Fix multiple (potential) SQL Injections

src/messenger/webim/libs/chat.php

@@ -60,13 +60,13 @@ function post_message_($threadid, $kind, $message, $link, $from = null, $utime =
 {
 	global $mysqlprefix;
 	$query = sprintf(
-		"insert into ${mysqlprefix}chatmessage (threadid,ikind,tmessage,tname,agentId,dtmcreated) values (%s, %s,'%s',%s,%s,%s)",
+		"insert into ${mysqlprefix}chatmessage (threadid,ikind,tmessage,tname,agentId,dtmcreated) values (%s,%s,'%s',%s,%s,%s)",
-		$threadid,
+		intval($threadid),
-		$kind,
+		intval($kind),
 		mysql_real_escape_string($message, $link),
 		$from ? "'" . mysql_real_escape_string($from, $link) . "'" : "null",
-		$opid ? $opid : "0",
+		$opid ? intval($opid) : "0",
-		$utime ? "FROM_UNIXTIME($utime)" : "CURRENT_TIMESTAMP");
+		$utime ? "FROM_UNIXTIME(" . intval($utime) . ")" : "CURRENT_TIMESTAMP");
 
 	perform_query($query, $link);
 	return mysql_insert_id($link);
@@ -125,7 +125,7 @@ function get_messages($threadid, $meth, $isuser, &$lastid)
 	$query = sprintf(
 		"select messageid,ikind,unix_timestamp(dtmcreated) as created,tname,tmessage from ${mysqlprefix}chatmessage " .
 		"where threadid = %s and messageid > %s %s order by messageid",
-		$threadid, $lastid, $isuser ? "and ikind <> $kind_for_agent" : "");
+		intval($threadid), intval($lastid), $isuser ? "and ikind <> " . intval($kind_for_agent) : "");
 
 	$messages = array();
 	$msgs = select_multi_assoc($query, $link);
@@ -392,7 +392,7 @@ function load_canned_messages($locale, $groupid)
 	global $mysqlprefix;
 	$link = connect();
 	$result = select_multi_assoc(
-		"select vcvalue from ${mysqlprefix}chatresponses where locale = '$locale' " .
+		"select vcvalue from ${mysqlprefix}chatresponses where locale = '" . mysql_real_escape_string($locale, $link) . "' " .
 		"AND (groupid is NULL OR groupid = 0) order by vcvalue", $link);
 	if (count($result) == 0) {
 		foreach (explode("\n", getstring_('chat.predefined_answers', $locale)) as $answer) {
@@ -401,8 +401,8 @@ function load_canned_messages($locale, $groupid)
 	}
 	if ($groupid) {
 		$result2 = select_multi_assoc(
-			"select vcvalue from ${mysqlprefix}chatresponses where locale = '$locale' " .
+			"select vcvalue from ${mysqlprefix}chatresponses where locale = '" . mysql_real_escape_string($locale, $link) . "' " .
-			"AND groupid = $groupid order by vcvalue", $link);
+			"AND groupid = " . intval($groupid) . " order by vcvalue", $link);
 		foreach ($result as $r) {
 			$result2[] = $r;
 		}
@@ -461,11 +461,11 @@ function update_thread_access($threadid, $params, $link)
 	foreach ($params as $k => $v) {
 		if (strlen($clause) > 0)
 			$clause .= ", ";
-		$clause .= $k . "=" . $v;
+		$clause .= "`" . mysql_real_escape_string($k, $link) . "`='" . mysql_real_escape_string($v, $link) . "'";
 	}
 	perform_query(
 		"update ${mysqlprefix}chatthread set $clause " .
-		"where threadid = $threadid", $link);
+		"where threadid = " . intval($threadid), $link);
 }
 
 function ping_thread($thread, $isuser, $istyping)
@@ -509,11 +509,11 @@ function ping_thread($thread, $isuser, $istyping)
 function commit_thread($threadid, $params, $link)
 {
 	global $mysqlprefix;
-	$query = "update ${mysqlprefix}chatthread t set lrevision = " . next_revision($link) . ", dtmmodified = CURRENT_TIMESTAMP";
+	$query = "update ${mysqlprefix}chatthread t set lrevision = " . intval(next_revision($link)) . ", dtmmodified = CURRENT_TIMESTAMP";
 	foreach ($params as $k => $v) {
-		$query .= ", " . $k . "=" . $v;
+		$query .= ", `" . mysql_real_escape_string($k, $link) . "`='" . mysql_real_escape_string($v, $link) . "'";
 	}
-	$query .= " where threadid = $threadid";
+	$query .= " where threadid = " . intval($threadid);
 
