From e062bda761a21fa33c6977d908ee8112f533f985 Mon Sep 17 00:00:00 2001
From: Chen Ran <crccw@moonux.org>
Date: Mon, 25 Jul 2016 22:39:54 +0800
Subject: [PATCH] Fix server SQLi and XSS and other problems...

---
 ajax/contest_data.php          |  8 ++++----
 ajax/contest_status_data.php   |  4 ++--
 ajax/discuss_data.php          |  5 ++---
 ajax/mail_data.php             |  8 ++++----
 ajax/news_data.php             |  8 ++++----
 ajax/problem_category_data.php | 10 +++++-----
 ajax/problem_data.php          |  6 +++---
 ajax/problem_leader.php        |  8 ++++----
 ajax/ranklist_data.php         | 16 ++++++++--------
 ajax/status_data.php           |  4 ++--
 ajax/topic_new.php             |  4 ++--
 contest.php                    |  6 +++---
 contest_prob.php               |  6 +++---
 contest_show.php               |  4 ++--
 contest_status.php             |  4 ++--
 discuss.php                    |  2 +-
 functions/discuss.php          |  6 +++---
 problem.php                    |  2 +-
 problem_category_result.php    |  6 +++---
 problem_show.php               |  4 ++--
 problem_stat.php               |  3 +--
 status.php                     |  4 ++--
 userinfo.php                   |  4 ++--
 23 files changed, 65 insertions(+), 67 deletions(-)

diff --git a/ajax/contest_data.php b/ajax/contest_data.php
index 412e6d29..4f33bfc7 100644
--- a/ajax/contest_data.php
+++ b/ajax/contest_data.php
@@ -10,8 +10,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -23,10 +23,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {
diff --git a/ajax/contest_status_data.php b/ajax/contest_status_data.php
index 50c36527..01db6206 100644
--- a/ajax/contest_status_data.php
+++ b/ajax/contest_status_data.php
@@ -15,8 +15,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 foreach ((array)contest_get_problem_basic($cid) as $row) {
diff --git a/ajax/discuss_data.php b/ajax/discuss_data.php
index 9403069c..21219b80 100644
--- a/ajax/discuss_data.php
+++ b/ajax/discuss_data.php
@@ -1,9 +1,8 @@
 <?php
 include_once(dirname(__FILE__)."/../functions/global.php");
 include_once(dirname(__FILE__)."/../functions/discuss.php");
-$proid = convert_str($_GET['pid']);
-$page = convert_str($_GET['page']);
-if($page == "") $page = 0;
+$proid = intval($_GET['pid']);
+$page = intval($_GET['page']);
 
 $res=discuss_load_list($page,$proid);
 //print_r($res);
diff --git a/ajax/mail_data.php b/ajax/mail_data.php
index 5d1cf5a5..2a2cd59e 100644
--- a/ajax/mail_data.php
+++ b/ajax/mail_data.php
@@ -10,8 +10,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 if(!$current_user->match($user)||!$current_user->is_valid()) $sLimit = "LIMIT 0,0";
 
@@ -24,10 +24,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc" ) .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {
diff --git a/ajax/news_data.php b/ajax/news_data.php
index 00ca634f..98719da4 100644
--- a/ajax/news_data.php
+++ b/ajax/news_data.php
@@ -9,8 +9,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -22,10 +22,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {
diff --git a/ajax/problem_category_data.php b/ajax/problem_category_data.php
index 3271c761..b13e2264 100644
--- a/ajax/problem_category_data.php
+++ b/ajax/problem_category_data.php
@@ -25,8 +25,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -38,10 +38,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" : "asc" ? "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {
@@ -137,7 +137,7 @@
 
 foreach ( (array)$db->get_results( $sQuery,ARRAY_N ) as $aRow )
 {
-    $row = array(); 
+    $row = array();
     //var_dump($aRow);
     for ( $i=0 ; $i<count($aColumns) ; $i++ )
     {
diff --git a/ajax/problem_data.php b/ajax/problem_data.php
index 5b0914c4..64c8ec0b 100644
--- a/ajax/problem_data.php
+++ b/ajax/problem_data.php
@@ -10,8 +10,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -24,7 +24,7 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
 
