
Commit bae00c0

committed
fix: prevenzione sql injection
1 parent 00ac7e3 commit bae00c0

32 files changed

Lines changed: 77 additions & 77 deletions


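--- a/actions.php
+++ b/actions.php
@@ -554,7 +554,7 @@
 
 // Eliminazione
 elseif (!empty($customs)) {
-$dbo->query('DELETE FROM `zz_field_record` WHERE `id_record` = '.prepare($id_record).' AND `id_field` IN ('.implode(',', array_column($customs, 'id')).')');
+$dbo->query('DELETE FROM `zz_field_record` WHERE `id_record` = '.prepare($id_record).' AND `id_field` IN ('.implode(',', array_map('prepare', array_column($customs, 'id'))).')');
 }
 }
 }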
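Review bot: `array_map('prepare', array_column($customs, 'id'))` on line 557 quotes each id but still emits `IN ()` when the mapped list is empty, which MySQL rejects as a syntax error; `!empty($customs)` guards the array, not the presence of an `id` key in every element. A short guard keeps the statement well-formed, e.g. `$ids = array_map('prepare', array_column($customs, 'id')); if ($ids !== []) { $dbo->query(...); }`. The same empty-list case applies to the new `IN(...)` lists in modules/anagrafiche/ajax/search.php, modules/anagrafiche/ajax/select.php, modules/automezzi/bulk.php, modules/contratti/edit.php (line 333) and modules/dashboard/ajax.php; whether those lists can actually be empty is not visible here. If the project targets PHP 8.1+, the first-class callable `prepare(...)` is preferable to the string callable `'prepare'` at all of these call sites. The enclosing if/elseif chain begins outside the hunk.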
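--- a/modules/anagrafiche/ajax/search.php
+++ b/modules/anagrafiche/ajax/search.php
@@ -59,7 +59,7 @@
 $query .= ' FROM an_anagrafiche WHERE 1=0 ';
 
 foreach ($fields as $name => $value) {
-$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
+$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');
 }
 
 $query .= Modules::getAdditionalsQuery(Module::where('name', 'Anagrafiche')->first()->id);
@@ -101,10 +101,10 @@
 $query .= ', '.$value." AS '".str_replace("'", "\'", $name)."'";
 }
 
-$query .= ' FROM an_referenti LEFT JOIN an_mansioni ON an_referenti.idmansione=an_mansioni.id WHERE idanagrafica IN('.implode(',', $idanagrafiche).') ';
+$query .= ' FROM an_referenti LEFT JOIN an_mansioni ON an_referenti.idmansione=an_mansioni.id WHERE idanagrafica IN('.implode(',', array_map('prepare', $idanagrafiche)).') ';
 
 foreach ($fields as $name => $value) {
-$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
+$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');
 }
 
 $rs = $dbo->fetchArray($query);
@@ -156,10 +156,10 @@
 $query .= ', '.$value." AS '".str_replace("'", "\'", $name)."'";
 }
 
-$query .= ' FROM an_sedi WHERE idanagrafica IN('.implode(',', $idanagrafiche).') ';
+$query .= ' FROM an_sedi WHERE idanagrafica IN('.implode(',', array_map('prepare', $idanagrafiche)).') ';
 
 foreach ($fields as $name => $value) {
-$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
+$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');
 }
 
 $rs = $dbo->fetchArray($query);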
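Review bot: The new LIKE lines (62, 107, 162) quote `$term` but still concatenate `$value` as a raw column expression, so the fix holds only if `$fields` is a fixed server-side list; if its keys or values can be influenced by the request they need a whitelist or identifier quoting, and the alias on the context line 101 built with `str_replace("'", "\'", $name)` is hand-rolled quoting that should presumably go through `prepare()` as well. Separately, `prepare('%'.$term.'%')` makes the term safe as a string literal but leaves `%` and `_` inside it active as LIKE wildcards, so a term of `%` matches every row; if that is not intended, escape them before wrapping, e.g. `prepare('%'.addcslashes($term, '%_\\').'%')`, which assumes `prepare()` escapes backslashes for the literal. The same wildcard point applies to the LIKE clauses in modules/articoli/ajax/search.php, modules/contratti/ajax/search.php and modules/ddt/ajax/search.php. Where `$fields` and `$term` are populated is outside the hunks.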
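--- a/modules/anagrafiche/ajax/select.php
+++ b/modules/anagrafiche/ajax/select.php
@@ -489,7 +489,7 @@
 
 // filtro in base alle sedi abilitate dell'utente
 if ($user->gruppo != 'Amministratori') {
-$filter[] = '`id` IN('.implode(',', $user->sedi).')';
+$filter[] = '`id` IN('.implode(',', array_map('prepare', $user->sedi)).')';
 }
 
 if (!empty($search)) {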
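--- a/modules/articoli/ajax/complete.php
+++ b/modules/articoli/ajax/complete.php
@@ -65,9 +65,9 @@
 FROM
 `dt_righe_ddt`
 INNER JOIN `dt_ddt` ON `dt_ddt`.`id` = `dt_righe_ddt`.`idddt`
-INNER JOIN `dt_tipiddt` ON `dt_tipiddt`.`id` = `dt_ddt`.`idtipoddt`
-WHERE
-`idarticolo`='.$idarticolo.' AND
+INNER JOIN `dt_tipiddt` ON `dt_tipiddt`.`id` = `dt_ddt`.`idtipoddt`
+WHERE
+`idarticolo`='.prepare($idarticolo).' AND
 `dt_tipiddt`.`dir`="entrata" AND
 `idanagrafica`='.prepare($idanagrafica).'
 ORDER BY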
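--- a/modules/articoli/ajax/search.php
+++ b/modules/articoli/ajax/search.php
@@ -48,7 +48,7 @@
 $query .= ' FROM `mg_articoli` LEFT JOIN `mg_articoli_lang` ON (`mg_articoli`.`id` = `mg_articoli_lang`.`id_record` AND `mg_articoli_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') LEFT JOIN `mg_prodotti` ON `mg_prodotti`.`id_articolo` = `mg_articoli`.`id` LEFT JOIN (SELECT CASE WHEN COUNT(`mg_articoli_barcode`.`barcode`) <= 2 THEN GROUP_CONCAT(`mg_articoli_barcode`.`barcode` SEPARATOR \',\') ELSE CONCAT((SELECT GROUP_CONCAT(`b1`.`barcode` SEPARATOR \',\') FROM (SELECT `barcode` FROM `mg_articoli_barcode` `b2` WHERE `b2`.`idarticolo` = `mg_articoli_barcode`.`idarticolo` ORDER BY `b2`.`barcode` ASC) `b1`)) END AS `lista`, `mg_articoli_barcode`.`idarticolo` FROM `mg_articoli` LEFT JOIN `mg_articoli_barcode` ON `mg_articoli_barcode`.`idarticolo` = `mg_articoli`.`id` GROUP BY `mg_articoli`.`id`) AS `barcode` ON `barcode`.`idarticolo` = `mg_articoli`.`id` WHERE deleted_at IS NULL AND (1=0 ';
 
 foreach ($fields as $name => $value) {
-$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
+$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');
 }
 $query .= ') GROUP BY `mg_articoli`.`id`';
 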
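--- a/modules/automezzi/bulk.php
+++ b/modules/automezzi/bulk.php
@@ -34,7 +34,7 @@
 }
 
 // Selezione dei viaggi da stampare
-$viaggi = $dbo->fetchArray('SELECT id FROM an_sedi WHERE id IN('.implode(',', $id_records).')');
+$viaggi = $dbo->fetchArray('SELECT id FROM an_sedi WHERE id IN('.implode(',', array_map('prepare', $id_records)).')');
 $_SESSION[$id_module]['data_inizio'] = post('data_inizio');
 $_SESSION[$id_module]['data_fine'] = post('data_fine');
 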
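--- a/modules/contratti/ajax/search.php
+++ b/modules/contratti/ajax/search.php
@@ -98,7 +98,7 @@
 }
 
 // Recupero solo gli articoli che corrispondono al termine di ricerca con quantità e valori
-$articoli_query = 'SELECT CONCAT(COALESCE(`mg_articoli`.`codice`, ""), IF(`mg_articoli`.`codice` IS NOT NULL AND `mg_articoli_lang`.`title` IS NOT NULL, " - ", ""), COALESCE(`mg_articoli_lang`.`title`, "")) AS articolo, `co_righe_contratti`.`qta`, `co_righe_contratti`.`prezzo_unitario`, `co_righe_contratti`.`sconto`, `co_righe_contratti`.`subtotale` FROM co_righe_contratti LEFT JOIN `mg_articoli` ON `co_righe_contratti`.`idarticolo` = `mg_articoli`.`id` LEFT JOIN `mg_articoli_lang` ON (`mg_articoli`.`id` = `mg_articoli_lang`.`id_record` AND `mg_articoli_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `co_righe_contratti`.`idcontratto` = '.prepare($r['id']).' AND `mg_articoli`.`id` IS NOT NULL AND (CONCAT(COALESCE(`mg_articoli`.`codice`, ""), " - ", COALESCE(`mg_articoli_lang`.`title`, "")) LIKE "%'.$term.'%" OR `mg_articoli`.`codice` LIKE "%'.$term.'%" OR `mg_articoli_lang`.`title` LIKE "%'.$term.'%")';
+$articoli_query = 'SELECT CONCAT(COALESCE(`mg_articoli`.`codice`, ""), IF(`mg_articoli`.`codice` IS NOT NULL AND `mg_articoli_lang`.`title` IS NOT NULL, " - ", ""), COALESCE(`mg_articoli_lang`.`title`, "")) AS articolo, `co_righe_contratti`.`qta`, `co_righe_contratti`.`prezzo_unitario`, `co_righe_contratti`.`sconto`, `co_righe_contratti`.`subtotale` FROM co_righe_contratti LEFT JOIN `mg_articoli` ON `co_righe_contratti`.`idarticolo` = `mg_articoli`.`id` LEFT JOIN `mg_articoli_lang` ON (`mg_articoli`.`id` = `mg_articoli_lang`.`id_record` AND `mg_articoli_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `co_righe_contratti`.`idcontratto` = '.prepare($r['id']).' AND `mg_articoli`.`id` IS NOT NULL AND (CONCAT(COALESCE(`mg_articoli`.`codice`, ""), " - ", COALESCE(`mg_articoli_lang`.`title`, "")) LIKE '.prepare('%'.$term.'%').' OR `mg_articoli`.`codice` LIKE '.prepare('%'.$term.'%').' OR `mg_articoli_lang`.`title` LIKE '.prepare('%'.$term.'%').')';
 $articoli_rs = $dbo->fetchArray($articoli_query);
 
 $articoli = [];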
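--- a/modules/contratti/edit.php
+++ b/modules/contratti/edit.php
@@ -47,7 +47,7 @@
 {[ "type": "select", "label": "'.tr('Stato').'", "name": "idstato", "required": 1, "values": "query=SELECT `co_staticontratti`.`id`, `title` as `descrizione`, `colore` AS _bgcolor_ FROM `co_staticontratti` LEFT JOIN `co_staticontratti_lang` ON (`co_staticontratti`.`id` = `co_staticontratti_lang`.`id_record` AND `co_staticontratti_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') ORDER BY `title`", "value": "$idstato$", "class": "unblockable" ]}';
 } else {
 echo '
-{[ "type": "select", "label": "'.tr('Stato').'", "name": "idstato", "required": 1, "values": "query=SELECT `co_staticontratti`.`id`, `title` as `descrizione`, `colore` AS _bgcolor_ FROM `co_staticontratti` LEFT JOIN `co_staticontratti_lang` ON (`co_staticontratti`.`id` = `co_staticontratti_lang`.`id_record` AND `co_staticontratti_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `co_staticontratti`.`id` NOT IN ('.implode(',', [$id_stato_fatt, $id_stato_parz_fatt]).') ORDER BY `title`", "value": "$idstato$", "class": "unblockable" ]}';
+{[ "type": "select", "label": "'.tr('Stato').'", "name": "idstato", "required": 1, "values": "query=SELECT `co_staticontratti`.`id`, `title` as `descrizione`, `colore` AS _bgcolor_ FROM `co_staticontratti` LEFT JOIN `co_staticontratti_lang` ON (`co_staticontratti`.`id` = `co_staticontratti_lang`.`id_record` AND `co_staticontratti_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `co_staticontratti`.`id` NOT IN ('.implode(',', array_map('prepare', [$id_stato_fatt, $id_stato_parz_fatt])).') ORDER BY `title`", "value": "$idstato$", "class": "unblockable" ]}';
 }
 } else {
 echo '
@@ -330,7 +330,7 @@
 <div class="hide">';
 
 // Loop fra i tipi di attività e i relativi costi del tipo intervento (quelli a 0)
-$rs = $dbo->fetchArray('SELECT * FROM `co_contratti_tipiintervento` INNER JOIN `in_tipiintervento` ON `in_tipiintervento`.`id` = `co_contratti_tipiintervento`.`idtipointervento` LEFT JOIN `in_tipiintervento_lang` ON (`in_tipiintervento`.`id`=`in_tipiintervento_lang`.`id_record` AND `in_tipiintervento_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `co_contratti_tipiintervento`.`idtipointervento` NOT IN('.implode(',', $idtipiintervento).') AND `idcontratto`='.prepare($id_record).' ORDER BY `title`');
+$rs = $dbo->fetchArray('SELECT * FROM `co_contratti_tipiintervento` INNER JOIN `in_tipiintervento` ON `in_tipiintervento`.`id` = `co_contratti_tipiintervento`.`idtipointervento` LEFT JOIN `in_tipiintervento_lang` ON (`in_tipiintervento`.`id`=`in_tipiintervento_lang`.`id_record` AND `in_tipiintervento_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `co_contratti_tipiintervento`.`idtipointervento` NOT IN('.implode(',', array_map('prepare', $idtipiintervento)).') AND `idcontratto`='.prepare($id_record).' ORDER BY `title`');
 
 if (!empty($rs)) {
 echo '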
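Review bot: On line 50 the `NOT IN` list is built from `[$id_stato_fatt, $id_stato_parz_fatt]`, and if either lookup left its variable unset, whatever literal `prepare(null)` renders decides the outcome: a SQL `NULL` inside `NOT IN (...)` makes the whole predicate unknown, so the select would list no states at all instead of all but two. An explicit check that both ids were resolved before the list is built turns that silent empty dropdown into a visible error; how `prepare()` handles null is not visible here. The same consideration applies to line 333 if `$idtipiintervento` can contain nulls. Both statements sit inside echo/if blocks that begin outside the hunks.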
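--- a/modules/dashboard/ajax.php
+++ b/modules/dashboard/ajax.php
@@ -91,12 +91,12 @@
 `in_interventi_tecnici`.`orario_fine` <= '.prepare($end).'
 )
 )
-AND `idtecnico` IN('.implode(',', $tecnici).')
-AND `in_interventi`.`idstatointervento` IN('.implode(',', $stati).')
-AND `in_interventi_tecnici`.`idtipointervento` IN('.implode(',', $tipi).')
+AND `idtecnico` IN('.implode(',', array_map('prepare', $tecnici)).')
+AND `in_interventi`.`idstatointervento` IN('.implode(',', array_map('prepare', $stati)).')
+AND `in_interventi_tecnici`.`idtipointervento` IN('.implode(',', array_map('prepare', $tipi)).')
 '.Modules::getAdditionalsQuery(Module::where('name', 'Interventi')->first()->id).'
 HAVING
-`idzona` IN ('.implode(',', $zone).')';
+`idzona` IN ('.implode(',', array_map('prepare', $zone)).')';
 $sessioni = $dbo->fetchArray($query);
 
 $results = [];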
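--- a/modules/ddt/ajax/search.php
+++ b/modules/ddt/ajax/search.php
@@ -40,11 +40,11 @@
 $query .= ' FROM `dt_ddt` INNER JOIN `dt_tipiddt` ON `dt_ddt`.`idtipoddt`=`dt_tipiddt`.`id` LEFT JOIN `dt_tipiddt_lang` ON (`dt_tipiddt`.`id`= `dt_tipiddt_lang`.`id_record` AND `dt_tipiddt_lang`.`id_lang`='.prepare(Models\Locale::getDefault()->id).') LEFT JOIN (SELECT GROUP_CONCAT(`descrizione` SEPARATOR " -- ") AS "descrizione", `idddt`, SUM(`qta`) AS "totale_quantita", SUM(`costo_unitario` * `qta`) AS "totale_acquisto", SUM(`prezzo_unitario` * `qta` - `sconto`) AS "totale_vendita" FROM dt_righe_ddt GROUP BY `idddt`) righe ON `righe`.`idddt`=`dt_ddt`.`id` WHERE `idanagrafica` IN('.implode(',', $idanagrafiche).') ';
 
 foreach ($fields as $name => $value) {
-$query .= ' OR '.$value.' LIKE "%'.$term.'%"';
+$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');
 }
 
 // Aggiunta ricerca diretta negli articoli
-$query .= ' OR `dt_ddt`.`id` IN (SELECT DISTINCT `dt_righe_ddt`.`idddt` FROM `dt_righe_ddt` LEFT JOIN `mg_articoli` ON `dt_righe_ddt`.`idarticolo` = `mg_articoli`.`id` LEFT JOIN `mg_articoli_lang` ON (`mg_articoli`.`id` = `mg_articoli_lang`.`id_record` AND `mg_articoli_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `mg_articoli`.`codice` LIKE "%'.$term.'%" OR `mg_articoli_lang`.`title` LIKE "%'.$term.'%")';
+$query .= ' OR `dt_ddt`.`id` IN (SELECT DISTINCT `dt_righe_ddt`.`idddt` FROM `dt_righe_ddt` LEFT JOIN `mg_articoli` ON `dt_righe_ddt`.`idarticolo` = `mg_articoli`.`id` LEFT JOIN `mg_articoli_lang` ON (`mg_articoli`.`id` = `mg_articoli_lang`.`id_record` AND `mg_articoli_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `mg_articoli`.`codice` LIKE '.prepare('%'.$term.'%').' OR `mg_articoli_lang`.`title` LIKE '.prepare('%'.$term.'%').')';
 
 $rs = $dbo->fetchArray($query);
 
@@ -80,7 +80,7 @@
 }
 
 // Recupero solo gli articoli che corrispondono al termine di ricerca con quantità e valori
-$articoli_query = 'SELECT CONCAT(COALESCE(`mg_articoli`.`codice`, ""), IF(`mg_articoli`.`codice` IS NOT NULL AND `mg_articoli_lang`.`title` IS NOT NULL, " - ", ""), COALESCE(`mg_articoli_lang`.`title`, "")) AS articolo, `dt_righe_ddt`.`qta`, `dt_righe_ddt`.`prezzo_unitario`, `dt_righe_ddt`.`costo_unitario`, `dt_righe_ddt`.`sconto`, `dt_righe_ddt`.`subtotale` FROM dt_righe_ddt LEFT JOIN `mg_articoli` ON `dt_righe_ddt`.`idarticolo` = `mg_articoli`.`id` LEFT JOIN `mg_articoli_lang` ON (`mg_articoli`.`id` = `mg_articoli_lang`.`id_record` AND `mg_articoli_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `dt_righe_ddt`.`idddt` = '.prepare($r['id']).' AND `mg_articoli`.`id` IS NOT NULL AND (CONCAT(COALESCE(`mg_articoli`.`codice`, ""), " - ", COALESCE(`mg_articoli_lang`.`title`, "")) LIKE "%'.$term.'%" OR `mg_articoli`.`codice` LIKE "%'.$term.'%" OR `mg_articoli_lang`.`title` LIKE "%'.$term.'%")';
+$articoli_query = 'SELECT CONCAT(COALESCE(`mg_articoli`.`codice`, ""), IF(`mg_articoli`.`codice` IS NOT NULL AND `mg_articoli_lang`.`title` IS NOT NULL, " - ", ""), COALESCE(`mg_articoli_lang`.`title`, "")) AS articolo, `dt_righe_ddt`.`qta`, `dt_righe_ddt`.`prezzo_unitario`, `dt_righe_ddt`.`costo_unitario`, `dt_righe_ddt`.`sconto`, `dt_righe_ddt`.`subtotale` FROM dt_righe_ddt LEFT JOIN `mg_articoli` ON `dt_righe_ddt`.`idarticolo` = `mg_articoli`.`id` LEFT JOIN `mg_articoli_lang` ON (`mg_articoli`.`id` = `mg_articoli_lang`.`id_record` AND `mg_articoli_lang`.`id_lang` = '.prepare(Models\Locale::getDefault()->id).') WHERE `dt_righe_ddt`.`idddt` = '.prepare($r['id']).' AND `mg_articoli`.`id` IS NOT NULL AND (CONCAT(COALESCE(`mg_articoli`.`codice`, ""), " - ", COALESCE(`mg_articoli_lang`.`title`, "")) LIKE '.prepare('%'.$term.'%').' OR `mg_articoli`.`codice` LIKE '.prepare('%'.$term.'%').' OR `mg_articoli_lang`.`title` LIKE '.prepare('%'.$term.'%').')';
 $articoli_rs = $dbo->fetchArray($articoli_query);
 
 $articoli = [];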
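Review bot: Line 40, the context line directly above the first change, still interpolates `implode(',', $idanagrafiche)` into `WHERE idanagrafica IN(...)` without `prepare()`, the very pattern this commit fixes on lines 104 and 159 of modules/anagrafiche/ajax/search.php, so one raw list remains in the same query the hunk hardens. It should become `IN('.implode(',', array_map('prepare', $idanagrafiche)).') '` like the others, with the empty-list case handled so an empty `$idanagrafiche` does not produce a syntax error. Lines 43, 47 and 83 now quote `$term` correctly. How `$idanagrafiche` is populated is outside the hunk.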