| author | hugetoad <hugetoad@97f52cf1-0a1b-0410-bd0e-c28be96e8082> | 2006-02-02 06:37:42 +0000 |
|---|---|---|
| committer | hugetoad <hugetoad@97f52cf1-0a1b-0410-bd0e-c28be96e8082> | 2006-02-02 06:37:42 +0000 |
| commit | 6baf1bdda009c10acadac93035e38d2c431ca324 (patch) | |
| tree | 23b4b96974ed388574da5560a7b51588b9ee3941 /frontends/php/include/graphs.inc.php | |
| parent | bf94a21c0a8d09d4da1f0c8ee0fe851a0053c6b2 (diff) | |
- GUI made immune to SQL injection attacks (Alexei)
git-svn-id: svn://svn.zabbix.com/trunk@2600 97f52cf1-0a1b-0410-bd0e-c28be96e8082
Diffstat (limited to 'frontends/php/include/graphs.inc.php')
| -rw-r--r-- | frontends/php/include/graphs.inc.php | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/frontends/php/include/graphs.inc.php b/frontends/php/include/graphs.inc.php
index a06d80c0..f60a8838 100644
--- a/frontends/php/include/graphs.inc.php
+++ b/frontends/php/include/graphs.inc.php
@@ -74,7 +74,7 @@
 return 0;
 }
- $sql="insert into graphs (name,width,height,yaxistype,yaxismin,yaxismax) values ('$name',$width,$height,$yaxistype,$yaxismin,$yaxismax)";
+ $sql="insert into graphs (name,width,height,yaxistype,yaxismin,yaxismax) values ('".zbx_ads($name)."',$width,$height,$yaxistype,$yaxismin,$yaxismax)";
 $result=DBexecute($sql);
 return DBinsert_id($result,"graphs","graphid");
 }
@@ -88,7 +88,7 @@
 error("Insufficient permissions");
 return 0;
 }
- $sql="update graphs set name='$name',width=$width,height=$height,yaxistype=$yaxistype,yaxismin=$yaxismin,yaxismax=$yaxismax where graphid=$graphid";
+ $sql="update graphs set name='".zbx_ads($name)."',width=$width,height=$height,yaxistype=$yaxistype,yaxismin=$yaxismin,yaxismax=$yaxismax where graphid=$graphid";
 return DBexecute($sql);
 }
@@ -162,14 +162,14 @@
 function add_item_to_graph($graphid,$itemid,$color,$drawtype,$sortorder,$yaxisside)
 {
- $sql="insert into graphs_items (graphid,itemid,color,drawtype,sortorder,yaxisside) values ($graphid,$itemid,'$color',$drawtype,$sortorder,$yaxisside)";
+ $sql="insert into graphs_items (graphid,itemid,color,drawtype,sortorder,yaxisside) values ($graphid,$itemid,'".zbx_ads($color)."',$drawtype,$sortorder,$yaxisside)";
 $result=DBexecute($sql);
 return DBinsert_id($result,"graphs_items","gitemid");
 }
 function update_graph_item($gitemid,$itemid,$color,$drawtype,$sortorder,$yaxisside)
 {
- $sql="update graphs_items set itemid=$itemid,color='$color',drawtype=$drawtype,sortorder=$sortorder,yaxisside=$yaxisside where gitemid=$gitemid";
+ $sql="update graphs_items set itemid=$itemid,color='".zbx_ads($color)."',drawtype=$drawtype,sortorder=$sortorder,yaxisside=$yaxisside where gitemid=$gitemid";
 return DBexecute($sql);
 }
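Review bot: The escaping added in the three hunks at -74, -88 and -162 covers only the quoted string values ($name, $color); every unquoted numeric position — $width, $height, $yaxistype, $yaxismin, $yaxismax in the graph insert/update, $graphid at -88, and $graphid, $itemid, $drawtype, $sortorder, $yaxisside, $gitemid at -162 — is still concatenated raw, and zbx_ads cannot help there because a non-numeric string in an unquoted position is never inside quotes to begin with. Whether these values are validated before they reach these functions is not visible in the hunk; if they are not, each should be checked before the statement is built, e.g. `if(!is_numeric($width)) return 0;` per parameter, or cast to the column's type. zbx_ads is not defined in this hunk; if it wraps addslashes() as the name suggests, it is not a database-aware escape, and the driver's own escaping or parameterised queries would be the safer choice. The functions changed at -74 and -88 begin before the hunk.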
@@ -254,7 +254,7 @@
 {
 if($host["graphs"]&2 == 0) continue;
- $sql="select i.itemid from items i where i.key_='".$template_item["key_"]."' and i.hostid=".$host["hostid"];
+ $sql="select i.itemid from items i where i.key_='".zbx_ads($template_item["key_"])."' and i.hostid=".$host["hostid"];
 $items=DBselect($sql);
 if(DBnum_rows($items)==0) continue;
 $item=DBfetch($items);
@@ -306,12 +306,12 @@
 {
 if($row["graphs"]&2 == 0) continue;
- $sql="select i.itemid from items i where i.key_='".$item["key_"]."' and i.hostid=".$row["hostid"];
+ $sql="select i.itemid from items i where i.key_='".zbx_ads($item["key_"])."' and i.hostid=".$row["hostid"];
 $result2=DBselect($sql);
 if(DBnum_rows($result2)==0) continue;
 $row2=DBfetch($result2);
- $sql="select distinct gi.gitemid,gi.graphid from graphs_items gi,items i where i.itemid=gi.itemid and i.hostid=".$row["hostid"]." and i.itemid=".$row2["itemid"]." and gi.drawtype=".$graph_item["drawtype"]." and gi.sortorder=".$graph_item["sortorder"]." and gi.color='".$graph_item["color"]."' and gi.yaxisside= ".$graph_item["yaxisside"];
+ $sql="select distinct gi.gitemid,gi.graphid from graphs_items gi,items i where i.itemid=gi.itemid and i.hostid=".$row["hostid"]." and i.itemid=".$row2["itemid"]." and gi.drawtype=".$graph_item["drawtype"]." and gi.sortorder=".$graph_item["sortorder"]." and gi.color='".zbx_ads($graph_item["color"])."' and gi.yaxisside= ".$graph_item["yaxisside"];
 $result3=DBselect($sql);
 if(DBnum_rows($result3)==0) continue;
 $row3=DBfetch($result3);
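Review bot: The guard `if($host["graphs"]&2 == 0) continue;` (and `if($row["graphs"]&2 == 0) continue;` at -306) never skips anything: in PHP `==` binds tighter than `&`, so the expression is parsed as `$host["graphs"] & (2 == 0)`, which is always 0, and the loop body runs for every host regardless of the graphs flag. The intended test needs parentheses, `if(($host["graphs"] & 2) == 0) continue;`, and the same line recurs in the hunks at -339, -373 and -409. These are context lines, so the commit did not introduce the problem, but since it touches each of these loops it is the natural place to correct it. The enclosing loops begin before each hunk.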
@@ -339,12 +339,12 @@
 {
 if($row["graphs"]&2 == 0) continue;
- $sql="select i.itemid from items i where i.key_='".$item["key_"]."' and i.hostid=".$row["hostid"];
+ $sql="select i.itemid from items i where i.key_='".zbx_ads($item["key_"])."' and i.hostid=".$row["hostid"];
 $result2=DBselect($sql);
 if(DBnum_rows($result2)==0) continue;
 $row2=DBfetch($result2);
- $sql="select distinct gi.gitemid,gi.graphid from graphs_items gi,items i where i.itemid=gi.itemid and i.hostid=".$row["hostid"]." and i.itemid=".$row2["itemid"]." and gi.drawtype=".$graph_item["drawtype"]." and gi.sortorder=".$graph_item["sortorder"]." and gi.color='".$graph_item["color"]."' and gi.yaxisside= ".$graph_item["yaxisside"];
+ $sql="select distinct gi.gitemid,gi.graphid from graphs_items gi,items i where i.itemid=gi.itemid and i.hostid=".$row["hostid"]." and i.itemid=".$row2["itemid"]." and gi.drawtype=".$graph_item["drawtype"]." and gi.sortorder=".$graph_item["sortorder"]." and gi.color='".zbx_ads($graph_item["color"])."' and gi.yaxisside= ".$graph_item["yaxisside"];
 $result3=DBselect($sql);
 if(DBnum_rows($result3)==0) continue;
 $row3=DBfetch($result3);
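Review bot: The two statements rewritten in this hunk — the item lookup by key_ and hostid, and the `select distinct gi.gitemid,gi.graphid ...` match on drawtype/sortorder/color/yaxisside — are byte-for-byte the same as in the hunks at -306, -373 and -409, so the escaping fix had to be applied four times and any later change will have to be as well. Extracting both into small helpers (say `get_item_by_key($hostid, $key)` and `get_graph_item_by_attrs($hostid, $itemid, $graph_item)`, names constructed here) that build and run each query once would leave a single place to escape and validate. The numeric values interpolated here ($row["hostid"], $row2["itemid"], $graph_item["drawtype"] and the others) come from DB rows rather than the request in what is visible, so the exposure is lower, but they are still concatenated unquoted and a helper is the natural place to cast them. The enclosing loop begins before the hunk.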
@@ -373,12 +373,12 @@
 {
 if($row["graphs"]&2 == 0) continue;
- $sql="select i.itemid from items i where i.key_='".$item["key_"]."' and i.hostid=".$row["hostid"];
+ $sql="select i.itemid from items i where i.key_='".zbx_ads($item["key_"])."' and i.hostid=".$row["hostid"];
 $result2=DBselect($sql);
 if(DBnum_rows($result2)==0) continue;
 $row2=DBfetch($result2);
- $sql="select distinct gi.gitemid,gi.graphid from graphs_items gi,items i where i.itemid=gi.itemid and i.hostid=".$row["hostid"]." and i.itemid=".$row2["itemid"]." and gi.drawtype=".$graph_item["drawtype"]." and gi.sortorder=".$graph_item["sortorder"]." and gi.color='".$graph_item["color"]."' and gi.yaxisside= ".$graph_item["yaxisside"];
+ $sql="select distinct gi.gitemid,gi.graphid from graphs_items gi,items i where i.itemid=gi.itemid and i.hostid=".$row["hostid"]." and i.itemid=".$row2["itemid"]." and gi.drawtype=".$graph_item["drawtype"]." and gi.sortorder=".$graph_item["sortorder"]." and gi.color='".zbx_ads($graph_item["color"])."' and gi.yaxisside= ".$graph_item["yaxisside"];
 $result3=DBselect($sql);
 if(DBnum_rows($result3)==0) continue;
 $row3=DBfetch($result3);
@@ -409,13 +409,13 @@
 {
 if($row["graphs"]&2 == 0) continue;
- $sql="select i.itemid from items i where i.key_='".$item["key_"]."' and i.hostid=".$row["hostid"];
+ $sql="select i.itemid from items i where i.key_='".zbx_ads($item["key_"])."' and i.hostid=".$row["hostid"];
 $result2=DBselect($sql);
 if(DBnum_rows($result2)==0) continue;
 $row2=DBfetch($result2);
 $itemid=$row2["itemid"];
- $sql="select distinct gi.gitemid,gi.graphid from graphs_items gi,items i where i.itemid=gi.itemid and i.hostid=".$row["hostid"]." and i.itemid=".$row2["itemid"]." and gi.drawtype=".$graph_item["drawtype"]." and gi.sortorder=".$graph_item["sortorder"]." and gi.color='".$graph_item["color"]."' and gi.yaxisside= ".$graph_item["yaxisside"];
+ $sql="select distinct gi.gitemid,gi.graphid from graphs_items gi,items i where i.itemid=gi.itemid and i.hostid=".$row["hostid"]." and i.itemid=".$row2["itemid"]." and gi.drawtype=".$graph_item["drawtype"]." and gi.sortorder=".$graph_item["sortorder"]." and gi.color='".zbx_ads($graph_item["color"])."' and gi.yaxisside= ".$graph_item["yaxisside"];
 $result3=DBselect($sql);
 if(DBnum_rows($result3)==0) continue;
 $row3=DBfetch($result3); |
