author | Gábor Hojtsy <gabor@hojtsy.hu> | 2008-01-04 09:31:49 +0000 |
---|---|---|
committer | Gábor Hojtsy <gabor@hojtsy.hu> | 2008-01-04 09:31:49 +0000 |
commit | 89be29505b1ed6146aef314d5524f46cc289cee3 (patch) | |
tree | 6be929fa5d9b84c48f0a5682bc6f95cb09b3bde3 | |
parent | 52f95c981bbf7588aedd1b5cb3ef74641572e39e (diff) | |
download | brdo-89be29505b1ed6146aef314d5524f46cc289cee3.tar.gz brdo-89be29505b1ed6146aef314d5524f46cc289cee3.tar.bz2 |
#198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks
-rw-r--r-- | includes/database.inc | 2 | ||||
-rw-r--r-- | includes/database.mysql.inc | 4 | ||||
-rw-r--r-- | includes/database.mysqli.inc | 4 | ||||
-rw-r--r-- | includes/database.pgsql.inc | 6 | ||||
-rw-r--r-- | includes/tablesort.inc | 11 | ||||
-rw-r--r-- | modules/statistics/statistics.module | 5 | ||||
-rw-r--r-- | modules/system/system.module | 2 |
7 files changed, 21 insertions, 13 deletions
diff --git a/includes/database.inc b/includes/database.inc
index 45a8b592c..25aadf57a 100644
--- a/includes/database.inc
+++ b/includes/database.inc
@@ -350,7 +350,7 @@ function db_rewrite_sql($query, $primary_table = 'n', $primary_field = 'nid', $
 }
 
 /**
- * Restrict a dynamic tablename to safe characters.
+ * Restrict a dynamic table, column or constraint name to safe characters.
  *
  * Only keeps alphanumeric and underscores.
  */
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index a20486996..01eb22bef 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -346,14 +346,14 @@ function db_unlock_tables() {
  * Check if a table exists.
  */
 function db_table_exists($table) {
-  return db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'")) ? TRUE : FALSE;
+  return (bool) db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'"));
 }
 
 /**
  * Check if a column exists in the given table.
  */
 function db_column_exists($table, $column) {
-  return db_fetch_object(db_query("SHOW COLUMNS FROM {%s} LIKE '%s'", $table, $column)) ? TRUE : FALSE;
+  return (bool) db_fetch_object(db_query("SHOW COLUMNS FROM {". db_escape_table($table) ."} LIKE '". db_escape_table($column) ."'"));
 }
 
 /**
diff --git a/includes/database.mysqli.inc b/includes/database.mysqli.inc
index 9cefafc6d..191999145 100644
--- a/includes/database.mysqli.inc
+++ b/includes/database.mysqli.inc
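Review bot: In the new `db_column_exists` line the filtered column name is placed inside a `LIKE` pattern, and `_` is a single-character wildcard in MySQL `LIKE`, so a name such as `field_name` also matches `fieldXname` and the function can report TRUE for a column that does not exist; the `db_table_exists` line above it has the same property, as does the identical hunk in includes/database.mysqli.inc. Escaping the wildcard after the allowlist filter keeps the match exact, e.g. `$column = str_replace('_', '\_', db_escape_table($column));` before the query (and likewise for `$table`). It is also worth a comment on the query line that `db_escape_table()` strips disallowed characters rather than rejecting the name, so a caller passing `ti-tle` silently gets the answer for `title`.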
@@ -346,14 +346,14 @@ function db_unlock_tables() {
  * Check if a table exists.
  */
 function db_table_exists($table) {
-  return db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'")) ? TRUE : FALSE;
+  return (bool) db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'"));
 }
 
 /**
  * Check if a column exists in the given table.
  */
 function db_column_exists($table, $column) {
-  return db_fetch_object(db_query("SHOW COLUMNS FROM {%s} LIKE '%s'", $table, $column)) ? TRUE : FALSE;
+  return (bool) db_fetch_object(db_query("SHOW COLUMNS FROM {". db_escape_table($table) ."} LIKE '". db_escape_table($column) ."'"));
 }
 
 /**
diff --git a/includes/database.pgsql.inc b/includes/database.pgsql.inc
index 65e049263..f5196fb91 100644
--- a/includes/database.pgsql.inc
+++ b/includes/database.pgsql.inc
@@ -228,7 +228,7 @@ function db_error() {
  *   The name of the autoincrement field.
  */
 function db_last_insert_id($table, $field) {
-  return db_result(db_query("SELECT currval('%s_seq')", db_prefix_tables('{'. $table .'}') .'_'. $field));
+  return db_result(db_query("SELECT CURRVAL('{". db_escape_table($table) ."}_". db_escape_table($field) ."_seq')"));
 }
 
 /**
@@ -384,14 +384,14 @@ function db_unlock_tables() {
  * Check if a table exists.
  */
 function db_table_exists($table) {
-  return db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
+  return (bool) db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
 }
 
 /**
  * Check if a column exists in the given table.
  */
 function db_column_exists($table, $column) {
-  return db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname='%s'", $column));
+  return (bool) db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname = '". db_escape_table($column) ."'"));
 }
 
 /**
diff --git a/includes/tablesort.inc b/includes/tablesort.inc
index d241a0c2d..9c39c5ce8 100644
--- a/includes/tablesort.inc
+++ b/includes/tablesort.inc
@@ -39,9 +39,14 @@ function tablesort_init($header) {
 function tablesort_sql($header, $before = '') {
   $ts = tablesort_init($header);
   if ($ts['sql']) {
-    $sql = db_escape_string($ts['sql']);
-    $sort = drupal_strtoupper(db_escape_string($ts['sort']));
-    return " ORDER BY $before $sql $sort";
+    // Based on code from db_escape_table(), but this can also contain a dot.
+    $field = preg_replace('/[^A-Za-z0-9_.]+/', '', $ts['sql']);
+
+    // Sort order can only be ASC or DESC.
+    $sort = drupal_strtoupper($ts['sort']);
+    $sort = in_array($sort, array('ASC', 'DESC')) ? $sort : '';
+
+    return " ORDER BY $before $field $sort";
   }
 }
 
diff --git a/modules/statistics/statistics.module b/modules/statistics/statistics.module
index 831a0d5c7..1242e973b 100644
--- a/modules/statistics/statistics.module
+++ b/modules/statistics/statistics.module
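Review bot: The rewritten `db_column_exists` query in includes/database.pgsql.inc matches `pg_class.relname` without restricting the schema or `relkind`, and the `pg_attribute` join has no `attisdropped` filter, so the new `(bool) COUNT(...)` can be TRUE for a same-named relation in another schema or, if I recall correctly that pg_attribute keeps rows for dropped columns, for a column that has already been dropped. Adding `AND pg_attribute.attisdropped = false` (and `AND pg_class.relkind = 'r'` if only ordinary tables are meant) to the WHERE clause would make the answer reliable. These conditions predate the commit, but the line is rewritten here so this is the natural place to tighten them.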
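Review bot: In `tablesort_sql` the new `preg_replace` on the `$field` line strips disallowed characters instead of rejecting the value, so a header `sql` key of `a b` silently sorts on `ab`, and a key made only of stripped characters produces ` ORDER BY $before  $sort`, which is a SQL syntax error rather than a refused sort. Rejecting altered input mirrors what the hunk already does for `$sort`: `if ($field === '' || $field !== $ts['sql']) { return; }` placed before the return would do it. The character class also accepts `.` anywhere, so `..` or `.col` pass; if only `alias.column` is intended, `preg_match('/^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)?$/', $ts['sql'])` states the shape explicitly. The body of tablesort_sql lies entirely within the hunk.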
@@ -206,7 +206,10 @@ function statistics_cron() {
  *   or FALSE if the query could not be executed correctly.
  */
 function statistics_title_list($dbfield, $dbrows) {
-  return db_query_range(db_rewrite_sql("SELECT n.nid, n.title, u.uid, u.name FROM {node} n INNER JOIN {node_counter} s ON n.nid = s.nid INNER JOIN {users} u ON n.uid = u.uid WHERE %s <> '0' AND n.status = 1 ORDER BY %s DESC"), 's.'. $dbfield, 's.'. $dbfield, 0, $dbrows);
+  if (in_array($dbfield, array('totalcount', 'daycount', 'timestamp'))) {
+    return db_query_range(db_rewrite_sql("SELECT n.nid, n.title, u.uid, u.name FROM {node} n INNER JOIN {node_counter} s ON n.nid = s.nid INNER JOIN {users} u ON n.uid = u.uid WHERE s.". $dbfield ." != 0 AND n.status = 1 ORDER BY s.". $dbfield ." DESC"), 0, $dbrows);
+  }
+  return FALSE;
 }
 
diff --git a/modules/system/system.module b/modules/system/system.module
index edf3a3bff..2431ef613 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -1213,7 +1213,7 @@ function system_cron() {
   db_query('DELETE FROM {batch} WHERE timestamp < %d', time() - 864000);
 
   // Remove temporary files that are older than DRUPAL_MAXIMUM_TEMP_FILE_AGE.
-  $result = db_query('SELECT * FROM {files} WHERE status = %s and timestamp < %d', FILE_STATUS_TEMPORARY, time() - DRUPAL_MAXIMUM_TEMP_FILE_AGE);
+  $result = db_query('SELECT * FROM {files} WHERE status = %d and timestamp < %d', FILE_STATUS_TEMPORARY, time() - DRUPAL_MAXIMUM_TEMP_FILE_AGE);
   while ($file = db_fetch_object($result)) {
     if (file_exists($file->filepath)) {
       // If files that exist cannot be deleted, continue so the database remains
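Review bot: The new allowlist guard in `statistics_title_list` calls `in_array` without the strict flag, so a non-string `$dbfield` such as `TRUE` (or `0` on the PHP versions this code runs on) compares loosely equal to `'totalcount'`, passes the check and is then interpolated into the query; `in_array($dbfield, array('totalcount', 'daycount', 'timestamp'), TRUE)` makes the allowlist exact and is the only change needed. The docblock just above the hunk still says FALSE means the query could not be executed, but the added `return FALSE;` also covers a rejected field name, so the `@return` text should say "or FALSE if the field is not one of the permitted counters or the query could not be executed". The function body is fully contained in the hunk.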