From 920b3b44f855c2dfbd2417d6effc38110c378a9d Mon Sep 17 00:00:00 2001
From: root <root@www.cacert.org>
Date: Tue, 3 Jul 2007 20:00:18 +0000
Subject: [PATCH] Fixed XSS

---
 pages/wot/7-old.php | 86 ++++++++++++++++++++++++---------------------
 1 file changed, 45 insertions(+), 41 deletions(-)

diff --git a/pages/wot/7-old.php b/pages/wot/7-old.php
index 11b4371..ca66088 100644
--- a/pages/wot/7-old.php
+++ b/pages/wot/7-old.php
@@ -27,43 +27,47 @@ if($_GET['action'] != "update")
 	echo "<a href='wot.php?id=7'>"._("Home")." ("._("Listed").": $total1)</a>\n";
 
 	$display = "";
-	if(intval($_GET['locid']) > 0)
+	$ccid=intval($_GET['ccid']);
+	$locid=intval($_GET['locid']);
+	$regid=intval($_GET['regid']);
+
+	if($locid > 0)
 	{
-		$total4 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and `locid`='".$_GET['locid']."' and
+		$total4 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and `locid`='".$locid."' and
 						`users`.`id`=`notary`.`to` group by `notary`.`to` HAVING SUM(`points`) >= 100"));
-		$loc = mysql_fetch_assoc(mysql_query("select * from `locations` where `id`='".$_GET['locid']."'"));
+		$loc = mysql_fetch_assoc(mysql_query("select * from `locations` where `id`='".$locid."'"));
 		$display = "<ul class='top'>\n<li>\n".
-			"<a href='wot.php?id=7&locid=".$_GET['locid']."'>$loc[name] ("._("Listed").": $total4)</a>\n".
+			"<a href='wot.php?id=7&locid=".$locid."'>$loc[name] ("._("Listed").": $total4)</a>\n".
 			$display;
-		$_GET['regid'] = $loc['regid'];
+		$regid = $loc['regid'];
 	}
 
-	if(intval($_GET['regid']) > 0)
+	if($regid > 0)
 	{
-		$total3 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and `regid`='".$_GET['regid']."' and
+		$total3 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and `regid`='".$regid."' and
 						`users`.`id`=`notary`.`to` group by `notary`.`to` HAVING SUM(`points`) >= 100"));
-		$reg = mysql_fetch_assoc(mysql_query("select * from `regions` where `id`='".$_GET['regid']."'"));
+		$reg = mysql_fetch_assoc(mysql_query("select * from `regions` where `id`='".$regid."'"));
 		$display = "<ul class='top'>\n<li>\n".
-			"<a href='wot.php?id=7&regid=".$_GET['regid']."'>$reg[name] ("._("Listed").": $total3)</a>\n".
+			"<a href='wot.php?id=7&regid=".$regid."'>$reg[name] ("._("Listed").": $total3)</a>\n".
 			$display;
-		$_GET['ccid'] = $reg['ccid'];
+		$ccid = $reg['ccid'];
 	}
 
-	if(intval($_GET['ccid']) > 0)
+	if($ccid > 0)
 	{
 		$total2 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and
-						`ccid`='".$_GET['ccid']."' and `users`.`id`=`notary`.`to`
+						`ccid`='".$ccid."' and `users`.`id`=`notary`.`to`
 						group by `notary`.`to` HAVING SUM(`points`) >= 100"));
-		$cnt = mysql_fetch_assoc(mysql_query("select * from `countries` where `id`='".$_GET['ccid']."'"));
+		$cnt = mysql_fetch_assoc(mysql_query("select * from `countries` where `id`='".$ccid."'"));
 		$display = "<ul class='top'>\n<li>\n".
-			"<a href='wot.php?id=7&ccid=".$_GET['ccid']."'>$cnt[name] ("._("Listed").": $total2)</a>\n".
+			"<a href='wot.php?id=7&ccid=".$ccid."'>$cnt[name] ("._("Listed").": $total2)</a>\n".
 			$display;
 	}
 
 	if($display)
 		echo $display;
 
