http://www.mediawiki.org/wiki/Special:Code/MediaWiki/100306
Revision: 100306
Author: johnduhart
Date: 2011-10-20 00:45:32 +0000 (Thu, 20 Oct 2011)
Log Message:
-----------
Follow-up to r100165: fix SQL injections and conditions
Modified Paths:
--------------
trunk/extensions/CheckUser/api/ApiQueryCheckUser.php
trunk/extensions/CheckUser/api/ApiQueryCheckUserLog.php
Modified: trunk/extensions/CheckUser/api/ApiQueryCheckUser.php
===================================================================
--- trunk/extensions/CheckUser/api/ApiQueryCheckUser.php 2011-10-20
00:43:43 UTC (rev 100305)
+++ trunk/extensions/CheckUser/api/ApiQueryCheckUser.php 2011-10-20
00:45:32 UTC (rev 100306)
@@ -46,7 +46,7 @@
}
$this->addFields( array( 'cuc_timestamp',
'cuc_ip', 'cuc_xff' ) );
- $this->addWhere( "cuc_user_text = '$target'" );
+ $this->addWhereFld( 'cuc_user_text', $target );
$res = $this->select( __METHOD__ );
$result = $this->getResult();
@@ -84,21 +84,21 @@
if ( !$cond ) {
$this->dieUsage( 'IP or range
is invalid', 'invalidip' );
}
- $this->addWhere( "$cond" );
+ $this->addWhere( $cond );
$log_type = array( 'ipedits-xff', 'ip'
);
} elseif ( IP::isIPAddress( $target ) ) {
$cond = CheckUser::getIpConds( $db,
$target );
if ( !$cond ) {
$this->dieUsage( 'IP or range
is invalid', 'invalidip' );
}
- $this->addWhere( "$cond" );
+ $this->addWhere( $cond );
$log_type = array( 'ipedits', 'ip' );
} else {
$user_id = User::idFromName( $target );
if ( !$user_id ) {
$this->dieUsage( 'Target user
is not exists', 'nosuchuser' );
}
- $this->addWhere( "cuc_user_text =
'$target'" );
+ $this->addWhereFld( 'cuc_user_text',
$target );
$log_type = array( 'useredits', 'user'
);
}
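Review bot: In the user branch the existence check `User::idFromName( $target )` works on the canonicalized name, while the new `addWhereFld( 'cuc_user_text', $target )` filters on the raw `$target`; a caller passing a non-canonical form (lower-case first letter, underscores, surrounding whitespace) would pass the check and then match no rows. Unless `$target` is normalized before this point — that code is above the hunk and not visible here — take the WHERE value from the resolved account, e.g. `$this->addWhereFld( 'cuc_user_text', User::newFromId( $user_id )->getName() );`. The same consideration applies to the identical `addWhereFld` on `cuc_user_text` in the first hunk of this file. While here, the message `'Target user is not exists'` should read `'Target user does not exist'`. The enclosing if/elseif chain and the method itself start before this hunk and continue after it.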
Modified: trunk/extensions/CheckUser/api/ApiQueryCheckUserLog.php
===================================================================
--- trunk/extensions/CheckUser/api/ApiQueryCheckUserLog.php 2011-10-20
00:43:43 UTC (rev 100305)
+++ trunk/extensions/CheckUser/api/ApiQueryCheckUserLog.php 2011-10-20
00:45:32 UTC (rev 100306)
@@ -25,24 +25,16 @@
$this->addTables( 'cu_log' );
$this->addOption( 'LIMIT', $limit + 1 );
- $this->addOption( 'ORDER BY', 'cul_timestamp DESC' );
+ $this->addWhereRange( 'cul_timestamp', 'older', $from, $to );
$this->addFields( array( 'cul_timestamp', 'cul_user_text',
'cul_reason', 'cul_type', 'cul_target_text' ) );
if ( isset( $user ) ) {
- $this->addWhere( "cul_user_text = '$user'" );
+ $this->addWhereFld( 'cul_user_text', $user );
}
if ( isset( $target ) ) {
- $this->addWhere( "cul_target_text = '$target'" );
+ $this->addWhereFld( 'cul_target_text', $target );
}
- if ( isset( $from ) && isset( $to ) ) {
- $this->addWhere( "cul_timestamp BETWEEN '$from' AND
'$to'" );
- unset( $from, $to );
- } elseif ( isset( $from ) ) {
- $this->addWhere( "cul_timestamp < $from" );
- } elseif ( isset( $to ) ) {
- $this->addWhere( "cul_timestamp > $to" );
- }
$res = $this->select( __METHOD__ );
$result = $this->getResult();
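Review bot: `addWhereRange( 'cul_timestamp', 'older', $from, $to )` quotes its bounds (as the ApiQueryBase helper does), which closes the injection, but the quoted values are then compared against the timestamp column as plain strings; unless `$from`/`$to` are already converted to DB form where the parameters are read (above this hunk), run each set bound through `$this->getDB()->timestamp()` before passing it, as other API modules do. Note also that the old single-bound cases used strict `<` / `>`, whereas the range helper uses inclusive bounds if it matches the rest of the API, so a row exactly at `$from` is now returned — acceptable for continuation, but worth a line in the log message. The method, the parameter extraction and the continuation handling all lie outside this hunk.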