From 3c6baafc5bf815824142251296e4cf8e99fa1902 Mon Sep 17 00:00:00 2001 From: "marcelo.cuiza" Date: Thu, 7 May 2015 14:29:48 -0400 Subject: [PATCH] correcciones --- gulliver/system/class.dbMaintenance.php | 70 +++---------------- .../thirdparty/pear/PEAR/Command/Package.php | 19 +++-- 2 files changed, 17 insertions(+), 72 deletions(-) diff --git a/gulliver/system/class.dbMaintenance.php b/gulliver/system/class.dbMaintenance.php index 50b2d5acb..2dfd75bee 100755 --- a/gulliver/system/class.dbMaintenance.php +++ b/gulliver/system/class.dbMaintenance.php @@ -254,9 +254,6 @@ class DataBaseMaintenance */ function dumpData ($table) { - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); - $table = $filter->validateInput($table, 'nosql'); $this->outfile = $this->tmpDir . $table . '.dump'; //if the file exists delete it @@ -264,8 +261,7 @@ class DataBaseMaintenance @unlink( $this->outfile ); } - $sql = "SELECT * INTO OUTFILE '{%s}' FIELDS TERMINATED BY '\t|\t' OPTIONALLY ENCLOSED BY '\"' LINES TERMINATED BY '\t\t\r\r\n' FROM %s"; - $sql = $filter->preventSqlInjection($sql, array($this->outfile,$table)); + $sql = "SELECT * INTO OUTFILE '{$this->outfile}' FIELDS TERMINATED BY '\t|\t' OPTIONALLY ENCLOSED BY '\"' LINES TERMINATED BY '\t\t\r\r\n' FROM $table"; // The mysql_escape_string function has been DEPRECATED as of PHP 5.3.0. // Commented that is not assigned to a variable. // mysql_escape_string("';"); @@ -285,11 +281,8 @@ class DataBaseMaintenance */ function restoreData ($backupFile) { - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); $tableName = str_replace( '.dump', '', basename( $backupFile ) ); - $sql = "LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '\t|\t' OPTIONALLY ENCLOSED BY '\"' LINES TERMINATED BY '\t\t\r\r\n'"; - $sql = $filter->preventSqlInjection($sql, array($backupFile,$tableName)); + $sql = "LOAD DATA INFILE '$backupFile' INTO TABLE $tableName FIELDS TERMINATED BY '\t|\t' OPTIONALLY ENCLOSED BY '\"' LINES TERMINATED BY '\t\t\r\r\n'"; if (! @mysql_query( $sql )) { print mysql_error() . "\n"; return false; @@ -305,12 +298,8 @@ class DataBaseMaintenance function backupData () { $aTables = $this->getTablesList(); - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); - $aTables = $filter->xssFilterHard($aTables); foreach ($aTables as $table) { if ($this->dumpData( $table ) !== false) { - $this->outfile = $filter->xssFilterHard($this->outfile); printf( "%20s %s %s\n", 'Dump of table:', $table, " in file {$this->outfile}" ); } else { return false; @@ -347,11 +336,6 @@ class DataBaseMaintenance { $aTables = $this->getTablesList(); - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); - $aTables = $filter->xssFilterHard($aTables); - $this->tmpDir = $filter->xssFilterHard($this->tmpDir); - $this->infile = $filter->xssFilterHard($this->infile); foreach ($aTables as $table) { if (isset( $type ) && $type == 'sql') { @@ -419,15 +403,6 @@ class DataBaseMaintenance } /* execute multi query */ - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); - - $arrayQuerys = explode(';',$query); - foreach($arrayQuerys as $v) { - $newQuery[] = $filter->preventSqlInjection($v); - } - $query = implode(';',$newQuery); - if ($mysqli->multi_query( $query )) { do { /* store first result set */ @@ -446,22 +421,11 @@ class DataBaseMaintenance function lockTables () { - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); $aTables = $this->getTablesList(); if (empty( $aTables )) return false; printf( "%-70s", "LOCK TABLES" ); - - if(is_array($aTables)) { - foreach($aTables as $k => $v) { - $aTables[$k] = mysql_real_escape_string($v); - } - } - - $sQuery = 'LOCK TABLES ' . implode( ' READ, ', $aTables ) . ' READ; '; - - if (@mysql_query( $filter->preventSqlInjection($sQuery) )) { + if (@mysql_query( "LOCK TABLES " . implode( " READ, ", $aTables ) . " READ; " )) { echo " [OK]\n"; return true; } else { @@ -490,14 +454,8 @@ class DataBaseMaintenance function dumpSqlInserts ($table) { - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); - $table = $filter->xssFilterHard($table); - $table = $filter->validateInput($table, 'nosql'); $bytesSaved = 0; - $query = "SELECT * FROM `%s`"; - $query = $filter->preventSqlInjection($query, array($table)); - $result = @mysql_query( $query ); + $result = @mysql_query( "SELECT * FROM `$table`" ); $num_rows = mysql_num_rows( $result ); $num_fields = mysql_num_fields( $result ); @@ -518,7 +476,6 @@ class DataBaseMaintenance $data .= ");\n"; } - $data = $filter->preventSqlInjection($data); printf( "%-59s%20s", "Dump of table $table", strlen( $data ) . " Bytes Saved\n" ); return $data; } @@ -631,15 +588,6 @@ class DataBaseMaintenance } /* execute multi query */ - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); - - $arrayQuerys = explode(';',$query); - foreach($arrayQuerys as $v) { - $newQuery[] = $filter->preventSqlInjection($v); - } - $query = implode(';',$newQuery); - if ($mysqli->multi_query( $query )) { do { /* store first result set */ @@ -676,13 +624,11 @@ class DataBaseMaintenance * @return string $tableSchema */ function getSchemaFromTable ($tablename) - { - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); - $tablename = $filter->validateInput($tablename, 'nosql'); + { + //$tableSchema = "/* Structure for table `$tablename` */\n"; + //$tableSchema .= "DROP TABLE IF EXISTS `$tablename`;\n\n"; $tableSchema = ""; - $sql = 'show create table `%s`; '; - $sql = $filter->preventSqlInjection($sql, array($tablename)); + $sql = "show create table `$tablename`; "; $result = @mysql_query( $sql ); if ($result) { if ($row = mysql_fetch_assoc( $result )) { diff --git a/gulliver/thirdparty/pear/PEAR/Command/Package.php b/gulliver/thirdparty/pear/PEAR/Command/Package.php index 4158cef20..9be962824 100755 --- a/gulliver/thirdparty/pear/PEAR/Command/Package.php +++ b/gulliver/thirdparty/pear/PEAR/Command/Package.php @@ -452,6 +452,15 @@ Wrote: /usr/src/redhat/RPMS/i386/PEAR::Net_Socket-1.0-1.i386.rpm function doRunTests($command, $options, $params) { + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } G::LoadSystem('inputfilter'); $filter = new InputFilter(); @@ -480,16 +489,6 @@ Wrote: /usr/src/redhat/RPMS/i386/PEAR::Net_Socket-1.0-1.i386.rpm $cmd = $filter->validateInput($cmd); - if (!class_exists('G')) { - $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); - $docuroot = explode( '/', $realdocuroot ); - array_pop( $docuroot ); - $pathhome = implode( '/', $docuroot ) . '/'; - array_pop( $docuroot ); - $pathTrunk = implode( '/', $docuroot ) . '/'; - require_once($pathTrunk.'gulliver/system/class.g.php'); - } - system($cmd); return true; }