PHP InputFilter::preventSqlInjection 예제들

예제 #1

파일: class.webdav.php 프로젝트: emildev35/processmaker

 /**
  * checkLock() helper
  *
  * @param string resource path to check for locks
  * @return bool true on success
  */
 public function checkLock($path)
 {
     G::LoadSystem('inputfilter');
     $filter = new InputFilter();
     $path = $filter->validateInput($path, 'nosql');
     $result = false;
     $query = "SELECT owner, token, expires, exclusivelock\n              FROM locks\n            WHERE path = '%s' ";
     $query = $filter->preventSqlInjection($query, array($path));
     $res = mysql_query($query);
     if ($res) {
         $row = mysql_fetch_array($res);
         mysql_free_result($res);
         if ($row) {
             $result = array("type" => "write", "scope" => $row["exclusivelock"] ? "exclusive" : "shared", "depth" => 0, "owner" => $row['owner'], "token" => $row['token'], "expires" => $row['expires']);
         }
     }
     return $result;
 }

예제 #2

파일: installer.php 프로젝트: nhenderson/processmaker

    /**

     * Privates functions section, non callable by http request

     */



    private function testMySQLconnection ()

    {

        G::LoadSystem('inputfilter');

        $filter = new InputFilter();

        $info = new StdClass();

        $info->result = false;

        $info->message = '';

        if (! function_exists( "mysql_connect" )) {

            $info->message = G::LoadTranslation('ID_PHP_MYSQL_NOT _INSTALL');

            return $info;

        }

        $db_hostname = $_REQUEST['db_hostname'];

        $db_hostname = $filter->validateInput($db_hostname);

        $db_port     = $_REQUEST['db_port'];

        $db_port     = $filter->validateInput($db_port);

        $db_username = $_REQUEST['db_username'];

        $db_username = $filter->validateInput($db_username);

        $db_password = $_REQUEST['db_password'];

        $db_password = $filter->validateInput($db_password);

        $fp = @fsockopen( $db_hostname, $db_port, $errno, $errstr, 30 );

        if (! $fp) {

            $info->message .= G::LoadTranslation('ID_CONNECTION_ERROR', SYS_LANG, Array("$errstr ($errno)"));

            return $info;

        }



        $db_host = ($db_port != '' && $db_port != 1433) ? $db_hostname . ':' . $db_port : $db_hostname;

       

        $link = @mysql_connect( $db_host, $db_username, $db_password );

        if (! $link) {

            $info->message .= G::LoadTranslation('ID_MYSQL_CREDENTIALS_WRONG');

            return $info;

        }

        $db_username = $filter->validateInput($db_username, 'nosql');

        $db_hostname = $filter->validateInput($db_hostname, 'nosql');

        $query = "SELECT * FROM `information_schema`.`USER_PRIVILEGES` where (GRANTEE = \"'%s'@'%s'\" OR GRANTEE = \"'%s'@'%%'\") ";   

        $query = $filter->preventSqlInjection($query, array($db_username, $db_hostname, $db_username));

        $res = @mysql_query( $query, $link );

        $row = @mysql_fetch_array( $res );

        $hasSuper = is_array( $row );

        @mysql_free_result( $res );

        @mysql_close( $link );

        if (! $hasSuper) {

            $info->message .= G::LoadTranslation('ID_CONNECTION_ERROR_PRIVILEGE', SYS_LANG, Array($db_username));

            return $info;

        }

        $info->message .= G::LoadTranslation('ID_MYSQL_SUCCESS_CONNECT');

        $info->result = true;

        return $info;

