

Fix up database calls regarding SQLI - done by GCI participant Noostra
git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey_yii@11987 b72ed6b6-b9f8-46b5-92b4-906544132732
c-schmitz committed Jan 11, 2012
1 parent d25e370 commit 9a1ac9f
Showing 6 changed files with 97 additions and 75 deletions.
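--- a/application/models/Answers.php
+++ b/application/models/Answers.php
@@ -65,14 +65,20 @@ function getAnswerCode($qid, $code, $lang)
 return Yii::app()->db->createCommand()
 ->select(array('code', 'answer'))
 ->from(self::tableName())
-->where(array('and', 'qid='.$qid, 'code="'.$code.'"', 'scale_id=0', 'language="'.$lang.'"'))
+->where(array('and', 'qid=:qid', 'code=:code', 'scale_id=0', 'language=:lang'))
+->bindParam(":qid", $qid, PDO::PARAM_INT)
+->bindParam(":code", $code, PDO::PARAM_STR)
+->bindParam(":lang", $lang, PDO::PARAM_STR)
 ->query();
 }
 
 public function oldNewInsertansTags($newsid,$oldsid)
 {
-$sql = "SELECT a.qid, a.language, a.code, a.answer from {{answers}} as a INNER JOIN {{questions}} as b ON a.qid=b.qid WHERE b.sid=".$newsid." AND a.answer LIKE '%{INSERTANS:".$oldsid."X%'";
-return Yii::app()->db->createCommand($sql)->query();
+$sql = "SELECT a.qid, a.language, a.code, a.answer from {{answers}} as a INNER JOIN {{questions}} as b ON a.qid=b.qid WHERE b.sid=:newsid AND a.answer LIKE '%{INSERTANS::oldsidX%'";
+return Yii::app()->db->createCommand($sql)
+->bindParam(":newsid", $newsid, PDO::PARAM_INT)
+->bindParam(":oldsid", $oldsid, PDO::PARAM_INT)
+->query();
 }
 
 public function updateRecord($data, $condition=FALSE)
@@ -114,8 +120,10 @@ public function getAnswerQuery($surveyid, $lang, $return_query = TRUE)
 $query = Yii::app()->db->createCommand();
 $query->select("{{answers}}.*, {{questions}}.gid");
 $query->from("{{answers}}, {{questions}}");
-$query->where("{{questions}}.sid = '{$surveyid}' AND {{questions}}.qid = {{answers}}.qid AND {{questions}}.language = {{answers}}.language AND {{questions}}.language = '{$lang}'");
+$query->where("{{questions}}.sid = :surveyid AND {{questions}}.qid = {{answers}}.qid AND {{questions}}.language = {{answers}}.language AND {{questions}}.language = :lang");
 $query->order('qid, code, sortorder');
+$query->bindParams(":surveyid", $surveyid, PDO::PARAM_INT);
+$query->bindParams(":lang", $lang, PDO::PARAM_STR);
 return ( $return_query ) ? $query->queryAll() : $query;
 }
 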
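Review bot: The new LIKE pattern in oldNewInsertansTags, `... AND a.answer LIKE '%{INSERTANS::oldsidX%'"`, places `:oldsid` inside a quoted string literal, so the driver never treats it as a placeholder and the `->bindParam(":oldsid", $oldsid, PDO::PARAM_INT)` below it binds a parameter the statement does not declare. Build the pattern in PHP and bind the whole value instead: `$pattern = '%{INSERTANS:'.intval($oldsid).'X%';`, `... AND a.answer LIKE :pattern"` and `->bindParam(":pattern", $pattern, PDO::PARAM_STR)`. In the getAnswerQuery hunk, `$query->bindParams(":surveyid", $surveyid, PDO::PARAM_INT);` and the line after it call `bindParams`, which as far as I know Yii 1.1's CDbCommand does not define (it offers bindParam, bindValue and bindValues); unless the project adds such a method, both lines need to be `bindParam`. getAnswerQuery's body begins before the hunk.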
24 changes: 14 additions & 10 deletions application/models/Conditions.php
Expand Up @@ -62,7 +62,7 @@ public function deleteRecords($condition=FALSE)
{
if( is_array($condition) )
{
foreach($condition as $column=>$value)
foreach($condition as $column=>$value)
{
$criteria->addCondition("$column='$value'");
}
Expand Down Expand Up @@ -131,15 +131,19 @@ function getSomeConditions($fields, $condition, $order, $group){
}
function getConditionsQuestions($distinctrow,$deqrow,$scenariorow,$surveyprintlang)
{
$conquery="SELECT cid, cqid, q.title,\n"
."q.question, value, q.type, cfieldname\n"
."FROM {{conditions}} c, {{questions}} q\n"
."WHERE c.cqid=q.qid\n"
."AND c.cqid={$distinctrow}\n"
."AND c.qid={$deqrow} \n"
."AND c.scenario={$scenariorow} \n"
."AND language='{$surveyprintlang}'";
return Yii::app()->db->createCommand($conquery)->query();
$conquery="SELECT cid, cqid, q.title, q.question, value, q.type, cfieldname"
."FROM {{conditions}} c, {{questions}} q"
."WHERE c.cqid=q.qid"
."AND c.cqid=:distinctrow"
."AND c.qid=:deqrow"
."AND c.scenario=:scenariorow"
."AND language=:surveyprintlang";
return Yii::app()->db->createCommand($conquery)
->bindParam(":distinctrow", $distinctrow, PDO::PARAM_INT)
->bindParam(":deqrow", $deqrow, PDO::PARAM_INT)
->bindParam(":scenariorow", $scenariorow, PDO::PARAM_INT)
->bindParam(":surveyprintlang", $surveyprintlang, PDO::PARAM_STR)
->query();
}
}

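Review bot: The rewritten `$conquery` in getConditionsQuestions drops the `\n` that separated the old fragments, so the concatenation yields `... cfieldnameFROM {{conditions}} c, {{questions}} qWHERE c.cqid=q.qidAND c.cqid=:distinctrowAND ...`, which is not valid SQL; every fragment needs a trailing newline or space, as in the rewritten lines below. In the deleteRecords hunk, `$criteria->addCondition("$column='$value'")` still interpolates the value into the condition and `$criteria` is not initialised anywhere in the visible lines; that function's body continues outside the hunk so I cannot see where it comes from, but the value belongs in `$criteria->params` with a placeholder in the condition rather than in the string.
```php
$conquery="SELECT cid, cqid, q.title, q.question, value, q.type, cfieldname\n"
."FROM {{conditions}} c, {{questions}} q\n"
."WHERE c.cqid=q.qid\n"
."AND c.cqid=:distinctrow\n"
."AND c.qid=:deqrow\n"
."AND c.scenario=:scenariorow\n"
."AND language=:surveyprintlang";
// … unchanged: createCommand()/bindParam chain and query() …
```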
23 changes: 16 additions & 7 deletions application/models/Groups.php
Expand Up @@ -70,8 +70,15 @@ function getAllRecords($condition=FALSE, $order=FALSE, $return_query = TRUE)

function updateGroupOrder($sid,$lang,$position=0)
{
$data=Yii::app()->db->createCommand()->select('gid')->where(array('and','sid='.$sid,'language="'.$lang.'"'))->order('group_order, group_name ASC')->from('{{groups}}')->query();

$data=Yii::app()->db->createCommand()->select('gid')
->where(array('and','sid=:sid','language=:language'))
->order('group_order, group_name ASC')
->from('{{groups}}')
->bindParam(':sid', $sid, PDO::PARAM_INT)
->bindParam(':language', $language, PDO::PARAM_STR)
->query();

$position = intval($position);
foreach($data->readAll() as $row)
{
Yii::app()->db->createCommand()->update($this->tableName(),array('group_order' => $position),'gid='.$row['gid']);
Expand All @@ -93,9 +100,10 @@ function getGroups($surveyid) {
return Yii::app()->db->createCommand()
->select(array('gid', 'group_name'))
->from($this->tableName())
->where(array('and', 'sid='.$surveyid, 'language=:language'))
->where(array('and', 'sid=:surveyid', 'language=:language'))
->order('group_order asc')
->bindParam(":language", $language, PDO::PARAM_STR)
->bindParam(":surveyid", $surveyid, PDO::PARAM_INT)
->query()->readAll();
}

Expand All @@ -111,8 +119,10 @@ private static function getQuestionIdsInGroup($groupId) {
$questions = Yii::app()->db->createCommand()
->select('qid')
->from('{{questions}} q')
->join('{{groups}} g', 'g.gid=q.gid AND g.gid=' . $groupId . ' AND q.parent_qid=0')
->group('qid')->queryAll();
->join('{{groups}} g', 'g.gid=q.gid AND g.gid=:groupid AND q.parent_qid=0')
->group('qid')
->bindParam(":groupid", $groupId, PDO::PARAM_INT)
->queryAll();

$questionIds = array();
foreach ($questions as $question) {
Expand All @@ -121,10 +131,9 @@ private static function getQuestionIdsInGroup($groupId) {

return $questionIds;
}

function getAllGroups($condition, $order=false)
{


$command = Yii::app()->db->createCommand()->where($condition)->select('*')->from($this->tableName());
if ($order != FALSE)
{
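Review bot: `->bindParam(':language', $language, PDO::PARAM_STR)` in updateGroupOrder binds `$language`, but the function's parameter is `$lang` (`function updateGroupOrder($sid,$lang,$position=0)`), so the placeholder receives null, the SELECT matches no groups and the reordering loop never runs; it should read `->bindParam(':language', $lang, PDO::PARAM_STR)`. The context line `->bindParam(":language", $language, PDO::PARAM_STR)` in getGroups($surveyid) has the same shape with no `$language` in scope in the visible lines, though that line predates this commit. The `update($this->tableName(),array('group_order' => $position),'gid='.$row['gid'])` in the loop is the one remaining concatenated condition in the file; the value comes from the database rather than from the request, but for consistency it can go through Yii's params argument as `'gid=:gid', array(':gid'=>$row['gid'])`.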
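--- a/application/models/Label.php
+++ b/application/models/Label.php
@@ -73,7 +73,7 @@ function getAllRecords($condition=FALSE)
 
 function getLabelCodeInfo($lid)
 {
-return Yii::app()->db->createCommand()->select('code, title, sortorder, language, assessment_value')->order('language, sortorder, code')->where('lid='.$lid)->from(tableName())->query()->readAll();
+return Yii::app()->db->createCommand()->select('code, title, sortorder, language, assessment_value')->order('language, sortorder, code')->where('lid=:lid')->from(tableName())->bindParam(":lid", $lid, PDO::PARAM_INT)->query()->readAll();
 }
 
 function insertRecords($data)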
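Review bot: The rewritten chain keeps `->from(tableName())`, a bare function call where the sibling models in this commit use `self::tableName()` (Answers.php) or `$this->tableName()` (Groups.php); unless a global tableName() helper exists somewhere I cannot see, that call is undefined and `->from($this->tableName())` is the safe form. The parameter binding itself is correct, and since the whole statement is built and executed in one chain the by-reference capture of `bindParam` is harmless here.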
30 changes: 15 additions & 15 deletions application/models/ParticipantAttributeNames.php
Expand Up @@ -141,7 +141,7 @@ function getAttributeValue($participantid,$attributeid)

function getAttributes($count = false, $limit = -1, $offset = -1)
{
$command = Yii::app()->db->createCommand()->from('{{participant_attribute_names}}')->join('{{participant_attribute_names_lang}}', '{{participant_attribute_names}}.attribute_id = {{participant_attribute_names_lang}}.attribute_id')->where('lang = "'.Yii::app()->session['adminlang'].'"')->limit($limit, $offset);
$command = Yii::app()->db->createCommand()->from('{{participant_attribute_names}}')->join('{{participant_attribute_names_lang}}', '{{participant_attribute_names}}.attribute_id = {{participant_attribute_names_lang}}.attribute_id')->where('lang = "'.Yii::app()->session['adminlang'].'"')->limit(intval($limit), intval($offset));
if (empty($count))
{
return $command->select('{{participant_attribute_names}}.*,{{participant_attribute_names_lang}}.*')->queryAll();
Expand All @@ -154,7 +154,7 @@ function getAttributes($count = false, $limit = -1, $offset = -1)

function getAttributesValues($attribute_id)
{
return Yii::app()->db->createCommand()->select('*')->from('{{participant_attribute_values}}')->where('attribute_id = '.$attribute_id)->queryAll();
return Yii::app()->db->createCommand()->select('*')->from('{{participant_attribute_values}}')->where('attribute_id = :attribute_id')->bindParam(":attribute_id", $attribute_id, PDO::PARAM_INT)->queryAll();
}

// this is a very specific function used to get the attributes that are not present for the participant
Expand All @@ -175,8 +175,8 @@ function storeAttribute($data)
'visible' => $data['visible']);
Yii::app()->db->createCommand()->insert('{{participant_attribute_names}}',$insertnames);
$attribute_id = Yii::app()->db->getLastInsertID();
$insertnameslang = array('attribute_id' => $attribute_id,
'attribute_name'=>$data['attribute_name'],
$insertnameslang = array('attribute_id' => intval($attribute_id),
'attribute_name'=> Yii::app()->db->quoteValue($data['attribute_name']),
'lang' => Yii::app()->session['adminlang']);
Yii::app()->db->createCommand()->insert('{{participant_attribute_names_lang}}',$insertnameslang);

Expand All @@ -186,15 +186,15 @@ function storeAttribute($data)

function editParticipantAttributeValue($data)
{
$query = Yii::app()->db->createCommand()->where('participant_id = "'.$data['participant_id'].'" AND attribute_id = '. $data['attribute_id'])->from('{{participant_attribute}}')->select('*')->queryAll();
$query = Yii::app()->db->createCommand()->where('participant_id = :participant_id AND attribute_id = :attribute_id')->from('{{participant_attribute}}')->select('*')->bindParam(":participant_id", $data["participant_id"], PDO::PARAM_INT)->bindParam(":attribute_id", $data["attribute_id"], PDO::PARAM_INT)->queryAll();
if(count($query) == 0)
{
Yii::app()->db->createCommand()->insert('{{participant_attribute}}',$data);
}
else
{
Yii::app()->db->createCommand()->update('{{participant_attribute}}',$data,'participant_id = "'.$data['participant_id'].'" AND attribute_id = '.$data['attribute_id']);
}
Yii::app()->db->createCommand()->update('{{participant_attribute}}',$data,'participant_id = :participant_id AND attribute_id = :attribute_id')->bindParam(":participant_id", $data["participant_id"], PDO::PARAM_INT)->bindParam(":attribute_id", $data["attribute_id"], PDO::PARAM_INT);
}

}

Expand All @@ -208,12 +208,12 @@ function delAttribute($attid)

function delAttributeValues($attid,$valid)
{
Yii::app()->db->createCommand()->delete('{{participant_attribute_values}}', 'attribute_id = '.$attid.' AND value_id = '.$valid);
Yii::app()->db->createCommand()->delete('{{participant_attribute_values}}', 'attribute_id = :attribute_id AND value_id = :value_id')->bindParam(":attribute_id", $attid, PDO::PARAM_INT)->bindParam(":value_id", $valid, PDO::PARAM_INT);
}

function getAttributeNames($attributeid)
{
return Yii::app()->db->createCommand()->where("attribute_id = {$attributeid}")->from('{{participant_attribute_names_lang}}')->select('*')->queryAll();
return Yii::app()->db->createCommand()->where("attribute_id = :attribute_id")->from('{{participant_attribute_names_lang}}')->select('*')->bindParam(":attribute_id", $attributeid, PDO::PARAM_INT)->queryAll();
}
function getAttribute($attribute_id)
{
Expand All @@ -239,18 +239,18 @@ function saveAttribute($data)
}
if (!empty($insertnames))
{
Yii::app()->db->createCommand()->update('{{participant_attribute_names}}', $insertnames, 'attribute_id = '.$data['attribute_id']);
Yii::app()->db->createCommand()->update('{{participant_attribute_names}}', $insertnames, 'attribute_id = :attribute_id')->bindParam(":attribute_id", $data['attribute_id'], PDO::PARAM_INT);
}

if (!empty($data['attribute_name']))
{
Yii::app()->db->createCommand()->update('{{participant_attribute_names_lang}}', array('attribute_name' => $data['attribute_name']), 'attribute_id = '.$data['attribute_id'].' AND lang="'.Yii::app()->session['adminlang'].'"');
Yii::app()->db->createCommand()->update('{{participant_attribute_names_lang}}', array('attribute_name' => $data['attribute_name']), 'attribute_id = :attribute_id AND lang="'.Yii::app()->session['adminlang'].'"')->bindParam(":attribute_id", $data['attribute_id'], PDO::PARAM_INT);
}
}

function saveAttributeLanguages($data)
{
$query = Yii::app()->db->createCommand()->from('{{participant_attribute_names_lang}}')->where('attribute_id = '.$data['attribute_id'].' AND lang = "'.$data['lang'].'"')->select('*')->queryAll();
$query = Yii::app()->db->createCommand()->from('{{participant_attribute_names_lang}}')->where('attribute_id = :attribute_id AND lang = :lang')->select('*')->bindParam(":attribute_id", $data['attribute_id'], PDO::PARAM_INT)->bindParam(":lang", $data['lang'], PDO::PARAM_STR)->queryAll();
if (count($query) == 0)
{
// A record does not exist, insert one.
Expand All @@ -260,7 +260,7 @@ function saveAttributeLanguages($data)
else
{
// A record does exist, update it.
$query = Yii::app()->db->createCommand()->update('{{participant_attribute_names_lang}}',array('attribute_name'=>$data['attribute_name'],),'attribute_id = '.$data['attribute_id'].' AND lang="'.$data['lang'].'"');
$query = Yii::app()->db->createCommand()->update('{{participant_attribute_names_lang}}',array('attribute_name'=>$data['attribute_name'],),'attribute_id = :attribute_id AND lang= :lang')->bindParam(":attribute_id", $data['attribute_id'], PDO::PARAM_INT)->bindParam(":lang", $data['lang'], PDO::PARAM_STR);
}
}

Expand Down Expand Up @@ -288,7 +288,7 @@ function storeAttributeCSV($data)
//updates the attribute values in participant_attribute_values
function saveAttributeValue($data)
{
Yii::app()->db->createCommand()->update('{{participant_attribute_values}}', $data, "attribute_id='{$data['attribute_id']}' AND value_id='{$data['value_id']}'");
Yii::app()->db->createCommand()->update('{{participant_attribute_values}}', $data, "attribute_id = :attribute_id AND value_id = :value_id")->bindParam(":attribute_id", $data['attribute_id'], PDO::PARAM_INT)->bindParam(":value_id", $data['value_id'], PDO::PARAM_INT);
}

function saveAttributeVisible($attid,$visiblecondition)
Expand All @@ -300,7 +300,7 @@ function saveAttributeVisible($attid,$visiblecondition)
{
$data=array('visible'=>'FALSE');
}
Yii::app()->db->createCommand()->update('{{participant_attribute_names}}',$data,'attribute_id = '.$attribute_id[1]);
Yii::app()->db->createCommand()->update('{{participant_attribute_names}}',$data,'attribute_id = :attribute_id')->bindParam(":attribute_id", $attribute_id[1], PDO::PARAM_INT);
}

function getAttributeID()
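Review bot: Chaining `->bindParam(...)` onto `update()` and `delete()` does not work with Yii 1.1's CDbCommand, where both methods execute immediately and return the affected-row count, so `Yii::app()->db->createCommand()->update('{{participant_attribute}}',$data,'participant_id = :participant_id AND attribute_id = :attribute_id')->bindParam(...)` in editParticipantAttributeValue calls a method on an integer; the same pattern appears in delAttributeValues, both updates in saveAttribute, saveAttributeLanguages, saveAttributeValue and saveAttributeVisible. The values belong in the params argument, e.g. `->update('{{participant_attribute}}', $data, 'participant_id = :participant_id AND attribute_id = :attribute_id', array(':participant_id'=>$data['participant_id'], ':attribute_id'=>$data['attribute_id']));` and `->delete('{{participant_attribute_values}}', 'attribute_id = :attribute_id AND value_id = :value_id', array(':attribute_id'=>$attid, ':value_id'=>$valid));`. In storeAttribute, `'attribute_name'=> Yii::app()->db->quoteValue($data['attribute_name'])` is handed to insert(), which already parameterises column values, so the stored name would carry literal surrounding quotes and escaping; drop the quoteValue. The old conditions quoted participant_id as a string (`participant_id = "..."`) while the new bindParam calls use PDO::PARAM_INT for it; if that column is not numeric the id is coerced, so confirm the column type before keeping PARAM_INT. getAttributes and saveAttribute still interpolate `Yii::app()->session['adminlang']` into their conditions; the value is session-controlled, but binding it as `:lang` would leave the file with no concatenated SQL at all.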

