From ebb1dbcec3f122c70a7095c8131589bfeb66615f Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 7 Oct 2013 22:50:12 +0200
Subject: [PATCH 1/2] Fix: security sql injection

---
 htdocs/contact/fiche.php | 10 +++--
 .../class/opensurveysondage.class.php | 38 +++++++++----------
 2 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/htdocs/contact/fiche.php b/htdocs/contact/fiche.php
index abb19b2cc91..78592dbd232 100644
--- a/htdocs/contact/fiche.php
+++ b/htdocs/contact/fiche.php
@@ -196,7 +196,7 @@ if (empty($reshook))
 if ($action == 'confirm_delete' && $confirm == 'yes' && $user->rights->societe->contact->supprimer)
 {
- $result=$object->fetch($_GET["id"]);
+ $result=$object->fetch($id);
 $object->old_lastname = $_POST["old_lastname"];
 $object->old_firstname = $_POST["old_firstname"];
@@ -223,7 +223,9 @@ if (empty($reshook))
 if (! $error)
 {
- $object->fetch($_POST["contactid"]);
+ $contactid=GETPOST("contactid",'int');
+
+ $object->fetch($contactid);
 $object->oldcopy=dol_clone($object);
@@ -256,7 +258,7 @@ if (empty($reshook))
 // Fill array 'array_options' with data from add form
 $ret = $extrafields->setOptionalsFromPost($extralabels,$object);
- $result = $object->update($_POST["contactid"], $user);
+ $result = $object->update($contactid, $user);
 if ($result > 0)
 {
@@ -318,7 +320,7 @@ else
 {
 if ($action == 'delete')
 {
- $ret=$form->form_confirm($_SERVER["PHP_SELF"]."?id=".$_GET["id"],$langs->trans("DeleteContact"),$langs->trans("ConfirmDeleteContact"),"confirm_delete",'',0,1);
+ $ret=$form->form_confirm($_SERVER["PHP_SELF"]."?id=".$id,$langs->trans("DeleteContact"),$langs->trans("ConfirmDeleteContact"),"confirm_delete",'',0,1);
 if ($ret == 'html') print '
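Review bot: `$id` replaces `$_GET["id"]` in the fetch() call of the first hunk and in the form_confirm URL of the last one, but `$id` is assigned outside every hunk of this file, so nothing here shows it was read with an integer check, and the fix is only as strong as that assignment. The second hunk gives the pattern to mirror, `$contactid=GETPOST("contactid",'int');`, so the assignment of `$id` should be confirmed to use `GETPOST('id','int')` too. The first hunk also still reads `$_POST["old_lastname"]` and `$_POST["old_firstname"]` straight from the superglobal; if those values reach SQL through update(), confirm they are escaped there, or read them through GETPOST() like `contactid`. The enclosing `if (empty($reshook))` block starts and ends outside these hunks.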
'; } }
diff --git a/htdocs/opensurvey/class/opensurveysondage.class.php b/htdocs/opensurvey/class/opensurveysondage.class.php
index 72cb620c462..c43260e85d3 100644
--- a/htdocs/opensurvey/class/opensurveysondage.class.php
+++ b/htdocs/opensurvey/class/opensurveysondage.class.php
@@ -114,17 +114,17 @@ class Opensurveysondage extends CommonObject
 $sql.= "canedit";
 $sql.= ") VALUES (";
- $sql.= " ".(! isset($this->id_sondage)?'NULL':"'".$this->id_sondage."'").",";
+ $sql.= " ".(! isset($this->id_sondage)?'NULL':"'".$this->db->escape($this->id_sondage)."'").",";
 $sql.= " ".(! isset($this->commentaires)?'NULL':"'".$this->db->escape($this->commentaires)."'").",";
 $sql.= " ".(! isset($this->mail_admin)?'NULL':"'".$this->db->escape($this->mail_admin)."'").",";
 $sql.= " ".(! isset($this->nom_admin)?'NULL':"'".$this->db->escape($this->nom_admin)."'").",";
 $sql.= " ".(! isset($this->titre)?'NULL':"'".$this->db->escape($this->titre)."'").",";
- $sql.= " ".(! isset($this->id_sondage_admin)?'NULL':"'".$this->id_sondage_admin."'").",";
+ $sql.= " ".(! isset($this->id_sondage_admin)?'NULL':"'".$this->db->escape($this->id_sondage_admin)."'").",";
 $sql.= " ".(! isset($this->date_fin) || dol_strlen($this->date_fin)==0?'NULL':$this->db->idate($this->date_fin)).",";
 $sql.= " ".(! isset($this->format)?'NULL':"'".$this->db->escape($this->format)."'").",";
- $sql.= " ".(! isset($this->mailsonde)?'NULL':"'".$this->mailsonde."'").",";
- $sql.= " ".(! isset($this->survey_link_visible)?'NULL':"'".$this->survey_link_visible."'").",";
- $sql.= " ".(! isset($this->canedit)?'NULL':"'".$this->canedit."'")."";
+ $sql.= " ".(! isset($this->mailsonde)?'NULL':"'".$this->db->escape($this->mailsonde)."'").",";
+ $sql.= " ".(! isset($this->survey_link_visible)?'NULL':"'".$this->db->escape($this->survey_link_visible)."'").",";
+ $sql.= " ".(! isset($this->canedit)?'NULL':"'".$this->db->escape($this->canedit)."'")."";
 $sql.= ")";
@@ -198,9 +198,9 @@ class Opensurveysondage extends CommonObject
 $sql.= " t.sujet,";
 $sql.= " t.tms";
 $sql.= " FROM ".MAIN_DB_PREFIX."opensurvey_sondage as t";
- if ($id > 0) $sql.= " WHERE t.rowid = ".$id;
- else if (strlen($numsurvey) == 16) $sql.= " WHERE t.id_sondage = '".$numsurvey."'";
- else $sql.= " WHERE t.id_sondage_admin = '".$numsurvey."'";
+ if ($id > 0) $sql.= " WHERE t.rowid = ".$this->db->escape($id);
+ else if (strlen($numsurvey) == 16) $sql.= " WHERE t.id_sondage = '".$this->db->escape($numsurvey)."'";
+ else $sql.= " WHERE t.id_sondage_admin = '".$this->db->escape($numsurvey)."'";
 dol_syslog(get_class($this)."::fetch sql=".$sql, LOG_DEBUG);
 $resql=$this->db->query($sql);
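Review bot: `$this->db->escape($id)` on the `WHERE t.rowid = ` branch does not close the hole, because the value is concatenated without quotes and escape() only neutralises quote and backslash characters, which an unquoted numeric context never needs; the `$id > 0` guard does not help either, since PHP's loose comparison accepts any string with a leading digit. The right filter for an integer key is a cast: `if ($id > 0) $sql.= " WHERE t.rowid = ".(int) $id;`. The UPDATE hunk at -276 has the same gap for `mailsonde`, `survey_link_visible` and `canedit`, which are likewise unquoted after escape(); `(int)` casts there would also make it consistent with the INSERT hunk at -114, which quotes those values. fetch() starts and ends outside the hunk.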
@@ -276,20 +276,20 @@ class Opensurveysondage extends CommonObject
 // Update request
 $sql = "UPDATE ".MAIN_DB_PREFIX."opensurvey_sondage SET";
- $sql.= " id_sondage='".(isset($this->id_sondage)?$this->id_sondage:"null")."',";
+ $sql.= " id_sondage=".(isset($this->id_sondage)?"'".$this->db->escape($this->id_sondage)."'":"null").",";
 $sql.= " commentaires=".(isset($this->commentaires)?"'".$this->db->escape($this->commentaires)."'":"null").",";
 $sql.= " mail_admin=".(isset($this->mail_admin)?"'".$this->db->escape($this->mail_admin)."'":"null").",";
 $sql.= " nom_admin=".(isset($this->nom_admin)?"'".$this->db->escape($this->nom_admin)."'":"null").",";
 $sql.= " titre=".(isset($this->titre)?"'".$this->db->escape($this->titre)."'":"null").",";
- $sql.= " id_sondage_admin='".(isset($this->id_sondage_admin)?$this->id_sondage_admin:"null")."',";
+ $sql.= " id_sondage_admin=".(isset($this->id_sondage_admin)?"'".$this->db->escape($this->id_sondage_admin)."'":"null").",";
 $sql.= " date_fin=".(dol_strlen($this->date_fin)!=0 ? "'".$this->db->idate($this->date_fin)."'" : 'null').",";
 $sql.= " format=".(isset($this->format)?"'".$this->db->escape($this->format)."'":"null").",";
- $sql.= " mailsonde=".(isset($this->mailsonde)?$this->mailsonde:"null").",";
- $sql.= " survey_link_visible=".(isset($this->survey_link_visible)?$this->survey_link_visible:"null").",";
- $sql.= " canedit=".(isset($this->canedit)?$this->canedit:"null")."";
+ $sql.= " mailsonde=".(isset($this->mailsonde)?$this->db->escape($this->mailsonde):"null").",";
+ $sql.= " survey_link_visible=".(isset($this->survey_link_visible)?$this->db->escape($this->survey_link_visible):"null").",";
+ $sql.= " canedit=".(isset($this->canedit)?$this->db->escape($this->canedit):"null")."";
 //$sql.= " WHERE rowid=".$this->id;
- $sql.= " WHERE id_sondage_admin='".$this->id_sondage_admin."'";
+ $sql.= " WHERE id_sondage_admin='".$this->db->escape($this->id_sondage_admin)."'";
 $this->db->begin();
@@ -346,7 +346,7 @@ class Opensurveysondage extends CommonObject
 $error=0;
 $numsondage=substr($numsondageadmin, 0, 16);
-
+ $this->db->begin();
 if (! $error)
@@ -368,15 +368,15 @@ class Opensurveysondage extends CommonObject
 if (! $error)
 {
- $sql='DELETE FROM '.MAIN_DB_PREFIX."opensurvey_comments WHERE id_sondage = '".$numsondage."'";
+ $sql='DELETE FROM '.MAIN_DB_PREFIX."opensurvey_comments WHERE id_sondage = '".$this->db->escape($numsondage)."'";
 dol_syslog(get_class($this)."::delete sql=".$sql, LOG_DEBUG);
 $resql=$this->db->query($sql);
- $sql='DELETE FROM '.MAIN_DB_PREFIX."opensurvey_user_studs WHERE id_sondage = '".$numsondage."'";
+ $sql='DELETE FROM '.MAIN_DB_PREFIX."opensurvey_user_studs WHERE id_sondage = '".$this->db->escape($numsondage)."'";
 dol_syslog(get_class($this)."::delete sql=".$sql, LOG_DEBUG);
 $resql=$this->db->query($sql);
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."opensurvey_sondage";
- $sql.= " WHERE id_sondage_admin = '".$numsondageadmin."'";
+ $sql.= " WHERE id_sondage_admin = '".$this->db->escape($numsondageadmin)."'";
 dol_syslog(get_class($this)."::delete sql=".$sql);
 $resql = $this->db->query($sql);
@@ -410,7 +410,7 @@ class Opensurveysondage extends CommonObject
 {
 $ret=array();
 $sql = "SELECT id_users, nom, reponses FROM ".MAIN_DB_PREFIX."opensurvey_user_studs";
- $sql.= " WHERE id_sondage = '".$this->id_sondage."'";
+ $sql.= " WHERE id_sondage = '".$this->db->escape($this->id_sondage)."'";
 $resql=$this->db->query($sql);
 if ($resql)
From c235c4e4ba158d0a2d4a091b6f212eff234f9950 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 7 Oct 2013 22:49:33 +0200
Subject: [PATCH 2/2] Fix: security sql injection

---
 htdocs/comm/address.php | 2 +-
 htdocs/societe/class/address.class.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/htdocs/comm/address.php b/htdocs/comm/address.php
index 5e0a261020f..6443b426934 100644
--- a/htdocs/comm/address.php
+++ b/htdocs/comm/address.php
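Review bot: In the -368 hunk each of the three DELETE statements assigns `$resql` and the next statement runs without ever reading it, so a failed delete on `opensurvey_comments` or `opensurvey_user_studs` leaves orphan rows while the `$this->db->begin()` transaction opened in the -346 hunk carries on as if nothing happened; the escaping fix does not change that. After each query add `if (! $resql) { $error++; $this->error=$this->db->lasterror(); }` and gate the following statement on `! $error`, so that whatever commit/rollback follows outside the hunk has a real error count to act on. The substr()-derived `$numsondage` is now escaped, which is correct for the quoted context it is used in. delete() starts and ends outside these hunks.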
@@ -114,7 +114,7 @@ if ($action == 'add' || $action == 'update')
 // Update address
 else if ($action == 'update')
 {
- $result = $object->update($_POST["id"], $socid, $user);
+ $result = $object->update($id, $socid, $user);
 if ($result >= 0)
 {
diff --git a/htdocs/societe/class/address.class.php b/htdocs/societe/class/address.class.php
index 4f9b100cd83..0f1091b37ce 100644
--- a/htdocs/societe/class/address.class.php
+++ b/htdocs/societe/class/address.class.php
@@ -192,12 +192,12 @@ class Address
 $sql.= ", address = ".($this->address?"'".$this->db->escape($this->address)."'":"null");
 $sql.= ", zip = ".($this->zip?"'".$this->db->escape($this->zip)."'":"null");
 $sql.= ", town = ".($this->town?"'".$this->db->escape($this->town)."'":"null");
- $sql.= ", fk_pays = '" . ($this->country_id?$this->country_id:'0') ."'";
+ $sql.= ", fk_pays = '" . ($this->country_id?$this->db->escape($this->country_id):'0') ."'";
 $sql.= ", note = ".($this->note?"'".$this->db->escape($this->note)."'":"null");
 $sql.= ", phone = ".($this->phone?"'".$this->db->escape($this->phone)."'":"null");
 $sql.= ", fax = ".($this->fax?"'".$this->db->escape($this->fax)."'":"null");
 if ($user) $sql .= ",fk_user_modif = '".$user->id."'";
- $sql .= " WHERE fk_soc = '" . $socid ."' AND rowid = '" . $id ."'";
+ $sql .= " WHERE fk_soc = '" . $socid ."' AND rowid = '" . $this->db->escape($id) ."'";
 dol_syslog(get_class($this)."::Update sql=".$sql, LOG_DEBUG);
 $resql=$this->db->query($sql);
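Review bot: In the address.class.php hunk `$socid` is still concatenated raw into `WHERE fk_soc = '" . $socid ."'` while `$id` right next to it now goes through escape(); both are integer keys, so cast both and drop the quotes: `$sql .= " WHERE fk_soc = " . (int) $socid . " AND rowid = " . (int) $id;`. The same applies to `fk_pays`, where `(int) $this->country_id` is the proper filter for an integer foreign key rather than escape() inside quotes, and `$user->id` on the line above would read consistently with that. The address.php hunk on this line replaces `$_POST["id"]` with an `$id` assigned outside the hunk, so confirm that assignment uses an integer check rather than relying on the escape added here. update() starts and ends outside the hunk.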