diff --git a/code/defines/procs/forum_activation.dm b/code/defines/procs/forum_activation.dm index b87127ae4c..88e9705e5e 100644 --- a/code/defines/procs/forum_activation.dm +++ b/code/defines/procs/forum_activation.dm @@ -35,12 +35,8 @@ return // Sanitize inputs to avoid SQL injection attacks - accname = dd_replacetext(accname, "'", "''") - accname = dd_replacetext(accname, ";", "") - accname = dd_replacetext(accname, "&", "") - playerkey = dd_replacetext(playerkey, "'", "''") - playerkey = dd_replacetext(playerkey, ";", "") - playerkey = dd_replacetext(playerkey, "&", "") + accname = sanitizeSQL(accname) + playerkey = sanitizeSQL(playerkey) var/DBQuery/query = dbcon.NewQuery("SELECT user_id FROM [forumsqldb].phpbb_users WHERE username = '[accname]'") @@ -52,7 +48,7 @@ dbcon.Disconnect() return - query = dbcon.NewQuery("SELECT pf_byondkey FROM [forumsqldb].phpbb_profile_fields_data WHERE user_id = [uid]") + query = dbcon.NewQuery("SELECT pf_byondkey FROM [forumsqldb].phpbb_profile_fields_data WHERE user_id = '[uid]'") if(!query.Execute()) src << "Unable to verify whether account is already associated with a BYOND key or not. This error shouldn't occur, please contact an administrator." dbcon.Disconnect() @@ -65,7 +61,7 @@ dbcon.Disconnect() return - query = dbcon.NewQuery("SELECT * FROM [forumsqldb].phpbb_user_group WHERE user_id = [uid] AND group_id = [forum_authenticated_group]") + query = dbcon.NewQuery("SELECT * FROM [forumsqldb].phpbb_user_group WHERE user_id = '[uid]' AND group_id = '[forum_authenticated_group]'") if(!query.Execute()) src << "Unable to verify whether account is already part of the authenticated group or not. This error should not occur, please contact an administrator." dbcon.Disconnect() @@ -75,19 +71,19 @@ dbcon.Disconnect() return - query = dbcon.NewQuery("INSERT INTO [forumsqldb].phpbb_profile_fields_data (user_id, pf_byondkey) VALUES ([uid], '[playerkey]')") // Remember which key is associated with the account + query = dbcon.NewQuery("INSERT INTO [forumsqldb].phpbb_profile_fields_data (user_id, pf_byondkey) VALUES ('[uid]', '[playerkey]')") // Remember which key is associated with the account if(!query.Execute()) src << "Unable to associate key with account. Authentication failed." dbcon.Disconnect() return - query = dbcon.NewQuery("UPDATE [forumsqldb].phpbb_user_group SET group_id = [forum_authenticated_group] WHERE user_id = [uid] AND group_id = [forum_activated_group]") // Replace 'Registered Users' group with 'Activated Users' + query = dbcon.NewQuery("UPDATE [forumsqldb].phpbb_user_group SET group_id = '[forum_authenticated_group]' WHERE user_id = '[uid]' AND group_id = '[forum_activated_group]'") // Replace 'Registered Users' group with 'Activated Users' if(!query.Execute()) src << "Unable to move account into authenticated group. This error shouldn't occur, contact an administrator for help. Authentication failed." dbcon.Disconnect() return - query = dbcon.NewQuery("UPDATE [forumsqldb].phpbb_users SET group_id = [forum_authenticated_group] WHERE user_id = [uid]") // Change 'default group' the the authenticated group. Not doing so was causing many authenticated accounts to retain their unauthenticated permissions, despite being succesfully authenticated. + query = dbcon.NewQuery("UPDATE [forumsqldb].phpbb_users SET group_id = '[forum_authenticated_group]' WHERE user_id = '[uid]'") // Change 'default group' the the authenticated group. Not doing so was causing many authenticated accounts to retain their unauthenticated permissions, despite being succesfully authenticated. if(!query.Execute()) src << "Unable to modify default group for account. This error should never occur, contact an administrator for help. Authentication failed." else @@ -95,8 +91,12 @@ dbcon.Disconnect() +// This actually opens up a bunch of security holes to the forum DB. Given that it's not used much in the first place, +// I'm going to keep this commented out until we're