 	perform_query($query, $link);
 }
@@ -555,10 +555,16 @@ function close_old_threads($link)
 		return;
 	}
 	$next_revision = next_revision($link);
-	$query = "update ${mysqlprefix}chatthread set lrevision =  $next_revision, dtmmodified = CURRENT_TIMESTAMP, istate = $state_closed " .
+	$query = sprintf("update ${mysqlprefix}chatthread set lrevision = %s, dtmmodified = CURRENT_TIMESTAMP, istate =  %s " .
-			"where istate <> $state_closed and istate <> $state_left and lastpingagent <> 0 and lastpinguser <> 0 and " .
+			"where istate <> %s and istate <> %s and lastpingagent <> 0 and lastpinguser <> 0 and " .
-			"(ABS(UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - UNIX_TIMESTAMP(lastpinguser)) > " . $settings['thread_lifetime'] . " and " .
+			"(ABS(UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - UNIX_TIMESTAMP(lastpinguser)) > %s and " .
-			"ABS(UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - UNIX_TIMESTAMP(lastpingagent)) > " . $settings['thread_lifetime'] . ")";
+			"ABS(UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - UNIX_TIMESTAMP(lastpingagent)) > %s)",
+			intval($next_revision),
+			intval($state_closed),
+			intval($state_closed),
+			intval($state_left),
+			intval($settings['thread_lifetime']),
+			intval($settings['thread_lifetime']));
 
 	perform_query($query, $link);
 }
@@ -569,7 +575,7 @@ function thread_by_id_($id, $link)
 	return select_one_row("select threadid,userName,agentName,agentId,lrevision,istate,ltoken,userTyping,agentTyping" .
 						  ",unix_timestamp(dtmmodified) as modified, unix_timestamp(dtmcreated) as created" .
 						  ",remote,referer,locale,unix_timestamp(lastpinguser) as lpuser,unix_timestamp(lastpingagent) as lpagent, unix_timestamp(CURRENT_TIMESTAMP) as current,nextagent,shownmessageid,userid,userAgent,groupid" .
-						  " from ${mysqlprefix}chatthread where threadid = " . $id, $link);
+						  " from ${mysqlprefix}chatthread where threadid = " . intval($id), $link);
 }
 
 function ban_for_addr_($addr, $link)
@@ -591,15 +597,16 @@ function create_thread($groupid, $username, $remoteHost, $referer, $lang, $useri
 	global $mysqlprefix;
 	$query = sprintf(
 		"insert into ${mysqlprefix}chatthread (userName,userid,ltoken,remote,referer,lrevision,locale,userAgent,dtmcreated,dtmmodified,istate" . ($groupid ? ",groupid" : "") . ") values " .
-		"('%s','%s',%s,'%s','%s',%s,'%s','%s',CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,$initialState" . ($groupid ? ",$groupid" : "") . ")",
+		"('%s',%s,%s,'%s','%s',%s,'%s','%s',CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,%s" . ($groupid ? "," . intval($groupid) : "") . ")",
 		mysql_real_escape_string($username, $link),
-		mysql_real_escape_string($userid, $link),
+		intval($userid),
-		next_token(),
+		intval(next_token()),
 		mysql_real_escape_string($remoteHost, $link),
 		mysql_real_escape_string($referer, $link),
-		next_revision($link),
+		intval(next_revision($link)),
 		mysql_real_escape_string($lang, $link),
-		mysql_real_escape_string($userbrowser, $link));
+		mysql_real_escape_string($userbrowser, $link),
+		intval($initialState));
 
 	perform_query($query, $link);
 	$id = mysql_insert_id($link);
@@ -710,7 +717,7 @@ function notify_operators($thread, $firstmessage, $link)
 		$groupid = $thread['groupid'];
 		$query = "select ${mysqlprefix}chatoperator.operatorid as opid, inotify, vcjabbername, vcemail, (unix_timestamp(CURRENT_TIMESTAMP)-unix_timestamp(dtmlastvisited)) as time from ${mysqlprefix}chatoperator";
 		if ($groupid) {
-			$query .= ", ${mysqlprefix}chatgroupoperator where groupid = $groupid and ${mysqlprefix}chatoperator.operatorid = ${mysqlprefix}chatgroupoperator.operatorid and istatus = 0";
+			$query .= ", ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid) . " and ${mysqlprefix}chatoperator.operatorid = ${mysqlprefix}chatgroupoperator.operatorid and istatus = 0";
 		} else {
 			$query .= " where istatus = 0";
 		}
@@ -739,7 +746,7 @@ function check_connections_from_remote($remote, $link)
 	}
 	$result = select_one_row(
 		"select count(*) as opened from ${mysqlprefix}chatthread " .
-		"where remote = '" . mysql_real_escape_string($remote, $link) . "' AND istate <> $state_closed AND istate <> $state_left", $link);
+		"where remote = '" . mysql_real_escape_string($remote, $link) . "' AND istate <> " . intval($state_closed) . " AND istate <> " . intval($state_left), $link);
 	if ($result && isset($result['opened'])) {
 		return $result['opened'] < $settings['max_connections_from_one_host'];
 	}

src/messenger/webim/libs/common.php

@@ -352,7 +352,7 @@ function connect()
 		or die('Could not connect: ' . mysql_error());
 	mysql_select_db($mysqldb, $link) or die('Could not select database');
 	if ($force_charset_in_connection) {
-		mysql_query("SET NAMES '$dbencoding'", $link);
+		mysql_query("SET NAMES '" . mysql_real_escape_string($dbencoding, $link) . "'", $link);
 	}
 	return $link;
 }

