Fix injection on fieldname descartes

osaajani 2019-11-04 17:45:16 +01:00
parent 1865072b73
commit 628527c70f
1 changed files with 10 additions and 3 deletions


@ -126,10 +126,11 @@
$values = count($values) ? $values : array(); $values = count($values) ? $values : array();
foreach ($values as $clef => $value) foreach ($values as $key => $value)
{ {
$return['PARAMS']['in_value_' . $clef] = $value; $key = preg_replace('#[^a-zA-Z0-9_]#', '', $key);
$flags[] = ':in_value_' . $clef; $return['PARAMS']['in_value_' . $key] = $value;
$flags[] = ':in_value_' . $key;
} }
$return['QUERY'] .= ' IN(' . implode(', ', $flags) . ')'; $return['QUERY'] .= ' IN(' . implode(', ', $flags) . ')';
@ -191,6 +192,9 @@
$operator = '='; $operator = '=';
} }
//Protect against injection in fieldname
$true_fieldname = preg_replace('#[^a-zA-Z0-9_]#', '', $true_fieldname);
$query = '`' . $true_fieldname . '` ' . $operator . ' :where_' . $true_fieldname; $query = '`' . $true_fieldname . '` ' . $operator . ' :where_' . $true_fieldname;
$param = ['where_' . $true_fieldname => $value]; $param = ['where_' . $true_fieldname => $value];
@ -328,6 +332,7 @@
foreach ($datas as $label => $value) foreach ($datas as $label => $value)
{ {
$label = preg_replace('#[^a-zA-Z0-9_]#', '', $label);
$params['set_' . $label] = $value; $params['set_' . $label] = $value;
$sets[] = '`' . $label . '` = :set_' . $label . ' '; $sets[] = '`' . $label . '` = :set_' . $label . ' ';
} }
@ -381,6 +386,8 @@
foreach ($datas as $field_name => $value) foreach ($datas as $field_name => $value)
{ {
//Protect against injection in fieldname
$field_name = preg_replace('#[^a-zA-Z0-9_]#', '', $field_name);
$params[$field_name] = $value; $params[$field_name] = $value;
$field_names[] = $field_name; $field_names[] = $field_name;
} }
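Review bot: The new `preg_replace` on `$field_name` strips disallowed characters instead of rejecting the name, so an unexpected key is silently rewritten rather than refused — `a-b` and `ab` collapse to the same `$params` key on the next line and one value is lost, while `$field_names[]` still gets both, and a key made only of rejected characters becomes the empty string (in the `$label` hunk that is visibly emitted as `` `` = :set_ ``). The same strip-and-continue pattern is applied in the other three hunks to `$key`, `$true_fieldname` and `$label`, and in each case the sanitized name is still concatenated into the query text and into a placeholder name. I would fail closed instead: `if (!preg_match('#^[a-zA-Z0-9_]+$#', $field_name)) { throw new \InvalidArgumentException('Invalid field name: ' . $field_name); }`, and where the caller knows the table's columns, check the name against that list rather than relying on a character class alone. The enclosing function starts and ends outside the hunk, so I cannot see where `$datas` comes from or whether its keys are already validated upstream.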