author | Dan |
Wed, 21 Nov 2007 15:11:51 -0500 | |
changeset 273 | 96524a56d475 |
parent 268 | 58477ab3937f |
child 271 | f088805540ae |
child 272 | e0ec986c0af3 |
permissions | -rw-r--r-- |
1 | 1 |
<?php |
2 |
||
3 |
/* |
|
4 |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
142
ca9118d9c0f2
Rebrand as 1.0.2 (Coblynau); internal links are now parsed by RenderMan::parse_internal_links()
Dan
parents:
128
diff
changeset
|
5 |
* Version 1.0.2 (Coblynau) |
1 | 6 |
* Copyright (C) 2006-2007 Dan Fuhry |
7 |
* |
|
8 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
|
9 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
|
10 |
* |
|
11 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
|
12 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
|
13 |
*/ |
|
14 |
||
15 |
function db_error_handler($errno, $errstr, $errfile = false, $errline = false, $errcontext = Array() ) |
|
16 |
{ |
|
17 |
if ( !defined('ENANO_DEBUG') ) |
|
18 |
return; |
|
19 |
$e = error_reporting(0); |
|
20 |
error_reporting($e); |
|
21 |
if ( $e < $errno ) |
|
22 |
return; |
|
23 |
$errtype = 'Notice'; |
|
24 |
switch ( $errno ) |
|
25 |
{ |
|
26 |
case E_ERROR: case E_USER_ERROR: case E_CORE_ERROR: case E_COMPILE_ERROR: $errtype = 'Error'; break; |
|
27 |
case E_WARNING: case E_USER_WARNING: case E_CORE_WARNING: case E_COMPILE_WARNING: $errtype = 'Warning'; break; |
|
28 |
} |
|
29 |
$debug = debug_backtrace(); |
|
30 |
$debug = $debug[2]['file'] . ', line ' . $debug[2]['line']; |
|
31 |
echo "<b>$errtype:</b> $errstr<br />Error source:<pre>$debug</pre>"; |
|
32 |
} |
|
33 |
||
34 |
class mysql { |
|
35 |
var $num_queries, $query_backtrace, $latest_result, $latest_query, $_conn, $sql_stack_fields, $sql_stack_values; |
|
36 |
var $row = array(); |
|
37 |
var $rowset = array(); |
|
38 |
var $errhandler; |
|
39 |
||
40 |
function enable_errorhandler() |
|
41 |
{ |
|
42 |
if ( function_exists('debug_backtrace') ) |
|
43 |
{ |
|
44 |
$this->errhandler = set_error_handler('db_error_handler'); |
|
45 |
} |
|
46 |
} |
|
47 |
||
48 |
function disable_errorhandler() |
|
49 |
{ |
|
50 |
if ( $this->errhandler ) |
|
51 |
{ |
|
52 |
set_error_handler($this->errhandler); |
|
53 |
} |
|
54 |
else |
|
55 |
{ |
|
56 |
restore_error_handler(); |
|
57 |
} |
|
58 |
} |
|
59 |
||
60 |
function sql_backtrace() { |
|
61 |
$qb = explode("\n", $this->query_backtrace); |
|
62 |
$bt = ''; |
|
63 |
//for($i=sizeof($qb)-1;$i>=0;$i--) { |
|
64 |
for($i=0;$i<sizeof($qb);$i++) { |
|
65 |
$bt .= $qb[$i]."\n"; |
|
66 |
} |
|
67 |
return $bt; |
|
68 |
} |
|
69 |
||
70 |
function ensure_connection() |
|
71 |
{ |
|
72 |
if(!$this->_conn) |
|
73 |
{ |
|
74 |
$this->connect(); |
|
75 |
} |
|
76 |
} |
|
77 |
||
78 |
function _die($t = '') { |
|
79 |
if(defined('ENANO_HEADERS_SENT')) { |
|
80 |
ob_clean(); |
|
81 |
} |
|
82 |
header('HTTP/1.1 500 Internal Server Error'); |
|
15
ad5986a53197
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
Dan
parents:
1
diff
changeset
|
83 |
$bt = $this->latest_query; // $this->sql_backtrace(); |
1 | 84 |
$e = htmlspecialchars(mysql_error()); |
85 |
if($e=='') $e='<none>'; |
|
91 | 86 |
$t = ( !empty($t) ) ? $t : '<No error description provided>'; |
87 |
global $email; |
|
88 |
$email_info = ( defined('ENANO_CONFIG_FETCHED') && is_object($email) ) ? ', at <' . $email->jscode() . $email->encryptEmail(getConfig('contact_email')) . '>' : ''; |
|
89 |
$internal_text = '<h3>The site was unable to finish serving your request.</h3> |
|
90 |
<p>We apologize for the inconveience, but an error occurred in the Enano database layer. Please report the full text of this page to the administrator of this site' . $email_info . '.</p> |
|
91 |
<p>Description or location of error: '.$t.'<br /> |
|
92 |
Error returned by MySQL extension: ' . $e . '<br /> |
|
93 |
Most recent SQL query:</p> |
|
94 |
<pre>'.$bt.'</pre>'; |
|
95 |
if(defined('ENANO_CONFIG_FETCHED')) die_semicritical('Database error', $internal_text); |
|
96 |
else grinding_halt('Database error', $internal_text); |
|
1 | 97 |
exit; |
98 |
} |
|
99 |
||
100 |
function die_json() |
|
101 |
{ |
|
102 |