src/messenger/webim/libs/groups.php

@@ -20,7 +20,7 @@ function group_by_id($id)
 	global $mysqlprefix;
 	$link = connect();
 	$group = select_one_row(
-		"select * from ${mysqlprefix}chatgroup where groupid = $id", $link);
+		"select * from ${mysqlprefix}chatgroup where groupid = " . intval($id), $link);
 	mysql_close($link);
 	return $group;
 }
@@ -53,7 +53,7 @@ function get_operator_groupslist($operatorid, $link)
 	global $settings, $mysqlprefix;
 	if ($settings['enablegroups'] == '1') {
 		$groupids = array(0);
-		$allgroups = select_multi_assoc("select groupid from ${mysqlprefix}chatgroupoperator where operatorid = $operatorid order by groupid", $link);
+		$allgroups = select_multi_assoc("select groupid from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($operatorid) . " order by groupid", $link);
 		foreach ($allgroups as $g) {
 			$groupids[] = $g['groupid'];
 		}

src/messenger/webim/libs/notify.php

@@ -20,12 +20,12 @@ function log_notification($locale, $kind, $to, $subj, $text, $refop, $link)
 	global $mysqlprefix;
 	$query = sprintf(
 		"insert into ${mysqlprefix}chatnotification (locale,vckind,vcto,vcsubject,tmessage,refoperator,dtmcreated) values ('%s','%s','%s','%s','%s',%s,%s)",
-		$locale,
+		mysql_real_escape_string($locale, $link),
-		$kind,
+		mysql_real_escape_string($kind, $link),
 		mysql_real_escape_string($to, $link),
 		mysql_real_escape_string($subj, $link),
 		mysql_real_escape_string($text, $link),
-		$refop ? $refop : "0",
+		$refop ? intval($refop) : "0",
 		"CURRENT_TIMESTAMP");
 
 	perform_query($query, $link);

src/messenger/webim/libs/operator.php

@@ -53,7 +53,7 @@ function operator_by_id_($id, $link)
 {
 	global $mysqlprefix;
 	return select_one_row(
-		"select * from ${mysqlprefix}chatoperator where operatorid = $id", $link);
+		"select * from ${mysqlprefix}chatoperator where operatorid = " . intval($id), $link);
 }
 
 function operator_by_id($id)
@@ -102,14 +102,14 @@ function update_operator($operatorid, $login, $email, $jabber, $password, $local
 		"update ${mysqlprefix}chatoperator set vclogin = '%s',%s vclocalename = '%s', vccommonname = '%s'" .
 		", vcemail = '%s', vcjabbername= '%s', inotify = %s" .
 		" where operatorid = %s",
-		mysql_real_escape_string($login),
+		mysql_real_escape_string($login, $link),
 		($password ? " vcpassword='" . md5($password) . "'," : ""),
-		mysql_real_escape_string($localename),
+		mysql_real_escape_string($localename, $link),
-		mysql_real_escape_string($commonname),
+		mysql_real_escape_string($commonname, $link),
-		mysql_real_escape_string($email),
+		mysql_real_escape_string($email, $link),
-		mysql_real_escape_string($jabber),
+		mysql_real_escape_string($jabber, $link),
-		$notify,
+		intval($notify),
-		$operatorid);
+		intval($operatorid));
 
 	perform_query($query, $link);
 	mysql_close($link);
@@ -121,7 +121,7 @@ function update_operator_avatar($operatorid, $avatar)
 	$link = connect();
 	$query = sprintf(
 		"update ${mysqlprefix}chatoperator set vcavatar = '%s' where operatorid = %s",
-		mysql_real_escape_string($avatar), $operatorid);
+		mysql_real_escape_string($avatar, $link), intval($operatorid));
 
 	perform_query($query, $link);
 	mysql_close($link);
@@ -132,19 +132,19 @@ function create_operator_($login, $email, $jabber, $password, $localename, $comm
 	global $mysqlprefix;
 	$query = sprintf(
 		"insert into ${mysqlprefix}chatoperator (vclogin,vcpassword,vclocalename,vccommonname,vcavatar,vcemail,vcjabbername,inotify) values ('%s','%s','%s','%s','%s','%s','%s',%s)",
-		mysql_real_escape_string($login),
+		mysql_real_escape_string($login, $link),
 		md5($password),
-		mysql_real_escape_string($localename),
+		mysql_real_escape_string($localename, $link),
-		mysql_real_escape_string($commonname),
+		mysql_real_escape_string($commonname, $link),
-		mysql_real_escape_string($avatar),
+		mysql_real_escape_string($avatar, $link),
-		mysql_real_escape_string($email),
+		mysql_real_escape_string($email, $link),
-		mysql_real_escape_string($jabber),
+		mysql_real_escape_string($jabber, $link),
-		$notify);
+		intval($notify));
 
 	perform_query($query, $link);
 	$id = mysql_insert_id($link);
 
-	return select_one_row("select * from ${mysqlprefix}chatoperator where operatorid = $id", $link);
+	return select_one_row("select * from ${mysqlprefix}chatoperator where operatorid = " . intval($id), $link);
 }
 
 function create_operator($login, $email, $jabber, $password, $localename, $commonname, $notify, $avatar)
@@ -159,7 +159,7 @@ function notify_operator_alive($operatorid, $istatus)
 {
 	global $mysqlprefix;
 	$link = connect();
-	perform_query("update ${mysqlprefix}chatoperator set istatus = $istatus, dtmlastvisited = CURRENT_TIMESTAMP where operatorid = $operatorid", $link);
+	perform_query(sprintf("update ${mysqlprefix}chatoperator set istatus = %s, dtmlastvisited = CURRENT_TIMESTAMP where operatorid = %s", intval($istatus), intval($operatorid)), $link);
 	mysql_close($link);
 }
 