-	if(intval($_GET['ccid']) <= 0)
+	if($ccid <= 0)
 	{
 		echo "<ul>\n";
 		$query = "select * from `countries` order by `name`";
@@ -72,44 +76,44 @@ if($_GET['action'] != "update")
 			echo "<li><a href='wot.php?id=7&ccid=$row[id]'>$row[name]</a></li>\n";
 
 		echo "</ul>\n</li>\n</ul></div>\n<br>\n";
-	} elseif(intval($_GET['regid']) <= 0) {
+	} elseif($regid <= 0) {
 		echo "<ul>\n";
-		$query = "select * from `regions` where `ccid`='".$_GET['ccid']."' order by `name`";
+		$query = "select * from `regions` where `ccid`='".$ccid."' order by `name`";
 		$res = mysql_query($query);
 		while($row = mysql_fetch_assoc($res))
 			echo "<li><a href='wot.php?id=7&regid=$row[id]'>$row[name]</a></li>\n";
 
 		echo "</ul>\n</li>\n</ul>\n</li>\n</ul></div>\n<br>\n";
-	} elseif(intval($_GET['locid']) <= 0) {
+	} elseif($locid <= 0) {
 		echo "<ul>\n";
 		if($town != "")
 		{
-			$query = "select * from `locations` where `regid`='".$_GET['regid']."' and `name` < '$town'";
+			$query = "select * from `locations` where `regid`='".$regid."' and `name` < '$town'";
 			$start = mysql_num_rows(mysql_query($query));
 		}
-		$query = "select * from `locations` where `regid`='".$_GET['regid']."' order by `name` limit $start, $limit";
+		$query = "select * from `locations` where `regid`='".$regid."' order by `name` limit $start, $limit";
 		$res = mysql_query($query);
 		while($row = mysql_fetch_assoc($res))
 			echo "<li><a href='wot.php?id=7&locid=$row[id]'>$row[name]</a></li>\n";
 
 		echo "</ul>\n</li>\n</ul>\n</li>\n</ul></div>\n<br>\n";
-		$rc = mysql_num_rows(mysql_query("select * from `locations` where `regid`='".$_GET['regid']."'"));
+		$rc = mysql_num_rows(mysql_query("select * from `locations` where `regid`='".$regid."'"));
 		if($start > 0)
 		{
 			$prev = $start - $limit;
 			if($prev < 0)
 				$prev = 0;
 
-			$st = "[ <a href='wot.php?id=7&regid=".$_GET['regid']."'><< Start</a> ] ";
-			$prev = "[ <a href='wot.php?id=7&regid=".$_GET['regid']."&start=$prev'>< Previous $limit</a> ] ";
+			$st = "[ <a href='wot.php?id=7&regid=".$regid."'><< Start</a> ] ";
+			$prev = "[ <a href='wot.php?id=7&regid=".$regid."&start=$prev'>< Previous $limit</a> ] ";
 		}
 		if($start < $rc - $limit)
 		{
 			$next = $start + $limit;
 			$last = $rc - $limit;
 