diff --git a/ajax/problem_leader.php b/ajax/problem_leader.php
index d87d7b47..35c1774a 100644
--- a/ajax/problem_leader.php
+++ b/ajax/problem_leader.php
@@ -9,8 +9,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -22,10 +22,10 @@
         if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
         {
             $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {
diff --git a/ajax/ranklist_data.php b/ajax/ranklist_data.php
index bef32e10..3595eadd 100644
--- a/ajax/ranklist_data.php
+++ b/ajax/ranklist_data.php
@@ -6,7 +6,7 @@
 $sIndexColumn = "uid";
 $sTable = "ranklist";
 // $sTable = "(
-//     SELECT @rownum := @rownum +1 rownum, ranklist . * 
+//     SELECT @rownum := @rownum +1 rownum, ranklist . *
 //     FROM (
 //         SELECT @rownum :=0
 //     )r, ranklist
@@ -16,8 +16,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 //ordering
@@ -33,10 +33,10 @@
                 else $sOrder .= "local_ac, total_ac, total_submit desc, username desc, ";
             }
             else $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
-                ".convert_str( $_GET['sSortDir_'.$i] ) .", ";
+                ".( $_GET['sSortDir_'.$i] == "asc" ? "asc" : "desc") .", ";
         }
     }
-    
+
     $sOrder = substr_replace( $sOrder, "", -2 );
     if ( $sOrder == "ORDER BY" )
     {
@@ -118,9 +118,9 @@
 foreach ( (array)$db->get_results( $sQuery,ARRAY_A ) as $aRow )
 {
     $row = array();
-    list($rank)=$db->get_row("select count(*)+1 from user where local_ac>".$aRow["local_ac"]." or 
-        (local_ac=".$aRow["local_ac"]." and total_ac>".$aRow["total_ac"].") or 
-        (local_ac=".$aRow["local_ac"]." and total_ac=".$aRow["total_ac"]." and total_submit<".$aRow["total_submit"].") or 
+    list($rank)=$db->get_row("select count(*)+1 from user where local_ac>".$aRow["local_ac"]." or
+        (local_ac=".$aRow["local_ac"]." and total_ac>".$aRow["total_ac"].") or
+        (local_ac=".$aRow["local_ac"]." and total_ac=".$aRow["total_ac"]." and total_submit<".$aRow["total_submit"].") or
         (local_ac=".$aRow["local_ac"]." and total_ac=".$aRow["total_ac"]." and total_submit=".$aRow["total_submit"]." and username<'".$aRow["username"]."' )",ARRAY_N);
     $row[]=$rank;
     for ( $i=1 ; $i<count($aColumns) ; $i++ )
diff --git a/ajax/status_data.php b/ajax/status_data.php
index 76735edd..c53685ca 100644
--- a/ajax/status_data.php
+++ b/ajax/status_data.php
@@ -9,8 +9,8 @@
 $sLimit = "";
 if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
 {
-    $sLimit = "LIMIT ".convert_str( $_GET['iDisplayStart'] ).", ".
-        convert_str( $_GET['iDisplayLength'] );
+    $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+        intval( $_GET['iDisplayLength'] );
 }
 
