From: Andreas Henriksson Date: Sat, 20 Jul 2013 18:17:14 +0200 Subject: Make HTML output valid and prevent sql injection in php code. --- phphtdocs/details.php | 72 +++++++++------ phphtdocs/failures.php | 17 ++-- phphtdocs/footer.php | 9 +- phphtdocs/graph.php | 32 ++++--- phphtdocs/header.php | 11 ++- phphtdocs/include.php | 4 +- phphtdocs/location_statistics.php | 17 ++-- phphtdocs/sensors.php | 180 +++++++++++++++++++++++--------------- phphtdocs/signal_level.php | 12 +-- phphtdocs/uptime.php | 10 +-- 10 files changed, 214 insertions(+), 150 deletions(-) diff --git a/phphtdocs/details.php b/phphtdocs/details.php index cbdd380..17ffa28 100644 --- a/phphtdocs/details.php +++ b/phphtdocs/details.php @@ -2,19 +2,21 @@ include("include.php"); include("header.php"); -if (isset($_GET['sensor_id'])) +if (isset($_GET['sensor_id']) && is_numeric($_GET['sensor_id'])) $sensor_id = $_GET['sensor_id']; else { echo "
Please provide a sensor_id"; + include('footer.php'); exit(1); } if (isset($_GET['ip'])) - $ip = $_GET['ip']; + $ip = pg_escape_string($_GET['ip']); else { echo "
Please provide an ip address"; + include('footer.php'); exit(1); } @@ -26,7 +28,7 @@ else $db = ConnectDb(); -if ($ip == "0.0.0.0/0") +if ($ip == pg_escape_string("0.0.0.0/0")) { $rxtable = "bd_rx_total_log"; $txtable = "bd_tx_total_log"; @@ -62,38 +64,54 @@ group by ip) as rx where tx.ip = rx.ip;"; //echo "
$sql
";exit(0); $result = pg_query($sql); -echo "
IpNameTotalSentReceivedtcpudpicmphttpp2pftp"; +?> + + + + + + + + + +"; else - echo "Total"; + echo fmtb($r['total']).fmtb($r['sent']).fmtb($r['received']). fmtb($r['tcp']).fmtb($r['udp']).fmtb($r['icmp']).fmtb($r['http']). fmtb($r['p2p']).fmtb($r['ftp']); -echo "
IpNameTotalSentReceivedtcpudpicmphttpp2pftp
"; if (strpos($ip, "/") === FALSE) - echo "$ip".gethostbyaddr($ip); + echo "$ip".gethostbyaddr($ip) . "$ip"; + echo "Total$ip
"; +echo "
"; + +echo "

Daily

"; +echo "Send:

"; +echo '
'; +echo "Receive:

"; +echo '
'; -echo "

Daily

"; -echo "Send:

"; -echo "
"; -echo "Receive:

"; -echo "
"; +echo "

Weekly

"; +echo "Send:

"; +echo '
'; +echo "Receive:

"; +echo '
'; -echo "

Weekly

"; -echo "Send:

"; -echo "
"; -echo "Receive:

"; -echo "
"; +echo "

Monthly

"; +echo "Send:

"; +echo '
'; +echo "Receive:

"; +echo '
'; -echo "

Monthly

"; -echo "Send:

"; -echo "
"; -echo "Receive:

"; -echo "
"; +echo "

Yearly

"; +echo "Send:

"; +echo '
'; +echo "Receive:

"; +echo '
'; -echo "

Yearly

"; -echo "Send:

"; -echo "
"; -echo "Receive:

"; -echo "
"; \ No newline at end of file +include('footer.php'); +?> diff --git a/phphtdocs/failures.php b/phphtdocs/failures.php index c02dd49..b8339d2 100755 --- a/phphtdocs/failures.php +++ b/phphtdocs/failures.php @@ -1,5 +1,7 @@ - - -Failure Report - - - - +

Failed Routers

"; } + +include("footer.php"); ?> - \ No newline at end of file + + diff --git a/phphtdocs/footer.php b/phphtdocs/footer.php index 2986e81..2cae931 100644 --- a/phphtdocs/footer.php +++ b/phphtdocs/footer.php @@ -1,3 +1,6 @@ - \ No newline at end of file +Page load completed in ". (time() - $starttime) ." seconds

"); +?> + + + diff --git a/phphtdocs/graph.php b/phphtdocs/graph.php index 545f079..59a77d8 100644 --- a/phphtdocs/graph.php +++ b/phphtdocs/graph.php @@ -1,4 +1,4 @@ - diff --git a/phphtdocs/header.php b/phphtdocs/header.php index beac09f..46dda3e 100644 --- a/phphtdocs/header.php +++ b/phphtdocs/header.php @@ -1,3 +1,12 @@ + + +BandwidthD<?php if (isset($subtitle)) { echo ' - ' . $subtitle; } ?> + + + +
- +BandwidthD Logo +
+ diff --git a/phphtdocs/include.php b/phphtdocs/include.php index 81d8e1d..688b9fc 100644 --- a/phphtdocs/include.php +++ b/phphtdocs/include.php @@ -60,9 +60,9 @@ function fmtb($kbytes) $Suffix = 'T'; } - return(sprintf("%.1f%s", $Output, $Suffix)); + return(sprintf("%.1f%s", $Output, $Suffix)); } $starttime = time(); set_time_limit(300); -?> \ No newline at end of file +?> diff --git a/phphtdocs/location_statistics.php b/phphtdocs/location_statistics.php index 59d604e..c34041b 100755 --- a/phphtdocs/location_statistics.php +++ b/phphtdocs/location_statistics.php @@ -1,14 +1,9 @@ - -Location Statistics -
- - - -
+?> +


