
add db::securityScan()
1 parent 2c915ae commit 629a8dd


1 file changed

+53
-1
lines changed


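--- a/server/lib/classes/db_mysql.inc.php
+++ b/server/lib/classes/db_mysql.inc.php
@@ -187,6 +187,58 @@ private function _setCharset() {
 mysqli_query($this->_iConnId, "SET character_set_results = '".$this->dbCharset."', character_set_client = '".$this->dbCharset."', character_set_connection = '".$this->dbCharset."', character_set_database = '".$this->dbCharset."', character_set_server = '".$this->dbCharset."'");
 }
 
+private function securityScan($string) {
+global $app, $conf;
+
+// get security config
+if(isset($app)) {
+$app->uses('getconf');
+$ids_config = $app->getconf->get_security_config('ids');
+
+if($ids_config['sql_scan_enabled'] == 'yes') {
+
+// Remove whitespace
+$string = trim($string);
+if(substr($string,-1) == ';') $string = substr($string,0,-1);
+
+// Save original string
+$string_orig = $string;
+
+//echo $string;
+$chars = array(';', '#', '/*', '*/', '--', '\\\'', '\\"');
+
+$string = str_replace('\\\\', '', $string);
+$string = preg_replace('/(^|[^\\\])([\'"])\\2/is', '$1', $string);
+$string = preg_replace('/(^|[^\\\])([\'"])(.*?[^\\\])\\2/is', '$1', $string);
+$ok = true;
+
+if(substr_count($string, "`") % 2 != 0 || substr_count($string, "'") % 2 != 0 || substr_count($string, '"') % 2 != 0) {
+$app->log("SQL injection warning (" . $string_orig . ")",2);
+$ok = false;
+} else {
+foreach($chars as $char) {
+if(strpos($string, $char) !== false) {
+$ok = false;
+$app->log("SQL injection warning (" . $string_orig . ")",2);
+break;
+}
+}
+}
+if($ok == true) {
+return true;
+} else {
+if($ids_config['sql_scan_action'] == 'warn') {
+// we return false in warning level.
+return false;
+} else {
+// if sql action = 'block' or anything else then stop here.
+$app->error('Possible SQL injection. All actions have been logged.');
+}
+}
+}
+}
+}
+
 private function _query($sQuery = '') {
 global $app;
 
@@ -227,7 +279,7 @@ private function _query($sQuery = '') {
 
 $aArgs = func_get_args();
 $sQuery = call_user_func_array(array(&$this, '_build_query_string'), $aArgs);
-
+$this->securityScan($sQuery);
 $this->_iQueryId = mysqli_query($this->_iConnId, $sQuery);
 if (!$this->_iQueryId) {
 $this->_sqlerror('Falsche Anfrage / Wrong Query', 'SQL-Query = ' . $sQuery);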
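Review bot: `_query` discards the result of `securityScan()`, so in the `block` branch the query is still handed to `mysqli_query` unless `$app->error()` terminates the request, which this hunk cannot confirm; the function also falls through with no return value at all when `$app` is unset or `sql_scan_enabled` is not `yes`. Make the contract explicit: `return true;` after logging in the `warn` branch, `return false;` after `$app->error(...)`, and guard the call in `_query` with `if ($this->securityScan($sQuery) === false) { return false; }` (what `_query` returns for a failed query lies outside the hunk). This scan is a heuristic over the already-built query string and only supplements the escaping done in `_build_query_string`, which is not visible here; a `#`, `--` or `;` inside a legitimate literal that survives the two quote-stripping regexes will be logged as an injection, so a short comment stating that it is a best-effort detector, not the protection, would help the next maintainer. `$app->log("SQL injection warning (" . $string_orig . ")",2)` writes the full SQL, including any values being inserted, into the log; consider truncating or redacting literals before logging. `global $app, $conf;` declares `$conf` but never uses it.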
