make sure CAS attributes are MySQL safe
Project: http://git-wip-us.apache.org/repos/asf/vcl/repo Commit: http://git-wip-us.apache.org/repos/asf/vcl/commit/2f0d04c7 Tree: http://git-wip-us.apache.org/repos/asf/vcl/tree/2f0d04c7 Diff: http://git-wip-us.apache.org/repos/asf/vcl/diff/2f0d04c7 Branch: refs/heads/VCL-1087_VCL_CAS_SSO Commit: 2f0d04c7651bee851c7f2524fcbff9a98501c1c0 Parents: db85a01 Author: Junaid Ali <[email protected]> Authored: Wed Oct 17 09:06:56 2018 -0500 Committer: Junaid Ali <[email protected]> Committed: Wed Oct 17 09:06:56 2018 -0500 ---------------------------------------------------------------------- web/.ht-inc/authmethods/casauth.php | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/vcl/blob/2f0d04c7/web/.ht-inc/authmethods/casauth.php ---------------------------------------------------------------------- diff --git a/web/.ht-inc/authmethods/casauth.php b/web/.ht-inc/authmethods/casauth.php index 2558185..31325ac 100644 --- a/web/.ht-inc/authmethods/casauth.php +++ b/web/.ht-inc/authmethods/casauth.php @@ -102,7 +102,12 @@ function checkCASUserInDatabase($type, $userid) { function addCASUser($userinfo) { global $authMechs, $mysql_link_vcl; $now = unixToDatetime(time()); - + if(array_key_exists('firstname', $userinfo)) + $esc_firstname = mysql_real_escape_string($userinfo['firstname']); + if(array_key_exists('lastname', $userinfo)) + $esc_lastname = mysql_real_escape_string($userinfo['lastname']); + if(array_key_exists('preferredname', $userinfo)) + $esc_preferredname = mysql_real_escape_string($userinfo['preferredname']); $query = "INSERT INTO user (unityid, affiliationid"; if(array_key_exists('firstname', $userinfo)) $query .= ", firstname"; @@ -114,11 +119,11 @@ function addCASUser($userinfo) { $query .= ", email"; $query .= ", lastupdated) VALUES ( '{$userinfo['unityid']}', {$userinfo['affiliationid']}"; if(array_key_exists('firstname', $userinfo)) - $query .= ",'{$userinfo['firstname']}'"; + $query .= ",'{$esc_firstname}'"; if(array_key_exists('lastname', $userinfo)) - $query .= ",'{$userinfo['lastname']}'"; + $query .= ",'{$esc_lastname}'"; if(array_key_exists('preferredname', $userinfo)) - $query .= ",'{$userinfo['preferredname']}'"; + $query .= ",'{$esc_preferredname}'"; if(array_key_exists('email', $userinfo)) $query .= ",'{$userinfo['email']}'"; $query .= ",'{$now}')"; @@ -158,13 +163,19 @@ function updateCASUser($userinfo) { global $mysql_link_vcl; $now = unixToDatetime(time()); $esc_userid = mysql_real_escape_string($userinfo['unityid']); + if(array_key_exists('firstname', $userinfo)) + $esc_firstname = mysql_real_escape_string($userinfo['firstname']); + if(array_key_exists('lastname', $userinfo)) + $esc_lastname = mysql_real_escape_string($userinfo['lastname']); + if(array_key_exists('preferredname', $userinfo)) + $esc_preferredname = mysql_real_escape_string($userinfo['preferredname']); $query = "UPDATE user SET unityid = '{$userinfo['unityid']}', lastupdated = '{$now}'"; if(array_key_exists('firstname', $userinfo)) - $query .= ", firstname = '{$userinfo['firstname']}' "; + $query .= ", firstname = '{$esc_firstname}' "; if(array_key_exists('lastname', $userinfo)) - $query .= ", lastname = '{$userinfo['lastname']}' "; + $query .= ", lastname = '{$esc_lastname}' "; if(array_key_exists('preferredname', $userinfo)) - $query .= ", preferredname = '{$userinfo['preferredname']}' "; + $query .= ", preferredname = '{$esc_preferredname}' "; if(array_key_exists('email', $userinfo)) $query .= ", email = '{$userinfo['email']}' "; $query .= "WHERE unityid = '{$esc_userid}' AND affiliationid = {$userinfo['affiliationid']}";
