Fix SQL Injection and XSS vulnerability - woohoo our first 0-day exploit!
http://inj3ct0r.com/exploits/12613 http://packetstorm.linuxsecurity.com/1006-exploits/fairinabox-sqlxss.txt
This commit is contained in:
parent
b7f3274543
commit
dc63df156c
87
winners.php
87
winners.php
@ -4,7 +4,7 @@
|
|||||||
SFIAB Website: http://www.sfiab.ca
|
SFIAB Website: http://www.sfiab.ca
|
||||||
|
|
||||||
Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
|
Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
|
||||||
Copyright (C) 2005 James Grant <james@lightbox.org>
|
Copyright (C) 2005-2010 James Grant <james@lightbox.org>
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or
|
This program is free software; you can redistribute it and/or
|
||||||
modify it under the terms of the GNU General Public
|
modify it under the terms of the GNU General Public
|
||||||
@ -33,18 +33,26 @@ if($_POST['edit']) $edit=$_POST['edit'];
|
|||||||
if($_GET['action']) $action=$_GET['action'];
|
if($_GET['action']) $action=$_GET['action'];
|
||||||
if($_POST['action']) $action=$_POST['action'];
|
if($_POST['action']) $action=$_POST['action'];
|
||||||
|
|
||||||
if($_GET['year'] && $_GET['type'])
|
if($_GET['year'] && $_GET['type']) {
|
||||||
{
|
$year=intval($_GET['year']);
|
||||||
|
$type=$_GET['type'];
|
||||||
$show_unawarded_awards="no";
|
$show_unawarded_awards="no";
|
||||||
$show_unawarded_prizes="no";
|
$show_unawarded_prizes="no";
|
||||||
|
|
||||||
echo "<h2>".i18n("%1 %2 Award Winners",array($_GET['year'],$_GET['type']))."</h2>";
|
$typeq=mysql_query("SELECT * FROM award_types WHERE type='".mysql_real_escape_string($type)."' AND year=$year");
|
||||||
$year=$_GET['year'];
|
if(!mysql_num_rows($typeq)) {
|
||||||
|
echo error(i18n("Invalid award type"));
|
||||||
|
send_footer();
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
echo "<h2>".i18n("%1 %2 Award Winners",array($year,$type))."</h2>";
|
||||||
|
|
||||||
$ok=true;
|
$ok=true;
|
||||||
//first, lets make sure someone isnt tryint to see something that they arent allowed to!
|
//first, lets make sure someone isnt tryint to see something that they arent allowed to!
|
||||||
//but only if the year they want is the FAIRYEAR. If they want a past year, thats cool
|
//but only if the year they want is the FAIRYEAR. If they want a past year, thats cool
|
||||||
if($_GET['year']>=$config['FAIRYEAR']) {
|
if($year>=$config['FAIRYEAR']) {
|
||||||
$q=mysql_query("SELECT (NOW()>'".$config['dates']['postwinners']."') AS test");
|
$q=mysql_query("SELECT (NOW()>'".$config['dates']['postwinners']."') AS test");
|
||||||
$r=mysql_fetch_object($q);
|
$r=mysql_fetch_object($q);
|
||||||
if($r->test!=1)
|
if($r->test!=1)
|
||||||
@ -54,8 +62,7 @@ if($_GET['year'] && $_GET['type'])
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if($ok)
|
if($ok) {
|
||||||
{
|
|
||||||
|
|
||||||
$q=mysql_query("SELECT
|
$q=mysql_query("SELECT
|
||||||
award_awards.id,
|
award_awards.id,
|
||||||
@ -68,19 +75,17 @@ if($_GET['year'] && $_GET['type'])
|
|||||||
WHERE
|
WHERE
|
||||||
award_awards.year='$year'
|
award_awards.year='$year'
|
||||||
AND award_awards.award_types_id=award_types.id
|
AND award_awards.award_types_id=award_types.id
|
||||||
AND award_types.type='".$_GET['type']."'
|
AND award_types.type='".$type."'
|
||||||
AND award_types.year='$year'
|
AND award_types.year='$year'
|
||||||
ORDER BY
|
ORDER BY
|
||||||
awards_order");
|
awards_order");
|
||||||
|
|
||||||
echo mysql_error();
|
echo mysql_error();
|
||||||
|
|
||||||
if(mysql_num_rows($q))
|
if(mysql_num_rows($q)) {
|
||||||
{
|
|
||||||
echo "<a href=\"winners.php\">".i18n("Back to Winners main page")."</a>";
|
echo "<a href=\"winners.php\">".i18n("Back to Winners main page")."</a>";
|
||||||
echo "<br />";
|
echo "<br />";
|
||||||
while($r=mysql_fetch_object($q))
|
while($r=mysql_fetch_object($q)) {
|
||||||
{
|
|
||||||
$pq=mysql_query("SELECT
|
$pq=mysql_query("SELECT
|
||||||
award_prizes.prize,
|
award_prizes.prize,
|
||||||
award_prizes.number,
|
award_prizes.number,
|
||||||
@ -102,37 +107,31 @@ if($_GET['year'] && $_GET['type'])
|
|||||||
`order`");
|
`order`");
|
||||||
echo mysql_error();
|
echo mysql_error();
|
||||||
$awarded_count = 0;
|
$awarded_count = 0;
|
||||||
if($show_unawarded_awards=="no")
|
if($show_unawarded_awards=="no") {
|
||||||
{
|
if(mysql_num_rows($pq)) {
|
||||||
while($pr=mysql_fetch_object($pq))
|
while($pr=mysql_fetch_object($pq)) {
|
||||||
{
|
if($pr->projectnumber) {
|
||||||
if($pr->projectnumber)
|
$awarded_count++;
|
||||||
{
|
}
|
||||||
$awarded_count++;
|
|
||||||
}
|
}
|
||||||
|
mysql_data_seek($pq, 0);
|
||||||
}
|
}
|
||||||
mysql_data_seek($pq, 0);
|
|
||||||
}
|
}
|
||||||
if($show_unawarded_awards=="yes" || $awarded_count > 0)
|
if($show_unawarded_awards=="yes" || $awarded_count > 0) {
|
||||||
{
|
|
||||||
echo "<h3>".i18n($r->name)."</h3> \n";
|
echo "<h3>".i18n($r->name)."</h3> \n";
|
||||||
}
|
}
|
||||||
|
|
||||||
$prevprizeid=-1;
|
$prevprizeid=-1;
|
||||||
while($pr=mysql_fetch_object($pq))
|
while($pr=mysql_fetch_object($pq)) {
|
||||||
{
|
if(!($pr->projectnumber) && $show_unawarded_prizes=="no") {
|
||||||
if(!($pr->projectnumber) && $show_unawarded_prizes=="no")
|
|
||||||
{
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if($prevprizeid!=$pr->id)
|
if($prevprizeid!=$pr->id) {
|
||||||
{
|
|
||||||
echo " ";
|
echo " ";
|
||||||
echo " ";
|
echo " ";
|
||||||
echo "<b>";
|
echo "<b>";
|
||||||
echo i18n($pr->prize);
|
echo i18n($pr->prize);
|
||||||
if(($pr->cash || $pr->scholarship) && $config['winners_show_prize_amounts'] == 'yes')
|
if(($pr->cash || $pr->scholarship) && $config['winners_show_prize_amounts'] == 'yes') {
|
||||||
{
|
|
||||||
echo " (";
|
echo " (";
|
||||||
if($pr->cash && $pr->scholarship)
|
if($pr->cash && $pr->scholarship)
|
||||||
echo i18n("\$%1 cash / \$%2 scholarship",array($pr->cash,$pr->scholarship),array("Cash dollar value","Scholarship dollar value"));
|
echo i18n("\$%1 cash / \$%2 scholarship",array($pr->cash,$pr->scholarship),array("Cash dollar value","Scholarship dollar value"));
|
||||||
@ -148,8 +147,7 @@ if($_GET['year'] && $_GET['type'])
|
|||||||
$prevprizeid=$pr->id;
|
$prevprizeid=$pr->id;
|
||||||
}
|
}
|
||||||
|
|
||||||
if($pr->projectnumber)
|
if($pr->projectnumber) {
|
||||||
{
|
|
||||||
echo "  ";
|
echo "  ";
|
||||||
echo "($pr->projectnumber) $pr->title";
|
echo "($pr->projectnumber) $pr->title";
|
||||||
|
|
||||||
@ -171,8 +169,7 @@ if($_GET['year'] && $_GET['type'])
|
|||||||
$studnum=0;
|
$studnum=0;
|
||||||
$students="";
|
$students="";
|
||||||
$schools=array();
|
$schools=array();
|
||||||
while($studentinfo=mysql_fetch_object($sq))
|
while($studentinfo=mysql_fetch_object($sq)) {
|
||||||
{
|
|
||||||
if($studnum>0 && $prev) $students.=", ";
|
if($studnum>0 && $prev) $students.=", ";
|
||||||
|
|
||||||
if($studentinfo->webfirst=="yes")
|
if($studentinfo->webfirst=="yes")
|
||||||
@ -212,8 +209,7 @@ if($_GET['year'] && $_GET['type'])
|
|||||||
echo $schoollist;
|
echo $schoollist;
|
||||||
echo "<br />";
|
echo "<br />";
|
||||||
}
|
}
|
||||||
else
|
else {
|
||||||
{
|
|
||||||
echo "  ";
|
echo "  ";
|
||||||
echo i18n("Prize not awarded");
|
echo i18n("Prize not awarded");
|
||||||
echo "<br />";
|
echo "<br />";
|
||||||
@ -240,12 +236,9 @@ else
|
|||||||
ORDER BY
|
ORDER BY
|
||||||
year DESC");
|
year DESC");
|
||||||
$first=true;
|
$first=true;
|
||||||
if(mysql_num_rows($q))
|
if(mysql_num_rows($q)) {
|
||||||
{
|
while($r=mysql_fetch_object($q)) {
|
||||||
while($r=mysql_fetch_object($q))
|
if($first && $r->year != $config['FAIRYEAR']) {
|
||||||
{
|
|
||||||
if($first && $r->year != $config['FAIRYEAR'])
|
|
||||||
{
|
|
||||||
list($d,$t)=split(" ",$config['dates']['postwinners']);
|
list($d,$t)=split(" ",$config['dates']['postwinners']);
|
||||||
echo "<h2>".i18n("%1 Winners",array($config['FAIRYEAR']))."</h2>";
|
echo "<h2>".i18n("%1 Winners",array($config['FAIRYEAR']))."</h2>";
|
||||||
echo i18n("Winners of the %1 %2 will be posted here on %3 at %4",array($config['FAIRYEAR'],$config['fairname'],format_date($d),format_time($t)));
|
echo i18n("Winners of the %1 %2 will be posted here on %3 at %4",array($config['FAIRYEAR'],$config['fairname'],format_date($d),format_time($t)));
|
||||||
@ -274,16 +267,14 @@ else
|
|||||||
award_types.order
|
award_types.order
|
||||||
");
|
");
|
||||||
echo mysql_error();
|
echo mysql_error();
|
||||||
while($tr=mysql_fetch_object($tq))
|
while($tr=mysql_fetch_object($tq)) {
|
||||||
{
|
|
||||||
echo " <a href=\"winners.php?year=$r->year&type=$tr->type\">".i18n("%1 %2 award winners",array($r->year,$tr->type))."</a><br />";
|
echo " <a href=\"winners.php?year=$r->year&type=$tr->type\">".i18n("%1 %2 award winners",array($r->year,$tr->type))."</a><br />";
|
||||||
}
|
}
|
||||||
echo "<br />";
|
echo "<br />";
|
||||||
$first=false;
|
$first=false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else {
|
||||||
{
|
|
||||||
list($d,$t)=split(" ",$config['dates']['postwinners']);
|
list($d,$t)=split(" ",$config['dates']['postwinners']);
|
||||||
echo "<h2>".i18n("%1 Winners",array($config['FAIRYEAR']))."</h2>";
|
echo "<h2>".i18n("%1 Winners",array($config['FAIRYEAR']))."</h2>";
|
||||||
echo i18n("Winners of the %1 %2 will be posted here on %3 at %4",array($config['FAIRYEAR'],$config['fairname'],format_date($d),format_time($t)));
|
echo i18n("Winners of the %1 %2 will be posted here on %3 at %4",array($config['FAIRYEAR'],$config['fairname'],format_date($d),format_time($t)));
|
||||||
@ -291,6 +282,6 @@ else
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
send_footer();
|
send_footer();
|
||||||
|
|
||||||
?>
|
?>
|
||||||
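Review bot: The second award query at `AND award_types.type='".$type."'` still interpolates the request-supplied `$type` without `mysql_real_escape_string()`; it is guarded only by the earlier `mysql_num_rows($typeq)` check, which ran on the escaped value, so a stored award type containing a quote character would pass the lookup and then break or alter this query. Escaping at every interpolation point is simpler to reason about than the lookup gate: `AND award_types.type='".mysql_real_escape_string($type)."'`. The same validate-instead-of-escape pattern applies to the heading `i18n("%1 %2 Award Winners",array($year,$type))`, which echoes `$type` unescaped unless `i18n()` escapes its arguments (not visible here); `htmlspecialchars($type)` would make it independent of what the award_types table contains. The unchanged link `winners.php?year=$r->year&type=$tr->type` likewise places database values into an href without `urlencode()`/`htmlspecialchars()`, so the XSS fix depends on award types never containing markup. The `if($_GET['year'] && $_GET['type'])` block these hunks patch is opened in the second hunk and its closing brace is outside the hunks shown.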
|