mirror/litebans-php
1
0
Fork 0
mirror of https://gitlab.com/ruany/litebans-php.git synced 2025-05-23 16:32:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Clean up, add query comments

Browse Source 
All user input appended to queries is either constantified or prepared - SQL injection should be impossible.
This commit is contained in:
ruan 2020-01-18 11:54:28 +02:00
parent 6df668a9fc
commit 6c40fdfeb9
4 changed files with 25 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
check.php
View File

@ -5,7 +5,7 @@ class Check {
public function run($name, $from) { public function run($name, $from) {
$page = new Page("check", false); $page = new Page("check", false);
$column = "name"; $column = "name"; // Safe user input (constants only)
// validate user input // validate user input
if ($page->is_uuid($name) && preg_match("/^[0-9a-zA-Z-]{32,36}$/", $name)) { if ($page->is_uuid($name) && preg_match("/^[0-9a-zA-Z-]{32,36}$/", $name)) {
@ -15,10 +15,10 @@ class Check {
$this->println($page->t("error.name.invalid")); $this->println($page->t("error.name.invalid"));
return; return;
} }
$history = $page->settings->table['history']; $table = $page->settings->table['history']; // Not user input
try { try {
$stmt = $page->conn->prepare("SELECT name,uuid FROM $history WHERE $column=:val ORDER BY date LIMIT 1"); $stmt = $page->conn->prepare("SELECT name,uuid FROM $table WHERE $column=:val ORDER BY date LIMIT 1");
$stmt->bindParam(':val', $name, PDO::PARAM_STR); $stmt->bindParam(':val', $name, PDO::PARAM_STR);
if ($stmt->execute()) { if ($stmt->execute()) {
if ($row = $stmt->fetch()) { if ($row = $stmt->fetch()) {

13
history.php
View File

@ -12,18 +12,16 @@ class History {
* @param string $field * @param string $field
*/ */
static function push($page, &$array, $type, $uuid, $field, $before, $after) { static function push($page, &$array, $type, $uuid, $field, $before, $after) {
$table = $page->settings->table[$type]; $table = $page->settings->table[$type]; // Not user input
$select = $page->get_selection($table); // Not user input
$sel = $page->get_selection($table); $limit = $page->settings->limit_per_page; // Not user input
$limit = $page->settings->limit_per_page;
if ($after > 0) { if ($after > 0) {
$order = "ASC"; $order = "ASC";
} else { } else {
$order = "DESC"; $order = "DESC";
} }
$st = $page->conn->prepare("SELECT $sel FROM $table WHERE $field=:uuid AND time > :after AND time < :before ORDER BY time $order LIMIT :limit"); $st = $page->conn->prepare("SELECT $select FROM $table WHERE $field=:uuid AND time > :after AND time < :before ORDER BY time $order LIMIT :limit");
$st->bindParam(":uuid", $uuid, PDO::PARAM_STR); $st->bindParam(":uuid", $uuid, PDO::PARAM_STR);
$st->bindParam(":limit", $limit, PDO::PARAM_INT); $st->bindParam(":limit", $limit, PDO::PARAM_INT);
$st->bindParam(":before", $before, PDO::PARAM_INT); $st->bindParam(":before", $before, PDO::PARAM_INT);
@ -125,11 +123,12 @@ if (isset($_GET['after']) && is_string($_GET['after'])) {
try { try {
$all = array(); $all = array();
$field = "uuid"; $field = "uuid"; // Safe user input (constants only)
if ($staffhistory) { if ($staffhistory) {
$field = "banned_by_uuid"; $field = "banned_by_uuid";
} }
// Not user input
$t = $page->settings->table; $t = $page->settings->table;
$t_bans = $t['bans']; $t_bans = $t['bans'];
$t_mutes = $t['mutes']; $t_mutes = $t['mutes'];