    }

예제 #3

파일: appCacheViewAjax.php 프로젝트: emildev35/processmaker

function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName = "")
{
    if ($port == 'none' || $port == '' || $port == 0) {
        //setting defaults ports
        switch ($type) {
            case 'mysql':
                $port = 3306;
                break;
            case 'pgsql':
                $port = 5432;
                break;
            case 'mssql':
                $port = 1433;
                break;
            case 'oracle':
                $port = 1521;
                break;
        }
    }
    G::LoadClass('net');
    $Server = new NET($server);
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    if ($Server->getErrno() == 0) {
        $Server->scannPort($port);
        if ($Server->getErrno() == 0) {
            $Server->loginDbServer($user, $passwd);
            $Server->setDataBase($dbName, $port);
            if ($Server->errno == 0) {
                $response = $Server->tryConnectServer($type);
                if ($response->status == 'SUCCESS') {
                    if ($Server->errno == 0) {
                        $message = "";
                        $response = $Server->tryConnectServer($type);
                        $server = $filter->validateInput($server);
                        $user = $filter->validateInput($user);
                        $passwd = $filter->validateInput($passwd);
                        $connDatabase = @mysql_connect($server, $user, $passwd);
                        $dbNameTest = "PROCESSMAKERTESTDC";
                        $dbNameTest = $filter->validateInput($dbNameTest, 'nosql');
                        $query = "CREATE DATABASE %s";
                        $query = $filter->preventSqlInjection($query, array($dbNameTest), $connDatabase);
                        $db = @mysql_query($query, $connDatabase);
                        $success = false;
                        if (!$db) {
                            $message = mysql_error();
                        } else {
                            $usrTest = "wfrbtest";
                            $chkG = "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%%' IDENTIFIED BY 'sample' WITH GRANT OPTION";
                            $chkG = $filter->preventSqlInjection($chkG, array($dbNameTest, $usrTest), $connDatabase);
                            $ch = @mysql_query($chkG, $connDatabase);
                            if (!$ch) {
                                $message = mysql_error();
                            } else {
                                $sqlCreateUser = "******";
                                $user = $filter->validateInput($user, 'nosql');
                                $sqlCreateUser = $filter->preventSqlInjection($sqlCreateUser, array($user . "_usertest", "sample"), $connDatabase);
                                $result = @mysql_query($sqlCreateUser, $connDatabase);
                                if (!$result) {
                                    $message = mysql_error();
                                } else {
                                    $success = true;
                                    $message = G::LoadTranslation('ID_SUCCESSFUL_CONNECTION');
                                }
                                $sqlDropUser = "******";
                                $user = $filter->validateInput($user, 'nosql');
                                $sqlDropUser = $filter->preventSqlInjection($sqlDropUser, array($user . "_usertest"), $connDatabase);
                                @mysql_query($sqlDropUser, $connDatabase);
                                $sqlDropUser = "******";
                                $usrTest = $filter->validateInput($usrTest, 'nosql');
                                $sqlDropUser = $filter->preventSqlInjection($sqlDropUser, array($usrTest), $connDatabase);
                                @mysql_query($sqlDropUser, $connDatabase);
                            }
                            $sqlDropDb = "DROP DATABASE %s";
                            $dbNameTest = $filter->validateInput($dbNameTest, 'nosql');
                            $sqlDropDb = $filter->preventSqlInjection($sqlDropDb, array($dbNameTest), $connDatabase);
                            @mysql_query($sqlDropDb, $connDatabase);
                        }
                        return array($success, $message != "" ? $message : $Server->error);
                    } else {
                        return array(false, $Server->error);
                    }
                } else {
                    return array(false, $Server->error);
                }
            } else {
                return array(false, $Server->error);
            }
        } else {
            return array(false, $Server->error);
        }
    } else {
        return array(false, $Server->error);
    }
}

예제 #4

파일: Filesystem.php 프로젝트: emildev35/processmaker

 /**
  * PROPPATCH method handler
  *
  * @param  array  general parameter passing array
  * @return bool   true on success
  */
 function PROPPATCH(&$options)
 {
     global $prefs, $tab;
     $msg = "";
     $path = $options["path"];
     $dir = dirname($path) . "/";
     $base = basename($path);
     if (!class_exists('G')) {
         $realdocuroot = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']);
         $docuroot = explode('/', $realdocuroot);
         array_pop($docuroot);
         $pathhome = implode('/', $docuroot) . '/';
         array_pop($docuroot);
         $pathTrunk = implode('/', $docuroot) . '/';
         require_once $pathTrunk . 'gulliver/system/class.g.php';
     }
     G::LoadSystem('inputfilter');
     $filter = new InputFilter();
     foreach ($options["props"] as $key => $prop) {
         if ($prop["ns"] == "DAV:") {
             $options["props"][$key]['status'] = "403 Forbidden";
         } else {
             if (isset($prop["val"])) {
                 $query = "REPLACE INTO properties SET path = '%s', name = '%s', ns= '%s', value = '%s'";
                 $query = $filter->preventSqlInjection($query, array($options['path'], $prop['name'], $prop['ns'], $prop['val']));
                 error_log($query);
             } else {
                 $query = "DELETE FROM properties WHERE path = '%s' AND name = '%s' AND ns = '%s'";
                 $query = $filter->preventSqlInjection($query, array($options['path'], $prop['name'], $prop['ns']));
             }
             mysql_query($query);
         }
     }
     return "";
 }

