269 $this->report_query($q); |
269 $this->report_query($q); |
270 grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>'); |
270 grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>'); |
271 } |
271 } |
272 } |
272 } |
273 |
273 |
274 $r = mysql_query($q, $this->_conn); |
274 $r = pg_query($q, $this->_conn); |
275 |
275 |
276 if ( $log_query ) |
276 if ( $log_query ) |
277 $this->query_times[$q] = microtime_float() - $time_start; |
277 $this->query_times[$q] = microtime_float() - $time_start; |
278 |
278 |
279 $this->latest_result = $r; |
279 $this->latest_result = $r; |
324 |
324 |
325 // remove properly escaped quotes |
325 // remove properly escaped quotes |
326 $q = str_replace(array("\\\"", "\\'"), '', $q); |
326 $q = str_replace(array("\\\"", "\\'"), '', $q); |
327 |
327 |
328 // make sure quotes match |
328 // make sure quotes match |
329 foreach ( array('"', "'") as $quote ) |
329 foreach ( array("'", '"') as $quote ) |
330 { |
330 { |
331 if ( get_char_count($q, $quote) % 2 == 1 ) |
331 if ( get_char_count($q, $quote) % 2 == 1 ) |
332 { |
332 { |
333 // mismatched quotes |
333 // mismatched quotes |
334 return false; |
334 return false; |
1001 return $r; |
1001 return $r; |
1002 } |
1002 } |
1003 |
1003 |
1004 function sql_unbuffered_query($q) |
1004 function sql_unbuffered_query($q) |
1005 { |
1005 { |
1006 $this->enable_errorhandler(); |
1006 return $this->sql_query($q); |
1007 |
|
1008 $this->num_queries++; |
|
1009 $this->query_backtrace[] = '(UNBUFFERED) ' . $q; |
|
1010 $this->latest_query = $q; |
|
1011 // First make sure we have a connection |
|
1012 if ( !$this->_conn ) |
|
1013 { |
|
1014 $this->_die('A database connection has not yet been established.'); |
|
1015 } |
|
1016 // Does this query look malicious? |
|
1017 if ( !$this->check_query($q) ) |
|
1018 { |
|
1019 $this->report_query($q); |
|
1020 grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>'); |
|
1021 } |
|
1022 |
|
1023 $time_start = microtime_float(); |
|
1024 $r = pg_query($q); |
|
1025 $this->query_times[$q] = microtime_float() - $time_start; |
|
1026 $this->latest_result = $r; |
|
1027 $this->disable_errorhandler(); |
|
1028 return $r; |
|
1029 } |
1007 } |
1030 |
1008 |
1031 /** |
1009 /** |
1032 * Checks a SQL query for possible signs of injection attempts |
1010 * Checks a SQL query for possible signs of injection attempts |
1033 * @param string $q the query to check |
1011 * @param string $q the query to check |
1041 |
1019 |
1042 // remove properly escaped quotes |
1020 // remove properly escaped quotes |
1043 $q = str_replace(array("\\\"", "\\'"), '', $q); |
1021 $q = str_replace(array("\\\"", "\\'"), '', $q); |
1044 |
1022 |
1045 // make sure quotes match |
1023 // make sure quotes match |
1046 foreach ( array('"', "'") as $quote ) |
1024 foreach ( array("'", '"') as $quote ) |
1047 { |
1025 { |
1048 if ( get_char_count($q, $quote) % 2 == 1 ) |
1026 if ( get_char_count($q, $quote) % 2 == 1 ) |
1049 { |
1027 { |
1050 // mismatched quotes |
1028 // mismatched quotes |
1051 return false; |
1029 return false; |
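Review bot: The argument order in `$r = pg_query($q, $this->_conn);` at line 274 is reversed — `pg_query()` takes the connection first and the query string second, so this call hands the SQL text where a connection is expected and the query would not run against `$this->_conn`; the line should read `$r = pg_query($this->_conn, $q);`. This assumes the `pg_query` row is the new side of that pair (the page shows no explicit marker), which is consistent with the rest of the file being the PostgreSQL backend. The rewritten `sql_unbuffered_query()` at line 1006 now only returns `$this->sql_query($q)`, so despite its name it no longer issues an unbuffered query; a docblock such as `/** Delegates to sql_query(); the result is buffered despite the name. */` would stop the next reader from relying on the old semantics. The quote-order swap in the two `check_query` copies at 329 and 1046 is behaviour-neutral, since each quote's parity is tested independently.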