Merge pull request #160 from ComplementaryPogo/develop

Fix critical SQL injection vulnerabilities

Author: bbdoc

actions/channel_sync.php

@@ -5,14 +5,21 @@
 
 if (isset($_POST['sync'])) {
 
-    foreach ($_POST as $key => $value) {  
+    foreach ($_POST as $key => $value) {
       if (substr($key, 0, 7) == "target_") {
 	      $target = ltrim($key, 'target_');
 	      $target_fields = explode("|", $target);
 	      $target_db=$target_fields[0];
 	      $target_id=$target_fields[1];
 	      $target_id=str_replace("_com", ".com", $target_id);
 
+              // Database names cannot be parameterized in prepared statements (they are identifiers, not values)
+              // so we use a whitelist to validate the database name before using string interpolation
+              $allowed_dbs = explode(",", $dbname);
+              if (!in_array($target_db, $allowed_dbs)) {
+                  die("Invalid database");
+              }
+
               // Delete All Previous Trackings
 	      $stmt = $conn->prepare("DELETE FROM ".$target_db.".monsters WHERE id = ?");
 	      $rs = $stmt->bind_param("s", $target_id);

actions/set_language.php

@@ -11,8 +11,10 @@
 
 // Update Language in DB
 
-$sql = "UPDATE humans set language  = '".$_GET['lng']."'  WHERE id = '" . $_SESSION['id'] . "'"; 
-$result = $conn->query($sql) or die(mysqli_error($conn));
+$stmt = $conn->prepare("UPDATE humans SET language = ? WHERE id = ?");
+$stmt->bind_param("ss", $_GET['lng'], $_SESSION['id']);
+$stmt->execute() or die(mysqli_error($conn));
+$stmt->close();
 
 header("Location: $redirect_url");
 

actions/set_location.php

@@ -10,16 +10,26 @@
   $lat = "0.0000000000";
   $lon = "0.0000000000";
 
-  $sql = "UPDATE monsters set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
-  $result = $conn->query($sql);
-  $sql = "UPDATE raid set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
-  $result = $conn->query($sql);
-  $sql = "UPDATE egg set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
-  $result = $conn->query($sql);
-  $sql = "UPDATE quest set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
-  $result = $conn->query($sql);
-  $sql = "UPDATE invasion set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
-  $result = $conn->query($sql);
+  $stmt = $conn->prepare("UPDATE monsters set distance = 0 WHERE id = ? AND profile_no = ?");
+  $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
+  $stmt->execute();
+  $stmt->close();
+  $stmt = $conn->prepare("UPDATE raid set distance = 0 WHERE id = ? AND profile_no = ?");
+  $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
+  $stmt->execute();
+  $stmt->close();
+  $stmt = $conn->prepare("UPDATE egg set distance = 0 WHERE id = ? AND profile_no = ?");
+  $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
+  $stmt->execute();
+  $stmt->close();
+  $stmt = $conn->prepare("UPDATE quest set distance = 0 WHERE id = ? AND profile_no = ?");
+  $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
+  $stmt->execute();
+  $stmt->close();
+  $stmt = $conn->prepare("UPDATE invasion set distance = 0 WHERE id = ? AND profile_no = ?");
+  $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
+  $stmt->execute();
+  $stmt->close();
 
 } else if ( isset($_GET['lat']) &&  isset($_GET['lon']) ) {
 

actions/switch_profile.php

@@ -11,23 +11,23 @@
 	  $_SESSION['profile'] = $_POST['profile'];
   }
 
-  if ( isset($_POST['activate']) ) { 
-
-	  $sql = "SELECT area, latitude, longitude from profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_POST['profile']."'";
-          $result = $conn->query($sql); 
-	  while ($row = $result->fetch_assoc()) { 
-		  $area = $row['area']; 
-		  $latitude = $row['latitude']; 
-		  $longitude = $row['longitude']; 
+  if ( isset($_POST['activate']) ) {
+
+	  $stmt = $conn->prepare("SELECT area, latitude, longitude from profiles WHERE id = ? AND profile_no = ?");
+	  $stmt->bind_param("si", $_SESSION['id'], $_POST['profile']);
+	  $stmt->execute();
+	  $result = $stmt->get_result();
+	  while ($row = $result->fetch_assoc()) {
+		  $area = $row['area'];
+		  $latitude = $row['latitude'];
+		  $longitude = $row['longitude'];
 	  }
+	  $stmt->close();
 
