source: trunk/admin/picture_modify.php @ 28678

Revision 28678, 11.7 KB checked in by plg, 5 years ago (diff)

bug 3089: prevent SQL injection on photo edition

  • Property svn:eol-style set to LF
Line 
1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based photo gallery                                    |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2014 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
24if(!defined("PHPWG_ROOT_PATH"))
25{
26  die('Hacking attempt!');
27}
28
29include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
30
31// +-----------------------------------------------------------------------+
32// | Check Access and exit when user status is not ok                      |
33// +-----------------------------------------------------------------------+
34check_status(ACCESS_ADMINISTRATOR);
35
36check_input_parameter('image_id', $_GET, false, PATTERN_ID);
37check_input_parameter('cat_id', $_GET, false, PATTERN_ID);
38
39// represent
40$query = '
41SELECT id
42  FROM '.CATEGORIES_TABLE.'
43  WHERE representative_picture_id = '.$_GET['image_id'].'
44;';
45$represented_albums = query2array($query, null, 'id');
46
47// +-----------------------------------------------------------------------+
48// |                             delete photo                              |
49// +-----------------------------------------------------------------------+
50
51if (isset($_GET['delete']))
52{
53  check_pwg_token();
54
55  delete_elements(array($_GET['image_id']), true);
56  invalidate_user_cache();
57
58  // where to redirect the user now?
59  //
60  // 1. if a category is available in the URL, use it
61  // 2. else use the first reachable linked category
62  // 3. redirect to gallery root
63
64  if (isset($_GET['cat_id']) and !empty($_GET['cat_id']))
65  {
66    redirect(
67      make_index_url(
68        array(
69          'category' => get_cat_info($_GET['cat_id'])
70          )
71        )
72      );
73  }
74
75  $query = '
76SELECT category_id
77  FROM '.IMAGE_CATEGORY_TABLE.'
78  WHERE image_id = '.$_GET['image_id'].'
79;';
80
81  $authorizeds = array_diff(
82    array_from_query($query, 'category_id'),
83    explode(',', calculate_permissions($user['id'], $user['status']))
84    );
85
86  foreach ($authorizeds as $category_id)
87  {
88    redirect(
89      make_index_url(
90        array(
91          'category' => get_cat_info($category_id)
92          )
93        )
94      );
95  }
96
97  redirect(make_index_url());
98}
99
100// +-----------------------------------------------------------------------+
101// |                          synchronize metadata                         |
102// +-----------------------------------------------------------------------+
103
104if (isset($_GET['sync_metadata']))
105{
106  sync_metadata(array( intval($_GET['image_id'])));
107  $page['infos'][] = l10n('Metadata synchronized from file');
108}
109
110//--------------------------------------------------------- update informations
111if (isset($_POST['submit']))
112{
113  $data = array();
114  $data['id'] = $_GET['image_id'];
115  $data['name'] = $_POST['name'];
116  $data['author'] = $_POST['author'];
117  $data['level'] = $_POST['level'];
118
119  if ($conf['allow_html_descriptions'])
120  {
121    $data['comment'] = @$_POST['description'];
122  }
123  else
124  {
125    $data['comment'] = strip_tags(@$_POST['description']);
126  }
127
128  if (!empty($_POST['date_creation']))
129  {
130    $data['date_creation'] = $_POST['date_creation'];
131  }
132  else
133  {
134    $data['date_creation'] = null;
135  }
136
137  $data = trigger_change('picture_modify_before_update', $data);
138 
139  single_update(
140    IMAGES_TABLE,
141    $data,
142    array('id' => $data['id'])
143    );
144
145  // time to deal with tags
146  $tag_ids = array();
147  if (!empty($_POST['tags']))
148  {
149    $tag_ids = get_tag_ids($_POST['tags']);
150  }
151  set_tags($tag_ids, $_GET['image_id']);
152
153  // association to albums
154  if (!isset($_POST['associate']))
155  {
156    $_POST['associate'] = array();
157  }
158  check_input_parameter('associate', $_POST, true, PATTERN_ID);
159  move_images_to_categories(array($_GET['image_id']), $_POST['associate']);
160
161  invalidate_user_cache();
162
163  // thumbnail for albums
164  if (!isset($_POST['represent']))
165  {
166    $_POST['represent'] = array();
167  }
168  check_input_parameter('represent', $_POST, true, PATTERN_ID);
169
170  $no_longer_thumbnail_for = array_diff($represented_albums, $_POST['represent']);
171  if (count($no_longer_thumbnail_for) > 0)
172  {
173    set_random_representant($no_longer_thumbnail_for);
174  }
175
176  $new_thumbnail_for = array_diff($_POST['represent'], $represented_albums);
177  if (count($new_thumbnail_for) > 0)
178  {
179    $query = '
180UPDATE '.CATEGORIES_TABLE.'
