Changeset 4304


Ignore:
Timestamp:
Nov 18, 2009, 9:07:20 PM (14 years ago)
Author:
Eric
Message:

Escape all login and username characters in database
Display correctly usernames

(I hope not to have made mistakes)

Location:
trunk
Files:
19 edited

Legend:

Unmodified
Added
Removed
  • trunk/admin/comments.php

    r3452 r4304  
    161161  else
    162162  {
    163     $author_name = $row['username'];
     163    $author_name = stripslashes($row['username']);
    164164  }
    165165  $template->append(
  • trunk/admin/history.php

    r4265 r4304  
    260260    while ($row = mysql_fetch_assoc($result))
    261261    {
    262       $username_of[$row['id']] = $row['username'];
     262      $username_of[$row['id']] = stripslashes($row['username']);
    263263    }
    264264  }
  • trunk/admin/include/c13y_internal.class.php

    r4265 r4304  
    196196              array(
    197197                'id'       => $id,
    198                 'username' => $name,
     198                'username' => addslashes($name),
    199199                'password' => $password
    200200                ),
  • trunk/admin/include/functions.php

    r4265 r4304  
    21132113  }
    21142114
    2115   return $username;
     2115  return stripslashes($username);
    21162116}
    21172117
  • trunk/admin/include/functions_notification_by_mail.inc.php

    r4265 r4304  
    289289
    290290  $env_nbm['sent_mail_count'] += 1;
    291   array_push($page['infos'], sprintf($env_nbm['msg_info'], $nbm_user['username'], $nbm_user['mail_address']));
     291  array_push($page['infos'], sprintf($env_nbm['msg_info'], stripslashes($nbm_user['username']), $nbm_user['mail_address']));
    292292}
    293293
     
    302302
    303303  $env_nbm['error_on_mail_count'] += 1;
    304   array_push($page['errors'], sprintf($env_nbm['msg_error'], $nbm_user['username'], $nbm_user['mail_address']));
     304  array_push($page['errors'], sprintf($env_nbm['msg_error'], stripslashes($nbm_user['username']), $nbm_user['mail_address']));
    305305}
    306306
     
    339339    array
    340340    (
    341       'USERNAME' => $nbm_user['username'],
     341      'USERNAME' => stripslashes($nbm_user['username']),
    342342
    343343      'SEND_AS_NAME' => $env_nbm['send_as_name'],
     
    428428        if (pwg_mail
    429429            (
    430               format_email($nbm_user['username'], $nbm_user['mail_address']),
     430              format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']),
    431431              array
    432432              (
     
    466466        );
    467467        $updated_data_count += 1;
    468         array_push($page['infos'], sprintf($msg_info, $nbm_user['username'], $nbm_user['mail_address']));
     468        array_push($page['infos'], sprintf($msg_info, stripslashes($nbm_user['username']), $nbm_user['mail_address']));
    469469      }
    470470      else
    471471      {
    472472        $error_on_updated_data_count += 1;
    473         array_push($page['errors'], sprintf($msg_error, $nbm_user['username'], $nbm_user['mail_address']));
     473        array_push($page['errors'], sprintf($msg_error, stripslashes($nbm_user['username']), $nbm_user['mail_address']));
    474474      }
    475475
  • trunk/admin/notification_by_mail.php

    r4265 r4304  
    176176        sprintf(
    177177          l10n('nbm_user_x_added'),
    178           $nbm_user['username'],
     178          stripslashes($nbm_user['username']),
    179179          get_email_address_as_display_text($nbm_user['mail_address'])
    180180        )
     
    389389              if (pwg_mail
    390390                  (
    391                     format_email($nbm_user['username'], $nbm_user['mail_address']),
     391                    format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']),
    392392                    array
    393393                    (
     
    666666      if (get_boolean($nbm_user['enabled']))
    667667      {
    668         $opt_true[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
     668        $opt_true[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
    669669        if ((isset($_POST['falsify']) and isset($_POST['cat_true']) and in_array($nbm_user['check_key'], $_POST['cat_true'])))
    670670        {
     
    674674      else
    675675      {
    676         $opt_false[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
     676        $opt_false[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
    677677        if (isset($_POST['trueify']) and isset($_POST['cat_false']) and in_array($nbm_user['check_key'], $_POST['cat_false']))
    678678        {
     
