Commit bd16374a authored by David Morley's avatar David Morley

Merge pull request #13 from votacom/master

SQL security fix
parents d061f628 55d101e7
...@@ -73,12 +73,8 @@ if (stristr($output, 'Set-Cookie: _diaspora_session=')) { ...@@ -73,12 +73,8 @@ if (stristr($output, 'Set-Cookie: _diaspora_session=')) {
} }
if ($valid=="1") { if ($valid=="1") {
$pingdomurl = pg_escape_string($_POST['url']); $sql = "INSERT INTO pods (domain, pingdomurl, email) VALUES($1, $2, $3)";
$domain = pg_escape_string($_POST['domain']); $result = pg_query_params($dbh, $sql, array($_POST['domain'], $_POST['url'], $_POST['email']));
$email = pg_escape_string($_POST['email']);
$sql = "INSERT INTO pods (domain, pingdomurl, email) VALUES('$domain', '$pingdomurl', '$email')";
$result = pg_query($dbh, $sql);
if (!$result) { if (!$result) {
die("Error in SQL query: " . pg_last_error()); die("Error in SQL query: " . pg_last_error());
} }
...@@ -97,4 +93,4 @@ if ($valid=="1") { ...@@ -97,4 +93,4 @@ if ($valid=="1") {
echo "Could not validate your pod on http or https, check your setup!"; echo "Could not validate your pod on http or https, check your setup!";
} }
?> ?>
\ No newline at end of file
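Review bot: The three `$_POST` values bound on the `pg_query_params` line are read without any `isset` check, so a request missing `domain`, `url` or `email` raises a PHP notice and (per the pg_query_params contract) binds NULL for that column instead of being rejected. Parameterising closes the injection path but nothing in this hunk constrains `url` or `email`; the `$valid=="1"` condition presumably covers the pod check only. A guard before the insert such as `foreach (array('domain', 'url', 'email') as $k) { if (!isset($_POST[$k]) || $_POST[$k] === '') { die("missing $k"); } }` would keep half-filled rows out of `pods`. The enclosing `if ($valid=="1")` block continues outside the hunk.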
...@@ -6,9 +6,8 @@ ...@@ -6,9 +6,8 @@
if (!$dbh) { if (!$dbh) {
die("Error in connection: " . pg_last_error()); die("Error in connection: " . pg_last_error());
} }
$domain = $_GET['url']; $sql = "SELECT * FROM pods WHERE domain = $1";
$sql = "SELECT * FROM pods WHERE domain = '$domain'"; $result = pg_query_params($dbh, $sql, array($_GET['url']));
$result = pg_query($dbh, $sql);
if (!$result) { if (!$result) {
die("Error in SQL query: " . pg_last_error()); die("Error in SQL query: " . pg_last_error());
} }
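Review bot: `$_GET['url']` is bound straight into the `domain = $1` lookup on the `pg_query_params` line without checking it is present, so a request without `url` produces a PHP notice and a query against NULL that silently returns no rows rather than an error. A presence check before `$sql` is built, `if (empty($_GET['url'])) { die("url not specified"); }`, rejects the request up front and matches the missing-parameter handling the other lookup scripts in this commit are moving towards.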
......
...@@ -22,10 +22,17 @@ $debug = isset($argv[1])?1:0; ...@@ -22,10 +22,17 @@ $debug = isset($argv[1])?1:0;
} }
//foreach pod check it and update db //foreach pod check it and update db
$domain = isset($_GET['domain'])?$_GET['domain']:null; $domain = isset($_GET['domain'])?$_GET['domain']:null;
if ($domain) {$sql = "SELECT domain,pingdomurl,score,datecreated FROM pods WHERE domain = '$domain'";$sleep="0";} if ($domain) {
else {$sql = "SELECT domain,pingdomurl,score,datecreated,adminrating FROM pods";$sleep="1";} $sql = "SELECT domain,pingdomurl,score,datecreated FROM pods WHERE domain = $1";
$sleep="0";
$result = pg_query_params($dbh, $sql, array($domain));
}
else {
$sql = "SELECT domain,pingdomurl,score,datecreated,adminrating FROM pods";
$sleep="1";
$result = pg_query($dbh, $sql);
}
$result = pg_query($dbh, $sql);
if (!$result) { if (!$result) {
die("Error in SQL query1: " . pg_last_error()); die("Error in SQL query1: " . pg_last_error());
} }
...@@ -38,8 +45,8 @@ $debug = isset($argv[1])?1:0; ...@@ -38,8 +45,8 @@ $debug = isset($argv[1])?1:0;
$admindb = $row[$i]['adminrating']; $admindb = $row[$i]['adminrating'];
//get ratings //get ratings
$userrate=0;$adminrate=0;$userratingavg = array();$adminratingavg = array();$userrating = array();$adminrating = array(); $userrate=0;$adminrate=0;$userratingavg = array();$adminratingavg = array();$userrating = array();$adminrating = array();
$sqlforr = "SELECT * FROM rating_comments WHERE domain = '$domain'"; $sqlforr = "SELECT * FROM rating_comments WHERE domain = $1";
$ratings = pg_query($dbh, $sqlforr); $ratings = pg_query_params($dbh, $sqlforr, array($domain));
if (!$ratings) { if (!$ratings) {
die("Error in SQL query2: " . pg_last_error()); die("Error in SQL query2: " . pg_last_error());
} }
...@@ -263,15 +270,14 @@ $pingdomdate = date('Y-m-d H:i:s'); ...@@ -263,15 +270,14 @@ $pingdomdate = date('Y-m-d H:i:s');
} }
//sql it //sql it
$timenow = date('Y-m-d H:i:s'); $timenow = date('Y-m-d H:i:s');
$city = pg_escape_string($city); $sql = "UPDATE pods SET Hgitdate=$1, Hencoding=$2, secure=$3, hidden=$4, Hruntime=$5, Hgitref=$6, ip=$7, ipv6=$8, monthsmonitored=$9,
$sql = "UPDATE pods SET Hgitdate='$gitdate', Hencoding='$encoding', secure='$secure', hidden='$hidden', Hruntime='$runtime', Hgitref='$gitrev', ip='$ipnum', ipv6='$ipv6', monthsmonitored='$months', uptimelast7=$10, status$11', dateLaststats=$12, dateUpdated=$13, responsetimelast7=$14, score=$15, adminrating=$16, country=$17, city=$18,
uptimelast7='$uptime', status='$live', dateLaststats='$pingdomdate', dateUpdated='$timenow', responsetimelast7='$responsetime', score='$score', adminrating='$adminrating', country='$country', city='$city', state=$19, lat=$20, long=$21, postalcode='', connection=$22, whois=$23, userrating=$24, longversion=$25, shortversion=$26,
state='$state', lat='$lat', long='$long', postalcode='', connection='$dver', whois='$whois', userrating='$userrating', longversion='$xdver[1]', shortversion='$dver', masterversion=$27
masterversion='$masterversion'
WHERE WHERE
domain='$domain'"; domain=$28";
if ($debug) {echo "SQL: ".$sql."<br>";} if ($debug) {echo "SQL: ".$sql."<br>";}
$result = pg_query($dbh, $sql); $result = pg_query_params($dbh, $sql, array($gitdate, $encoding, $secure, $hidden, $runtime, $gitrev, $ipnum, $ipv6, $months, $uptime, $live, $pingdomdate, $timenow, $responsetime, $score, $adminrating, $country, $city, $state, $lat, $long, $dver, $whois, $userrating, $xdver[1], $dver, $masterversion, $domain));
if (!$result) { if (!$result) {
die("Error in SQL query3: " . pg_last_error()); die("Error in SQL query3: " . pg_last_error());
} }
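Review bot: The rewritten UPDATE statement is malformed: the `status` assignment reads `status$11'`, missing the `=` and carrying a stray quote, so Postgres rejects every call with a syntax error and the script stops at the `Error in SQL query3` die. The line should read `uptimelast7=$10, status=$11, dateLaststats=$12, dateUpdated=$13, responsetimelast7=$14, score=$15, adminrating=$16, country=$17, city=$18,`. The 28 placeholders do line up with the 28-element array passed to `pg_query_params`, but `$xdver[1]` is read unguarded and would bind NULL for `longversion` if that index is unset. The loop enclosing this hunk starts outside it.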
......
...@@ -21,17 +21,12 @@ if (!$_POST['rating']){ ...@@ -21,17 +21,12 @@ if (!$_POST['rating']){
die; die;
} }
$domain = pg_escape_string($_POST['domain']);
$comment = pg_escape_string($_POST['comment']);
$rating = pg_escape_string($_POST['rating']);
$username = pg_escape_string($_POST['username']);
$userurl = pg_escape_string($_POST['userurl']);
$dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass"); $dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass");
if (!$dbh) { if (!$dbh) {
die("Error in connection: " . pg_last_error()); die("Error in connection: " . pg_last_error());
} }
$sql = "INSERT INTO rating_comments (domain, comment, rating, username, userurl) VALUES('$domain', '$comment', '$rating', '$username', '$userurl')"; $sql = "INSERT INTO rating_comments (domain, comment, rating, username, userurl) VALUES($1, $2, $3, $4, $5)";
$result = pg_query($dbh, $sql); $result = pg_query_params($dbh, $sql, array($_POST['domain'], $_POST['comment'], $_POST['rating'], $_POST['username'], $_POST['userurl']));
if (!$result) { if (!$result) {
die("Error in SQL query: " . pg_last_error()); die("Error in SQL query: " . pg_last_error());
} }
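Review bot: `$_POST['rating']` goes into the insert as whatever string the client sent; the only check on it (`if (!$_POST['rating'])`, just above the hunk) rejects empty values, not non-numeric or out-of-range ones. Parameterising removes the injection path but not the need to validate, so `$rating = filter_var($_POST['rating'], FILTER_VALIDATE_INT); if ($rating === false) { die("invalid rating"); }` before the query, with the allowed range added once the column definition is known, would be worth adding and then binding `$rating` instead of the raw value. The remaining `$_POST` keys on the `pg_query_params` line are likewise read without `isset`, so a missing key yields a notice and a NULL parameter.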
......
...@@ -40,11 +40,11 @@ $("#rating").prop( "value", value ) ...@@ -40,11 +40,11 @@ $("#rating").prop( "value", value )
if (!$dbh) { if (!$dbh) {
die("Error in connection: " . pg_last_error()); die("Error in connection: " . pg_last_error());
} }
if ($_GET['domain']) { if (~ $_GET['domain']) {
$domain = $_GET['domain']; die("domain not specified");
$sql = "SELECT * FROM rating_comments WHERE domain = '$domain'"; }
} $sql = "SELECT * FROM rating_comments WHERE domain = $1";
$result = pg_query($dbh, $sql); $result = pg_query_params($dbh, $sql, array($_GET['domain']));
if (!$result) { if (!$result) {
die("Error in SQL query: " . pg_last_error()); die("Error in SQL query: " . pg_last_error());
} }
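Review bot: The new presence check `if (~ $_GET['domain'])` uses the bitwise-NOT operator rather than logical negation: for a supplied domain it negates the string's bytes and yields a non-empty, truthy string, so the script dies with "domain not specified" exactly when a domain was given, and when the key is absent `~` on null is an error in PHP 7 and later rather than a clean rejection. The guard should be `if (empty($_GET['domain'])) { die("domain not specified"); }` so the parameterised query on the following lines is reached only with a real value.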
......