[aur-dev] [PATCH 1/2] Wrap mysql_real_escape_string() in a function
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/html/account.php | 2 +- web/html/addvote.php | 10 +++++----- web/html/logout.php | 2 +- web/html/passreset.php | 4 ++-- web/html/pkgsubmit.php | 28 ++++++++++++++-------------- web/html/voters.php | 2 +- web/lib/acctfuncs.inc.php | 26 +++++++++++++------------- web/lib/aur.inc.php | 30 ++++++++++++++++++------------ web/lib/aurjson.class.php | 8 ++++---- web/lib/pkgfuncs.inc.php | 12 ++++++------ web/lib/stats.inc.php | 2 +- web/template/pkg_comment_form.php | 2 +- 12 files changed, 67 insertions(+), 61 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index ca05d1a..387fd93 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -111,7 +111,7 @@ if (isset($_COOKIE["AURSID"])) { $q.= "WHERE AccountTypes.ID = Users.AccountTypeID "; $q.= "AND Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= db_escape_string($_COOKIE["AURSID"])."'"; $result = db_query($q, $dbh); if (!mysql_num_rows($result)) { print __("Could not retrieve information for the specified user."); diff --git a/web/html/addvote.php b/web/html/addvote.php index fe3037d..f0e7d31 100644 --- a/web/html/addvote.php +++ b/web/html/addvote.php @@ -20,7 +20,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") { $error = ""; if (!empty($_POST['user'])) { - $qcheck = "SELECT * FROM Users WHERE Username = '" . mysql_real_escape_string($_POST['user']) . "'"; + $qcheck = "SELECT * FROM Users WHERE Username = '" . db_escape_string($_POST['user']) . "'"; $result = db_query($qcheck, $dbh); if ($result) { $check = mysql_num_rows($result); @@ -32,7 +32,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") { if ($check == 0) { $error.= __("Username does not exist."); } else { - $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . mysql_real_escape_string($_POST['user']) . "'"; + $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($_POST['user']) . "'"; $qcheck.= " AND End > UNIX_TIMESTAMP()"; $result = db_query($qcheck, $dbh); if ($result) { @@ -67,9 +67,9 @@ if ($atype == "Trusted User" OR $atype == "Developer") { if (!empty($_POST['addVote']) && empty($error)) { $q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES "; - $q.= "('" . mysql_real_escape_string($_POST['agenda']) . "', "; - $q.= "'" . mysql_real_escape_string($_POST['user']) . "', "; - $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . mysql_real_escape_string($len); + $q.= "('" . db_escape_string($_POST['agenda']) . "', "; + $q.= "'" . db_escape_string($_POST['user']) . "', "; + $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($len); $q.= ", " . uid_from_sid($_COOKIE["AURSID"]) . ")"; db_query($q, $dbh); diff --git a/web/html/logout.php b/web/html/logout.php index 1cdf453..45ab564 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -12,7 +12,7 @@ include_once("acctfuncs.inc.php"); # access AUR common functions if (isset($_COOKIE["AURSID"])) { $dbh = db_connect(); $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= db_escape_string($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); # setting expiration to 1 means '1 second after midnight January 1, 1970' setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); diff --git a/web/html/passreset.php b/web/html/passreset.php index 01f3204..87be1b2 100644 --- a/web/html/passreset.php +++ b/web/html/passreset.php @@ -40,8 +40,8 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir Salt = '$salt', ResetKey = '' WHERE ResetKey != '' - AND ResetKey = '".mysql_real_escape_string($resetkey)."' - AND Email = '".mysql_real_escape_string($email)."'"; + AND ResetKey = '".db_escape_string($resetkey)."' + AND Email = '".db_escape_string($email)."'"; $result = db_query($q, $dbh); if (!mysql_affected_rows($dbh)) { $error = __('Invalid e-mail and reset key combination.'); diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 36f74bf..b6b1405 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -301,7 +301,7 @@ if ($uid): $dbh = db_connect(); db_query("BEGIN", $dbh); - $q = "SELECT * FROM Packages WHERE Name = '" . mysql_real_escape_string($new_pkgbuild['pkgname']) . "'"; + $q = "SELECT * FROM Packages WHERE Name = '" . db_escape_string($new_pkgbuild['pkgname']) . "'"; $result = db_query($q, $dbh); $pdata = mysql_fetch_assoc($result); @@ -346,11 +346,11 @@ if ($uid): # Update package data $q = sprintf("UPDATE Packages SET ModifiedTS = UNIX_TIMESTAMP(), Name = '%s', Version = '%s', License = '%s', Description = '%s', URL = '%s', OutOfDateTS = NULL, MaintainerUID = %d WHERE ID = %d", - mysql_real_escape_string($new_pkgbuild['pkgname']), - mysql_real_escape_string($pkg_version), - mysql_real_escape_string($new_pkgbuild['license']), - mysql_real_escape_string($new_pkgbuild['pkgdesc']), - mysql_real_escape_string($new_pkgbuild['url']), + db_escape_string($new_pkgbuild['pkgname']), + db_escape_string($pkg_version), + db_escape_string($new_pkgbuild['license']), + db_escape_string($new_pkgbuild['pkgdesc']), + db_escape_string($new_pkgbuild['url']), $uid, $packageID); @@ -359,12 +359,12 @@ if ($uid): } else { # This is a brand new package $q = sprintf("INSERT INTO Packages (Name, License, Version, CategoryID, Description, URL, SubmittedTS, ModifiedTS, SubmitterUID, MaintainerUID) VALUES ('%s', '%s', '%s', %d, '%s', '%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), %d, %d)", - mysql_real_escape_string($new_pkgbuild['pkgname']), - mysql_real_escape_string($new_pkgbuild['license']), - mysql_real_escape_string($pkg_version), + db_escape_string($new_pkgbuild['pkgname']), + db_escape_string($new_pkgbuild['license']), + db_escape_string($pkg_version), $category_id, - mysql_real_escape_string($new_pkgbuild['pkgdesc']), - mysql_real_escape_string($new_pkgbuild['url']), + db_escape_string($new_pkgbuild['pkgdesc']), + db_escape_string($new_pkgbuild['url']), $uid, $uid); @@ -389,8 +389,8 @@ if ($uid): $q = sprintf("INSERT INTO PackageDepends (PackageID, DepName, DepCondition) VALUES (%d, '%s', '%s')", $packageID, - mysql_real_escape_string($deppkgname), - mysql_real_escape_string($depcondition)); + db_escape_string($deppkgname), + db_escape_string($depcondition)); db_query($q, $dbh); } @@ -401,7 +401,7 @@ if ($uid): foreach ($sources as $src) { if ($src != "" ) { $q = "INSERT INTO PackageSources (PackageID, Source) VALUES ("; - $q .= $packageID . ", '" . mysql_real_escape_string($src) . "')"; + $q .= $packageID . ", '" . db_escape_string($src) . "')"; db_query($q, $dbh); } } diff --git a/web/html/voters.php b/web/html/voters.php index aa2aa50..02abe29 100644 --- a/web/html/voters.php +++ b/web/html/voters.php @@ -5,7 +5,7 @@ include('pkgfuncs.inc.php'); function getvotes($pkgid) { $dbh = db_connect(); - $pkgid = mysql_real_escape_string($pkgid); + $pkgid = db_escape_string($pkgid); $result = db_query("SELECT UsersID,Username FROM PackageVotes LEFT JOIN Users on (UsersID = ID) WHERE PackageID = $pkgid ORDER BY Username", $dbh); return $result; diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 59fa730..692dd19 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -225,7 +225,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Username = '".mysql_real_escape_string($U)."'"; + $q.= "WHERE Username = '".db_escape_string($U)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -243,7 +243,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # NOTE: a race condition exists here if we care... # $q = "SELECT COUNT(*) AS CNT FROM Users "; - $q.= "WHERE Email = '".mysql_real_escape_string($E)."'"; + $q.= "WHERE Email = '".db_escape_string($E)."'"; if ($TYPE == "edit") { $q.= " AND ID != ".intval($UID); } @@ -265,7 +265,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and create the unprivileged user $salt = generate_salt(); $P = salted_hash($P, $salt); - $escaped = array_map('mysql_real_escape_string', + $escaped = array_map('db_escape_string', array($U, $E, $P, $salt, $R, $L, $I)); $q = "INSERT INTO Users (" . "AccountTypeID, Suspended, Username, Email, Passwd, Salt" . @@ -289,7 +289,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # no errors, go ahead and modify the user account $q = "UPDATE Users SET "; - $q.= "Username = '".mysql_real_escape_string($U)."'"; + $q.= "Username = '".db_escape_string($U)."'"; if ($T) { $q.= ", AccountTypeID = ".intval($T); } @@ -298,15 +298,15 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { $q.= ", Suspended = 0"; } - $q.= ", Email = '".mysql_real_escape_string($E)."'"; + $q.= ", Email = '".db_escape_string($E)."'"; if ($P) { $salt = generate_salt(); $hash = salted_hash($P, $salt); $q .= ", Passwd = '$hash', Salt = '$salt'"; } - $q.= ", RealName = '".mysql_real_escape_string($R)."'"; - $q.= ", LangPreference = '".mysql_real_escape_string($L)."'"; - $q.= ", IRCNick = '".mysql_real_escape_string($I)."'"; + $q.= ", RealName = '".db_escape_string($R)."'"; + $q.= ", LangPreference = '".db_escape_string($L)."'"; + $q.= ", IRCNick = '".db_escape_string($I)."'"; $q.= " WHERE ID = ".intval($UID); $result = db_query($q, $dbh); if (!$result) { @@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".mysql_real_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".db_escape_string($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".mysql_real_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".db_escape_string($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".mysql_real_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".db_escape_string($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".mysql_real_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' "; $search_vars[] = "I"; } switch ($SB) { @@ -716,7 +716,7 @@ function valid_user( $user ) if ( $user ) { $dbh = db_connect(); $q = "SELECT ID FROM Users WHERE Username = '" - . mysql_real_escape_string($user). "'"; + . db_escape_string($user). "'"; $result = db_query($q, $dbh); # Is the username in the database? diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index f432697..51c1eff 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -29,7 +29,7 @@ function check_sid($dbh=NULL) { $dbh = db_connect(); } $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions "; - $q.