diff --git a/admin/php/admin.php b/admin/php/admin.php
index 6188190..d59dfe2 100644
--- a/admin/php/admin.php
+++ b/admin/php/admin.php
@@ -198,6 +198,8 @@ function pegaDados($sql,$locaplic="")
 */
 include(dirname(__FILE__)."/conexao.php");
 error_reporting(0);
+ //$dbh deve ser definido com somente leitura, mas por prevencao:
+ $sql = str_ireplace(array("update","delete","insert","--","drop",";"),"",$sql);
 $q = $dbh->query($sql,PDO::FETCH_ASSOC);
 if($q) {
diff --git a/admin/php/classe_arvore.php b/admin/php/classe_arvore.php
index e6425d4..21bb173 100644
--- a/admin/php/classe_arvore.php
+++ b/admin/php/classe_arvore.php
@@ -873,6 +873,7 @@ class Arvore {
 //echo "
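Review bot: The `str_ireplace` added to pegaDados is not a control against SQL injection and should not be relied on as one: every needle is removed in a single pass, so `updupdateate` leaves the filter as `update`, `/* */` and `#` comments, `UNION` and sub-selects are not in the list at all, and a legitimate identifier such as `last_update` is mangled to `last_`. The comment on the added line names the real control — a SELECT-only database role for `$dbh`, enforced by the server — and the call sites that concatenate `$sql` should move to `$dbh->prepare()` with bound values. If a guard stays here it should refuse, not rewrite: `if (preg_match('/\b(update|delete|insert|drop)\b|--|;/i', $sql)) { $q = false; } else { $q = $dbh->query($sql,PDO::FETCH_ASSOC); }` so the existing `if($q)` failure path is taken. pegaDados continues outside the hunk, and the `error_reporting(0)` on the context line will hide whatever PDO reports about a rewritten statement.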
".$sql;
 //error_reporting(0);
+ $sql = str_ireplace(array("update","delete","insert","--","drop",";"),"",$sql);
 $q = $this->dbh->query($sql,PDO::FETCH_ASSOC);
 if($q) {
diff --git a/admin/php/classe_metaestat.php b/admin/php/classe_metaestat.php
index 8e1545e..518a791 100755
--- a/admin/php/classe_metaestat.php
+++ b/admin/php/classe_metaestat.php
@@ -183,8 +183,7 @@ class Metaestat{
 * @return Array
 */
 function execSQL($sql,$id="",$convTexto=true){
- $buscar = array("drop","update","insert","delete");
- $sql = str_ireplace($buscar,"",$sql);
+ $sql = str_ireplace(array("update","delete","insert","--","drop",";"),"",$sql);
 try {
 $q = $this->dbh->query($sql,PDO::FETCH_ASSOC);
 }
diff --git a/admin/php/login.php b/admin/php/login.php
index 678c0b8..56e2ba6 100644
--- a/admin/php/login.php
+++ b/admin/php/login.php
@@ -268,6 +268,8 @@ function autenticaUsuario($usuario,$senha){
 include(dirname(__FILE__)."/conexao.php");
 $senhamd5 = md5($senha);
 //verifica se o usuario esta cadastrado no ms_configura.php em $i3geomaster
+ //echo "select * from ".$esquemaadmin."i3geousr_usuarios where login = '$usuario' and (senha = '$senhamd5' or senha = '$senha') and ativo = 1";exit;
+ //exit;
 if(verificaMaster($usuario,$senha) == true){
 $pa = pegaDados("select * from ".$esquemaadmin."i3geousr_papelusuario ",$locaplic);
 $op = pegadados("SELECT O.codigo FROM ".$esquemaadmin."i3geousr_operacoes AS O");
diff --git a/classesphp/pega_variaveis.php b/classesphp/pega_variaveis.php
index 619faee..f34653d 100644
--- a/classesphp/pega_variaveis.php
+++ b/classesphp/pega_variaveis.php
@@ -60,8 +60,10 @@ if (isset($_GET))
 {
 foreach(array_keys($_GET) as $k)
 {
+ $k = str_ireplace(array(" ","delete","drop","update","insert","exec","system",";"),"",$k);
 if ($_GET[$k] != "''"){
 $v = strip_tags($_GET[$k]);
+ $v = str_ireplace(array("delete","drop","update","insert","exec","system",";"),"",$v);
 eval("\$".$k."='".(trim($v))."';");
 }
 }
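Review bot: The needle list `array("update","delete","insert","--","drop",";")` is now written out by hand in three places (admin.php, classe_metaestat.php and here), so the next change to it will land in some copies and not others. Put it in one shared helper, e.g. `function filtraSqlSomenteLeitura($sql) { return str_ireplace(array("update","delete","insert","--","drop",";"), "", $sql); }`, in an include all three sites load (admin.php pulls in `conexao.php` on a context line; confirm the classes do too), and call it from each site. That helper is also the one place to document that the substitution is bypassable by repeating a needle (`dedeleteete` comes out as `delete`) and is only a backstop for a SELECT-only `$this->dbh`, not a substitute for it. The method this line sits in starts before the hunk.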
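Review bot: The docblock whose tail (`* @return Array` / `*/`) is the first context line still describes execSQL as running the SQL it is handed, but the method now silently rewrites it: any `update`, `delete`, `insert`, `drop`, `--` or `;` anywhere in `$sql` — inside a quoted literal or an identifier such as a column `data_update` included — is removed before `$this->dbh->query`, which changes or breaks the statement without any error. Add to that docblock `@param string $sql SELECT statement only; the substrings update/delete/insert/drop, "--" and ";" are stripped case-insensitively before execution, so identifiers or literals containing them will not survive` so callers know what they get. The `catch` that pairs with the `try` on the last context line is outside the hunk.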
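Review bot: The commented-out `//echo "select * from "...where login = '$usuario' and (senha = '$senhamd5' or senha = '$senha')...";exit;` is debug code that should not be committed, and what it shows matters more than the clutter: if the live lookup in autenticaUsuario is built the same way (it is outside the hunk), the user-supplied login and password are interpolated straight into the SQL, so a value like `' or '1'='1` on either field bypasses authentication, and the `or senha = '$senha'` clause accepts the password unhashed. Replace the interpolated query with a prepared one, e.g. `$st = $dbh->prepare("select * from ".$esquemaadmin."i3geousr_usuarios where login = ? and senha = ? and ativo = 1"); $st->execute(array($usuario, $senhamd5));`, and drop the plaintext fallback. `md5($senha)` on the context line is not a password hash; stored credentials should migrate to `password_hash()`/`password_verify()`. `pegadados(` and `pegaDados(` appear on adjacent context lines — PHP resolves both, but pick one spelling.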
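Review bot: The new filters do not close the hole in the `eval` on the last lines of the hunk, which still builds PHP source from both the parameter name (`$k`) and its value: the list strips `;`, `exec` and `system` but not `'`, `.`, `$` or backticks, so a value of `'.`id`.'` for `?x=` yields `eval("$x=''.`id`.'';")` and runs a shell command, and a doubled needle (`sysystemtem`) survives the single-pass `str_ireplace` as `system`. Because `$k` is rewritten before `$_GET[$k]` is read, any parameter whose name contains one of the listed words is also silently emptied. Drop the `eval` entirely: validate the name and assign a variable variable, `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $k)) { continue; }` followed by `$$k = trim(strip_tags($_GET[$k]));` — that removes code execution, though a request can still overwrite any variable in scope, so the names should really be checked against an explicit whitelist of expected parameters. The enclosing `if (isset($_GET))` block starts before the hunk.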
@@ -72,8 +74,11 @@ if (isset($_POST))
 //var_dump($_POST);exit;
 foreach(array_keys($_POST) as $k)
 {
+ $k = str_ireplace(array(" ","delete","drop","update","insert","exec","system",";"),"",$k);
+ $_POST[$k] = str_ireplace(array("delete","drop","update","insert","exec","system",";"),"",$_POST[$k]);
 if (($_POST[$k] != "''"))
 eval("\$".$k."='".(strip_tags(trim($_POST[$k])))."';");
+
 if (($_POST[$k] != "''") && ($k == "cpaint_argument"))
 {
 foreach($_POST["cpaint_argument"] as $argumento_)
diff --git a/ferramentas/parametrossql/exec.php b/ferramentas/parametrossql/exec.php
index b40f565..acf475e 100755
--- a/ferramentas/parametrossql/exec.php
+++ b/ferramentas/parametrossql/exec.php
@@ -76,9 +76,9 @@ switch (strtoupper($funcao))
 $chaves = implode(",",$chaves);
 $filtro = $layer1->getFilterString();
 if(!empty($valores)){
- $chaves = str_ireplace(array(" and ", " or ", "select","from","where","update","delete","insert","--"),"",$chaves);
+ $chaves = str_ireplace(array(" and ", " or ", "select","from","where","update","delete","insert","--","drop",";"),"",$chaves);
 $chaves = explode(",",$chaves);
- $valores = str_ireplace(array(" and ", " or ", "select","from","where","update","delete","insert","--"),"",$valores);
+ $valores = str_ireplace(array(" and ", " or ", "select","from","where","update","delete","insert","--","drop",";"),"",$valores);
 $valores = explode(",",strip_tags($valores));
 $n = count($chaves);
 for($i = 0; $i < $n; $i++){
diff --git a/ferramentas/parametrossql/index.js b/ferramentas/parametrossql/index.js
index a6797cb..bea2194 100755
--- a/ferramentas/parametrossql/index.js
+++ b/ferramentas/parametrossql/index.js
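Review bot: The order of the two added lines loses data: `$k` is rewritten first, then `$_POST[$k]` is read and written under the rewritten name, so a parameter called e.g. `inserttipo` becomes `tipo`, `$_POST['tipo']` is (normally) undefined, and the `eval` below assigns an empty string while the real value stays behind in `$_POST['inserttipo']`. The filtering also does not make the `eval` safe — a value containing `'` or a backtick still breaks out of the generated string literal, exactly as on the `$_GET` side. If the register_globals emulation must stay, replace the `eval` with a name check plus a variable variable keyed on the original name, `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $k)) { continue; }` and `$$k = trim(strip_tags($_POST[$k]));`, and skip that scalar assignment for array values (`cpaint_argument`) instead of calling `trim()` on an array as the context line does today. The enclosing `foreach` body continues past the hunk.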
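Review bot: Stripping words from `$chaves` and `$valores` is still a blacklist and is bypassable: `" and "`/`" or "` only match with a space on both sides (`and\t`, `/**/and/**/` pass), `/* */` and `#` comments are not listed, a doubled needle (`selselectect`) survives the single-pass `str_ireplace` as `select`, and where the values end up (the plugin filter applied after `$layer1->getFilterString()`, outside the hunk) is presumably a string-built expression. Validate instead of rewriting: after the `explode`, check each key against the parameter names the layer actually declares and each value against a narrow pattern, e.g. `if (!preg_match('/^[A-Za-z0-9_.\-]+$/', $valores[$i])) { $valores[$i] = ""; }` (or abort the request), then quote or escape per the target syntax. The `for` loop that consumes `$chaves`/`$valores` continues outside the hunk.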
@@ -270,12 +270,13 @@ i3GEOF.parametrossql = {
 p = i3GEO.editorOL.layerPorParametro("LAYERS",camada.name);
 //muda os parametros
 if(p){
+ p.setVisibility(false);
+ p.clearGrid();
 $i("i3GEOFparametrosSqlAplicar").innerHTML = "Aguarde...";
 reg = new RegExp("plugin" + "([=])+([a-zA-Z0-9_]*)");
 p.url = p.url.replace(reg, "");
 p.url = p.url + "&plugin=" + valores.join(",");
 p.setUrl(p.url+"&");
- p.setVisibility(false);
 p.setVisibility(true);
 }
 i3GEO.janela.destroi("i3GEOF.parametrossql");
diff --git a/mashups/openlayers.php b/mashups/openlayers.php
index 42aba43..231fd07 100644
--- a/mashups/openlayers.php
+++ b/mashups/openlayers.php
@@ -277,7 +277,7 @@ if($temas != ""){
 if(in_array($tema,$visiveis)){
 $visivel = "true";
 }
- if($nlayers == 1 && strtoupper($layern->getmetadata("cache")) == "SIM"){
+ if($nlayers == 1 && strtoupper($layern->getmetadata("cache")) == "SIM" && $layern->getmetadata("PLUGINI3GEO") == ""){
 if($layern->type != 2 && $layern->type != 3){
 $opacidade = 1;
 }
diff --git a/mashups/osm.php b/mashups/osm.php
index 6cd2023..d3d19a3 100755
--- a/mashups/osm.php
+++ b/mashups/osm.php
@@ -279,7 +279,7 @@ if($temas != ""){
 }
 // echo $visivel;exit;
 // var_dump($visiveis);exit;
- if($nlayers == 1 && strtoupper($layern->getmetadata("cache")) == "SIM"){
+ if($nlayers == 1 && strtoupper($layern->getmetadata("cache")) == "SIM" && $layern->getmetadata("PLUGINI3GEO") == ""){
 if($layern->type != 2 && $layern->type != 3){
 $opacidade = 1;
 }
--
libgit2 0.21.2
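Review bot: `p.clearGrid()` is called unconditionally on whatever `layerPorParametro` returned; if that can be a layer type without a grid (the previous code only toggled visibility), the new line throws, `i3GEO.janela.destroi` is never reached, and the layer is left hidden by the `setVisibility(false)` moved just above it. Guard it: `if (typeof p.clearGrid === "function") { p.clearGrid(); }`. Also on the context line `p.url = p.url + "&plugin=" + valores.join(",")` the values (presumably collected from the form) go into the query string raw, so one containing `&` or `#` truncates the request; `encodeURIComponent(valores.join(","))` keeps the comma-separated shape the PHP side explodes on. The object literal `i3GEOF.parametrossql = {` containing this method starts before the hunk.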
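Review bot: The widened condition is now duplicated character for character in `mashups/openlayers.php` and `mashups/osm.php`, and nothing on either side says why a layer served through a plugin must bypass the tile cache. Factor it into one helper both mashups call, e.g. `function usaCacheSemPlugin($layern, $nlayers) { return $nlayers == 1 && strtoupper($layern->getmetadata("cache")) == "SIM" && $layern->getmetadata("PLUGINI3GEO") == ""; }`, with a comment above it of the form `// layers driven by a PLUGINI3GEO plugin build their request dynamically, so a cached tile would be stale — TODO confirm the reason` (the commit message is not visible here). Note the `== ""` comparison is loose; if `getmetadata` can return something other than a string for an absent key, keep it loose deliberately and say so in the comment rather than switching to `===` and changing behaviour. The block headed `if($temas != ""){` in the hunk header starts before the hunk.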