Security update of SQL injection and file deletion

admin/AJAX_check_id.php

@@ -18,7 +18,7 @@
 if (isset($_POST['id']) AND !empty($_POST['id'])) {
   $id = $dbs->escape_string(trim($_POST['id']));
 } else {
-  die('<strong style="color: #FF0000;">' . __('No ID Supplied!') . '</strong>');
+  die('<strong style="color: #FF0000;">' . __('No ID Supplied!') . '</strong>');
 }
 
 // sql string

admin/admin_template/default-dz/function.php

@@ -112,7 +112,7 @@ function get_shortcuts_menu()
 {
     global $dbs;
     $shortcuts = array();
-    $shortcuts_q = $dbs->query('SELECT * FROM setting WHERE setting_name LIKE \'shortcuts_'.$_SESSION['uid'].'\'');
+    $shortcuts_q = $dbs->query('SELECT * FROM setting WHERE setting_name LIKE \'shortcuts_'.$dbs->escape_string($_SESSION['uid']).'\'');
     $shortcuts_d = $shortcuts_q->fetch_assoc();
     if ($shortcuts_q->num_rows > 0) {
       $shortcuts = unserialize($shortcuts_d['setting_value']);

admin/admin_template/default/function.php

@@ -117,7 +117,7 @@ function get_shortcuts_menu()
 {
     global $dbs;
     $shortcuts = array();
-    $shortcuts_q = $dbs->query('SELECT * FROM setting WHERE setting_name LIKE \'shortcuts_'.$_SESSION['uid'].'\'');
+    $shortcuts_q = $dbs->query('SELECT * FROM setting WHERE setting_name LIKE \'shortcuts_'.$dbs->escape_string($_SESSION['uid']).'\'');
     $shortcuts_d = $shortcuts_q->fetch_assoc();
     if ($shortcuts_q->num_rows > 0) {
       $shortcuts = unserialize($shortcuts_d['setting_value']);

admin/modules/bibliography/biblio.inc.php

@@ -209,6 +209,7 @@ public function marc_export($input_id = 0, $offset = 0, $total = 10000, $format
       if ($total < 1) {
         $total = 1000000;
       }
+      $input_id = $dbs->escape_string($input_id);
       if ($input_id == 'BATCH') {
         $records = $this->getRecords(null, $offset, $total);
       } else {

admin/modules/bibliography/biblio_utils.inc.php

@@ -25,6 +25,7 @@ function getAuthorID($str_author_name, $str_author_type, &$arr_cache = false)
 {
   global $dbs;
   $str_value = trim($str_author_name);
+  $str_author_type = $dbs->escape_string($str_author_type);
   if ($arr_cache) {
       if (isset($arr_cache[$str_value])) {
           return $arr_cache[$str_value];

admin/modules/bibliography/index.php

@@ -81,7 +81,9 @@ function getimagesizefromstring($string_data)
   $_delete = $dbs->query(sprintf('UPDATE biblio SET image=NULL WHERE biblio_id=%d', $_POST['bimg']));
   $_delete2 = $dbs->query(sprintf('UPDATE search_biblio SET image=NULL WHERE biblio_id=%d', $_POST['bimg']));
   if ($_delete) {
-    @unlink(sprintf(IMGBS.'docs/%s',$_POST['img']));
+    $postImage = stripslashes($_POST['img']);
+    $postImage = str_replace('/', '', $postImage);
+    @unlink(sprintf(IMGBS.'docs/%s',$postImage));
     exit('<script type="text/javascript">alert(\''.$_POST['img'].' successfully removed!\'); $(\'#biblioImage, #imageFilename\').remove();</script>');
   }
   exit();

lib/contents/member.inc.php

@@ -101,15 +101,15 @@
             header('Location: index.php?p=member');
             exit();
         } else {
-            // md5 password
-            $md5_password = MD5($password);
-            // query password
-            $_pass_q = $dbs->query('SELECT mpasswd FROM member WHERE member_id = \''.$username.'\'');
-            $_pass_d = $_pass_q->fetch_row();
-            if ($_pass_d[0] === $md5_password) {
+            $_member_sql = sprintf('SELECT member_name FROM member
+            WHERE mpasswd=MD5(\'%s\') AND member_id=\'%s\'',
+            $dbs->escape_string(trim($password)), $dbs->escape_string(trim($username)));
+            $_member_q = $dbs->query($_member_sql);
+            if ($_member_q->num_rows > 0) {
+                $_member_d = $_member_q->fetch_row();
                 $msg  = '';
                 $msg .= '<div class="panel panel-danger">';
-                $msg .= '<div class="panel-heading">'.__('Please update your password!').'</div>';
+                $msg .= '<div class="panel-heading">Hi, '. $_member_d[0] .'! '.__('Please update your password!').'</div>';
                 $msg .= '<div class="panel-body">';
                 $msg .= '<form method="post" action="index.php?p=member">';
                 $msg .= '<div class="form-group">';