 $sOrder = "ORDER BY runid desc";
diff --git a/ajax/topic_new.php b/ajax/topic_new.php
index c6f872d9..c9293a8b 100644
--- a/ajax/topic_new.php
+++ b/ajax/topic_new.php
@@ -13,8 +13,8 @@
     $ret["msg"]="No Title.";
 }
 else{
-    $pid = convert_str($_GET['pid']);
-    if ($pid!=""&&!problem_exist($pid)) {
+    $pid = intval($_GET['pid']);
+    if ($pid!=0&&!problem_exist($pid)) {
         $ret["msg"]="No Such Problem!";
         echo json_encode($ret);
         die();
diff --git a/contest.php b/contest.php
index e01a9334..f41d62c0 100644
--- a/contest.php
+++ b/contest.php
@@ -23,7 +23,7 @@
             <button id="showtprivate" class="btn btn-info">Private</button>
             <button id="showtpassword" class="btn btn-info">Password</button>
           </div>
-          
+
           <div id="flip-scroll">
               <table width="100%" class="table table-hover table-striped cf basetable" id="contestlist">
                 <thead>
@@ -109,9 +109,9 @@
 var timezone = jstz.determine_timezone();
 $("#localtz").html(timezone.name()+" GMT"+timezone.offset());
 $("#tzinp").val(timezone.name());
-var searchstr='<?=$_GET['search']?>';
+var searchstr=<?=json_encode($_GET['search'])?>;
 var conperpage=<?=$config["limits"]["contests_per_page"]?>;
-var cshowtype='<?=$_GET['type']?>';
+var cshowtype=<?=json_encode($_GET['type'])?>;
 $.fn.problemlist.ojoptions="<?=addslashes($ojoptions)?>";
 </script>
 <script type="text/javascript" src="js/moment.min.js"></script>
diff --git a/contest_prob.php b/contest_prob.php
index 42f92a3c..de396d31 100644
--- a/contest_prob.php
+++ b/contest_prob.php
@@ -33,7 +33,7 @@
   } else {
 ?>
 <?php
-  if (in_array($show_problem->get_val('vname'),array('UESTC','HDU'))) {
+  if (in_array($show_problem->get_val('vname'),array('UESTC','HDU', 'BNU'))) {
 ?>
         <script src="js/Mathjax/MathJax.js?config=TeX-AMS_HTML"></script>
         <script type="text/x-mathjax-config">
@@ -225,8 +225,8 @@
                   <option value="9">Ruby</option>
                   <option value="10">Ada</option>
                   <option value="11">SML</option>
-                  <option value="12">Visual C</option>
-                  <option value="13">Visual C++</option>
+                  <option value="12">Visual C++</option>
+                  <option value="13">Visual C</option>
                   <option value="14">CLang</option>
                   <option value="15">CLang++</option>
                 </select>
diff --git a/contest_show.php b/contest_show.php
index f32df8e4..f3171130 100644
--- a/contest_show.php
+++ b/contest_show.php
@@ -1,6 +1,6 @@
 <?php
 include_once("functions/contests.php");
-$cid = convert_str($_GET['cid']);
+$cid = intval($_GET['cid']);
 if (contest_exist($cid)) $pagetitle=strip_tags(contest_get_val($cid,"title"));
 else $pagetitle="No Such Contest.";
 include_once("header.php");
@@ -127,7 +127,7 @@
 ?>
         <div class="span12">
           <form id="cpasssub">
-            <div class="input-append"><input type="password" name="cpass" id="contest_password" placeholder="Input password" /><button class="btn btn-primary" type="submit">Confirm</button></div> 
+            <div class="input-append"><input type="password" name="cpass" id="contest_password" placeholder="Input password" /><button class="btn btn-primary" type="submit">Confirm</button></div>
           </form>
         </div>
 
diff --git a/contest_status.php b/contest_status.php
index 74957fb7..4aed23bd 100644
--- a/contest_status.php
+++ b/contest_status.php
@@ -61,8 +61,8 @@
                   <option value="9">Ruby</option>
                   <option value="10">Ada</option>
                   <option value="11">SML</option>
-                  <option value="12">Visual C</option>
-                  <option value="13">Visual C++</option>
+                  <option value="12">Visual C++</option>
+                  <option value="13">Visual C</option>
                 </select>
               </label>
               <button type='submit' class="btn btn-primary">Show</button>
diff --git a/discuss.php b/discuss.php
index 72021d3f..0e855717 100644
--- a/discuss.php
+++ b/discuss.php
@@ -2,7 +2,7 @@
 include_once('functions/global.php');
 include_once('functions/sidebars.php');
 
-$proid = convert_str($_GET['pid']);
+$proid = intval($_GET['pid']);
 $page = intval(convert_str($_GET['page']));
 if ($page<1) $page=1;
 $pagetitle="Discuss";
diff --git a/functions/discuss.php b/functions/discuss.php
index 32694da1..c79c81b7 100644
--- a/functions/discuss.php
+++ b/functions/discuss.php
@@ -22,12 +22,12 @@ function discuss_load_subject_list(&$res) {
   }
 }
 
-function discuss_load_list($page=1,$pid=null) {
+function discuss_load_list($page=1,$pid=0) {
     global $db,$config;
-    
+
     $discussperpage=$config["limits"]["discuss_per_page"];
     $start=(intval($page)-1)*$discussperpage;
-    if($pid != "") $sql = "select distinct(rid) from time_bbs where pid='$pid' order by time desc limit $start,$discussperpage";
+    if($pid > 0) $sql = "select distinct(rid) from time_bbs where pid='$pid' order by time desc limit $start,$discussperpage";
     else $sql = "select distinct(rid) from time_bbs order by time desc limit $start,$discussperpage";
     //$db->debug_all=true;
     $res=$db->get_results($sql,ARRAY_A);
diff --git a/problem.php b/problem.php
index 60a419af..510df285 100644
--- a/problem.php
+++ b/problem.php
@@ -50,7 +50,7 @@
 <script type="text/javascript">
 var probperpage=<?= $config["limits"]["problems_per_page"] ?>;
 var pstart=<?= $stp ?>;
-var searchstr="<?= isset($_GET['search']) ? $_GET['search'] : "" ?>";
+var searchstr=<?= json_encode(isset($_GET['search']) ? $_GET['search'] : "") ?>;
 var ojoptions='<?= $ojoptions ?>';
 </script>
 <script type="text/javascript" src="js/problem.js?<?=filemtime("js/problem.js") ?>"></script>
diff --git a/problem_category_result.php b/problem_category_result.php
index d7917a39..7247e409 100644
--- a/problem_category_result.php
+++ b/problem_category_result.php
@@ -6,7 +6,7 @@
 
