webui: Allow full search on devices page (#8364)

* Update devices.inc.php

* Update devices.inc.php

* Replace $_POST with $vars

Better protection against SQL injection attempts; need to verify other files for the same issue.

* Fixed whitespace.

*sigh*

* More search options & sql injection fixes.

+Allow full search on devices page;
+Allow sysName search on alertlog page;
+Allow sysName search on alerts page;
+Allow sysName search on eventlog page;
+Allow sysName search on poll-log page;
+Allow sysName search on ports page;

* Replaced all occurrences of $_POST with $vars in librenms/html/includes/table. ($vars are sanity-checked).

* Whitespace fix

* Fixed $where & $param

* Add files via upload

* Whitespaces....

Sometimes you want 'em, sometimes you hate 'em.
This commit is contained in:
Maurice den Braber
2018-03-25 22:50:09 +02:00
committed by Neil Lathwood
parent 2044f9bd14
commit 9f5b42b028
32 changed files with 195 additions and 195 deletions

@@ -16,29 +16,29 @@ if (isset($searchPhrase) && !empty($searchPhrase)) {
$sql .= " AND (`D`.`hostname` LIKE '%$searchPhrase%' OR `E`.`entPhysicalDescr` LIKE '%$searchPhrase%' OR `E`.`entPhysicalModelName` LIKE '%$searchPhrase%' OR `E`.`entPhysicalSerialNum` LIKE '%$searchPhrase%')";
}
if (isset($_POST['string']) && strlen($_POST['string'])) {
if (isset($vars['string']) && strlen($vars['string'])) {
$sql .= ' AND E.entPhysicalDescr LIKE ?';
$param[] = '%'.$_POST['string'].'%';
$param[] = '%'.$vars['string'].'%';
}
if (isset($_POST['device_string']) && strlen($_POST['device_string'])) {
if (isset($vars['device_string']) && strlen($vars['device_string'])) {
$sql .= ' AND D.hostname LIKE ?';
$param[] = '%'.$_POST['device_string'].'%';
$param[] = '%'.$vars['device_string'].'%';
}
if (isset($_POST['part']) && strlen($_POST['part'])) {
if (isset($vars['part']) && strlen($vars['part'])) {
$sql .= ' AND E.entPhysicalModelName = ?';
$param[] = $_POST['part'];
$param[] = $vars['part'];
}
if (isset($_POST['serial']) && strlen($_POST['serial'])) {
if (isset($vars['serial']) && strlen($vars['serial'])) {
$sql .= ' AND E.entPhysicalSerialNum LIKE ?';
$param[] = '%'.$_POST['serial'].'%';
$param[] = '%'.$vars['serial'].'%';
}
if (isset($_POST['device']) && is_numeric($_POST['device'])) {
if (isset($vars['device']) && is_numeric($vars['device'])) {
$sql .= ' AND D.device_id = ?';
$param[] = $_POST['device'];
$param[] = $vars['device'];
}
$count_sql = "SELECT COUNT(`entPhysical_id`) $sql";
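Review bot: the unchanged first line of this hunk still interpolates `$searchPhrase` directly into the query (`LIKE '%$searchPhrase%'` for `D`.`hostname` and the three `entPhysical*` columns), while every filter changed below it binds its value through a `?` placeholder and `$param[]`. If `$searchPhrase` is derived from request input, swapping `$_POST` for `$vars` in the other branches does not close that path; the same pattern used for `string` would, e.g. `$sql .= ' AND (`D`.`hostname` LIKE ? OR `E`.`entPhysicalDescr` LIKE ? ...)'` with `$param[] = '%'.$searchPhrase.'%'` pushed once per placeholder. The `$vars` branches themselves look consistent: `strlen()` guards the text filters, `is_numeric()` guards `device`, and all five values are bound rather than concatenated.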