@@ -170,7 +170,7 @@ function has_online_operators($groupid = "")
 	$link = connect();
 	$query = "select count(*) as total, min(unix_timestamp(CURRENT_TIMESTAMP)-unix_timestamp(dtmlastvisited)) as time from ${mysqlprefix}chatoperator";
 	if ($groupid) {
-		$query .= ", ${mysqlprefix}chatgroupoperator where groupid = $groupid and ${mysqlprefix}chatoperator.operatorid = " .
+		$query .= ", ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid) . " and ${mysqlprefix}chatoperator.operatorid = " .
 				  "${mysqlprefix}chatgroupoperator.operatorid and istatus = 0";
 	} else {
 		$query .= " where istatus = 0";
@@ -185,7 +185,7 @@ function is_operator_online($operatorid, $link)
 	global $settings, $mysqlprefix;
 	loadsettings_($link);
 	$query = "select count(*) as total, min(unix_timestamp(CURRENT_TIMESTAMP)-unix_timestamp(dtmlastvisited)) as time " .
-			 "from ${mysqlprefix}chatoperator where operatorid = $operatorid";
+			 "from ${mysqlprefix}chatoperator where operatorid = " . intval($operatorid);
 	$row = select_one_row($query, $link);
 	return $row['time'] < $settings['online_timeout'] && $row['total'] == 1;
 }
@@ -289,7 +289,7 @@ function setup_redirect_links($threadid, $token)
 
 	$operators = select_multi_assoc(db_build_select(
 										"operatorid, vclogin, vclocalename, vccommonname, istatus, (unix_timestamp(CURRENT_TIMESTAMP)-unix_timestamp(dtmlastvisited)) as time",
-										"${mysqlprefix}chatoperator", array(), "order by vclogin $limit"), $link);
+										"${mysqlprefix}chatoperator", array(), "order by vclogin " . $limit), $link);
 
 	$groups = array_slice($groups, $p['start'], $p['end'] - $p['start']);
 	mysql_close($link);
@@ -398,7 +398,7 @@ function get_operator_groupids($operatorid)
 {
 	global $mysqlprefix;
 	$link = connect();
-	$query = "select groupid from ${mysqlprefix}chatgroupoperator where operatorid = $operatorid";
+	$query = "select groupid from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($operatorid);
 	$result = select_multi_assoc($query, $link);
 	mysql_close($link);
 	return $result;

src/messenger/webim/libs/pagination.php

@@ -36,13 +36,15 @@ function prepare_pagination($items_count, $default_items_per_page = 15)
 {
 	global $page;
 
+	$items_count = intval($items_count);
+
 	if ($items_count) {
-		$items_per_page = verifyparam("items", "/^\d{1,3}$/", $default_items_per_page);
+		$items_per_page = intval(verifyparam("items", "/^\d{1,3}$/", $default_items_per_page));
 		if ($items_per_page < 2)
 			$items_per_page = 2;
 
 		$total_pages = div($items_count + $items_per_page - 1, $items_per_page);
-		$curr_page = verifyparam("page", "/^\d{1,6}$/", 1);
+		$curr_page = intval(verifyparam("page", "/^\d{1,6}$/", 1));
 
 		if ($curr_page < 1)
 			$curr_page = 1;

src/messenger/webim/libs/settings.php

@@ -21,9 +21,9 @@ function update_settings()
 	$link = connect();
 	foreach ($settings as $key => $value) {
 		if (!isset($settings_in_db[$key])) {
-			perform_query("insert into ${mysqlprefix}chatconfig (vckey) values ('$key')", $link);
+			perform_query("insert into ${mysqlprefix}chatconfig (vckey) values ('" . mysql_real_escape_string($key, $link) . "')", $link);
 		}
-		$query = sprintf("update ${mysqlprefix}chatconfig set vcvalue='%s' where vckey='$key'", mysql_real_escape_string($value));
+		$query = sprintf("update ${mysqlprefix}chatconfig set vcvalue='%s' where vckey='%s'", mysql_real_escape_string($value, $link), mysql_real_escape_string($key, $link));
 		perform_query($query, $link);
 	}
 

