Fixed sqli in sqlite3

tonythomas01 · tonythomas01 · commit 7a8430df7927 · 2014-10-05T21:50:51.000+05:30
diff --git a/assets/php/delegateRegistration.php b/assets/php/delegateRegistration.php
@@ -51,21 +51,21 @@ function __construct()
 		$myDateTime = new DateTime( Date( '' ), new DateTimeZone( 'GMT' ) );
 		$myDateTime->setTimezone( new DateTimeZone( 'Asia/Kolkata' ) );
 		$date = $myDateTime->format( 'Y-m-d H:i:s' );
-		$name = $_POST['del-name'];
+		$name = SQLite3::escapeString($_POST['del-name']);
 		if ( empty( $_POST['del-email'] ) )
 		{
 			$emailerror = "Required Field";
 		}
 		else
 		{
-			$email = $_POST['del-email'];
+			$email = SQLite3::escapeString($_POST['del-email']);
 			if ( !preg_match( "/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email ) )
 			{
 				$emailerror = "Invalid Format";
 			}
 		}
-		$org = $_POST['del-org'];
-		$city = $_POST['del-city'];
+		$org = SQLite3::escapeString($_POST['del-org']);
+		$city = SQLite3::escapeString($_POST['del-city']);
 		if ( !preg_match( '/$^|^[a-zA-Z]+[0-9]*[\. ,]*[a-zA-Z0-9]*$/', $city ) )
 		{
 			$cityerror = "City name must start with a letter and can contain only alphanumerics, spaces, periods and commas";
@@ -76,23 +76,23 @@ function __construct()
 			$arrivalerror = "No arriving date given";
 		} else {
 
-			$arrival = $_POST['del-arrival'];
+			$arrival = SQLite3::escapeString($_POST['del-arrival']);
 		}
 		if ( empty( $_POST['del-depart'] ) ) {
 			$departureerror = "No departure date given";
 		} else {
-			$departure = $_POST['del-depart'];
+			$departure = SQLite3::escapeString($_POST['del-depart']);
 		}
 		$lap = 1;
 		if ( empty( $_POST['del-accom'] ) ) {
 			$accom = "0";
 		} else {
-			$accom = $_POST['del-accom'];
+			$accom = SQLite3::escapeString($_POST['del-accom']);
 		}
 		if ( empty( $_POST['del-tshirt'] ) ) {
 			$tshirt = "0";
 		} else {
-			$tshirt = $_POST['del-tshirt'];
+			$tshirt = SQLite3::escapeString($_POST['del-tshirt']);
 		}
 
 		if ( $nameerror == "" && $emailerror == "" && $arrivalerror == "" && $departureerror == "" && $orgerror == "" && $cityerror == "" )
diff --git a/assets/php/speakerRegistration.php b/assets/php/speakerRegistration.php
@@ -1,6 +1,5 @@
 <?php
-error_reporting( E_ALL );
-ini_set( 'display_errors', '1' );
+error_reporting(0);
 # Database Connection
 class database extends SQLite3
 {
@@ -54,62 +53,62 @@ function __construct()
 		$myDateTime = new DateTime( Date( '' ), new DateTimeZone( 'GMT' ) );
 		$myDateTime->setTimezone( new DateTimeZone( 'Asia/Kolkata' ) );
 		$date = $myDateTime->format( 'Y-m-d H:i:s' );
-		$name = $_POST['sp-name'];
+		$name = SQLite3::escapeString( $_POST['sp-name'] );
 		if ( empty( $_POST['sp-email'] ) )
 		{
 			$emailerror = "Required Field";
 		}
 		else
 		{
-			$email = $_POST['sp-email'];
+			$email = SQLite3::escapeString( $_POST['sp-email'] );
