
Fix sql request when using encrypt

Laurent Destailleur
2021-09-02 13:25:00 +02:00
parent 8600d8d00d
commit cac1a7ba5f
11 changed files with 98 additions and 82 deletions


@@ -215,26 +215,33 @@ class Conf
// modules_parts['login'], modules_parts['menus'], modules_parts['substitutions'], modules_parts['triggers'], modules_parts['tpl'], // modules_parts['login'], modules_parts['menus'], modules_parts['substitutions'], modules_parts['triggers'], modules_parts['tpl'],
// modules_parts['models'], modules_parts['theme'] // modules_parts['models'], modules_parts['theme']
// modules_parts['sms'], // modules_parts['sms'],
// modules_parts['css'], ... // modules_parts['css'], modules_parts['js'],...
$modulename = strtolower($reg[1]); $modulename = strtolower($reg[1]);
$partname = strtolower($reg[2]); $partname = strtolower($reg[2]);
if (!isset($this->modules_parts[$partname]) || !is_array($this->modules_parts[$partname])) { if (!isset($this->modules_parts[$partname]) || !is_array($this->modules_parts[$partname])) {
$this->modules_parts[$partname] = array(); $this->modules_parts[$partname] = array();
} }
$arrValue = json_decode($value, true); $arrValue = json_decode($value, true);
if (is_array($arrValue) && !empty($arrValue)) {
$value = $arrValue; if (is_array($arrValue)) {
$newvalue = $arrValue;
} elseif (in_array($partname, array('login', 'menus', 'substitutions', 'triggers', 'tpl'))) { } elseif (in_array($partname, array('login', 'menus', 'substitutions', 'triggers', 'tpl'))) {
$value = '/'.$modulename.'/core/'.$partname.'/'; $newvalue = '/'.$modulename.'/core/'.$partname.'/';
} elseif (in_array($partname, array('models', 'theme'))) { } elseif (in_array($partname, array('models', 'theme'))) {
$value = '/'.$modulename.'/'; $newvalue = '/'.$modulename.'/';
} elseif (in_array($partname, array('sms'))) { } elseif (in_array($partname, array('sms'))) {
$value = '/'.$modulename.'/'; $newvalue = '/'.$modulename.'/';
} elseif ($value == 1) { } elseif ($value == 1) {
$value = '/'.$modulename.'/core/modules/'.$partname.'/'; // ex: partname = societe $newvalue = '/'.$modulename.'/core/modules/'.$partname.'/'; // ex: partname = societe
} else {
$newvalue = $value;
}
if (!empty($newvalue)) {
$this->modules_parts[$partname] = array_merge($this->modules_parts[$partname], array($modulename => $newvalue)); // $value may be a string or an array
} }
$this->modules_parts[$partname] = array_merge($this->modules_parts[$partname], array($modulename => $value)); // $value may be a string or an array
} elseif (preg_match('/^MAIN_MODULE_([0-9A-Z_]+)$/i', $key, $reg)) { } elseif (preg_match('/^MAIN_MODULE_([0-9A-Z_]+)$/i', $key, $reg)) {
// If this is a module constant (must be at end) // If this is a module constant (must be at end)
$modulename = strtolower($reg[1]); $modulename = strtolower($reg[1]);
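Review bot: The trailing comment `// $value may be a string or an array` on the array_merge line now describes the wrong variable: what is merged is `$newvalue`, so `// $newvalue is a path string or the array decoded from $value` would be accurate. The `elseif ($value == 1)` branch is a loose comparison on a string read from configuration, so on PHP 8 `'1.0'` and `'1 '` also take the path-building branch; `$value === '1' || $value === 1` pins the intended case. Behaviour also shifts for a value that decodes to an empty array: `$newvalue` becomes `[]`, the `!empty($newvalue)` guard skips the merge, whereas the old `!empty($arrValue)` test fell through and kept the raw string — if dropping such entries is intended, a one-line comment on the guard would save the next reader a trip through the history. The enclosing method starts and ends outside the hunk.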


@@ -432,13 +432,13 @@ interface Database
/** /**
* Encrypt sensitive data in database * Encrypt sensitive data in database
* Warning: This function includes the escape, so it must use direct value * Warning: This function includes the escape and add the SQL simple quotes on strings.
* *
* @param string $fieldorvalue Field name or value to encrypt * @param string $fieldorvalue Field name or value to encrypt
* @param int $withQuotes Return string with quotes * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
* @return string XXX(field) or XXX('value') or field or 'value' * @return string XXX(field) or XXX('value') or field or 'value'
*/ */
public function encrypt($fieldorvalue, $withQuotes = 0); public function encrypt($fieldorvalue, $withQuotes = 1);
/** /**
* Validate a database transaction * Validate a database transaction
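Review bot: The `@return` line still advertises `XXX(field)` / `field` results, but now that the only documented-valid `$withQuotes` is 1, a column name passed as `$fieldorvalue` comes back as a quoted string literal (the implementations add the quotes whenever `$withQuotes` is set), so `encrypt()` is effectively value-only and the admin code reaches columns through `decrypt('name')` instead. Suggest the docblock say so: `* @param string $fieldorvalue Value to encrypt (for a column name use decrypt() on the column instead)` and `* @return string XXX('value') or 'value'`. If `$withQuotes = 0` really is unsupported, saying so with a `@deprecated`-style sentence on the parameter, or having implementations log when 0 is passed, would be clearer than keeping a parameter whose doc says it must never be changed.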


@@ -523,14 +523,13 @@ class DoliDBMysqli extends DoliDB
/** /**
* Encrypt sensitive data in database * Encrypt sensitive data in database
* Warning: This function includes the escape, so it must use direct value * Warning: This function includes the escape and add the SQL simple quotes on strings.
* *
* @param string $fieldorvalue Field name or value to encrypt * @param string $fieldorvalue Field name or value to encrypt
* @param int $withQuotes Return string with quotes * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
* @return string XXX(field) or XXX('value') or field or 'value' * @return string XXX(field) or XXX('value') or field or 'value'
*
*/ */
public function encrypt($fieldorvalue, $withQuotes = 0) public function encrypt($fieldorvalue, $withQuotes = 1)
{ {
global $conf; global $conf;
@@ -540,17 +539,17 @@ class DoliDBMysqli extends DoliDB
//Encryption key //Encryption key
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : ''); $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : '');
$return = ($withQuotes ? "'" : "").$this->escape($fieldorvalue).($withQuotes ? "'" : ""); $escapedstringwithquotes = ($withQuotes ? "'" : "").$this->escape($fieldorvalue).($withQuotes ? "'" : "");
if ($cryptType && !empty($cryptKey)) { if ($cryptType && !empty($cryptKey)) {
if ($cryptType == 2) { if ($cryptType == 2) {
$return = 'AES_ENCRYPT('.$return.',\''.$cryptKey.'\')'; $escapedstringwithquotes = "AES_ENCRYPT(".$escapedstringwithquotes.", '".$this->escape($cryptKey)."')";
} elseif ($cryptType == 1) { } elseif ($cryptType == 1) {
$return = 'DES_ENCRYPT('.$return.',\''.$cryptKey.'\')'; $escapedstringwithquotes = "DES_ENCRYPT(".$escapedstringwithquotes.", '".$this->escape($cryptKey)."')";
} }
} }
return $return; return $escapedstringwithquotes;
} }
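Review bot: The `if ($cryptType && !empty($cryptKey))` guard means a configuration with `dolibarr_main_db_encryption` set but no `dolibarr_main_db_cryptkey` (or a type value other than 1 or 2) silently stores the value in clear, and nothing in this hunk reports that downgrade. Consider `} elseif ($cryptType) { dol_syslog(__METHOD__.': encryption requested but no key or unsupported type, value stored unencrypted', LOG_WARNING); }` after the inner if, so the misconfiguration is at least visible in the log; the same body is duplicated in DoliDBSqlite3::encrypt and the note applies there too. Escaping `$cryptKey` is the right fix for the quoting bug, but the key still travels inside the SQL text of every statement built with it, so any query logging or error reporting that echoes the statement will include it — worth a one-line comment on that line. Independently of this commit, `DES_ENCRYPT()` no longer exists in MySQL 8.0 and `AES_ENCRYPT()` follows the server's `block_encryption_mode` (ECB by default), which the docblock could mention. The `$cryptType` read and the method signature are outside this hunk.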
/** /**


@@ -824,21 +824,21 @@ class DoliDBPgsql extends DoliDB
/** /**
* Encrypt sensitive data in database * Encrypt sensitive data in database
* Warning: This function includes the escape, so it must use direct value * Warning: This function includes the escape and add the SQL simple quotes on strings.
* *
* @param string $fieldorvalue Field name or value to encrypt * @param string $fieldorvalue Field name or value to encrypt
* @param int $withQuotes Return string with quotes * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
* @return string XXX(field) or XXX('value') or field or 'value' * @return string XXX(field) or XXX('value') or field or 'value'
*/ */
public function encrypt($fieldorvalue, $withQuotes = 0) public function encrypt($fieldorvalue, $withQuotes = 1)
{ {
global $conf; global $conf;
// Type of encryption (2: AES (recommended), 1: DES , 0: no encryption) // Type of encryption (2: AES (recommended), 1: DES , 0: no encryption)
$cryptType = ($conf->db->dolibarr_main_db_encryption ? $conf->db->dolibarr_main_db_encryption : 0); //$cryptType = ($conf->db->dolibarr_main_db_encryption ? $conf->db->dolibarr_main_db_encryption : 0);
//Encryption key //Encryption key
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : ''); //$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : '');
$return = $fieldorvalue; $return = $fieldorvalue;
return ($withQuotes ? "'" : "").$this->escape($return).($withQuotes ? "'" : ""); return ($withQuotes ? "'" : "").$this->escape($return).($withQuotes ? "'" : "");
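Review bot: The docblock still promises `AES`/`DES` output, but with the `$cryptType` and `$cryptKey` reads commented out this implementation never encrypts: it returns the escaped value, quoted or not, regardless of `dolibarr_main_db_encryption`. Rather than leaving two commented-out lines, state this in the docblock, e.g. `* Note: database-side encryption is not implemented for PostgreSQL; dolibarr_main_db_encryption and dolibarr_main_db_cryptkey are ignored and the value is stored in clear.`, so an operator who enables encryption on PostgreSQL is not misled into thinking the column is protected. The `$return = $fieldorvalue;` temporary is then redundant and `$this->escape($fieldorvalue)` reads more directly. The method's closing brace is outside the hunk.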


@@ -745,33 +745,33 @@ class DoliDBSqlite3 extends DoliDB
/** /**
* Encrypt sensitive data in database * Encrypt sensitive data in database
* Warning: This function includes the escape, so it must use direct value * Warning: This function includes the escape and add the SQL simple quotes on strings.
* *
* @param string $fieldorvalue Field name or value to encrypt * @param string $fieldorvalue Field name or value to encrypt
* @param int $withQuotes Return string with quotes * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
* @return string XXX(field) or XXX('value') or field or 'value' * @return string XXX(field) or XXX('value') or field or 'value'
*/ */
public function encrypt($fieldorvalue, $withQuotes = 0) public function encrypt($fieldorvalue, $withQuotes = 1)
{ {
global $conf; global $conf;
// Type of encryption (2: AES (recommended), 1: DES , 0: no encryption) // Type of encryption (2: AES (recommended), 1: DES , 0: no encryption)
$cryptType = ($conf->db->dolibarr_main_db_encryption ? $conf->db->dolibarr_main_db_encryption : 0); $cryptType = (!empty($conf->db->dolibarr_main_db_encryption) ? $conf->db->dolibarr_main_db_encryption : 0);
//Encryption key //Encryption key
$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : ''); $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : '');
$return = ($withQuotes ? "'" : "").$this->escape($fieldorvalue).($withQuotes ? "'" : ""); $escapedstringwithquotes = ($withQuotes ? "'" : "").$this->escape($fieldorvalue).($withQuotes ? "'" : "");
if ($cryptType && !empty($cryptKey)) { if ($cryptType && !empty($cryptKey)) {
if ($cryptType == 2) { if ($cryptType == 2) {
$return = 'AES_ENCRYPT('.$return.',\''.$cryptKey.'\')'; $escapedstringwithquotes = "AES_ENCRYPT(".$escapedstringwithquotes.", '".$this->escape($cryptKey)."')";
} elseif ($cryptType == 1) { } elseif ($cryptType == 1) {
$return = 'DES_ENCRYPT('.$return.',\''.$cryptKey.'\')'; $escapedstringwithquotes = "DES_ENCRYPT(".$escapedstringwithquotes.", '".$this->escape($cryptKey)."')";
} }
} }
return $return; return $escapedstringwithquotes;
} }
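Review bot: Emitting `AES_ENCRYPT(...)` / `DES_ENCRYPT(...)` into a statement assumes those SQL functions exist in the SQLite engine; SQLite has no built-ins of that name, so unless the driver registers them as user-defined functions somewhere not visible here, enabling `dolibarr_main_db_encryption` on SQLite fails at query time rather than encrypting. If they are not registered, the honest behaviour is the PostgreSQL one — document that encryption is unsupported on this driver and return the escaped value — instead of a copy of the MySQL body that can never succeed. The `!empty(...)` guard added on the `$cryptType` read is good; the corresponding line in DoliDBMysqli is not part of its diff and presumably still uses the bare ternary, and since the two bodies are otherwise identical a shared helper on DoliDB would keep them from drifting.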
/** /**


@@ -345,7 +345,7 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
for ($j = 0; $j < $num; $j++) { for ($j = 0; $j < $num; $j++) {
$from = $reg[0][$j]; $from = $reg[0][$j];
$to = $db->encrypt($reg[1][$j], 1); $to = $db->encrypt($reg[1][$j]);
$newsql = str_replace($from, $to, $newsql); $newsql = str_replace($from, $to, $newsql);
} }
$sqlmodified++; $sqlmodified++;
@@ -481,10 +481,10 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
/** /**
* Effacement d'une constante dans la base de donnees * Delete a constant
* *
* @param DoliDB $db Database handler * @param DoliDB $db Database handler
* @param string $name Name of constant or rowid of line * @param string|int $name Name of constant or rowid of line
* @param int $entity Multi company id, -1 for all entities * @param int $entity Multi company id, -1 for all entities
* @return int <0 if KO, >0 if OK * @return int <0 if KO, >0 if OK
* *
@@ -502,7 +502,7 @@ function dolibarr_del_const($db, $name, $entity = 1)
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; $sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql .= " WHERE (".$db->decrypt('name')." = '".$db->escape($name)."'"; $sql .= " WHERE (".$db->decrypt('name')." = '".$db->escape($name)."'";
if (is_numeric($name)) { if (is_numeric($name)) {
$sql .= " OR rowid = '".$db->escape($name)."'"; $sql .= " OR rowid = ".((int) $name);
} }
$sql .= ")"; $sql .= ")";
if ($entity >= 0) { if ($entity >= 0) {
@@ -536,7 +536,7 @@ function dolibarr_get_const($db, $name, $entity = 1)
$sql = "SELECT ".$db->decrypt('value')." as value"; $sql = "SELECT ".$db->decrypt('value')." as value";
$sql .= " FROM ".MAIN_DB_PREFIX."const"; $sql .= " FROM ".MAIN_DB_PREFIX."const";
$sql .= " WHERE name = '".$db->escape($db->encrypt($name))."'"; $sql .= " WHERE name = ".$db->encrypt($name);
$sql .= " AND entity = ".((int) $entity); $sql .= " AND entity = ".((int) $entity);
dol_syslog("admin.lib::dolibarr_get_const", LOG_DEBUG); dol_syslog("admin.lib::dolibarr_get_const", LOG_DEBUG);
@@ -583,7 +583,7 @@ function dolibarr_set_const($db, $name, $value, $type = 'chaine', $visible = 0,
$db->begin(); $db->begin();
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; $sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql .= " WHERE name = '".$db->escape($db->encrypt($name))."'"; $sql .= " WHERE name = ".$db->encrypt($name);
if ($entity >= 0) { if ($entity >= 0) {
$sql .= " AND entity = ".((int) $entity); $sql .= " AND entity = ".((int) $entity);
} }
@@ -594,8 +594,8 @@ function dolibarr_set_const($db, $name, $value, $type = 'chaine', $visible = 0,
if (strcmp($value, '')) { // true if different. Must work for $value='0' or $value=0 if (strcmp($value, '')) { // true if different. Must work for $value='0' or $value=0
$sql = "INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity)"; $sql = "INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity)";
$sql .= " VALUES ("; $sql .= " VALUES (";
$sql .= $db->encrypt($name, 1); $sql .= $db->encrypt($name);
$sql .= ", ".$db->encrypt($value, 1); $sql .= ", ".$db->encrypt($value);
$sql .= ",'".$db->escape($type)."',".((int) $visible).",'".$db->escape($note)."',".((int) $entity).")"; $sql .= ",'".$db->escape($type)."',".((int) $visible).",'".$db->escape($note)."',".((int) $entity).")";
//print "sql".$value."-".pg_escape_string($value)."-".$sql;exit; //print "sql".$value."-".pg_escape_string($value)."-".$sql;exit;
@@ -753,7 +753,7 @@ function security_prepare_head()
$sql = "SELECT COUNT(r.id) as nb"; $sql = "SELECT COUNT(r.id) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r"; $sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r";
$sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous" $sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous"
$sql .= " AND entity = ".$conf->entity; $sql .= " AND entity = ".((int) $conf->entity);
$sql .= " AND bydefault = 1"; $sql .= " AND bydefault = 1";
if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
$sql .= " AND r.perms NOT LIKE '%_advance'"; // Hide advanced perms if option is not enabled $sql .= " AND r.perms NOT LIKE '%_advance'"; // Hide advanced perms if option is not enabled
@@ -1839,7 +1839,7 @@ function delDocumentModel($name, $type)
$sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model"; $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
$sql .= " WHERE nom = '".$db->escape($name)."'"; $sql .= " WHERE nom = '".$db->escape($name)."'";
$sql .= " AND type = '".$db->escape($type)."'"; $sql .= " AND type = '".$db->escape($type)."'";
$sql .= " AND entity = ".$conf->entity; $sql .= " AND entity = ".((int) $conf->entity);
dol_syslog("admin.lib::delDocumentModel", LOG_DEBUG); dol_syslog("admin.lib::delDocumentModel", LOG_DEBUG);
$resql = $db->query($sql); $resql = $db->query($sql);
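Review bot: dolibarr_del_const and dolibarr_get_const now look up the same column two different ways: the DELETE compares `".$db->decrypt('name')." = '".$db->escape($name)."'"` while the SELECT and the DELETE in dolibarr_set_const compare `name = ".$db->encrypt($name)`. Both forms agree only while the cipher is deterministic (MySQL's `AES_ENCRYPT()` in its default mode is), and the decrypt-the-column form additionally defeats any index on `name`; pick one form for the three statements and leave a comment on why, e.g. `// compare ciphertext: encrypt() is deterministic for the supported modes`. The `rowid = ".((int) $name)` and `entity = ".((int) $conf->entity)` casts are the right fix; the `@param string|int $name` change could add that a numeric string is tried as both a name and a rowid, since the `is_numeric()` branch is not obvious from the signature. dolibarr_del_const's body continues outside the hunk.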


@@ -994,9 +994,9 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
$note = json_encode(array('authorid'=>(is_object($user) ? $user->id : 0), 'ip'=>(empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR']))); $note = json_encode(array('authorid'=>(is_object($user) ? $user->id : 0), 'ip'=>(empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR'])));
$sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name, value, visible, entity, note) VALUES"; $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name, value, visible, entity, note) VALUES";
$sql .= " (".$this->db->encrypt($this->const_name, 1); $sql .= " (".$this->db->encrypt($this->const_name);
$sql .= ", ".$this->db->encrypt('1', 1); $sql .= ", ".$this->db->encrypt('1');
$sql .= ", 0, ".$entity; $sql .= ", 0, ".((int) $entity);
$sql .= ", '".$this->db->escape($note)."')"; $sql .= ", '".$this->db->escape($note)."')";
dol_syslog(get_class($this)."::_active insert activation constant", LOG_DEBUG); dol_syslog(get_class($this)."::_active insert activation constant", LOG_DEBUG);
@@ -1555,9 +1555,9 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
$sql .= ", entity"; $sql .= ", entity";
$sql .= ")"; $sql .= ")";
$sql .= " VALUES ("; $sql .= " VALUES (";
$sql .= $this->db->encrypt($this->const_name."_TABS_".$i, 1); $sql .= $this->db->encrypt($this->const_name."_TABS_".$i);
$sql .= ", 'chaine'"; $sql .= ", 'chaine'";
$sql .= ", ".$this->db->encrypt($newvalue, 1); $sql .= ", ".$this->db->encrypt($newvalue);
$sql .= ", null"; $sql .= ", null";
$sql .= ", '0'"; $sql .= ", '0'";
$sql .= ", ".$entity; $sql .= ", ".$entity;
@@ -1627,9 +1627,9 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
if ($row[0] == 0) { // If not found if ($row[0] == 0) { // If not found
$sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,type,value,note,visible,entity)"; $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,type,value,note,visible,entity)";
$sql .= " VALUES ("; $sql .= " VALUES (";
$sql .= $this->db->encrypt($name, 1); $sql .= $this->db->encrypt($name);
$sql .= ",'".$this->db->escape($type)."'"; $sql .= ",'".$this->db->escape($type)."'";
$sql .= ",".(($val != '') ? $this->db->encrypt($val, 1) : "''"); $sql .= ",".(($val != '') ? $this->db->encrypt($val) : "''");
$sql .= ",".($note ? "'".$this->db->escape($note)."'" : "null"); $sql .= ",".($note ? "'".$this->db->escape($note)."'" : "null");
$sql .= ",'".$this->db->escape($visible)."'"; $sql .= ",'".$this->db->escape($visible)."'";
$sql .= ",".$entity; $sql .= ",".$entity;
@@ -2064,8 +2064,8 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
$row = $this->db->fetch_row($result); $row = $this->db->fetch_row($result);
if ($row[0] == 0) { if ($row[0] == 0) {
$sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,type,value,note,visible,entity)"; $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name, type, value, note, visible, entity)";
$sql .= " VALUES ('".$this->db->escape($this->db->encrypt($name))."', 'chaine', '".$this->db->escape($this->db->encrypt($dir))."', 'Directory for module ".$this->name."', '0', ".((int) $conf->entity).")"; $sql .= " VALUES (".$this->db->encrypt($name).", 'chaine', ".$this->db->encrypt($dir).", '".$this->db->escape("Directory for module ".$this->name)."', '0', ".((int) $conf->entity).")";
dol_syslog(get_class($this)."::insert_dirs", LOG_DEBUG); dol_syslog(get_class($this)."::insert_dirs", LOG_DEBUG);
$this->db->query($sql); $this->db->query($sql);
@@ -2126,7 +2126,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
$entity = $conf->entity; // Reset the current entity $entity = $conf->entity; // Reset the current entity
$newvalue = $value; $newvalue = $value;
var_dump($newvalue);
// Serialize array parameters // Serialize array parameters
if (is_array($value)) { if (is_array($value)) {
// Can defined other parameters // Can defined other parameters
@@ -2141,11 +2141,12 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
if (isset($value['entity'])) { if (isset($value['entity'])) {
$entity = $value['entity']; $entity = $value['entity'];
} }
} else // when hook is declared with syntax 'hook'=>array('hookcontext1','hookcontext2',...) } else { // when hook is declared with syntax 'hook'=>array('hookcontext1','hookcontext2',...)
{
$newvalue = json_encode($value); $newvalue = json_encode($value);
} }
} }
var_dump($newvalue);
var_dump($this->db->escape($newvalue));
$sql = "INSERT INTO ".MAIN_DB_PREFIX."const ("; $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (";
$sql .= "name"; $sql .= "name";
@@ -2156,14 +2157,14 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
$sql .= ", entity"; $sql .= ", entity";
$sql .= ")"; $sql .= ")";
$sql .= " VALUES ("; $sql .= " VALUES (";
$sql .= "'".$this->db->escape($this->db->encrypt($this->const_name."_".strtoupper($key)))."'"; $sql .= " ".$this->db->encrypt($this->const_name."_".strtoupper($key));
$sql .= ", 'chaine'"; $sql .= ", 'chaine'";
$sql .= ", '".$this->db->escape($this->db->encrypt($newvalue))."'"; $sql .= ", ".$this->db->encrypt($newvalue);
$sql .= ", null"; $sql .= ", null";
$sql .= ", '0'"; $sql .= ", '0'";
$sql .= ", ".((int) $entity); $sql .= ", ".((int) $entity);
$sql .= ")"; $sql .= ")";
print $sql;
dol_syslog(get_class($this)."::insert_module_parts for key=".$this->const_name."_".strtoupper($key), LOG_DEBUG); dol_syslog(get_class($this)."::insert_module_parts for key=".$this->const_name."_".strtoupper($key), LOG_DEBUG);
$resql = $this->db->query($sql, 1); $resql = $this->db->query($sql, 1);
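Review bot: `$entity` is cast in the `_active` insert (`", 0, ".((int) $entity)`) but the two later const inserts in this file still concatenate it raw — `", ".$entity` in the `_TABS_` insert and `",".$entity` in the const insert — and whatever `$entity` holds there is not visible in those hunks, so the same `((int) $entity)` cast belongs on both lines. In the same const insert, `",'".$this->db->escape($visible)."'"` quotes what dolibarr_set_const writes as `((int) $visible)`; using the int cast here too keeps the column's type consistent across writers. Removing the `var_dump`/`print $sql` lines is good, and worth noting why: the statement they would echo embeds the encryption key that encrypt() inlines, so a lint rule against `var_dump`/`print` of `$sql` in core would stop that recurring. Each of these methods starts and ends outside its hunk.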


@@ -245,8 +245,8 @@ class modApi extends DolibarrModules
{ {
// Remove old constants with entity fields different of 0 // Remove old constants with entity fields different of 0
$sql = array( $sql = array(
"DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = '".$this->db->escape($this->db->encrypt('MAIN_MODULE_API'))."'", "DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = ".$this->db->encrypt('MAIN_MODULE_API'), // API can't be enabled per environment. Why ?
"DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = '".$this->db->escape($this->db->encrypt('API_PRODUCTION_MODE'))."'" "DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = ".$this->db->encrypt('API_PRODUCTION_MODE') // Not in production mode by default at activation
); );
return $this->_remove($sql, $options); return $this->_remove($sql, $options);
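Review bot: The new inline comment `// API can't be enabled per environment. Why ?` records an open question rather than the rule; if the reason is that `MAIN_MODULE_API` is a global (entity 0) constant, say that, e.g. `// MAIN_MODULE_API is global (entity 0): clear any per-entity copies left by older versions`. Note also that neither DELETE carries an `entity` clause, so the heading comment `Remove old constants with entity fields different of 0` does not describe what the statements do — they remove the entity-0 row as well, which may be intended but should be stated. The enclosing method's signature is outside the hunk.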


@@ -596,13 +596,13 @@ class TraceableDB extends DoliDB
/** /**
* Encrypt sensitive data in database * Encrypt sensitive data in database
* Warning: This function includes the escape, so it must use direct value * Warning: This function includes the escape and add the SQL simple quotes on strings.
* *
* @param string $fieldorvalue Field name or value to encrypt * @param string $fieldorvalue Field name or value to encrypt
* @param int $withQuotes Return string with quotes * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
* @return string XXX(field) or XXX('value') or field or 'value' * @return string XXX(field) or XXX('value') or field or 'value'
*/ */
public function encrypt($fieldorvalue, $withQuotes = 0) public function encrypt($fieldorvalue, $withQuotes = 1)
{ {
return $this->db->encrypt($fieldorvalue, $withQuotes); return $this->db->encrypt($fieldorvalue, $withQuotes);
} }
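Review bot: This wrapper repeats the full encrypt() docblock from the Database interface verbatim, the fourth such copy in this commit (DoliDBMysqli, DoliDBPgsql and DoliDBSqlite3 carry it too), so the next wording change has to be made in five places. Since the method only forwards to `$this->db->encrypt()`, a `{@inheritdoc}` docblock or a one-liner `/** Forward to the wrapped driver; see Database::encrypt() */` gives a single source of truth. The `$withQuotes = 1` default here has to track the interface default for callers that go through the proxy without a second argument, which it now does.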


@@ -234,7 +234,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
// Insert MAIN_VERSION_FIRST_INSTALL in a dedicated transaction. So if it fails (when first install was already done), we can do other following requests. // Insert MAIN_VERSION_FIRST_INSTALL in a dedicated transaction. So if it fails (when first install was already done), we can do other following requests.
$db->begin(); $db->begin();
dolibarr_install_syslog('step5: set MAIN_VERSION_FIRST_INSTALL const to '.$targetversion, LOG_DEBUG); dolibarr_install_syslog('step5: set MAIN_VERSION_FIRST_INSTALL const to '.$targetversion, LOG_DEBUG);
$resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) values('".$db->escape($db->encrypt('MAIN_VERSION_FIRST_INSTALL'))."', '".$db->escape($db->encrypt($targetversion))."', 'chaine', 0, 'Dolibarr version when first install', 0)"); $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) values(".$db->encrypt('MAIN_VERSION_FIRST_INSTALL').", ".$db->encrypt($targetversion).", 'chaine', 0, 'Dolibarr version when first install', 0)");
if ($resql) { if ($resql) {
$conf->global->MAIN_VERSION_FIRST_INSTALL = $targetversion; $conf->global->MAIN_VERSION_FIRST_INSTALL = $targetversion;
$db->commit(); $db->commit();
@@ -250,7 +250,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
if (!$resql) { if (!$resql) {
dol_print_error($db, 'Error in setup program'); dol_print_error($db, 'Error in setup program');
} }
$resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values('".$db->escape($db->encrypt('MAIN_VERSION_LAST_INSTALL'))."', '".$db->escape($db->encrypt($targetversion))."', 'chaine', 0, 'Dolibarr version when last install', 0)"); $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_LAST_INSTALL').", ".$db->encrypt($targetversion).", 'chaine', 0, 'Dolibarr version when last install', 0)");
if (!$resql) { if (!$resql) {
dol_print_error($db, 'Error in setup program'); dol_print_error($db, 'Error in setup program');
} }
@@ -262,7 +262,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
if (!$resql) { if (!$resql) {
dol_print_error($db, 'Error in setup program'); dol_print_error($db, 'Error in setup program');
} }
$resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values('".$db->escape($db->encrypt('MAIN_REMOVE_INSTALL_WARNING'))."', '".$db->escape($db->encrypt(1))."', 'chaine', 1, 'Disable install warnings', 0)"); $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_REMOVE_INSTALL_WARNING').", ".$db->encrypt(1).", 'chaine', 1, 'Disable install warnings', 0)");
if (!$resql) { if (!$resql) {
dol_print_error($db, 'Error in setup program'); dol_print_error($db, 'Error in setup program');
} }
@@ -330,7 +330,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
if (!$resql) { if (!$resql) {
dol_print_error($db, 'Error in setup program'); dol_print_error($db, 'Error in setup program');
} }
$resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) VALUES ('".$db->escape($db->encrypt('MAIN_VERSION_LAST_UPGRADE'))."', '".$db->escape($db->encrypt($targetversion))."', 'chaine', 0, 'Dolibarr version for last upgrade', 0)"); $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) VALUES (".$db->encrypt('MAIN_VERSION_LAST_UPGRADE').", ".$db->encrypt($targetversion).", 'chaine', 0, 'Dolibarr version for last upgrade', 0)");
if (!$resql) { if (!$resql) {
dol_print_error($db, 'Error in setup program'); dol_print_error($db, 'Error in setup program');
} }
@@ -346,7 +346,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
} }
// May fail if parameter already defined // May fail if parameter already defined
$resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) VALUES ('".$db->escape($db->encrypt('MAIN_LANG_DEFAULT'))."', '".$db->escape($db->encrypt($setuplang))."', 'chaine', 0, 'Default language', 1)"); $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) VALUES (".$db->encrypt('MAIN_LANG_DEFAULT').", ".$db->encrypt($setuplang).", 'chaine', 0, 'Default language', 1)");
//if (! $resql) dol_print_error($db,'Error in setup program'); //if (! $resql) dol_print_error($db,'Error in setup program');
$db->close(); $db->close();
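Review bot: `$db->encrypt(1)` in the MAIN_REMOVE_INSTALL_WARNING insert passes an int where every other call site in this commit passes a string (`$db->encrypt('1')` in DolibarrModules::_active); without strict_types the escape coerces it, but `$db->encrypt('1')` keeps the `@param string` contract honest and the stored value's type obvious. Dropping the outer `$db->escape()` around `encrypt()` is the substantive fix and deserves a sentence in the commit message: the old form escaped an already-escaped value, and with encryption enabled it quoted the returned `AES_ENCRYPT(...)` text so the literal function call, not the ciphertext, was stored. The surrounding `if ($action == "set" || ...)` block starts and ends outside these hunks.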


@@ -290,7 +290,13 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string, or an (int) if int, when forging sql request. // with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string, or an (int) if int, when forging sql request.
preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER); preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) { foreach ($matches as $key => $val) {
if ($val[2] == 'ity' && $val[3] == 'con') { // exclude entity = $conf->entity if ($val[2] == 'ity' && $val[3] == 'con') { // exclude entity = ".$conf->entity
continue;
}
if ($val[2] == 'ame' && $val[3] == 'db-' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$db->encrypt(
continue;
}
if ($val[2] == 'ame' && $val[3] == 'thi' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$this->db->encrypt(
continue; continue;
} }
var_dump($matches); var_dump($matches);
@@ -305,7 +311,10 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// with xxx that is not 'db-' (for $db->escape). It means we forget a ' if string, or an (int) if int, when forging sql request. // with xxx that is not 'db-' (for $db->escape). It means we forget a ' if string, or an (int) if int, when forging sql request.
preg_match_all('/(VALUES).*,\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER); preg_match_all('/(VALUES).*,\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) { foreach ($matches as $key => $val) {
if ($val[2] == 'VALUES' && $val[3] == 'db-') { // exclude $db->escape( if ($val[1] == 'VALUES' && $val[2] == 'db-') { // exclude $db->escape(
continue;
}
if ($val[1] == 'VALUES' && $val[2] == 'thi' && preg_match('/this->db->encrypt/', $val[0])) { // exclude ".$this->db->encrypt(
continue; continue;
} }
var_dump($matches); var_dump($matches);
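Review bot: The new exclusion `if ($val[2] == 'ame' && $val[3] == 'db-' && preg_match('/WHERE name/', $val[0]))` cannot tell `$db->encrypt(` from `$db->escape(`, because `$val[3]` is only the three characters after `$` and `$val[0]` ends right there; so an unquoted `WHERE name = ".$db->escape($x)` — the exact pattern this test exists to catch — is now whitelisted. The `$this->db` check in the second loop only works because the greedy `.*` lets `$val[0]` include an earlier `this->db->encrypt` from the same line, which holds for the insert_dirs statement but not for a line with a single encrypt() call, where the false positive remains. Extending the `\$(...)` tail of both regexes with an optional method capture, e.g. `\$(...)(?:[\w>-]*?(\w+)\()?`, and testing `isset($val[4]) && $val[4] == 'encrypt'` (index 3 for the VALUES regex) would make both exclusions precise without losing the no-call matches such as `= ".$entity`. The loop bodies continue outside the hunks.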