Removing/Avoiding possible injection errors

[q2apro]

I got another Russian hack bot on my site, it caused the following errors by attempting to POST malicious db queries. The errors might be helpful to solve some security issues:

These two errors are hundreds of times in the error_log:

1. PHP Notice: Trying to access array offset on value of type null in /qa-include/pages/question-view.php on line 810

2. PHP Notice: Trying to access array offset on value of type null in /qa-include/pages/question-view.php on line 656

These errors only a few times:

• PHP Parse error: syntax error, unexpected '=', expecting ')' in /qa-include/qa-base.php(729) : eval()'d code on line 28
• PHP Parse error: syntax error, unexpected '=', expecting ')' in /qa-include/qa-base.php(729) : eval()'d code on line 28
• PHP Parse error: syntax error, unexpected 'if' (T_IF) in /qa-include/qa-base.php(729) : eval()'d code on line 28
• PHP Parse error: syntax error, unexpected 'qa' (T_STRING), expecting function (T_FUNCTION) or const (T_CONST) in /qa-include/qa-base.php(729) : eval()'d code on line 83
• PHP Parse error: syntax error, unexpected '0' (T_LNUMBER), expecting ')' in /qa-include/qa-base.php(729) : eval()'d code on line 28
• PHP Parse error: syntax error, unexpected ';', expecting ')' in /qa-include/qa-base.php(729) : eval()'d code on line 28
• PHP Parse error: syntax error, unexpected '=' in /qa-include/qa-base.php(729) : eval()'d code on line 28
• PHP Parse error: syntax error, unexpected ')' in /qa-include/qa-base.php(729) : eval()'d code on line 28
• PHP Parse error: syntax error, unexpected '"', expecting ')' in /qa-include/qa-base.php(729) : eval()'d code on line 28
• PHP Warning: Header may not contain NUL bytes in /qa-include/qa-base.php on line 1861

From my Q2A files:

question-view.php on line 810

$showduplicate = $question['hidden'] && $commentfollow['closedbyid'] == $parentid;

question-view.php on line 656

$htmloptions['q_request'] = qa_q_request($question['postid'], $question['title']);

qa-base.php on line 729

eval('?' . '>' . $eval);

qa-base.php on line 1861

header('Location: ' . $url);

I hope someone can see the issues and maybe fix them.

[pupi1985]

I searched in the dev, master and bugfix branches for the line 810 in question-view.php file. However, none of them had the same line you have. This suggests you've made changes to that file (or others). Those changes might be the cause of the issues.

Also, probably PHP 8.1 might bring some warnings or notices as well. Things work pretty well with PHP 7.x versions and the bugfix branch.

[q2apro]

Here it is: https://github.com/q2a/question2answer/blob/dev/qa-include/pages/question-view.php#L815

$showduplicate = $question['hidden'] && $commentfollow['closedbyid'] == $parentid;

[pupi1985]

I never said I couldn't find the line. What I said is that it is not where it should be, and that might be the cause of your issues.

What are the step by step instructions to replicate this issue in any of the branches I mentioned?

[q2apro]

I guess this would help converting the incoming data to int would help to prevent some of the errors above.

/qa-include/ajax/click-comment.php

$commentid = (int)qa_post_text('commentid');
$questionid = (int)qa_post_text('questionid');
$parentid = (int)qa_post_text('parentid');

And also in the same file after list($comment, ...):

if (empty($comment) || empty($question) || empty($parent))
{
    echo "QA_AJAX_RESPONSE\nError\n";
    return;
}

Casting to int for incoming data is also needed for:

• /qa-include/ajax/click-answer.php
• /qa-include/ajax/comment.php
• /qa-include/ajax/show-comments.php