$e = addslashes(htmlspecialchars(mysql_error())); |
|
103 |
$q = addslashes($this->latest_query); |
|
104 |
$t = "{'mode':'error','error':'An error occurred during database query.\nQuery was:\n $q\n\nError returned by MySQL: $e'}"; |
|
105 |
die($t); |
|
106 |
} |
|
107 |
||
108 |
function get_error($t = '') { |
|
109 |
header('HTTP/1.1 500 Internal Server Error'); |
|
110 |
$bt = $this->sql_backtrace(); |
|
111 |
$e = htmlspecialchars(mysql_error()); |
|
112 |
if($e=='') $e='<none>'; |
|
91 | 113 |
global $email; |
114 |
$email_info = ( defined('ENANO_CONFIG_FETCHED') && is_object($email) ) ? ', at <' . $email->jscode() . $email->encryptEmail(getConfig('contact_email')) . '>' : ''; |
|
115 |
$internal_text = '<h3>The site was unable to finish serving your request.</h3> |
|
116 |
<p>We apologize for the inconveience, but an error occurred in the Enano database layer. Please report the full text of this page to the administrator of this site' . $email_info . '.</p> |
|
117 |
<p>Description or location of error: '.$t.'<br /> |
|
118 |
Error returned by MySQL extension: ' . $e . '<br /> |
|
119 |
Most recent SQL query:</p> |
|
120 |
<pre>'.$bt.'</pre>'; |
|
121 |
return $internal_text; |
|
1 | 122 |
} |
123 |
||
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
124 |
function connect() |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
125 |
{ |
1 | 126 |
$this->enable_errorhandler(); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
127 |
|
1 | 128 |
dc_here('dbal: trying to connect....'); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
129 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
130 |
if ( defined('IN_ENANO_INSTALL') ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
131 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
132 |
@include(ENANO_ROOT.'/config.new.php'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
133 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
134 |
else |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
135 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
136 |
@include(ENANO_ROOT.'/config.php'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
137 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
138 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
139 |
if ( isset($crypto_key) ) |
1 | 140 |
unset($crypto_key); // Get this sucker out of memory fast |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
141 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
142 |
if ( !defined('ENANO_INSTALLED') && !defined('MIDGET_INSTALLED') && !defined('IN_ENANO_INSTALL') ) |
1 | 143 |
{ |
144 |
dc_here('dbal: oops, looks like Enano isn\'t set up. Constants ENANO_INSTALLED, MIDGET_INSTALLED, and IN_ENANO_INSTALL are all undefined.'); |
|
145 |
header('Location: install.php'); |
|
146 |
exit; |
|
147 |
} |
|
148 |
$this->_conn = @mysql_connect($dbhost, $dbuser, $dbpasswd); |
|
149 |
unset($dbuser); |
|
150 |
unset($dbpasswd); // Security |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
151 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
152 |
if ( !$this->_conn ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
153 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
154 |
dc_here('dbal: uhoh!<br />'.mysql_error()); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
155 |
grinding_halt('Enano is having a problem', '<p>Error: couldn\'t connect to MySQL.<br />'.mysql_error().'</p>'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
156 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
157 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
158 |
// Reset some variables |
1 | 159 |
$this->query_backtrace = ''; |
160 |
$this->num_queries = 0; |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
161 |
|
1 | 162 |
dc_here('dbal: we\'re in, selecting database...'); |
250
acb9d021b860
Database name can now contain dashes (as per requested at http://forum.enanocms.org/viewtopic.php?f=5&t=14); corrected some installer behavior issues with connecting as root and setting up permissions resulting in logs not being flushed, configs not being inserted, and what have you.
