fix(SQL query): use in all case escape to format query

YesWiki · Oct 19, 2021 · c9785f9 · c9785f9
1 parent 6095a40
commit c9785f9
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 28 deletions.
diff --git a/actions/listpages.php b/actions/listpages.php
@@ -115,7 +115,7 @@
             $links[$tree] = array();
     } // switch
     if ($sort != 'tag') {
-        $sql .= ' WHERE a.tag = "' . AddSlashes($tree) . '" AND a.latest = "Y" LIMIT 1';
+        $sql .= ' WHERE a.tag = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($tree) . '" AND a.latest = "Y" LIMIT 1';
         if (!$rootData = $this->LoadSingle($sql)) {
             echo '<div class="alert alert-danger"><strong>'._t('ERROR').' '._t('ACTION').' ListPages</strong> : '._('THE_PAGE').' ' . htmlspecialchars($tree, ENT_COMPAT, YW_CHARSET) . ' '._t('DOESNT_EXIST').' !</div>';
             return;
@@ -132,8 +132,8 @@
 
     // to avoid many loops and computing several time the lists needed for the request,
     // we store them into variables
-    $from = '"' . AddSlashes($tree) . '"';
-    $exclude[] = AddSlashes($tree);
+    $from = '"' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($tree) . '"';
+    $exclude[] = $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($tree);
     $exclude_str = '"' . implode('", "', $exclude) . '"';
     for ($i = 1; $i <= $levels; $i++) {
         if ($from) {
@@ -151,7 +151,7 @@
                 $sql .= ' WHERE from_tag IN (' . $from . ')'
                     . ' AND to_tag NOT IN (' . $from . ')'
                     . ' AND to_tag = a.tag'
-                    . ' AND a.owner = "' . AddSlashes($owner) . '"'
+                    . ' AND a.owner = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($owner) . '"'
                     . ' AND a.latest = "Y"';
             } else {
                 $sql = 'SELECT from_tag, to_tag, a.tag IS NOT NULL page_exists';
@@ -208,7 +208,7 @@
             $from = '';
             $newworkingon = array();
             foreach ($pages as $page) {
-                $to_tag = '"' . AddSlashes($page['to_tag']) . '"';
+                $to_tag = '"' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($page['to_tag']) . '"';
                 $workingon[$page['from_tag']][$page['to_tag']] = array('page_exists' => $page['page_exists'], 'haslinksto' => array());
                 if ($sort != 'tag') {
                     $workingon[$page['from_tag']][$page['to_tag']][$sort] = $page[$sort];
@@ -316,9 +316,9 @@ function ShowPageTree($tree, &$wiki, $show = 'tag', $indent = 0)
             LEFT JOIN ' . $prefix . 'users ON b.user = name
             LEFT JOIN ' . $prefix . 'pages user_page ON name = user_page.tag AND user_page.latest = "Y"'
             . ($owner ? '' : ' LEFT JOIN ' . $prefix . 'pages owner_page ON b.owner = owner_page.tag AND owner_page.latest = "Y"')
-            . ' WHERE a.user = "' . AddSlashes($user) . '"'
+            . ' WHERE a.user = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($user) . '"'
             . ' AND a.tag = b.tag AND b.latest = "Y"'
-            . ($owner ? ' AND b.owner = "' . AddSlashes($owner) . '"' : '');
+            . ($owner ? ' AND b.owner = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($owner) . '"' : '');
     } elseif ($owner) {
         if ($sort == 'user') {
             $sql = 'SELECT a.tag, a.time,
@@ -329,7 +329,7 @@ function ShowPageTree($tree, &$wiki, $show = 'tag', $indent = 0)
         } else {
             $sql = 'SELECT tag, time FROM ' . $prefix . 'pages a';
         }
-        $sql .= ' WHERE a.owner = "' . AddSlashes($owner) . '" AND a.latest = "Y"';
+        $sql .= ' WHERE a.owner = "' . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($owner) . '" AND a.latest = "Y"';
     } else {
         if ($sort == 'user') {
             $sql = 'SELECT a.tag, a.owner,

diff --git a/actions/newtextsearch.php b/actions/newtextsearch.php
@@ -148,7 +148,7 @@ function displayNewSearchResult($string, $phrase, $needles = [])
 
