aliens/SemanticScuttle
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix several sql injection possibilities

Browse source 
git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@599 b3834d28-1941-0410-a4f8-b48e95affb8f
This commit is contained in:
cweiske 2010-01-16 12:20:53 +00:00
parent 180e5a0fc6
commit 71506db48c
6 changed files with 69 additions and 68 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
doc/ChangeLog
View file

@ -10,6 +10,7 @@ ChangeLog for SemantiScuttle
- Add config option to allow sorting by bookmark creation date
instead of modification date
- Fix bug #2887063: Common tag combination description feels broken
- Fix several SQL injection possibilities
0.95.1 - 2009-11-16

2
src/SemanticScuttle/Service/Bookmark2Tag.php
View file

@ -380,7 +380,7 @@ class SemanticScuttle_Service_Bookmark2Tag extends SemanticScuttle_DbService
$privacy = ' AND B.bStatus = 0 ';
}
$query = 'SELECT T.tag, COUNT(T.tag) AS bCount FROM '.$GLOBALS['tableprefix'].'bookmarks AS B LEFT JOIN '.$GLOBALS['tableprefix'].'bookmarks2tags AS T ON B.bId = T.bId WHERE B.bHash = "'. $hash .'" '. $privacy .'AND LEFT(T.tag, 7) <> "system:" GROUP BY T.tag ORDER BY bCount DESC';
$query = 'SELECT T.tag, COUNT(T.tag) AS bCount FROM '.$GLOBALS['tableprefix'].'bookmarks AS B LEFT JOIN '.$GLOBALS['tableprefix'].'bookmarks2tags AS T ON B.bId = T.bId WHERE B.bHash = \''. $this->db->sql_escape($hash) .'\' '. $privacy .'AND LEFT(T.tag, 7) <> "system:" GROUP BY T.tag ORDER BY bCount DESC';
if (!($dbresult =& $this->db->sql_query_limit($query, $limit))) {
message_die(GENERAL_ERROR, 'Could not get related tags for this hash', '', __LINE__, __FILE__, $query, $this->db);

10
src/SemanticScuttle/Service/CommonDescription.php
View file

@ -76,7 +76,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
$query = "SELECT *";
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE tag='".$tag."'";
$query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "'";
$query.= " ORDER BY cdDatetime DESC";
if (!($dbresult = & $this->db->sql_query_limit($query, 1, 0))) {
@ -96,7 +96,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
function getAllTagsDescription($tag) {
$query = "SELECT *";
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE tag='".$tag."'";
$query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "'";
$query.= " ORDER BY cdDatetime DESC";
if (!($dbresult = & $this->db->sql_query($query))) {
@ -112,7 +112,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
function getDescriptionById($cdId) {
$query = "SELECT *";
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE cdId='".$cdId."'";
$query.= ' WHERE cdId=\'' . $this->db->sql_escape($cdId) . "'";
if (!($dbresult = & $this->db->sql_query($query))) {
message_die(GENERAL_ERROR, 'Could not get tag descriptions', '', __LINE__, __FILE__, $query, $this->db);
@ -151,7 +151,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
function getLastBookmarkDescription($bHash) {
$query = "SELECT *";
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE bHash='".$bHash."'";
$query.= ' WHERE bHash=\'' . $this->db->sql_escape($bHash) . "'";
$query.= " ORDER BY cdDatetime DESC";
if (!($dbresult = & $this->db->sql_query_limit($query, 1, 0))) {
@ -171,7 +171,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
function getAllBookmarksDescription($bHash) {
$query = "SELECT *";
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE bHash='".$bHash."'";
$query.= ' WHERE bHash=\'' . $this->db->sql_escape($bHash) . "'";
$query.= " ORDER BY cdDatetime DESC";
if (!($dbresult = & $this->db->sql_query($query))) {