Dan
parents:
142
diff
changeset
|
163 |
$q = $this->sql_query('USE `'.$dbname.'`;'); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
164 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
165 |
if ( !$q ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
166 |
$this->_die('The database could not be selected.'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
167 |
|
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
168 |
// We're in! |
1 | 169 |
dc_here('dbal: connected to MySQL'); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
170 |
|
1 | 171 |
$this->disable_errorhandler(); |
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
172 |
return true; |
1 | 173 |
} |
174 |
||
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
175 |
function sql_query($q) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
176 |
{ |
1 | 177 |
$this->enable_errorhandler(); |
178 |
$this->num_queries++; |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
179 |
$this->query_backtrace .= $q . "\n"; |
1 | 180 |
$this->latest_query = $q; |
181 |
dc_here('dbal: making SQL query:<br /><tt>'.$q.'</tt>'); |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
182 |
// First make sure we have a connection |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
183 |
if ( !$this->_conn ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
184 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
185 |
$this->_die('A database connection has not yet been established.'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
186 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
187 |
// Does this query look malicious? |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
188 |
if ( !$this->check_query($q) ) |
1 | 189 |
{ |
190 |
$this->report_query($q); |
|
191 |
grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>'); |
|
192 |
} |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
193 |
|
1 | 194 |
$r = mysql_query($q, $this->_conn); |
195 |
$this->latest_result = $r; |
|
196 |
$this->disable_errorhandler(); |
|
197 |
return $r; |
|
198 |
} |
|
199 |
||
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
200 |
function sql_unbuffered_query($q) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
201 |
{ |
1 | 202 |
$this->enable_errorhandler(); |
203 |
$this->num_queries++; |
|
204 |
$this->query_backtrace .= '(UNBUFFERED) ' . $q."\n"; |
|
205 |
$this->latest_query = $q; |
|
206 |
dc_here('dbal: making SQL query:<br /><tt>'.$q.'</tt>'); |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
207 |
// First make sure we have a connection |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
208 |
if ( !$this->_conn ) |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
209 |
{ |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
210 |
$this->_die('A database connection has not yet been established.'); |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
211 |
} |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
212 |
// Does this query look malicious? |
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
213 |
if ( !$this->check_query($q) ) |
1 | 214 |
{ |
215 |
$this->report_query($q); |
|
216 |
grinding_halt('SQL Injection attempt', '<p>Enano has caught and prevented an SQL injection attempt. Your IP address has been recorded and the administrator has been notified.</p><p>Query was:</p><pre>'.htmlspecialchars($q).'</pre>'); |
