From 6c2e3922b1718e462fb5a0f5e83b5fc1f3a83d4a Mon Sep 17 00:00:00 2001
From: "Paul S. Owen" <psotfx@users.sourceforge.net>
Date: Fri, 21 Dec 2001 15:51:31 +0000
Subject: [PATCH] Hopefully this addresses the \' and '' problems with MSSQL,
 etc. ... I'd like opinions on the security of doing this.

git-svn-id: file:///svn/phpbb/trunk@1661 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/groupcp.php |  2 +-
 phpBB/login.php   |  2 +-
 phpBB/posting.php | 33 +++++++++++----------------------
 phpBB/search.php  |  6 +++---
 4 files changed, 16 insertions(+), 27 deletions(-)

diff --git a/phpBB/groupcp.php b/phpBB/groupcp.php
index 0789834749..4e9b41fea2 100644
--- a/phpBB/groupcp.php
+++ b/phpBB/groupcp.php
@@ -316,7 +316,7 @@ else if( $group_id )
 			
 			$sql = "SELECT user_id, user_email 
 				FROM " . USERS_TABLE . " 
-				WHERE username = '$username'";
+				WHERE username = '" . str_replace("\'", "''", $username) . "'";
 			if( !$result = $db->sql_query($sql) )
 			{
 				message_die(GENERAL_ERROR, "Could not get user information", $lang['Error'], __LINE__, __FILE__, $sql);
diff --git a/phpBB/login.php b/phpBB/login.php
index 3f9645a1e8..110a822802 100644
--- a/phpBB/login.php
+++ b/phpBB/login.php
@@ -49,7 +49,7 @@ if( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) || isset($
 
 		$sql = "SELECT user_id, username, user_password, user_active, user_level 
 			FROM ".USERS_TABLE."
-			WHERE username = '$username'";
+			WHERE username = '" . str_replace("\'", "''", $username) . "'";
 		$result = $db->sql_query($sql);
 		if(!$result)
 		{
diff --git a/phpBB/posting.php b/phpBB/posting.php
index a7146090f8..4b9760ea02 100644
--- a/phpBB/posting.php
+++ b/phpBB/posting.php
@@ -280,7 +280,6 @@ function add_search_words($post_id, $post_text, $post_title = "")
 	$stopword_array = @file($phpbb_root_path . "language/lang_" . $board_config['default_lang'] . "/search_stopwords.txt"); 
 	$synonym_array = @file($phpbb_root_path . "language/lang_" . $board_config['default_lang'] . "/search_synonyms.txt"); 
 
-	// 0.3s
 	$search_text = clean_words($post_text, $stopword_array, $synonym_array);
 	$search_matches = split_words($search_text);
 
@@ -371,16 +370,6 @@ function add_search_words($post_id, $post_text, $post_title = "")
 		}
 	}
 
-/*
-	$mtime = explode(" ",microtime());
-	$starttime = $mtime[1] + $mtime[0];
-
-	$mtime = explode(" ", microtime());
-	$endtime = $mtime[1] + $mtime[0];
-	echo "<BR><BR> TIMING1 >>>>>>>>> " .  ($endtime - $starttime) . "<BR><BR>\n";
-
-*/
-
 	remove_common(0.15, $word_id_list);
 
 	return;
@@ -1204,7 +1193,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 		if( $mode == "newtopic" )
 		{
 			$sql  = "INSERT INTO " . TOPICS_TABLE . " (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type, topic_vote)
-				VALUES ('$post_subject', " . $userdata['user_id'] . ", $current_time, $forum_id, " . TOPIC_UNLOCKED . ", $topic_type, $topic_vote)";
+				VALUES ('" . str_replace("\'", "''", $post_subject) . "', " . $userdata['user_id'] . ", $current_time, $forum_id, " . TOPIC_UNLOCKED . ", $topic_type, $topic_vote)";
 