 			if ( !preg_match( "/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email ) )
 			{
 				$emailerror = "Invalid Format";
 			}
 		}
-		$org = $_POST['sp-org'];
-		$city = $_POST['sp-city'];
+		$org = SQLite3::escapeString( $_POST['sp-org'] );
+		$city = SQLite3::escapeString( $_POST['sp-city'] );
 		if ( !preg_match( '/$^|^[a-zA-Z]+[0-9]*[\. ,]*[a-zA-Z0-9]*$/', $city ) )
 		{
 			$cityerror = "City name must start with a letter and can contain only alphanumerics, spaces, periods and commas";
 		}
 		if ( empty( $_POST['sp-profile'] ) ) {
 			$profilerror = "No profile";
 		} else {
-			$profile = $_POST['sp-profile'];
+			$profile = SQLite3::escapeString( $_POST['sp-profile'] );
 		}
 
 		if ( empty( $_POST['sp-tshirt'] ) ) {
 			$tshirt = "0";
 		} else {
-			$tshirt = $_POST['sp-tshirt'];
+			$tshirt = SQLite3::escapeString( $_POST['sp-tshirt'] );
 		}
 
 		if ( empty( $_POST['sp-arrival'] ) ) {
 			$arrivalerror = "No arriving date given";
 		} else {
-			$arrival = $_POST['sp-arrival'];
+			$arrival = SQLite3::escapeString( $_POST['sp-arrival'] );
 		}
 		if ( empty( $_POST['sp-depart'] ) ) {
 			$departureerror = "No departure date given";
 		} else {
-			$departure = $_POST['sp-depart'];
+			$departure = SQLite3::escapeString( $_POST['sp-depart'] );
 		}
 		$lap = 1;
 		if ( empty( $_POST['sp-accom'] ) ) {
 			$accom = "0";
 		} else {
-			$accom = $_POST['sp-accom'];
+			$accom = SQLite3::escapeString( $_POST['sp-accom'] );
 		}
-		$pretitle = $_POST['sp-title'];
+		$pretitle = SQLite3::escapeString( $_POST['sp-title'] );
 		if ( empty( $pretitle ) )
 		{
 			$titleerror = "Required Field";
 		}
 		else
 		{
-			$title = $_POST['sp-title'];
-			$desc = $_POST['sp-desc'];
+			$title = SQLite3::escapeString( $_POST['sp-title'] );
+			$desc = SQLite3::escapeString( $_POST['sp-desc'] );
 
 		}
 		if ( $nameerror == "" && $emailerror == "" && $arrivalerror == "" && $departureerror == "" && $orgerror == "" && $cityerror == "" && $titleerror == "" && $profilerror == "" )
@@ -123,11 +122,11 @@ function __construct()
 				header( 'location:../../registration_success.html' );
 			} else {
 				echo "fail";
-//				header( 'location:../../registration_fail.html' );
+				header( 'location:../../registration_fail.html' );
 			}
 		} else {
 			echo "fail";
-//			header( 'location:../../registration_fail.html' );
+			header( 'location:../../registration_fail.html' );
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -51,21 +51,21 @@ function __construct()`
`51`	`51`	`$myDateTime = new DateTime( Date( '' ), new DateTimeZone( 'GMT' ) );`
`52`	`52`	`$myDateTime->setTimezone( new DateTimeZone( 'Asia/Kolkata' ) );`
`53`	`53`	`$date = $myDateTime->format( 'Y-m-d H:i:s' );`
`54`		`- $name = $_POST['del-name'];`
	`54`	`+ $name = SQLite3::escapeString($_POST['del-name']);`
`55`	`55`	`if ( empty( $_POST['del-email'] ) )`
`56`	`56`	`{`
`57`	`57`	`$emailerror = "Required Field";`
`58`	`58`	`}`
