fix: remove SQL injections in Admin

This commit is contained in:
Martin Ambrus
2017-10-19 21:17:11 +02:00
parent 529bb2209c
commit 331885a110
74 changed files with 327 additions and 221 deletions
+44 -20
View File
@@ -16,6 +16,14 @@
## Source code: https://github.com/Shadowss/TravianZ ##
## ##
#################################################################################
if (!function_exists('mysqli_result')) {
function mysqli_result($res, $row, $field=0) {
$res->data_seek($row);
$datarow = $res->fetch_array();
return $datarow[$field];
}
}
if(isset($gameinstall) && $gameinstall == 1){
include_once("../../GameEngine/config.php");
include_once("../../GameEngine/Data/buidata.php");
@@ -35,6 +43,8 @@ class adm_DB {
}
function Login($username,$password){
global $database;
list($username,$password) = $database->escape_input($username,$password);
$q = "SELECT password FROM ".TB_PREFIX."users where username = '$username' and access >= ".MULTIHUNTER;
$result = mysqli_query($this->connection,$q);
$dbarray = mysqli_fetch_array($result);
@@ -70,7 +80,7 @@ class adm_DB {
}
}
$q = "UPDATE ".TB_PREFIX."vdata set pop = $popTot where wref = $vid";
$q = "UPDATE ".TB_PREFIX."vdata set pop = $popTot where wref = ".(int) $vid;
mysqli_query($this->connection, $q);
}
@@ -85,7 +95,7 @@ class adm_DB {
$popTot += $this->buildingCP($building,$lvl);
}
}
$q = "UPDATE ".TB_PREFIX."vdata set cp = $popTot where wref = $vid";
$q = "UPDATE ".TB_PREFIX."vdata set cp = $popTot where wref = ".(int) $vid;
mysqli_query($this->connection,$q);
}
@@ -114,7 +124,7 @@ class adm_DB {
}
function getWref($x,$y) {
$q = "SELECT id FROM ".TB_PREFIX."wdata where x = $x and y = $y";
$q = "SELECT id FROM ".TB_PREFIX."wdata where x = ".(int) $x." and y = ".(int) $y;
$result = mysqli_query($this->connection,$q);
$r = mysqli_fetch_array($result);
return $r['id'];
@@ -127,7 +137,7 @@ class adm_DB {
$status = $database->getVillageState($wid);
$status = 0;
if($status == 0){
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,".$_SESSION['id'].",'Added new village <b><a href=\'admin.php?p=village&did=$wid\'>$wid</a></b> to user <b><a href=\'admin.php?p=player&uid=$uid\'>$uid</a></b>',".time().")");
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,".(int) $_SESSION['id'].",'Added new village <b><a href=\'admin.php?p=village&did=$wid\'>$wid</a></b> to user <b><a href=\'admin.php?p=player&uid=$uid\'>$uid</a></b>',".time().")");
$database->setFieldTaken($wid);
$database->addVillage($wid,$uid,'new village','0');
$database->addResourceFields($wid,$database->getVillageType($wid));
@@ -164,23 +174,23 @@ class adm_DB {
}
if($post['clean_ware']){
$time = time();
$q = "UPDATE ".TB_PREFIX."vdata SET `wood` = '0', `clay` = '0', `iron` = '0', `crop` = '0', `lastupdate` = '$time' WHERE wref = $vid;";
$q = "UPDATE ".TB_PREFIX."vdata SET `wood` = '0', `clay` = '0', `iron` = '0', `crop` = '0', `lastupdate` = '$time' WHERE wref = ".(int) $vid;
mysqli_query($this->connection,$q);
}
}
mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,".$_SESSION['id'].",'Punished user: <a href=\'admin.php?p=player&uid=".$post['uid']."\'>".$post['uid']."</a> with <b>-".$post['punish']."%</b> population',".time().")");
mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,".(int) $_SESSION['id'].",'Punished user: <a href=\'admin.php?p=player&uid=".(int) $post['uid']."\'>".(int) $post['uid']."</a> with <b>-".(int) $post['punish']."%</b> population',".time().")");
}
function PunishBuilding($vid,$proc,$pop){
global $database;
$q = "UPDATE ".TB_PREFIX."vdata set pop = $pop where wref = $vid;";
$q = "UPDATE ".TB_PREFIX."vdata set pop = ".(int) $pop." where wref = ".(int) $vid;
mysqli_query($this->connection,$q);
$fdata = $database->getResourceLevel($vid);
for ($i = 1; $i <= 40; $i++) {
if($fdata['f'.$i]>1){
$zm = ($fdata['f'.$i]/100)*$proc;
if($zm < 1){$zm = 1;}else{$zm = floor($zm);}
$q = "UPDATE ".TB_PREFIX."fdata SET `f$i` = '$zm' WHERE `vref` = $vid;";
$q = "UPDATE ".TB_PREFIX."fdata SET `f$i` = '$zm' WHERE `vref` = ".(int) $vid;
mysqli_query($this->connection, $q);
}
}
@@ -193,24 +203,24 @@ class adm_DB {
}
function DelUnits2($vid,$unit){
$q = "UPDATE ".TB_PREFIX."units SET `u$unit` = '0' WHERE `vref` = $vid;";
$q = "UPDATE ".TB_PREFIX."units SET `u$unit` = '0' WHERE `vref` = ".(int) $vid;
mysqli_query($this->connection,$q);
}
function DelPlayer($uid,$pass){
global $database;
$ID = $_SESSION['id'];//$database->getUserField($_SESSION['username'],'id',1);
$ID = (int) $_SESSION['id'];//$database->getUserField($_SESSION['username'],'id',1);
if($this->CheckPass($pass,$ID)){
$villages = $database->getProfileVillages($uid);
for ($i = 0; $i <= count($villages)-1; $i++) {
$this->DelVillage($villages[$i]['wref'], 1);
}
$q = "DELETE FROM ".TB_PREFIX."hero where uid = $uid";
$q = "DELETE FROM ".TB_PREFIX."hero where uid = ".(int) $uid;
mysqli_query($this->connection,$q);
$name = $database->getUserField($uid,"username",0);
mysqli_query($this->connection,"Insert into ".TB_PREFIX."admin_log values (0,$ID,'Deleted user <a>$name</a>',".time().")");
$q = "DELETE FROM ".TB_PREFIX."users WHERE `id` = $uid;";
$q = "DELETE FROM ".TB_PREFIX."users WHERE `id` = ".(int) $uid;
mysqli_query($this->connection,$q);
}
}
@@ -223,7 +233,7 @@ class adm_DB {
}
function CheckPass($password,$uid){
$q = "SELECT password FROM ".TB_PREFIX."users where id = '$uid' and access = ".ADMIN;
$q = "SELECT password FROM ".TB_PREFIX."users where id = ".(int) $uid." and access = ".ADMIN;
$result = mysqli_query($this->connection, $q);
$dbarray = mysqli_fetch_array($result);
if($dbarray['password'] == md5($password)) {
@@ -235,6 +245,7 @@ class adm_DB {
function DelVillage($wref, $mode=0){
global $database;
$wref = (int) $wref;
if($mode==0){
$q = "SELECT * FROM ".TB_PREFIX."vdata WHERE `wref` = $wref and capital = 0";
}else{
@@ -242,7 +253,7 @@ class adm_DB {
}
$result = mysqli_query($this->connection, $q);
if(mysqli_num_rows($result) > 0){
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,".$_SESSION['id'].",'Deleted village <b>$wref</b>',".time().")");
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,".(int) $_SESSION['id'].",'Deleted village <b>$wref</b>',".time().")");
$database->clearExpansionSlot($wref);
@@ -315,8 +326,9 @@ class adm_DB {
function DelBan($uid,$id){
global $database;
$name = addslashes($database->getUserField($uid,"username",0));
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,".$_SESSION['id'].",'Unbanned user <a href=\'admin.php?p=player&uid=$uid\'>$name</a>',".time().")");
$name = addslashes($database->getUserField($uid,"username",0));
