*** empty log message ***

svn path=/trunk/boinc/; revision=4941

checkin_notes

@@ -21816,3 +21816,23 @@ David  25 Dec 2004
 	win_build/
 		config.h (new)
 		win-config.h (new)
+
+David  26 Dec 2004
+    - User web: define a function process_user_text() that
+        should be applied to any user-supplied text used in a SQL query.
+        It does trim(), stripslashes(), and boinc_real_escape_string()
+    - Update the account-creation and account-editing pages
+        to use the above; needs to be added a few other places too
+    - Remove the db_init() from forum.inc
+        and add db_init() as needed to .php files
+        (.inc files should NOT do db initialization)
+
+    html/
+        inc/
+            db.inc
+            forum.inc
+            util_ops.inc
+        user/
+            create_account_action.php
+            edit_user_info_action.php
+            forum*.php

html/inc/db.inc

@@ -85,6 +85,27 @@ function lookup_app($id) {
     return null;
 }
 
+
+// apply this to any user-supplied strings used in queries
+//
+function boinc_real_escape_string($x) {
+    //if (version_compare(phpversion(),"4.3.0")>=0) {
+        return mysql_real_escape_string($x);
+    //} else {
+    //    return str_replace("\'", "'", str_replace("\\\"", "'", $x));
+    //}
+}
+
+// process user-supplied text prior to using in query
+//
+function process_user_text($value) {
+    $value = trim($value);
+    if (get_magic_quotes_gpc()) {
+        $value = stripslashes($value);
+    }
+    return boinc_real_escape_string($value);
+}
+
 // escape a string for MySQL "like"
 //
 function escape_pattern($str) {

html/inc/forum.inc

@@ -68,8 +68,6 @@ $post_ratings['0'] = "Neutral";
 $post_ratings['-1'] = "Unhelpful (-1)";
 $post_ratings['-2'] = "Off topic (-2)";
 
-db_init();
-
 function getCategories() {
     $langID = (!empty($_SESSION['lang']['id']))?$_SESSION['lang']['id']:1;
     $sql = "SELECT * FROM category WHERE lang = ".$langID." AND is_helpdesk = 0 ORDER BY orderID ASC";

html/inc/util_ops.inc

@@ -23,12 +23,13 @@ define("TITLE_FONT", " <font color=ffffff> ");
 define("BODY_COLOR", " bgcolor=ffffff ");
 define("NOLOGIN", "Not logged in. Click <a href=login.php>here</a> to login.\n");
 
+// apply this to any user-supplied strings
 function boinc_real_escape_string($unstripped) {
-  if (version_compare(phpversion(),"4.3.0")>=0) {
-    return mysql_real_escape_string($unstripped);
-  } else {
-    return str_replace("\'", "'", str_replace("\\\"", "'", $unstripped));
-  }
+    if (version_compare(phpversion(),"4.3.0")>=0) {
+        return mysql_real_escape_string($unstripped);
+    } else {
+        return str_replace("\'", "'", str_replace("\\\"", "'", $unstripped));
+    }
 }
 
 function admin_page_head($title) {

html/user/create_account_action.php

@@ -41,12 +41,12 @@ function show_error($str) {
         $project_prefs = "";
     }
 
-    $new_name = $_POST["new_name"];
+    $new_name = process_user_text($_POST["new_name"]);
     if (strlen($new_name)==0) {
         show_error("You must supply a name for your account");
     }
 
-    $new_email_addr = trim($HTTP_POST_VARS["new_email_addr"]);
+    $new_email_addr = process_user_text($HTTP_POST_VARS["new_email_addr"]);
     $new_email_addr = strtolower($new_email_addr);
     if (!is_valid_email_addr($new_email_addr)) {
         show_error("Invalid email address:
@@ -64,6 +64,14 @@ function show_error($str) {
         }
     }
 
+    $country = $_POST["country"];
+    if (!is_valid_country($country)) {
+        echo "bad country";
+        exit();
+    }
+
+    $postal_code = process_user_text($_POST["postal_code"]);
+
     $authenticator = random_string();
     $cross_project_id = random_string();
     $munged_email_addr = munge_email_addr($new_email_addr, $authenticator);
@@ -73,8 +81,8 @@ function show_error($str) {
         $munged_email_addr,
         $new_name,
         $authenticator,
-        $_POST["country"],
-        $_POST["postal_code"]
+        $country,
+        $postal_code
     );
     $result = mysql_query($query);
     if (!$result) {

html/user/edit_user_info_action.php

@@ -2,15 +2,19 @@
     require_once("../inc/db.inc");
     require_once("../inc/user.inc");
     require_once("../inc/util.inc");
+    require_once("../inc/countries.inc");
 
     db_init();
     $user = get_logged_in_user();
 
