/**
 * Security: recursively check a request variable (or an array of them)
 * for SQL/script injection patterns.
 *
 * Arrays are walked element by element; the first element that fails the
 * check prints a refusal message and terminates the script. A scalar is
 * accepted when test_sql_and_script_inject() reports no matching pattern.
 *
 * @param		string|array	&$var		Variable value (checked in place)
 * @param		string			$type		1=GET, 0=POST, 2=PHP_SELF
 * @return		boolean						true if the value passed the check (no injection detected)
 */
function analyse_sql_and_script(&$var, $type) {
    if (!is_array($var)) {
        // Scalar leaf: accepted when no denylist pattern matched.
        return test_sql_and_script_inject($var, $type) <= 0;
    }
    foreach ($var as $k => $v) {
        if (!analyse_sql_and_script($v, $type)) {
            print 'Access refused by SQL/Script injection protection in main.inc.php';
            exit;
        }
        // Write the element back through the reference; the check itself does not alter it.
        $var[$k] = $v;
    }
    return true;
}
/**
 * Return true if the security check on parameters is OK, false otherwise.
 *
 * Recursive variant used by main.inc.php: arrays are checked element by
 * element. The first rejected element prints a refusal message (type, key,
 * value and request URI, each passed through htmlentities()) and stops the
 * script; a scalar is accepted when test_sql_and_script_inject() finds nothing.
 *
 * @param		string|array	$var		Variable value (by reference, checked in place)
 * @param		string			$type		1=GET, 0=POST, 2=PHP_SELF
 * @return		boolean|null				true if the value passed the check. Stops the script if an injection is found.
 */
function analyseVarsForSqlAndScriptsInjection(&$var, $type)
{
    if (!is_array($var)) {
        // Scalar leaf: accepted when no denylist pattern matched.
        return (test_sql_and_script_inject($var, $type) <= 0);
    }
    foreach ($var as $k => $v) {
        if (!analyseVarsForSqlAndScriptsInjection($v, $type)) {
            // $v is a scalar here: a nested array would have exited inside the recursive call.
            $message = 'Access refused by SQL/Script injection protection in main.inc.php (type=' . htmlentities($type) . ' key=' . htmlentities($k) . ' value=' . htmlentities($v) . ' page=' . htmlentities($_SERVER["REQUEST_URI"]) . ')';
            print $message;
            exit;
        }
        // Write the element back through the reference; the check itself does not alter it.
        $var[$k] = $v;
    }
    return true;
}
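 /**
  * testSqlAndScriptInject
  *
  * Runs a local copy of the injection filter from main.inc.php against a
  * PHP_SELF value (type=2) that contains spaces, which the filter must reject.
  *
  * @return  void
  */
 public function testSqlAndScriptInject()
 {
     // This is code copied from main.inc.php. Guarded so that a test run where
     // main.inc.php is already loaded (or a repeated run) does not fatal on redeclare.
     if (!function_exists('test_sql_and_script_inject')) {
         /**
          * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
          *
          * Denylist heuristic: every preg_match() adds 0 or 1, so the return value is
          * the number of patterns that matched. $type is compared loosely (!=, ==),
          * so '1' and 1 behave alike.
          *
          * @param       string $val     Value
          * @param       string $type    1=GET, 0=POST, 2=PHP_SELF
          * @return      int             >0 if there is an injection (number of matched patterns)
          */
         function test_sql_and_script_inject($val, $type)
         {
             $sql_inj = 0;
             // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
             if ($type != 2) {
                 $sql_inj += preg_match('/delete[\\s]+from/i', $val);
                 $sql_inj += preg_match('/create[\\s]+table/i', $val);
                 $sql_inj += preg_match('/update.+set.+=/i', $val);
                 $sql_inj += preg_match('/insert[\\s]+into/i', $val);
                 $sql_inj += preg_match('/select.+from/i', $val);
                 $sql_inj += preg_match('/union.+select/i', $val);
                 $sql_inj += preg_match('/(\\.\\.%2f)+/i', $val);
             }
             // For XSS Injection done by adding javascript with script
             // This is all cases a browser consider text is javascript:
             // When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers
             // All examples on page: http://ha.ckers.org/xss.html#XSScalc
             $sql_inj += preg_match('/<script/i', $val);
             if (!defined('NOSTYLECHECK')) {
                 $sql_inj += preg_match('/<style/i', $val);
             }
             $sql_inj += preg_match('/base[\\s]+href/i', $val);
             if ($type == 1) {
                 $sql_inj += preg_match('/javascript:/i', $val);
                 $sql_inj += preg_match('/vbscript:/i', $val);
             }
             // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
             // We refuse " in GET parameter values.
             if ($type == 1) {
                 $sql_inj += preg_match('/"/i', $val);
             }
             // PHP_SELF is an url and must match url syntax: no whitespace, ';' or '"'.
             if ($type == 2) {
                 $sql_inj += preg_match('/[\\s;"]/', $val);
             }
             return $sql_inj;
         }
     }
     //type=2 key=0 value=/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices
     $_SERVER["PHP_SELF"] = '/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices';
     $result = test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
     // For type=2 the SQL and javascript: rules are skipped and no tag pattern is present,
     // so only the PHP_SELF rule /[\s;"]/ fires (on the spaces): exactly one pattern matched.
     $expectedresult = 1;
     // PHPUnit's signature is assertEquals($expected, $actual); keep expected first so a
     // failure message reports the right value as "expected".
     $this->assertEquals($expectedresult, $result);
 }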