mirror of
https://github.com/stylersnico/librenms.git
synced 2026-07-12 16:06:25 +02:00
clean up all known sql injection
git-svn-id: http://www.observium.org/svn/observer/trunk@1975 61d68cd4-352d-0410-923a-c4978735b2b8
This commit is contained in:
@@ -40,9 +40,8 @@ print_optionbar_end();
|
||||
|
||||
echo('<table width="100%" cellspacing="0" cellpadding="2">');
|
||||
|
||||
# FIXME SQL INJECTION!!
|
||||
if ($_POST['device_id']) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
|
||||
if ($_POST['interface']) { $where .= " AND I.ifDescr LIKE '".$_POST['interface']."'"; }
|
||||
if (is_numeric($_POST['device_id'])) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
|
||||
if ($_POST['interface']) { $where .= " AND I.ifDescr LIKE '".mres($_POST['interface'])."'"; }
|
||||
|
||||
$sql = "SELECT * FROM `ipv4_addresses` AS A, `ports` AS I, `devices` AS D, `ipv4_networks` AS N WHERE I.interface_id = A.interface_id AND I.device_id = D.device_id AND N.ipv4_network_id = A.ipv4_network_id $where ORDER BY A.ipv4_address";
|
||||
|
||||
|
||||
@@ -40,9 +40,8 @@ print_optionbar_end();
|
||||
|
||||
echo('<table width="100%" cellspacing="0" cellpadding="2">');
|
||||
|
||||
# FIXME SQL INJECTION!!
|
||||
if ($_POST['device_id']) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
|
||||
if ($_POST['interface']) { $where .= " AND I.ifDescr LIKE '".$_POST['interface']."'"; }
|
||||
if (is_numeric($_POST['device_id'])) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
|
||||
if ($_POST['interface']) { $where .= " AND I.ifDescr LIKE '".mres($_POST['interface'])."'"; }
|
||||
|
||||
$sql = "SELECT * FROM `ipv6_addresses` AS A, `ports` AS I, `devices` AS D, `ipv6_networks` AS N WHERE I.interface_id = A.interface_id AND I.device_id = D.device_id AND N.ipv6_network_id = A.ipv6_network_id $where ORDER BY A.ipv6_address";
|
||||
|
||||
|
||||
@@ -85,6 +85,7 @@
|
||||
# $sql = "SELECT * FROM `ports` AS I, `devices` AS D, `devices_perms` AS P WHERE I.device_id = D.device_id AND D.device_id = P.device_id AND P.user_id = '" . $_SESSION['user_id'] . "' ORDER BY D.hostname, I.ifDescr";
|
||||
#}
|
||||
|
||||
# FIXME block below is not totally used, at least the iftype stuff is bogus?
|
||||
if ($_GET['opta'] == "down" || $_GET['type'] == "down" || $_POST['state'] == "down")
|
||||
{
|
||||
$where .= "AND I.ifAdminStatus = 'up' AND I.ifOperStatus = 'down' AND I.ignore = '0'";
|
||||
@@ -110,11 +111,10 @@ if ($_GET['opta'] == "down" || $_GET['type'] == "down" || $_POST['state'] == "do
|
||||
$where .= " AND I.ifType = 'ppp'";
|
||||
}
|
||||
|
||||
# FIXME SQL Injection!
|
||||
if ($_POST['device_id']) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
|
||||
if ($_POST['ifType']) { $where .= " AND I.ifType = '".$_POST['ifType']."'"; }
|
||||
if ($_POST['ifSpeed']) { $where .= " AND I.ifSpeed = '".$_POST['ifSpeed']."'"; }
|
||||
if ($_POST['ifAlias']) { $where .= " AND I.ifAlias LIKE '%".$_POST['ifAlias']."%'"; }
|
||||
if (is_numeric($_POST['device_id'])) { $where .= " AND I.device_id = '".$_POST['device_id']."'"; }
|
||||
if ($_POST['ifType']) { $where .= " AND I.ifType = '".mres($_POST['ifType'])."'"; }
|
||||
if (is_numeric($_POST['ifSpeed'])) { $where .= " AND I.ifSpeed = '".$_POST['ifSpeed']."'"; }
|
||||
if ($_POST['ifAlias']) { $where .= " AND I.ifAlias LIKE '%".mres($_POST['ifAlias'])."%'"; }
|
||||
if ($_POST['deleted'] || $_GET['type'] == "deleted") { $where .= " AND I.deleted = '1'"; }
|
||||
|
||||
$sql = "SELECT * FROM `ports` AS I, `devices` AS D WHERE I.device_id = D.device_id $where ORDER BY D.hostname, I.ifIndex";
|
||||
|
||||
Reference in New Issue
Block a user