fixed sql injection vulnerability

Author: ngsankha

admin/createadmin.php

@@ -8,11 +8,11 @@
 			echo("<hr/>\n<h1>".$_POST['title']."</h1>\n");
 			echo($out);
 		}
-	} else if($_POST['action'] == 'code') {
+	} else if($_POST['action'] == 'code' and is_numeric($_POST['id'])) {
 		include('../functions.php');
 		connectdb();
 		echo("<hr/><h1><small>".$_POST['name']."</small></h1>\n");
-		$query = "SELECT filename, soln FROM solve WHERE (username='".$_POST['uname']."' AND problem_id='".$_POST['id']."')";
+		$query = "SELECT filename, soln FROM solve WHERE (username='".mysql_real_escape_string($_POST['uname'])."' AND problem_id='".$_POST['id']."')";
 		$result = mysql_query($query);
 		$row = mysql_fetch_array($result);
 		$str = str_replace("<", "&lt;", $row['soln']);

admin/preview.php

@@ -3,7 +3,7 @@
 	connectdb();
 	if(isset($_POST['action'])){
 		if($_POST['action']=='email') {
-			mysql_query("UPDATE users SET email='".$_POST['email']."' WHERE username='".$_SESSION['username']."'");
+			mysql_query("UPDATE users SET email='".mysql_real_escape_string($_POST['email'])."' WHERE username='".$_SESSION['username']."'");
 			header("Location: index.php?changed=1");
 		} else if($_POST['action']=='password') {
 			$query = "SELECT salt,hash FROM users WHERE username='admin'";
@@ -23,29 +23,29 @@
 			if($_POST['cpp']=='on') $cpp=1; else $cpp=0;
 			if($_POST['java']=='on') $java=1; else $java=0;
 			if($_POST['python']=='on') $python=1; else $python=0;
-			mysql_query("UPDATE prefs SET name='".$_POST['name']."', accept=$accept, c=$c, cpp=$cpp, java=$java, python=$python");
+			mysql_query("UPDATE prefs SET name='".mysql_real_escape_string($_POST['name'])."', accept=$accept, c=$c, cpp=$cpp, java=$java, python=$python");
 			header("Location: index.php?changed=1");
 		} else if($_POST['action']=='addproblem') {
-			$query="INSERT INTO `problems` ( `name` , `text`, `input`, `output`) VALUES ('".$_POST['title']."', '".$_POST['problem']."', '".$_POST['input']."', '".$_POST['output']."')";
+			$query="INSERT INTO `problems` ( `name` , `text`, `input`, `output`) VALUES ('".mysql_real_escape_string($_POST['title'])."', '".mysql_real_escape_string($_POST['problem'])."', '".mysql_real_escape_string($_POST['input'])."', '".mysql_real_escape_string($_POST['output'])."')";
 			mysql_query($query);
 			header("Location: problems.php?added=1");
-		} else if($_POST['action']=='editproblem') {
-			mysql_query("UPDATE problems SET input='".$_POST['input']."', output='".$_POST['output']."', name='".$_POST['title']."', text='".$_POST['problem']."'  WHERE sl='".$_POST['id']."'");
+		} else if($_POST['action']=='editproblem' and is_numeric($_POST['id'])) {
+			mysql_query("UPDATE problems SET input='".mysql_real_escape_string($_POST['input'])."', output='".mysql_real_escape_string($_POST['output'])."', name='".mysql_real_escape_string($_POST['title'])."', text='".mysql_real_escape_string($_POST['problem'])."'  WHERE sl='".$_POST['id']."'");
 			mysql_query($query);
 			header("Location: problems.php?updated=1&action=edit&id=".$_POST['id']);
 		}
 	}
 	else if(isset($_GET['action'])){
-		if($_GET['action']=='delete') {
+		if($_GET['action']=='delete' and is_numeric($_GET['id'])) {
 			$query="DELETE FROM problems WHERE sl=".$_GET['id'];
 			mysql_query($query);
 			header("Location: problems.php?deleted=1");
 		} else if($_GET['action']=='ban') {
-			$query="UPDATE users SET status=0 WHERE username='".$_GET['username']."'";
+			$query="UPDATE users SET status=0 WHERE username='".mysql_real_escape_string($_GET['username'])."'";
 			mysql_query($query);
 			header("Location: users.php?banned=1");
 		} else if($_GET['action']=='unban') {
-			$query="UPDATE users SET status=1 WHERE username='".$_GET['username']."'";
+			$query="UPDATE users SET status=1 WHERE username='".mysql_real_escape_string($_GET['username'])."'";
 			mysql_query($query);
 			header("Location: users.php?unbanned=1");
 		}

