Fix server SQLi and XSS and other problems...

ajax/contest_data.php

@@ -10,8 +10,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -23,10 +23,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {

ajax/contest_status_data.php

@@ -15,8 +15,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 foreach ((array)contest_get_problem_basic($cid) as $row) {

ajax/discuss_data.php

@@ -1,9 +1,8 @@
 <?php
 include_once(dirname(__FILE__)."/../functions/global.php");
 include_once(dirname(__FILE__)."/../functions/discuss.php");
-$proid = convert_str($_GET['pid']);
-$page = convert_str($_GET['page']);
-if($page == "") $page = 0;
+$proid = intval($_GET['pid']);
+$page = intval($_GET['page']);
 
 $res=discuss_load_list($page,$proid);
 //print_r($res);

ajax/mail_data.php

@@ -10,8 +10,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 if(!$current_user->match($user)||!$current_user->is_valid()) $sLimit = "LIMIT 0,0";
 
@@ -24,10 +24,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc" ) .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {

ajax/news_data.php

@@ -9,8 +9,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -22,10 +22,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {

ajax/problem_category_data.php

@@ -25,8 +25,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -38,10 +38,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" : "asc" ? "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {
@@ -137,7 +137,7 @@
 
 foreach ( (array)$db->get_results( $sQuery,ARRAY_N ) as $aRow )
 {
-    $row = array(); 
+    $row = array();
     //var_dump($aRow);
     for ( $i=0 ; $i<count($aColumns) ; $i++ )
     {

ajax/problem_data.php

@@ -10,8 +10,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -24,7 +24,7 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
 

ajax/problem_leader.php

@@ -9,8 +9,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -22,10 +22,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {

ajax/ranklist_data.php

@@ -6,7 +6,7 @@
 $sIndexColumn = "uid";
 $sTable = "ranklist";
 // $sTable = "(
-//     SELECT @rownum := @rownum +1 rownum, ranklist . * 
+//     SELECT @rownum := @rownum +1 rownum, ranklist . *
 //     FROM (
 //         SELECT @rownum :=0
 //     )r, ranklist
@@ -16,8 +16,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -33,10 +33,10 @@
                 else $sOrder .= "local_ac, total_ac, total_submit desc, username desc, ";
             }
             else $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {
@@ -118,9 +118,9 @@
 foreach ( (array)$db->get_results( $sQuery,ARRAY_A ) as $aRow )
 {
     $row = array();
-    list($rank)=$db->get_row("select count(*)+1 from user where local_ac>".$aRow["local_ac"]." or 
-        (local_ac=".$aRow["local_ac"]." and total_ac>".$aRow["total_ac"].") or 
-        (local_ac=".$aRow["local_ac"]." and total_ac=".$aRow["total_ac"]." and total_submit<".$aRow["total_submit"].") or 
+    list($rank)=$db->get_row("select count(*)+1 from user where local_ac>".$aRow["local_ac"]." or
+        (local_ac=".$aRow["local_ac"]." and total_ac>".$aRow["total_ac"].") or
+        (local_ac=".$aRow["local_ac"]." and total_ac=".$aRow["total_ac"]." and total_submit<".$aRow["total_submit"].") or
         (local_ac=".$aRow["local_ac"]." and total_ac=".$aRow["total_ac"]." and total_submit=".$aRow["total_submit"]." and username<'".$aRow["username"]."' )",ARRAY_N);
     $row[]=$rank;
     for ( $i=1 ; $i<count($aColumns) ; $i++ )

ajax/status_data.php

@@ -9,8 +9,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 $sOrder = "ORDER BY runid desc";

ajax/topic_new.php

@@ -13,8 +13,8 @@
     $ret["msg"]="No Title.";
 }
 else{
-    $pid = convert_str($_GET['pid']);
-    if ($pid!=""&&!problem_exist($pid)) {
+    $pid = intval($_GET['pid']);
+    if ($pid!=0&&!problem_exist($pid)) {
         $ret["msg"]="No Such Problem!";
         echo json_encode($ret);
         die();

