Security cleanup (sqli)

diff --git a/doc/TODO b/doc/TODO
index 6dcc3745b898c71f91205d911eb989ac3e7b7e53..5103e1c9a381cb990a8091cdc56bc8c4a58f2d6a 100644 (file)
--- a/doc/TODO
+++ b/doc/TODO
@@ -7,7 +7,7 @@
 - User mail -> can't delete the mails...
   Anyway move whole mail handling out of nodes.php (?)
 
-- SQL injections (many fixed, but some should be still there)
+- SQL injections (many fixed, but some are still there)
 
 - remove absolute paths from all source files (!)
 - convert to some more inteligent path system... eg.:

diff --git a/wwwroot/inc/eventz/executorlist.inc b/trash/executorlist.inc
similarity index 91%
rename from wwwroot/inc/eventz/executorlist.inc
rename to trash/executorlist.inc
index 04231bbf3a1e61b1fcb32084b2f1f4e26fc02ec3..86ac7c7cd67db466cdb3824e26c6f7b28f9fe9d2 100644 (file)
--- a/wwwroot/inc/eventz/executorlist.inc
+++ b/trash/executorlist.inc
@@ -8,7 +8,8 @@ function executorlist() {
                 return false;
         }
 
-        $executors=explode(";",$_POST['executorlist']); // XXX sqli
+        $executors=explode(";",$_POST['executorlist']);
+       $executors=array_map('mysql_real_escape_string', $executors); 
         $db->query("update node_access set node_permission='' where
                node_id=$node_id and node_permission='exec'");
         foreach ($executors as $execitpr) {

diff --git a/scripts/savelib.php b/trash/savelib.php
similarity index 100%
rename from scripts/savelib.php
rename to trash/savelib.php

diff --git a/wwwroot/backend/mysql/test.sql b/wwwroot/backend/mysql/test.sql
new file mode 100644 (file)
index 0000000..1d2b754
--- /dev/null
+++ b/wwwroot/backend/mysql/test.sql
@@ -0,0 +1,48 @@
+drop procedure if exists k_neurons;
+drop function if exists k_get_node_weigth;
+
+delimiter //
+
+create function k_get_node_weigth (node INT, user INT) returns DOUBLE
+BEGIN
+       declare vector,node2,len,n_owner,offset int;
+       declare final,n_weight,o_weight,s_weight double;
+
+       select node_vector into vector from nodes where node_id = node;
+
+       set final = 1;
+       /* select k from nodes into final where node_id = node;*/
+
+       set len = length(vector);
+       set offset = 1;
+       WHILE offset < len DO
+
+               /* XXX node length is hardcoded */
+               set node2 = substring(node2,offset,8);
+               set offset = offset + 8;
+               /* weigths from user to: 
+                       - all nodes from node to root node
+                       - all node owners from node to root node
+                       - all nodes between themselves (safe?)
+               */
+               select node_weight,node_creator into n_weight,n_owner from nodes where node_id=node2;
+               select synapse_weight into s_weight from neurons where src=user and dst=node2;
+               select synapse_weight into o_weight from neurons where src=user and dst=n_owner;
+               
+               if o_weight = NULL then set o_weight=1; end if;
+               if s_weight = NULL then set s_weight=1; end if;
+               if n_weight = NULL then set n_weight=1; end if;
+               
+               set final = final * s_weight * o_weight * n_weight;
+       END WHILE;
+
+       RETURN final;
+END//
+
+create procedure k_neurons ()
+begin
+       select k,node_id,node_name from nodes where k>0 
+               and node_created>now()-interval 20 day order by k_get_node_weigth(node_id,904) desc;
+end//
+
+delimiter ;