From owner-freebsd-ports@FreeBSD.ORG Wed May 7 09:06:28 2014
From: Alan Hicks
Organization: Persistent Objects Ltd
Date: Wed, 07 May 2014 09:56:26 +0100
To: freebsd-ports@freebsd.org
Subject: Re: www/openx: CVE-2013-7149 no patch available?
Message-ID: <5369F53A.1050505@p-o.co.uk>
In-Reply-To: <53693756.7050306@b1t.name>
List-Id: Porting software to FreeBSD

On 06/05/2014 20:26, Volodymyr Kostyrko wrote:
> Hi all.
>
> In case anyone is still using www/openx.
>
> Does anyone know about any patches for this issue? Has anyone patched
> openx himself?
>

The project has moved to https://github.com/revive-adserver

Although I have patched my copy of OpenX for both the vulnerability and PostgreSQL support, there was no interest from the people at revive-adserver, though they have since patched the vulnerability.

Having almost completed the removal of OpenX from my servers, there is little interest in supporting it.

Original patch attached for reference.

Hope this helps,
Alan

Attachment: lib_OA_Dal_Delivery.php.diff (text/x-patch)

Index: lib/OA/Dal/Delivery.php
===================================================================
--- lib/OA/Dal/Delivery.php (revision 82818)
+++ lib/OA/Dal/Delivery.php (working copy)
@@ -120,7 +120,7 @@ $aConf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $zoneid = (int)$zoneid; + //$zoneid = (int)$zoneid; // Get the zone information $query = " @@ -151,7 +151,7 @@ ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['affiliates'])." AS a, ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['agency'])." AS m WHERE - z.zoneid = {$zoneid} + z.zoneid = ".(int)$zoneid." AND z.affiliateid = a.affiliateid AND @@ -169,7 +169,7 @@ p.preference_id AS preference_id, p.preference_name AS preference_name FROM - {$aConf['table']['prefix']}{$aConf['table']['preferences']} AS p + ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['preferences'])." AS p WHERE p.preference_name = 'default_banner_image_url' OR @@ -201,9 +201,9 @@ FROM ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['account_preference_assoc'])." AS apa WHERE - apa.account_id = {$aZoneInfo['trafficker_account_id']} + apa.account_id = ".(int)$aZoneInfo['trafficker_account_id']." AND - apa.preference_id = $default_banner_destination_url_id + apa.preference_id = ".(int)$default_banner_destination_url_id." UNION SELECT 'default_banner_destination_url_manager' AS item, @@ -211,9 +211,9 @@ FROM ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['account_preference_assoc'])." AS apa WHERE - apa.account_id = {$aZoneInfo['manager_account_id']} + apa.account_id = ".(int)$aZoneInfo['manager_account_id']." AND - apa.preference_id = $default_banner_destination_url_id + apa.preference_id = ".(int)$default_banner_destination_url_id." UNION SELECT 'default_banner_image_url_trafficker' AS item, 
@@ -221,9 +221,9 @@ FROM ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['account_preference_assoc'])." AS apa WHERE - apa.account_id = {$aZoneInfo['trafficker_account_id']} + apa.account_id = ".(int)$aZoneInfo['trafficker_account_id']." AND - apa.preference_id = $default_banner_image_url_id + apa.preference_id = ".(int)$default_banner_image_url_id." UNION SELECT 'default_banner_image_url_manager' AS item, @@ -231,9 +231,9 @@ FROM ".OX_escapeIdentifier($aConf['table']['prefix'].$aConf['table']['account_preference_assoc'])." AS apa WHERE - apa.account_id = {$aZoneInfo['manager_account_id']} + apa.account_id = ".(int)$aZoneInfo['manager_account_id']." AND - apa.preference_id = $default_banner_image_url_id + apa.preference_id = ".(int)$default_banner_image_url_id." UNION SELECT 'default_banner_image_url_admin' AS item, @@ -246,7 +246,7 @@ AND a.account_type = 'ADMIN' AND - apa.preference_id = $default_banner_image_url_id + apa.preference_id = ".(int)$default_banner_image_url_id." UNION SELECT 'default_banner_destination_url_admin' AS item, @@ -259,7 +259,7 @@ AND a.account_type = 'ADMIN' AND - apa.preference_id = $default_banner_destination_url_id"; + apa.preference_id = ".(int)$default_banner_destination_url_id; $rDefaultBannerInfo = OA_Dal_Delivery_query($query); if (!is_resource($rDefaultBannerInfo)) { @@ -326,7 +326,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $publisherid = (int)$publisherid; + //$publisherid = (int)$publisherid; $rZones = OA_Dal_Delivery_query(" SELECT @@ -337,7 +337,7 @@ FROM ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['zones'])." AS z WHERE - z.affiliateid={$publisherid} + z.affiliateid=".(int)$publisherid." "); if (!is_resource($rZones)) { @@ -371,7 +371,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $zoneid = (int)$zoneid; + //$zoneid = (int)$zoneid; $aRows = OA_Dal_Delivery_getZoneInfo($zoneid); 
@@ -456,7 +456,7 @@ ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['clients'])." AS m ON (m.clientid = c.clientid) LEFT JOIN ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['agency'])." AS a ON (a.agencyid = m.agencyid) WHERE - az.zone_id = {$zoneid} + az.zone_id = ".(int)$zoneid." AND d.status <= 0 AND @@ -540,7 +540,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $zoneid = (int)$zoneid; + //$zoneid = (int)$zoneid; $aRows['xAds'] = array(); $aRows['ads'] = array(); @@ -584,7 +584,7 @@ ."c.ecpm_enabled AS ecpm_enabled, " ."c.ecpm AS ecpm, " ."ct.status AS tracker_status, " - .OX_Dal_Delivery_regex("d.htmlcache", "src\\s?=\\s?[\\'\"]http:")." AS html_ssl_unsafe, " + .OX_Dal_Delivery_regex("d.htmlcache", OX_escapeString('src\s?=\s?['."'".'"]http:'))." AS html_ssl_unsafe, " .OX_Dal_Delivery_regex("d.imageurl", "^http:")." AS url_ssl_unsafe " ."FROM " .OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['banners'])." AS d JOIN " @@ -592,7 +592,7 @@ .OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['campaigns'])." AS c ON (c.campaignid = d.campaignid) LEFT JOIN " .OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['campaigns_trackers'])." AS ct ON (ct.campaignid = c.campaignid) " ."WHERE " - ."az.zone_id = {$zoneid} " + ."az.zone_id = ".(int)$zoneid." " ."AND " ."d.status <= 0 " ."AND " @@ -650,7 +650,7 @@ $campaignid = (int)$campaignid; if ($campaignid > 0) { - $precondition = " AND d.campaignid = '".$campaignid."' "; + $precondition = " AND d.campaignid = ".(int)$campaignid." "; } else { $precondition = ''; } @@ -722,7 +722,7 @@ $campaignid = (int)$campaignid; if ($campaignid > 0) { - $precondition = " AND d.campaignid = '".$campaignid."' "; + $precondition = " AND d.campaignid = ".(int)$campaignid." "; } else { $precondition = ''; } @@ -816,7 +816,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $ad_id = (int)$ad_id; + //$ad_id = (int)$ad_id; $query = " SELECT 
@@ -870,7 +870,7 @@ ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['campaigns'])." AS c, ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['clients'])." AS m WHERE - d.bannerid={$ad_id} + d.bannerid=".(int)$ad_id." AND d.campaignid = c.campaignid AND @@ -895,7 +895,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $channelid = (int)$channelid; + //$channelid = (int)$channelid; $rLimitation = OA_Dal_Delivery_query(" SELECT @@ -903,7 +903,7 @@ FROM ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['channel'])." WHERE - channelid={$channelid}"); + channelid=".(int)$channelid); if (!is_resource($rLimitation)) { return (defined('OA_DELIVERY_CACHE_FUNCTION_ERROR')) ? OA_DELIVERY_CACHE_FUNCTION_ERROR : null; } @@ -949,7 +949,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $trackerid = (int)$trackerid; + //$trackerid = (int)$trackerid; $rTracker = OA_Dal_Delivery_query(" SELECT @@ -965,7 +965,7 @@ FROM ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['trackers'])." AS t WHERE - t.trackerid={$trackerid} + t.trackerid=".(int)$trackerid." "); if (!is_resource($rTracker)) { return (defined('OA_DELIVERY_CACHE_FUNCTION_ERROR')) ? OA_DELIVERY_CACHE_FUNCTION_ERROR : null; @@ -979,7 +979,7 @@ $aConf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $trackerid = (int)$trackerid; + //$trackerid = (int)$trackerid; $rCreatives = OA_Dal_Delivery_query(" SELECT @@ -998,7 +998,7 @@ ct.trackerid=t.trackerid AND c.campaignid=b.campaignid AND b.campaignid = ct.campaignid - " . ((!empty($trackerid)) ? ' AND t.trackerid='.$trackerid : '') . " + " . ((!empty($trackerid)) ? ' AND t.trackerid='.(int)$trackerid : '') . " "); if (!is_resource($rCreatives)) { return (defined('OA_DELIVERY_CACHE_FUNCTION_ERROR')) ? OA_DELIVERY_CACHE_FUNCTION_ERROR : null; 
@@ -1022,7 +1022,7 @@ $conf = $GLOBALS['_MAX']['CONF']; // Sanitise parameteres - $trackerid = (int)$trackerid; + //$trackerid = (int)$trackerid; $rVariables = OA_Dal_Delivery_query(" SELECT @@ -1038,7 +1038,7 @@ FROM ".OX_escapeIdentifier($conf['table']['prefix'].$conf['table']['variables'])." AS v WHERE - v.trackerid={$trackerid} + v.trackerid=".(int)$trackerid." "); if (!is_resource($rVariables)) { return (defined('OA_DELIVERY_CACHE_FUNCTION_ERROR')) ? OA_DELIVERY_CACHE_FUNCTION_ERROR : null; @@ -1193,6 +1193,8 @@ if(preg_match('#^(?:size:)?([0-9]+x[0-9]+)$#', $part_array[$k], $m)) { list($width, $height) = explode('x', $m[1]); + $width = (int) $width; + $height = (int) $height; if ($operator == 'OR') $conditions .= "OR (d.width = $width AND d.height = $height) "; @@ -1219,27 +1221,29 @@ // Only upper limit, set lower limit to make sure not text ads are delivered if ($min == '') $min = 1; + $min = (int) $min; // Only lower limit if ($max == '') { if ($operator == 'OR') - $conditions .= "OR d.width >= '".trim($min)."' "; + $conditions .= "OR d.width >= ".$min." "; elseif ($operator == 'AND') - $conditions .= "AND d.width >= '".trim($min)."' "; + $conditions .= "AND d.width >= ".$min." "; else - $conditions .= "AND d.width < '".trim($min)."' "; + $conditions .= "AND d.width < ".$min." "; } // Both lower and upper limit if ($max != '') { + $max = (int) $max; if ($operator == 'OR') - $conditions .= "OR (d.width >= '".trim($min)."' AND d.width <= '".trim($max)."') "; + $conditions .= "OR (d.width >= ".$min." AND d.width <= ".$max.") "; elseif ($operator == 'AND') - $conditions .= "AND (d.width >= '".trim($min)."' AND d.width <= '".trim($max)."') "; + $conditions .= "AND (d.width >= ".$min." AND d.width <= ".$max.") "; else - $conditions .= "AND (d.width < '".trim($min)."' OR d.width > '".trim($max)."') "; + $conditions .= "AND (d.width < ".$min." OR d.width > ".$max.") "; } } else 
@@ -1247,11 +1251,11 @@ // Single value if ($operator == 'OR') - $conditions .= "OR d.width = '".trim($part_array[$k])."' "; + $conditions .= "OR d.width = ".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.width = '".trim($part_array[$k])."' "; + $conditions .= "AND d.width = ".(int)$part_array[$k]." "; else - $conditions .= "AND d.width != '".trim($part_array[$k])."' "; + $conditions .= "AND d.width != ".(int)$part_array[$k]." "; } } @@ -1272,16 +1276,17 @@ // Only upper limit, set lower limit to make sure not text ads are delivered if ($min == '') $min = 1; + $min = (int)$min; // Only lower limit if ($max == '') { if ($operator == 'OR') - $conditions .= "OR d.height >= '".trim($min)."' "; + $conditions .= "OR d.height >= ".$min." "; elseif ($operator == 'AND') - $conditions .= "AND d.height >= '".trim($min)."' "; + $conditions .= "AND d.height >= ".$min." "; else - $conditions .= "AND d.height < '".trim($min)."' "; + $conditions .= "AND d.height < ".$min." "; } // Both lower and upper limit @@ -1288,11 +1293,11 @@ if ($max != '') { if ($operator == 'OR') - $conditions .= "OR (d.height >= '".trim($min)."' AND d.height <= '".trim($max)."') "; + $conditions .= "OR (d.height >= ".$min." AND d.height <= ".(int)$max.") "; elseif ($operator == 'AND') - $conditions .= "AND (d.height >= '".trim($min)."' AND d.height <= '".trim($max)."') "; + $conditions .= "AND (d.height >= ".$min." AND d.height <= ".(int)$max.") "; else - $conditions .= "AND (d.height < '".trim($min)."' OR d.height > '".trim($max)."') "; + $conditions .= "AND (d.height < ".$min." OR d.height > ".(int)$max.") "; } } else 
@@ -1300,11 +1305,11 @@ // Single value if ($operator == 'OR') - $conditions .= "OR d.height = '".trim($part_array[$k])."' "; + $conditions .= "OR d.height = ".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.height = '".trim($part_array[$k])."' "; + $conditions .= "AND d.height = ".(int)$part_array[$k]." "; else - $conditions .= "AND d.height != '".trim($part_array[$k])."' "; + $conditions .= "AND d.height != ".(int)$part_array[$k]." "; } } @@ -1319,11 +1324,11 @@ if ($part_array[$k]) { if ($operator == 'OR') - $conditions .= "OR d.bannerid='".$part_array[$k]."' "; + $conditions .= "OR d.bannerid=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.bannerid='".$part_array[$k]."' "; + $conditions .= "AND d.bannerid=".(int)$part_array[$k]." "; else - $conditions .= "AND d.bannerid!='".$part_array[$k]."' "; + $conditions .= "AND d.bannerid!=".(int)$part_array[$k]." "; } $onlykeywords = false; @@ -1337,11 +1342,11 @@ if ($part_array[$k]) { if ($operator == 'OR') - $conditions .= "OR d.campaignid='".trim($part_array[$k])."' "; + $conditions .= "OR d.campaignid=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.campaignid='".trim($part_array[$k])."' "; + $conditions .= "AND d.campaignid=".(int)$part_array[$k]." "; else - $conditions .= "AND d.campaignid!='".trim($part_array[$k])."' "; + $conditions .= "AND d.campaignid!=".(int)$part_array[$k]." "; } $onlykeywords = false; 
@@ -1354,11 +1359,11 @@ if($part_array[$k] != '' && $part_array[$k] != ' ') { if ($operator == 'OR') - $conditions .= "OR d.contenttype='".trim($part_array[$k])."' "; + $conditions .= "OR d.contenttype=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.contenttype='".trim($part_array[$k])."' "; + $conditions .= "AND d.contenttype=".(int)$part_array[$k]." "; else - $conditions .= "AND d.contenttype!='".trim($part_array[$k])."' "; + $conditions .= "AND d.contenttype!=".(int)$part_array[$k]." "; } $onlykeywords = false; @@ -1469,7 +1474,7 @@ 'm.ecpm_enabled AS ecpm_enabled', 'm.ecpm AS ecpm', 'ct.status AS tracker_status', - OX_Dal_Delivery_regex("d.htmlcache", "src\\s?=\\s?[\\'\"]http:")." AS html_ssl_unsafe", + OX_Dal_Delivery_regex("d.htmlcache", OX_escapeString('src\s?=\s?['."'".'"]http:'))." AS html_ssl_unsafe", OX_Dal_Delivery_regex("d.imageurl", "^http:")." AS url_ssl_unsafe", ); @@ -1519,6 +1524,8 @@ if(preg_match('#^(?:size:)?([0-9]+x[0-9]+)$#', $part_array[$k], $m)) { list($width, $height) = explode('x', $m[1]); + $width = (int) $width; + $height = (int) $height; if ($operator == 'OR') $conditions .= "OR (d.width = $width AND d.height = $height) "; @@ -1545,16 +1552,17 @@ // Only upper limit, set lower limit to make sure not text ads are delivered if ($min == '') $min = 1; + $min = (int) $min; // Only lower limit if ($max == '') { if ($operator == 'OR') - $conditions .= "OR d.width >= '".trim($min)."' "; + $conditions .= "OR d.width >= ".$min." "; elseif ($operator == 'AND') - $conditions .= "AND d.width >= '".trim($min)."' "; + $conditions .= "AND d.width >= ".$min." "; else - $conditions .= "AND d.width < '".trim($min)."' "; + $conditions .= "AND d.width < ".$min." "; } // Both lower and upper limit 
@@ -1561,11 +1569,11 @@ if ($max != '') { if ($operator == 'OR') - $conditions .= "OR (d.width >= '".trim($min)."' AND d.width <= '".trim($max)."') "; + $conditions .= "OR (d.width >= ".(int)$min." AND d.width <= ".(int)$max.") "; elseif ($operator == 'AND') - $conditions .= "AND (d.width >= '".trim($min)."' AND d.width <= '".trim($max)."') "; + $conditions .= "AND (d.width >= ".(int)$min." AND d.width <= ".(int)$max.") "; else - $conditions .= "AND (d.width < '".trim($min)."' OR d.width > '".trim($max)."') "; + $conditions .= "AND (d.width < ".(int)$min." OR d.width > ".(int)$max.") "; } } else @@ -1573,11 +1581,11 @@ // Single value if ($operator == 'OR') - $conditions .= "OR d.width = '".trim($part_array[$k])."' "; + $conditions .= "OR d.width = ".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.width = '".trim($part_array[$k])."' "; + $conditions .= "AND d.width = ".(int)$part_array[$k]." "; else - $conditions .= "AND d.width != '".trim($part_array[$k])."' "; + $conditions .= "AND d.width != ".(int)$part_array[$k]." "; } } @@ -1598,16 +1606,17 @@ // Only upper limit, set lower limit to make sure not text ads are delivered if ($min == '') $min = 1; + $min = (int) $min; // Only lower limit if ($max == '') { if ($operator == 'OR') - $conditions .= "OR d.height >= '".trim($min)."' "; + $conditions .= "OR d.height >= ".(int)$min." "; elseif ($operator == 'AND') - $conditions .= "AND d.height >= '".trim($min)."' "; + $conditions .= "AND d.height >= ".(int)$min." "; else - $conditions .= "AND d.height < '".trim($min)."' "; + $conditions .= "AND d.height < ".(int)$min." "; } // Both lower and upper limit 
@@ -1614,11 +1623,11 @@ if ($max != '') { if ($operator == 'OR') - $conditions .= "OR (d.height >= '".trim($min)."' AND d.height <= '".trim($max)."') "; + $conditions .= "OR (d.height >= ".(int)$min." AND d.height <= ".(int)$max.") "; elseif ($operator == 'AND') - $conditions .= "AND (d.height >= '".trim($min)."' AND d.height <= '".trim($max)."') "; + $conditions .= "AND (d.height >= ".(int)$min." AND d.height <= ".(int)$max.") "; else - $conditions .= "AND (d.height < '".trim($min)."' OR d.height > '".trim($max)."') "; + $conditions .= "AND (d.height < ".(int)$min." OR d.height > ".(int)$max.") "; } } else @@ -1626,11 +1635,11 @@ // Single value if ($operator == 'OR') - $conditions .= "OR d.height = '".trim($part_array[$k])."' "; + $conditions .= "OR d.height = ".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.height = '".trim($part_array[$k])."' "; + $conditions .= "AND d.height = ".(int)$part_array[$k]." "; else - $conditions .= "AND d.height != '".trim($part_array[$k])."' "; + $conditions .= "AND d.height != ".(int)$part_array[$k]." "; } } @@ -1645,11 +1654,11 @@ if ($part_array[$k]) { if ($operator == 'OR') - $conditions .= "OR d.bannerid='".$part_array[$k]."' "; + $conditions .= "OR d.bannerid=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.bannerid='".$part_array[$k]."' "; + $conditions .= "AND d.bannerid=".(int)$part_array[$k]." "; else - $conditions .= "AND d.bannerid!='".$part_array[$k]."' "; + $conditions .= "AND d.bannerid!=".(int)$part_array[$k]." "; } $onlykeywords = false; 
@@ -1663,11 +1672,11 @@ if ($part_array[$k]) { if ($operator == 'OR') - $conditions .= "OR d.campaignid='".trim($part_array[$k])."' "; + $conditions .= "OR d.campaignid=".(int)$part_array[$k]." "; elseif ($operator == 'AND') - $conditions .= "AND d.campaignid='".trim($part_array[$k])."' "; + $conditions .= "AND d.campaignid=".(int)$part_array[$k]." "; else - $conditions .= "AND d.campaignid!='".trim($part_array[$k])."' "; + $conditions .= "AND d.campaignid!=".(int)$part_array[$k]." "; } $onlykeywords = false; @@ -1680,11 +1689,11 @@ if($part_array[$k] != '' && $part_array[$k] != ' ') { if ($operator == 'OR') - $conditions .= "OR d.contenttype='".trim($part_array[$k])."' "; + $conditions .= "OR d.contenttype='".OX_escapeString(trim($part_array[$k]))."' "; elseif ($operator == 'AND') - $conditions .= "AND d.contenttype='".trim($part_array[$k])."' "; + $conditions .= "AND d.contenttype='".OX_escapeString(trim($part_array[$k]))."' "; else - $conditions .= "AND d.contenttype!='".trim($part_array[$k])."' "; + $conditions .= "AND d.contenttype!='".OX_escapeString(trim($part_array[$k]))."' "; } $onlykeywords = false; --------------050109040100010105000002--
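Review bot: the hunk at @@ -120,7 +120,7 @@ comments out the existing `$zoneid = (int)$zoneid;` sanitisation instead of leaving it in place, and the same is done for `$publisherid` (-326), `$zoneid` (-371, -540), `$ad_id` (-816), `$channelid` (-895) and `$trackerid` (-949, -979, -1022). The inline `(int)` casts added at each use site are the right fix, but removing the entry-point cast makes every later use of the variable depend on its inline cast being present, and any use that was missed, or is added later, is unsanitised again. Keep the early cast and add the inline ones on top of it; either way, delete the dead `//$zoneid = (int)$zoneid;` lines rather than leaving commented-out code under the `// Sanitise parameteres` comment (which is also misspelled).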
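Review bot: at @@ -169,7 +169,7 @@ the switch from `{$aConf['table']['prefix']}{$aConf['table']['preferences']}` to `OX_escapeIdentifier(...)` brings this query in line with every other table reference in the file. The table names come from configuration, not from the request, so this is a consistency change rather than part of the CVE fix and should be described as such in the patch description.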
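Review bot: in the hunks from @@ -201,9 +201,9 @@ through @@ -259,7 +259,7 @@, `$default_banner_destination_url_id` and `$default_banner_image_url_id` appear to come from the preferences lookup shown at -169, not from the request, so casting them is harmless but changes the failure mode. If either variable is unset, the old code emitted `apa.preference_id = ` and the resulting query error was caught by the `if (!is_resource($rDefaultBannerInfo))` check below; with `(int)` the clause becomes `apa.preference_id = 0` and the UNION just returns no rows. If that is acceptable, say so in a comment; otherwise check that both ids are non-empty before building the query.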
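Review bot: the hunks at @@ -584,7 +584,7 @@ and @@ -1469,7 +1474,7 @@ are not part of the injection fix. They replace the hand-escaped regex literal `"src\\s?=\\s?[\\'\"]http:"` with `OX_escapeString('src\s?=\s?['."'".'"]http:')`, i.e. they change how the `html_ssl_unsafe` pattern is escaped before it reaches the database, which is the PostgreSQL-support change the cover mail mentions. The pattern contains no user input, so this belongs in a separate patch with its own explanation, and it needs testing on both MySQL and PostgreSQL because the two forms put different backslash escaping into the SQL literal.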
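Review bot: the hunks at @@ -650,7 +650,7 @@ and @@ -722,7 +722,7 @@ add a second `(int)` cast to a value that the context line `$campaignid = (int)$campaignid;` has already cast two lines above. The change is harmless (it only drops the quotes around the value) but it is not a security fix and adds noise to the diff; either leave the original line alone or drop the redundant cast.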
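Review bot: in the hunks at @@ -979,7 +979,7 @@ and @@ -998,7 +998,7 @@ the cast moves to after the emptiness test, which changes behaviour. `(!empty($trackerid)) ? ' AND t.trackerid='.(int)$trackerid : ''` now evaluates `empty()` on the raw value, so a non-numeric but non-empty `$trackerid`, which the old code cast to 0 and treated as "no tracker filter", now appends `AND t.trackerid=0` and the creatives query returns nothing. Restore `$trackerid = (int)$trackerid;` at the top of the function (the line this patch comments out) so the `empty()` check and the SQL see the same value.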
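Review bot: the width/height range hunks are inconsistent about where the cast happens. At @@ -1219,27 +1221,29 @@ `$min` and `$max` are cast once (`$min = (int) $min;`, `$max = (int) $max;`) and then used bare; at @@ -1288,11 +1293,11 @@ `$max` is cast inline on every use; and at @@ -1561,11 +1569,11 @@ and @@ -1598,16 +1606,17 @@ `$min` is cast inline even though `$min = (int) $min;` was just added above it. Pick one form (cast once, right after the `if ($min == '') $min = 1;` default, and likewise for `$max` inside `if ($max != '')`) and use it in all four blocks. Dropping the `trim()` calls is fine, since `(int)` already ignores leading whitespace.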
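Review bot: the hunk at @@ -1354,11 +1359,11 @@ casts the content-type value to an integer (`d.contenttype=".(int)$part_array[$k]."`) while the mirrored hunk at @@ -1680,11 +1689,11 @@ keeps it as a quoted, escaped string (`d.contenttype='".OX_escapeString(trim($part_array[$k]))."'`). Both cannot be right: if `contenttype` holds strings, every filter in the first function collapses to `d.contenttype=0` and content-type targeting silently stops matching. The `OX_escapeString` form at -1680 is the correct one for a string column and should be used in both places.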