`59`	`59`	`else`
`60`	`60`	`{`
`61`		`- $email = $_POST['del-email'];`
	`61`	`+ $email = SQLite3::escapeString($_POST['del-email']);`
`62`	`62`	`if ( !preg_match( "/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email ) )`
`63`	`63`	`{`
`64`	`64`	`$emailerror = "Invalid Format";`
`65`	`65`	`}`
`66`	`66`	`}`
`67`		`- $org = $_POST['del-org'];`
`68`		`- $city = $_POST['del-city'];`
	`67`	`+ $org = SQLite3::escapeString($_POST['del-org']);`
	`68`	`+ $city = SQLite3::escapeString($_POST['del-city']);`
`69`	`69`	`if ( !preg_match( '/$^\|^[a-zA-Z]+[0-9][\. ,][a-zA-Z0-9]*$/', $city ) )`
`70`	`70`	`{`
`71`	`71`	`$cityerror = "City name must start with a letter and can contain only alphanumerics, spaces, periods and commas";`
`@@ -76,23 +76,23 @@ function __construct()`
`76`	`76`	`$arrivalerror = "No arriving date given";`
`77`	`77`	`} else {`
`78`	`78`
`79`		`- $arrival = $_POST['del-arrival'];`
	`79`	`+ $arrival = SQLite3::escapeString($_POST['del-arrival']);`
`80`	`80`	`}`
`81`	`81`	`if ( empty( $_POST['del-depart'] ) ) {`
`82`	`82`	`$departureerror = "No departure date given";`
`83`	`83`	`} else {`
`84`		`- $departure = $_POST['del-depart'];`
	`84`	`+ $departure = SQLite3::escapeString($_POST['del-depart']);`
`85`	`85`	`}`
`86`	`86`	`$lap = 1;`
`87`	`87`	`if ( empty( $_POST['del-accom'] ) ) {`
`88`	`88`	`$accom = "0";`
`89`	`89`	`} else {`
`90`		`- $accom = $_POST['del-accom'];`
	`90`	`+ $accom = SQLite3::escapeString($_POST['del-accom']);`
`91`	`91`	`}`
`92`	`92`	`if ( empty( $_POST['del-tshirt'] ) ) {`
`93`	`93`	`$tshirt = "0";`
`94`	`94`	`} else {`
`95`		`- $tshirt = $_POST['del-tshirt'];`
	`95`	`+ $tshirt = SQLite3::escapeString($_POST['del-tshirt']);`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`if ( $nameerror == "" && $emailerror == "" && $arrivalerror == "" && $departureerror == "" && $orgerror == "" && $cityerror == "" )`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`	`1`	`<?php`
`2`		`-error_reporting( E_ALL );`
`3`		`-ini_set( 'display_errors', '1' );`
	`2`	`+error_reporting(0);`
`4`	`3`	`# Database Connection`
`5`	`4`	`class database extends SQLite3`
`6`	`5`	`{`
`@@ -54,62 +53,62 @@ function __construct()`
`54`	`53`	`$myDateTime = new DateTime( Date( '' ), new DateTimeZone( 'GMT' ) );`
`55`	`54`	`$myDateTime->setTimezone( new DateTimeZone( 'Asia/Kolkata' ) );`
`56`	`55`	`$date = $myDateTime->format( 'Y-m-d H:i:s' );`
`57`		`- $name = $_POST['sp-name'];`
	`56`	`+ $name = SQLite3::escapeString( $_POST['sp-name'] );`
`58`	`57`	`if ( empty( $_POST['sp-email'] ) )`
`59`	`58`	`{`
`60`	`59`	`$emailerror = "Required Field";`
`61`	`60`	`}`
`62`	`61`	`else`
`63`	`62`	`{`
`64`		`- $email = $_POST['sp-email'];`
	`63`	`+ $email = SQLite3::escapeString( $_POST['sp-email'] );`
`65`	`64`	`if ( !preg_match( "/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email ) )`
`66`	`65`	`{`
`67`	`66`	`$emailerror = "Invalid Format";`
