Commit 5d32bc0c authored by Bate's avatar Bate

Secu contre injection sql de planning2

parent 14f9f16b
...@@ -39,13 +39,13 @@ class planning2 extends stdentity ...@@ -39,13 +39,13 @@ class planning2 extends stdentity
function add ( $name, $group, $admin_group, $weekly, $start, $end, $is_public = true ) function add ( $name, $group, $admin_group, $weekly, $start, $end, $is_public = true )
{ {
$this->name = $name; $this->name = mysql_real_escape_string($name);
$this->group = $group; $this->group = intval($group);
$this->admin_group = $admin_group; $this->admin_group = intval($admin_group);
$this->weekly = $weekly; $this->weekly = intval($weekly);
$this->start = $start; $this->start = mysql_real_escape_string($start);
$this->end = $end; $this->end = mysql_real_escape_string($end);
$this->is_public= $is_public; $this->is_public= ((bool)$is_public);
$sql = new insert ($this->dbrw, $sql = new insert ($this->dbrw,
"pl2_planning", "pl2_planning",
...@@ -72,12 +72,12 @@ class planning2 extends stdentity ...@@ -72,12 +72,12 @@ class planning2 extends stdentity
function update ( $name, $group, $admin_group, $start, $end , $is_public) function update ( $name, $group, $admin_group, $start, $end , $is_public)
{ {
$this->name = $name; $this->name = mysql_real_escape_string($name);
$this->group = $group; $this->group = intval($group);
$this->admin_group = $admin_group; $this->admin_group = intval($admin_group);
$this->start = $start; $this->start = mysql_real_escape_string($start);
$this->end = $end; $this->end = mysql_real_escape_string($end);
$this->is_public = $is_public; $this->is_public = ((bool)$is_public);
$sql = new update ($this->dbrw, $sql = new update ($this->dbrw,
"pl2_planning", "pl2_planning",
...@@ -117,6 +117,11 @@ class planning2 extends stdentity ...@@ -117,6 +117,11 @@ class planning2 extends stdentity
function add_gap( $start, $end, $gap_name, $max_users ) function add_gap( $start, $end, $gap_name, $max_users )
{ {
$start = mysql_real_escape_string($start);
$end = mysql_real_escape_string($end);
$gap_name = mysql_real_escape_string($gap_name);
$max_users = intval($max_users);
$gap_name = trim($gap_name); $gap_name = trim($gap_name);
if( $max_users <= 0 ) if( $max_users <= 0 )
return -1; return -1;
...@@ -153,6 +158,11 @@ class planning2 extends stdentity ...@@ -153,6 +158,11 @@ class planning2 extends stdentity
function update_gap( $gap_id, $start, $end, $gap_name, $max_users ) function update_gap( $gap_id, $start, $end, $gap_name, $max_users )
{ {
$gap_id = intval($gap_id);
$start = mysql_real_escape_string($start);
$end = mysql_real_escape_string($end);
$gap_name = mysql_real_escape_string($gap_name);
$max_users = intval($max_users);
if($gap_id <= 0 ) if($gap_id <= 0 )
return -1; return -1;
if( $max_users <= 0 ) if( $max_users <= 0 )
...@@ -188,6 +198,7 @@ class planning2 extends stdentity ...@@ -188,6 +198,7 @@ class planning2 extends stdentity
function delete_gap( $gap_id ) function delete_gap( $gap_id )
{ {
$gap_id = intval($gap_id);
$sql = new delete($this->dbrw, "pl2_user_gap", $sql = new delete($this->dbrw, "pl2_user_gap",
array( array(
"id_gap" => $gap_id "id_gap" => $gap_id
...@@ -205,7 +216,7 @@ class planning2 extends stdentity ...@@ -205,7 +216,7 @@ class planning2 extends stdentity
function get_max_users_for( $gap_id, $start, $end ) function get_max_users_for( $gap_id, $start, $end )
{ {
$gap_id = mysql_escape_string($gap_id); $gap_id = intval($gap_id);
$start = mysql_escape_string($start); $start = mysql_escape_string($start);
$end = mysql_escape_string($end); $end = mysql_escape_string($end);
if(!$this->weekly) if(!$this->weekly)
...@@ -283,6 +294,11 @@ class planning2 extends stdentity ...@@ -283,6 +294,11 @@ class planning2 extends stdentity
function is_user_addable( $gap_id, $user_id, $start, $end ) function is_user_addable( $gap_id, $user_id, $start, $end )
{ {
$gap_id = intval($gap_id);
$user_id = $intval($user_id);
$start = mysql_real_escape_string($start);
$end = mysql_real_escape_string($end);
$sql = new requete($this->db, $sql = new requete($this->db,
"SELECT * from pl2_user_gap "SELECT * from pl2_user_gap
WHERE id_gap = '$gap_id' WHERE id_gap = '$gap_id'
...@@ -358,6 +374,10 @@ class planning2 extends stdentity ...@@ -358,6 +374,10 @@ class planning2 extends stdentity
function add_user_to_gap( $gap_id, $user_id, $start, $end) function add_user_to_gap( $gap_id, $user_id, $start, $end)
{ {
$gap_id = intval($gap_id);
$user_id = $intval($user_id);
$start = mysql_real_escape_string($start);
$end = mysql_real_escape_string($end);
if(!$this->is_user_addable($gap_id,$user_id,$start,$end)) if(!$this->is_user_addable($gap_id,$user_id,$start,$end))
return -1; return -1;
$sql = new insert ($this->dbrw, $sql = new insert ($this->dbrw,
...@@ -379,6 +399,7 @@ class planning2 extends stdentity ...@@ -379,6 +399,7 @@ class planning2 extends stdentity
function remove_user_from_gap( $user_gap_id ) function remove_user_from_gap( $user_gap_id )
{ {
$user_gap_id = intval($user_gap_id);
$sql = new delete($this->dbrw, "pl2_user_gap", $sql = new delete($this->dbrw, "pl2_user_gap",
array( array(
"id_user_gap" => $user_gap_id "id_user_gap" => $user_gap_id
...@@ -388,6 +409,7 @@ class planning2 extends stdentity ...@@ -388,6 +409,7 @@ class planning2 extends stdentity
function get_gaps_for_user( $user_id) function get_gaps_for_user( $user_id)
{ {
$user_id = intval($user_id);
return new requete($this->db, return new requete($this->db,
"SELECT id_gap FROM pl2_user_gap "SELECT id_gap FROM pl2_user_gap
WHERE id_utilisateur = $user_id"); WHERE id_utilisateur = $user_id");
...@@ -395,6 +417,8 @@ class planning2 extends stdentity ...@@ -395,6 +417,8 @@ class planning2 extends stdentity
function get_gaps( $start, $end ) function get_gaps( $start, $end )
{ {
$start = mysql_real_escape_string($start);
$end = mysql_real_escape_string($end);
if($this->weekly) if($this->weekly)
return new requete($this->db, return new requete($this->db,
"SELECT id_gap, start, end, name_gap, max_users FROM pl2_gap "SELECT id_gap, start, end, name_gap, max_users FROM pl2_gap
...@@ -411,6 +435,8 @@ class planning2 extends stdentity ...@@ -411,6 +435,8 @@ class planning2 extends stdentity
function get_gaps_time( $start, $end ) function get_gaps_time( $start, $end )
{ {
$start = mysql_real_escape_string($start);
$end = mysql_real_escape_string($end);
if($this->weekly) if($this->weekly)
return new requete($this->db, return new requete($this->db,
"SELECT start as date FROM pl2_gap "SELECT start as date FROM pl2_gap
...@@ -441,6 +467,7 @@ class planning2 extends stdentity ...@@ -441,6 +467,7 @@ class planning2 extends stdentity
function get_gap_info( $gap_id ) function get_gap_info( $gap_id )
{ {
$gap_id = intval($gap_id);
return new requete($this->db, return new requete($this->db,
"SELECT id_gap, name_gap, start, end FROM pl2_gap "SELECT id_gap, name_gap, start, end FROM pl2_gap
WHERE id_gap = $gap_id AND id_planning = $this->id"); WHERE id_gap = $gap_id AND id_planning = $this->id");
...@@ -448,6 +475,7 @@ class planning2 extends stdentity ...@@ -448,6 +475,7 @@ class planning2 extends stdentity
function get_user_gap_info( $user_gap_id ) function get_user_gap_info( $user_gap_id )
{ {
$user_gap_id = intval($user_gap_id);
return new requete($this->db, return new requete($this->db,
"SELECT id_gap, id_utilisateur, start, end FROM pl2_user_gap "SELECT id_gap, id_utilisateur, start, end FROM pl2_user_gap
WHERE id_user_gap = $user_gap_id"); WHERE id_user_gap = $user_gap_id");
...@@ -455,12 +483,14 @@ class planning2 extends stdentity ...@@ -455,12 +483,14 @@ class planning2 extends stdentity
function get_gaps_from_names( $name ) function get_gaps_from_names( $name )
{ {
$name = mysql_real_escape_string($name);
return new requete($this->db, return new requete($this->db,
"SELECT id_gap FROM pl2_gap WHERE id_planning = $this->id AND gap_name = '$name' ORDER BY start"); "SELECT id_gap FROM pl2_gap WHERE id_planning = $this->id AND gap_name = '$name' ORDER BY start");
} }
function get_week_start( $date ) function get_week_start( $date )
{ {
$date = mysql_real_escape_string($date);
if($this->weekly) if($this->weekly)
{ {
$diff = $date - $this->start; $diff = $date - $this->start;
...@@ -484,7 +514,8 @@ class planning2 extends stdentity ...@@ -484,7 +514,8 @@ class planning2 extends stdentity
function get_users_for_gap( $gap_id, $date ) function get_users_for_gap( $gap_id, $date )
{ {
$gap_id = intval($gap_id);
$date = mysql_real_escape_string($date);
$sql = new requete($this->db, $sql = new requete($this->db,
"SELECT start,end FROM pl2_gap "SELECT start,end FROM pl2_gap
WHERE id_gap = $gap_id"); WHERE id_gap = $gap_id");
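Review bot: `$user_id = $intval($user_id);` in is_user_addable, and the same line again in add_user_to_gap, calls a variable function through an undefined `$intval` rather than the built-in, so PHP aborts both entry points at that statement before any query runs; the line should read `$user_id = intval($user_id);` in both places. get_max_users_for still passes `$start` and `$end` through mysql_escape_string while every other hunk moved to mysql_real_escape_string, and since mysql_escape_string ignores the connection character set those two lines are worth aligning with the rest. Note also that add() and update() now store the escaped strings in `$this->name`, `$this->start` and `$this->end`, so anything that reads those properties back (display code, or an `insert`/`update` helper that escapes on its own) will see the escaped form — worth confirming the helpers do not escape a second time. The bodies of all of these functions continue outside the hunks.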