20
src/SemanticScuttle/Service/Tag.php
View file

@ -51,8 +51,8 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService
function getDescription($tag, $uId) {
$query = 'SELECT tag, uId, tDescription';
$query.= ' FROM '.$this->getTableName();
$query.= ' WHERE tag = "'.$tag.'"';
$query.= ' AND uId = "'.$uId.'"';
$query.= ' WHERE tag = \''. $this->db->sql_escape($tag) . "'";
$query.= ' AND uId = ' . intval($uId);
if (!($dbresult = & $this->db->sql_query($query))) {
message_die(GENERAL_ERROR, 'Could not get tag description', '', __LINE__, __FILE__, $query, $this->db);
@ -71,8 +71,8 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService
function existsDescription($tag, $uId) {
$query = 'SELECT tag, uId, tDescription';
$query.= ' FROM '.$this->getTableName();
$query.= ' WHERE tag = "'.$tag.'"';
$query.= ' AND uId = "'.$uId.'"';
$query.= ' WHERE tag = \'' . $this->db->sql_escape($tag) . "'";
$query.= ' AND uId = "' . intval($uId) . '"';
if (!($dbresult = & $this->db->sql_query($query))) {
message_die(GENERAL_ERROR, 'Could not get tag description', '', __LINE__, __FILE__, $query, $this->db);
@ -91,7 +91,7 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService
function getAllDescriptions($tag) {
$query = 'SELECT tag, uId, tDescription';
$query.= ' FROM '.$this->getTableName();
$query.= ' WHERE tag = "'.$tag.'"';
$query.= ' WHERE tag = \''. $this->db->sql_escape($tag) . "'";
if (!($dbresult = & $this->db->sql_query($query))) {
message_die(GENERAL_ERROR, 'Could not get tag description', '', __LINE__, __FILE__, $query, $this->db);
@ -106,8 +106,8 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService
function updateDescription($tag, $uId, $desc) {
if($this->existsDescription($tag, $uId)) {
$query = 'UPDATE '.$this->getTableName();
$query.= ' SET tDescription="'.$this->db->sql_escape($desc).'"';
$query.= ' WHERE tag="'.$tag.'" AND uId="'.$uId.'"';
$query.= ' SET tDescription= \'' . $this->db->sql_escape($desc) . "'";
$query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "' AND uId=" . intval($uId);
} else {
$values = array('tag'=>$tag, 'uId'=>$uId, 'tDescription'=>$desc);
$query = 'INSERT INTO '. $this->getTableName() .' '. $this->db->sql_build_array('INSERT', $values);
@ -127,9 +127,9 @@ class SemanticScuttle_Service_Tag extends SemanticScuttle_DbService
$newname = $this->normalize($newName);
$query = 'UPDATE `'. $this->getTableName() .'`';
$query.= ' SET tag="'.$newName.'"';
$query.= ' WHERE tag="'.$oldName.'"';
$query.= ' AND uId="'.$uId.'"';
$query.= ' SET tag=\'' . $this->db->sql_escape($newName) . "'";
$query.= ' WHERE tag=\'' . $this->db->sql_escape($oldName) . "'";
$query.= ' AND uId=' . intval($uId);
$this->db->sql_query($query);
return true;
}

