Test case 158178

<?php

/* 

Safe sample

input : backticks interpretation, reading the file /tmp/tainted.txt

sanitize : cast via + = 0.0

construction : use of sprintf via a %d

*/

​

​

​

/*Copyright 2015 Bertrand STIVALET 

​

Permission is hereby granted, without written agreement or royalty fee, to

​

use, copy, modify, and distribute this software and its documentation for

​

any purpose, provided that the above copyright notice and the following

​

three paragraphs appear in all copies of this software.

​

​

IN NO EVENT SHALL AUTHORS BE LIABLE TO ANY PARTY FOR DIRECT,

​

INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 

​

USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF AUTHORS HAVE

​

BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

​

​

AUTHORS SPECIFICALLY DISCLAIM ANY WARRANTIES INCLUDING, BUT NOT

​

LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A

​

PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

​

​

THE SOFTWARE IS PROVIDED ON AN "AS-IS" BASIS AND AUTHORS HAVE NO

​

OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR

​

MODIFICATIONS.*/

​

​

$tainted = `cat /tmp/tainted.txt`;

​

$tainted += 0.0 ;

​

$query = sprintf("SELECT * FROM COURSE c WHERE c.id IN (SELECT idcourse FROM REGISTRATION WHERE idstudent=%d)", $tainted);

​

$conn = mysql_connect('localhost', 'mysql_user', 'mysql_password'); // Connection to the database (address, user, password)

mysql_select_db('dbname') ;

echo "query : ". $query ."<br /><br />" ;

​

$res = mysql_query($query); //execution

​

while($data =mysql_fetch_array($res)){

print_r($data) ;

echo "<br />" ;

} 

mysql_close($conn);

​

?>