181  SET representative_picture_id = '.$_GET['image_id'].'
182  WHERE id IN ('.implode(',', $new_thumbnail_for).')
183;';
184    pwg_query($query);
185  }
186
187  $represented_albums = $_POST['represent'];
188
189  $page['infos'][] = l10n('Photo informations updated');
190}
191
192// tags
193$query = '
194SELECT
195    id,
196    name
197  FROM '.IMAGE_TAG_TABLE.' AS it
198    JOIN '.TAGS_TABLE.' AS t ON t.id = it.tag_id
199  WHERE image_id = '.$_GET['image_id'].'
200;';
201$tag_selection = get_taglist($query);
202
203// retrieving direct information about picture
204$query = '
205SELECT *
206  FROM '.IMAGES_TABLE.'
207  WHERE id = '.$_GET['image_id'].'
208;';
209$row = pwg_db_fetch_assoc(pwg_query($query));
210
211$storage_category_id = null;
212if (!empty($row['storage_category_id']))
213{
214  $storage_category_id = $row['storage_category_id'];
215}
216
217$image_file = $row['file'];
218
219// +-----------------------------------------------------------------------+
220// |                             template init                             |
221// +-----------------------------------------------------------------------+
222
223$template->set_filenames(
224  array(
225    'picture_modify' => 'picture_modify.tpl'
226    )
227  );
228
229$admin_url_start = $admin_photo_base_url.'-properties';
230$admin_url_start.= isset($_GET['cat_id']) ? '&amp;cat_id='.$_GET['cat_id'] : '';
231
232$template->assign(
233  array(
234    'tag_selection' => $tag_selection,
235    'U_SYNC' => $admin_url_start.'&amp;sync_metadata=1',
236    'U_DELETE' => $admin_url_start.'&amp;delete=1&amp;pwg_token='.get_pwg_token(),
237
238    'PATH'=>$row['path'],
239
240    'TN_SRC' => DerivativeImage::thumb_url($row),
241
242    'NAME' =>
243      isset($_POST['name']) ?
244        stripslashes($_POST['name']) : @$row['name'],
245
246    'TITLE' => render_element_name($row),
247
248    'DIMENSIONS' => @$row['width'].' * '.@$row['height'],
249
250    'FILESIZE' => @$row['filesize'].' KB',
251
252    'REGISTRATION_DATE' => format_date($row['date_available']),
253
254    'AUTHOR' => htmlspecialchars(
255      isset($_POST['author'])
256        ? stripslashes($_POST['author'])
257        : @$row['author']
258      ),
259
260    'DATE_CREATION' => $row['date_creation'],
261
262    'DESCRIPTION' =>
263      htmlspecialchars( isset($_POST['description']) ?
264        stripslashes($_POST['description']) : @$row['comment'] ),
265
266    'F_ACTION' =>
267        get_root_url().'admin.php'
268        .get_query_string_diff(array('sync_metadata'))
269    )
270  );
271
272$added_by = 'N/A';
273$query = '
274SELECT '.$conf['user_fields']['username'].' AS username
275  FROM '.USERS_TABLE.'
276  WHERE '.$conf['user_fields']['id'].' = '.$row['added_by'].'
277;';
278$result = pwg_query($query);
279while ($user_row = pwg_db_fetch_assoc($result))
280{
281  $row['added_by'] = $user_row['username'];
282}
283
284$intro_vars = array(
285  'file' => l10n('Original file : %s', $row['file']),
286  'add_date' => l10n('Posted %s on %s', time_since($row['date_available'], 'year'), format_date($row['date_available'], false, false)),
287  'added_by' => l10n('Added by %s', $row['added_by']),
288  'size' => $row['width'].'&times;'.$row['height'].' pixels, '.sprintf('%.2f', $row['filesize']/1024).'MB',
289  'stats' => l10n('Visited %d times', $row['hit']),
290  'id' => l10n('Numeric identifier : %d', $row['id']),
291  );
292
293if ($conf['rate'] and !empty($row['rating_score']))
294{
295  $query = '
