/**
* Security: Return true if OK, false otherwise.
*
* @param string &$var Variable name
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
* @return boolean true if ther is an injection
*/
function analyse_sql_and_script(&$var, $type) {
if (is_array($var)) {
foreach ($var as $key => $value) {
if (analyse_sql_and_script($value, $type)) {
$var[$key] = $value;
} else {
print 'Access refused by SQL/Script injection protection in main.inc.php';
exit;
}
}
return true;
} else {
return (test_sql_and_script_inject($var, $type) <= 0);
}
}
/**
* Return true if security check on parameters are OK, false otherwise.
*
* @param string $var Variable name
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
* @return boolean||null true if there is an injection. Stop code if injection found.
*/
function analyseVarsForSqlAndScriptsInjection(&$var, $type)
{
if (is_array($var)) {
foreach ($var as $key => $value) {
if (analyseVarsForSqlAndScriptsInjection($value, $type)) {
$var[$key] = $value;
} else {
print 'Access refused by SQL/Script injection protection in main.inc.php (type=' . htmlentities($type) . ' key=' . htmlentities($key) . ' value=' . htmlentities($value) . ' page=' . htmlentities($_SERVER["REQUEST_URI"]) . ')';
exit;
}
}
return true;
} else {
return test_sql_and_script_inject($var, $type) <= 0;
}
}
/**
* testSqlAndScriptInject
*
* @return void
*/
public function testSqlAndScriptInject()
{
global $dolibarr_main_prod;
global $dolibarr_main_url_root;
global $dolibarr_main_data_root;
global $dolibarr_main_document_root;
global $dolibarr_main_data_root_alt;
global $dolibarr_main_document_root_alt;
global $dolibarr_main_db_host;
global $dolibarr_main_db_port;
global $dolibarr_main_db_type;
global $dolibarr_main_db_prefix;
// This is code copied from main.inc.php
/**
* Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
*
* @param string $val Value
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
* @return int >0 if there is an injection
*/
function test_sql_and_script_inject($val, $type)
{
$sql_inj = 0;
// For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
if ($type != 2) {
$sql_inj += preg_match('/delete[\\s]+from/i', $val);
$sql_inj += preg_match('/create[\\s]+table/i', $val);
$sql_inj += preg_match('/update.+set.+=/i', $val);
$sql_inj += preg_match('/insert[\\s]+into/i', $val);
$sql_inj += preg_match('/select.+from/i', $val);
$sql_inj += preg_match('/union.+select/i', $val);
$sql_inj += preg_match('/(\\.\\.%2f)+/i', $val);
}
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
// When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
$sql_inj += preg_match('/<script/i', $val);
if (!defined('NOSTYLECHECK')) {
$sql_inj += preg_match('/<style/i', $val);
}
$sql_inj += preg_match('/base[\\s]+href/i', $val);
if ($type == 1) {
$sql_inj += preg_match('/javascript:/i', $val);
$sql_inj += preg_match('/vbscript:/i', $val);
}
// For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
if ($type == 1) {
$sql_inj += preg_match('/"/i', $val);
}
// We refused " in GET parameters value
if ($type == 2) {
$sql_inj += preg_match('/[\\s;"]/', $val);
}
// PHP_SELF is an url and must match url syntax
return $sql_inj;
}
//type=2 key=0 value=/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices
$_SERVER["PHP_SELF"] = '/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices';
$result = test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
$expectedresult = 1;
$this->assertEquals($result, $expectedresult);
}