-			$next = "[ <a href='wot.php?id=7&regid=".$_GET['regid']."&start=$next'>Next $limit ></a> ] ";
-			$end = "[ <a href='wot.php?id=7&regid=".$_GET['regid']."&start=$last'>End >></a> ]";
+			$next = "[ <a href='wot.php?id=7&regid=".$regid."&start=$next'>Next $limit ></a> ] ";
+			$end = "[ <a href='wot.php?id=7&regid=".$regid."&start=$last'>End >></a> ]";
 		}
 		echo "<div id='search1'>$st</div><div id='search3'>$end</div>\n";
 		echo "<div id='search2'>$prev</div><div id='search4'>$next</div>\n";
@@ -122,20 +126,20 @@ if($_GET['action'] != "update")
   </tr>
   <tr>
     <td class="DataTD" width="125"><?=_("Location Name")?>: </td>
-    <td class="DataTD" width="125"><input type="text" name="town" value="<?=$_GET['town']?>" size="10"></td>
+    <td class="DataTD" width="125"><input type="text" name="town" value="<?=sanitizeHTML($_GET['town'])?>" size="10"></td>
   </tr>
   <tr>
     <td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_("Search")?>"></td>
   </tr>
 </table>
-<input type="hidden" name="regid" value="<?=$_GET['regid']?>">
+<input type="hidden" name="regid" value="<?=$regid?>">
 <input type="hidden" name="id" value="7">
 </form>
 </div>
 <?
 	} else {
 		echo "</ul>\n</li>\n</ul>\n</li>\n</ul>\n</li>\n</ul>\n<br>\n";
-		echo "<p><a href='wot.php?id=7&action=update&locid=".$_GET['locid']."'>";
+		echo "<p><a href='wot.php?id=7&action=update&locid=".$locid."'>";
 		echo _("Make my location here");
 		echo "</a></p>\n";
 		echo "<p>"._("If you are happy with this location, click 'Make my location here' to update your location details.")."</p><br>\n";
@@ -144,31 +148,31 @@ if($_GET['action'] != "update")
 	$total1 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and `users`.`id`=`notary`.`to`
 						group by `notary`.`to` HAVING SUM(`points`) >= 100"));
 
-	if(intval($_GET['locid']) > 0)
+	if($locid > 0)
 	{
-		$total4 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and `locid`='".$_GET['locid']."' and
+		$total4 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and `locid`='".$locid."' and
 						`users`.`id`=`notary`.`to` group by `notary`.`to` HAVING SUM(`points`) >= 100"));
-		$loc = mysql_fetch_assoc(mysql_query("select * from `locations` where `id`='".$_GET['locid']."'"));
-		$_GET['regid'] = $loc['regid'];
+		$loc = mysql_fetch_assoc(mysql_query("select * from `locations` where `id`='".$locid."'"));
+		$regid = $loc['regid'];
 	}
 
-	if(intval($_GET['regid']) > 0)
+	if($regid) > 0)
 	{
-		$total3 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and `regid`='".$_GET['regid']."' and
+		$total3 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and `regid`='".$regid."' and
 						`users`.`id`=`notary`.`to` group by `notary`.`to` HAVING SUM(`points`) >= 100"));
-		$reg = mysql_fetch_assoc(mysql_query("select * from `regions` where `id`='".$_GET['regid']."'"));
-		$_GET['ccid'] = $reg['ccid'];
+		$reg = mysql_fetch_assoc(mysql_query("select * from `regions` where `id`='".$regid."'"));
+		$ccid = $reg['ccid'];
 	}
 
 		$total2 = mysql_num_rows(mysql_query("select * from `users`,`notary` where `listme`='1' and
-						`ccid`='".$_GET['ccid']."' and `users`.`id`=`notary`.`to`
+						`ccid`='".$ccid."' and `users`.`id`=`notary`.`to`
 						group by `notary`.`to` HAVING SUM(`points`) >= 100"));
 
-	$_SESSION['profile']['ccid'] = $_GET['ccid'];
-	$_SESSION['profile']['regid'] = $_GET['regid'];
-	$_SESSION['profile']['locid'] = $_GET['locid'];
+	$_SESSION['profile']['ccid'] = $ccid;
+	$_SESSION['profile']['regid'] = $regid;
+	$_SESSION['profile']['locid'] = $locid;
 
-	mysql_query("update `users` set `ccid`='".$_GET['ccid']."',`regid`='".$_GET['regid']."',`locid`='".$_GET['locid']."'
+	mysql_query("update `users` set `ccid`='".$ccid."',`regid`='".$regid."',`locid`='".$locid."'
 			where `id`='".$_SESSION['profile']['id']."'");
 
 	echo _("Your details have been updated.");