Correctly escape variables for sql statements

admin/manage_user_groups.php

@@ -676,9 +676,9 @@ private function switch_upd_ins($auth_id, $group_id){
 		$sql = "SELECT o.auth_value
 				FROM __auth_options o, __auth_groups u
 				WHERE (u.auth_id = o.auth_id)
-				AND (u.group_id='".$group_id."')
-				AND u.auth_id='".$auth_id."'";
-		$objQuery = $this->db->query($sql);
+				AND (u.group_id=?)
+				AND u.auth_id=?";
+		$objQuery = $this->db->prepare($sql)->execute($group_id, $auth_id);
 
 		if ( $objQuery && $objQuery->numRows > 0 )
 		{

core/data_handler/includes/modules/read/calendar_events/pdh_r_calendar_events.class.php

@@ -138,20 +138,22 @@ public function get_id_list($raids_only=false, $start_date = 0, $end_date = PHP_
 			if(($start_date != 0) || ($end_date != PHP_INT_MAX)){
 				$start_date	 = $this->time->newtime($start_date, '00:00', false);
 				$end_date	 = ($end_date != PHP_INT_MAX) ? $this->time->newtime($end_date, '23:59', false) : $end_date;
+
 				$sqlstring	 = "SELECT id FROM __calendar_events WHERE";
-				$sqlstring	.= (is_array($idfilter)) ? ' (calendar_id IN ('.implode(",", $idfilter).')) AND' : '';
+
+				$sqlstring	.= (is_array($idfilter)) ? ' (calendar_id IN ('.implode(",", $this->db->escapeParams($idfilter)).')) AND' : '';
 				$sqlstring	.= " ((timestamp_start BETWEEN ".$this->db->escapeString($start_date)." AND ".$this->db->escapeString($end_date).") OR (timestamp_end BETWEEN ".$this->db->escapeString($start_date)." AND ".$this->db->escapeString($end_date)."))";
 
 				// apply the filtering
 				switch($filter){
 					case 'mine':
-						$sqlstring	.= " AND creator=".$this->user->data['user_id'];
+						$sqlstring	.= " AND creator=".$this->db->escapeString($this->user->data['user_id']);
 					break;
 					case 'past':
-						$sqlstring	.= " AND timestamp_end<".$this->time->time;
+						$sqlstring	.= " AND timestamp_end<".$this->db->escapeString($this->time->time);
 					break;
 					case 'future':
-						$sqlstring	.= " AND timestamp_end>".$this->time->time;
+						$sqlstring	.= " AND timestamp_end>".$this->db->escapeString($this->time->time);
 					break;
 					default: $sqlstring	.= "";
 				}

core/data_handler/includes/modules/read/logs/pdh_r_logs.class.php

@@ -131,9 +131,11 @@ public function sort($id_list, $tag, $direction = 'asc', $params = array( ), $id
 			if(!method_exists($this, 'get_'.$tag) || $tag == 'viewicon' || $tag == 'value' || $tag == 'id_list' || $tag == 'lastxlogs') return $id_list;
 
 			$direction = ($direction == 'asc') ? 'ASC' : 'DESC';
-						if($tag == 'user') { 
+			if($tag == 'user') { 
 				$objQuery = $this->db->prepare("SELECT log_id FROM __logs WHERE log_id :in ORDER BY username ".$direction.";")->in($id_list)->execute();
 			} else {
+				if(!in_array($tag, array('id', 'date', 'value', 'ipaddress', 'sid', 'result', 'tag', 'plugin', 'flag', 'record', 'record_id'))) return false;
+
 				$objQuery = $this->db->prepare("SELECT log_id FROM __logs WHERE log_id :in ORDER BY log_".$tag." ".$direction.";")->in($id_list)->execute();
 			}
 			$id_list = array();

libraries/dbal/dbal.class.php

@@ -531,6 +531,11 @@ public function escapeString($strString){
 		return $objStatement->escapeString($strString);
 	}
 
+	public function escapeParams($arrParams){
+		$objStatement = $this->createStatement($this->resConnection, $this->strTablePrefix, $this->strDebugPrefix,$this->blnDisableAutocommit);
+		return $objStatement->escapeParams($arrParams);
+	}
+
 	public function replaceTablePrefix($strQuery){
 		$strQuery = preg_replace("/([\s|`|'])__([a-zA-Z])/", '$1'.$this->strTablePrefix.'$2', $strQuery);
 		return $strQuery;
@@ -892,7 +897,7 @@ protected function replaceWildcards($arrParams){
 	 * @param array
 	 * @return array
 	 */
-	protected function escapeParams($arrParams, $blnIgnoreKeys=false){
+	public function escapeParams($arrParams, $blnIgnoreKeys=false){
 		foreach ($arrParams as $k=>$v)
 		{
 			switch (gettype($v))