From 5113776a42d0bc7ff8ed2db8619045d3ffb164a9 Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Fri, 3 Jun 2011 11:09:25 +0200 Subject: [PATCH 1/5] include/pages/admin_faq cleanup --- includes/pages/admin_faq.php | 46 ++++++++++++++++++++++++++---------- includes/sys_page.php | 8 +++++++ 2 files changed, 41 insertions(+), 13 deletions(-) diff --git a/includes/pages/admin_faq.php b/includes/pages/admin_faq.php index 5b9a338f..b8ba1a64 100644 --- a/includes/pages/admin_faq.php +++ b/includes/pages/admin_faq.php @@ -4,8 +4,14 @@ function admin_faq() { $faqs_html = ""; $faqs = sql_select("SELECT * FROM `FAQ`"); foreach ($faqs as $faq) { - $faqs_html .= '
' . $faq['Frage_de'] . '
' . $faq['Antwort_de'] . '
' . $faq['Frage_en'] . '
' . $faq['Antwort_en'] . '
'; - $faqs_html .= 'Edit'; + $faqs_html .= sprintf( + '
%s
%s
' + . '
%s
%s
' + . 'Edit', + $faq['Frage_de'], $faq['Antwort_de'], + $faq['Frage_en'], $faq['Antwort_en'], + page_link_to('admin_faq'), $faq['FID'] + ); } return template_render('../templates/admin_faq.html', array ( 'link' => page_link_to("admin_faq"), @@ -14,11 +20,18 @@ function admin_faq() { } else { switch ($_REQUEST['action']) { case 'create' : - $frage = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['frage'])); - $antwort = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['antwort'])); - $question = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['question'])); - $answer = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['answer'])); - sql_query("INSERT INTO `FAQ` SET `Frage_de`='" . sql_escape($frage) . "', `Frage_en`='" . sql_escape($question) . "', `Antwort_de`='" . sql_escape($antwort) . "', `Antwort_en`='" . sql_escape($answer) . "'"); + $frage = strip_request_item_nl('frage'); + $antwort = strip_request_item_nl('antwort'); + $question = strip_request_item_nl('question'); + $answer = strip_request_item_nl('answer'); + + sql_query("INSERT INTO `FAQ` SET `Frage_de`='" . sql_escape($frage) + . "', `Frage_en`='" . sql_escape($question) + . "', `Antwort_de`='" . sql_escape($antwort) + . "', `Antwort_en`='" . sql_escape($answer) + . "'" + ); + header("Location: " . page_link_to("admin_faq")); break; 
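Review bot: Every `%s` in the new format string receives a database value with no HTML escaping — the four FAQ texts go into element content and `$faq['FID']` apparently into the edit link's URL. For FAQ text this is partly mitigated on the write side by `strip_request_item_nl` (the create and edit hunks below strip `<` and `>` before storing), but the same sprintf pattern is introduced in admin_groups (`$group['Name']`, the joined privilege names), guest_faq and user_messages (`UID2Nick(...)`, `$message['Text']`, the greeting's `$user['Nick']`), where nothing visible on this page sanitises the value, and the guest_login hunk stores `$_POST["Nick"]` with SQL escaping only. Since the rewrite already routes each value through a single sprintf call, escaping there is cheap: `htmlspecialchars($faq['Frage_de'], ENT_QUOTES, 'UTF-8')` for each text argument and `(int) $faq['FID']` for the URL, assuming FID is an integer column, which the hunk does not show.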
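Review bot: The create branch reads its fields through `$_REQUEST`, so the insert is reachable by a plain GET link and carries no CSRF protection; a state-changing admin action should accept `$_POST` only and verify a per-session token before the `sql_query`. The new `header("Location: " . page_link_to("admin_faq"));` is followed by `break;` rather than `exit`, so the function continues after the switch and may still emit output behind the redirect header — what follows the switch is outside the hunk, so confirm it returns immediately. Both points apply equally to the edit branch in the next hunk.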
@@ -32,11 +45,18 @@ function admin_faq() { if (count($faq) > 0) { list ($faq) = $faq; - $frage = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['frage'])); - $antwort = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['antwort'])); - $question = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['question'])); - $answer = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($_REQUEST['answer'])); - sql_query("UPDATE `FAQ` SET `Frage_de`='" . sql_escape($frage) . "', `Frage_en`='" . sql_escape($question) . "', `Antwort_de`='" . sql_escape($antwort) . "', `Antwort_en`='" . sql_escape($answer) . "' WHERE `FID`=" . sql_escape($id) . " LIMIT 1"); + $frage = strip_request_item_nl('frage'); + $antwort = strip_request_item_nl('antwort'); + $question = strip_request_item_nl('question'); + $answer = strip_request_item_nl('answer'); + + sql_query("UPDATE `FAQ` SET `Frage_de`='" . sql_escape($frage) + . "', `Frage_en`='" . sql_escape($question) + . "', `Antwort_de`='" . sql_escape($antwort) + . "', `Antwort_en`='" . sql_escape($answer) + . "' WHERE `FID`=" . sql_escape($id) . " LIMIT 1" + ); + header("Location: " . page_link_to("admin_faq")); } else return error("No FAQ found."); @@ -82,4 +102,4 @@ function admin_faq() { } } } -?> \ No newline at end of file +?> diff --git a/includes/sys_page.php b/includes/sys_page.php index 2af5f729..e499cd57 100644 --- a/includes/sys_page.php +++ b/includes/sys_page.php @@ -8,6 +8,14 @@ function strip_request_item($name) { ); } +function strip_request_item_nl($name) { + return preg_replace( + "/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", + '', + strip_tags($_REQUEST[$name]) + ); +} + function error($msg) { return '
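Review bot: In `. "' WHERE `FID`=" . sql_escape($id) . " LIMIT 1"` the value is placed into the statement unquoted, and `sql_escape` only neutralises quote and backslash characters (assuming it wraps the driver's string-escape function, which is not shown), so it gives no protection at a bare numeric position; `$id` is presumably request-derived, its assignment being outside the hunk. Cast or quote it: `. "' WHERE `FID`=" . (int) $id . " LIMIT 1"`. The same unquoted-escape pattern appears with `sql_escape($group['UID'])` in admin_groups and `sql_escape($user['UID'])` in user_messages; those values come from a database or session row, so the exposure is lower, but an integer cast would make the intent explicit there as well.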

' . $msg . '

'; } From 93dd7113b13b06de1701b216b77bb73e76421fb5 Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Fri, 3 Jun 2011 11:17:09 +0200 Subject: [PATCH 2/5] admin_groups minor cleanup --- includes/pages/admin_groups.php | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/includes/pages/admin_groups.php b/includes/pages/admin_groups.php index 5d9d8180..842640d8 100644 --- a/includes/pages/admin_groups.php +++ b/includes/pages/admin_groups.php @@ -7,15 +7,23 @@ function admin_groups() { if (!isset ($_REQUEST["action"])) { $groups_html = ""; foreach ($groups as $group) { - $groups_html .= ''; - $groups_html .= '' . $group['Name'] . ''; + $groups_html .= sprintf( + '%s', + $group['Name'] + ); $privileges = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`=" . sql_escape($group['UID'])); $privileges_html = array (); + foreach ($privileges as $priv) $privileges_html[] = $priv['name']; - $groups_html .= '' . join(", ", $privileges_html) . ''; - $groups_html .= 'Ändern'; - $groups_html .= ''; + + $groups_html .= sprintf( + '%s' + . 'Ändern', + join(', ', $privileges_html), + page_link_to("admin_groups"), + $group['UID'] + ); } return template_render('../templates/admin_groups.html', array ( From 554bd796dc7aed67b6810e2ae3f30ba66bf263e3 Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Fri, 3 Jun 2011 11:24:22 +0200 Subject: [PATCH 3/5] includes/sys_auth: Add sql_escape, just to be safe --- includes/sys_auth.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/includes/sys_auth.php b/includes/sys_auth.php index 68e336b0..009be2d8 100644 --- a/includes/sys_auth.php +++ b/includes/sys_auth.php 
@@ -19,7 +19,10 @@ function load_auth() { if (count($user) > 0) { // User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten list ($user) = $user; - sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . $_SESSION['uid'] . "' LIMIT 1;"); + sql_query("UPDATE `User` SET " + . "`lastLogIn` = '" . time() . "'" + . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;" + ); } else unset ($_SESSION['uid']); } @@ -52,4 +55,4 @@ function PassCrypt($passwort) { return md5($passwort); } } -?> \ No newline at end of file +?> From 70de7e5a1dd96c47c48eb45498004d219bec1283 Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Fri, 3 Jun 2011 11:34:54 +0200 Subject: [PATCH 4/5] guest_login: Cleanup, fix sql injection --- includes/pages/guest_faq.php | 14 ++++++--- includes/pages/guest_login.php | 56 ++++++++++++++++++++++++---------- 2 files changed, 50 insertions(+), 20 deletions(-) diff --git a/includes/pages/guest_faq.php b/includes/pages/guest_faq.php index c4bcd0bb..2799cbaf 100644 --- a/includes/pages/guest_faq.php +++ b/includes/pages/guest_faq.php @@ -5,11 +5,17 @@ function guest_faq() { foreach ($faqs as $faq) { $html .= "
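Review bot: Escaping `$_SESSION['uid']` is correct defence in depth, but the row just loaded on the context line `list ($user) = $user;` already carries the authoritative id, so `sql_escape($user['UID'])` would tie the update to the record that was actually found rather than to the raw session value. Keeping the value quoted is what makes the string escape effective; if `UID` is an integer column, an `(int)` cast would state that explicitly. As a follow-up outside this hunk, `PassCrypt` in the same file (visible as context in the next hunk) still returns `md5($passwort)`; unsalted MD5 is not an acceptable password hash and should move to `password_hash`/`password_verify`, with `password_needs_rehash` on login to migrate existing rows.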
"; if ($_SESSION['Sprache'] == "DE") { - $html .= "
" . $faq['Frage_de'] . "
"; - $html .= "
" . $faq['Antwort_de'] . "
"; + $html .= sprintf( + '
%s
%s
', + $faq['frage_de'], + $faq['antwort_de'] + ); } else { - $html .= "
" . $faq['Frage_en'] . "
"; - $html .= "
" . $faq['Antwort_en'] . "
"; + $html .= sprintf( + '
%s
%s
', + $faq['frage_en'], + $faq['antwort_en'] + ); } $html .= "
"; } diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php index bbf36b6d..db20a207 100644 --- a/includes/pages/guest_login.php +++ b/includes/pages/guest_login.php @@ -16,12 +16,25 @@ function guest_register() { $Ergans = sql_select("SELECT UID FROM `User` WHERE `Nick`='" . sql_escape($_POST["Nick"]) . "'"); if (strlen($_POST["Nick"]) < 2) - $error = Get_Text("makeuser_error_nick1") . $_POST["Nick"] . Get_Text("makeuser_error_nick2"); - elseif (count($Ergans) > 0) $error = Get_Text("makeuser_error_nick1") . $_POST["Nick"] . Get_Text("makeuser_error_nick3"); - elseif (strlen($_POST["email"]) <= 6 && strstr($_POST["email"], "@") == FALSE && strstr($_POST["email"], ".") == false) $error = Get_Text("makeuser_error_mail"); - elseif (!is_numeric($_POST["Alter"])) $error = Get_Text("makeuser_error_Alter"); - elseif ($_POST["Passwort"] != $_POST["Passwort2"]) $error = Get_Text("makeuser_error_password1"); - elseif (strlen($_POST["Passwort"]) < 6) $error = Get_Text("makeuser_error_password2"); + $error = Get_Text("makeuser_error_nick1") + . $_POST["Nick"] . Get_Text("makeuser_error_nick2"); + + elseif (count($Ergans) > 0) + $error = Get_Text("makeuser_error_nick1") + . $_POST["Nick"] . Get_Text("makeuser_error_nick3"); + + elseif (strlen($_POST["email"]) <= 6 && strstr($_POST["email"], "@") == FALSE && strstr($_POST["email"], ".") == false) + $error = Get_Text("makeuser_error_mail"); + + elseif (!is_numeric($_POST["Alter"])) + $error = Get_Text("makeuser_error_Alter"); + + elseif ($_POST["Passwort"] != $_POST["Passwort2"]) + $error = Get_Text("makeuser_error_password1"); + + elseif (strlen($_POST["Passwort"]) < 6) + $error = Get_Text("makeuser_error_password2"); + else { $_POST["Passwort"] = PassCrypt($_POST["Passwort"]); unset ($_POST["Passwort2"]); 
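Review bot: The new code reads `$faq['frage_de']`, `$faq['antwort_de']`, `$faq['frage_en']` and `$faq['antwort_en']`, but the removed lines and the admin_faq hunks use the column names `Frage_de`, `Antwort_de`, `Frage_en`, `Antwort_en`; PHP array keys are case-sensitive, so unless `sql_select` lower-cases its result keys (not shown here) every FAQ entry renders empty with undefined-index notices. Restore the original spelling: `$faq['Frage_de'], $faq['Antwort_de']` in the DE branch and `$faq['Frage_en'], $faq['Antwort_en']` in the EN branch. A quick check of the rendered guest FAQ page after this commit would have caught it.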
@@ -35,15 +48,26 @@ function guest_register() { "`Size`, " . "`Passwort`, " . "`Art` , " . "`kommentar`, " . "`Hometown`," . "`CreateDate`, `Sprache` ) " . - "VALUES ( " . - "'" . $_POST["Nick"] . "', " . "'" . $_POST["Name"] . "', " . - "'" . $_POST["Vorname"] . "', " . "'" . $_POST["Alter"] . "', " . - "'" . $_POST["Telefon"] . "', " . "'" . $_POST["DECT"] . "', " . - "'" . $_POST["Handy"] . "', " . "'" . $_POST["email"] . "', " . - "'" . $_POST["ICQ"] . "', " . "'" . $_POST["jabber"] . "', " . - "'" . $_POST["Size"] . "', " . "'" . $_POST["Passwort"] . "', " . - "'" . $_POST["Art"] . "', " . "'" . $_POST["kommentar"] . "', " . - "'" . $_POST["Hometown"] . "'," . "NOW(), '" . $_SESSION['Sprache'] . "')"); + "VALUES ( '" + . sql_escape($_POST["Nick"]) . "', " . "'" + . sql_escape($_POST["Name"]) . "', " . "'" + . sql_escape($_POST["Vorname"]) . "', " . "'" + . sql_escape($_POST["Alter"]) . "', " . "'" + . sql_escape($_POST["Telefon"]) . "', " . "'" + . sql_escape($_POST["DECT"]) . "', " . "'" + . sql_escape($_POST["Handy"]) . "', " . "'" + . sql_escape($_POST["email"]) . "', " . "'" + . sql_escape($_POST["ICQ"]) . "', " . "'" + . sql_escape($_POST["jabber"]) . "', " . "'" + . sql_escape($_POST["Size"]) . "', " . "'" + . sql_escape($_POST["Passwort"]) . "', " . "'" + . sql_escape($_POST["Art"]) . "', " . "'" + . sql_escape($_POST["kommentar"]) . "', " . "'" + . sql_escape($_POST["Hometown"]) . "'," + . "NOW(), '" + . sql_escape($_SESSION["Sprache"]) + . "')" + ); if ($Erg != 1) { $html .= Get_Text("makeuser_error_write1") . "
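Review bot: The e-mail check `strlen($_POST["email"]) <= 6 && strstr($_POST["email"], "@") == FALSE && strstr($_POST["email"], ".") == false` only rejects an address that is short and lacks `@` and lacks `.`; any one of those should suffice, so the operator is `||`, or better `elseif (!filter_var($_POST["email"], FILTER_VALIDATE_EMAIL))`. The chain is reformatted with blank lines between brace-less `elseif` branches, which makes it easy to misread which statement belongs to which branch; braces around each branch would make the structure explicit. `strlen` counts bytes, so the `< 2` and `< 6` limits on `Nick` and `Passwort` over-count non-ASCII input; `mb_strlen` is the intended measure. The enclosing `if`/`else` continues past the hunk.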
\n"; @@ -242,4 +266,4 @@ function guest_login_form() { 'send' => Get_Text("index_lang_send") )); } -?> \ No newline at end of file +?> From 75a7755041c4e4b9c5c31bccabc917e188982e80 Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Fri, 3 Jun 2011 11:46:46 +0200 Subject: [PATCH 5/5] user_messages: Initial (unfinished) cleanup --- includes/pages/user_messages.php | 41 ++++++++++++++++++++++++-------- 1 file changed, 31 insertions(+), 10 deletions(-) diff --git a/includes/pages/user_messages.php b/includes/pages/user_messages.php index 30871d9d..a13b28f0 100644 --- a/includes/pages/user_messages.php +++ b/includes/pages/user_messages.php @@ -6,7 +6,13 @@ function user_unread_messages() { $new_messages = sql_num_query("SELECT * FROM `Messages` WHERE isRead='N' AND `RUID`=" . sql_escape($user['UID'])); if ($new_messages > 0) - return '
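Review bot: The fifteen hand-placed `sql_escape` calls are the fix the commit title claims, but they are also fifteen places where a later edit can drop one and silently reopen the hole; deriving the VALUES list from a field list keeps the escaping in one spot. The statement begins outside the hunk, so the field list below must match the column list there in order (the visible tail is `Size`, `Passwort`, `Art`, `kommentar`, `Hometown`, `CreateDate`, `Sprache`). `$_POST["Alter"]` passed `is_numeric` earlier but is still quoted as a string, which is harmless; `$_POST["Nick"]` and the free-text fields are stored with no HTML sanitisation, so every page that renders them must escape on output.
```php
$fields = array ('Nick', 'Name', 'Vorname', 'Alter', 'Telefon', 'DECT', 'Handy',
    'email', 'ICQ', 'jabber', 'Size', 'Passwort', 'Art', 'kommentar', 'Hometown');
$values = array ();
foreach ($fields as $field)
    $values[] = "'" . sql_escape($_POST[$field]) . "'";
$values[] = "NOW()";
$values[] = "'" . sql_escape($_SESSION["Sprache"]) . "'";
// … unchanged: the sql_query("INSERT …") call and its column list, which begin outside the hunk …
. "VALUES ( " . join(', ', $values) . " )"
);
```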

' . Get_Text("pub_messages_new1") . " " . $new_messages . " " . Get_Text("pub_messages_new2") . '


'; + return sprintf( + '

%s %s %s


', + page_link_to("user_messages"), + Get_Text("pub_messages_new1"), + $new_messages, + Get_Text("pub_messages_new2") + ); } return ""; @@ -16,23 +22,37 @@ function user_messages() { global $user; if (!isset ($_REQUEST['action'])) { - $users = sql_select("SELECT * FROM `User` WHERE NOT `UID`=" . sql_escape($user['UID']) . " ORDER BY `Nick`"); + $users = sql_select("SELECT * FROM `User` WHERE NOT `UID`=" + . sql_escape($user['UID']) . " ORDER BY `Nick`"); + $to_select_data = array ( "" => "Select receiver..." ); + foreach ($users as $u) $to_select_data[$u['UID']] = $u['Nick']; + $to_select = html_select_key('to', $to_select_data, ''); $messages_html = ""; - $messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`=" . sql_escape($user['UID']) . " OR `RUID`=" . sql_escape($user['UID']) . " ORDER BY `isRead`,`Datum` DESC"); + $messages = sql_select("SELECT * FROM `Messages` WHERE `SUID`=" + . sql_escape($user['UID']) + . " OR `RUID`=" . sql_escape($user['UID']) + . " ORDER BY `isRead`,`Datum` DESC" + ); foreach ($messages as $message) { - $messages_html .= ''; - $messages_html .= '' . ($message['isRead'] == 'N' ? '•' : '') . ''; - $messages_html .= '' . date("Y-m-d H:i", $message['Datum']) . ''; - $messages_html .= '' . UID2Nick($message['SUID']) . ''; - $messages_html .= '' . UID2Nick($message['RUID']) . ''; - $messages_html .= '' . str_replace("\n", '
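Review bot: The third placeholder receives `$new_messages`, an integer count from `sql_num_query`, so it should be `%d` rather than `%s`; that documents the type and guarantees a numeric rendering. The two `Get_Text` strings and the link from `page_link_to` are the other arguments; if either can ever contain markup-significant characters they need escaping for their context, which this hunk does not show.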
', $message['Text']) . ''; + + $messages_html .= sprintf( + ' %s %s %s %s' + .'%s', + ($message['isRead'] == 'N' ? ' class="new_message"' : ''), + ($message['isRead'] == 'N' ? '•' : ''), + date("Y-m-d H:i", $message['Datum']), + UID2Nick($message['SUID']), + UID2Nick($message['RUID']), + str_replace("\n", '
', $message['Text']) + ); + $messages_html .= ''; if ($message['RUID'] == $user['UID']) { if ($message['isRead'] == 'N') @@ -45,7 +65,8 @@ function user_messages() { return template_render('../templates/user_messages.html', array ( 'link' => page_link_to("user_messages"), - 'greeting' => Get_Text("Hello") . $user['Nick'] . ",
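Review bot: `$message['isRead'] == 'N'` is evaluated twice in the new sprintf arguments, once for the class attribute and once for the bullet; hoist it into `$is_new = ($message['isRead'] == 'N');` before the call and use `$is_new` in both ternaries and in the `if` on the last context line. The format string is split as `' %s … %s' .'%s'` with no space after the concatenation operator; `. '%s'` matches the rest of the file. `date("Y-m-d H:i", $message['Datum'])` requires `Datum` to be a Unix timestamp, which is not visible here; a short comment on the column type would save the next reader a lookup.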
\n" . Get_Text("pub_messages_text1") . "

\n", + 'greeting' => Get_Text("Hello") . $user['Nick'] . ",
\n" + . Get_Text("pub_messages_text1") . "

\n", 'messages' => $messages_html, 'new_label' => Get_Text("pub_messages_Neu"), 'date_label' => Get_Text("pub_messages_Datum"),