FSN#33658 potentiële SQL-injections aangepast

svn path=/Website/trunk/; revision=27933
Jos Groot Lipman
2016-01-27 09:18:40 +00:00
parent 41961511cd
commit cff82da95f
9 changed files with 42 additions and 38 deletions


@@ -297,17 +297,17 @@ oRs.Close();
if (minfo)
{ // <!-- Groepering1 -->
sql = "SELECT 12, '', 0 FROM DUAL"
+ " UNION SELECT 0, '" + L("lcl_bes_RFOs") + "', 1 FROM DUAL"
+ " UNION SELECT 3,' " + L("lcl_bes_RFOs") + " - " + L("lcl_bes_Catalogus") + "', 2 FROM DUAL"
+ " UNION SELECT 4, '" + L("lcl_bes_RFOs") + " - " + L("lcl_bes_srtgroup") + "', 3 FROM DUAL"
+ " UNION SELECT 5, '" + L("lcl_bes_RFOs") + " - " + L("lcl_bes_srtdeel") + "', 4 FROM DUAL"
+ " UNION SELECT 2, '" + L("lcl_bes_RFOs") + " - " + L("lcl_dep_name_level1") + "', 5 FROM DUAL"
+ " UNION SELECT 7, '" + L("lcl_bes_RFOs") + " - " + L("lcl_dep_name_level2") + "', 6 FROM DUAL"
+ " UNION SELECT 8, '" + L("lcl_bes_RFOs") + " - " + L("lcl_bes_ordernr") + "', 7 FROM DUAL"
+ " UNION SELECT 1, '" + L("lcl_shared_order") + "', 8 FROM DUAL"
+ " UNION SELECT 6, '" + L("lcl_shared_order") + " - " + L("lcl_bes_Supplier") + "', 9 FROM DUAL"
+ " UNION SELECT 10, '" + L("lcl_district") + "', 10 FROM DUAL"
+ " UNION SELECT 11, '" + L("lcl_mi_location") + "', 11 FROM DUAL"
+ " UNION SELECT 0, " + safe.qL("lcl_bes_RFOs") + ", 1 FROM DUAL"
+ " UNION SELECT 3, " + safe.qL("lcl_bes_RFOs") + "||' - '||" + safe.qL("lcl_bes_Catalogus") + ", 2 FROM DUAL"
+ " UNION SELECT 4, " + safe.qL("lcl_bes_RFOs") + "||' - '||" + safe.qL("lcl_bes_srtgroup") + ", 3 FROM DUAL"
+ " UNION SELECT 5, " + safe.qL("lcl_bes_RFOs") + "||' - '||" + safe.qL("lcl_bes_srtdeel") + ", 4 FROM DUAL"
+ " UNION SELECT 2, " + safe.qL("lcl_bes_RFOs") + "||' - '||" + safe.qL("lcl_dep_name_level1") + ", 5 FROM DUAL"
+ " UNION SELECT 7, " + safe.qL("lcl_bes_RFOs") + "||' - '||" + safe.qL("lcl_dep_name_level2") + ", 6 FROM DUAL"
+ " UNION SELECT 8, " + safe.qL("lcl_bes_RFOs") + "||' - '||" + safe.qL("lcl_bes_ordernr") + ", 7 FROM DUAL"
+ " UNION SELECT 1, " + safe.qL("lcl_shared_order") + ", 8 FROM DUAL"
+ " UNION SELECT 6, " + safe.qL("lcl_shared_order") + "||' - '||" + safe.qL("lcl_bes_Supplier") + ", 9 FROM DUAL"
+ " UNION SELECT 10, " + safe.qL("lcl_district") + ", 10 FROM DUAL"
+ " UNION SELECT 11, " + safe.qL("lcl_mi_location") + ", 11 FROM DUAL"
+ " ORDER BY 3";
FCLTselector("groupby",
sql,
@@ -318,9 +318,9 @@ oRs.Close();
});
// <!-- Groepering2 -->
sql = "SELECT 8,' " + L("lcl_bes_RFOs") + " - " + L("lcl_bes_ordernr") + "', 2 FROM DUAL"
+ " UNION SELECT 10, '" + L("lcl_district") + "', 5 FROM DUAL"
+ " UNION SELECT 11, '" + L("lcl_mi_location") + "', 5 FROM DUAL"
sql = "SELECT 8, " + safe.qL("lcl_bes_RFOs") + "||' - '||" + safe.qL("lcl_bes_ordernr") + ", 2 FROM DUAL"
+ " UNION SELECT 10, " + safe.qL("lcl_district") + ", 5 FROM DUAL"
+ " UNION SELECT 11, " + safe.qL("lcl_mi_location") + ", 5 FROM DUAL"
+ " ORDER BY 3";
FCLTselector("groupby2",
sql,
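Review bot: The combined labels in the first hunk are assembled inside the SQL with `||' - '||` between two safe.qL() calls, which moves the string joining into the database and quotes each half separately; quoting the joined text once in JScript gives the same single literal and reads closer to the old line, e.g. `+ " UNION SELECT 3, " + safe.quoted_sql(L("lcl_bes_RFOs") + " - " + L("lcl_bes_Catalogus")) + ", 2 FROM DUAL"`. Whichever form is kept, nothing in the hunk says why translation text must go through safe.qL, so a later edit can easily revert to plain L() concatenation; a comment above the first `sql =` such as `// Labels come from the translation table and may contain apostrophes; quote them via safe.qL so they cannot break out of the SQL literal.` would prevent that. The `if (minfo)` block and the FCLTselector call continue past the end of the hunk.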


@@ -286,8 +286,8 @@ else // nieuw contract
if (cnt_key > -1 && cnt_info.isAbonnement)
{ // Het is een abonnement contract
sql_verlengen = "SELECT -1,' " + L("lcl_unknown") + "', 1 FROM DUAL"
+ " UNION SELECT " + (cnt_info.verlenging > 1? "3" : "1") + ",' " + L("lcl_Yes") + "', 2 FROM DUAL"
+ " UNION SELECT " + (cnt_info.verlenging > 1? "2" : "0") + ", '" + L("lcl_No") + "', 3 FROM DUAL"
+ " UNION SELECT " + (cnt_info.verlenging > 1? "3" : "1") + ", " + safe.qL("lcl_Yes") + ", 2 FROM DUAL"
+ " UNION SELECT " + (cnt_info.verlenging > 1? "2" : "0") + ", " + safe.qL("lcl_No") + ", 3 FROM DUAL"
+ " ORDER BY 3";
FCLTselector("cntverlengen", sql_verlengen,
{ label: L("lcl_cnt_verlengen"),
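Review bot: The first line of the same statement, `sql_verlengen = "SELECT -1,' " + L("lcl_unknown") + "', 1 FROM DUAL"`, still splices L("lcl_unknown") into the literal unquoted, so the rewrite of the two UNION lines leaves this statement as exposed as before if that translation ever contains an apostrophe. Change it to `sql_verlengen = "SELECT -1, " + safe.qL("lcl_unknown") + ", 1 FROM DUAL"`; that also drops the stray leading space the old `' "` form put in front of the label, matching the other two rows. The `cnt_info.verlenging > 1 ? ... : ...` ternaries only ever yield fixed digit strings and need no quoting. The enclosing `if` block and the FCLTselector call run past the end of the hunk.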


@@ -302,8 +302,8 @@ var urlMail = "../shared/queuemail.asp?pcode=CNTMAI&defemail_key=" + defemail_ke
if (cnt_info.isAbonnement)
{ // Het is een abonnement contract
sql_verlengen = "SELECT -1,' " + L("lcl_unknown") + "', 1 FROM DUAL"
+ " UNION SELECT " + (cnt_info.verlenging > 1? "3" : "1") + ",' " + L("lcl_Yes") + "', 2 FROM DUAL"
+ " UNION SELECT " + (cnt_info.verlenging > 1? "2" : "0") + ", '" + L("lcl_No") + "', 3 FROM DUAL"
+ " UNION SELECT " + (cnt_info.verlenging > 1? "3" : "1") + ", " + safe.qL("lcl_Yes") + ", 2 FROM DUAL"
+ " UNION SELECT " + (cnt_info.verlenging > 1? "2" : "0") + ", " + safe.qL("lcl_No") + ", 3 FROM DUAL"
+ " ORDER BY 3";
FCLTselector("cntverlengen", sql_verlengen,
{ label: L("lcl_cnt_verlengen"),
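Review bot: The commit stops one line short here as well: the context line `sql_verlengen = "SELECT -1,' " + L("lcl_unknown") + "', 1 FROM DUAL"` that opens the statement still concatenates the translation unquoted, while only the two UNION rows below it were moved to safe.qL. It should become `sql_verlengen = "SELECT -1, " + safe.qL("lcl_unknown") + ", 1 FROM DUAL"` so the whole statement is quoted the same way. The `if (cnt_info.isAbonnement)` block and the FCLTselector call continue past the end of the hunk.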


@@ -67,7 +67,7 @@ if (!(MLDFOF_read || MLDFOF_write || BESFOF_read || BESFOF_write || MLDBOF_read
var rtype_sql = "";
if (BESFOF_read) {
sub_sql = " SELECT 1 rtable, '" + L("lcl_job_1_bestelling") + "' rtype_omschrijving FROM DUAL";
sub_sql = " SELECT 1 rtable, " + safe.qL("lcl_job_1_bestelling") + " rtype_omschrijving FROM DUAL";
if (rtype_sql == "") {
rtype_sql = sub_sql;
} else {
@@ -76,7 +76,7 @@ if (!(MLDFOF_read || MLDFOF_write || BESFOF_read || BESFOF_write || MLDBOF_read
}
if (MLDFOF_read) {
sub_sql = " SELECT 2, '" + L("lcl_job_2_melding") + "' FROM DUAL";
sub_sql = " SELECT 2, " + safe.qL("lcl_job_2_melding") + " FROM DUAL";
if (rtype_sql == "") {
rtype_sql = sub_sql;
} else {
@@ -85,7 +85,7 @@ if (!(MLDFOF_read || MLDFOF_write || BESFOF_read || BESFOF_write || MLDBOF_read
}
if (MLDBOF_read) {
sub_sql = " SELECT 3, '" + L("lcl_job_3_opdracht") + "' FROM DUAL";
sub_sql = " SELECT 3, " + safe.qL("lcl_job_3_opdracht") + " FROM DUAL";
if (rtype_sql == "") {
rtype_sql = sub_sql;
} else {
@@ -148,9 +148,9 @@ if (!(MLDFOF_read || MLDFOF_write || BESFOF_read || BESFOF_write || MLDBOF_read
whenEmpty: L("lcl_search_generic")
});
var stat_sql = "SELECT 1 stat_key, " + safe.quoted_sql(L("lcl_job_stat_1_inactief")) + " rtype_omschrijving FROM DUAL"
+ " UNION ALL SELECT 2, " + safe.quoted_sql(L("lcl_job_stat_2_actief")) + " FROM DUAL"
+ " UNION ALL SELECT 3, " + safe.quoted_sql(L("lcl_job_stat_3_1xoverslaan")) + " FROM DUAL"
var stat_sql = "SELECT 1 stat_key, " + safe.qL("lcl_job_stat_1_inactief") + " rtype_omschrijving FROM DUAL"
+ " UNION ALL SELECT 2, " + safe.qL("lcl_job_stat_2_actief") + " FROM DUAL"
+ " UNION ALL SELECT 3, " + safe.qL("lcl_job_stat_3_1xoverslaan") + " FROM DUAL"
+ " ORDER BY 1 ";
FCLTselector("stat", stat_sql,
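Review bot: Only the BESFOF_read sub-select (first hunk) carries the column aliases `rtable` and `rtype_omschrijving`; the MLDFOF_read and MLDBOF_read sub-selects in the next two hunks do not, so when BESFOF_read is false the first member of the union — the one that names the result columns — has no aliases. Whether FCLTselector reads the columns by name or by position is not visible here, but the stat_sql hunk takes care to alias its first select, which suggests names matter somewhere. Alias every member so the result is independent of which flags are set: `sub_sql = " SELECT 2 rtable, " + safe.qL("lcl_job_2_melding") + " rtype_omschrijving FROM DUAL";` and `sub_sql = " SELECT 3 rtable, " + safe.qL("lcl_job_3_opdracht") + " rtype_omschrijving FROM DUAL";`. The else branches that join sub_sql into rtype_sql lie outside the hunks, so how the members are combined cannot be checked from here.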


@@ -78,10 +78,10 @@ user.auth_required_or_abort(this_imp.canReadAny);
ROFIELDTR("fld", L("lcl_imp_import_by"), import_uitvoerder);
<!-- Filter rapportage -->
sql = "SELECT 'I', '" + L("lcl_imp_rap_i") + "', 1 FROM DUAL"
+ " UNION SELECT 'E', '" + L("lcl_imp_rap_e") + "', 2 FROM DUAL"
+ " UNION SELECT 'S', '" + L("lcl_imp_rap_s") + "', 3 FROM DUAL"
+ " UNION SELECT 'W', '" + L("lcl_imp_rap_w") + "', 4 FROM DUAL"
sql = "SELECT 'I', " + safe.qL("lcl_imp_rap_i") + ", 1 FROM DUAL"
+ " UNION SELECT 'E', " + safe.qL("lcl_imp_rap_e") + ", 2 FROM DUAL"
+ " UNION SELECT 'S', " + safe.qL("lcl_imp_rap_s") + ", 3 FROM DUAL"
+ " UNION SELECT 'W', " + safe.qL("lcl_imp_rap_w") + ", 4 FROM DUAL"
+ " ORDER BY 3";
FCLTselector("rapfilter_str",
sql,
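Review bot: The context line `<!-- Filter rapportage -->` sits between two JScript statements (the ROFIELDTR call and the `sql =` assignment), so it is parsed as script and only works because JScript treats a line-leading `<!--` as a single-line comment; the other files touched by this commit write the same markers as `// <!-- Groepering1 -->`. Prefix it the same way, `// <!-- Filter rapportage -->`, so it is an ordinary comment rather than a legacy-grammar quirk. The FCLTselector call at the bottom continues past the end of the hunk.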


@@ -7,7 +7,7 @@
Description: Aanmaken van de options voor een listbox met (meerdere) uitvoerenden
Parameters:
Context: Vanuit edit opdrachten scherm via uitvoerenden button
Note:
Note:
*/ %>
<%
@@ -66,14 +66,14 @@ var sql_contractoms = " SELECT '* ' || cnt.cnt_contract_nummer_intern || '-' ||
+ sql_contract2;
var sqlP = " SELECT p.prs_perslid_key uitv_key"
+ " , '" + L("lcl_mld_person_prefix") + "' || " + S("prs_pers_string") + " naam"
+ " , " + safe.qL("lcl_mld_person_prefix") + " || " + S("prs_pers_string") + " naam"
+ " , -1 cpkey"
+ " , -1 cntkey"
+ " FROM prs_v_aanwezigperslid p"
+ " WHERE p.prs_perslid_key IN (" + (uitvkeyArray.length > 0? uitvkeyArray.join(",") : "-1") + ")"
var sqlD = " SELECT b.prs_bedrijf_key uitv_key"
+ " , '" + L("lcl_mld_bedrijf_prefix") + "' || b.prs_bedrijf_naam"
+ " , " + safe.qL("lcl_mld_bedrijf_prefix") + " || b.prs_bedrijf_naam"
+ " || ' (' "
+ " || COALESCE((SELECT " + S("prs_contactpers_string")
+ " FROM prs_contactpersoon cp"
@@ -96,7 +96,7 @@ FCLTselectorOptions(sql,
{ multi: true,
size: 10,
extraParamValue: "cpkey, cntkey",
optgroup: "naam"
optgroup: "naam"
});
%>
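Review bot: In the sqlP statement of the second hunk, `" WHERE p.prs_perslid_key IN (" + (uitvkeyArray.length > 0? uitvkeyArray.join(",") : "-1") + ")"` still splices the array elements into the SQL verbatim, so the one value in this statement that does not come from the translation table is the one the commit leaves alone. Where uitvkeyArray is filled is outside the hunk, but the file description ("listbox met (meerdere) uitvoerenden", reached from a button) makes request input the likely source. Restrict the elements to integer keys before joining, as below, or use a numeric counterpart of safe.quoted_sql_join if the safe helper has one. The file is classic-ASP JScript, so Array.prototype.map/filter are not assumed; the sqlP assignment continues past the end of the hunk.
```javascript
// Keep only elements that are plain integer keys; anything else is dropped
// instead of being spliced into the IN () list.
var uitvKeysSql = [];
for (var ki = 0; ki < uitvkeyArray.length; ki++) {
    if (/^-?\d+$/.test(String(uitvkeyArray[ki]))) {
        uitvKeysSql.push(String(uitvkeyArray[ki]));
    }
}
var sqlP = " SELECT p.prs_perslid_key uitv_key"
    // … unchanged: naam, cpkey, cntkey columns and FROM clause …
    + " WHERE p.prs_perslid_key IN (" + (uitvKeysSql.length > 0 ? uitvKeysSql.join(",") : "-1") + ")"
```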


@@ -356,11 +356,11 @@ var authparams = user.checkAutorisation(autfunction);
<% if (!frontend && ! fronto)
{
//<!-- Sortering -->
sql = "SELECT 1, '" + L("lcl_location") + ", " + L("lcl_time") + "', 1 FROM DUAL"
+ " UNION SELECT 5,' " + L("lcl_time") + "', 2 FROM DUAL"
+ " UNION SELECT 2, '" + L("lcl_place") + "', 3 FROM DUAL"
+ " UNION SELECT 3, '" + L("lcl_reservation") + "', 4 FROM DUAL"
+ " UNION SELECT 4, '" + L("lcl_host") + "', 5 FROM DUAL"
sql = "SELECT 1, " + safe.qL("lcl_location") + "||', '||" + safe.qL("lcl_time") + ", 1 FROM DUAL"
+ " UNION SELECT 5, " + safe.qL("lcl_time") + ", 2 FROM DUAL"
+ " UNION SELECT 2, " + safe.qL("lcl_place") + ", 3 FROM DUAL"
+ " UNION SELECT 3, " + safe.qL("lcl_reservation") + ", 4 FROM DUAL"
+ " UNION SELECT 4, " + safe.qL("lcl_host") + ", 5 FROM DUAL"
+ " ORDER BY 3";
FCLTselector("sortout",
sql,


@@ -820,6 +820,10 @@ safe = {
tekst = tekst.substr(0, maxlen);
return "'" + tekst.replace(/\'/g,"''") + "'"; // " syntax highlight correctie
},
qL: function (p_lcl, params)
{
return safe.quoted_sql(L(p_lcl, params));
},
quoted_sql_join: function (tekstarr, toupper) // Vooral voor IN () clausules met tekstwaardes
{
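Review bot: safe.qL is added without any comment although every other hunk in this commit now depends on it, and it silently drops quoted_sql's second argument — the `tekst = tekst.substr(0, maxlen);` line just above suggests quoted_sql takes a length limit, so a caller of qL has no way to cap a translation. Document it and forward the limit: `qL: function (p_lcl, params, maxlen) // quote a translated text (L(p_lcl, params)) as an SQL literal; maxlen is passed on to quoted_sql` with `return safe.quoted_sql(L(p_lcl, params), maxlen);`. quoted_sql's signature starts before the hunk, so confirm the parameter name and that an undefined maxlen is tolerated there before forwarding it. Both quoted_sql above and quoted_sql_join below are cut by the hunk edges.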


@@ -174,7 +174,7 @@ else // we weten veel context, we zitten binnen een bekende ruimte
sql= " SELECT w1.prs_werkplek_key, "
+ " MIN (prs_werkplek_volgnr) prs_werkplek_volgnr, "
+ " MIN (prs_werkplek_omschrijving) ||' ['"
+ " || CASE WHEN w1.prs_werkplek_virtueel = 1 THEN '" + L("lcl_estate_wp_virt") + "' ELSE MIN (wb.prs_werkplek_bezetting)||'%' END" // Laat onderscheid zien bij virtueel
+ " || CASE WHEN w1.prs_werkplek_virtueel = 1 THEN " + safe.qL("lcl_estate_wp_virt") + " ELSE MIN (wb.prs_werkplek_bezetting)||'%' END" // Laat onderscheid zien bij virtueel
//+ " MIN (wb.prs_werkplek_bezetting)||'%"
+ " || ']' naam, "
+ " COALESCE ( "
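Review bot: The commented-out fragment `//+ " MIN (wb.prs_werkplek_bezetting)||'%"` directly under the rewritten CASE line is dead code that duplicates the ELSE branch of that CASE, and its SQL literal `'%` is not even closed, so re-enabling it would break the statement. Delete that line rather than keep it next to the live expression. The `sql=` assignment runs past both edges of the hunk.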