osm-search/Nominatim
1
1
Fork 0
mirror of https://github.com/osm-search/Nominatim.git synced 2024-11-23 13:44:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

properly escape class parameter

Browse Source 
The class parameter was used as is, allowing for potential
SQL injection via the API.

Thanks to @bladeswords for finding this.
This commit is contained in:
Sarah Hoffmann 2020-05-02 21:54:14 +02:00
parent 0e1e7c7df2
commit f94828c3f4
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
website/details.php
View File

@ -37,12 +37,14 @@ if ($sOutputFormat == 'html' && !$sPlaceId && !$sOsmType) {
if ($sOsmType && $iOsmId > 0) {
$sSQL = 'SELECT place_id FROM placex WHERE osm_type = :type AND osm_id = :id';
$aSQLParams = array(':type' => $sOsmType, ':id' => $iOsmId);
// osm_type and osm_id are not unique enough
if ($sClass) {
$sSQL .= " AND class='".$sClass."'";
$sSQL .= ' AND class= :class';
$aSQLParams[':class'] = $sClass;
}
$sSQL .= ' ORDER BY class ASC';
$sPlaceId = $oDB->getOne($sSQL, array(':type' => $sOsmType, ':id' => $iOsmId));
$sPlaceId = $oDB->getOne($sSQL, $aSQLParams);
// Nothing? Maybe it's an interpolation.