SQL injection vulnerabilities fixed

db/add.php

@@ -73,12 +73,8 @@ if (stristr($output, 'Set-Cookie: _diaspora_session=')) {
 }
 
 if ($valid=="1") {    
-     $pingdomurl = pg_escape_string($_POST['url']);
-     $domain = pg_escape_string($_POST['domain']);
-     $email = pg_escape_string($_POST['email']);
-    
-     $sql = "INSERT INTO pods (domain, pingdomurl, email) VALUES('$domain', '$pingdomurl', '$email')";
-     $result = pg_query($dbh, $sql);
+     $sql = "INSERT INTO pods (domain, pingdomurl, email) VALUES($1, $2, $3)";
+     $result = pg_query_params($dbh, $sql, array($_POST['domain'], $_POST['url'], $_POST['email']));
      if (!$result) {
          die("Error in SQL query: " . pg_last_error());
      }
@@ -97,4 +93,4 @@ if ($valid=="1") {
 echo "Could not validate your pod on http or https, check your setup!";
 }
 
-?>
\ No newline at end of file
+?>

db/api-more.php

@@ -6,9 +6,8 @@
  if (!$dbh) {
      die("Error in connection: " . pg_last_error());
  }  
- $domain = $_GET['url'];
- $sql = "SELECT * FROM pods WHERE domain = '$domain'";
- $result = pg_query($dbh, $sql);
+ $sql = "SELECT * FROM pods WHERE domain = $1";
+ $result = pg_query_params($dbh, $sql, array($_GET['url']));
  if (!$result) {
      die("Error in SQL query: " . pg_last_error());
  }   

db/pull.php

@@ -22,10 +22,17 @@ $debug = isset($argv[1])?1:0;
      }
 //foreach pod check it and update db
  $domain = isset($_GET['domain'])?$_GET['domain']:null;
- if ($domain) {$sql = "SELECT domain,pingdomurl,score,datecreated FROM pods WHERE domain = '$domain'";$sleep="0";} 
- else {$sql = "SELECT domain,pingdomurl,score,datecreated,adminrating FROM pods";$sleep="1";}
+ if ($domain) {
+	 $sql = "SELECT domain,pingdomurl,score,datecreated FROM pods WHERE domain = $1";
+	 $sleep="0";
+	 $result = pg_query_params($dbh, $sql, array($domain));
+ } 
+ else {
+	 $sql = "SELECT domain,pingdomurl,score,datecreated,adminrating FROM pods";
+	 $sleep="1";
+	 $result = pg_query($dbh, $sql);
+ }
 
- $result = pg_query($dbh, $sql);
  if (!$result) {
      die("Error in SQL query1: " . pg_last_error());
  }
@@ -38,8 +45,8 @@ $debug = isset($argv[1])?1:0;
      $admindb = $row[$i]['adminrating'];
 //get ratings
  $userrate=0;$adminrate=0;$userratingavg = array();$adminratingavg = array();$userrating = array();$adminrating = array();
- $sqlforr = "SELECT * FROM rating_comments WHERE domain = '$domain'";
- $ratings = pg_query($dbh, $sqlforr);
+ $sqlforr = "SELECT * FROM rating_comments WHERE domain = $1";
+ $ratings = pg_query_params($dbh, $sqlforr, array($domain));
  if (!$ratings) {
      die("Error in SQL query2: " . pg_last_error());
  }
@@ -263,15 +270,14 @@ $pingdomdate =  date('Y-m-d H:i:s');
 }
 //sql it
      $timenow = date('Y-m-d H:i:s');
-     $city = pg_escape_string($city);    
-     $sql = "UPDATE pods SET Hgitdate='$gitdate', Hencoding='$encoding', secure='$secure', hidden='$hidden', Hruntime='$runtime', Hgitref='$gitrev', ip='$ipnum', ipv6='$ipv6', monthsmonitored='$months', 
-uptimelast7='$uptime', status='$live', dateLaststats='$pingdomdate', dateUpdated='$timenow', responsetimelast7='$responsetime', score='$score', adminrating='$adminrating', country='$country', city='$city', 
-state='$state', lat='$lat', long='$long', postalcode='', connection='$dver', whois='$whois', userrating='$userrating', longversion='$xdver[1]', shortversion='$dver', 
-masterversion='$masterversion' 
+     $sql = "UPDATE pods SET Hgitdate=$1, Hencoding=$2, secure=$3, hidden=$4, Hruntime=$5, Hgitref=$6, ip=$7, ipv6=$8, monthsmonitored=$9, 
+uptimelast7=$10, status$11', dateLaststats=$12, dateUpdated=$13, responsetimelast7=$14, score=$15, adminrating=$16, country=$17, city=$18, 
+state=$19, lat=$20, long=$21, postalcode='', connection=$22, whois=$23, userrating=$24, longversion=$25, shortversion=$26, 
+masterversion=$27 
 WHERE 
-domain='$domain'";
+domain=$28";
      if ($debug) {echo "SQL: ".$sql."<br>";}
-     $result = pg_query($dbh, $sql);
+     $result = pg_query_params($dbh, $sql, array($gitdate, $encoding, $secure, $hidden, $runtime, $gitrev, $ipnum, $ipv6, $months, $uptime, $live, $pingdomdate, $timenow, $responsetime, $score, $adminrating, $country, $city, $state, $lat, $long, $dver, $whois, $userrating, $xdver[1], $dver, $masterversion, $domain));
      if (!$result) {
          die("Error in SQL query3: " . pg_last_error());
      }

db/saverating.php

@@ -21,17 +21,12 @@ if (!$_POST['rating']){
  die;
 }
 
-$domain = pg_escape_string($_POST['domain']);
-$comment = pg_escape_string($_POST['comment']);
-$rating = pg_escape_string($_POST['rating']);
-$username = pg_escape_string($_POST['username']);
-$userurl = pg_escape_string($_POST['userurl']);
  $dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass");
      if (!$dbh) {
          die("Error in connection: " . pg_last_error());
      }
-     $sql = "INSERT INTO rating_comments (domain, comment, rating, username, userurl) VALUES('$domain', '$comment', '$rating', '$username', '$userurl')";
-     $result = pg_query($dbh, $sql);
+     $sql = "INSERT INTO rating_comments (domain, comment, rating, username, userurl) VALUES($1, $2, $3, $4, $5)";
+     $result = pg_query_params($dbh, $sql, array($_POST['domain'], $_POST['comment'], $_POST['rating'], $_POST['username'], $_POST['userurl']));
      if (!$result) {
          die("Error in SQL query: " . pg_last_error());
      }

rate.php

@@ -40,11 +40,11 @@ $("#rating").prop( "value", value )
  if (!$dbh) {
      die("Error in connection: " . pg_last_error());
  }  
- if ($_GET['domain']) {
- $domain = $_GET['domain'];
- $sql = "SELECT * FROM rating_comments WHERE domain = '$domain'";
- } 
- $result = pg_query($dbh, $sql);
+ if (~ $_GET['domain']) {
+     die(domain not specified);
+ }
+ $sql = "SELECT * FROM rating_comments WHERE domain = $1";
+ $result = pg_query_params($dbh, $sql, array($_GET['domain']));
  if (!$result) {
      die("Error in SQL query: " . pg_last_error());
  }