Merge fefb39a into 773b158

spotweb · Dec 20, 2020 · cf3fd5a · cf3fd5a
2 parents 773b158 + fefb39a
commit cf3fd5a
Showing 1 changed file with 48 additions and 1 deletion.
diff --git a/lib/dao/Base/Dao_Base_Spot.php b/lib/dao/Base/Dao_Base_Spot.php
@@ -29,8 +29,55 @@ public function getSpots($ourUserId, $pageNr, $limit, $parsedSearch)
          * which are always available in the query
          */
         $criteriaFilter = ' WHERE (bl.spotterid IS NULL) ';
-        if (!empty($parsedSearch['filter'])) {
+        if (!empty($parsedSearch['filter'])) {			
             $criteriaFilter .= ' AND '.$parsedSearch['filter'];
+
+			/* Blacklisted SQL commands */
+
+			$notAllowedCommands = array(
+			'DELETE',
+			'TRUNCATE',
+			'AS',
+			'DROP',
+			'USE',
+			'SELECT',
+			'SLEEP',
+			'UPDATE',
+			'ALTER',
+			'CREATE',
+			'RENAME',
+			'GRANT',
+			'REVOKE',
+			'BETWEEN',
+			'COMMIT',
+			'SAVEPOINT',
+			'EXISTS',
+			'GROUP',
+			'HAVING',
+			'IN',
+			'INTO',
+			'INSERT',
+			'ORDER',
+			'BY',
+			'UNION',
+			'LEFT',
+			'RIGHT',
+			'FULL'
+			);					
+
+			/* Check $criteriaFilter for blacklisted SQL commands */
+
+			if(preg_match('[' . implode(' |', $notAllowedCommands ) . ']i', $criteriaFilter) == true) {
+
+			echo '<script language="javascript">';
+			echo 'alert("This query is not allowed!")';
+			echo '</script>';
+			echo '<script language = "javascript">';
+			echo 'window.location.href = "/?search[tree]=&search[unfiltered]=true"';
+			echo '</script>';
+			exit();
+
+			}	
         } // if
 
         /*