lib/member_logon.inc.php

@@ -239,7 +239,7 @@ public function valid($obj_db) {
         // update the last login time
         $obj_db->query("UPDATE member SET last_login='".date("Y-m-d H:i:s")."',
             last_login_ip='".$_SERVER['REMOTE_ADDR']."'
-            WHERE member_id='".$this->user_info['member_id']."'");
+            WHERE member_id='".$obj_db->escape_string($this->user_info['member_id'])."'");
 
         return true;
     }

template/classic-dz/biblio_list_template.php

@@ -57,7 +57,7 @@ function biblio_list_format($dbs, $biblio_detail, $n, $settings = array(), &$ret
         if (!isset($label_cache[$label[0]]['name'])) {
           $label_q = $dbs->query('SELECT label_name, 
             label_desc, label_image FROM mst_label AS lb
-            WHERE lb.label_name=\''.$label[0].'\'');
+            WHERE lb.label_name=\''.$dbs->escape_string($label[0]).'\'');
           $label_d = $label_q->fetch_row();
           $label_cache[$label[0]] = array( 'name'  => $label_d[0], 
             'desc'  => $label_d[1], 

template/classic/biblio_list_template.php

@@ -57,7 +57,7 @@ function biblio_list_format($dbs, $biblio_detail, $n, $settings = array(), &$ret
         if (!isset($label_cache[$label[0]]['name'])) {
           $label_q = $dbs->query('SELECT label_name, 
             label_desc, label_image FROM mst_label AS lb
-            WHERE lb.label_name=\''.$label[0].'\'');
+            WHERE lb.label_name=\''.$dbs->escape_string($label[0]).'\'');
           $label_d = $label_q->fetch_row();
           $label_cache[$label[0]] = array( 'name'  => $label_d[0], 
             'desc'  => $label_d[1], 

template/default-dz/biblio_list_template.php

@@ -57,7 +57,7 @@ function biblio_list_format($dbs, $biblio_detail, $n, $settings = array(), &$ret
         if (!isset($label_cache[$label[0]]['name'])) {
           $label_q = $dbs->query('SELECT label_name, 
             label_desc, label_image FROM mst_label AS lb
-            WHERE lb.label_name=\''.$label[0].'\'');
+            WHERE lb.label_name=\''.$dbs->escape_string($label[0]).'\'');
           $label_d = $label_q->fetch_row();
           $label_cache[$label[0]] = array( 'name'  => $label_d[0], 
             'desc'  => $label_d[1], 

template/default/biblio_list_template.php

@@ -57,7 +57,7 @@ function biblio_list_format($dbs, $biblio_detail, $n, $settings = array(), &$ret
         if (!isset($label_cache[$label[0]]['name'])) {
           $label_q = $dbs->query('SELECT label_name, 
             label_desc, label_image FROM mst_label AS lb
-            WHERE lb.label_name=\''.$label[0].'\'');
+            WHERE lb.label_name=\''.$dbs->escape_string($label[0]).'\'');
           $label_d = $label_q->fetch_row();
           $label_cache[$label[0]] = array( 'name'  => $label_d[0], 
             'desc'  => $label_d[1], 

template/lightweight/biblio_list_template.php

@@ -57,7 +57,7 @@ function biblio_list_format($dbs, $biblio_detail, $n, $settings = array(), &$ret
         if (!isset($label_cache[$label[0]]['name'])) {
           $label_q = $dbs->query('SELECT label_name, 
             label_desc, label_image FROM mst_label AS lb
-            WHERE lb.label_name=\''.$label[0].'\'');
+            WHERE lb.label_name=\''.$dbs->escape_string($label[0]).'\'');
           $label_d = $label_q->fetch_row();
           $label_cache[$label[0]] = array( 'name'  => $label_d[0], 
             'desc'  => $label_d[1],