#false confirmation :)
# Contact-form handler fragment: flattens $_POST into locals, builds an HTML body and mails it.
# NOTE(review): the trailing `if (!$x) {` block continues outside this excerpt.
# NOTE(review): stripslashes() is applied to top-level values only; on PHP 8 a nested array in $_POST
# would make it throw a TypeError rather than be skipped — confirm inputs are always scalar.
$_POST = Array_Map('stripslashes', $_POST);
# With EXTR_SKIP the prefix 'u' is ignored (prefixes apply only to EXTR_PREFIX_* modes), so every POST
# field becomes a same-named local ($nom, $tel, $email, $message, $city, $k, $t, ...) unless already set.
# NOTE(review): if $s, $mail or $subject are not defined before this point, a POST field of that name
# defines them — i.e. the header separator, recipient and subject would be caller-controlled; verify.
extract($_POST, EXTR_SKIP, 'u');
# Redacted address list: a sender using one of these is treated as a scanner and gets a 404.
if (in_array($email, ['*****@*****.**'])) { block('scanner'); r404(); die; }
# Adds() is an external helper (escaping/addslashes wrapper, presumably — confirm). It is applied to $ms
# before $ms is (re)assigned below, and never to $message or $city.
Adds($nom); Adds($tel); Adds($email); Adds($ms); Adds($k);
#if(ereg("seflow.it",HOST)or(ereg("email@",$email))or
# Link-bearing bodies ([url= / href=) are rejected as spam with a 404.
if (Preg_Match("#(\\[url|href)=#i", $message)) { r404(); }
$ms = "Nom: {$nom} ({$tel}) <br>email : {$email}<br>{$city}<br>{$message}<br><br>--- {$k} {$t}" . IP;
# Only double quotes are stripped, and only from the body — nothing below sanitises the header values.
$ms = str_replace('"', '', $ms);
#if(admin)die($ms);
#SQL5("insert into ben.contact(`nom`,`tel`,`email`,`message`,`key`,`date`)values(\"$nom\",\"$tel\",\"$email\",\"$ms\",\"$k\",NOW())");
$as = $de = $email; /* email entered in the form */
# NOTE(review): $as comes straight from the POSTed email and is placed in From:/Return-Path:/Reply-To:.
# A CR/LF in that value injects arbitrary headers (wmail() is external; whether it filters is unknown).
# Mitigation: reject unless filter_var($email, FILTER_VALIDATE_EMAIL) succeeds before building $headers.
$headers = "MIME-Version: 1.0{$s}Content-type: text/html; charset=iso-8859-1{$s}From:{$as}{$s}Return-Path:{$as}{$s}Reply-To:{$as}{$s}";
$msg = $ms;
$x = wmail($mail, $subject, $msg, $headers);
# Fallback transport when the first send reports failure; Bmail() receives the same pieces as an array.
if (!$x) { $subject .= ' (try#2 -> bmail)'; $x = Bmail(compact('subject', 'msg', 'mail', 'de', 'as')); }
if (!$x) {
/**
 * Run a SQL statement against a MySQL database chosen from $bd, the query text or site defaults,
 * reusing one process-wide mysqli connection kept in static locals.
 *
 * Flow: optional `#old` suffix stripping -> `.s3db` queries delegated to sqlite() -> database name
 * resolution (div_sql(), ` ciel.`/` p.`/` ben.` prefixes, then ReM() defaults) -> credential lookup
 * in $_ENV['c']['sql'][$bd] -> denylist regex check -> (re)connect if the database changed ->
 * mysqli_query()/mysqli_multi_query() -> error reporting -> result shaping.
 *
 * @param string $sql  statement to execute; may carry `#old` as a suffix or `¤` as a statement separator
 * @param mixed  $bd   database name, an `.s3db` path, or 1 (treated as a "close" flag); null = auto-detect
 * @param mixed  $opt  1 (same "close" flag) or an array that is extract()ed into this scope (e.g. ['safe' => 1]
 *                     enables multi-statement execution)
 * @return mixed mysqli_result|bool for plain queries, affected-row count for UPDATE/DELETE,
 *               insert id for INSERT, null on every early exit (dead connection, unknown db, denylist hit,
 *               deferred write, offline server, query error marked 'sql')
 *
 * NOTE(review): extract($opt) runs before anything else, so keys named sql, bd, param, close or safe in
 * $opt silently override the parameters and locals below.
 * NOTE(review): the injection regex is a denylist, not a substitute for prepared statements; callers
 * must still interpolate only trusted/escaped values.
 * External helpers used here (ReM/Rem, GT, e, av, db/Db/DB, FPC, FAP, rcache, R503, pre, Bmail, FB,
 * sqlite, div_sql) and constants (DB, ERLOGS, LOGS, SIP, SU, j10) are defined elsewhere in the project.