|
217 |
} |
|
268
58477ab3937f
Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
Dan
parents:
256
diff
changeset
|
218 |
|
1 | 219 |
$r = mysql_unbuffered_query($q, $this->_conn); |
220 |
$this->latest_result = $r; |
|
221 |
$this->disable_errorhandler(); |
|
222 |
return $r; |
|
223 |
} |
|
224 |
||
225 |
/** |
|
226 |
* Checks a SQL query for possible signs of injection attempts |
|
227 |
* @param string $q the query to check |
|
228 |
* @return bool true if query passed check, otherwise false |
|
229 |
*/ |
|
230 |
||
231 |
function check_query($q, $debug = false) |
|
232 |
{ |
|
233 |
if($debug) echo "\$db->check_query(): checking query: ".htmlspecialchars($q).'<br />'."\n"; |
|
234 |
$sz = strlen($q); |
|
235 |
$quotechar = false; |
|
236 |
$quotepos = 0; |
|
237 |
$prev_is_quote = false; |
|
238 |
$just_started = false; |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
239 |
for ( $i = 0; $i < strlen($q); $i++, $c = substr($q, $i, 1) ) |
1 | 240 |
{ |
241 |
$next = substr($q, $i+1, 1); |
|
242 |
$next2 = substr($q, $i+2, 1); |
|
243 |
$prev = substr($q, $i-1, 1); |
|
244 |
$prev2 = substr($q, $i-2, 1); |
|
245 |
if(isset($c) && in_array($c, Array('"', "'", '`'))) |
|
246 |
{ |
|
247 |
if($quotechar) |
|
248 |
{ |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
249 |
if ( |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
250 |
( $quotechar == $c && $quotechar != $next && ( $quotechar != $prev || $just_started ) && $prev != '\\') || |
1 | 251 |
( $prev2 == '\\' && $prev == $quotechar && $quotechar == $c ) |
252 |
) |
|
253 |
{ |
|
254 |
$quotechar = false; |
|
255 |
if($debug) echo('$db->check_query(): just finishing a quote section, quoted string: '.htmlspecialchars(substr($q, $quotepos, $i - $quotepos + 1)) . '<br />'); |
|
256 |
$q = substr($q, 0, $quotepos) . 'SAFE_QUOTE' . substr($q, $i + 1, strlen($q)); |
|
257 |
if($debug) echo('$db->check_query(): Filtered query: '.$q.'<br />'); |
|
258 |
$i = $quotepos; |
|
259 |
} |
|
260 |
} |
|
261 |
else |
|
262 |
{ |
|
263 |
$quotechar = $c; |
|
264 |
$quotepos = $i; |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
265 |
$just_started = true; |
1 | 266 |
} |
267 |
if($debug) echo '$db->check_query(): found quote char as pos: '.$i.'<br />'; |
|
268 |
continue; |
|
269 |
} |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
270 |
$just_started = false; |
1 | 271 |
} |
272 |
if(substr(trim($q), strlen(trim($q))-1, 1) == ';') $q = substr(trim($q), 0, strlen(trim($q))-1); |
|
273 |
for($i=0;$i<strlen($q);$i++,$c=substr($q, $i, 1)) |
|
274 |
{ |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
275 |
if ( |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
276 |
( ( $c == ';' && $i != $sz-1 ) || $c . substr($q, $i+1, 1) == '--' ) |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
277 |
|| ( in_array($c, Array('"', "'", '`')) ) |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
278 |
) // Don't permit semicolons in mid-query, and never allow comments |
1 | 279 |
{ |
280 |
// Injection attempt! |
|
281 |
if($debug) |
|
282 |
{ |
|
283 |
$e = ''; |
|
284 |
for($j=$i-5;$j<$i+5;$j++) |
|
285 |
{ |
|
286 |
if($j == $i) $e .= '<span style="color: red; text-decoration: underline;">' . $c . '</span>'; |
