hardening: prepared statements, PHP 7.4 idioms, and security fixes

audit.php

@@ -24,6 +24,7 @@
 
 chdir('../../');
 include_once('./include/auth.php');
+require_once(__DIR__ . '/audit_helpers.php');
 
 set_default_action();
 
@@ -51,13 +52,13 @@
 		if ($data['action'] == 'cli') {
 			$width = 'wide';
 			$output .= '<table style="width:100%" class="' . $width . '"><tr><td>';
-			$output .= '<span><b>' . __('Page:', 'audit') . '</b>  <i>' . $data['page'] . '</i></span>';
-			$output .= '<br><span><b>' . __('User:', 'audit') . '</b>  <i>' . $data['user_agent'] . '</i></span>';
-			$output .= '<br><span><b>' . __('IP Address:', 'audit') . '</b>  <i>' . $data['ip_address'] . '</i></span>';
-			$output .= '<br><span><b>' . __('Date:', 'audit') . '</b>  <i>' . $data['event_time'] . '</i></span>';
-			$output .= '<br><span><b>' . __('Action:', 'audit') . '</b>  <i>' . $data['action'] . '</i></span>';
+			$output .= '<span><b>' . __('Page:', 'audit') . '</b>  <i>' . html_escape($data['page']) . '</i></span>';
+			$output .= '<br><span><b>' . __('User:', 'audit') . '</b>  <i>' . html_escape($data['user_agent']) . '</i></span>';
+			$output .= '<br><span><b>' . __('IP Address:', 'audit') . '</b>  <i>' . html_escape($data['ip_address']) . '</i></span>';
+			$output .= '<br><span><b>' . __('Date:', 'audit') . '</b>  <i>' . html_escape($data['event_time']) . '</i></span>';
+			$output .= '<br><span><b>' . __('Action:', 'audit') . '</b>  <i>' . html_escape($data['action']) . '</i></span>';
 			$output .= '<hr>';
-			$output .= '<span><b>' . __('Script:', 'audit') . '</b>  <i>' . $data['post'] . '</i></span>';
+			$output .= '<span><b>' . __('Script:', 'audit') . '</b>  <i>' . html_escape($data['post']) . '</i></span>';
 		} elseif (cacti_sizeof($data)) {
 			$attribs = json_decode($data['post']);
 
@@ -74,11 +75,11 @@
 			}
 
 			$output .= '<table style="width:100%" class="' . $width . '"><tr><td>';
-			$output .= '<span><b>' . __('Page:', 'audit') . '</b>  <i>' . $data['page'] . '</i></span>';
-			$output .= '<br><span><b>' . __('User:', 'audit') . '</b>  <i>' . get_username($data['user_id']) . '</i></span>';
-			$output .= '<br><span><b>' . __('IP Address:', 'audit') . '</b>  <i>' . $data['ip_address'] . '</i></span>';
-			$output .= '<br><span><b>' . __('Date:', 'audit') . '</b>  <i>' . $data['event_time'] . '</i></span>';
-			$output .= '<br><span><b>' . __('Action:', 'audit') . '</b>  <i>' . $data['action'] . '</i></span>';
+			$output .= '<span><b>' . __('Page:', 'audit') . '</b>  <i>' . html_escape($data['page']) . '</i></span>';
+			$output .= '<br><span><b>' . __('User:', 'audit') . '</b>  <i>' . html_escape(get_username($data['user_id'])) . '</i></span>';
+			$output .= '<br><span><b>' . __('IP Address:', 'audit') . '</b>  <i>' . html_escape($data['ip_address']) . '</i></span>';
+			$output .= '<br><span><b>' . __('Date:', 'audit') . '</b>  <i>' . html_escape($data['event_time']) . '</i></span>';
+			$output .= '<br><span><b>' . __('Action:', 'audit') . '</b>  <i>' . html_escape($data['action']) . '</i></span>';
 			$output .= '<hr>';
 			$output .= '<table style="width:100%">';
 
