Prevent $phpwcms['db_prepend'] from SQL injection

slackero · Aug 22, 2021 · 77dafb6 · 77dafb6
1 parent 0d27adc
commit 77dafb6
Show file tree

Hide file tree

Showing 9 changed files with 52 additions and 15 deletions.
diff --git a/include/inc_lib/dbcon.inc.php b/include/inc_lib/dbcon.inc.php
@@ -16,11 +16,7 @@
 }
 // ----------------------------------------------------------------
 
-// build the database table prepend part
-define ('DB_PREPEND', empty($GLOBALS['phpwcms']["db_prepend"]) ? '' : $GLOBALS['phpwcms']["db_prepend"].'_');
-
-// Log DB errors
-define ('DB_LOG_ERRORS', empty($GLOBALS['phpwcms']["db_errorlog"]) ? false : true);
+define('DB_LOG_ERRORS', empty($GLOBALS['phpwcms']["db_errorlog"]) ? false : true);
 
 // open the connection to MySQL database
 if(!empty($GLOBALS['phpwcms']["db_pers"]) && substr($GLOBALS['phpwcms']["db_host"], 0, 2) !== 'p:') {
@@ -37,6 +33,7 @@
     // for compatibility issues try to check for MySQL version and charset
     $GLOBALS['phpwcms']['db_version'] = _dbInitialize();
     define('PHPWCMS_DB_VERSION', $GLOBALS['phpwcms']['db_version']);
+    define('DB_PREPEND', empty($GLOBALS['phpwcms']["db_prepend"]) ? '' : mysqli_real_escape_string($GLOBALS['db'], $GLOBALS['phpwcms']["db_prepend"]) . '_');
 
 } elseif($is_mysql_error !== 'dbdown.php') {
 
@@ -45,11 +42,15 @@
 } else {
 
     define('PHPWCMS_DB_VERSION', $GLOBALS['phpwcms']['db_version']);
+    define('DB_PREPEND', empty($GLOBALS['phpwcms']["db_prepend"]) ? '' : aporeplace($GLOBALS['phpwcms']["db_prepend"]) . '_');
 
 }
 
 // deprecated function for escaping db items
 function aporeplace($value='') {
+    if (!$GLOBALS['db']) {
+        return str_replace(array("\\", "\x00", "\n", "\r", "'",  '"', "\x1a"), array("\\\\", "\\0", "\\n", "\\r", "\'", '\"', "\\Z"), $value);
+    }
     return mysqli_real_escape_string($GLOBALS['db'], $value);
 }
 

diff --git a/include/inc_lib/revision/revision.php b/include/inc_lib/revision/revision.php
@@ -10,5 +10,5 @@
  **/
 
 define('PHPWCMS_VERSION', '1.9.27-dev');
-define('PHPWCMS_RELEASE_DATE', '2021/08/19');
+define('PHPWCMS_RELEASE_DATE', '2021/08/22');
 define('PHPWCMS_REVISION', '552');
diff --git a/setup/inc/setup.check.inc.php b/setup/inc/setup.check.inc.php
@@ -1,4 +1,17 @@
 <?php
+/**
+ * phpwcms content management system
+ *
+ * @author Oliver Georgi <og@phpwcms.org>
+ * @copyright Copyright (c) 2002-2021, Oliver Georgi
+ * @license http://opensource.org/licenses/GPL-2.0 GNU GPL-2
+ * @link http://www.phpwcms.org
+ *
+ **/
+
+if (!defined('PHP8')) {
+    die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
 
 if(!empty($step)) {
 
@@ -85,7 +98,7 @@
 
                     mysqli_free_result($result);
 
-                    if($result = mysqli_query($db, 'SELECT * FROM '. ($phpwcms["db_prepend"] ? $phpwcms["db_prepend"].'_' : '').'phpwcms_user')) {
+                    if($result = mysqli_query($db, 'SELECT * FROM '. ($phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . '_' : '') . 'phpwcms_user')) {
 
                         $_db_prepend_error = true;
                         mysqli_free_result($result);
@@ -128,7 +141,7 @@
 
                             // now read and display sql queries
 
-                            $_db_prepend = ($phpwcms["db_prepend"] ? $phpwcms["db_prepend"].'_' : '');
+                            $_db_prepend = $phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . '_' : '';
 