25
inc/page.php
View File

@ -137,8 +137,8 @@ class Page {
function run_query() { function run_query() {
try { try {
$table = $this->table; $table = $this->table; // Safe user input (constants only)
$limit = $this->settings->limit_per_page; $limit = $this->settings->limit_per_page; // Not user input
$offset = 0; $offset = 0;
if ($this->settings->show_pager) { if ($this->settings->show_pager) {
@ -146,14 +146,12 @@ class Page {
$offset = ($limit * $page); $offset = ($limit * $page);
} }
$sel = $this->get_selection($table); $select = $this->get_selection($table); // Not user input
$where = $this->where_append($this->name === "kicks" ? "" : $this->settings->active_query); $where = $this->where_append($this->name === "kicks" ? "" : $this->settings->active_query); // Not user input
$where .= "(uuid <> '#offline#' AND uuid IS NOT NULL)"; $where .= "(uuid <> '#offline#' AND uuid IS NOT NULL)";
$query = "SELECT $sel FROM $table $where GROUP BY $table.id ORDER BY time DESC LIMIT :limit OFFSET :offset"; $st = $this->conn->prepare("SELECT $select FROM $table $where GROUP BY $table.id ORDER BY time DESC LIMIT :limit OFFSET :offset");
$st = $this->conn->prepare($query);
$st->bindParam(':offset', $offset, PDO::PARAM_INT); $st->bindParam(':offset', $offset, PDO::PARAM_INT);
$st->bindParam(':limit', $limit, PDO::PARAM_INT); $st->bindParam(':limit', $limit, PDO::PARAM_INT);
@ -188,8 +186,7 @@ class Page {
if ($phpIsBroken === true) { if ($phpIsBroken === true) {
foreach ($bitColumns as $column) { foreach ($bitColumns as $column) {
unset($columns[$column]); unset($columns[$column]);
$alias = $column; array_push($columns, "CAST($column AS UNSIGNED) AS $column");
array_push($columns, "CAST($column AS UNSIGNED) AS $alias");
} }
} }
$selection = implode(",", $columns); $selection = implode(",", $columns);
@ -268,9 +265,9 @@ class Page {
if (array_key_exists($uuid, $this->uuid_name_cache)) return $this->uuid_name_cache[$uuid]; if (array_key_exists($uuid, $this->uuid_name_cache)) return $this->uuid_name_cache[$uuid];
$result = null; $result = null;
$history = $this->settings->table['history']; $table = $this->settings->table['history']; // Not user input
$stmt = $this->conn->prepare("SELECT name FROM $history WHERE uuid=:uuid ORDER BY date DESC LIMIT 1"); $stmt = $this->conn->prepare("SELECT name FROM $table WHERE uuid=:uuid ORDER BY date DESC LIMIT 1");
$stmt->bindParam(":uuid", $uuid, PDO::PARAM_STR); $stmt->bindParam(":uuid", $uuid, PDO::PARAM_STR);
if ($stmt->execute() && $row = $stmt->fetch()) { if ($stmt->execute() && $row = $stmt->fetch()) {
$result = $row['name']; $result = $row['name'];
@ -507,8 +504,10 @@ class Page {
echo ' echo '
<div class="row litebans-check"> <div class="row litebans-check">
<div class="litebans-check litebans-check-form"> <div class="litebans-check litebans-check-form">
<form action="check.php" onsubmit="captureForm(event);" class="form-inline"><div class="form-group"> <form action="check.php" onsubmit="captureForm(event);" class="form-inline">
<input type="text" class="form-control" name="name" id="user" placeholder="' . $this->t("generic.player-name") . '"></div> <div class="form-group">
<input type="text" class="form-control" name="name" id="user" placeholder="' . $this->t("generic.player-name") . '">
</div>
<input type="hidden" name="table" value="' . $this->name . '"> <input type="hidden" name="table" value="' . $this->name . '">
<button type="submit" class="btn btn-primary" style="margin-left: 5px;">' . $this->t("action.check") . '</button> <button type="submit" class="btn btn-primary" style="margin-left: 5px;">' . $this->t("action.check") . '</button>
</form> </form>

7
info.php
View File

@ -127,12 +127,13 @@ filter_var($id, FILTER_VALIDATE_INT) or die("Invalid ID");
$id = (int)$id; $id = (int)$id;
// Safe user input (constants only)
$type = $page->type; $type = $page->type;
$table = $page->table; $table = $page->table;
$sel = $page->get_selection($table);
$query = "SELECT $sel FROM $table WHERE id=:id LIMIT 1";
$st = $page->conn->prepare($query); $select = $page->get_selection($table); // Not user input
$st = $page->conn->prepare("SELECT $select FROM $table WHERE id=:id LIMIT 1");
$st->bindParam(":id", $id, PDO::PARAM_INT); $st->bindParam(":id", $id, PDO::PARAM_INT);
if ($st->execute()) { if ($st->execute()) {