! -> Note
$ -> Affected files
+18-Apr-2008 Janusz Dobrowolski
+! Modules admin and dimensions sealed against XSS atacks
+$ /admin/payment_terms.php
+ /admin/shipping_companies.php
+ /admin/db/company_db.inc
+ /admin/db/maintenance_db.inc
+ /admin/db/users_db.inc
+ /admin/db/voiding_db.inc
+ /dimensions/includes/dimensions_db.inc
+
18-Apr-2008 Joe Hunt
! Changed db_escape function to avoid XSS attacks via js db injection
$ /includes/db/comments_db.inc
/manufacturing/includes/db/work_order_issues_db.inc
/manufacturing/includes/db/work_order_produce_items_db.inc
-18-Apr-2008 Janusz Dobrwolski
+18-Apr-2008 Janusz Dobrowolski
! Changed db_escape function to avoid XSS attacks via js db injection
$ /includes/db/connect_db.inc
# Database inserts/updates secured against js injection
$default_dim_required)
{
$sql = "UPDATE ".TB_PREF."company SET
- debtors_act='$debtors_act', pyt_discount_act='$pyt_discount_act',
- creditors_act='$creditors_act', grn_act='$grn_act',
- exchange_diff_act='$exchange_diff_act',
- purch_exchange_diff_act='$purch_exchange_diff_act',
- retained_earnings_act='$retained_earnings_act',
- freight_act='$freight_act',
- default_sales_act='$default_sales_act',
- default_sales_discount_act='$default_sales_discount_act',
- default_prompt_payment_act='$default_prompt_payment_act',
- default_inventory_act='$default_inventory_act',
- default_cogs_act='$default_cogs_act',
- default_adj_act='$default_adj_act',
- default_inv_sales_act='$default_inv_sales_act',
- default_assembly_act='$default_assembly_act',
- payroll_act='$payroll_act',
+ debtors_act=".db_escape($debtors_act).", pyt_discount_act=".db_escape($pyt_discount_act).",
+ creditors_act=".db_escape($creditors_act).", grn_act=".db_escape($grn_act).",
+ exchange_diff_act=".db_escape($exchange_diff_act).",
+ purch_exchange_diff_act=".db_escape($purch_exchange_diff_act).",
+ retained_earnings_act=".db_escape($retained_earnings_act).",
+ freight_act=".db_escape($freight_act).",
+ default_sales_act=".db_escape($default_sales_act).",
+ default_sales_discount_act=".db_escape($default_sales_discount_act).",
+ default_prompt_payment_act=".db_escape($default_prompt_payment_act).",
+ default_inventory_act=".db_escape($default_inventory_act).",
+ default_cogs_act=".db_escape($default_cogs_act).",
+ default_adj_act=".db_escape($default_adj_act).",
+ default_inv_sales_act=".db_escape($default_inv_sales_act).",
+ default_assembly_act=".db_escape($default_assembly_act).",
+ payroll_act=".db_escape($payroll_act).",
allow_negative_stock=$allow_negative_stock,
po_over_receive=$po_over_receive,
po_over_charge=$po_over_charge,
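Review bot: The escaping stops at the string columns — `allow_negative_stock=$allow_negative_stock`, `po_over_receive=$po_over_receive` and `po_over_charge=$po_over_charge` on the trailing context lines are still interpolated raw, and the same pattern survives in the later hunks (`tax_prd`/`tax_last`/`use_dimension`/`f_year` in the second company_db hunk, `$closed` in the fiscal_year statements, `$full_access` in add_user/update_user, `$type, $type_no` in the voided insert, `shipper_id = $selected_id` in the shippers update, and `$type_, '$date', '$duedate'` in the dimensions insert). Unless each of those is validated as numeric before the statement is built, which nothing in this patch shows, they remain the same injection surface the patch closes for the quoted values; passing them through db_escape() like the rest, or casting with `(int)` where the column is integral, would make the hardening uniform. The enclosing function's signature begins above the hunk and the statement continues past the last context line. Note also that escaping into the SQL statement protects the database, not the browser: a value stored via db_escape() is still emitted verbatim on output unless it is HTML-escaped there, so the changelog's "XSS" wording should not be read as covering output escaping.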
{
if ($f_year == null)
$f_year = 0;
- $sql = "UPDATE ".TB_PREF."company SET coy_name='$coy_name',
- coy_no = '$coy_no',
- gst_no='$gst_no',
+ $sql = "UPDATE ".TB_PREF."company SET coy_name=".db_escape($coy_name).",
+ coy_no = ".db_escape($coy_no).",
+ gst_no=".db_escape($gst_no).",
tax_prd=$tax_prd,
tax_last=$tax_last,
- postal_address ='$postal_address',
- phone='$phone', fax='$fax',
- email='$email',
- coy_logo='$coy_logo',
- domicile='$domicile',
+ postal_address =".db_escape($postal_address).",
+ phone=".db_escape($phone).", fax=".db_escape($fax).",
+ email=".db_escape($email).",
+ coy_logo=".db_escape($coy_logo).",
+ domicile=".db_escape($domicile).",
use_dimension=$Dimension,
no_item_list=$no_item_list,
no_customer_list=$no_customer_list,
no_supplier_list=$no_supplier_list,
- custom1_name='$custom1_name',
- custom2_name='$custom2_name',
- custom3_name='$custom3_name',
- custom1_value='$custom1_value',
- custom2_value='$custom2_value',
- custom3_value='$custom3_value',
- curr_default='$curr_default',
+ custom1_name=".db_escape($custom1_name).",
+ custom2_name=".db_escape($custom2_name).",
+ custom3_name=".db_escape($custom3_name).",
+ custom1_value=".db_escape($custom1_value).",
+ custom2_value=".db_escape($custom2_value).",
+ custom3_value=".db_escape($custom3_value).",
+ curr_default=".db_escape($curr_default).",
f_year=$f_year
WHERE coy_code=1";
$to = date2sql($to_date);
$sql = "INSERT INTO ".TB_PREF."fiscal_year (begin, end, closed)
- VALUES ('$from', '$to', $closed)";
+ VALUES (".db_escape($from).",".db_escape($to).", $closed)";
db_query($sql, "could not add fiscal year");
}
$from = date2sql($from_date);
$sql = "UPDATE ".TB_PREF."fiscal_year SET closed=$closed
- WHERE begin='$from'";
+ WHERE begin=".db_escape($from);
db_query($sql, "could not update fiscal year");
}
{
$from = date2sql($from_date);
- $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE begin='$from'";
+ $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE begin=".db_escape($from);
$result = db_query($sql, "could not get fiscal year");
$from = date2sql($from_date);
begin_transaction();
- $sql="DELETE FROM ".TB_PREF."fiscal_year WHERE begin='$from'";
+ $sql="DELETE FROM ".TB_PREF."fiscal_year WHERE begin=".db_escape($from);
db_query($sql, "could not delete fiscal year");
// run through each field
for ($k = 0; $k < $nf = db_num_fields($res2); $k++)
{
- // identify null values and save them as null instead of ''
- if ($field_type[$k] != "" && $field_type[$k] != "NO" && $row2[$k] == "")
- $out .= "NULL";
- else
- $out .= db_escape($row2[$k]);
+ $out .= db_escape($row2[$k], true);
if ($k < ($nf - 1))
$out .= ", ";
}
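Review bot: Replacing the NULL branch with `db_escape($row2[$k], true)` drops the `$field_type[$k]` condition, so whether an empty string in a nullable column is dumped as NULL or as '' now depends entirely on what db_escape's second argument does, which is not visible in this hunk; if the flag only maps PHP null to NULL, a restore of this dump stores '' where the old backup stored NULL, and if it maps '' to NULL unconditionally, NOT NULL columns receive NULL on restore. Confirm the flag's meaning against db_escape in connect_db.inc, and if `$field_type` is no longer read anywhere in the loop its computation above the hunk is dead and can go. A one-line comment above the call stating which mapping the flag performs would keep the next reader from re-adding the old branch. The enclosing function begins and ends outside the hunk.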
function add_user($user_id, $real_name, $password, $phone, $email, $full_access, $language)
{
$sql = "INSERT INTO ".TB_PREF."users (user_id, real_name, password, phone, email, full_access, language)
- VALUES ('$user_id', '$real_name', '" . $password ."', '$phone', '$email', $full_access, '$language')";
+ VALUES (".db_escape($user_id).",
+ ".db_escape($real_name).", ".db_escape($password) .",".db_escape($phone).",
+ ".db_escape($email).", $full_access, ".db_escape($language).")";
db_query($sql, "could not add user for $user_id");
}
function update_user_password($user_id, $password)
{
- $sql = "UPDATE ".TB_PREF."users SET password='" . $password . "'
- WHERE user_id = '$user_id'";
+ $sql = "UPDATE ".TB_PREF."users SET password=".db_escape($password) . "
+ WHERE user_id = ".db_escape($user_id);
db_query($sql, "could not update user password for $user_id");
}
function update_user($user_id, $real_name, $phone, $email, $full_access, $language)
{
- $sql = "UPDATE ".TB_PREF."users SET real_name='$real_name', phone='$phone',
- email='$email',
+ $sql = "UPDATE ".TB_PREF."users SET real_name=".db_escape($real_name).
+ ", phone=".db_escape($phone).",
+ email=".db_escape($email).",
full_access=$full_access,
- language='$language'
- WHERE user_id = '$user_id'";
+ language=".db_escape($language)."
+ WHERE user_id = ".db_escape($user_id);
db_query($sql, "could not update user for $user_id");
}
$showcodes, $date_format, $date_sep, $tho_sep, $dec_sep, $theme, $pagesize)
{
$sql = "UPDATE ".TB_PREF."users SET
- prices_dec=$price_dec,
- qty_dec=$qty_dec,
- rates_dec=$exrate_dec,
- percent_dec=$percent_dec,
- show_gl=$showgl,
- show_codes=$showcodes,
- date_format=$date_format,
- date_sep=$date_sep,
- tho_sep=$tho_sep,
- dec_sep=$dec_sep,
- theme='$theme',
- page_size='$pagesize'
- WHERE user_id = '$user_id'";
+ prices_dec=".db_escape($price_dec).",
+ qty_dec=".db_escape($qty_dec).",
+ rates_dec=".db_escape($exrate_dec).",
+ percent_dec=".db_escape($percent_dec).",
+ show_gl=".db_escape($showgl).",
+ show_codes=".db_escape($showcodes).",
+ date_format=".db_escape($date_format).",
+ date_sep=".db_escape($date_sep).",
+ tho_sep=".db_escape($tho_sep).",
+ dec_sep=".db_escape($dec_sep).",
+ theme=".db_escape($theme).",
+ page_size=".db_escape($pagesize)."
+ WHERE user_id = ".db_escape($user_id);
db_query($sql, "could not update user display prefs for $user_id");
}
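Review bot: The numeric display preferences (`prices_dec`, `qty_dec`, `rates_dec`, `percent_dec`, `show_gl`, `show_codes`) are now passed through db_escape() and, judging by the quotes dropped around every other db_escape() call in this patch, reach the server as quoted strings; that relies on the server coercing `'2'` to an integer and, in MySQL's non-strict mode, silently stores 0 for a non-numeric value instead of rejecting it. An explicit cast documents the expected type and avoids the coercion, e.g. `prices_dec=".(int)$price_dec.",` for each integer column; the same applies to `db_escape($_POST['DayNumber'])` in both branches of the payment_terms hunks, where the value is a day count. The function's signature begins above the hunk.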
function update_user_visitdate($user_id)
{
$sql = "UPDATE ".TB_PREF."users SET last_visit_date='". date("Y-m-d H:i:s") ."'
- WHERE user_id='$user_id'";
+ WHERE user_id=".db_escape($user_id);
db_query($sql, "could not update last visit date for user $user_id");
}
{
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."voided (type, id, date_, memo_)
- VALUES ($type, $type_no, '$date', '$memo_')";
+ VALUES ($type, $type_no, ".db_escape($date).", ".db_escape($memo_).")";
db_query($sql, "could not add voided transaction entry");
}
{
if (check_value('DaysOrFoll'))
{
- $sql = "UPDATE ".TB_PREF."payment_terms SET terms='" . $_POST['terms'] . "',
+ $sql = "UPDATE ".TB_PREF."payment_terms SET terms=" . db_escape($_POST['terms']) . ",
day_in_following_month=0,
- days_before_due=" . $_POST['DayNumber'] . "
- WHERE terms_indicator = '" . $selected_id . "'";
+ days_before_due=" . db_escape($_POST['DayNumber']) . "
+ WHERE terms_indicator = " .db_escape($selected_id);
}
else
{
- $sql = "UPDATE ".TB_PREF."payment_terms SET terms='" . $_POST['terms'] . "',
- day_in_following_month=" . $_POST['DayNumber'] . ",
+ $sql = "UPDATE ".TB_PREF."payment_terms SET terms=" . db_escape($_POST['terms']) . ",
+ day_in_following_month=" . db_escape($_POST['DayNumber']) . ",
days_before_due=0
- WHERE terms_indicator = '" . $selected_id . "'";
+ WHERE terms_indicator = " .db_escape( $selected_id );
}
}
{
$sql = "INSERT INTO ".TB_PREF."payment_terms (terms,
days_before_due, day_in_following_month)
- VALUES ('" .
- $_POST['terms'] . "', " . $_POST['DayNumber'] . ", 0)";
+ VALUES (" .
+ db_escape($_POST['terms']) . ", " . db_escape($_POST['DayNumber']) . ", 0)";
}
else
{
$sql = "INSERT INTO ".TB_PREF."payment_terms (terms,
days_before_due, day_in_following_month)
- VALUES ('" . $_POST['terms'] . "',
- 0, " . $_POST['DayNumber'] . ")";
+ VALUES (" . db_escape($_POST['terms']) . ",
+ 0, " . db_escape($_POST['DayNumber']) . ")";
}
}
{
$sql = "INSERT INTO ".TB_PREF."shippers (shipper_name, contact, phone, address)
- VALUES ('" . $_POST['shipper_name'] . "', '" .
- $_POST['contact'] . "', '" .
- $_POST['phone'] . "', '" .
- $_POST['address'] . "')";
+ VALUES (" . db_escape($_POST['shipper_name']) . ", " .
+ db_escape($_POST['contact']). ", " .
+ db_escape($_POST['phone']). ", " .
+ db_escape($_POST['address']) . ")";
db_query($sql,"The Shipping Company could not be added");
meta_forward($_SERVER['PHP_SELF']);
if (isset($_POST['UPDATE_ITEM']) && can_process())
{
- $sql = "UPDATE ".TB_PREF."shippers SET shipper_name='" . $_POST['shipper_name'] . "' ,
- contact ='" . $_POST['contact'] . "' ,
- phone ='" . $_POST['phone'] . "' ,
- address ='" . $_POST['address'] . "'
+ $sql = "UPDATE ".TB_PREF."shippers SET shipper_name=" . db_escape($_POST['shipper_name']). " ,
+ contact =" . db_escape($_POST['contact']). " ,
+ phone =" . db_escape($_POST['phone']). " ,
+ address =" . db_escape($_POST['address']). "
WHERE shipper_id = $selected_id";
db_query($sql,"The shipping company could not be updated");
$duedate = date2sql($due_date);
$sql = "INSERT INTO ".TB_PREF."dimensions (reference, name, type_, date_, due_date)
- VALUES ('$reference', '$name', $type_, '$date', '$duedate')";
+ VALUES (".db_escape($reference).", ".db_escape($name).", $type_, '$date', '$duedate')";
db_query($sql, "could not add dimension");
$id = db_insert_id();
$date = date2sql($date_);
$duedate = date2sql($due_date);
- $sql = "UPDATE ".TB_PREF."dimensions SET name='$name',
+ $sql = "UPDATE ".TB_PREF."dimensions SET name=".db_escape($name).",
type_ = $type_,
date_='$date',
due_date='$duedate'