From b2c7499db871ef43de83148f8f5635395cb4719b Mon Sep 17 00:00:00 2001
From: Matthieu Barba
Date: Sat, 23 Mar 2024 11:59:00 +0000
Subject: [PATCH] Add checks for upload
---
 lib_db.php | 18 +++++++++++------
 upload_db_add.php | 49 +++++++++++++++++++++++++++++++----------------
 2 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/lib_db.php b/lib_db.php
index c74c8fd..3bfaa74 100755
--- a/lib_db.php
+++ b/lib_db.php
@@ -5,6 +5,9 @@
 require_once("common.php");
 $dbdir = get_setting("db_dir");
+
+class DbException extends Exception {}
+
 /**********************************************************/
 // Check variable type (convert if necessary)
 function parseVal($dat) {
@@ -71,13 +74,16 @@ function get_db($version = null) {
 function get_db_connection($db) {
 global $dbdir;
 $dbh;
- $dbpath = $db;
- if (! preg_match("/\.sqlite$/i", $dbpath)) {
- $dbpath = "$dbpath.sqlite";
- }
- error_log('['.date('YYYY-MM-dd HH:mm:ss').']'."Get db connection to $dbpath in $dbdir");
+ $dbpath = $db;
+ if (! preg_match("/\.sqlite$/i", $dbpath)) {
+ $dbpath = "$dbpath.sqlite";
+ }
+ if (!str_starts_with($db, "/")) {
+ $dbpath = "$dbdir/$dbpath";
+ }
+ error_log('['.date('YYYY-MM-dd HH:mm:ss').']'."Get db connection to $dbpath in $dbdir");
 try {
- $dbh = new PDO("sqlite:$dbdir/" . $dbpath, '', '', array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
+ $dbh = new PDO("sqlite:$dbpath", '', '', array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
 } catch(PDOException $ex) {
 die_msg('Unable to connect to database.', $ex->getMessage());
diff --git a/upload_db_add.php b/upload_db_add.php
index 9cb1139..160b49f 100755
--- a/upload_db_add.php
+++ b/upload_db_add.php
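Review bot: The `.sqlite` suffix is still appended before the new absolute-path branch in get_db_connection, so an absolute `$db` without that suffix is rewritten to a sibling path and SQLite creates that path as a fresh empty database instead of opening the file the caller named. The new check in upload_db_add.php runs into exactly this if `$tmp_name` is PHP's upload temp path, which has no extension, so it would appear to validate an empty file rather than the upload. Append the suffix only to relative names, and, unless some caller relies on this function creating databases, refuse to connect when the resolved path is not an existing file; that also keeps a request-supplied absolute `$db` from opening or creating arbitrary files on the host. get_db_connection's body continues past the end of the hunk.
```php
function get_db_connection($db) {
    global $dbdir;
    if (str_starts_with($db, "/")) {
        $dbpath = $db;
    } else {
        $dbpath = preg_match("/\.sqlite$/i", $db) ? $db : "$db.sqlite";
        $dbpath = "$dbdir/$dbpath";
    }
    // Never let PDO create a missing file: only open databases that already exist.
    if (!is_file($dbpath)) {
        die_msg('Unable to connect to database.', "Not an existing database file: $dbpath");
    }
    // … unchanged: error_log call and PDO connection …
```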
@@ -3,6 +3,7 @@ File is empty"; $nerrors++; } else { - # Just in case, to avoid collisions - $num = 1; - $new_id = $id; - $new_db_path = $final_db_path; - while(file_exists($final_db_path)) { - $new_id = $id . "_" . $num; - $new_db_path = str_replace("$id.sqlite", "$new_id.sqlite", $final_db_path); - $num++; - if ($num > 10) { - $errormsg .= "
  • ID collision detected.
  • "; - $nerrors++; - break; + # Check there is data in the database + try { + $dbh = get_db_connection($tmp_name); + $info = get_database_data($dbh); + if (count($info) == 0) { + throw new DbException("Content of the db doesn't look right"); } + } catch(Exception $e) { + $errormsg .= "
  • Exception: ".$e->getMessage()."
  • "; + $nerrors++; } + if ($nerrors == 0) { - if ( move_uploaded_file($tmp_name, $new_db_path) ) { - $uploaded_array[] .= "Uploaded file '".$name."'.
    \n"; - } else { - $errormsg .= "
  • Could not move uploaded file '".$tmp_name."' to '".$name."'
  • "; - $nerrors++; + # Just in case, to avoid collisions + $num = 1; + $new_id = $id; + $new_db_path = $final_db_path; + while(file_exists($new_db_path)) { + $new_id = $id . "_" . $num; + $new_db_path = str_replace("$id.sqlite", "$new_id.sqlite", $final_db_path); + $num++; + if ($num > 10) { + $errormsg .= "
  • ID collision detected with $new_id in $new_db_path.
  • "; + $nerrors++; + break; + } + } + if ($nerrors == 0) { + if ( move_uploaded_file($tmp_name, $new_db_path) ) { + $uploaded_array[] .= "Uploaded file '".$name."'.
    \n"; + } else { + $errormsg .= "
  • Could not move uploaded file '".$tmp_name."' to '".$name."'
  • "; + $nerrors++; + } } } }