Changeset 8020

Timestamp:
08/09/09 21:50:41 (3 years ago)
Author:
p_lindheimer
Message:

more escapeSimple sql escaping

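--- a/modules/branches/2.6/core/functions.inc.php
+++ b/modules/branches/2.6/core/functions.inc.php
@@ -2983,36 +2983,32 @@
   if ( !is_array($sipfields) ) { // left for compatibilty....lord knows why !
     $sipfields = array(
-      //array($account,'account',$account),
-      array($account,'accountcode',(isset($_REQUEST['accountcode']))?$_REQUEST['accountcode']:'',$flag++),
-      array($account,'secret',(isset($_REQUEST['secret']))?$_REQUEST['secret']:'',$flag++),
-      array($account,'canreinvite',(isset($_REQUEST['canreinvite']))?$_REQUEST['canreinvite']:'no',$flag++),
-      array($account,'context',(isset($_REQUEST['context']))?$_REQUEST['context']:'from-internal',$flag++),
-      array($account,'dtmfmode',(isset($_REQUEST['dtmfmode']))?$_REQUEST['dtmfmode']:'',$flag++),
-      array($account,'host',(isset($_REQUEST['host']))?$_REQUEST['host']:'dynamic',$flag++),
-      array($account,'type',(isset($_REQUEST['type']))?$_REQUEST['type']:'friend',$flag++),
-      array($account,'mailbox',(isset($_REQUEST['mailbox']) && !empty($_REQUEST['mailbox']))?$_REQUEST['mailbox']:$account.'@device',$flag++),
-      array($account,'username',(isset($_REQUEST['username']))?$_REQUEST['username']:$account,$flag++),
-      array($account,'nat',(isset($_REQUEST['nat']))?$_REQUEST['nat']:'yes',$flag++),
-      array($account,'port',(isset($_REQUEST['port']))?$_REQUEST['port']:'5060',$flag++),
-      array($account,'qualify',(isset($_REQUEST['qualify']))?$_REQUEST['qualify']:'yes',$flag++),
-      array($account,'callgroup',(isset($_REQUEST['callgroup']))?$_REQUEST['callgroup']:'',$flag++),
-      array($account,'pickupgroup',(isset($_REQUEST['pickupgroup']))?$_REQUEST['pickupgroup']:'',$flag++),
-      array($account,'deny',(isset($_REQUEST['deny']))?$_REQUEST['deny']:'',$flag++),
-      array($account,'permit',(isset($_REQUEST['permit']))?$_REQUEST['permit']:'',$flag++),
-      array($account,'disallow',(isset($_REQUEST['disallow']))?$_REQUEST['disallow']:'',$flag++),
-      array($account,'allow',(isset($_REQUEST['allow']))?$_REQUEST['allow']:'',$flag++)
-      //array($account,'record_in',(isset($_REQUEST['record_in']))?$_REQUEST['record_in']:'On-Demand'),
-      //array($account,'record_out',(isset($_REQUEST['record_out']))?$_REQUEST['record_out']:'On-Demand'),
-      //array($account,'callerid',(isset($_REQUEST['description']))?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>')
+      array($account,'accountcode',$db->escapeSimple((isset($_REQUEST['accountcode']))?$_REQUEST['accountcode']:''),$flag++),
+      array($account,'secret',$db->escapeSimple((isset($_REQUEST['secret']))?$_REQUEST['secret']:''),$flag++),
+      array($account,'canreinvite',$db->escapeSimple((isset($_REQUEST['canreinvite']))?$_REQUEST['canreinvite']:'no'),$flag++),
+      array($account,'context',$db->escapeSimple((isset($_REQUEST['context']))?$_REQUEST['context']:'from-internal'),$flag++),
+      array($account,'dtmfmode',$db->escapeSimple((isset($_REQUEST['dtmfmode']))?$_REQUEST['dtmfmode']:''),$flag++),
+      array($account,'host',$db->escapeSimple((isset($_REQUEST['host']))?$_REQUEST['host']:'dynamic'),$flag++),
+      array($account,'type',$db->escapeSimple((isset($_REQUEST['type']))?$_REQUEST['type']:'friend'),$flag++),
+      array($account,'mailbox',$db->escapeSimple((isset($_REQUEST['mailbox']) && !empty($_REQUEST['mailbox']))?$_REQUEST['mailbox']:$account.'@device'),$flag++),
+      array($account,'username',$db->escapeSimple((isset($_REQUEST['username']))?$_REQUEST['username']:$account),$flag++),
+      array($account,'nat',$db->escapeSimple((isset($_REQUEST['nat']))?$_REQUEST['nat']:'yes'),$flag++),
+      array($account,'port',$db->escapeSimple((isset($_REQUEST['port']))?$_REQUEST['port']:'5060'),$flag++),
+      array($account,'qualify',$db->escapeSimple((isset($_REQUEST['qualify']))?$_REQUEST['qualify']:'yes'),$flag++),
+      array($account,'callgroup',$db->escapeSimple((isset($_REQUEST['callgroup']))?$_REQUEST['callgroup']:''),$flag++),
+      array($account,'pickupgroup',$db->escapeSimple((isset($_REQUEST['pickupgroup']))?$_REQUEST['pickupgroup']:''),$flag++),
+      array($account,'deny',$db->escapeSimple((isset($_REQUEST['deny']))?$_REQUEST['deny']:''),$flag++),
+      array($account,'permit',$db->escapeSimple((isset($_REQUEST['permit']))?$_REQUEST['permit']:''),$flag++),
+      array($account,'disallow',$db->escapeSimple((isset($_REQUEST['disallow']))?$_REQUEST['disallow']:''),$flag++),
+      array($account,'allow',$db->escapeSimple((isset($_REQUEST['allow']))?$_REQUEST['allow']:''),$flag++)
     );
   }
 
   // Very bad
-  $sipfields[] = array($account,'account',$account,$flag++);
-  $sipfields[] = array($account,'callerid',(isset($_REQUEST['description']) && $_REQUEST['description'])?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>',$flag++);
+  $sipfields[] = array($account,'account',$db->escapeSimple($account),$flag++);
+  $sipfields[] = array($account,'callerid',$db->escapeSimple((isset($_REQUEST['description']) && $_REQUEST['description'])?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>'),$flag++);
 
   // Where is this in the interface ??????
-  $sipfields[] = array($account,'record_in',($_REQUEST['record_in'])?$_REQUEST['record_in']:'On-Demand',$flag++);
-  $sipfields[] = array($account,'record_out',($_REQUEST['record_out'])?$_REQUEST['record_out']:'On-Demand',$flag++);
+  $sipfields[] = array($account,'record_in',$db->escapeSimple(($_REQUEST['record_in'])?$_REQUEST['record_in']:'On-Demand'),$flag++);
+  $sipfields[] = array($account,'record_out',$db->escapeSimple(($_REQUEST['record_out'])?$_REQUEST['record_out']:'On-Demand'),$flag++);
 
   $compiled = $db->prepare('INSERT INTO sip (id, keyword, data, flags) values (?,?,?,?)');
@@ -3067,37 +3063,33 @@
     $flag = 2;
     $iaxfields = array(
-      //array($account,'account',$account),
-      array($account,'secret',($_REQUEST['secret'])?$_REQUEST['secret']:'',$flag++),
-      array($account,'notransfer',($_REQUEST['notransfer'])?$_REQUEST['notransfer']:'yes',$flag++),
-      array($account,'context',($_REQUEST['context'])?$_REQUEST['context']:'from-internal',$flag++),
-      array($account,'host',($_REQUEST['host'])?$_REQUEST['host']:'dynamic',$flag++),
-      array($account,'type',($_REQUEST['type'])?$_REQUEST['type']:'friend',$flag++),
-      array($account,'mailbox',($_REQUEST['mailbox'])?$_REQUEST['mailbox']:$account.'@device',$flag++),
-      array($account,'username',($_REQUEST['username'])?$_REQUEST['username']:$account,$flag++),
-      array($account,'port',($_REQUEST['port'])?$_REQUEST['port']:'4569',$flag++),
-      array($account,'qualify',($_REQUEST['qualify'])?$_REQUEST['qualify']:'yes',$flag++),
-      array($account,'deny',(isset($_REQUEST['deny']))?$_REQUEST['deny']:'',$flag++),
-      array($account,'permit',(isset($_REQUEST['permit']))?$_REQUEST['permit']:'',$flag++),
-      array($account,'disallow',($_REQUEST['disallow'])?$_REQUEST['disallow']:'',$flag++),
-      array($account,'allow',($_REQUEST['allow'])?$_REQUEST['allow']:'',$flag++),
-      array($account,'accountcode',($_REQUEST['accountcode'])?$_REQUEST['accountcode']:'',$flag++)
-      //array($account,'record_in',($_REQUEST['record_in'])?$_REQUEST['record_in']:'On-Demand'),
-      //array($account,'record_out',($_REQUEST['record_out'])?$_REQUEST['record_out']:'On-Demand'),
-      //array($account,'callerid',($_REQUEST['description'])?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>')
+      array($account,'secret',$db->escapeSimple(($_REQUEST['secret'])?$_REQUEST['secret']:''),$flag++),
+      array($account,'notransfer',$db->escapeSimple(($_REQUEST['notransfer'])?$_REQUEST['notransfer']:'yes'),$flag++),
+      array($account,'context',$db->escapeSimple(($_REQUEST['context'])?$_REQUEST['context']:'from-internal'),$flag++),
+      array($account,'host',$db->escapeSimple(($_REQUEST['host'])?$_REQUEST['host']:'dynamic'),$flag++),
+      array($account,'type',$db->escapeSimple(($_REQUEST['type'])?$_REQUEST['type']:'friend'),$flag++),
+      array($account,'mailbox',$db->escapeSimple(($_REQUEST['mailbox'])?$_REQUEST['mailbox']:$account.'@device'),$flag++),
+      array($account,'username',$db->escapeSimple(($_REQUEST['username'])?$_REQUEST['username']:$account),$flag++),
+      array($account,'port',$db->escapeSimple(($_REQUEST['port'])?$_REQUEST['port']:'4569'),$flag++),
+      array($account,'qualify',$db->escapeSimple(($_REQUEST['qualify'])?$_REQUEST['qualify']:'yes'),$flag++),
+      array($account,'deny',$db->escapeSimple((isset($_REQUEST['deny']))?$_REQUEST['deny']:''),$flag++),
+      array($account,'permit',$db->escapeSimple((isset($_REQUEST['permit']))?$_REQUEST['permit']:''),$flag++),
+      array($account,'disallow',$db->escapeSimple(($_REQUEST['disallow'])?$_REQUEST['disallow']:''),$flag++),
+      array($account,'allow',$db->escapeSimple(($_REQUEST['allow'])?$_REQUEST['allow']:''),$flag++),
+      array($account,'accountcode',$db->escapeSimple(($_REQUEST['accountcode'])?$_REQUEST['accountcode']:''),$flag++)
     );
   }
 
   // Very bad
-  $iaxfields[] = array($account,'account',$account,$flag++);
-  $iaxfields[] = array($account,'callerid',(isset($_REQUEST['description']) && $_REQUEST['description'] != '')?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>',$flag++);
+  $iaxfields[] = array($account,'account',$db->escapeSimple($account),$flag++);
+  $iaxfields[] = array($account,'callerid',$db->escapeSimple((isset($_REQUEST['description']) && $_REQUEST['description'] != '')?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>'),$flag++);
   // Asterisk treats no caller ID from an IAX device as 'hide callerid', and ignores the caller ID
   // set in iax.conf. As we rely on this for pretty much everything, we need to specify the
   // callerid as a variable which gets picked up in macro-callerid.
   // Ref - http://bugs.digium.com/view.php?id=456
-  $iaxfields[] = array($account,'setvar',"REALCALLERIDNUM=$account",$flag++);
+  $iaxfields[] = array($account,'setvar',$db->escapeSimple("REALCALLERIDNUM=$account"),$flag++);
 
   // Where is this in the interface ??????
-  $iaxfields[] = array($account,'record_in',($_REQUEST['record_in'])?$_REQUEST['record_in']:'On-Demand',$flag++);
-  $iaxfields[] = array($account,'record_out',($_REQUEST['record_out'])?$_REQUEST['record_out']:'On-Demand',$flag++);
+  $iaxfields[] = array($account,'record_in',$db->escapeSimple(($_REQUEST['record_in'])?$_REQUEST['record_in']:'On-Demand'),$flag++);
+  $iaxfields[] = array($account,'record_out',$db->escapeSimple(($_REQUEST['record_out'])?$_REQUEST['record_out']:'On-Demand'),$flag++);
 
   $compiled = $db->prepare('INSERT INTO iax (id, keyword, data, flags) values (?,?,?,?)');
@@ -3151,33 +3143,29 @@
   if ( !is_array($zapfields) ) { // left for compatibilty....lord knows why !
     $zapfields = array(
-      //array($account,'account',$account),
-      array($account,'context',($_REQUEST['context'])?$_REQUEST['context']:'from-internal'),
-      array($account,'mailbox',($_REQUEST['mailbox'])?$_REQUEST['mailbox']:$account.'@device'),
-      //array($account,'callerid',($_REQUEST['description'])?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>'),
-      array($account,'immediate',($_REQUEST['immediate'])?$_REQUEST['immediate']:'no'),
-      array($account,'signalling',($_REQUEST['signalling'])?$_REQUEST['signalling']:'fxo_ks'),
-      array($account,'echocancel',($_REQUEST['echocancel'])?$_REQUEST['echocancel']:'yes'),
-      array($account,'echocancelwhenbridged',($_REQUEST['echocancelwhenbridged'])?$_REQUEST['echocancelwhenbridged']:'no'),
-      array($account,'immediate',($_REQUEST['immediate'])?$_REQUEST['immediate']:'no'),
-      array($account,'echotraining',($_REQUEST['echotraining'])?$_REQUEST['echotraining']:'800'),
-      array($account,'busydetect',($_REQUEST['busydetect'])?$_REQUEST['busydetect']:'no'),
-      array($account,'busycount',($_REQUEST['busycount'])?$_REQUEST['busycount']:'7'),
-      array($account,'callprogress',($_REQUEST['callprogress'])?$_REQUEST['callprogress']:'no'),
-      //array($account,'record_in',($_REQUEST['record_in'])?$_REQUEST['record_in']:'On-Demand'),
-      //array($account,'record_out',($_REQUEST['record_out'])?$_REQUEST['record_out']:'On-Demand'),
-      array($account,'accountcode',(isset($_REQUEST['accountcode']))?$_REQUEST['accountcode']:''),
-      array($account,'callgroup',(isset($_REQUEST['callgroup']))?$_REQUEST['callgroup']:''),
-      array($account,'pickupgroup',(isset($_REQUEST['pickupgroup']))?$_REQUEST['pickupgroup']:''),
-      array($account,'channel',($_REQUEST['channel'])?$_REQUEST['channel']:'')
+      array($account,'context',$db->escapeSimple(($_REQUEST['context'])?$_REQUEST['context']:'from-internal')),
+      array($account,'mailbox',$db->escapeSimple(($_REQUEST['mailbox'])?$_REQUEST['mailbox']:$account.'@device')),
+      array($account,'immediate',$db->escapeSimple(($_REQUEST['immediate'])?$_REQUEST['immediate']:'no')),
+      array($account,'signalling',$db->escapeSimple(($_REQUEST['signalling'])?$_REQUEST['signalling']:'fxo_ks')),
+      array($account,'echocancel',$db->escapeSimple(($_REQUEST['echocancel'])?$_REQUEST['echocancel']:'yes')),
+      array($account,'echocancelwhenbridged',$db->escapeSimple(($_REQUEST['echocancelwhenbridged'])?$_REQUEST['echocancelwhenbridged']:'no')),
+      array($account,'immediate',$db->escapeSimple(($_REQUEST['immediate'])?$_REQUEST['immediate']:'no')),
+      array($account,'echotraining',$db->escapeSimple(($_REQUEST['echotraining'])?$_REQUEST['echotraining']:'800')),
+      array($account,'busydetect',$db->escapeSimple(($_REQUEST['busydetect'])?$_REQUEST['busydetect']:'no')),
+      array($account,'busycount',$db->escapeSimple(($_REQUEST['busycount'])?$_REQUEST['busycount']:'7')),
+      array($account,'callprogress',$db->escapeSimple(($_REQUEST['callprogress'])?$_REQUEST['callprogress']:'no')),
+      array($account,'accountcode',$db->escapeSimple((isset($_REQUEST['accountcode']))?$_REQUEST['accountcode']:'')),
+      array($account,'callgroup',$db->escapeSimple((isset($_REQUEST['callgroup']))?$_REQUEST['callgroup']:'')),
+      array($account,'pickupgroup',$db->escapeSimple((isset($_REQUEST['pickupgroup']))?$_REQUEST['pickupgroup']:'')),
+      array($account,'channel',$db->escapeSimple(($_REQUEST['channel'])?$_REQUEST['channel']:''))
     );
   }
 
   // Very bad
-  $zapfields[] = array($account,'account',$account);
-  $zapfields[] = array($account,'callerid',($_REQUEST['description'])?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>');
+  $zapfields[] = array($account,'account',$db->escapeSimple($account));
+  $zapfields[] = array($account,'callerid',$db->escapeSimple(($_REQUEST['description'])?$_REQUEST['description']." <".$account.'>':'device'." <".$account.'>'));
 
   // Where is this in the interface ??????
-  $zapfields[] = array($account,'record_in',($_REQUEST['record_in'])?$_REQUEST['record_in']:'On-Demand');
-  $zapfields[] = array($account,'record_out',($_REQUEST['record_out'])?$_REQUEST['record_out']:'On-Demand');
+  $zapfields[] = array($account,'record_in',$db->escapeSimple(($_REQUEST['record_in'])?$_REQUEST['record_in']:'On-Demand'));
+  $zapfields[] = array($account,'record_out',$db->escapeSimple(($_REQUEST['record_out'])?$_REQUEST['record_out']:'On-Demand'));
 
   $compiled = $db->prepare('INSERT INTO zap (id, keyword, data) values (?,?,?)');
@@ -3916,5 +3904,5 @@
   foreach($confitem as $k=>$v) {
     $seq = ($disable_flag == 1) ? 1 : $seq+1;
-    $dbconfitem[]=array($k,$v,$seq);
+    $dbconfitem[]=array($db->escapeSimple($k),$db->escapeSimple($v),$seq);
   }
   $compiled = $db->prepare("INSERT INTO $table (id, keyword, data, flags) values ('$trunknum',?,?,?)");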
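Review bot: In the last hunk `$k` and `$v` are wrapped in `$db->escapeSimple()` and then handed to `?` placeholders of `$db->prepare("INSERT INTO $table (id, keyword, data, flags) values ('$trunknum',?,?,?)")`, so the driver quotes them a second time and a keyword or value containing `'` or `\` is stored with a literal backslash rather than being neutralised; the same double escaping applies to every `escapeSimple()` added to the sip, iax and zap arrays earlier in the section, which feed `values (?,?,?,?)` statements and are presumably bound the same way (the execute calls are outside the hunks). Meanwhile the two fragments that are actually interpolated into that SQL string, `$trunknum` and `$table`, are left as they were; their origin is outside the hunk, but if either can be request-controlled that is the real injection point, and the fix belongs there: bind it, `values (?,?,?,?)` with `$trunknum` prepended to each row, and allow-list `$table`, rather than escaping values the placeholders already protect. Dropping the added `escapeSimple()` wrappers while keeping the placeholders would also restore stored secrets and caller-ID strings to exactly what the user entered. The enclosing function starts and ends outside the hunk.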