|
287 |
else $e .= $c; |
|
288 |
} |
|
289 |
echo 'Injection attempt caught at pos: '.$i.'<br />'; |
|
290 |
} |
|
291 |
return false; |
|
292 |
} |
|
293 |
} |
|
128
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
294 |
if ( preg_match('/[\s]+(SAFE_QUOTE|[\S]+)=\\1($|[\s]+)/', $q, $match) ) |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
295 |
{ |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
296 |
if ( $debug ) echo 'Found always-true test in query, injection attempt caught, match:<br />' . '<pre>' . print_r($match, true) . '</pre>'; |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
297 |
return false; |
01955bf53f96
Improved ban control page and allowed multiple entries/IP ranges; changed some parameters on jBox; user level changes are logged now
Dan
parents:
91
diff
changeset
|
298 |
} |
1 | 299 |
return true; |
300 |
} |
|
301 |
||
302 |
/** |
|
303 |
* Set the internal result pointer to X |
|
304 |
* @param int $pos The number of the row |
|
305 |
* @param resource $result The MySQL result resource - if not given, the latest cached query is assumed |
|
306 |
* @return true on success, false on failure |
|
307 |
*/ |
|
308 |
||
309 |
function sql_data_seek($pos, $result = false) |
|
310 |
{ |
|
311 |
$this->enable_errorhandler(); |
|
312 |
if(!$result) |
|
313 |
$result = $this->latest_result; |
|
314 |
if(!$result) |
|
315 |
{ |
|
316 |
$this->disable_errorhandler(); |
|
317 |
return false; |
|
318 |
} |
|
319 |
if(mysql_data_seek($result, $pos)) |
|
320 |
{ |
|
321 |
$this->disable_errorhandler(); |
|
322 |
return true; |
|
323 |
} |
|
324 |
else |
|
325 |
{ |
|
326 |
$this->disable_errorhandler(); |
|
327 |
return false; |
|
328 |
} |
|
329 |
} |
|
330 |
||
331 |
/** |
|
332 |
* Reports a bad query to the admin |
|
333 |
* @param string $query the naughty query |
|
334 |
* @access private |
|
335 |
*/ |
|
336 |
||
337 |
function report_query($query) |
|
338 |
{ |
|
339 |
global $session; |
|
340 |
if(is_object($session) && defined('ENANO_MAINSTREAM')) |
|
341 |
$username = $session->username; |
|
342 |
else |
|
343 |
$username = 'Unavailable'; |
|
344 |
$query = $this->escape($query); |
|
345 |
$q = $this->sql_query('INSERT INTO '.table_prefix.'logs(log_type, action, time_id, date_string, page_text, author, edit_summary) |
|
346 |
VALUES(\'security\', \'sql_inject\', '.time().', \'\', \''.$query.'\', \''.$username.'\', \''.$_SERVER['REMOTE_ADDR'].'\');'); |
|
347 |
} |
|
348 |
||
73
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
349 |
/** |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
350 |
* Returns the ID of the row last inserted. |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
351 |
* @return int |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
352 |
*/ |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
353 |
|
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
354 |
function insert_id() |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
355 |
{ |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
356 |
return @mysql_insert_id(); |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
357 |
} |
0a74676a2f2f
Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
Dan
parents:
21
diff
changeset
|
358 |
|
1 | 359 |
function fetchrow($r = false) { |
360 |
$this->enable_errorhandler(); |