 $scate=array();
 if (isset($_GET['category'])) {
-    $catarr='[{"name": "catenum", "value":"1"}, {"name": "logic", "value":"or"}, {"name":"cate0", "value":"'.$_GET['category'].'"}]';
+    $catarr='[{"name": "catenum", "value":"1"}, {"name": "logic", "value":"or"}, {"name":"cate0", "value":'.json_encode($_GET['category']).'}]';
     $scate[]=htmlspecialchars(problem_get_category_name_from_id(convert_str($_GET['category'])));
 }
 else {
@@ -15,12 +15,12 @@
     $num=0;
     foreach($_POST as $kkey=>$value) {
         if ($kkey=="logic") continue;
-        
+
         $pt=problem_get_category_parent_from_id(convert_str($value));
 
         if (isset($_POST["check".$pt])==$value) continue;
         $scate[]=htmlspecialchars(problem_get_category_name_from_id(convert_str($value)));
-        $catarr.=',{"name":"cate'.$num.'", "value":"'.$value.'"}';
+        $catarr.=',{"name":"cate'.$num.'", "value":'.json_encode($value).'}';
         $num++;
     }
     $catarr.=',{"name":"catenum", "value":"'.$num.'"} ]';
diff --git a/problem_show.php b/problem_show.php
index 1d816c61..ea2db3a4 100644
--- a/problem_show.php
+++ b/problem_show.php
@@ -277,8 +277,8 @@
                   <option value="9">Ruby</option>
                   <option value="10">Ada</option>
                   <option value="11">SML</option>
-                  <option value="12">Visual C</option>
-                  <option value="13">Visual C++</option>
+                  <option value="12">Visual C++</option>
+                  <option value="13">Visual C</option>
                   <option value="14">CLang</option>
                   <option value="15">CLang++</option>
                 </select>
diff --git a/problem_stat.php b/problem_stat.php
index e853e62b..905afee4 100644
--- a/problem_stat.php
+++ b/problem_stat.php
@@ -1,7 +1,6 @@
 <?php
 include_once('functions/problems.php');
-$pid = convert_str($_GET['pid']);
-if ($pid=="") $pid="0";
+$pid = intval($_GET['pid']);
 $show_problem=new Problem;
 $show_problem->set_problem($pid);
 if ($show_problem->is_valid() && $show_problem->get_val("hide")==0) $pagetitle="Statistics of Problem ".$pid;
diff --git a/status.php b/status.php
index be34d51a..e11c4e76 100644
--- a/status.php
+++ b/status.php
@@ -41,8 +41,8 @@
                   <option value="9">Ruby</option>
                   <option value="10">Ada</option>
                   <option value="11">SML</option>
-                  <option value="12">Visual C</option>
-                  <option value="13">Visual C++</option>
+                  <option value="12">Visual C++</option>
+                  <option value="13">Visual C</option>
                 </select>
               </label>
               <button type='submit' class="btn btn-primary">Show</button>
diff --git a/userinfo.php b/userinfo.php
index 0b02e8ae..0e89158d 100644
--- a/userinfo.php
+++ b/userinfo.php
@@ -1,5 +1,5 @@
 <?php
-$pagetitle="Information of ".$_GET['name'];
+$pagetitle="Information of ".htmlspecialchars($_GET['name']);
 include_once("header.php");
 include_once("functions/users.php");
 include_once("functions/sidebars.php");
@@ -73,7 +73,7 @@
 
 <script type="text/javascript" src="js/highcharts.js"></script>
 <script type="text/javascript">
-var nametoc="<?=$name?>";
+var nametoc=<?=json_encode($name)?>;
 </script>
 <script type="text/javascript" src="js/userinfo.js?<?php echo filemtime("js/userinfo.js"); ?>"></script>