
Commit 77dafb6

committed
Prevent SQL injection via $phpwcms['db_prepend']
1 parent 0d27adc commit 77dafb6

9 files changed

+52
-15
lines changed


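--- a/include/inc_lib/dbcon.inc.php
+++ b/include/inc_lib/dbcon.inc.php
@@ -16,11 +16,7 @@
 }
 // ----------------------------------------------------------------
 
-// build the database table prepend part
-define ('DB_PREPEND', empty($GLOBALS['phpwcms']["db_prepend"]) ? '' : $GLOBALS['phpwcms']["db_prepend"].'_');
-
-// Log DB errors
-define ('DB_LOG_ERRORS', empty($GLOBALS['phpwcms']["db_errorlog"]) ? false : true);
+define('DB_LOG_ERRORS', empty($GLOBALS['phpwcms']["db_errorlog"]) ? false : true);
 
 // open the connection to MySQL database
 if(!empty($GLOBALS['phpwcms']["db_pers"]) && substr($GLOBALS['phpwcms']["db_host"], 0, 2) !== 'p:') {
@@ -37,6 +33,7 @@
 // for compatibility issues try to check for MySQL version and charset
 $GLOBALS['phpwcms']['db_version'] = _dbInitialize();
 define('PHPWCMS_DB_VERSION', $GLOBALS['phpwcms']['db_version']);
+define('DB_PREPEND', empty($GLOBALS['phpwcms']["db_prepend"]) ? '' : mysqli_real_escape_string($GLOBALS['db'], $GLOBALS['phpwcms']["db_prepend"]) . '_');
 
 } elseif($is_mysql_error !== 'dbdown.php') {
 
@@ -45,11 +42,15 @@
 } else {
 
 define('PHPWCMS_DB_VERSION', $GLOBALS['phpwcms']['db_version']);
+define('DB_PREPEND', empty($GLOBALS['phpwcms']["db_prepend"]) ? '' : aporeplace($GLOBALS['phpwcms']["db_prepend"]) . '_');
 
 }
 
 // deprecated function for escaping db items
 function aporeplace($value='') {
+if (!$GLOBALS['db']) {
+return str_replace(array("\\", "\x00", "\n", "\r", "'", '"', "\x1a"), array("\\\\", "\\0", "\\n", "\\r", "\'", '\"', "\\Z"), $value);
+}
 return mysqli_real_escape_string($GLOBALS['db'], $value);
 }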
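Review bot: mysqli_real_escape_string() is the wrong primitive for the value added at new lines 36 and 45: DB_PREPEND is spliced into queries as an unquoted table-name prefix, and the function only rewrites quotes, backslashes, NUL and line-break bytes (the same set the new str_replace() fallback lists), so a prefix containing a backtick, a space, a comment sequence or a semicolon reaches identifier position unchanged. Validate the identifier instead of escaping it, once and before the connection branches: `if (!preg_match('/^[A-Za-z0-9_]*$/', (string) $GLOBALS['phpwcms']['db_prepend'])) { die('Invalid db_prepend value'); }` followed by the original `define('DB_PREPEND', ...)` without the escape call. That would also keep DB_PREPEND defined on every path; after this change it is only defined in the two branches visible here, and whether the `elseif($is_mysql_error !== 'dbdown.php')` branch defines it is outside the hunk. The str_replace() fallback added to aporeplace() at new lines 51–53 is byte-oriented and not connection-charset aware, which is tolerable only because it runs when no connection exists; a comment such as `// no connection yet: best-effort escape without charset awareness` would record that limitation.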

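--- a/include/inc_lib/revision/revision.php
+++ b/include/inc_lib/revision/revision.php
@@ -10,5 +10,5 @@
 **/
 
 define('PHPWCMS_VERSION', '1.9.27-dev');
-define('PHPWCMS_RELEASE_DATE', '2021/08/19');
+define('PHPWCMS_RELEASE_DATE', '2021/08/22');
 define('PHPWCMS_REVISION', '552');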

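--- a/setup/inc/setup.check.inc.php
+++ b/setup/inc/setup.check.inc.php
@@ -1,4 +1,17 @@
 <?php
+/**
+* phpwcms content management system
+*
+* @author Oliver Georgi <og@phpwcms.org>
+* @copyright Copyright (c) 2002-2021, Oliver Georgi
+* @license http://opensource.org/licenses/GPL-2.0 GNU GPL-2
+* @link http://www.phpwcms.org
+*
+**/
+
+if (!defined('PHP8')) {
+die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
 
 if(!empty($step)) {
 
@@ -85,7 +98,7 @@
 
 mysqli_free_result($result);
 
-if($result = mysqli_query($db, 'SELECT * FROM '. ($phpwcms["db_prepend"] ? $phpwcms["db_prepend"].'_' : '').'phpwcms_user')) {
+if($result = mysqli_query($db, 'SELECT * FROM '. ($phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . '_' : '') . 'phpwcms_user')) {
 
 $_db_prepend_error = true;
 mysqli_free_result($result);
@@ -128,7 +141,7 @@
 
 // now read and display sql queries
 
-$_db_prepend = ($phpwcms["db_prepend"] ? $phpwcms["db_prepend"].'_' : '');
+$_db_prepend = $phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . '_' : '';
 
 $sql_data = read_textfile($DOCROOT . '/setup/default_sql/phpwcms_init.sql');
 $sql_data = $sql_data . read_textfile($DOCROOT . '/setup/default_sql/phpwcms_inserts.sql');
@@ -219,8 +232,8 @@
 } else {
 mysqli_query($db, "SET SQL_MODE=NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION");
 mysqli_query($db, "SET NAMES '".mysqli_real_escape_string($db, $phpwcms["charset"])."'");
-$phpwcms["db_prepend"] = ($phpwcms["db_prepend"]) ? $phpwcms["db_prepend"]."_" : "";
-$sql = "INSERT INTO ".$phpwcms["db_prepend"]."phpwcms_user (usr_login, usr_pass, usr_email, ".
+$_db_prepend = $phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . "_" : "";
+$sql = "INSERT INTO " . $_db_prepend . "phpwcms_user (usr_login, usr_pass, usr_email, ".
 "usr_admin, usr_aktiv, usr_name, usr_fe, usr_wysiwyg ) VALUES ('".
 mysqli_real_escape_string($db, $phpwcms["admin_user"])."', '".
 mysqli_real_escape_string($db, md5($phpwcms["admin_pass"]))."', '".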
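Review bot: The escape applied at new lines 101, 144 and 235 does not match the context the value is used in: `$phpwcms["db_prepend"]` lands unquoted in table-name position (`SELECT * FROM ...phpwcms_user`, `INSERT INTO ...phpwcms_user`), where mysqli_real_escape_string() leaves backticks, spaces and other identifier-breaking characters untouched. Where the prefix originates (installer form or config file) is not visible here; either way, reject anything that is not a plain identifier once, before the first query, e.g. `if ($phpwcms["db_prepend"] !== '' && !preg_match('/^[A-Za-z0-9_]+$/', $phpwcms["db_prepend"])) { $_db_prepend_error = true; }` — `$_db_prepend_error` is already set at line 103 of this file, but how it is reported to the user is outside the hunk and should be checked. Note also that the truthiness test `$phpwcms["db_prepend"] ? ...` silently drops a prefix of `"0"`, which the validation above would make explicit. The context line `mysqli_real_escape_string($db, md5($phpwcms["admin_pass"]))` at old line 226 stores the admin password as an unsalted MD5; that predates this commit but deserves a follow-up to password_hash().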

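--- a/setup/inc/step0.inc.php
+++ b/setup/inc/step0.inc.php
@@ -9,6 +9,10 @@
 *
 **/
 
+if (!defined('PHP8')) {
+die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 $_SESSION['admin_set'] = false;
 $setup_recommend = true;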
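Review bot: The direct-access guard added at new lines 12–14 keys on a constant named `PHP8`, which reads as a PHP-version flag rather than an include sentinel, so a reader has to know that the setup entry script (presumably setup.php, referenced by the form action in step4) defines it before including this file. A comment on the guard would make that dependency explicit, e.g. `// PHP8 is defined by the setup entry script; abort if this include is requested directly`. The same four-line guard is pasted into each step file in this commit; a dedicated constant such as `PHPWCMS_SETUP` would state the intent better, if that fits how the entry script is structured.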

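--- a/setup/inc/step1.inc.php
+++ b/setup/inc/step1.inc.php
@@ -9,6 +9,10 @@
 *
 **/
 
+if (!defined('PHP8')) {
+die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 ?>
 <h1><span class="number">3.</span> MySQL database settings </h1>
 <?php
@@ -142,14 +146,14 @@
 } elseif(isset($db_create_err) || !empty($db_no_create)) {
 
 // OK fine - initial tables were created without error
-$_db_prepend = ($phpwcms["db_prepend"] ? $phpwcms["db_prepend"].'_' : '');
+$_db_prepend = $phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . '_' : '';
 $check = _dbQuery("SHOW TABLES LIKE '".$_db_prepend."phpwcms_%'");
 
 if($check && count($check)) {
 
-$sql_data = false;
-$db_sql = false;
-$db_fine = true;
+$sql_data = false;
+$db_sql = false;
+$db_fine = true;
 
 ?>
 <tr>
@@ -305,7 +309,7 @@
 
 } else {
 
-$_db_prepend = ($phpwcms["db_prepend"] ? $phpwcms["db_prepend"].'_' : '');
+$_db_prepend = $phpwcms["db_prepend"] ? mysqli_real_escape_string($db, $phpwcms["db_prepend"]) . '_' : '';
 
 //show Info that admin info was saved
 //and also if stored in database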
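Review bot: The escaped `$_db_prepend` built at new line 149 is used on the next context line inside a quoted LIKE pattern (`SHOW TABLES LIKE '...phpwcms_%'`), and for that position quote escaping is the right primitive, but `_` is a single-character wildcard in LIKE, so the appended `_` separator and any `_` inside the prefix match arbitrary characters and the existence check can succeed on tables belonging to a different prefix. If an exact match matters here, escape the wildcards as well: `$check = _dbQuery("SHOW TABLES LIKE '" . addcslashes($_db_prepend, '_%') . "phpwcms\\_%'");`. The `$_db_prepend` assigned at new line 312 feeds code beyond the hunk, so I cannot tell whether it reaches an unquoted identifier position there, where mysqli_real_escape_string() alone would not be sufficient.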

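--- a/setup/inc/step2.inc.php
+++ b/setup/inc/step2.inc.php
@@ -9,6 +9,10 @@
 *
 **/
 
+if (!defined('PHP8')) {
+die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 if ($err) {
 echo '<p class="error"><b>Check your admin user name and password!</b></p>';
 }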

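--- a/setup/inc/step3.inc.php
+++ b/setup/inc/step3.inc.php
@@ -9,6 +9,10 @@
 *
 **/
 
+if (!defined('PHP8')) {
+die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 ?>
 <p class="title">phpwcms path settings </p>
 <p>Please check that any path value does NOT begin or end with a slash. I recommend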

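--- a/setup/inc/step4.inc.php
+++ b/setup/inc/step4.inc.php
@@ -9,6 +9,10 @@
 *
 **/
 
+if (!defined('PHP8')) {
+die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
+
 ?><p class="title">phpwcms content values</p>
 <form action="setup.php?step=4" method="post"><table border="0" cellpadding="0" cellspacing="0" summary="">
 <tr>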

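--- a/setup/inc/step5.inc.php
+++ b/setup/inc/step5.inc.php
@@ -9,6 +9,9 @@
 *
 **/
 
+if (!defined('PHP8')) {
+die("You Cannot Access This Script Directly, Have a Nice Day.");
+}
 
 $_SERVER['DOCUMENT_ROOT'] = $phpwcms['DOC_ROOT'];
 $phpwcms["root"] = !empty($phpwcms["root"]) ? "/".$phpwcms["root"] : "";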
