
POT security warning!

Recently it was found that there's an important security hole in POT (for newbies: Gesior/Unnamed AAC use it) which displays database connection information. Here's a quick solution for XAMPP users from Xampy, which everyone using POT for their AAC should apply:

(...) I will tell you how to prevent hacks on your server:

MySQL Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_MySQL.php. Go to line ~96 and:
Change:
Code:
        // PDO constructor
        parent::__construct('mysql:' . implode(';', $dns), $user, $password);
    }
with:
Code:
        // PDO constructor
        try
        {
            parent::__construct('mysql:' . implode(';', $dns), $user, $password);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to MySQL database.';
            exit;
        }
    }
And save the file.



SQLite Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_SQLite.php. Go to line ~54 and:
Change:
Code:
        // PDO constructor
        parent::__construct('sqlite:' . $params['database']);
with:
Code:
        // PDO constructor
        try
        {
            parent::__construct('sqlite:' . $params['database']);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to SQLite database.';
            exit;
        }
And save the file.

Basically, the file names DO NOT change if you don't use XAMPP, only the path to the POT directory (which is logical, btw...).
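Why the patch above matters, as an added example that is not code from the thread or from POT: when a PDOException escapes uncaught, PHP prints the exception message followed by a stack trace, and that trace lists each frame's arguments, so the frame `PDO->__construct('mysql:host=...', 'user', 'password')` puts the database user and password straight into the visitor's browser. The script below reproduces that against a deliberately unreachable SQLite path (so it runs without a MySQL server), then shows the hardened shape: catch the exception, log a credential-free line on the server, and show the visitor only a generic message. The DSN, user name, password and helper names are made up for this demo. Two caveats a practitioner should know: PHP 7.4 added the `zend.exception_ignore_args` ini setting that strips arguments from traces (the production php.ini template turns it on, the development one does not), and `display_errors` should be off on a live server regardless; the try/catch is still the right fix because it does not depend on either setting being correct.

```php
<?php
// Added example (not POT code). Shows why an uncaught PDOException leaks
// credentials and what a safe catch looks like.

// Constructed settings for the demo: a non-existent directory makes the PDO
// constructor fail without needing a real MySQL server.  User and password
// are hypothetical; the password is kept under 15 characters because PHP
// truncates longer string arguments in the trace text.
$params = array(
    'dsn'      => 'sqlite:/nonexistent-dir/demo.sqlite',
    'user'     => 'otserv',
    'password' => 'S3cretPassw0rd',
);

// Defence in depth: never print PHP errors to the browser on a production
// box; log them instead.  These are standard php.ini directives.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Naive connect: the PDOException propagates.  If nothing catches it, PHP's
 * fatal-error output includes the trace with call arguments: DSN, user, password.
 */
function connectUnsafe($dsn, $user, $password)
{
    return new PDO($dsn, $user, $password);
}

/**
 * Hardened connect: catch here, log a line without the password, and hand the
 * caller a generic failure instead of an exception carrying the credentials.
 */
function connectSafe($dsn, $user, $password)
{
    try {
        return new PDO($dsn, $user, $password);
    } catch (PDOException $e) {
        // getMessage() is the driver text (e.g. "unable to open database file",
        // "Access denied for user 'x'@'host'") and does not contain the password;
        // the trace would, so only the message and the DSN are logged.
        error_log('DB connection failed (' . $dsn . '): ' . $e->getMessage());
        return null;
    }
}

/** True if the exception's trace text contains the given secret. */
function traceLeaks(PDOException $e, $secret)
{
    return strpos($e->getTraceAsString(), $secret) !== false;
}

// 1) What the trace of the unhandled path carries.
try {
    connectUnsafe($params['dsn'], $params['user'], $params['password']);
} catch (PDOException $e) {
    echo 'Trace contains the password: '
        . (traceLeaks($e, $params['password']) ? 'YES' : 'no (zend.exception_ignore_args is on)')
        . "\n";
    echo $e->getTraceAsString() . "\n";
}

// 2) The hardened path: the visitor sees a generic message, details go to the log.
$db = connectSafe($params['dsn'], $params['user'], $params['password']);
if ($db === null) {
    echo "Can't connect to the database. Please try again later.\n";
    exit(1);
}
```

Run it from the command line with `php leak-demo.php`; on a default CLI build (no php.ini) the first line prints YES and the trace shows the password literally, which is exactly what a visitor would have seen from an unpatched POT when MySQL was down or the credentials were wrong.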
 
I'm getting this error now when I try to get on my acc maker site:
Code:
Parse error: syntax error, unexpected '}' in C:\xampp\htdocs\pot\OTS_DB_MySQL.php on line 110

Highlighted below (marked in the code) is where I entered it:
Code:
<?php

/**#@+
 * @version 0.0.1
 * @since 0.0.1
 */

/**
 * @package POT
 * @version 0.0.6
 * @author Wrzasq <[email protected]>
 * @copyright 2007 (C) by Wrzasq
 * @license http://www.gnu.org/licenses/lgpl-3.0.txt GNU Lesser General Public License, Version 3
 */

/**
 * MySQL connection interface.
 * 
 * @package POT
 * @version 0.0.6
 */
class OTS_DB_MySQL extends PDO implements IOTS_DB
{
/**
 * Tables prefix.
 * 
 * @var string
 */
    private $prefix = '';

/**
 * Creates database connection.
 * 
 * Connects to MySQL database on given arguments.
 * 
 * <p>
 * List of parameters for this drivers:
 * </p>
 * 
 * - <var>host</var> - database server.
 * - <var>port</var> - port (optional, also it is possible to use host:port in <var>host</var> parameter).
 * - <var>database</var> - database name.
 * - <var>user</var> - user login.
 * - <var>password</var> - user password.
 * 
 * @version 0.0.6
 * @param array $params Connection parameters.
 * @see POT::connect()
 */
    public function __construct($params)
    {
        $user = null;
        $password = null;
        $dns = array();

        // host:port support
        // (strpos() takes (haystack, needle); the library had the two swapped,
        // so host:port in the host parameter was never detected)
        if( strpos($params['host'], ':') !== false)
        {
            $host = explode(':', $params['host'], 2);

            $params['host'] = $host[0];
            $params['port'] = $host[1];
        }

        if( isset($params['host']) )
        {
            $dns[] = 'host=' . $params['host'];
        }

        if( isset($params['port']) )
        {
            $dns[] = 'port=' . $params['port'];
        }

        if( isset($params['database']) )
        {
            $dns[] = 'dbname=' . $params['database'];
        }

        if( isset($params['user']) )
        {
            $user = $params['user'];
        }

        if( isset($params['password']) )
        {
            $password = $params['password'];
        }

        if( isset($params['prefix']) )
        {
            $this->prefix = $params['prefix'];
        }

        // --- edited section (was highlighted in bold) ---
        // PDO constructor
        try
        {
            parent::__construct('mysql:' . implode(';', $dns), $user, $password);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to MySQL database.';
            exit;
        }
    }
    // --- end of edited section ---

    }   // stray brace left over from the old code: this one closes the class early
    }   // stray brace: this one triggers "unexpected '}'" (both removed, see EDIT below)

/**
 * Query-quoted field name.
 * 
 * @param string $name Field name.
 * @return string Quoted name.
 */
    public function fieldName($name)
    {
        return '`' . $name . '`';
    }

/**
 * Query-quoted table name.
 * 
 * @param string $name Table name.
 * @return string Quoted name.
 */
    public function tableName($name)
    {
        return $this->fieldName($this->prefix . $name);
    }

/**
 * IOTS_DB method.
 * 
 * Overwrites PDO method - we won't use quoting against other values.
 * 
 * @param string $string String to be quoted.
 * @return string Quoted string.
 * @internal bridge over ISQL_DB and PDO.
 * @deprecated 0.0.5 Use PDO::quote().
 * @version 0.0.7
 */
    public function SQLquote($string)
    {
        // PDO_PARAM_STR is the pre-PHP 5.1 spelling of this constant; PDO::PARAM_STR is current
        return parent::quote($string, PDO::PARAM_STR);
    }

/**
 * IOTS_DB method.
 * 
 * Overwrites PDO method.
 * 
 * @param string $query SQL query.
 * @return PDOStatement|bool Query results.
 * @internal bridge over ISQL_DB and PDO.
 * @deprecated 0.0.5 Use PDO::query().
 */
    public function SQLquery($query)
    {
        return parent::query($query);
    }

/**
 * LIMIT/OFFSET clause for queries.
 * 
 * @param int|bool $limit Limit of rows to be affected by query (false if no limit).
 * @param int|bool $offset Number of rows to be skipped before applying query effects (false if no offset).
 * @return string LIMIT/OFFSET SQL clause for query.
 */
    public function limit($limit = false, $offset = false)
    {
        // by default this is empty part
        $sql = '';

        if($limit !== false)
        {
            $sql = ' LIMIT ';

            // OFFSET has no effect if there is no LIMIT
            if($offset !== false)
            {
                $sql .= $offset . ', ';
            }

            $sql .= $limit;
        }

        return $sql;
    }
}

/**#@-*/

?>

EDIT: Wow, it actually took 2 seconds to look at it myself in Word and just take off the two }'s after the edit. For some reason it was showing up all jumbled and weird so it was hard to tell what was going on, but I think I fixed it!
 
Yes! Watch out for security when you have POT!
 
Code:
<?php

/**#@+
 * @version 0.0.1
 */

/**
 * @package POT
 * @version 0.1.3
 * @author Wrzasq <[email protected]>
 * @copyright 2007 (C) by Wrzasq
 * @license http://www.gnu.org/licenses/lgpl-3.0.txt GNU Lesser General Public License, Version 3
 */

/**
 * MySQL connection interface.
 *
 * <p>
 * At all everything that you really need to read from this class documentation is list of parameters for driver's constructor.
 * </p>
 *
 * @package POT
 * @version 0.1.3
 */
class OTS_DB_MySQL extends OTS_Base_DB
{
/**
 * Creates database connection.
 *
 * <p>
 * Connects to MySQL database on given arguments.
 * </p>
 *
 * <p>
 * List of parameters for this drivers:
 * </p>
 *
 * <ul>
 * <li><var>host</var> - database server.</li>
 * <li><var>port</var> - port (optional, also it is possible to use host:port in <var>host</var> parameter).</li>
 * <li><var>database</var> - database name.</li>
 * <li><var>user</var> - user login.</li>
 * <li><var>password</var> - user password.</li>
 * </ul>
 *
 * @version 0.0.6
 * @param array $params Connection parameters.
 * @throws PDOException On PDO operation error.
 */
    public function __construct($params)
    {
        $user = null;
        $password = null;
        $dns = array();

        // host:port support
        // (strpos() takes (haystack, needle); the library had the two swapped,
        // so host:port in the host parameter was never detected)
        if( strpos($params['host'], ':') !== false)
        {
            $host = explode(':', $params['host'], 2);

            $params['host'] = $host[0];
            $params['port'] = $host[1];
        }

        if( isset($params['host']) )
        {
            $dns[] = 'host=' . $params['host'];
        }

        if( isset($params['port']) )
        {
            $dns[] = 'port=' . $params['port'];
        }

        if( isset($params['database']) )
        {
            $dns[] = 'dbname=' . $params['database'];
        }

        if( isset($params['user']) )
        {
            $user = $params['user'];
        }

        if( isset($params['password']) )
        {
            $password = $params['password'];
        }

        if( isset($params['prefix']) )
        {
            $this->prefix = $params['prefix'];
        }

        // PDO constructor
        try
        {
            parent::__construct('mysql:' . implode(';', $dns), $user, $password);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to MySQL database.';
            exit;
        }
    }

/**
 * Query-quoted field name.
 *
 * @param string $name Field name.
 * @return string Quoted name.
 */
    public function fieldName($name)
    {
        return '`' . $name . '`';
    }

/**
 * LIMIT/OFFSET clause for queries.
 *
 * @param int|bool $limit Limit of rows to be affected by query (false if no limit).
 * @param int|bool $offset Number of rows to be skipped before applying query effects (false if no offset).
 * @return string LIMIT/OFFSET SQL clause for query.
 */
    public function limit($limit = false, $offset = false)
    {
        // by default this is empty part
        $sql = '';

        if($limit !== false)
        {
            $sql = ' LIMIT ';

            // OFFSET has no effect if there is no LIMIT
            if($offset !== false)
            {
                $sql .= $offset . ', ';
            }

            $sql .= $limit;
        }

        return $sql;
    }
}

/**#@-*/

?>

Is it good?
 
I agree with the information:

Code:
        // PDO constructor
        try
        {
            parent::__construct('sqlite:' . $params['database']);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to SQLite database.';
            exit;
        }
 
BAD PROGRAMMING.

Well, using exceptions to report errors is, in my opinion, a bad programming practice as well. However, it's very common practice in object-oriented languages so I tend to overlook it.

I will not overlook expensive protective operations put into a software library, moreover defining fault handling operations in-library.
Your code should have these try/catches, so you can decide what to do. Adding this functionality to the library is, as I said above, BAD PROGRAMMING.
 
BAD PROGRAMMING.

Well, using exceptions to report errors is, in my opinion, a bad programming practice as well. However, it's very common practice in object-oriented languages so I tend to overlook it.
Exceptions are common practice in OOP languages because they make a lot of sense in them. Exceptions are much cleaner than returning error codes from functions.

For example, in the lifecycle of a website script we will connect to the database, run a couple of queries and render a page to show to the user. In case we can't get a connection to the database or a query results in an error, we can easily catch both types of errors from one place in the execution cycle instead of manually checking if mysql_connect or mysql_query returned true or false every single time we use those functions and then executing some kind of error handling logic.
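The shape argued for in the two replies above (the library throws, the application decides, and connection and query failures are caught at one place in the page lifecycle), as an added example that is not POT code and not from the thread: `DemoDb` is a stand-in wrapper with no error handling of its own, and `renderPage()` is the single application-level boundary. It uses an in-memory SQLite database with constructed sample rows so it runs without a server, and a flag that queries a missing table to show that query errors land in the same catch as connection errors. All names here are this example's own.

```php
<?php
// Added example (not POT code). The library throws; the application decides.

/**
 * Library-style wrapper: deliberately no try/catch in here.  Every failure
 * reaches the caller as a PDOException, which is what the reply argues for.
 */
class DemoDb
{
    private $pdo;

    public function __construct($dsn, $user = null, $password = null)
    {
        $this->pdo = new PDO($dsn, $user, $password);
        // Make query failures throw as well, instead of returning false silently.
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    /** Prepared query; parameters are bound, never concatenated. */
    public function query($sql, array $args = array())
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($args);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

/**
 * Application-level boundary: one place decides what the visitor sees and
 * what goes to the log.  $dsn is the connection string (hypothetical values
 * below); $badQuery forces a query error to show it reaches the same catch.
 */
function renderPage($dsn, $badQuery = false)
{
    try {
        $db = new DemoDb($dsn);

        // Constructed sample data standing in for an OT "accounts" table.
        $db->query('CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT)');
        $db->query('INSERT INTO accounts (name) VALUES (?)', array('alice'));
        $db->query('INSERT INTO accounts (name) VALUES (?)', array('bob'));

        // Table name is chosen from two fixed literals here, not from user input.
        $table = $badQuery ? 'no_such_table' : 'accounts';
        $rows  = $db->query('SELECT id, name FROM ' . $table . ' ORDER BY id');

        return array('status' => 200, 'body' => count($rows) . ' account(s)');
    } catch (PDOException $e) {
        // Driver details (DSN, table names, SQLSTATE) go to the server log only;
        // the visitor gets a generic page with nothing about the database in it.
        error_log('Page failed: ' . get_class($e) . ': ' . $e->getMessage());
        return array('status' => 500, 'body' => 'Service temporarily unavailable.');
    }
}

// Happy path, query failure and connection failure all land in the same catch.
print_r(renderPage('sqlite::memory:'));                      // status 200, "2 account(s)"
print_r(renderPage('sqlite::memory:', true));                // status 500, query error logged
print_r(renderPage('sqlite:/nonexistent-dir/demo.sqlite'));  // status 500, connect error logged
```

Compare this with the patch at the top of the thread: there the catch sits inside `OTS_DB_MySQL::__construct()` and calls `exit`, so an AAC built on POT can neither show its own error page nor log anything. Setting `PDO::ATTR_ERRMODE` to `ERRMODE_EXCEPTION` is what makes the single boundary cover queries too; without it a failed query returns `false` and the code after it carries on with bad data.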
 
I get this problem:
Code:
Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Paris' for '2.0/DST' instead in C:\xampp\htdocs\pot\OTS_Account.php on line 396

Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Paris' for '2.0/DST' instead in C:\xampp\htdocs\pot\OTS_Account.php on line 396

Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Paris' for '2.0/DST' instead in C:\xampp\htdocs\pot\OTS_Account.php on line 396

Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Paris' for '2.0/DST' instead in C:\xampp\htdocs\pot\OTS_Account.php on line 396

Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Paris' for '2.0/DST' instead in C:\xampp\htdocs\accountmanagement.php on line 52

Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Paris' for '2.0/DST' instead in C:\xampp\htdocs\accoun
 