From: Janusz Dobrowolski
Date: Fri, 18 Apr 2008 16:02:56 +0000 (+0000)
Subject: Admin and dimensions modules sealed against XSS atacks
X-Git-Tag: v2.4.2~19^2~2100
X-Git-Url: https://delta.frontaccounting.com/gitweb/?p=fa-stable.git;a=commitdiff_plain;h=f00216978947d0fd076550f1969430265a270ce7
Admin and dimensions modules sealed against XSS atacks
---
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 619b82fe..be952195 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -19,6 +19,16 @@ Legend:
 ! -> Note
 $ -> Affected files
+18-Apr-2008 Janusz Dobrowolski
+! Modules admin and dimensions sealed against XSS atacks
+$ /admin/payment_terms.php
+ /admin/shipping_companies.php
+ /admin/db/company_db.inc
+ /admin/db/maintenance_db.inc
+ /admin/db/users_db.inc
+ /admin/db/voiding_db.inc
+ /dimensions/includes/dimensions_db.inc
+
 18-Apr-2008 Joe Hunt
 ! Changed db_escape function to avoid XSS attacks via js db injection
 $ /includes/db/comments_db.inc
@@ -35,7 +45,7 @@ $ /includes/db/comments_db.inc
 /manufacturing/includes/db/work_order_issues_db.inc
 /manufacturing/includes/db/work_order_produce_items_db.inc
-18-Apr-2008 Janusz Dobrwolski
+18-Apr-2008 Janusz Dobrowolski
 ! Changed db_escape function to avoid XSS attacks via js db injection
 $ /includes/db/connect_db.inc
 # Database inserts/updates secured against js injection
diff --git a/admin/db/company_db.inc b/admin/db/company_db.inc
index 29c1caf9..9ce6cee0 100644
--- a/admin/db/company_db.inc
+++ b/admin/db/company_db.inc
@@ -22,21 +22,21 @@ function update_company_gl_setup($debtors_act, $pyt_discount_act, $creditors_act
 $default_dim_required)
 {
 $sql = "UPDATE ".TB_PREF."company SET
- debtors_act='$debtors_act', pyt_discount_act='$pyt_discount_act',
- creditors_act='$creditors_act', grn_act='$grn_act',
- exchange_diff_act='$exchange_diff_act',
- purch_exchange_diff_act='$purch_exchange_diff_act',
- retained_earnings_act='$retained_earnings_act',
- freight_act='$freight_act',
- default_sales_act='$default_sales_act',
- default_sales_discount_act='$default_sales_discount_act',
- default_prompt_payment_act='$default_prompt_payment_act',
- default_inventory_act='$default_inventory_act',
- default_cogs_act='$default_cogs_act',
- default_adj_act='$default_adj_act',
- default_inv_sales_act='$default_inv_sales_act',
- default_assembly_act='$default_assembly_act',
- payroll_act='$payroll_act',
+ debtors_act=".db_escape($debtors_act).", pyt_discount_act=".db_escape($pyt_discount_act).",
+ creditors_act=".db_escape($creditors_act).", grn_act=".db_escape($grn_act).",
+ exchange_diff_act=".db_escape($exchange_diff_act).",
+ purch_exchange_diff_act=".db_escape($purch_exchange_diff_act).",
+ retained_earnings_act=".db_escape($retained_earnings_act).",
+ freight_act=".db_escape($freight_act).",
+ default_sales_act=".db_escape($default_sales_act).",
+ default_sales_discount_act=".db_escape($default_sales_discount_act).",
+ default_prompt_payment_act=".db_escape($default_prompt_payment_act).",
+ default_inventory_act=".db_escape($default_inventory_act).",
+ default_cogs_act=".db_escape($default_cogs_act).",
+ default_adj_act=".db_escape($default_adj_act).",
+ default_inv_sales_act=".db_escape($default_inv_sales_act).",
+ default_assembly_act=".db_escape($default_assembly_act).",
+ payroll_act=".db_escape($payroll_act).",
 allow_negative_stock=$allow_negative_stock,
 po_over_receive=$po_over_receive,
 po_over_charge=$po_over_charge,
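Review bot: The integer columns in this UPDATE are still interpolated without escaping — `allow_negative_stock=$allow_negative_stock`, `po_over_receive=$po_over_receive`, `po_over_charge=$po_over_charge` in the trailing context, and presumably the rest of the statement beyond the hunk — so the function is only partly hardened by the db_escape() calls on the string columns. The same gap remains in update_company_setup (`tax_prd`, `tax_last`, `use_dimension`, the `no_*_list` columns, `f_year`), add_fiscalyear (`$closed`), add_user and update_user (`$full_access`), add_voided_entry (`$type`, `$type_no`), the shipping_companies UPDATE (`WHERE shipper_id = $selected_id`) and add_dimension (`$type_`). Unless every caller already validates these as numbers, either pass them through db_escape() like the string columns or cast them where the statement is built, e.g. `allow_negative_stock=".(int)$allow_negative_stock.",`. update_company_gl_setup begins and ends outside this hunk.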
@@ -56,27 +56,27 @@ function update_company_setup($coy_name, $coy_no, $gst_no, $tax_prd, $tax_last,
 {
 if ($f_year == null)
 $f_year = 0;
- $sql = "UPDATE ".TB_PREF."company SET coy_name='$coy_name',
- coy_no = '$coy_no',
- gst_no='$gst_no',
+ $sql = "UPDATE ".TB_PREF."company SET coy_name=".db_escape($coy_name).",
+ coy_no = ".db_escape($coy_no).",
+ gst_no=".db_escape($gst_no).",
 tax_prd=$tax_prd, tax_last=$tax_last,
- postal_address ='$postal_address',
- phone='$phone', fax='$fax',
- email='$email',
- coy_logo='$coy_logo',
- domicile='$domicile',
+ postal_address =".db_escape($postal_address).",
+ phone=".db_escape($phone).", fax=".db_escape($fax).",
+ email=".db_escape($email).",
+ coy_logo=".db_escape($coy_logo).",
+ domicile=".db_escape($domicile).",
 use_dimension=$Dimension,
 no_item_list=$no_item_list,
 no_customer_list=$no_customer_list,
 no_supplier_list=$no_supplier_list,
- custom1_name='$custom1_name',
- custom2_name='$custom2_name',
- custom3_name='$custom3_name',
- custom1_value='$custom1_value',
- custom2_value='$custom2_value',
- custom3_value='$custom3_value',
- curr_default='$curr_default',
+ custom1_name=".db_escape($custom1_name).",
+ custom2_name=".db_escape($custom2_name).",
+ custom3_name=".db_escape($custom3_name).",
+ custom1_value=".db_escape($custom1_value).",
+ custom2_value=".db_escape($custom2_value).",
+ custom3_value=".db_escape($custom3_value).",
+ curr_default=".db_escape($curr_default).",
 f_year=$f_year
 WHERE coy_code=1";
@@ -107,7 +107,7 @@ function add_fiscalyear($from_date, $to_date, $closed)
 $to = date2sql($to_date);
 $sql = "INSERT INTO ".TB_PREF."fiscal_year (begin, end, closed)
- VALUES ('$from', '$to', $closed)";
+ VALUES (".db_escape($from).",".db_escape($to).", $closed)";
 db_query($sql, "could not add fiscal year");
 }
@@ -117,7 +117,7 @@ function update_fiscalyear($from_date, $closed)
 $from = date2sql($from_date);
 $sql = "UPDATE ".TB_PREF."fiscal_year SET closed=$closed
- WHERE begin='$from'";
+ WHERE begin=".db_escape($from);
 db_query($sql, "could not update fiscal year");
 }
@@ -133,7 +133,7 @@ function get_fiscalyear($from_date)
 {
 $from = date2sql($from_date);
- $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE begin='$from'";
+ $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE begin=".db_escape($from);
 $result = db_query($sql, "could not get fiscal year");
@@ -156,7 +156,7 @@ function delete_fiscalyear($from_date)
 $from = date2sql($from_date);
 begin_transaction();
- $sql="DELETE FROM ".TB_PREF."fiscal_year WHERE begin='$from'";
+ $sql="DELETE FROM ".TB_PREF."fiscal_year WHERE begin=".db_escape($from);
 db_query($sql, "could not delete fiscal year");
diff --git a/admin/db/maintenance_db.inc b/admin/db/maintenance_db.inc
index 27d36f21..b2583d5c 100644
--- a/admin/db/maintenance_db.inc
+++ b/admin/db/maintenance_db.inc
@@ -411,11 +411,7 @@ function db_export($conn, $filename, $zip='no', $comment='')
 // run through each field
 for ($k = 0; $k < $nf = db_num_fields($res2); $k++)
 {
- // identify null values and save them as null instead of ''
- if ($field_type[$k] != "" && $field_type[$k] != "NO" && $row2[$k] == "")
- $out .= "NULL";
- else
- $out .= db_escape($row2[$k]);
+ $out .= db_escape($row2[$k], true);
 if ($k < ($nf - 1))
 $out .= ", ";
 }
diff --git a/admin/db/users_db.inc b/admin/db/users_db.inc
index 694b49d7..13e36ec7 100644
--- a/admin/db/users_db.inc
+++ b/admin/db/users_db.inc
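Review bot: Replacing the explicit NULL check in db_export with `db_escape($row2[$k], true)` changes what an empty value is dumped as for a NOT NULL column: the old code wrote NULL only when `$field_type[$k]` marked the column nullable, while the nullify flag is now passed unconditionally, so (depending on how db_escape() treats an empty string when nullify is set) an empty NOT NULL column may be exported as NULL and fail to re-import. Passing the nullability decision through keeps the old behaviour in one line: `$out .= db_escape($row2[$k], $field_type[$k] != "" && $field_type[$k] != "NO");`. The code that fills `$field_type` lies outside the hunk and appears to become unused otherwise. If db_escape() also HTML-encodes its input, as the commit title suggests, each export/restore cycle would re-encode values that are already stored encoded; worth confirming against the db_escape() definition in connect_db.inc. db_export's body starts and ends outside this hunk.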
@@ -3,7 +3,9 @@ function add_user($user_id, $real_name, $password, $phone, $email, $full_access,
 $language)
 {
 $sql = "INSERT INTO ".TB_PREF."users (user_id, real_name, password, phone, email, full_access, language)
- VALUES ('$user_id', '$real_name', '" . $password ."', '$phone', '$email', $full_access, '$language')";
+ VALUES (".db_escape($user_id).",
+ ".db_escape($real_name).", ".db_escape($password) .",".db_escape($phone).",
+ ".db_escape($email).", $full_access, ".db_escape($language).")";
 db_query($sql, "could not add user for $user_id");
 }
@@ -12,8 +14,8 @@ function add_user($user_id, $real_name, $password, $phone, $email, $full_access,
 function update_user_password($user_id, $password)
 {
- $sql = "UPDATE ".TB_PREF."users SET password='" . $password . "'
- WHERE user_id = '$user_id'";
+ $sql = "UPDATE ".TB_PREF."users SET password=".db_escape($password) . "
+ WHERE user_id = ".db_escape($user_id);
 db_query($sql, "could not update user password for $user_id");
 }
@@ -22,11 +24,12 @@ function update_user_password($user_id, $password)
 function update_user($user_id, $real_name, $phone, $email, $full_access, $language)
 {
- $sql = "UPDATE ".TB_PREF."users SET real_name='$real_name', phone='$phone',
- email='$email',
+ $sql = "UPDATE ".TB_PREF."users SET real_name=".db_escape($real_name).
+ ", phone=".db_escape($phone).",
+ email=".db_escape($email).",
 full_access=$full_access,
- language='$language'
- WHERE user_id = '$user_id'";
+ language=".db_escape($language)."
+ WHERE user_id = ".db_escape($user_id);
 db_query($sql, "could not update user for $user_id");
 }
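Review bot: The rewritten VALUES list in add_user mixes separators — `.", ".db_escape(...)` in most places but `db_escape($password) .",".db_escape($phone)` with no space — and breaks lines mid-list, which makes the seven-value mapping hard to check by eye against the column list on the line above. One value per line with a uniform `", "` separator, as the update_user_display_prefs hunk in this same file does, would make a mismatched column order visible in review. The same applies to update_user, where `", phone="` is pushed onto the next line after a dangling `.`.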
@@ -37,19 +40,19 @@ function update_user_display_prefs($user_id, $price_dec, $qty_dec, $exrate_dec,
 $showcodes, $date_format, $date_sep, $tho_sep, $dec_sep, $theme, $pagesize)
 {
 $sql = "UPDATE ".TB_PREF."users SET
- prices_dec=$price_dec,
- qty_dec=$qty_dec,
- rates_dec=$exrate_dec,
- percent_dec=$percent_dec,
- show_gl=$showgl,
- show_codes=$showcodes,
- date_format=$date_format,
- date_sep=$date_sep,
- tho_sep=$tho_sep,
- dec_sep=$dec_sep,
- theme='$theme',
- page_size='$pagesize'
- WHERE user_id = '$user_id'";
+ prices_dec=".db_escape($price_dec).",
+ qty_dec=".db_escape($qty_dec).",
+ rates_dec=".db_escape($exrate_dec).",
+ percent_dec=".db_escape($percent_dec).",
+ show_gl=".db_escape($showgl).",
+ show_codes=".db_escape($showcodes).",
+ date_format=".db_escape($date_format).",
+ date_sep=".db_escape($date_sep).",
+ tho_sep=".db_escape($tho_sep).",
+ dec_sep=".db_escape($dec_sep).",
+ theme=".db_escape($theme).",
+ page_size=".db_escape($pagesize)."
+ WHERE user_id = ".db_escape($user_id);
 db_query($sql, "could not update user display prefs for $user_id");
 }
@@ -100,7 +103,7 @@ function get_user_for_login($user_id, $password)
 function update_user_visitdate($user_id)
 {
 $sql = "UPDATE ".TB_PREF."users SET last_visit_date='". date("Y-m-d H:i:s") ."'
- WHERE user_id='$user_id'";
+ WHERE user_id=".db_escape($user_id);
 db_query($sql, "could not update last visit date for user $user_id");
 }
diff --git a/admin/db/voiding_db.inc b/admin/db/voiding_db.inc
index f978ebfc..b90194ff 100644
--- a/admin/db/voiding_db.inc
+++ b/admin/db/voiding_db.inc
@@ -105,7 +105,7 @@ function add_voided_entry($type, $type_no, $date_, $memo_)
 {
 $date = date2sql($date_);
 $sql = "INSERT INTO ".TB_PREF."voided (type, id, date_, memo_)
- VALUES ($type, $type_no, '$date', '$memo_')";
+ VALUES ($type, $type_no, ".db_escape($date).", ".db_escape($memo_).")";
 db_query($sql, "could not add voided transaction entry");
 }
diff --git a/admin/payment_terms.php b/admin/payment_terms.php
index 1edaa025..33ddf118 100644
--- a/admin/payment_terms.php
+++ b/admin/payment_terms.php
@@ -61,17 +61,17 @@ if (isset($_POST['ADD_ITEM']) OR isset($_POST['UPDATE_ITEM']))
 {
 if (check_value('DaysOrFoll'))
 {
- $sql = "UPDATE ".TB_PREF."payment_terms SET terms='" . $_POST['terms'] . "',
+ $sql = "UPDATE ".TB_PREF."payment_terms SET terms=" . db_escape($_POST['terms']) . ",
 day_in_following_month=0,
- days_before_due=" . $_POST['DayNumber'] . "
- WHERE terms_indicator = '" . $selected_id . "'";
+ days_before_due=" . db_escape($_POST['DayNumber']) . "
+ WHERE terms_indicator = " .db_escape($selected_id);
 }
 else
 {
- $sql = "UPDATE ".TB_PREF."payment_terms SET terms='" . $_POST['terms'] . "',
- day_in_following_month=" . $_POST['DayNumber'] . ",
+ $sql = "UPDATE ".TB_PREF."payment_terms SET terms=" . db_escape($_POST['terms']) . ",
+ day_in_following_month=" . db_escape($_POST['DayNumber']) . ",
 days_before_due=0
- WHERE terms_indicator = '" . $selected_id . "'";
+ WHERE terms_indicator = " .db_escape( $selected_id );
 }
 }
@@ -82,15 +82,15 @@ if (isset($_POST['ADD_ITEM']) OR isset($_POST['UPDATE_ITEM']))
 {
 $sql = "INSERT INTO ".TB_PREF."payment_terms (terms, days_before_due,
 day_in_following_month)
- VALUES ('" .
- $_POST['terms'] . "', " . $_POST['DayNumber'] . ", 0)";
+ VALUES (" .
+ db_escape($_POST['terms']) . ", " . db_escape($_POST['DayNumber']) . ", 0)";
 }
 else
 {
 $sql = "INSERT INTO ".TB_PREF."payment_terms (terms, days_before_due,
 day_in_following_month)
- VALUES ('" . $_POST['terms'] . "',
- 0, " . $_POST['DayNumber'] . ")";
+ VALUES (" . db_escape($_POST['terms']) . ",
+ 0, " . db_escape($_POST['DayNumber']) . ")";
 }
 }
diff --git a/admin/shipping_companies.php b/admin/shipping_companies.php
index 9fd8af59..ec9f8953 100644
--- a/admin/shipping_companies.php
+++ b/admin/shipping_companies.php
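Review bot: `$_POST['DayNumber']` is written into the numeric `days_before_due` / `day_in_following_month` columns through db_escape(), which protects the SQL string context but does not establish that the value is a number; unless the form handling above this hunk already validates it, a non-numeric or empty post may be quoted and then coerced by MySQL rather than rejected. Since the field is a day count, casting it once before the branches, `$days = (int)$_POST['DayNumber'];`, and using `$days` in all four statements (this hunk and the INSERT hunk below) would make the type explicit and remove the repeated `$_POST` lookups. Minor: `db_escape( $selected_id )` in the else branch is spaced differently from `db_escape($selected_id)` a few lines above.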
@@ -36,10 +36,10 @@ if (isset($_POST['ADD_ITEM']) && can_process())
 {
 $sql = "INSERT INTO ".TB_PREF."shippers (shipper_name, contact, phone, address)
- VALUES ('" . $_POST['shipper_name'] . "', '" .
- $_POST['contact'] . "', '" .
- $_POST['phone'] . "', '" .
- $_POST['address'] . "')";
+ VALUES (" . db_escape($_POST['shipper_name']) . ", " .
+ db_escape($_POST['contact']). ", " .
+ db_escape($_POST['phone']). ", " .
+ db_escape($_POST['address']) . ")";
 db_query($sql,"The Shipping Company could not be added");
 meta_forward($_SERVER['PHP_SELF']);
@@ -50,10 +50,10 @@ if (isset($_POST['ADD_ITEM']) && can_process())
 if (isset($_POST['UPDATE_ITEM']) && can_process())
 {
- $sql = "UPDATE ".TB_PREF."shippers SET shipper_name='" . $_POST['shipper_name'] . "' ,
- contact ='" . $_POST['contact'] . "' ,
- phone ='" . $_POST['phone'] . "' ,
- address ='" . $_POST['address'] . "'
+ $sql = "UPDATE ".TB_PREF."shippers SET shipper_name=" . db_escape($_POST['shipper_name']). " ,
+ contact =" . db_escape($_POST['contact']). " ,
+ phone =" . db_escape($_POST['phone']). " ,
+ address =" . db_escape($_POST['address']). "
 WHERE shipper_id = $selected_id";
 db_query($sql,"The shipping company could not be updated");
diff --git a/dimensions/includes/dimensions_db.inc b/dimensions/includes/dimensions_db.inc
index 8ad1cfb1..d0299b66 100644
--- a/dimensions/includes/dimensions_db.inc
+++ b/dimensions/includes/dimensions_db.inc
@@ -8,7 +8,7 @@ function add_dimension($reference, $name, $type_, $date_, $due_date, $memo_)
 $duedate = date2sql($due_date);
 $sql = "INSERT INTO ".TB_PREF."dimensions (reference, name, type_, date_, due_date)
- VALUES ('$reference', '$name', $type_, '$date', '$duedate')";
+ VALUES (".db_escape($reference).", ".db_escape($name).", $type_, '$date', '$duedate')";
 db_query($sql, "could not add dimension");
 $id = db_insert_id();
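Review bot: add_dimension escapes `$reference` and `$name` but leaves `$type_`, `'$date'` and `'$duedate'` interpolated, whereas the add_voided_entry hunk in this same commit passes its date2sql() result through db_escape(); the two should agree so that a reader does not have to work out per call site which values are trusted. `VALUES (".db_escape($reference).", ".db_escape($name).", ".db_escape($type_).", ".db_escape($date).", ".db_escape($duedate).")";` escapes every value consistently; the integer column `type_` takes the escaped form the same way the prices_dec/qty_dec columns do in the users_db.inc hunk. The shipping_companies UPDATE hunk above has the same gap with `WHERE shipper_id = $selected_id`, which is not passed through db_escape() although the row values on the preceding lines are.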
@@ -29,7 +29,7 @@ function update_dimension($id, $name, $type_, $date_, $due_date, $memo_)
 $date = date2sql($date_);
 $duedate = date2sql($due_date);
- $sql = "UPDATE ".TB_PREF."dimensions SET name='$name',
+ $sql = "UPDATE ".TB_PREF."dimensions SET name=".db_escape($name).",
 type_ = $type_, date_='$date', due_date='$duedate'