@@ -98,9 +99,9 @@
 					}
 
 					if (is_array($content)) {
-						$output .= '<td style="font-weight:bold;white-space:nowrap;">' . $field . '</td><td">' . implode(',', $content) . '</td>';
+						$output .= '<td style="font-weight:bold;white-space:nowrap;">' . audit_html_escape($field) . '</td><td>' . audit_html_escape(implode(',', $content)) . '</td>';
 					} else {
-						$output .= '<td style="font-weight:bold;white-space:nowrap;">' . $field . '</td><td>' . $content . '</td>';
+						$output .= '<td style="font-weight:bold;white-space:nowrap;">' . audit_html_escape($field) . '</td><td>' . audit_html_escape($content) . '</td>';
 					}
 
 					$i++;
@@ -119,7 +120,7 @@
 				$output .= '<tr><td colspan="' . ($columns * 2) . '"><b>' . __('Record Data:', 'audit') . '</b></td></tr>';
 
 				foreach ($recordData as $record) {
-					$output .= '<tr><td colspan="' . ($columns * 2) . '"><pre>' . json_encode($record, JSON_PRETTY_PRINT) . '</pre></td></tr>';
+					$output .= '<tr><td colspan="' . ($columns * 2) . '"><pre>' . audit_html_escape(json_encode($record, JSON_PRETTY_PRINT)) . '</pre></td></tr>';
 				}
 			} else {
 				$output .= '</table>';
@@ -163,8 +164,9 @@ function audit_export_rows() {
 		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' page = ' . db_qstr(get_request_var('event_page'));
 	}
 
-	if (!isempty_request_var('user_id') && get_request_var('user_id') > '-1') {
-		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' user_id = ' . get_request_var('user_id');
+	$user_id = audit_normalize_int(get_request_var('user_id'), -1);
+	if ($user_id > -1) {
+		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' user_id = ' . $user_id;
 	}
 
 	$events = db_fetch_assoc("SELECT audit_log.*, user_auth.username
@@ -357,8 +359,9 @@ function audit_log() {
 		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' page = ' . db_qstr(get_request_var('event_page'));
 	}
 
-	if (!isempty_request_var('user_id') && get_request_var('user_id') > '-1') {
-		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' user_id = ' . get_request_var('user_id');
+	$user_id = audit_normalize_int(get_request_var('user_id'), -1);
+	if ($user_id > -1) {
+		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' user_id = ' . $user_id;
 	}
 
 	$total_rows = db_fetch_cell("SELECT
@@ -463,4 +466,3 @@ function audit_log() {
 	<script type='text/javascript' src='plugins/audit/js/functions.js'></script>
 	<?php
 }
-

audit_functions.php

@@ -157,7 +157,7 @@ function audit_config_insert() {
 
 		$post        = json_encode($post);
 		$page        = basename($_SERVER['SCRIPT_NAME']);
-		$user_id     = (isset($_SESSION['sess_user_id']) ? $_SESSION['sess_user_id'] : 0);
+		$user_id     = ($_SESSION['sess_user_id'] ?? 0);
 		$event_time  = date('Y-m-d H:i:s');
 
 		/* Retrieve IP address */

audit_helpers.php

@@ -0,0 +1,34 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | Shared helpers for audit request normalization and output escaping.     |
+ +-------------------------------------------------------------------------+
+ */
+
+if (!function_exists('audit_normalize_int')) {
+	function audit_normalize_int($value, $default = -1) {
+		if (is_int($value)) {
+			return $value;
+		}
+
+		if (is_string($value) && preg_match('/^-?[0-9]+$/', $value)) {
+			return (int)$value;
+		}
+
+		return (int)$default;
+	}
+}
+
+if (!function_exists('audit_html_escape')) {
+	function audit_html_escape($value) {
+		$value = (string)$value;
+
+		if (function_exists('html_escape')) {
+			return html_escape($value);
+		}
+
+		return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
+	}
+}

setup.php

@@ -154,7 +154,7 @@ function audit_poller_bottom() {
 		$retention = read_config_option('audit_retention');
 
 		if ($retention > 0) {
-			db_execute('DELETE FROM audit_log WHERE event_time < FROM_UNIXTIME(' . (time() - ($retention * 86400)) . ')');
+			db_execute_prepared('DELETE FROM audit_log WHERE event_time < FROM_UNIXTIME(?)', array(time() - ($retention * 86400)));
 			$rows = db_affected_rows();
 			cacti_log('NOTE: Purged ' . $rows . ' Audit Log Records from Cacti', false, 'POLLER');
 		}

