if (!($dbresult =& $this->db->sql_query($query))) { message_die(GENERAL_ERROR, 'Could not remove tag cache inference', '', __LINE__, __FILE__, $query, $this->db); @@ -243,9 +243,9 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService $tag1 = $tagservice->normalize($tag1); $query = "SELECT tag1 FROM `". $this->getTableName() ."`"; - $query.= " WHERE tag1 = '" .$tag1 ."'"; + $query.= " WHERE tag1 = '" . $this->db->sql_escape($tag1) ."'"; $query.= " AND relationType = '='"; - $query.= " AND uId = '".$uId."'"; + $query.= " AND uId = " . intval($uId); $dbres = $this->db->sql_query($query); $rows = $this->db->sql_numrows($dbres); @@ -258,9 +258,9 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService $tag2 = $tagservice->normalize($tag2); $query = "SELECT tag2 FROM `". $this->getTableName() ."`"; - $query.= " WHERE tag2 = '" .$tag2 ."'"; + $query.= " WHERE tag2 = '" . $this->db->sql_escape($tag2) . "'"; $query.= " AND relationType = '='"; - $query.= " AND uId = '".$uId."'"; + $query.= " AND uId = " . intval($uId); $dbres = $this->db->sql_query($query); $rows = $this->db->sql_numrows($dbres); @@ -291,8 +291,8 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService $query = "SELECT DISTINCT tag1 as 'tag'"; $query.= " FROM `". $this->getTableName() ."`"; $query.= " WHERE relationType = '='"; - $query.= " AND tag2 = '".$tag2."'"; - $query.= " AND uId = '".$uId."'"; + $query.= " AND tag2 = '" . $this->db->sql_escape($tag2) . "'"; + $query.= " AND uId = " . intval($uId); //die($query); if (! ($dbresult =& $this->db->sql_query($query)) ){ @@ -319,9 +319,9 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService $query = "SELECT DISTINCT tag2 as 'tag'"; $query.= " FROM `". $this->getTableName() ."`"; $query.= " WHERE relationType = '='"; - $query.= " AND tag1 = '".$tag1."'"; - $query.= " AND uId = '".$uId."'"; - $query.= $tagExcepted!=''?" AND tag2!='".$tagExcepted."'":""; + $query.= " AND tag1 = '" . $this->db->sql_escape($tag1) . "'"; + $query.= " AND uId = " . intval($uId); + $query.= $tagExcepted!=''?" AND tag2!='" . $this->db->sql_escape($tagExcepted) . "'" : ''; if (! ($dbresult =& $this->db->sql_query($query)) ){ message_die(GENERAL_ERROR, 'Could not get related tags', '', __LINE__, __FILE__, $query, $this->db); -- cgit v1.2.3