= "WHERE SessionID = '" . mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= "WHERE SessionID = '" . db_escape_string($_COOKIE["AURSID"]) . "'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) { # Invalid SessionID - hacker alert! @@ -53,7 +53,7 @@ function check_sid($dbh=NULL) { # session id timeout was reached and they must login again. # $q = "DELETE FROM Sessions WHERE SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; + $q.= db_escape_string($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); @@ -69,7 +69,7 @@ function check_sid($dbh=NULL) { # overwritten. if ($last_update < time() + $LOGIN_TIMEOUT) { $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; - $q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= "WHERE SessionID = '".db_escape_string($_COOKIE["AURSID"])."'"; db_query($q, $dbh); } } @@ -106,7 +106,7 @@ function username_from_id($id="", $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT Username FROM Users WHERE ID = " . mysql_real_escape_string($id); + $q = "SELECT Username FROM Users WHERE ID = " . db_escape_string($id); $result = db_query($q, $dbh); if (!$result) { return "None"; @@ -129,7 +129,7 @@ function username_from_sid($sid="", $dbh=NULL) { $q = "SELECT Username "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -151,7 +151,7 @@ function email_from_sid($sid="", $dbh=NULL) { $q = "SELECT Email "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -175,7 +175,7 @@ function account_from_sid($sid="", $dbh=NULL) { $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND AccountTypes.ID = Users.AccountTypeID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return ""; @@ -197,7 +197,7 @@ function uid_from_sid($sid="", $dbh=NULL) { $q = "SELECT Users.ID "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; - $q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'"; + $q.= "AND Sessions.SessionID = '" . db_escape_string($sid) . "'"; $result = db_query($q, $dbh); if (!$result) { return 0; @@ -223,6 +223,12 @@ function db_connect() { return $handle; } +# Escape strings for SQL query usage. +# Wraps the database driver's provided method (for convenience and porting). +function db_escape_string($string) { + return mysql_real_escape_string($string); +} + # disconnect from the database # this won't normally be needed as PHP/reference counting will take care of # closing the connection once it is no longer referenced @@ -290,7 +296,7 @@ function set_lang($dbh=NULL) { $q = "SELECT LangPreference FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = '"; - $q.= mysql_real_escape_string($_COOKIE["AURSID"])."'"; + $q.= db_escape_string($_COOKIE["AURSID"])."'"; $result = db_query($q, $dbh); if ($result) { @@ -355,7 +361,7 @@ function can_submit_pkg($name="", $sid="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT MaintainerUID "; - $q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'"; + $q.= "FROM Packages WHERE Name = '".db_escape_string($name)."'"; $result = db_query($q, $dbh); if (mysql_num_rows($result) == 0) {return 1;} $row = mysql_fetch_row($result); @@ -428,7 +434,7 @@ function uid_from_username($username="", $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username) + $q = "SELECT ID FROM Users WHERE Username = '".db_escape_string($username) ."'"; $result = db_query($q, $dbh); if (!$result) { @@ -449,7 +455,7 @@ function uid_from_email($email="", $dbh=NULL) if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email) + $q = "SELECT ID FROM Users WHERE Email = '".db_escape_string($email) ."'"; $result = db_query($q, $dbh); if (!$result) { diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index 3a8e830..e6e62f4 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -177,7 +177,7 @@ class AurJSON { if (is_numeric($arg)) { $id_args[] = intval($arg); } else { - $escaped = mysql_real_escape_string($arg, $this->dbh); + $escaped = db_escape_string($arg, $this->dbh); $name_args[] = "'" . $escaped . "'"; } } @@ -195,7 +195,7 @@ class AurJSON { return $this->json_error('Query arg too small'); } - $keyword_string = mysql_real_escape_string($keyword_string, $this->dbh); + $keyword_string = db_escape_string($keyword_string, $this->dbh); $keyword_string = addcslashes($keyword_string, '%_'); $where_condition = "( Name LIKE '%{$keyword_string}%' OR " . @@ -218,7 +218,7 @@ class AurJSON { } else { $where_condition = sprintf("Name=\"%s\"", - mysql_real_escape_string($pqdata, $this->dbh)); + db_escape_string($pqdata, $this->dbh)); } return $this->process_query('info', $where_condition); } @@ -260,7 +260,7 @@ class AurJSON { * @return mixed Returns an array of value data containing the package data **/ private function msearch($maintainer) { - $maintainer = mysql_real_escape_string($maintainer, $this->dbh); + $maintainer = db_escape_string($maintainer, $this->dbh); $where_condition = "Users.Username = '{$maintainer}'"; diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 3e89fa3..b078c48 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -100,7 +100,7 @@ function pkgid_from_name($name="", $dbh=NULL) { $dbh = db_connect(); } $q = "SELECT ID FROM Packages "; - $q.