From 35509d5644f23eb109bf41b496de730d24103da3 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Mon, 18 Nov 2013 15:30:13 -0500
Subject: [PATCH] Better variable quoting in sql queries.

---
 interface/lib/classes/tform.inc.php |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php
index 40736a3..2f5c08d 100644
--- a/interface/lib/classes/tform.inc.php
+++ b/interface/lib/classes/tform.inc.php
@@ -1048,6 +1048,8 @@
 	function getSQL($record, $tab, $action = 'INSERT', $primary_id = 0, $sql_ext_where = '') {
 
 		global $app;
+		
+		$primary_id = $app->functions->intval($primary_id);
 
 		// If there are no data records on the tab, return empty sql string
 		if(count($this->formDef['tabs'][$tab]['fields']) == 0) return '';
@@ -1272,6 +1274,7 @@
 	function getDataRecord($primary_id) {
 		global $app;
 		$escape = '`';
+		$primary_id = $app->functions->intval($primary_id);
 		$sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$this->formDef['db_table_idx']." = ".$primary_id." AND ".$this->getAuthSQL('r', $this->formDef['db_table']);
 		return $app->db->queryOneRecord($sql);
 	}
@@ -1285,6 +1288,11 @@
 	}
 
 	function getAuthSQL($perm, $table = '') {
+		global $app;
+		
+		$perm = $app->db->quote($perm);
+		$table = $app->db->quote($table);
+		
 		if($_SESSION["s"]["user"]["typ"] == 'admin') {
 			return '1';
 		} else {
@@ -1309,6 +1317,7 @@
 	function checkPerm($record_id, $perm) {
 		global $app;
 
+		$record_id = $app->functions->intval($record_id);
 		if($record_id > 0) {
 			// Add backticks for incomplete table names.
 			if(stristr($this->formDef['db_table'], '.')) {
@@ -1403,7 +1412,7 @@
 		if($limit_name == '') $app->error('Limit name missing in function checkClientLimit.');
 
 		// Get the limits of the client that is currently logged in
-		$client_group_id = $_SESSION["s"]["user"]["default_group"];
+		$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 		$client = $app->db->queryOneRecord("SELECT $limit_name as number, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
 
 		// Check if the user may add another item
@@ -1425,7 +1434,7 @@
 		if($limit_name == '') $app->error('Limit name missing in function checkClientLimit.');
 
 		// Get the limits of the client that is currently logged in
-		$client_group_id = $_SESSION["s"]["user"]["default_group"];
+		$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 		$client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
 
 		//* If the client belongs to a reseller, we will check against the reseller Limit too

--
Gitblit v1.9.1