src/messenger/webim/operator/ban.php

@@ -63,16 +63,17 @@ if (isset($_POST['address'])) {
 		if (!$banId) {
 			$query = sprintf(
 				"insert into ${mysqlprefix}chatban (dtmcreated,dtmtill,address,comment) values (CURRENT_TIMESTAMP,%s,'%s','%s')",
-				"FROM_UNIXTIME($utime)",
+				"FROM_UNIXTIME(" . intval($utime) . ")",
 				mysql_real_escape_string($address, $link),
 				mysql_real_escape_string($comment, $link));
 			perform_query($query, $link);
 		} else {
 			$query = sprintf(
-				"update ${mysqlprefix}chatban set dtmtill = %s,address = '%s',comment = '%s' where banid = $banId",
+				"update ${mysqlprefix}chatban set dtmtill = %s,address = '%s',comment = '%s' where banid = %s",
-				"FROM_UNIXTIME($utime)",
+				"FROM_UNIXTIME(" . intval($utime) . ")",
 				mysql_real_escape_string($address, $link),
-				mysql_real_escape_string($comment, $link));
+				mysql_real_escape_string($comment, $link),
+				intval($banId));
 			perform_query($query, $link);
 		}
 		mysql_close($link);
@@ -94,7 +95,7 @@ if (isset($_POST['address'])) {
 } else if (isset($_GET['id'])) {
 	$banId = verifyparam('id', "/^\d{1,9}$/");
 	$link = connect();
-	$ban = select_one_row("select banid,(unix_timestamp(dtmtill)-unix_timestamp(CURRENT_TIMESTAMP)) as days,address,comment from ${mysqlprefix}chatban where banid = $banId", $link);
+	$ban = select_one_row("select banid,(unix_timestamp(dtmtill)-unix_timestamp(CURRENT_TIMESTAMP)) as days,address,comment from ${mysqlprefix}chatban where banid = " . intval($banId), $link);
 	mysql_close($link);
 
 	if ($ban) {

src/messenger/webim/operator/blocked.php

@@ -38,7 +38,7 @@ if (isset($_GET['act']) && $_GET['act'] == 'del') {
 	}
 
 	if (count($errors) == 0) {
-		perform_query("delete from ${mysqlprefix}chatban where banid = $banId", $link);
+		perform_query("delete from ${mysqlprefix}chatban where banid = " . intval($banId), $link);
 		header("Location: $webimroot/operator/blocked.php");
 		exit;
 	}

src/messenger/webim/operator/canned.php

@@ -33,9 +33,9 @@ function load_canned_messages($locale, $groupid)
 	global $mysqlprefix;
 	$link = connect();
 	$query = "select id, vcvalue from ${mysqlprefix}chatresponses " .
-			 "where locale = '" . $locale . "' AND (" .
+			 "where locale = '" . mysql_real_escape_string($locale, $link) . "' AND (" .
 			 ($groupid
-					 ? "groupid = $groupid"
+					 ? "groupid = " . intval($groupid)
 					 : "groupid is NULL OR groupid = 0") .
 			 ") order by vcvalue";
 
@@ -50,7 +50,7 @@ function load_canned_messages($locale, $groupid)
 				if ($i > 0) {
 					$updatequery .= ", ";
 				}
-				$updatequery .= "('" . mysql_real_escape_string($result[$i]['vcvalue'], $link) . "','$locale', NULL)";
+				$updatequery .= "('" . mysql_real_escape_string($result[$i]['vcvalue'], $link) . "','". mysql_real_escape_string($locale, $link) . "', NULL)";
 			}
 			perform_query($updatequery, $link);
 			$result = select_multi_assoc($query, $link);
@@ -108,7 +108,7 @@ if (isset($_GET['act']) && $_GET['act'] == 'delete') {
 
 	if (count($errors) == 0) {
 		$link = connect();
-		perform_query("delete from ${mysqlprefix}chatresponses where id = $key", $link);
+		perform_query("delete from ${mysqlprefix}chatresponses where id = " . intval($key), $link);
 		mysql_close($link);
 		header("Location: $webimroot/operator/canned.php?lang=$lang&group=$groupid");
 		exit;

src/messenger/webim/operator/cannededit.php

@@ -23,7 +23,7 @@ function load_message($key)
 {
 	global $mysqlprefix;
 	$link = connect();
-	$result = select_one_row("select vcvalue from ${mysqlprefix}chatresponses where id = $key", $link);
+	$result = select_one_row("select vcvalue from ${mysqlprefix}chatresponses where id = " . intval($key), $link);
 	mysql_close($link);
 	return $result ? $result['vcvalue'] : null;
 }
@@ -33,7 +33,7 @@ function save_message($key, $message)
 	global $mysqlprefix;
 	$link = connect();
 	perform_query("update ${mysqlprefix}chatresponses set vcvalue = '" . mysql_real_escape_string($message, $link) . "' " .
-				  "where id = $key", $link);
+				  "where id = " . intval($key), $link);
 	mysql_close($link);
 }
 
@@ -41,8 +41,8 @@ function add_message($locale, $groupid, $message)
 {
 	global $mysqlprefix;
 	$link = connect();
-	perform_query("insert into ${mysqlprefix}chatresponses (locale,groupid,vcvalue) values ('$locale'," .
+	perform_query("insert into ${mysqlprefix}chatresponses (locale,groupid,vcvalue) values ('" . mysql_real_escape_string($locale, $link) . "'," .
-				  ($groupid ? "$groupid, " : "null, ") .
+				  ($groupid ? intval($groupid) . ", " : "null, ") .
 				  "'" . mysql_real_escape_string($message, $link) . "')", $link);
 	mysql_close($link);
 }

src/messenger/webim/operator/group.php

@@ -41,16 +41,16 @@ function create_group($name, $descr, $commonname, $commondescr, $email)
 	$link = connect();
 	$query = sprintf(
 		"insert into ${mysqlprefix}chatgroup (vclocalname,vclocaldescription,vccommonname,vccommondescription,vcemail) values ('%s','%s','%s','%s','%s')",
-		mysql_real_escape_string($name),
+		mysql_real_escape_string($name, $link),
-		mysql_real_escape_string($descr),
+		mysql_real_escape_string($descr, $link),
-		mysql_real_escape_string($commonname),
+		mysql_real_escape_string($commonname, $link),
-		mysql_real_escape_string($commondescr),
+		mysql_real_escape_string($commondescr, $link),
-		mysql_real_escape_string($email));
+		mysql_real_escape_string($email, $link));
 
 	perform_query($query, $link);
 	$id = mysql_insert_id($link);
 
