From 6c40fdfeb948c399991c02f7d8ae78e649b3caa8 Mon Sep 17 00:00:00 2001
From: ruan
Date: Sat, 18 Jan 2020 11:54:28 +0200
Subject: [PATCH] Clean up, add query comments

All user input appended to queries is either constantified or prepared - SQL injection should be impossible.
---
 check.php | 6 +++---
 history.php | 13 ++++++-------
 inc/page.php | 25 ++++++++++++-------------
 info.php | 7 ++++---
 4 files changed, 25 insertions(+), 26 deletions(-)

diff --git a/check.php b/check.php
index 267c07d..d755723 100644
--- a/check.php
+++ b/check.php
@@ -5,7 +5,7 @@ class Check {
 public function run($name, $from) {
 $page = new Page("check", false);
- $column = "name";
+ $column = "name"; // Safe user input (constants only)
 // validate user input
 if ($page->is_uuid($name) && preg_match("/^[0-9a-zA-Z-]{32,36}$/", $name)) {
@@ -15,10 +15,10 @@ class Check {
 $this->println($page->t("error.name.invalid"));
 return;
 }
- $history = $page->settings->table['history'];
+ $table = $page->settings->table['history']; // Not user input
 try {
- $stmt = $page->conn->prepare("SELECT name,uuid FROM $history WHERE $column=:val ORDER BY date LIMIT 1");
+ $stmt = $page->conn->prepare("SELECT name,uuid FROM $table WHERE $column=:val ORDER BY date LIMIT 1");
 $stmt->bindParam(':val', $name, PDO::PARAM_STR);
 if ($stmt->execute()) {
 if ($row = $stmt->fetch()) {
diff --git a/history.php b/history.php
index 0bee225..b7e254f 100644
--- a/history.php
+++ b/history.php
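Review bot: The comment added to `$column = "name";` is misleading — `$column` is not user input at all; it is a literal column name that the validation branch below presumably switches to `"uuid"`, and it is interpolated only because a bound parameter cannot name a column. A comment stating that contract would serve the audit better: `// column name: always one of the literals "name"/"uuid" chosen below, never taken from the request`. The same "Safe user input (constants only)" wording is attached to `$field` in history.php, to `$table = $this->table` in run_query() in inc/page.php and above `$type`/`$table` in info.php, and should be reworded there for the same reason. Separately, the `$` anchor in `/^[0-9a-zA-Z-]{32,36}$/` still accepts a trailing newline; `\z` (or the `D` modifier) makes the check exact — the value is bound through PDO, so this only affects what the lookup matches, not the query text. run() continues past the end of this hunk.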
@@ -12,18 +12,16 @@ class History {
 * @param string $field
 */
 static function push($page, &$array, $type, $uuid, $field, $before, $after) {
- $table = $page->settings->table[$type];
-
- $sel = $page->get_selection($table);
-
- $limit = $page->settings->limit_per_page;
+ $table = $page->settings->table[$type]; // Not user input
+ $select = $page->get_selection($table); // Not user input
+ $limit = $page->settings->limit_per_page; // Not user input
 if ($after > 0) {
 $order = "ASC";
 } else {
 $order = "DESC";
 }
- $st = $page->conn->prepare("SELECT $sel FROM $table WHERE $field=:uuid AND time > :after AND time < :before ORDER BY time $order LIMIT :limit");
+ $st = $page->conn->prepare("SELECT $select FROM $table WHERE $field=:uuid AND time > :after AND time < :before ORDER BY time $order LIMIT :limit");
 $st->bindParam(":uuid", $uuid, PDO::PARAM_STR);
 $st->bindParam(":limit", $limit, PDO::PARAM_INT);
 $st->bindParam(":before", $before, PDO::PARAM_INT);
@@ -125,11 +123,12 @@ if (isset($_GET['after']) && is_string($_GET['after'])) {
 try {
 $all = array();
- $field = "uuid";
+ $field = "uuid"; // Safe user input (constants only)
 if ($staffhistory) {
 $field = "banned_by_uuid";
 }
+ // Not user input
 $t = $page->settings->table;
 $t_bans = $t['bans'];
 $t_mutes = $t['mutes'];
diff --git a/inc/page.php b/inc/page.php
index 560ca73..6d9908d 100644
--- a/inc/page.php
+++ b/inc/page.php
@@ -137,8 +137,8 @@ class Page {
 function run_query() {
 try {
- $table = $this->table;
- $limit = $this->settings->limit_per_page;
+ $table = $this->table; // Safe user input (constants only)
+ $limit = $this->settings->limit_per_page; // Not user input
 $offset = 0;
 if ($this->settings->show_pager) {
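Review bot: The `// Not user input` comments in push() only hold for the callers visible in this commit: `$table` is looked up through the `$type` parameter and `$field` is interpolated into `WHERE $field=:uuid` straight from the parameter list, so the function's safety rests on every caller passing literals rather than on anything push() itself checks. The docblock this hunk starts inside (its opening is above the hunk) should state that contract, e.g. `@param string $field column to match; must be a code literal such as "uuid" or "banned_by_uuid", never request data`, and a guard at the top of the body would enforce it for the field names this commit uses: `if (!in_array($field, ['uuid', 'banned_by_uuid'], true)) throw new InvalidArgumentException('invalid history field');`. The body of push() continues below the hunk.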
@@ -146,14 +146,12 @@ class Page {
 $offset = ($limit * $page);
 }
- $sel = $this->get_selection($table);
+ $select = $this->get_selection($table); // Not user input
- $where = $this->where_append($this->name === "kicks" ? "" : $this->settings->active_query);
+ $where = $this->where_append($this->name === "kicks" ? "" : $this->settings->active_query); // Not user input
 $where .= "(uuid <> '#offline#' AND uuid IS NOT NULL)";
- $query = "SELECT $sel FROM $table $where GROUP BY $table.id ORDER BY time DESC LIMIT :limit OFFSET :offset";
- $st = $this->conn->prepare($query);
-
+ $st = $this->conn->prepare("SELECT $select FROM $table $where GROUP BY $table.id ORDER BY time DESC LIMIT :limit OFFSET :offset");
 $st->bindParam(':offset', $offset, PDO::PARAM_INT);
 $st->bindParam(':limit', $limit, PDO::PARAM_INT);
@@ -188,8 +186,7 @@ class Page {
 if ($phpIsBroken === true) {
 foreach ($bitColumns as $column) {
 unset($columns[$column]);
- $alias = $column;
- array_push($columns, "CAST($column AS UNSIGNED) AS $alias");
+ array_push($columns, "CAST($column AS UNSIGNED) AS $column");
 }
 }
 $selection = implode(",", $columns);
@@ -268,9 +265,9 @@ class Page {
 if (array_key_exists($uuid, $this->uuid_name_cache)) return $this->uuid_name_cache[$uuid];
 $result = null;
- $history = $this->settings->table['history'];
+ $table = $this->settings->table['history']; // Not user input
- $stmt = $this->conn->prepare("SELECT name FROM $history WHERE uuid=:uuid ORDER BY date DESC LIMIT 1");
+ $stmt = $this->conn->prepare("SELECT name FROM $table WHERE uuid=:uuid ORDER BY date DESC LIMIT 1");
 $stmt->bindParam(":uuid", $uuid, PDO::PARAM_STR);
 if ($stmt->execute() && $row = $stmt->fetch()) {
 $result = $row['name'];
@@ -507,8 +504,10 @@ class Page {
 echo '
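Review bot: In the CAST hunk (inside what looks like get_selection(); the function starts and ends outside the hunk) `$column` is interpolated twice into the SELECT list, `CAST($column AS UNSIGNED) AS $column`, yet unlike every other interpolated variable in this commit it carries no provenance comment. Since `$bitColumns` is built outside the hunk, a comment on the foreach such as `// $bitColumns holds configured column names, not request data` (or at its definition) would keep the audit consistent. Also worth confirming against where `$columns` is built: `unset($columns[$column])` only removes the original entry if `$columns` is keyed by column name; if it is a plain list of names — `implode(",", $columns)` below leaves either reading open — the unset is a no-op and the query would select the column twice under the same alias.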
-
-
+ +
+ +
diff --git a/info.php b/info.php
index ff4b3a4..20b4e2a 100644
--- a/info.php
+++ b/info.php
@@ -127,12 +127,13 @@ filter_var($id, FILTER_VALIDATE_INT) or die("Invalid ID");
 $id = (int)$id;
+// Safe user input (constants only)
 $type = $page->type;
 $table = $page->table;
- $sel = $page->get_selection($table);
- $query = "SELECT $sel FROM $table WHERE id=:id LIMIT 1";
- $st = $page->conn->prepare($query);
+ $select = $page->get_selection($table); // Not user input
+
+ $st = $page->conn->prepare("SELECT $select FROM $table WHERE id=:id LIMIT 1");
 $st->bindParam(":id", $id, PDO::PARAM_INT);
 if ($st->execute()) {