| author | root | 2014-04-20 18:55:24 +0200 |
|---|---|---|
| committer | root | 2014-04-20 18:55:24 +0200 |
| commit | 3c94eb3f608f9bf0dc8d19583abe273b3a67e5ff (patch) | |
| tree | 9f589754331dbbab8f90f467f36a10f9a5ed99a7 | |
| parent | 2441480079f68bd4bc15a12d7b9b47c18ce0bd52 (diff) | |
| download | jungegemeinde-3c94eb3f608f9bf0dc8d19583abe273b3a67e5ff.tar.gz | |
Fixed XSS vulnerability.
| -rwxr-xr-x | www/functions/func_login.php | 2 | ||||
| -rw-r--r-- | www/functions/func_password.php | 6 | ||||
| -rwxr-xr-x | www/functions/func_register.php | 6 | ||||
| -rwxr-xr-x | www/functions/func_user.php | 8 | ||||
| -rw-r--r-- | www/insert.php | 12 | ||||
| -rw-r--r-- | www/update.php | 14 |
6 files changed, 24 insertions, 24 deletions
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index d909180..7944c3e 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -4,7 +4,7 @@ function login($db){
 /*___Database Query: Login___*/
 $username = $_POST["username"];
 $password = $_POST["password"];
- $safe_username = SQLite3::escapeString("$username");
+ $safe_username = SQLite3::escapeString(htmlentities($username));
 $log_in = false;
 $real_password = "";
diff --git a/www/functions/func_password.php b/www/functions/func_password.php
index 3ee496b..e515111 100644
--- a/www/functions/func_password.php
+++ b/www/functions/func_password.php
@@ -4,7 +4,7 @@ function change_password($db, $first_password, $second_password){
 if($_SESSION["login"]){
 $username = user_id($db, $_SESSION["username"]);
 } else {
- $username_db = $db->query("SELECT id FROM user WHERE email='" . SQLite3::escapeString($_POST['email']) . "';");
+ $username_db = $db->query("SELECT id FROM user WHERE email='" . SQLite3::escapeString(htmlentities($_POST['email'])) . "';");
 $username_ar = $username_db->fetchArray(SQLITE3_NUM);
 $username = $username_ar[0];
 }
@@ -30,7 +30,7 @@ function change_password($db, $first_password, $second_password){
 }
 function recover_password($db){
- $test_email_db = $db->query("SELECT 1 FROM user WHERE email='" . SQLite3::escapeString($_POST['email']) . "';");
+ $test_email_db = $db->query("SELECT 1 FROM user WHERE email='" . SQLite3::escapeString(htmlentities($_POST['email'])) . "';");
 $test_email_ar = $test_email_db->fetchArray(SQLITE3_NUM);
 if($test_email_ar[0] == 1){
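Review bot: `$safe_username = SQLite3::escapeString(htmlentities($username));` applies HTML output encoding at the input/query layer, so any page that later echoes the stored column without escaping remains exposed, while `&`, `<`, `>` and `"` in a username now compare and persist as entities. The same pattern is repeated in every other hunk of this commit (change_password, recover_password, validate_password, register, change_username, change_email, insert_db and update_db). The XSS fix belongs at each render site, `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the query side would be safer with `$db->prepare()` plus `bindValue()` than string-concatenated `escapeString()` calls. `htmlentities()` is also called without an explicit charset, so on PHP versions whose default charset is not UTF-8 non-ASCII input such as umlauts in names and addresses is turned into named entities before it reaches the database. The body of login() continues outside the hunk.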
@@ -63,7 +63,7 @@ function recover_password($db){
 }
 function validate_password($db, $username, $password){
- $res_db = $db->query("SELECT password FROM user WHERE name='".$db->escapeString($username)."'");
+ $res_db = $db->query("SELECT password FROM user WHERE name='".$db->escapeString(htmlentities($username))."'");
 $res_ar = $res_db->fetchArray(SQLITE3_NUM);
 $pepper = file_get_contents("../database/pepper.txt");
diff --git a/www/functions/func_register.php b/www/functions/func_register.php
index 3cb79ad..da804d4 100755
--- a/www/functions/func_register.php
+++ b/www/functions/func_register.php
@@ -20,8 +20,8 @@ function register($db){
 $email = "";
 }
- $safe_name = SQLite3::escapeString("$name");
- $safe_email = SQLite3::escapeString("$email");
+ $safe_name = SQLite3::escapeString(htmlentities($name));
+ $safe_email = SQLite3::escapeString(htmlentities($email));
 /*Checks the validation of the registration attempt*/
@@ -49,7 +49,7 @@ function register($db){
 $userid = user_id($db, $safe_name);
 $_SESSION["login"] = true;
- $_SESSION["username"] = $name;
+ $_SESSION["username"] = $safe_name;
 $_SESSION["userid"] = $userid;
 return REGISTER_SUCCESSFULL;
diff --git a/www/functions/func_user.php b/www/functions/func_user.php
index f044334..394a8f7 100755
--- a/www/functions/func_user.php
+++ b/www/functions/func_user.php
@@ -298,8 +298,8 @@ function user_id($db, $user){
 }
 function change_username($db, $oldname, $newname){
- $oldname = $db->escapeString($oldname);
- $newname = $db->escapeString($newname);
+ $oldname = $db->escapeString(htmlentities($oldname));
+ $newname = $db->escapeString(htmlentities($newname));
 $check_db = $db->query("SELECT 1 FROM user WHERE name='".$newname."'");
 $check_ar = $check_db->fetchArray(SQLITE3_NUM);
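Review bot: `$_SESSION["username"] = $safe_name;` in the second register() hunk puts the SQL-escaped form of the name into the session, because `$safe_name` is built as `SQLite3::escapeString(htmlentities($name))` in the first hunk of the same file; a name containing a single quote is kept in the session with the quote doubled. change_password() hands `$_SESSION["username"]` to `user_id()`, and if user_id() escapes its argument again (its body is outside the hunk) the lookup runs on a twice-escaped value and misses the stored row. Assuming register() inserts `$safe_name` into the table (the INSERT is outside the hunk), the stored name is the HTML-encoded form, so `$_SESSION["username"] = htmlentities($name);` keeps the session consistent with the row while leaving SQL escaping to the query site. register() continues outside this hunk.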
@@ -320,7 +320,7 @@ function change_username($db, $oldname, $newname){
 }
 function change_email($db, $name, $email){
- $res_db = $db->query("SELECT 1, name FROM user WHERE email='".$db->escapeString($email)."'");
+ $res_db = $db->query("SELECT 1, name FROM user WHERE email='".$db->escapeString(htmlentities($email))."'");
 $res_ar = $res_db->fetchArray(SQLITE3_NUM);
 if($res_ar[0] == 1){
@@ -331,7 +331,7 @@ function change_email($db, $name, $email){
 if($db->exec("
 BEGIN TRANSACTION;
- UPDATE user SET email='".$db->escapeString($email)."' WHERE name='".$db->escapeString($name)."';
+ UPDATE user SET email='".$db->escapeString(htmlentities($email))."' WHERE name='".$db->escapeString(htmlentities($name))."';
 COMMIT;
 ")){
 return CH_EMAIL_SUCCESS;
diff --git a/www/insert.php b/www/insert.php
index 4a17042..f373205 100644
--- a/www/insert.php
+++ b/www/insert.php
@@ -5,12 +5,12 @@ Licensed under the GPL. Read LICENSE for more Information.*/
 function insert_db($db){
- $safe1 = SQLite3::escapeString("$_POST[name]");
- $safe2 = SQLite3::escapeString("$_POST[adresse]");
- $safe3 = SQLite3::escapeString("$_POST[telefonnummer]");
- $safe4 = SQLite3::escapeString("$_POST[handynummer]");
- $safe5 = SQLite3::escapeString("$_POST[email]");
- $safe6 = SQLite3::escapeString("$_POST[geburtstag]");
+ $safe1 = SQLite3::escapeString(htmlentities($_POST[name]));
+ $safe2 = SQLite3::escapeString(htmlentities($_POST[adresse]));
+ $safe3 = SQLite3::escapeString(htmlentities($_POST[telefonnummer]));
+ $safe4 = SQLite3::escapeString(htmlentities($_POST[handynummer]));
+ $safe5 = SQLite3::escapeString(htmlentities($_POST[email]));
+ $safe6 = SQLite3::escapeString(htmlentities($_POST[geburtstag]));
 $query = "INSERT INTO jg (id, name, adresse, telefonnummer, handynummer, email, geburtstag) VALUES(NULL,'$safe1','$safe2','$safe3','$safe4','$safe5','$safe6');";
 if($db->exec("
 BEGIN TRANSACTION;
diff --git a/www/update.php b/www/update.php
index 67a92a1..26c05ca 100644
--- a/www/update.php
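Review bot: In the insert_db() hunk, moving `$_POST[name]` out of the double-quoted string turns `name` into a bare constant: `"$_POST[name]"` was valid interpolation syntax, but `htmlentities($_POST[name])` reads the undefined constant `name` (a notice with the string `'name'` as fallback on PHP 5/7, a fatal `Error` on PHP 8), and the same applies to `adresse`, `telefonnummer`, `handynummer`, `email` and `geburtstag` in the six added lines. The keys need quoting, e.g. `$safe1 = SQLite3::escapeString(htmlentities($_POST['name']));`. insert_db() continues outside the hunk; the values are concatenated into `$query`, where `$db->prepare()` with bound parameters would remove the need for manual escaping altogether.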
+++ b/www/update.php
@@ -2,13 +2,13 @@ function update_db($db){
- $id = SQLite3::escapeString($_POST["id"]);
- $name = SQLite3::escapeString($_POST["name"]);
- $adresse = SQLite3::escapeString($_POST["adresse"]);
- $telefonnummer = SQLite3::escapeString($_POST["telefonnummer"]);
- $handynummer = SQLite3::escapeString($_POST["handynummer"]);
- $email = SQLite3::escapeString($_POST["email"]);
- $bday = SQLite3::escapeString($_POST["geburtstag"]);
+ $id = SQLite3::escapeString(htmlentities($_POST["id"]));
+ $name = SQLite3::escapeString(htmlentities($_POST["name"]));
+ $adresse = SQLite3::escapeString(htmlentities($_POST["adresse"]));
+ $telefonnummer = SQLite3::escapeString(htmlentities($_POST["telefonnummer"]));
+ $handynummer = SQLite3::escapeString(htmlentities($_POST["handynummer"]));
+ $email = SQLite3::escapeString(htmlentities($_POST["email"]));
+ $bday = SQLite3::escapeString(htmlentities($_POST["geburtstag"]));
 if((!empty($id) && !preg_match("/^[0-9]+$/", $id)) || (!empty($telefonnummer) && !preg_match("/^[0-9]+$/", $telefonnummer) )|| (!empty($email) && !preg_match("/^.+@.+$/", $email))){
 return false; |