-	$newdep = select_one_row("select * from ${mysqlprefix}chatgroup where groupid = $id", $link);
+	$newdep = select_one_row("select * from ${mysqlprefix}chatgroup where groupid = " . intval($id), $link);
 	mysql_close($link);
 	return $newdep;
 }
@@ -61,12 +61,12 @@ function update_group($groupid, $name, $descr, $commonname, $commondescr, $email
 	$link = connect();
 	$query = sprintf(
 		"update ${mysqlprefix}chatgroup set vclocalname = '%s', vclocaldescription = '%s', vccommonname = '%s', vccommondescription = '%s', vcemail = '%s' where groupid = %s",
-		mysql_real_escape_string($name),
+		mysql_real_escape_string($name, $link),
-		mysql_real_escape_string($descr),
+		mysql_real_escape_string($descr, $link),
-		mysql_real_escape_string($commonname),
+		mysql_real_escape_string($commonname, $link),
-		mysql_real_escape_string($commondescr),
+		mysql_real_escape_string($commondescr, $link),
-		mysql_real_escape_string($email),
+		mysql_real_escape_string($email, $link),
-		$groupid);
+		intval($groupid));
 
 	perform_query($query, $link);
 	mysql_close($link);

src/messenger/webim/operator/groupmembers.php

@@ -26,7 +26,7 @@ function get_group_members($groupid)
 {
 	global $mysqlprefix;
 	$link = connect();
-	$query = "select operatorid from ${mysqlprefix}chatgroupoperator where groupid = $groupid";
+	$query = "select operatorid from ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid);
 	$result = select_multi_assoc($query, $link);
 	mysql_close($link);
 	return $result;
@@ -36,9 +36,9 @@ function update_group_members($groupid, $newvalue)
 {
 	global $mysqlprefix;
 	$link = connect();
-	perform_query("delete from ${mysqlprefix}chatgroupoperator where groupid = $groupid", $link);
+	perform_query("delete from ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid), $link);
 	foreach ($newvalue as $opid) {
-		perform_query("insert into ${mysqlprefix}chatgroupoperator (groupid, operatorid) values ($groupid,$opid)", $link);
+		perform_query(sprintf("insert into ${mysqlprefix}chatgroupoperator (groupid, operatorid) values (%s, %s)", intval($groupid), intval($opid)), $link);
 	}
 	mysql_close($link);
 }

src/messenger/webim/operator/groups.php

@@ -35,9 +35,9 @@ if (isset($_GET['act']) && $_GET['act'] == 'del') {
 
 	if (count($errors) == 0) {
 		$link = connect();
-		perform_query("delete from ${mysqlprefix}chatgroup where groupid = $groupid", $link);
+		perform_query("delete from ${mysqlprefix}chatgroup where groupid = " . intval($groupid), $link);
-		perform_query("delete from ${mysqlprefix}chatgroupoperator where groupid = $groupid", $link);
+		perform_query("delete from ${mysqlprefix}chatgroupoperator where groupid = " . intval($groupid), $link);
-		perform_query("update ${mysqlprefix}chatthread set groupid = 0 where groupid = $groupid", $link);
+		perform_query("update ${mysqlprefix}chatthread set groupid = 0 where groupid = " . intval($groupid), $link);
 		mysql_close($link);
 		header("Location: $webimroot/operator/groups.php");
 		exit;

src/messenger/webim/operator/notification.php

@@ -31,7 +31,7 @@ function notification_info($id)
 	$link = connect();
 	$notification = select_one_row(db_build_select(
 									   "id, locale, vckind, vcto, unix_timestamp(dtmcreated) as created, vcsubject, tmessage, refoperator", "${mysqlprefix}chatnotification",
-									   array("id = $id"), ""), $link);
+									   array("id = " . intval($id)), ""), $link);
 	mysql_close($link);
 	return $notification;
 }

src/messenger/webim/operator/notifications.php

@@ -54,10 +54,10 @@ $page['allkinds'] = array('', 'mail', 'xmpp');
 
 $conditions = array();
 if ($kind) {
-	$conditions[] = "vckind = '$kind'";
+	$conditions[] = "vckind = '" . mysql_real_escape_string($kind, $link) . "'";
 }
 if ($lang) {
-	$conditions[] = "locale = '$lang'";
+	$conditions[] = "locale = '" . mysql_real_escape_string($lang, $link) . "'";
 }
 
