Proposal to secure $xoopsDB->query method

Subject: Proposal to secure $xoopsDB->query method
by nachenko on 2008/4/4 14:44:58

Remember a discussion about the ->query method? http://community.impresscms.org/modules/newbb/viewtopic.php?post_id=13353#forumpost13353

This was my proposal. Now this is the code that tries to execute this proposal. This is a test function, not related to iCMS; I just wanted to try my method to detect SQL injections. This is the code:

<?php
// Unsafe query for testing
$test_query = "SELECT * FROM 'database' WHERE field1 = 'field1' AND field2 = \"field2\" AND field3 = `field3`; DROP UPDATE INSERT DELETE";
// Safe query - uncomment to test
// $test_query = "SELECT * FROM 'database' WHERE field1 = 'field1' AND field2 = \"field2\" AND field3 = `field3`; DROP UPDATE INSERT DELETE";
echo (validate_query ($test_query));

function validate_query ($q) {
    $original = $q;
    $separators = array ('\'', '"', '`');
    $forbidden = array ('drop', 'update', 'insert', 'delete');
    $q = strtolower(trim($q)); // To make search PHP 4 compatible, we won't use case-insensitive search functions
    // Remove every quoted literal so that keywords inside data values are not matched
    foreach ($separators as $s) {
        $first = strpos($q, $s);                // haystack first, then the needle
        while ($first !== false) {
            $next = strpos($q, $s, $first + 1); // closing quote: search past the opening one
            if ($next === false) {
                break;                          // unbalanced quote: nothing more to strip
            }
            // Remove the literal together with both quotes
            $q = substr_replace($q, '', $first, $next - $first + 1);
            $first = strpos($q, $s);
        }
    }
    foreach ($forbidden as $f) {
        $found = strpos ($q, $f);
        if ($found !== false) {
            return ("WARNING: Suspicious query: $original");
        }
    }
    return $original;
}
?>

If it works, we should change two or three lines to include it in iCMS.
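As an added example (not code from the post or from ImpressCMS), here is the same quoted-literal-stripping heuristic written to handle two cases the version above misses: a backslash-escaped quote inside a literal, and a keyword that is only part of a longer word such as updated_at; the table and column names in the test queries are constructed.

```php
<?php
// Added example, not code from the original post or from ImpressCMS.
// Same heuristic as validate_query() above, with two edge cases handled:
//  - a backslash-escaped quote inside a literal (e.g. 'O\'Brien') does not end it;
//  - keywords match on word boundaries, so a column named updated_at is not flagged.
// Remove every quoted literal ('...', "...", `...`), honouring backslash escapes.
function strip_literals($q) {
    $out = '';
    $len = strlen($q);
    $i = 0;
    while ($i < $len) {
        $c = $q[$i];
        if ($c === "'" || $c === '"' || $c === '`') {
            $j = $i + 1;
            while ($j < $len && $q[$j] !== $c) {
                if ($q[$j] === '\\') {
                    $j++;                 // skip the character after a backslash
                }
                $j++;
            }
            $out .= $c . $c;              // keep an empty literal as a placeholder
            $i = $j + 1;                  // continue after the closing quote (or end of string)
        } else {
            $out .= $c;
            $i++;
        }
    }
    return $out;
}
// Return null when the query looks clean, otherwise the first suspicious keyword.
function suspicious_keyword($q) {
    $code = strip_literals($q);
    if (preg_match('/\b(drop|update|insert|delete)\b/i', $code, $m)) {
        return strtolower($m[1]);
    }
    return null;
}
// Constructed test queries (not from the original post).
$tests = array(
    "SELECT * FROM t WHERE f1 = 'insert' AND f2 = \"O\\\"Brien\"",  // keywords only inside literals
    "SELECT updated_at FROM t WHERE deleted = 0",                    // partial words: clean
    "SELECT * FROM t WHERE f1 = 'x'; DROP TABLE t",                  // second statement: flagged
);
foreach ($tests as $t) {
    $k = suspicious_keyword($t);
    echo ($k === null ? 'clean' : "suspect ($k)"), ': ', $t, "\n";
}
?>
```

ImpressCMS itself runs UPDATE, INSERT and DELETE statements through the same query method, so a filter like this also flags legitimate queries; it can serve as a detection heuristic next to quoting every interpolated value, not in place of it.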