Added validation checks for all inputs that are passed on to database…

… queries. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@993 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · May 20, 2002 · cecfba7 · cecfba7
1 parent 7dde2fe
commit cecfba7
Show file tree

Hide file tree

Showing 60 changed files with 229 additions and 55 deletions.
diff --git a/account_prefs_update.php b/account_prefs_update.php
@@ -93,8 +93,13 @@
 	} else {
 		$f_email_on_priority = 1;
 	}
+
+  $f_project_id = (integer)$f_project_id;
+  $f_language = addslashes($f_language);
+  $f_redirect_delay = (integer)$f_redirect_delay;
 
 	# make sure the delay isn't too low
+  $f_refresh_delay = (integer)$f_refresh_delay;
 	if (( $g_min_refresh_delay > $f_refresh_delay )&&
 		( $f_refresh_delay != 0 )) {
 		$f_refresh_delay = $g_min_refresh_delay;

diff --git a/account_prof_delete.php b/account_prof_delete.php
@@ -22,6 +22,7 @@
 	}
 
 	$f_user_id = get_current_user_field( "id" );
+  $f_id = (integer)$f_id;
 
 	# Delete the profile
 	$query = "DELETE

diff --git a/account_prof_edit_page.php b/account_prof_edit_page.php
@@ -22,6 +22,7 @@
 	}
 
 	$f_user_id = get_current_user_field( "id" );
+  $f_id = (integer)$f_id;
 
 	# If deleteing profile redirect to delete script
 	if ( "delete" == $f_action) {

diff --git a/account_prof_make_default.php b/account_prof_make_default.php
@@ -22,6 +22,7 @@
 	}
 
 	$f_user_id = get_current_user_field( "id" );
+  $f_id = (integer)$f_id;
 
 	# Clear Defaults
 	$query = "UPDATE $g_mantis_user_pref_table

diff --git a/account_prof_update.php b/account_prof_update.php
@@ -22,6 +22,7 @@
 	}
 
 	$f_user_id = get_current_user_field( "id" );
+  $f_id = (integer)$f_id;
 
 	# " character poses problem when editting so let's just convert them
 	$f_platform		= string_prepare_text( $f_platform );

diff --git a/bug_assign.php b/bug_assign.php
@@ -19,6 +19,7 @@
 	project_access_check( $f_id );
 	check_access( DEVELOPER );
 	check_bug_exists( $f_id );
+  $f_id = (integer)$f_id;
 
     $t_ass_val = ASSIGNED;
 

diff --git a/bug_close.php b/bug_close.php
@@ -15,6 +15,7 @@
 	project_access_check( $f_id );
 	check_access( UPDATER );
 	check_bug_exists( $f_id );
+  $f_id = (integer)$f_id;
 
 	$t_handler_id = get_current_user_field( "id " );
 

diff --git a/bug_delete.php b/bug_delete.php
@@ -15,6 +15,8 @@
 	project_access_check( $f_id );
 	check_access( DEVELOPER );
 	check_bug_exists( $f_id );
+  $f_id = (integer)$f_id;
+  $f_bug_text_id = (integer)$f_bug_text_id;
 
 	# Delete the bug entry
 	$query = "DELETE

diff --git a/bug_file_add.php b/bug_file_add.php
@@ -14,6 +14,9 @@
 	project_access_check( $f_id );
 	check_access( REPORTER );
 
+  $f_id = (integer)$f_id;
+  $f_file_type = addslashes($f_file_type);
+
 	$result = 0;
 	$good_upload = 0;
 	$disallowed = 0;

diff --git a/bug_file_delete.php b/bug_file_delete.php
@@ -13,6 +13,8 @@
 	db_connect( $g_hostname, $g_db_username, $g_db_password, $g_database_name );
 	project_access_check( $f_id );
 	check_access( DEVELOPER );
+
+  $f_file_id = (integer)$f_file_id;
 
 	if ( DISK == $g_file_upload_method ) {
 		# grab the file name

diff --git a/bug_monitor.php b/bug_monitor.php
@@ -13,10 +13,12 @@
 <?php
 	db_connect( $g_hostname, $g_db_username, $g_db_password, $g_database_name );
 	project_access_check( $f_id );
-    $query = "SELECT view_state
-    		FROM $g_mantis_bug_table
-    		WHERE id='$f_id'";
-    $result = db_query( $query );
+  $f_id = (integer)$f_id;
+
+  $query = "SELECT view_state
+        		FROM $g_mantis_bug_table
+    		    WHERE id='$f_id'";
+  $result = db_query( $query );
 	$row = db_fetch_array( $result );
 	extract( $row, EXTR_PREFIX_ALL, "v" );
 	if ( PRIVATE == $v_view_state ) {

diff --git a/bug_reopen.php b/bug_reopen.php
@@ -15,6 +15,7 @@
 	project_access_check( $f_id );
 	check_access( DEVELOPER );
 	check_bug_exists( $f_id );
+  $f_id = (integer)$f_id;
 
