diff --git a/html/pages/ipv4.inc.php b/html/pages/ipv4.inc.php
index 32fd2c17d..6ae3e8d91 100644
--- a/html/pages/ipv4.inc.php
+++ b/html/pages/ipv4.inc.php
@@ -40,9 +40,8 @@ print_optionbar_end();
echo('
');
-# FIXME SQL INJECTION!!
-if ($_POST['device_id']) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
-if ($_POST['interface']) { $where .= " AND I.ifDescr LIKE '".$_POST['interface']."'"; }
+if (is_numeric($_POST['device_id'])) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
+if ($_POST['interface']) { $where .= " AND I.ifDescr LIKE '".mres($_POST['interface'])."'"; }
$sql = "SELECT * FROM `ipv4_addresses` AS A, `ports` AS I, `devices` AS D, `ipv4_networks` AS N WHERE I.interface_id = A.interface_id AND I.device_id = D.device_id AND N.ipv4_network_id = A.ipv4_network_id $where ORDER BY A.ipv4_address";
diff --git a/html/pages/ipv6.inc.php b/html/pages/ipv6.inc.php
index 5df8ec287..775f7d282 100644
--- a/html/pages/ipv6.inc.php
+++ b/html/pages/ipv6.inc.php
@@ -40,9 +40,8 @@ print_optionbar_end();
echo('');
-# FIXME SQL INJECTION!!
-if ($_POST['device_id']) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
-if ($_POST['interface']) { $where .= " AND I.ifDescr LIKE '".$_POST['interface']."'"; }
+if (is_numeric($_POST['device_id'])) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
+if ($_POST['interface']) { $where .= " AND I.ifDescr LIKE '".mres($_POST['interface'])."'"; }
$sql = "SELECT * FROM `ipv6_addresses` AS A, `ports` AS I, `devices` AS D, `ipv6_networks` AS N WHERE I.interface_id = A.interface_id AND I.device_id = D.device_id AND N.ipv6_network_id = A.ipv6_network_id $where ORDER BY A.ipv6_address";
diff --git a/html/pages/ports/default.inc.php b/html/pages/ports/default.inc.php
index a31a2e059..1b2931532 100644
--- a/html/pages/ports/default.inc.php
+++ b/html/pages/ports/default.inc.php
@@ -85,6 +85,7 @@
# $sql = "SELECT * FROM `ports` AS I, `devices` AS D, `devices_perms` AS P WHERE I.device_id = D.device_id AND D.device_id = P.device_id AND P.user_id = '" . $_SESSION['user_id'] . "' ORDER BY D.hostname, I.ifDescr";
#}
+# FIXME block below is not totally used, at least the iftype stuff is bogus?
if ($_GET['opta'] == "down" || $_GET['type'] == "down" || $_POST['state'] == "down")
{
$where .= "AND I.ifAdminStatus = 'up' AND I.ifOperStatus = 'down' AND I.ignore = '0'";
@@ -110,11 +111,10 @@ if ($_GET['opta'] == "down" || $_GET['type'] == "down" || $_POST['state'] == "do
$where .= " AND I.ifType = 'ppp'";
}
-# FIXME SQL Injection!
-if ($_POST['device_id']) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
-if ($_POST['ifType']) { $where .= " AND I.ifType = '".$_POST['ifType']."'"; }
-if ($_POST['ifSpeed']) { $where .= " AND I.ifSpeed = '".$_POST['ifSpeed']."'"; }
-if ($_POST['ifAlias']) { $where .= " AND I.ifAlias LIKE '%".$_POST['ifAlias']."%'"; }
+if (is_numeric($_POST['device_id'])) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
+if ($_POST['ifType']) { $where .= " AND I.ifType = '".mres($_POST['ifType'])."'"; }
+if (is_numeric($_POST['ifSpeed'])) { $where .= " AND I.ifSpeed = '".$_POST['ifSpeed']."'"; }
+if ($_POST['ifAlias']) { $where .= " AND I.ifAlias LIKE '%".mres($_POST['ifAlias'])."%'"; }
if ($_POST['deleted'] || $_GET['type'] == "deleted") { $where .= " AND I.deleted = '1'"; }
$sql = "SELECT * FROM `ports` AS I, `devices` AS D WHERE I.device_id = D.device_id $where ORDER BY D.hostname, I.ifIndex";