                             $sql_data = read_textfile($DOCROOT . '/setup/default_sql/phpwcms_init.sql');
                             $sql_data = $sql_data . read_textfile($DOCROOT . '/setup/default_sql/phpwcms_inserts.sql');
@@ -219,8 +232,8 @@
             } else {
                 mysqli_query($db, "SET SQL_MODE=NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION");
                 mysqli_query($db, "SET NAMES '".mysqli_real_escape_string($db, $phpwcms["charset"])."'");
-                $phpwcms["db_prepend"] = ($phpwcms["db_prepend"]) ? $phpwcms["db_prepend"]."_" : "";
-                $sql =  "INSERT INTO ".$phpwcms["db_prepend"]."phpwcms_user (usr_login, usr_pass, usr_email, ".
+                $_db_prepend = $phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . "_" : "";
+                $sql =  "INSERT INTO " . $_db_prepend . "phpwcms_user (usr_login, usr_pass, usr_email, ".
                         "usr_admin, usr_aktiv, usr_name, usr_fe, usr_wysiwyg ) VALUES ('".
                         mysqli_real_escape_string($db, $phpwcms["admin_user"])."', '".
                         mysqli_real_escape_string($db, md5($phpwcms["admin_pass"]))."', '".

diff --git a/setup/inc/step0.inc.php b/setup/inc/step0.inc.php
@@ -9,6 +9,10 @@
  *
  **/
 
+if (!defined('PHP8')) {
+    die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 $_SESSION['admin_set'] = false;
 $setup_recommend = true;
 

diff --git a/setup/inc/step1.inc.php b/setup/inc/step1.inc.php
@@ -9,6 +9,10 @@
  *
  **/
 
+if (!defined('PHP8')) {
+    die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 ?>
 <h1><span class="number">3.</span> MySQL database settings </h1>
 <?php
@@ -142,14 +146,14 @@
     } elseif(isset($db_create_err) || !empty($db_no_create)) {
 
         // OK fine - initial tables were created without error
-        $_db_prepend = ($phpwcms["db_prepend"] ? $phpwcms["db_prepend"].'_' : '');
+        $_db_prepend = $phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . '_' : '';
         $check = _dbQuery("SHOW TABLES LIKE '".$_db_prepend."phpwcms_%'");
 
         if($check && count($check)) {
 
-            $sql_data               = false;
-            $db_sql                 = false;
-            $db_fine                = true;
+            $sql_data   = false;
+            $db_sql     = false;
+            $db_fine    = true;
 
 ?>
       <tr>
@@ -305,7 +309,7 @@
 
     } else {
 
-        $_db_prepend = ($phpwcms["db_prepend"] ? $phpwcms["db_prepend"].'_' : '');
+        $_db_prepend = $phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . '_' : '';
 
         //show Info that admin info was saved
         //and also if stored in database

diff --git a/setup/inc/step2.inc.php b/setup/inc/step2.inc.php
@@ -9,6 +9,10 @@
  *
  **/
 
+if (!defined('PHP8')) {
+    die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 if ($err) {
     echo '<p class="error"><b>Check your admin user name and password!</b></p>';
 }

diff --git a/setup/inc/step3.inc.php b/setup/inc/step3.inc.php
@@ -9,6 +9,10 @@
  *
  **/
 
+if (!defined('PHP8')) {
+    die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 ?>
 <p class="title">phpwcms path settings </p>
 <p>Please check that any path value does NOT begin or end with a slash. I recommend

diff --git a/setup/inc/step4.inc.php b/setup/inc/step4.inc.php
@@ -9,6 +9,10 @@
  *
  **/
 
+if (!defined('PHP8')) {
+    die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 ?><p class="title">phpwcms content values</p>
 <form action="setup.php?step=4" method="post"><table border="0" cellpadding="0" cellspacing="0" summary="">
           <tr>

diff --git a/setup/inc/step5.inc.php b/setup/inc/step5.inc.php
@@ -9,6 +9,9 @@
  *
  **/
 
+if (!defined('PHP8')) {
+    die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
 
 $_SERVER['DOCUMENT_ROOT'] = $phpwcms['DOC_ROOT'];
 $phpwcms["root"] = !empty($phpwcms["root"]) ? "/".$phpwcms["root"] : "";