
Fix SQL Injection problem in store.php.

1 parent 124a0f8 commit 6351693126b7e26b1bdcfde232988f420b11d0df @jeresig committed Nov 6, 2013
Showing with 42 additions and 36 deletions.
  1. +2 −1 .gitignore
  2. +40 −35 dep/web/store.php
@@ -1,4 +1,5 @@
.DS_Store
results/
dep/run/
-web/
+web/
+!dep/web/
@@ -25,59 +25,64 @@
OTHER DEALINGS IN THE SOFTWARE.
*/
- $server = 'mysql.dromaeo.com';
- $user = 'dromaeo';
- $pass = 'dromaeo';
+$server = 'mysql.dromaeo.com';
+$user = 'dromaeo';
+$pass = 'dromaeo';
- require('JSON.php');
+require('JSON.php');
- $json = new Services_JSON();
- $sql = mysql_connect( $server, $user, $pass );
+$json = new Services_JSON();
+$sql = mysql_connect( $server, $user, $pass );
- mysql_select_db( 'dromaeo' );
+mysql_select_db( 'dromaeo' );
- $id = str_replace(';', "", $_REQUEST['id']);
+$id = preg_replace('/[^\d,]/', '', $_REQUEST['id']);
- if ( $id ) {
- $sets = array();
- $ids = split(",", $id);
+if ( $id ) {
+ $sets = array();
+ $ids = split(",", $id);
- foreach ($ids as $i) {
- $query = mysql_query( "SELECT * FROM runs WHERE id=$i;" );
- $data = mysql_fetch_assoc($query);
+ foreach ($ids as $i) {
+ $query = mysql_query( sprintf("SELECT * FROM runs WHERE id=%s;",
+ mysql_real_escape_string($i)));
+ $data = mysql_fetch_assoc($query);
+
+ $query = mysql_query( sprintf("SELECT * FROM results WHERE run_id=%s;",
+ mysql_real_escape_string($i)));
+ $results = array();
- $query = mysql_query( "SELECT * FROM results WHERE run_id=$i;" );
- $results = array();
-
- while ( $row = mysql_fetch_assoc($query) ) {
- array_push($results, $row);
- }
+ while ( $row = mysql_fetch_assoc($query) ) {
+ array_push($results, $row);
+ }
- $data['results'] = $results;
- $data['ip'] = '';
+ $data['results'] = $results;
+ $data['ip'] = '';
- array_push($sets, $data);
- }
+ array_push($sets, $data);
+ }
- echo $json->encode($sets);
- } else {
- $data = $json->decode(str_replace('\\"', '"', $_REQUEST['data']));
+ echo $json->encode($sets);
+} else {
+ $data = $json->decode(str_replace('\\"', '"', $_REQUEST['data']));
- if ( $data ) {
+ if ( $data ) {
mysql_query( sprintf("INSERT into runs VALUES(NULL,'%s','%s',NOW(),'%s');",
- $_SERVER['HTTP_USER_AGENT'], $_SERVER['REMOTE_ADDR'], str_replace(';', "", $_REQUEST['style'])) );
+ mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']),
+ mysql_real_escape_string($_SERVER['REMOTE_ADDR']),
+ mysql_real_escape_string(str_replace(';', "", $_REQUEST['style']))
+ ));
$id = mysql_insert_id();
if ( $id ) {
- foreach ($data as $row) {
- mysql_query( sprintf("INSERT into results VALUES(NULL,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s');",
- $id, $row->collection, $row->version, $row->name, $row->scale, $row->median, $row->min, $row->max, $row->mean, $row->deviation, $row->runs) );
- }
+ foreach ($data as $row) {
+ mysql_query( sprintf("INSERT into results VALUES(NULL,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s');",
+ $id, $row->collection, $row->version, $row->name, $row->scale, $row->median, $row->min, $row->max, $row->mean, $row->deviation, $row->runs) );
+ }
- echo $id;
- }
+ echo $id;
}
}
+}
?>
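Review bot: The results INSERT at the end of the hunk (`mysql_query( sprintf("INSERT into results VALUES(NULL,'%s',...` with `$row->collection, $row->version, $row->name, ...`) still interpolates values taken straight from the JSON-decoded `$_REQUEST['data']` without `mysql_real_escape_string`, so the injection fix applied to the `runs` INSERT and the `id` lookups is incomplete here. Every `$row->*` field (and `$id`, which comes from `mysql_insert_id()` and is safe but costs nothing to treat uniformly) should go through the same escaping as the other statements; building the argument list once and mapping it through `mysql_real_escape_string` keeps the sprintf pattern while closing the gap. Since the file already relies on the deprecated `mysql_*` extension, the longer-term fix is to move these statements to PDO prepared statements with bound parameters, which removes the need for per-value escaping altogether. Note also that `split()` on the `$ids` path is the deprecated ereg-based function; `explode(',', $id)` is the drop-in replacement.
```php
            foreach ($data as $row) {
                $fields = array($id, $row->collection, $row->version, $row->name, $row->scale,
                    $row->median, $row->min, $row->max, $row->mean, $row->deviation, $row->runs);
                $escaped = array_map('mysql_real_escape_string', $fields);
                mysql_query( vsprintf("INSERT into results VALUES(NULL,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s');", $escaped) );
            }
```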
