FIX SQL injection
eldy committed Sep 6, 2017
1 parent 032f54d commit 33e2179
Showing 7 changed files with 27 additions and 32 deletions.
2 changes: 2 additions & 0 deletions htdocs/core/lib/functions.lib.php
Expand Up @@ -6199,6 +6199,8 @@ function natural_search($fields, $value, $mode=0, $nofirstand=0)
{
global $db,$langs;

$value=trim($value);

if ($mode == 0)
{
$value=preg_replace('/\*/','%',$value); // Replace * with %
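Review bot: The added `$value=trim($value);` becomes a contract that a caller changed in this same commit relies on (don/list.php drops its own trim() around $search_amount), but the docblock of natural_search is not updated to say so; add to the parameter description `@param string $value Value to search for; surrounding whitespace is trimmed before the value is used`. Whether the trimmed value is escaped, or in mode 1 coerced to a number, before it is concatenated into SQL is decided further down in natural_search, and the function body runs past the end of this hunk, so that cannot be confirmed from here.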
6 changes: 3 additions & 3 deletions htdocs/don/card.php
Expand Up @@ -345,7 +345,7 @@

// Public note
print '<tr>';
print '<td class="border" valign="top">' . $langs->trans('NotePublic') . '</td>';
print '<td class="tdtop">' . $langs->trans('NotePublic') . '</td>';
print '<td>';

$doleditor = new DolEditor('note_public', $note_public, '', 80, 'dolibarr_notes', 'In', 0, false, true, ROWS_3, '90%');
Expand All @@ -355,7 +355,7 @@
// Private note
if (empty($user->societe_id)) {
print '<tr>';
print '<td class="border" valign="top">' . $langs->trans('NotePrivate') . '</td>';
print '<td class="tdtop">' . $langs->trans('NotePrivate') . '</td>';
print '<td>';

$doleditor = new DolEditor('note_private', $note_private, '', 80, 'dolibarr_notes', 'In', 0, false, true, ROWS_3, '90%');
Expand Down Expand Up @@ -542,7 +542,7 @@
$hselected='card';

$head = donation_prepare_head($object);
dol_fiche_head($head, $hselected, $langs->trans("Donation"), 0, 'generic');
dol_fiche_head($head, $hselected, $langs->trans("Donation"), -1, 'generic');

// Print form confirm
print $formconfirm;
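Review bot: The literal `-1` now passed as the fourth argument of dol_fiche_head (here, and in the same position in don/document.php, don/info.php and don/note.php) replaces `0` with nothing in the call site saying what either value selects, so all four calls read as magic numbers. The signature of dol_fiche_head is outside this diff, so take the meaning from its definition and put it next to the call, e.g. `dol_fiche_head($head, $hselected, $langs->trans("Donation"), -1, 'generic'); // -1: <meaning of this flag, see dol_fiche_head()>`, or use a named constant if the function declares one. The `valign="top"` to `class="tdtop"` edits in this section are unrelated to the injection fix in the commit title and would be easier to trace in a separate commit.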
18 changes: 9 additions & 9 deletions htdocs/don/document.php
Expand Up @@ -104,7 +104,7 @@

$head=donation_prepare_head($object);

dol_fiche_head($head, 'documents', $langs->trans("Donation"), 0, 'generic');
dol_fiche_head($head, 'documents', $langs->trans("Donation"), -1, 'generic');


// Construit liste des fichiers
Expand All @@ -116,7 +116,7 @@
}

$linkback = '<a href="'.DOL_URL_ROOT.'/don/list.php'.(! empty($socid)?'?socid='.$socid:'').'">'.$langs->trans("BackToList").'</a>';

$morehtmlref='<div class="refidno">';
// Project
if (! empty($conf->projet->enabled))
Expand Down Expand Up @@ -151,13 +151,13 @@
}
}
$morehtmlref.='</div>';


dol_banner_tab($object, 'rowid', $linkback, 1, 'rowid', 'ref', $morehtmlref);

print '<div class="fichecenter">';
print '<div class="underbanner clearboth"></div>';

print '<table class="border" width="100%">';

// Ref
Expand All @@ -166,7 +166,7 @@
print $form->showrefnav($object, 'id', $linkback, 1, 'rowid', 'ref', '');
print '</td></tr>';
*/

// Societe
//print "<tr><td>".$langs->trans("Company")."</td><td>".$object->client->getNomUrl(1)."</td></tr>";

Expand All @@ -175,9 +175,9 @@
print '</table>';

print '</div>';

print '<div class="clearboth"></div>';

dol_fiche_end();

$modulepart = 'don';
4 changes: 2 additions & 2 deletions htdocs/don/info.php
Expand Up @@ -67,7 +67,7 @@

$head = donation_prepare_head($object);

dol_fiche_head($head, 'info', $langs->trans("Donation"), 0, 'generic');
dol_fiche_head($head, 'info', $langs->trans("Donation"), -1, 'generic');

$linkback = '<a href="'.DOL_URL_ROOT.'/don/list.php'.(! empty($socid)?'?socid='.$socid:'').'">'.$langs->trans("BackToList").'</a>';

Expand Down Expand Up @@ -116,7 +116,7 @@
print '<table width="100%"><tr><td>';
dol_print_object_info($object);
print '</td></tr></table>';

print '</div>';

dol_fiche_end();
22 changes: 6 additions & 16 deletions htdocs/don/list.php
Expand Up @@ -42,7 +42,7 @@
if (! $sortorder) $sortorder="DESC";
if (! $sortfield) $sortfield="d.datedon";

$statut=isset($_GET["statut"])?$_GET["statut"]:"-1";
$statut=(GETPOST("statut",'intcomma')!='')?GETPOST("statut",'intcomma'):"-1";
$search_all=GETPOST('sall', 'alphanohtml');
$search_ref=GETPOST('search_ref','alpha');
$search_company=GETPOST('search_company','alpha');
Expand Down Expand Up @@ -90,13 +90,13 @@
$sql.= " p.rowid as pid, p.ref, p.title, p.public";
$sql.= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS p";
$sql.= " ON p.rowid = d.fk_projet WHERE 1 = 1";
if ($statut >= 0)
if ($statut != '' && $statut != '-1')
{
$sql .= " AND d.fk_statut = ".$statut;
$sql .= " AND d.fk_statut IN (".$statut.")";
}
if (trim($search_ref) != '')
{
$sql.= ' AND d.rowid LIKE \'%'.$db->escape(trim($search_ref)) . '%\'';
$sql.= natural_search('d.ref',$search_ref);
}
if (trim($search_all) != '')
{
Expand All @@ -110,7 +110,7 @@
{
$sql .= natural_search(array('d.lastname', 'd.firstname'), $search_name);
}
if ($search_amount) $sql.= natural_search(array('d.amount'), price2num(trim($search_amount)), 1);
if ($search_amount) $sql.= natural_search('d.amount', $search_amount, 1);

$sql.= $db->order($sortfield,$sortorder);
$nbtotalofrecords = '';
Expand All @@ -131,17 +131,7 @@
//if ($page > 0) $param.= '&page='.$page;
if ($optioncss != '') $param.='&optioncss='.$optioncss;

if ($statut >= 0)
{
$donationstatic->statut=$statut;
$label=$donationstatic->getLibStatut(0);
print_barre_liste($langs->trans("Donations"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num,$nbtotalofrecords);
}
else
{
print_barre_liste($langs->trans("Donations"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num,$nbtotalofrecords);
}

print_barre_liste($langs->trans("Donations"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num,$nbtotalofrecords);

print '<form method="get" action="'.$_SERVER["PHP_SELF"].'">'."\n";
if ($optioncss != '') print '<input type="hidden" name="optioncss" value="'.$optioncss.'">';
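Review bot: The new `$sql .= " AND d.fk_statut IN (".$statut.")";` trusts the shape of the `intcomma`-filtered string, and the guard on the line above it only rejects `''` and exactly `'-1'`; a value such as `1,` or `,` (commas are by definition what that filter lets through) passes the guard and yields an unparsable IN list, i.e. a database error surfaced to the user instead of a filtered result. Rebuild the list from explicitly integer-cast parts and skip the clause when nothing remains, as below; this also keeps the integer-only guarantee in this file rather than relying solely on GETPOST. The `$search_amount` line further down now hands the raw request value to natural_search() in mode 1 where it previously went through price2num(trim(...)); whether mode 1 casts or escapes the value is not visible in this hunk, so confirm it before relying on that simplification.
```php
// … unchanged: SELECT / FROM / JOIN assembly above …
$statut_ids = array_map('intval', array_filter(explode(',', $statut), 'strlen'));
if (count($statut_ids) && ! in_array(-1, $statut_ids))
{
    $sql .= " AND d.fk_statut IN (".implode(',', $statut_ids).")";
}
// … unchanged: search_ref / search_all / search_name filters …
```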
2 changes: 1 addition & 1 deletion htdocs/don/note.php
Expand Up @@ -84,7 +84,7 @@

$head = donation_prepare_head($object);

dol_fiche_head($head, 'note', $langs->trans("Donation"), 0, 'generic');
dol_fiche_head($head, 'note', $langs->trans("Donation"), -1, 'generic');

$linkback = '<a href="'.DOL_URL_ROOT.'/don/list.php'.(! empty($socid)?'?socid='.$socid:'').'">'.$langs->trans("BackToList").'</a>';

5 changes: 4 additions & 1 deletion htdocs/install/mysql/migration/5.0.0-6.0.0.sql
Expand Up @@ -24,6 +24,8 @@
-- -- VPGSQL8.2 DELETE FROM llx_usergroup_user WHERE fk_user NOT IN (SELECT rowid from llx_user);
-- -- VMYSQL4.1 DELETE FROM llx_usergroup_user WHERE fk_usergroup NOT IN (SELECT rowid from llx_usergroup);



ALTER TABLE llx_holiday_config MODIFY COLUMN name varchar(128);

ALTER TABLE llx_supplier_proposaldet CHANGE COLUMN fk_askpricesupplier fk_supplier_proposal integer NOT NULL;
Expand Down Expand Up @@ -326,7 +328,8 @@ ALTER TABLE llx_expensereport_det ADD COLUMN vat_src_code varchar(10) DEFAULT '

DELETE FROM llx_const WHERE name = __ENCRYPT('ADHERENT_BANK_USE_AUTO')__;

UPDATE llx_const SET value = __ENCRYPT('moono-lisa')__ WHERE value = __ENCRYPT('moono')__ AND name = __ENCRYPT('FCKEDITOR_SKIN')__;
UPDATE llx_const SET value = __ENCRYPT('moono-lisa')__ WHERE value = __ENCRYPT('moono')__ AND name = __ENCRYPT('FCKEDITOR_SKIN')__;
DELETE FROM llx_document_model where nom = 'fsfe.fr.php' and type='donation';

ALTER TABLE llx_product_price ADD COLUMN default_vat_code varchar(10) AFTER tva_tx;
ALTER TABLE llx_product_fournisseur_price ADD COLUMN default_vat_code varchar(10) AFTER tva_tx;
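Review bot: The added `DELETE FROM llx_document_model where nom = 'fsfe.fr.php' and type='donation';` mixes lowercase `where`/`and` into a file whose neighbouring statements (the `DELETE FROM llx_const` and `UPDATE llx_const` lines just above it) write keywords in uppercase; write it as `DELETE FROM llx_document_model WHERE nom = 'fsfe.fr.php' AND type = 'donation';`. The statement also has nothing to do with the injection fix this commit is titled for, so a one-line `-- ` comment stating why the fsfe.fr donation document model is dropped in the 5.0.0-6.0.0 migration would help whoever reads the migration later. The two blank lines added near the top of the file are noise and can be dropped.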

1 comment on commit 33e2179


@eldy eldy commented on 33e2179 Sep 7, 2017


FIX SQL injection on don/list.php parameter statut. Discovered by ADLab of Venustech.
