From 97e3e4a7882a97f1c008ad53745d25b6293868ec Mon Sep 17 00:00:00 2001 From: grandeljay Date: Wed, 22 Jun 2022 21:19:01 +0200 Subject: [PATCH] Add sanitisation --- src/api/statistics.php | 4 ++- src/api/wishes.php | 27 +++++++------- src/api/wishlists-saved.php | 6 ++-- src/api/wishlists.php | 17 +++++---- src/classes/options.php | 7 ++-- src/classes/sanitiser.php | 70 +++++++++++++++++++++++++++++++++++++ src/pages/login-as.php | 2 +- src/pages/login.php | 8 ++--- src/pages/profile.php | 2 +- src/pages/register.php | 24 +++++++------ 10 files changed, 125 insertions(+), 42 deletions(-) create mode 100644 src/classes/sanitiser.php diff --git a/src/api/statistics.php b/src/api/statistics.php index c1d1ef54..03585a76 100644 --- a/src/api/statistics.php +++ b/src/api/statistics.php @@ -36,10 +36,12 @@ switch ($_SERVER['REQUEST_METHOD']) { $response['data'][$table] = $count->get(); } } else { + $table = Sanitiser::getTable($_GET['table']); + $count = $database ->query( 'SELECT COUNT(`id`) AS "count" - FROM `' . $_GET['table'] . '`;' + FROM `' . $table . '`;' ) ->fetch(); diff --git a/src/api/wishes.php b/src/api/wishes.php index 9f529b75..c42d4c60 100644 --- a/src/api/wishes.php +++ b/src/api/wishes.php 
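Review bot: `Sanitiser::getTable($_GET['table'])` is still spliced into the query as a raw identifier inside backticks, and a table name cannot be bound as a statement parameter, so character filtering cannot make this safe; the robust check is an allowlist of the tables this endpoint is meant to expose, e.g. `if (!in_array($table, ALLOWED_TABLES, true)) { /* reject */ }` where `ALLOWED_TABLES` is a placeholder for the same set the aggregate branch above already counts. The body of `Sanitiser::getTable` is not readable in this diff as rendered, so whether it already does that cannot be confirmed here. The new line also reads `$_GET['table']` with no `isset`, which the `else` branch's condition (outside the hunk) may or may not guarantee; `$_GET['table'] ?? ''` would make the failure mode explicit.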
@@ -59,11 +59,11 @@ switch ($_SERVER['REQUEST_METHOD']) { break; } - $wish_title = trim($_POST['wish_title']); - $wish_description = trim($_POST['wish_description']); - $wish_image = trim($_POST['wish_image']); - $wish_url = trim($_POST['wish_url']); - $wish_priority = isset($_POST['wish_priority']) && $_POST['wish_priority'] ? $_POST['wish_priority'] : 'NULL'; + $wish_title = Sanitiser::getTitle($_POST['wish_title']); + $wish_description = Sanitiser::getText($_POST['wish_description']); + $wish_image = Sanitiser::getURL($_POST['wish_image']); + $wish_url = Sanitiser::getURL($_POST['wish_url']); + $wish_priority = !empty(Sanitiser::getNumber($_POST['wish_priority'])) ? Sanitiser::getNumber($_POST['wish_priority']) : 'NULL'; $wish_is_purchasable = isset($_POST['wish_is_purchasable']) ? 'true' : 'false'; if (Wish::NO_IMAGE === $wish_image) { @@ -127,7 +127,7 @@ switch ($_SERVER['REQUEST_METHOD']) { */ $wish_price = empty($_POST['wish_price']) || 'false' === $wish_is_purchasable ? 'NULL' - : $_POST['wish_price']; + : Sanitiser::getNumber($_POST['wish_price']); $database ->query( @@ -207,7 +207,7 @@ switch ($_SERVER['REQUEST_METHOD']) { * Product */ $wish_id = $database->lastInsertId(); - $wish_price = floatval($_POST['wish_price']); + $wish_price = Sanitiser::getNumber($_POST['wish_price']); if ($wish_price > 0) { $database @@ -235,7 +235,8 @@ switch ($_SERVER['REQUEST_METHOD']) { /** * Update Wish Status */ - $status = $_PUT['wish_status']; + $status = Sanitiser::getStatus($_PUT['wish_status']); + $wish_id = Sanitiser::getNumber($_PUT['wish_id']); if (Wish::STATUS_TEMPORARY === $status) { $status = time(); @@ -243,8 +244,8 @@ switch ($_SERVER['REQUEST_METHOD']) { $database->query( 'UPDATE `wishes` - SET `status` = "' . $status . '" - WHERE `id` = ' . $_PUT['wish_id'] . ';' + SET `status` = "' . $status . '" + WHERE `id` = ' . $wish_id . ';' ); $response['success'] = true; 
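Review bot: In the `@@ -59` hunk the new `$wish_priority` line drops the `isset($_POST['wish_priority'])` guard the removed line had, so a request without that field now reads an undefined index and hands `null` to `Sanitiser::getNumber`, which will warn or throw depending on its signature; the sanitiser is also called twice on the same value. Compute it once with a default, `$wish_priority = Sanitiser::getNumber($_POST['wish_priority'] ?? '');` followed by `$wish_priority = !empty($wish_priority) ? $wish_priority : 'NULL';` (the default should match whatever type `getNumber` accepts, which this diff does not show). `$wish_image` is now compared against `Wish::NO_IMAGE` only after passing through `Sanitiser::getURL`, and likewise `$status` against `Wish::STATUS_TEMPORARY` after `getStatus` in the `@@ -235` hunk, so both comparisons hold only if the sanitiser returns those sentinels unchanged — worth confirming. The enclosing `switch` case starts before this hunk.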
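Review bot: Every query touched in this commit, starting with the `UPDATE wishes` in the `@@ -243` hunk (`SET status = "' . $status . '" WHERE id = ' . $wish_id`), still interpolates request values into SQL text, so correctness now rests entirely on what each `Sanitiser::get*` method strips, and the sanitiser class itself is not readable in this diff as rendered. Sanitisation is a reasonable defence-in-depth layer but not a substitute for bound parameters; if the `$database` wrapper exposes a prepare/bind API, numeric ids such as `$wish_id` and text columns such as `status`, `url`, `name` and `email` should be bound rather than concatenated. The same point applies to the hunks in `wishlists-saved.php`, `wishlists.php`, `options.php`, `login.php`, `profile.php` and `register.php`, and is not repeated there.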
@@ -254,8 +255,8 @@ switch ($_SERVER['REQUEST_METHOD']) { */ $database->query( 'UPDATE `wishes` - SET `url` = "' . $_PUT['wish_url_proposed'] . '" - WHERE `url` = "' . $_PUT['wish_url_current'] . '";' + SET `url` = "' . Sanitiser::getURL($_PUT['wish_url_proposed']) . '" + WHERE `url` = "' . Sanitiser::getURL($_PUT['wish_url_current']) . '";' ); $response['success'] = true; @@ -268,7 +269,7 @@ switch ($_SERVER['REQUEST_METHOD']) { if (isset($_DELETE['wish_id'])) { $database->query( 'DELETE FROM `wishes` - WHERE `id` = ' . $_DELETE['wish_id'] . ';' + WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wish_id']) . ';' ); } diff --git a/src/api/wishlists-saved.php b/src/api/wishlists-saved.php index 46170098..4d5778d1 100644 --- a/src/api/wishlists-saved.php +++ b/src/api/wishlists-saved.php @@ -26,7 +26,7 @@ switch ($_SERVER['REQUEST_METHOD']) { $wishlist = $database ->query('SELECT * FROM `wishlists_saved` - WHERE `wishlist` = ' . $_POST['wishlist'] . ' + WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . ' ;') ->fetch(); @@ -34,7 +34,7 @@ switch ($_SERVER['REQUEST_METHOD']) { /** Delete */ $database ->query('DELETE FROM `wishlists_saved` - WHERE `wishlist` = ' . $_POST['wishlist'] . ' + WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . ' ;'); $response['action'] = 'deleted'; @@ -46,7 +46,7 @@ switch ($_SERVER['REQUEST_METHOD']) { `wishlist` ) VALUES ( ' . $user->id . ', - ' . $_POST['wishlist'] . ' + ' . Sanitiser::getNumber($_POST['wishlist']) . ' ) ;'); diff --git a/src/api/wishlists.php b/src/api/wishlists.php index b0d344ff..a67c1a8e 100644 --- a/src/api/wishlists.php +++ b/src/api/wishlists.php 
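Review bot: In the `@@ -254` hunk of `wishes.php` the predicate is only `WHERE url = ...`, with no wish id or owner, so one PUT rewrites every wish that shares that URL across all users; sanitising the value does not change that, and unless the code above the hunk restricts the request to the caller's own wishes, the query should also constrain on the authenticated user or a wish id. In `wishlists-saved.php` the three hunks each call `Sanitiser::getNumber($_POST['wishlist'])` inline; resolve it once at the top of the POST branch, `$wishlist_id = Sanitiser::getNumber($_POST['wishlist']);`, and reuse it so the SELECT, DELETE and INSERT are guaranteed to act on the same value. The enclosing `switch` case of each of these hunks starts outside the hunk.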
@@ -21,15 +21,18 @@ switch ($_SERVER['REQUEST_METHOD']) { /** * Create */ + $user_id = Sanitiser::getNumber($_SESSION['user']['id']); + $wish_name = Sanitiser::getTitle($_POST['wishlist-name']); + $database->query('INSERT INTO `wishlists` ( `user`, `name`, `hash` ) VALUES ( - ' . $_SESSION['user']['id'] . ', - "' . $_POST['wishlist-name'] . '", - "' . sha1(time() . $_SESSION['user']['id'] . $_POST['wishlist-name']) . '" + ' . $user_id . ', + "' . $wish_name . '", + "' . sha1(time() . $user_id . $wish_name) . '" ) ;'); @@ -40,7 +43,7 @@ switch ($_SERVER['REQUEST_METHOD']) { /** * Request more wishes */ - $wishlistID = $_POST['wishlist-id']; + $wishlistID = Sanitiser::getNumber($_POST['wishlist-id']); /** Get last notification time */ $wishlistQuery = $database @@ -148,8 +151,8 @@ switch ($_SERVER['REQUEST_METHOD']) { $database ->query('UPDATE `wishlists` - SET `name` = "' . $_PUT['wishlist_title'] . '" - WHERE `id` = ' . $_PUT['wishlist_id'] . ' + SET `name` = "' . Sanitiser::getTitle($_PUT['wishlist_title']) . '" + WHERE `id` = ' . Sanitiser::getNumber($_PUT['wishlist_id']) . ' ;'); $response['success'] = true; @@ -159,7 +162,7 @@ switch ($_SERVER['REQUEST_METHOD']) { parse_str(file_get_contents("php://input"), $_DELETE); $database->query('DELETE FROM `wishlists` - WHERE `id` = ' . $_DELETE['wishlistID'] . ' + WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wishlistID']) . ' ;'); $response['success'] = true; diff --git a/src/classes/options.php b/src/classes/options.php index b8883f56..2185b4ec 100644 --- a/src/classes/options.php +++ b/src/classes/options.php @@ -28,12 +28,12 @@ class Options try { $option = $this->database->query( 'SELECT * FROM `options` - WHERE `key` = "' . $key . '";' + WHERE `key` = "' . Sanitiser::getOption($key) . '";' )->fetch(); $value = $option['value'] ?? ''; } catch (\Throwable $th) { - //throw $th; + throw $th; } return $value; 
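Review bot: In `options.php` the `@@ -28` hunk changes the catch block to `throw $th;`, which turns the `try`/`catch (\Throwable)` into a catch-and-rethrow with no added context — a no-op wrapper; either remove the `try`/`catch` and let the exception propagate, or add context, e.g. `throw new \RuntimeException('Failed to read option ' . $key, 0, $th);`. In `wishlists.php`'s `@@ -21` hunk, `Sanitiser::getNumber($_SESSION['user']['id'])` runs on a server-side session value, which is harmless but blurs where the trust boundary is, and the sanitised `$wish_name` is what gets persisted, so any transformation `getTitle` applies becomes the stored name. In the same hunk `sha1(time() . $user_id . $wish_name)` is derived entirely from guessable inputs; if that `hash` column is ever used as a sharing or access token, `bin2hex(random_bytes(20))` gives an unguessable value of the same length.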
@@ -41,6 +41,9 @@ class Options public function setOption(string $key, string $value): void { + $key = Sanitiser::getOption($key); + $value = Sanitiser::getText($value); + $optionExists = 0 !== $this->database ->query('SELECT * FROM `options` diff --git a/src/classes/sanitiser.php b/src/classes/sanitiser.php new file mode 100644 index 00000000..2e088c1e --- /dev/null +++ b/src/classes/sanitiser.php @@ -0,0 +1,70 @@ +query( diff --git a/src/pages/login.php b/src/pages/login.php index 99672c5e..80c8f080 100644 --- a/src/pages/login.php +++ b/src/pages/login.php @@ -14,7 +14,7 @@ $page = new Page(__FILE__, __('Login')); * Login */ if (isset($_POST['login'], $_POST['email'], $_POST['password'])) { - $email = $_POST['email']; + $email = Sanitiser::getEmail($_POST['email']); $password = User::generatePassword($_POST['password']); $database->query('UPDATE `users` @@ -54,7 +54,7 @@ if (isset($_POST['reset'], $_POST['email'])) { $user = $database ->query('SELECT * FROM `users` - WHERE `email` = "' . $_POST['email'] . '";') + WHERE `email` = "' . Sanitiser::getEmail($_POST['email']) . '";') ->fetch(); if ($user) { @@ -68,7 +68,7 @@ if (isset($_POST['reset'], $_POST['email'])) { WHERE `id` = ' . $user['id'] . ' ;'); - $emailReset = new Email($_POST['email'], __('Password reset link'), 'default', 'password-reset'); + $emailReset = new Email($user['email'], __('Password reset link'), 'default', 'password-reset'); $emailReset->setPlaceholder('TEXT_HELLO', __('Hello,')); $emailReset->setPlaceholder( 'TEXT_PASSWORD_RESET', @@ -84,7 +84,7 @@ if (isset($_POST['reset'], $_POST['email'])) { 'password-reset-link', $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . - Page::PAGE_REGISTER . '&password-reset=' . $_POST['email'] . '&token=' . $token + Page::PAGE_REGISTER . '&password-reset=' . $user['email'] . '&token=' . $token ); $emailReset->send(); diff --git a/src/pages/profile.php b/src/pages/profile.php index 2cd3ad0d..242573cd 100644 --- a/src/pages/profile.php 
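Review bot: The reset link in the `@@ -84` hunk of `login.php` appends `$user['email']` to the query string without URL encoding, so an address containing `+` or `&` yields a link whose `password-reset` parameter no longer equals the stored email once `register.php` parses it; use `'&password-reset=' . rawurlencode($user['email']) . '&token=' . $token`. Taking the recipient and link value from the stored row instead of the posted value is the right direction. The link's origin is still built from `$_SERVER['HTTP_HOST']` (a context line in the same hunk), which is client-controlled on many deployments, so a configured base URL would stop a forged Host header from steering reset links elsewhere. The `sanitiser.php` and `login-as.php` sections of this diff are garbled as rendered and are not reviewed here.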
+++ b/src/pages/profile.php @@ -108,7 +108,7 @@ if (isset($_POST['user-id'], $_POST['section'])) { $database ->query('UPDATE `users` SET ' . implode(',', $set) . ' - WHERE `id` = ' . $_POST['user-id']); + WHERE `id` = ' . Sanitiser::getNumber($_POST['user-id'])); } if ($loginRequired) { diff --git a/src/pages/register.php b/src/pages/register.php index 47a31523..692e8f98 100644 --- a/src/pages/register.php +++ b/src/pages/register.php @@ -16,16 +16,17 @@ $buttonSubmit = $passwordReset ? __('Reset') : __('Register'); $page = new Page(__FILE__, $pageTitle); if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { - $users = $database->query('SELECT * FROM `users`;')->fetchAll(); - $emails = array_map( + $users = $database->query('SELECT * FROM `users`;')->fetchAll(); + $emails = array_map( function ($user) { return $user['email']; }, $users ); + $user_email = Sanitiser::getEmail($_POST['email']); $isHuman = false; - $planet = strtolower($_POST['planet']); + $planet = Sanitiser::getTitle($_POST['planet']); $planetName = strtoupper($planet[0]) . substr($planet, 1); $planets = array( strtolower(__('Mercury')), @@ -57,14 +58,17 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { $userRegistered = false; if (isset($_GET['password-reset'], $_GET['token'])) { + $user_email = Sanitiser::getEmail($_GET['password-reset']); + $user_token = Sanitiser::getSHA1($_GET['token']); + /** * Password reset */ $user = $database ->query( 'SELECT * FROM `users` - WHERE `email` = "' . $_GET['password-reset'] . '" - AND `password_reset_token` = "' . $_GET['token'] . '";' + WHERE `email` = "' . $user_email . '" + AND `password_reset_token` = "' . $user_token . '";' ) ->fetch(); 
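Review bot: In `register.php`'s `@@ -16` hunk, `$planet = Sanitiser::getTitle($_POST['planet'])` replaces `strtolower($_POST['planet'])`, yet `$planets` is still built from `strtolower(__('Mercury'))` and the next line does `strtoupper($planet[0]) . substr($planet, 1)`, so unless `getTitle` lowercases its input the check against `$planets` (presumably just below, outside the hunk) will now reject correctly-cased answers such as "Earth"; keep the lowercasing with `$planet = strtolower(Sanitiser::getTitle($_POST['planet']));`. `$planet[0]` also warns on an empty string if `getTitle` can return one, since `!empty($_POST['planet'])` only guards the raw input. In `profile.php`'s `@@ -108` hunk the row updated is chosen by `$_POST['user-id']`; casting it to a number does not establish that the caller may edit that account, so if the code above the hunk does not compare it to the session user (or an admin check), that authorisation check is still missing. Both enclosing `if` blocks start outside their hunks.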
@@ -80,7 +84,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { ); $page->messages[] = Page::success( - 'Password has been successfully reset for ' . $_GET['password-reset'] . '.', + 'Password has been successfully reset for ' . $user_email . '.', 'Success' ); } else { @@ -101,7 +105,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { `password`, `power` ) VALUES ( - "' . $_POST['email'] . '", + "' . $user_email . '", "' . User::generatePassword($_POST['password']) . '", 100 ) @@ -109,7 +113,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { ); $userRegistered = true; } else { - if (in_array($_POST['email'], $emails)) { + if (in_array($user_email, $emails)) { $page->messages[] = Page::error( __('An account with this email address already exists.'), __('Invalid email address') @@ -121,7 +125,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { `email`, `password` ) VALUES ( - "' . $_POST['email'] . '", + "' . $user_email . '", "' . User::generatePassword($_POST['password']) . '" ) ;' @@ -138,7 +142,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { */ if ($userRegistered) { $userID = $database->lastInsertID(); - $wishlistName = __('My hopes and dreams'); + $wishlistName = Sanitiser::getTitle(__('My hopes and dreams')); $database ->query(
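Review bot: In the `@@ -109` hunk `in_array($user_email, $emails)` is a loose comparison; pass the strict flag so a sanitised address is matched only by an identical string: `if (in_array($user_email, $emails, true)) {`. That check still loads every `users` row (the `fetchAll()` in the `@@ -16` hunk) to test one address, and two concurrent registrations can both pass an in-memory check, so a `SELECT` filtered on the email plus a UNIQUE constraint on the column is the reliable guard. The `@@ -57` hunk matches the posted reset token in SQL with no visible expiry, so unless a timestamp check lives outside this diff, reset tokens remain valid indefinitely. The `@@ -138` hunk passes a translation string through `Sanitiser::getTitle`; it is not request input, and sanitising it only obscures where untrusted data actually enters.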