    719719                              !in_array($nbm_user['check_key'], $_POST['send_selection']) // not selected
    720720                            )   ? '' : 'checked="checked"',
    721               'USERNAME'=> $nbm_user['username'],
     721              'USERNAME'=> stripslashes($nbm_user['username']),
    722722              'EMAIL' => get_email_address_as_display_text($nbm_user['mail_address']),
    723723              'LAST_SEND'=> $nbm_user['last_send']
  • trunk/admin/rating.php

    r4265 r4304  
    9797while ($row = mysql_fetch_assoc($result))
    9898{
    99   $users[$row['id']]=$row['username'];
     99  $users[$row['id']]=stripslashes($row['username']);
    100100}
    101101
  • trunk/admin/upload.php

    r4265 r4304  
    178178      'PREVIEW_URL_IMG'=>$preview_url,
    179179      'UPLOAD_EMAIL'=>get_email_address_as_display_text($row['mail_address']),
    180       'UPLOAD_USERNAME'=>$row['username']
     180      'UPLOAD_USERNAME'=>stripslashes($row['username'])
    181181    );
    182182
  • trunk/admin/user_list.php

    r4265 r4304  
    703703      'U_PROFILE' => $profile_url.$local_user['id'],
    704704      'U_PERM' => $perm_url.$local_user['id'],
    705       'USERNAME' => $local_user['username']
     705      'USERNAME' => stripslashes($local_user['username'])
    706706        .($local_user['id'] == $conf['guest_id']
    707707          ? '<br>['.l10n('is_the_guest').']' : '')
  • trunk/feed.php

    r3282 r4304  
    107107$rss->encoding=get_pwg_charset();
    108108$rss->title = $conf['gallery_title'];
    109 $rss->title.= ' (as '.$user['username'].')';
     109$rss->title.= ' (as '.stripslashes($user['username']).')';
    110110
    111111$rss->link = $conf['gallery_url'];
  • trunk/include/functions_comment.inc.php

    r3600 r4304  
    100100SELECT COUNT(*) AS user_exists
    101101  FROM '.USERS_TABLE.'
    102   WHERE '.$conf['user_fields']['username']." = '".$comm['author']."'";
     102  WHERE '.$conf['user_fields']['username']." = '".addslashes($comm['author'])."'";
    103103      $row = mysql_fetch_assoc( pwg_query( $query ) );
    104104      if ( $row['user_exists'] == 1 )
  • trunk/include/functions_mail.inc.php

    r4265 r4304  
    365365    $keyargs_content_admin_info = array
    366366    (
    367       get_l10n_args('Connected user: %s', $user['username']),
     367      get_l10n_args('Connected user: %s', stripslashes($user['username'])),
    368368      get_l10n_args('IP: %s', $_SERVER['REMOTE_ADDR']),
    369369      get_l10n_args('Browser: %s', $_SERVER['HTTP_USER_AGENT'])
     
    484484          if (!empty($row['mail_address']))
    485485          {
    486             array_push($Bcc, format_email($row['username'], $row['mail_address']));
     486            array_push($Bcc, format_email(stripslashes($row['username']), $row['mail_address']));
    487487          }
    488488        }
     
    795795    if ( mkgetdir( $dir,  MKGETDIR_DEFAULT&~MKGETDIR_DIE_ON_ERROR) )
    796796    {
    797       $filename = $dir.'/mail.'.$user['username'].'.'.$lang_info['code'].'.'.$args['template'].'.'.$args['theme'];
     797      $filename = $dir.'/mail.'.stripslashes($user['username']).'.'.$lang_info['code'].'.'.$args['template'].'.'.$args['theme'];
    798798      if ($args['content_format'] == 'text/plain')
    799799      {
  • trunk/include/functions_user.inc.php

    r4265 r4304  
    171171      $keyargs_content = array
    172172      (
    173         get_l10n_args('User: %s', $login),
     173        get_l10n_args('User: %s', stripslashes($login)),
    174174        get_l10n_args('Email: %s', $_POST['mail_address']),
    175175        get_l10n_args('', ''),
     
    179179      pwg_mail_notification_admins
    180180      (
    181         get_l10n_args('Registration of %s', $login),
     181        get_l10n_args('Registration of %s', stripslashes($login)),
    182182        $keyargs_content
    183183      );
     
    934934  {
    935935    $row = mysql_fetch_assoc($result);
    936     $username = $row['username'];
    937     $data = $time.$row['username'].$row['password'];
     936    $username = stripslashes($row['username']);
     937    $data = $time.stripslashes($row['username']).$row['password'];
    938938    $key = base64_encode(
    939939      pack('H*', sha1($data))
     
    10191019      {
    10201020        log_user($cookie[0], true);
    1021         trigger_action('login_success', $username);
     1021        trigger_action('login_success', stripslashes($username));
    10221022        return true;
    10231023      }
     
    10401040       '.$conf['user_fields']['password'].' AS password
    10411041  FROM '.USERS_TABLE.'
    1042   WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
     1042  WHERE '.$conf['user_fields']['username'].' = \''.mysql_real_escape_string($username).'\'
    10431043;';
    10441044  $row = mysql_fetch_assoc(pwg_query($query));
     
    10461046  {
    10471047    log_user($row['id'], $remember_me);
    1048     trigger_action('login_success', $username);
     1048    trigger_action('login_success', stripslashes($username));
    10491049    return true;
    10501050  }
    1051   trigger_action('login_failure', $username);
     1051  trigger_action('login_failure', stripslashes($username));
    10521052  return false;
    10531053}
  • trunk/include/menubar.inc.php

    r3282 r4304  
    282282  else
    283283  {
    284     $template->assign('USERNAME', $user['username']);
     284    $template->assign('USERNAME', stripslashes($user['username']));
    285285    if (is_autorize_status(ACCESS_CLASSIC))
    286286    {
  • trunk/include/picture_comment.inc.php

    r4265 r4304  
    4747
    4848  $comm = array(
    49     'author' => trim(@$_POST['author']),
    50     'content' => trim($_POST['content']),
     49    'author' => trim( stripslashes(@$_POST['author']) ),
     50    'content' => trim( stripslashes($_POST['content']) ),
    5151    'image_id' => $page['image_id'],
    5252   );
     
    153153      else
    154154      {
    155         $author = $row['username'];
     155        $author = stripslashes($row['username']);
    156156      }
    157157
  • trunk/include/ws_functions.inc.php

    r3720 r4304  
    524524
    525525  $comm = array(
    526     'author' => trim($params['author']),
    527     'content' => trim($params['content']),
     526    'author' => trim( stripslashes($params['author']) ),
     527    'content' => trim( stripslashes($params['content']) ),
    528528    'image_id' => $params['image_id'],
    529529   );
     
    701701      )
    702702  {
    703     $comment_post_data['author'] = $user['username'];
     703    $comment_post_data['author'] = stripslashes($user['username']);
    704704    $comment_post_data['key'] = get_comment_post_key($params['image_id']);
    705705  }
     
    12551255  global $user;
    12561256  $res = array();
    1257   $res['username'] = is_a_guest() ? 'guest' : $user['username'];
     1257  $res['username'] = is_a_guest() ? 'guest' : stripslashes($user['username']);
    12581258  foreach ( array('status', 'template', 'theme', 'language') as $k )
    12591259  {
  • trunk/password.php

    r4265 r4304  
    8585
    8686        $infos =
    87           l10n('Username').': '.$row['username']
     87          l10n('Username').': '.stripslashes($row['username'])
    8888          ."\n".l10n('Password').': '.$new_password
    8989          ;
  • trunk/profile.php

    r4014 r4304  
    244244  $template->assign(
    245245    array(
    246       'USERNAME'=>$userdata['username'],
     246      'USERNAME'=>stripslashes($userdata['username']),
    247247      'EMAIL'=>get_email_address_as_display_text(@$userdata['email']),
    248248      'NB_IMAGE_LINE'=>$userdata['nb_image_line'],
  • trunk/upload.php

    r4265 r4304  
    361361  array(
    362362    'ADVISE_TITLE' => $advise_title,
    363     'NAME' => $username,
     363    'NAME' => stripslashes($username),
    364364    'EMAIL' => $mail_address,
    365365    'NAME_IMG' => $name,
    366     'AUTHOR_IMG' => $author,
     366    'AUTHOR_IMG' => stripslashes($author),
    367367    'DATE_IMG' => $date_creation,
    368368    'COMMENT_IMG' => $comment,
Note: See TracChangeset for help on using the changeset viewer.