 $link = connect();

src/messenger/webim/operator/operators.php

@@ -47,8 +47,8 @@ if (isset($_GET['act']) && $_GET['act'] == 'del') {
 
 	if (count($errors) == 0) {
 		$link = connect();
-		perform_query("delete from ${mysqlprefix}chatgroupoperator where operatorid = $operatorid", $link);
+		perform_query("delete from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($operatorid), $link);
-		perform_query("delete from ${mysqlprefix}chatoperator where operatorid = $operatorid", $link);
+		perform_query("delete from ${mysqlprefix}chatoperator where operatorid = " . intval($operatorid), $link);
 		mysql_close($link);
 
 		header("Location: $webimroot/operator/operators.php");

src/messenger/webim/operator/opgroups.php

@@ -26,9 +26,9 @@ function update_operator_groups($operatorid, $newvalue)
 {
 	global $mysqlprefix;
 	$link = connect();
-	perform_query("delete from ${mysqlprefix}chatgroupoperator where operatorid = $operatorid", $link);
+	perform_query("delete from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($operatorid), $link);
 	foreach ($newvalue as $groupid) {
-		perform_query("insert into ${mysqlprefix}chatgroupoperator (groupid, operatorid) values ($groupid,$operatorid)", $link);
+		perform_query(sprintf("insert into ${mysqlprefix}chatgroupoperator (groupid, operatorid) values (%s,%s)", intval($groupid), intval($operatorid)), $link);
 	}
 	mysql_close($link);
 }

src/messenger/webim/operator/permissions.php

@@ -26,8 +26,7 @@ function update_operator_permissions($operatorid, $newvalue)
 {
 	global $mysqlprefix;
 	$link = connect();
-	$query = "update ${mysqlprefix}chatoperator set iperm = $newvalue where operatorid = $operatorid";
+	$query = sprintf("update ${mysqlprefix}chatoperator set iperm = %s where operatorid = %s", intval($newvalue), intval($operatorid));
-
 	perform_query($query, $link);
 	mysql_close($link);
 }

src/messenger/webim/operator/redirect.php

@@ -65,7 +65,7 @@ if (isset($_GET['nextGroup'])) {
 			$link = connect();
 			$threadupdate = array("istate" => $state_waiting, "nextagent" => $nextid, "agentId" => 0);
 			if ($thread['groupid'] != 0) {
-				if (FALSE === select_one_row("select groupid from ${mysqlprefix}chatgroupoperator where operatorid = $nextid and groupid = " . $thread['groupid'], $link)) {
+				if (FALSE === select_one_row("select groupid from ${mysqlprefix}chatgroupoperator where operatorid = " . intval($nextid) . " and groupid = " . intval($thread['groupid']), $link)) {
 					$threadupdate['groupid'] = 0;
 				}
 			}

src/messenger/webim/operator/resetpwd.php

@@ -49,7 +49,7 @@ if (count($errors) == 0 && isset($_POST['password'])) {
 		$page['isdone'] = true;
 
 		$link = connect();
-		$query = "update ${mysqlprefix}chatoperator set vcpassword = '" . md5($password) . "', vcrestoretoken = '' where operatorid = " . $opId;
+		$query = "update ${mysqlprefix}chatoperator set vcpassword = '" . md5($password) . "', vcrestoretoken = '' where operatorid = " . intval($opId);
 		perform_query($query, $link);
 		mysql_close($link);
 

src/messenger/webim/operator/restore.php

@@ -41,7 +41,7 @@ if (isset($_POST['loginoremail'])) {
 		$token = md5((time() + microtime()) . rand(0, 99999999));
 
 		$link = connect();
-		$query = "update ${mysqlprefix}chatoperator set dtmrestore = CURRENT_TIMESTAMP, vcrestoretoken = '$token' where operatorid = " . $torestore['operatorid'];
+		$query = sprintf("update ${mysqlprefix}chatoperator set dtmrestore = CURRENT_TIMESTAMP, vcrestoretoken = '%s' where operatorid = %s", mysql_real_escape_string($token, $link), intval($torestore['operatorid']));
 		perform_query($query, $link);
 
 		$href = get_app_location(true, false) . "/operator/resetpwd.php?id=" . $torestore['operatorid'] . "&token=$token";

src/messenger/webim/operator/statistics.php

@@ -65,15 +65,15 @@ if ($start > $end) {
 
 $link = connect();
 
-$page['reportByDate'] = select_multi_assoc("select DATE(dtmcreated) as date, COUNT(distinct threadid) as threads, SUM(${mysqlprefix}chatmessage.ikind = $kind_agent) as agents, SUM(${mysqlprefix}chatmessage.ikind = $kind_user) as users " .
+$page['reportByDate'] = select_multi_assoc("select DATE(dtmcreated) as date, COUNT(distinct threadid) as threads, SUM(${mysqlprefix}chatmessage.ikind = " . intval($kind_agent) . ") as agents, SUM(${mysqlprefix}chatmessage.ikind = " . intval($kind_user) . ") as users " .
-										   "from ${mysqlprefix}chatmessage where unix_timestamp(dtmcreated) >= $start AND unix_timestamp(dtmcreated) < $end group by DATE(dtmcreated) order by dtmcreated desc", $link);
+										   "from ${mysqlprefix}chatmessage where unix_timestamp(dtmcreated) >= " . intval($start) . " AND unix_timestamp(dtmcreated) < " . intval($end) . " group by DATE(dtmcreated) order by dtmcreated desc", $link);
 
