From e5f1078d7dc81911c63e6f07a66cf53d6822d1d2 Mon Sep 17 00:00:00 2001
From: jeffnm
Date: Fri, 21 Oct 2016 09:53:59 -0500
Subject: [PATCH] SQL Security Patch

Security patch for sql injection
---
 admin/classes/common/DBService.php | 61 +++++++++++++++++++++++++
 admin/classes/common/DatabaseObject.php | 6 ++-
 install/UPGRADE_README.txt | 4 ++
 templates/footer.php | 2 +-
 4 files changed, 70 insertions(+), 3 deletions(-)

diff --git a/admin/classes/common/DBService.php b/admin/classes/common/DBService.php
index 17dbcef..4cbc77f 100644
--- a/admin/classes/common/DBService.php
+++ b/admin/classes/common/DBService.php
@@ -93,6 +93,67 @@ public function processQuery($sql, $type = NULL) {
 return $data;
 }
+ /**
+ * Version of processQuery() that deals with prepared statements. As prepared
+ * statements use variadic functions, much of this function's complexity
+ * comes from wrapping a variadic function in a PHP 5.5 compatible way.
+ *
+ * @param string $query Same format as mysqli::prepare(), with usually one
+ * or more "?" inside it.
+ *
+ * @param string $type Must be "num" or "assoc". Contrary to processQuery(),
+ * it's not an optionnal argument. Due to this function being variadic.
+ *
+ * @param mixed ...$paramsToBind Same format as mysqli_stmt::bind_param()
+ * It's a variadic function based on this PHP 5.5 compatible implementation
+ * https://wiki.php.net/rfc/variadics#introduction
+ * We will be able to simplify this once we require PHP 5.6
+ * https://secure.php.net/manual/en/migration56.new-features.php#migration56.new-features.variadics
+ */
+ public function processPreparedQuery($query, $type) {
+ $paramsToBind = array_slice(func_get_args(), 2); // additional arguments
+ // prepared statements specific code
+ $statement = $this->db->prepare($query);
+ $this->checkForError();
+ // The following is an implementation of the splat operator. This
+ // will be simpler with PHP 5.6
+ // https://secure.php.net/manual/en/migration56.new-features.php#migration56.new-features.splat
+ // We need to pass references to bind_param(), hence the use of refValues()
+ call_user_func_array([$statement, "bind_param"], self::refValues($paramsToBind)) ;
+ $statement->execute();
+ $result = $statement->get_result();
+
+ // same as processQuery()
+ $this->checkForError();
+ $data = array();
+
+ if ($result instanceof mysqli_result) {
+ $resultType = MYSQLI_NUM;
+ if ($type == 'assoc') {
+ $resultType = MYSQLI_ASSOC;
+ }
+ while ($row = $result->fetch_array($resultType)) {
+ if ($this->db->affected_rows > 1) {
+ array_push($data, $row);
+ } else {
+ $data = $row;
+ }
+ }
+ $result->free();
+ } else if ($result) {
+ $data = $this->db->insert_id;
+ }
+
+ return $data;
+ }
+
+ private static function refValues($arr){
+ $refs = array();
+ foreach($arr as $key => $value) {
+ $refs[$key] = &$arr[$key];
+ }
+ return $refs;
+ }
 }
 ?>
diff --git a/admin/classes/common/DatabaseObject.php b/admin/classes/common/DatabaseObject.php
index abaaa48..9b25bca 100644
--- a/admin/classes/common/DatabaseObject.php
+++ b/admin/classes/common/DatabaseObject.php
@@ -282,8 +282,10 @@ public function allAsArray() {
 public function load() {
 //if exists in the database
 if (isset($this->primaryKey)) {
- $query = "SELECT * FROM `$this->tableName` WHERE `$this->primaryKeyName` = '$this->primaryKey'";
- $result = $this->db->processQuery($query, 'assoc');
+ $query = "SELECT * FROM `$this->tableName` WHERE `$this->primaryKeyName` = ?";
+ $result = $this->db->processPreparedQuery($query, "assoc",
+ "s",
+ $this->primaryKey);
 foreach (array_keys($result) as $attributeName) {
 $this->addAttribute($attributeName);
diff --git a/install/UPGRADE_README.txt b/install/UPGRADE_README.txt
index 85f644a..210609c 100644
--- a/install/UPGRADE_README.txt
+++ b/install/UPGRADE_README.txt
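Review bot: The `else if ($result)` branch in processPreparedQuery that returns `$this->db->insert_id` looks unreachable, because `mysqli_stmt::get_result()` returns false both on error and for statements that produce no result set (INSERT/UPDATE/DELETE), unlike `mysqli::query()` which returns true there, so an INSERT routed through this method would hand back an empty array instead of the new id. Testing the statement rather than the result keeps processQuery()'s contract: `} else if ($statement->errno === 0) {` followed by `$data = $statement->insert_id;`. The return value of `$statement->execute()` is never checked and `checkForError()` presumably inspects the connection rather than `$statement->error` (worth confirming), and `$statement->close()` is never called, so the handle lives until the object is destroyed. The loose `$type == 'assoc'` test silently maps any other value, including a typo, to MYSQLI_NUM although the docblock requires "num" or "assoc"; `=== 'assoc'` plus an `InvalidArgumentException` for anything else would surface misuse. The enclosing class begins before the hunk.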
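Review bot: The new query in load() still interpolates `$this->tableName` and `$this->primaryKeyName` into the SQL; identifiers cannot be bound with `?`, so the fix only holds as long as both values come from the subclass definitions and never from request data. A short comment on the `$query =` line would make that invariant explicit for future subclasses, e.g. `// table/column names cannot be bound as parameters: they must stay developer-controlled`. Binding the key with type "s" relies on MySQL's implicit conversion when the primary key column is numeric, which works but deserves a note as well. load() continues past the hunk.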
@@ -1,3 +1,7 @@
+1.4.1 The 1.4.1 update is a security fix
+
+ - No database changes.
+
 1.4 The 1.4 update to the CORAL Resources module includes the following enhancements:
 -Added Issue tracker feature that allows tracking of down resources.
diff --git a/templates/footer.php b/templates/footer.php
index 1f3eb4a..630875d 100644
--- a/templates/footer.php
+++ b/templates/footer.php
@@ -28,6 +28,6 @@
 
- +