/** * Method to check the fixed param keyword for validity and further more escape the free text elems (even if this is not semantic) * @param array $whereParam * @param ParameterObject $d * @param bool $escapeFreeText if the function shall also escape the free text of the where clause * @return boolean */ public static function isWhereClauseValid($whereParam, $d, $escapeFreeText = true) { if (Config::useSecureMode() && $whereParam) { //error_log(print_r($whereParam,true)); $validFields = Config::getValidTables()[$d->getAttribute(PO::ATTR_TABLE)]; $validOperators = array('LIKE', '=', '<=', '>=', '!='); $validConcaters = array('OR', 'AND'); foreach ($whereParam as $param_group) { if (in_array($param_group[0], $validFields)) { if (in_array($param_group[1], $validOperators)) { if (in_array($param_group[3], $validConcaters) || $param_group[3] === null) { continue; } } } return false; } if ($escapeFreeText) { // secure free text elems $whereParam = array_map(function ($i) { $i[2] = sprintf('"%s"', addslashes($i[2])); return $i; }, $whereParam); $d->setAttribute(PO::ATTR_CONDITION, $whereParam); } return true; } else { return true; } }
require_once 'inheritance/iConnector.inter.php'; require_once 'inheritance/bConnector.class.php'; require_once 'inheritance/iConfig.inter.php'; // helper require_once 'helper/ConnectorSelector.class.php'; require_once 'helper/ParameterObject.class.php'; require_once 'helper/SecureModeHelper.class.php'; $dObj = new ParameterObject($_POST['options']); require_once 'config.class.inc.php'; // the point where the user config is loaded (removed dynamic path configuration from js for security reasons) $desired_connector = $dObj->getAttribute(PO::ATTR_CONNECTOR); $cs = new ConnectorSelector(); $connector = $cs->getConector($desired_connector); // try to select the connector // host, username, password, db $authRes = $connector->authenticate(Config::getHost(), Config::getUsername(), Config::getPassword(), $dObj->getAttribute(PO::ATTR_DATABASE_NAME)); $checkRes = SecureModeHelper::checkTable($dObj->getAttribute(PO::ATTR_TABLE), $dObj); if (is_numeric($checkRes)) { // we are returned a string in valid case or an int in failure case $data = array('success' => false); if ($checkRes === SecureModeHelper::FAILURE_TABLE_INVALID) { $data['error_str'] = 'You tried to us a table which is not on the whitelist due Secure Mode. Disable Secure Mode or add ' . $dObj->getAttribute(PO::ATTR_TABLE) . ' to the list of allowed tables'; } elseif ($checkRes === SecureModeHelper::FAILURE_FIELD_INVALID) { $data['error_str'] = 'You tried to us a table field which is not on the whitelist due Secure Mode. Disable Secure Mode or add all desired fields to the list of allowed fields'; } elseif ($checkRes === SecureModeHelper::FAILURE_DB_INVALID) { $data['error_str'] = 'You tried to select a DB which is not on the whitelist due Secure Mode. Disable Secure Mode or add ' . $dObj->getAttribute(PO::ATTR_DATABASE_NAME) . ' to the list of allowed DBs'; } } elseif (!is_numeric($dObj->getAttribute(PO::ATTR_ELEMENTS_PER_PAGE))) { $data = array('success' => false, 'error_str' => 'You configured Elements-PerPage failed the Security rules'); } elseif (!is_numeric($dObj->getAttribute(PO::ATTR_PAGE)) && !is_null($dObj->getAttribute(PO::ATTR_PAGE))) { $data = array('success' => false, 'error_str' => 'You desired page failed the Security rules');