Fix SQL injections

Signed-off-by: Mcat12 <newtoncat12@yahoo.com>
Mcat12
2018-01-19 17:40:04 -05:00
parent a2b30e9fe9
commit f89cbee1aa


@@ -70,7 +70,10 @@ if (isset($_GET['getAllQueries']) && $auth)
{
$from = intval($_GET["from"]);
$until = intval($_GET["until"]);
$results = $db->query('SELECT timestamp,type,domain,client,status FROM queries WHERE timestamp >= '.$from.' AND timestamp <= '.$until.' ORDER BY timestamp ASC');
$stmt = $db->prepare("SELECT timestamp, type, domain, client, status FROM queries WHERE timestamp >= :from AND timestamp <= :until ORDER BY timestamp ASC");
$stmt->bindValue(":from", $from);
$stmt->bindValue(":until", $until);
$results = $stmt->execute();
if(!is_bool($results))
while ($row = $results->fetchArray())
{
@@ -87,17 +90,20 @@ if (isset($_GET['topClients']) && $auth)
$limit = "";
if(isset($_GET["from"]) && isset($_GET["until"]))
{
$limit = "WHERE timestamp >= ".$_GET["from"]." AND timestamp <= ".$_GET["until"];
$limit = "WHERE timestamp >= :from AND timestamp <= :until";
}
elseif(isset($_GET["from"]) && !isset($_GET["until"]))
{
$limit = "WHERE timestamp >= ".$_GET["from"];
$limit = "WHERE timestamp >= :from";
}
elseif(!isset($_GET["from"]) && isset($_GET["until"]))
{
$limit = "WHERE timestamp <= ".$_GET["until"];
$limit = "WHERE timestamp <= :until";
}
$results = $db->query('SELECT client,count(client) FROM queries '.$limit.' GROUP by client order by count(client) desc limit 20');
$stmt = $db->prepare('SELECT client,count(client) FROM queries '.$limit.' GROUP by client order by count(client) desc limit 20');
$stmt->bindValue(":from", $_GET['from']);
$stmt->bindValue(":until", $_GET['until']);
$results = $stmt->execute();
$clients = array();
@@ -134,17 +140,20 @@ if (isset($_GET['topDomains']) && $auth)
if(isset($_GET["from"]) && isset($_GET["until"]))
{
$limit = " AND timestamp >= ".$_GET["from"]." AND timestamp <= ".$_GET["until"];
$limit = " AND timestamp >= :from AND timestamp <= :until";
}
elseif(isset($_GET["from"]) && !isset($_GET["until"]))
{
$limit = " AND timestamp >= ".$_GET["from"];
$limit = " AND timestamp >= :from";
}
elseif(!isset($_GET["from"]) && isset($_GET["until"]))
{
$limit = " AND timestamp <= ".$_GET["until"];
$limit = " AND timestamp <= :until";
}
$results = $db->query('SELECT domain,count(domain) FROM queries WHERE (STATUS == 2 OR STATUS == 3)'.$limit.' GROUP by domain order by count(domain) desc limit 20');
$stmt = $db->prepare('SELECT domain,count(domain) FROM queries WHERE (STATUS == 2 OR STATUS == 3)'.$limit.' GROUP by domain order by count(domain) desc limit 20');
$stmt->bindValue(":from", $_GET['from']);
$stmt->bindValue(":until", $_GET['until']);
$results = $stmt->execute();
$domains = array();
@@ -181,17 +190,20 @@ if (isset($_GET['topAds']) && $auth)
if(isset($_GET["from"]) && isset($_GET["until"]))
{
$limit = " AND timestamp >= ".$_GET["from"]." AND timestamp <= ".$_GET["until"];
$limit = " AND timestamp >= :from AND timestamp <= :until";
}
elseif(isset($_GET["from"]) && !isset($_GET["until"]))
{
$limit = " AND timestamp >= ".$_GET["from"];
$limit = " AND timestamp >= :from";
}
elseif(!isset($_GET["from"]) && isset($_GET["until"]))
{
$limit = " AND timestamp <= ".$_GET["until"];
$limit = " AND timestamp <= :until";
}
$results = $db->query('SELECT domain,count(domain) FROM queries WHERE (STATUS == 1 OR STATUS == 4)'.$limit.' GROUP by domain order by count(domain) desc limit 10');
$stmt = $db->prepare('SELECT domain,count(domain) FROM queries WHERE (STATUS == 1 OR STATUS == 4)'.$limit.' GROUP by domain order by count(domain) desc limit 10');
$stmt->bindValue(":from", $_GET['from']);
$stmt->bindValue(":until", $_GET['until']);
$results = $stmt->execute();
$addomains = array();
@@ -253,15 +265,15 @@ if (isset($_GET['getGraphData']) && $auth)
if(isset($_GET["from"]) && isset($_GET["until"]))
{
$limit = " AND timestamp >= ".intval($_GET["from"])." AND timestamp <= ".intval($_GET["until"]);
$limit = " AND timestamp >= :from AND timestamp <= :until";
}
elseif(isset($_GET["from"]) && !isset($_GET["until"]))
{
$limit = " AND timestamp >= ".intval($_GET["from"]);
$limit = " AND timestamp >= :from";
}
elseif(!isset($_GET["from"]) && isset($_GET["until"]))
{
$limit = " AND timestamp <= ".intval($_GET["until"]);
$limit = " AND timestamp <= :until";
}
$interval = 600;
@@ -274,7 +286,11 @@ if (isset($_GET['getGraphData']) && $auth)
}
// Count permitted queries in intervals
$results = $db->query('SELECT (timestamp/'.$interval.')*'.$interval.' interval, COUNT(*) FROM queries WHERE (status != 0 )'.$limit.' GROUP by interval ORDER by interval');
$stmt = $db->prepare('SELECT (timestamp/:interval)*:interval interval, COUNT(*) FROM queries WHERE (status != 0 )'.$limit.' GROUP by interval ORDER by interval');
$stmt->bindValue(":from", intval($_GET['from']));
$stmt->bindValue(":until", intval($_GET['until']));
$stmt->bindValue(":interval", $interval);
$results = $stmt->execute();
$domains = array();
@@ -287,7 +303,11 @@ if (isset($_GET['getGraphData']) && $auth)
$data = array_merge($data, $result);
// Count blocked queries in intervals
$results = $db->query('SELECT (timestamp/'.$interval.')*'.$interval.' interval, COUNT(*) FROM queries WHERE (status == 1 OR status == 4 OR status == 5)'.$limit.' GROUP by interval ORDER by interval');
$stmt = $db->prepare('SELECT (timestamp/:interval)*:interval interval, COUNT(*) FROM queries WHERE (status == 1 OR status == 4 OR status == 5)'.$limit.' GROUP by interval ORDER by interval');
$stmt->bindValue(":from", intval($_GET['from']));
$stmt->bindValue(":until", intval($_GET['until']));
$stmt->bindValue(":interval", $interval);
$results = $stmt->execute();
$addomains = array();
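Review bot: The two bindValue() calls right after the topClients prepare (`$stmt->bindValue(":from", $_GET['from']);` and `$stmt->bindValue(":until", $_GET['until']);`) read both query parameters unconditionally, although the isset() chain just above them shows that either one may be absent, so a request carrying only `from` or only `until` now raises an undefined-index notice (a warning on PHP 8) that, depending on error-display settings, can end up prepended to the JSON response; the topClients block itself closes outside the hunk. The same pattern is repeated in the topDomains and topAds hunks, and the two getGraphData hunks have the same notice problem even though they wrap the value in intval(). Unlike getAllQueries and getGraphData, those three hunks also bind the raw query-string value rather than an integer: the injection is closed by the placeholder, but a non-numeric value is now compared as text and, assuming the `timestamp` column is integer-typed, matches nothing instead of being coerced to 0 as intval() does in the other endpoints. I would bind each value only when its placeholder was actually put into `$limit`, for example `if(isset($_GET['from'])) $stmt->bindValue(":from", intval($_GET['from']), SQLITE3_INTEGER);` followed by the equivalent line for `:until`. As far as I can tell, binding a name that does not occur in the prepared SQL fails quietly in the SQLite3 extension rather than throwing, so the current code works by accident; the guard makes the intent explicit and removes the notices.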