|
361 |
if(!$this->_conn) return false; |
|
362 |
if(!$r) $r = $this->latest_result; |
|
363 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
364 |
$row = mysql_fetch_assoc($r); |
|
365 |
$this->disable_errorhandler(); |
|
366 |
return $row; |
|
367 |
} |
|
368 |
||
369 |
function fetchrow_num($r = false) { |
|
370 |
$this->enable_errorhandler(); |
|
371 |
if(!$r) $r = $this->latest_result; |
|
372 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
373 |
$row = mysql_fetch_row($r); |
|
374 |
$this->disable_errorhandler(); |
|
375 |
return $row; |
|
376 |
} |
|
377 |
||
378 |
function numrows($r = false) { |
|
379 |
$this->enable_errorhandler(); |
|
380 |
if(!$r) $r = $this->latest_result; |
|
381 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
382 |
$n = mysql_num_rows($r); |
|
383 |
$this->disable_errorhandler(); |
|
384 |
return $n; |
|
385 |
} |
|
386 |
||
387 |
function escape($str) |
|
388 |
{ |
|
389 |
$this->enable_errorhandler(); |
|
390 |
$str = mysql_real_escape_string($str); |
|
391 |
$this->disable_errorhandler(); |
|
392 |
return $str; |
|
393 |
} |
|
394 |
||
395 |
function free_result($result = false) |
|
396 |
{ |
|
397 |
$this->enable_errorhandler(); |
|
398 |
if(!$result) |
|
399 |
$result = $this->latest_result; |
|
400 |
if(!$result) |
|
401 |
{ |
|
402 |
$this->disable_errorhandler(); |
|
403 |
return null; |
|
404 |
} |
|
405 |
mysql_free_result($result); |
|
406 |
$this->disable_errorhandler(); |
|
407 |
return null; |
|
408 |
} |
|
409 |
||
410 |
function close() { |
|
411 |
dc_here('dbal: closing MySQL connection'); |
|
412 |
mysql_close($this->_conn); |
|
413 |
unset($this->_conn); |
|
414 |
} |
|
415 |
||
416 |
// phpBB DBAL compatibility |
|
417 |
function sql_fetchrow($r = false) |
|
418 |
{ |
|
419 |
return $this->fetchrow($r); |
|
420 |
} |
|
421 |
function sql_freeresult($r = false) |
|
422 |
{ |
|
423 |
if(!$this->_conn) return false; |
|
424 |
if(!$r) $r = $this->latest_result; |
|
425 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
426 |
mysql_free_result($r); |
|
427 |
} |
|
428 |
function sql_numrows($r = false) |
|
429 |
{ |
|
430 |
if(!$this->_conn) return false; |
|
431 |
if(!$r) $r = $this->latest_result; |
|
432 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
433 |
return mysql_num_rows($r); |
|
434 |
} |
|
435 |
function sql_affectedrows($r = false, $f, $n) |
|
436 |
{ |
|
437 |
if(!$this->_conn) return false; |
|
438 |
if(!$r) $r = $this->latest_result; |
|
439 |
if(!$r) $this->_die('$db->fetchrow(): an invalid MySQL resource was passed.'); |
|
440 |
return mysql_affected_rows(); |
|
441 |
} |
|
442 |
||
443 |
function sql_type_cast(&$value) |
|
444 |
{ |
|
445 |
if ( is_float($value) ) |
|
446 |
{ |
|
447 |
return doubleval($value); |
|
448 |
} |
|
449 |
if ( is_integer($value) || is_bool($value) ) |
|
450 |
{ |
|
451 |
return intval($value); |
|
452 |
} |
|
453 |
if ( is_string($value) || empty($value) ) |
|
454 |
{ |
|
455 |
return '\'' . $this->sql_escape_string($value) . '\''; |
|
456 |
} |
|
457 |
// uncastable var : let's do a basic protection on it to prevent sql injection attempt |
|
458 |
return '\'' . $this->sql_escape_string(htmlspecialchars($value)) . '\''; |
|
459 |
} |
|
460 |
||
461 |
function sql_statement(&$fields, $fields_inc='') |
|
462 |
{ |
|
463 |
// init result |