admin/update.php

@@ -8,14 +8,17 @@
         $query = "SELECT status FROM users WHERE username='".$_SESSION['username']."'";
         $result = mysql_query($query);
         $status = mysql_fetch_array($result);
-        if($accept['accept'] == 1 and $status['status'] == 1) {
+        if($accept['accept'] == 1 and $status['status'] == 1 and is_numeric($_POST['id'])) {
+        	$soln = mysql_real_escape_string($_POST['soln']);
+        	$filename = mysql_real_escape_string($_POST['filename']);
+        	$lang = mysql_real_escape_string($_POST['lang']);
 		if($_POST['ctype']=='new')
-			$query = "INSERT INTO `solve` ( `problem_id` , `username`, `soln`, `filename`, `lang`) VALUES ('".$_POST['id']."', '".$_SESSION['username']."', '".mysql_real_escape_string($_POST['soln'])."', '".mysql_real_escape_string($_POST['filename'])."', '".$_POST['lang']."')";
+			$query = "INSERT INTO `solve` ( `problem_id` , `username`, `soln`, `filename`, `lang`) VALUES ('".$_POST['id']."', '".$_SESSION['username']."', '".$soln."', '".$filename."', '".$lang."')";
 		else {
 			$tmp = "SELECT attempts FROM solve WHERE (problem_id='".$_POST['id']."' AND username='".$_SESSION['username']."')";
 			$result = mysql_query($tmp);
 			$fields = mysql_fetch_array($result);
-			$query = "UPDATE solve SET lang='".$_POST['lang']."', attempts='".($fields['attempts']+1)."', soln='".mysql_real_escape_string($_POST['soln'])."', filename='".mysql_real_escape_string($_POST['filename'])."' WHERE (username='".$_SESSION['username']."' AND problem_id='".$_POST['id']."')";
+			$query = "UPDATE solve SET lang='".$lang."', attempts='".($fields['attempts']+1)."', soln='".$soln."', filename='".$filename."' WHERE (username='".$_SESSION['username']."' AND problem_id='".$_POST['id']."')";
 		}
 		mysql_query($query);
 		$socket = fsockopen($compilerhost, $compilerport);
@@ -28,7 +31,7 @@
 			$fields = mysql_fetch_array($result);
 			$input = str_replace("\n", '$_n_$', treat($fields['input']));
 			fwrite($socket, $input."\n");
-			fwrite($socket, $_POST['lang']."\n");
+			fwrite($socket, $lang."\n");
 			$status = fgets($socket);
 			$contents = "";
 			while(!feof($socket))

eval.php

@@ -3,27 +3,29 @@
 	if(loggedin())
 		header("Location: index.php");
 	else if(isset($_POST['action'])) {
+		$username = mysql_real_escape_string($_POST['username']);
 		if($_POST['action']=='login') {
 			connectdb();
-			$query = "SELECT salt,hash FROM users WHERE username='".$_POST['username']."'";
+			$query = "SELECT salt,hash FROM users WHERE username='".$username."'";
 			$result = mysql_query($query);
 			$fields = mysql_fetch_array($result);
 			$currhash = crypt($_POST['password'], $fields['salt']);
 			if($currhash == $fields['hash']) {
-				$_SESSION['username'] = $_POST['username'];
+				$_SESSION['username'] = $username;
 				header("Location: index.php");
 			} else
 				header("Location: login.php?error=1");
 		} else if($_POST['action']=='register') {
+			$email = mysql_real_escape_string($_POST['email']);
 			connectdb();
-			$query = "SELECT salt,hash FROM users WHERE username='".$_POST['username']."'";
+			$query = "SELECT salt,hash FROM users WHERE username='".$username."'";
 			$result = mysql_query($query);
 			if(mysql_num_rows($result)!=0)
 				header("Location: login.php?exists=1");
 			else {
 				$salt = randomAlphaNum(5);
 				$hash = crypt($_POST['password'], $salt);
-				$sql="INSERT INTO `users` ( `username` , `salt` , `hash` , `email` ) VALUES ('".$_POST['username']."', '$salt', '$hash', '".$_POST['email']."')";
+				$sql="INSERT INTO `users` ( `username` , `salt` , `hash` , `email` ) VALUES ('".$username."', '$salt', '$hash', '".$email."')";
 				mysql_query($sql);
 				header("Location: login.php?registered=1");
 			}

login.php

@@ -41,7 +41,7 @@
       ?>
     <h1><small>Submit Solution</small></h1>
       <?php
-      	if(isset($_GET['id'])) {
+      	if(isset($_GET['id']) and is_numeric($_GET['id'])) {
       		$query = "SELECT * FROM problems WHERE sl='".$_GET['id']."'";
           	$result = mysql_query($query);
           	$row = mysql_fetch_array($result);
@@ -52,18 +52,20 @@
       ?>
       <hr/>
       <?php
-        $query = "SELECT * FROM solve WHERE (problem_id='".$_GET['id']."' AND username='".$_SESSION['username']."')";
-        $result = mysql_query($query);
-        $num = mysql_num_rows($result);
-        $fields = mysql_fetch_array($result);
+        if(is_numeric($_GET['id'])) {
+          $query = "SELECT * FROM solve WHERE (problem_id='".$_GET['id']."' AND username='".$_SESSION['username']."')";
+          $result = mysql_query($query);
+          $num = mysql_num_rows($result);
+          $fields = mysql_fetch_array($result);
+        }
       ?>
       <form method="post" action="eval.php">
       <?php if($num == 0)
           echo('<input type="hidden" name="ctype" value="new"/>');
         else
           echo('<input type="hidden" name="ctype" value="change"/>');
       ?>
-      <input type="hidden" name="id" value="<?php echo($_GET['id']);?>"/>
+      <input type="hidden" name="id" value="<?php if(is_numeric($_GET['id'])) echo($_GET['id']);?>"/>
       <input type="hidden" name="lang" id="hlang" value="<?php if($num == 0) echo('c'); else echo($fields['lang']);?>"/>
       <div class="btn-group">
         <div id="blank"></div>

solve.php

@@ -2,7 +2,7 @@
 	include('functions.php');
 	connectdb();
 	if($_POST['action']=='email') {
-		mysql_query("UPDATE users SET email='".$_POST['email']."' WHERE username='".$_SESSION['username']."'");
+		mysql_query("UPDATE users SET email='".mysql_real_escape_string($_POST['email'])."' WHERE username='".$_SESSION['username']."'");
 		header("Location: account.php?changed=1");
 	} else if($_POST['action']=='password') {
 		$query = "SELECT salt,hash FROM users WHERE username='".$_SESSION['username']."'";