66
src/SemanticScuttle/Service/Tag2Tag.php
View file

@ -127,19 +127,19 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE 1=1";
if($tag !=null) {
$query.= " AND ". $givenTag ." = '". $tag ."'";
$query.= " AND ". $givenTag ." = '". $this->db->sql_escape($tag) ."'";
}
if($relationType) {
$query.= " AND relationType = '". $relationType ."'";
$query.= " AND relationType = '". $this->db->sql_escape($relationType) ."'";
}
if(is_array($uId)) {
$query.= " AND ( 1=0 "; //tricks always false
foreach($uId as $u) {
$query.= " OR uId = '".$u."'";
$query.= " OR uId = '".intval($u)."'";
}
$query.= " ) ";
} elseif($uId != null) {
$query.= " AND uId = '".$uId."'";
$query.= " AND uId = '".intval($uId)."'";
}
//die($query);
if (! ($dbresult =& $this->db->sql_query($query)) ){
@ -241,44 +241,44 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService
}
$query.= " WHERE tts.tag1 <> ALL";
$query.= " (SELECT DISTINCT tag2 FROM `". $this->getTableName() ."`";
$query.= " WHERE relationType = '".$relationType."'";
$query.= " WHERE relationType = '" . $this->db->sql_escape($relationType) . "'";
if($uId > 0) {
$query.= " AND uId = '".$uId."'";
$query.= " AND uId = '".intval($uId)."'";
}
$query.= ")";
if($uId > 0) {
$query.= " AND tts.uId = '".$uId."'";
$query.= " AND tts.uId = '".intval($uId)."'";
}
switch($orderBy) {
case "nb":
$query.= " AND tts.tag1 = tsts.tag1";
$query.= " AND tsts.relationType = '".$relationType."'";
$query.= " AND tsts.relationType = '" . $this->db->sql_escape($relationType) . "'";
if($uId > 0) {
$query.= " AND tsts.uId = ".$uId;
$query.= " AND tsts.uId = " . intval($uId);
}
$query.= " ORDER BY tsts.nb DESC";
break;
case "depth": // by nb of descendants
$query.= " AND tts.tag1 = tsts.tag1";
$query.= " AND tsts.relationType = '".$relationType."'";
$query.= " AND tsts.relationType = '" . $this->db->sql_escape($relationType) . "'";
if($uId > 0) {
$query.= " AND tsts.uId = ".$uId;
$query.= " AND tsts.uId = " . intval($uId);
}
$query.= " ORDER BY tsts.depth DESC";
break;
case "nbupdate":
$query.= " AND tts.tag1 = tsts.tag1";
$query.= " AND tsts.relationType = '".$relationType."'";
$query.= " AND tsts.relationType = '" . $this->db->sql_escape($relationType) . "'";
if($uId > 0) {
$query.= " AND tsts.uId = ".$uId;
$query.= " AND tsts.uId = " . intval($uId);
}
$query.= " ORDER BY tsts.nbupdate DESC";
break;
}
if($limit != null) {
$query.= " LIMIT 0,".$limit;
$query.= " LIMIT 0," . intval($limit);
}
if (! ($dbresult =& $this->db->sql_query($query)) ){
@ -297,14 +297,14 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService
// we don't use the getAllLinkedTags function in order to improve performance
$query = "SELECT tag2 as 'tag', COUNT(tag2) as 'count'";
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE tag1 = '".$GLOBALS['menuTag']."'";
$query.= " WHERE tag1 = '" . $this->db->sql_escape($GLOBALS['menuTag']) . "'";
$query.= " AND relationType = '>'";
if($uId > 0) {
$query.= " AND uId = '".$uId."'";
$query.= " AND uId = " . intval($uId);
}
$query.= " GROUP BY tag2";
$query.= " ORDER BY count DESC";
$query.= " LIMIT 0, ".$GLOBALS['maxSizeMenuBlock'];
$query.= " LIMIT 0, " . intval($GLOBALS['maxSizeMenuBlock']);
if (! ($dbresult =& $this->db->sql_query($query)) ){
