From 5ae0ef7021380552883669db8637805e0f1ebb60 Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Tue, 22 Oct 2019 12:57:21 -0600 Subject: [PATCH 01/38] Add sanitization to the $catid vars --- includes/category-management/index.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/includes/category-management/index.php b/includes/category-management/index.php index f88abc6c..99170b56 100644 --- a/includes/category-management/index.php +++ b/includes/category-management/index.php @@ -20,18 +20,18 @@ function event_espresso_categories_config_mnu() { while (list($key, $value) = each($_POST['checkbox'])): $del_id = $key; //Delete category data - $sql = "DELETE FROM " . EVENTS_CATEGORY_TABLE . " WHERE id='$del_id'"; + $sql = "DELETE FROM " . EVENTS_CATEGORY_TABLE . " WHERE id='" . (int)$del_id . "'"; $wpdb->query($sql); - $sql = "DELETE FROM " . EVENTS_CATEGORY_REL_TABLE . " WHERE cat_id='$del_id'"; + $sql = "DELETE FROM " . EVENTS_CATEGORY_REL_TABLE . " WHERE cat_id='" . (int)$del_id . "'"; $wpdb->query($sql); endwhile; } if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete_category') { //Delete discount data - $sql = "DELETE FROM " . EVENTS_CATEGORY_TABLE . " WHERE id='" . $_REQUEST['id'] . "'"; + $sql = "DELETE FROM " . EVENTS_CATEGORY_TABLE . " WHERE id='" . (int)$_REQUEST['id'] . "'"; $wpdb->query($sql); - $sql = "DELETE FROM " . EVENTS_CATEGORY_REL_TABLE . " WHERE cat_id='" . $_REQUEST['id'] . "'"; + $sql = "DELETE FROM " . EVENTS_CATEGORY_REL_TABLE . " WHERE cat_id='" . (int)$_REQUEST['id'] . "'"; $wpdb->query($sql); } ?> From 46de0b037b816780266850c5097a685e255a999f Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Tue, 22 Oct 2019 14:00:35 -0600 Subject: [PATCH 02/38] Sanitizing the POST and REQUEST fields --- .../admin-reports/edit_attendee_record.php | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) 
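Review bot: The `(int)` casts on `$del_id` and `$_REQUEST['id']` do close the injection in these four DELETE statements, but the queries are still string-built and passed to `$wpdb->query()`, while the rest of the series uses `$wpdb->prepare()`; binding with `%d` gives the same integer coercion and keeps the escaping in one place, e.g. `$wpdb->query( $wpdb->prepare( "DELETE FROM " . EVENTS_CATEGORY_TABLE . " WHERE id = %d", $del_id ));`. The `while (list($key, $value) = each($_POST['checkbox']))` loop the hunk keeps relies on `each()`, which is deprecated since PHP 7.2 and removed in 8.0, so `foreach ( array_keys( $_POST['checkbox'] ) as $del_id )` would be the safer form. Nothing in the hunk shows a capability or nonce check guarding either delete path; the function starts above the hunk, so it may well be there, but it is worth confirming.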
diff --git a/includes/admin-reports/edit_attendee_record.php b/includes/admin-reports/edit_attendee_record.php index 82221445..79769ddb 100644 --- a/includes/admin-reports/edit_attendee_record.php +++ b/includes/admin-reports/edit_attendee_record.php @@ -27,7 +27,7 @@ function edit_attendee_record() { if ($_REQUEST['form_action'] == 'edit_attendee') { $id = isset($_REQUEST['id']) ? absint( $_REQUEST['id'] ) : ''; - $registration_id = isset($_REQUEST['registration_id']) ? ee_sanitize_value( $_REQUEST['registration_id'] ) : ''; + $registration_id = isset($_REQUEST['registration_id']) ? sanitize_text_field($_REQUEST['registration_id']) : ''; $multi_reg = FALSE; // check for multi reg, additional attendees, and verify reg id for primary attendee @@ -61,7 +61,7 @@ function edit_attendee_record() { //wp_die( $failed_nonce_msg ); } - $upd_price = (float)number_format( abs( ee_sanitize_value( $_REQUEST['final_price'] )), 2, '.', '' ); + $upd_price = (float)number_format( abs( sanitize_text_field( $_REQUEST['final_price'] )), 2, '.', '' ); $upd_qty = absint( $_REQUEST['quantity'] ); $set_cols_and_values = array( @@ -81,7 +81,7 @@ function edit_attendee_record() { // now we need to gather all the ticket prices for all attendees for the entire registraion and calculate a new total cost $upd_total = 0; $SQL = "SELECT payment_status, amount_pd, final_price, quantity, is_primary FROM " . EVENTS_ATTENDEE_TABLE . " WHERE registration_id = %s"; - if ( $attendee_tickets = $wpdb->get_results( $wpdb->prepare( $SQL, $registration_id ))) { + if ( $attendee_tickets = $wpdb->get_results( $wpdb->prepare( $SQL, sanitize_text_field($registration_id) ))) { // loop thru tickets foreach ( $attendee_tickets as $attendee_ticket ) { // calculate total for each attendee and add to total cost 
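Review bot: In the `@@ -61` hunk, `abs( sanitize_text_field( $_REQUEST['final_price'] ))` hands a string to `abs()`; a non-numeric value such as `$12.50` is left untouched by `sanitize_text_field()` and then raises a warning and yields `NULL` on PHP 7, and a `TypeError` on PHP 8, before `number_format()` ever runs. Coerce to a number first, `$upd_price = (float)number_format( abs( (float) sanitize_text_field( $_REQUEST['final_price'] )), 2, '.', '' );`, or reuse the `preg_replace('/[^0-9\.]/ui', '', …)` normalisation that `insert_event.php` applies to prices later in this series. The `@@ -27` and `@@ -81` hunks share this file and `edit_attendee_record()` begins above the first of them.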
@@ -166,14 +166,14 @@ function edit_attendee_record() { // get id's for all attendees from this registration $SQL = "SELECT id from " . EVENTS_ATTENDEE_TABLE . " WHERE registration_id = %s"; - $attendees = $wpdb->query( $wpdb->prepare( $SQL, $registration_id )); + $attendees = $wpdb->query( $wpdb->prepare( $SQL, sanitize_text_field($registration_id) )); if ( $attendees === FALSE ) { $notifications['error'][] = __('An error occured while attempting to retrieve additional attendee data from the database.', 'event_espresso'); } else { // update quantities for attendees $SQL = " UPDATE " . EVENTS_ATTENDEE_TABLE . " SET quantity = IF(quantity IS NULL ,NULL,IF(quantity > 0,IF(quantity-1>0,quantity-1,1),0)) "; $SQL .= "WHERE registration_id =%s"; - if ( $wpdb->query( $wpdb->prepare( $SQL, $registration_id )) === FALSE ) { + if ( $wpdb->query( $wpdb->prepare( $SQL, sanitize_text_field($registration_id) )) === FALSE ) { $notifications['error'][] = __('An error occured while attempting to update additional attendee ticket quantities.', 'event_espresso'); } event_espresso_cleanup_multi_event_registration_id_group_data(); 
@@ -196,23 +196,23 @@ function edit_attendee_record() { } //Update the price_option_type - do_action('action_hook_espresso_save_attendee_meta', $id, 'price_option_type', isset($_POST['price_option_type']) && !empty($_POST['price_option_type']) ? ee_sanitize_value($_POST['price_option_type']) : 'DEFAULT'); + do_action('action_hook_espresso_save_attendee_meta', $id, 'price_option_type', isset($_POST['price_option_type']) && !empty($_POST['price_option_type']) ? sanitize_text_field($_POST['price_option_type']) : 'DEFAULT'); //Move attendee do_action('action_hook_espresso_attendee_mover_move'); - $event_id = isset($_POST['event_id']) ? $_POST['event_id'] : ''; - $txn_type = isset($_POST['txn_type']) ? $_POST['txn_type'] : ''; + $event_id = isset($_POST['event_id']) ? sanitize_text_field($_POST['event_id']) : ''; + $txn_type = isset($_POST['txn_type']) ? sanitize_text_field($_POST['txn_type']) : ''; $cols_and_values = array( - 'fname' => isset($_POST['fname']) ? ee_sanitize_value($_POST['fname']) : '', - 'lname' => isset($_POST['lname']) ? ee_sanitize_value($_POST['lname']) : '', - 'address' => isset($_POST['address']) ? ee_sanitize_value($_POST['address']) : '', - 'address2' => isset($_POST['address2']) ? ee_sanitize_value($_POST['address2']) : '', - 'city' => isset($_POST['city']) ? ee_sanitize_value($_POST['city']) : '', - 'state' => isset($_POST['state']) ? ee_sanitize_value($_POST['state']) : '', - 'zip' => isset($_POST['zip']) ? ee_sanitize_value($_POST['zip']) : '', - 'phone' => isset($_POST['phone']) ? ee_sanitize_value($_POST['phone']) : '', + 'fname' => isset($_POST['fname']) ? sanitize_text_field($_POST['fname']) : '', + 'lname' => isset($_POST['lname']) ? sanitize_text_field($_POST['lname']) : '', + 'address' => isset($_POST['address']) ? sanitize_text_field($_POST['address']) : '', + 'address2' => isset($_POST['address2']) ? sanitize_text_field($_POST['address2']) : '', + 'city' => isset($_POST['city']) ? 
sanitize_text_field($_POST['city']) : '', + 'state' => isset($_POST['state']) ? sanitize_text_field($_POST['state']) : '', + 'zip' => isset($_POST['zip']) ? sanitize_text_field($_POST['zip']) : '', + 'phone' => isset($_POST['phone']) ? sanitize_text_field($_POST['phone']) : '', 'email' => isset($_POST['email']) ? sanitize_email($_POST['email']) : '' ); $cols_and_values_format = array( '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' ); @@ -347,7 +347,7 @@ function edit_attendee_record() { } $post_val = apply_filters( 'filter_hook_espresso_admin_question_response', $post_val, $question ); - $post_val = ee_sanitize_value( stripslashes( $post_val )); + $post_val = sanitize_text_field( stripslashes( $post_val )); break; case "MULTIPLE" : @@ -357,7 +357,7 @@ function edit_attendee_record() { $pval = apply_filters( 'filter_hook_espresso_admin_question_response', trim( $_POST[ $question->question_type . '_' . $question->q_id ][$i] ), $question ); $post_val .= $pval . ","; } - $post_val = ee_sanitize_value( substr( stripslashes( $post_val ), 0, -1 )); + $post_val = sanitize_text_field( substr( stripslashes( $post_val ), 0, -1 )); break; } 
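Review bot: In the `@@ -196` hunk, `$event_id = isset($_POST['event_id']) ? sanitize_text_field($_POST['event_id']) : '';` treats an id as free text, while the same file's `@@ -27` hunk already uses `absint( $_REQUEST['id'] )` for ids; `sanitize_text_field()` still lets through values like `12abc` that are not valid ids. Use `absint($_POST['event_id'])` here for consistency with `$id`, and keep `sanitize_text_field()` for `txn_type` and the address fields. This hunk is split across two physical lines here and `edit_attendee_record()` continues on both sides of it.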
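Review bot: In the `@@ -347` and `@@ -357` hunks, `sanitize_text_field( stripslashes( $post_val ))` also collapses line breaks and runs of whitespace, so if the `case` at `@@ -347` is the one that handles free-text or textarea answers (the other `case` labels are outside the hunk, so this is inferred), multi-line responses will be flattened on save. `sanitize_textarea_field()` applies the same tag and octet stripping but preserves newlines, e.g. `$post_val = sanitize_textarea_field( stripslashes( $post_val ));`. The `MULTIPLE` branch at `@@ -357` joins single values with commas, so `sanitize_text_field()` is fine there.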
@@ -414,17 +414,17 @@ function edit_attendee_record() { // are we looking for an additional attendee ? if ( isset( $_REQUEST['attendee_num'] ) && $_REQUEST['attendee_num'] > 1 && isset( $_REQUEST['id'] )) { $SQL .= "WHERE att.id = %d"; - $attendees = $wpdb->get_results( $wpdb->prepare( $SQL, ee_sanitize_value( $_REQUEST['id'] ) )); + $attendees = $wpdb->get_results( $wpdb->prepare( $SQL, sanitize_text_field($_REQUEST['id']) )); } else { // check for multi reg & additional attendees by first finding primary attendee $SQL2 = "SELECT primary_registration_id FROM " . EVENTS_MULTI_EVENT_REGISTRATION_ID_GROUP_TABLE . " WHERE registration_id = %s"; - if ( $primary_registration_id = $wpdb->get_var( $wpdb->prepare( $SQL2, ee_sanitize_value( $_REQUEST['registration_id'] )))) { + if ( $primary_registration_id = $wpdb->get_var( $wpdb->prepare( $SQL2, sanitize_text_field( $_REQUEST['registration_id'] )))) { // now find all registrations $SQL3 = "SELECT registration_id FROM " . EVENTS_MULTI_EVENT_REGISTRATION_ID_GROUP_TABLE . " WHERE primary_registration_id = %s"; $reg_ids = $wpdb->get_col( $wpdb->prepare( $SQL3, $primary_registration_id )); $reg_ids = "'" . implode("','", $reg_ids) . "'"; } else { - $reg_ids = "'" . ee_sanitize_value( $_REQUEST['registration_id'] ) . "'"; + $reg_ids = "'" . sanitize_text_field( $_REQUEST['registration_id'] ) . "'"; } $SQL .= " WHERE registration_id IN ( $reg_ids ) ORDER BY att.id"; $attendees = $wpdb->get_results( $SQL ); From 3b944deb447a3455a686907050dfb328fb226c62 Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Tue, 22 Oct 2019 14:42:56 -0600 Subject: [PATCH 03/38] Sanitize post and request fields --- .../admin-reports/enter_attendee_payments.php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/includes/admin-reports/enter_attendee_payments.php b/includes/admin-reports/enter_attendee_payments.php index 1a7987b9..707099e7 100644 --- a/includes/admin-reports/enter_attendee_payments.php 
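Review bot: The `IN ( $reg_ids )` clause at the end of the hunk is still string-built and run through `$wpdb->get_results( $SQL )` without `prepare()`, so the added `sanitize_text_field()` on `$_REQUEST['registration_id']` does not provide SQL escaping (it strips tags and control characters but leaves quotes in place), and the ids read back via `get_col()` are interpolated unescaped as well. Both branches should leave `$reg_ids` as an array and the query should be bound with one `%s` placeholder per id, which means dropping the `implode("','", $reg_ids)` line in the first branch; note that `prepare()` will then also interpret any literal `%` in the part of `$SQL` built above this hunk, which I cannot see here. `edit_attendee_record()` continues past the end of the hunk, and an empty `$reg_ids` array would still need a guard before the placeholder list is built.
```php
        // … unchanged: $SQL2 primary-registration lookup and $SQL3 get_col() …
        } else {
            $reg_ids = array( sanitize_text_field( $_REQUEST['registration_id'] ) );
        }
        // one %s per id so prepare() escapes every value, including those read back from the DB
        $placeholders = implode( ', ', array_fill( 0, count( $reg_ids ), '%s' ));
        $SQL .= " WHERE registration_id IN ( $placeholders ) ORDER BY att.id";
        $attendees = $wpdb->get_results( $wpdb->prepare( $SQL, $reg_ids ));
```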
+++ b/includes/admin-reports/enter_attendee_payments.php 
@@ -57,14 +57,14 @@ function enter_attendee_payments() { $notifications['error'][] = __('An error occured. The primary attendee details could not be retrieved from the database.', 'event_espresso'); } else { - $txn_type = !empty($_POST[ 'txn_type' ]) ? $_POST[ 'txn_type' ] : apply_filters('filter_hook_event_espresso_enter_attendee_payments_remove_require_txn_type', FALSE); - $txn_id = !empty($_POST[ 'txn_id' ]) ? $_POST[ 'txn_id' ] : apply_filters('filter_hook_event_espresso_enter_attendee_payments_remove_require_txn_id', FALSE); + $txn_type = !empty($_POST[ 'txn_type' ]) ? sanitize_text_field($_POST[ 'txn_type' ]) : apply_filters('filter_hook_event_espresso_enter_attendee_payments_remove_require_txn_type', FALSE); + $txn_id = !empty($_POST[ 'txn_id' ]) ? sanitize_text_field($_POST[ 'txn_id' ]) : apply_filters('filter_hook_event_espresso_enter_attendee_payments_remove_require_txn_id', FALSE); $payment_date = !empty($_POST[ 'payment_date' ]) ? date_i18n( get_option('date_format'), strtotime( $_POST[ 'payment_date' ] )) : FALSE; - $coupon_code = isset($_POST[ 'coupon_code' ]) ? $_POST[ 'coupon_code' ] : ''; + $coupon_code = isset($_POST[ 'coupon_code' ]) ? sanitize_text_field($_POST[ 'coupon_code' ]) : ''; $total_owing = isset($_POST[ 'total_owing' ]) ? (float)number_format( sanitize_text_field( $_POST[ 'total_owing' ] ), 2, '.', '' ) : 0.00; $amount_pd = isset($_POST[ 'amount_pd' ]) ? (float)number_format( sanitize_text_field( $_POST[ 'amount_pd' ] ), 2, '.', '' ) : 0.00; $new_payment = isset($_POST[ 'new_payment' ]) && $_POST[ 'new_payment' ] != '' ? (float)number_format( sanitize_text_field( $_POST[ 'new_payment' ] ), 2, '.', '' ) : 0.00; - $upd_payment_status = isset($_POST[ 'payment_status' ]) ? $_POST[ 'payment_status' ] : 'Pending'; + $upd_payment_status = isset($_POST[ 'payment_status' ]) ? sanitize_text_field($_POST[ 'payment_status' ]) : 'Pending'; // if making a payment, we are going to require the txn type and txn id if ( $new_payment != 0.00 ) { 
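Review bot: `$payment_date` in the middle of this hunk is the one field the commit leaves untouched, and it has a silent failure mode: `strtotime()` returns `false` for anything it cannot parse and `date_i18n()` then substitutes the current time, so a mistyped date is recorded as today without any error. Split the parse from the formatting and check it, e.g. `$payment_ts = !empty($_POST['payment_date']) ? strtotime( sanitize_text_field( $_POST['payment_date'] )) : FALSE;` followed by `$payment_date = $payment_ts !== FALSE ? date_i18n( get_option('date_format'), $payment_ts ) : FALSE;`, and surface the `false` case in `$notifications['error']`. `$upd_payment_status` is now sanitized but still not checked against the set of statuses the code actually recognises; an `in_array( …, $known_statuses, true )` check before it reaches the UPDATE would make the `'Pending'` default the only fallback.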
@@ -158,7 +158,7 @@ function enter_attendee_payments() { } //Send Payment Recieved Email - $send_payment_rec = isset( $_POST[ 'send_payment_rec' ] ) ? $_POST[ 'send_payment_rec' ] : FALSE; + $send_payment_rec = isset( $_POST[ 'send_payment_rec' ] ) ? sanitize_text_field($_POST[ 'send_payment_rec' ]) : FALSE; if ( $send_payment_rec == "send_message" ) { //event_espresso_send_payment_notification( $id ); if ( count($attendees_to_email) > 0 ) { @@ -197,7 +197,7 @@ function enter_attendee_payments() { if ( $org_options["use_attendee_pre_approval"] == "Y" ) { - $pre_approve = $_POST['pre_approve']; + $pre_approve = sanitize_text_field($_POST['pre_approve']); if ( count($registration_ids) > 0 ) { foreach($registration_ids as $reg_id) { $SQL = "UPDATE " . EVENTS_ATTENDEE_TABLE . " SET pre_approve = %s WHERE registration_id = %s"; @@ -231,12 +231,12 @@ function enter_attendee_payments() { } foreach ( $reg_attendees as $reg_attendee ){ - event_espresso_send_invoice( $reg_attendee->registration_id, $_POST[ 'invoice_subject' ], $_POST[ 'invoice_message' ] ); + event_espresso_send_invoice( $reg_attendee->registration_id, sanitize_text_field($_POST[ 'invoice_subject' ]), sanitize_text_field($_POST[ 'invoice_message' ]) ); } } else { - event_espresso_send_invoice( $registration_id , $_POST[ 'invoice_subject' ], $_POST[ 'invoice_message' ] ); + event_espresso_send_invoice( $registration_id , sanitize_text_field($_POST[ 'invoice_subject' ]), sanitize_text_field($_POST[ 'invoice_message' ]) ); } $notifications['success'][] = __('Invoice Sent.', 'event_espresso'); From 45268d260e8cbf415ffd0dbba16c94f441eee4f0 Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Wed, 23 Oct 2019 05:58:12 -0600 Subject: [PATCH 04/38] Add sanitization to request and post fields. Fixed a bug in the time_qty field. --- includes/event-management/add_to_calendar.php | 4 +- includes/event-management/insert_event.php | 50 ++++++++++--------- 2 files changed, 28 insertions(+), 26 deletions(-) 
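Review bot: In the `@@ -197` hunk, `$pre_approve = sanitize_text_field($_POST['pre_approve']);` reads the key without an `isset()` guard, unlike every other field touched in this commit, so a request without that field raises an undefined-index notice and writes the empty string into `pre_approve` for every registration in the loop; it should be `isset( $_POST['pre_approve'] ) ? sanitize_text_field( $_POST['pre_approve'] ) : <the column's not-approved value>`. In the `@@ -231` hunk, `sanitize_text_field($_POST[ 'invoice_message' ])` strips the line breaks from what is presumably a multi-line message body; `sanitize_textarea_field()` keeps them while still removing tags and control characters. `enter_attendee_payments()` starts above and ends below these hunks.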
diff --git a/includes/event-management/add_to_calendar.php b/includes/event-management/add_to_calendar.php index e23b8cca..fa9926d7 100644 --- a/includes/event-management/add_to_calendar.php +++ b/includes/event-management/add_to_calendar.php @@ -1,7 +1,7 @@ get_results("SELECT * FROM " . get_option('events_detail_tbl') . " WHERE id =" . $event_id); @@ -13,7 +13,7 @@ function add_to_calendar(){ $end_date = $result->end_date; $start_time = $result->start_time; $end_time = $result->end_time; - $calendar_category = $_REQUEST['calendar_category']; + $calendar_category = absint( $_REQUEST['calendar_category' ); $linky = home_url().'/?page_id=' . $org_options['event_page_id'] . '®event_action=register&event_id=' . $event_id . '&name_of_event=' . $event_name; $sql = "INSERT INTO " . WP_CALENDAR_TABLE . " SET event_title='" . mysql_escape_string($event_name) diff --git a/includes/event-management/insert_event.php b/includes/event-management/insert_event.php index f3f3fd94..e47e6f9e 100644 --- a/includes/event-management/insert_event.php +++ b/includes/event-management/insert_event.php 
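Review bot: The new line in the `@@ -13` hunk, `$calendar_category = absint( $_REQUEST['calendar_category' );`, is missing the closing `]` and is a parse error, so `add_to_calendar.php` will fail to load entirely; it should read `$calendar_category = absint( $_REQUEST['calendar_category'] );`. The same hunk still builds the INSERT with `mysql_escape_string()`, which was removed in PHP 7.0, and the `@@ -1` hunk (which appears truncated in this view) interpolates `$event_id` straight into a `WHERE id =` clause; both would be better served by `$wpdb->insert()` and `$wpdb->prepare()`. `add_to_calendar()` continues below the hunk.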
@@ -53,11 +53,11 @@ function add_event_to_db($recurrence_arr = array()) { 'frequency' => sanitize_text_field($_POST['recurrence_frequency']), 'interval' => sanitize_text_field($_POST['recurrence_interval']), 'type' => sanitize_text_field($_POST['recurrence_type']), - 'weekdays' => isset($_POST['recurrence_weekday']) ? $_POST['recurrence_weekday'] : '', - 'repeat_by' => $_POST['recurrence_repeat_by'], - 'recurrence_regis_date_increment' => $_POST['recurrence_regis_date_increment'], - 'recurrence_manual_dates' => $_POST['recurrence_manual_dates'], - 'recurrence_manual_end_dates' => $_POST['recurrence_manual_end_dates'], + 'weekdays' => isset($_POST['recurrence_weekday']) ? sanitize_text_field($_POST['recurrence_weekday']) : '', + 'repeat_by' => sanitize_text_field($_POST['recurrence_repeat_by']), + 'recurrence_regis_date_increment' => sanitize_text_field($_POST['recurrence_regis_date_increment']), + 'recurrence_manual_dates' => sanitize_text_field($_POST['recurrence_manual_dates']), + 'recurrence_manual_end_dates' => sanitize_text_field($_POST['recurrence_manual_end_dates']), 'recurrence_id' => $recurrence_id, 'adding_to_db' => 'Y' ); @@ -76,7 +76,7 @@ function add_event_to_db($recurrence_arr = array()) { //Filters the event description based on user level $user_access = apply_filters( 'filter_hook_espresso_event_unfiltered_description', current_user_can('administrator') ); - $_REQUEST['event_desc'] = is_admin() || $user_access ? $_REQUEST['event_desc'] : apply_filters( 'filter_hook_espresso_event_wp_kses_post_description', wp_kses_post( $_REQUEST['event_desc'] ) ); + $_REQUEST['event_desc'] = is_admin() || $user_access ? sanitize_text_field($_REQUEST['event_desc']) : apply_filters( 'filter_hook_espresso_event_wp_kses_post_description', wp_kses_post( $_REQUEST['event_desc'] ) ); $event_code = uniqid($current_user->ID . '-'); $event_name = !empty($_REQUEST['event']) ? sanitize_text_field($_REQUEST['event']) : $event_code; 
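Review bot: In the `@@ -53` hunk, `'recurrence_manual_end_dates' => sanitize_text_field($_POST['recurrence_manual_end_dates'])` is applied to a value that the same function later indexes as an array (`$_REQUEST['recurrence_manual_end_dates'][count(…) - 1]` in the `@@ -204` hunk), and `sanitize_text_field()` does not accept arrays: it returns an empty string rather than sanitizing the entries, so the manual end dates are dropped on save. `recurrence_manual_dates` and `recurrence_weekday` very likely have the same shape, though that is inferred from the names. Sanitize element-wise instead, e.g. `'recurrence_manual_end_dates' => array_map( 'sanitize_text_field', (array) $_POST['recurrence_manual_end_dates'] ),`, and apply the same to the other two; `add_event_to_db()` starts above this hunk.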
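Review bot: The `@@ -76` hunk inverts the intended trust model: trusted users (`is_admin() || $user_access`) now get `sanitize_text_field()`, which strips every HTML tag from the event description, while untrusted users keep rich content through `wp_kses_post()`, so the privileged path is the stricter one and the description loses its markup. If trusted users are meant to keep HTML, keep the old pass-through for them (or gate it on `current_user_can('unfiltered_html')`) and use `wp_kses_post()` for everyone else; `sanitize_text_field()` is the wrong tool for a field that holds HTML. The same `sanitize_text_field($_REQUEST['event_desc'])` appears in the `@@ -85` hunk of this file and in the `@@ -192` hunk of `update_event.php` later in the series.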
@@ -85,15 +85,15 @@ function add_event_to_db($recurrence_arr = array()) { }else{ $event_identifier = sanitize_title_with_dashes($_REQUEST['event_identifier']) . $event_code; } - $event_desc = !empty($_REQUEST['event_desc']) ? $_REQUEST['event_desc'] : ''; + $event_desc = !empty($_REQUEST['event_desc']) ? sanitize_text_field($_REQUEST['event_desc']) : ''; $display_desc = !empty($_REQUEST['display_desc']) ? sanitize_text_field($_REQUEST['display_desc']) : 'Y'; $display_reg_form = !empty($_REQUEST['display_reg_form']) ? sanitize_text_field($_REQUEST['display_reg_form']) : 'Y'; $externalURL = isset($_REQUEST['externalURL']) ? sanitize_text_field($_REQUEST['externalURL']) : ''; $post_type = !empty($_REQUEST['espresso_post_type']) ? sanitize_text_field($_REQUEST['espresso_post_type']) : ''; - $reg_limit = !empty($_REQUEST['reg_limit']) ? sanitize_text_field($_REQUEST['reg_limit']) : '999999'; + $reg_limit = !empty($_REQUEST['reg_limit']) ? absint($_REQUEST['reg_limit']) : '999999'; $_REQUEST['reg_limit'] = $reg_limit; $allow_multiple = !empty($_REQUEST['allow_multiple']) ? sanitize_text_field($_REQUEST['allow_multiple']) : 'N'; - $additional_limit = !empty($_REQUEST['additional_limit']) && $_REQUEST['additional_limit'] > 0 ? sanitize_text_field($_REQUEST['additional_limit']) : '5'; + $additional_limit = !empty($_REQUEST['additional_limit']) && $_REQUEST['additional_limit'] > 0 ? absint($_REQUEST['additional_limit']) : '5'; $_REQUEST['additional_limit'] = $additional_limit; $member_only = !empty($_REQUEST['member_only']) ? sanitize_text_field($_REQUEST['member_only']) : 'N'; $is_active = !empty($_REQUEST['is_active']) ? sanitize_text_field($_REQUEST['is_active']) : 'Y'; 
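Review bot: `$reg_limit = !empty($_REQUEST['reg_limit']) ? absint($_REQUEST['reg_limit']) : '999999';` now yields an `int` on one branch and the string `'999999'` on the other, and `absint()` turns a non-numeric value such as `ten` (which passes `!empty()`) into `0`, which presumably records a registration limit of zero rather than the default. Use integer defaults and fall back when the cast yields zero, e.g. `$reg_limit = absint( $_REQUEST['reg_limit'] ) > 0 ? absint( $_REQUEST['reg_limit'] ) : 999999;`, and the same for `$additional_limit` with `5`. Whether a zero limit closes the event depends on code outside this hunk, so that part is inferred.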
@@ -178,8 +178,8 @@ function add_event_to_db($recurrence_arr = array()) { $registration_endT = event_date_display($_REQUEST['registration_endT'], 'H:i'); $_REQUEST['registration_start'] = !empty($_REQUEST['registration_start']) ? sanitize_text_field($_REQUEST['registration_start']) : date('Y-m-d'); $_REQUEST['registration_end'] = !empty($_REQUEST['registration_end']) ? sanitize_text_field($_REQUEST['registration_end']) : date('Y-m-d',time() + (60 * 60 * 24 * 29)); - $registration_start = array_key_exists('registration_start', $recurrence_arr) ? $recurrence_arr['registration_start'] : $_REQUEST['registration_start']; - $registration_end = array_key_exists('registration_end', $recurrence_arr) ? $recurrence_arr['registration_end'] : $_REQUEST['registration_end']; + $registration_start = array_key_exists('registration_start', $recurrence_arr) ? $recurrence_arr['registration_start'] : sanitize_text_field($_REQUEST['registration_start']); + $registration_end = array_key_exists('registration_end', $recurrence_arr) ? $recurrence_arr['registration_end'] : sanitize_text_field($_REQUEST['registration_end']); //Check which start/end date to use. Will be determined by recurring events addon, if installed. if (array_key_exists('recurrence_start_date', $recurrence_arr)) { 
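Review bot: The two changed lines re-wrap `$_REQUEST['registration_start']` and `$_REQUEST['registration_end']` in `sanitize_text_field()` immediately after the two context lines above have already written the sanitized values back into those same keys, so the added calls are no-ops. Sanitizing once into a local and using that local in both places reads more clearly, e.g. `$registration_start = !empty($_REQUEST['registration_start']) ? sanitize_text_field($_REQUEST['registration_start']) : date('Y-m-d');` followed by `$_REQUEST['registration_start'] = $registration_start;`. The `registration_endT` line at the top of the hunk is the one input here that still reaches `event_date_display()` raw.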
@@ -204,12 +204,12 @@ function add_event_to_db($recurrence_arr = array()) { } elseif ( !empty($_REQUEST['end_date']) && !empty($_REQUEST['recurrence_event_end_date']) ) { //If they leave the Event Start Date empty, the First Event Date in the recurrence module is selected - $end_date = $_REQUEST['recurrence_event_end_date']; + $end_date = sanitize_text_field($_REQUEST['recurrence_event_end_date']); } elseif (isset($_POST['recurrence']) && $_POST['recurrence'] == 'Y' && !empty($_REQUEST['end_date']) ) { $end_date = $_REQUEST['recurrence_manual_end_dates'][count($_REQUEST['recurrence_manual_end_dates']) - 1]; } else { - $end_date = !empty($_REQUEST['end_date']) ? $_REQUEST['end_date'] : date('Y-m-d',time() + (60 * 60 * 24 * 30)); + $end_date = !empty($_REQUEST['end_date']) ? sanitize_text_field($_REQUEST['end_date']) : date('Y-m-d',time() + (60 * 60 * 24 * 30)); } $_REQUEST['end_date'] = $end_date; @@ -219,7 +219,7 @@ function add_event_to_db($recurrence_arr = array()) { $visible_on = $recurrence_arr['visible_on']; } elseif (isset($_REQUEST['visible_on']) && $_REQUEST['visible_on'] != '') { - $visible_on = $_REQUEST['visible_on']; + $visible_on = sanitize_text_field($_REQUEST['visible_on']); } elseif (isset($_REQUEST['visible_on']) && $_REQUEST['visible_on'] == '' && count($recurrence_dates) > 0) { $visible_on = $recurrence_dates[$start_date]['visible_on']; } else { 
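Review bot: In the `@@ -204` hunk the middle `elseif` branch, `$end_date = $_REQUEST['recurrence_manual_end_dates'][count($_REQUEST['recurrence_manual_end_dates']) - 1];`, is the only one of the three assignments left unsanitized, and its `count()` call raises a `TypeError` on PHP 8 (a warning on 7.2+) if the field arrives as a scalar. Wrap the value, `$end_date = sanitize_text_field( $_REQUEST['recurrence_manual_end_dates'][count($_REQUEST['recurrence_manual_end_dates']) - 1] );`, and add `is_array( $_REQUEST['recurrence_manual_end_dates'] )` to the `elseif` condition. The `@@ -219` hunk's `visible_on` change is fine.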
@@ -228,10 +228,10 @@ function add_event_to_db($recurrence_arr = array()) { //Questions/question groups $question_groups = empty($_REQUEST['question_groups']) ? serialize(array(1)) : serialize($_REQUEST['question_groups']); - $add_attendee_question_groups = empty($_REQUEST['add_attendee_question_groups']) ? '' : $_REQUEST['add_attendee_question_groups']; + $add_attendee_question_groups = empty($_REQUEST['add_attendee_question_groups']) ? '' : sanitize_text_field($_REQUEST['add_attendee_question_groups']); //Process event meta data - $event_meta['venue_id'] = isset($_REQUEST['venue_id']) ? $_REQUEST['venue_id'][0] : 0; + $event_meta['venue_id'] = isset($_REQUEST['venue_id']) ? sanitize_text_field($_REQUEST['venue_id'][0]) : 0; $event_meta['additional_attendee_reg_info'] = !empty($_REQUEST['additional_attendee_reg_info']) ? sanitize_text_field($_REQUEST['additional_attendee_reg_info']) : '2'; $event_meta['add_attendee_question_groups'] = $add_attendee_question_groups; $event_meta['date_submitted'] = date("Y-m-d H:i:s"); @@ -356,7 +356,7 @@ function add_event_to_db($recurrence_arr = array()) { //Added for seating chart addon if ( isset($_REQUEST['seating_chart_id']) ){ $cls_seating_chart = new seating_chart(); - $cls_seating_chart->associate_event_seating_chart($_REQUEST['seating_chart_id'],$last_event_id); + $cls_seating_chart->associate_event_seating_chart(sanitize_text_field($_REQUEST['seating_chart_id']),$last_event_id); } //Add event to a category 
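Review bot: `$event_meta['venue_id'] = isset($_REQUEST['venue_id']) ? sanitize_text_field($_REQUEST['venue_id'][0]) : 0;` in the `@@ -228` hunk and `associate_event_seating_chart(sanitize_text_field($_REQUEST['seating_chart_id']), …)` in the `@@ -356` hunk both treat integer ids as text; `absint()` is the right filter and matches how the series handles `event_id` and `user`. The `venue_id` line also only checks `isset($_REQUEST['venue_id'])` before indexing `[0]`, so `isset($_REQUEST['venue_id'][0]) ? absint($_REQUEST['venue_id'][0]) : 0` covers both. `add_attendee_question_groups` sits next to `question_groups`, which the preceding line serializes as an array, so if it is submitted as an array too (inferred from the pairing), `sanitize_text_field()` will return an empty string for it.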
@@ -454,7 +454,9 @@ function add_event_to_db($recurrence_arr = array()) { //Process event times if (isset($_REQUEST['start_time']) && !empty($_REQUEST['start_time'])) { foreach ($_REQUEST['start_time'] as $k => $v) { - $time_qty = ( isset( $_REQUEST[ 'time_qty' ] ) && strlen( trim( $_REQUEST['time_qty'][$k] ) ) > 0 )? "'" . $_REQUEST['time_qty'][$k] . "'" : '0' ; + $time_qty = ( isset( $_REQUEST[ 'time_qty' ] ) && strlen( trim( $_REQUEST['time_qty'][$k] ) ) > 0 )? absint($_REQUEST['time_qty'][$k]) : '0' ; + + //print_r($_REQUEST[ 'time_qty' ]) ; $v = !empty($v) ? $v : $start_time; $_REQUEST['end_time'][$k] = !empty($_REQUEST['end_time'][$k]) ? $_REQUEST['end_time'][$k] : $end_time; 
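Review bot: The added `//print_r($_REQUEST[ 'time_qty' ]) ;` is commented-out debugging and should not be committed. On the changed `$time_qty` line the guard only checks `isset( $_REQUEST[ 'time_qty' ] )` and then indexes `[$k]`, so a start time without a matching quantity raises an undefined-index notice before `strlen()` runs; `isset( $_REQUEST['time_qty'][$k] ) && strlen( trim( $_REQUEST['time_qty'][$k] ) ) > 0` closes that. The fallback is still the string `'0'` while `absint()` returns an `int`; since the old value was a quoted SQL literal, whatever consumes `$time_qty` below the hunk presumably interpolates it, so confirm that a bare integer is what it now expects.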
@@ -474,9 +476,9 @@ function add_event_to_db($recurrence_arr = array()) { $v = (float)preg_replace('/[^0-9\.]/ui','',$v);//Removes non-integer characters $price_type = !empty($_REQUEST['price_type'][$k]) ? sanitize_text_field(stripslashes_deep($_REQUEST['price_type'][$k])) : __('General Admission', 'event_espresso'); $member_price_type = !empty($_REQUEST['member_price_type'][$k]) ? sanitize_text_field(stripslashes_deep($_REQUEST['member_price_type'][$k])) : __('Members Admission', 'event_espresso'); - $member_price = !empty($_REQUEST['member_price'][$k]) ? $_REQUEST['member_price'][$k] : $v; + $member_price = !empty($_REQUEST['member_price'][$k]) ? sanitize_text_field($_REQUEST['member_price'][$k]) : $v; - $sql_price = array('event_id' => $last_event_id, 'event_cost' => $v, 'surcharge' => $_REQUEST['surcharge'][$k], 'surcharge_type' => $_REQUEST['surcharge_type'][$k], 'price_type' => $price_type, 'member_price' => $member_price, 'member_price_type' => $member_price_type ); + $sql_price = array('event_id' => $last_event_id, 'event_cost' => $v, 'surcharge' => sanitize_text_field($_REQUEST['surcharge'][$k]), 'surcharge_type' => sanitize_text_field($_REQUEST['surcharge_type'][$k]), 'price_type' => $price_type, 'member_price' => $member_price, 'member_price_type' => $member_price_type ); $sql_price_data = array('%d', '%s', '%s', '%s', '%s', '%s', '%s'); if ( !$wpdb->insert(EVENTS_PRICES_TABLE, $sql_price, $sql_price_data) ) { 
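Review bot: `$member_price = … ? sanitize_text_field($_REQUEST['member_price'][$k]) : $v;` stores a price that is never normalised, whereas `$v` two lines above is cleaned with `(float)preg_replace('/[^0-9\.]/ui','',$v)`; a member price entered as `$25.00` will therefore be saved verbatim while the regular price is not, and the fallback `$v` is a float while the sanitized branch is a string. Apply the same normalisation: `$member_price = !empty($_REQUEST['member_price'][$k]) ? (float)preg_replace('/[^0-9\.]/ui','',$_REQUEST['member_price'][$k]) : $v;`. `$_REQUEST['surcharge'][$k]` and `$_REQUEST['surcharge_type'][$k]` are also read without `isset()`, unlike the other per-row fields in this hunk.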
@@ -496,7 +498,7 @@ function add_event_to_db($recurrence_arr = array()) { //Process blog or custom post if ( isset($_REQUEST['create_post']) && $_REQUEST['create_post'] == 'Y' ) { - $post_type = !empty($_REQUEST['espresso_post_type']) ? $_REQUEST['espresso_post_type'] : 'post'; + $post_type = !empty($_REQUEST['espresso_post_type']) ? sanitize_text_field($_REQUEST['espresso_post_type']) : 'post'; if ($post_type == 'post') { if (file_exists(EVENT_ESPRESSO_TEMPLATE_DIR . "event_post.php") || file_exists(EVENT_ESPRESSO_PLUGINFULLPATH . "templates/event_post.php")) { @@ -525,9 +527,9 @@ function add_event_to_db($recurrence_arr = array()) { $my_post['post_title'] = sanitize_text_field($_REQUEST['event']); $my_post['post_content'] = $post_content; $my_post['post_status'] = 'publish'; - $my_post['post_author'] = !empty($_REQUEST['user']) ? $_REQUEST['user'] : ''; - $my_post['post_category'] = !empty($_REQUEST['post_category']) ? $_REQUEST['post_category'] : ''; - $my_post['tags_input'] = !empty($_REQUEST['post_tags']) ? $_REQUEST['post_tags'] : ''; + $my_post['post_author'] = !empty($_REQUEST['user']) ? absint($_REQUEST['user']) : ''; + $my_post['post_category'] = !empty($_REQUEST['post_category']) ? sanitize_text_field($_REQUEST['post_category']) : ''; + $my_post['tags_input'] = !empty($_REQUEST['post_tags']) ? sanitize_text_field($_REQUEST['post_tags']) : ''; $my_post['post_type'] = !empty($post_type) ? $post_type : 'post'; //print_r($my_post); // Insert the post into the database From 51024e9246c40e843f9c1cf3d4e70687df8002aa Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Wed, 23 Oct 2019 06:49:38 -0600 Subject: [PATCH 05/38] Sanitize request and post fields --- includes/event-management/update_event.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/includes/event-management/update_event.php b/includes/event-management/update_event.php index 9c4678f0..4bf48a0e 100644 --- a/includes/event-management/update_event.php 
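Review bot: In the `@@ -525` hunk, `$my_post['post_category'] = … sanitize_text_field($_REQUEST['post_category'])` is passed to `wp_insert_post()`, which expects `post_category` as an array of category ids; if the form submits it as an array (inferred from that contract), `sanitize_text_field()` returns an empty string and the categories are silently dropped. `array_map( 'absint', (array) $_REQUEST['post_category'] )` keeps the shape and the integer constraint, and `tags_input` accepts a comma-separated string so `sanitize_text_field()` is fine there. In the `@@ -496` hunk `$post_type` is sanitized but not validated; checking `post_type_exists( $post_type )` before use would reject unknown types, and the same applies to the `@@ -607` hunk of `update_event.php`.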
+++ b/includes/event-management/update_event.php @@ -99,7 +99,7 @@ function update_event($recurrence_arr = array()) { //'Soft delete' any events that are not within the current series when using the 'All events in this series' option. if ($delete_in != '') { $DEL_SQL = "UPDATE " . EVENTS_DETAIL_TABLE . " SET event_status = 'D' WHERE start_date NOT IN (" . $delete_in .") AND recurrence_id = %d"; - $wpdb->query($wpdb->prepare($DEL_SQL, $_POST['recurrence_id'])); + $wpdb->query($wpdb->prepare($DEL_SQL, sanitize_text_field($_POST['recurrence_id']))); } /* //Permanently delete events not within the current formula @@ -192,12 +192,12 @@ function update_event($recurrence_arr = array()) { $event_meta = array(); //will be used to hold event meta data $event_id = array_key_exists('event_id', $recurrence_arr) ? $recurrence_arr['event_id'] : (int)$_REQUEST['event_id']; $event_name = sanitize_text_field($_REQUEST['event']); - $event_desc = !empty($_REQUEST['event_desc']) ? $_REQUEST['event_desc'] : ''; + $event_desc = !empty($_REQUEST['event_desc']) ? sanitize_text_field($_REQUEST['event_desc']) : ''; $display_desc = sanitize_text_field($_REQUEST['display_desc']); $display_reg_form = sanitize_text_field($_REQUEST['display_reg_form']); $externalURL = !empty($_REQUEST['externalURL']) ? esc_html($_REQUEST['externalURL']):''; $reg_limit = (int)$_REQUEST['reg_limit']; - $allow_multiple = $_REQUEST['allow_multiple']; + $allow_multiple = sanitize_text_field($_REQUEST['allow_multiple']); $overflow_event_id = (empty($_REQUEST['overflow_event_id'])) ? '0' : (int)$_REQUEST['overflow_event_id']; $allow_overflow = empty($_REQUEST['allow_overflow']) ? 'N' : sanitize_text_field($_REQUEST['allow_overflow']); $additional_limit = !empty($_REQUEST['additional_limit']) && $_REQUEST['additional_limit'] > 0 ? (int)$_REQUEST['additional_limit'] : '5'; 
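Review bot: In the `@@ -99` hunk, `$wpdb->prepare($DEL_SQL, sanitize_text_field($_POST['recurrence_id']))` binds a value to a `%d` placeholder, so `absint($_POST['recurrence_id'])` is the matching filter and is consistent with `(int)$_REQUEST['event_id']` in the `@@ -192` hunk of the same function. That hunk also still stores `esc_html($_REQUEST['externalURL'])`, an output-escaping function applied at input time, which leaves HTML entities in the stored URL; `esc_url_raw()` is the filter meant for persisting URLs. `update_event()` starts above the first hunk and continues below the second.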
@@ -239,11 +239,11 @@ function update_event($recurrence_arr = array()) { $registration_start = array_key_exists('registration_start', $recurrence_arr) ? $recurrence_arr['registration_start'] : sanitize_text_field($_REQUEST['registration_start']); $registration_end = array_key_exists('registration_end', $recurrence_arr) ? $recurrence_arr['registration_end'] : sanitize_text_field($_REQUEST['registration_end']); - $start_date = array_key_exists('recurrence_start_date', $recurrence_arr) ? $recurrence_arr['recurrence_start_date'] : (empty($_REQUEST['start_date']) ? $_REQUEST['recurrence_start_date'] : sanitize_text_field($_REQUEST['start_date'])); + $start_date = array_key_exists('recurrence_start_date', $recurrence_arr) ? $recurrence_arr['recurrence_start_date'] : (empty($_REQUEST['start_date']) ? sanitize_text_field($_REQUEST['recurrence_start_date']) : sanitize_text_field($_REQUEST['start_date'])); $end_date = array_key_exists('recurrence_event_end_date', $recurrence_arr) ? $recurrence_arr['recurrence_event_end_date'] : (empty($_REQUEST['end_date']) ? sanitize_text_field($_REQUEST['recurrence_start_date']) : sanitize_text_field($_REQUEST['end_date'])); $question_groups = serialize($_REQUEST['question_groups']); - $add_attendee_question_groups = empty($_REQUEST['add_attendee_question_groups']) ? '' : $_REQUEST['add_attendee_question_groups']; + $add_attendee_question_groups = empty($_REQUEST['add_attendee_question_groups']) ? '' : sanitize_text_field($_REQUEST['add_attendee_question_groups']); //Venue Information $venue_title = isset($_REQUEST['venue_title']) ? sanitize_text_field($_REQUEST['venue_title']):''; @@ -607,7 +607,7 @@ function update_event($recurrence_arr = array()) { $post_id = $wpdb->last_result[0]->post_id; - $post_type = $_REQUEST['espresso_post_type']; + $post_type = sanitize_text_field($_REQUEST['espresso_post_type']); if ($post_id > 0) $my_post['ID'] = $post_id; From 9ad3ede1db890ec78f25927886c52e55786fd842 Mon Sep 17 00:00:00 2001 
From: sethshoultes Date: Wed, 23 Oct 2019 07:39:20 -0600 Subject: [PATCH 06/38] =?UTF-8?q?What=E2=80=99s=20the=20best=20method=20to?= =?UTF-8?q?=20sanitize=20here=3F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- includes/admin-reports/event_list_attendees.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/admin-reports/event_list_attendees.php b/includes/admin-reports/event_list_attendees.php index f4165ecd..18ffc879 100644 --- a/includes/admin-reports/event_list_attendees.php +++ b/includes/admin-reports/event_list_attendees.php @@ -32,7 +32,7 @@ function event_list_attendees() { $SQL = "DELETE FROM " . EVENTS_ATTENDEE_META_TABLE . " WHERE attendee_id = '%d'"; $wpdb->query($wpdb->prepare($SQL, $att_id)); $SQL = "DELETE FROM " . EVENTS_ANSWER_TABLE . " WHERE attendee_id = '%d'"; - $wpdb->query($wpdb->prepare($SQL, $att_id)); + $wpdb->query($wpdb->prepare($SQL, $att_id)); //What's the best way to sanitize here? //hook for after delete do_action('action_hook_espresso_after_delete_attendee_event_list', $att_id, $EVT_ID); From 0b8563437fbc55c20be3878c5e9cac9d613bb990 Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Wed, 23 Oct 2019 10:03:38 -0600 Subject: [PATCH 07/38] Remove sanitization where not needed. --- includes/admin-reports/edit_attendee_record.php | 10 +++++----- includes/admin-reports/event_list_attendees.php | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/includes/admin-reports/edit_attendee_record.php b/includes/admin-reports/edit_attendee_record.php index 79769ddb..c8219f1d 100644 --- a/includes/admin-reports/edit_attendee_record.php +++ b/includes/admin-reports/edit_attendee_record.php 
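Review bot: The question left in the added comment on the `$wpdb->query($wpdb->prepare($SQL, $att_id));` line is answered by `prepare()` itself: a `%d` placeholder coerces the bound value to an integer, so no extra sanitization of `$att_id` is needed at this point. What is worth changing in the hunk is the quoting of the placeholder, `WHERE attendee_id = '%d'`, which makes the comparison string-typed; `WHERE attendee_id = %d` is the conventional form for both DELETE statements here.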
@@ -81,7 +81,7 @@ function edit_attendee_record() { // now we need to gather all the ticket prices for all attendees for the entire registraion and calculate a new total cost $upd_total = 0; $SQL = "SELECT payment_status, amount_pd, final_price, quantity, is_primary FROM " . EVENTS_ATTENDEE_TABLE . " WHERE registration_id = %s"; - if ( $attendee_tickets = $wpdb->get_results( $wpdb->prepare( $SQL, sanitize_text_field($registration_id) ))) { + if ( $attendee_tickets = $wpdb->get_results( $wpdb->prepare( $SQL, $registration_id ))) { // loop thru tickets foreach ( $attendee_tickets as $attendee_ticket ) { // calculate total for each attendee and add to total cost @@ -166,14 +166,14 @@ function edit_attendee_record() { // get id's for all attendees from this registration $SQL = "SELECT id from " . EVENTS_ATTENDEE_TABLE . " WHERE registration_id = %s"; - $attendees = $wpdb->query( $wpdb->prepare( $SQL, sanitize_text_field($registration_id) )); + $attendees = $wpdb->query( $wpdb->prepare( $SQL, $registration_id )); if ( $attendees === FALSE ) { $notifications['error'][] = __('An error occured while attempting to retrieve additional attendee data from the database.', 'event_espresso'); } else { // update quantities for attendees $SQL = " UPDATE " . EVENTS_ATTENDEE_TABLE . " SET quantity = IF(quantity IS NULL ,NULL,IF(quantity > 0,IF(quantity-1>0,quantity-1,1),0)) "; $SQL .= "WHERE registration_id =%s"; - if ( $wpdb->query( $wpdb->prepare( $SQL, sanitize_text_field($registration_id) )) === FALSE ) { + if ( $wpdb->query( $wpdb->prepare( $SQL, $registration_id )) === FALSE ) { $notifications['error'][] = __('An error occured while attempting to update additional attendee ticket quantities.', 'event_espresso'); } event_espresso_cleanup_multi_event_registration_id_group_data(); 
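Review bot: `$attendees = $wpdb->query( $wpdb->prepare( $SQL, $registration_id ));` under `// get id's for all attendees from this registration` does not fetch ids — `$wpdb->query()` returns the number of rows (or `false`), so `$attendees` is a count and the comment misleads the next reader. Either use `$wpdb->get_col()` if the ids are needed, or reword to `// count attendees for this registration; only the === FALSE error case is acted on`. Dropping `sanitize_text_field()` from the `prepare()` arguments is fine since the `%s` placeholder already escapes the value; the function continues outside the hunk.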
@@ -414,11 +414,11 @@ function edit_attendee_record() { // are we looking for an additional attendee ? if ( isset( $_REQUEST['attendee_num'] ) && $_REQUEST['attendee_num'] > 1 && isset( $_REQUEST['id'] )) { $SQL .= "WHERE att.id = %d"; - $attendees = $wpdb->get_results( $wpdb->prepare( $SQL, sanitize_text_field($_REQUEST['id']) )); + $attendees = $wpdb->get_results( $wpdb->prepare( $SQL, $_REQUEST['id'] )); } else { // check for multi reg & additional attendees by first finding primary attendee $SQL2 = "SELECT primary_registration_id FROM " . EVENTS_MULTI_EVENT_REGISTRATION_ID_GROUP_TABLE . " WHERE registration_id = %s"; - if ( $primary_registration_id = $wpdb->get_var( $wpdb->prepare( $SQL2, sanitize_text_field( $_REQUEST['registration_id'] )))) { + if ( $primary_registration_id = $wpdb->get_var( $wpdb->prepare( $SQL2, $_REQUEST['registration_id'] ))) { // now find all registrations $SQL3 = "SELECT registration_id FROM " . EVENTS_MULTI_EVENT_REGISTRATION_ID_GROUP_TABLE . " WHERE primary_registration_id = %s"; $reg_ids = $wpdb->get_col( $wpdb->prepare( $SQL3, $primary_registration_id )); diff --git a/includes/admin-reports/event_list_attendees.php b/includes/admin-reports/event_list_attendees.php index 18ffc879..f4165ecd 100644 --- a/includes/admin-reports/event_list_attendees.php +++ b/includes/admin-reports/event_list_attendees.php @@ -32,7 +32,7 @@ function event_list_attendees() { $SQL = "DELETE FROM " . EVENTS_ATTENDEE_META_TABLE . " WHERE attendee_id = '%d'"; $wpdb->query($wpdb->prepare($SQL, $att_id)); $SQL = "DELETE FROM " . EVENTS_ANSWER_TABLE . " WHERE attendee_id = '%d'"; - $wpdb->query($wpdb->prepare($SQL, $att_id)); //What's the best way to sanitize here? + $wpdb->query($wpdb->prepare($SQL, $att_id)); //hook for after delete do_action('action_hook_espresso_after_delete_attendee_event_list', $att_id, $EVT_ID); From f9bdb0df5201f9139f6fe14dcf78d640438f9160 Mon Sep 17 00:00:00 2001 
From: Josh Feck Date: Wed, 23 Oct 2019 14:19:17 -0400 Subject: [PATCH 08/38] add validation and sanitize query for updating question groups --- includes/form-builder/groups/update_group.php | 27 +++++++++++++------ 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/includes/form-builder/groups/update_group.php b/includes/form-builder/groups/update_group.php index c3106e05..96f60cdc 100644 --- a/includes/form-builder/groups/update_group.php +++ b/includes/form-builder/groups/update_group.php 
@@ -5,20 +5,31 @@ function event_espresso_form_group_update($group_id) { global $wpdb; //$group_id = $_POST['group_id']; - $group_order = $_POST['group_order']; - $group_name = $_POST['group_name']; - $group_description = $_POST['group_description']; + $group_order = (int)$_POST['group_order']; + $group_name = sanitize_text_field($_POST['group_name']); + $group_description = wp_kses_post($_POST['group_description']); $show_group_name = isset($_POST['show_group_name']) && $_POST['show_group_name'] != '' ? 1 : 0; $show_group_description = isset($_POST['show_group_description']) && $_POST['show_group_description'] != '' ? 1 : 0; $group_identifier = empty($_REQUEST['group_identifier']) ? $group_identifier = sanitize_title_with_dashes($group_name . '-' . time()) : $group_identifier = sanitize_title_with_dashes($_REQUEST['group_identifier']); $sql = "UPDATE " . EVENTS_QST_GROUP_TABLE . - " SET group_name = '" . $group_name . "', group_order = '" . $group_order . "', group_identifier = '" . $group_identifier . "', group_description = '" . $group_description . "', - show_group_name = " . $show_group_name . ", - show_group_description = " . $show_group_description . " - WHERE id = '" . $group_id . "'"; - $wpdb->query($sql); + " SET group_name = %s, group_order = %d, group_identifier = %s, group_description = %s, + show_group_name = %d, + show_group_description = %d + WHERE id = %d"; + $wpdb->query( + $wpdb->prepare( + $sql, + $group_name, + $group_order, + $group_identifier, + $group_description, + $show_group_name, + $show_group_description, + $group_id + ) + ); $del_group_rels = "DELETE FROM " . EVENTS_QST_GROUP_REL_TABLE . " WHERE group_id = '" . $group_id . "'"; $wpdb->query($del_group_rels); From f86e5b7aae039c60a117d1cf40b599f27739be4e Mon Sep 17 00:00:00 2001 
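Review bot: `$group_name = sanitize_text_field($_POST['group_name']);` and `$group_description = wp_kses_post($_POST['group_description']);` read values that WordPress has already slash-escaped (`wp_magic_quotes()`), and `prepare()` does not remove those slashes, so a quote in a group name is stored with a literal backslash. Unslash before sanitizing: `$group_name = sanitize_text_field( wp_unslash( $_POST['group_name'] ) );` and `$group_description = wp_kses_post( wp_unslash( $_POST['group_description'] ) );`. The three reads also assume the keys exist; `isset()` guards avoid notices on a partial form post. The function body continues past the hunk.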
From: sethshoultes Date: Wed, 23 Oct 2019 14:35:21 -0600 Subject: [PATCH 09/38] Adding sugested fixes from @mnelson --- .../admin-reports/edit_attendee_record.php | 26 +++++++++---------- .../admin-reports/enter_attendee_payments.php | 4 +-- includes/event-management/insert_event.php | 6 ++--- includes/event-management/update_event.php | 4 +-- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/includes/admin-reports/edit_attendee_record.php b/includes/admin-reports/edit_attendee_record.php index c8219f1d..ca797d88 100644 --- a/includes/admin-reports/edit_attendee_record.php +++ b/includes/admin-reports/edit_attendee_record.php @@ -27,7 +27,7 @@ function edit_attendee_record() { if ($_REQUEST['form_action'] == 'edit_attendee') { $id = isset($_REQUEST['id']) ? absint( $_REQUEST['id'] ) : ''; - $registration_id = isset($_REQUEST['registration_id']) ? sanitize_text_field($_REQUEST['registration_id']) : ''; + $registration_id = isset($_REQUEST['registration_id']) ? ee_sanitize_value($_REQUEST['registration_id']) : ''; $multi_reg = FALSE; // check for multi reg, additional attendees, and verify reg id for primary attendee @@ -61,7 +61,7 @@ function edit_attendee_record() { //wp_die( $failed_nonce_msg ); } - $upd_price = (float)number_format( abs( sanitize_text_field( $_REQUEST['final_price'] )), 2, '.', '' ); + $upd_price = (float)number_format( abs( ee_sanitize_value( $_REQUEST['final_price'] )), 2, '.', '' ); $upd_qty = absint( $_REQUEST['quantity'] ); $set_cols_and_values = array( 
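Review bot: `//wp_die( $failed_nonce_msg );` is the only statement in the branch that closes just above the new `$upd_price` line, and it is commented out, so if the enclosing condition (outside the hunk) is the failed-nonce check its message name suggests, a failed nonce does not stop the price/quantity update that follows. Restoring `wp_die( $failed_nonce_msg );` (or a `return;` after queuing the notification) is the fix none of the sanitizer swaps in this series cover. Separately, `abs( ee_sanitize_value( $_REQUEST['final_price'] ))` hands a string to `abs()`, which throws a TypeError on PHP 8 for non-numeric input; `abs( (float) ee_sanitize_value( $_REQUEST['final_price'] ))` keeps `number_format()`'s input numeric.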
@@ -201,19 +201,19 @@ function edit_attendee_record() { //Move attendee do_action('action_hook_espresso_attendee_mover_move'); - $event_id = isset($_POST['event_id']) ? sanitize_text_field($_POST['event_id']) : ''; + $event_id = isset($_POST['event_id']) ? intval($_POST['event_id']) : ''; $txn_type = isset($_POST['txn_type']) ? sanitize_text_field($_POST['txn_type']) : ''; $cols_and_values = array( - 'fname' => isset($_POST['fname']) ? sanitize_text_field($_POST['fname']) : '', - 'lname' => isset($_POST['lname']) ? sanitize_text_field($_POST['lname']) : '', - 'address' => isset($_POST['address']) ? sanitize_text_field($_POST['address']) : '', - 'address2' => isset($_POST['address2']) ? sanitize_text_field($_POST['address2']) : '', - 'city' => isset($_POST['city']) ? sanitize_text_field($_POST['city']) : '', - 'state' => isset($_POST['state']) ? sanitize_text_field($_POST['state']) : '', - 'zip' => isset($_POST['zip']) ? sanitize_text_field($_POST['zip']) : '', - 'phone' => isset($_POST['phone']) ? sanitize_text_field($_POST['phone']) : '', - 'email' => isset($_POST['email']) ? sanitize_email($_POST['email']) : '' + 'fname' => isset($_POST['fname']) ? ee_sanitize_value($_POST['fname']) : '', + 'lname' => isset($_POST['lname']) ? ee_sanitize_value($_POST['lname']) : '', + 'address' => isset($_POST['address']) ? ee_sanitize_value($_POST['address']) : '', + 'address2' => isset($_POST['address2']) ? ee_sanitize_value($_POST['address2']) : '', + 'city' => isset($_POST['city']) ? ee_sanitize_value($_POST['city']) : '', + 'state' => isset($_POST['state']) ? ee_sanitize_value($_POST['state']) : '', + 'zip' => isset($_POST['zip']) ? ee_sanitize_value($_POST['zip']) : '', + 'phone' => isset($_POST['phone']) ? ee_sanitize_value($_POST['phone']) : '', + 'email' => isset($_POST['email']) ? ee_sanitize_value($_POST['email']) : '' ); $cols_and_values_format = array( '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' ); 
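Review bot: `'email' => isset($_POST['email']) ? ee_sanitize_value($_POST['email']) : ''` replaces `sanitize_email()`, the WordPress filter that strips characters not valid in an address, with the plugin's generic sanitizer, so the stored email is no longer guaranteed to be address-shaped. Keep the specific filter and reject junk: `'email' => isset($_POST['email']) && is_email( $_POST['email'] ) ? sanitize_email( $_POST['email'] ) : ''`. In the same hunk `$event_id = isset($_POST['event_id']) ? intval($_POST['event_id']) : ''` mixes an int with an empty string; `0` keeps the variable consistently integer for the `%d`-style use an event id normally gets.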
@@ -424,7 +424,7 @@ function edit_attendee_record() { $reg_ids = $wpdb->get_col( $wpdb->prepare( $SQL3, $primary_registration_id )); $reg_ids = "'" . implode("','", $reg_ids) . "'"; } else { - $reg_ids = "'" . sanitize_text_field( $_REQUEST['registration_id'] ) . "'"; + $reg_ids = "'" . ee_sanitize_value( $_REQUEST['registration_id'] ) . "'"; } $SQL .= " WHERE registration_id IN ( $reg_ids ) ORDER BY att.id"; $attendees = $wpdb->get_results( $SQL ); diff --git a/includes/admin-reports/enter_attendee_payments.php b/includes/admin-reports/enter_attendee_payments.php index 707099e7..8035e227 100644 --- a/includes/admin-reports/enter_attendee_payments.php +++ b/includes/admin-reports/enter_attendee_payments.php @@ -197,10 +197,10 @@ function enter_attendee_payments() { if ( $org_options["use_attendee_pre_approval"] == "Y" ) { - $pre_approve = sanitize_text_field($_POST['pre_approve']); + $pre_approve = int()$_POST['pre_approve']; if ( count($registration_ids) > 0 ) { foreach($registration_ids as $reg_id) { - $SQL = "UPDATE " . EVENTS_ATTENDEE_TABLE . " SET pre_approve = %s WHERE registration_id = %s"; + $SQL = "UPDATE " . EVENTS_ATTENDEE_TABLE . " SET pre_approve = %d WHERE registration_id = %s"; $wpdb->query( $wpdb->prepare( $SQL, $pre_approve, $reg_id['registration_id'] )); } diff --git a/includes/event-management/insert_event.php b/includes/event-management/insert_event.php index e47e6f9e..62249d01 100644 --- a/includes/event-management/insert_event.php +++ b/includes/event-management/insert_event.php 
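Review bot: `$SQL .= " WHERE registration_id IN ( $reg_ids ) ORDER BY att.id"; $attendees = $wpdb->get_results( $SQL );` runs string-built SQL, and in the `else` branch `$reg_ids` is the request value wrapped in quotes after `ee_sanitize_value()`, whose escaping behaviour is not visible here — swapping the sanitizer does not turn this into a parameterized query. Build the IN list from placeholders and let `prepare()` bind every value, including the `get_col()` results, and guard against an empty `get_col()` result before building the list so `IN ()` is never emitted. The `get_results()` call itself is a context line of this hunk; the function continues outside it.
```php
    $reg_ids = $wpdb->get_col( $wpdb->prepare( $SQL3, $primary_registration_id ));
} else {
    $reg_ids = array( ee_sanitize_value( $_REQUEST['registration_id'] ) );
}
$placeholders = implode( ',', array_fill( 0, count( $reg_ids ), '%s' ) );
$SQL .= " WHERE registration_id IN ( $placeholders ) ORDER BY att.id";
$attendees = $wpdb->get_results( $wpdb->prepare( $SQL, $reg_ids ) );
```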
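Review bot: `$pre_approve = int()$_POST['pre_approve'];` is not valid PHP — `int()` is neither a cast nor a function, so enter_attendee_payments.php stops parsing and the whole admin page fails to load; the intended cast is `$pre_approve = (int)$_POST['pre_approve'];`. With that fixed, the `%s` to `%d` placeholder change is correct. An `isset()` guard would also avoid a notice when the field is absent from the form.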
@@ -231,7 +231,7 @@ function add_event_to_db($recurrence_arr = array()) { $add_attendee_question_groups = empty($_REQUEST['add_attendee_question_groups']) ? '' : sanitize_text_field($_REQUEST['add_attendee_question_groups']); //Process event meta data - $event_meta['venue_id'] = isset($_REQUEST['venue_id']) ? sanitize_text_field($_REQUEST['venue_id'][0]) : 0; + $event_meta['venue_id'] = isset($_REQUEST['venue_id']) ? (int)$_REQUEST['venue_id'][0] : 0; $event_meta['additional_attendee_reg_info'] = !empty($_REQUEST['additional_attendee_reg_info']) ? sanitize_text_field($_REQUEST['additional_attendee_reg_info']) : '2'; $event_meta['add_attendee_question_groups'] = $add_attendee_question_groups; $event_meta['date_submitted'] = date("Y-m-d H:i:s"); @@ -356,7 +356,7 @@ function add_event_to_db($recurrence_arr = array()) { //Added for seating chart addon if ( isset($_REQUEST['seating_chart_id']) ){ $cls_seating_chart = new seating_chart(); - $cls_seating_chart->associate_event_seating_chart(sanitize_text_field($_REQUEST['seating_chart_id']),$last_event_id); + $cls_seating_chart->associate_event_seating_chart((int)$_REQUEST['seating_chart_id'],$last_event_id); } //Add event to a category 
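Review bot: `isset($_REQUEST['venue_id']) ? (int)$_REQUEST['venue_id'][0] : 0` tests the parent key but reads element `[0]`, so a scalar `venue_id` yields its first character and an array without index 0 yields a notice and `0`. Test the element actually read: `isset($_REQUEST['venue_id'][0]) ? (int)$_REQUEST['venue_id'][0] : 0`. `add_event_to_db()` starts before and continues after this hunk.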
@@ -476,7 +476,7 @@ function add_event_to_db($recurrence_arr = array()) { $v = (float)preg_replace('/[^0-9\.]/ui','',$v);//Removes non-integer characters $price_type = !empty($_REQUEST['price_type'][$k]) ? sanitize_text_field(stripslashes_deep($_REQUEST['price_type'][$k])) : __('General Admission', 'event_espresso'); $member_price_type = !empty($_REQUEST['member_price_type'][$k]) ? sanitize_text_field(stripslashes_deep($_REQUEST['member_price_type'][$k])) : __('Members Admission', 'event_espresso'); - $member_price = !empty($_REQUEST['member_price'][$k]) ? sanitize_text_field($_REQUEST['member_price'][$k]) : $v; + $member_price = !empty($_REQUEST['member_price'][$k]) ? (float)$_REQUEST['member_price'][$k] : $v; $sql_price = array('event_id' => $last_event_id, 'event_cost' => $v, 'surcharge' => sanitize_text_field($_REQUEST['surcharge'][$k]), 'surcharge_type' => sanitize_text_field($_REQUEST['surcharge_type'][$k]), 'price_type' => $price_type, 'member_price' => $member_price, 'member_price_type' => $member_price_type ); $sql_price_data = array('%d', '%s', '%s', '%s', '%s', '%s', '%s'); diff --git a/includes/event-management/update_event.php b/includes/event-management/update_event.php index 4bf48a0e..9a7f4efc 100644 --- a/includes/event-management/update_event.php +++ b/includes/event-management/update_event.php @@ -99,7 +99,7 @@ function update_event($recurrence_arr = array()) { //'Soft delete' any events that are not within the current series when using the 'All events in this series' option. if ($delete_in != '') { $DEL_SQL = "UPDATE " . EVENTS_DETAIL_TABLE . " SET event_status = 'D' WHERE start_date NOT IN (" . $delete_in .") AND recurrence_id = %d"; - $wpdb->query($wpdb->prepare($DEL_SQL, sanitize_text_field($_POST['recurrence_id']))); + $wpdb->query($wpdb->prepare($DEL_SQL, (int)$_POST['recurrence_id'])); } /* //Permanently delete events not within the current formula 
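Review bot: `!empty($_REQUEST['member_price'][$k]) ? (float)$_REQUEST['member_price'][$k] : $v` treats a submitted `"0"` as empty, so an explicit zero member price silently falls back to the regular price `$v`; if free-for-members is a valid setting, test presence rather than truthiness: `isset($_REQUEST['member_price'][$k]) && $_REQUEST['member_price'][$k] !== '' ? (float)$_REQUEST['member_price'][$k] : $v`. The `surcharge` value on the next line is still text-sanitized and bound as `%s` although it is numeric; the same `(float)` treatment would be consistent with this change. The function continues past the hunk.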
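Review bot: `$DEL_SQL = "UPDATE " . EVENTS_DETAIL_TABLE . " SET event_status = 'D' WHERE start_date NOT IN (" . $delete_in .") AND recurrence_id = %d";` interpolates `$delete_in` before `$wpdb->prepare()` runs, so only `recurrence_id` is actually bound and the `NOT IN (…)` list is whatever string `$delete_in` holds, assembled outside this hunk. If any part of it derives from request data (this function reads recurrence dates from `$_REQUEST` elsewhere), it bypasses the prepare added here; building the list from `implode(',', array_fill(0, count($dates), '%s'))` and appending the dates to the prepare arguments closes that. If it is built purely from database values, a comment saying so at its assignment would save the next reviewer the same question.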
@@ -197,7 +197,7 @@ function update_event($recurrence_arr = array()) { $display_reg_form = sanitize_text_field($_REQUEST['display_reg_form']); $externalURL = !empty($_REQUEST['externalURL']) ? esc_html($_REQUEST['externalURL']):''; $reg_limit = (int)$_REQUEST['reg_limit']; - $allow_multiple = sanitize_text_field($_REQUEST['allow_multiple']); + $allow_multiple = (boolean)$_REQUEST['allow_multiple']; $overflow_event_id = (empty($_REQUEST['overflow_event_id'])) ? '0' : (int)$_REQUEST['overflow_event_id']; $allow_overflow = empty($_REQUEST['allow_overflow']) ? 'N' : sanitize_text_field($_REQUEST['allow_overflow']); $additional_limit = !empty($_REQUEST['additional_limit']) && $_REQUEST['additional_limit'] > 0 ? (int)$_REQUEST['additional_limit'] : '5'; From 4cbc22fa8443f4cd008fe175bdc33db65747b20e Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Wed, 23 Oct 2019 15:35:32 -0600 Subject: [PATCH 10/38] Adding prepare to the queries --- includes/category-management/index.php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/includes/category-management/index.php b/includes/category-management/index.php index 99170b56..ee550d0a 100644 --- a/includes/category-management/index.php +++ b/includes/category-management/index.php 
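Review bot: `$allow_multiple = (boolean)$_REQUEST['allow_multiple'];` changes the stored representation: the previous text value and the neighbouring `$allow_overflow`, which defaults to `'N'`, suggest a 'Y'/'N' column, and a PHP boolean bound through a `%s` format arrives as `'1'` or `''`, so any `== 'Y'` comparison elsewhere would stop matching. A whitelist keeps the format and still rejects junk: `$allow_multiple = isset($_REQUEST['allow_multiple']) && $_REQUEST['allow_multiple'] === 'Y' ? 'Y' : 'N';`, the same pattern the PayPal settings patch in this series uses for `bypass_payment_page`. The cast also reads the key without `isset()`, which emits a notice when it is absent; `update_event()` continues outside the hunk.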
@@ -20,19 +20,19 @@ function event_espresso_categories_config_mnu() { while (list($key, $value) = each($_POST['checkbox'])): $del_id = $key; //Delete category data - $sql = "DELETE FROM " . EVENTS_CATEGORY_TABLE . " WHERE id='" . (int)$del_id . "'"; - $wpdb->query($sql); + $sql = "DELETE FROM " . EVENTS_CATEGORY_TABLE . " WHERE id = %d"; + $wpdb->query($wpdb->prepare( $sql, (int)$del_id )); - $sql = "DELETE FROM " . EVENTS_CATEGORY_REL_TABLE . " WHERE cat_id='" . (int)$del_id . "'"; - $wpdb->query($sql); + $sql = "DELETE FROM " . EVENTS_CATEGORY_REL_TABLE . " WHERE cat_id = %d"; + $wpdb->query($wpdb->prepare( $sql, (int)$del_id )); endwhile; } if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete_category') { //Delete discount data - $sql = "DELETE FROM " . EVENTS_CATEGORY_TABLE . " WHERE id='" . (int)$_REQUEST['id'] . "'"; - $wpdb->query($sql); - $sql = "DELETE FROM " . EVENTS_CATEGORY_REL_TABLE . " WHERE cat_id='" . (int)$_REQUEST['id'] . "'"; - $wpdb->query($sql); + $sql = "DELETE FROM " . EVENTS_CATEGORY_TABLE . " WHERE id = %d"; + $wpdb->query($wpdb->prepare( $sql, (int)$_REQUEST['id'] )); + $sql = "DELETE FROM " . EVENTS_CATEGORY_REL_TABLE . " WHERE cat_id = %d"; + $wpdb->query($wpdb->prepare( $sql, (int)$_REQUEST['id'] )); } ?>
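Review bot: `while (list($key, $value) = each($_POST['checkbox'])):`, the context line the new prepared deletes sit inside, relies on `each()`, which is deprecated since PHP 7.2 and removed in 8.0, so the bulk-delete loop fatals on current PHP; `foreach ($_POST['checkbox'] as $key => $value):` is the drop-in replacement the coupon-management patch in this series already applies. The `(int)` casts inside `prepare()` are harmless but redundant once `%d` is used. Nothing in the hunk gates either delete path on a nonce or capability check — `$_REQUEST['action'] == 'delete_category'` is the only condition visible — so unless the function's opening lines (outside the hunk) verify one, a crafted link deletes categories.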
From 758c7f718da8d18c9c45c68da72656de636c0698 Mon Sep 17 00:00:00 2001 From: Josh Feck Date: Wed, 23 Oct 2019 20:33:24 -0400 Subject: [PATCH 11/38] validate question group ID and add prepare statements to queries --- includes/form-builder/groups/index.php | 2 +- includes/form-builder/groups/update_group.php | 22 ++++++++++++++----- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/includes/form-builder/groups/index.php b/includes/form-builder/groups/index.php index b8a5cc30..b94ade65 100644 --- a/includes/form-builder/groups/index.php +++ b/includes/form-builder/groups/index.php @@ -67,7 +67,7 @@ function event_espresso_question_groups_config_mnu() { break; case 'update_group': require_once("update_group.php"); - event_espresso_form_group_update($_REQUEST['group_id']); + event_espresso_form_group_update(absint($_REQUEST['group_id'])); break; case 'delete_group': if (file_exists(EVENT_ESPRESSO_PLUGINFULLPATH . 'includes/admin-files/form-builder/groups/delete_group.php')) { diff --git a/includes/form-builder/groups/update_group.php b/includes/form-builder/groups/update_group.php index 96f60cdc..97145cfc 100644 --- a/includes/form-builder/groups/update_group.php +++ b/includes/form-builder/groups/update_group.php @@ -4,7 +4,6 @@ function event_espresso_form_group_update($group_id) { global $wpdb; - //$group_id = $_POST['group_id']; $group_order = (int)$_POST['group_order']; $group_name = sanitize_text_field($_POST['group_name']); $group_description = wp_kses_post($_POST['group_description']); 
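Review bot: `event_espresso_form_group_update(absint($_REQUEST['group_id']));` maps a missing or non-numeric `group_id` to `0`, and the callee as shown in this series runs its UPDATE and DELETE with that value unchecked, so a malformed request now targets id 0 instead of failing. Reject it before dispatching: `$group_id = absint( $_REQUEST['group_id'] ); if ( $group_id < 1 ) { break; }` in this `case`, or an equivalent early `return` at the top of the callee. The `switch` this case belongs to begins and ends outside the hunk.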
@@ -30,16 +29,27 @@ function event_espresso_form_group_update($group_id) { $group_id ) ); + $del_group_rels = "DELETE FROM " . EVENTS_QST_GROUP_REL_TABLE . " WHERE group_id = %d"; + $wpdb->query( + $wpdb->prepare( + $del_group_rels, + $group_id + ) + ); - $del_group_rels = "DELETE FROM " . EVENTS_QST_GROUP_REL_TABLE . " WHERE group_id = '" . $group_id . "'"; - $wpdb->query($del_group_rels); if (!empty($_REQUEST['question_id'])) { foreach ($_REQUEST['question_id'] as $k => $v) { if ($v != '') { - $sql_group_rel = "INSERT INTO " . EVENTS_QST_GROUP_REL_TABLE . " (group_id, question_id) VALUES ('" . $group_id . "', '" . $v . "')"; - //echo "$sql_discount
"; - $wpdb->query($sql_group_rel); + $v = absint($v); + $sql_group_rel = "INSERT INTO " . EVENTS_QST_GROUP_REL_TABLE . " (group_id, question_id) VALUES (%d, %d)"; + $wpdb->query( + $wpdb->prepare( + $sql_group_rel, + $group_id, + $v + ) + ); } } } From 242b24649b3ccffdabc29a6e4fc3ffaade09b5c2 Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Thu, 24 Oct 2019 05:49:51 -0600 Subject: [PATCH 12/38] Fix typo --- includes/admin-reports/enter_attendee_payments.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/admin-reports/enter_attendee_payments.php b/includes/admin-reports/enter_attendee_payments.php index 8035e227..377eb4b3 100644 --- a/includes/admin-reports/enter_attendee_payments.php +++ b/includes/admin-reports/enter_attendee_payments.php @@ -197,7 +197,7 @@ function enter_attendee_payments() { if ( $org_options["use_attendee_pre_approval"] == "Y" ) { - $pre_approve = int()$_POST['pre_approve']; + $pre_approve = (int)$_POST['pre_approve']; if ( count($registration_ids) > 0 ) { foreach($registration_ids as $reg_id) { $SQL = "UPDATE " . EVENTS_ATTENDEE_TABLE . " SET pre_approve = %d WHERE registration_id = %s"; From 3df7f7c800d1ec28060cd7161b853b3dd7d30f3d Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Mon, 4 Nov 2019 14:07:43 -0700 Subject: [PATCH 13/38] Added sanitization to the PayPal settings --- gateways/paypal/settings.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/gateways/paypal/settings.php b/gateways/paypal/settings.php index 28323924..b1599a40 100644 --- a/gateways/paypal/settings.php +++ b/gateways/paypal/settings.php 
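Review bot: `if ($v != '') { $v = absint($v);` still inserts a relation when `$v` is a non-numeric string, because `absint()` turns it into `0` and the row `(group_id, 0)` is written; check after the cast instead: `$v = absint($v); if ( $v < 1 ) { continue; }`. `foreach ($_REQUEST['question_id'] as $k => $v)` also assumes an array — `!empty()` passes for a scalar and `foreach` then warns — so `is_array()` belongs in that guard. The function's closing lines are past the hunk.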
@@ -3,16 +3,16 @@ function event_espresso_paypal_payment_settings() { global $active_gateways; if (isset($_POST['update_paypal'])) { - $paypal_settings['paypal_id'] = $_POST['paypal_id']; + $paypal_settings['paypal_id'] = sanitize_text_field($_POST['paypal_id']); $paypal_settings['tax_override'] = empty($_POST['tax_override']) ? false : true; $paypal_settings['shipping_override'] = empty($_POST['shipping_override']) ? false : true; - $paypal_settings['image_url'] = $_POST['image_url']; - $paypal_settings['currency_format'] = $_POST['currency_format']; + $paypal_settings['image_url'] = esc_url($_POST['image_url']); + $paypal_settings['currency_format'] = sanitize_text_field($_POST['currency_format']); $paypal_settings['use_sandbox'] = empty($_POST['use_sandbox']) ? false : true; - $paypal_settings['bypass_payment_page'] = $_POST['bypass_payment_page']; + $paypal_settings['bypass_payment_page'] = isset($_POST['bypass_payment_page']) && $_POST['bypass_payment_page'] === 'Y' ? 'Y' : 'N'; $paypal_settings['force_ssl_return'] = empty($_POST['force_ssl_return']) ? false : true; - $paypal_settings['no_shipping'] = $_POST['no_shipping']; - $paypal_settings['button_url'] = $_POST['button_url']; + $paypal_settings['no_shipping'] = (int)$_POST['no_shipping']; + $paypal_settings['button_url'] = esc_url($_POST['button_url']); update_option('event_espresso_paypal_settings', $paypal_settings); echo '

' . __('PayPal settings saved.', 'event_espresso') . '

'; } From 32c1a56b2608fa95eec7274c74bc7333406f9bda Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Mon, 4 Nov 2019 14:37:16 -0700 Subject: [PATCH 14/38] Update the query to use prepare --- includes/admin-reports/add_new_attendee.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/includes/admin-reports/add_new_attendee.php b/includes/admin-reports/add_new_attendee.php index a42050c0..f7c2e564 100644 --- a/includes/admin-reports/add_new_attendee.php +++ b/includes/admin-reports/add_new_attendee.php @@ -33,11 +33,11 @@ function add_new_attendee($event_id){ wp_print_scripts('reCopy'); global $wpdb; - $sql = "SELECT * FROM " .EVENTS_DETAIL_TABLE. " WHERE is_active='Y' AND event_status != 'D' AND id = '" . $event_id . "' LIMIT 0,1"; - + $sql = "SELECT * FROM " .EVENTS_DETAIL_TABLE. " ed WHERE ed.is_active='Y' AND ed.event_status != 'D' AND ed.id = '%d' LIMIT 0,1"; + //Build the registration page - if ($wpdb->get_results($sql)){ - $events = $wpdb->get_results($sql); + if ($wpdb->get_results($wpdb->prepare( $sql, $event_id ), OBJECT_K )){ + $events = $wpdb->get_results($wpdb->prepare( $sql, $event_id ), OBJECT_K ); //These are the variables that can be used throughout the regsitration page foreach ($events as $event){ $event_id = $event->id; From 42514f3515d4e4e66755ca0afb2c777d7928a572 Mon Sep 17 00:00:00 2001 From: Tony Warwick Date: Fri, 25 Oct 2019 15:08:52 +0100 Subject: [PATCH 15/38] Sanitize PayPal settings before saving. --- gateways/paypal/settings.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/gateways/paypal/settings.php b/gateways/paypal/settings.php index b1599a40..1f271aa8 100644 --- a/gateways/paypal/settings.php +++ b/gateways/paypal/settings.php 
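Review bot: The save path is gated only by `isset($_POST['update_paypal'])`; nothing in the hunk verifies a nonce or the caller's capability before `update_option('event_espresso_paypal_settings', $paypal_settings);`, so unless the enclosing admin page checks `check_admin_referer()`/`current_user_can()` first (outside the hunk), a forged POST from a logged-in administrator's browser rewrites the gateway settings, including `paypal_id`, the account that receives payments. `check_admin_referer( 'update_paypal' )` at the top of the `if`, paired with a `wp_nonce_field()` in the form, closes that. `(int)$_POST['no_shipping']` also reads the key without `isset()` and emits a notice when the checkbox is absent.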
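Review bot: `if ($wpdb->get_results($wpdb->prepare( $sql, $event_id ), OBJECT_K )){ $events = $wpdb->get_results($wpdb->prepare( $sql, $event_id ), OBJECT_K );` executes the same SELECT twice; assign once and test the result: `$events = $wpdb->get_results( $wpdb->prepare( $sql, $event_id ), OBJECT_K ); if ( $events ) {`. Quoting the placeholder as `ed.id = '%d'` produces `'123'`, which MySQL accepts but WordPress documents placeholders unquoted; `ed.id = %d` is the conventional form. `OBJECT_K` keys rows by the first column and discards duplicates, which should be harmless here since the query is limited to one row. `add_new_attendee()` continues outside the hunk.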
@@ -3,16 +3,16 @@ function event_espresso_paypal_payment_settings() { global $active_gateways; if (isset($_POST['update_paypal'])) { - $paypal_settings['paypal_id'] = sanitize_text_field($_POST['paypal_id']); + $paypal_settings['paypal_id'] = sanitize_email($_POST['paypal_id']); $paypal_settings['tax_override'] = empty($_POST['tax_override']) ? false : true; $paypal_settings['shipping_override'] = empty($_POST['shipping_override']) ? false : true; - $paypal_settings['image_url'] = esc_url($_POST['image_url']); - $paypal_settings['currency_format'] = sanitize_text_field($_POST['currency_format']); + $paypal_settings['image_url'] = esc_url_raw($_POST['image_url']); + $paypal_settings['currency_format'] = ee_sanitize_value($_POST['currency_format']); $paypal_settings['use_sandbox'] = empty($_POST['use_sandbox']) ? false : true; $paypal_settings['bypass_payment_page'] = isset($_POST['bypass_payment_page']) && $_POST['bypass_payment_page'] === 'Y' ? 'Y' : 'N'; $paypal_settings['force_ssl_return'] = empty($_POST['force_ssl_return']) ? false : true; $paypal_settings['no_shipping'] = (int)$_POST['no_shipping']; - $paypal_settings['button_url'] = esc_url($_POST['button_url']); + $paypal_settings['button_url'] = esc_url_raw($_POST['button_url']); update_option('event_espresso_paypal_settings', $paypal_settings); echo '

' . __('PayPal settings saved.', 'event_espresso') . '

'; } From f04f28915a58aae363b0d48b72ce3c33e55f08d6 Mon Sep 17 00:00:00 2001 From: Tony Warwick Date: Fri, 25 Oct 2019 15:09:43 +0100 Subject: [PATCH 16/38] Sanitize ueip_optin. --- includes/organization_config.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/organization_config.php b/includes/organization_config.php index 26ed35f0..8711a8ff 100644 --- a/includes/organization_config.php +++ b/includes/organization_config.php @@ -54,7 +54,7 @@ function organization_config_mnu() { $org_options['default_payment_status'] = isset($_POST['default_payment_status']) && !empty($_POST['default_payment_status']) ? sanitize_text_field($_POST['default_payment_status']) : ''; $org_options['default_promocode_usage'] = isset($_POST['default_promocode_usage']) && !empty($_POST['default_promocode_usage']) ? sanitize_text_field($_POST['default_promocode_usage']) : 'N'; $org_options['ticket_reservation_time'] = isset($_POST['ticket_reservation_time']) && !empty($_POST['ticket_reservation_time']) ? (string)intval($_POST['ticket_reservation_time']) : '30'; - $ueip_optin = isset($_POST['ueip_optin']) && !empty($_POST['ueip_optin']) ? $_POST['ueip_optin'] : 'yes'; + $ueip_optin = isset($_POST['ueip_optin']) && $_POST['ueip_optin'] === 'yes' ? 'yes' : 'no'; $org_options['default_logo_url'] = isset($_REQUEST['upload_image']) && !empty($_REQUEST['upload_image']) ? esc_url($_REQUEST['upload_image']) : ''; From 96e06122209183a1fbdd0786afe39545a7191d0a Mon Sep 17 00:00:00 2001 From: Tony Warwick Date: Fri, 25 Oct 2019 16:37:59 +0100 Subject: [PATCH 17/38] Sanitize input fields when creating a coupon; --- includes/admin-files/coupon-management/add_discount.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/includes/admin-files/coupon-management/add_discount.php b/includes/admin-files/coupon-management/add_discount.php index 31681404..2d9785c2 100644 --- a/includes/admin-files/coupon-management/add_discount.php 
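Review bot: `sanitize_email($_POST['paypal_id'])` assumes the PayPal business identifier is always an email address; `sanitize_email()` returns an empty string for anything without an `@`, so if this field is also meant to accept PayPal's secure merchant account ID (as the Website Payments Standard `business` parameter does), such a merchant silently loses the setting on save. If merchant IDs are supported, fall back: `$paypal_settings['paypal_id'] = is_email( $_POST['paypal_id'] ) ? sanitize_email( $_POST['paypal_id'] ) : sanitize_text_field( $_POST['paypal_id'] );`. `currency_format` is presumably one of a fixed set of codes, so a whitelist against the accepted values would be tighter than the generic `ee_sanitize_value()`.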
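Review bot: `$org_options['default_logo_url'] = isset($_REQUEST['upload_image']) && !empty($_REQUEST['upload_image']) ? esc_url($_REQUEST['upload_image']) : '';` (the context line below the changed one) stores an output-escaped URL: `esc_url()` entity-encodes `&` as `&#038;`, so a logo URL with query parameters is saved in a form that double-encodes when echoed; `esc_url_raw()` is the storage variant, as the PayPal settings patch in this series applies. The `ueip_optin` change also flips the default for a missing field from `'yes'` to `'no'` — the right default for an opt-in, but a behaviour change worth a line in the commit message. `organization_config_mnu()` continues outside the hunk.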
+++ b/includes/admin-files/coupon-management/add_discount.php @@ -8,7 +8,14 @@ function add_discount_to_db(){ if (!function_exists('espresso_member_data')) $current_user->ID = 1; - $sql=array('coupon_code'=>$_REQUEST['coupon_code'], 'coupon_code_price'=>$_REQUEST['coupon_code_price'],'coupon_code_description'=>$_REQUEST['coupon_code_description'], 'use_percentage'=>$_REQUEST['use_percentage'],'apply_to_all'=>$_REQUEST['apply_to_all'], 'wp_user'=>$current_user->ID); + $sql=array( + 'coupon_code'=>sanitize_text_field($_REQUEST['coupon_code']), + 'coupon_code_price'=>abs($_REQUEST['coupon_code_price']), + 'coupon_code_description'=>sanitize_text_field($_REQUEST['coupon_code_description']), + 'use_percentage'=>$_REQUEST['use_percentage'] === 'Y' ? 'Y' : 'N', + 'apply_to_all'=>intval($_REQUEST['apply_to_all']), + 'wp_user'=>$current_user->ID + ); $sql_data = array('%s','%s','%s','%s','%d', '%d'); From ab895f07936cb0e44c86b7bd765d2f407dd7b499 Mon Sep 17 00:00:00 2001 From: Tony Warwick Date: Fri, 25 Oct 2019 16:38:34 +0100 Subject: [PATCH 18/38] Sanitize the discount_id field passed in the request and use prepare(); --- .../coupon-management/edit_discount.php | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/includes/admin-files/coupon-management/edit_discount.php b/includes/admin-files/coupon-management/edit_discount.php index 3b11fc9c..cde3c60a 100644 --- a/includes/admin-files/coupon-management/edit_discount.php +++ b/includes/admin-files/coupon-management/edit_discount.php 
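Review bot: `'coupon_code_price'=>abs($_REQUEST['coupon_code_price'])` hands a raw string to `abs()`, which on PHP 8 throws a TypeError for non-numeric input; cast first, `'coupon_code_price' => abs( (float) $_REQUEST['coupon_code_price'] )`, and consider `'%f'` in the `$sql_data` formats (context line) instead of the `'%s'` it currently uses for the price. `$_REQUEST['use_percentage'] === 'Y'` and the other reads assume the keys exist, so `isset()` guards avoid notices on a partial form post. `add_discount_to_db()` continues past the hunk.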
@@ -4,17 +4,18 @@ function edit_event_discount(){ global $wpdb; - $discount_id = $_REQUEST['discount_id']; - $event_discounts = $wpdb->get_results("SELECT * FROM " . EVENTS_DISCOUNT_CODES_TABLE . " WHERE id = " . $discount_id); + $discount_id = intval($_REQUEST['discount_id']); + $sql = $wpdb->prepare("SELECT * FROM " . EVENTS_DISCOUNT_CODES_TABLE . " WHERE id = %d", array($discount_id)); + $event_discounts = $wpdb->get_results( $sql ); - foreach ($event_discounts as $event_discount){ - $discount_id = $event_discount->id; - $coupon_code = $event_discount->coupon_code; - $coupon_code_price = $event_discount->coupon_code_price; - $coupon_code_description = $event_discount->coupon_code_description; - $use_percentage = $event_discount->use_percentage; - $apply_to_all = $event_discount->apply_to_all; - } + foreach ($event_discounts as $event_discount){ + $discount_id = $event_discount->id; + $coupon_code = $event_discount->coupon_code; + $coupon_code_price = $event_discount->coupon_code_price; + $coupon_code_description = $event_discount->coupon_code_description; + $use_percentage = $event_discount->use_percentage; + $apply_to_all = $event_discount->apply_to_all; + } ?> From bdc653e7edf4ede138e389b350e56680af73e53e Mon Sep 17 00:00:00 2001 From: Tony Warwick Date: Fri, 25 Oct 2019 16:38:55 +0100 Subject: [PATCH 19/38] Sanitize input fields when updating a coupon; --- .../admin-files/coupon-management/update_discount.php | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/includes/admin-files/coupon-management/update_discount.php b/includes/admin-files/coupon-management/update_discount.php index 3d50a1de..3c60e574 100644 --- a/includes/admin-files/coupon-management/update_discount.php +++ b/includes/admin-files/coupon-management/update_discount.php 
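Review bot: If no row matches `$discount_id`, the `foreach` never runs and `$coupon_code`, `$coupon_code_price` and the other locals are undefined when the template after `?>` (outside the hunk) renders them, so a stale or tampered `discount_id` — including the `0` that `intval()` yields for a missing one — produces undefined-variable notices rather than a clean failure. Since a single `id` is requested, `$event_discount = $wpdb->get_row( $sql ); if ( ! $event_discount ) { return; }` expresses the intent and gives a bail-out point. Wrapping the single argument in `array($discount_id)` is fine but unnecessary for `prepare()`.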
@@ -3,9 +3,15 @@ function update_event_discount() { global $wpdb, $current_user; $wpdb->show_errors(); - $sql=array('coupon_code'=>$_REQUEST['coupon_code'],'coupon_code_price'=>$_REQUEST['coupon_code_price'], 'coupon_code_description'=>$_REQUEST['coupon_code_description'], 'use_percentage'=>$_REQUEST['use_percentage'],'apply_to_all'=>intval($_REQUEST['apply_to_all'])); + $sql=array( + 'coupon_code'=>sanitize_text_field($_REQUEST['coupon_code']), + 'coupon_code_price'=>abs($_REQUEST['coupon_code_price']), + 'coupon_code_description'=>sanitize_text_field($_REQUEST['coupon_code_description']), + 'use_percentage'=>$_REQUEST['use_percentage'] === 'Y' ? 'Y' : 'N', + 'apply_to_all'=>intval($_REQUEST['apply_to_all']) + ); - $update_id = array('id'=> $_REQUEST['discount_id']); + $update_id = array('id'=> intval($_REQUEST['discount_id'])); $sql_data = array('%s','%s','%s','%s','%d'); From 6ece2e517136b49305a8f79bec85792ed6cfd869 Mon Sep 17 00:00:00 2001 From: Tony Warwick Date: Fri, 25 Oct 2019 21:04:13 +0100 Subject: [PATCH 20/38] Swap out each() with a foreach(); Use delete() to remove the rows from the DB; --- .../coupon-management/delete_discount.php | 21 +++++++------------ 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/includes/admin-files/coupon-management/delete_discount.php b/includes/admin-files/coupon-management/delete_discount.php index c29d1f0c..968985fa 100644 --- a/includes/admin-files/coupon-management/delete_discount.php +++ b/includes/admin-files/coupon-management/delete_discount.php 
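Review bot: `$update_id = array('id'=> intval($_REQUEST['discount_id']));` yields `id => 0` for a missing or non-numeric id, and the update that presumably follows (outside the hunk) then runs `WHERE id = 0`; reject it up front: `$discount_id = intval( $_REQUEST['discount_id'] ); if ( $discount_id < 1 ) { return; }`. As in add_discount.php, `abs($_REQUEST['coupon_code_price'])` should cast before `abs()` to avoid a PHP 8 TypeError on non-numeric input, and `$_REQUEST['use_percentage'] === 'Y'` reads the key without `isset()`. `$wpdb->show_errors();` on a live admin page also surfaces raw SQL errors to the browser; that is pre-existing but worth removing while here.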
@@ -3,24 +3,17 @@ function delete_event_discount(){
 global $wpdb;
 if(isset($_REQUEST['delete_discount'])){
 if (is_array($_POST['checkbox'])){
- while(list($key,$value)=each($_POST['checkbox'])):
- $del_id=$key;
+ foreach($_POST['checkbox'] as $key => $value) {
 //Delete discount data
- $sql = "DELETE FROM ".EVENTS_DISCOUNT_CODES_TABLE." WHERE id='" . $del_id . "'";
- $wpdb->query($sql);
-
- $sql = "DELETE FROM ".EVENTS_DISCOUNT_REL_TABLE." WHERE discount_id='" . $del_id . "'";
- $wpdb->query($sql);
- endwhile;
+ $wpdb->delete(EVENTS_DISCOUNT_CODES_TABLE, array('id' => $key), array('%d'));
+ $wpdb->delete(EVENTS_DISCOUNT_REL_TABLE, array('discount_id' => $key),array('%d'));
+ }
 }
 }
- if(isset($_REQUEST['action']) && $_REQUEST['action']== 'delete_discount'){
+ if(isset($_REQUEST['action']) && $_REQUEST['action'] === 'delete_discount'){
 //Delete discount data
- $sql = "DELETE FROM ".EVENTS_DISCOUNT_CODES_TABLE." WHERE id='" . $_REQUEST['discount_id'] . "'";
- $wpdb->query($sql);
-
- $sql = "DELETE FROM ".EVENTS_DISCOUNT_REL_TABLE." WHERE discount_id='" . $_REQUEST['discount_id'] . "'";
- $wpdb->query($sql);
+ $wpdb->delete(EVENTS_DISCOUNT_CODES_TABLE, array('id' => $_REQUEST['discount_id']), array('%d'));
+ $wpdb->delete(EVENTS_DISCOUNT_REL_TABLE, array('discount_id' => $_REQUEST['discount_id']), array('%d'));
 }
 ?>
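Review bot: No nonce or capability check is visible between the function's opening line in the hunk header and the two `$wpdb->delete()` calls, so unless a caller verifies the request earlier, the deletions are reachable through any forged form submission the logged-in admin can be led to make; a `check_admin_referer( /* action-name placeholder */ )` before `if(isset($_REQUEST['delete_discount']))` closes that, if it is not already done outside the hunk. In the second branch `$_REQUEST['discount_id']` is read without `isset()`; the `%d` format coerces it to an integer, but an absent key still raises a notice. Neither `delete()` return value is inspected, so a failed delete of the code row followed by a successful delete of its relation rows goes unnoticed; checking the first result before issuing the second call keeps the two tables consistent.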
From e2162b30a2a1625081aef57a6c028a6cb6f9f0cb Mon Sep 17 00:00:00 2001 From: Tony Warwick Date: Fri, 25 Oct 2019 21:04:53 +0100 Subject: [PATCH 21/38] Sanitize the 'use_coupon' field, it should be Y, N or A; --- includes/admin-files/coupon-management/use_coupon_code.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/admin-files/coupon-management/use_coupon_code.php b/includes/admin-files/coupon-management/use_coupon_code.php index 9ef347bb..4484e34c 100644 --- a/includes/admin-files/coupon-management/use_coupon_code.php +++ b/includes/admin-files/coupon-management/use_coupon_code.php @@ -45,7 +45,7 @@ function event_espresso_coupon_payment_page( $event_id = FALSE, $event_cost = 0. // echo '

$coupon_code : ' . $coupon_code . '
' . __FILE__ . '
line no: ' . __LINE__ . '

'; if ( ! $use_coupon_code ) { - $use_coupon_code = isset( $_POST['use_coupon'][$event_id] ) ? $_POST['use_coupon'][$event_id] : 'N'; + $use_coupon_code = isset( $_POST['use_coupon'][$event_id] ) ? ee_sanitize_value($_POST['use_coupon'][$event_id]) : 'N'; } // echo '

$use_coupon_code : ' . $use_coupon_code . '
' . __FILE__ . '
line no: ' . __LINE__ . '

'; From 6c87e4c765fc65ad64256c956405f828e321aede Mon Sep 17 00:00:00 2001 From: Josh Feck Date: Mon, 11 Nov 2019 15:26:03 -0500 Subject: [PATCH 22/38] sanitize and/or validate POST fields used in template settings page --- includes/template_settings/index.php | 36 ++++++++++++++-------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/includes/template_settings/index.php b/includes/template_settings/index.php index be4ae37e..ecf966cd 100644 --- a/includes/template_settings/index.php +++ b/includes/template_settings/index.php 
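Review bot: The commit message says `use_coupon` should be Y, N or A, but the added line only passes the value through `ee_sanitize_value()`, which does not restrict it to that set; an allow-list does: `$v = $_POST['use_coupon'][$event_id]; $use_coupon_code = in_array($v, array('Y','N','A'), true) ? $v : 'N';` inside the existing `isset()` branch. `ee_sanitize_value()` is project code not shown here, so whether it trims or changes case is unknown; the strict `in_array` makes that question moot. event_espresso_coupon_payment_page continues outside the hunk.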
@@ -4,28 +4,28 @@ function event_espresso_manage_templates() { global $wpdb, $org_options, $espresso_premium; //print_r($org_options); if (isset($_POST['update_org'])) { - $org_options['display_description_on_multi_reg_page'] = !empty($_POST['display_description_on_multi_reg_page']) ? $_POST['display_description_on_multi_reg_page'] : 'N'; - $org_options['display_short_description_in_event_list'] = !empty($_POST['display_short_description_in_event_list']) ? $_POST['display_short_description_in_event_list'] : 'N'; - $org_options['price_display_in_event_list'] = !empty($_POST['price_display_in_event_list']) ? $_POST['price_display_in_event_list'] : 'default'; - $org_options['display_address_in_event_list'] = !empty($_POST['display_address_in_event_list']) ? $_POST['display_address_in_event_list'] : 'N'; - $org_options['display_address_in_regform'] = !empty($_POST['display_address_in_regform']) ? $_POST['display_address_in_regform'] : 'N'; - $org_options['use_custom_post_types'] = !empty($_POST['use_custom_post_types']) ? $_POST['use_custom_post_types'] : 'N'; - $org_options['display_ical_download'] = !empty($_POST['display_ical_download']) ? $_POST['display_ical_download'] : 'Y'; -$org_options['display_featured_image'] = !empty($_POST['display_featured_image']) ? $_POST['display_featured_image'] : 'N'; - $org_options['enable_default_style'] = !empty($_POST['enable_default_style']) ? $_POST['enable_default_style'] : 'N'; - $org_options['selected_style'] = !empty($_POST['selected_style']) ? $_POST['selected_style'] : ''; - $org_options['style_color'] = !empty($_POST['style_color']) ? $_POST['style_color'] : ''; - $org_options['style_settings']['enable_default_style'] = !empty($_POST['enable_themeroller_style']) ? $_POST['enable_themeroller_style'] : 'N'; - $org_options['style_settings']['use_grid_layout'] = !empty($_POST['use_grid_layout']) ? $_POST['use_grid_layout'] : 'N'; - $org_options['themeroller']['themeroller_style'] = empty($_POST['themeroller_style']) ? 
'N' : $_POST['themeroller_style']; + $org_options['display_description_on_multi_reg_page'] = !empty($_POST['display_description_on_multi_reg_page']) && $_POST['display_description_on_multi_reg_page'] === 'Y' ? 'Y' : 'N'; + $org_options['display_short_description_in_event_list'] = !empty($_POST['display_short_description_in_event_list']) && $_POST['display_short_description_in_event_list'] === 'Y' ? 'Y' : 'N'; + $org_options['price_display_in_event_list'] = !empty($_POST['price_display_in_event_list']) ? sanitize_text_field($_POST['price_display_in_event_list']) : 'default'; + $org_options['display_address_in_event_list'] = !empty($_POST['display_address_in_event_list']) && $_POST['display_address_in_event_list'] === 'Y' ? 'Y' : 'N'; + $org_options['display_address_in_regform'] = !empty($_POST['display_address_in_regform']) && $_POST['display_address_in_regform'] === 'Y' ? 'Y' : 'N'; + $org_options['use_custom_post_types'] = !empty($_POST['use_custom_post_types']) && $_POST['use_custom_post_types'] === 'Y' ? 'Y' : 'N'; + $org_options['display_ical_download'] = !empty($_POST['display_ical_download']) && $_POST['display_ical_download'] === 'N' ? 'N' : 'Y'; + $org_options['display_featured_image'] = !empty($_POST['display_featured_image']) && $_POST['display_featured_image'] === 'Y' ? 'Y' : 'N'; + $org_options['enable_default_style'] = !empty($_POST['enable_default_style']) && $_POST['enable_default_style'] === 'Y' ? 'Y' : 'N'; + $org_options['selected_style'] = !empty($_POST['selected_style']) ? sanitize_text_field($_POST['selected_style']) : ''; + $org_options['style_color'] = !empty($_POST['style_color']) ? sanitize_text_field($_POST['style_color']) : ''; + $org_options['style_settings']['enable_default_style'] = !empty($_POST['enable_themeroller_style']) && $_POST['enable_themeroller_style'] ? 'Y' : 'N'; + $org_options['style_settings']['use_grid_layout'] = !empty($_POST['use_grid_layout']) && $_POST['use_grid_layout'] === 'Y' ? 
'Y' : 'N'; + $org_options['themeroller']['themeroller_style'] = empty($_POST['themeroller_style']) ? 'N' : sanitize_text_field($_POST['themeroller_style']); //FEM Settings - $org_options['fem_settings']['enable_fem_category_select'] = empty($_POST['enable_fem_category_select']) ? 'N' : $_POST['enable_fem_category_select']; - $org_options['fem_settings']['enable_fem_pricing_section'] = empty($_POST['enable_fem_pricing_section']) ? 'N' : $_POST['enable_fem_pricing_section']; - $org_options['fem_settings']['enable_fem_venue_section'] = empty($_POST['enable_fem_venue_section']) ? 'N' : $_POST['enable_fem_venue_section']; + $org_options['fem_settings']['enable_fem_category_select'] = empty($_POST['enable_fem_category_select']) || $_POST['enable_fem_category_select'] === 'N' ? 'N' : 'Y'; + $org_options['fem_settings']['enable_fem_pricing_section'] = empty($_POST['enable_fem_pricing_section']) || $_POST['enable_fem_pricing_section'] === 'N' ? 'N' : 'Y'; + $org_options['fem_settings']['enable_fem_venue_section'] = empty($_POST['enable_fem_venue_section']) || $_POST['enable_fem_venue_section'] === 'N' ? 'N' : 'Y'; //Legacy styles - $org_options['style_settings']['disable_legacy_styles'] = !empty($_POST['disable_legacy_styles']) ? $_POST['disable_legacy_styles'] : 'Y'; + $org_options['style_settings']['disable_legacy_styles'] = !empty($_POST['disable_legacy_styles']) && $_POST['disable_legacy_styles'] === 'N' ? 'N' : 'Y'; if (isset($_POST['remove_css']) && $_POST['remove_css'] == 'true') { $org_options['style_settings']['css_name'] = ''; From 19e9967c0822d3c67cb28d6509ddc12116a9edab Mon Sep 17 00:00:00 2001 From: Josh Feck Date: Thu, 14 Nov 2019 18:25:05 -0500 Subject: [PATCH 23/38] more sanitizing and validating --- includes/functions/admin.php | 2 +- includes/functions/export.php | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/includes/functions/admin.php b/includes/functions/admin.php index 1a9c7604..0d69873c 100644 
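Review bot: The `enable_themeroller_style` line tests bare truthiness (`&& $_POST['enable_themeroller_style'] ? 'Y' : 'N'`) while every sibling checkbox tests `=== 'Y'`, so `'N'` or any other non-empty string is stored as `'Y'`; align it with `... && $_POST['enable_themeroller_style'] === 'Y' ? 'Y' : 'N';`. `price_display_in_event_list`, `selected_style`, `style_color` and `themeroller_style` are now passed through `sanitize_text_field()` but still accept any string; if these options later select a stylesheet or template file (not visible here), comparing against the set of values the settings form offers would be the tighter check. The unchanged `$_POST['remove_css'] == 'true'` below uses a loose comparison where the new lines use `===`. event_espresso_manage_templates continues outside the hunk.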
--- a/includes/functions/admin.php +++ b/includes/functions/admin.php @@ -1904,7 +1904,7 @@ function espresso_data_optin_ajax_handler() { if ( isset($_POST['nonce']) && !wp_verify_nonce($_POST['nonce'], 'ee-data-optin') ) exit(); //made it here so let's save the selection - $ueip_optin = isset( $_POST['selection'] ) ? $_POST['selection'] : 'no'; + $ueip_optin = isset( $_POST['selection'] ) && $_POST['selection'] === 'yes' ? 'yes' : 'no'; //update_option('ee_ueip_optin', $ueip_optin); update_option('ee_ueip_has_notified', 1); diff --git a/includes/functions/export.php b/includes/functions/export.php index 42020aa3..1b61a9d4 100644 --- a/includes/functions/export.php +++ b/includes/functions/export.php @@ -61,8 +61,8 @@ function espresso_event_export($ename) { $sql .= " JOIN " . EVENTS_LOCALE_REL_TABLE . " l ON l.venue_id = r.venue_id "; } - $sql .= ($_POST['event_status'] != '' && $_POST['event_status'] != 'IA') ? " WHERE event_status = '" . $_POST['event_status'] . "' " : " WHERE event_status != 'D' "; - $sql .= $_REQUEST['category_id'] != '' ? " AND c.id = '" . $_REQUEST['category_id'] . "' " : ''; + $sql .= ($_POST['event_status'] != '' && $_POST['event_status'] != 'IA') ? " WHERE event_status = '" . sanitize_text_field($_POST['event_status']) . "' " : " WHERE event_status != 'D' "; + $sql .= $_REQUEST['category_id'] != '' ? " AND c.id = '" . sanitize_text_field($_REQUEST['category_id']) . "' " : ''; $sql .= $group != '' ? " AND l.locale_id IN (" . implode(",", $group) . ") " : ''; if ($_POST['month_range'] != '') { 
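Review bot: The new `=== 'yes'` validation is sound, but the nonce check on the context line above it only runs when `$_POST['nonce']` is present (`isset($_POST['nonce']) && !wp_verify_nonce(...)`), so a request that omits the nonce field entirely still reaches `update_option()`; invert the guard: `if ( ! isset($_POST['nonce']) || ! wp_verify_nonce($_POST['nonce'], 'ee-data-optin') ) exit();`. espresso_data_optin_ajax_handler's body continues outside the hunk.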
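Review bot: `sanitize_text_field($_POST['event_status'])` on the first added line of the export.php hunk is still concatenated into the SQL string; `sanitize_text_field()` strips tags and control characters but does not escape quotes, so it does not remove the injection exposure this commit is meant to address. Either route the value through `$wpdb->prepare()` (`" WHERE event_status = %s "` with the raw value as the argument) or, since statuses are a small fixed set, compare against an allow-list of the known status codes before use. The same concatenation appears in the `@@ -101` hunk of this file on the next line and is left in place by PATCH 36, which only converts `category_id` to `(int)`. espresso_event_export continues outside the hunk.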
@@ -101,8 +101,8 @@ function espresso_event_export($ename) { $sql .= " JOIN " . EVENTS_CATEGORY_TABLE . " c ON c.id = r.cat_id "; } - $sql .= (isset($_POST['event_status']) && $_POST['event_status'] != '' && $_POST['event_status'] != 'IA') ? " WHERE event_status = '" . $_POST['event_status'] . "' " : " WHERE event_status != 'D' "; - $sql .= isset($_REQUEST['category_id']) && $_REQUEST['category_id'] != '' ? " AND c.id = '" . $_REQUEST['category_id'] . "' " : ''; + $sql .= (isset($_POST['event_status']) && $_POST['event_status'] != '' && $_POST['event_status'] != 'IA') ? " WHERE event_status = '" . sanitize_text_field($_POST['event_status']) . "' " : " WHERE event_status != 'D' "; + $sql .= isset($_REQUEST['category_id']) && sanitize_text_field($_REQUEST['category_id']) != '' ? " AND c.id = '" . $_REQUEST['category_id'] . "' " : ''; if (isset($_POST['month_range']) && $_POST['month_range'] != '') { $sql .= " AND start_date BETWEEN '" . date('Y-m-d', strtotime($year_r . '-' . $month_r . '-01')) . "' AND '" . date('Y-m-d', strtotime($year_r . '-' . $month_r . '-31')) . "' "; From e1de722872e0dfceade05e1267405b78c58ec075 Mon Sep 17 00:00:00 2001 From: Josh Feck Date: Mon, 2 Dec 2019 13:22:17 -0500 Subject: [PATCH 24/38] validate questions/groups re-ordering values --- includes/form-builder/groups/index.php | 2 +- includes/form-builder/index.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/form-builder/groups/index.php b/includes/form-builder/groups/index.php index b94ade65..2171227f 100644 --- a/includes/form-builder/groups/index.php +++ b/includes/form-builder/groups/index.php 
@@ -6,7 +6,7 @@ function event_espresso_question_groups_config_mnu() { if (!empty($_REQUEST['update_sequence'])) { $rows = explode(",", $_POST['row_ids']); for ($i = 0; $i < count($rows); $i++) { - $wpdb->query("UPDATE " . EVENTS_QST_GROUP_TABLE . " SET group_order=" . $i . " WHERE id='" . $rows[$i] . "'"); + $wpdb->query("UPDATE " . EVENTS_QST_GROUP_TABLE . " SET group_order=" . $i . " WHERE id='" . (int)$rows[$i] . "'"); } die(); } diff --git a/includes/form-builder/index.php b/includes/form-builder/index.php index 48860f9e..58dadeca 100644 --- a/includes/form-builder/index.php +++ b/includes/form-builder/index.php @@ -7,7 +7,7 @@ function event_espresso_questions_config_mnu() { if (!empty($_REQUEST['update_sequence'])) { $rows = explode(",", $_POST['row_ids']); for ($i = 0; $i < count($rows); $i++) { - $wpdb->query("UPDATE " . EVENTS_QUESTION_TABLE . " SET sequence=" . $i . " WHERE id='" . $rows[$i] . "'"); + $wpdb->query("UPDATE " . EVENTS_QUESTION_TABLE . " SET sequence=" . $i . " WHERE id='" . (int)$rows[$i] . "'"); } die(); } From d59e273cfa5f5a07c33adf1dc6d07dfbf06751fa Mon Sep 17 00:00:00 2001 From: Josh Feck Date: Mon, 2 Dec 2019 15:19:27 -0500 Subject: [PATCH 25/38] add some more validation when updating categories --- includes/category-management/update_event_category.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/category-management/update_event_category.php b/includes/category-management/update_event_category.php index 5d7c97d9..d269b2ff 100644 --- a/includes/category-management/update_event_category.php +++ b/includes/category-management/update_event_category.php @@ -1,11 +1,11 @@ Date: Mon, 2 Dec 2019 20:08:25 -0500 Subject: [PATCH 26/38] fix recurring events --- includes/event-management/insert_event.php | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/includes/event-management/insert_event.php b/includes/event-management/insert_event.php index 62249d01..46527aa7 100644 
--- a/includes/event-management/insert_event.php +++ b/includes/event-management/insert_event.php @@ -41,9 +41,15 @@ function add_event_to_db($recurrence_arr = array()) { $recurrence_id = array_key_exists('recurrence_id', $recurrence_arr) ? $recurrence_arr['recurrence_id'] : Null; if ($_POST['recurrence'] == 'Y' && count($recurrence_arr) < 2) { - if (is_null($recurrence_id)) + if (is_null($recurrence_id)) { $recurrence_id = add_recurrence_master_record(); - + } + $re_weekday = isset($_POST['recurrence_weekday']) ? (array)$_POST['recurrence_weekday'] : array(); + $re_weekday = array_map('intval', $re_weekday); + $re_manual_dates = isset($_POST['recurrence_manual_dates']) ? (array)$_POST['recurrence_manual_dates'] : array(); + $re_manual_dates = array_map('sanitize_text_field', $re_manual_dates); + $re_manual_end_dates = isset($_POST['recurrence_manual_end_dates']) ? (array)$_POST['recurrence_manual_end_dates'] : array(); + $re_manual_end_dates = array_map('sanitize_text_field', $re_manual_end_dates); $re_params = array( 'start_date' => ($_POST['recurrence_type'] == 'a') ? sanitize_text_field($_POST['recurrence_start_date']) : sanitize_text_field($_POST['recurrence_manual_dates']), 'event_end_date' => ($_POST['recurrence_type'] == 'a') ? sanitize_text_field($_POST['recurrence_event_end_date']) : sanitize_text_field($_POST['recurrence_manual_end_dates']), 
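Review bot: The new lines treat `$_POST['recurrence_manual_dates']` and `recurrence_manual_end_dates` as arrays (`(array)` cast, `array_map('sanitize_text_field', ...)`), yet the unchanged `'start_date'` and `'event_end_date'` context lines still pass the raw `$_POST` values to `sanitize_text_field()`, which expects a string; when an array is submitted that yields an array-to-string conversion rather than a date. If the first manual date is what belongs in `start_date`, use `$re_manual_dates[0]` (and `$re_manual_end_dates[0]`) there; otherwise a comment explaining why the raw value is intended would help. The dates are sanitized only as text, not validated as dates; a `strtotime()` or `DateTime::createFromFormat()` check would reject malformed input before it is stored. add_event_to_db continues outside the hunk.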
@@ -51,13 +57,13 @@ function add_event_to_db($recurrence_arr = array()) { 'registration_start' => sanitize_text_field($_POST['recurrence_regis_start_date']), 'registration_end' => sanitize_text_field($_POST['recurrence_regis_end_date']), 'frequency' => sanitize_text_field($_POST['recurrence_frequency']), - 'interval' => sanitize_text_field($_POST['recurrence_interval']), + 'interval' => (int)$_POST['recurrence_interval'], 'type' => sanitize_text_field($_POST['recurrence_type']), - 'weekdays' => isset($_POST['recurrence_weekday']) ? sanitize_text_field($_POST['recurrence_weekday']) : '', + 'weekdays' => $re_weekday, 'repeat_by' => sanitize_text_field($_POST['recurrence_repeat_by']), - 'recurrence_regis_date_increment' => sanitize_text_field($_POST['recurrence_regis_date_increment']), - 'recurrence_manual_dates' => sanitize_text_field($_POST['recurrence_manual_dates']), - 'recurrence_manual_end_dates' => sanitize_text_field($_POST['recurrence_manual_end_dates']), + 'recurrence_regis_date_increment' => $_POST['recurrence_regis_date_increment'] === 'Y' ? 'Y' : 'N', + 'recurrence_manual_dates' => $re_manual_dates, + 'recurrence_manual_end_dates' => $re_manual_end_dates, 'recurrence_id' => $recurrence_id, 'adding_to_db' => 'Y' ); From e25e5f674fc8f753e25a6fc93d40b705e0f5ac43 Mon Sep 17 00:00:00 2001 From: Josh Feck Date: Mon, 2 Dec 2019 20:27:29 -0500 Subject: [PATCH 27/38] validate ID --- includes/form-builder/questions/edit_question.php | 2 +- includes/functions/admin.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/form-builder/questions/edit_question.php b/includes/form-builder/questions/edit_question.php index 7a78cf46..dcb4ca3a 100644 --- a/includes/form-builder/questions/edit_question.php +++ b/includes/form-builder/questions/edit_question.php 
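Review bot: `$_POST['recurrence_regis_date_increment'] === 'Y'` reads the key without `isset()`, unlike the `recurrence_weekday` handling in the previous hunk, so an unchecked box produces a notice before defaulting to `'N'`; `isset($_POST['recurrence_regis_date_increment']) && $_POST['recurrence_regis_date_increment'] === 'Y' ? 'Y' : 'N'`. `(int)$_POST['recurrence_interval']` accepts zero and negative values; if the recurrence generator loops on or divides by the interval (not visible here), `max(1, (int)$_POST['recurrence_interval'])` or an explicit validation error is safer. `'type'` is sanitized as free text although the surrounding code only compares it to `'a'`; an allow-list of the known type codes would be tighter. add_event_to_db continues outside the hunk.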
@@ -8,7 +8,7 @@ function event_espresso_form_builder_edit(){
 array('id'=>'N','text'=> __('No','event_espresso')) );
- $question_id = $_REQUEST['question_id'];
+ $question_id = (int)$_REQUEST['question_id'];
 $questions = espresso_get_user_questions(null, $question_id);
 if ( count($questions) > 0 ) {
 foreach ($questions as $question) {
diff --git a/includes/functions/admin.php b/includes/functions/admin.php
index 0d69873c..c53eee76 100644
--- a/includes/functions/admin.php
+++ b/includes/functions/admin.php
@@ -125,7 +125,7 @@ function espresso_tiny_mce() {
 function event_espresso_delete_event($event_id = 'NULL') {
 global $wpdb;
 if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {
- $event_id = $_REQUEST['event_id'];
+ $event_id = (int)$_REQUEST['event_id'];
 }
 if ($event_id != 'NULL') {
 $sql = array('event_status' => 'D');
From 91a02c9862d086461ddb40d771e47d019860767e Mon Sep 17 00:00:00 2001
From: Josh Feck
Date: Mon, 2 Dec 2019 20:28:02 -0500
Subject: [PATCH 28/38] validate IDs and sanitize text fields
---
 templates/multi_registration_page.php | 8 ++++----
 templates/registration_page.php | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/templates/multi_registration_page.php b/templates/multi_registration_page.php
index 8aa3ad81..ea1aa33f 100644
--- a/templates/multi_registration_page.php
+++ b/templates/multi_registration_page.php
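Review bot: In `event_espresso_delete_event`, `(int)$_REQUEST['event_id']` turns a non-numeric value into `0`, and the unchanged sentinel test `$event_id != 'NULL'` then compares that integer to a string loosely, which evaluates differently across PHP versions (`0 == 'NULL'` is true before PHP 8 and false from PHP 8 on), so the update path is either skipped or runs with id 0 depending on the runtime. Replacing the sentinel check with `if ( $event_id !== 'NULL' && (int)$event_id > 0 ) {` makes the intent explicit and version-independent. The `edit_question.php` hunk has the same missing `isset()` as elsewhere in the series (`(int)$_REQUEST['question_id']` on an absent key raises a notice). Both functions continue outside their hunks.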
@@ -32,13 +32,13 @@ function multi_register_attendees( $single_event_id = NULL, $event_id_sc =0, $me if ( ! $event ) { // the key we will eventually use in our query to find the event - $ID = $event_id_sc != '0' ? $event_id_sc : $_REQUEST['event_id']; + $ID = $event_id_sc != '0' ? $event_id_sc : (int)$_REQUEST['event_id']; if (!empty($_REQUEST['event_id_time'])) { $pieces = explode('|', $_REQUEST['event_id_time'], 3); - $ID = $pieces[0]; - $start_time = $pieces[1]; - $time_id = $pieces[2]; + $ID = (int)$pieces[0]; + $start_time = sanitize_text_field($pieces[1]); + $time_id = (int)$pieces[2]; $time_selected = true; } diff --git a/templates/registration_page.php b/templates/registration_page.php index 013bceb1..7a8c6c21 100644 --- a/templates/registration_page.php +++ b/templates/registration_page.php @@ -25,19 +25,19 @@ function register_attendees($single_event_id = NULL, $event_id_sc =0, $reg_form_ $default_event_id = 1; $default_event_id = apply_filters( 'filter_hook_espresso_default_event_id', $default_event_id ); - $_REQUEST['event_id'] = isset( $_REQUEST['event_id'] ) && ! empty( $_REQUEST['event_id'] ) ? $_REQUEST['event_id'] : $default_event_id; + $_REQUEST['event_id'] = isset( $_REQUEST['event_id'] ) && ! empty( $_REQUEST['event_id'] ) ? (int)$_REQUEST['event_id'] : $default_event_id; if (isset($_REQUEST['ee']) && $_REQUEST['ee'] != '') { - $_REQUEST['event_id'] = $_REQUEST['ee']; + $_REQUEST['event_id'] = (int)$_REQUEST['ee']; } - $event_id = $event_id_sc != '0' ? $event_id_sc : $_REQUEST['event_id']; + $event_id = $event_id_sc != '0' ? $event_id_sc : (int)$_REQUEST['event_id']; if (!empty($_REQUEST['event_id_time'])) { $pieces = explode('|', $_REQUEST['event_id_time'], 3); - $event_id = $pieces[0]; - $start_time = $pieces[1]; - $time_id = $pieces[2]; + $event_id = (int)$pieces[0]; + $start_time = sanitize_text_field($pieces[1]); + $time_id = (int)$pieces[2]; $time_selected = true; } From c452f466a7aafdca63b2b123e34a960cd91dad47 Mon Sep 17 00:00:00 2001 
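Review bot: `explode('|', $_REQUEST['event_id_time'], 3)` is followed by unguarded reads of `$pieces[1]` and `$pieces[2]`, so an `event_id_time` with fewer than two separators produces undefined-offset notices and a `$time_id` of 0 from `(int)null`; guard the block with `if ( count($pieces) === 3 )` before the three assignments, or fall back explicitly when parts are missing. The same pattern is in the `registration_page.php` hunk on this line. `sanitize_text_field($pieces[1])` keeps `$start_time` as free text; if it is later compared to stored times or used in a query (not visible here), validating it as a time string would be tighter. Both functions continue outside their hunks.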
From: Josh Feck Date: Wed, 4 Dec 2019 09:08:48 -0500 Subject: [PATCH 29/38] fix discount query (per Mike's review) --- includes/admin-files/coupon-management/edit_discount.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/admin-files/coupon-management/edit_discount.php b/includes/admin-files/coupon-management/edit_discount.php index cde3c60a..2a61fcd2 100644 --- a/includes/admin-files/coupon-management/edit_discount.php +++ b/includes/admin-files/coupon-management/edit_discount.php @@ -5,7 +5,7 @@ function edit_event_discount(){ global $wpdb; $discount_id = intval($_REQUEST['discount_id']); - $sql = $wpdb->prepare("SELECT * FROM " . EVENTS_DISCOUNT_CODES_TABLE . " WHERE id = %d", array($discount_id)); + $sql = $wpdb->prepare("SELECT * FROM " . EVENTS_DISCOUNT_CODES_TABLE . " WHERE id = %d", $discount_id); $event_discounts = $wpdb->get_results( $sql ); foreach ($event_discounts as $event_discount){ From a8e70453eacab32dd41c6917b748e83fd126e5b0 Mon Sep 17 00:00:00 2001 From: Josh Feck Date: Wed, 4 Dec 2019 09:10:36 -0500 Subject: [PATCH 30/38] fix events admin query (per Mike's review) --- includes/admin-reports/add_new_attendee.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/admin-reports/add_new_attendee.php b/includes/admin-reports/add_new_attendee.php index f7c2e564..c1a80452 100644 --- a/includes/admin-reports/add_new_attendee.php +++ b/includes/admin-reports/add_new_attendee.php @@ -33,7 +33,7 @@ function add_new_attendee($event_id){ wp_print_scripts('reCopy'); global $wpdb; - $sql = "SELECT * FROM " .EVENTS_DETAIL_TABLE. " ed WHERE ed.is_active='Y' AND ed.event_status != 'D' AND ed.id = '%d' LIMIT 0,1"; + $sql = "SELECT * FROM " .EVENTS_DETAIL_TABLE. " ed WHERE ed.is_active='Y' AND ed.event_status != 'D' AND ed.id = %d LIMIT 0,1"; //Build the registration page if ($wpdb->get_results($wpdb->prepare( $sql, $event_id ), OBJECT_K )){ From c3574710427f058084c31e574c65dc4b49fafc54 Mon Sep 17 00:00:00 2001 
From: Josh Feck Date: Wed, 4 Dec 2019 09:18:23 -0500 Subject: [PATCH 31/38] fix events query (per Mike's review) --- includes/admin-reports/add_new_attendee.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/includes/admin-reports/add_new_attendee.php b/includes/admin-reports/add_new_attendee.php index c1a80452..b02ac55c 100644 --- a/includes/admin-reports/add_new_attendee.php +++ b/includes/admin-reports/add_new_attendee.php @@ -36,9 +36,9 @@ function add_new_attendee($event_id){ $sql = "SELECT * FROM " .EVENTS_DETAIL_TABLE. " ed WHERE ed.is_active='Y' AND ed.event_status != 'D' AND ed.id = %d LIMIT 0,1"; //Build the registration page - if ($wpdb->get_results($wpdb->prepare( $sql, $event_id ), OBJECT_K )){ - $events = $wpdb->get_results($wpdb->prepare( $sql, $event_id ), OBJECT_K ); - //These are the variables that can be used throughout the regsitration page + $events = $wpdb->get_results($wpdb->prepare( $sql, $event_id ), OBJECT_K ); + if ($events){ + //These are the variables that can be used throughout the registration page foreach ($events as $event){ $event_id = $event->id; $event_name = stripslashes($event->event_name); From c96e9ee4776b72fd751b567d24a107307e369d92 Mon Sep 17 00:00:00 2001 From: sethshoultes Date: Thu, 5 Dec 2019 10:16:07 -0700 Subject: [PATCH 32/38] Add sanitization to text fields --- .../staff-management/add_staff_to_db.php | 20 ++++++++--------- .../staff-management/update_staff.php | 22 +++++++++---------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/includes/admin-files/staff-management/add_staff_to_db.php b/includes/admin-files/staff-management/add_staff_to_db.php index 18c2e7e8..2da6a4ca 100644 --- a/includes/admin-files/staff-management/add_staff_to_db.php +++ b/includes/admin-files/staff-management/add_staff_to_db.php 
@@ -4,17 +4,17 @@ function add_staff_to_db(){ $wpdb->show_errors(); if ( $_REQUEST['action'] == 'add' ){ //print_r($_REQUEST); - $staff_meta['phone'] = $_REQUEST['phone']; - $staff_meta['twitter'] = $_REQUEST['twitter']; - $staff_meta['image'] = $_REQUEST['image']; - $staff_meta['website'] = $_REQUEST['website']; + $staff_meta['phone'] = sanitize_text_field($_REQUEST['phone']); + $staff_meta['twitter'] = sanitize_text_field($_REQUEST['twitter']); + $staff_meta['image'] = sanitize_text_field($_REQUEST['image']); + $staff_meta['website'] = sanitize_text_field($_REQUEST['website']); $staff_meta['description'] = wp_kses_post( $_REQUEST['description'] ); - $staff_meta['organization'] = esc_html($_REQUEST['organization']); - $staff_meta['title'] = esc_html($_REQUEST['title']); - $staff_meta['industry'] = esc_html($_REQUEST['industry']); - $staff_meta['city'] = esc_html($_REQUEST['city']); - $staff_meta['country'] = esc_html($_REQUEST['country']); + $staff_meta['organization'] = sanitize_text_field($_REQUEST['organization']); + $staff_meta['title'] = sanitize_text_field($_REQUEST['title']); + $staff_meta['industry'] = sanitize_text_field($_REQUEST['industry']); + $staff_meta['city'] = sanitize_text_field($_REQUEST['city']); + $staff_meta['country'] = sanitize_text_field($_REQUEST['country']); $meta = serialize($staff_meta); @@ -23,7 +23,7 @@ function add_staff_to_db(){ if (!function_exists('espresso_member_data')) $current_user->ID = 1; - $sql=array('identifier'=>$identifier, 'role'=>$_REQUEST['role'], 'name'=>$_REQUEST['name'],'email'=>$_REQUEST['email'],'wp_user'=>$current_user->ID,'meta'=>$meta); + $sql=array('identifier'=>$identifier, 'role'=>sanitize_text_field($_REQUEST['role']), 'name'=>sanitize_text_field($_REQUEST['name']),'email'=>sanitize_text_field($_REQUEST['email']),'wp_user'=>$current_user->ID,'meta'=>$meta); $sql_data = array('%s', '%s', '%s','%s','%d','%s'); 
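Review bot: `'email'=>sanitize_text_field($_REQUEST['email'])` in the `@@ -23` hunk uses the generic text sanitizer for an address; WordPress provides `sanitize_email()` for exactly this field, and `is_email()` lets the handler reject an invalid address instead of storing it: `'email'=>sanitize_email($_REQUEST['email']),` with an `is_email()` check beforehand. The same line appears in the `update_staff.php` hunk of this commit. `$_REQUEST['action'] == 'add'` on the first context line is a loose comparison where the rest of the series uses `===`. add_staff_to_db continues outside the hunk.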
diff --git a/includes/admin-files/staff-management/update_staff.php b/includes/admin-files/staff-management/update_staff.php index 35f49b55..ac8b5b42 100644 --- a/includes/admin-files/staff-management/update_staff.php +++ b/includes/admin-files/staff-management/update_staff.php 
@@ -3,24 +3,24 @@ function update_event_staff(){ global $wpdb; $wpdb->show_errors(); //print_r($_REQUEST); - $staff_meta['phone'] = $_REQUEST['phone']; - $staff_meta['twitter'] = $_REQUEST['twitter']; - $staff_meta['image'] = $_REQUEST['image']; - $staff_meta['website'] = $_REQUEST['website']; + $staff_meta['phone'] = sanitize_text_field($_REQUEST['phone']); + $staff_meta['twitter'] = sanitize_text_field($_REQUEST['twitter']); + $staff_meta['image'] = sanitize_text_field($_REQUEST['image']); + $staff_meta['website'] = sanitize_text_field($_REQUEST['website']); $staff_meta['description'] = wp_kses_post( $_REQUEST['description'] ); - $staff_meta['organization'] = esc_html($_REQUEST['organization']); - $staff_meta['title'] = esc_html($_REQUEST['title']); - $staff_meta['industry'] = esc_html($_REQUEST['industry']); - $staff_meta['city'] = esc_html($_REQUEST['city']); - $staff_meta['country'] = esc_html($_REQUEST['country']); + $staff_meta['organization'] = sanitize_text_field($_REQUEST['organization']); + $staff_meta['title'] = sanitize_text_field($_REQUEST['title']); + $staff_meta['industry'] = sanitize_text_field($_REQUEST['industry']); + $staff_meta['city'] = sanitize_text_field($_REQUEST['city']); + $staff_meta['country'] = sanitize_text_field($_REQUEST['country']); $meta = serialize($staff_meta); - $sql=array('name'=>$_REQUEST['name'],'role'=>$_REQUEST['role'],'email'=>$_REQUEST['email'], 'meta'=>$meta); + $sql=array('name'=>sanitize_text_field($_REQUEST['name']),'role'=>sanitize_text_field($_REQUEST['role']),'email'=>sanitize_text_field($_REQUEST['email']), 'meta'=>$meta); - $update_id = array('id'=> $_REQUEST['staff_id']); + $update_id = array('id'=> (int)$_REQUEST['staff_id']); $sql_data = array('%s','%s','%s','%s'); $wpdb->update( EVENTS_PERSONNEL_TABLE, $sql, $update_id, $sql_data, array( '%d' ) ); From 510ed5d5fb595d4a3a5840a6510e554e73387b8a Mon Sep 17 00:00:00 2001 
From: sethshoultes Date: Thu, 5 Dec 2019 10:43:40 -0700 Subject: [PATCH 33/38] Add sanitization --- includes/admin-files/venue-management/edit_venue.php | 2 +- includes/admin-files/venue-management/index.php | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/includes/admin-files/venue-management/edit_venue.php b/includes/admin-files/venue-management/edit_venue.php index bc3a9e6b..0d1b57f8 100644 --- a/includes/admin-files/venue-management/edit_venue.php +++ b/includes/admin-files/venue-management/edit_venue.php @@ -1,7 +1,7 @@ Date: Thu, 5 Dec 2019 10:54:00 -0700 Subject: [PATCH 34/38] Add sanitization --- includes/admin-reports/charts.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/admin-reports/charts.php b/includes/admin-reports/charts.php index 7806338b..caace791 100644 --- a/includes/admin-reports/charts.php +++ b/includes/admin-reports/charts.php @@ -1,12 +1,12 @@

- +

Date: Thu, 5 Dec 2019 17:38:58 -0500 Subject: [PATCH 35/38] prepare query --- includes/form-builder/groups/index.php | 2 +- includes/form-builder/index.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/form-builder/groups/index.php b/includes/form-builder/groups/index.php index 2171227f..819cdd1c 100644 --- a/includes/form-builder/groups/index.php +++ b/includes/form-builder/groups/index.php @@ -6,7 +6,7 @@ function event_espresso_question_groups_config_mnu() { if (!empty($_REQUEST['update_sequence'])) { $rows = explode(",", $_POST['row_ids']); for ($i = 0; $i < count($rows); $i++) { - $wpdb->query("UPDATE " . EVENTS_QST_GROUP_TABLE . " SET group_order=" . $i . " WHERE id='" . (int)$rows[$i] . "'"); + $wpdb->query($wpdb->prepare("UPDATE " . EVENTS_QST_GROUP_TABLE . " SET group_order=" . $i . " WHERE id=%d", (int)$rows[$i])); } die(); } diff --git a/includes/form-builder/index.php b/includes/form-builder/index.php index 58dadeca..cf179006 100644 --- a/includes/form-builder/index.php +++ b/includes/form-builder/index.php @@ -7,7 +7,7 @@ function event_espresso_questions_config_mnu() { if (!empty($_REQUEST['update_sequence'])) { $rows = explode(",", $_POST['row_ids']); for ($i = 0; $i < count($rows); $i++) { - $wpdb->query("UPDATE " . EVENTS_QUESTION_TABLE . " SET sequence=" . $i . " WHERE id='" . (int)$rows[$i] . "'"); + $wpdb->query($wpdb->prepare("UPDATE " . EVENTS_QUESTION_TABLE . " SET sequence=" . $i . " WHERE id=%d", (int)$rows[$i])); } die(); } From 73f49c1b1e7194adda29ce36607e62b73b758c92 Mon Sep 17 00:00:00 2001 From: Josh Feck Date: Thu, 5 Dec 2019 17:51:25 -0500 Subject: [PATCH 36/38] validate category ID --- includes/functions/export.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/functions/export.php b/includes/functions/export.php index 1b61a9d4..f413e28e 100644 --- a/includes/functions/export.php +++ b/includes/functions/export.php 
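Review bot: Both `prepare()` calls still splice `$i` into the query string (`" SET group_order=" . $i . " WHERE id=%d"`) while passing only the id as a placeholder; `$i` is a loop counter so this is safe today, but mixing concatenation and placeholders in one statement invites the next edit to concatenate something that is not: `$wpdb->prepare("UPDATE " . EVENTS_QST_GROUP_TABLE . " SET group_order=%d WHERE id=%d", $i, (int)$rows[$i])`. The same applies to the `form-builder/index.php` hunk on this line. `$_POST['row_ids']` is read without `isset()` on the context line above. Both functions continue outside their hunks.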
@@ -62,7 +62,7 @@ function espresso_event_export($ename) {
 }
 $sql .= ($_POST['event_status'] != '' && $_POST['event_status'] != 'IA') ? " WHERE event_status = '" . sanitize_text_field($_POST['event_status']) . "' " : " WHERE event_status != 'D' ";
- $sql .= $_REQUEST['category_id'] != '' ? " AND c.id = '" . sanitize_text_field($_REQUEST['category_id']) . "' " : '';
+ $sql .= $_REQUEST['category_id'] != '' ? " AND c.id = '" . (int)$_REQUEST['category_id'] . "' " : '';
 $sql .= $group != '' ? " AND l.locale_id IN (" . implode(",", $group) . ") " : '';
 if ($_POST['month_range'] != '') {
@@ -102,7 +102,7 @@ function espresso_event_export($ename) {
 }
 $sql .= (isset($_POST['event_status']) && $_POST['event_status'] != '' && $_POST['event_status'] != 'IA') ? " WHERE event_status = '" . sanitize_text_field($_POST['event_status']) . "' " : " WHERE event_status != 'D' ";
- $sql .= isset($_REQUEST['category_id']) && sanitize_text_field($_REQUEST['category_id']) != '' ? " AND c.id = '" . $_REQUEST['category_id'] . "' " : '';
+ $sql .= isset($_REQUEST['category_id']) && $_REQUEST['category_id'] != '' ? " AND c.id = '" . (int)$_REQUEST['category_id'] . "' " : '';
 if (isset($_POST['month_range']) && $_POST['month_range'] != '') {
 $sql .= " AND start_date BETWEEN '" . date('Y-m-d', strtotime($year_r . '-' . $month_r . '-01')) . "' AND '" . date('Y-m-d', strtotime($year_r . '-' . $month_r . '-31')) . "' ";
From 97f66c97a3795110e1a1475c541d085b6447a978 Mon Sep 17 00:00:00 2001
From: sethshoultes
Date: Thu, 5 Dec 2019 16:19:57 -0700
Subject: [PATCH 37/38] Using esc_url_raw for URL sanitization
---
 includes/admin-files/staff-management/add_staff_to_db.php | 4 ++--
 includes/admin-files/staff-management/update_staff.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/includes/admin-files/staff-management/add_staff_to_db.php b/includes/admin-files/staff-management/add_staff_to_db.php
index 2da6a4ca..a7b3bd6d 100644
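Review bot: The context line directly above the changed one still concatenates `sanitize_text_field($_POST['event_status'])` into the WHERE clause; sanitize_text_field() strips tags, octets and line breaks but does not escape single quotes, so that predicate is not protected the way `category_id` now is by the `(int)` cast. I would give it the same treatment the repository already uses elsewhere, `$sql .= ($_POST['event_status'] != '' && $_POST['event_status'] != 'IA') ? $wpdb->prepare(" WHERE event_status = %s ", $_POST['event_status']) : " WHERE event_status != 'D' ";`, or at least wrap the value in `esc_sql()`. `$group` is defined outside this hunk, so I cannot tell whether its elements are integers before the `implode`; an `array_map('intval', $group)` at that point would make the IN list provably safe. espresso_event_export() starts before this hunk and the hunk's trailing context is not visible.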
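Review bot: In the second hunk the month filter's upper bound is computed as `strtotime($year_r . '-' . $month_r . '-31')`, and PHP rolls an out-of-range day forward, so for a 30-day month the range ends on the 1st of the next month and for February on the 2nd or 3rd of March, quietly including next month's events in the export. Using the `t` format character avoids the rollover: `date('Y-m-t', strtotime($year_r . '-' . $month_r . '-01'))`. `$year_r` and `$month_r` are assigned outside this hunk, so their validation is not visible here; the `event_status` concatenation on this hunk's second context line has the same quoting weakness as in the first hunk.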
--- a/includes/admin-files/staff-management/add_staff_to_db.php
+++ b/includes/admin-files/staff-management/add_staff_to_db.php
@@ -6,8 +6,8 @@ function add_staff_to_db(){
 //print_r($_REQUEST);
 $staff_meta['phone'] = sanitize_text_field($_REQUEST['phone']);
 $staff_meta['twitter'] = sanitize_text_field($_REQUEST['twitter']);
- $staff_meta['image'] = sanitize_text_field($_REQUEST['image']);
- $staff_meta['website'] = sanitize_text_field($_REQUEST['website']);
+ $staff_meta['image'] = esc_url_raw($_REQUEST['image']);
+ $staff_meta['website'] = esc_url_raw($_REQUEST['website']);
 $staff_meta['description'] = wp_kses_post( $_REQUEST['description'] );
 $staff_meta['organization'] = sanitize_text_field($_REQUEST['organization']);
diff --git a/includes/admin-files/staff-management/update_staff.php b/includes/admin-files/staff-management/update_staff.php
index ac8b5b42..18c6bc74 100644
--- a/includes/admin-files/staff-management/update_staff.php
+++ b/includes/admin-files/staff-management/update_staff.php
@@ -5,8 +5,8 @@ function update_event_staff(){
 //print_r($_REQUEST);
 $staff_meta['phone'] = sanitize_text_field($_REQUEST['phone']);
 $staff_meta['twitter'] = sanitize_text_field($_REQUEST['twitter']);
- $staff_meta['image'] = sanitize_text_field($_REQUEST['image']);
- $staff_meta['website'] = sanitize_text_field($_REQUEST['website']);
+ $staff_meta['image'] = esc_url_raw($_REQUEST['image']);
+ $staff_meta['website'] = esc_url_raw($_REQUEST['website']);
 $staff_meta['description'] = wp_kses_post( $_REQUEST['description'] );
 $staff_meta['organization'] = sanitize_text_field($_REQUEST['organization']);
From 8617b08d47bbe333dbdc914b9f68f140b0415bf5 Mon Sep 17 00:00:00 2001
From: Josh Feck
Date: Mon, 16 Dec 2019 19:48:36 -0500
Subject: [PATCH 38/38] fix settings current time display
---
 includes/organization_config.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
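Review bot: esc_url_raw() with no second argument accepts every scheme in wp_allowed_protocols() (mailto:, ftp:, tel:, feed: and so on), which is wider than an image source or a website link ever needs; passing an explicit list pins both fields to web URLs, `$staff_meta['image'] = esc_url_raw($_REQUEST['image'], array('http', 'https'));` and likewise for `website`. esc_url_raw() is the storage-side function and performs no HTML encoding, so wherever `$staff_meta['image']` and `$staff_meta['website']` are printed they still need esc_url()/esc_attr() at output time, which is outside this hunk. Every `$_REQUEST` key here is read without an isset check, which is a notice rather than a security issue, and no nonce or capability check is visible before these assignments, so it is worth confirming the caller of add_staff_to_db() performs one. The identical remarks apply to the update_event_staff() hunk below.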
diff --git a/includes/organization_config.php b/includes/organization_config.php index 8711a8ff..c2291c69 100644 --- a/includes/organization_config.php +++ b/includes/organization_config.php @@ -239,7 +239,7 @@ function organization_config_mnu() {
  • - +