More Fix for #1272: SQL injection point when checking tokens
git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/stable_plus@3359 b72ed6b6-b9f8-46b5-92b4-906544132732
Thibault Le Meur committed Oct 8, 2007
1 parent 57f88bf commit ddc1f4a
Showing 1 changed file with 5 additions and 5 deletions.
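--- a/index.php
+++ b/index.php
@@ -450,7 +450,7 @@ function loadanswers()
 function getTokenData($surveyid, $token)
 {
 global $dbprefix, $connect;
-$query = "SELECT * FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='$token'";
+$query = "SELECT * FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".db_quote($token)."'";
 $result = db_execute_assoc($query) or die("Couldn't get token info in getTokenData()<br />".$query."<br />".htmlspecialchars($connect->ErrorMsg()));
 while($row=$result->FetchRow())
 {
@@ -902,12 +902,12 @@ function submittokens()
 {
 $utquery .= "SET completed='Y'\n";
 }
-$utquery .= "WHERE token='{$_POST['token']}'";
+$utquery .= "WHERE token='".db_quote($_POST['token'])."'";
 
 $utresult = $connect->Execute($utquery) or die ("Couldn't update tokens table!<br />\n$utquery<br />\n".htmlspecialchars($connect->ErrorMsg()));
 
 // TLR change to put date into sent and completed
-$cnfquery = "SELECT * FROM ".db_table_name("tokens_$surveyid")." WHERE token='{$_POST['token']}' AND completed!='N' AND completed!=''";
+$cnfquery = "SELECT * FROM ".db_table_name("tokens_$surveyid")." WHERE token='".db_quote($_POST['token'])."' AND completed!='N' AND completed!=''";
 
 $cnfresult = db_execute_assoc($cnfquery);
 while ($cnfrow = $cnfresult->FetchRow())
@@ -1110,7 +1110,7 @@ function buildsurveysession()
 elseif ($tokensexist == 1 && returnglobal('token'))
 {
 //check if token actually does exist
-$tkquery = "SELECT COUNT(*) FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".trim(returnglobal('token'))."' AND (completed = 'N' or completed='')";
+$tkquery = "SELECT COUNT(*) FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".db_quote(trim(returnglobal('token')))."' AND (completed = 'N' or completed='')";
 $tkresult = db_execute_num($tkquery);
 list($tkexist) = $tkresult->FetchRow();
 if (!$tkexist)
@@ -1146,7 +1146,7 @@ function buildsurveysession()
 
 if (isset($_GET['token'])){
 //get language from token (if one exists)
-$tkquery2 = "SELECT * FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".trim(returnglobal('token'))."' AND (completed = 'N' or completed='')";
+$tkquery2 = "SELECT * FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".db_quote(trim(returnglobal('token')))."' AND (completed = 'N' or completed='')";
 //echo $tkquery2;
 $result = db_execute_assoc($tkquery2) or die ("Couldn't get tokens<br />$tkquery<br />".htmlspecialchars($connect->ErrorMsg()));
 while ($rw = $result->FetchRow())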
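Review bot: The token is now escaped at all five call sites, but `$surveyid` is still concatenated into the table name (`db_table_name('tokens_'.$surveyid)`) in every one of these queries, and nothing in the visible hunks constrains it to an integer; if it can come from the request it should be cast before the query is built, e.g. `$surveyid = (int)$surveyid;`. The `die()` branches in getTokenData(), submittokens() and buildsurveysession() also print the full query text into the page without `htmlspecialchars()`, so the request-supplied token is reflected as HTML and the SQL is disclosed whenever a query fails; wrapping the query the same way the error message already is, or logging it server-side instead, would close that. The last `die()` prints `$tkquery` where `$tkquery2` is the query that actually ran. All of these functions start and end outside the hunks, so earlier validation of these values cannot be ruled out from here.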
