Issue:SQL injection

From FollowTheScore
Jump to: navigation, search
Description: SQL injection via (Not)Created/(Last)ModifiedBy
Extension / Version: DPL   /   1.6.3
Type / Status: Bug   /   closed

Problem

Index: DynamicPageList2.php
===================================================================
--- DynamicPageList2.php        (revision 8500)
+++ DynamicPageList2.php        (revision 8589)
@@ -2410,26 +2410,26 @@
         
         // Revisions ==================================
         if ( $sCreatedBy != "" ) {
-            $sSqlCond_page_rev .= ' AND \''.$sCreatedBy.'\' = (select rev_user_text from '.$sRevisionTable
+            $sSqlCond_page_rev .= ' AND ' . $dbr->addQuotes($sCreatedBy) . ' = (select rev_user_text from '.$sRevisionTable
                                 .' where '.$sRevisionTable.'.rev_page=page_id order by '.$sRevisionTable.'.rev_timestamp ASC limit 1)';
         }
         if ( $sNotCreatedBy != "" ) {
-            $sSqlCond_page_rev .= ' AND \''.$sNotCreatedBy.'\' != (select rev_user_text from '.$sRevisionTable
+            $sSqlCond_page_rev .= ' AND ' . $dbr->addQuotes($sNotCreatedBy) . ' != (select rev_user_text from '.$sRevisionTable
                                 .' where '.$sRevisionTable.'.rev_page=page_id order by '.$sRevisionTable.'.rev_timestamp ASC limit 1)';
         }
         if ( $sModifiedBy != "" ) {
-            $sSqlCond_page_rev .= ' AND \''.$sModifiedBy.'\' in (select rev_user_text from '.$sRevisionTable
+            $sSqlCond_page_rev .= ' AND ' . $dbr->addQuotes($sModifiedBy) . ' in (select rev_user_text from '.$sRevisionTable
                                 .' where '.$sRevisionTable.'.rev_page=page_id)';
         }
         if ( $sNotModifiedBy != "" ) {
-            $sSqlCond_page_rev .= ' AND \''.$sNotModifiedBy.'\' not in (select rev_user_text from '.$sRevisionTable.' where '.$sRevisionTable.'.rev_page=page_id)';
+            $sSqlCond_page_rev .= ' AND ' . $dbr->addQuotes($sNotModifiedBy) . ' not in (select rev_user_text from '.$sRevisionTable.' where '.$sRevisionTable.'.rev_page=page_id)';
         }
         if ( $sLastModifiedBy != "" ) {
-            $sSqlCond_page_rev .= ' AND \''.$sLastModifiedBy.'\' = (select rev_user_text from '.$sRevisionTable
+            $sSqlCond_page_rev .= ' AND ' . $dbr->addQuotes($sLastModifiedBy) . ' = (select rev_user_text from '.$sRevisionTable
                                 .' where '.$sRevisionTable.'.rev_page=page_id order by '.$sRevisionTable.'.rev_timestamp DESC limit 1)';
         }
         if ( $sNotLastModifiedBy != "" ) {
-            $sSqlCond_page_rev .= ' AND \''.$sNotLastModifiedBy.'\' != (select rev_user_text from '.$sRevisionTable
+            $sSqlCond_page_rev .= ' AND ' . $dbr->addQuotes($sNotLastModifiedBy) . ' != (select rev_user_text from '.$sRevisionTable
                                 .' where '.$sRevisionTable.'.rev_page=page_id order by '.$sRevisionTable.'.rev_timestamp DESC limit 1)';
         }
     


Reply

Thank you. The change will be part of DPL rev. 1.6.6

Gero 08:13, 20 January 2008 (CET)