4811: Multiple vulnerabilities fixed as listed on the tracker.
authorHarris Wong <hwong@ocad.ca>
Tue, 27 Sep 2011 20:32:14 +0000 (20:32 -0000)
committerHarris Wong <hwong@ocad.ca>
Tue, 27 Sep 2011 20:32:14 +0000 (20:32 -0000)
docs/include/classes/DAO/LanguagesDAO.class.php
docs/include/classes/DAO/MyownPatchesDAO.class.php
docs/include/classes/DAO/OAuthServerConsumersDAO.class.php
docs/include/classes/DAO/OAuthServerTokensDAO.class.php
docs/include/classes/DAO/UsersDAO.class.php
docs/search.php

index 74be470..4662771 100644 (file)
@@ -88,8 +88,8 @@ class LanguagesDAO extends DAO {
                if ($fieldValue == '') return false;
                
                $sql = "UPDATE ".TABLE_PREFIX."languages 
-                          SET ".$fieldName."='".$addslashes($fieldValue)."'
-                        WHERE language_code = '".$langCode."'";
+                          SET ".$addslashes($fieldName)."='".$addslashes($fieldValue)."'
+                        WHERE language_code = '".$addslashes($langCode)."'";
                return $this->execute($sql);
        }
 
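Review bot: Wrapping `$fieldName` in `$addslashes()` on the `SET` line does not make it safe, because the value is used as a column identifier outside any quotes, where string escaping has no effect on what the identifier position accepts. The column name should be checked against a fixed list of updatable columns before the query is built, for example `if (!in_array($fieldName, $allowedFields, true)) return false;`, where `$allowedFields` is a placeholder for a list this class would define. The same construct is added in the MyownPatchesDAO and UsersDAO hunks. The enclosing method starts above this hunk, so an existing check on `$fieldName` cannot be ruled out from here.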
index 093f5d9..4fa9112 100644 (file)
@@ -104,7 +104,7 @@ class MyownPatchesDAO extends DAO {
                        return array(_AT('TR_ERROR_EMPTY_FIELD'));
 
                $sql = "UPDATE ".TABLE_PREFIX."myown_patches 
-                          SET ".$fieldName."='".$addslashes($fieldValue)."'
+                          SET ".$addslashes($fieldName)."='".$addslashes($fieldValue)."'
                         WHERE myown_patch_id = ".$myownPatchID;
                
                return $this->execute($sql);
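Review bot: `$myownPatchID` is still concatenated unquoted into the `WHERE` clause, while the equivalent value in the UsersDAO hunk of this commit is now passed through `intval()`. Unless it is validated earlier in the method, which starts outside this hunk, the line should read `WHERE myown_patch_id = ".intval($myownPatchID);`.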
index a7d5ccc..a8d7dee 100644 (file)
@@ -164,7 +164,8 @@ class OAuthServerConsumersDAO extends DAO {
        */
        function getByConsumer($consumer)
        {
-           $sql = "SELECT * FROM ".TABLE_PREFIX."oauth_server_consumers WHERE consumer='".$consumer."'";
+           global $addslashes;
+           $sql = "SELECT * FROM ".TABLE_PREFIX."oauth_server_consumers WHERE consumer='".$addslashes($consumer)."'";
            return $this->execute($sql);
        }
 
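Review bot: The escaping added in `getByConsumer` depends on a global variable `$addslashes` holding a callable whose definition is not part of this diff, and nothing here checks that it is set or what it does. If that callable is ever configured as a pass-through (for instance when request data is assumed to be escaped already), `$consumer` would reach the query unchanged. A comment above the `global $addslashes;` line, such as `// $addslashes must be a real SQL string escaper; $consumer is not guaranteed to be pre-escaped`, would make the assumption explicit. The same applies to the two OAuthServerTokensDAO hunks.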
index 1b9ae96..2187ed6 100644 (file)
@@ -89,9 +89,10 @@ class OAuthServerTokensDAO extends DAO {
        */
        function updateUserIDByToken($token, $user_id)
        {
+           global $addslashes;
            $sql = "UPDATE ".TABLE_PREFIX."oauth_server_tokens 
                       SET user_id = ".$user_id."
-                    WHERE token = '".$token."'";
+                    WHERE token = '".$addslashes($token)."'";
            return $this->execute($sql);
        }
 
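Review bot: `$user_id` on the `SET user_id = ` line is still concatenated into the statement unquoted and uncast, so the hunk escapes `$token` but leaves the numeric operand unvalidated. Casting it, `SET user_id = ".intval($user_id)."`, would match what this commit does for `$userID` in UsersDAO.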
@@ -150,9 +151,10 @@ class OAuthServerTokensDAO extends DAO {
        */
        function getByTokenAndType($token, $token_type)
        {
+           global $addslashes;
            $sql = "SELECT * FROM ".TABLE_PREFIX."oauth_server_tokens 
-                    WHERE token = '".$token."'
-                      AND token_type = '".$token_type."'";
+                    WHERE token = '".$addslashes($token)."'
+                      AND token_type = '".$addslashes($token_type)."'";
            return $this->execute($sql);
        }
 
index f646ec0..b159ee6 100644 (file)
@@ -252,8 +252,8 @@ class UsersDAO extends DAO {
                }
                                                
                $sql = "UPDATE ".TABLE_PREFIX."users 
-                          SET ".$fieldName."='".$addslashes($fieldValue)."'
-                        WHERE user_id = ".$userID;
+                          SET ".$addslashes($fieldName)."='".$addslashes($fieldValue)."'
+                        WHERE user_id = ".intval($userID);
                
                return $this->execute($sql);
        }
index e960985..05e0cc0 100644 (file)
@@ -63,10 +63,10 @@ if (is_array($errors))
 }\r
 \r
 $coursesDAO = new CoursesDAO();\r
-$results = $coursesDAO->getSearchResult($keywords, '', $start, $maxResults);\r
+$results = $coursesDAO->getSearchResult($addslashes($keywords), '', $start, $maxResults);\r
 \r
 // get total number of search results regardless of $maxResults\r
-$all_results = $coursesDAO->getSearchResult($keywords);\r
+$all_results = $coursesDAO->getSearchResult($addslashes($keywords));\r
 if (is_array($all_results)) $total_num = count($all_results);\r
 else $total_num = 0;\r
 \r
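Review bot: Escaping `$keywords` at the two call sites in search.php, rather than inside `CoursesDAO::getSearchResult()`, leaves any other caller of that method unprotected. It would also double-escape the value if the method already escapes its argument; its body is not shown in this diff. Moving the `$addslashes()` call into the DAO, as the other files in this commit do, keeps the escaping next to the query it protects and avoids escaping the same value twice here.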