FSN#29330 Minder risico op SQL Injection (niet per se direct gevaarlijk)

svn path=/Website/branches/v5.4.1/; revision=21273
2014-04-09 08:40:23 +00:00
parent a03da42411
commit c21c199ade
7 changed files with 10 additions and 10 deletions
--- a/APPL/BES/addFavourites.asp
+++ b/APPL/BES/addFavourites.asp
@@ -102,7 +102,7 @@ function doSubmit()
        <td class='label'><label for="fav"><%=L("lcl_bes_favour_list")%>:</label></td>
        <td><select name="fav" id="fav"><%
          // eigen favorieten lijsten van een bepaalde categorie
-          sql = " SELECT '" + L("lcl_bes_select_fav_list") + "', 'A' FROM DUAL"
+          sql = " SELECT " + safe.quoted_sql(L("lcl_bes_select_fav_list")) + ", 'A' FROM DUAL"
              + " UNION"
              + " SELECT bf.bes_favoriet_naam"
              + ", 'B'"
--- a/APPL/CNT/cnt_show_scope.asp
+++ b/APPL/CNT/cnt_show_scope.asp
@@ -167,7 +167,7 @@ var showall = getQParamInt("showall", 0) == 1;
                  + " AND co.cnt_mld_melding_key IS NULL"
                  + " AND co.cnt_contract_key = " + cnt_key + ""
                  + " UNION"
-                  + " SELECT '" + L("lcl_location") + "' plaatsaanduiding"
+                  + " SELECT " + safe.quoted_sql(L("lcl_location")) + " plaatsaanduiding"
                  + ", null totaal_opp"
                  + ", co.cnt_contract_onrgoed_opp contract_opp"
                  + ", sr.alg_srtruimte_code tariefsrt"
--- a/APPL/FAC/fac_locale_data.asp
+++ b/APPL/FAC/fac_locale_data.asp
@@ -116,7 +116,7 @@ var maxlen = oRs(0).Value;
        for (i in lcl.languages)
        {
            if (i != db_lang)
-                talen_arr.push("SELECT '" + i + "' fac_locale_lang FROM DUAL");
+                talen_arr.push("SELECT " + safe.quoted_sql(i) + " fac_locale_lang FROM DUAL");
        }

        var talen = talen_arr.join(" UNION ");
--- a/APPL/MLD/opdr_accept_offer.asp
+++ b/APPL/MLD/opdr_accept_offer.asp
@@ -58,11 +58,11 @@ user.anything_todo_or_abort(this_opdr.canAcceptOffer); // Mag ik deze kosten afm
  <body class="modal" id="acceptoffertebody">
    <div id="accept">
 <%    // Uitvoerende omschrijving bepalen m.b.v. uitvoerende key
-      sql = "SELECT '" + L("lcl_mld_bedrijf_prefix") + "' ||  b.prs_bedrijf_naam uitv_omschr"
+      sql = "SELECT " + safe.quoted_sql(L("lcl_mld_bedrijf_prefix")) + " ||  b.prs_bedrijf_naam uitv_omschr"
            + " FROM prs_bedrijf b"
            + " WHERE b.prs_bedrijf_key = " + mld_opdr.uitvoerende_key
            + " UNION ALL"
-            + " SELECT '" + L("lcl_mld_person_prefix") + "'||" + S("prs_pers_string") + " uitv_omschr"
+            + " SELECT " + safe.quoted_sql(L("lcl_mld_person_prefix")) + "'||" + S("prs_pers_string") + " uitv_omschr"
            + " FROM prs_perslid p "
            + " WHERE p.prs_perslid_key = " + mld_opdr.uitvoerende_key;
      oRs = Oracle.Execute(sql);
--- a/APPL/MLD/opdr_reject.asp
+++ b/APPL/MLD/opdr_reject.asp
@@ -88,11 +88,11 @@ user.anything_todo_or_abort(toberejected > 0); // We klagen niet over enkele wel
        var prefix = mld_opdr.srtdiscprefix;

        // Uitvoerende omschrijving bepalen m.b.v. uitvoerende key
-        sql = "SELECT '" + L("lcl_mld_bedrijf_prefix") + "' ||  b.prs_bedrijf_naam uitv_omschr"
+        sql = "SELECT " + safe.quoted_sql(L("lcl_mld_bedrijf_prefix")) + " ||  b.prs_bedrijf_naam uitv_omschr"
              + " FROM prs_bedrijf b"
              + " WHERE b.prs_bedrijf_key = " + uitvoerende_key
              + " UNION ALL"
-              + " SELECT '" + L("lcl_mld_person_prefix") + "'||" + S("prs_pers_string") + " uitv_omschr"
+              + " SELECT " + safe.quoted_sql(L("lcl_mld_person_prefix")) + "||" + S("prs_pers_string") + " uitv_omschr"
              + " FROM prs_perslid p "
              + " WHERE p.prs_perslid_key = " + uitvoerende_key;
        oRs = Oracle.Execute(sql);
--- a/APPL/MLD/opdr_reject_offer.asp
+++ b/APPL/MLD/opdr_reject_offer.asp
@@ -85,11 +85,11 @@ var result = { opdr_key: ingesloten.join(","), message: "", success: false };
      lcl.set_dialect(mld_opdr.opdr_type, "MLD_TYPEOPDR_KEY"); // opdr_type van de laatste opdracht genomen

      // Uitvoerende omschrijving bepalen m.b.v. uitvoerende key
-      sql = "SELECT '" + L("lcl_mld_bedrijf_prefix") + "' ||  b.prs_bedrijf_naam uitv_omschr"
+      sql = "SELECT " + safe.quoted_sql(L("lcl_mld_bedrijf_prefix")) + " ||  b.prs_bedrijf_naam uitv_omschr"
            + " FROM prs_bedrijf b"
            + " WHERE b.prs_bedrijf_key = " + mld_opdr.uitvoerende_key
            + " UNION ALL"
-            + " SELECT '" + L("lcl_mld_person_prefix") + "'||" + S("prs_pers_string") + " uitv_omschr"
+            + " SELECT " + safe.quoted_sql(L("lcl_mld_person_prefix")) + " ||" + S("prs_pers_string") + " uitv_omschr"
            + " FROM prs_perslid p "
            + " WHERE p.prs_perslid_key = " + mld_opdr.uitvoerende_key;
      oRs = Oracle.Execute(sql);
--- a/APPL/Shared/Suggest/SuggestFaq.asp
+++ b/APPL/Shared/Suggest/SuggestFaq.asp
@@ -29,7 +29,7 @@ chars = chars.replace(/\*/g,"%");
 var extraInf = ", 'Extra' extra";

 // Check if person is authorized for all accounts
-sql = " SELECT '" + chars + "' zoekstr, to_char(count(*))||' resultaten' n"
+sql = " SELECT " + safe.quoted_sql(chars) + " zoekstr, to_char(count(*))||' resultaten' n"
        + " FROM fac_faq WHERE "
        + (!fronto? " fac_faq_level < 2 AND " : "")
        + fac.createOrClause("UPPER(fac_faq_question)", upperchars)