Context Navigation

← Previous Change
Next Change →

choicelist.php

Timestamp:

01/01/10 23:10:02 (2 years ago)

Author:

brieb

Message:

Fixed several SQL injection vulnerabilities
Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI
Fixed severa path disclosure errors

Files:

: 1 modified

trunk/phpbms/choicelist.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/phpbms/choicelist.php

r702	r704
37	37	+-------------------------------------------------------------------------+
38	38	*/
39		require_once("include/session.php");
40
41
42		class choiceList{
43		var $db;
44
45		function choiceList($db){
46		$this->db = $db;
47		}
48
49
50		function deleteList($listname){
51		$querystatement="DELETE FROM choices WHERE listname=\"".$listname."\" ";
52		$queryresult=$this->db->query($querystatement);
53
54		echo "ok";
55		}
56
57
58		function addToList($listname,$value){
59		$querystatement="INSERT INTO choices (listname,thevalue) VALUES(\"".$listname."\",\"".$value."\") ";
60		$queryresult=$this->db->query($querystatement);
61
62		echo "ok";
63		}
64
65
66		function displayList($queryresult,$blankvalue){
67		while($therecord=$this->db->fetchArray($queryresult)){
68		$display=$therecord["thevalue"];
69		$theclass="";
70		if($therecord["thevalue"]==""){
71		$display="<".$blankvalue.">";
72		$theclass=" class=\"choiceListBlank\" ";
73		}
74		?><option value="<?php echo $therecord["thevalue"]?>" <?php echo $theclass?>><?php echo $display?></option><?php
75		}//end while
76
77		}
78
79		function displayBox($listname,$blankvalue,$listid){
80		$blankvalue = str_replace("<","",$blankvalue);
81		$blankvalue = str_replace(">","",$blankvalue);
82
83		$querystatement = "SELECT thevalue FROM choices WHERE listname=\"".$listname."\" ORDER BY thevalue;";
84		$queryresult = $this->db->query($querystatement);
85		?>
86		<p id="MLListP">
87		<select id="MLlist" name="MLList" size="12" onchange="updateML(this)">
88		<?php $this->displayList($queryresult,$blankvalue)?>
89		</select>
90		</p>
91		<p id="MLAddDelP">
92		<input type="button" id="MLDelete" name="MLDelete" value="delete" class="Buttons" disabled onclick="delML()" /><br/>
93		<input type="button" id="MLInsert" name="MLInsert" value="insert" class="Buttons" onclick="insertML()"/>
94		</p>
95		<p id="MLAddTextP">
96		<input name="MLaddedit" id="MLaddedit" type="text"/>
97		<input name="MLblankvalue" id="MLblankvalue" type="hidden" value="<?php echo $blankvalue?>"/>
98		</p>
99		<p id="MLAddP">
100		<input type="button" id="MLaddeditbutton" name="MLaddeditbutton" value="add" class="Buttons" onclick="addeditML('<?php echo $blankvalue?>')" />
101		</p>
102		<p id="MLStatus" class="small"> </p>
103		<div align="right">
104		<input type="button" id="MLok" name="MLok" value="ok" class="Buttons" style="width:75px;" onclick="clickOK('<?php echo APP_PATH?>','<?php echo $listid?>','<?php echo $listname?>')"/>
105		<input type="button" id="MLcancel" name="MLcancel" value="cancel" class="Buttons" style="width:75px;" onclick="closeBox('<?php echo $listid?>');"/>
106		</div>
107		<?php }//end function
108
109		}//end class
110
111
112
113
114
115
116		if(!isset($_GET["cm"]))
	39
	40
	41	class choiceList{
	42
	43	var $db;
	44
	45	function choiceList($db){
	46
	47	$this->db = $db;
	48
	49	}//end function init
	50
	51
	52	function deleteList($listname){
	53
	54	$deletestatement = "
	55	DELETE FROM
	56	`choices`
	57	WHERE
	58	`listname` = '".mysql_real_escape_string($listname)."' ";
	59	$queryresult=$this->db->query($querystatement);
	60
	61	echo "ok";
	62	}//end function deleteList
	63
	64
	65	function addToList($listname, $value){
	66
	67	$insertstatement = "
	68	INSERT INTO
	69	`choices`(
	70	`listname`,
	71	`choices`
	72	) VALUES (
	73	'".mysql_real_escape_string($listname)."',
	74	'".mysql_real_escape_string($value)."'
