From c9785f9a92744c3475f9676a0d8f95de24750094 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dufraisse?=
Date: Wed, 20 Oct 2021 01:36:49 +0200
Subject: [PATCH] fix(SQL query): use in all case escape to format query
---
 actions/listpages.php | 16 ++++++-------
 actions/newtextsearch.php | 2 +-
 includes/User.class.php | 2 +-
 tools/bazar/services/FormManager.php | 34 ++++++++++++++--------------
 tools/security/actions/despam.php | 2 +-
 5 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/actions/listpages.php b/actions/listpages.php
index 0daa4abf1..42f8b8ad3 100755
--- a/actions/listpages.php
+++ b/actions/listpages.php
@@ -115,7 +115,7 @@
 $links[$tree] = array();
 } // switch
 if ($sort != 'tag') {
- $sql .= ' WHERE a.tag = "' . AddSlashes($tree) . '" AND a.latest = "Y" LIMIT 1';
+ $sql .= ' WHERE a.tag = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($tree) . '" AND a.latest = "Y" LIMIT 1';
 if (!$rootData = $this->LoadSingle($sql)) {
 echo '
'._t('ERROR').' '._t('ACTION').' ListPages : '._('THE_PAGE').' ' . htmlspecialchars($tree, ENT_COMPAT, YW_CHARSET) . ' '._t('DOESNT_EXIST').' !
';
 return;
@@ -132,8 +132,8 @@
 // to avoid many loops and computing several time the lists needed for the request,
 // we store them into variables
- $from = '"' . AddSlashes($tree) . '"';
- $exclude[] = AddSlashes($tree);
+ $from = '"' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($tree) . '"';
+ $exclude[] = $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($tree);
 $exclude_str = '"' . implode('", "', $exclude) . '"';
 for ($i = 1; $i <= $levels; $i++) {
 if ($from) {
@@ -151,7 +151,7 @@
 $sql .= ' WHERE from_tag IN (' . $from . ')'
 . ' AND to_tag NOT IN (' . $from . ')'
 . ' AND to_tag = a.tag'
- . ' AND a.owner = "' . AddSlashes($owner) . '"'
+ . ' AND a.owner = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($owner) . '"'
 . ' AND a.latest = "Y"';
 } else {
 $sql = 'SELECT from_tag, to_tag, a.tag IS NOT NULL page_exists';
@@ -208,7 +208,7 @@
 $from = '';
 $newworkingon = array();
 foreach ($pages as $page) {
- $to_tag = '"' . AddSlashes($page['to_tag']) . '"';
+ $to_tag = '"' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($page['to_tag']) . '"';
 $workingon[$page['from_tag']][$page['to_tag']] = array('page_exists' => $page['page_exists'], 'haslinksto' => array());
 if ($sort != 'tag') {
 $workingon[$page['from_tag']][$page['to_tag']][$sort] = $page[$sort];
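Review bot: The service lookup `$this->services->get(\YesWiki\Core\Service\DbService::class)` is repeated on both added lines of this hunk and on every other added line in listpages.php; resolve it once near the top of the action, `$dbService = $this->services->get(\YesWiki\Core\Service\DbService::class);`, and call `$dbService->escape(...)` at each site, the way FormManager.php in this same patch uses its `$this->dbService` property. The substitution itself is sound here because each escaped value is placed between double quotes, which is the context a mysqli-style escape protects; whether every member of `$exclude` that ends up in `$exclude_str` is escaped cannot be confirmed, since only this one append is visible. The `if ($sort != 'tag')` block and the `for` loop that consume these values continue outside the hunk.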
@@ -316,9 +316,9 @@ function ShowPageTree($tree, &$wiki, $show = 'tag', $indent = 0)
 LEFT JOIN ' . $prefix . 'users ON b.user = name
 LEFT JOIN ' . $prefix . 'pages user_page ON name = user_page.tag AND user_page.latest = "Y"'
 . ($owner ? '' : ' LEFT JOIN ' . $prefix . 'pages owner_page ON b.owner = owner_page.tag AND owner_page.latest = "Y"')
- . ' WHERE a.user = "' . AddSlashes($user) . '"'
+ . ' WHERE a.user = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($user) . '"'
 . ' AND a.tag = b.tag AND b.latest = "Y"'
- . ($owner ? ' AND b.owner = "' . AddSlashes($owner) . '"' : '');
+ . ($owner ? ' AND b.owner = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($owner) . '"' : '');
 } elseif ($owner) {
 if ($sort == 'user') {
 $sql = 'SELECT a.tag, a.time,
@@ -329,7 +329,7 @@ function ShowPageTree($tree, &$wiki, $show = 'tag', $indent = 0)
 } else {
 $sql = 'SELECT tag, time FROM ' . $prefix . 'pages a';
 }
- $sql .= ' WHERE a.owner = "' . AddSlashes($owner) . '" AND a.latest = "Y"';
+ $sql .= ' WHERE a.owner = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($owner) . '" AND a.latest = "Y"';
 } else {
 if ($sort == 'user') {
 $sql = 'SELECT a.tag, a.owner,
diff --git a/actions/newtextsearch.php b/actions/newtextsearch.php
index 1ebd29081..82199e916 100644
--- a/actions/newtextsearch.php
+++ b/actions/newtextsearch.php
@@ -148,7 +148,7 @@ function displayNewSearchResult($string, $phrase, $needles = [])
 // Modification de caractère spéciaux
 $phraseFormatted= str_replace(array('*', '?'), array('%', '_'), $phrase);
- $phraseFormatted = addslashes($phraseFormatted);
+ $phraseFormatted = $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($phraseFormatted);
 // Blablabla SQL
 $requestfull = 'SELECT body, tag FROM '.$prefixe.'pages
diff --git a/includes/User.class.php b/includes/User.class.php
index f81597e47..97374fb3b 100644
--- a/includes/User.class.php
+++ b/includes/User.class.php
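Review bot: The added `$phraseFormatted = $this->services->get(...)->escape(...)` line depends on `$this`, while the hunk header names the plain function `displayNewSearchResult($string, $phrase, $needles = [])` as the nearest enclosing context; if this statement sits inside that function rather than at the action's file scope, `$this` is not defined there and PHP aborts with "Using $this when not in object context" — please confirm the scope, and if it is the function, pass the escaper in or escape at the call site. The wildcard translation on the line above (`*` to `%`, `?` to `_`) is correctly done before escaping, since a mysqli-style escape leaves `%` and `_` alone; that ordering is what keeps the user's wildcards working rather than an injection concern. The `$requestfull` statement that consumes `$phraseFormatted` continues outside the hunk.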
@@ -1000,7 +1000,7 @@ protected function emailExistsInDB($email)
 {
 /* Build sql query*/
 $sql = 'SELECT * FROM '.$this->usersTable;
- $sql .= ' WHERE email = "'.$email.'";';
+ $sql .= ' WHERE email = "'.mysqli_real_escape_string($this->wiki->dblink,$email).'";';
 /* Execute query */
 $results = $this->wiki->loadAll($sql);
 return $results; // If the password does not already exist in DB, $result is an empty table => false
diff --git a/tools/bazar/services/FormManager.php b/tools/bazar/services/FormManager.php
index 137100603..2332c9f5e 100644
--- a/tools/bazar/services/FormManager.php
+++ b/tools/bazar/services/FormManager.php
@@ -46,7 +46,7 @@ public function getOne($formId): ?array
 return $this->cachedForms[$formId];
 }
- $form = $this->dbService->loadSingle('SELECT * FROM ' . $this->dbService->prefixTable('nature') . 'WHERE bn_id_nature=\'' . $formId . '\'');
+ $form = $this->dbService->loadSingle('SELECT * FROM ' . $this->dbService->prefixTable('nature') . 'WHERE bn_id_nature=\'' . $this->dbService->escape($formId) . '\'');
 if (!$form) {
 return null;
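Review bot: The added line calls `mysqli_real_escape_string($this->wiki->dblink,$email)` directly, whereas every other hunk in this patch routes through `DbService::escape()`; unless this class cannot reach the service container, use `$this->wiki->services->get(\YesWiki\Core\Service\DbService::class)->escape($email)` so escaping has one owner and one place to migrate to prepared statements later. The escaped value is placed between double quotes, which is the right context for it, but the call presumes `$this->wiki->dblink` is an open mysqli link — if it can be unset at this point the escape fails before any query is built. Two smaller things on the same lines: `SELECT *` is used only to test existence, so `SELECT 1 ... LIMIT 1` would avoid pulling whole user rows into `$results`, and the trailing comment on `return $results;` talks about a password where the method looks up an email.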
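Review bot: `$formId` is still accepted as an arbitrary string on the rewritten `loadSingle(...)` line; the escape sits between single quotes, so this particular query is safe, but the same identifier is used unquoted in `update()` and `delete()` later in this patch and as the raw `$this->cachedForms[$formId]` key two lines above, so two spellings of one id (for example `"3"` and `" 3"`) bypass the cache and hit the database twice. If `bn_id_nature` is numeric, as its unquoted use elsewhere in this class suggests, normalise once at entry with `$formId = (int) $formId;` before the cache lookup, and the quotes and escape here become belt-and-braces rather than the only defence. The method's opening guard and the remainder of its body are outside the hunk.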
@@ -105,13 +105,13 @@ public function create($data)
 return $this->dbService->query('INSERT INTO ' . $this->dbService->prefixTable('nature') . '(`bn_id_nature` ,`bn_ce_i18n` ,`bn_label_nature` ,`bn_template` ,`bn_description` ,`bn_sem_context` ,`bn_sem_type` ,`bn_sem_use_template` ,`bn_condition`)'
 . ' VALUES (' . $data['bn_id_nature'] . ', "fr-FR", "'
- . addslashes(_convert($data['bn_label_nature'], YW_CHARSET, true)) . '","'
- . addslashes(_convert($data['bn_template'], YW_CHARSET, true)) . '", "'
- . addslashes(_convert($data['bn_description'], YW_CHARSET, true)) . '", "'
- . addslashes(_convert($data['bn_sem_context'], YW_CHARSET, true)) . '", "'
- . addslashes(_convert($data['bn_sem_type'], YW_CHARSET, true)) . '", '
+ . $this->dbService->escape(_convert($data['bn_label_nature'], YW_CHARSET, true)) . '","'
+ . $this->dbService->escape(_convert($data['bn_template'], YW_CHARSET, true)) . '", "'
+ . $this->dbService->escape(_convert($data['bn_description'], YW_CHARSET, true)) . '", "'
+ . $this->dbService->escape(_convert($data['bn_sem_context'], YW_CHARSET, true)) . '", "'
+ . $this->dbService->escape(_convert($data['bn_sem_type'], YW_CHARSET, true)) . '", '
 . (isset($data['bn_sem_use_template']) ? '1' : '0') . ', "'
- . addslashes(_convert($data['bn_condition'], YW_CHARSET, true)) . '")');
+ . $this->dbService->escape(_convert($data['bn_condition'], YW_CHARSET, true)) . '")');
 }
 public function update($data)
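Review bot: `$data['bn_id_nature']` on the context line `. ' VALUES (' . $data['bn_id_nature'] . ', "fr-FR", "'` is still concatenated raw — neither quoted nor escaped — even though the commit's stated intent is to escape in every case; because it sits in a numeric position, `escape()` alone would not help either (a mysqli-style escape leaves a payload such as `1), (2, ...` untouched), so coerce it: `. ' VALUES (' . (int) $data['bn_id_nature'] . ', "fr-FR", "'`, or, if the id is not guaranteed numeric, quote it and escape it like the string columns. The six string columns are otherwise handled consistently (`_convert` then `escape()` between double quotes). The hibernation guard at the start of `create()` is outside the hunk.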
@@ -120,14 +120,14 @@ public function update($data)
 throw new \Exception(_t('WIKI_IN_HIBERNATION'));
 }
 return $this->dbService->query('UPDATE' . $this->dbService->prefixTable('nature') . 'SET '
- . '`bn_label_nature`="' . addslashes(_convert($data['bn_label_nature'], YW_CHARSET, true)) . '" ,'
- . '`bn_template`="' . addslashes(_convert($data['bn_template'], YW_CHARSET, true)) . '" ,'
- . '`bn_description`="' . addslashes(_convert($data['bn_description'], YW_CHARSET, true)) . '" ,'
- . '`bn_sem_context`="' . addslashes(_convert($data['bn_sem_context'], YW_CHARSET, true)) . '" ,'
- . '`bn_sem_type`="' . addslashes(_convert($data['bn_sem_type'], YW_CHARSET, true)) . '" ,'
+ . '`bn_label_nature`="' . $this->dbService->escape(_convert($data['bn_label_nature'], YW_CHARSET, true)) . '" ,'
+ . '`bn_template`="' . $this->dbService->escape(_convert($data['bn_template'], YW_CHARSET, true)) . '" ,'
+ . '`bn_description`="' . $this->dbService->escape(_convert($data['bn_description'], YW_CHARSET, true)) . '" ,'
+ . '`bn_sem_context`="' . $this->dbService->escape(_convert($data['bn_sem_context'], YW_CHARSET, true)) . '" ,'
+ . '`bn_sem_type`="' . $this->dbService->escape(_convert($data['bn_sem_type'], YW_CHARSET, true)) . '" ,'
 . '`bn_sem_use_template`=' . (isset($data['bn_sem_use_template']) ? '1' : '0') . ' ,'
- . '`bn_condition`="' . addslashes(_convert($data['bn_condition'], YW_CHARSET, true)) . '"'
- . ' WHERE `bn_id_nature`=' . $data['bn_id_nature']);
+ . '`bn_condition`="' . $this->dbService->escape(_convert($data['bn_condition'], YW_CHARSET, true)) . '"'
+ . ' WHERE `bn_id_nature`=' . $this->dbService->escape($data['bn_id_nature']));
 }
 public function clone($id)
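Review bot: The final added line compares bn_id_nature to `$this->dbService->escape($data['bn_id_nature'])` without surrounding quotes, so the escape buys nothing there: a mysqli-style escape only rewrites quotes, backslashes, NUL and line breaks, and an id such as `1 OR 1=1` passes through unchanged and turns this UPDATE into a write to every row of the table. Replace that call with `(int) $data['bn_id_nature']`, or keep the escape but wrap the value in double quotes the way the string columns on the preceding lines are, so that the characters the escape does neutralise are the ones that matter. The same unquoted pattern recurs in `delete()` later in this patch and should be fixed together with this one. The hibernation check that opens `update()` is outside the hunk.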
@@ -155,7 +155,7 @@ public function delete($id)
 }
 $this->clear($id);
- return $this->dbService->query('DELETE FROM ' . $this->dbService->prefixTable('nature') . 'WHERE bn_id_nature=' . $id);
+ return $this->dbService->query('DELETE FROM ' . $this->dbService->prefixTable('nature') . 'WHERE bn_id_nature=' . $this->dbService->escape($id));
 }
 public function clear($id)
@@ -167,14 +167,14 @@ public function clear($id)
 'DELETE FROM' . $this->dbService->prefixTable('acls') .
 'WHERE page_tag IN (SELECT tag FROM ' . $this->dbService->prefixTable('pages') .
 'WHERE tag IN (SELECT resource FROM ' . $this->dbService->prefixTable('triples') .
- 'WHERE property="http://outils-reseaux.org/_vocabulary/type" AND value="fiche_bazar") AND body LIKE \'%"id_typeannonce":"' . $id . '"%\' );'
+ 'WHERE property="http://outils-reseaux.org/_vocabulary/type" AND value="fiche_bazar") AND body LIKE \'%"id_typeannonce":"' . $this->dbService->escape($id) . '"%\' );'
 );
 // TODO use PageManager
 $this->dbService->query(
 'DELETE FROM' . $this->dbService->prefixTable('pages') .
 'WHERE tag IN (SELECT resource FROM ' . $this->dbService->prefixTable('triples') .
- 'WHERE property="http://outils-reseaux.org/_vocabulary/type" AND value="fiche_bazar") AND body LIKE \'%"id_typeannonce":"' . $id . '"%\';'
+ 'WHERE property="http://outils-reseaux.org/_vocabulary/type" AND value="fiche_bazar") AND body LIKE \'%"id_typeannonce":"' . $this->dbService->escape($id) . '"%\';'
 );
 // TODO use TripleStore
diff --git a/tools/security/actions/despam.php b/tools/security/actions/despam.php
index 62194fa4f..60260851f 100755
--- a/tools/security/actions/despam.php
+++ b/tools/security/actions/despam.php
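Review bot: `'WHERE bn_id_nature=' . $this->dbService->escape($id)` on the added line leaves `$id` unquoted, so escaping does not constrain it: nothing in `1 OR 1=1` is touched by a mysqli-style escape, and the statement would then delete every form definition. Use `(int) $id` in place of the escape, or quote the escaped value (`'WHERE bn_id_nature="' . $this->dbService->escape($id) . '"'`); note also that `$this->clear($id)` on the context line above has already run with the same raw id by the time this DELETE executes, so the coercion belongs at the top of `delete()` rather than only in the query. The method's early-return guard is outside the hunk.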
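Review bot: Both rewritten `body LIKE` patterns embed `$this->dbService->escape($id)` between `":"` and `"%`, but a mysqli-style escape does not neutralise the LIKE metacharacters `%` and `_`; an `$id` of `%` would match every fiche_bazar page, and these two DELETEs would remove all of them together with their ACLs. If the id is numeric, compute `$safeId = (int) $id;` once at the top of `clear()` and concatenate `$safeId` in both patterns; otherwise wrap the escape as `addcslashes($this->dbService->escape($id), '%_')` so the wildcards are taken literally by MySQL. The opening of `clear()`, the first `query(` call and the `// TODO use TripleStore` statement that follows are outside the hunk.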
@@ -62,7 +62,7 @@
 "select * from ".$this->config["table_prefix"]."pages where
- time > date_sub(now(), interval " . addslashes($_POST['from']) . " hour)
+ time > date_sub(now(), interval " . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($_POST['from']) . " hour)
 and latest = 'Y' order by `time` desc";
 $title =
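Review bot: `$_POST['from']` is interpolated unquoted inside `interval " . ...->escape($_POST['from']) . " hour`, and at that position a mysqli-style escape removes nothing an attacker needs — a value such as `0 hour) or 1=1 -- ` contains no quotes, backslashes or line breaks — so the query can still be reshaped by anyone who can submit this form; request input in a numeric slot should be coerced, not escaped: `$hours = isset($_POST['from']) ? (int) $_POST['from'] : 0;` before the statement, then `interval " . $hours . " hour)` in the string. Reading `$_POST['from']` without `isset` also emits a notice whenever the action runs without that field. The `$sql` string begins before the first context line shown, and the `$title =` assignment runs on past the hunk.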