Proposal to secure $xoopsDB->query method

by nachenko on 2008/4/4 14:44:58

Remember the discussion about the ->query method?

http://community.impresscms.org/modules/newbb/viewtopic.php?post_id=13353#forumpost13353

This was my proposal.

Now this is the code that tries to implement this proposal.

This is a test function, not related to iCMS; I just wanted to try my method of detecting SQL injections. This is the code:

<?php
// Unsafe query for testing
$test_query = "SELECT * FROM 'database' WHERE field1 = 'field1' AND field2 = \"field2\" AND field3 = `field3`; DROP UPDATE INSERT DELETE";
// Safe query - uncomment to test
// $test_query = "SELECT * FROM 'database' WHERE field1 = 'field1' AND field2 = \"field2\" AND field3 = `field3`";

echo (validate_query ($test_query));

function validate_query ($q)
{
    $original = $q;
    $separators = array ('\'', '"', '`');
    $forbidden = array ('drop', 'update', 'insert', 'delete');

    // To make search PHP 4 compatible, we won't use case-insensitive search functions
    $q = strtolower (trim ($q));

    // Strip every quoted string (both delimiters included) so that keywords
    // inside a literal are not counted; an unmatched delimiter is left alone
    foreach ($separators as $s) {
        $first = strpos ($q, $s);
        while ($first !== false) {
            $next = strpos ($q, $s, $first + 1);
            if ($next === false) {
                break;
            }
            $q = substr_replace ($q, '', $first, ($next - $first) + 1);
            $first = strpos ($q, $s, $first);
        }
    }

    // Any forbidden word left outside a quoted string marks the query as suspicious
    foreach ($forbidden as $f) {
        $found = strpos ($q, $f);
        if ($found !== false) {
            return ("WARNING: Suspicious query: $original");
        }
    }
    return $original;
}
?>



If it works, we should change two or three lines to include it in iCMS.
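As an added example, not part of nachenko's post and not ImpressCMS code, the following restates the proposal's two steps (strip quoted literals, then search the remainder for a blacklist of verbs) in a function called scan_query and runs it over a handful of constructed queries. The function and case names are this example's own; the inputs are made up so that the run shows which statements the approach flags, which it does not, and where a harmless query trips the list (a column named updated, a literal containing an escaped quote).

```php
<?php
// Added example: restates the quoted-literal stripping and keyword scan
// of the proposal above. scan_query(), strip_literals() and the sample
// queries are this example's own, not code from the post or from iCMS.

function strip_literals($q, array $separators)
{
    foreach ($separators as $s) {
        $from = 0;
        while (($open = strpos($q, $s, $from)) !== false) {
            $close = strpos($q, $s, $open + 1);
            if ($close === false) {
                break; // unterminated literal: leave the rest untouched
            }
            // drop the literal together with both delimiters
            $q = substr($q, 0, $open) . substr($q, $close + 1);
            $from = $open;
        }
    }
    return $q;
}

// Returns the first blacklisted verb found outside a quoted literal, or null.
function scan_query($q)
{
    $stripped = strip_literals(strtolower(trim($q)), array("'", '"', '`'));
    foreach (array('drop', 'update', 'insert', 'delete') as $word) {
        if (strpos($stripped, $word) !== false) {
            return $word;
        }
    }
    return null;
}

// Constructed inputs: label => array(sql, whether a reviewer would want it flagged)
$cases = array(
    'harmful statement appended'      => array("SELECT * FROM users WHERE id = 1; DROP TABLE users", true),
    'keyword only inside a literal'   => array("SELECT * FROM log WHERE msg = 'drop table users'", false),
    'legitimate column named updated' => array("SELECT id FROM posts WHERE updated > 1200000000", false),
    'escaped quote inside a literal'  => array("SELECT id FROM notes WHERE body = 'don\\'t delete'", false),
    'verb not on the list'            => array("SELECT name FROM users WHERE id = '' UNION SELECT pass FROM users", true),
);

foreach ($cases as $label => $case) {
    list($sql, $should_flag) = $case;
    $hit = scan_query($sql);
    $flagged = ($hit !== null);
    printf("%-32s flagged=%-4s wanted=%-4s %s\n",
        $label,
        $flagged ? 'yes' : 'no',
        $should_flag ? 'yes' : 'no',
        $flagged === $should_flag
            ? 'ok'
            : 'MISMATCH (' . ($hit !== null ? "matched '$hit'" : 'nothing matched') . ')');
}
```

Running it shows the first two cases behaving as intended, while the third and fourth are reported as suspicious because the substring search matches "update" inside "updated" and the stripping stops at the escaped quote, and the fifth passes untouched because neither UNION nor SELECT is on the list. Those are the inputs worth checking before wiring a scan like this into $xoopsDB->query.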