     // Modification de caractère spéciaux
     $phraseFormatted= str_replace(array('*', '?'), array('%', '_'), $phrase);
-    $phraseFormatted = addslashes($phraseFormatted);
+    $phraseFormatted = $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($phraseFormatted);
 
     // Blablabla SQL
     $requestfull = 'SELECT body, tag FROM '.$prefixe.'pages

diff --git a/includes/User.class.php b/includes/User.class.php
@@ -1000,7 +1000,7 @@ protected function emailExistsInDB($email)
     {
         /* Build sql query*/
         $sql  = 'SELECT * FROM '.$this->usersTable;
-        $sql .= ' WHERE email = "'.$email.'";';
+        $sql .= ' WHERE email = "'.mysqli_real_escape_string($this->wiki->dblink,$email).'";';
         /* Execute query */
         $results = $this->wiki->loadAll($sql);
         return $results; // If the password does not already exist in DB, $result is an empty table => false

diff --git a/tools/bazar/services/FormManager.php b/tools/bazar/services/FormManager.php
@@ -46,7 +46,7 @@ public function getOne($formId): ?array
             return $this->cachedForms[$formId];
         }
 
-        $form = $this->dbService->loadSingle('SELECT * FROM ' . $this->dbService->prefixTable('nature') . 'WHERE bn_id_nature=\'' . $formId . '\'');
+        $form = $this->dbService->loadSingle('SELECT * FROM ' . $this->dbService->prefixTable('nature') . 'WHERE bn_id_nature=\'' . $this->dbService->escape($formId) . '\'');
 
         if (!$form) {
             return null;
@@ -105,13 +105,13 @@ public function create($data)
         return $this->dbService->query('INSERT INTO ' . $this->dbService->prefixTable('nature')
             . '(`bn_id_nature` ,`bn_ce_i18n` ,`bn_label_nature` ,`bn_template` ,`bn_description` ,`bn_sem_context` ,`bn_sem_type` ,`bn_sem_use_template` ,`bn_condition`)'
             . ' VALUES (' . $data['bn_id_nature'] . ', "fr-FR", "'
-            . addslashes(_convert($data['bn_label_nature'], YW_CHARSET, true)) . '","'
-            . addslashes(_convert($data['bn_template'], YW_CHARSET, true)) . '", "'
-            . addslashes(_convert($data['bn_description'], YW_CHARSET, true)) . '", "'
-            . addslashes(_convert($data['bn_sem_context'], YW_CHARSET, true)) . '", "'
-            . addslashes(_convert($data['bn_sem_type'], YW_CHARSET, true)) . '", '
+            . $this->dbService->escape(_convert($data['bn_label_nature'], YW_CHARSET, true)) . '","'
+            . $this->dbService->escape(_convert($data['bn_template'], YW_CHARSET, true)) . '", "'
+            . $this->dbService->escape(_convert($data['bn_description'], YW_CHARSET, true)) . '", "'
+            . $this->dbService->escape(_convert($data['bn_sem_context'], YW_CHARSET, true)) . '", "'
+            . $this->dbService->escape(_convert($data['bn_sem_type'], YW_CHARSET, true)) . '", '
             . (isset($data['bn_sem_use_template']) ? '1' : '0') . ', "'
-            . addslashes(_convert($data['bn_condition'], YW_CHARSET, true)) . '")');
+            . $this->dbService->escape(_convert($data['bn_condition'], YW_CHARSET, true)) . '")');
     }
 
