[Bug] Block update and delete command on query builder
#1
Hi, we found a bug when creating a manual query builder: appcore does not block query commands such as update and delete, so a user can perform an update on a table through the query builder. The query builder should only be used for the select command, because a few days ago a demo user's password was changed. We have already patched this bug; please see the description below for how to patch it:

1. Open the generator file located at application/controllers/builtin/manage/Generators.php
2. Then find the private function ___concatQuery()
3. Replace the function with this one:
PHP Code:
private function ___concatQuery($moduleName) {
    // the three query fragments posted by the query builder form
    $querySelect    = $this->input->post('querySelect');
    $queryCondition = $this->input->post('queryCondition');
    $queryGroup     = $this->input->post('queryGroup');

    /**
     * patch bug, block update and delete command
     */
    $blockCommand   = array('update', 'delete');
    $detected       = false;
    if (is_array($blockCommand) && !empty($blockCommand)) {
        foreach ($blockCommand as $bc) {
            // case-insensitive substring search in every fragment
            if (stripos($querySelect, $bc) !== FALSE ||
                stripos($queryCondition, $bc) !== FALSE ||
                stripos($queryGroup, $bc) !== FALSE) {
                $detected = true;
                break;
            }
        }
    }

    // a blocked command was found: do not store or return the query
    if ($detected) { return null; }
    /** end patch*/

    if (!sessionExists(SESSION_NAME.'_generators')) { setSession(SESSION_NAME.'_generators', array()); }

    if (!empty($querySelect)) {
        setSession("{$moduleName}_querySelect", $querySelect);
        setSession("{$moduleName}_queryCondition", $queryCondition);
        setSession("{$moduleName}_queryGroup", $queryGroup);
        return $querySelect . ' ' . $queryCondition . ' ' . $queryGroup;
    }

    return null;
}

4. Then save. OK, that's it.
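The following is an added example, written in Python rather than PHP and not part of appcore or of the post above. It reproduces the patch's substring blocklist on the three posted fragments and places an allowlist check beside it that accepts only a single statement whose leading keyword is SELECT. The allowlist design and the sample submissions are assumptions made for the example, not something the post describes.

```python
import re

# Words the patch above rejects when they occur anywhere in the posted fragments.
BLOCKED_KEYWORDS = ("update", "delete")


def _fragments(select_part, condition_part, group_part):
    """Normalise the three posted fragments to strings (a missing field posts as None)."""
    return tuple((p or "").strip() for p in (select_part, condition_part, group_part))


def blocklist_allows(select_part, condition_part, group_part):
    """Mirror of the patch: case-insensitive substring search for each blocked word
    in each fragment. Returns True when the query would be accepted."""
    frags = _fragments(select_part, condition_part, group_part)
    for keyword in BLOCKED_KEYWORDS:
        if any(keyword in frag.lower() for frag in frags):
            return False
    return True


def allowlist_allows(select_part, condition_part, group_part):
    """Allowlist alternative (assumed design, not appcore's): accept only a single
    statement whose leading keyword is SELECT, with no statement separator and
    no SQL comment marker that could hide trailing text."""
    query = " ".join(_fragments(select_part, condition_part, group_part)).strip()
    if not query:
        return False
    if ";" in query or "--" in query or "/*" in query:
        return False
    # re.match anchors at the start, so the statement must begin with SELECT.
    return re.match(r"select\b", query, re.IGNORECASE) is not None


def evaluate(select_part, condition_part, group_part):
    """Run both checks on one posted query and report the verdicts side by side."""
    return {
        "blocklist": blocklist_allows(select_part, condition_part, group_part),
        "allowlist": allowlist_allows(select_part, condition_part, group_part),
    }


# Constructed sample submissions (not real traffic) exercising both checks.
SAMPLES = {
    "plain_select":   ("select id, name from users", "where active = 1", "group by name"),
    "updated_at_col": ("select id, updated_at from users", "", ""),
    "update_stmt":    ("update users set password = 'x'", "where id = 1", ""),
    "insert_stmt":    ("insert into users (name) values ('x')", "", ""),
    "stacked":        ("select 1; select 2", "", ""),
}


if __name__ == "__main__":
    for label, parts in SAMPLES.items():
        print(f"{label:15} {evaluate(*parts)}")
```

Running it shows why the shape of the check matters: the blocklist refuses a harmless query that merely names an `updated_at` column, while it accepts any statement that does not happen to contain one of its two words and accepts two statements joined by a semicolon. Checking the leading keyword and refusing separators is a smaller rule that covers all of those cases. Whichever rule is used, it should also be applied where the stored query is later executed, not only in ___concatQuery() where it is saved to the session.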