From 10b6a8fff7e6d407421c74889455b969be7f867f Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Thu, 20 Oct 2011 08:15:02 +0200 Subject: Wrap mysql_real_escape_string() in a function Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij Signed-off-by: Lukas Fleischer Conflicts: web/lib/aur.inc.php --- web/html/account.php | 2 +- web/html/addvote.php | 10 +++++----- web/html/logout.php | 2 +- web/html/passreset.php | 4 ++-- web/html/pkgsubmit.php | 28 ++++++++++++++-------------- web/html/voters.php | 2 +- web/lib/acctfuncs.inc.php | 26 +++++++++++++------------- web/lib/aur.inc.php | 30 ++++++++++++++++++------------ web/lib/aurjson.class.php | 8 ++++---- web/lib/pkgfuncs.inc.php | 12 ++++++------ web/lib/stats.inc.php | 2 +- web/template/pkg_comment_form.php | 2 +- 12 files changed, 67 insertions(+), 61 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index ca05d1ac..387fd938 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -111,7 +111,7 @@ if (isset($_COOKIE["AURSID"])) { $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; $q.= "AND Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= db_escape_string($_COOKIE["AURSID"])."'"; $result = db_query($q, $dbh); if (!mysql_num_rows($result)) { print __("Could not retrieve information for the specified user."); diff --git a/web/html/addvote.php b/web/html/addvote.php index fe3037d5..f0e7d31a 100644 --- a/web/html/addvote.php +++ b/web/html/addvote.php 
@@ -20,7 +20,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") { $error = ""; if (!empty($_POST['user'])) { - $qcheck = "SELECT * FROM Users WHERE Username = '" . mysql_real_escape_string($_POST['user']) . "'"; + $qcheck = "SELECT * FROM Users WHERE Username = '" . db_escape_string($_POST['user']) . "'"; $result = db_query($qcheck, $dbh); if ($result) { $check = mysql_num_rows($result); @@ -32,7 +32,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") { if ($check == 0) { $error.= __("Username does not exist."); } else { - $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . mysql_real_escape_string($_POST['user']) . "'"; + $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($_POST['user']) . "'"; $qcheck.= " AND End > UNIX_TIMESTAMP()"; $result = db_query($qcheck, $dbh); if ($result) { @@ -67,9 +67,9 @@ if ($atype == "Trusted User" OR $atype == "Developer") { if (!empty($_POST['addVote']) && empty($error)) { $q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES "; - $q.= "('" . mysql_real_escape_string($_POST['agenda']) . "', "; - $q.= "'" . mysql_real_escape_string($_POST['user']) . "', "; - $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . mysql_real_escape_string($len); + $q.= "('" . db_escape_string($_POST['agenda']) . "', "; + $q.= "'" . db_escape_string($_POST['user']) . "', "; + $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($len); $q.= ", " . uid_from_sid($_COOKIE["AURSID"]) . ")"; db_query($q, $dbh); diff --git a/web/html/logout.php b/web/html/logout.php index 1cdf453d..45ab564e 100644 --- a/web/html/logout.php +++ b/web/html/logout.php 
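Review bot: In the `@@ -67` hunk the value appended after `UNIX_TIMESTAMP() + ` goes through `db_escape_string($len)` but is spliced into the query without surrounding quotes, a position where string escaping gives no protection; the neighbouring `uid_from_sid(...)` term is numeric as well, so the consistent guard is `$q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . intval($len);`. Where `$len` is assigned lies outside the hunk, so whether it derives from request input cannot be confirmed here. The same pattern is in the `getvotes()` hunk of web/html/voters.php (`WHERE PackageID = $pkgid`) and the `username_from_id()` hunk of web/lib/aur.inc.php (`WHERE ID = " . db_escape_string($id)`), where `intval()` is likewise the right cast. Renaming the escape call leaves this unchanged, so the commit does not address it.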
@@ -12,7 +12,7 @@ include_once("acctfuncs.inc.php"); # access AUR common functions if (isset($_COOKIE["AURSID"])) { $dbh = db_connect(); $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= db_escape_string($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); # setting expiration to 1 means '1 second after midnight January 1, 1970' setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); diff --git a/web/html/passreset.php b/web/html/passreset.php index ed5d4d31..97fbebb0 100644 --- a/web/html/passreset.php +++ b/web/html/passreset.php @@ -40,8 +40,8 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir Salt = '$salt', ResetKey = '' WHERE ResetKey != '' - AND ResetKey = '".mysql_real_escape_string($resetkey)."' - AND Email = '".mysql_real_escape_string($email)."'"; + AND ResetKey = '".db_escape_string($resetkey)."' + AND Email = '".db_escape_string($email)."'"; $result = db_query($q, $dbh); if (!mysql_affected_rows($dbh)) { $error = __('Invalid e-mail and reset key combination.'); diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 21776f9c..539f0561 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -301,7 +301,7 @@ if ($uid): $dbh = db_connect(); db_query("BEGIN", $dbh); - $q = "SELECT * FROM Packages WHERE Name = '" . mysql_real_escape_string($new_pkgbuild['pkgname']) . "'"; + $q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($new_pkgbuild['pkgname']) . "'"; $result = db_query($q, $dbh); $pdata = mysql_fetch_assoc($result); 
@@ -346,11 +346,11 @@ if ($uid): # Update package data $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d", - mysql_real_escape_string($new_pkgbuild['pkgname']), - mysql_real_escape_string($pkg_version), - mysql_real_escape_string($new_pkgbuild['license']), - mysql_real_escape_string($new_pkgbuild['pkgdesc']), - mysql_real_escape_string($new_pkgbuild['url']), + db_escape_string($new_pkgbuild['pkgname']), + db_escape_string($pkg_version), + db_escape_string($new_pkgbuild['license']), + db_escape_string($new_pkgbuild['pkgdesc']), + db_escape_string($new_pkgbuild['url']), $uid, $packageID); @@ -359,12 +359,12 @@ if ($uid): } else { # This is a brand new package $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)", - mysql_real_escape_string($new_pkgbuild['pkgname']), - mysql_real_escape_string($new_pkgbuild['license']), - mysql_real_escape_string($pkg_version), + db_escape_string($new_pkgbuild['pkgname']), + db_escape_string($new_pkgbuild['license']), + db_escape_string($pkg_version), $category_id, - mysql_real_escape_string($new_pkgbuild['pkgdesc']), - mysql_real_escape_string($new_pkgbuild['url']), + db_escape_string($new_pkgbuild['pkgdesc']), + db_escape_string($new_pkgbuild['url']), $uid, $uid); @@ -389,8 +389,8 @@ if ($uid): $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')", $packageID, - mysql_real_escape_string($deppkgname), - mysql_real_escape_string($depcondition)); + db_escape_string($deppkgname), + db_escape_string($depcondition)); db_query($q, $dbh); } 
@@ -401,7 +401,7 @@ if ($uid): foreach ($sources as $src) { if ($src != "" ) { $q = "INSERT INTO PackageSources (PackageID, Source) VALUES ("; - $q .= $packageID . ", '" . mysql_real_escape_string($src) . "')"; + $q .= $packageID . ", '" . db_escape_string($src) . "')"; db_query($q, $dbh); } } diff --git a/web/html/voters.php b/web/html/voters.php index aa2aa50c..02abe290 100644 --- a/web/html/voters.php +++ b/web/html/voters.php @@ -5,7 +5,7 @@ include('pkgfuncs.inc.php'); function getvotes($pkgid) { $dbh = db_connect(); - $pkgid = mysql_real_escape_string($pkgid); + $pkgid = db_escape_string($pkgid); $result = db_query("SELECT UsersID,Username FROM PackageVotes LEFT JOIN Users on (UsersID = ID) WHERE PackageID = $pkgid ORDER BY Username", $dbh); return $result; diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 97fb69b9..91718748 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -225,7 +225,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Username = '".mysql_real_escape_string($U)."'"; + $q.= "WHERE Username = '".db_escape_string($U)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -243,7 +243,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Email = '".mysql_real_escape_string($E)."'"; + $q.= "WHERE Email = '".db_escape_string($E)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } 
@@ -265,7 +265,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and create the unprivileged user $salt = generate_salt(); $P = salted_hash($P, $salt); - $escaped = array_map('mysql_real_escape_string', + $escaped = array_map('db_escape_string', array($U, $E, $P, $salt, $R, $L, $I)); $q = "INSERT INTO Users (" . "AccountTypeID, Suspended, Username, Email, Passwd, Salt" . @@ -289,7 +289,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and modify the user account $q = "UPDATE Users SET "; - $q.= "Username = '".mysql_real_escape_string($U)."'"; + $q.= "Username = '".db_escape_string($U)."'"; if ($T) { $q.= ", AccountTypeID = ".intval($T); } @@ -298,15 +298,15 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { $q.= ", Suspended = 0"; } - $q.= ", Email = '".mysql_real_escape_string($E)."'"; + $q.= ", Email = '".db_escape_string($E)."'"; if ($P) { $salt = generate_salt(); $hash = salted_hash($P, $salt); $q .= ", Passwd = '$hash', Salt = '$salt'"; } - $q.= ", RealName = '".mysql_real_escape_string($R)."'"; - $q.= ", LangPreference = '".mysql_real_escape_string($L)."'"; - $q.= ", IRCNick = '".mysql_real_escape_string($I)."'"; + $q.= ", RealName = '".db_escape_string($R)."'"; + $q.= ", LangPreference = '".db_escape_string($L)."'"; + $q.= ", IRCNick = '".db_escape_string($I)."'"; $q.= " WHERE ID = ".intval($UID); $result = db_query($q, $dbh); if (!$result) { 
@@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".mysql_real_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".db_escape_string($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".mysql_real_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".db_escape_string($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".mysql_real_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".db_escape_string($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".mysql_real_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' "; $search_vars[] = "I"; } switch ($SB) { @@ -716,7 +716,7 @@ function valid_user( $user ) if ( $user ) { $dbh = db_connect(); $q = "SELECT ID FROM Users WHERE Username = '" - . mysql_real_escape_string($user). "'"; + . db_escape_string($user). "'"; $result = db_query($q, $dbh); # Is the username in the database? diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index f4326974..51c1eff7 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -29,7 +29,7 @@ function check_sid($dbh=NULL) { $dbh = db_connect(); } $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions "; - $q.= "WHERE SessionID = '" . mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) { # Invalid SessionID - hacker alert! @@ -53,7 +53,7 @@ function check_sid($dbh=NULL) { # session id timeout was reached and they must login again. # $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= db_escape_string($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); 
@@ -69,7 +69,7 @@ function check_sid($dbh=NULL) { # overwritten. if ($last_update < time() + $LOGIN_TIMEOUT) { $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; - $q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'"; db_query($q, $dbh); } } @@ -106,7 +106,7 @@ function username_from_id($id="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT Username FROM Users WHERE ID = " . mysql_real_escape_string($id); + $q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id); $result = db_query($q, $dbh); if (!$result) { return "None"; @@ -129,7 +129,7 @@ function username_from_sid($sid="", $dbh=NULL) { $q = "SELECT Username "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -151,7 +151,7 @@ function email_from_sid($sid="", $dbh=NULL) { $q = "SELECT Email "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -175,7 +175,7 @@ function account_from_sid($sid="", $dbh=NULL) { $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND AccountTypes.ID = Users.AccountTypeID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; 
@@ -197,7 +197,7 @@ function uid_from_sid($sid="", $dbh=NULL) { $q = "SELECT Users.ID "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return 0; @@ -223,6 +223,12 @@ function db_connect() { return $handle; } +# Escape strings for SQL query usage. +# Wraps the database driver's provided method (for convenience and porting). +function db_escape_string($string) { + return mysql_real_escape_string($string); +} + # disconnect from the database # this won't normally be needed as PHP/reference counting will take care of # closing the connection once it is no longer referenced @@ -290,7 +296,7 @@ function set_lang($dbh=NULL) { $q = "SELECT LangPreference FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= db_escape_string($_COOKIE["AURSID"])."'"; $result = db_query($q, $dbh); if ($result) { @@ -355,7 +361,7 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT MaintainerUID "; - $q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'"; + $q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) {return 1;} $row = mysql_fetch_row($result); @@ -428,7 +434,7 @@ function uid_from_username($username="", $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username) + $q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username) ."'"; $result = db_query($q, $dbh); if (!$result) { 
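Review bot: The new `db_escape_string()` takes only `$string`, so it always calls `mysql_real_escape_string()` without a link identifier; PHP then falls back to the most recently opened connection and, if none is open, returns false with a warning, which the string concatenation at every call site turns into an empty literal. The callers in web/lib/aurjson.class.php (all four hunks of that file) pass `$this->dbh` as a second argument that the wrapper silently discards, and the `db_escape_like($keyword_string, $this->dbh)` call added by the second commit has the same problem. Forward an optional handle in the style the file already uses for `check_sid($dbh=NULL)`: `function db_escape_string($string, $dbh=NULL) {` / `return $dbh ? mysql_real_escape_string($string, $dbh) : mysql_real_escape_string($string);` / `}`. The header comment should also state the contract callers depend on: the result is only safe inside a single-quoted SQL literal, and `LIKE` wildcards are not escaped.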
@@ -449,7 +455,7 @@ function uid_from_email($email="", $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email) + $q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email) ."'"; $result = db_query($q, $dbh); if (!$result) { diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index b5963595..edd6872e 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -166,7 +166,7 @@ class AurJSON { if (is_numeric($arg)) { $id_args[] = intval($arg); } else { - $escaped = mysql_real_escape_string($arg, $this->dbh); + $escaped = db_escape_string($arg, $this->dbh); $name_args[] = "'" . $escaped . "'"; } } @@ -184,7 +184,7 @@ class AurJSON { return $this->json_error('Query arg too small'); } - $keyword_string = mysql_real_escape_string($keyword_string, $this->dbh); + $keyword_string = db_escape_string($keyword_string, $this->dbh); $keyword_string = addcslashes($keyword_string, '%_'); $where_condition = "( Name LIKE '%{$keyword_string}%' OR " . @@ -207,7 +207,7 @@ class AurJSON { } else { $where_condition = sprintf("Name=\"%s\"", - mysql_real_escape_string($pqdata, $this->dbh)); + db_escape_string($pqdata, $this->dbh)); } return $this->process_query('info', $where_condition); } @@ -249,7 +249,7 @@ class AurJSON { * @return mixed Returns an array of value data containing the package data **/ private function msearch($maintainer) { - $maintainer = mysql_real_escape_string($maintainer, $this->dbh); + $maintainer = db_escape_string($maintainer, $this->dbh); $where_condition = "Users.Username = '{$maintainer}'"; diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 3e89fa35..b078c48a 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php 
@@ -100,7 +100,7 @@ function pkgid_from_name($name="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT ID FROM Packages "; - $q.= "WHERE Name = '".mysql_real_escape_string($name)."' "; + $q.= "WHERE Name = '".db_escape_string($name)."' "; $result = db_query($q, $dbh); if (!$result) {return NULL;} $row = mysql_fetch_row($result); @@ -137,7 +137,7 @@ function package_required($name="", $dbh=NULL) { } $q = "SELECT p.Name, PackageID FROM PackageDepends pd "; $q.= "JOIN Packages p ON pd.PackageID = p.ID "; - $q.= "WHERE DepName = '".mysql_real_escape_string($name)."' "; + $q.= "WHERE DepName = '".db_escape_string($name)."' "; $q.= "ORDER BY p.Name"; $result = db_query($q, $dbh); if (!$result) {return array();} @@ -234,7 +234,7 @@ function pkgvotes_from_sid($sid="", $dbh=NULL) { $q.= "FROM PackageVotes, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = PackageVotes.UsersID "; - $q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'"; + $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; $result = db_query($q, $dbh); if ($result) { while ($row = mysql_fetch_row($result)) { @@ -257,7 +257,7 @@ function pkgnotify_from_sid($sid="", $dbh=NULL) { $q.= "FROM CommentNotify, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = CommentNotify.UserID "; - $q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'"; + $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; $result = db_query($q, $dbh); if ($result) { while ($row = mysql_fetch_row($result)) { @@ -291,7 +291,7 @@ function pkgname_is_blacklisted($name, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . mysql_real_escape_string($name) . "'"; + $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . db_escape_string($name) . "'"; $result = db_query($q, $dbh); if (!$result) return false; 
@@ -457,7 +457,7 @@ function pkg_search_page($SID="", $dbh=NULL) { } if (isset($_GET['K'])) { - $_GET['K'] = mysql_real_escape_string(trim($_GET['K'])); + $_GET['K'] = db_escape_string(trim($_GET['K'])); # Search by maintainer if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { diff --git a/web/lib/stats.inc.php b/web/lib/stats.inc.php index 2690a5cb..8f0f7707 100644 --- a/web/lib/stats.inc.php +++ b/web/lib/stats.inc.php @@ -20,7 +20,7 @@ function updates_table($dbh) function user_table($user, $dbh) { - $escuser = mysql_real_escape_string($user); + $escuser = db_escape_string($user); $base_q = "SELECT count(*) FROM Packages,Users WHERE Packages.MaintainerUID = Users.ID AND Users.Username='" . $escuser . "'"; $maintainer_unsupported_count = db_cache_value($base_q, $dbh, diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index e52c92d2..d3b602cd 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -7,7 +7,7 @@ if (isset($_REQUEST['comment'])) { $q = 'INSERT INTO PackageComments '; $q.= '(PackageID, UsersID, Comments, CommentTS) VALUES ('; $q.= intval($_REQUEST['ID']) . ', ' . uid_from_sid($_COOKIE['AURSID']) . ', '; - $q.= "'" . mysql_real_escape_string($_REQUEST['comment']) . "', "; + $q.= "'" . db_escape_string($_REQUEST['comment']) . "', "; $q.= 'UNIX_TIMESTAMP())'; db_query($q, $dbh); -- cgit v1.2.3-24-g4f1b From e53b91fe52be262d94a45769814c1e87c796988b Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Thu, 20 Oct 2011 08:43:44 +0200 Subject: Escape wildcards in "LIKE" patterns Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. 
Signed-off-by: Lukas Fleischer Signed-off-by: Dan McGee --- web/lib/acctfuncs.inc.php | 8 ++++---- web/lib/aur.inc.php | 5 +++++ web/lib/aurjson.class.php | 3 +-- web/lib/pkgfuncs.inc.php | 12 +++++------- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 91718748..9bd6e511 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".db_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".db_escape_like($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".db_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".db_escape_like($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".db_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".db_escape_like($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' "; $search_vars[] = "I"; } switch ($SB) { diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 51c1eff7..6bc36ac5 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -229,6 +229,11 @@ function db_escape_string($string) { return mysql_real_escape_string($string); } +# Escape strings for usage in SQL LIKE operators. +function db_escape_like($string) { + return addcslashes(mysql_real_escape_string($string), '%_'); +} + # disconnect from the database # this won't normally be needed as PHP/reference counting will take care of # closing the connection once it is no longer referenced diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index edd6872e..6c7725c0 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php 
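Review bot: `db_escape_like()` calls `mysql_real_escape_string()` directly instead of the `db_escape_string()` wrapper defined just above it, so the driver-specific call the previous commit centralised now exists in two places and a future port has to patch both; `return addcslashes(db_escape_string($string), '%_');` keeps a single driver touch point. The comment should also record what callers must know: the backslash prefixes it produces are only honoured when the `LIKE` clause uses MySQL's default escape character (no `ESCAPE` clause), and the caller still supplies the surrounding quotes and its own `%` wildcards, as the `search_results_page` hunk does. The order of the two calls is correct as written, since escaping the wildcards first would have their backslashes doubled by `mysql_real_escape_string()`.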
@@ -184,8 +184,7 @@ class AurJSON { return $this->json_error('Query arg too small'); } - $keyword_string = db_escape_string($keyword_string, $this->dbh); - $keyword_string = addcslashes($keyword_string, '%_'); + $keyword_string = db_escape_like($keyword_string, $this->dbh); $where_condition = "( Name LIKE '%{$keyword_string}%' OR " . "Description LIKE '%{$keyword_string}%' )"; diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index b078c48a..88b18b88 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) { } if (isset($_GET['K'])) { - $_GET['K'] = db_escape_string(trim($_GET['K'])); - # Search by maintainer if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { - $q_where .= "AND Users.Username = '".$_GET['K']."' "; + $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' "; } # Search by submitter elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") { @@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) { } # Search by name elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") { - $q_where .= "AND (Name LIKE '%".$_GET['K']."%') "; + $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') "; } # Search by name (exact match) elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") { - $q_where .= "AND (Name = '".$_GET['K']."') "; + $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') "; } # Search by name and description (Default) else { - $q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR "; - $q_where .= "Description LIKE '%".$_GET['K']."%') "; + $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR "; + $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') "; } } -- cgit v1.2.3-24-g4f1b
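Review bot: Removing `$_GET['K'] = db_escape_string(trim($_GET['K']));` in the first `pkg_search_page` hunk also drops the `trim()`, so every branch now sees the untrimmed search key: the exact-match branch compares against a value with its surrounding whitespace intact and the `LIKE` branches narrow on that whitespace. Keep the trimming as the first statement of the `if (isset($_GET['K']))` block, `$_GET['K'] = trim($_GET['K']);`, and leave the per-branch escaping as the commit has it. The submitter branch (`SeB == "s"`) falls between the two hunks and is not visible here; it previously relied on the removed up-front escape, so it must now escape `$_GET['K']` itself if it interpolates the value. Any later reader of `$_GET['K']` (for example when result links are built) now receives the raw value rather than the SQL-escaped one, which is correct for HTML output only if it applies its own context escaping — not verifiable from these hunks.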