...snip...
</style>
<?php
// We do some checking to see what we're doing
if (isset($_POST['mode']) && $_POST['mode'] == 'add') {
    // Proceed with the save.
    // Values are only run through mysql_escape_string() (deprecated; does not escape % and _)
    // before being spliced into the query string.
    $sql = "INSERT INTO " . WP_CALENDAR_CATEGORIES_TABLE . " SET category_name='" . mysql_escape_string($_POST['category_name']) . "', category_colour='" . mysql_escape_string($_POST['category_colour']) . "'";
    $wpdb->get_results($sql);
    echo "<div class=\"updated\"><p><strong>" . __('Category added successfully', 'calendar') . "</strong></p></div>";
} else if (isset($_GET['mode']) && isset($_GET['category_id']) && $_GET['mode'] == 'delete') {
    // category_id comes straight from the query string and is spliced in without quotes
    $sql = "DELETE FROM " . WP_CALENDAR_CATEGORIES_TABLE . " WHERE category_id=" . mysql_escape_string($_GET['category_id']);
    $wpdb->get_results($sql);
    // Events that used the deleted category fall back to category 1
    $sql = "UPDATE " . WP_CALENDAR_TABLE . " SET event_category=1 WHERE event_category=" . mysql_escape_string($_GET['category_id']);
    $wpdb->get_results($sql);
    echo "<div class=\"updated\"><p><strong>" . __('Category deleted successfully', 'calendar') . "</strong></p></div>";
} else if (isset($_GET['mode']) && isset($_GET['category_id']) && $_GET['mode'] == 'edit' && !isset($_POST['mode'])) {
    // Load the category to pre-fill the edit form
    $sql = "SELECT * FROM " . WP_CALENDAR_CATEGORIES_TABLE . " WHERE category_id=" . mysql_escape_string($_GET['category_id']);
    $cur_cat = $wpdb->get_row($sql);
?>
<div class="wrap">
<h2><?php _e('Edit Category', 'calendar'); ?></h2>
<form name="catform" id="catform" class="wrap" method="post" action="<?php echo bloginfo('wpurl'); ?>/wp-admin/admin.php?page=calendar-categories">
<input type="hidden" name="mode" value="edit" />
<input type="hidden" name="category_id" value="<?php echo stripslashes($cur_cat->category_id) ?>" />
<div id="linkadvanceddiv" class="postbox">
<div style="float:left;width:98%;clear:both;" class="inside">
<table cellpadding="5" cellspacing="5">
<tr>
<td><legend><?php _e('Category Name', 'calendar'); ?>:</legend></td>
<td><input type="text" name="category_name" class="input" size="30" maxlength="30" value="<?php echo stripslashes($cur_cat->category_name) ?>" /></td>
</tr>
<tr>
<td><legend><?php _e('Category Colour (Hex format)', 'calendar'); ?>:</legend></td>
<td><input type="text" name="category_colour" class="input" size="10" maxlength="7" value="<?php echo stripslashes($cur_cat->category_colour) ?>" /></td>
</tr>
</table>
</div>
<div style="clear:both;height:1px;"> </div>
</div>
<input type="submit" name="save" class="button bold" value="<?php _e('Save', 'calendar'); ?> »" />
</form>
</div>
<?php
} else if (isset($_POST['mode']) && isset($_POST['category_id']) && isset($_POST['category_name']) && isset($_POST['category_colour']) && $_POST['mode'] == 'edit') {
    // Proceed with the save (edit form was submitted)
    $sql = "UPDATE " . WP_CALENDAR_CATEGORIES_TABLE . " SET category_name='" . mysql_escape_string($_POST['category_name']) . "', category_colour='" . mysql_escape_string($_POST['category_colour']) . "' WHERE category_id=" . mysql_escape_string($_POST['category_id']);
    $wpdb->get_results($sql);
    echo "<div class=\"updated\"><p><strong>" . __('Category edited successfully', 'calendar') . "</strong></p></div>";
}

// Show the "Add Category" form unless we are in the middle of an edit
$get_mode = 0;
$post_mode = 0;
if (isset($_GET['mode'])) {
    if ($_GET['mode'] == 'edit') {
        $get_mode = 1;
    }
}
if (isset($_POST['mode'])) {
    if ($_POST['mode'] == 'edit') {
        $post_mode = 1;
    }
}
if ($get_mode != 1 || $post_mode == 1) {
?>
<div class="wrap">
<h2><?php _e('Add Category', 'calendar'); ?></h2>
<form name="catform" id="catform" class="wrap" method="post" action="<?php echo bloginfo('wpurl'); ?>/wp-admin/admin.php?page=calendar-categories">
<input type="hidden" name="mode" value="add" />
<input type="hidden" name="category_id" value="">
<div id="linkadvanceddiv" class="postbox">
<div style="float:left;width:98%;clear:both;" class="inside">
<table cellspacing="5" cellpadding="5">
<tr>
<td><legend><?php _e('Category Name', 'calendar'); ?>:</legend></td>
<td><input type="text" name="category_name" class="input" size="30" maxlength="30" value="" /></td>
</tr>
<tr>
<td><legend><?php _e('Category Colour (Hex format)', 'calendar'); ?>:</legend></td>
<td><input type="text" name="category_colour" class="input" size="10" maxlength="7" value="" /></td>
</tr>
</table>
</div>
<div style="clear:both;height:1px;"> </div>
</div>
<input type="submit" name="save" class="button bold" value="<?php _e('Save', 'calendar'); ?> »" />
</form>
<h2><?php _e('Manage Categories', 'calendar'); ?></h2>
...snip...

Rampant use of deprecated function mysql_escape_string() which “does not escape % and _” according to the linked man page. Especially bad is that %, which is the MySQL wildcard.
Any of the queries passed directly to MySQL with this could result in rampantly bad behavior…
WHERE category_id=".mysql_escape_string($_POST['category_id']);
If $_POST['category_id'] were, say, iterated from 0% … 9%
Wow, this one is tougher. The only thing I can see, aside from not knowing where some of the variables are defined, is that the coder uses mysql_escape_string, which has a great big red danger sign on the documentation page saying that it’s deprecated. It doesn’t escape % or _. Does this open us up to injection? It also says that the new function escapes according to the current character set.
Can WP_CALENDAR_CATEGORIES_TABLE or WP_CALENDAR_TABLE be changed by an attacker? I’m sort of assuming not, but assuming can get one in trouble.
If they can be, though, then it could be an SQL injection.
Related to SQL injection, but not to this particular code: Would it completely eliminate SQL vulnerabilities to use a function that sanitises inclusively instead of exclusively? For example, instead of looking for specific characters to escape, it would escape everything not on a “whitelist” of allowable characters – or scold the user if they try to use anything other than what we want them to use, say letters and numbers only. It could limit globalisation, but it would be more secure. Just an idea.
I just realised something about this. If mysql_escape_string doesn’t escape the % character, would that allow us to put in something like, say, %22 for a double-quote character? It would be the same as with some URLs having %20 in place of a space character, wouldn’t it? Or would that work with this? Just a thought.
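As an added example (my code, not the plugin's), here is how the add and delete branches above look once the category id is validated as an integer and bound with $wpdb->prepare()'s %d placeholder (escaping quotes never helped a value that is spliced in unquoted), and the name and colour are checked against a whitelist in the spirit of the comment above. The helper names are my own; $wpdb, WP_CALENDAR_CATEGORIES_TABLE and WP_CALENDAR_TABLE are assumed to be WordPress's and the plugin's as shown on the page.

```php
<?php
// Added example, not the plugin's own code. Assumes it runs inside WordPress:
// global $wpdb and the WP_CALENDAR_* table constants from the snippet above.

// Inclusive ("whitelist") validation: accept only what each field is meant to hold.
function calendar_valid_category_id($raw) {
    // category_id is used unquoted in the SQL, so quote-escaping never protected it;
    // insisting on a positive integer (and %d below) does.
    if (!is_string($raw) && !is_int($raw)) return null;
    return preg_match('/^[1-9][0-9]*$/', (string) $raw) === 1 ? (int) $raw : null;
}

function calendar_valid_category_colour($raw) {
    // The form says "Hex format" with maxlength 7: #RRGGBB only (assumed interpretation).
    return is_string($raw) && preg_match('/^#[0-9A-Fa-f]{6}$/', $raw) === 1 ? strtoupper($raw) : null;
}

function calendar_valid_category_name($raw) {
    // maxlength 30 on the form; letters and digits of any script plus a few marks.
    return is_string($raw) && preg_match('/^[\p{L}\p{N} _.\'-]{1,30}$/u', $raw) === 1 ? $raw : null;
}

// Hardened delete: every value goes through $wpdb->prepare(), which casts %d to an integer.
function calendar_delete_category($category_id) {
    global $wpdb;
    $id = calendar_valid_category_id($category_id);
    // Category 1 is the fallback the original code moves events to, so refuse to delete it.
    if ($id === null || $id === 1) return false;
    $wpdb->query($wpdb->prepare(
        "DELETE FROM " . WP_CALENDAR_CATEGORIES_TABLE . " WHERE category_id = %d", $id));
    $wpdb->query($wpdb->prepare(
        "UPDATE " . WP_CALENDAR_TABLE . " SET event_category = 1 WHERE event_category = %d", $id));
    return true;
}

// Hardened add: strings are bound with %s, which prepare() quotes and escapes itself.
function calendar_add_category($name, $colour) {
    global $wpdb;
    $n = calendar_valid_category_name($name);
    $c = calendar_valid_category_colour($colour);
    if ($n === null || $c === null) return false;
    $wpdb->query($wpdb->prepare(
        "INSERT INTO " . WP_CALENDAR_CATEGORIES_TABLE . " SET category_name = %s, category_colour = %s",
        $n, $c));
    return true;
}
```

With these helpers the handler can reject a request outright (and log it) instead of passing a value like "0%" or "%22" on to MySQL at all.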