From 9994f8c18ded6bfeb3232bc60194f49840b6977b Mon Sep 17 00:00:00 2001
From: Roland Rusch
Date: Wed, 19 Jul 2023 15:14:18 +0200
Subject: [PATCH 1/3] #12 Logfile::addLogFile() does not escape the given parameters

---
 www/pages/logfile.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/www/pages/logfile.php b/www/pages/logfile.php
index 67257c53..4fe1a54e 100644
--- a/www/pages/logfile.php
+++ b/www/pages/logfile.php
@@ -1,4 +1,4 @@
- +*/ +?> app->DB->real_escape_string(print_r($meldung, true)); }
+
+ // Quick fix
+ $dump = $this->app->DB->real_escape_string(print_r($dump, true));
+
 $this->app->DB->Insert(
 sprintf(
 "INSERT INTO logfile (module,action,meldung,dump,datum,bearbeiter,funktionsname)

From b02da95c2f100ace5c710b76d9b585217dbd0ce6 Mon Sep 17 00:00:00 2001
From: Roland Rusch
Date: Wed, 19 Jul 2023 15:18:04 +0200
Subject: [PATCH 2/3] #12 Logfile::addLogFile() does not escape the given parameters

---
 www/pages/logfile.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/www/pages/logfile.php b/www/pages/logfile.php
index 4fe1a54e..0271a4c1 100644
--- a/www/pages/logfile.php
+++ b/www/pages/logfile.php
@@ -254,11 +254,14 @@ class Logfile {
 }
 }
 if(is_array($meldung)) {
- $meldung = $this->app->DB->real_escape_string(print_r($meldung, true));
+ $meldung = print_r($meldung, true);
 }
 
- // Quick fix
- $dump = $this->app->DB->real_escape_string(print_r($dump, true));
+ $module = $this->app->DB->real_escape_string($module);
+ $action = $this->app->DB->real_escape_string($action);
+ $meldung = $this->app->DB->real_escape_string($meldung);
+ $dump = $this->app->DB->real_escape_string($dump);
+ $functionname = $this->app->DB->real_escape_string($functionname);
 
 $this->app->DB->Insert(
 sprintf(

From e6960f003064a9541c6a3ae8397e97e18345afb7 Mon Sep 17 00:00:00 2001
From: Roland Rusch
Date: Wed, 19 Jul 2023 15:31:09 +0200
Subject: [PATCH 3/3] #12 Logfile::addLogFile() does not escape the given parameters

---
 www/pages/logfile.php | 13 +++++-------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/www/pages/logfile.php b/www/pages/logfile.php
index 0271a4c1..1e47c4ff 100644
--- a/www/pages/logfile.php
+++ b/www/pages/logfile.php
@@ -253,15 +253,12 @@ class Logfile {
 }
 }
 }
- if(is_array($meldung)) {
- $meldung = print_r($meldung, true);
- }
 
- $module = $this->app->DB->real_escape_string($module);
- $action = $this->app->DB->real_escape_string($action);
- $meldung = $this->app->DB->real_escape_string($meldung);
- $dump = $this->app->DB->real_escape_string($dump);
- $functionname = $this->app->DB->real_escape_string($functionname);
+ $module = $this->app->DB->real_escape_string(is_scalar($module) ? strval($module) : print_r($module, true));
+ $action = $this->app->DB->real_escape_string(is_scalar($action) ? strval($action) : print_r($action, true));
+ $meldung = $this->app->DB->real_escape_string(is_scalar($meldung) ? strval($meldung) : print_r($meldung, true));
+ $dump = $this->app->DB->real_escape_string(is_scalar($dump) ? strval($dump) : print_r($dump, true));
+ $functionname = $this->app->DB->real_escape_string(is_scalar($functionname) ? strval($functionname) : print_r($functionname, true));
 
 $this->app->DB->Insert(
 sprintf(
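Review bot: The five `real_escape_string()` lines added in this hunk only make the sprintf-built INSERT on the last two visible lines safe if every `%s` placeholder in the format string is wrapped in single quotes, and that format string lies outside the hunk, so please confirm it (or switch the statement to a prepared/parameterised insert if the DB wrapper offers one) rather than relying on escaping alone. The new lines also overwrite the method's parameters in place, so any use of `$module`, `$meldung`, `$dump` etc. after the Insert call — the rest of `addLogFile()` is outside the hunk — would see the escaped text instead of the caller's value; assigning to fresh locals avoids that. The identical conversion repeated five times is easier to audit as one private helper, which also documents why the escaping exists:

```php
// … unchanged: preceding closing braces …
$module = $this->escapeLogValue($module);
$action = $this->escapeLogValue($action);
$meldung = $this->escapeLogValue($meldung);
$dump = $this->escapeLogValue($dump);
$functionname = $this->escapeLogValue($functionname);
// … unchanged: $this->app->DB->Insert(sprintf(...)) call …

/**
 * Render any value as text and escape it for use inside a single-quoted
 * literal of the logfile INSERT. Escaping is only sufficient when the
 * sprintf() format wraps the placeholder in quotes.
 *
 * @param mixed $value scalar, array, object or null
 */
private function escapeLogValue($value): string
{
    $text = is_scalar($value) ? strval($value) : print_r($value, true);

    return $this->app->DB->real_escape_string($text);
}
```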