예제 #5

파일: SQLiteTableInfo.php 프로젝트: emildev35/processmaker

 /** Loads the indexes for this table. */
 protected function initIndexes()
 {
     include_once 'creole/metadata/IndexInfo.php';
     // columns have to be loaded first
     if (!$this->colsLoaded) {
         $this->initColumns();
     }
     $realdocuroot = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']);
     $docuroot = explode('/', $realdocuroot);
     array_pop($docuroot);
     $pathhome = implode('/', $docuroot) . '/';
     array_pop($docuroot);
     $pathTrunk = implode('/', $docuroot) . '/';
     require_once $pathTrunk . 'gulliver/system/class.inputfilter.php';
     $filter = new InputFilter();
     $sql = "PRAGMA index_list('" . $this->name . "')";
     $res = sqlite_query($this->conn->getResource(), $sql);
     while ($row = sqlite_fetch_array($res, SQLITE_ASSOC)) {
         $name = $row['name'];
         $name = $filter->validateInput($name);
         $this->indexes[$name] = new IndexInfo($name);
         // get columns for that index
         $query = "PRAGMA index_info('{$name}')";
         $res2 = sqlite_query($this->conn->getResource(), $filter->preventSqlInjection($query));
         while ($row2 = sqlite_fetch_array($res2, SQLITE_ASSOC)) {
             $colname = $row2['name'];
             $this->indexes[$name]->addColumn($this->columns[$colname]);
         }
     }
     $this->indexesLoaded = true;
 }

예제 #6

파일: class.database_mssql.php 프로젝트: emildev35/processmaker

 public function isConnected()
 {
     if (!$this->oConnection) {
         return false;
     }
     G::LoadSystem('inputfilter');
     $filter = new InputFilter();
     $query = $filter->preventSqlInjection("USE %s", array($this->sDataBase));
     return $this->executeQuery($query);
 }

예제 #7

파일: PgSQLTableInfo.php 프로젝트: emildev35/processmaker

 /** Loads the primary keys for this table. */
 protected function initPrimaryKey()
 {
     include_once 'creole/metadata/PrimaryKeyInfo.php';
     // columns have to be loaded first
     if (!$this->colsLoaded) {
         $this->initColumns();
     }
     // Primary Keys
     $realdocuroot = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']);
     $docuroot = explode('/', $realdocuroot);
     array_pop($docuroot);
     $pathhome = implode('/', $docuroot) . '/';
     array_pop($docuroot);
     $pathTrunk = implode('/', $docuroot) . '/';
     require_once $pathTrunk . 'gulliver/system/class.inputfilter.php';
     $filter = new InputFilter();
     $this->oid = $filter->validateInput($this->oid);
     $query = "SELECT\n\t\t\t\t\t\t\t\t\t\t\t\t\t      DISTINCT ON(cls.relname)\n\t\t\t\t\t\t\t\t\t\t\t\t\t      cls.relname as idxname,\n\t\t\t\t\t\t\t\t\t\t\t\t\t      indkey,\n\t\t\t\t\t\t\t\t\t\t\t\t\t      indisunique\n\t\t\t\t\t\t\t\t\t\t\t\t\tFROM pg_index idx\n\t\t\t\t\t\t\t\t\t\t\t\t\t     JOIN pg_class cls ON cls.oid=indexrelid\n\t\t\t\t\t\t\t\t\t\t\t\t\tWHERE indrelid = %s AND indisprimary\n\t\t\t\t\t\t\t\t\t\t\t\t\tORDER BY cls.relname";
     $result = pg_query($this->conn->getResource(), sprintf($filter->preventSqlInjection($query), $this->oid));
     if (!$result) {
         throw new SQLException("Could not list primary keys for table: " . $this->name, pg_last_error($this->conn->getResource()));
     }
     // Loop through the returned results, grouping the same key_name together
     // adding each column for that key.
     $realdocuroot = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']);
     $docuroot = explode('/', $realdocuroot);
     array_pop($docuroot);
     $pathhome = implode('/', $docuroot) . '/';
     array_pop($docuroot);
     $pathTrunk = implode('/', $docuroot) . '/';
     require_once $pathTrunk . 'gulliver/system/class.inputfilter.php';
     $filter = new InputFilter();
     $this->oid = $filter->validateInput($this->oid);
     while ($row = pg_fetch_assoc($result)) {
         $arrColumns = explode(' ', $row['indkey']);
         foreach ($arrColumns as $intColNum) {
             $intColNum = $filter->validateInput($intColNum, 'int');
             $query = "SELECT a.attname\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFROM pg_catalog.pg_class c JOIN pg_catalog.pg_attribute a ON a.attrelid = c.oid\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tWHERE c.oid = '%s' AND a.attnum = %d AND NOT a.attisdropped\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tORDER BY a.attnum";
             $result2 = pg_query($this->conn->getResource(), sprintf($filter->preventSqlInjection($query), $this->oid, $intColNum));
             if (!$result2) {
                 throw new SQLException("Could not list indexes keys for table: " . $this->name, pg_last_error($this->conn->getResource()));
             }
             $row2 = pg_fetch_assoc($result2);
             if (!isset($this->primaryKey)) {
                 $this->primaryKey = new PrimaryKeyInfo($row2['attname']);
             }
             $this->primaryKey->addColumn($this->columns[$row2['attname']]);
         }
         // foreach ($arrColumns as $intColNum)
     }
     $this->pkLoaded = true;
 }