contest.php

@@ -23,7 +23,7 @@
             <button id="showtprivate" class="btn btn-info">Private</button>
             <button id="showtpassword" class="btn btn-info">Password</button>
           </div>
-          
+
           <div id="flip-scroll">
               <table width="100%" class="table table-hover table-striped cf basetable" id="contestlist">
                 <thead>
@@ -109,9 +109,9 @@
 var timezone = jstz.determine_timezone();
 $("#localtz").html(timezone.name()+" GMT"+timezone.offset());
 $("#tzinp").val(timezone.name());
-var searchstr='<?=$_GET['search']?>';
+var searchstr=<?=json_encode($_GET['search'])?>;
 var conperpage=<?=$config["limits"]["contests_per_page"]?>;
-var cshowtype='<?=$_GET['type']?>';
+var cshowtype=<?=json_encode($_GET['type'])?>;
 $.fn.problemlist.ojoptions="<?=addslashes($ojoptions)?>";
 </script>
 <script type="text/javascript" src="js/moment.min.js"></script>

contest_prob.php

@@ -33,7 +33,7 @@
   } else {
 ?>
 <?php
-  if (in_array($show_problem->get_val('vname'),array('UESTC','HDU'))) {
+  if (in_array($show_problem->get_val('vname'),array('UESTC','HDU', 'BNU'))) {
 ?>
         <script src="js/Mathjax/MathJax.js?config=TeX-AMS_HTML"></script>
         <script type="text/x-mathjax-config">
@@ -225,8 +225,8 @@
                   <option value="9">Ruby</option>
                   <option value="10">Ada</option>
                   <option value="11">SML</option>
-                  <option value="12">Visual C</option>
-                  <option value="13">Visual C++</option>
+                  <option value="12">Visual C++</option>
+                  <option value="13">Visual C</option>
                   <option value="14">CLang</option>
                   <option value="15">CLang++</option>
                 </select>

contest_show.php

@@ -1,6 +1,6 @@
 <?php
 include_once("functions/contests.php");
-$cid = convert_str($_GET['cid']);
+$cid = intval($_GET['cid']);
 if (contest_exist($cid)) $pagetitle=strip_tags(contest_get_val($cid,"title"));
 else $pagetitle="No Such Contest.";
 include_once("header.php");
@@ -127,7 +127,7 @@
 ?>
         <div class="span12">
           <form id="cpasssub">
-            <div class="input-append"><input type="password" name="cpass" id="contest_password" placeholder="Input password" /><button class="btn btn-primary" type="submit">Confirm</button></div> 
+            <div class="input-append"><input type="password" name="cpass" id="contest_password" placeholder="Input password" /><button class="btn btn-primary" type="submit">Confirm</button></div>
           </form>
         </div>
 

contest_status.php

@@ -61,8 +61,8 @@
                   <option value="9">Ruby</option>
                   <option value="10">Ada</option>
                   <option value="11">SML</option>
-                  <option value="12">Visual C</option>
-                  <option value="13">Visual C++</option>
+                  <option value="12">Visual C++</option>
+                  <option value="13">Visual C</option>
                 </select>
               </label>
               <button type='submit' class="btn btn-primary">Show</button>

discuss.php

@@ -2,7 +2,7 @@
 include_once('functions/global.php');
 include_once('functions/sidebars.php');
 
