From 19b5e01da02aa2115ee802cf2e43a7f3e58f4eac Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Wed, 13 Aug 2014 13:28:03 -0400
Subject: [PATCH] Added function "is_superadmin" in auth library and improved other functions.

---
 interface/lib/classes/db_mysql.inc.php |   57 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php
index 1636cab..13a8633 100644
--- a/interface/lib/classes/db_mysql.inc.php
+++ b/interface/lib/classes/db_mysql.inc.php
@@ -262,12 +262,18 @@
 	public function datalogSave($db_table, $action, $primary_field, $primary_id, $record_old, $record_new, $force_update = false) {
 		global $app, $conf;
 
-		// Insert backticks only for incomplete table names.
-		if(stristr($db_table, '.')) {
-			$escape = '';
+		// Check fields
+		if(!preg_match('/^[a-zA-Z0-9\.\-]{1,64}$/',$db_table)) $app->error('Invalid table name '.$db_table);
+		if(!preg_match('/^[a-zA-Z0-9\-]{1,64}$/',$primary_field)) $app->error('Invalid primary field '.$primary_field.' in table '.$db_table);
+		
+		if(strpos($db_table, '.') !== false) {
+			$db_table = preg_replace('/^(.+)\.(.+)$/', '`$1`.`$2`', $db_table);
 		} else {
-			$escape = '`';
+			$db_table = '`' . $db_table . '`';
 		}
+		
+		$primary_field = $this->quote($primary_field);
+		$primary_id = intval($primary_id);
 
 		if($force_update == true) {
 			//* We force a update even if no record has changed
@@ -284,7 +290,7 @@
 		// Insert the server_id, if the record has a server_id
 		$server_id = (isset($record_old['server_id']) && $record_old['server_id'] > 0)?$record_old['server_id']:0;
 		if(isset($record_new['server_id'])) $server_id = $record_new['server_id'];
-
+		$server_id = intval($server_id);
 
 		if($diff_num > 0) {
 			//print_r($diff_num);
@@ -306,6 +312,18 @@
 	//** Inserts a record and saves the changes into the datalog
 	public function datalogInsert($tablename, $insert_data, $index_field) {
 		global $app;
+		
+		// Check fields
+		if(!preg_match('/^[a-zA-Z0-9\.\-]{1,64}$/',$tablename)) $app->error('Invalid table name '.$tablename);
+		if(!preg_match('/^[a-zA-Z0-9\-]{1,64}$/',$index_field)) $app->error('Invalid index field '.$index_field.' in table '.$tablename);
+		
+		if(strpos($tablename, '.') !== false) {
+			$tablename = preg_replace('/^(.+)\.(.+)$/', '`$1`.`$2`', $tablename);
+		} else {
+			$tablename = '`' . $tablename . '`';
+		}
+		
+		$index_field = $this->quote($index_field);
 
 		if(is_array($insert_data)) {
 			$key_str = '';
@@ -333,6 +351,19 @@
 	//** Updates a record and saves the changes into the datalog
 	public function datalogUpdate($tablename, $update_data, $index_field, $index_value, $force_update = false) {
 		global $app;
+		
+		// Check fields
+		if(!preg_match('/^[a-zA-Z0-9\.\-]{1,64}$/',$tablename)) $app->error('Invalid table name '.$tablename);
+		if(!preg_match('/^[a-zA-Z0-9\-]{1,64}$/',$index_field)) $app->error('Invalid index field '.$index_field.' in table '.$tablename);
+		
+		if(strpos($tablename, '.') !== false) {
+			$tablename = preg_replace('/^(.+)\.(.+)$/', '`$1`.`$2`', $tablename);
+		} else {
+			$tablename = '`' . $tablename . '`';
+		}
+		
+		$index_field = $this->quote($index_field);
+		$index_value = $this->quote($index_value);
 
 		$old_rec = $this->queryOneRecord("SELECT * FROM $tablename WHERE $index_field = '$index_value'");
 
@@ -356,6 +387,19 @@
 	//** Deletes a record and saves the changes into the datalog
 	public function datalogDelete($tablename, $index_field, $index_value) {
 		global $app;
+		
+		// Check fields
+		if(!preg_match('/^[a-zA-Z0-9\.\-]{1,64}$/',$tablename)) $app->error('Invalid table name '.$tablename);
+		if(!preg_match('/^[a-zA-Z0-9\-]{1,64}$/',$index_field)) $app->error('Invalid index field '.$index_field.' in table '.$tablename);
+		
+		if(strpos($tablename, '.') !== false) {
+			$tablename = preg_replace('/^(.+)\.(.+)$/', '`$1`.`$2`', $tablename);
+		} else {
+			$tablename = '`' . $tablename . '`';
+		}
+		
+		$index_field = $this->quote($index_field);
+		$index_value = $this->quote($index_value);
 
 		$old_rec = $this->queryOneRecord("SELECT * FROM $tablename WHERE $index_field = '$index_value'");
 		$this->query("DELETE FROM $tablename WHERE $index_field = '$index_value'");
@@ -653,6 +697,9 @@
 		case 'blob':
 			return 'blob';
 			break;
+		case 'date':
+			return 'date';
+			break;
 		}
 	}
 

--
Gitblit v1.9.1