* Add an sql_xlat function
* Add a nas administration page for sql based clients
* Fix small bugs in accounting.php3 and user_stats.php3. Add nas_admin.php3 to the buttons page
-
-TODO: Check out the sql queries in lin/sql for sql injection.
+* Add da_sql_escape_string for all relevant variables in lib/sql files
Ver 1.68:
* Huge PostgreSQL compatibility patch by Guy Fraser <guy@incentre.net>
while(isset($$name)){
$val=$$name;
+ $val = da_sql_escape_string($val);
$op_name = $name . '_op';
$i++;
$j++;
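Review bot: The new escape covers the attribute value in `$val` but not the operator that is read through `$op_name` (`$name . '_op'`), which is the same kind of request-driven variable-variable; if that operator is interpolated into the query it sits outside quotes, so escaping could not protect it anyway. Operators are a fixed set, so validate instead of escape, e.g. `$op_val = $$op_name; if (!in_array($op_val, $allowed_ops)) continue;` where `$allowed_ops` is the list of operators the form offers. The `while` loop continues past the hunk and the line that assigns `$name` is outside it, so the exact use of the operator is not visible here.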
"SELECT username FROM $config[sql_user_info_table] WHERE
username = '$login';");
if ($res){
+ $Fcn = da_sql_escape_string($Fcn);
+ $Fmail = da_sql_escape_string($Fmail);
+ $Fou = da_sql_escape_string($Fou);
+ $Ftelephonenumber = da_sql_escape_string($Ftelephonenumber);
+ $Fhomephone = da_sql_escape_string($Fhomephone);
+ $Fmobile = da_sql_escape_string($Fmobile);
+
if (!@da_sql_num_rows($res,$config)){
$res = @da_sql_query($link,$config,
"INSERT INTO $config[sql_user_info_table]
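Review bot: `$login` is still interpolated raw into the SELECT on the line `username = '$login';` while the six profile fields below it now go through `da_sql_escape_string`; unless `$login` is escaped before this hunk, that query stays injectable. Since `$login` appears in every query in this file, one `$login = da_sql_escape_string($login);` where it is first read is cleaner than repeating it per query. Placing the field escapes before the `da_sql_num_rows` test is the right choice here, because it covers both the INSERT and whatever the else branch does. The enclosing block continues past the hunk.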
$Members = preg_split("/[\n\s]+/",$members,-1,PREG_SPLIT_NO_EMPTY);
if (!empty($Members)){
foreach ($Members as $member){
+ $member = da_sql_escape_string($member);
$res = @da_sql_query($link,$config,
"INSERT INTO $config[sql_usergroup_table] (username,groupname)
VALUES ('$member','$login');");
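Review bot: Each `$member` is now escaped, but `$login` in the same VALUES list on the hunk's last line is not, so if it is not escaped earlier in the file the INSERT remains injectable through the login name. A single `$login = da_sql_escape_string($login);` before the loop (or where `$login` is read) closes that for every query in the loop. The `foreach` continues past the hunk.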
$type = 2;
}
$val = $$attrmap["$key"];
+ $val = da_sql_escape_string($val);
$op_name = $attrmap["$key"] . '_op';
$op_val = $$op_name;
if ($op_val != ''){
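Review bot: `$val` is escaped but `$op_val`, read two lines later from `$$op_name`, is not; as an operator it is presumably placed outside quotes in the query, so escaping would not help and it should instead be checked against the fixed operator list the form offers: `if ($op_val != '' && in_array($op_val, $allowed_ops)){`. Escaping the value is still correct provided the query wraps `$val` in single quotes, which cannot be confirmed from this hunk. The enclosing loop and the query built from these values continue outside the hunk.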
username = '$login';");
if ($res){
if (!@da_sql_num_rows($res,$config)){
+ $Fcn = da_sql_escape_string($Fcn);
+ $Fmail = da_sql_escape_string($Fmail);
+ $Fou = da_sql_escape_string($Fou);
+ $Fhomephone = da_sql_escape_string($Fhomephone);
+ $Fworkphone = da_sql_escape_string($Fworkphone);
+ $Fmobile = da_sql_escape_string($Fmobile);
$res = @da_sql_query($link,$config,
"INSERT INTO $config[sql_user_info_table]
(username,name,mail,department,homephone,workphone,mobile) VALUES
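Review bot: The six escapes are placed inside `if (!@da_sql_num_rows($res,$config)){`, so they cover only the INSERT; if the else branch outside the hunk issues an UPDATE with the same `$F*` variables, that path still interpolates raw values. Move the six `da_sql_escape_string` lines up to directly under `if ($res){`, before the row-count test, which is how the other user-info routine in this change does it. `$login` in the SELECT on the hunk's first line is also interpolated raw unless escaped earlier. The enclosing block continues past the hunk.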
echo "<b>Could not add user information in user info table: " . da_sql_error($link,$config) . "</b><br>\n";
}
if ($Fgroup != ''){
+ $Fgroup = da_sql_escape_string($Fgroup);
$res = @da_sql_query($link,$config,
"SELECT username FROM $config[sql_usergroup_table]
WHERE username = '$login' AND groupname = '$Fgroup';");
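Review bot: `$Fgroup` is escaped in place, so from here on the variable holds the SQL-escaped form; if it is later echoed back into the page or compared with a value from another source, the added backslashes will surface. Keep the escaped copy separate, e.g. `$Fgroup_sql = da_sql_escape_string($Fgroup);` and use `$Fgroup_sql` in the query. `$login` in the same WHERE clause is still raw unless it was escaped earlier. The surrounding code continues outside the hunk.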
$type = 2;
}
$val = $$attrmap["$key"];
+ $val = da_sql_escape_string($val);
$op_name = $attrmap["$key"] . '_op';
$op_val = $$op_name;
if ($op_val != ''){
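Review bot: `$op_val`, read from `$$op_name` just below the new escape, gets no treatment at all, and an operator cannot be protected by string escaping because it is not quoted in the query; it needs a whitelist check such as `if ($op_val != '' && in_array($op_val, $allowed_ops)){` against the operators the form offers. This is the same pattern as the other attribute loop in this change and should be fixed in both places the same way. The enclosing loop and the query it builds continue outside the hunk.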
$link = @da_sql_pconnect($config);
if ($link){
+ $search = da_sql_escape_string($search);
+ if (!is_int($max_results))
+ $max_results = 10;
if (($search_IN == 'name' || $search_IN == 'ou') && $config[sql_use_user_info_table] == 'true'){
$attr = ($search_IN == 'name') ? 'name' : 'department';
$res = @da_sql_query($link,$config,
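Review bot: `is_int($max_results)` is false for any value that arrived as a request string (`"20"` is a string, not an int), so the new guard will reset `$max_results` to 10 on every request instead of validating it; the intent is right but it should coerce and bound: `$max_results = (int) $max_results; if ($max_results < 1) $max_results = 10;`. If `$max_results` only ever comes from an int-typed config value the current line works, but its name and placement next to `$search` suggest a form field. The `$search_IN` comparisons against literal column names are the correct way to handle the column choice and need no escaping. The enclosing function starts before and continues past the hunk.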
function get_user_info($link,$user,$config)
{
if ($link && $config[sql_use_user_info_table] == 'true'){
+ $user = da_sql_escape_string($user);
$res=@da_sql_query($link,$config,
"SELECT name FROM $config[sql_user_info_table] WHERE username = '$user';");
if ($res){
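Review bot: `get_user_info` now escapes `$user` internally, which changes its contract: callers must pass the raw username, and any caller that already escaped it will double-escape the value in the query. Document that on the function, e.g. `// $user must be the raw username; it is escaped here before use in SQL.` above the `function` line, and check the call sites for prior escaping. The function body continues past the hunk.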
if ($link){
if (isset($del_members)){
foreach ($del_members as $del){
+ $del = da_sql_escape_string($del);
$res = @da_sql_query($link,$config,
"DELETE FROM $config[sql_usergroup_table] WHERE username = '$del' AND groupname = '$login';");
if (!$res)
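Review bot: `$del` is escaped but `$login` in the same DELETE's `groupname = '$login'` is not, so unless it was escaped earlier the group-name side of the statement remains injectable. Separately, `isset($del_members)` does not guarantee an array: a scalar value makes `foreach` emit a warning and skip, so `if (isset($del_members) && is_array($del_members)){` is the safer guard. The enclosing block continues outside the hunk.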
$Members = preg_split("/[\n\s]+/",$new_members,-1,PREG_SPLIT_NO_EMPTY);
if (!empty($Members)){
foreach ($Members as $new_member){
+ $new_member = da_sql_escape_string($new_member);
$res = @da_sql_query($link,$config,
"SELECT username FROM $config[sql_usergroup_table] WHERE
username = '$new_member' AND groupname = '$login';");
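Review bot: The SELECT now uses an escaped `$new_member`, but `groupname = '$login'` on the last line is still raw unless `$login` was escaped earlier; one `$login = da_sql_escape_string($login);` before the loop covers this query and the matching INSERT that presumably follows outside the hunk. Reassigning the escaped value to `$new_member` means that later INSERT also gets the escaped form, which is what you want as long as the variable is not also echoed to the page. The `foreach` continues past the hunk.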