`68`	`67`	`}`
`69`	`68`	`}`
`70`		`- $org = $_POST['sp-org'];`
`71`		`- $city = $_POST['sp-city'];`
	`69`	`+ $org = SQLite3::escapeString( $_POST['sp-org'] );`
	`70`	`+ $city = SQLite3::escapeString( $_POST['sp-city'] );`
`72`	`71`	`if ( !preg_match( '/$^\|^[a-zA-Z]+[0-9][\. ,][a-zA-Z0-9]*$/', $city ) )`
`73`	`72`	`{`
`74`	`73`	`$cityerror = "City name must start with a letter and can contain only alphanumerics, spaces, periods and commas";`
`75`	`74`	`}`
`76`	`75`	`if ( empty( $_POST['sp-profile'] ) ) {`
`77`	`76`	`$profilerror = "No profile";`
`78`	`77`	`} else {`
`79`		`- $profile = $_POST['sp-profile'];`
	`78`	`+ $profile = SQLite3::escapeString( $_POST['sp-profile'] );`
`80`	`79`	`}`
`81`	`80`
`82`	`81`	`if ( empty( $_POST['sp-tshirt'] ) ) {`
`83`	`82`	`$tshirt = "0";`
`84`	`83`	`} else {`
`85`		`- $tshirt = $_POST['sp-tshirt'];`
	`84`	`+ $tshirt = SQLite3::escapeString( $_POST['sp-tshirt'] );`
`86`	`85`	`}`
`87`	`86`
`88`	`87`	`if ( empty( $_POST['sp-arrival'] ) ) {`
`89`	`88`	`$arrivalerror = "No arriving date given";`
`90`	`89`	`} else {`
`91`		`- $arrival = $_POST['sp-arrival'];`
	`90`	`+ $arrival = SQLite3::escapeString( $_POST['sp-arrival'] );`
`92`	`91`	`}`
`93`	`92`	`if ( empty( $_POST['sp-depart'] ) ) {`
`94`	`93`	`$departureerror = "No departure date given";`
`95`	`94`	`} else {`
`96`		`- $departure = $_POST['sp-depart'];`
	`95`	`+ $departure = SQLite3::escapeString( $_POST['sp-depart'] );`
`97`	`96`	`}`
`98`	`97`	`$lap = 1;`
`99`	`98`	`if ( empty( $_POST['sp-accom'] ) ) {`
`100`	`99`	`$accom = "0";`
`101`	`100`	`} else {`
`102`		`- $accom = $_POST['sp-accom'];`
	`101`	`+ $accom = SQLite3::escapeString( $_POST['sp-accom'] );`
`103`	`102`	`}`
`104`		`- $pretitle = $_POST['sp-title'];`
	`103`	`+ $pretitle = SQLite3::escapeString( $_POST['sp-title'] );`
`105`	`104`	`if ( empty( $pretitle ) )`
`106`	`105`	`{`
`107`	`106`	`$titleerror = "Required Field";`
`108`	`107`	`}`
`109`	`108`	`else`
`110`	`109`	`{`
`111`		`- $title = $_POST['sp-title'];`
`112`		`- $desc = $_POST['sp-desc'];`
	`110`	`+ $title = SQLite3::escapeString( $_POST['sp-title'] );`
	`111`	`+ $desc = SQLite3::escapeString( $_POST['sp-desc'] );`
`113`	`112`
`114`	`113`	`}`
`115`	`114`	`if ( $nameerror == "" && $emailerror == "" && $arrivalerror == "" && $departureerror == "" && $orgerror == "" && $cityerror == "" && $titleerror == "" && $profilerror == "" )`
`@@ -123,11 +122,11 @@ function __construct()`
`123`	`122`	`header( 'location:../../registration_success.html' );`
`124`	`123`	`} else {`
`125`	`124`	`echo "fail";`
`126`		`-// header( 'location:../../registration_fail.html' );`
	`125`	`+ header( 'location:../../registration_fail.html' );`
`127`	`126`	`}`
`128`	`127`	`} else {`
`129`	`128`	`echo "fail";`
`130`		`-// header( 'location:../../registration_fail.html' );`
	`129`	`+ header( 'location:../../registration_fail.html' );`
`131`	`130`	`}`
`132`	`131`	`}`
`133`	`132`	`}`