From 1f400c49b173e126d674b9917456239620976742 Mon Sep 17 00:00:00 2001
From: tbrehm
Date: Fri, 11 May 2012 10:03:21 +0000
Subject: [PATCH] Fixed: FS#2221 - SQL Injection Vulnerability
---
 interface/lib/classes/listform.inc.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/interface/lib/classes/listform.inc.php b/interface/lib/classes/listform.inc.php
index ee91b88b5..a450df6b7 100644
--- a/interface/lib/classes/listform.inc.php
+++ b/interface/lib/classes/listform.inc.php
@@ -126,7 +126,7 @@ class listform {
 public function getSearchSQL($sql_where = '') {
- global $db;
+ global $app, $db;
 //* Get config variable
 $list_name = $this->listDef['name'];
@@ -151,9 +151,11 @@ class listform {
 }
 //* Store field in session
- if(isset($_REQUEST[$search_prefix.$field])){
+ if(isset($_REQUEST[$search_prefix.$field]) && !stristr($_REQUEST[$search_prefix.$field],"'")){
 $_SESSION['search'][$list_name][$search_prefix.$field] = $_REQUEST[$search_prefix.$field];
- }
+ if(preg_match("/['\\\\]/", $_SESSION['search'][$list_name][$search_prefix.$field]))
+ $_SESSION['search'][$list_name][$search_prefix.$field] = '';
+ }
 if(isset($i['formtype']) && $i['formtype'] == 'SELECT'){
 if(is_array($i['value'])) {
@@ -181,7 +183,7 @@ class listform {
 $field = $i['field'];
 // if($_REQUEST[$search_prefix.$field] != '') $sql_where .= " $field ".$i["op"]." '".$i["prefix"].$_REQUEST[$search_prefix.$field].$i["suffix"]."' and";
 if(isset($_SESSION['search'][$list_name][$search_prefix.$field]) && $_SESSION['search'][$list_name][$search_prefix.$field] != ''){
- $sql_where .= " $field ".$i['op']." '".$i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix']."' and";
+ $sql_where .= " $field ".$i['op']." '".$app->db->quote($i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix'])."' and";
 }
 }
 }
-- 
GitLab
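Review bot: The two new guards in the session-store block of the second hunk disagree with each other: a request value containing `'` fails the `!stristr(...)` condition and is never stored, so whatever was previously in `$_SESSION['search'][$list_name][$search_prefix.$field]` keeps filtering the list, whereas a value containing `\` is stored and then immediately blanked by the `preg_match` branch. Since the `preg_match` pattern already rejects `'`, the `&& !stristr($_REQUEST[$search_prefix.$field],"'")` clause can be dropped so both characters clear the stored filter the same way, and the brace-less one-line `if` should get braces to match the surrounding style. This filter also refuses legitimate search terms that contain an apostrophe (a name like O'Brien) even though the value is now escaped with `$app->db->quote()` where the SQL is built; if that escaping is trusted, the character filter is redundant and could be replaced by a comment saying so. The enclosing loop over the search fields starts before this hunk.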
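Review bot: The fix in the third hunk relies entirely on `$app->db->quote()`, whose implementation is not visible in this patch; it needs to be the driver's connection-aware escaper (one that honours the connection charset) rather than an `addslashes`-style function, otherwise quoting can still be incomplete under some multibyte charsets. The escaped value is wrapped in a literal `'...'`, and `$i['prefix']` and `$i['suffix']` are escaped along with it, which is fine for `%` LIKE wildcards, but `%` and `_` inside the user-supplied session value are not LIKE-escaped — a matching quirk rather than an injection, worth a comment. `$field` and `$i['op']` remain interpolated unescaped; they appear to come from `$this->listDef` rather than the request, which should be stated next to the line, e.g. `// $field and $i['op'] come from the list definition, not from user input; only the search value needs $app->db->quote()`. getSearchSQL's body starts before this hunk and the loop closes at its end.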