tests/Integration/test_detail_render_escaping.php

@@ -0,0 +1,45 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | Integration checks for audit detail escaping helpers.                   |
+ |                                                                         |
+ | Run: php tests/integration/test_detail_render_escaping.php              |
+ +-------------------------------------------------------------------------+
+ */
+
+$pass = 0;
+$fail = 0;
+
+function assert_true($label, $value) {
+	global $pass, $fail;
+
+	if ($value) {
+		echo "PASS  $label\n";
+		$pass++;
+	} else {
+		echo "FAIL  $label\n";
+		$fail++;
+	}
+}
+
+require_once __DIR__ . '/../../audit_helpers.php';
+
+$rendered_field = audit_html_escape('"><img src=x onerror=alert(1)>');
+$rendered_json  = audit_html_escape(json_encode(array('payload' => '<svg onload=alert(1)>')));
+
+assert_true(
+	'field names are escaped before rendering',
+	strpos($rendered_field, '<img') === false && strpos($rendered_field, '&lt;img') !== false
+);
+
+assert_true(
+	'record data json is escaped before rendering',
+	strpos($rendered_json, '<svg') === false && strpos($rendered_json, '&lt;svg') !== false
+);
+
+echo "\n";
+echo "Results: $pass passed, $fail failed\n";
+
+exit($fail > 0 ? 1 : 0);

tests/Unit/test_security_helpers.php

@@ -0,0 +1,47 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | Unit checks for audit security helpers.                                 |
+ |                                                                         |
+ | Run: php tests/unit/test_security_helpers.php                           |
+ +-------------------------------------------------------------------------+
+ */
+
+$pass = 0;
+$fail = 0;
+
+function assert_true($label, $value) {
+	global $pass, $fail;
+
+	if ($value) {
+		echo "PASS  $label\n";
+		$pass++;
+	} else {
+		echo "FAIL  $label\n";
+		$fail++;
+	}
+}
+
+require_once __DIR__ . '/../../audit_helpers.php';
+
+assert_true(
+	'integer normalization keeps valid integers',
+	audit_normalize_int('42', -1) === 42
+);
+
+assert_true(
+	'integer normalization rejects mixed payloads',
+	audit_normalize_int('0 OR 1=1', -1) === -1
+);
+
+assert_true(
+	'html escaping encodes script payloads',
+	audit_html_escape('<script>alert(1)</script>') === '&lt;script&gt;alert(1)&lt;/script&gt;'
+);
+
+echo "\n";
+echo "Results: $pass passed, $fail failed\n";
+
+exit($fail > 0 ? 1 : 0);

tests/e2e/test_security_wiring.php

@@ -0,0 +1,48 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | End-to-end wiring checks for audit security fixes.                      |
+ |                                                                         |
+ | Run: php tests/e2e/test_security_wiring.php                             |
+ +-------------------------------------------------------------------------+
+ */
+
+$pass = 0;
+$fail = 0;
+
+function assert_true($label, $value) {
+	global $pass, $fail;
+
+	if ($value) {
+		echo "PASS  $label\n";
+		$pass++;
+	} else {
+		echo "FAIL  $label\n";
+		$fail++;
+	}
+}
+
+$source = file_get_contents(__DIR__ . '/../../audit.php');
+
+assert_true(
+	'user_id filter uses integer normalization before SQL concatenation',
+	substr_count($source, "audit_normalize_int(get_request_var('user_id'), -1)") === 2
+);
+
+assert_true(
+	'detail popup escapes field names and values',
+	strpos($source, "audit_html_escape(\$field)") !== false &&
+	strpos($source, "audit_html_escape(\$content)") !== false
+);
+
+assert_true(
+	'record data json is escaped before rendering',
+	strpos($source, "audit_html_escape(json_encode(\$record, JSON_PRETTY_PRINT))") !== false
+);
+
+echo "\n";
+echo "Results: $pass passed, $fail failed\n";
+
+exit($fail > 0 ? 1 : 0);