 			if( $result = $db->sql_query($sql, BEGIN_TRANSACTION) )
 			{
@@ -1221,7 +1210,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 			if( $is_auth['auth_pollcreate'] && $topic_vote )
 			{
 				$sql = "INSERT INTO " . VOTE_DESC_TABLE . " (topic_id, vote_text, vote_start, vote_length) 
-					VALUES ($new_topic_id, '$poll_title', $current_time, " . ( $poll_length * 86400 ) . ")";
+					VALUES ($new_topic_id, '" . str_replace("\'", "''", $poll_title) . "', $current_time, " . ( $poll_length * 86400 ) . ")";
 				if( $result = $db->sql_query($sql) )
 				{
 					$new_vote_id = $db->sql_nextid();
@@ -1230,7 +1219,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 					while( list($option_id, $option_text) = each($poll_option_list) )
 					{
 						$sql = "INSERT INTO " . VOTE_RESULTS_TABLE . " (vote_id, vote_option_id, vote_option_text, vote_result)
-							VALUES ($new_vote_id, $poll_option_id, '$option_text', 0)";
+							VALUES ($new_vote_id, $poll_option_id, '" . str_replace("\'", "''", $option_text) . "', 0)";
 						if( !$result = $db->sql_query($sql) )
 						{
 							// Rollback ...
@@ -1267,7 +1256,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 		}
 
 		$sql = "INSERT INTO " . POSTS_TABLE . " (topic_id, forum_id, poster_id, post_username, post_time, poster_ip, enable_bbcode, enable_html, enable_smilies, enable_sig)
-			VALUES ($new_topic_id, $forum_id, " . $userdata['user_id'] . ", '$post_username', $current_time, '$user_ip', $bbcode_on, $html_on, $smilies_on, $attach_sig)";
+			VALUES ($new_topic_id, $forum_id, " . $userdata['user_id'] . ", '" . str_replace("\'", "''", $post_username) . "', $current_time, '$user_ip', $bbcode_on, $html_on, $smilies_on, $attach_sig)";
 		$result = ($mode == "reply") ? $db->sql_query($sql, BEGIN_TRANSACTION) : $db->sql_query($sql);
 
 		if( $result )
@@ -1275,7 +1264,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 			$new_post_id = $db->sql_nextid();
 
 			$sql = "INSERT INTO " . POSTS_TEXT_TABLE . " (post_id, post_subject, bbcode_uid, post_text)
-				VALUES ($new_post_id, '$post_subject', '$bbcode_uid', '$post_message')";
+				VALUES ($new_post_id, '" . str_replace("\'", "''", $post_subject) . "', '$bbcode_uid', '" . str_replace("\'", "''", $post_message) . "')";
 
 			if( $db->sql_query($sql) )
 			{
@@ -1904,7 +1893,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 			if($db->sql_query($sql))
 			{
 				$sql = "UPDATE " . POSTS_TEXT_TABLE . "
-					SET post_text = '$post_message',  bbcode_uid = '$bbcode_uid', post_subject = '$post_subject'
+					SET post_text = '" . str_replace("\'", "''", $post_message) . "',  bbcode_uid = '$bbcode_uid', post_subject = '" . str_replace("\'", "''", $post_subject) . "'
 					WHERE post_id = $post_id"; 
 
 				if( $is_first_post_topic )
@@ -1918,7 +1907,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 						// Update topics table here 
 						//
 						$sql = "UPDATE " . TOPICS_TABLE . "
-							SET topic_title = '$post_subject', topic_type = $topic_type" . $sql_topic_vote_edit . " 
+							SET topic_title = '" . str_replace("\'", "''", $post_subject) . "', topic_type = $topic_type" . $sql_topic_vote_edit . " 
 							WHERE topic_id = $topic_id";
 						if($db->sql_query($sql, END_TRANSACTION))
 						{
@@ -1950,7 +1939,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 										// Previous entry with no results (or a moderator), update
 										//
 										$sql = "UPDATE " . VOTE_DESC_TABLE . " 
-											SET vote_text = '$poll_title', vote_length = " . ( $poll_length * 86400 ) . " 
+											SET vote_text = '" . str_replace("\'", "''", $poll_title) . "', vote_length = " . ( $poll_length * 86400 ) . " 
 											WHERE topic_id = $topic_id";
 										if( $result = $db->sql_query($sql, BEGIN_TRANSACTION) )
 										{
@@ -1964,7 +1953,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 													$vote_result = ( $old_poll_result[$option_id] ) ? $old_poll_result[$option_id] : 0;
 