message_die(GENERAL_ERROR, 'Could not get linked tags', '', __LINE__, __FILE__, $query, $this->db);
@ -323,10 +323,10 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService
//$tag2 = mysql_real_escape_string($tag2);
$query = "SELECT tag1, tag2, relationType, uId FROM `". $this->getTableName() ."`";
$query.= " WHERE tag1 = '" .$tag1 ."'";
$query.= " AND tag2 = '".$tag2."'";
$query.= " AND relationType = '". $relationType ."'";
$query.= " AND uId = '".$uId."'";
$query.= " WHERE tag1 = '" . $this->db->sql_escape($tag1) . "'";
$query.= " AND tag2 = '" . $this->db->sql_escape($tag2) . "'";
$query.= " AND relationType = '" . $this->db->sql_escape($relationType) . "'";
$query.= " AND uId = " . intval($uId);
//echo($query."<br>\n");
@ -340,7 +340,7 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService
$query = "SELECT tag1, tag2, relationType, uId FROM `". $this->getTableName() ."`";
$query.= " WHERE 1=1";
if($uId > 0) {
$query.= " AND uId = '".$uId."'";
$query.= " AND uId = " . intval($uId);
}
$dbres = $this->db->sql_query($query);
@ -357,10 +357,10 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService
}
$query = 'DELETE FROM '. $this->getTableName();
$query.= ' WHERE 1=1';
$query.= strlen($tag1)>0 ? ' AND tag1 = "'. $tag1 .'"' : '';
$query.= strlen($tag2)>0 ? ' AND tag2 = "'. $tag2 .'"' : '';
$query.= strlen($relationType)>0 ? ' AND relationType = "'. $relationType .'"' : '';
$query.= strlen($uId)>0 ? ' AND uId = "'. $uId .'"' : '';
$query.= strlen($tag1)>0 ? ' AND tag1 = \''. $this->db->sql_escape($tag1) . "'" : '';
$query.= strlen($tag2)>0 ? ' AND tag2 = \''. $this->db->sql_escape($tag2) . "'" : '';
$query.= strlen($relationType)>0 ? ' AND relationType = \''. $this->db->sql_escape($relationType) . "'" : '';
$query.= strlen($uId)>0 ? ' AND uId = '. intval($uId) : '';
if (!($dbresult =& $this->db->sql_query($query))) {
message_die(GENERAL_ERROR, 'Could not remove tag relation', '', __LINE__, __FILE__, $query, $this->db);
@ -377,7 +377,7 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService
function removeLinkedTagsForUser($uId) {
$query = 'DELETE FROM '. $this->getTableName();
$query.= ' WHERE uId = "'. $uId .'"';
$query.= ' WHERE uId = '. intval($uId);
if (!($dbresult =& $this->db->sql_query($query))) {
message_die(GENERAL_ERROR, 'Could not remove tag relation', '', __LINE__, __FILE__, $query, $this->db);
@ -397,15 +397,15 @@ class SemanticScuttle_Service_Tag2Tag extends SemanticScuttle_DbService
$newName = $tagservice->normalize($newName);
$query = 'UPDATE `'. $this->getTableName() .'`';
$query.= ' SET tag1="'.$newName.'"';
$query.= ' WHERE tag1="'.$oldName.'"';
$query.= ' AND uId="'.$uId.'"';
$query.= ' SET tag1=\'' . $this->db->sql_escape($newName) ."'";
$query.= ' WHERE tag1=\'' . $this->db->sql_escape($oldName) . "'";
$query.= ' AND uId=' . intval($uId);
$this->db->sql_query($query);
$query = 'UPDATE `'. $this->getTableName() .'`';
$query.= ' SET tag2="'.$newName.'"';
$query.= ' WHERE tag2="'.$oldName.'"';
$query.= ' AND uId="'.$uId.'"';
$query.= ' SET tag2=\'' . $this->db->sql_escape($newName) . "'";
$query.= ' WHERE tag2=\'' . $this->db->sql_escape($oldName) . "'";
$query.= ' AND uId=' . intval($uId);
$this->db->sql_query($query);