= "WHERE Name = '".mysql_real_escape_string($name)."' "; + $q.= "WHERE Name = '".db_escape_string($name)."' "; $result = db_query($q, $dbh); if (!$result) {return NULL;} $row = mysql_fetch_row($result); @@ -137,7 +137,7 @@ function package_required($name="", $dbh=NULL) { } $q = "SELECT p.Name, PackageID FROM PackageDepends pd "; $q.= "JOIN Packages p ON pd.PackageID = p.ID "; - $q.= "WHERE DepName = '".mysql_real_escape_string($name)."' "; + $q.= "WHERE DepName = '".db_escape_string($name)."' "; $q.= "ORDER BY p.Name"; $result = db_query($q, $dbh); if (!$result) {return array();} @@ -234,7 +234,7 @@ function pkgvotes_from_sid($sid="", $dbh=NULL) { $q.= "FROM PackageVotes, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = PackageVotes.UsersID "; - $q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'"; + $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; $result = db_query($q, $dbh); if ($result) { while ($row = mysql_fetch_row($result)) { @@ -257,7 +257,7 @@ function pkgnotify_from_sid($sid="", $dbh=NULL) { $q.= "FROM CommentNotify, Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Users.ID = CommentNotify.UserID "; - $q.= "AND Sessions.SessionID = '".mysql_real_escape_string($sid)."'"; + $q.= "AND Sessions.SessionID = '".db_escape_string($sid)."'"; $result = db_query($q, $dbh); if ($result) { while ($row = mysql_fetch_row($result)) { @@ -291,7 +291,7 @@ function pkgname_is_blacklisted($name, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } - $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . mysql_real_escape_string($name) . "'"; + $q = "SELECT COUNT(*) FROM PackageBlacklist WHERE Name = '" . db_escape_string($name) . "'"; $result = db_query($q, $dbh); if (!$result) return false; @@ -457,7 +457,7 @@ function pkg_search_page($SID="", $dbh=NULL) { } if (isset($_GET['K'])) { - $_GET['K'] = mysql_real_escape_string(trim($_GET['K'])); + $_GET['K'] = db_escape_string(trim($_GET['K'])); # Search by maintainer if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { diff --git a/web/lib/stats.inc.php b/web/lib/stats.inc.php index 2690a5c..8f0f770 100644 --- a/web/lib/stats.inc.php +++ b/web/lib/stats.inc.php @@ -20,7 +20,7 @@ function updates_table($dbh) function user_table($user, $dbh) { - $escuser = mysql_real_escape_string($user); + $escuser = db_escape_string($user); $base_q = "SELECT count(*) FROM Packages,Users WHERE Packages.MaintainerUID = Users.ID AND Users.Username='" . $escuser . "'"; $maintainer_unsupported_count = db_cache_value($base_q, $dbh, diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index e52c92d..d3b602c 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -7,7 +7,7 @@ if (isset($_REQUEST['comment'])) { $q = 'INSERT INTO PackageComments '; $q.= '(PackageID, UsersID, Comments, CommentTS) VALUES ('; $q.= intval($_REQUEST['ID']) . ', ' . uid_from_sid($_COOKIE['AURSID']) . ', '; - $q.= "'" . mysql_real_escape_string($_REQUEST['comment']) . "', "; + $q.= "'" . db_escape_string($_REQUEST['comment']) . "', "; $q.= 'UNIX_TIMESTAMP())'; db_query($q, $dbh); -- 1.7.7
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/acctfuncs.inc.php | 8 ++++---- web/lib/aur.inc.php | 5 +++++ web/lib/aurjson.class.php | 3 +-- web/lib/pkgfuncs.inc.php | 12 +++++------- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 692dd19..96a478b 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".db_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".db_escape_like($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".db_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".db_escape_like($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".db_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".db_escape_like($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' "; $search_vars[] = "I"; } switch ($SB) { diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 51c1eff..6bc36ac 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -229,6 +229,11 @@ function db_escape_string($string) { return mysql_real_escape_string($string); } +# Escape strings for usage in SQL LIKE operators. +function db_escape_like($string) { + return addcslashes(mysql_real_escape_string($string), '%_'); +} + # disconnect from the database # this won't normally be needed as PHP/reference counting will take care of # closing the connection once it is no longer referenced diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index e6e62f4..234a3c4 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -195,8 +195,7 @@ class AurJSON { return $this->json_error('Query arg too small'); } - $keyword_string = db_escape_string($keyword_string, $this->dbh); - $keyword_string = addcslashes($keyword_string, '%_'); + $keyword_string = db_escape_like($keyword_string, $this->dbh); $where_condition = "( Name LIKE '%{$keyword_string}%' OR " . "Description LIKE '%{$keyword_string}%' )"; diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index b078c48..88b18b8 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) { } if (isset($_GET['K'])) { - $_GET['K'] = db_escape_string(trim($_GET['K'])); - # Search by maintainer if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { - $q_where .