includes/dbal.php
changeset 128 01955bf53f96
parent 91 8079b0288e8e
child 142 ca9118d9c0f2
127:a2b20a832447 128:01955bf53f96
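--- a/includes/dbal.php
+++ b/includes/dbal.php
     $sz = strlen($q);
     $quotechar = false;
     $quotepos  = 0;
     $prev_is_quote = false;
     $just_started = false;
-    for($i=0;$i<strlen($q);$i++,$c=substr($q, $i, 1))
+    for ( $i = 0; $i < strlen($q); $i++, $c = substr($q, $i, 1) )
     {
       $next = substr($q, $i+1, 1);
       $next2 = substr($q, $i+2, 1);
       $prev = substr($q, $i-1, 1);
       $prev2 = substr($q, $i-2, 1);
       if(isset($c) && in_array($c, Array('"', "'", '`')))
       {
         if($quotechar)
         {
-          if(
-              ( $quotechar == $c && $quotechar != $next && ( $quotechar != $prev || $just_entered ) && $prev != '\\') ||
+          if (
+              ( $quotechar == $c && $quotechar != $next && ( $quotechar != $prev || $just_started ) && $prev != '\\') ||
               ( $prev2 == '\\' && $prev == $quotechar && $quotechar == $c )
             )
           {
             $quotechar = false;
             if($debug) echo('$db-&gt;check_query(): just finishing a quote section, quoted string: '.htmlspecialchars(substr($q, $quotepos, $i - $quotepos + 1)) . '<br />');
         }
         else
         {
           $quotechar = $c;
           $quotepos  = $i;
-          $just_entered = true;
+          $just_started = true;
         }
         if($debug) echo '$db-&gt;check_query(): found quote char as pos: '.$i.'<br />';
         continue;
       }
-      $just_entered = false;
+      $just_started = false;
     }
     if(substr(trim($q), strlen(trim($q))-1, 1) == ';') $q = substr(trim($q), 0, strlen(trim($q))-1);
     for($i=0;$i<strlen($q);$i++,$c=substr($q, $i, 1))
     {
-      if( ( $c == ';' && $i != $sz-1 ) || $c . substr($q, $i+1, 1) == '--') // Don't permit semicolons in mid-query, and never allow comments
+      if ( 
+           ( ( $c == ';' && $i != $sz-1 ) || $c . substr($q, $i+1, 1) == '--' )
+        || ( in_array($c, Array('"', "'", '`')) )
+         ) // Don't permit semicolons in mid-query, and never allow comments
       {
         // Injection attempt!
         if($debug)
         {
           $e = '';
           }
           echo 'Injection attempt caught at pos: '.$i.'<br />';
         }
         return false;
       }
+    }
+    if ( preg_match('/[\s]+(SAFE_QUOTE|[\S]+)=\\1($|[\s]+)/', $q, $match) )
+    {
+      if ( $debug ) echo 'Found always-true test in query, injection attempt caught, match:<br />' . '<pre>' . print_r($match, true) . '</pre>';
+      return false;
     }
     return true;
   }
   
   /**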