     public function update($data)
@@ -120,14 +120,14 @@ public function update($data)
             throw new \Exception(_t('WIKI_IN_HIBERNATION'));
         }
         return $this->dbService->query('UPDATE' . $this->dbService->prefixTable('nature') . 'SET '
-            . '`bn_label_nature`="' . addslashes(_convert($data['bn_label_nature'], YW_CHARSET, true)) . '" ,'
-            . '`bn_template`="' . addslashes(_convert($data['bn_template'], YW_CHARSET, true)) . '" ,'
-            . '`bn_description`="' . addslashes(_convert($data['bn_description'], YW_CHARSET, true)) . '" ,'
-            . '`bn_sem_context`="' . addslashes(_convert($data['bn_sem_context'], YW_CHARSET, true)) . '" ,'
-            . '`bn_sem_type`="' . addslashes(_convert($data['bn_sem_type'], YW_CHARSET, true)) . '" ,'
+            . '`bn_label_nature`="' . $this->dbService->escape(_convert($data['bn_label_nature'], YW_CHARSET, true)) . '" ,'
+            . '`bn_template`="' . $this->dbService->escape(_convert($data['bn_template'], YW_CHARSET, true)) . '" ,'
+            . '`bn_description`="' . $this->dbService->escape(_convert($data['bn_description'], YW_CHARSET, true)) . '" ,'
+            . '`bn_sem_context`="' . $this->dbService->escape(_convert($data['bn_sem_context'], YW_CHARSET, true)) . '" ,'
+            . '`bn_sem_type`="' . $this->dbService->escape(_convert($data['bn_sem_type'], YW_CHARSET, true)) . '" ,'
             . '`bn_sem_use_template`=' . (isset($data['bn_sem_use_template']) ? '1' : '0') . ' ,'
-            . '`bn_condition`="' . addslashes(_convert($data['bn_condition'], YW_CHARSET, true)) . '"'
-            . ' WHERE `bn_id_nature`=' . $data['bn_id_nature']);
+            . '`bn_condition`="' . $this->dbService->escape(_convert($data['bn_condition'], YW_CHARSET, true)) . '"'
+            . ' WHERE `bn_id_nature`=' . $this->dbService->escape($data['bn_id_nature']));
     }
 
     public function clone($id)
@@ -155,7 +155,7 @@ public function delete($id)
         }
 
         $this->clear($id);
-        return $this->dbService->query('DELETE FROM ' . $this->dbService->prefixTable('nature') . 'WHERE bn_id_nature=' . $id);
+        return $this->dbService->query('DELETE FROM ' . $this->dbService->prefixTable('nature') . 'WHERE bn_id_nature=' . $this->dbService->escape($id));
     }
 
     public function clear($id)
@@ -167,14 +167,14 @@ public function clear($id)
             'DELETE FROM' . $this->dbService->prefixTable('acls') .
             'WHERE page_tag IN (SELECT tag FROM ' . $this->dbService->prefixTable('pages') .
             'WHERE tag IN (SELECT resource FROM ' . $this->dbService->prefixTable('triples') .
-            'WHERE property="http://outils-reseaux.org/_vocabulary/type" AND value="fiche_bazar") AND body LIKE \'%"id_typeannonce":"' . $id . '"%\' );'
+            'WHERE property="http://outils-reseaux.org/_vocabulary/type" AND value="fiche_bazar") AND body LIKE \'%"id_typeannonce":"' . $this->dbService->escape($id) . '"%\' );'
         );
 
         // TODO use PageManager
         $this->dbService->query(
             'DELETE FROM' . $this->dbService->prefixTable('pages') .
             'WHERE tag IN (SELECT resource FROM ' . $this->dbService->prefixTable('triples') .
-            'WHERE property="http://outils-reseaux.org/_vocabulary/type" AND value="fiche_bazar") AND body LIKE \'%"id_typeannonce":"' . $id . '"%\';'
+            'WHERE property="http://outils-reseaux.org/_vocabulary/type" AND value="fiche_bazar") AND body LIKE \'%"id_typeannonce":"' . $this->dbService->escape($id) . '"%\';'
         );
 
         // TODO use TripleStore

diff --git a/tools/security/actions/despam.php b/tools/security/actions/despam.php
@@ -62,7 +62,7 @@
               "select *
               from ".$this->config["table_prefix"]."pages
               where
-              time > date_sub(now(), interval " . addslashes($_POST['from']) . " hour)
+              time > date_sub(now(), interval " . $this->services->get(\YesWiki\Core\Service\DbService::class)->escape($_POST['from']) . " hour)
               and latest = 'Y'
               order by `time` desc";
             $title =