Added input cleaning to the bug history (another SQL poisoning attack…
…). Reformatted code in bugnote_set_view_state.php git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@1188 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Jeroen Latour
committed
Aug 12, 2002
1 parent
2e841fb
commit 36ed5a4
Showing
3 changed files
with
95 additions
and
20 deletions.
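--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1 +1,76 @@
-<?php # Mantis - a php based bugtracking system # Copyright (C) 2000, 2001 Kenzaburo Ito - kenito@300baud.org # This program is distributed under the terms and conditions of the GPL # See the files README and LICENSE for details ########################################################################### # History API ########################################################################### # -------------------- # log the changes (old / new value are supplied to reduce db access) # events should be logged *after* the modification function history_log_event_direct( $p_bug_id, $p_field_name, $p_old_value, $p_new_value, $p_user_id = 0 ) { global $g_mantis_bug_history_table; # Only log events that change the value if ( $p_new_value != $p_old_value ) { $c_user_id = (integer)$p_user_id; if ( 0 == $c_user_id ) { $c_user_id = get_current_user_field( 'id' ); }; $query = "INSERT INTO $g_mantis_bug_history_table ( user_id, bug_id, date_modified, field_name, old_value, new_value ) VALUES ( '$c_user_id', '$p_bug_id', NOW(), '$p_field_name', '$p_old_value', '$p_new_value' )"; $result = db_query( $query ); } } # -------------------- # log the changes # events should be logged *after* the modification function history_log_event( $p_bug_id, $p_field_name, $p_old_value ) { history_log_event_direct( $p_bug_id, $p_field_name, $p_old_value, get_bug_field( $p_bug_id, $p_field_name ) ); } # -------------------- # log the changes # events should be logged *after* the modification # These are special case logs (new bug, deleted bugnote, etc.) function history_log_event_special( $p_bug_id, $p_type, $p_optional='', $p_optional2='' ) { global $g_mantis_bug_history_table; $p_optional = string_prepare_text( $p_optional ); $t_user_id = get_current_user_field( 'id' ); $query = "INSERT INTO $g_mantis_bug_history_table ( user_id, bug_id, date_modified, type, old_value, new_value ) VALUES ( '$t_user_id', '$p_bug_id', NOW(), '$p_type', '$p_optional', '$p_optional2' )"; $result = db_query( $query ); } # -------------------- # return all bug history for a given bug id ordered by date function history_get_events( $p_bug_id ) { global $g_mantis_bug_history_table, $g_mantis_user_table; $query = "SELECT b.*, u.username FROM $g_bug_history_table b LEFT JOIN $g_mantis_user_table u ON b.user_id=u.id WHERE bug_id='$p_bug_id' ORDER BY date_modified DESC"; $result = db_query( $query ); } # --------------------?>
+<?php
+# Mantis - a php based bugtracking system
+# Copyright (C) 2000, 2001 Kenzaburo Ito - kenito@300baud.org
+# This program is distributed under the terms and conditions of the GPL
+# See the files README and LICENSE for details
+
+###########################################################################
+# History API
+###########################################################################
+
+# --------------------
+# log the changes (old / new value are supplied to reduce db access)
+# events should be logged *after* the modification
+function history_log_event_direct( $p_bug_id, $p_field_name, $p_old_value, $p_new_value, $p_user_id = 0 ) {
+global $g_mantis_bug_history_table;
+
+# Only log events that change the value
+if ( $p_new_value != $p_old_value ) {
+$c_field_name = string_prepare_text( $p_field_name );
+$c_old_value = string_prepare_text( $p_old_value );
+$c_new_value = string_prepare_text( $p_new_value );
+$c_bug_id = (integer)$p_bug_id;
+$c_user_id = (integer)$p_user_id;
+if ( 0 == $c_user_id ) {
+$c_user_id = get_current_user_field( 'id' );
+};
+
+$query = "INSERT INTO $g_mantis_bug_history_table
+( user_id, bug_id, date_modified, field_name, old_value, new_value )
+VALUES
+( '$c_user_id', '$c_bug_id', NOW(), '$c_field_name', '$c_old_value', '$c_new_value' )";
+$result = db_query( $query );
+}
+}
+# --------------------
+# log the changes
+# events should be logged *after* the modification
+function history_log_event( $p_bug_id, $p_field_name, $p_old_value ) {
+history_log_event_direct( $p_bug_id, $p_field_name, $p_old_value, get_bug_field( $p_bug_id, $p_field_name ) );
+}
+# --------------------
+# log the changes
+# events should be logged *after* the modification
+# These are special case logs (new bug, deleted bugnote, etc.)
+function history_log_event_special( $p_bug_id, $p_type, $p_optional='', $p_optional2='' ) {
+global $g_mantis_bug_history_table;
+
+$c_bug_id = (integer)$c_bug_id;
+$c_type = (integer)$c_type;
+$c_optional = string_prepare_text( $p_optional );
+$c_optional2 = string_prepare_text( $p_optional2 );
+$t_user_id = get_current_user_field( 'id' );
+
+$query = "INSERT INTO $g_mantis_bug_history_table
+( user_id, bug_id, date_modified, type, old_value, new_value )
+VALUES
+( '$t_user_id', '$c_bug_id', NOW(), '$c_type', '$c_optional', '$c_optional2' )";
+$result = db_query( $query );
+}
+# --------------------
+# return all bug history for a given bug id ordered by date
+function history_get_events( $p_bug_id ) {
+global $g_mantis_bug_history_table, $g_mantis_user_table;
+
+$c_bug_id = (integer)$p_bug_id;
+
+$query = "SELECT b.*, u.username
+FROM $g_bug_history_table b
+LEFT JOIN $g_mantis_user_table u
+ON b.user_id=u.id
+WHERE bug_id='$c_bug_id'
+ORDER BY date_modified DESC";
+$result = db_query( $query );
+}
+# --------------------
+?>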
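Review bot: In history_log_event_special the two new casts read variables that are never assigned, `$c_bug_id = (integer)$c_bug_id;` and `$c_type = (integer)$c_type;`, so both evaluate to 0 and every special-event row is inserted with bug_id 0 and type 0 while the real parameters are silently dropped. They should read the parameters instead: `$c_bug_id = (integer)$p_bug_id;` and `$c_type = (integer)$p_type;`. In history_get_events the query names `$g_bug_history_table` although the global imported two lines above is `$g_mantis_bug_history_table`, which leaves the FROM clause empty, and the function never returns `$result`; both predate this commit (the removed line carries the same text) but they leave the function unusable. The integer casts and string_prepare_text() calls are the input cleaning this commit introduces, so a cast that targets the wrong variable is exactly the gap it meant to close.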