-	  $sql = "UPDATE humans 
-		  SET area = '".$area."', 
-		      latitude = '".$latitude."', 
-		      longitude = '".$longitude."', 
-                      current_profile_no = '".$_POST['profile']."'
-		   WHERE id = '" . $_SESSION['id'] . "'";
-          $result = $conn->query($sql);
+	  $stmt = $conn->prepare("UPDATE humans SET area = ?, latitude = ?, longitude = ?, current_profile_no = ? WHERE id = ?");
+	  $stmt->bind_param("ssdis", $area, $latitude, $longitude, $_POST['profile'], $_SESSION['id']);
+	  $stmt->execute();
+	  $stmt->close();
 	  header("Location: $redirect_url?type=display&page=profiles&return=success_switch_profile_activate");
 
 
@@ -41,27 +41,32 @@
 
 	  // Get Next Profile Number
           #$sql = "SELECT IFNULL(max(profile_no),0)+1 next_profile from profiles WHERE id = '" . $_SESSION['id'] . "'";
-	  $sql = "SELECT MIN(t1.profile_no + 1) AS nextID
-                  FROM (select profile_no from profiles  WHERE id = '".$_SESSION['id']."' UNION select 0 profile_no) t1
-                  LEFT JOIN (select profile_no from profiles  WHERE id = '".$_SESSION['id']."' UNION select 0 profile_no) t2
+	  $stmt = $conn->prepare("SELECT MIN(t1.profile_no + 1) AS nextID
+                  FROM (select profile_no from profiles  WHERE id = ? UNION select 0 profile_no) t1
+                  LEFT JOIN (select profile_no from profiles  WHERE id = ? UNION select 0 profile_no) t2
                   ON t1.profile_no + 1 = t2.profile_no
-                  WHERE t2.profile_no IS NULL";
-
-	  $result = $conn->query($sql);
+                  WHERE t2.profile_no IS NULL");
+	  $stmt->bind_param("ss", $_SESSION['id'], $_SESSION['id']);
+	  $stmt->execute();
+	  $result = $stmt->get_result();
 	  while ($row = $result->fetch_assoc()) {
 		  $next_profile = $row['nextID'];
 	  }
+	  $stmt->close();
 
 	  if ( $next_profile == 1 ) {
              // Get Info on currently active Profile
-             $sql = "SELECT area, latitude, longitude from humans WHERE id = '" . $_SESSION['id'] . "'";
-             $result = $conn->query($sql);
+             $stmt = $conn->prepare("SELECT area, latitude, longitude from humans WHERE id = ?");
+	     $stmt->bind_param("s", $_SESSION['id']);
+	     $stmt->execute();
+             $result = $stmt->get_result();
              while ($row = $result->fetch_assoc()) {
                   $area = $row['area'];
                   $latitude = $row['latitude'];
 		  $longitude = $row['longitude'];
 		  $_SESSION['profile_name'] = $_POST['profile_name'];
              }
+	     $stmt->close();
 	  } else {
 		  $area = "[]";
 		  $latitude = "0.0000000000";
@@ -153,26 +158,32 @@
 
           // Change Active Profile if Deleting Active one
 
-          $sql = "select current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'";
-          $result = $conn->query($sql);
+          $stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?");
+          $stmt->bind_param("s", $_SESSION['id']);
+          $stmt->execute();
+          $result = $stmt->get_result();
           while ($row = $result->fetch_assoc()) {
              $current_profile = $row['current_profile_no'];
           }
+          $stmt->close();
 
           if ( $current_profile == $_SESSION['profile'])  {
-                  $sql = "UPDATE humans set current_profile_no =
-                          (select IFNULL(min(profile_no),1) from profiles where id = '".$_SESSION['id']."')
-			  WHERE id = '" . $_SESSION['id'] . "'";
-                  $result = $conn->query($sql); 
+                  $stmt = $conn->prepare("UPDATE humans set current_profile_no = (select IFNULL(min(profile_no),1) from profiles where id = ?) WHERE id = ?");
+                  $stmt->bind_param("ss", $_SESSION['id'], $_SESSION['id']);
+                  $stmt->execute();
+                  $stmt->close();
           }
 