296SELECT
297    COUNT(*)
298  FROM '.RATE_TABLE.'
299  WHERE element_id = '.$_GET['image_id'].'
300;';
301  list($row['nb_rates']) = pwg_db_fetch_row(pwg_query($query));
302
303  $intro_vars['stats'].= ', '.sprintf(l10n('Rated %d times, score : %.2f'), $row['nb_rates'], $row['rating_score']);
304}
305
306$template->assign('INTRO', $intro_vars);
307
308
309if (in_array(get_extension($row['path']),$conf['picture_ext']))
310{
311  $template->assign('U_COI', get_root_url().'admin.php?page=picture_coi&amp;image_id='.$_GET['image_id']);
312}
313
314// image level options
315$selected_level = isset($_POST['level']) ? $_POST['level'] : $row['level'];
316$template->assign(
317    array(
318      'level_options'=> get_privacy_level_options(),
319      'level_options_selected' => array($selected_level)
320    )
321  );
322
323// categories
324$query = '
325SELECT category_id, uppercats
326  FROM '.IMAGE_CATEGORY_TABLE.' AS ic
327    INNER JOIN '.CATEGORIES_TABLE.' AS c
328      ON c.id = ic.category_id
329  WHERE image_id = '.$_GET['image_id'].'
330;';
331$result = pwg_query($query);
332
333while ($row = pwg_db_fetch_assoc($result))
334{
335  $name =
336    get_cat_display_name_cache(
337      $row['uppercats'],
338      get_root_url().'admin.php?page=album-'
339      );
340
341  if ($row['category_id'] == $storage_category_id)
342  {
343    $template->assign('STORAGE_CATEGORY', $name);
344  }
345  else
346  {
347    $template->append('related_categories', $name);
348  }
349}
350
351// jump to link
352//
353// 1. find all linked categories that are reachable for the current user.
354// 2. if a category is available in the URL, use it if reachable
355// 3. if URL category not available or reachable, use the first reachable
356//    linked category
357// 4. if no category reachable, no jumpto link
358
359$query = '
360SELECT category_id
361  FROM '.IMAGE_CATEGORY_TABLE.'
362  WHERE image_id = '.$_GET['image_id'].'
363;';
364
365$authorizeds = array_diff(
366  array_from_query($query, 'category_id'),
367  explode(
368    ',',
369    calculate_permissions($user['id'], $user['status'])
370    )
371  );
372
373if (isset($_GET['cat_id'])
374    and in_array($_GET['cat_id'], $authorizeds))
375{
376  $url_img = make_picture_url(
377    array(
378      'image_id' => $_GET['image_id'],
379      'image_file' => $image_file,
380      'category' => $cache['cat_names'][ $_GET['cat_id'] ],
381      )
382    );
383}
384else
385{
386  foreach ($authorizeds as $category)
387  {
388    $url_img = make_picture_url(
389      array(
390        'image_id' => $_GET['image_id'],
391        'image_file' => $image_file,
392        'category' => $cache['cat_names'][ $category ],
393        )
394      );
395    break;
396  }
397}
398
399if (isset($url_img))
400{
401  $template->assign( 'U_JUMPTO', $url_img );
402}
403
404// associate to albums
405$query = '
406SELECT id
407  FROM '.CATEGORIES_TABLE.'
408    INNER JOIN '.IMAGE_CATEGORY_TABLE.' ON id = category_id
409  WHERE image_id = '.$_GET['image_id'].'
410;';
411$associated_albums = query2array($query, null, 'id');
412
413$template->assign(array(
414  'associated_albums' => $associated_albums,
415  'represented_albums' => $represented_albums,
416  'STORAGE_ALBUM' => $storage_category_id,
417  'CACHE_KEYS' => get_admin_client_cache_keys(array('tags', 'categories')),
418  ));
419
420trigger_notify('loc_end_picture_modify');
421
422//----------------------------------------------------------- sending html code
423
424$template->assign_var_from_handle('ADMIN_CONTENT', 'picture_modify');
425?>
Note: See TracBrowser for help on using the repository browser.