Fix SQL injection vulnerability in DB deletion

[sql-web.git] / lib / security.lib.php

diff --git a/lib/security.lib.php b/lib/security.lib.php
index 0b7c384da06da09ec7a4860dd72c5b40037de23f..1ac28492f3d6fd8dc6f6be2e6026da3cf24e4e86 100644 (file)
--- a/lib/security.lib.php
+++ b/lib/security.lib.php
@@ -12,9 +12,9 @@ class Login {
                if (empty($u)) return;
                $this->u = $u;
                $this->p = $p;
-               if (is_numeric($u)) {
+               if (is_null($p)) {
                        $this->id = $u;
-                       $opt = sprintf(" Username = '%s' OR UserId = '%s'", mysql_escape_string($u), mysql_escape_string($u));
+                       $opt = sprintf(" UserId = '%s'", mysql_escape_string($u));
                } else {
                        $opt = sprintf(" Username = '%s'", mysql_escape_string($u));
                        $opt .= (is_null($p)?'':sprintf(" AND Password='%s'", mysql_escape_string(base64_encode($p))));
@@ -58,13 +58,6 @@ class Login {
     function expire() {
         $this->info = null;
     }
-    function refresh() {
-               if (!empty($this->id)) {
-                       $this->Login($this->id);
-               } else {
-                       $this->Login($this->u,$this->p);
-               }
-    }
     function update($name=null,$email=null) {
         if (!$this->exists()) return;
         $arr = array();
@@ -73,7 +66,7 @@ class Login {
         is_null($name) || $arr['Name'] = $name;
         is_null($email) || $arr['Email'] = $email;
                $upd = buildSQLSet($arr);
-        $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
+        $sql = sprintf("UPDATE User SET %s WHERE UserId = '%s'",
                         $upd, mysql_escape_string($this->getUserId()));
                if (!empty($upd) && $upd != 'SET')
                        DBUpdate($sql);
@@ -126,6 +119,9 @@ class User {
     function isOverQuota() {
         return $this->exists()?($this->info['bOverQuota']>0?true:false):'';
     }
+    function getDBQuotaHard() {
+        return $this->exists()?$this->info['nDatabasesHard']:0;
+    }
     function getBytes() {
         if($this->exists()) {
                        $arr['nBytes'] = $this->info['nBytes'];
@@ -136,7 +132,7 @@ class User {
     }
        function setPassword($pwd) {
                $arr['Password'] = base64_encode($pwd);
-        $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
+        $sql = sprintf("UPDATE User SET %s WHERE UserId = '%s'",
                         buildSQLSet($arr), mysql_escape_string($this->getUserId()));
         DBUpdate($sql);
                $sql = sprintf('SET PASSWORD FOR \'%s\'@\'%%\'=PASSWORD(\'%s\')',
@@ -149,7 +145,7 @@ class User {
                $arr['Password'] = base64_encode($pwd);
                $arr['bEnabled'] = 1;
                $arr['dSignup'] = 'NOW()';
-        $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
+        $sql = sprintf("UPDATE User SET %s WHERE UserId = '%s'",
                         buildSQLSet($arr), mysql_escape_string($this->getUserId()));
         DBUpdate($sql);
 
@@ -278,7 +274,7 @@ function getSSLCert() {
         $email = trim($fu[1]);
     } else {
         $name = isset($_SERVER['SSL_CLIENT_S_DN_CN'])?$_SERVER['SSL_CLIENT_S_DN_CN']:null;
-        $email = isset($_SERVER['SSL_CLIENT_S_DN_Email'])?$_SERVER['SSL_CLIENT_S_DN_Email']:null;
+        $email = isset($_SERVER['REMOTE_USER'])?$_SERVER['REMOTE_USER']:null;
     }
     if (!is_null($email)) {
         $user = explode('@',$email);
@@ -289,26 +285,31 @@ function getSSLCert() {
        }
 }
 
+function getUsernameID($username) {
+       $sql = sprintf("SELECT UserId FROM User USE INDEX (UsernameID) WHERE Username = '%s'", mysql_escape_string($username));
+       $r = fetchRows(DBSelect($sql), 'UserId');
+       $r = array_shift($r);
+       return count($r)?$r['UserId']:null;
+}
+
 ## 302 REDIRECTS
 
 function redirect($target=null,$secure=null) {
-    $base = (is_null($target)||substr($target,0,1)=='?')?$_SERVER['REDIRECT_URL']:(dirname($_SERVER['REDIRECT_URL']).'/');
+    $base = (is_null($target)||substr($target,0,1)=='?')?URI:((strlen(dirname(URI))>1?dirname(URI).'/':'/'));
     redirectFull(is_null($target)?$base:($base.$target),$secure);
 }
 function redirectStart() {
        redirectFull(BASE_URL,null);
 }
 function redirectFull($target,$secure) {
-       //redirect2((((isSSL()&&is_null($secure))||$secure==true)?'https://':'http://').$_SERVER['SERVER_NAME'].$target);
-       redirect2((((isSSL()&&is_null($secure))||$secure==true)?'https://scripts-cert.mit.edu':'http://scripts.mit.edu').$target);
+       redirect2((((isSSL()&&is_null($secure))||$secure==true)?BASE_HTTPS:BASE_HTTP).$target);
 }
 function redirect2($target) {
        header('Location: '.$target);
        exit;
 }
 function flipSSL() {
-       //return (isSSL()?'http://':'https://').$_SERVER['SERVER_NAME'].$_SERVER['REDIRECT_URL'];
-       return (isSSL()?'http://scripts.mit.edu':'https://scripts-cert.mit.edu').$_SERVER['REDIRECT_URL'];
+       return (isSSL()?BASE_HTTP:BASE_HTTPS).URI;
 }
 
 ## USER SCRIPTS
@@ -358,7 +359,7 @@ function addDB($dbname,$userid) {
                } else {
                        return false;
                }
-               $sql = sprintf("UPDATE DB %s WHERE DB.DatabaseId = '%s'",
+               $sql = sprintf("UPDATE DB SET %s WHERE DB.DatabaseId = '%s'",
                                                buildSQLSet($arr),
                                                $DBId);
                DBUpdate($sql);
@@ -389,9 +390,9 @@ function delDB($dbname) {
        DBCreate(sprintf('DROP DATABASE `%s`', mysql_escape_string($dbname)));
 
        $arr['bEnabled'] = 0;
-       $sql = sprintf("UPDATE DB %s WHERE DB.Name = '%s'",
+       $sql = sprintf("UPDATE DB SET %s WHERE DB.Name = '%s'",
                                        buildSQLSet($arr),
-                                       $dbname);
+                                       mysql_escape_string($dbname));
        DBUpdate($sql);
 
        return true;