[Dehs-devel] r50 - trunk/www

atomo64-guest at alioth.debian.org atomo64-guest at alioth.debian.org
Tue Nov 27 01:08:43 UTC 2007


Author: atomo64-guest
Date: 2007-11-27 01:08:42 +0000 (Tue, 27 Nov 2007)
New Revision: 50

Modified:
   trunk/www/maintainer.php
Log:
Prevent possible XSS and SQL injection attacks

Modified: trunk/www/maintainer.php
===================================================================
--- trunk/www/maintainer.php	2007-11-27 00:50:53 UTC (rev 49)
+++ trunk/www/maintainer.php	2007-11-27 01:08:42 UTC (rev 50)
@@ -28,10 +28,10 @@
 <div style="text-align: center;">
 <h1>Debian External Health Status</h1>
 <? if ($_GET['maint']) {?>
-Dehs Summary for <? print $_GET['maint'];?><br>
+Dehs Summary for <? print htmlentities($_GET['maint']);?><br>
 <? }
 elseif ($_GET['name']) {?>
-Dehs for Package: <? print $_GET['name'];?><br>
+Dehs for Package: <? print htmlentities($_GET['name']);?><br>
 <? } ?>
 </div>
 <?include("menu.inc");?>
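Review bot: The two added htmlentities() calls rely on the function's defaults, which on PHP of this era encode double quotes but not single quotes and assume an ISO-8859-1 input charset. In this text-node context that is sufficient against markup injection, but the explicit form `htmlentities($_GET['maint'], ENT_QUOTES, 'UTF-8')` (and likewise for `$_GET['name']`) records the intent and stays safe if the value is later reused inside an attribute. The charset argument should match the page's declared encoding, which is not visible in this hunk.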
@@ -44,6 +44,10 @@
 elseif ($_GET['maint']) $maint=$_GET[maint];
 if (isset($_GET['name']) AND !$_GET[name]) exit('<span style="color: rgb(255, 0, 0);">Package name not submitted</span>');
 elseif ($_GET[name]) $name=$_GET['name'];
+
+$maint = pg_escape_string($maint);
+$name  = pg_escape_string($name);
+
 $sql=ARRAY(no_watch=>"SELECT id,mpop_inst,name,pkgs.version,pkgs.dist,tot_up_error, tot_avg_error_date,wwiz,wwiz_type,wwiz_version,maint,section,up_changes FROM pkgs INNER JOIN
 (Select max(pop_inst) as mpop_inst,SUM(up_error) as tot_up_error,AVG(avg_error_date) as tot_avg_error_date,name,dist FROM binpkgs GROUP BY name,dist HAVING max(pop_inst) IS NOT NULL) as binpkgs using(name,dist) 
 WHERE (watch IS NULL OR watch='') AND (maint LIKE '$maint' OR uploaders LIKE '%$maint%') AND name LIKE '$name' ORDER BY mpop_inst DESC;",
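Review bot: pg_escape_string() on the added lines neutralises quotes and backslashes, but the values are still interpolated into LIKE patterns (`'$maint'`, `'%$maint%'`, `'$name'`), where `%` and `_` from the request remain wildcards; if an exact maintainer or package match is intended, those characters need escaping as well, or the predicate should use `=`. Because no connection resource is passed, the function uses the default connection, and if none is open at this point the escaping is presumably not aware of the client encoding — worth confirming against where pg_connect() is called. `$maint` and `$name` are each assigned only on one branch above, so initialising both to `''` before the escape calls avoids escaping an undefined variable. The statement is executed outside this hunk; executing it via `pg_query_params()` with `$1`/`$2` placeholders would remove the need for manual escaping altogether.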



