Timestamp:
02/14/06 09:51:16 (3 years ago)
Author:
mbonetti
Message:

Some more fixes for possible sql injections

Files:
1 modified

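--- a/trunk/rss/admin/folders.php
+++ b/trunk/rss/admin/folders.php
@@ -164,17 +164,20 @@
     }
 
+    if (isset($_REQUEST['fid'])) {
+        $fid = sanitize($_REQUEST['fid'],RSS_SANITIZER_NUMERIC);
+    }
+
     $ret__ = CST_ADMIN_DOMAIN_FOLDER;
     switch ($__action__) {
 
     case CST_ADMIN_EDIT_ACTION:
-        folder_edit($_REQUEST['fid']);
+        folder_edit($fid);
         $ret__ = CST_ADMIN_DOMAIN_NONE;
         break;
 
     case CST_ADMIN_DELETE_ACTION:
-        $id = $_REQUEST['fid'];
-        assert(is_numeric($id));
-
-        if ($id == 0) {
+
+
+        if ($fid == 0) {
             rss_error(LBL_ADMIN_ERROR_CANT_DELETE_HOME_FOLDER, RSS_ERROR_ERROR,true);
             break;
@@ -182,7 +185,7 @@
 
         if (array_key_exists(CST_ADMIN_CONFIRMED,$_POST) && $_POST[CST_ADMIN_CONFIRMED] == LBL_ADMIN_YES) {
-            $sql = "delete from " . getTable("folders") ." where id=$id";
+            $sql = "delete from " . getTable("folders") ." where id=$fid";
             rss_query($sql);
-            $sql = "update " . getTable("channels") ." set parent=" . getRootFolder() . " where parent=$id";
+            $sql = "update " . getTable("channels") ." set parent=" . getRootFolder() . " where parent=$fid";
             rss_query($sql);
         }
@@ -191,5 +194,5 @@
         }
         else {
-            list($fname) = rss_fetch_row(rss_query("select name from " .getTable("folders") ." where id = $id"));
+            list($fname) = rss_fetch_row(rss_query("select name from " .getTable("folders") ." where id = $fid"));
 
             echo "<form class=\"box\" method=\"post\" action=\"" .$_SERVER['PHP_SELF'] ."\">\n"
@@ -199,5 +202,5 @@
             ."<p><input type=\"submit\" name=\"".CST_ADMIN_CONFIRMED."\" value=\"". LBL_ADMIN_NO ."\"/>\n"
             ."<input type=\"submit\" name=\"".CST_ADMIN_CONFIRMED."\" value=\"". LBL_ADMIN_YES ."\"/>\n"
-            ."<input type=\"hidden\" name=\"fid\" value=\"$id\"/>\n"
+            ."<input type=\"hidden\" name=\"fid\" value=\"$fid\"/>\n"
             ."<input type=\"hidden\" name=\"".CST_ADMIN_DOMAIN."\" value=\"".CST_ADMIN_DOMAIN_FOLDER."\"/>\n"
             ."<input type=\"hidden\" name=\"action\" value=\"". CST_ADMIN_DELETE_ACTION ."\"/>\n"
@@ -208,8 +211,7 @@
 
     case CST_ADMIN_SUBMIT_EDIT:
-        $id = $_REQUEST['fid'];
-
+        // TBD
         $new_label = rss_real_escape_string($_REQUEST['f_name']);
-        if (is_numeric($id) && strlen($new_label) > 0) {
+        if (is_numeric($fid) && strlen($new_label) > 0) {
 
             $res = rss_query("select count(*) as cnt from " . getTable("folders") ." where binary name='$new_label'");
@@ -219,5 +221,5 @@
                 break;
             }
-            rss_query("update " .getTable("folders") ." set name='$new_label' where id=$id");
+            rss_query("update " .getTable("folders") ." set name='$new_label' where id=$fid");
         }
         break;
@@ -225,5 +227,5 @@
     case LBL_ADMIN_ADD:
     case 'LBL_ADMIN_ADD':
-        $label=$_REQUEST['new_folder'];
+        $label=sanitize($_REQUEST['new_folder'],RSS_SANITIZER_SIMPLE_SQL);
         assert(strlen($label) > 0);
         create_folder($label);
@@ -232,15 +234,14 @@
     case CST_ADMIN_MOVE_UP_ACTION:
     case CST_ADMIN_MOVE_DOWN_ACTION:
-        $id = $_REQUEST['fid'];
-
-        if ($id == 0) {
+
+        if ($fid == 0) {
             return;
         }
 
-        $res = rss_query("select position from " .getTable("folders") ." where id=$id");
+        $res = rss_query("select position from " .getTable("folders") ." where id=$fid");
         list($position) = rss_fetch_row($res);
 
         $sql = "select id, position from " .getTable("folders")
-               ." where id != $id order by abs($position-position) limit 2";
+               ." where id != $fid order by abs($position-position) limit 2";
 
         $res = rss_query($sql);
@@ -268,5 +269,5 @@
         // right, lets!
         if ($switch_with_position != $position) {
-            rss_query( "update " . getTable("folders") ." set position = $switch_with_position where id=$id" );
+            rss_query( "update " . getTable("folders") ." set position = $switch_with_position where id=$fid" );
             rss_query( "update " . getTable("folders") ." set position = $position where id=$switch_with_id" );
         }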
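Review bot: `$fid` is only assigned inside the `isset($_REQUEST['fid'])` block at new lines 166-168, so `folder_edit($fid)`, the two `if ($fid == 0)` guards and `is_numeric($fid)` all read an undefined variable whenever `fid` is absent from the request; adding `$fid = null;` just before that `if` gives the guards an explicit value while keeping their current outcome (`null == 0` is true, `is_numeric(null)` is false). The queries at new lines 187, 189, 196, 223, 241, 245 and 271 still interpolate `$fid` unquoted, so injection safety now rests entirely on what `sanitize(..., RSS_SANITIZER_NUMERIC)` returns for non-numeric input, which this changeset does not show — worth confirming it yields digits or an empty value rather than passing the input through. The `// TBD` added at new line 213 says nothing; either state what is pending (presumably moving `$new_label` onto the same `sanitize()` path) or drop it. At new line 229 the sanitized `$label` is only checked by `assert()`, which is a no-op when assertions are disabled, so a label the sanitizer empties still reaches `create_folder`; `if (strlen($label) > 0) { create_folder($label); }` would make that check real. The enclosing `switch` starts before the first hunk and continues past the last one.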