diff --git a/include/cvs-auth.inc b/include/cvs-auth.inc index 23aae37..64fa1b4 100644 --- a/include/cvs-auth.inc +++ b/include/cvs-auth.inc @@ -12,12 +12,11 @@ function verify_password($user, $pass) { db_connect(); - $username = real_clean($user); - $res = mysql_query("SELECT svnpasswd FROM users WHERE cvsaccess AND username = '$username'"); + $res = db_query_safe("SELECT svnpasswd FROM users WHERE cvsaccess AND username = ?", [$user]); if ($res && mysql_num_rows($res) == 1) { $row = mysql_fetch_array($res); - return gen_svn_pass($username, $pass) === $row["svnpasswd"]; + return gen_svn_pass($user, $pass) === $row["svnpasswd"]; } return false; @@ -25,13 +24,6 @@ function verify_password($user, $pass) function verify_username($user) { db_connect(); - - $username = real_clean($user); - $res = mysql_query("SELECT 1 FROM users WHERE cvsaccess AND username = '$username'"); - - if ($res && mysql_num_rows($res) == 1) { - return true; - } - - return false; + $res = db_query_safe("SELECT 1 FROM users WHERE cvsaccess AND username = ?", [$user]); + return $res && mysql_num_rows($res) == 1; } diff --git a/include/functions.inc b/include/functions.inc index 847bb3a..3d92e16 100644 --- a/include/functions.inc +++ b/include/functions.inc @@ -119,6 +119,21 @@ function db_query($query) return $res; } +function db_prepare_query($query, $params) { + if (substr_count($query, '?') !== count($params)) { + die("Incorrect number of parameters to query."); + } + + $i = 0; + return preg_replace_callback('/\?/', function() use ($params, &$i) { + return "'" . mysql_real_escape_string($params[$i++]) . "'"; + }, $query); +} + +function db_query_safe($query, array $params = []) +{ + return db_query(db_prepare_query($query, $params)); +} function db_get_one($query) { 
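Review bot: gen_svn_pass() now receives the raw `$user` where the old code passed the real_clean()'d `$username`, so for any username containing characters real_clean() rewrites (presumably quotes and backslashes) the hashed input changes and an existing svnpasswd may stop verifying. If the stored hashes were generated from the raw username this is a fix; otherwise it is a silent behavior change, and either way it is worth confirming against gen_svn_pass()'s other callers. While the line is being touched, `mysql_num_rows($res) == 1` could become `=== 1`. verify_password()'s closing brace lies at the end of this hunk, so the note covers the whole function.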
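Review bot: db_prepare_query() is client-side placeholder emulation rather than a server-side prepared statement, and that has two limits the function does not document: `preg_replace_callback('/\?/', ...)` substitutes every `?` in `$query`, including one inside an SQL string literal or comment (which `substr_count()` also counts, so such a query either die()s or is rewritten wrongly), and every value is wrapped in single quotes, so the helper cannot supply LIMIT offsets, identifiers or anything that must stay unquoted — the `LIMIT $limitVotes, 25` in manage/user-notes.php remains interpolated for exactly that reason. It also relies on a connection already being open, because mysql_real_escape_string() uses the current link; callers such as show_country_options() that do not visibly call db_connect() depend on one having been opened earlier. A docblock above the function should state both: `// Emulated placeholders: every '?' in $query is substituted (even inside string literals), each value is quoted as a string, and a db_connect() link must already be open.` The die() on a count mismatch aborts the whole page for what is a programming error; throwing an exception would keep the message while letting callers decide.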
@@ -198,7 +213,7 @@ function show_prev_next($begin, $rows, $skip, $total, $extra = [], $table = true function show_country_options($cc = "") { - $res = db_query("SELECT id, name FROM country ORDER BY name"); + $res = db_query_safe("SELECT id, name FROM country ORDER BY name"); while ($row = mysql_fetch_assoc($res)) { echo ""; } @@ -291,7 +306,7 @@ function undo_magic_quotes() { function find_group_address_from_notes_for($id) { - $res = db_query("SELECT note FROM users_note WHERE userid=$id LIMIT 1"); + $res = db_query_safe("SELECT note FROM users_note WHERE userid = ? LIMIT 1", [$id]); $row = mysql_fetch_assoc($res); $cc = ""; if (preg_match("/\[group: (\w+)\]/", $row["note"], $matches)) { @@ -316,7 +331,7 @@ function find_group_address_from_notes_for($id) { define("MT_USER_APPROVE_MAIL", "group@php.net"); define("MT_USER_REMOVE_MAIL", "group@php.net"); function user_approve($id) { - $res = db_query("UPDATE users SET cvsaccess=1, enable=1 WHERE userid=$id"); + $res = db_query_safe("UPDATE users SET cvsaccess=1, enable=1 WHERE userid=?", [$id]); if ($res && mysql_affected_rows()) { $cc = find_group_address_from_notes_for($id); $mailtext = $cc ? $cc : EMAIL_DEFAULT_CC; @@ -343,7 +358,7 @@ function user_approve($id) { function user_remove($id) { $userinfo = fetch_user($id); - $res = db_query("DELETE FROM users WHERE userid=$id"); + $res = db_query_safe("DELETE FROM users WHERE userid=?", [$id]); if ($res && mysql_affected_rows()) { $cc = find_group_address_from_notes_for($id); @@ -360,8 +375,8 @@ function user_remove($id) { /* Notify public records */ mail($to, $subject, $message,"From: PHP Group \nIn-Reply-To: ", "-fnoreply@php.net"); - db_query("DELETE FROM users_note WHERE userid=$id"); - db_query("DELETE FROM users_profile WHERE userid=$id"); + db_query_safe("DELETE FROM users_note WHERE userid=?", [$id]); + db_query_safe("DELETE FROM users_profile WHERE userid=?", [$id]); warn("record $id ($userinfo[username]) removed"); return true; } 
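Review bot: `$id` is bound in find_group_address_from_notes_for() without an integer cast, so it reaches MySQL as a quoted string and a value like `12abc` is silently coerced to 12 by the comparison instead of being rejected; the same applies to user_approve() and user_remove() in this file, and to can_modify(), where the commit removes the existing `$userid = (int)$userid;` line. Because db_prepare_query() always quotes its values, the call site is the only place integer-ness can be enforced: `[(int)$id]`. The `mysql_fetch_assoc($res)` on the following line is still reached when the query fails and `$res` is false, though that predates this change.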
@@ -446,32 +461,23 @@ function is_mirror_site_admin($user) { function can_modify($user,$userid) { if (is_admin($user)) return true; - $userid = (int)$userid; - - $quser = addslashes($user); - $query = "SELECT userid FROM users" - . " WHERE userid=$userid" - . " AND (email='$quser' OR username='$quser')"; - - $res = db_query($query); + $query = "SELECT userid FROM users WHERE userid = ? AND (email = ? OR username = ?)"; + $res = db_query_safe($query, [$userid, $user, $user]); return $res ? mysql_num_rows($res) : false; } function fetch_user($user) { - $query = "SELECT * FROM users LEFT JOIN users_note USING (userid)"; if ((int)$user) { - $query .= " WHERE users.userid=$user"; - } - else { - $quser = addslashes((string)$user); - $query .= " WHERE username='$quser' OR email='$quser'"; - } - - if ($res = db_query($query)) { - return mysql_fetch_array($res); + $res = db_query_safe( + "SELECT * FROM users LEFT JOIN users_note USING (userid) WHERE users.userid = ?", + [$user]); + } else { + $res = db_query_safe( + "SELECT * FROM users LEFT JOIN users_note USING (userid) WHERE username = ? OR email = ?", + [$user, $user]); } - return false; + return mysql_fetch_array($res); } function invalid_input($in) { if (!empty($in['email']) && strlen($in['email']) && !is_emailable_address($in['email'])) { @@ -503,13 +509,8 @@ function validateAction($k) { } function fetch_event($id) { - $query = "SELECT * FROM phpcal WHERE id=$id"; - - if ($res = db_query($query)) { - return mysql_fetch_array($res,MYSQL_ASSOC); - } - - return false; + $res = db_query_safe("SELECT * FROM phpcal WHERE id = ?", [$id]); + return mysql_fetch_array($res,MYSQL_ASSOC); } function display_options($options,$current) { diff --git a/manage/challenge-response.php b/manage/challenge-response.php index 71e5f0f..f571e97 100644 --- a/manage/challenge-response.php +++ b/manage/challenge-response.php 
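Review bot: fetch_user() and fetch_event() lose their `if ($res = db_query(...))` guard, so when db_query_safe() returns false the new code calls `mysql_fetch_array($res)` on a boolean and emits a warning where the old code had an explicit `return false;`. Keeping the original return contract is a one-line change in each: `return $res ? mysql_fetch_array($res) : false;` in fetch_user() and `return $res ? mysql_fetch_array($res, MYSQL_ASSOC) : false;` in fetch_event(). In fetch_user() the `(int)$user` test only selects the branch; the value actually bound in the numeric branch is still the uncast `$user`, so `[(int)$user]` would match the test.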
@@ -13,13 +13,14 @@ if (isset($_POST['confirm_them']) && isset($_POST['confirm']) && is_array($_POST['confirm'])) { foreach ($_POST['confirm'] as $address) { - $addr = mysql_real_escape_string($address); - db_query("insert into accounts.confirmed (email, ts) values ('$addr', NOW())"); + db_query_safe("insert into accounts.confirmed (email, ts) values (?, NOW())", [$address]); } } -$user_db = mysql_real_escape_string($user); -$res = db_query("select distinct sender from phpmasterdb.users left join accounts.quarantine on users.email = rcpt where username='$user_db' and not isnull(id)"); +// TODO: Where does $user come from here? +$res = db_query_safe( + "select distinct sender from phpmasterdb.users left join accounts.quarantine on users.email = rcpt " . + "where username=? and not isnull(id)", [$user]); $inmates = []; while ($row = mysql_fetch_row($res)) { @@ -81,7 +82,9 @@ function sort_by_domain($a, $b) 0) { diff --git a/manage/event.php b/manage/event.php index a47e188..9fd03d2 100644 --- a/manage/event.php +++ b/manage/event.php 
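Review bot: the added `// TODO: Where does $user come from here?` leaves the query's only filter unresolved; if `$user` is unset at this point, mysql_real_escape_string() presumably turns null into an empty string and the query runs as `username=''`, returning whatever that matches rather than failing. Resolving the TODO before merge, or at least guarding with `if (empty($user)) { die('no user selected'); }` ahead of the query, makes the failure explicit. The `$_POST['confirm']` loop also binds each element unchecked, and a nested array element would reach mysql_real_escape_string() as a non-string; an `is_string($address)` check inside the foreach would cover that. The if block enclosing the foreach starts before this hunk.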
@@ -25,16 +25,22 @@ head("event administration"); db_connect(); -$valid_vars = ['id', 'action','in','begin','max','search','order','full','unapproved']; -foreach($valid_vars as $k) { - $$k = isset($_REQUEST[$k]) ? $_REQUEST[$k] : false; -} +$id = isset($_REQUEST['id']) ? $_REQUEST['id'] : false; +$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : false; +$in = isset($_REQUEST['in']) ? $_REQUEST['in'] : false; +$begin = isset($_REQUEST['begin']) ? $_REQUEST['begin'] : false; +$max = isset($_REQUEST['max']) ? $_REQUEST['max'] : false; +$search = isset($_REQUEST['search']) ? $_REQUEST['search'] : false; +$order = isset($_REQUEST['order']) ? $_REQUEST['order'] : false; +$full = isset($_REQUEST['full']) ? $_REQUEST['full'] : false; +$unapproved = isset($_REQUEST['unapproved']) ? $_REQUEST['unapproved'] : false; + if($id) $id = (int)$id; if ($id && $action) { switch ($action) { case 'approve': - if (db_query("UPDATE phpcal SET approved=1,app_by='".real_clean($cuser)."' WHERE id=$id") + if (db_query_safe("UPDATE phpcal SET approved=1,app_by=? WHERE id=?", [$cuser, $id]) && mysql_affected_rows()) { $event = fetch_event($id); $message = "This event has been approved. It will appear on the PHP website shortly."; @@ -48,7 +54,7 @@ break; case 'reject': $event = fetch_event($id); - if (db_query("DELETE FROM phpcal WHERE id=$id") + if (db_query_safe("DELETE FROM phpcal WHERE id=?", [$id]) && mysql_affected_rows()) { $message = $event['approved'] ? "This event has been deleted." : "This event has been rejected."; $did = $event['approved'] ? 'Deleted' : 'Rejected'; diff --git a/manage/user-notes.php b/manage/user-notes.php index 3edba18..a12045a 100644 --- a/manage/user-notes.php +++ b/manage/user-notes.php 
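Review bot: the nine `isset($_REQUEST[...]) ? ... : false` lines that replace the `$$k` loop repeat the same expression verbatim; a small helper such as `function request_value($key) { return isset($_REQUEST[$key]) ? $_REQUEST[$key] : false; }` keeps the explicit variable names the commit wanted without the duplication. Only `$id` is cast afterwards; `$begin`, `$max`, `$order` and `$search` keep their raw request values, which matters if any of them is still concatenated into query text further down the file, outside this hunk.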
@@ -145,8 +145,8 @@ if (($iprange = wildcard_ip($_GET['votessearch'])) !== false) { $search = html_entity_decode($_GET['votessearch'], ENT_QUOTES, 'UTF-8'); $start = real_clean($iprange[0]); $end = real_clean($iprange[1]); - $resultCount = db_query("SELECT count(votes.id) AS total_votes FROM votes JOIN (note) ON (votes.note_id = note.id) WHERE ". - "(hostip >= $start AND hostip <= $end) OR (ip >= $start AND ip <= $end)"); + $resultCount = db_query_safe("SELECT count(votes.id) AS total_votes FROM votes JOIN (note) ON (votes.note_id = note.id) WHERE ". + "(hostip >= ? AND hostip <= ?) OR (ip >= ? AND ip <= ?)", [$start, $end, $start, $end]); $resultCount = mysql_fetch_assoc($resultCount); $resultCount = $resultCount['total_votes']; $isSearch = '&votessearch=' . hsc($search); @@ -158,7 +158,7 @@ } elseif (filter_var(html_entity_decode($_GET['votessearch'], ENT_QUOTES, 'UTF-8'), FILTER_VALIDATE_IP)) { $searchip = (int) ip2long(filter_var(html_entity_decode($_GET['votessearch'], ENT_QUOTES, 'UTF-8'), FILTER_VALIDATE_IP)); - $resultCount = db_query("SELECT count(votes.id) AS total_votes FROM votes JOIN(note) ON (votes.note_id = note.id) WHERE hostip = $searchip OR ip = $searchip"); + $resultCount = db_query_safe("SELECT count(votes.id) AS total_votes FROM votes JOIN(note) ON (votes.note_id = note.id) WHERE hostip = ? OR ip = ?", [$searchip, $searchip]); $resultCount = mysql_fetch_assoc($resultCount); $resultCount = $resultCount['total_votes']; $isSearch = '&votessearch=' . hsc(long2ip($searchip)); 
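Review bot: `$start` and `$end` are still passed through real_clean() before being bound, so they are escaped twice — once by real_clean() and again by mysql_real_escape_string() inside db_prepare_query(). For the numeric bounds wildcard_ip() appears to produce this is harmless, but it undercuts the point of the helper; either drop the real_clean() calls or make the intent explicit with `$start = (int)$iprange[0]; $end = (int)$iprange[1];`. The if block this hunk sits in starts before the hunk.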
@@ -169,7 +169,7 @@ "ORDER BY votes.id DESC LIMIT $limitVotes, 25"; } else { $search = (int) html_entity_decode($_GET['votessearch'], ENT_QUOTES, 'UTF-8'); - $resultCount = db_query("SELECT count(votes.id) AS total_votes FROM votes JOIN(note) ON (votes.note_id = note.id) WHERE votes.note_id = $search"); + $resultCount = db_query_safe("SELECT count(votes.id) AS total_votes FROM votes JOIN(note) ON (votes.note_id = note.id) WHERE votes.note_id = ?", [$search]); $resultCount = mysql_fetch_assoc($resultCount); $resultCount = $resultCount['total_votes']; $isSearch = '&votessearch=' . hsc($search); @@ -181,7 +181,7 @@ } } else { $isSearch = null; - $resultCount = db_query("SELECT COUNT(votes.id) AS total_votes FROM votes JOIN(note) ON (votes.note_id = note.id)"); + $resultCount = db_query_safe("SELECT COUNT(votes.id) AS total_votes FROM votes JOIN(note) ON (votes.note_id = note.id)"); $resultCount = mysql_fetch_assoc($resultCount); $resultCount = $resultCount['total_votes']; $sql = "SELECT votes.id, UNIX_TIMESTAMP(votes.ts) AS ts, votes.vote, votes.note_id, note.sect, votes.hostip, votes.ip ". @@ -513,7 +513,7 @@ die ("Note #$id has already been approved"); } - if ($row['id'] && db_query("UPDATE note SET status=NULL WHERE id=".real_clean($id))) { + if ($row['id'] && db_query_safe("UPDATE note SET status=NULL WHERE id=?", [$id])) { note_mail_on_action( $cuser, $id, @@ -530,7 +530,7 @@ case 'delete': if ($id) { if ($row = note_get_by_id($id)) { - if ($row['id'] && db_query("DELETE note,votes FROM note LEFT JOIN (votes) ON (note.id = votes.note_id) WHERE note.id = ".real_clean($id))) { + if ($row['id'] && db_query_safe("DELETE note,votes FROM note LEFT JOIN (votes) ON (note.id = votes.note_id) WHERE note.id = ?", [$id])) { // ** alerts ** //$mailto .= get_emails_for_sect($row["sect"]); $action_taken = ($action == "reject" ? "rejected" : "deleted"); 
@@ -647,7 +647,7 @@ $sql = 'DELETE FROM votes WHERE votes.note_id = ' . real_clean($id) . ' AND votes.vote = 0'; } /* Make sure the note has votes before we attempt to delete them */ - $result = db_query("SELECT COUNT(id) AS id FROM votes WHERE note_id = " . real_clean($id)); + $result = db_query_safe("SELECT COUNT(id) AS id FROM votes WHERE note_id = ?", [$id]); $rows = mysql_fetch_assoc($result); if (!$rows['id']) { echo "

No votes exist for Note ID ". hsc($id) ."!

"; diff --git a/manage/users.php b/manage/users.php index fc0da84..c4b4ae7 100644 --- a/manage/users.php +++ b/manage/users.php @@ -61,18 +61,17 @@ function csrf_validate(&$mydata, $name) { # ?username=whatever will look up 'whatever' by email or username if ($username) { - $tmp = filter_input(INPUT_GET, "username", FILTER_CALLBACK, ["options" => "mysql_real_escape_string"]) ?: ""; $query = "SELECT userid FROM users" - . " WHERE username='$tmp' OR email='$tmp'"; - $res = db_query($query); + . " WHERE username=? OR email=?"; + $res = db_query_safe($query, [$username, $username]); if (!($id = @mysql_result($res, 0))) { warn("wasn't able to find user matching '$username'"); } } if ($id) { - $query = "SELECT * FROM users WHERE users.userid=$id"; - $res = db_query($query); + $query = "SELECT * FROM users WHERE users.userid=?"; + $res = db_query_safe($query, [$id]); $userdata = mysql_fetch_array($res); if (!$userdata) { warn("Can't find user#$id"); @@ -249,7 +248,7 @@ function csrf_validate(&$mydata, $name) {
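Review bot: the COUNT query is converted, but the `$sql = 'DELETE FROM votes WHERE votes.note_id = ' . real_clean($id) . ' AND votes.vote = 0';` line two lines above it in the same hunk keeps building SQL by concatenation, leaving two escaping styles for the same `$id` side by side. That string is presumably executed later, outside the hunk, so converting it means carrying the parameters alongside it to that point, e.g. `$sql = 'DELETE FROM votes WHERE votes.note_id = ? AND votes.vote = 0'; $sqlParams = [$id];` and binding them where `$sql` is run.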
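Review bot: the user lookup now binds `$username` directly instead of the GET-filtered `$tmp`; where `$username` is assigned is outside this hunk, so whether it still originates from INPUT_GET as the removed filter_input() call implied, and whether a non-string value can reach it, should be checked. The `@mysql_result($res, 0)` on the next line also suppresses the case where db_query_safe() returned false; `if (!$res || !mysql_num_rows($res) || !($id = mysql_result($res, 0)))` would surface a failed query instead of reporting it as a missing user.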

Notes:

", date("r",$userdata['ts']), "
".$userdata['note'].""; } @@ -350,7 +349,7 @@ function csrf_validate(&$mydata, $name) { $res = db_query($query); #echo $query; -$res2 = db_query("SELECT FOUND_ROWS()"); +$res2 = db_query_safe("SELECT FOUND_ROWS()"); $total = (int)mysql_result($res2,0);