Skip to content

Commit

Permalink
FIX SQL injection on rowid of dict.php
Browse files Browse the repository at this point in the history
  • Loading branch information
@eldy
eldy committed Jan 10, 2019
1 parent 0d9367b commit 1aa2b7a
Showing 1 changed file with 11 additions and 11 deletions.
22 changes: 11 additions & 11 deletions htdocs/admin/dict.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -794,7 +794,7 @@
else $sql.="'".$db->escape($_POST[$listfieldvalue[$i]])."'";
$i++;
}
$sql.= " WHERE ".$rowidcol." = '".$rowid."'";
$sql.= " WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
if (in_array('entity', $listfieldmodify)) $sql.= " AND entity = '".getEntity($tabname[$id])."'";

dol_syslog("actionmodify", LOG_DEBUG);
Expand All @@ -818,7 +818,7 @@
if ($tabrowid[$id]) { $rowidcol=$tabrowid[$id]; }
else { $rowidcol="rowid"; }

$sql = "DELETE FROM ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : '');
$sql = "DELETE FROM ".$tabname[$id]." WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : '');

dol_syslog("delete", LOG_DEBUG);
$result = $db->query($sql);
Expand All @@ -842,7 +842,7 @@
else { $rowidcol="rowid"; }

if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : '');
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
Expand All @@ -862,7 +862,7 @@
else { $rowidcol="rowid"; }

if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : '');
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
Expand All @@ -882,7 +882,7 @@
else { $rowidcol="rowid"; }

if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : '');
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
Expand All @@ -902,7 +902,7 @@
else { $rowidcol="rowid"; }

if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'".($entity != '' ? " AND entity = " . (int) $entity : '');
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$db->escape($rowid)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
}
elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".dol_escape_htmltag($code)."'".($entity != '' ? " AND entity = " . (int) $entity : '');
Expand Down Expand Up @@ -967,7 +967,7 @@
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.$rowid.'&code='.urlencode($code).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'rowid='.urlencode($rowid).'&code='.urlencode($code).$paramwithsearch, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);

Expand Down Expand Up @@ -1367,8 +1367,8 @@

print '<td colspan="3" align="center">';
print '<div name="'.(! empty($obj->rowid)?$obj->rowid:$obj->code).'"></div>';
print '<input type="hidden" name="page" value="'.$page.'">';
print '<input type="hidden" name="rowid" value="'.$rowid.'">';
print '<input type="hidden" name="page" value="'.dol_escape_htmltag($page).'">';
print '<input type="hidden" name="rowid" value="'.dol_escape_htmltag($rowid).'">';
if (! is_null($withentity))
print '<input type="hidden" name="entity" value="'.$withentity.'">';
print '<input type="submit" class="button" name="actionmodify" value="'.$langs->trans("Modify").'">';
Expand Down Expand Up @@ -1622,14 +1622,14 @@
if ($id == 4)
{
print '<td align="center" class="nowrap">';
if ($iserasable) print '<a href="'.$url.'action='.$acts[$obj->favorite].'_favorite">'.$actl[$obj->favorite].'</a>';
if ($iserasable) print '<a class="reposition" href="'.$url.'action='.$acts[$obj->favorite].'_favorite">'.$actl[$obj->favorite].'</a>';
else print $langs->trans("AlwaysActive");
print '</td>';
}

// Active
print '<td align="center" class="nowrap">';
if ($canbedisabled) print '<a href="'.$url.'action='.$acts[$obj->active].'">'.$actl[$obj->active].'</a>';
if ($canbedisabled) print '<a class="reposition" href="'.$url.'action='.$acts[$obj->active].'">'.$actl[$obj->active].'</a>';
else
{
if (in_array($obj->code, array('AC_OTH','AC_OTH_AUTO'))) print $langs->trans("AlwaysActive");
Expand Down

0 comments on commit 1aa2b7a

Please sign in to comment.