-$proid = convert_str($_GET['pid']);
+$proid = intval($_GET['pid']);
 $page = intval(convert_str($_GET['page']));
 if ($page<1) $page=1;
 $pagetitle="Discuss";

functions/discuss.php

@@ -22,12 +22,12 @@ function discuss_load_subject_list(&$res) {
   }
 }
 
-function discuss_load_list($page=1,$pid=null) {
+function discuss_load_list($page=1,$pid=0) {
     global $db,$config;
-    
+
     $discussperpage=$config["limits"]["discuss_per_page"];
     $start=(intval($page)-1)*$discussperpage;
-    if($pid != "") $sql = "select distinct(rid) from time_bbs where pid='$pid' order by time desc limit $start,$discussperpage";
+    if($pid > 0) $sql = "select distinct(rid) from time_bbs where pid='$pid' order by time desc limit $start,$discussperpage";
     else $sql = "select distinct(rid) from time_bbs order by time desc limit $start,$discussperpage";
     //$db->debug_all=true;
     $res=$db->get_results($sql,ARRAY_A);

problem.php

@@ -50,7 +50,7 @@
 <script type="text/javascript">
 var probperpage=<?= $config["limits"]["problems_per_page"] ?>;
 var pstart=<?= $stp ?>;
-var searchstr="<?= isset($_GET['search']) ? $_GET['search'] : "" ?>";
+var searchstr=<?= json_encode(isset($_GET['search']) ? $_GET['search'] : "") ?>;
 var ojoptions='<?= $ojoptions ?>';
 </script>
 <script type="text/javascript" src="js/problem.js?<?=filemtime("js/problem.js") ?>"></script>

problem_category_result.php

@@ -6,7 +6,7 @@
 
 $scate=array();
 if (isset($_GET['category'])) {
-    $catarr='[{"name": "catenum", "value":"1"}, {"name": "logic", "value":"or"}, {"name":"cate0", "value":"'.$_GET['category'].'"}]';
+    $catarr='[{"name": "catenum", "value":"1"}, {"name": "logic", "value":"or"}, {"name":"cate0", "value":'.json_encode($_GET['category']).'}]';
     $scate[]=htmlspecialchars(problem_get_category_name_from_id(convert_str($_GET['category'])));
 }
 else {
@@ -15,12 +15,12 @@
     $num=0;
     foreach($_POST as $kkey=>$value) {
         if ($kkey=="logic") continue;
-        
+
         $pt=problem_get_category_parent_from_id(convert_str($value));
 
         if (isset($_POST["check".$pt])==$value) continue;
         $scate[]=htmlspecialchars(problem_get_category_name_from_id(convert_str($value)));
-        $catarr.=',{"name":"cate'.$num.'", "value":"'.$value.'"}';
+        $catarr.=',{"name":"cate'.$num.'", "value":'.json_encode($value).'}';
         $num++;
     }
     $catarr.=',{"name":"catenum", "value":"'.$num.'"} ]';

problem_show.php

@@ -277,8 +277,8 @@
                   <option value="9">Ruby</option>
                   <option value="10">Ada</option>
                   <option value="11">SML</option>
-                  <option value="12">Visual C</option>
-                  <option value="13">Visual C++</option>
+                  <option value="12">Visual C++</option>
+                  <option value="13">Visual C</option>
                   <option value="14">CLang</option>
                   <option value="15">CLang++</option>
                 </select>

problem_stat.php

@@ -1,7 +1,6 @@
 <?php
 include_once('functions/problems.php');
-$pid = convert_str($_GET['pid']);
-if ($pid=="") $pid="0";
+$pid = intval($_GET['pid']);
 $show_problem=new Problem;
 $show_problem->set_problem($pid);
 if ($show_problem->is_valid() && $show_problem->get_val("hide")==0) $pagetitle="Statistics of Problem ".$pid;

status.php

@@ -41,8 +41,8 @@
                   <option value="9">Ruby</option>
                   <option value="10">Ada</option>
                   <option value="11">SML</option>
-                  <option value="12">Visual C</option>
-                  <option value="13">Visual C++</option>
+                  <option value="12">Visual C++</option>
+                  <option value="13">Visual C</option>
                 </select>
               </label>
               <button type='submit' class="btn btn-primary">Show</button>