appdb/include tableve.php

WineHQ wineowner at wine.codeweavers.com
Tue Apr 24 18:36:11 CDT 2007


ChangeSet ID:	31102
CVSROOT:	/opt/cvs-commit
Module name:	appdb
Changes by:	wineowner at winehq.org	2007/04/24 18:36:10

Modified files:
	include        : tableve.php 

Log message:
	Alexander Nicolaysen Sørnes <alex at thehandofagony.com>
	Fix TableVE::make_option_list's where handling to prevent sql injection

Patch: http://cvs.winehq.org/patch.py?id=31102

Old revision  New revision  Changes     Path
 1.13          1.14          +15 -9      appdb/include/tableve.php

Index: appdb/include/tableve.php
diff -u -p appdb/include/tableve.php:1.13 appdb/include/tableve.php:1.14
--- appdb/include/tableve.php:1.13	24 Apr 2007 23:36:10 -0000
+++ appdb/include/tableve.php	24 Apr 2007 23:36:10 -0000
@@ -171,23 +171,29 @@ class TableVE {
         echo html_frame_end();
     }
 
-    function make_option_list($varname, $cvalue, $table, $idField, $nameField, $where = "")
+    function make_option_list($sVarname, $sCvalue, $sTable, $sIdField, $sNameField, $aWhere = null)
     {
-        $hResult = query_parameters("SELECT ?, ? FROM ? ? ORDER BY '?'",
-                                $idField, $nameField, $table, $where, $nameField);
+        /* We do not allow direct insertion into of SQL code, so the WHERE clause is
+           is accepted in an array form, where the first element is the variable
+           and the second is the value it must be equal to */
+        if($aWhere)
+            $sWhere = "WHERE ".$aWhere[0]." ='".$aWhere[1]."'";
+
+        $hResult = query_parameters("SELECT ?, ? FROM ? $sWhere ORDER BY '?'",
+                                $sIdField, $sNameField, $sTable, $sNameField);
         if(!$hResult)
             return; // Oops
 
-        echo "<select name='$varname'>\n";
+        echo "<select name='$sVarname'>\n";
         echo "<option value=0>Choose ...</option>\n";
-        while(list($id, $name) = mysql_fetch_row($hResult))
+        while(list($iId, $sName) = mysql_fetch_row($hResult))
         {
-            if ($name == "NONAME")
+            if ($sName == "NONAME")
                 continue;
-            if($id == $cvalue)
-                echo "<option value=$id selected>$name\n";
+            if($iId == $sCvalue)
+                echo "<option value=$iId selected>$sName\n";
             else
-                echo "<option value=$id>$name\n";
+                echo "<option value=$iId>$sName\n";
         }
         echo "</select>\n";
     }
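Review bot: The value half of the array-form WHERE is still concatenated straight into the SQL string (`" ='".$aWhere[1]."'"` on the new `$sWhere` line), so a value containing a single quote breaks out of the literal and the injection the log message says it fixes remains for any caller that passes request-derived data here. Bind it with a `?` placeholder like the other arguments instead, assuming query_parameters escapes the values it substitutes — which is what the rest of the call already relies on. Splitting the call into the two shapes also avoids referencing `$sWhere` when `$aWhere` is null, where it is otherwise undefined. `$aWhere[0]` (the column name) still cannot be bound and remains interpolated, so that element must only ever come from a hard-coded caller constant, which is worth stating in the comment above the `if`.
```php
        if($aWhere)
            $hResult = query_parameters("SELECT ?, ? FROM ? WHERE ".$aWhere[0]." = ? ORDER BY '?'",
                                        $sIdField, $sNameField, $sTable, $aWhere[1], $sNameField);
        else
            $hResult = query_parameters("SELECT ?, ? FROM ? ORDER BY '?'",
                                        $sIdField, $sNameField, $sTable, $sNameField);
        // … unchanged: result check and <select> output loop …
```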