|
464 |
$this->sql_fields = $this->sql_values = $this->sql_update = ''; |
|
465 |
if ( empty($fields) && empty($fields_inc) ) |
|
466 |
{ |
|
467 |
return; |
|
468 |
} |
|
469 |
||
470 |
// process |
|
471 |
if ( !empty($fields) ) |
|
472 |
{ |
|
473 |
$first = true; |
|
474 |
foreach ( $fields as $field => $value ) |
|
475 |
{ |
|
476 |
// field must contain a field name |
|
477 |
if ( !empty($field) && is_string($field) ) |
|
478 |
{ |
|
479 |
$value = $this->sql_type_cast($value); |
|
480 |
$this->sql_fields .= ( $first ? '' : ', ' ) . $field; |
|
481 |
$this->sql_values .= ( $first ? '' : ', ' ) . $value; |
|
482 |
$this->sql_update .= ( $first ? '' : ', ' ) . $field . ' = ' . $value; |
|
483 |
$first = false; |
|
484 |
} |
|
485 |
} |
|
486 |
} |
|
487 |
if ( !empty($fields_inc) ) |
|
488 |
{ |
|
489 |
foreach ( $fields_inc as $field => $indent ) |
|
490 |
{ |
|
491 |
if ( $indent != 0 ) |
|
492 |
{ |
|
493 |
$this->sql_update .= (empty($this->sql_update) ? '' : ', ') . $field . ' = ' . $field . ($indent < 0 ? ' - ' : ' + ') . abs($indent); |
|
494 |
} |
|
495 |
} |
|
496 |
} |
|
497 |
} |
|
498 |
||
499 |
function sql_stack_reset($id='') |
|
500 |
{ |
|
501 |
if ( empty($id) ) |
|
502 |
{ |
|
503 |
$this->sql_stack_fields = array(); |
|
504 |
$this->sql_stack_values = array(); |
|
505 |
} |
|
506 |
else |
|
507 |
{ |
|
508 |
$this->sql_stack_fields[$id] = array(); |
|
509 |
$this->sql_stack_values[$id] = array(); |
|
510 |
} |
|
511 |
} |
|
512 |
||
513 |
function sql_stack_statement(&$fields, $id='') |
|
514 |
{ |
|
515 |
$this->sql_statement($fields); |
|
516 |
if ( empty($id) ) |
|
517 |
{ |
|
518 |
$this->sql_stack_fields = $this->sql_fields; |
|
519 |
$this->sql_stack_values[] = '(' . $this->sql_values . ')'; |
|
520 |
} |
|
521 |
else |
|
522 |
{ |
|
523 |
$this->sql_stack_fields[$id] = $this->sql_fields; |
|
524 |
$this->sql_stack_values[$id][] = '(' . $this->sql_values . ')'; |
|
525 |
} |
|
526 |
} |
|
527 |
||
528 |
function sql_stack_insert($table, $transaction=false, $line='', $file='', $break_on_error=true, $id='') |
|
529 |
{ |
|
530 |
if ( (empty($id) && empty($this->sql_stack_values)) || (!empty($id) && empty($this->sql_stack_values[$id])) ) |
|
531 |
{ |
|
532 |
return false; |
|
533 |
} |
|
534 |
switch( SQL_LAYER ) |
|
535 |
{ |
|
536 |
case 'mysql': |
|
537 |
case 'mysql4': |
|
538 |
if ( empty($id) ) |
|
539 |
{ |
|
540 |
$sql = 'INSERT INTO ' . $table . ' |
|
541 |
(' . $this->sql_stack_fields . ') VALUES ' . implode(",\n", $this->sql_stack_values); |
|
542 |
} |
|
543 |
else |
|
544 |
{ |
|
545 |
$sql = 'INSERT INTO ' . $table . ' |
|
546 |
(' . $this->sql_stack_fields[$id] . ') VALUES ' . implode(",\n", $this->sql_stack_values[$id]); |
|
547 |
} |
|
548 |
$this->sql_stack_reset($id); |
|
549 |
return $this->sql_query($sql, $transaction, $line, $file, $break_on_error); |
|
550 |
break; |
|
551 |
default: |
|
552 |
$count_sql_stack_values = empty($id) ? count($this->sql_stack_values) : count($this->sql_stack_values[$id]); |
|
553 |
$result = !empty($count_sql_stack_values); |
|
554 |
for ( $i = 0; $i < $count_sql_stack_values; $i++ ) |
|
555 |
{ |
|
556 |
if ( empty($id) ) |
|
557 |
{ |
|
558 |
$sql = 'INSERT INTO ' . $table . ' |
|
559 |
(' . $this->sql_stack_fields . ') VALUES ' . $this->sql_stack_values[$i]; |
|
560 |
} |
|
