
Fix: Sanitize PHP_SELF

1 parent 5027152 commit d08d28c0cda1f762a47cc205d4363de03df16675 @eldy eldy committed Nov 9, 2011
Showing with 32 additions and 18 deletions.
  1. +32 −18 htdocs/main.inc.php
@@ -62,26 +62,40 @@ function stripslashes_deep($value)
}
}
-// Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST)
-function test_sql_and_script_inject($val,$get)
+
+/**
+ * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF)
+ *
+ * @param string $val Value
+ * @param string $type 1=GET, 0=POST, 2=PHP_SELF
+ * @return boolean true if there is an injection
+ */
+function test_sql_and_script_inject($val, $type)
{
$sql_inj = 0;
- // For SQL Injection
- $sql_inj += preg_match('/delete[\s]+from/i', $val);
- $sql_inj += preg_match('/create[\s]+table/i', $val);
- $sql_inj += preg_match('/update.+set.+=/i', $val);
- $sql_inj += preg_match('/insert[\s]+into/i', $val);
- $sql_inj += preg_match('/select.+from/i', $val);
- $sql_inj += preg_match('/union.+select/i', $val);
- $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+ // For SQL Injection (onyl GET and POST are used to be included into bad escaped SQL requests)
+ if ($type != 2)
+ {
+ $sql_inj += preg_match('/delete[\s]+from/i', $val);
+ $sql_inj += preg_match('/create[\s]+table/i', $val);
+ $sql_inj += preg_match('/update.+set.+=/i', $val);
+ $sql_inj += preg_match('/insert[\s]+into/i', $val);
+ $sql_inj += preg_match('/select.+from/i', $val);
+ $sql_inj += preg_match('/union.+select/i', $val);
+ $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+ }
// For XSS Injection done by adding javascript with script
- $sql_inj += preg_match('/<script/i', $val);
- $sql_inj += preg_match('/base[\s]+href/i', $val);
- if ($get) $sql_inj += preg_match('/img[\s]+src/i', $val);
- if ($get) $sql_inj += preg_match('/style[\s]*=/i', $val);
- if ($get) $sql_inj += preg_match('/javascript:/i', $val);
- // For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
- if ($get) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
+ $sql_inj += preg_match('/<script/i', $val);
+ $sql_inj += preg_match('/base[\s]+href/i', $val);
+ if ($type == 1)
+ {
+ $sql_inj += preg_match('/img[\s]+src/i', $val);
+ $sql_inj += preg_match('/style[\s]*=/i', $val);
+ $sql_inj += preg_match('/javascript:/i', $val);
+ }
+ // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
+ if ($type == 1) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
+ if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val); // PHP_SELF is an url and must match url syntax
return $sql_inj;
}
// Security: Return true if OK, false otherwise
@@ -112,7 +126,7 @@ function analyse_sql_and_script(&$var,$get)
if (! empty($_SERVER["PHP_SELF"]))
{
$morevaltochecklikepost=array($_SERVER["PHP_SELF"]);
- analyse_sql_and_script($morevaltochecklikepost,0);
+ analyse_sql_and_script($morevaltochecklikepost,2);
}
// Sanity check on GET parameters
if (! empty($_SERVER["QUERY_STRING"]))
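Review bot: The PHP_SELF filter added in the first hunk, `if ($type == 2) $sql_inj += preg_match('/[\s;"]/', $val);`, is a denylist of three character classes, so a value that merely avoids whitespace, `;` and `"` passes even though it is not a valid URL path; an allowlist of the characters a script path is expected to contain, e.g. `if ($type == 2) $sql_inj += preg_match('/[^A-Za-z0-9_.\/%-]/', $val);`, states the "must match url syntax" rule from the comment directly and fails closed on everything else (whether PHP_SELF is additionally HTML-escaped where it is echoed cannot be seen from this hunk). The new docblock's `@return boolean true if there is an injection` does not match the body, which returns the integer counter `$sql_inj`; `@return int Number of suspicious patterns matched (0 when clean)` would be accurate. The `$type` comparisons use loose `!=`/`==`; since the documented values are the integers 0, 1 and 2, `$type !== 2` and `$type === 1` avoid string-coercion surprises from callers such as the one in the second hunk. Minor: "onyl" in the SQL-block comment should read "only".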