 													$sql = "INSERT INTO " . VOTE_RESULTS_TABLE . " (vote_id, vote_option_id, vote_option_text, vote_result)
-														VALUES ($vote_id, $poll_option_id, '$option_text', $vote_result)";
+														VALUES ($vote_id, $poll_option_id, '" . str_replace("\'", "''", $option_text) . "', $vote_result)";
 													if( !$result = $db->sql_query($sql) )
 													{
 														message_die(GENERAL_ERROR, "Couldn't insert new poll options", "", __LINE__, __FILE__, $sql);
@@ -1989,7 +1978,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 									// No previous entry, create new
 									//
 									$sql = "INSERT INTO " . VOTE_DESC_TABLE . " (topic_id, vote_text, vote_start, vote_length) 
-										VALUES ($topic_id, '$poll_title', $current_time, " . ( $poll_length * 86400 ) . ")";
+										VALUES ($topic_id, '" . str_replace("\'", "''", $poll_title) . "', $current_time, " . ( $poll_length * 86400 ) . ")";
 									if( $result = $db->sql_query($sql, BEGIN_TRANSACTION) )
 									{
 										$new_vote_id = $db->sql_nextid();
@@ -1998,7 +1987,7 @@ if( ( $submit || $confirm || $mode == "delete"  ) && !$error )
 										while( list($option_id, $option_text) = each($poll_option_list) )
 										{
 											$sql = "INSERT INTO " . VOTE_RESULTS_TABLE . " (vote_id, vote_option_id, vote_option_text, vote_result)
-												VALUES ($new_vote_id, $poll_option_id, '$option_text', 0)";
+												VALUES ($new_vote_id, $poll_option_id, '" . str_replace("\'", "''", $option_text) . "', 0)";
 											if( !$result = $db->sql_query($sql) )
 											{
 												// Rollback ...
diff --git a/phpBB/search.php b/phpBB/search.php
index cdde5fde63..bb40d6a4c1 100644
--- a/phpBB/search.php
+++ b/phpBB/search.php
@@ -294,7 +294,7 @@ else if( $query_keywords != "" || $query_author != "" || $search_id )
 			
 			$sql = "SELECT user_id
 				FROM ".USERS_TABLE."
-				WHERE username LIKE '$query_author'";
+				WHERE username LIKE '" . str_replace("\'", "''", $query_author) . "'";
 			$result = $db->sql_query($sql);
 			if( !$result )
 			{
@@ -507,7 +507,7 @@ else if( $query_keywords != "" || $query_author != "" || $search_id )
 		//
 		if( $query_author != "" )
 		{
-			$query_author = str_replace("*", "%", trim($query_author));
+			$query_author = str_replace("*", "%", trim(str_replace("\'", "''", $query_author)));
 		}
 
 		//
@@ -734,7 +734,7 @@ else if( $query_keywords != "" || $query_author != "" || $search_id )
 			if( !$result || !$db->sql_affectedrows() )
 			{
 				$sql = "INSERT INTO " . SEARCH_TABLE . " (search_id, session_id, search_array) 
-					VALUES($search_id, '" . $userdata['session_id'] . "', '$result_array')";
+					VALUES($search_id, '" . $userdata['session_id'] . "', '" . str_replace("\'", "''", $result_array) . "')";
 				if( !$result = $db->sql_query($sql) )
 				{
 					message_die(GENERAL_ERROR, "Couldn't insert search results", "", __LINE__, __FILE__, $sql);