-    $name = $HTTP_POST_VARS["user_name"];
-    $url = $HTTP_POST_VARS["url"];
+    $name = process_user_text($HTTP_POST_VARS["user_name"]);
+    $url = process_user_text($HTTP_POST_VARS["url"]);
     $country = $HTTP_POST_VARS["country"];
-    $postal_code = $HTTP_POST_VARS["postal_code"];
-    //$signature = $HTTP_POST_VARS["signature"];
+    if (!is_valid_country($country)) {
+        echo "bad country";
+        exit();
+    }
+    $postal_code = process_user_text($HTTP_POST_VARS["postal_code"]);
 
     $result = mysql_query("update user set name='$name', url='$url', country='$country', postal_code='$postal_code' where id=$user->id");
     if ($result) {

html/user/forum_edit.php

@@ -3,6 +3,8 @@
 require_once('../inc/forum.inc');
 require_once('../inc/util.inc');
 
+db_init();
+
 $logged_in_user = get_logged_in_user();
 if ($_POST['submit']) {    
     

html/user/forum_forum.php

@@ -5,6 +5,8 @@ require_once('../inc/util.inc');
 require_once('../inc/time.inc');
 require_once('../inc/forum_show.inc');
 
+db_init();
+
 if (empty($_GET['id'])) {
     // TODO: Standard error page
     echo "Invalid forum ID.<br>";

html/user/forum_help_desk.php

@@ -4,6 +4,8 @@ require_once('../inc/forum.inc');
 require_once('../inc/util.inc');
 require_once('../inc/time.inc');
 
+db_init();
+
 page_head(PROJECT.': Questions and problems');
 
 show_forum_title(NULL, NULL, true);

html/user/forum_post.php

@@ -4,6 +4,8 @@ require_once('../inc/forum.inc');
 require_once('../inc/util.inc');
 require_once('../inc/subscribe.inc');
 
+db_init();
+
 $logged_in_user = get_logged_in_user(true);
 $logged_in_user = getForumPreferences($logged_in_user);
 

html/user/forum_rate.php

@@ -3,6 +3,8 @@
 require_once('../inc/forum.inc');
 require_once('../inc/util.inc');
 
+db_init();
+
 if (!empty($_GET['post'])) {
     $postId = $_GET['post'];
     $choice = $_POST['submit'];

html/user/forum_reply.php

@@ -4,6 +4,8 @@ require_once('../inc/forum.inc');
 require_once('../inc/util.inc');
 require_once('../inc/subscribe.inc');
 
+db_init();
+
 $logged_in_user = get_logged_in_user(true);
 $logged_in_user = getForumPreferences($logged_in_user);
 

html/user/forum_sample_index.php

@@ -4,6 +4,8 @@ require_once('../inc/forum.inc');
 require_once('../inc/util.inc');
 require_once('../inc/time.inc');
 
+db_init();
+
 page_head('Message boards');
 
 show_forum_title(NULL, NULL, false);

html/user/forum_subscribe.php

@@ -1,7 +1,10 @@
 <?php
+
 require_once('../inc/subscribe.inc');
 require_once('../inc/util.inc');
 
+db_init();
+
 $action = $_GET['action'];
 $thread = $_GET['thread'];
 

html/user/forum_text_search_action.php

@@ -3,6 +3,8 @@
 require_once("../inc/forum.inc");
 require_once("../inc/time.inc");
 
+db_init();
+
 $search_string = $_GET['search_string'];
 $offset = $_GET['offset'];
 if (!$offset) $offset=0;

html/user/forum_thread.php

@@ -3,7 +3,8 @@
 require_once('../inc/forum.inc');
 require_once('../inc/util.inc');
 
-/* sanitize variable */
+db_init();
+
 if (empty($_GET['id'])) {
 	// TODO: Standard error page
 	echo "No thread was specified.<br>";

html/user/forum_user_posts.php

@@ -1,8 +1,11 @@
 <?php
+
 require_once('../inc/util.inc');
 require_once('../inc/time.inc');
 require_once('../inc/forum.inc');
 
+db_init();
+
 $userid = $_GET['userid'];
 $offset = $_GET['offset'];
 if (!$offset) $offset=0;