 */
function sql($sql, $bd = null, $opt = null) {
    if (is_array($opt)) { extract($opt); }
    # A trailing `#old` marker is stripped from the statement and recorded in $old (never read again here).
    $param = 'old';
    if (substr($sql, -4) == '#' . $param) { $sql = str_replace('#' . $param, '', $sql); ${$param} = 1; }
    #usage mysql court
    #if(substr_count($sql,"'")%2==1){db('injection : '.substr_count($sql,"'").$sql);return;}
    #str_replace("'",'’',$within the quoted space)
    # Connection state survives across calls: $status ('dead' disables the function), $bdsel (currently
    # selected db), $host (connected host), $conn (mysqli link).
    static $status, $bdsel, $host, $conn;
    if ($status == 'dead') { return; } # connection dropped
    if ($bd == 1 or $opt == 1) { $close = 1; unset($p, $nt); }
    # `something.s3db.` inside the query names a SQLite file: pull it out as $bd and route to sqlite().
    if (strpos($sql, '.s3db')) { Preg_match('~[^ ]+\\.s3db\\.~i', $sql, $m); $bd = trim($m[0], '.'); $sql = str_replace($m[0], '', $sql); }
    if (strpos($bd, '.s3db')) { return sqlite($sql, $bd, $close); }
    #if(function_exists('div_sql'))av(div_sql($sql,$bd));#addition ksv1:list($sql,$bd,$a)=div_sql($sql,$bd);#fonction divergentes
    # Site-specific hook may rewrite the statement, the db name and supply credentials ($a) directly.
    if (function_exists('div_sql')) { list($sql, $bd, $a) = div_sql($sql, $bd); } #addition ksv1:list($sql,$bd,$a)=div_sql($sql,$bd);# divergent functions
    # Infer the db from a schema-qualified table reference when none was given.
    if (!$bd && strpos($sql, ' ciel.')) { $bd = 'ciel'; } elseif (!$bd && strpos($sql, ' p.')) { $bd = 'p'; } elseif (!$bd && strpos($sql, ' ben.')) { $bd = 'ben'; }
    # ReM() presumably fills an empty $bd from the first non-empty candidate — confirm. If so, the
    # request parameter `defaultdb` can select which configured database a db-less query runs against
    # (bounded by the entries that exist in $_ENV['c']['sql']).
    ReM($bd, array($_ENV['defaultdb'], $_GET['defaultdb'], DB, 'localhost'));
    #av($sql,$bd);
    # $a = [host, user, password] as consumed by mysqli_connect() below.
    if (!$a) { $a = $_ENV['c']['sql'][$bd]; } # if not supplied by div_sql()
    if (!$a) { db("5.sqldb not defined : {$bd} {$sql}"); return; }
    #if(J9){echo'<pre>';print_r([$sql,$sa,$bd,SIP,$a,'dfdeb'=>$_ENV['defaultdb'],'getdef'=>$_GET['defaultdb'],'db'=>DB]);die;}#,ben,aws #$bd=ben,SIP=aws
    # Denylist of comment/terminator/stacked-statement patterns: logs the statement to ERLOGS and aborts.
    if (preg_match("~(/\\*|--|\\(\\{) '|\\x(00|1a)|;(drop|select|delete|update)|'? union select~i", $sql, $m)) { av('injection match', $m); FPC(ERLOGS, "\nsql injection:{$sql}", 4); return; } #injection tester - never add those
    # GT() looks like a named stopwatch (elapsed value for a label) — confirm. Writes whose label has been
    # seen for >10000 units are appended to the "sql.decalees" (deferred) log instead of being executed.
    $Stamp = substr($sql, 4, 15) . " " . substr($sql, -7);
    if (GT($Stamp) > 10000 and Preg_Match("~update |insert ~i", $sql)) { FAP(LOGS . 
"sql.decalees", $sql); return; } #check for these ones with a cron
    if (!e(',sqlon', 1)) { $bdsel = ''; } #could have been killed .....
    if ($bd != $bdsel) {
        GT("sqlon" . $bd);
        $bdsel = $bd; # re-create the connection
        $_ENV['dbe'][] = $sql;
        if ($a[0] == '94.23.226.97') { return; } #server offline - returns null - Db(NU.'->'.$sql,'prio');
        Rem($sa, SIP, $_ENV['server']);
        if (SIP == $a[0]) { $a[0] = '127.0.0.1'; } # if we try to connect to a configured IP that is really this host, use loopback
        # Only reconnect if the host actually changed.
        if ($host != $a[0]) {
            $host = $a[0];
            $GLOBALS['mysqlconnection'] = $_ENV['sqlconn'] = $conn = mysqli_connect($a[0], $a[1], $a[2]);