561 |
else |
|
562 |
{ |
|
563 |
$sql = 'INSERT INTO ' . $table . ' |
|
564 |
(' . $this->sql_stack_fields[$id] . ') VALUES ' . $this->sql_stack_values[$id][$i]; |
|
565 |
} |
|
566 |
$result &= $this->sql_query($sql, $transaction, $line, $file, $break_on_error); |
|
567 |
} |
|
568 |
$this->sql_stack_reset($id); |
|
569 |
return $result; |
|
570 |
break; |
|
571 |
} |
|
572 |
} |
|
573 |
||
574 |
function sql_subquery($field, $sql, $line='', $file='', $break_on_error=true, $type=TYPE_INT) |
|
575 |
{ |
|
576 |
// sub-queries doable |
|
577 |
$this->sql_get_version(); |
|
578 |
if ( !in_array(SQL_LAYER, array('mysql', 'mysql4')) || (($this->sql_version[0] + ($this->sql_version[1] / 100)) >= 4.01) ) |
|
579 |
{ |
|
580 |
return $sql; |
|
581 |
} |
|
582 |
||
583 |
// no sub-queries |
|
584 |
$ids = array(); |
|
585 |
$result = $this->sql_query(trim($sql), false, $line, $file, $break_on_error); |
|
586 |
while ( $row = $this->sql_fetchrow($result) ) |
|
587 |
{ |
|
588 |
$ids[] = $type == TYPE_INT ? intval($row[$field]) : '\'' . $this->sql_escape_string($row[$field]) . '\''; |
|
589 |
} |
|
590 |
$this->sql_freeresult($result); |
|
591 |
return empty($ids) ? 'NULL' : implode(', ', $ids); |
|
592 |
} |
|
593 |
||
594 |
function sql_col_id($expr, $alias) |
|
595 |
{ |
|
596 |
$this->sql_get_version(); |
|
597 |
return in_array(SQL_LAYER, array('mysql', 'mysql4')) && (($this->sql_version[0] + ($this->sql_version[1] / 100)) <= 4.01) ? $alias : $expr; |
|
598 |
} |
|
599 |
||
600 |
function sql_get_version() |
|
601 |
{ |
|
602 |
if ( empty($this->sql_version) ) |
|
603 |
{ |
|
604 |
$this->sql_version = array(0, 0, 0); |
|
605 |
switch ( SQL_LAYER ) |
|
606 |
{ |
|
607 |
case 'mysql': |
|
608 |
case 'mysql4': |
|
609 |
if ( function_exists('mysql_get_server_info') ) |
|
610 |
{ |
|
611 |
$lo_version = explode('-', mysql_get_server_info()); |
|
612 |
$this->sql_version = explode('.', $lo_version[0]); |
|
613 |
$this->sql_version = array(intval($this->sql_version[0]), intval($this->sql_version[1]), intval($this->sql_version[2]), $lo_version[1]); |
|
614 |
} |
|
615 |
break; |
|
616 |
||
617 |
case 'postgresql': |
|
618 |
case 'mssql': |
|
619 |
case 'mssql-odbc': |
|
620 |
default: |
|
621 |
break; |
|
622 |
} |
|
623 |
} |
|
624 |
return $this->sql_version; |
|
625 |
} |
|
626 |
||
627 |
function sql_error() |
|
628 |
{ |
|
629 |
if ( $this->_conn ) |
|
630 |
{ |
|
631 |
return mysql_error(); |
|
632 |
} |
|
633 |
else |
|
634 |
{ |
|
635 |
return array(); |
|
636 |
} |
|
637 |
} |
|
638 |
function sql_escape_string($t) |
|
639 |
{ |
|
640 |
return mysql_real_escape_string($t); |
|
641 |
} |
|
642 |
function sql_close() |
|
643 |
{ |
|
644 |
$this->close(); |
|
645 |
} |
|
646 |
function sql_fetchrowset($query_id = 0) |
|
647 |
{ |
|
648 |
if( !$query_id ) |
|
649 |
{ |
|
650 |
$query_id = $this->query_result; |
|
651 |
} |
|
652 |
||
653 |
if( $query_id ) |
|
654 |
{ |
|
655 |
unset($this->rowset[$query_id]); |
|
656 |
unset($this->row[$query_id]); |
|
657 |
||
658 |
while($this->rowset[$query_id] = mysql_fetch_array($query_id, MYSQL_ASSOC)) |
|
659 |
{ |
|
660 |
$result[] = $this->rowset[$query_id]; |
|
661 |
} |
|
662 |
||
663 |
return $result; |
|
664 |
} |
|
665 |
else |
|
666 |
{ |
|
667 |
return false; |
|
668 |
} |
|
669 |
} |
|
670 |
} |
|
671 |
||
672 |
?> |