[Noalyss-commit] [noalyss] 13/15: Cosmetic fix : count_by_modele
From: |
Dany De Bontridder |
Subject: |
[Noalyss-commit] [noalyss] 13/15: Cosmetic fix : count_by_modele |
Date: |
Mon, 25 Jan 2021 18:56:23 -0500 (EST) |
sparkyx pushed a commit to branch master
in repository noalyss.
commit 1fd5f41662680373b618b4e6f2e9509ba987d976
Author: sparkyx <danydb@noalyss.eu>
AuthorDate: Tue Jan 26 00:36:58 2021 +0100
Cosmetic
fix : count_by_modele
---
html/style-classic7.css | 11 +++++------
include/class/fiche.class.php | 4 +++-
include/constant.php | 1 +
include/lib/database_core.class.php | 18 ++++++++++++++++++
unit-test/include/class/fiche.Test.php | 8 +++-----
5 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/html/style-classic7.css b/html/style-classic7.css
index c3612dc..4baeb9e 100644
--- a/html/style-classic7.css
+++ b/html/style-classic7.css
@@ -279,16 +279,15 @@ td.mtitle {
}
}
td.mtitle a.mtitle {
- color : lightgray;
+ color : lightblue;
display:block;
font-size:1rem;
font-family:OpenSansRegular;
- /*! width:100%; */
padding:0px;
margin:0px;
- height:100%;
+ height:42px;
padding:4px 0px 0px 0px;
-
+ border-radius:4px;
}
@media only screen and (max-width:1280px) {
td.mtitle a.mtitle {
@@ -368,7 +367,7 @@ a.mtitle {
text-decoration:none;
display:inline;
color: #0000FF;
- pointer:cursor;
+ cursor: pointer;
background-color: transparent;
}
a.mtitle:hover {
@@ -754,7 +753,7 @@ a#anchorbutton:hover,
.button:hover,a.button:hover,div.content a.button:hover {
}
a#smallanchorbutton, .smallbutton, a.smallbutton,div.content a.smallbutton {
color:#FFFFFF;
- font-weight: bold;
+ font-weight: normal;
text-decoration:none;
font-family: arial,verdana,sans-serif,helvetica;
/*! background-image: url("image/bg-submit2.gif"); */
diff --git a/include/class/fiche.class.php b/include/class/fiche.class.php
index d6a7549..579e5fa 100644
--- a/include/class/fiche.class.php
+++ b/include/class/fiche.class.php
@@ -291,6 +291,8 @@ class Fiche
*/
function count_by_modele($p_frd_id,$p_search="",$p_sql="")
{
+ // Scan for SQL inject
+ $this->cn->search_sql_inject($p_sql);
if ( $p_search != "" )
{
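Review bot: The new `search_sql_inject($p_sql)` call is now the only guard on `$p_sql`, because the second hunk of this file replaces `sql_string($p_sql)` with a raw `.$p_sql` concatenation into the query; a four-word substring denylist cannot be complete for free-form SQL text and is not a substitute for parameter binding. `frd_id` is already bound as `$1`, and the extra filter should be built the same way — accept a vetted column name and bind its value — rather than taking a SQL fragment from the caller; until then the escaping step should stay in place. A substring scan will also reject harmless input such as a search term that happens to contain `update`. The body of `count_by_modele` continues outside this hunk, and where `$p_sql` originates is not visible here; the unit test feeding it a `delete` statement suggests it is not trusted.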
@@ -305,7 +307,7 @@ class Fiche
$result = $this->cn->get_value("select count(*)
from
fiche join fiche_Def using (fd_id)
- where frd_id=$1 ".sql_string($p_sql)
+ where frd_id=$1 ".$p_sql
,[$p_frd_id]);
return $result;
}
diff --git a/include/constant.php b/include/constant.php
index feaf081..55308e3 100644
--- a/include/constant.php
+++ b/include/constant.php
@@ -314,6 +314,7 @@ define ('EMAIL_LIMIT',1002);
define ('EXC_PARAM_VALUE',1005);
define ('EXC_PARAM_TYPE',1006);
define ('EXC_DUPLICATE',1200);
+define ('EXC_INVALID',1400);
define ("UNPINDG","");
define ("PINDG","");
diff --git a/include/lib/database_core.class.php
b/include/lib/database_core.class.php
index 2f7bc32..d7d5cb6 100644
--- a/include/lib/database_core.class.php
+++ b/include/lib/database_core.class.php
@@ -956,6 +956,24 @@ class DatabaseCore
static function nb_column($p_ret) {
return pg_num_fields($p_ret);
}
+ /**
+ * FInd if a SQL Select has a SQL stmt to inject or damage Data
+ * When a SELECT SQL string is build, this string could contain a SQL
attempt to damage data,
+ *so the statement DELETE TRUNCATE ... are forbidden. Throw an exception
EXC_INVALID
+ *
+ */
+ function search_sql_inject($p_sql)
+ {
+ $forbid_sql=array("update","delete","truncate","insert");
+ // protect against SQL inject
+ foreach ($forbid_sql as $forbid_key) {
+ if (stripos($p_sql,$forbid_key) !== false)
+ {
+ throw new Exception(_("Possible SQL inject",EXC_INVALID));
+ }
+
+ }
+ }
}
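Review bot: In `search_sql_inject` the exception code goes to the wrong function: `_("Possible SQL inject",EXC_INVALID)` passes `EXC_INVALID` as a second argument to `_()`, where it is ignored, so the `Exception` is created with code 0 and a caller cannot test for `EXC_INVALID`; it should read `throw new Exception(_("Possible SQL inject"), EXC_INVALID);`. `stripos` also matches the four words inside ordinary text (a column or value containing `inserted`), and a fixed denylist cannot cover every statement that alters data, so this belongs as defence in depth behind bound parameters rather than as the sole check. The method reads no instance state and could be `static` like `nb_column` just above it; the docblock could be shortened to `Find out whether a SQL fragment contains a statement able to alter data (update, delete, truncate, insert). Throws an Exception with code EXC_INVALID when one is found.`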
diff --git a/unit-test/include/class/fiche.Test.php
b/unit-test/include/class/fiche.Test.php
index ae08322..8cab78d 100644
--- a/unit-test/include/class/fiche.Test.php
+++ b/unit-test/include/class/fiche.Test.php
@@ -35,7 +35,6 @@ class FicheTest extends TestCase
/**
* @covers Fiche::cmp_name
- * @todo Implement testCmp_name().
*/
public function testCmp_name()
{
@@ -47,7 +46,6 @@ class FicheTest extends TestCase
/**
* @covers Fiche::get_bk_account
- * @todo Implement testGet_bk_account().
*/
public function testGet_bk_account()
{
@@ -106,10 +104,10 @@ class FicheTest extends TestCase
$this->assertEquals(7,$nb,"Purchase cards ");
// attempt to inject SQL command, you must get an error
try {
- $nb=@$this->object->count_by_modele(3,""," and 1';delete from
jrn;");
- $this->assertFalse(true,"Inject SQL command");
+ $nb=@$this->object->count_by_modele(3,""," ;delete from jrn;");
+ $this->assertFalse(true,"Inject SQL command not found");
} catch(Exception $e) {
- $this->assertTrue(true,"Inject SQL command");
+ $this->assertTrue(true,"Inject SQL command found");
}
}
}
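Review bot: The injection test still cannot fail: `$this->assertFalse(true,"Inject SQL command not found")` throws PHPUnit's `AssertionFailedError`, which is itself an `\Exception`, so the following `catch(Exception $e)` swallows it and `assertTrue(true)` passes regardless of what `count_by_modele` did. Replace the try/catch with `$this->expectException(Exception::class); $this->expectExceptionCode(EXC_INVALID);` placed before the call (the code assertion will only hold once `search_sql_inject` actually passes `EXC_INVALID` to the `Exception`, which the `database_core.class.php` hunk does not yet do), and drop the `@` that hides warnings raised by `count_by_modele`. The catch block should in any case assert on `$e->getCode()` rather than on a constant `true`.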