-$page['reportByDateTotal'] = select_one_row("select COUNT(distinct threadid) as threads, SUM(${mysqlprefix}chatmessage.ikind = $kind_agent) as agents, SUM(${mysqlprefix}chatmessage.ikind = $kind_user) as users " .
+$page['reportByDateTotal'] = select_one_row("select COUNT(distinct threadid) as threads, SUM(${mysqlprefix}chatmessage.ikind = " . intval($kind_agent) . ") as agents, SUM(${mysqlprefix}chatmessage.ikind = " . intval($kind_user) . ") as users " .
-											"from ${mysqlprefix}chatmessage where unix_timestamp(dtmcreated) >= $start AND unix_timestamp(dtmcreated) < $end", $link);
+											"from ${mysqlprefix}chatmessage where unix_timestamp(dtmcreated) >= " . intval($start) . " AND unix_timestamp(dtmcreated) < " . intval($end), $link);
 
-$page['reportByAgent'] = select_multi_assoc("select vclocalename as name, COUNT(distinct threadid) as threads, SUM(ikind = $kind_agent) as msgs, AVG(CHAR_LENGTH(tmessage)) as avglen " .
+$page['reportByAgent'] = select_multi_assoc("select vclocalename as name, COUNT(distinct threadid) as threads, SUM(ikind = " . intval($kind_agent) . ") as msgs, AVG(CHAR_LENGTH(tmessage)) as avglen " .
 											"from ${mysqlprefix}chatmessage, ${mysqlprefix}chatoperator " .
-											"where agentId = operatorid AND unix_timestamp(dtmcreated) >= $start AND unix_timestamp(dtmcreated) < $end group by operatorid", $link);
+											"where agentId = operatorid AND unix_timestamp(dtmcreated) >= " . intval($start) . " AND unix_timestamp(dtmcreated) < " . intval($end) . " group by operatorid", $link);
 
 $page['showresults'] = count($errors) == 0;
 

src/messenger/webim/operator/threadprocessor.php

@@ -35,7 +35,7 @@ function thread_info($id)
 							 "unix_timestamp(dtmmodified) as modified, unix_timestamp(dtmcreated) as created," .
 							 "vclocalname as groupName " .
 							 "from ${mysqlprefix}chatthread left join ${mysqlprefix}chatgroup on ${mysqlprefix}chatthread.groupid = ${mysqlprefix}chatgroup.groupid " .
-							 "where threadid = " . $id, $link);
+							 "where threadid = " . intval($id), $link);
 	mysql_close($link);
 	return $thread;
 }

src/messenger/webim/operator/update.php

@@ -98,7 +98,7 @@ $can_viewthreads, $can_takeover, $mysqlprefix;
 	$userAgent = get_useragent_version($thread['userAgent']);
 	$result .= "<useragent>" . safe_htmlspecialchars(safe_htmlspecialchars($userAgent)) . "</useragent>";
 	if ($thread["shownmessageid"] != 0) {
-		$query = "select tmessage from ${mysqlprefix}chatmessage where messageid = " . $thread["shownmessageid"];
+		$query = "select tmessage from ${mysqlprefix}chatmessage where messageid = " . intval($thread["shownmessageid"]);
 		$line = select_one_row($query, $link);
 		if ($line) {
 			$message = preg_replace("/[\r\n\t]+/", " ", $line["tmessage"]);
@@ -116,19 +116,22 @@ function print_pending_threads($groupids, $since)
 
 	$revision = $since;
 	$output = array();
+
+	$groupids = join(",", array_map("intval", preg_split('/,/', $groupids)));
+
 	$query = "select threadid, userName, agentName, unix_timestamp(dtmcreated), userTyping, " .
 			 "unix_timestamp(dtmmodified), lrevision, istate, remote, nextagent, agentId, userid, shownmessageid, userAgent, (select vclocalname from ${mysqlprefix}chatgroup where ${mysqlprefix}chatgroup.groupid = ${mysqlprefix}chatthread.groupid) as groupname " .
-			 "from ${mysqlprefix}chatthread where lrevision > $since " .
+			 "from ${mysqlprefix}chatthread where lrevision > " . intval($since) .
 			 ($since <= 0
-					 ? "AND istate <> $state_closed AND istate <> $state_left "
+					 ? " AND istate <> " . intval($state_closed) . " AND istate <> " . intval($state_left)
 					 : "") .
 			 ($settings['enablegroups'] == '1'
-					 ? "AND (groupid is NULL" . ($groupids
+					 ? " AND (groupid is NULL" . ($groupids
 							 ? " OR groupid IN ($groupids)"
 							 : "") .
-					   ") "
+					   ")"
 					 : "") .
-			 "ORDER BY threadid";
+			 " ORDER BY threadid";
 	$rows = select_multi_assoc($query, $link);
 	foreach ($rows as $row) {
 		$thread = thread_to_xml($row, $link);

src/messenger/webim/operator/userhistory.php

@@ -44,7 +44,7 @@ function threads_by_userid($userid)
 	$query = sprintf("select unix_timestamp(dtmcreated) as created, unix_timestamp(dtmmodified) as modified, " .
 					 " threadid, remote, agentName, userName " .
 					 "from ${mysqlprefix}chatthread " .
-					 "where userid=\"$userid\" order by created DESC", $userid);
+					 "where userid=%s order by created DESC", intval($userid));
 
 	$result = mysql_query($query, $link) or die(' Query failed: ' . mysql_error($link));