From c3b9c912001212d327d667d34b1e769268d22928 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 15 Mar 2018 01:33:46 +0100 Subject: [PATCH] Fix SQLi reported by op7ica --- htdocs/adherents/card.php | 56 +++++++++---------- .../adherents/class/adherent_type.class.php | 2 +- htdocs/adherents/list.php | 36 ++++++------ htdocs/societe/class/societe.class.php | 4 +- 4 files changed, 49 insertions(+), 49 deletions(-)
diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index de4c0100c48..4f060d280e9 100644
--- a/htdocs/adherents/card.php
+++ b/htdocs/adherents/card.php
@@ -320,16 +320,16 @@ if (empty($reshook))
 $object->skype = trim($_POST["skype"]);
 $object->birth = $birthdate;
- $object->typeid = $_POST["typeid"];
+ $object->typeid = GETPOST("typeid",'int');
 //$object->note = trim($_POST["comment"]);
- $object->morphy = $_POST["morphy"];
+ $object->morphy = GETPOST("morphy",'alpha');
 if (GETPOST('deletephoto')) $object->photo=''; elseif (! empty($_FILES['photo']['name'])) $object->photo = dol_sanitizeFileName($_FILES['photo']['name']);
 // Get status and public property
- $object->statut = $_POST["statut"];
- $object->public = $_POST["public"];
+ $object->statut = GETPOST("statut",'alpha');
+ $object->public = GETPOST("public",'alpha');
 // Fill array 'array_options' with data from add form
 $ret = $extrafields->setOptionalsFromPost($extralabels,$object);
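Review bot: `statut` and `public` are read with the 'alpha' check although they are flag values, while `typeid` earlier in the same hunk gets 'int'; as far as I recall Dolibarr's 'alpha' check only rejects double quotes and `../`, so it does not constrain these to numbers if they are later concatenated unquoted into SQL (that code is outside the hunk). Reading them as `$object->statut = GETPOST("statut",'int');` and `$object->public = GETPOST("public",'int');` would remove the dependency on escaping downstream. The first context line, `$object->skype = trim($_POST["skype"]);`, is also still a raw `$_POST` read and could get the same `GETPOST("skype",'alpha')` treatment. The enclosing `if (empty($reshook))` block begins and ends outside the hunk.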
@@ -445,29 +445,29 @@ if (empty($reshook))
 $datesubscription=dol_mktime(12, 0, 0, $_POST["remonth"], $_POST["reday"], $_POST["reyear"]);
 }
- $typeid=$_POST["typeid"];
- $civility_id=$_POST["civility_id"];
- $lastname=$_POST["lastname"];
- $firstname=$_POST["firstname"];
- $societe=$_POST["societe"];
- $address=$_POST["address"];
- $zip=$_POST["zipcode"];
- $town=$_POST["town"];
- $state_id=$_POST["state_id"];
- $country_id=$_POST["country_id"];
+ $typeid=GETPOST("typeid",'int');
+ $civility_id=GETPOST("civility_id",'int');
+ $lastname=GETPOST("lastname",'alpha');
+ $firstname=GETPOST("firstname",'alpha');
+ $societe=GETPOST("societe",'alpha');
+ $address=GETPOST("address",'alpha');
+ $zip=GETPOST("zipcode",'alpha');
+ $town=GETPOST("town",'alpha');
+ $state_id=GETPOST("state_id",'int');
+ $country_id=GETPOST("country_id",'int');
- $phone=$_POST["phone"];
- $phone_perso=$_POST["phone_perso"];
- $phone_mobile=$_POST["phone_mobile"];
- $skype=$_POST["member_skype"];
- $email=$_POST["member_email"];
- $login=$_POST["member_login"];
- $pass=$_POST["password"];
- $photo=$_POST["photo"];
- //$comment=$_POST["comment"];
- $morphy=$_POST["morphy"];
- $subscription=$_POST["subscription"];
- $public=$_POST["public"];
+ $phone=GETPOST("phone",'alpha');
+ $phone_perso=GETPOST("phone_perso",'alpha');
+ $phone_mobile=GETPOST("phone_mobile",'alpha');
+ $skype=GETPOST("member_skype",'alpha');
+ $email=GETPOST("member_email",'alpha');
+ $login=GETPOST("member_login",'alpha');
+ $pass=GETPOST("password",'alpha');
+ $photo=GETPOST("photo",'alpha');
+ //$comment=GETPOST("comment",'none');
+ $morphy=GETPOST("morphy",'alpha');
+ $subscription=GETPOST("subscription",'alpha');
+ $public=GETPOST("public",'alpha');
 $userid=$_POST["userid"];
 $socid=$_POST["socid"];
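Review bot: The two context lines closing the hunk, `$userid=$_POST["userid"];` and `$socid=$_POST["socid"];`, are still raw `$_POST` reads even though every assignment above them was converted; both look like ids and would fit `$userid=GETPOST("userid",'int');` and `$socid=GETPOST("socid",'int');`. The `$_POST["remonth"]`, `["reday"]` and `["reyear"]` arguments on the first context line are in the same position and would take 'int' as well. Separately, if the 'alpha' check blanks a value containing a double quote (my recollection of its behaviour, worth confirming), `$pass=GETPOST("password",'alpha')` would silently store an empty password for such inputs, so the check used here should match the one the login path applies to the same field. The enclosing block continues outside the hunk.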
@@ -1093,14 +1093,14 @@ else
 $morphys["phy"] = $langs->trans("Physical");
 $morphys["mor"] = $langs->trans("Morale");
 print ''.$langs->trans("Nature").'';
- print $form->selectarray("morphy", $morphys, isset($_POST["morphy"])?$_POST["morphy"]:$object->morphy);
+ print $form->selectarray("morphy", $morphys, (GETPOSTISSET("morphy")?GETPOST("morphy",'alpha'):$object->morphy));
 print "";
 // Type
 print ''.$langs->trans("Type").'';
 if ($user->rights->adherent->creer)
 {
- print $form->selectarray("typeid", $adht->liste_array(), (isset($_POST["typeid"])?$_POST["typeid"]:$object->typeid));
+ print $form->selectarray("typeid", $adht->liste_array(), (GETPOSTISSET("typeid")?GETPOST("typeid",'int'):$object->typeid));
 }
 else
 {
diff --git a/htdocs/adherents/class/adherent_type.class.php b/htdocs/adherents/class/adherent_type.class.php
index c352f5dc944..2f8592d3a21 100644
--- a/htdocs/adherents/class/adherent_type.class.php
+++ b/htdocs/adherents/class/adherent_type.class.php
@@ -265,7 +265,7 @@ class AdherentType extends CommonObject
 {
 $sql = "SELECT d.rowid, d.libelle as label, d.statut, d.subscription, d.mail_valid, d.note, d.vote";
 $sql .= " FROM ".MAIN_DB_PREFIX."adherent_type as d";
- $sql .= " WHERE d.rowid = ".$rowid;
+ $sql .= " WHERE d.rowid = ".(int) $rowid;
 dol_syslog("Adherent_type::fetch", LOG_DEBUG);
diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php
index fc30d6f1ae2..cae878829b7 100644
--- a/htdocs/adherents/list.php
+++ b/htdocs/adherents/list.php
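Review bot: In the adherent_type.class.php hunk, the `(int)` cast on `d.rowid` is the right fix, but it also means a non-numeric or missing `$rowid` silently becomes `0` and the query matches nothing, which reads as "not found" rather than a bad call; a short comment on that line, `// cast: rowid may originate from request input`, would record why the cast is there. If `fetch` (its signature is above the hunk) has a distinct return code for "not found", an explicit early return when `(int) $rowid <= 0` before building `$sql` would make that path deliberate instead of a side effect of the cast. The rest of the method is outside the hunk.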
@@ -42,23 +42,23 @@ $toselect = GETPOST('toselect', 'array');
 // Security check
 $result=restrictedArea($user,'adherent');
-$filter=GETPOST("filter");
-$statut=GETPOST("statut");
-$search=GETPOST("search");
-$search_ref=GETPOST("search_ref");
-$search_lastname=GETPOST("search_lastname");
-$search_firstname=GETPOST("search_firstname");
-$search_login=GETPOST("search_login");
-$search_address=GETPOST("search_address");
-$search_zip=GETPOST("search_zip");
-$search_town=GETPOST("search_town");
-$search_state=GETPOST("search_state");
-$search_country=GETPOST("search_country");
-$search_phone=GETPOST("search_phone");
-$search_phone_perso=GETPOST("search_phone_perso");
-$search_phone_mobile=GETPOST("search_phone_mobile");
-$search_type=GETPOST("search_type");
-$search_email=GETPOST("search_email");
+$filter=GETPOST("filter",'alpha');
+$statut=GETPOST("statut",'alpha');
+$search=GETPOST("search",'alpha');
+$search_ref=GETPOST("search_ref",'alpha');
+$search_lastname=GETPOST("search_lastname",'alpha');
+$search_firstname=GETPOST("search_firstname",'alpha');
+$search_login=GETPOST("search_login",'alpha');
+$search_address=GETPOST("search_address",'alpha');
+$search_zip=GETPOST("search_zip",'alpha');
+$search_town=GETPOST("search_town",'alpha');
+$search_state=GETPOST("search_state",'alpha');
+$search_country=GETPOST("search_country",'alpha');
+$search_phone=GETPOST("search_phone",'alpha');
+$search_phone_perso=GETPOST("search_phone_perso",'alpha');
+$search_phone_mobile=GETPOST("search_phone_mobile",'alpha');
+$search_type=GETPOST("search_type",'alpha');
+$search_email=GETPOST("search_email",'alpha');
 $search_categ = GETPOST("search_categ",'int');
 $catid = GETPOST("catid",'int');
 $optioncss = GETPOST('optioncss','alpha');
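Review bot: `$statut` is read with the 'alpha' check but is used as a comma-separated list of integers (the later hunk in this file compares it with `'-1,1'`), and 'alpha' does not constrain it to that shape; if it is interpolated into an `IN (...)` clause further down (outside the hunk), it should be validated first, e.g. `if (! preg_match('/^-?\d+(,-?\d+)*$/', $statut)) $statut = '';`. `$search_state`, `$search_country` and `$search_type` also look like ids, and the neighbouring `$search_categ` and `$catid` context lines already use 'int'; if they are numeric keys, 'int' would be the more precise check. Where these values reach SQL is not visible here, so the same point applies to each such site.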
@@ -288,7 +288,7 @@ if ($num == 1 && ! empty($conf->global->MAIN_SEARCH_DIRECT_OPEN_IF_ONLY_ONE) &&
 llxHeader('',$langs->trans("Member"),'EN:Module_Foundations|FR:Module_Adhérents|ES:Módulo_Miembros');
 $titre=$langs->trans("MembersList");
-if (isset($_GET["statut"]))
+if (GETPOSTISSET("statut"))
 {
 if ($statut == '-1,1') { $titre=$langs->trans("MembersListQualified"); }
 if ($statut == '-1') { $titre=$langs->trans("MembersListToValid"); }
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index d5591f47037..71377f7c8fb 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -999,9 +999,9 @@ class Societe extends CommonObject
 $sql .= ", code_fournisseur = ".(! empty($this->code_fournisseur)?"'".$this->db->escape($this->code_fournisseur)."'":"null");
 $sql .= ", code_compta_fournisseur = ".(! empty($this->code_compta_fournisseur)?"'".$this->db->escape($this->code_compta_fournisseur)."'":"null");
 }
- $sql .= ", fk_user_modif = ".(! empty($user->id)?"'".$user->id."'":"null");
+ $sql .= ", fk_user_modif = ".($user->id > 0 ? $user->id:"null");
 $sql .= ", fk_multicurrency = ".(int) $this->fk_multicurrency;
- $sql .= ', multicurrency_code = \''.$this->db->escape($this->multicurrency_code)."'";
+ $sql .= ", multicurrency_code = '".$this->db->escape($this->multicurrency_code)."'";
 $sql .= " WHERE rowid = '" . $id ."'";
 $resql=$this->db->query($sql);
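Review bot: In the societe.class.php hunk, the last context line, `$sql .= " WHERE rowid = '" . $id ."'";`, still concatenates `$id` without a cast or escape, which is the same pattern this commit is removing elsewhere; `$sql .= " WHERE rowid = ".(int) $id;` would close it. On the new `fk_user_modif` line, `$user->id` is also interpolated as-is; `(int) $user->id` would match the `(int) $this->fk_multicurrency` on the following line. The enclosing method (presumably an update, given the `fk_user_modif` assignment) starts outside the hunk.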