38
src/SemanticScuttle/Service/TagCache.php
View file

@ -68,8 +68,8 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService
$query = "SELECT DISTINCT tag2 as 'tag'";
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE relationType = '>'";
$query.= " AND tag1 = '".$tag1."'";
$query.= " AND uId = '".$uId."'";
$query.= " AND tag1 = '" . $this->db->sql_escape($tag1) . "'";
$query.= " AND uId = " . intval($uId);
//die($query);
if (! ($dbresult =& $this->db->sql_query($query)) ){
@ -117,10 +117,10 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService
$query = 'DELETE FROM '. $this->getTableName();
$query.= ' WHERE 1=1';
$query.= strlen($tag1)>0 ? ' AND tag1 = "'. $tag1 .'"' : '';
$query.= strlen($tag2)>0 ? ' AND tag2 = "'. $tag2 .'"' : '';
$query.= strlen($tag1)>0 ? ' AND tag1 = \''. $this->db->sql_escape($tag1) . "'" : '';
$query.= strlen($tag2)>0 ? ' AND tag2 = \''. $this->db->sql_escape($tag2) . "'" : '';
$query.= ' AND relationType = ">"';
$query.= strlen($uId)>0 ? ' AND uId = "'. $uId .'"' : '';
$query.= strlen($uId)>0 ? ' AND uId = ' . intval($uId) : '';
if (!($dbresult =& $this->db->sql_query($query))) {
message_die(GENERAL_ERROR, 'Could not remove tag cache inference', '', __LINE__, __FILE__, $query, $this->db);
@ -138,10 +138,10 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService
$tag2 = $tagservice->normalize($tag2);
$query = "SELECT tag1, tag2, relationType, uId FROM `". $this->getTableName() ."`";
$query.= " WHERE tag1 = '" .$tag1 ."'";
$query.= " AND tag2 = '".$tag2."'";
$query.= " WHERE tag1 = '" . $this->db->sql_escape($tag1) . "'";
$query.= " AND tag2 = '" . $this->db->sql_escape($tag2) . "'";
$query.= " AND relationType = '>'";
$query.= " AND uId = '".$uId."'";
$query.= " AND uId = " . intval($uId);
//echo($query."<br>\n");
@ -228,9 +228,9 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService
function removeSynonymGroup($tag1, $uId) {
$query = 'DELETE FROM '. $this->getTableName();
$query.= ' WHERE 1=1';
$query.= ' AND tag1 = "'. $tag1 .'"';
$query.= ' AND tag1 = \''. $this->db->sql_escape($tag1) . "'";
$query.= ' AND relationType = "="';
$query.= ' AND uId = "'. $uId .'"';
$query.= ' AND uId = ' . intval($uId);
if (!($dbresult =& $this->db->sql_query($query))) {
message_die(GENERAL_ERROR, 'Could not remove tag cache inference', '', __LINE__, __FILE__, $query, $this->db);
@ -243,9 +243,9 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService
$tag1 = $tagservice->normalize($tag1);
$query = "SELECT tag1 FROM `". $this->getTableName() ."`";
$query.= " WHERE tag1 = '" .$tag1 ."'";
$query.= " WHERE tag1 = '" . $this->db->sql_escape($tag1) ."'";
$query.= " AND relationType = '='";
$query.= " AND uId = '".$uId."'";
$query.= " AND uId = " . intval($uId);
$dbres = $this->db->sql_query($query);
$rows = $this->db->sql_numrows($dbres);
@ -258,9 +258,9 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService
$tag2 = $tagservice->normalize($tag2);
$query = "SELECT tag2 FROM `". $this->getTableName() ."`";
$query.= " WHERE tag2 = '" .$tag2 ."'";
$query.= " WHERE tag2 = '" . $this->db->sql_escape($tag2) . "'";
$query.= " AND relationType = '='";
$query.= " AND uId = '".$uId."'";
$query.= " AND uId = " . intval($uId);
$dbres = $this->db->sql_query($query);
$rows = $this->db->sql_numrows($dbres);
@ -291,8 +291,8 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService
$query = "SELECT DISTINCT tag1 as 'tag'";
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE relationType = '='";
$query.= " AND tag2 = '".$tag2."'";
$query.= " AND uId = '".$uId."'";
$query.= " AND tag2 = '" . $this->db->sql_escape($tag2) . "'";
$query.= " AND uId = " . intval($uId);
//die($query);
if (! ($dbresult =& $this->db->sql_query($query)) ){
@ -319,9 +319,9 @@ class SemanticScuttle_Service_TagCache extends SemanticScuttle_DbService
$query = "SELECT DISTINCT tag2 as 'tag'";
$query.= " FROM `". $this->getTableName() ."`";
$query.= " WHERE relationType = '='";
$query.= " AND tag1 = '".$tag1."'";
$query.= " AND uId = '".$uId."'";
$query.= $tagExcepted!=''?" AND tag2!='".$tagExcepted."'":"";
$query.= " AND tag1 = '" . $this->db->sql_escape($tag1) . "'";
$query.= " AND uId = " . intval($uId);
$query.= $tagExcepted!=''?" AND tag2!='" . $this->db->sql_escape($tagExcepted) . "'" : '';
if (! ($dbresult =& $this->db->sql_query($query)) ){
message_die(GENERAL_ERROR, 'Could not get related tags', '', __LINE__, __FILE__, $query, $this->db);