[AppDB] - protect sql insert statements from injection attacks
Tony Lambregts
tony.lambregts at gmail.com
Thu Jun 22 21:21:27 CDT 2006
Chris Morgan wrote:
> Change compile_insert_string() to compile_insert_array() and add a new first
> parameter of $sTable that represents the table you are building the insert
> statement for. The output of compile_insert_array() is passed to
> query_insert() to perform the insertion. Change all existing calls of
> compile_insert_string() to compile_insert_array() and specify the table as
> the first parameter. Make all instances of sql inserts that didn't use
> compile_insert_string() use compile_insert_array().
>
> The use of mysql_real_escape_string() inside of compile_insert_array()
> protects the insert statement from sql injection attacks.
>
> Chris
>
>
Just a couple of nits
This Could have been broken before but when I try to edit a bundle I
get: *Database Error!*
Query: SELECT bundleId, appBundle.appId, appName FROM appBundle,
appFamily WHERE bundleId = AND appFamily.appId = appBundle.appId
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 'AND
appFamily.appId = appBundle.appId' at line 1
This is probably broken from before (makesafe?) but I cannot create a
new distribution.
Here is a big one though. I cannot create a new account. I just get a
blank screen. This is .new see below
You could have broken the patch in two IE:
Change log: The use of mysql_real_escape_string() on inserts to protect
from sql injection attacks.
Files changed:
include/application.php /
include/bugs.php /
include/category.php /
include/comment.php /
include/db.php /
include/distributions.php
include/monitor.php /
include/note.php /
include/screenshot.php
include/testResults.php /
include/url.php /
include/user.php /
include/util.php /
include/vendor.php /
include/version.php /
Change log: Make all remaining instances of sql inserts use
compile_insert_array().
Files changed:
maintainersubmit.php /
admin/adminAppDataQueue.php /
admin/editBundle.php /
include/appdb.php /
include/vote.php /
I'm not say you should have just that it could have been done that way.
You should include the "change log:" and "files changed:" to the patch
the files. "Changed files: really helps in that it gives you an
overview of the scope of the patch.
>
> ------------------------------------------------------------------------
>
> ? compile_insert_array.patch
> ? hits_table_alter
> ? injection_protect.patch
> ? injection_protect2.patch
> ? limittestresults.patch4
> ? vote_table_alter
> ? data/screenshots
Last really trivial nit (these are not really part of the patch)
> Index: include/user.php
> ===================================================================
> RCS file: /opt/cvs-commit/appdb/include/user.php,v
> retrieving revision 1.67
> diff -u -r1.67 user.php
> --- include/user.php 21 Jun 2006 01:04:13 -0000 1.67
> +++ include/user.php 22 Jun 2006 20:07:17 -0000
> @@ -83,14 +83,15 @@
> return false;
> } else
> {
> - $aInsert = compile_insert_string(array( 'realname' =>
> $sRealname,
> - 'email' => $sEmail,
> - 'CVSrelease' =>
> $sWineRelease ));
> + $aInsert = compile_insert_array("user_list",
> + array( 'realname' =>
> $sRealname,
> + 'email' =>
> $sEmail,
> + 'CVSrelease' =>
> $sWineRelease,
> + 'password' =>
> password($sPassword),
> + 'stamp' =>
> "NOW()",
> + 'created' =>
> "NOW()"));
>
I remember fighting with this before. password() and NOW() cannot be
put into the array like this I do not have an easy answer for this at
all at this point
> - $sFields = "({$aInsert['FIELDS']}, `password`, `stamp`,
> `created`)";
> - $sValues = "({$aInsert['VALUES']},
> password('".$sPassword."'), NOW(), NOW() )";
> -
> - query_appdb("INSERT INTO user_list $sFields VALUES
> $sValues", "Error while creating a new user.");
> + query_insert($aInsert, "Error while creating a new user.");
>
> $retval = $this->login($sEmail, $sPassword);
> $this->setPref("comments:mode", "threaded"); /* set the
> users default comments:mode to threaded */
> @@ -183,7 +184,11 @@
> return false;
>
> $hResult = query_appdb("DELETE FROM user_prefs WHERE userid =
> ".$this->iUserId." AND name = '$sKey'");
> - $hResult = query_appdb("INSERT INTO user_prefs
> VALUES(".$this->iUserId.", '$sKey', '$sValue')");
> + $aInsert = compile_insert_array("user_prefs",
> + array( 'userid' =>
> $this->iUserId,
> + 'name' => $sKey,
> + 'value' => $sValue));
> + $hResult = query_insert($aInsert);
> return $hResult;
> }
>
Other than that its clean. We need to find a way of fixing new
accounts though.
--
Tony Lambregts
More information about the wine-patches
mailing list