= "AND Users.Username = '".$_GET['K']."' "; + $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' "; } # Search by submitter elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") { @@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) { } # Search by name elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") { - $q_where .= "AND (Name LIKE '%".$_GET['K']."%') "; + $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') "; } # Search by name (exact match) elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") { - $q_where .= "AND (Name = '".$_GET['K']."') "; + $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') "; } # Search by name and description (Default) else { - $q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR "; - $q_where .= "Description LIKE '%".$_GET['K']."%') "; + $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR "; + $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') "; } } -- 1.7.7
On Thu, Oct 20, 2011 at 1:52 AM, Lukas Fleischer <archlinux@cryptocrack.de> wrote:
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate.
Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Looks good to me.
Signed-off-by: Dan McGee <dan@archlinux.org>
--- web/lib/acctfuncs.inc.php | 8 ++++---- web/lib/aur.inc.php | 5 +++++ web/lib/aurjson.class.php | 3 +-- web/lib/pkgfuncs.inc.php | 12 +++++------- 4 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 692dd19..96a478b 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".db_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".db_escape_like($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".db_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".db_escape_like($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".db_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".db_escape_like($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' "; $search_vars[] = "I"; } switch ($SB) { diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 51c1eff..6bc36ac 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -229,6 +229,11 @@ function db_escape_string($string) { return mysql_real_escape_string($string); }
+# Escape strings for usage in SQL LIKE operators. +function db_escape_like($string) { + return addcslashes(mysql_real_escape_string($string), '%_'); +} + # disconnect from the database # this won't normally be needed as PHP/reference counting will take care of # closing the connection once it is no longer referenced diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index e6e62f4..234a3c4 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -195,8 +195,7 @@ class AurJSON { return $this->json_error('Query arg too small'); }
- $keyword_string = db_escape_string($keyword_string, $this->dbh); - $keyword_string = addcslashes($keyword_string, '%_'); + $keyword_string = db_escape_like($keyword_string, $this->dbh);
$where_condition = "( Name LIKE '%{$keyword_string}%' OR " . "Description LIKE '%{$keyword_string}%' )"; diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index b078c48..88b18b8 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) { }
if (isset($_GET['K'])) { - $_GET['K'] = db_escape_string(trim($_GET['K'])); - # Search by maintainer if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { - $q_where .= "AND Users.Username = '".$_GET['K']."' "; + $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' "; } # Search by submitter elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") { @@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) { } # Search by name elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") { - $q_where .= "AND (Name LIKE '%".$_GET['K']."%') "; + $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') "; } # Search by name (exact match) elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") { - $q_where .= "AND (Name = '".$_GET['K']."') "; + $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') "; } # Search by name and description (Default) else { - $q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR "; - $q_where .= "Description LIKE '%".$_GET['K']."%') "; + $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR "; + $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') "; } }
-- 1.7.7
participants (2)
-
Dan McGee
-
Lukas Fleischer