author | plegall <plg@piwigo.org> | 2005-12-24 15:31:25 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2005-12-24 15:31:25 +0000 |
commit | 2268adf642f149a08c6123aef7effcfd05f58bc4 (patch) | |
tree | 1bf3dffbaaf4d7eb3f49c553bb440b146a653f34 | |
parent | a4b2bcbb80d66966acaec63756f90a5c35d88b58 (diff) |
bug 245 fixed: GET parameters "since", "sort_by", "sort_order",
"items_number", and "cat" are now checked before being used in SQL queries.
git-svn-id: http://piwigo.org/svn/branches/branch-1_5@987 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r-- | comments.php | 81 |
1 files changed, 65 insertions, 16 deletions
diff --git a/comments.php b/comments.php
index c78d5f2ad..fa240aa29 100644
--- a/comments.php
+++ b/comments.php
@@ -61,7 +61,20 @@ $since_options = array(
 'clause' => '1=1') // stupid but generic
 );
-$page['since'] = isset($_GET['since']) ? $_GET['since'] : 1;
+// since
+//
+$page['since'] = 1;
+if (isset($_GET['since']))
+{
+ if (!isset($since_options{ $_GET['since'] }))
+ {
+ die('Hacking attempt on "since" GET parameter');
+ }
+ else
+ {
+ $page['since'] = $_GET['since'];
+ }
+}
 // on which field sorting
 //
@@ -69,7 +82,14 @@ $page['sort_by'] = 'date';
 // if the form was submitted, it overloads default behaviour
 if (isset($_GET['sort_by']))
 {
- $page['sort_by'] = $_GET['sort_by'];
+ if (!isset($sort_by{ $_GET['sort_by'] }))
+ {
+ die('Hacking attempt on "sort_by" GET parameter');
+ }
+ else
+ {
+ $page['sort_by'] = $_GET['sort_by'];
+ }
 }
 // order to sort
@@ -78,7 +98,14 @@ $page['sort_order'] = $sort_order['descending'];
 // if the form was submitted, it overloads default behaviour
 if (isset($_GET['sort_order']))
 {
- $page['sort_order'] = $sort_order[$_GET['sort_order']];
+ if (!isset($sort_order{ $_GET['sort_order'] }))
+ {
+ die('Hacking attempt on "sort_order" GET parameter');
+ }
+ else
+ {
+ $page['sort_order'] = $sort_order[$_GET['sort_order']];
+ }
 }
 // number of items to display
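Review bot: Each rejected parameter is handled by a bare `die('Hacking attempt on "since" GET parameter');` that stops the script mid-page with whatever status was already set (normally 200) and writes nothing to any log, and the same copy-pasted shape appears in the `sort_by` and `sort_order` hunks below and again in the `items_number`/`cat` hunk. A small helper along the lines of `function bad_param($name) { error_log('comments.php: rejected GET parameter '.$name); header('HTTP/1.0 400 Bad Request'); die('Invalid parameter'); }` would give operators a detectable signal, give the client a meaningful status, and leave one place to change the behaviour. Separately, after the `isset()` allowlist check, `$page['since'] = $_GET['since'];` (and the `sort_by` equivalent) stores the request string rather than the matched entry, whereas the `sort_order` hunk already reads back `$sort_order[$_GET['sort_order']]`; reading the canonical key or value from the array in all three keeps request text out of the query path entirely. The `$since_options{ ... }` curly-brace offset syntax was deprecated in PHP 7.4 and removed in 8.0, so `$since_options[$_GET['since']]` is the portable spelling.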
@@ -86,15 +113,35 @@ if (isset($_GET['sort_order']))
 $page['items_number'] = 5;
 if (isset($_GET['items_number']))
 {
- $page['items_number'] = $_GET['items_number'];
+ if (!in_array($_GET['items_number'], $items_number))
+ {
+ die('Hacking attempt on "items_number" GET parameter');
+ }
+ else
+ {
+ $page['items_number'] = $_GET['items_number'];
+ }
 }
 // which category to filter on ?
 $page['cat_clause'] = '1=1';
-if (isset($_GET['cat']) and 0 != $_GET['cat'])
+if (isset($_GET['cat']))
 {
- $page['cat_clause'] =
- 'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')';
+ if (''.intval($_GET['cat']) != ''.$_GET['cat'])
+ {
+ die('Hacking attempt on "cat" GET parameter');
+ }
+ else if (0 != $_GET['cat'])
+ {
+ $page['cat_clause'] =
+ 'category_id IN ('.
+ implode(
+ ',',
+ get_subcat_ids(array($_GET['cat']))
+ ).
+ ')'
+ ;
+ }
 }
 // search a particular author
@@ -127,16 +174,18 @@ if (isset($_GET['keyword']) and !empty($_GET['keyword']))
 }
 $page['keyword_clause'] =
 '('.
- implode(' AND ',
- array_map(
- create_function(
- '$s',
- 'return "content LIKE \'%$s%\'";'
- ),
- preg_split('/[\s,;]+/', $keyword)
- )
+ implode(
+ ' AND ',
+ array_map(
+ create_function(
+ '$s',
+ 'return "content LIKE \'%$s%\'";'
+ ),
+ preg_split('/[\s,;]+/', $keyword)
+ )
 ).
- ')';
+ ')'
+ ;
 }
 // +-----------------------------------------------------------------------+ |
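Review bot: The `items_number` check calls `in_array()` without the strict flag, so if `$items_number` holds integer entries (its definition is outside this hunk), a request value consisting of a leading digit followed by arbitrary text compares equal to an integer under the loose comparison rules of the PHP versions this branch targets, and the unchanged raw string is then stored in `$page['items_number']`, which the commit message says feeds a SQL query. Pass `true` as the third argument and compare against string forms of the allowlist, e.g. `if (!in_array($_GET['items_number'], array_map('strval', $items_number), true))`, or assign the matched allowlist entry rather than the request value. The `cat` branch is sound but only because `!=` between two numeric strings compares them numerically while rejecting anything with trailing characters; passing `intval($_GET['cat'])` into `get_subcat_ids()` would make the canonicalisation explicit instead of relying on that rule. Both branches still terminate with a bare `die()` and no log entry, which hides these rejections from anyone monitoring the site.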