[Mapbender-commits] r7090 - in trunk/mapbender/http: classes
javascripts php plugins
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Thu Nov 4 10:39:22 EDT 2010
Author: apour
Date: 2010-11-04 07:39:22 -0700 (Thu, 04 Nov 2010)
New Revision: 7090
Modified:
trunk/mapbender/http/classes/class_georss_geometry.php
trunk/mapbender/http/classes/class_metadata.php
trunk/mapbender/http/javascripts/mod_poi.php
trunk/mapbender/http/php/mod_changeEPSG_dynamic.php
trunk/mapbender/http/php/mod_coordsLookup_server.php
trunk/mapbender/http/php/mod_saveWKT.php
trunk/mapbender/http/plugins/mb_extendedSearch_server.php
Log:
Added some pg_escape_string functions.
Modified: trunk/mapbender/http/classes/class_georss_geometry.php
===================================================================
--- trunk/mapbender/http/classes/class_georss_geometry.php 2010-11-04 14:09:57 UTC (rev 7089)
+++ trunk/mapbender/http/classes/class_georss_geometry.php 2010-11-04 14:39:22 UTC (rev 7090)
@@ -17,12 +17,12 @@
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#TODO:Check if the following line is enough:
-#require_once(dirname(__FILE__)."/../../core/globalSettings.php");
-require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
-require_once(dirname(__FILE__)."/../classes/class_connector.php");
-require_once(dirname(__FILE__)."/../classes/class_json.php");
+#require_once(dirname(__FILE__)."/../../core/globalSettings.php");
+require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
+require_once(dirname(__FILE__)."/../classes/class_connector.php");
+require_once(dirname(__FILE__)."/../classes/class_json.php");
require_once(dirname(__FILE__)."/../classes/class_gml2.php");
-
+
class geoRSS {
var $doc;
var $importItems = array("title","link","description");
@@ -321,7 +321,12 @@
"password=" . GEOS_PW;
$con = pg_connect($con_string) or die ("Error while connecting
database");
-
+
+ /*
+ * @security_patch sqli open
+ * Where is x,y... coming from?
+ */
+
$sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$x."
".$y.")',".$oldEPSG."),".$newEPSG.")) as minx";
$resMinx = pg_query($con,$sqlMinx);
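Review bot: The added comment marks the query on the following lines as open, but $x, $y, $oldEPSG and $newEPSG are still concatenated into $sqlMinx with no escaping or casting, so the commit records the problem without fixing it. Because these values sit in unquoted numeric positions, pg_escape_string would not help; casting is the right fix, e.g. `$x = floatval($x); $y = floatval($y);` and `$oldEPSG = intval($oldEPSG); $newEPSG = intval($newEPSG);` before the query string is built. Where $x and $y come from is not visible in the hunk, as the comment itself asks, and the enclosing function starts and ends outside it. The same unescaped numeric interpolation is left in place in the mod_changeEPSG_dynamic.php hunk, where $_REQUEST["newSRS"] feeds the query directly, and in the mod_coordsLookup_server.php hunk.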
Modified: trunk/mapbender/http/classes/class_metadata.php
===================================================================
--- trunk/mapbender/http/classes/class_metadata.php 2010-11-04 14:09:57 UTC (rev 7089)
+++ trunk/mapbender/http/classes/class_metadata.php 2010-11-04 14:39:22 UTC (rev 7090)
@@ -1340,7 +1340,9 @@
function intersect($s_minx, $s_miny, $s_maxx, $s_maxy, $db_minx, $db_miny, $db_maxx, $db_maxy, $epsg){
global $con;
-
+ /*
+ * @security_patch sqli done
+ */
$result="";
$sqlint = "SELECT intersects(envelope(geometryFROMtext('LINESTRING(".$s_minx." ".$s_miny.", ".$s_maxx." ".$s_maxy.")',".str_replace("EPSG:","",$epsg).")) " .
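Review bot: The marker added here says `sqli done`, yet nothing in the hunk escapes or casts $s_minx, $s_miny, $s_maxx, $s_maxy or $epsg before they are concatenated into $sqlint on the last line, so the label overstates what was done. Unless every caller of intersect() validates these arguments (not visible here), the bounding-box values should be cast with floatval() and the EPSG code with `intval(str_replace("EPSG:","",$epsg))`; if callers do validate, the comment should say so rather than claim a patch. The body of intersect() continues past the end of the hunk.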
Modified: trunk/mapbender/http/javascripts/mod_poi.php
===================================================================
--- trunk/mapbender/http/javascripts/mod_poi.php 2010-11-04 14:09:57 UTC (rev 7089)
+++ trunk/mapbender/http/javascripts/mod_poi.php 2010-11-04 14:39:22 UTC (rev 7090)
@@ -236,9 +236,11 @@
}
$con = pg_connect ($con_string) or die ("Error while connecting database $dbname");
-
+ /*
+ * @security_patch sqli done
+ */
#$sql = "SELECT DISTINCT identificationinfo,minscale, md_fileidentifier ,search_columns, search_result FROM tab_metadata WHERE public = '1' and not identificationinfo = 'Rasterebene' and not identificationinfo = 'rasterlayer'";
- $sql = "SELECT DISTINCT identificationinfo,minscale, md_fileidentifier ,".$title.",search_columns, search_result,search_keywords, wms_title FROM tab_metadata WHERE public = '1' and not identificationinfo = 'Rasterebene' and not identificationinfo = 'rasterlayer'";
+ $sql = "SELECT DISTINCT identificationinfo,minscale, md_fileidentifier ,".pg_escape_string($title).",search_columns, search_result,search_keywords, wms_title FROM tab_metadata WHERE public = '1' and not identificationinfo = 'Rasterebene' and not identificationinfo = 'rasterlayer'";
$res = pg_query($con,$sql);
$cnt = 0;
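Review bot: pg_escape_string($title) on the new SELECT line does not protect the query, because $title is used as a column name rather than as a quoted string literal: the function only doubles single quotes and backslashes, and an unquoted identifier position accepts everything else unchanged. The value should instead be checked against the column names the query is allowed to select, e.g. `if (!in_array($title, $allowedTitleColumns, true)) { die("invalid title column"); }` with $allowedTitleColumns holding the known column names (constructed name), or validated with a strict pattern such as `preg_match('/^[a-z_]+$/', $title)`. The same identifier-position escaping is used for the table names in the second mod_poi.php hunk (`pg_escape_string($table[$i])`, twice) and in the mod_saveWKT.php hunk that builds `SELECT * from ".pg_escape_string($tablenames)."`; those need the same allow-list treatment. Where $title is assigned is outside this hunk.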
@@ -271,10 +273,14 @@
$has_result = false;
for($i=0; $i<count($table); $i++){
- $sql = "Select GeometryType(the_geom) as type FROM ".$table[$i]." LIMIT 1";
+ /*
+ * @security_patch sqli done
+ */
+ $sql = "Select GeometryType(the_geom) as type FROM ".pg_escape_string($table[$i])." LIMIT 1";
$res = pg_query($con,$sql);
- $type = pg_result($res,0,"type");
- $sql = "Select * FROM ".$table[$i]." LIMIT 1";
+ $type = pg_result($res,0,"type");
+
+ $sql = "Select * FROM ".pg_escape_string($table[$i])." LIMIT 1";
$res = pg_query($con,$sql);
if(mb_strtoupper($type) =='MULTIPOLYGON'){
Modified: trunk/mapbender/http/php/mod_changeEPSG_dynamic.php
===================================================================
--- trunk/mapbender/http/php/mod_changeEPSG_dynamic.php 2010-11-04 14:09:57 UTC (rev 7089)
+++ trunk/mapbender/http/php/mod_changeEPSG_dynamic.php 2010-11-04 14:39:22 UTC (rev 7090)
@@ -119,7 +119,9 @@
for($i=0; $i < count($arraymapObj); $i++){
$temp = mb_split(",",$arraymapObj[$i]);
-
+ /*
+ * @security_patch sqli open
+ */
$sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$temp[2]." ".$temp[3].")',".preg_replace("/EPSG:/","",$temp[1])."),".preg_replace("/EPSG:/","",$_REQUEST["newSRS"]).")) as minx";
$resMinx = @pg_query($con,$sqlMinx);
$minx = pg_result($resMinx,0,"minx");
Modified: trunk/mapbender/http/php/mod_coordsLookup_server.php
===================================================================
--- trunk/mapbender/http/php/mod_coordsLookup_server.php 2010-11-04 14:09:57 UTC (rev 7089)
+++ trunk/mapbender/http/php/mod_coordsLookup_server.php 2010-11-04 14:39:22 UTC (rev 7090)
@@ -45,7 +45,9 @@
" dbname=" . GEOS_DB . "user=" . GEOS_OWNER .
"password=" . GEOS_PW;
$con = pg_connect($con_string) or die ("Error while connecting database");
-
+ /*
+ * @security_patch sqli open
+ */
$sqlMinx = "SELECT X(transform(GeometryFromText('POINT(".$x." ".$y.")',".$oldEPSG."),".$newEPSG.")) as minx";
$resMinx = pg_query($con,$sqlMinx);
$minx = floatval(pg_fetch_result($resMinx,0,"minx"));
Modified: trunk/mapbender/http/php/mod_saveWKT.php
===================================================================
--- trunk/mapbender/http/php/mod_saveWKT.php 2010-11-04 14:09:57 UTC (rev 7089)
+++ trunk/mapbender/http/php/mod_saveWKT.php 2010-11-04 14:39:22 UTC (rev 7090)
@@ -100,7 +100,7 @@
*/
$sql = "SELECT f_table_name, f_geometry_column,type,srid FROM geometry_columns
- where f_table_name like '".addslashes($tblmb)."'"; //pick only certain tables (see above)
+ where f_table_name like '".pg_escape_string($tblmb)."'"; //pick only certain tables (see above)
//$sql = "SELECT f_table_name, f_geometry_column,type,srid FROM geometry_columns";
$res = pg_query($con,$sql);
$cnt = 0;
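Review bot: pg_escape_string($tblmb) is called without the connection resource, so it escapes according to the default (most recently opened) connection rather than $con, which pg_query uses on the line below; with more than one open connection or a non-default client encoding the two can disagree. Passing the connection, `pg_escape_string($con, $tblmb)`, ties the escaping to the right encoding. The same two-argument form applies to the other new calls in this file (the $tablenames and $_REQUEST[$myColumns[$i]] hunks) and to the three in mod_poi.php. The LIKE pattern here is a quoted literal, so string escaping is the correct mechanism, though % and _ in $tblmb still act as wildcards.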
@@ -126,7 +126,7 @@
* @security_patch sqli done
*/
if(isset($tablenames)){
- $sql = "SELECT * from ".addslashes($tablenames)." limit 1";
+ $sql = "SELECT * from ".pg_escape_string($tablenames)." limit 1";
$res = pg_query($con,$sql);
$num = pg_num_fields($res);
@@ -237,7 +237,10 @@
*/
}
else{
- $sql .= "'".$_REQUEST[$myColumns[$i]]."'";
+ /*
+ * @security_patch sqli done
+ */
+ $sql .= "'".pg_escape_string($_REQUEST[$myColumns[$i]])."'";
}
}
$sql .= ")";
Modified: trunk/mapbender/http/plugins/mb_extendedSearch_server.php
===================================================================
--- trunk/mapbender/http/plugins/mb_extendedSearch_server.php 2010-11-04 14:09:57 UTC (rev 7089)
+++ trunk/mapbender/http/plugins/mb_extendedSearch_server.php 2010-11-04 14:39:22 UTC (rev 7090)
@@ -197,6 +197,10 @@
$entries['iso_cat_id'] = array();
$entries['iso_cat_name'] = array();
$entries['iso_cat_title'] = array();
+ /*
+ * @security_patch sqli open
+ * Where is langCode coming from?
+ */
$sql_cat= "SELECT * FROM md_topic_category order by md_topic_category_code_".$langCode;
$res_cat = pg_query($sql_cat);
while($row_cat = db_fetch_array($res_cat)){
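Review bot: The comment marks $langCode as open, but it is still appended raw to the column name in $sql_cat on the next line, and a column-name position cannot be protected by pg_escape_string. Since the value selects among a fixed set of md_topic_category_code_* columns, restrict it to that set before building the query, e.g. `if (!preg_match('/^[a-z]{2}$/', $langCode)) { $langCode = 'en'; }` (constructed default; use whichever suffix the table actually carries) or an explicit in_array check with strict comparison. Where $langCode is assigned is outside the hunk, as the comment itself notes.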