@@ -62,26 +62,40 @@ function stripslashes_deep($value)
6262 }
6363}
6464
65- // Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST)
66- function test_sql_and_script_inject ($ val ,$ get )
65+
66+ /**
67+ * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF)
68+ *
69+ * @param string $val Value
70+ * @param string $type 1=GET, 0=POST, 2=PHP_SELF
71+ * @return boolean true if there is an injection
72+ */
73+ function test_sql_and_script_inject ($ val , $ type )
6774{
6875 $ sql_inj = 0 ;
69- // For SQL Injection
70- $ sql_inj += preg_match ('/delete[\s]+from/i ' , $ val );
71- $ sql_inj += preg_match ('/create[\s]+table/i ' , $ val );
72- $ sql_inj += preg_match ('/update.+set.+=/i ' , $ val );
73- $ sql_inj += preg_match ('/insert[\s]+into/i ' , $ val );
74- $ sql_inj += preg_match ('/select.+from/i ' , $ val );
75- $ sql_inj += preg_match ('/union.+select/i ' , $ val );
76- $ sql_inj += preg_match ('/(\.\.%2f)+/i ' , $ val );
76+ // For SQL Injection (onyl GET and POST are used to be included into bad escaped SQL requests)
77+ if ($ type != 2 )
78+ {
79+ $ sql_inj += preg_match ('/delete[\s]+from/i ' , $ val );
80+ $ sql_inj += preg_match ('/create[\s]+table/i ' , $ val );
81+ $ sql_inj += preg_match ('/update.+set.+=/i ' , $ val );
82+ $ sql_inj += preg_match ('/insert[\s]+into/i ' , $ val );
83+ $ sql_inj += preg_match ('/select.+from/i ' , $ val );
84+ $ sql_inj += preg_match ('/union.+select/i ' , $ val );
85+ $ sql_inj += preg_match ('/(\.\.%2f)+/i ' , $ val );
86+ }
7787 // For XSS Injection done by adding javascript with script
78- $ sql_inj += preg_match ('/<script/i ' , $ val );
79- $ sql_inj += preg_match ('/base[\s]+href/i ' , $ val );
80- if ($ get ) $ sql_inj += preg_match ('/img[\s]+src/i ' , $ val );
81- if ($ get ) $ sql_inj += preg_match ('/style[\s]*=/i ' , $ val );
82- if ($ get ) $ sql_inj += preg_match ('/javascript:/i ' , $ val );
83- // For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
84- if ($ get ) $ sql_inj += preg_match ('/"/i ' , $ val ); // We refused " in GET parameters value
88+ $ sql_inj += preg_match ('/<script/i ' , $ val );
89+ $ sql_inj += preg_match ('/base[\s]+href/i ' , $ val );
90+ if ($ type == 1 )
91+ {
92+ $ sql_inj += preg_match ('/img[\s]+src/i ' , $ val );
93+ $ sql_inj += preg_match ('/style[\s]*=/i ' , $ val );
94+ $ sql_inj += preg_match ('/javascript:/i ' , $ val );
95+ }
96+ // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
97+ if ($ type == 1 ) $ sql_inj += preg_match ('/"/i ' , $ val ); // We refused " in GET parameters value
98+ if ($ type == 2 ) $ sql_inj += preg_match ('/[\s;"]/ ' , $ val ); // PHP_SELF is an url and must match url syntax
8599 return $ sql_inj ;
86100}
87101// Security: Return true if OK, false otherwise
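Review bot: The new `$type != 2` and `$type == 1` tests (new-side lines 77 and 90) are loose comparisons, and any caller that still passes a boolean `true` for the former `$get` flag satisfies `true == 2`, so the whole SQL-injection block would be skipped for GET values while the XSS checks still run; the PHP_SELF caller in the second hunk passes an integer, but the other callers of `analyse_sql_and_script` are not visible here. Normalise once at the top of the function, `$type = (int) $type;`, and compare strictly with `if ($type !== 2)` and `if ($type === 1)`, changing the docblock's `@param string $type` to `int` to match. Separately, `preg_match()` returns `false` on a PCRE error (for instance the backtrack limit on a long value against `/select.+from/i`), which `+=` silently counts as no match; since the comment describes this filter as guarding badly escaped SQL, a pattern failure should be treated as a hit or at least surfaced via `preg_last_error()`. The `[\s;"]` class applied to PHP_SELF could also reject `<`, `>` and `'`, which are equally invalid in a URL path. The comment on new-side line 76 has a typo, `onyl` for `only`.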
@@ -112,7 +126,7 @@ function analyse_sql_and_script(&$var,$get)
112126if (! empty ($ _SERVER ["PHP_SELF " ]))
113127{
114128 $ morevaltochecklikepost =array ($ _SERVER ["PHP_SELF " ]);
115- analyse_sql_and_script ($ morevaltochecklikepost ,0 );
129+ analyse_sql_and_script ($ morevaltochecklikepost ,2 );
116130}
117131// Sanity check on GET parameters
118132if (! empty ($ _SERVER ["QUERY_STRING " ]))