sure everything's secure. -- TLE +/* /client/verb/activate_forum_account(var/a as text) set name = "Activate Forum Account" set category = "Special Verbs" set desc = "Associate a tgstation forum account with your BYOND key to enable posting." - associate_key_with_forum(a, src.key) \ No newline at end of file + associate_key_with_forum(a, src.key) +*/ \ No newline at end of file diff --git a/code/defines/procs/statistics.dm b/code/defines/procs/statistics.dm index 5cb9367626..08183aaf17 100644 --- a/code/defines/procs/statistics.dm +++ b/code/defines/procs/statistics.dm @@ -55,19 +55,19 @@ proc/sql_report_death(var/mob/living/carbon/human/H) return var/turf/T = H.loc - var/area/placeofdeath = T.loc + var/area/placeofdeath = get_area(T.loc) var/podname = placeofdeath.name - var/sqlname = dd_replacetext(H.real_name, "'", "''") - var/sqlkey = dd_replacetext(H.key, "'", "''") - var/sqlpod = dd_replacetext(podname, "'", "''") - var/sqlspecial = dd_replacetext(H.mind.special_role, "'", "''") - var/sqljob = dd_replacetext(H.mind.assigned_role, "'", "''") + var/sqlname = sanitizeSQL(H.real_name) + var/sqlkey = sanitizeSQL(H.key) + var/sqlpod = sanitizeSQL(podname) + var/sqlspecial = sanitizeSQL(H.mind.special_role) + var/sqljob = sanitizeSQL(H.mind.assigned_role) var/laname var/lakey if(H.lastattacker) - laname = dd_replacetext(H.lastattacker:real_name, "'", "''") - lakey = dd_replacetext(H.lastattacker:key, "'", "''") + laname = sanitizeSQL(H.lastattacker:real_name) + lakey = sanitizeSQL(H.lastattacker:key) var/sqltime = time2text(world.realtime, "YYYY-MM-DD hh:mm:ss") var/coord = "[H.x], [H.y], [H.z]" //world << "INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss) VALUES ('[sqlname]', '[sqlkey]', '[sqljob]', '[sqlspecial]', '[sqlpod]', '[sqltime]', '[laname]', '[lakey]', '[H.gender]', [H.bruteloss], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()])" @@ -92,19 +92,19 @@ proc/sql_report_cyborg_death(var/mob/living/silicon/robot/H) return var/turf/T = H.loc - var/area/placeofdeath = T.loc + var/area/placeofdeath = get_area(T.loc) var/podname = placeofdeath.name - var/sqlname = dd_replacetext(H.real_name, "'", "''") - var/sqlkey = dd_replacetext(H.key, "'", "''") - var/sqlpod = dd_replacetext(podname, "'", "''") - var/sqlspecial = dd_replacetext(H.mind.special_role, "'", "''") - var/sqljob = dd_replacetext(H.mind.assigned_role, "'", "''") + var/sqlname = sanitizeSQL(H.real_name) + var/sqlkey = sanitizeSQL(H.key) + var/sqlpod = sanitizeSQL(podname) + var/sqlspecial = sanitizeSQL(H.mind.special_role) + var/sqljob = sanitizeSQL(H.mind.assigned_role) var/laname var/lakey if(H.lastattacker) - laname = dd_replacetext(H.lastattacker:real_name, "'", "''") - lakey = dd_replacetext(H.lastattacker:key, "'", "''") + laname = sanitizeSQL(H.lastattacker:real_name) + lakey = sanitizeSQL(H.lastattacker:key) var/sqltime = time2text(world.realtime, "YYYY-MM-DD hh:mm:ss") var/coord = "[H.x], [H.y], [H.z]" //world << "INSERT INTO death (name, byondkey, job, special, pod, tod, laname, lakey, gender, bruteloss, fireloss, brainloss, oxyloss) VALUES ('[sqlname]', '[sqlkey]', '[sqljob]', '[sqlspecial]', '[sqlpod]', '[sqltime]', '[laname]', '[lakey]', '[H.gender]', [H.bruteloss], [H.getFireLoss()], [H.brainloss], [H.getOxyLoss()])" diff --git a/code/game/magic/library.dm b/code/game/magic/library.dm index 4cdef6e855..416a473108 100644 --- a/code/game/magic/library.dm +++ b/code/game/magic/library.dm @@ -50,6 +50,12 @@ // - Books shouldn't print straight from the library computer. Make it synch with a machine like the book binder to print instead. This should consume some sort of resource. +// Run all strings to be used in an SQL query through this proc first to properly escape out injection attempts. +/proc/sanitizeSQL(var/t as text) + var/sanitized_text = dd_replacetext(t, "'", "\\'") + sanitized_text = dd_replacetext(sanitized_text, "\"", "\\\"") + return sanitized_text + /obj/structure/bookcase