            # BUG(review): `||` binds tighter than `=`, so $n receives a bool ("1"), not the error text;
            # intended form is `($n = mysqli_connect_error()) || !$conn`.
            # NOTE(review): both log lines below print_r($a), which includes the password $a[2] — the
            # credential lands in the error_log file and in Db(). Log $a[0]/$a[1] only.
            # NOTE(review): under PHP 8.1+ default mysqli report mode, mysqli_connect() throws instead
            # of returning false, so this branch may never run — confirm mysqli_report() configuration.
            if ($n = mysqli_connect_error() || !$conn) { File_put_contents(ini_get('error_log'), "\n" . SU . " > {$bd}/{$sql}; pas de connexion sql : " . $n . "-" . str_replace("\n", '', print_r($a, 1)), FILE_APPEND); Db(SU . " > {$bd}/{$sql}; pas de connexion sql : " . $n . "\n" . print_r($a, 1)); return; }
            $n = mysqli_error($conn);
        }
        if ($n) { Db('sqlerror ' . $sql . ' ' . $n); }
        #if(j10)fb("connect:$a[0],$a[1],$a[2]");
        # NOTE(review): this message also discloses the password $a['2'] to the logger.
        if (!$conn) { DB("!sqlcon:{$a['0']},{$a['1']},{$a['2']}"); }
        # BUG(review): stripos() arguments are swapped (haystack 'uplicate', needle $n) — the duplicate-key
        # exemption never matches, so any connect-time error reaches this branch. The later
        # `strpos($n, "uplicate entry")` has the right order.
        # NOTE(review): pre($a) (formatter, presumably) puts the credential triple into the 503 response
        # body sent to the client — emit only the host, or nothing, here.
        if (!$conn || $n && !stripos('uplicate', $n)) { av("nc:bd:{$bd}/{$sql}; {$n}"); rcache(); $host = $bdsel = 'dead'; Db(SU . " 503>nc:bd:{$bd}/{$sql}; {$n} "); R503("nc:{$bd}/{$sql}; {$n} " . pre($a)); return; }
        mysqli_select_db($conn, $bd);
        e(",sqlon:{$bd}");
    }
    #e(','.$sql);;
    $_ENV['sql'][] = $sql; #bug:possible bug if semicolon within some field..
    # `¤` is the in-house statement separator; multi-statement execution is allowed only when $safe was
    # passed via $opt. Results of the extra statements are not consumed here (later queries on the same
    # link may report "commands out of sync" — unverified).
    if (substr_count($sql, '¤') > 0 && $safe) { $x = mysqli_multi_query($conn, str_replace('¤', ';', $sql)); } elseif (substr_count($sql, '¤') > 0) { db('unsafe injection : ¤'); r404('¤'); } else { $x = mysqli_query($conn, $sql); }
    $_ENV['sqlquery'] = $x;
    # Per-request query counter is kept in $_GET (odd, but relied on by the timer label below).
    $_GET['nSQL']++;
    $n = mysqli_error($conn); #todo:add pdo, mysqli, mysqlnd
    if ($n) {
        $_ENV['errors'][] = $n;
        if (j10) { FB($_ENV['args']); }
        # BUG(review): the retry after `return;` is unreachable — either drop it or remove the first return.
        if (Preg_match("~server has gone away|access denied~i", $n)) { rcache(); $status = 'dead'; R503($n); return; return sql($sql, $bd); }
        elseif ($n and !strpos($n, "uplicate entry")) { db("{$sql}; {$n} {$_SERVER['SCRIPT_FILENAME']} " . SU); }
        # Duplicate-entry errors are recorded in $_ENV['error'] and abort with null.
        elseif ($n) { $_ENV['error'] .= "sqlfail:{$_SERVER['SCRIPT_FILENAME']} : {$sql} {$n}"; db($_ENV['error'], null, 'sql'); return; }
        # an error, but ...
    }
    # Shape the return value by statement kind (regex on the statement text, not on the result).
    if (Preg_match("~(update|delete) ~i", $sql)) { $x = Mysqli_affected_rows($conn); }
    if (Preg_match("~insert ~i", $sql)) { $x = Mysqli_insert_id($conn); }
    # ha, clean up congestion
    $Temps = GT('sql:' . $_GET['nSQL'] . ':' . $sql); // read the timer value
    # DEAD CODE(review): `... && 0` makes this condition always false; the body also calls mysql_query()
    # (ext/mysql, removed in PHP 7). Delete the block rather than keep it disabled.
    if ($Temps > 4000 and !preg_match("~OPTIMIZE|CSF|ALTER~i", $sql) && 0) { #stopped
        $x2 = mysql_query("SHOW PROCESSLIST");
        while ($t = @mysqli_fetch_assoc($x2)) { $killed[] = $t; if ($t["Time"] > 30) { mysql_query("kill {$t['Id']}"); $Temps .= "+kill {$t['Id']}"; db("kill {$Temps} >{$sql} via {$_SERVER['SCRIPT_FILENAME']}" . SU); } }
        if ($killed) { Bmail('sql killed', pre($killed)); }
    }
    #if(!Preg_match("~select ~i",$sql))av($sql."<li>".$x);
    return $x;
    #mysqli_free_result($x);//else echo mysql_error().$SQL;
}