From f516626a293edd613cb823db88e36dcf7e1fb8f4 Mon Sep 17 00:00:00 2001 From: Dries Buytaert Date: Wed, 7 Mar 2001 21:29:40 +0000 Subject: A rather large and important update: revised most of the SQL queries and tried to make drupal as secure as possible (while trying to avoid redundant/duplicate checks). For drupal's sake, try to screw something up. See the mail about PHPNuke being hacked appr. 6 days ago. The one who finds a problem is rewarded a beer (and I'm willing to ship it to Norway if required). I beg you to be evil. Try dumping a table a la "http://localhost/index.php?date=77778;DROP TABLE users" or something. ;) --- includes/ban.inc | 15 +++++++-------- includes/comment.inc | 26 +++++++++++++------------- includes/module.inc | 10 +++++----- 3 files changed, 25 insertions(+), 26 deletions(-) (limited to 'includes') diff --git a/includes/ban.inc b/includes/ban.inc index 618b275ec..e1b05fc1d 100644 --- a/includes/ban.inc +++ b/includes/ban.inc @@ -10,10 +10,9 @@ $index2type = array(0x01 => "addresses", 0x03 => "hostnames", 0x04 => "usernames"); - function ban_match($mask, $category) { // Perform query: - $result = db_query("SELECT * FROM bans WHERE type = $category AND LOWER('$mask') LIKE LOWER(mask)"); + $result = db_query("SELECT * FROM bans WHERE type = '$category' AND LOWER('$mask') LIKE LOWER(mask)"); // Return result: return db_fetch_object($result); @@ -25,29 +24,29 @@ function ban_add($mask, $category, $reason, $message = "") { if (empty($mask)) { $message = "failed: empty banmasks are not allowed.
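Review bot: Quoting `$category` in the new `ban_match` query (`type = '$category'`) changes the literal's SQL type but does not escape it, so a value containing a `'` still closes the literal and the remainder is parsed as SQL; the commit's own `date=77778;DROP TABLE users` example is blocked only because that payload happens to contain no quote. Since `$category` is used as an index into `$index2type` (0x01/0x03/0x04), coercing it is the simplest fix: `$category = (int) $category;` before the `db_query`, or run it through the `check_input()` helper this same commit introduces in `comment_moderate`. `$mask` is likewise interpolated unescaped inside `LOWER('$mask')`; where it originates is not visible in this hunk, so I cannot tell whether it was escaped by the caller.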

\n"; } - else if ($ban = db_fetch_object(db_query("SELECT * FROM bans WHERE type = $category AND '$mask' LIKE mask"))) { + else if ($ban = db_fetch_object(db_query("SELECT * FROM bans WHERE type = '$category' AND '$mask' LIKE mask"))) { $message = "failed: ban is already matched by '$ban->mask'.

\n"; } else { $result = db_query("INSERT INTO bans (mask, type, reason, timestamp) VALUES ('$mask', '$category', '$reason', '". time() ."')"); - $message = "added new ban with mask `$mask'.

\n"; + $message = "added new ban with mask '$mask'.

\n"; // Add log entry: - watchdog("message", "added new ban `$mask' to category `". $index2type[$category] ."' with reason `$reason'."); + watchdog("message", "added new ban '$mask' to category '". $index2type[$category] ."' with reason '$reason'."); } } function ban_delete($id) { global $index2type; - $result = db_query("SELECT * FROM bans WHERE id = $id"); + $result = db_query("SELECT * FROM bans WHERE id = '$id'"); if ($ban = db_fetch_object($result)) { // Perform query: - $result = db_query("DELETE FROM bans WHERE id = $id"); + $result = db_query("DELETE FROM bans WHERE id = '$id'"); // Deleted log entry: - watchdog("message", "removed ban `$ban->mask' from category `". $index2type[$ban->type] ."'."); + watchdog("message", "removed ban '$ban->mask' from category '". $index2type[$ban->type] ."'."); } } diff --git a/includes/comment.inc b/includes/comment.inc index 7ec1d3734..2c8aaf3b9 100644 --- a/includes/comment.inc +++ b/includes/comment.inc @@ -34,7 +34,7 @@ function comment_moderate($moderate) { foreach ($moderate as $id=>$vote) { if ($vote != $comment_votes[$none] && !user_get($user, "history", "c$id")) { // Update the comment's score: - $result = db_query("UPDATE comments SET score = score $vote, votes = votes + 1 WHERE cid = $id"); + $result = db_query("UPDATE comments SET score = score ". check_input($vote) .", votes = votes + 1 WHERE cid = '". check_input($id) ."'"); // Update the user's history: $user = user_set($user, "history", "c$id", $vote); 
@@ -52,13 +52,13 @@ function comment_reply($pid, $id) { global $allowed_html, $link, $REQUEST_URI, $theme, $user; if ($pid) { - $item = db_fetch_object(db_query("SELECT comments.*, users.userid FROM comments LEFT JOIN users ON comments.author = users.id WHERE comments.cid = $pid")); + $item = db_fetch_object(db_query("SELECT comments.*, users.userid FROM comments LEFT JOIN users ON comments.author = users.id WHERE comments.cid = '$pid'")); comment_view(new Comment($item->userid, $item->subject, $item->comment, $item->timestamp, $item->url, $item->fake_email, comment_score($comment), $comment->votes, $item->cid, $item->lid), t("reply to this comment")); } else { $pid = 0; if ($link == "story") { - $item = db_fetch_object(db_query("SELECT stories.*, users.userid FROM stories LEFT JOIN users ON stories.author = users.id WHERE stories.status != 0 AND stories.id = $id")); + $item = db_fetch_object(db_query("SELECT stories.*, users.userid FROM stories LEFT JOIN users ON stories.author = users.id WHERE stories.status != 0 AND stories.id = '$id'")); $theme->article($item, ""); } } @@ -132,7 +132,7 @@ function comment_post($pid, $id, $subject, $comment) { global $theme, $link, $user; // Check for duplicate comments: - $duplicate = db_result(db_query("SELECT COUNT(cid) FROM comments WHERE link = '$link' AND pid = '$pid' AND lid = '$id' AND subject = '". check_input($subject) ."' AND comment = '". check_input($comment) ."'"), 0); + $duplicate = db_result(db_query("SELECT COUNT(cid) FROM comments WHERE link = '$link' AND pid = '$pid' AND lid = '$id' AND subject = '$subject' AND comment = '$comment'"), 0); if ($duplicate != 0) { watchdog("error", "comment: attempt to insert duplicate comment"); 
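Review bot: The quoted `'$pid'` and `'$id'` in `comment_reply`'s two new queries are not escaped or coerced, so an id containing a `'` still breaks out of the literal; since both are row ids, `$pid = (int) $pid;` and `$id = (int) $id;` at the top of the function would settle the type and remove the need for quoting. Separately, the context line after the first query builds the `Comment` from `comment_score($comment)` and `$comment->votes` while every other field comes from `$item`; `$comment` does not appear to be assigned in this function, so this looks like it should read `comment_score($item), $item->votes` — not introduced by this commit, but worth confirming while the line is being touched. `comment_reply` continues past the end of the hunk.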
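Review bot: The duplicate-check query in `comment_post` now interpolates `$subject` and `$comment` raw where the removed line ran them through `check_input()`; unless the caller now escapes them before calling `comment_post` (not visible here), this hunk removes escaping from the two fields most directly controlled by the poster, and `$link` is interpolated unescaped on both old and new sides. If the intent is to escape once at the boundary, that escaping should be visible in this function, e.g. `$subject = check_input($subject); $comment = check_input($comment);` at the top of `comment_post`, ahead of both the duplicate check and the later INSERT. `comment_post` begins above this hunk, so an earlier escape inside the function cannot be ruled out from what is shown.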
@@ -145,7 +145,7 @@ function comment_post($pid, $id, $subject, $comment) { watchdog("comment", "comment: added comment with subject '$subject'"); // Add comment to database: - db_query("INSERT INTO comments (link, lid, pid, author, subject, comment, hostname, timestamp, score) VALUES ('". check_input($link) ."', $id, $pid, '$user->id', '". check_input($subject) ."', '". check_input($comment) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."', '". ($user->userid ? 1 : 0) ."')"); + db_query("INSERT INTO comments (link, lid, pid, author, subject, comment, hostname, timestamp, score) VALUES ('$link', '$id', '$pid', '$user->id', '$subject', '$comment', '". getenv("REMOTE_ADDR") ."', '". time() ."', '". ($user->userid ? 1 : 0) ."')"); } } @@ -155,7 +155,7 @@ function comment_score($comment) { } function comment_num_replies($id, $count = 0) { - $result = db_query("SELECT COUNT(cid) FROM comments WHERE pid = $id"); + $result = db_query("SELECT COUNT(cid) FROM comments WHERE pid = '$id'"); return ($result) ? db_result($result, 0) : 0; } @@ -165,7 +165,7 @@ function comment_num_filtered($lid, $pid) { $threshold = ($user->id) ? $user->threshold : "0"; $pid = ($pid) ? $pid : 0; - $result = db_query("SELECT COUNT(cid) FROM comments WHERE lid = $lid AND pid = $pid AND ((votes = 0 AND score < $threshold) OR (score / votes < $threshold))"); + $result = db_query("SELECT COUNT(cid) FROM comments WHERE lid = '$lid' AND pid = '$pid' AND ((votes = 0 AND score < $threshold) OR (score / votes < $threshold))"); return ($result) ? db_result($result, 0) : 0; } @@ -183,7 +183,7 @@ function comment_moderation($comment) { } else { // comment has already been moderated: - $output .= "
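Review bot: The new INSERT in `comment_post` drops `check_input()` around `$link`, `$subject` and `$comment` and only adds quotes around `$id` and `$pid`; quoting stops the unquoted-numeric injection from the commit message but leaves every `'` in the posted text live, and the `watchdog("comment", ... '$subject' ...)` context line just above shows the raw submitted value is still what is in scope here. If escaping now happens elsewhere, a one-line comment saying where would save the next reader from re-adding it; otherwise restore it at the insert, `'". check_input($subject) ."', '". check_input($comment) ."'`, and use `(int) $id` / `(int) $pid` rather than quotes for the two ids. The function's opening is above this hunk.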
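Review bot: In `comment_num_filtered` the new query quotes `$lid` and `$pid` but still interpolates `$threshold` unquoted and unescaped, and `$threshold` is taken from `$user->threshold`, a stored per-user setting whose validation is not visible here. Since `$pid` is already normalised two lines earlier (`$pid = ($pid) ? $pid : 0;`), coercing all three at that point is cleaner than quoting: `$threshold = (int) $threshold; $lid = (int) $lid; $pid = (int) $pid;`. The division `score / votes` in the second disjunct is guarded by the `votes = 0` branch, so no change is needed there.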
". t("score") .":". check_output($comment->score) ."
". t("votes") .":". check_output($comment->votes) ."
\n"; + $output .= "
". t("score") .":". check_output($comment->score) ."
". t("votes") .":". check_output($comment->votes) ."
\n"; } return $output; @@ -221,8 +221,8 @@ function comment_order($order) { } function comment_query($link, $lid, $order, $pid = -1) { - $query .= "SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE link = '$link' AND c.lid = $lid"; - if ($pid >= 0) $query .= " AND pid = $pid"; + $query .= "SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE link = '$link' AND c.lid = '$lid'"; + if ($pid >= 0) $query .= " AND pid = '$pid'"; if ($order == 1) $query .= " ORDER BY c.timestamp DESC"; else if ($order == 2) $query .= " ORDER BY c.timestamp"; else if ($order == 3) $query .= " ORDER BY c.score DESC"; @@ -262,7 +262,7 @@ function comment_view($comment, $folded = 0) { function comment_thread_min($cid, $threshold) { global $user; - $result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.pid = $cid ORDER BY c.timestamp, c.cid"); + $result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.pid = '$cid' ORDER BY c.timestamp, c.cid"); print "