From ee467fe734f543fff048cf9c6f8ec6962d7d67dc Mon Sep 17 00:00:00 2001
From: Martin Ambrus
Date: Tue, 17 Oct 2017 13:18:26 +0200
Subject: [PATCH] fix: sanitization of username in session where used directly in queries
---
 GameEngine/Session.php | 13 +++++++------
 Templates/Ajax/quest_core.tpl | 9 +++++----
 Templates/Ajax/quest_core25.tpl | 9 +++++----
 3 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/GameEngine/Session.php b/GameEngine/Session.php
index e398fcb0..444dd89d 100755
--- a/GameEngine/Session.php
+++ b/GameEngine/Session.php
@@ -85,17 +85,18 @@ class Session {
 $this->logged_in = true;
 $_SESSION['sessid'] = $generator->generateRandID();
 $_SESSION['username'] = $user;
+ $user_sanitized = $database->escape($user);
 $_SESSION['checker'] = $generator->generateRandStr(3);
 $_SESSION['mchecker'] = $generator->generateRandStr(5);
- $_SESSION['qst'] = $database->getUserField($_SESSION['username'], "quest", 1);
- $result = mysqli_query($GLOBALS['link'],"SELECT village_select FROM `". TB_PREFIX."users` WHERE `username`='".$_SESSION['username']."'");
+ $_SESSION['qst'] = $database->getUserField($user_sanitized, "quest", 1);
+ $result = mysqli_query($GLOBALS['link'],"SELECT village_select FROM `". TB_PREFIX."users` WHERE `username`='".$user_sanitized."'");
 $dbarray = mysqli_fetch_assoc($result);
 $selected_village=$dbarray['village_select'];
 if(!isset($_SESSION['wid'])) {
 if($selected_village!='') {
 $query = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'vdata` WHERE `wref` = '.$selected_village);
 }else{
- $query = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'vdata` WHERE `owner` = ' . $database->getUserField($_SESSION['username'], "id", 1) . ' LIMIT 1');
+ $query = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'vdata` WHERE `owner` = ' . $database->getUserField($user_sanitized, "id", 1) . ' LIMIT 1');
 }
 $data = mysqli_fetch_assoc($query);
 $_SESSION['wid'] = $data['wref'];
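Review bot: The escaped `$user_sanitized` is passed both into string-built SQL and into `$database->getUserField()` (and into `addActiveUser()`/`updateUserField()` in the hunks at -104 and -112), but the diff does not show whether those helpers escape their argument again; if they do, usernames containing `'` or `\` are now double-escaped and the lookups return nothing, while quest_core.tpl in this same commit keeps passing the raw `$_SESSION['username']` to the same helpers, so the two files disagree about which form the helpers expect. Escaping at each call site is fragile; the durable fix for the raw query is a prepared statement, e.g. `$stmt = mysqli_prepare($GLOBALS['link'], "SELECT village_select FROM " . TB_PREFIX . "users WHERE username = ?"); mysqli_stmt_bind_param($stmt, 's', $user); mysqli_stmt_execute($stmt);`. The rewritten `owner` query still interpolates the `getUserField(..., "id", 1)` result unquoted; casting it, `' . (int)$database->getUserField($user_sanitized, "id", 1) . '`, makes that comparison safe regardless of what the helper returns. The enclosing method starts before this hunk and its body continues past it.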
@@ -104,7 +105,7 @@ class Session {
 if($selected_village!='') {
 $query = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'vdata` WHERE `wref` = '.$selected_village);
 }else{
- $query = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'vdata` WHERE `owner` = ' . $database->getUserField($_SESSION['username'], "id", 1) . ' LIMIT 1');
+ $query = mysqli_query($GLOBALS['link'],'SELECT * FROM `' . TB_PREFIX . 'vdata` WHERE `owner` = ' . $database->getUserField($user_sanitized, "id", 1) . ' LIMIT 1');
 }
 $data = mysqli_fetch_assoc($query);
 $_SESSION['wid'] = $data['wref'];
@@ -112,8 +113,8 @@ class Session {
 $this->PopulateVar();
 $logging->addLoginLog($this->uid, $_SERVER['REMOTE_ADDR']);
- $database->addActiveUser($_SESSION['username'], $this->time);
- $database->updateUserField($_SESSION['username'], "sessid", $_SESSION['sessid'], 0);
+ $database->addActiveUser($user_sanitized, $this->time);
+ $database->updateUserField($user_sanitized, "sessid", $_SESSION['sessid'], 0);
 header("Location: dorf1.php");
 }
diff --git a/Templates/Ajax/quest_core.tpl b/Templates/Ajax/quest_core.tpl
index c6b533f8..65f58b49 100644
--- a/Templates/Ajax/quest_core.tpl
+++ b/Templates/Ajax/quest_core.tpl
@@ -19,6 +19,7 @@
 include("GameEngine/Village.php");
 include("GameEngine/Data/cp.php");
+$user_sanitized = $database->escape($_SESSION['username']);
 $uArray = $database->getUserArray($_SESSION['username'],0);
 $check_quest=$database->getUserField($_SESSION['username'],'quest','username');
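Review bot: In the quest_core.tpl hunk at -19, `$user_sanitized` is derived from `$_SESSION['username']` but the next two lines still hand the raw session value to `getUserArray()` and `getUserField()`, so within this file the helpers receive unescaped input while the raw UPDATE statements receive the escaped copy; Session.php in this same commit does the opposite and passes the escaped value to the helpers, and quest_core25.tpl at -21 mirrors this file. Whichever contract the helpers actually implement, one of the two files is either double-escaping or not escaping at all, and a comment at the declaration would pin the intent down: `// escaped for direct use inside SQL string literals only; the $database helper methods take the raw value`. Note also that `$database->escape()` is presumably a mysqli_real_escape_string wrapper, whose output is only correct for the charset configured on the connection; that the connection sets one explicitly is worth confirming, since it is not visible here.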
@@ -71,7 +72,7 @@ if (isset($qact)){
 $_SESSION['qst']= 3;
 //Give Reward
 if(!$session->plus){
- mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+86400 where `username`='".$_SESSION['username']."'") or die(mysqli_error($database->dblink));
+ mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+86400 where `username`='".$user_sanitized."'") or die(mysqli_error($database->dblink));
 } else {
 $plus=$database->getUserField($_SESSION['username'],'plus','username');
 $plus+=86400;
@@ -151,7 +152,7 @@ if (isset($qact)){
 $_SESSION['qst']= 11;
 //Give Reward
 if(!$session->plus){
- mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+172800 where `username`='".$_SESSION['username']."'") or die(mysqli_error($database->dblink));
+ mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+172800 where `username`='".$user_sanitized."'") or die(mysqli_error());
 } else {
 $plus=$database->getUserField($_SESSION['username'],'plus','username');
 $plus+=172800;
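Review bot: In the hunk at -151 the rewritten line changes `die(mysqli_error($database->dblink))` to `die(mysqli_error())`, dropping the required link argument; on PHP 7.1 and later that throws an ArgumentCountError instead of reporting the query failure, and on older versions it warns and dies with an empty message. The same regression appears at -338 and -401 in this file, while the hunk at -71 and all four quest_core25.tpl hunks keep the argument, so it looks unintended; restore `or die(mysqli_error($database->dblink));` on those three lines. Separately, dying with the raw driver message sends database error text to the client; logging it server-side and returning a generic failure would be the safer pattern, though that predates this change.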
@@ -338,7 +339,7 @@ if (isset($qact)){
 $_SESSION['qst_time'] = time()+$skipp_time;
 //Give Reward
 if(!$session->plus){
- mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+86400 where `username`='".$_SESSION['username']."'") or die(mysqli_error($database->dblink));
+ mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+86400 where `username`='".$user_sanitized."'") or die(mysqli_error());
 } else {
 $plus=$database->getUserField($_SESSION['username'],'plus','username');
 $plus+=86400;
@@ -401,7 +402,7 @@ if (isset($qact)){
 $_SESSION['qst']= 97;
 //Give Reward 20 gold + 2 days plus
 if(!$session->plus){
- mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+172800 where `username`='".$_SESSION['username']."'") or die(mysqli_error($database->dblink));
+ mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+172800 where `username`='".$user_sanitized."'") or die(mysqli_error());
 } else {
 $plus=$database->getUserField($_SESSION['username'],'plus','username');
 $plus+=172800;
diff --git a/Templates/Ajax/quest_core25.tpl b/Templates/Ajax/quest_core25.tpl
index 187004f3..b7f9c9cd 100644
--- a/Templates/Ajax/quest_core25.tpl
+++ b/Templates/Ajax/quest_core25.tpl
@@ -21,6 +21,7 @@ if (!isset($_SESSION)) {
 include_once("GameEngine/Village.php");
 include_once("GameEngine/Data/cp.php");
+$user_sanitized = $database->escape($_SESSION['username']);
 $uArray = $database->getUserArray($_SESSION['username'],0);
 $check_quest=$uArray['quest'];
 $_SESSION['qst_time'] = $uArray['quest_time'];
@@ -69,7 +70,7 @@ if (isset($qact)){
 $_SESSION['qst']= 3;
 //Give Reward
 if(!$session->plus){
- mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+86400 where `username`='".$_SESSION['username']."'") or die(mysqli_error($database->dblink));
+ mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+86400 where `username`='".$user_sanitized."'") or die(mysqli_error($database->dblink));
 } else {
 $plus=$database->getUserField($_SESSION['username'],'plus','username');
 $plus+=86400;
@@ -154,7 +155,7 @@ if (isset($qact)){
 $_SESSION['qst']= 11;
 //Give Reward
 if(!$session->plus){
- mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+172800 where `username`='".$_SESSION['username']."'") or die(mysqli_error($database->dblink));
+ mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+172800 where `username`='".$user_sanitized."'") or die(mysqli_error($database->dblink));
 } else {
 $plus=$database->getUserField($_SESSION['username'],'plus','username');
 $plus+=172800;
@@ -322,7 +323,7 @@ if (isset($qact)){
 $_SESSION['qst_time'] = time()+$skipp_time;
 //Give Reward
 if(!$session->plus){
- mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+86400 where `username`='".$_SESSION['username']."'") or die(mysqli_error($database->dblink));
+ mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+86400 where `username`='".$user_sanitized."'") or die(mysqli_error($database->dblink));
 } else {
 $plus=$database->getUserField($_SESSION['username'],'plus',1);
 $plus+=86400;
@@ -385,7 +386,7 @@ if (isset($qact)){
 $_SESSION['qst']= 97;
 //Give Reward 20 gold + 2 days plus
 if(!$session->plus){
- mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+172800 where `username`='".$_SESSION['username']."'") or die(mysqli_error($database->dblink));
+ mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users set plus = ('".mktime(date("H"),date("i"), date("s"),date("m") , date("d"), date("Y"))."')+172800 where `username`='".$user_sanitized."'") or die(mysqli_error($database->dblink));
 } else {
 $plus=$database->getUserField($_SESSION['username'],'plus',1);
 $plus+=172800;