Fix: sql injection

2012-04-09 22:57:15 +02:00 · 2012-04-09 22:57:15 +02:00 · feeb542e80
commit feeb542e80
parent 0e2de4f155
2 changed files with 7 additions and 2 deletions
--- a/htdocs/admin/tools/export.php
+++ b/htdocs/admin/tools/export.php
@ -111,7 +111,7 @@ if ($what == 'mysql')
 	if (! empty($dolibarr_main_db_port)) $param.=" -P ".$dolibarr_main_db_port;
 	if (! $_POST["use_transaction"]) $param.=" -l --single-transaction";
 	if ($_POST["disable_fk"])        $param.=" -K";
-	if ($_POST["sql_compat"] && $_POST["sql_compat"] != 'NONE') $param.=" --compatible=".GETPOST("sql_compat","alpha");
+	if ($_POST["sql_compat"] && $_POST["sql_compat"] != 'NONE') $param.=" --compatible=".GETPOST("sql_compat","special");
 	if ($_POST["drop_database"])     $param.=" --add-drop-database";
 	if ($_POST["sql_structure"])
 	{
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@ -185,7 +185,12 @@ function GETPOST($paramname,$check='',$method=0)
        if ($check == 'int' && ! preg_match('/^[-\.,0-9]+$/i',trim($out))) $out='';
        // Check if alpha
        //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
-        if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';    // Only " is dangerous because param in url can close the href= or src= and add javascript functions
+        elseif ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';    // Only " is dangerous because param in url can close the href= or src= and add javascript functions
+        elseif ($check == 'special')
+        {
+        	$out=trim($out);
+        	if (preg_match('/(\s)*|(%20)*/',$out)) $out='';
+        }
    }

    return $out;