	75	)";
	76
	77	$this->db->query($insertstatement);
	78
	79	echo "ok";
	80
	81	}//end function addToList
	82
	83
	84	function displayList($queryresult, $blankvalue){
	85
	86	while($therecord = $this->db->fetchArray($queryresult)){
	87
	88	$display = $therecord["thevalue"];
	89	$theclass = "";
	90
	91	if($therecord["thevalue"]==""){
	92
	93	$display = "<".$blankvalue.">";
	94	$theclass = ' class="choiceListBlank" ';
	95
	96	}
	97
	98	?><option value="<?php echo $therecord["thevalue"]?>" <?php echo $theclass?>><?php echo $display?></option><?php
	99
	100	}//end while
	101
	102	}//end function displayList
	103
	104
	105	function displayBox($listname, $blankvalue, $listid){
	106
	107	$blankvalue = str_replace("<","",$blankvalue);
	108	$blankvalue = str_replace(">","",$blankvalue);
	109
	110	$querystatement = "
	111	SELECT
	112	thevalue
	113	FROM
	114	choices
	115	WHERE
	116	listname='".mysql_real_escape_string($listname)."'
	117	ORDER BY
	118	thevalue";
	119
	120	$queryresult = $this->db->query($querystatement);
	121
	122	?>
	123	<p id="MLListP">
	124	<select id="MLlist" name="MLList" size="12" onchange="updateML(this)">
	125	<?php $this->displayList($queryresult, $blankvalue)?>
	126	</select>
	127	</p>
	128	<p id="MLAddDelP">
	129	<input type="button" id="MLDelete" name="MLDelete" value="delete" class="Buttons" disabled onclick="delML()" /><br/>
	130	<input type="button" id="MLInsert" name="MLInsert" value="insert" class="Buttons" onclick="insertML()"/>
	131	</p>
	132	<p id="MLAddTextP">
	133	<input name="MLaddedit" id="MLaddedit" type="text"/>
	134	<input name="MLblankvalue" id="MLblankvalue" type="hidden" value="<?php echo $blankvalue?>"/>
	135	</p>
	136	<p id="MLAddP">
	137	<input type="button" id="MLaddeditbutton" name="MLaddeditbutton" value="add" class="Buttons" onclick="addeditML('<?php echo $blankvalue?>')" />
	138	</p>
	139	<p id="MLStatus" class="small"> </p>
	140	<div align="right">
	141	<input type="button" id="MLok" name="MLok" value="ok" class="Buttons" style="width:75px;" onclick="clickOK('<?php echo APP_PATH?>','<?php echo $listid?>','<?php echo $listname?>')"/>
	142	<input type="button" id="MLcancel" name="MLcancel" value="cancel" class="Buttons" style="width:75px;" onclick="closeBox('<?php echo $listid?>');"/>
	143	</div>
	144	<?php
	145
	146	}//end function
	147
	148	}//end class
	149
	150
	151
	152
	153
	154	if(!isset($noOutput)){
	155
	156	require_once("include/session.php");
	157	$thelist = new choiceList($db);
	158
	159	if(!isset($_GET["cm"]))
	160	$error = new appError(200, "passed parameters not set");
	161
	162	switch($_GET["cm"]){
	163
	164	case "shw":
	165
	166	if(!isset($_GET["ln"]))
	167	$_GET["ln"]="shippingmethod";
	168
	169	if(!isset($_GET["bv"]))
	170	$_GET["bv"]="none";
	171
	172	if(!isset($_GET["lid"]))
	173	$_GET["lid"]=NULL;
	174
	175	$thelist->displayBox($_GET["ln"],$_GET["bv"],$_GET["lid"]);
	176	break;
	177
	178	case "del":
	179
	180	if(!isset($_GET["ln"]))
	181	$error = new appError(200, "passed parameters not set");
	182
	183	$thelist->deleteList($_GET["ln"]);
	184	break;
	185
	186	case "add":
	187
	188	if(!isset($_GET["ln"]) \|\| !isset($_GET["val"]))
	189	$error = new appError(200, "passed parameters not set");
	190
	191	$thelist->addToList($_GET["ln"], $_GET["val"]);
	192	break;
	193
	194	}//endswitch
	195
	196	}//endif
	197
	198	if(!isset($_GET["cm"]))
117	199	$_GET["cm"]="shw";
118
119		if(!isset($_GET["ln"]))
120		$_GET["ln"]="shippingmethod";
121
122		if(!isset($_GET["bv"]))
123		$_GET["bv"]="none";
124
	200
	201
	202
125	203	$theList = new choiceList($db);
126
	204
127	205	switch($_GET["cm"]){
128	206	case "shw":
…	…
136	214	break;
137	215	}
138
	216
139	217	?>

phpBMS

Context Navigation

Changeset 704 for trunk/phpbms/choicelist.php

Legend:

trunk/phpbms/choicelist.php

Download in other formats: