Changeset 4304


Ignore:
Timestamp:
11/18/09 21:07:20 (10 years ago)
Author:
Eric
Message:

Escape all login and username characters in database
Display correctly usernames

(I hope not to have made mistakes)

Location:
trunk
Files:
19 edited

Legend:

Unmodified
Added
Removed
  • trunk/admin/comments.php

    r3452 r4304  
    161161  else 
    162162  { 
    163     $author_name = $row['username']; 
     163    $author_name = stripslashes($row['username']); 
    164164  } 
    165165  $template->append( 
  • trunk/admin/history.php

    r4265 r4304  
    260260    while ($row = mysql_fetch_assoc($result)) 
    261261    { 
    262       $username_of[$row['id']] = $row['username']; 
     262      $username_of[$row['id']] = stripslashes($row['username']); 
    263263    } 
    264264  } 
  • trunk/admin/include/c13y_internal.class.php

    r4265 r4304  
    196196              array( 
    197197                'id'       => $id, 
    198                 'username' => $name, 
     198                'username' => addslashes($name), 
    199199                'password' => $password 
    200200                ), 
  • trunk/admin/include/functions.php

    r4265 r4304  
    21132113  } 
    21142114 
    2115   return $username; 
     2115  return stripslashes($username); 
    21162116} 
    21172117 
  • trunk/admin/include/functions_notification_by_mail.inc.php

    r4265 r4304  
    289289 
    290290  $env_nbm['sent_mail_count'] += 1; 
    291   array_push($page['infos'], sprintf($env_nbm['msg_info'], $nbm_user['username'], $nbm_user['mail_address'])); 
     291  array_push($page['infos'], sprintf($env_nbm['msg_info'], stripslashes($nbm_user['username']), $nbm_user['mail_address'])); 
    292292} 
    293293 
     
    302302 
    303303  $env_nbm['error_on_mail_count'] += 1; 
    304   array_push($page['errors'], sprintf($env_nbm['msg_error'], $nbm_user['username'], $nbm_user['mail_address'])); 
     304  array_push($page['errors'], sprintf($env_nbm['msg_error'], stripslashes($nbm_user['username']), $nbm_user['mail_address'])); 
    305305} 
    306306 
     
    339339    array 
    340340    ( 
    341       'USERNAME' => $nbm_user['username'], 
     341      'USERNAME' => stripslashes($nbm_user['username']), 
    342342 
    343343      'SEND_AS_NAME' => $env_nbm['send_as_name'], 
     
    428428        if (pwg_mail 
    429429            ( 
    430               format_email($nbm_user['username'], $nbm_user['mail_address']), 
     430              format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']), 
    431431              array 
    432432              ( 
     
    466466        ); 
    467467        $updated_data_count += 1; 
    468         array_push($page['infos'], sprintf($msg_info, $nbm_user['username'], $nbm_user['mail_address'])); 
     468        array_push($page['infos'], sprintf($msg_info, stripslashes($nbm_user['username']), $nbm_user['mail_address'])); 
    469469      } 
    470470      else 
    471471      { 
    472472        $error_on_updated_data_count += 1; 
    473         array_push($page['errors'], sprintf($msg_error, $nbm_user['username'], $nbm_user['mail_address'])); 
     473        array_push($page['errors'], sprintf($msg_error, stripslashes($nbm_user['username']), $nbm_user['mail_address'])); 
    474474      } 
    475475 
  • trunk/admin/notification_by_mail.php

    r4265 r4304  
    176176        sprintf( 
    177177          l10n('nbm_user_x_added'), 
    178           $nbm_user['username'], 
     178          stripslashes($nbm_user['username']), 
    179179          get_email_address_as_display_text($nbm_user['mail_address']) 
    180180        ) 
     
    389389              if (pwg_mail 
    390390                  ( 
    391                     format_email($nbm_user['username'], $nbm_user['mail_address']), 
     391                    format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']), 
    392392                    array 
    393393                    ( 
     
    666666      if (get_boolean($nbm_user['enabled'])) 
    667667      { 
    668         $opt_true[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']'; 
     668        $opt_true[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']'; 
    669669        if ((isset($_POST['falsify']) and isset($_POST['cat_true']) and in_array($nbm_user['check_key'], $_POST['cat_true']))) 
    670670        { 
     
    674674      else 
    675675      { 
    676         $opt_false[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']'; 
     676        $opt_false[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']'; 
    677677        if (isset($_POST['trueify']) and isset($_POST['cat_false']) and in_array($nbm_user['check_key'], $_POST['cat_false'])) 
    678678        { 
     
    719719                              !in_array($nbm_user['check_key'], $_POST['send_selection']) // not selected 
    720720                            )   ? '' : 'checked="checked"', 
    721               'USERNAME'=> $nbm_user['username'], 
     721              'USERNAME'=> stripslashes($nbm_user['username']), 
    722722              'EMAIL' => get_email_address_as_display_text($nbm_user['mail_address']), 
    723723              'LAST_SEND'=> $nbm_user['last_send'] 
  • trunk/admin/rating.php

    r4265 r4304  
    9797while ($row = mysql_fetch_assoc($result)) 
    9898{ 
    99   $users[$row['id']]=$row['username']; 
     99  $users[$row['id']]=stripslashes($row['username']); 
    100100} 
    101101 
  • trunk/admin/upload.php

    r4265 r4304  
    178178      'PREVIEW_URL_IMG'=>$preview_url, 
    179179      'UPLOAD_EMAIL'=>get_email_address_as_display_text($row['mail_address']), 
    180       'UPLOAD_USERNAME'=>$row['username'] 
     180      'UPLOAD_USERNAME'=>stripslashes($row['username']) 
    181181    ); 
    182182 
  • trunk/admin/user_list.php

    r4265 r4304  
    703703      'U_PROFILE' => $profile_url.$local_user['id'], 
    704704      'U_PERM' => $perm_url.$local_user['id'], 
    705       'USERNAME' => $local_user['username'] 
     705      'USERNAME' => stripslashes($local_user['username']) 
    706706        .($local_user['id'] == $conf['guest_id'] 
    707707          ? '<br>['.l10n('is_the_guest').']' : '') 
  • trunk/feed.php

    r3282 r4304  
    107107$rss->encoding=get_pwg_charset(); 
    108108$rss->title = $conf['gallery_title']; 
    109 $rss->title.= ' (as '.$user['username'].')'; 
     109$rss->title.= ' (as '.stripslashes($user['username']).')'; 
    110110 
    111111$rss->link = $conf['gallery_url']; 
  • trunk/include/functions_comment.inc.php

    r3600 r4304  
    100100SELECT COUNT(*) AS user_exists 
    101101  FROM '.USERS_TABLE.' 
    102   WHERE '.$conf['user_fields']['username']." = '".$comm['author']."'"; 
     102  WHERE '.$conf['user_fields']['username']." = '".addslashes($comm['author'])."'"; 
    103103      $row = mysql_fetch_assoc( pwg_query( $query ) ); 
    104104      if ( $row['user_exists'] == 1 ) 
  • trunk/include/functions_mail.inc.php

    r4265 r4304  
    365365    $keyargs_content_admin_info = array 
    366366    ( 
    367       get_l10n_args('Connected user: %s', $user['username']), 
     367      get_l10n_args('Connected user: %s', stripslashes($user['username'])), 
    368368      get_l10n_args('IP: %s', $_SERVER['REMOTE_ADDR']), 
    369369      get_l10n_args('Browser: %s', $_SERVER['HTTP_USER_AGENT']) 
     
    484484          if (!empty($row['mail_address'])) 
    485485          { 
    486             array_push($Bcc, format_email($row['username'], $row['mail_address'])); 
     486            array_push($Bcc, format_email(stripslashes($row['username']), $row['mail_address'])); 
    487487          } 
    488488        } 
     
    795795    if ( mkgetdir( $dir,  MKGETDIR_DEFAULT&~MKGETDIR_DIE_ON_ERROR) ) 
    796796    { 
    797       $filename = $dir.'/mail.'.$user['username'].'.'.$lang_info['code'].'.'.$args['template'].'.'.$args['theme']; 
     797      $filename = $dir.'/mail.'.stripslashes($user['username']).'.'.$lang_info['code'].'.'.$args['template'].'.'.$args['theme']; 
    798798      if ($args['content_format'] == 'text/plain') 
    799799      { 
  • trunk/include/functions_user.inc.php

    r4265 r4304  
    171171      $keyargs_content = array 
    172172      ( 
    173         get_l10n_args('User: %s', $login), 
     173        get_l10n_args('User: %s', stripslashes($login)), 
    174174        get_l10n_args('Email: %s', $_POST['mail_address']), 
    175175        get_l10n_args('', ''), 
     
    179179      pwg_mail_notification_admins 
    180180      ( 
    181         get_l10n_args('Registration of %s', $login), 
     181        get_l10n_args('Registration of %s', stripslashes($login)), 
    182182        $keyargs_content 
    183183      ); 
     
    934934  { 
    935935    $row = mysql_fetch_assoc($result); 
    936     $username = $row['username']; 
    937     $data = $time.$row['username'].$row['password']; 
     936    $username = stripslashes($row['username']); 
     937    $data = $time.stripslashes($row['username']).$row['password']; 
    938938    $key = base64_encode( 
    939939      pack('H*', sha1($data)) 
     
    10191019      { 
    10201020        log_user($cookie[0], true); 
    1021         trigger_action('login_success', $username); 
     1021        trigger_action('login_success', stripslashes($username)); 
    10221022        return true; 
    10231023      } 
     
    10401040       '.$conf['user_fields']['password'].' AS password 
    10411041  FROM '.USERS_TABLE.' 
    1042   WHERE '.$conf['user_fields']['username'].' = \''.$username.'\' 
     1042  WHERE '.$conf['user_fields']['username'].' = \''.mysql_real_escape_string($username).'\' 
    10431043;'; 
    10441044  $row = mysql_fetch_assoc(pwg_query($query)); 
     
    10461046  { 
    10471047    log_user($row['id'], $remember_me); 
    1048     trigger_action('login_success', $username); 
     1048    trigger_action('login_success', stripslashes($username)); 
    10491049    return true; 
    10501050  } 
    1051   trigger_action('login_failure', $username); 
     1051  trigger_action('login_failure', stripslashes($username)); 
    10521052  return false; 
    10531053} 
  • trunk/include/menubar.inc.php

    r3282 r4304  
    282282  else 
    283283  { 
    284     $template->assign('USERNAME', $user['username']); 
     284    $template->assign('USERNAME', stripslashes($user['username'])); 
    285285    if (is_autorize_status(ACCESS_CLASSIC)) 
    286286    { 
  • trunk/include/picture_comment.inc.php

    r4265 r4304  
    4747 
    4848  $comm = array( 
    49     'author' => trim(@$_POST['author']), 
    50     'content' => trim($_POST['content']), 
     49    'author' => trim( stripslashes(@$_POST['author']) ), 
     50    'content' => trim( stripslashes($_POST['content']) ), 
    5151    'image_id' => $page['image_id'], 
    5252   ); 
     
    153153      else 
    154154      { 
    155         $author = $row['username']; 
     155        $author = stripslashes($row['username']); 
    156156      } 
    157157 
  • trunk/include/ws_functions.inc.php

    r3720 r4304  
    524524 
    525525  $comm = array( 
    526     'author' => trim($params['author']), 
    527     'content' => trim($params['content']), 
     526    'author' => trim( stripslashes($params['author']) ), 
     527    'content' => trim( stripslashes($params['content']) ), 
    528528    'image_id' => $params['image_id'], 
    529529   ); 
     
    701701      ) 
    702702  { 
    703     $comment_post_data['author'] = $user['username']; 
     703    $comment_post_data['author'] = stripslashes($user['username']); 
    704704    $comment_post_data['key'] = get_comment_post_key($params['image_id']); 
    705705  } 
     
    12551255  global $user; 
    12561256  $res = array(); 
    1257   $res['username'] = is_a_guest() ? 'guest' : $user['username']; 
     1257  $res['username'] = is_a_guest() ? 'guest' : stripslashes($user['username']); 
    12581258  foreach ( array('status', 'template', 'theme', 'language') as $k ) 
    12591259  { 
  • trunk/password.php

    r4265 r4304  
    8585 
    8686        $infos = 
    87           l10n('Username').': '.$row['username'] 
     87          l10n('Username').': '.stripslashes($row['username']) 
    8888          ."\n".l10n('Password').': '.$new_password 
    8989          ; 
  • trunk/profile.php

    r4014 r4304  
    244244  $template->assign( 
    245245    array( 
    246       'USERNAME'=>$userdata['username'], 
     246      'USERNAME'=>stripslashes($userdata['username']), 
    247247      'EMAIL'=>get_email_address_as_display_text(@$userdata['email']), 
    248248      'NB_IMAGE_LINE'=>$userdata['nb_image_line'], 
  • trunk/upload.php

    r4265 r4304  
    361361  array( 
    362362    'ADVISE_TITLE' => $advise_title, 
    363     'NAME' => $username, 
     363    'NAME' => stripslashes($username), 
    364364    'EMAIL' => $mail_address, 
    365365    'NAME_IMG' => $name, 
    366     'AUTHOR_IMG' => $author, 
     366    'AUTHOR_IMG' => stripslashes($author), 
    367367    'DATE_IMG' => $date_creation, 
    368368    'COMMENT_IMG' => $comment, 
Note: See TracChangeset for help on using the changeset viewer.