$uid = (int) $uid;
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,".(int) $_SESSION['id'].",'Unbanned user <a href=\'admin.php?p=player&uid=$uid\'>$name</a>',".time().")");
$q = "UPDATE ".TB_PREFIX."users SET `access` = '".USER."' WHERE `id` = $uid;";
mysqli_query($this->connection, $q);
$q = "UPDATE ".TB_PREFIX."banlist SET `active` = '0' WHERE `id` = $id;";
@@ -326,41 +338,53 @@ class adm_DB {
function AddBan($uid,$end,$reason){
global $database;
$name = addslashes($database->getUserField($uid,"username",0));
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,".$_SESSION['id'].",'Banned user <a href=\'admin.php?p=player&uid=$uid\'>$name</a>',".time().")");
$q = "UPDATE ".TB_PREFIX."users SET `access` = '0' WHERE `id` = $uid;";
list($end,$reason) = $database->escape_input($end,$reason);
$uid = (int) $uid;
mysqli_query("Insert into ".TB_PREFIX."admin_log values (0,".(int) $_SESSION['id'].",'Banned user <a href=\'admin.php?p=player&uid=$uid\'>$name</a>',".time().")");
$q = "UPDATE ".TB_PREFIX."users SET `access` = '0' WHERE `id` = $uid";
mysqli_query($this->connection, $q);
$time = time();
$admin = $_SESSION['id']; //$database->getUserField($_SESSION['username'],'id',1);
$admin = (int) $_SESSION['id']; //$database->getUserField($_SESSION['username'],'id',1);
$name = addslashes($database->getUserField($uid,'username',0));
$q = "INSERT INTO ".TB_PREFIX."banlist (`uid`, `name`, `reason`, `time`, `end`, `admin`, `active`) VALUES ($uid, '$name' , '$reason', '$time', '$end', '$admin', '1');";
mysqli_query($this->connection, $q);
}
function search_player($player){
global $database;
$player = $database->escape($player);
$q = "SELECT id,username FROM ".TB_PREFIX."users WHERE `username` LIKE '%$player%' and username != 'support'";
$result = mysqli_query($this->connection, $q);
return $this->mysqli_fetch_all($result);
}
function search_email($email){
global $database;
$email = $database->escape($email);
$q = "SELECT id,email FROM ".TB_PREFIX."users WHERE `email` LIKE '%$email%' and username != 'support'";
$result = mysqli_query($this->connection, $q);
return $this->mysqli_fetch_all($result);
}
function search_village($village){
global $database;
$village = $database->escape($village);
$q = "SELECT * FROM ".TB_PREFIX."vdata WHERE `name` LIKE '%$village%' or `wref` LIKE '%$village%'";
$result = mysqli_query($this->connection, $q);
return $this->mysqli_fetch_all($result);
}
function search_alliance($alliance){
global $database;
$alliance = $database->escape($alliance);
$q = "SELECT * FROM ".TB_PREFIX."alidata WHERE `name` LIKE '%$alliance%' or `tag` LIKE '%$alliance%' or `id` LIKE '%$alliance%'";
$result = mysqli_query($this->connection, $q);
return $this->mysqli_fetch_all($result);
}
function search_ip($ip){
global $database;
$ip = $database->escape($ip);
$q = "SELECT * FROM ".TB_PREFIX."login_log WHERE `ip` LIKE '%$ip%'";
$result = mysqli_query($this->connection, $q);
return $this->mysqli_fetch_all($result);
@@ -519,7 +543,7 @@ class adm_DB {
}
if( intval($enforce['hero']) > 0){
$q = "SELECT * FROM ".TB_PREFIX."hero WHERE uid = ".$from['owner']."";
$q = "SELECT * FROM ".TB_PREFIX."hero WHERE uid = ".(int) $from['owner']."";
$result = mysqli_query($q);
$hero_f=mysqli_fetch_array($result);
$hero_unit=$hero_f['unit'];