 	$t_handler_id = get_current_user_field( "id" );
 

diff --git a/bug_resolve.php b/bug_resolve.php
@@ -15,6 +15,10 @@
 	project_access_check( $f_id );
 	check_access( DEVELOPER );
 	check_bug_exists( $f_id );
+
+  $f_id = (integer)$f_id;
+  $f_resolution = (integer)$f_resolution;
+  $f_duplicate_id = (integer)$f_duplicate_id;
 
 	$t_handler_id = get_current_user_field( "id" );
 

diff --git a/bug_update.php b/bug_update.php
@@ -14,18 +14,20 @@
 	project_access_check( $f_id );
 	check_access( UPDATER );
 	check_bug_exists( $f_id );
+  $f_id = (integer)$f_id;
 
 	# set variable to be valid if necessary
 	if ( !isset( $f_duplicate_id ) ) {
 		$f_duplicate_id = "";
 	}
+  $f_duplicate_id = (integer)$f_duplicate_id;
 
 	# grab the bug_text_id
-    $query = "SELECT bug_text_id
-    		FROM $g_mantis_bug_table
-    		WHERE id='$f_id'";
-    $result = db_query( $query );
-    $t_bug_text_id = db_result( $result, 0, 0 );
+  $query = "SELECT bug_text_id
+            FROM $g_mantis_bug_table
+            WHERE id='$f_id'";
+  $result = db_query( $query );
+  $t_bug_text_id = db_result( $result, 0, 0 );
 
 	# prevent warnings
 	if ( !isset( $f_os ) ) {
@@ -67,6 +69,19 @@
 	$f_summary					= string_prepare_text( $f_summary );
 	$f_description 				= string_prepare_textarea( $f_description );
 	$f_additional_information 	= string_prepare_textarea( $f_additional_information );
+
+  $f_status = (integer)$f_status;
+  $f_category = addslashes($f_category);
+  $f_severity = (integer)$f_severity;
+  $f_resolution = (integer)$f_resolution;
+  $f_projection = (integer)$f_projection;
+  $f_eta = (integer)$f_eta;
+  $f_priority = (integer)$f_priority;
+  $f_reproducibility = (integer)$f_reproducibility;
+  $f_status = (integer)$f_status;
+  $f_duplicate_id = (integer)$f_duplicate_id;
+  $f_handler_id = (integer)$f_handler_id;
+  $f_view_state = (integer)$f_view_state;
 
     if ( ( $f_handler_id != 0 ) AND ( NEW_ == $f_status ) ) {
         $f_status = ASSIGNED;

diff --git a/bug_update_advanced_page.php b/bug_update_advanced_page.php
@@ -18,6 +18,7 @@
 	project_access_check( $f_id );
 	check_access( UPDATER );
 	check_bug_exists( $f_id );
+  $f_id = (integer)$f_id;
 
     $query = "SELECT *, UNIX_TIMESTAMP(date_submitted) as date_submitted,
     		UNIX_TIMESTAMP(last_updated) as last_updated

diff --git a/bug_update_page.php b/bug_update_page.php
@@ -18,6 +18,7 @@
 	project_access_check( $f_id );
 	check_access( UPDATER );
 	check_bug_exists( $f_id );
+  $f_id = (integer)$f_id;
 
 	# grab data
     $query = "SELECT *, UNIX_TIMESTAMP(date_submitted) as date_submitted,

diff --git a/bug_vote_add.php b/bug_vote_add.php
@@ -10,6 +10,8 @@
 	db_connect( $g_hostname, $g_db_username, $g_db_password, $g_database_name );
 	project_access_check( $f_id );
 	check_access( REPORTER );
+  $f_id = (integer)$f_id;
+  $f_vote = (integer)$f_vote;
 
 	# increase vote count and update in table
 	$f_vote++;

diff --git a/bugnote_add.php b/bugnote_add.php
@@ -14,6 +14,7 @@
 	project_access_check( $f_id );
 	check_access( REPORTER );
 	check_bug_exists( $f_id );
+  $f_id = (integer)$f_id;
 
 	# get user information
 	$u_id = get_current_user_field( "id " );

diff --git a/bugnote_delete.php b/bugnote_delete.php
@@ -15,6 +15,7 @@
 	project_access_check( $f_id );
 	check_access( REPORTER );
 	check_bugnote_exists( $f_id );
+  $f_bugnote_id = (integer)$f_bugnote_id;
 
 	# grab the bugnote text id
 	$query = "SELECT bugnote_text_id

diff --git a/bugnote_edit_page.php b/bugnote_edit_page.php
@@ -27,6 +27,7 @@
 	} else {
 		print_header_redirect( $g_logout_page );
 	}
+  $f_bugnote_text_id = (integer)$f_bugnote_text_id;
 
