Защита от SQLi и доработка поиска

n1rwana 2023-08-12 00:38:51 +03:00
parent ee15ee617d
commit 5353ef3543
No known key found for this signature in database
GPG key ID: 184A60085ABF17D8


@ -177,26 +177,25 @@ final class NoSpamPresenter extends OpenVKPresenter
if ($conditions) { if ($conditions) {
$logs = $db->query("SELECT * FROM `ChandlerLogs` $whereStart $conditions GROUP BY `object_id`, `object_model`"); $logs = $db->query("SELECT * FROM `ChandlerLogs` $whereStart $conditions GROUP BY `object_id`, `object_model`");
if (!$where) {
foreach ($logs as $log) {
$log = (new Logs)->get($log->id);
$response[] = $log->getObject()->unwrap();
}
} else {
foreach ($logs as $log) { foreach ($logs as $log) {
$log = (new Logs)->get($log->id); $log = (new Logs)->get($log->id);
$object = $log->getObject()->unwrap(); $object = $log->getObject()->unwrap();
if (!$object) continue; if (!$object) continue;
if ($where) {
if (str_starts_with($where, " AND")) { if (str_starts_with($where, " AND")) {
$where = substr_replace($where, "", 0, strlen(" AND")); $where = substr_replace($where, "", 0, strlen(" AND"));
} }
foreach ($db->query("SELECT * FROM `$table` WHERE $where")->fetchAll() as $o) { $a = $db->query("SELECT * FROM `$table` WHERE $where")->fetchAll();
if ($object->id === $o["id"]) { foreach ($a as $o) {
if ($object->id == $o["id"]) {
$response[] = $object; $response[] = $object;
} }
} }
} else {
$response[] = $object;
} }
} }
} }
@ -210,12 +209,16 @@ final class NoSpamPresenter extends OpenVKPresenter
$processed = 0; $processed = 0;
$where = $this->postParam("where"); $where = $this->postParam("where");
$ip = $this->postParam("ip"); $ip = addslashes($this->postParam("ip"));
$useragent = $this->postParam("useragent"); $useragent = addslashes($this->postParam("useragent"));
$searchTerm = $this->postParam("q"); $searchTerm = addslashes($this->postParam("q"));
$ts = (int)$this->postParam("ts"); $ts = (int)$this->postParam("ts");
$te = (int)$this->postParam("te"); $te = (int)$this->postParam("te");
$user = $this->postParam("user"); $user = addslashes($this->postParam("user"));
if ($where) {
$where = explode(";", $where)[0];
}
if (!$ip && !$useragent && !$searchTerm && !$ts && !$te && !$where && !$searchTerm && !$user) if (!$ip && !$useragent && !$searchTerm && !$ts && !$te && !$where && !$searchTerm && !$user)
$this->returnJson(["success" => false, "error" => "Нет запроса. Заполните поле \"подстрока\" или введите запрос \"WHERE\" в поле под ним."]); $this->returnJson(["success" => false, "error" => "Нет запроса. Заполните поле \"подстрока\" или введите запрос \"WHERE\" в поле под ним."]);
@ -256,12 +259,7 @@ final class NoSpamPresenter extends OpenVKPresenter
} }
$rows = []; $rows = [];
if ($ip || $useragent || $ts || $te || $user) {
$rows = searchByAdditionalParams($table, $where, $ip, $useragent, $ts, $te, $user);
}
if (count($rows) === 0) {
if (!$searchTerm) {
if (str_starts_with($where, " AND")) { if (str_starts_with($where, " AND")) {
if ($searchTerm && !$this->postParam("where")) { if ($searchTerm && !$this->postParam("where")) {
$where = substr_replace($where, "", 0, strlen(" AND")); $where = substr_replace($where, "", 0, strlen(" AND"));
@ -270,6 +268,9 @@ final class NoSpamPresenter extends OpenVKPresenter
} }
} }
if ($ip || $useragent || $ts || $te || $user) {
$rows = searchByAdditionalParams($table, $where, $ip, $useragent, $ts, $te, $user);
} else {
if (!$where) { if (!$where) {
$rows = []; $rows = [];
} else { } else {
@ -277,7 +278,6 @@ final class NoSpamPresenter extends OpenVKPresenter
$rows = $result->fetchAll(); $rows = $result->fetchAll();
} }
} }
}
if (!in_array((int)$this->postParam("ban"), [1, 2, 3])) { if (!in_array((int)$this->postParam("ban"), [1, 2, 3])) {
foreach ($rows as $key => $object) { foreach ($rows as $key => $object) {
@ -347,9 +347,9 @@ final class NoSpamPresenter extends OpenVKPresenter
} }
if (in_array((int)$this->postParam("ban"), [2, 3])) { if (in_array((int)$this->postParam("ban"), [2, 3])) {
$reason = mb_strlen(trim($this->postParam("ban_reason"))) > 0 ? $this->postParam("ban_reason") : ("**content-noSpamTemplate-" . $log->getId() . "**"); $reason = mb_strlen(trim($this->postParam("ban_reason"))) > 0 ? addslashes($this->postParam("ban_reason")) : ("**content-noSpamTemplate-" . $log->getId() . "**");
$is_forever = (string) $this->postParam("is_forever") === "true"; $is_forever = (string)$this->postParam("is_forever") === "true";
$unban_time = $is_forever ? 0 : (int) $this->postParam("unban_time") ?? NULL; $unban_time = $is_forever ? 0 : (int)$this->postParam("unban_time") ?? NULL;
if ($owner) { if ($owner) {
$_id = ($owner instanceof Club ? $owner->getId() * -1 : $owner->getId()); $_id = ($owner instanceof Club ? $owner->getId() * -1 : $owner->getId());
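Review bot: The `where` POST parameter still reaches the database as raw SQL in `WHERE $where` (the `$table` query in the first hunk, and apparently the search path that fills `$rows`), and `explode(";", $where)[0]` only cuts off stacked statements, so the condition itself stays request-controlled within a single statement. The `addslashes()` calls on `ip`, `useragent`, `q`, `user` and `ban_reason` are not a dependable SQL escape either, because they ignore the connection character set and do nothing for values used outside quotes; passing these values as bound parameters to the query call would be the reliable fix (the query-building code is outside the visible hunks, so how they are interpolated is inferred). If free-form WHERE input has to stay, build the condition from an allow-list of column names and operators, and at minimum add a comment such as `// $where is raw SQL from the request: staff-only, validate against an allow-list before use`. Separately, the first hunk relaxes `$object->id === $o["id"]` to `==`; casting both sides, `(int)$object->id === (int)$o["id"]`, keeps the comparison strict.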