From 15e29841be8a1d4ee7cd7b7167bfc78a2ef85aea Mon Sep 17 00:00:00 2001 From: David Anderson Date: Mon, 27 Dec 2004 03:42:11 +0000 Subject: [PATCH] *** empty log message *** svn path=/trunk/boinc/; revision=4941 --- checkin_notes | 20 ++++++++++++++++++++ html/inc/db.inc | 21 +++++++++++++++++++++ html/inc/forum.inc | 2 -- html/inc/util_ops.inc | 11 ++++++----- html/user/create_account_action.php | 16 ++++++++++++---- html/user/edit_user_info_action.php | 12 ++++++++---- html/user/forum_edit.php | 2 ++ html/user/forum_forum.php | 2 ++ html/user/forum_help_desk.php | 2 ++ html/user/forum_post.php | 2 ++ html/user/forum_rate.php | 2 ++ html/user/forum_reply.php | 2 ++ html/user/forum_sample_index.php | 2 ++ html/user/forum_subscribe.php | 3 +++ html/user/forum_text_search_action.php | 2 ++ html/user/forum_thread.php | 3 ++- html/user/forum_user_posts.php | 3 +++ 17 files changed, 91 insertions(+), 16 deletions(-) diff --git a/checkin_notes b/checkin_notes index 4ac2fb42ae..fb00171a36 100755 --- a/checkin_notes +++ b/checkin_notes @@ -21816,3 +21816,23 @@ David 25 Dec 2004 win_build/ config.h (new) win-config.h (new) + +David 26 Dec 2004 + - User web: define a function process_user_text() that + should be applied to any user-supplied text used in a SQL query. + It does trim(), stripslashes(), and boinc_real_escape_string() + - Update the account-creation and account-editing pages + to use the above; needs to be added a few other places too + - Remove the db_init() from forum.inc + and add db_init() as needed to .php files + (.inc files should NOT do db initialization) + + html/ + inc/ + db.inc + forum.inc + util_ops.inc + user/ + create_account_action.php + edit_user_info_action.php + forum*.php diff --git a/html/inc/db.inc b/html/inc/db.inc index df36e3fec3..5151e44982 100644 --- a/html/inc/db.inc +++ b/html/inc/db.inc 
@@ -85,6 +85,27 @@ function lookup_app($id) { return null; } + +// apply this to any user-supplied strings used in queries +// +function boinc_real_escape_string($x) { + //if (version_compare(phpversion(),"4.3.0")>=0) { + return mysql_real_escape_string($x); + //} else { + // return str_replace("\'", "'", str_replace("\\\"", "'", $x)); + //} +} + +// process user-supplied text prior to using in query +// +function process_user_text($value) { + $value = trim($value); + if (get_magic_quotes_gpc()) { + $value = stripslashes($value); + } + return boinc_real_escape_string($value); +} + // escape a string for MySQL "like" // function escape_pattern($str) { diff --git a/html/inc/forum.inc b/html/inc/forum.inc index ea96ad3c17..5abaa91557 100644 --- a/html/inc/forum.inc +++ b/html/inc/forum.inc @@ -68,8 +68,6 @@ $post_ratings['0'] = "Neutral"; $post_ratings['-1'] = "Unhelpful (-1)"; $post_ratings['-2'] = "Off topic (-2)"; -db_init(); - function getCategories() { $langID = (!empty($_SESSION['lang']['id']))?$_SESSION['lang']['id']:1; $sql = "SELECT * FROM category WHERE lang = ".$langID." AND is_helpdesk = 0 ORDER BY orderID ASC"; diff --git a/html/inc/util_ops.inc b/html/inc/util_ops.inc index c6317c6261..3636a04ec2 100644 --- a/html/inc/util_ops.inc +++ b/html/inc/util_ops.inc @@ -23,12 +23,13 @@ define("TITLE_FONT", " "); define("BODY_COLOR", " bgcolor=ffffff "); define("NOLOGIN", "Not logged in. Click here to login.\n"); +// apply this to any user-supplied strings function boinc_real_escape_string($unstripped) { - if (version_compare(phpversion(),"4.3.0")>=0) { - return mysql_real_escape_string($unstripped); - } else { - return str_replace("\'", "'", str_replace("\\\"", "'", $unstripped)); - } + if (version_compare(phpversion(),"4.3.0")>=0) { + return mysql_real_escape_string($unstripped); + } else { + return str_replace("\'", "'", str_replace("\\\"", "'", $unstripped)); + } } function admin_page_head($title) { 
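Review bot: `boinc_real_escape_string()` is now defined in both html/inc/db.inc (this hunk) and html/inc/util_ops.inc (whose hunk in this same commit keeps its own copy), so any script that includes both files will die with a "cannot redeclare" fatal error; drop the util_ops.inc copy and let ops pages use the db.inc one, or guard one definition with `if (!function_exists('boinc_real_escape_string'))`. `process_user_text()` also depends on an open MySQL link, because `mysql_real_escape_string()` can return false when none exists, and this commit deliberately removes db_init() from the .inc files, so a header comment such as `// db_init() must have been called first; without a link mysql_real_escape_string() can return false and the value silently becomes empty` would make that contract explicit to callers. The commented-out version-compare fallback inside the new function is dead code and would be better deleted than carried as comments.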
diff --git a/html/user/create_account_action.php b/html/user/create_account_action.php index be4fe3697a..bb826e154d 100644 --- a/html/user/create_account_action.php +++ b/html/user/create_account_action.php @@ -41,12 +41,12 @@ function show_error($str) { $project_prefs = ""; } - $new_name = $_POST["new_name"]; + $new_name = process_user_text($_POST["new_name"]); if (strlen($new_name)==0) { show_error("You must supply a name for your account"); } - $new_email_addr = trim($HTTP_POST_VARS["new_email_addr"]); + $new_email_addr = process_user_text($HTTP_POST_VARS["new_email_addr"]); $new_email_addr = strtolower($new_email_addr); if (!is_valid_email_addr($new_email_addr)) { show_error("Invalid email address: @@ -64,6 +64,14 @@ function show_error($str) { } } + $country = $_POST["country"]; + if (!is_valid_country($country)) { + echo "bad country"; + exit(); + } + + $postal_code = process_user_text($_POST["postal_code"]); + $authenticator = random_string(); $cross_project_id = random_string(); $munged_email_addr = munge_email_addr($new_email_addr, $authenticator); @@ -73,8 +81,8 @@ function show_error($str) { $munged_email_addr, $new_name, $authenticator, - $_POST["country"], - $_POST["postal_code"] + $country, + $postal_code ); $result = mysql_query($query); if (!$result) { diff --git a/html/user/edit_user_info_action.php b/html/user/edit_user_info_action.php index 1f1a1dfa0a..9a06728f4a 100644 --- a/html/user/edit_user_info_action.php +++ b/html/user/edit_user_info_action.php 
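Review bot: In the `@@ -64` hunk `$country` is taken straight from `$_POST` and, in the `@@ -73` hunk, interpolated into the INSERT without going through `process_user_text()`, so the query's safety rests entirely on `is_valid_country()` being an exact-match whitelist, which this patch does not show; escaping it after the check, `$country = process_user_text($country);`, costs nothing and removes that dependency. The same pattern appears in html/user/edit_user_info_action.php. The new `echo "bad country"; exit();` also bypasses the file's own `show_error()` helper that the lines just above use for the name and email checks; `show_error("Invalid country");` would keep the error path consistent. edit_user_info_action.php gains `require_once("../inc/countries.inc")` for `is_valid_country()` while no such require is visible in these hunks, which is fine only if this file already includes it earlier.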
@@ -2,15 +2,19 @@ require_once("../inc/db.inc"); require_once("../inc/user.inc"); require_once("../inc/util.inc"); + require_once("../inc/countries.inc"); db_init(); $user = get_logged_in_user(); - $name = $HTTP_POST_VARS["user_name"]; - $url = $HTTP_POST_VARS["url"]; + $name = process_user_text($HTTP_POST_VARS["user_name"]); + $url = process_user_text($HTTP_POST_VARS["url"]); $country = $HTTP_POST_VARS["country"]; - $postal_code = $HTTP_POST_VARS["postal_code"]; - //$signature = $HTTP_POST_VARS["signature"]; + if (!is_valid_country($country)) { + echo "bad country"; + exit(); + } + $postal_code = process_user_text($HTTP_POST_VARS["postal_code"]); $result = mysql_query("update user set name='$name', url='$url', country='$country', postal_code='$postal_code' where id=$user->id"); if ($result) { diff --git a/html/user/forum_edit.php b/html/user/forum_edit.php index 9a6bec5515..6565899899 100644 --- a/html/user/forum_edit.php +++ b/html/user/forum_edit.php @@ -3,6 +3,8 @@ require_once('../inc/forum.inc'); require_once('../inc/util.inc'); +db_init(); + $logged_in_user = get_logged_in_user(); if ($_POST['submit']) { diff --git a/html/user/forum_forum.php b/html/user/forum_forum.php index 0566620364..8273ff150b 100644 --- a/html/user/forum_forum.php +++ b/html/user/forum_forum.php @@ -5,6 +5,8 @@ require_once('../inc/util.inc'); require_once('../inc/time.inc'); require_once('../inc/forum_show.inc'); +db_init(); + if (empty($_GET['id'])) { // TODO: Standard error page echo "Invalid forum ID.
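Review bot: `$url` on the new `$url = process_user_text($HTTP_POST_VARS["url"]);` line receives SQL escaping only; nothing in this hunk checks that it is actually a URL before the `update user set ... url='$url'` statement stores it, so if the field is rendered as a link elsewhere (not visible here) an arbitrary scheme or plain text would be saved as-is. A boundary check mirroring the country pattern a few lines below, `if (strlen($url) && !preg_match('/^https?:\/\//i', $url)) { echo "bad url"; exit(); }`, would keep the stored value within an expected shape. As in create_account_action.php, `$country` is validated but not escaped before the query; `$country = process_user_text($country);` after the `is_valid_country()` check would close that gap here too.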
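Review bot: With `db_init()` removed from html/inc/forum.inc, every page that includes forum.inc must now open the connection itself, and this commit adds the call only to the forum_*.php files in the diffstat (forum_edit.php here, then forum_forum.php, forum_help_desk.php, forum_post.php, forum_rate.php, forum_reply.php, forum_sample_index.php, forum_subscribe.php, forum_text_search_action.php, forum_thread.php and forum_user_posts.php); any other script that relied on forum.inc for the connection would now reach mysql calls without a link, which shows up as warnings and empty result sets rather than a clear failure. A grep for `require_once('../inc/forum.inc')` across html/ before merging would confirm the list is complete. A one-line comment above each new call, `// forum.inc no longer opens the DB; each page must call db_init() itself`, would explain to the next reader why the call sits in the page rather than the include.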
"; diff --git a/html/user/forum_help_desk.php b/html/user/forum_help_desk.php index ca312ec7a2..4a1eb551bd 100644 --- a/html/user/forum_help_desk.php +++ b/html/user/forum_help_desk.php @@ -4,6 +4,8 @@ require_once('../inc/forum.inc'); require_once('../inc/util.inc'); require_once('../inc/time.inc'); +db_init(); + page_head(PROJECT.': Questions and problems'); show_forum_title(NULL, NULL, true); diff --git a/html/user/forum_post.php b/html/user/forum_post.php index a84214a449..4246159003 100644 --- a/html/user/forum_post.php +++ b/html/user/forum_post.php @@ -4,6 +4,8 @@ require_once('../inc/forum.inc'); require_once('../inc/util.inc'); require_once('../inc/subscribe.inc'); +db_init(); + $logged_in_user = get_logged_in_user(true); $logged_in_user = getForumPreferences($logged_in_user); diff --git a/html/user/forum_rate.php b/html/user/forum_rate.php index e3e1fbb5aa..25d4990b74 100644 --- a/html/user/forum_rate.php +++ b/html/user/forum_rate.php @@ -3,6 +3,8 @@ require_once('../inc/forum.inc'); require_once('../inc/util.inc'); +db_init(); + if (!empty($_GET['post'])) { $postId = $_GET['post']; $choice = $_POST['submit']; diff --git a/html/user/forum_reply.php b/html/user/forum_reply.php index c2f2b65d6a..1f6f02f096 100644 --- a/html/user/forum_reply.php +++ b/html/user/forum_reply.php @@ -4,6 +4,8 @@ require_once('../inc/forum.inc'); require_once('../inc/util.inc'); require_once('../inc/subscribe.inc'); +db_init(); + $logged_in_user = get_logged_in_user(true); $logged_in_user = getForumPreferences($logged_in_user); diff --git a/html/user/forum_sample_index.php b/html/user/forum_sample_index.php index 7d92942a29..65b6d38d26 100644 --- a/html/user/forum_sample_index.php +++ b/html/user/forum_sample_index.php @@ -4,6 +4,8 @@ require_once('../inc/forum.inc'); require_once('../inc/util.inc'); require_once('../inc/time.inc'); +db_init(); + page_head('Message boards'); show_forum_title(NULL, NULL, false); 
diff --git a/html/user/forum_subscribe.php b/html/user/forum_subscribe.php index 7204a77482..7f8ca4ee77 100644 --- a/html/user/forum_subscribe.php +++ b/html/user/forum_subscribe.php @@ -1,7 +1,10 @@ "; diff --git a/html/user/forum_user_posts.php b/html/user/forum_user_posts.php index 7fb3dd9ade..8817da6f7f 100644 --- a/html/user/forum_user_posts.php +++ b/html/user/forum_user_posts.php @@ -1,8 +1,11 @@