fixed and commented on some of the potential sql injection vectors
Chris Hines committed Sep 4, 2014
1 parent d89b26f commit f8e4ecf
Showing 7 changed files with 43 additions and 30 deletions.
5 changes: 0 additions & 5 deletions ToCheck.txt
@@ -1,8 +1,3 @@
auth: $sql = "SELECT Handle, Name, Profile_Text, Avatar, Email_Addr, Activated FROM Users WHERE ID='$UID'";
evaluate_cookie: $sql = "SELECT SessionKey, UserID, IP FROM Session WHERE SessionKey='$e_key'";
evaluate_password: $sql = "SELECT Handle, Email_Addr, Password_Hash FROM Users WHERE Handle='$e_uname' || Email_Addr='$e_uname'";
evaluate_signup: $sql = "SELECT Email_Addr FROM Users WHERE Email_Addr='$e_email'";
evaluate_signup: $sql = "SELECT Handle FROM Users WHERE Handle='$e_uname'";
klattr_retrieve_queries: $sql = "SELECT ID, Subscribed_To FROM Users WHERE Handle='$profileID'";
klattr_retrieve_queries: $sql = "SELECT ID, Handle, Name, Profile_Text FROM Users WHERE Handle REGEXP '" . $sub_regexp . "' " . $oldest_text . "AND Activated = '1' ORDER BY ID DESC LIMIT 0, 10";
klattr_retrieve_queries: $sql = "SELECT Povs.Recipient, Povs.Num_Replies, Povs.ID, Povs.Title, Povs.Tags, Povs.Data, Povs.Private, Povs.Time_Posted, Povs.Waveform, Users.Handle FROM Users INNER JOIN Povs ON Povs.Poster=Users.ID WHERE Povs.Parent_ID='$parentId' AND Povs.Private='0' AND Users.Activated = '1' ORDER BY ID DESC LIMIT 0, 10";
44 changes: 20 additions & 24 deletions www/ht_docs/do_profile_text_edit.php
@@ -1,30 +1,26 @@
<?php
if (isset($_COOKIE['session_auth'])) {
include "/data/klattr.com/www/includes/open_db";
include "/data/klattr.com/www/includes/evaluate_cookie";
$ip = $_SERVER['HTTP_X_REAL_IP'];
if ($ip == "") {
$ip = $_SERVER['REMOTE_ADDR'];
include "/data/klattr.com/www/includes/auth";
if ($auth == 1) {
$profileText = $_POST["profileText"];
$profileURL = $_POST["webAddress"];
$senduname = $_POST["senduname"];
if(strpos($profileURL, 'http') !== 0) {
$profileURL = "http://" . $profileURL;
}
$cookie_key = $_COOKIE['session_auth'];
$UID = evaluate_cookie($cookie_key, $ip);
if ($UID !== 0) {
$profileText = $_POST["profileText"];
$profileURL = $_POST["webAddress"];
$senduname = $_POST["senduname"];
$profileText = htmlspecialchars($profileText);
$profileText = addslashes($profileText);
if(strpos($profileURL, 'http') !== 0) {
$profileURL = "http://" . $profileURL;
}
if(!filter_var($profileURL, FILTER_VALIDATE_URL, FILTER_FLAG_HOST_REQUIRED)) {
$profileURL = "";
}
$sql = "UPDATE Users SET Website_Addr='$profileURL', Profile_Text='$profileText' WHERE ID='$UID'";
mysqli_query($con,$sql);
header( "Location: https://klattr.com/$senduname" );
if(!filter_var($profileURL, FILTER_VALIDATE_URL, FILTER_FLAG_HOST_REQUIRED)) {
$profileURL = "";
}
} else {
/*Sanitize the vars that are going into the database*/
$profileText = htmlspecialchars($profileText);
$profileText = addslashes($profileText);
$profileURL = htmlspecialchars($profileURL);
$profileURL = addslashes($profileURL);


$sql = "UPDATE Users SET Website_Addr='$profileURL', Profile_Text='$profileText' WHERE ID='$UID'";
mysqli_query($con,$sql);
header( "Location: https://klattr.com/$senduname" );
} else {
header( 'Location: https://klattr.com' );
}
?>
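Review bot: The rewritten UPDATE at `$sql = "UPDATE Users SET Website_Addr='$profileURL', Profile_Text='$profileText' WHERE ID='$UID'";` still interpolates request data into the query, and `addslashes` is not a connection-charset-aware escape, so the commit title overstates what is fixed; at minimum use `mysqli_real_escape_string($con, ...)`, and preferably a prepared statement: `$stmt = mysqli_prepare($con, "UPDATE Users SET Website_Addr=?, Profile_Text=? WHERE ID=?");` `mysqli_stmt_bind_param($stmt, "sss", $profileURL, $profileText, $UID);` `mysqli_stmt_execute($stmt);`. Applying `htmlspecialchars` before storage also bakes output encoding into the database, so the text is double-encoded if the page that renders it escapes again; escape at output time instead. The return value of `mysqli_query($con,$sql)` is never checked, so a failed update still redirects as if it had succeeded. The same addslashes/htmlspecialchars pattern recurs in the do_signup.php, auth, evaluate_password and evaluate_signup hunks. Because this rendered diff has lost its +/- markers, I am reading the second copy of each duplicated line as the new side.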
6 changes: 5 additions & 1 deletion www/ht_docs/do_signup.php
Expand Up @@ -75,9 +75,13 @@
$row = mysqli_fetch_array($sql_result);
$UID = $row['ID'];
$session_date = date("Y-m-d h:i:s");
setcookie ("session_auth", $randkey, $expire_time, "/", ".klattr.com");
/*make sure the cookie in the database matches sanitized cookie from user*/
$randkey = htmlspecialchars($randkey);
$randkey = addslashes($randkey);

$sql = "INSERT INTO Session (SessionKey, UserID, IP, Date) VALUES ('$randkey','$UID','$ip','$session_date')";
mysqli_query($con,$sql);
setcookie ("session_auth", $randkey, $expire_time, "/", ".klattr.com");
$uname = $username;
$rname = $name;
$uEmailAddr = $email;
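Review bot: Escaping `$randkey` with `htmlspecialchars` and `addslashes` before both the INSERT and the moved `setcookie` call can make the cookie and the stored key differ: MySQL strips the backslashes that `addslashes` adds when it stores the value, but the cookie is sent with them, so a key containing a quote or backslash would never match on the next request. If `$randkey` is generated from a hex or alphanumeric alphabet (its construction is outside this hunk) both calls are no-ops and can simply be dropped; otherwise generate it from a safe alphabet and bind it with a prepared statement rather than escaping a server-generated token. `$ip` and `$session_date` are interpolated into the same INSERT unescaped; `$ip` in particular should be treated as untrusted if it can come from a request header, as the `HTTP_X_REAL_IP` fallback in do_profile_text_edit.php suggests. The comment `make sure the cookie in the database matches sanitized cookie from user` describes the opposite of what the code guarantees and should be reworded or removed once the value is bound.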
4 changes: 4 additions & 0 deletions www/includes/auth
Expand Up @@ -7,6 +7,10 @@ if (isset($_COOKIE['session_auth'])) {
$ip = $_SERVER['REMOTE_ADDR'];
}
$cookie_key = $_COOKIE['session_auth'];
/* Sanitize $cookie_key */
$cookie_key = htmlspecialchars($cookie_key);
$cookie_key = addslashes($cookie_key);

$UID = evaluate_cookie($cookie_key, $ip);
if ($UID !== 0) {
/* $UID is now an SQL injection attack
1 change: 1 addition & 0 deletions www/includes/evaluate_cookie
Expand Up @@ -4,6 +4,7 @@ function evaluate_cookie ($e_key, $e_ip) {

/*
what is $e_key ? - should check it - SQL injection.
-It is the key from the cookie, it is sanitized before this function call.
*/

$sql = "SELECT SessionKey, UserID, IP FROM Session WHERE SessionKey='$e_key'";
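Review bot: The added comment `It is the key from the cookie, it is sanitized before this function call.` documents a precondition this function cannot verify, and the query at `$sql = "SELECT SessionKey, UserID, IP FROM Session WHERE SessionKey='$e_key'";` still interpolates `$e_key`; a function that builds SQL should do its own binding rather than rely on every caller having escaped the argument. Assuming `$con` is the connection in scope here as it is in evaluate_password, replace the interpolation with `$stmt = mysqli_prepare($con, "SELECT SessionKey, UserID, IP FROM Session WHERE SessionKey=?");` `mysqli_stmt_bind_param($stmt, "s", $e_key);` `mysqli_stmt_execute($stmt);` and adapt the fetch below to `mysqli_stmt_get_result` or `mysqli_stmt_bind_result`. The caller-side escaping in auth can then be dropped so the stored and presented keys are compared byte for byte. The rest of evaluate_cookie, including how the result is fetched, lies outside this hunk.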
8 changes: 8 additions & 0 deletions www/includes/evaluate_password
Expand Up @@ -2,6 +2,14 @@

function evaluate_password ($e_uname, $e_password) {
global $con;

/*sanitize variables before sql injection*/

$e_uname = htmlspecialchars($e_uname);
$e_uname = addslashes($e_uname);
$e_password = htmlspecialchars($e_password);
$e_password = addslashes($e_password);

$sql = "SELECT Handle, Email_Addr, Password_Hash FROM Users WHERE Handle='$e_uname' || Email_Addr='$e_uname'";
$sql_result = mysqli_query($con,$sql);
$row = mysqli_fetch_array($sql_result);
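Review bot: Applying `htmlspecialchars` and `addslashes` to `$e_password` changes the password bytes before it is used, so if the rest of the function (outside this hunk) hashes `$e_password` and compares it with `Password_Hash`, any password containing `&`, `<`, `>`, `"` or a backslash will no longer verify against a hash made from the raw value, and hashes made after this change will depend on PHP's escaping rules rather than on what the user typed. The password never goes into the visible query `$sql = "SELECT Handle, Email_Addr, Password_Hash FROM Users WHERE Handle='$e_uname' || Email_Addr='$e_uname'";`, so the two calls on `$e_password` should be removed. `$e_uname` should be bound with a prepared statement (`WHERE Handle=? || Email_Addr=?`, bound twice with type `"ss"`) instead of escaped with `addslashes`, which is not charset-aware. The comment `sanitize variables before sql injection` reads as if the injection is the goal; `escape inputs before they are placed in the query` says what is meant.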
5 changes: 5 additions & 0 deletions www/includes/evaluate_signup
Expand Up @@ -41,6 +41,11 @@ function evaluate_pass ($e_pass) {
}

function evaluate_uname ($e_uname) {

// sanitize before injection
$e_uname = htmlspecialchars($e_uname);
$e_uname = addslashes($e_uname);

global $con;
if (preg_match("/^[a-zA-Z0-9_]+$/",$e_uname)) {
$sql = "SELECT Handle FROM Users WHERE Handle='$e_uname'";
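Review bot: The new escaping of `$e_uname` runs before the allow-list check `preg_match("/^[a-zA-Z0-9_]+$/",$e_uname)`, which already rejects every character `addslashes` or `htmlspecialchars` would alter, so the two added lines are dead code on the path that reaches the query; the regex is the real control and the lines should be dropped or replaced by binding inside the branch. That check has its own gap: `$` also matches before a trailing newline, so a handle followed by a newline passes and reaches the query with the newline attached; anchor with `\z` instead, `if (preg_match("/^[a-zA-Z0-9_]+\z/", $e_uname)) {`, or add the `D` modifier. `global $con;` now sits after the new statements; keep the declaration at the top of the function as evaluate_password does. The function continues past the end of the hunk.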
