From: Brion Vibber
Date: Tue, 30 Nov 2010 00:44:01 +0000 (-0800)
Subject: General code safety: validate input and escape SQL strings in common_relative_profile()
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=3f0557aa8efa715e288c731178a27e8d4914a1a7;p=quix0rs-gnu-social.git
General code safety: validate input and escape SQL strings in common_relative_profile()
---
diff --git a/lib/util.php b/lib/util.php
index 317a7aa42e..42762b22fb 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -1118,17 +1118,20 @@ function common_group_link($sender_id, $nickname)
  *
  * @param $sender the user or profile in whose context we're looking
  * @param string $nickname validated nickname of
- * @param $dt unused mystery parameter.
+ * @param $dt unused mystery parameter; in Notice reply-to handling a timestamp is passed.
  *
  * @return Profile or null
  */
 function common_relative_profile($sender, $nickname, $dt=null)
 {
+    // Will throw exception on invalid input.
+    $nickname = Nickname::normalize($nickname);
+
     // Try to find profiles this profile is subscribed to that have this nickname
     $recipient = new Profile();
     // XXX: use a join instead of a subquery
-    $recipient->whereAdd('EXISTS (SELECT subscribed from subscription where subscriber = '.$sender->id.' and subscribed = id)', 'AND');
-    $recipient->whereAdd("nickname = '" . trim($nickname) . "'", 'AND');
+    $recipient->whereAdd('EXISTS (SELECT subscribed from subscription where subscriber = '.intval($sender->id).' and subscribed = id)', 'AND');
+    $recipient->whereAdd("nickname = '" . $recipient->escape($nickname) . "'", 'AND');
     if ($recipient->find(true)) {
         // XXX: should probably differentiate between profiles with
         // the same name by date of most recent update
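Review bot: The docblock in this hunk still reads `@param string $nickname validated nickname of` and `@return Profile or null`, but the new `Nickname::normalize($nickname)` call means an invalid nickname now raises instead of returning null, so any caller that relied on a null result (the Notice reply-to path mentioned in the $dt comment, presumably) needs a catch, and the contract change is invisible from the signature. Add a `@throws` line naming the exception type that Nickname::normalize() raises, and reword the param line to `@param string $nickname nickname to look up; normalized here, so callers need not pre-validate`. Keeping `$recipient->escape()` on the normalized value is the right defence in depth, since the query string is still built by concatenation; the same `nickname = '...'` clause is built again in the second hunk, so the escaped value could be computed once after the normalize call and reused by both queries. common_relative_profile() continues past the end of this hunk.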
@@ -1137,8 +1140,8 @@ function common_relative_profile($sender, $nickname, $dt=null)
     // Try to find profiles that listen to this profile and that have this nickname
     $recipient = new Profile();
     // XXX: use a join instead of a subquery
-    $recipient->whereAdd('EXISTS (SELECT subscriber from subscription where subscribed = '.$sender->id.' and subscriber = id)', 'AND');
-    $recipient->whereAdd("nickname = '" . trim($nickname) . "'", 'AND');
+    $recipient->whereAdd('EXISTS (SELECT subscriber from subscription where subscribed = '.intval($sender->id).' and subscriber = id)', 'AND');
+    $recipient->whereAdd("nickname = '" . $recipient->escape($nickname) . "'", 'AND');
     if ($recipient->find(true)) {
         // XXX: should probably differentiate between profiles with
         // the same name by date of most recent update