Esempio n. 1
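/**
 * Run unsafe() over every top-level value of an array, in place.
 *
 * The array is taken by reference and mutated directly; it is also returned
 * so callers can use either form. Only the first level is walked: a value that
 * is itself an array is handed to unsafe() as-is (what unsafe() does with a
 * non-string is defined elsewhere in this file — check before relying on it).
 *
 * @param array $my_array Array of request values to sanitise (modified in place).
 * @return array The same array, with every value replaced by unsafe($value).
 */
function unsafe_array( &$my_array )
{
	foreach( $my_array as $key => &$value )
	{
		$value = unsafe( $value );
	}
	// Drop the by-reference iterator: left alone it would keep pointing at the
	// last element and any later write to $value would silently clobber it.
	unset( $value );
	return $my_array;
}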
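/**
 * Escape one scalar request value for SQL and, when $block_attacks is on,
 * wipe it if it contains blacklisted keywords, then pass it through unsafe().
 *
 * Reads the globals $db_con (the DB handle whose real_escape_string() is used;
 * presumably mysqli) and $block_attacks (the "1" switch for the blacklist).
 * Arrays are not handled here — see unsafe_array() for those.
 *
 * Security notes for maintainers:
 *  - Escaping is done at input time, not at the query site. The result is only
 *    safe inside a single-quoted SQL string literal; a value used as a number,
 *    identifier, LIKE pattern, file name or HTML output is still injectable
 *    (or carries stray backslashes). Prepared statements at the query are the
 *    real control; this function only narrows the exposure.
 *  - The keyword blacklist is case-insensitive and has no word boundaries, so
 *    ordinary text such as "profile", "selection" or "system" is blanked to ''
 *    while a payload that avoids these tokens passes. Treat it as a heuristic.
 *
 * @param string $input Raw scalar value from the request.
 * @return string Escaped value, or '' when the trojan signature or a
 *                blacklist rule matched.
 */
function cleaninput($input)
{
    global $db_con, $block_attacks;

    // get_magic_quotes_gpc() was removed in PHP 8 (calling it is a fatal
    // error) and has returned false since PHP 5.4; guard the call so the
    // file keeps running on current PHP without changing older behaviour.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        // undo the backslashes magic_quotes added to GPC data
        $input = stripslashes($input);
    }

    // prevent SQL-injection (valid only inside a quoted SQL string literal)
    $input = $db_con->real_escape_string($input);

    // URL-encoded UTF-16 BOM followed by "<script>": tr/vb.hpq trojan signature
    if (preg_match("/%FF%FE%3C%73%63%72%69%70%74%3E/i", $input)) {
        $input = '';
    }

    if ($block_attacks == "1") {
        // prevent XSS-attack and Shell-execute: keyword blacklist. Patterns are
        // kept verbatim so the set of blocked tokens does not change.
        $blacklist = array(
            "/cmd|CREATE|DELETE|DROP|eval|EXEC|File|INSERT|printf/i",
            "/LOCK|PROCESSLIST|SELECT|shell|SHOW|SHUTDOWN/i",
            "/SQL|SYSTEM|TRUNCATE|UNION|UPDATE|DUMP/i",
        );
        foreach ($blacklist as $pattern) {
            if (preg_match($pattern, $input)) {
                $input = '';
                break; // already empty, nothing further can match
            }
        }

        // suppress JavaScript execution and tag inclusions (unsafe() is
        // defined elsewhere in this file)
        $input = unsafe($input);
    }

    return $input;
}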