 	  // Check for smaller Profiles and redirect
 
-          $sql = "select IFNULL(min(profile_no),1) min from profiles WHERE id = '" . $_SESSION['id'] . "'";
-	  $result = $conn->query($sql);
+          $stmt = $conn->prepare("SELECT IFNULL(min(profile_no),1) min from profiles WHERE id = ?");
+          $stmt->bind_param("s", $_SESSION['id']);
+          $stmt->execute();
+          $result = $stmt->get_result();
           while ($row = $result->fetch_assoc()) {
              $_SESSION['profile'] = $row['min'];
           }
+          $stmt->close();
 
           header("Location: $redirect_url?type=display&page=profiles&return=success_delete_profile");
 

admin_connect.php

@@ -46,8 +46,10 @@
 }
 
 $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $_SESSION['dbname']);
-$sql = "select id, name, type, notes FROM humans WHERE id = '".$search_id."'"; 
-$result = $conn->query($sql);
+$stmt = $conn->prepare("SELECT id, name, type, notes FROM humans WHERE id = ?");
+$stmt->bind_param("s", $search_id);
+$stmt->execute();
+$result = $stmt->get_result();
 
 if ($result->num_rows == 0) {
 	header("Location: $redirect_url?return=user_not_found");
@@ -60,6 +62,7 @@
         $_SESSION['type']=$row['type'];
         $_SESSION['notes']=$row['notes'];
 }
+$stmt->close();
 
 // Get Config Items from API and Store in Session Variables
 
@@ -108,11 +111,14 @@
 
 // Switch to active Profile
 
-$sql = "SELECT current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'";
-$result = $conn->query($sql);
+$stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?");
+$stmt->bind_param("s", $_SESSION['id']);
+$stmt->execute();
+$result = $stmt->get_result();
 while ($row = $result->fetch_assoc()) {
     $_SESSION['profile'] = $row['current_profile_no'];
 }
+$stmt->close();
 
 header("Location: $redirect_url");
 

admin_sync.php

@@ -94,8 +94,10 @@
                     foreach ($dbnames as &$db) {
 
                        $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db);
-                       $sql = "select id, name, type FROM humans WHERE type like 'discord:channel' AND id <> '".$_SESSION['id']."' ORDER by name";
-                       $result = $conn->query($sql);
+                       $stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type like 'discord:channel' AND id <> ? ORDER by name");
+                       $stmt->bind_param("s", $_SESSION['id']);
+                       $stmt->execute();
+                       $result = $stmt->get_result();
                        ?>
 
                     <?php if ($result->num_rows <> 0) { ?>
@@ -145,8 +147,10 @@
                     foreach ($dbnames as &$db) {
 
                        $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db);
-      		       $sql = "select id, name, type FROM humans WHERE type in ('telegram:channel','telegram:group') AND id <> '".$_SESSION['id']."' ORDER by name";
-                       $result = $conn->query($sql);
+      		       $stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type in ('telegram:channel','telegram:group') AND id <> ? ORDER by name");
+                       $stmt->bind_param("s", $_SESSION['id']);
+                       $stmt->execute();
+                       $result = $stmt->get_result();
                        ?>
 
                     <?php if ($result->num_rows <> 0) { ?>
@@ -196,8 +200,10 @@
                     foreach ($dbnames as &$db) {
 
                        $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db);
-                       $sql = "select id, name, type FROM humans WHERE type like 'webhook' AND id <> '".$_SESSION['id']."' ORDER by name";
-                       $result = $conn->query($sql);
+                       $stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type like 'webhook' AND id <> ? ORDER by name");
+                       $stmt->bind_param("s", $_SESSION['id']);
+                       $stmt->execute();
+                       $result = $stmt->get_result();
                        ?>
 
                     <?php if ($result->num_rows <> 0) { ?>