From 70aca8937767bd2c0e99f76f8ec94910c7d38df8 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Wed, 20 Jun 2012 22:24:25 -0500
Subject: [PATCH] Remove SQL injection vulnerabilities

Map each of the inputs from $_POST['ids'] into a separate, sanitized database input (via the db_input() function), then implode() the array with commas and build the SQL statement.
---
 include/class.team.php | 4 +++-
 scp/apikeys.php | 6 ++++--
 scp/banlist.php | 12 ++++++++----
 scp/canned.php | 6 ++++--
 scp/categories.php | 6 ++++--
 scp/departments.php | 10 +++++++---
 scp/emails.php | 5 ++++-
 scp/filters.php | 6 ++++--
 scp/groups.php | 6 ++++--
 scp/helptopics.php | 6 ++++--
 scp/slas.php | 6 ++++--
 scp/staff.php | 3 ++-
 scp/syslogs.php | 3 ++-
 scp/teams.php | 6 ++++--
 scp/templates.php | 3 ++-
 15 files changed, 60 insertions(+), 28 deletions(-)

diff --git a/include/class.team.php b/include/class.team.php
index 48d7b5655..1f663880d 100644
--- a/include/class.team.php
+++ b/include/class.team.php
@@ -126,7 +126,9 @@ class Team {
 if($vars['remove']) {
 $sql='DELETE FROM '.TEAM_MEMBER_TABLE
 .' WHERE team_id='.db_input($this->getId())
- .' AND staff_id IN('.implode(',',$_POST['remove']).')';
+ .' AND staff_id IN ('
+ .implode(',', array_map('db_input', $_POST['remove']))
+ .')';
 db_query($sql);
 }
diff --git a/scp/apikeys.php b/scp/apikeys.php
index ece244445..f9293f605 100644
--- a/scp/apikeys.php
+++ b/scp/apikeys.php
@@ -45,7 +45,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.API_KEY_TABLE.' SET isactive=1 WHERE id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.API_KEY_TABLE.' SET isactive=1 WHERE id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected API keys enabled';
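Review bot: The guard on the first context line reads `$vars['remove']` but the new IN-list is built from `$_POST['remove']`, so the method tests one input and queries with another; if `$vars` is the posted form, as the guard suggests, the sanitized line should be `.implode(',', array_map('db_input', $vars['remove']))` so the check and the query agree. There is also no check that the value is an array before `array_map`, so a scalar `remove` would produce `staff_id IN ()` and a SQL error rather than a clean rejection. The enclosing Team method starts and ends outside the hunk.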
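Review bot: `array_map('db_input', $_POST['ids'])` assumes `ids` is an array; unless the branch above this hunk already rejects a missing or scalar `ids`, a string value makes `array_map` return null with a warning and `implode` then yields `WHERE id IN ()`, a syntax error that surfaces only as the generic "Unable to enable" message. Building the list once with a shape check, `$ids = is_array($_POST['ids']) ? array_map('db_input', $_POST['ids']) : array();`, and erroring out when it is empty keeps the query well-formed. Because these `id` columns are integer keys, `array_map('intval', ...)` is a tighter allow-list than escaping — it coerces anything non-numeric to 0 instead of passing a quoted string into the comparison; db_input() is not shown here, so its exact quoting is presumed. The same pattern recurs in every other hunk of this patch (banlist, canned, categories, departments, emails, filters, groups, helptopics, slas, staff, syslogs, teams, templates), and the enclosing `if($_POST){` block starts and ends outside the hunk.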
@@ -55,7 +56,8 @@ if($_POST){
 $errors['err']='Unable to enable selected API keys.';
 }
 }elseif($_POST['disable']){
- $sql='UPDATE '.API_KEY_TABLE.' SET isactive=0 WHERE id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.API_KEY_TABLE.' SET isactive=0 WHERE id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected API keys disabled';
diff --git a/scp/banlist.php b/scp/banlist.php
index b56d05c6d..faa709fd3 100644
--- a/scp/banlist.php
+++ b/scp/banlist.php
@@ -68,8 +68,10 @@ if($_POST && !$errors && $filter){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=1 WHERE filter_id='.db_input($filter->getId()).
- ' AND id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=1 WHERE filter_id='.
+ db_input($filter->getId()).
+ ' AND id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected emails ban status set to enabled';
@@ -79,8 +81,10 @@ if($_POST && !$errors && $filter){
 $errors['err']='Unable to enable selected emails';
 }
 }elseif($_POST['disable']){
- $sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=0 WHERE filter_id='.db_input($filter->getId()).
- ' AND id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.EMAIL_FILTER_RULE_TABLE.' SET isactive=0 WHERE filter_id='.
+ db_input($filter->getId()).
+ ' AND id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected emails ban status set to disabled';
diff --git a/scp/canned.php b/scp/canned.php
index cb6da802e..fa208a273 100644
--- a/scp/canned.php
+++ b/scp/canned.php
@@ -71,7 +71,8 @@ if($_POST && $thisstaff->canManageCannedResponses()) {
 } else {
 $count=count($_POST['ids']);
 if($_POST['enable']) {
- $sql='UPDATE '.CANNED_TABLE.' SET isenabled=1 WHERE canned_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.CANNED_TABLE.' SET isenabled=1 WHERE canned_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected canned replies enabled';
@@ -81,7 +82,8 @@ if($_POST && $thisstaff->canManageCannedResponses()) {
 $errors['err']='Unable to enable selected canned replies.';
 }
 } elseif($_POST['disable']) {
- $sql='UPDATE '.CANNED_TABLE.' SET isenabled=0 WHERE canned_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.CANNED_TABLE.' SET isenabled=0 WHERE canned_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected canned replies disabled';
diff --git a/scp/categories.php b/scp/categories.php
index 787b81b5f..ed98da897 100644
--- a/scp/categories.php
+++ b/scp/categories.php
@@ -52,7 +52,8 @@ if($_POST){
 } else {
 $count=count($_POST['ids']);
 if($_POST['public']) {
- $sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=1 WHERE category_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=1 WHERE category_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected categories made PUBLIC';
@@ -62,7 +63,8 @@ if($_POST){
 $errors['err']='Unable to enable selected categories public.';
 }
 } elseif($_POST['private']) {
- $sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=0 WHERE category_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.FAQ_CATEGORY_TABLE.' SET ispublic=0 WHERE category_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected categories made PRIVATE';
diff --git a/scp/departments.php b/scp/departments.php
index d0869cdf7..ae03b6385 100644
--- a/scp/departments.php
+++ b/scp/departments.php
@@ -45,7 +45,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['public']){
- $sql='UPDATE '.DEPT_TABLE.' SET ispublic=1 WHERE dept_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.DEPT_TABLE.' SET ispublic=1 WHERE dept_id IN ('
+ .implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected departments made public';
@@ -56,7 +57,9 @@ if($_POST){
 }
 }elseif($_POST['private']){
 $sql='UPDATE '.DEPT_TABLE.' SET ispublic=0 '.
- 'WHERE dept_id IN ('.implode(',',$_POST['ids']).') AND dept_id!='.db_input($cfg->getDefaultDeptId());
+ 'WHERE dept_id IN ('
+ .implode(',', array_map('db_input', $_POST['ids']))
+ .') AND dept_id!='.db_input($cfg->getDefaultDeptId());
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected departments made private';
@@ -68,7 +71,8 @@ if($_POST){
 }elseif($_POST['delete']){
 //Deny all deletes if one of the selections has members in it.
- $sql='SELECT count(staff_id) FROM '.STAFF_TABLE.' WHERE dept_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='SELECT count(staff_id) FROM '.STAFF_TABLE.' WHERE dept_id IN ('
+ .implode(',', array_map('db_input', $_POST['ids'])).')';
 list($members)=db_fetch_row(db_query($sql));
 if($members)
 $errors['err']='Dept. with users can not be deleted. Move staff first.';
diff --git a/scp/emails.php b/scp/emails.php
index ddc626fb3..fa8a150d7 100644
--- a/scp/emails.php
+++ b/scp/emails.php
@@ -46,7 +46,10 @@ if($_POST){
 $count=count($_POST['ids']);
 $sql='SELECT count(dept_id) FROM '.DEPT_TABLE.' dept '.
- 'WHERE email_id IN ('.implode(',',$_POST['ids']).') OR autoresp_email_id IN ('.implode(',',$_POST['ids']).')';
+ 'WHERE email_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).
+ ') OR autoresp_email_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 list($depts)=db_fetch_row(db_query($sql));
 if($depts>0){
 $errors['err']='One or more of the selected emails is being used by a department. Remove association first!';
diff --git a/scp/filters.php b/scp/filters.php
index f39b794d0..665f5bd1e 100644
--- a/scp/filters.php
+++ b/scp/filters.php
@@ -48,7 +48,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=1 WHERE id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=1 WHERE id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected filters enabled';
@@ -58,7 +59,8 @@ if($_POST){
 $errors['err']='Unable to enable selected filters';
 }
 }elseif($_POST['disable']){
- $sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=0 WHERE id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.EMAIL_FILTER_TABLE.' SET isactive=0 WHERE id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected filters disabled';
diff --git a/scp/groups.php b/scp/groups.php
index 7a4f95916..4deefd48c 100644
--- a/scp/groups.php
+++ b/scp/groups.php
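Review bot: The sanitized id list is computed twice in the emails.php hunk, once for `email_id` and again for `autoresp_email_id`, running `db_input` over `$_POST['ids']` a second time for an identical result; build it once, `$ids = implode(',', array_map('db_input', $_POST['ids']));`, and use `'WHERE email_id IN ('.$ids.') OR autoresp_email_id IN ('.$ids.')'`, so the two lists cannot drift apart when one is later edited. The enclosing `if($_POST){` block starts and ends outside the hunk.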
@@ -43,7 +43,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.GROUP_TABLE.' SET group_enabled=1, updated=NOW() WHERE group_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.GROUP_TABLE.' SET group_enabled=1, updated=NOW() WHERE group_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected groups activated';
@@ -53,7 +54,8 @@ if($_POST){
 $errors['err']='Unable to activate selected groups';
 }
 }elseif($_POST['disable']){
- $sql='UPDATE '.GROUP_TABLE.' SET group_enabled=0, updated=NOW() WHERE group_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.GROUP_TABLE.' SET group_enabled=0, updated=NOW() WHERE group_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected groups disabled';
diff --git a/scp/helptopics.php b/scp/helptopics.php
index 18c34393e..45a288f41 100644
--- a/scp/helptopics.php
+++ b/scp/helptopics.php
@@ -45,7 +45,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.TOPIC_TABLE.' SET isactive=1 WHERE topic_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.TOPIC_TABLE.' SET isactive=1 WHERE topic_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected help topics enabled';
@@ -55,7 +56,8 @@ if($_POST){
 $errors['err']='Unable to enable selected help topics.';
 }
 }elseif($_POST['disable']){
- $sql='UPDATE '.TOPIC_TABLE.' SET isactive=0 WHERE topic_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.TOPIC_TABLE.' SET isactive=0 WHERE topic_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected help topics disabled';
diff --git a/scp/slas.php b/scp/slas.php
index c67a4d8cd..8c7c1b4af 100644
--- a/scp/slas.php
+++ b/scp/slas.php
@@ -45,7 +45,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.SLA_TABLE.' SET isactive=1 WHERE id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.SLA_TABLE.' SET isactive=1 WHERE id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected SLA plans enabled';
@@ -55,7 +56,8 @@ if($_POST){
 $errors['err']='Unable to enable selected SLA plans.';
 }
 }elseif($_POST['disable']){
- $sql='UPDATE '.SLA_TABLE.' SET isactive=0 WHERE id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.SLA_TABLE.' SET isactive=0 WHERE id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected SLA plans disabled';
diff --git a/scp/staff.php b/scp/staff.php
index 863a348c9..eacafb317 100644
--- a/scp/staff.php
+++ b/scp/staff.php
@@ -45,7 +45,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.STAFF_TABLE.' SET isactive=1 WHERE staff_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.STAFF_TABLE.' SET isactive=1 WHERE staff_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected staff activated';
diff --git a/scp/syslogs.php b/scp/syslogs.php
index 843fecd84..aaaf1843c 100644
--- a/scp/syslogs.php
+++ b/scp/syslogs.php
@@ -23,7 +23,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['delete']){
- $sql='DELETE FROM '.SYSLOG_TABLE.' WHERE log_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='DELETE FROM '.SYSLOG_TABLE.' WHERE log_id IN ('
+ .implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected logs deleted successfully';
diff --git a/scp/teams.php b/scp/teams.php
index c57937219..2fcbb1b1e 100644
--- a/scp/teams.php
+++ b/scp/teams.php
@@ -43,7 +43,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.TEAM_TABLE.' SET isenabled=1 WHERE team_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.TEAM_TABLE.' SET isenabled=1 WHERE team_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected teams activated';
@@ -53,7 +54,8 @@ if($_POST){
 $errors['err']='Unable to activate selected teams';
 }
 }elseif($_POST['disable']){
- $sql='UPDATE '.TEAM_TABLE.' SET isenabled=0 WHERE team_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.TEAM_TABLE.' SET isenabled=0 WHERE team_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())) {
 if($num==$count)
 $msg='Selected teams disabled';
diff --git a/scp/templates.php b/scp/templates.php
index 47e24dd6e..b87713662 100644
--- a/scp/templates.php
+++ b/scp/templates.php
@@ -54,7 +54,8 @@ if($_POST){
 }else{
 $count=count($_POST['ids']);
 if($_POST['enable']){
- $sql='UPDATE '.EMAIL_TEMPLATE_TABLE.' SET isactive=1 WHERE tpl_id IN ('.implode(',',$_POST['ids']).')';
+ $sql='UPDATE '.EMAIL_TEMPLATE_TABLE.' SET isactive=1 WHERE tpl_id IN ('.
+ implode(',', array_map('db_input', $_POST['ids'])).')';
 if(db_query($sql) && ($num=db_affected_rows())){
 if($num==$count)
 $msg='Selected templates enabled';
-- 
GitLab