Remember a discussion about ->query method?
http://community.impresscms.org/modules/newbb/viewtopic.php?post_id=13353#forumpost13353
This was my proposal.
Now this is the code that tries to implement this proposal. This is a test function, not related to iCMS; I just wanted to try my method of detecting SQL injections. This is the code:
<?php
// Unsafe query for testing: forbidden keywords outside any quoted literal
$test_query = "SELECT * FROM 'database' WHERE field1 = 'field1' AND field2 = \"field2\" AND field3 = `field3`; DROP UPDATE INSERT DELETE";
// Safe query - uncomment to test: the same keywords, but only inside quoted literals
// $test_query = "SELECT * FROM 'database' WHERE field1 = 'drop update' AND field2 = \"insert\" AND field3 = `delete`";
echo (validate_query ($test_query));

function validate_query ($q) {
    $original = $q;
    $separators = array ('\'', '"', '`');
    $forbidden = array ('drop', 'update', 'insert', 'delete');
    $q = strtolower(trim($q)); // To make search PHP 4 compatible, we won't use case-insensitive search functions
    foreach ($separators as $s) {
        // Remove every matched pair of this separator together with the text between them.
        // strpos() takes the haystack first and the needle second; an unmatched separator is left alone.
        $first = strpos($q, $s);
        while ($first !== false) {
            $next = strpos($q, $s, $first + 1);
            if ($next === false) {
                break;
            }
            $q = substr_replace($q, '', $first, ($next - $first) + 1);
            $first = strpos($q, $s);
        }
    }
    foreach ($forbidden as $f) {
        $found = strpos($q, $f);
        if ($found !== false) {
            return ("WARNING: Suspicious query: $original");
        }
    }
    return $original;
}
?>
If it works, we should change two or three lines to include it in iCMS.
This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=1438&post_id=13457
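An added example, not code from the post above or from ImpressCMS: a Python re-implementation of the same quote-stripping check, run over a few constructed queries. It removes every matched pair of ', " and ` (all pairs, not only the first) before looking for the keywords, and can match them as whole words instead of substrings so that an unquoted column such as updated_at is not reported. The sample queries, the function names and the whole_word switch are my own; the last sample shows what position-based quote pairing does when a literal contains a backslash-escaped quote, since the check knows nothing about SQL escaping.

```python
"""Quote-stripping SQL keyword scanner (added example, not ImpressCMS code).

Idea from the post: drop every quoted literal ('...', "...", `...`) and only
then look for DROP/UPDATE/INSERT/DELETE in whatever text is left over.
"""
import re

SEPARATORS = ("'", '"', '`')
FORBIDDEN = ("drop", "update", "insert", "delete")


def strip_literals(q: str) -> str:
    """Remove each matched pair of separators and the text between them.

    Pairs are formed purely by position, as in the PHP version: the first
    separator found is paired with the next one of the same kind. An
    unmatched separator is left in place. Backslash escapes are not understood.
    """
    q = q.lower().strip()
    for sep in SEPARATORS:
        first = q.find(sep)
        while first != -1:
            nxt = q.find(sep, first + 1)
            if nxt == -1:
                break
            q = q[:first] + q[nxt + 1:]
            first = q.find(sep)
    return q


def is_suspicious(q: str, whole_word: bool = True) -> bool:
    """True if a forbidden keyword survives literal stripping.

    whole_word=True requires the keyword to stand alone (so 'updated_at' is
    not 'update'); whole_word=False reproduces the substring test of strpos().
    """
    rest = strip_literals(q)
    for kw in FORBIDDEN:
        if whole_word:
            if re.search(r"\b" + kw + r"\b", rest):
                return True
        elif kw in rest:
            return True
    return False


# Constructed sample queries (assumed inputs, not taken from any real site)
SAMPLES = {
    "keywords only inside literals":
        "SELECT * FROM t WHERE a = 'drop this' AND b = \"insert\" AND c = `delete`",
    "stacked statement after a broken-out quote":
        "SELECT * FROM users WHERE name = 'x'; DROP TABLE users; -- '",
    "unquoted column name containing a keyword":
        "SELECT updated_at FROM posts WHERE id = '7'",
    "escaped quote inside the literal":
        "SELECT * FROM users WHERE name = 'O\\'Reilly'; DROP TABLE users; -- '",
}


def scan(samples: dict, whole_word: bool = True) -> dict:
    """Run the check over every sample and return {label: suspicious?}."""
    return {label: is_suspicious(q, whole_word) for label, q in samples.items()}


if __name__ == "__main__":
    for label, flagged in scan(SAMPLES).items():
        print(f"{'WARNING' if flagged else 'ok     '}  {label}")
    print("substring mode on the updated_at query:",
          is_suspicious(SAMPLES["unquoted column name containing a keyword"], whole_word=False))
```

The second sample is reported because the injected quote leaves the trailing one unmatched, so DROP stays visible. The fourth is not: the opening quote is paired with the escaped one inside O\'Reilly, the next pair then swallows the DROP, and the scanner returns the query as clean even though MySQL would treat \' as part of the string and run the stacked statement.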