Merged Hotfix-1.3.1 into master

admin/classes/common/DBService.php

@@ -87,6 +87,67 @@ public function processQuery($sql, $type = NULL) {
 		return $data;
 	}
 
+	/**
+	 * Version of processQuery() that deals with prepared statements. As prepared
+	 * statements use variadic functions, much of this function's complexity
+	 * comes from wrapping a variadic function in a PHP 5.5 compatible way.
+	 *
+	 * @param string $query Same format as mysqli::prepare(), with usually one
+	 * or more "?" inside it.
+	 *
+	 * @param string $type Must be "num" or "assoc". Contrary to processQuery(),
+	 * it's not an optionnal argument. Due to this function being variadic.
+	 *
+	 * @param mixed ...$paramsToBind Same format as mysqli_stmt::bind_param()
+	 * It's a variadic function based on this PHP 5.5 compatible implementation
+	 * https://wiki.php.net/rfc/variadics#introduction
+	 * We will be able to simplify this once we require PHP 5.6
+	 * https://secure.php.net/manual/en/migration56.new-features.php#migration56.new-features.variadics
+	 */
+	public function processPreparedQuery($query, $type) {
+		$paramsToBind = array_slice(func_get_args(), 2); // additional arguments
+		// prepared statements specific code
+		$statement = $this->db->prepare($query);
+		$this->checkForError();
+		// The following is an implementation of the splat operator. This
+		// will be simpler with PHP 5.6
+		// https://secure.php.net/manual/en/migration56.new-features.php#migration56.new-features.splat
+		// We need to pass references to bind_param(), hence the use of refValues()
+		call_user_func_array([$statement, "bind_param"], self::refValues($paramsToBind)) ;
+		$statement->execute();
+		$result = $statement->get_result();
+
+		// same as processQuery()
+		$this->checkForError();
+		$data = array();
+
+		if ($result instanceof mysqli_result) {
+			$resultType = MYSQLI_NUM;
+			if ($type == 'assoc') {
+				$resultType = MYSQLI_ASSOC;
+			}
+			while ($row = $result->fetch_array($resultType)) {
+				if ($this->db->affected_rows > 1) {
+					array_push($data, $row);
+				} else {
+					$data = $row;
+				}
+			}
+			$result->free();
+		} else if ($result) {
+			$data = $this->db->insert_id;
+		}
+
+		return $data;
+	}
+
+	private static function refValues($arr){
+		$refs = array();
+		foreach($arr as $key => $value) {
+			$refs[$key] = &$arr[$key];
+		}
+		return $refs;
+	}
 }
 
 ?>

admin/classes/common/DatabaseObject.php

@@ -187,8 +187,10 @@ public function load() {
 
 		//if exists in the database
 		if (isset($this->primaryKey)) {
-			$query = "SELECT * FROM `$this->dbName`.`$this->tableName` WHERE `$this->primaryKeyName` = '$this->primaryKey'";
-			$result = $this->db->processQuery($query, 'assoc');
+			$query = "SELECT * FROM `$this->tableName` WHERE `$this->primaryKeyName` = ?";
+			$result = $this->db->processPreparedQuery($query, "assoc",
+													  "s",
+													  $this->primaryKey);
 
 			foreach (array_keys($result) as $attributeName) {
 				$this->addAttribute($attributeName);

install/UPGRADE_README

@@ -5,6 +5,11 @@ The following file contains notes on specific upgrades.  For full instructions
 on how to run an upgrade, refer to the technical documentation available at
 http://coral-erm.org/documentation.
 
+UPGRADING FROM CORAL ORGANIZATIONS VERSION 1.3. TO 1.3.1
+--------------------------------------------------------
+
+This is a security fix. No database changes have been made, just upgrade the code usual. 
+
 UPGRADING FROM CORAL ORGANIZATIONS VERSION 1.2 TO 1.3
 -----------------------------------------------------
 

templates/footer.php

@@ -28,6 +28,6 @@
 <div class="push">&nbsp;</div>
 </div>
 
-<div class="footer">Copyright &copy; 2015. Organizations Module version 1.3<br/><a href="http://coral-erm.org/">CORAL Project Website</a> | <a href="https://github.com/ndlibersa/organizations">GitHub Site</a></div>
+<div class="footer">Copyright &copy; 2015. Organizations Module version 1.3.1<br/><a href="http://coral-erm.org/">CORAL Project Website</a> | <a href="https://github.com/ndlibersa/organizations">GitHub Site</a></div>
 </body>
 </html>