Commit 695de17a authored by nono's avatar nono 💻

Merge branch 'preprod' into 'master'

Escape all values interpolated in SQL queries in the Perso controller

See merge request !154
parents 1470fadd bfef3d43
......@@ -22,3 +22,6 @@ tests/_output/*
!/var/log/.gitkeep
/.php_cs.cache
tests/*/_generated/*
# Vagrant machines for testing
.vagrant/
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
# The most common configuration options are documented and commented below.
# For a complete reference, please see the online documentation at
# https://docs.vagrantup.com.
# Every Vagrant development environment requires a box. You can search for
# boxes at https://vagrantcloud.com/search.
config.vm.box = "debian/bullseye64"
# Disable automatic box update checking. If you disable this, then
# boxes will only be checked for updates when the user runs
# `vagrant box outdated`. This is not recommended.
# config.vm.box_check_update = false
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine. In the example below,
# accessing "localhost:8080" will access port 80 on the guest machine.
# NOTE: This will enable public access to the opened port
config.vm.network "forwarded_port", guest: 8000, host: 8383
# Create a forwarded port mapping which allows access to a specific port
# within the machine from a port on the host machine and only allow access
# via 127.0.0.1 to disable public access
# config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
# Create a private network, which allows host-only access to the machine
# using a specific IP.
config.vm.network "private_network", ip: "192.168.56.1"
# Create a public network, which generally matched to bridged network.
# Bridged networks make the machine appear as another physical device on
# your network.
# config.vm.network "public_network"
# Share an additional folder to the guest VM. The first argument is
# the path on the host to the actual folder. The second argument is
# the path on the guest to mount the folder. And the optional third
# argument is a set of non-required options.
# config.vm.synced_folder "../data", "/vagrant_data"
# Provider-specific configuration so you can fine-tune various
# backing providers for Vagrant. These expose provider-specific options.
# Example for VirtualBox:
#
# config.vm.provider "virtualbox" do |vb|
# # Display the VirtualBox GUI when booting the machine
# vb.gui = true
#
# # Customize the amount of memory on the VM:
# vb.memory = "1024"
# end
#
# View the documentation for the provider you are using for more
# information on available options.
# Enable provisioning with a shell script. Additional provisioners such as
# Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
# documentation for more information about their specific syntax and use.
# config.vm.provision "shell", inline: <<-SHELL
# apt-get update
# apt-get install -y apache2
# SHELL
end
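Review bot: The forwarded port at `config.vm.network "forwarded_port", guest: 8000, host: 8383` carries no `host_ip`, so, as the template comment right above it says, guest port 8000 is reachable from every interface of the host rather than only locally; for a development box `config.vm.network "forwarded_port", guest: 8000, host: 8383, host_ip: "127.0.0.1"` is the safer default, and the commented example a few lines below already shows that option. The `private_network` address `192.168.56.1` looks like the address VirtualBox gives the host side of its default host-only adapter, so handing it to the guest may collide with the host; if that is the case, another address in the same range avoids the conflict. The rest of the file appears to be the stock Vagrant template and raises nothing.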
......@@ -46,7 +46,7 @@ class Perso extends Controller
$db = $f3->get('DB');
$user = $f3->get('container')['user_finder']->findById($f3->get('SESSION.id'));
$f3->set('infos', $user);
$result = $db->query("SELECT id, pdf, decimale FROM dons WHERE user_id='".$user['id']."' and pdf!='' ");
$result = $db->query("SELECT id, pdf, decimale FROM dons WHERE user_id='".\Utils::asl($user['id'])."' and pdf!='' ");
$pdfs = array();
foreach ($result->fetchAll(\PDO::FETCH_ASSOC) as $row) {
$pdfs[$row['pdf']] = $row;
......@@ -220,7 +220,7 @@ class Perso extends Controller
$hash = hash('sha256', $f3->get('password'));
// On recherche le montant cumulé jusqu'à présent. On fait la somme depuis le
// premier janvier 2013 en se basant sur l'adresse mail
$res = $db->query("SELECT sum(dons.somme) as somme FROM dons INNER JOIN users WHERE dons.user_id = users.id AND users.email='".$f3->get('email')."' and dons.status in (1, 4, 102) and dons.datec>'2013-01-01';");
$res = $db->query("SELECT sum(dons.somme) as somme FROM dons INNER JOIN users WHERE dons.user_id = users.id AND users.email='".\Utils::asl($f3->get('email'))."' and dons.status in (1, 4, 102) and dons.datec>'2013-01-01';");
$total = $res->fetch(\PDO::FETCH_ASSOC);
$total = (int) $total['somme'];
// Création de l'utilisateur
......@@ -250,7 +250,7 @@ class Perso extends Controller
$hash = hash('sha256', $f3->get('password'));
$sql .= ", hash='".$hash."'";
}
$sql .= " WHERE id='".$f3->get('SESSION.id')."'";
$sql .= " WHERE id='".\Utils::asl($f3->get('SESSION.id'))."'";
$db->query($sql);
}
} else {
......@@ -390,7 +390,7 @@ class Perso extends Controller
$db = $f3->get('DB');
$id = $params['id'];
$command = "pdftk ";
$args = " ../www/receipt.pdf fill_form ../tmp/".$id.".xfdf output ../tmp/".$id.".pdf flatten dont_ask";
$args = " ../www/receipt.pdf fill_form ../tmp/".escapeshellarg($id).".xfdf output ../tmp/".escapeshellarg($id).".pdf flatten dont_ask";
$logger->write($command . " " .$args);
// Vérification que le don appartient bien à l'utilisateur connecté
......@@ -405,7 +405,7 @@ class Perso extends Controller
FROM dons
INNER JOIN users ON users.id = dons.user_id
LEFT OUTER JOIN adresses ON adresses.user_id = users.id
WHERE users.id=".$f3->get('SESSION.id')." AND dons.id=".\Utils::asl($id).";";
WHERE users.id='".\Utils::asl($f3->get('SESSION.id'))."' AND dons.id='".\Utils::asl($id)."';";
$result = $db->query($query);
$logger->write($query);
$don = $result->fetch(\PDO::FETCH_ASSOC);
......@@ -490,8 +490,11 @@ class Perso extends Controller
public function cancel($f3, $params)
{
if (!$f3->exists('SESSION.user')) {
$f3->reroute('/login');
}
$db = $f3->get('DB');
$result = $db->query("SELECT identifier, user_id from identifiers where identifier like '".$params['id']."'");
$result = $db->query("SELECT identifier, user_id from identifiers where identifier like '".\Utils::asl($params['id'])."' and user_id='".\Utils::asl($f3->get('SESSION.id'))."'");
$result = $result->fetch(\PDO::FETCH_ASSOC);
if ($result) {
$identifier = $result['identifier'];
......@@ -523,8 +526,8 @@ class Perso extends Controller
status = '103',
datec = NOW(),
somme = 0,
user_id = '".$user_id."',
identifier = '".$identifier."',
user_id = '".\Utils::asl($user_id)."',
identifier = '".\Utils::asl($identifier)."',
cumul = 0;");
$f3->push('SESSION.message', _("Don récurrent supprimé."));
$f3->reroute('/perso');
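Review bot: Every statement is still built by string concatenation and relies on `\Utils::asl` to neutralize the interpolated values, so correctness now depends on that helper matching the connection's quoting rules and charset; since results are already read through `\PDO::FETCH_ASSOC`, the same queries can use prepared statements with bound parameters if `$db` is the PDO-backed handle that suggests, e.g. `$stmt = $db->prepare("SELECT id, pdf, decimale FROM dons WHERE user_id = ? AND pdf != ''"); $stmt->execute([$user['id']]);` in the -46 hunk, and likewise in the -220, -250, -405, -490 and -523 hunks. In the -490 hunk the new `where identifier like '...'` still treats `%` and `_` inside `$params['id']` as wildcards, which an addslashes-style escaper does not cover; the lookup appears to intend an exact match, so `identifier = ?` (or `=` with the escaped value) is the right comparison. In the -390 hunk `escapeshellarg($id)` protects the pdftk command line but not the `../tmp/` path built from the same value, so `$id` should be validated as an integer before it reaches either the path or the SQL, e.g. `if (!ctype_digit((string) $id)) { $f3->error(404); }` or an `(int)` cast. Whether the command runs before the ownership check that follows is outside the hunk.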