-
\ No newline at end of file +
+ + diff --git a/phphtdocs/sensors.php b/phphtdocs/sensors.php index 2593c86..5abafc6 100755 --- a/phphtdocs/sensors.php +++ b/phphtdocs/sensors.php @@ -1,34 +1,35 @@ - - - - -
> - + + + +
+ + + + + +
Collecting data..."; - exit; + include('footer.php'); + exit(); } ?> + - + + - + + - ->Display Graphs + + + +>Display Graphs -Subnet Filter:"> + + +Subnet Filter:"> + +
-
$sql
"; exit(0); pg_query("SET sort_mem TO 30000;"); pg_send_query($db, $sql); @@ -156,18 +181,28 @@ pg_query("set sort_mem to default;"); if ($limit == "all") $limit = pg_num_rows($result); -echo "
IpNameTotalSentReceivedtcpudpicmphttpmailp2pftp"; +?> + + + + + + + + + +"; +if (!$graphs) + $url = ""; else - $url = ""; + $url = ''; -echo "\n"; foreach (array("total", "sent", "received", "tcp", "udp", "icmp", "http", "mail", "p2p", "ftp") as $key) { for($Counter=0, $Total = 0; $Counter < pg_num_rows($result); $Counter++) @@ -183,22 +218,22 @@ echo "\n"; for($Counter=0; $Counter < pg_num_rows($result) && $Counter < $limit; $Counter++) { $r = pg_fetch_array($result, $Counter); - if ($graphs == "") - $url = ""; + if (!$graphs) + $url = ""; else - $url = ""; - echo ""; echo fmtb($r['total']).fmtb($r['sent']).fmtb($r['received']). fmtb($r['tcp']).fmtb($r['udp']).fmtb($r['icmp']).fmtb($r['http']).fmtb($r['mail']). - fmtb($r['p2p']).fmtb($r['ftp'])."\n"; + fmtb($r['p2p']).fmtb($r['ftp'])."\n"; } -echo "
IpNameTotalSentReceivedtcpudpicmphttpmailp2pftp
".$url."Total$subnet"; +echo "
".$url."Total$subnet
".$url; - echo $r['ip']."".gethostbyaddr($r['ip']); - echo ""; + $url = ''; + echo "
" . $url . $r['ip'] . "" . gethostbyaddr($r['ip']) . "
"; +echo "
"; // Stop here -if ($graphs == "") +if (!$graphs) { + include('footer.php'); exit(); +} // Output Total Graph for($Counter=0, $Total = 0; $Counter < pg_num_rows($result); $Counter++) @@ -215,34 +250,35 @@ else $sn = str_replace("/", "_", $subnet); -echo "

"; -echo "Total - Total of $subnet

"; -echo ""; -echo "Send:

"; -echo "
\n"; +echo "

"; +echo "Total - Total of $subnet

"; +echo "Send:

"; +echo '
' . "\n"; if ($subnet == "0.0.0.0/0") $total_table = "bd_rx_total_log"; else $total_table = "bd_rx_log"; -echo "Receive:

"; -echo "
\n"; -echo "[Return to Top]"; +echo "Receive:

"; +echo '
' . "\n"; +echo '[Return to Top]'; // Output Other Graphs for($Counter=0; $Counter < pg_num_rows($result) && $Counter < $limit; $Counter++) { $r = pg_fetch_array($result, $Counter); - echo "

"; + echo "

"; if ($r['ip'] == "0.0.0.0") - echo "Total - Total of all subnets

"; + echo "Total - Total of all subnets"; else - echo $r['ip']." - ".gethostbyaddr($r['ip'])."

"; - echo ""; - echo "Send:

"; - echo "
\n"; - echo "Receive:

"; - echo "
\n"; - echo "[Return to Top]"; + echo $r['ip']." - ".gethostbyaddr($r['ip']); + echo ""; + echo "Send:

"; + echo '
' . "\n"; + echo "Receive:

"; + echo '
' . "\n"; + echo '[Return to Top]'; } -include('footer.php'); \ No newline at end of file + +include('footer.php'); +?> diff --git a/phphtdocs/signal_level.php b/phphtdocs/signal_level.php index c78ec23..e236389 100755 --- a/phphtdocs/signal_level.php +++ b/phphtdocs/signal_level.php @@ -1,11 +1,6 @@ - - -Signal Level Report - - - -"; } + +include("footer.php"); ?> - \ No newline at end of file diff --git a/phphtdocs/uptime.php b/phphtdocs/uptime.php index 6ed928c..0d11e1d 100755 --- a/phphtdocs/uptime.php +++ b/phphtdocs/uptime.php @@ -1,11 +1,6 @@ - - -Uptime Report - - - "; } + +include("footer.php"); ?> - \ No newline at end of file