 	# grab the bugnote text
   	$query = "SELECT note

diff --git a/bugnote_update.php b/bugnote_update.php
@@ -17,6 +17,7 @@
 	$f_bugnote_text = $f_bugnote_text."\n\n";
 	$f_bugnote_text = $f_bugnote_text.$s_edited_on.date( $g_normal_date_format );
 	$f_bugnote_text = string_prepare_textarea( $f_bugnote_text );
+  $f_bugnote_text_id = (integer)$f_bugnote_text_id;
     $query = "UPDATE $g_mantis_bugnote_text_table
     		SET note='$f_bugnote_text'
     		WHERE id='$f_bugnote_text_id'";

diff --git a/core_category_API.php b/core_category_API.php
@@ -12,6 +12,8 @@
 	# we do it this way because each different project can have the same category names
 	function is_duplicate_category( $p_project_id, $p_category ) {
 		global $g_mantis_project_category_table;
+    $p_project_id = (integer)$p_project_id;
+    $p_category = addslashes($p_category);
 
 		$query = "SELECT COUNT(*)
 				FROM $g_mantis_project_category_table
@@ -28,6 +30,8 @@ function is_duplicate_category( $p_project_id, $p_category ) {
 	# --------------------
 	function category_add( $p_project_id, $p_category ) {
 		global $g_mantis_project_category_table;
+    $p_project_id = (integer)$p_project_id;
+    $p_category = addslashes($p_category);
 
 		$query = "INSERT
 				INTO $g_mantis_project_category_table
@@ -39,6 +43,9 @@ function category_add( $p_project_id, $p_category ) {
 	# --------------------
 	function category_update( $p_project_id, $p_category, $p_orig_category ) {
 		global $g_mantis_project_category_table;
+    $p_project_id = (integer)$p_project_id;
+    $p_category = addslashes($p_category);
+    $p_orig_category = addslashes($p_orig_category);
 
 		$query = "UPDATE $g_mantis_project_category_table
 				SET category='$p_category'
@@ -49,6 +56,8 @@ function category_update( $p_project_id, $p_category, $p_orig_category ) {
 	# --------------------
 	function category_delete( $p_project_id, $p_category ) {
 		global $g_mantis_project_category_table;
+    $p_project_id = (integer)$p_project_id;
+    $p_category = addslashes($p_category);
 
 		$query = "DELETE
 				FROM $g_mantis_project_category_table
@@ -60,6 +69,7 @@ function category_delete( $p_project_id, $p_category ) {
 	# return all categories for the specified project id
 	function category_get_all( $p_project_id ) {
 		global $g_mantis_project_category_table;
+    $p_project_id = (integer)$p_project_id;
 
 		$query = "SELECT category
 				FROM $g_mantis_project_category_table

diff --git a/core_email_API.php b/core_email_API.php
@@ -70,6 +70,7 @@ function build_bcc_list( $p_bug_id, $p_notify_type ) {
 				$g_notify_developers_on_new,
 				$g_use_bcc, $g_use_phpMailer,
 				$g_mantis_bug_monitor_table;
+    $p_bug_id = (integer)$p_bug_id;
 
 		# setup the array of email entries
 		$send_arr = array();
@@ -255,6 +256,7 @@ function email_signup( $p_user_id, $p_password ) {
 			$s_new_account_greeting, $s_new_account_url,
 			$s_new_account_username, $s_new_account_password,
 			$s_new_account_message, $s_new_account_do_not_reply;
+    $p_user_id = (integer)$p_user_id;
 
 		$query = "SELECT username, email
 				FROM $g_mantis_user_table
@@ -280,6 +282,7 @@ function email_reset( $p_user_id, $p_password ) {
 		global 	$g_mantis_user_table, $g_path,
 				$s_reset_request_msg, $s_account_name_msg,
 				$s_news_password_msg;
+    $p_user_id = (integer)$p_user_id;
 
 		$query = "SELECT username, email
 				FROM $g_mantis_user_table
@@ -370,6 +373,7 @@ function email_build_bug_message( $p_bug_id ) {
 				$s_email_description,
 				$g_email_separator1,
 				$g_email_padding_length;
+    $p_bug_id = (integer)$p_bug_id;
 
 		$query = "SELECT *, UNIX_TIMESTAMP(date_submitted) as date_submitted,
 				UNIX_TIMESTAMP(last_updated) as last_updated
@@ -442,6 +446,7 @@ function email_build_bugnote_message( $p_bug_id ) {
 		global 	$g_mantis_bugnote_table, $g_mantis_bugnote_text_table,
 				$g_mantis_user_table, $g_complete_date_format,
 				$g_bugnote_order, $g_email_separator2;
+    $p_bug_id = (integer)$p_bug_id;
 
 		$t_message = "";