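/**
 * Fetch product rows by id.
 *
 * When $productID equals the ALL_PRODUCTS constant (loose == comparison, as
 * before) the constant's value is bound; otherwise $productID is bound.
 * On a PDO failure the error is recorded via clearAndInitErrors()/addError()
 * and an empty array is returned, so callers can always iterate the result.
 * The connection is left open; it belongs to the caller.
 *
 * @param mixed $productID product id, or ALL_PRODUCTS
 * @param PDO   $db_handle open PDO connection
 * @return array rows from PDOStatement::fetchAll(); empty on error
 */
function getProduct($productID, $db_handle)
{
    // bindParam() takes its argument by reference, so handing it a constant
    // is a fatal error; bindValue() binds the value itself in both cases.
    $boundID = (ALL_PRODUCTS == $productID) ? ALL_PRODUCTS : $productID;

    try {
        $statement_handle = $db_handle->prepare(
            "SELECT * FROM products WHERE productID=(:productID)"
        );
        $statement_handle->bindValue(':productID', $boundID);
        $statement_handle->execute();
        return $statement_handle->fetchAll();
    } catch (PDOException $e) {
        // prepare() may throw before $statement_handle exists, so fetching
        // after the catch (as the original did) was not safe. The original's
        // displayErrors() call sat after the return and never ran.
        clearAndInitErrors();
        addError($e->getMessage());
        return array();
    }
}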
/**
 * Upload the site's top banner image and render the banner/add view.
 *
 * On a POST the file from the 'banner' field is stored under ./uploads/
 * as "topBanner<site>", where <site> is BASEURL2 without its last
 * character; a banner previously stored under another extension is removed
 * through deleteOthers(). Outcome is reported via addSuccess()/addError().
 * The view is rendered whether or not an upload took place.
 */
public function add()
{
    if ($_POST) {
        $siteName = substr(BASEURL2, 0, -1);
        $bannerName = 'topBanner' . $siteName;

        // Upload settings for the site image: image types only, fixed
        // file name so a new banner overwrites the previous one.
        $uploadConfig = array(
            'upload_path'   => './uploads/',
            'allowed_types' => 'gif|jpg|png|jpeg',
            'max_size'      => '1024',
            'max_width'     => '0',
            'max_height'    => '0',
            'file_name'     => $bannerName,
            'overwrite'     => TRUE,
        );
        $this->load->library('upload', $uploadConfig);

        if ($this->upload->do_upload('banner')) {
            $uploaded = $this->upload->data();
            // Drop banners left behind under a different extension.
            $this->deleteOthers($bannerName, $uploaded['file_ext']);
            addSuccess(getTxt('SiteSuccessfullyEdited'));
        } else {
            addError(getTxt('FailMoveFile') . $this->upload->display_errors());
        }
    }

    $this->load->view('banner/add', $this->StyleData);
}
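/**
 * Run every configured validation rule against the given input.
 *
 * self::$data maps a field name to an entry with 'friendlyName' and a list
 * of 'rules', each rule holding 'rule' (a name) and optionally 'vars'.
 * A rule naming a method of this class is called with the field name (plus
 * 'vars' when present); any other name is called as a plain function with
 * the field's raw input value. Each rule's 'passed' flag and the field's
 * 'passed' flag are written back into self::$data, and every failure is
 * reported via addError() using the translated 'validation_<rule>' text
 * with "%" replaced by the friendly name.
 *
 * Rule names are executed as callables, so self::$data must only ever come
 * from trusted configuration, never from request data.
 *
 * @param array|null $input values to validate; falls back to $_REQUEST
 * @return bool|int true when all rules pass, 0 when any rule fails,
 *                  false when there was nothing to validate
 */
public static function run($input)
{
    if (!$input) {
        $input = $_REQUEST;
    }
    if (!count($input)) {
        return false;
    }
    self::$input = $input;

    // The mixed true/0 result is kept for callers that test it loosely.
    $passed = true;

    foreach (self::$data as $fieldName => &$field) {
        foreach ($field['rules'] as &$rule) {
            $func = $rule['rule'];
            if (method_exists(__CLASS__, $func)) {
                $args = isset($rule['vars'])
                    ? array($fieldName, $rule['vars'])
                    : array($fieldName);
                $rule['passed'] = (int) call_user_func_array(array(__CLASS__, $func), $args);
            } else {
                // Plain-function rules see the raw value; a missing field is
                // passed as null instead of raising an undefined-index notice.
                $value = isset(self::$input[$fieldName]) ? self::$input[$fieldName] : null;
                $rule['passed'] = (int) call_user_func($func, $value);
            }

            if (!$rule['passed']) {
                addError(str_replace(
                    "%",
                    $field['friendlyName'],
                    MG_Lang::translate('validation_' . $rule['rule'])
                ));
                $passed = 0;
                $field['passed'] = 0;
            }
        }
        // Release the inner reference so it cannot alias the next field's rules.
        unset($rule);
    }
    // Release the outer reference; a later foreach over self::$data would
    // otherwise overwrite its last element through the dangling reference.
    unset($field);

    return $passed;
}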
/**
 * Abort the request when an MDB2 call returned a PEAR error.
 *
 * Records $msg plus the error message (and the user info when EC_DEBUG is
 * on) via addError(), prints the collected errors with show_errors() and
 * exits. Does nothing when $MDB2Object is not an error.
 *
 * @param mixed  $MDB2Object result of an MDB2 call
 * @param string $msg        context text placed before the error message
 */
function MDB2Error($MDB2Object, $msg = "")
{
    if (!PEAR::isError($MDB2Object)) {
        return;
    }

    $details = $msg . "<br>" . $MDB2Object->getMessage();
    addError($details);
    if (EC_DEBUG) {
        addError($MDB2Object->getUserinfo());
    }

    show_errors();
    die;
}
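/**
 * Delete every row of the `problems` table (the stored history) and
 * re-render the index page with a status message.
 *
 * The outcome message is placed in $this->data['msg'] before index() runs;
 * the original built a local $data array and never handed it over, so the
 * message was lost (the sibling delete() actions pass $this->data the same
 * way, and index() appears to render it — confirm against index()).
 * No authorisation check happens here; the caller/router has to make sure
 * the request is allowed to wipe the table.
 */
function deleteall()
{
    $searchModel = $this->loadmodel('SearchModel');

    if ($searchModel->query("DELETE FROM `problems`")) {
        $this->data['msg'] = addSuccess(lang('history has been deleted.'));
    } else {
        $this->data['msg'] = addError(lang('Unsuccess delete this history.'));
    }

    $this->index();
}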
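/**
 * Store a rating for object $objId given by the current visitor.
 *
 * Ratings from other nodes ($remoteData non-empty) are not handled yet.
 * A logged-in user's rating is keyed by user id; an anonymous visitor's
 * rating is keyed by the page auth key and rejected when no key exists.
 * In both cases an existing row is updated, otherwise a new one is created,
 * and the instant aggregate for the object is refreshed afterwards.
 *
 * @param mixed $objId      id of the rated object (prog_id)
 * @param mixed $rating     numeric value within [$this->minValue, $this->maxValue]
 * @param array $remoteData data of a rating received from another node (unused)
 * @return void errors are reported via addError()
 */
function setRating($objId, $rating, $remoteData = array())
{
    // $db is not used here; the timestamp comes from $this->db.
    global $page, $user;

    // checks
    if (!is_numeric($rating) || $rating < $this->minValue || $rating > $this->maxValue) {
        addError("invalid or empty rating");
        return;
    }

    if (!empty($remoteData)) {
        // this rating comes from another node...
        // TODO
    } elseif ($page->loggedIn()) {
        // local rating from registered user
        $this->find($objId, $user->id);
        $this->_stampRating($rating);
        if ($this->exists()) {
            // change existing rating
            $this->update();
        } else {
            // new rating
            $this->set('prog_id', $objId);
            $this->set('user_id', $user->id);
            $this->set('user_node_id', 0);
            $this->create();
        }
    } else {
        // anonymous rating
        // TODO: if there was a rating request from the same host within x minutes, then reject
        $key = $page->getAuthKey();
        if (!$key) {
            addError($page->getlocalized("cannot_rate_no_authkey")); // or $this->set('problem', 'no_auth_key');
            return;
        }
        $this->findAnon($objId, $key);
        $this->_stampRating($rating);
        if ($this->exists()) {
            // change existing rating
            $this->update();
        } else {
            // new rating
            $this->set('prog_id', $objId);
            $this->set('auth_key', $key);
            $this->create();
        }
    }

    $this->updateInstant($objId);
}

/**
 * Write the fields shared by registered and anonymous ratings: the value,
 * the requesting host and the database-side timestamp.
 *
 * @param mixed $rating validated rating value
 */
function _stampRating($rating)
{
    $this->set('rate', $rating);
    $this->set('host', getHostName());
    $this->set('entered', $this->db->getTimestampTz());
}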
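/**
 * Return the most-counted sub-topics, highest total first.
 *
 * Joins sotf_topics_counter with sotf_topic_tree_defs, skipping root
 * topics (supertopic = 0) and topics with no total, and resolves each
 * topic's display name through getTopicName().
 *
 * @param int $maxHits maximum number of rows to return
 * @return array list of counter rows with an added 'name' key; empty on a
 *               DB error or when nothing matched (the original returned
 *               null in the latter case)
 */
function getTopTopics($maxHits)
{
    $sql = "SELECT tc.* FROM sotf_topics_counter tc, sotf_topic_tree_defs td "
         . "WHERE tc.topic_id=td.id AND td.supertopic != 0 AND total > 0 ORDER BY total DESC";
    $res = $this->db->limitQuery($sql, 0, $maxHits);
    if (DB::isError($res)) {
        addError($res);
        return array();
    }

    // Start from an empty list so an empty result set yields array(), not null.
    $list = array();
    while (DB_OK === $res->fetchInto($item)) {
        $item['name'] = $this->getTopicName($item['topic_id']);
        $list[] = $item;
    }
    return $list;
}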
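/**
 * Delete the office whose id arrives in $post['params'] and re-render the
 * index page with the outcome message.
 *
 * The message, title and header reach index() through $this->data. The
 * original additionally reloaded every office into a local array after
 * rendering, which nothing could read, so that tail is dropped.
 *
 * @param array $post request data; 'params' holds the office id
 */
function delete($post)
{
    $office = $this->loadmodel('OfficeModel');
    // No id supplied: pass null rather than raising an undefined-index
    // notice; the model decides how a null id is treated. The value goes to
    // the model unvalidated, so Delete() has to bind it safely.
    $office->id = isset($post['params']) ? $post['params'] : null;

    if ($office->Delete()) {
        $data['msg'] = addSuccess(lang('1 office has been deleted.'));
    } else {
        $data['msg'] = addError(lang('Unsuccess delete this office.'));
    }
    $data['title'] = lang('Management office');
    $data['header'] = lang('Management office');

    $this->data = $data;
    $this->index();
}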
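/**
 * Delete the kinerja whose id arrives in $post['params'] and re-render the
 * index page with the outcome message.
 *
 * The message, title and header reach index() through $this->data. The
 * original additionally reloaded every kinerja into a local array after
 * rendering, which nothing could read, so that tail is dropped.
 *
 * @param array $post request data; 'params' holds the kinerja id
 */
function delete($post)
{
    $kinerja = $this->loadmodel('KinerjaModel');
    // No id supplied: pass null rather than raising an undefined-index
    // notice; the model decides how a null id is treated. The value goes to
    // the model unvalidated, so Delete() has to bind it safely.
    $kinerja->id = isset($post['params']) ? $post['params'] : null;

    if ($kinerja->Delete()) {
        $data['msg'] = addSuccess(lang('1 kinerja has been deleted.'));
    } else {
        $data['msg'] = addError(lang('Unsuccess delete this kinerja.'));
    }
    $data['title'] = lang('Management kinerja');
    $data['header'] = lang('Management kinerja');

    $this->data = $data;
    $this->index();
}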
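/**
 * Perform an XML-RPC call and return the decoded result.
 *
 * Parameters that are not already xmlrpcval objects are wrapped with
 * xmlrpc_encoder(). In debug mode the serialized request and response are
 * printed inside <PRE> blocks. A missing response or a fault response is
 * reported via addError() and yields NULL.
 *
 * @param string $url    endpoint URL; host and port are taken from it
 * @param string $method remote method name
 * @param array  $params positional call parameters
 * @return mixed decoded response value, or NULL on no response / fault
 */
function call($url, $method, $params)
{
    // xmlrpc encode parameters that are not wrapped yet. get_class() on a
    // non-object is an error in current PHP, so test is_object() first.
    foreach ($params as $idx => $param) {
        if (!is_object($param) || get_class($param) !== 'xmlrpcval') {
            $params[$idx] = xmlrpc_encoder($param);
        }
    }

    // send request
    $message = new xmlrpcmsg($method, $params);
    if ($this->debug) {
        print "<PRE>" . htmlentities($message->serialize()) . "</PRE>\n";
    }

    // parse_url() omits 'host'/'port' when the URL lacks them; pass null
    // explicitly instead of reading a missing index.
    $addr = parse_url($url);
    $host = isset($addr['host']) ? $addr['host'] : null;
    $port = isset($addr['port']) ? $addr['port'] : null;
    $client = new xmlrpc_client($url, $host, $port, $this->connTimeout, $this->recvTimeout);
    if ($this->debug) {
        $client->setDebug(1);
    }
    debug("XML-RPC", "call to " . $url);
    $response = $client->send($message);
    if ($this->debug) {
        print "<PRE>" . htmlentities($response->serialize()) . "</PRE>\n";
    }

    // process response
    if (!$response) {
        addError("No response: probably host is unreachable");
        return NULL;
    }
    if ($response->faultCode() > 0) {
        // there was an error
        addError("Error response: " . $response->faultCode() . " " . $response->faultString());
        return NULL;
    }

    $retval = $response->value();
    if ($retval) {
        $retval = xmlrpc_decoder($retval);
    }
    return $retval;
}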
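/**
 * Authenticate the posted username with the given password against the
 * users model and populate the session on success.
 *
 * For every row the model returns, the session is initialised with the
 * username and the row's authority. The session id is regenerated first,
 * so an id that existed before login is not carried into the
 * authenticated session.
 *
 * @param string $password password from the login form
 * @return bool true on success (LogInSuccess recorded), false otherwise
 *              (Incorrect recorded)
 */
function check_database($password)
{
    //Field validation succeeded. Validate against database
    $username = $this->input->post('username');

    //query the database
    $result = $this->users->login($username, $password);
    if (!$result) {
        addError(getTxt('Incorrect'));
        return false;
    }

    foreach ($result as $row) {
        //Set the SESSION
        fetch_session();
        // Privilege change: issue a fresh session id and discard the old one
        // (guarded, since fetch_session() is assumed to start the session —
        // confirm).
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['username'] = $username;
        $_SESSION['user_auth'] = $row->authority;
        addSuccess(getTxt('LogInSuccess'));
    }
    return true;
}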
/**
 * Dispatch a JSON API action by name.
 *
 * login, register and getTags are reachable without a session; every other
 * action requires a logged-in user, otherwise a fatal "user.unathorized"
 * error is recorded and an error JSON document is emitted. Unknown action
 * names are ignored silently.
 *
 * @param string $action action name from the request
 */
function doAction($action)
{
    $openActions = array("login", "register", "getTags");
    $handlers = array(
        "login"        => 'login',
        "logout"       => 'logout',
        "isLoggedIn"   => 'isLoggedIn',
        "register"     => 'register',
        "addquestion"  => 'addQuestion',
        "getTags"      => 'getTags',
        "getquestions" => 'getQuestions',
    );

    if (!isUserLoggedIn() && !in_array($action, $openActions, true)) {
        addError("fatal", "user.unathorized");
        outputJSON("error");
        return;
    }

    if (isset($handlers[$action])) {
        $handlers[$action]();
    }
}
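/**
 * Validate an array
 *
 * Checks that $array is an array and, when limits are given, that its
 * element count lies within [$lowerLimit, $upperLimit]. On failure
 * $message is recorded via addError() when one was supplied.
 *
 * @param array $array
 * @param string $message
 * @param integer/null $lowerLimit
 * @param integer/null $upperLimit
 * @return boolean
 *
 * @author Liviu
 * @since May 07, 2009
 */
function validateArray($array, $message = null, $lowerLimit = null, $upperLimit = null)
{
    $valid = is_array($array);
    if ($valid && $lowerLimit !== null && count($array) < $lowerLimit) {
        $valid = false;
    }
    if ($valid && $upperLimit !== null && count($array) > $upperLimit) {
        $valid = false;
    }

    // Single failure path instead of three copies of the same ternary.
    // The loose != null test is kept so an empty-string message is still
    // treated as "no message", as before.
    if (!$valid && $message != null) {
        addError($message);
    }
    return $valid;
}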
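// Login form handling: validate the posted credentials, open the session on
// success and decide which page to forward to. $forwardpage / $forward are
// read by code outside this run.
if (isset($_POST['flubber_submit'])) {
    $username = isset($_POST['flubber_username']) ? $_POST['flubber_username'] : "";
    $password = isset($_POST['flubber_password']) ? $_POST['flubber_password'] : "";

    if ($username === "") {
        addError("login.username.missing");
    }
    if ($password === "") {
        addError("login.password.missing");
    }

    if (getErrorCount() > 0) {
        // Forward slash throughout: the original mixed "views\\index.php"
        // with "views/index.php", and only the latter resolves on every OS.
        $forwardpage = "views/index.php";
    } elseif (validate($username, $password)) {
        // Fresh session id on login so a pre-login id is not kept.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['username'] = $username;
        if (isset($_SESSION['current_url'])) {
            // Return to the page remembered before the login round-trip.
            $curl = $_SESSION['current_url'];
            unset($_SESSION['current_url']);
            doAction("redirect", $curl);
        } else {
            doAction("home");
        }
        $forward = false;
    } else {
        addError("login.account.invalid");
        $forwardpage = "views/index.php";
    }
} else {
    // Not a submission: remember where the visitor was and show the form.
    $_SESSION['current_url'] = currentURL();
    $forwardpage = "views/index.php";
}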
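/**
 * Delete the jurnal whose id arrives in $post['params'] together with its
 * stored files, then re-render the index page with the outcome message.
 *
 * The file names come from the jurnal's own DB row (filepath, filetext),
 * not from the request; they are appended to FILE_PATH and
 * FILE_DIR.'xml'.DS as-is, so that row must never contain a name that
 * escapes those directories. A file that no longer exists is skipped.
 * The original reloaded every jurnal into a local array after rendering,
 * which nothing could read, so that tail is dropped.
 *
 * @param array $post request data; 'params' holds the jurnal id
 */
function delete($post)
{
    $jurnal = $this->loadmodel('JurnalModel');
    $jurnal->id_jurnal = isset($post['params']) ? $post['params'] : null;
    $jurnal->Find();
    // A row that was not found leaves these unset; treat that as "no file".
    $filepath = isset($jurnal->variables['filepath']) ? $jurnal->variables['filepath'] : null;
    $filetext = isset($jurnal->variables['filetext']) ? $jurnal->variables['filetext'] : null;

    if ($jurnal->Delete()) {
        // Remove the attachments only once the DB row is gone.
        $mainFile = FILE_PATH . $filepath;
        if (!empty($filepath) && file_exists($mainFile)) {
            unlink($mainFile);
        }
        $xmlFile = FILE_DIR . 'xml' . DS . $filetext;
        if (!empty($filetext) && file_exists($xmlFile)) {
            unlink($xmlFile);
        }
        $data['msg'] = addSuccess(lang('1 jurnal has been deleted.'));
    } else {
        $data['msg'] = addError(lang('Unsuccess delete this jurnal.'));
    }
    $data['title'] = lang('Management jurnal');
    $data['header'] = lang('Management jurnal');
    $data['layout'] = 'adminhtml';

    $this->data = $data;
    $this->index();
}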
function parse() { // scan all tokens for ($i = 0, $tokencount = count($this->tokens); $i < $tokencount; $i++, $this->tif++) { if (is_array($this->tokens[$i])) { $token_name = $this->tokens[$i][0]; $token_value = $this->tokens[$i][1]; $line_nr = $this->tokens[$i][2]; // add preloader info for big files if ($line_nr % PRELOAD_SHOW_LINE == 0) { echo $GLOBALS['fit'] . '|' . $GLOBALS['file_amount'] . '|' . $this->file_pointer . ' (line ' . $line_nr . ')|' . $GLOBALS['timeleft'] . '|' . "\n"; @ob_flush(); flush(); } # debug #echo "file:".$file_name.",line:".$line_nr.",token:".token_name($token_name).","; #echo "value:".htmlentities($token_value).","; #echo "in_function:".$in_function.",in_class:".$in_class."<br>"; /************************* T_VARIABLE *************************/ if ($token_name === T_VARIABLE) { // $var() if ($this->tokens[$i + 1][0] === '(') { $this->variable_scan($i, 0, 'eval', 'Userinput is used as dynamic function name. Arbitrary functions may be called.'); } else { if (($this->tokens[$i - 1] === '$' || $this->tokens[$i - 1] === '{' && $this->tokens[$i - 2] === '$') && ($this->tokens[$i + 1] === '=' || in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT))) { $this->variable_scan($i, $this->tokens[$i - 1] === '{' ? 2 : 1, 'extract', 'Userinput is used to build the variable name. 
Arbitrary variables may be overwritten/initialized which may lead to further vulnerabilities.'); } else { if ($this->tokens[$i - 1][0] === T_AS || $this->tokens[$i - 1][0] === T_DOUBLE_ARROW && $this->tokens[$i - 2][0] === T_VARIABLE && $this->tokens[$i - 3][0] === T_AS) { $c = 3; while ($this->tokens[$i - $c][0] !== T_FOREACH) { $c++; if ($i - $c < 0 || $this->tokens[$i - $c] === ';') { addError('Could not find FOREACH token before AS token', array_slice($this->tokens, $i - 5, 10), $this->tokens[$i - 1][2], $this->file_pointer); break; } } $this->variable_add($token_value, array_slice($this->tokens, $i - $c, $c + Analyzer::getBraceEnd($this->tokens, $i)), '', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array()); } else { if ($this->tokens[$i - 2][0] === T_FOR && ($this->tokens[$i + 1] === '=' || in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT))) { $c = 1; $newbraceopen = 1; $firstsemi = 0; // do not use getBraceEnd() here, because we dont want to stop at ';' in for(;;) while ($newbraceopen !== 0) { // watch function calls in function call if ($this->tokens[$i + $c] === '(') { $newbraceopen++; } else { if ($this->tokens[$i + $c] === ')') { $newbraceopen--; } else { if ($this->tokens[$i + $c] === ';' && $firstsemi < 1) { $firstsemi = $c; } } } $c++; if (!isset($this->tokens[$i + $c])) { addError('Could not find closing parenthesis of for-statement.', array_slice($this->tokens, $i - 2, 10), $this->tokens[$i - 2][2], $this->file_pointer); break; } } // overwrite value of first var because it is looped // this is an assumption, other vars could be declared for($var1=1;$var2=2;...) $this->tokens[$i + 2][0] = T_ENCAPSED_AND_WHITESPACE; $this->tokens[$i + 2][1] = '*'; $this->variable_add($token_value, array_slice($this->tokens, $i - 2, $c + 2), '', 1, 2 + $firstsemi, $line_nr, $i, isset($this->tokens[$i][3]) ? 
$this->tokens[$i][3] : array()); } else { if ($this->tokens[$i + 1] === '=' || in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT)) { $vardeclare = array(); // $var = array(1,2,3,4); if ($this->tokens[$i + 2][0] === T_ARRAY && $this->tokens[$i + 3] === '(' && $this->tokens[$i + 4] !== ')') { $d = 4; $keyindex = 0; $newbraceopen = 1; $keytokens = array(); $valuetokens = array(); while (!($newbraceopen === 0 || $this->tokens[$i + $d] === ';') && $keyindex < MAX_ARRAY_ELEMENTS) { // count parameters if ($newbraceopen === 1 && ($this->tokens[$i + $d] === ',' || $this->tokens[$i + $d] === ')')) { $newindexvar = $this->tokens[$i]; $newindexvar[3][] = empty($keytokens) ? $keyindex : $keytokens; $this->variable_add($token_value, array_merge(array($newindexvar, $this->tokens[$i + 1]), $valuetokens), ' array() ', in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT) ? 0 : 1, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array(), empty($keytokens) ? $keyindex : $keytokens); $keyindex++; $keytokens = array(); $valuetokens = array(); } else { if ($this->tokens[$i + $d] === '(') { $newbraceopen++; } else { if ($this->tokens[$i + $d] === ')') { $newbraceopen--; } else { if ($this->tokens[$i + $d][0] === T_DOUBLE_ARROW) { $keytokens = $valuetokens; $valuetokens = array(); } else { $valuetokens[] = $this->tokens[$i + $d]; } } } } $d++; if (!isset($this->tokens[$i + $d])) { addError('Could not find closing parenthesis of array()-declaration.', array_slice($this->tokens, $i, 10), $this->tokens[$i + 2][2], $this->file_pointer); break; } } $vardeclare['end'] = Analyzer::getBraceEnd($this->tokens, $i) + 1; // $var = anything; } else { $this->variable_add($token_value, array_slice($this->tokens, $i, $vardeclare['end'] = Analyzer::getBraceEnd($this->tokens, $i) + 1), '', in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT) ? 0 : 1, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? 
$this->tokens[$i][3] : array()); } // save var and var declare scope for data leak scan $vardeclare['start'] = $i; $vardeclare['name'] = $token_value; $vardeclare['linenr'] = $line_nr; $vardeclare['end'] += $i - 1; } } } } } // $class->var //else if ($token_name === T_STRING && $tokens[$i-1][0] === T_OBJECT_OPERATOR && $tokens[$i-2][0] === T_VARIABLE) // add user input variables to global finding list if (in_array($token_value, Sources::$V_USERINPUT)) { if (isset($this->tokens[$i][3])) { if (!is_array($this->tokens[$i][3][0])) { $GLOBALS['user_input'][$token_value . '[' . $this->tokens[$i][3][0] . ']'][$this->file_pointer][] = $line_nr; } else { $GLOBALS['user_input'][$token_value . '[' . Analyzer::get_tokens_value($this->file_pointer, $this->tokens[$i][3][0], $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i) . ']'][$this->file_pointer][] = $line_nr; } } else { $GLOBALS['user_input'][$token_value][$this->file_pointer][] = $line_nr; } // count found userinput in function for graphs if ($this->in_function) { $GLOBALS['user_functions_offset'][$this->function_obj->name][5]++; } else { $GLOBALS['user_functions_offset']['__main__'][5]++; } } } else { if (in_array($token_name, Tokens::$T_FUNCTIONS) || in_array($token_name, Tokens::$T_XSS) && ($_POST['vector'] == 'client' || $_POST['vector'] == 'xss' || $_POST['vector'] == 'all')) { $class = ''; /************************* T_STRING *************************/ if ($token_name === T_STRING && $this->tokens[$i + 1] === '(') { // define("FOO", $_GET['asd']); if ($token_value === 'define') { $c = 1; while ($this->tokens[$i + $c] !== ',') { $c++; if ($this->tokens[$i + $c] === ';' || !isset($this->tokens[$i + $c])) { addError('Second parameter of define() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer); break; } } $this->variable_add(str_replace(array('"', "'"), '', $this->tokens[$i + 2][1]), array_slice($this->tokens, $i, 
Analyzer::getBraceEnd($this->tokens, $i) + 1), ' define() ', $c, 0, $line_nr, $i); } else { if ($token_value === 'ini_set') { $setting = str_replace(array("'", '"'), '', $this->tokens[$i + 2][1]); // ini_set('include_path', 'foo/bar') if ($setting === 'include_path') { $path = Analyzer::get_tokens_value($this->file_pointer, array_slice($this->tokens, $i + 4, Analyzer::getBraceEnd($this->tokens, $i + 4) + 1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i); $this->include_paths = array_unique(array_merge($this->include_paths, Analyzer::get_ini_paths($path))); } } else { if ($token_value === 'set_include_path') { $path = Analyzer::get_tokens_value($this->file_pointer, array_slice($this->tokens, $i + 1, Analyzer::getBraceEnd($this->tokens, $i + 1) + 1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i); $this->include_paths = array_unique(array_merge($this->include_paths, Analyzer::get_ini_paths($path))); } else { if ($token_value === 'set_error_handler') { $token_value = str_replace(array('"', "'"), '', $this->tokens[$i + 2][1]); } else { if ($token_value === 'compact' && $this->tokens[$i - 2][0] === T_VARIABLE) { $f = 2; while ($this->tokens[$i + $f] !== ')') { // for all array keys save new variable declarations if ($this->tokens[$i + $f][0] === T_CONSTANT_ENCAPSED_STRING) { $this->variable_add($this->tokens[$i - 2][1], array(array(T_VARIABLE, $this->tokens[$i - 2][1], $line_nr, array(str_replace(array('"', "'"), '', $this->tokens[$i + $f][1]))), '=', array(T_VARIABLE, '$' . 
str_replace(array('"', "'"), '', $this->tokens[$i + $f][1]), $line_nr), ';'), ' compact() ', 2, 0, $line_nr, $i, $tokens[$i - 2][3], str_replace(array('"', "'"), '', $this->tokens[$i + $f][1])); } $f++; if ($this->tokens[$i + $f] === ';' || !isset($this->tokens[$i + $f])) { addError('Closing parenthesis of compact() is missing.', array_slice($this->tokens, $i, $f), $this->tokens[$i][2], $this->file_pointer); break; } } } else { if ($token_value === 'preg_match' || $token_value === 'preg_match_all') { $c = 2; $parameter = 1; $newbraceopen = 1; while ($newbraceopen !== 0) { if (is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE && $parameter == 3) { // add variable declaration to beginning of varlist // fake assignment parameter so it will not get traced $this->variable_add($this->tokens[$i + $c][1], array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i + 2) + 3), ' preg_match() ', 0, $c - 1, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i + $c][3]) ? $this->tokens[$i + $c][3] : array()); } else { if ($newbraceopen === 1 && $this->tokens[$i + $c] === ',') { $parameter++; } else { if ($this->tokens[$i + $c] === '(') { $newbraceopen++; } else { if ($this->tokens[$i + $c] === ')') { $newbraceopen--; } else { if ($this->tokens[$i + $c] === ';' || !isset($this->tokens[$i + $c])) { addError('Closing parenthesis of ' . $token_value . '() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer); break; } } } } } $c++; } } else { if ($token_value === 'import_request_variables') { // add register_globals implementation $this->variable_add('register_globals', array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i + 1) + 1), 'register_globals implementation', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? 
$this->tokens[$i][3] : array()); } else { if ($token_value === 'parse_str') { $c = 2; $parameter = 1; $newbraceopen = 1; while ($newbraceopen !== 0) { if (is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE && $parameter == 2) { // add variable declaration to beginning of varlist // fake assignment parameter so it will not get traced $this->variable_add($this->tokens[$i + $c][1], array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i + 2) + 3), ' parse_str() ', 0, $c - 1, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i + $c][3]) ? $this->tokens[$i + $c][3] : array()); } else { if ($newbraceopen === 1 && $this->tokens[$i + $c] === ',') { $parameter++; } else { if ($this->tokens[$i + $c] === '(') { $newbraceopen++; } else { if ($this->tokens[$i + $c] === ')') { $newbraceopen--; } else { if ($this->tokens[$i + $c] === ';' || !isset($this->tokens[$i + $c])) { addError('Closing parenthesis of ' . $token_value . '() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer); break; } } } } } $c++; } } } } } } } } } //add interesting function calls to info gathering if (isset($this->info_functions[$token_value])) { $GLOBALS['info'][] = $this->info_functions[$token_value]; } else { if ($this->tokens[$i - 1][0] !== T_NEW && isset($this->vuln_classes[$token_value])) { $this->class_vars[$this->tokens[$i - 2][1]] = $token_value; } else { // $classvar->bla() if ($this->tokens[$i - 1][0] === T_OBJECT_OPERATOR) { $classvar = $this->tokens[$i - 2][1]; if ($classvar[0] !== '$') { $classvar = '$' . $classvar; } $class = $classvar === '$this' || $classvar === '$self' ? $this->class_name : $this->class_vars[$classvar]; } else { if ($this->tokens[$i - 1][0] === T_DOUBLE_COLON) { $class = $this->tokens[$i - 2][1]; } } // save function call for graph if (isset($GLOBALS['user_functions_offset'][($class ? $class . '::' : '') . $token_value])) { $GLOBALS['user_functions_offset'][($class ? $class . '::' : '') . 
$token_value][3][] = array($this->file_pointer, $line_nr); if ($this->in_function) { $GLOBALS['user_functions_offset'][$this->function_obj->name][4][] = $token_value; } else { $GLOBALS['user_functions_offset']['__main__'][4][] = $token_value; } } // check if token is function call that affects variable scope (global) if (isset($this->globals_from_function[$token_value])) { // put all previously saved global var assignments to global scope foreach ($this->globals_from_function[$token_value] as $var_name => $new_vars) { foreach ($new_vars as $new_var) { $new_var->comment = $new_var->comment . " by {$token_value}()"; if (!isset($this->var_declares_global[$var_name])) { $this->var_declares_global[$var_name] = array($new_var); } else { array_unshift($this->var_declares_global[$var_name], $new_var); } } } } } } } else { if (in_array($token_name, Tokens::$T_INCLUDES) && !$this->in_function) { $GLOBALS['count_inc']++; // include('xxx') if ($this->tokens[$i + 1] === '(' && $this->tokens[$i + 2][0] === T_CONSTANT_ENCAPSED_STRING && $this->tokens[$i + 3] === ')' || is_array($this->tokens[$i + 1]) && $this->tokens[$i + 1][0] === T_CONSTANT_ENCAPSED_STRING && $this->tokens[$i + 2] === ';') { // include('file') if ($this->tokens[$i + 1] === '(') { $inc_file = substr($this->tokens[$i + 2][1], 1, -1); $skip = 5; } else { $inc_file = substr($this->tokens[$i + 1][1], 1, -1); $skip = 3; } } else { $inc_file = Analyzer::get_tokens_value($this->file_pointer, array_slice($this->tokens, $i + 1, $c = Analyzer::getBraceEnd($this->tokens, $i + 1) + 1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i); // in case the get_var_value added several php files, take the first $several = explode('.php', $inc_file); if (count($several) > 1) { $try_file = $several[0] . 
'.php'; } $skip = $c + 1; // important to save $c+1 here } $try_file = $inc_file; // try absolute include path foreach ($this->include_paths as $include_path) { if (is_file("{$include_path}/{$try_file}")) { $try_file = "{$include_path}/{$try_file}"; break; } } // if dirname(__FILE__) appeared it was an absolute path if (!is_file($try_file)) { // check relativ path $try_file = dirname($this->file_name) . '/' . $inc_file; if (!is_file($try_file)) { $other_try_file = dirname($this->file_pointer) . '/' . $inc_file; // if file can not be found check include_path if set if (!is_file($other_try_file)) { if (isset($this->include_paths[0])) { foreach ($this->include_paths as $include_path) { if (is_file(dirname($this->file_name) . '/' . $include_path . '/' . $inc_file)) { $try_file = dirname($this->file_name) . '/' . $include_path . '/' . $inc_file; break; } else { if (is_file(dirname($this->file_pointer) . '/' . $include_path . '/' . $inc_file)) { $try_file = dirname($this->file_pointer) . '/' . $include_path . '/' . 
$inc_file; break; } } } } // if still not a valid file, look a directory above if (!is_file($try_file)) { $try_file = str_replace('\\', '/', $try_file); $pos = strlen($try_file); // replace each found / with /../, start from the end of file name for ($c = 1; $c < substr_count($try_file, '/'); $c++) { $pos = strripos(substr($try_file, 1, $pos), '/'); if (is_file(substr_replace($try_file, '/../', $pos + 1, 1))) { $try_file = substr_replace($try_file, '/../', $pos + 1, 1); break; } } if (!is_file($try_file)) { $try_file = str_replace('\\', '/', $other_try_file); $pos = strlen($try_file); // replace each found / with /../, start from the end of file name for ($c = 1; $c < substr_count($try_file, '/'); $c++) { $pos = strripos(substr($try_file, 1, $pos), '/'); if (is_file(substr_replace($try_file, '/../', $pos + 1, 1))) { $try_file = substr_replace($try_file, '/../', $pos + 1, 1); break; } } // if still not a valid file, guess it if (!is_file($try_file)) { $searchfile = basename($try_file); if (!strstr($searchfile, '$_USERINPUT')) { foreach ($GLOBALS['files'] as $cfile) { if (basename($cfile) == $searchfile) { $try_file = $cfile; break; } } } } } } } else { $try_file = $other_try_file; } } } $try_file_unreal = $try_file; $try_file = realpath($try_file); // file is valid if (!empty($try_file_unreal) && !empty($try_file) && ($inc_lines = @file($try_file_unreal))) { // file name has not been included if (!in_array($try_file, $this->inc_map)) { // Tokens $tokenizer = new Tokenizer($try_file); $inc_tokens = $tokenizer->tokenize(implode('', $inc_lines)); unset($tokenizer); // if(include('file')) { - include tokens after { and not into the condition :S if ($this->in_condition) { $this->tokens = array_merge(array_slice($this->tokens, 0, $this->in_condition + 1), $inc_tokens, array(array(T_INCLUDE_END, 0, 1)), array_slice($this->tokens, $this->in_condition + 1)); } else { // insert included tokens in current tokenlist and mark end $this->tokens = 
array_merge(array_slice($this->tokens, 0, $i + $skip), $inc_tokens, array(array(T_INCLUDE_END, 0, 1)), array_slice($this->tokens, $i + $skip)); } $tokencount = count($this->tokens); // set lines pointer to included lines, save last pointer // (the following tokens will be the included ones) $this->lines_stack[] = $inc_lines; $this->lines_pointer = end($this->lines_stack); // tokennr in file $this->tif_stack[] = $this->tif; $this->tif = -$skip; // set the current file pointer $this->file_pointer = $try_file; if (!isset($GLOBALS['file_sinks_count'][$this->file_pointer])) { $GLOBALS['file_sinks_count'][$this->file_pointer] = 0; } echo $GLOBALS['fit'] . '|' . $GLOBALS['file_amount'] . '|' . $this->file_pointer . '|' . $GLOBALS['timeleft'] . '|' . "\n"; @ob_flush(); flush(); $this->comment = basename($inc_file); $this->inc_file_stack[] = $try_file; // build include map for file list $this->inc_map[] = $try_file; // all basic includes } } else { $GLOBALS['count_inc_fail']++; // add information about include error in debug mode if ($GLOBALS['verbosity'] == 5) { // add include command to output $found_value = highlightline(array_slice($this->tokens, $i, $skip), $this->comment, $line_nr, $token_value); $new_find = new InfoTreeNode($found_value); $new_find->lines[] = $line_nr; $new_find->filename = $this->file_pointer; $new_find->title = "Include error: tried to include: " . $try_file_unreal; if (isset($GLOBALS['output'][$this->file_name]['inc'])) { $GLOBALS['output'][$this->file_name]['inc']->treenodes[] = $new_find; } else { $new_block = new VulnBlock($this->tif . '_' . $this->tokens[$i][2] . '_' . 
basename($this->file_pointer), 'Debug'); $new_block->treenodes[] = $new_find; $new_block->vuln = true; $GLOBALS['output'][$this->file_name]['inc'] = $new_block; } } } } } /************************* TAINT ANALYSIS *************************/ if (isset($this->scan_functions[$token_value]) && $GLOBALS['verbosity'] != 5 && (empty($class) || ($this->in_function && is_array($function_obj->parameters) && in_array($classvar, $function_obj->parameters) || @in_array($token_value, $this->vuln_classes[$class])))) { if (!$this->already_scanned($i)) { // build new find $new_find = new VulnTreeNode(); $new_find->name = $token_value; $new_find->lines[] = $line_nr; // add dependencies (already here, because checked during var trace foreach ($this->dependencies as $deplinenr => $dependency) { if (!empty($dependency)) { $new_find->dependencies[$deplinenr] = $dependency; } } // count sinks $GLOBALS['file_sinks_count'][$this->file_pointer]++; if ($this->in_function) { $GLOBALS['user_functions_offset'][$this->function_obj->name][6]++; } else { $GLOBALS['user_functions_offset']['__main__'][6]++; } $parameter = 1; $var_counter = 0; $vulnparams = array(0); $has_vuln_parameters = false; $parameter_has_userinput = false; $parameter_func_depend = false; $secured_by_start = false; // function calls without quotes (require $inc;) --> no brace count $parentheses_open = $this->tokens[$i + 1] === '(' ? 1 : -2; // -2: detection of braces doesnt matter $parentheses_save = -1; $in_securing = false; $ignore_securing = false; $c = $this->tokens[$i + 1] === '(' ? 2 : 1; // important $tainted_vars = array(); $reconstructstr = ''; $addtitle = ''; $this->securedby = array(); // get all variables in parameter list between (...) 
// not only until ';' because: system(get($a),$b,strstr($c)); while ($parentheses_open !== 0 && $this->tokens[$i + $c] !== ';') { $this_one_is_secure = false; if (is_array($this->tokens[$i + $c])) { // scan variables and constants if ($this->tokens[$i + $c][0] === T_VARIABLE && $this->tokens[$i + $c + 1][0] !== T_OBJECT_OPERATOR || $this->tokens[$i + $c][0] === T_STRING && $this->tokens[$i + $c + 1] !== '(') { $var_counter++; // scan only potential vulnerable parameters of function call if (in_array($parameter, $this->scan_functions[$token_value][0]) || isset($this->scan_functions[$token_value][0][0]) && $this->scan_functions[$token_value][0][0] === 0) { $has_vuln_parameters = true; if (is_array($this->tokens[$i + $c - 1]) && in_array($this->tokens[$i + $c - 1][0], Tokens::$T_CASTS) || is_array($this->tokens[$i + $c + 1]) && in_array($this->tokens[$i + $c + 1][0], Tokens::$T_ARITHMETIC) || $in_securing) { $secured_by_start = true; $this_one_is_secure = true; } if ($in_securing && !$ignore_securing) { $this->securedby[] = $securing_function; } // trace back parameters and look for userinput, trace constants globally $userinput = $this->scan_parameter($new_find, $new_find, $this->tokens[$i + $c], $this->tokens[$i + $c][3], $i + $c, $this->in_function && $this->tokens[$i + $c][1][0] === '$' ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, false, $this->scan_functions[$token_value][1], false, $ignore_securing, $this_one_is_secure || $in_securing); $reconstructstr .= Analyzer::get_var_value($this->file_pointer, $this->tokens[$i + $c], $this->in_function && $this->tokens[$i + $c][1][0] === '$' ? 
$this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i + $c, $this->source_functions); if ($userinput) { $vulnparams[] = $parameter; if ($userinput == 1) { $parameter_has_userinput = true; } else { if ($userinput == 2) { $parameter_func_depend = true; } } $tainted_vars[] = $var_counter; } } // mark userinput for quote analysis if (in_array($this->tokens[$i + $c][1], Sources::$V_USERINPUT)) { $reconstructstr .= '$_USERINPUT'; } } else { if ($this->tokens[$i + $c][0] === T_STRING && in_array($this->tokens[$i + $c][1], $this->source_functions) && (in_array($parameter, $this->scan_functions[$token_value][0]) || isset($this->scan_functions[$token_value][0][0]) && $this->scan_functions[$token_value][0][0] === 0)) { $has_vuln_parameters = true; $parameter_has_userinput = true; $new_find->marker = 1; $reconstructstr .= '$_USERINPUT'; $new_find->title = 'Userinput returned by function <i>' . $this->tokens[$i + $c][1] . '</i> reaches sensitive sink'; $this->addtriggerfunction($new_find); } else { if ($this->tokens[$i + $c][0] === T_STRING && isset($this->tokens[$i + $c][1]) && in_array($this->tokens[$i + $c][1], $GLOBALS['F_INSECURING_STRING']) && $parentheses_save == -1) { $parentheses_save = $parentheses_open; $ignore_securing = true; } else { if (!$ignore_securing && ($this->tokens[$i + $c][0] === T_STRING && (is_array($this->scan_functions[$token_value][1]) && in_array($this->tokens[$i + $c][1], $this->scan_functions[$token_value][1]) || in_array($this->tokens[$i + $c][1], $GLOBALS['F_SECURING_STRING']))) || in_array($this->tokens[$i + $c][0], Tokens::$T_CASTS) && $this->tokens[$i + $c + 1] === '(') { $securing_function = $this->tokens[$i + $c][1]; $parentheses_save = $parentheses_open; $in_securing = true; $secured_by_start = true; } else { if ($this->tokens[$i + $c][0] === T_CONSTANT_ENCAPSED_STRING) { $reconstructstr .= substr($this->tokens[$i + $c][1], 1, -1); } else { if ($this->tokens[$i + $c][0] === T_ENCAPSED_AND_WHITESPACE) { 
$reconstructstr .= $this->tokens[$i + $c][1]; } } } } } } } else { if ($parentheses_open === 1 && $this->tokens[$i + $c] === ',') { $parameter++; } else { if ($this->tokens[$i + $c] === '(') { $parentheses_open++; } else { if ($this->tokens[$i + $c] === ')') { $parentheses_open--; if ($parentheses_open === $parentheses_save) { $parentheses_save = -1; $in_securing = false; $securing_function = ''; $ignore_securing = false; } } else { if (!isset($this->tokens[$i + $c])) { addError('Closing parenthesis of ' . $token_value . '() is missing.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer); break; } } } } } $c++; } // quote analysis for securing functions F_QUOTE_ANALYSIS // they only protect when return value is embedded into quotes if ($this->quote_analysis_needed() && substr_count($reconstructstr, '$_USERINPUT') > 0) { // idea: explode on $_USERINPUT and count quotes in SQL query before // if not even, then the $_USERINPUT is in an open quote $parts = explode('$_USERINPUT', $reconstructstr); foreach ($this->securedby as $var => $securefunction) { if (in_array($securefunction, $GLOBALS['F_QUOTE_ANALYSIS'])) { // extract the string before the userinput $checkstring = ''; $d = 1; foreach ($parts as $part) { $checkstring .= $part; if ($d >= $var) { break; } $d++; } // even amount of quotes (or none) in string // --> no quotes around userinput // --> securing function is useless if (substr_count($checkstring, "'") % 2 === 0 && substr_count($checkstring, '"') % 2 === 0) { $has_vuln_parameters = true; $parameter_has_userinput = true; $new_find->title .= "Userinput reaches sensitive sink due to insecure usage of {$securefunction}() without quotes"; } } } } // add find to output if function call has variable parameters (With userinput) if ($has_vuln_parameters && ($parameter_has_userinput || $parameter_func_depend) || $GLOBALS['verbosity'] == 4 || isset($this->scan_functions[$token_value][3])) { $vulnstart = $i; $vulnadd = 1; // prepend $var 
assignment if (isset($vardeclare)) { $vulnstart = $vardeclare['start']; $vulnadd = $vardeclare['end'] - $vardeclare['start'] - $c + 1; //3; } else { if (isset($GLOBALS['F_XSS'][$this->tokens[$i - 1][1]])) { $vulnstart = $i - 1; $vulnadd = 2; } else { if ($this->tokens[$i - 1][0] === T_DOUBLE_COLON || $this->tokens[$i - 1][0] === T_OBJECT_OPERATOR) { $vulnstart = $i - 2; $vulnadd = 2; } } } if (isset($GLOBALS['user_functions'][$this->file_name][$token_value])) { $found_line = '<A NAME="' . $token_value . '_call" class="jumplink"></A>'; $found_line .= highlightline(array_slice($this->tokens, $vulnstart, $c + $vulnadd), $this->comment, $line_nr, false, $token_value); } else { $found_line = highlightline(array_slice($this->tokens, $vulnstart, $c + $vulnadd), $this->comment, $line_nr, $token_value, false, $tainted_vars); } $new_find->value = $found_line; $new_find->filename = $this->file_pointer; if ($secured_by_start) { $new_find->marker = 2; } // only show vuln user defined functions // if call with userinput has been found if (isset($GLOBALS['user_functions'][$this->file_name][$token_value])) { $GLOBALS['user_functions'][$this->file_name][$token_value]['called'] = true; } if ($this->in_function) { $this->ignore_securing_function = true; // mark function in class as vuln if ($this->in_class) { $this->vuln_classes[$this->class_name][] = $this->function_obj->name; } } // putenv with userinput --> getenv is treated as userinput if ($token_value === 'putenv') { $this->source_functions[] = 'getenv'; $GLOBALS['source_functions'][] = 'getenv'; $new_find->title = 'User can set PHP enviroment variables. Adding getenv() to tainting functions'; } else { if ($token_value === 'apache_setenv') { $this->source_functions[] = 'apache_getenv'; $GLOBALS['source_functions'][] = 'apache_getenv'; $new_find->title = 'User can set Apache enviroment variables. 
Adding apache_getenv() to tainting functions'; } else { if ($token_value === 'extract' || $token_value === 'parse_str' || $token_value === 'mb_parse_str') { // add register_globals implementation $this->variable_add('register_globals', array_slice($this->tokens, $vulnstart, $c + $vulnadd), 'register_globals implementation', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array()); } } } // add to output if (isset($GLOBALS['user_functions'][$this->file_name][$token_value])) { if (!empty($GLOBALS['output'][$this->file_name])) { foreach ($GLOBALS['output'][$this->file_name] as $block) { $calleesadded = array(); foreach ($block->treenodes as $tree) { if ($tree->funcdepend === $token_value && (array_intersect($tree->funcparamdepend, $vulnparams) || isset($this->scan_functions[$token_value][3]))) { // if funcdependend already found and added, just add foundcallee=true and continue // dont add tree again, it is already added to the vulnblock if (in_array($tree->funcdepend, $calleesadded)) { $tree->foundcallee = true; continue; } if (isset($this->scan_functions[$token_value][3])) { $new_find->title = 'Call triggers vulnerability in function <i>' . $token_value . '()</i>'; } else { if (empty($new_find->title)) { $new_find->title = 'Userinput is passed through function parameters.'; } } $block->treenodes[] = $new_find; if (!$block->vuln && ($parameter_has_userinput || isset($this->scan_functions[$token_value][3]) || $GLOBALS['verbosity'] == 4)) { $block->vuln = true; increaseVulnCounter($block->sink); } $tree->foundcallee = true; $calleesadded[] = $token_value; } } } // else: dont use the result } } else { if (empty($new_find->title)) { $new_find->title = 'Userinput reaches sensitive sink. For more information, press the help icon on the left side.'; } $block = new VulnBlock($this->tif . '_' . $this->tokens[$i][2] . '_' . 
basename($this->file_pointer), getVulnNodeTitle($token_value), $token_value); $block->treenodes[] = $new_find; if ($parameter_has_userinput || $GLOBALS['verbosity'] == 4) { $block->vuln = true; increaseVulnCounter($token_value); } // if sink in var declare, offer a data leak scan - save infos for that if (isset($vardeclare)) { $block->dataleakvar = array($vardeclare['linenr'], $vardeclare['name']); } $GLOBALS['output'][$this->file_name][] = $block; } } // if classvar depends on function parameter, add this parameter to list if (isset($this->classvar) && $this->in_function && in_array($this->classvar, $this->function_obj->parameters)) { $param = array_search($this->classvar, $this->function_obj->parameters); $GLOBALS['user_functions'][$this->file_name][$this->function_obj->name][0][$param] = $param + 1; } } } // taint analysis } else { if (in_array($token_name, Tokens::$T_LOOP_CONTROL)) { // ignore in requirements output: while, for, foreach // DO..WHILE was rewritten to WHILE in tokenizer $this->ignore_requirement = true; $c = 1; // get variables in loop condition while ($this->tokens[$i + $c] !== '{') { if ($this->tokens[$i + $c][0] === T_VARIABLE) { $this->tokens[$i + $c][3][] = '*'; } else { if (!isset($this->tokens[$i + $c])) { addError('Could not find opening brace after ' . $token_value . '-statement.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer); break; } } $c++; } } else { if (in_array($token_name, Tokens::$T_FLOW_CONTROL)) { $c = 1; while ($this->tokens[$i + $c] !== '{') { $c++; if (!isset($this->tokens[$i + $c])) { addError('Could not find opening brace after ' . $token_value . 
'-statement.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer); break; } } $this->in_condition = $i + $c; $this->dependencytokens = array_slice($this->tokens, $i, $c); } else { if ($token_name === T_FUNCTION) { if ($this->in_function) { #addError('New function declaration in function declaration of '.$this->function_obj->name.'() found. This is valid PHP syntax but not supported by RIPS now.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer); } else { $this->in_function++; // the next token is the "function name()" $i++; $function_name = isset($this->tokens[$i][1]) ? $this->tokens[$i][1] : $this->tokens[$i + 1][1]; $ref_name = ($this->in_class ? $this->class_name . '::' : '') . $function_name; // add POP gadgets to info if (isset($this->info_functions[$function_name])) { $GLOBALS['info'][] = $ref_name; // add gadget to output $found_line = highlightline(array_slice($this->tokens, $i - 1, 4), $this->comment, $line_nr, $function_name, false, $function_name); $new_find = new InfoTreeNode($found_line); $new_find->title = "POP gadget {$ref_name}"; $new_find->lines[] = $line_nr; $new_find->filename = $this->file_pointer; if (isset($GLOBALS['output'][$this->file_name]['gadgets'])) { $GLOBALS['output'][$this->file_name]['gadgets']->treenodes[] = $new_find; } else { $block = new VulnBlock($this->tif . '_' . $this->tokens[$i][2] . '_' . 
basename($this->file_pointer), 'POP gadgets'); $block->vuln = true; $block->treenodes[] = $new_find; $GLOBALS['output'][$this->file_name]['gadgets'] = $block; } } $c = 3; while ($this->tokens[$i + $c] !== '{' && $this->tokens[$i + $c] !== ';') { $c++; } // abstract functions ended if ($this->tokens[$i + $c] === ';') { $this->in_function--; } // write to user_functions offset list for referencing in output $GLOBALS['user_functions_offset'][$ref_name][0] = $this->file_pointer; $GLOBALS['user_functions_offset'][$ref_name][1] = $line_nr - 1; // save function as object $this->function_obj = new FunctionDeclare($this->dependencytokens = array_slice($this->tokens, $i - 1, $c + 1)); $this->function_obj->lines[] = $line_nr; $this->function_obj->name = $function_name; // save all function parameters $this->function_obj->parameters = array(); $e = 1; // until function test(...) { // OR // interface test { public function test(...); } while ($this->tokens[$i + $e] !== '{' && $this->tokens[$i + $e] !== ';') { if (is_array($this->tokens[$i + $e]) && $this->tokens[$i + $e][0] === T_VARIABLE) { $this->function_obj->parameters[] = $this->tokens[$i + $e][1]; } $e++; } // now skip the params from rest of scan, // or function test($a=false, $b=false) will be detected as var declaration $i += $e - 1; // -1, because '{' must be evaluated again } } else { if ($token_name === T_GLOBAL && $this->in_function) { $this->globals_from_function[$this->function_obj->name] = array(); // get all globaled variables $b = 1; while ($this->tokens[$i + $b] !== ';') { if ($this->tokens[$i + $b][0] === T_VARIABLE) { // mark variable as global scope affecting $this->put_in_global_scope[] = $this->tokens[$i + $b][1]; // add variable declaration to beginning of varlist $new_var = new VarDeclare(array(array(T_GLOBAL, 'global', $line_nr), array(T_VARIABLE, $this->tokens[$i + $b][1], $line_nr), ';'), $this->comment); $new_var->line = $line_nr; $new_var->id = $i; // overwrite old local vars 
$this->var_declares_local[$this->tokens[$i + $b][1]] = array($new_var); } $b++; } } else { if ($token_name === T_RETURN && $this->in_function == 1) { $GLOBALS['userfunction_taints'] = false; $GLOBALS['userfunction_secures'] = false; $c = 1; // get all variables in parameter list while ($this->tokens[$i + $c] !== ';') { if (is_array($this->tokens[$i + $c])) { if ($this->tokens[$i + $c][0] === T_VARIABLE) { // check if returned var is secured --> securing function $new_find = new VulnTreeNode(); $userinput = $this->scan_parameter($new_find, $new_find, $this->tokens[$i + $c], $this->tokens[$i + $c][3], $i + $c, $this->var_declares_local, $this->var_declares_global, false, $GLOBALS['F_SECURES_ALL'], TRUE); // add function to securing functions // if it returns no userinput/function param if ((!$userinput || $GLOBALS['userfunction_secures']) && !$this->ignore_securing_function) { $GLOBALS['F_SECURING_STRING'][] = $this->function_obj->name; } // add function to userinput functions if userinput // is fetched in the function and then returned (userinput == 1) if ($userinput == 1 || $GLOBALS['userfunction_taints']) { $this->source_functions[] = $this->function_obj->name; } } else { if (in_array($this->tokens[$i + $c][1], $GLOBALS['F_SECURES_ALL']) || in_array($this->tokens[$i + $c][0], Tokens::$T_CASTS)) { $GLOBALS['F_SECURING_STRING'][] = $this->function_obj->name; break; } } } $c++; } } else { if ($token_name === T_CLASS) { $i++; $this->class_name = $this->tokens[$i][1]; $this->vuln_classes[$this->class_name] = array(); $this->in_class = true; $GLOBALS['info'][] = '<font color="red">Code is object-oriented. 
This is not supported yet and can lead to false negatives.</font>'; } else { if ($token_name === T_NEW && $this->tokens[$i - 2][0] === T_VARIABLE) { $this->class_vars[$this->tokens[$i - 2][1]] = $this->tokens[$i + 1][1]; } else { if ($token_name === T_EXTENDS && $this->in_class) { $this->vuln_classes[$this->class_name] = $this->vuln_classes[$this->tokens[$i + 1][1]]; } else { if ($token_name === T_LIST) { $d = 2; while ($this->tokens[$i + $d] !== ')' && $this->tokens[$i + $d] !== ';') { $d++; if ($this->tokens[$i + $d] === ';' || !isset($this->tokens[$i + $d])) { addError('Closing parenthesis of list() is missing.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer); break; } } $tokenscanstart = 0; if ($this->tokens[$i + $d + 1] === '=' || in_array($this->tokens[$i + $d + 1][0], Tokens::$T_ASSIGNMENT)) { $tokenscanstart = $d + 1; } $c = 2; for ($c = 2; $c < $d; $c++) { if (is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE) { $this->variable_add($this->tokens[$i + $c][1], array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i) + 1), ' list() ', $tokenscanstart, 0, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i + $c][3]) ? $this->tokens[$i + $c][3] : array()); } } $i = $i + $c + 2; } else { if ($token_name === T_INCLUDE_END) { array_pop($this->lines_stack); $this->lines_pointer = end($this->lines_stack); array_pop($this->inc_file_stack); $this->file_pointer = end($this->inc_file_stack); $this->comment = basename($this->file_pointer) == basename($this->file_name) ? 
'' : basename($this->file_pointer); $this->tif = array_pop($this->tif_stack); } } } } } } } } } } } } } else { /************************* BRACES *************************/ // keep track of { program blocks } // get current dependencies in program flow if ($this->tokens[$i] === '{' && ($this->tokens[$i - 1] === ')' || $this->tokens[$i - 1] === ':' || $this->tokens[$i - 1] === ';' || is_array($this->tokens[$i - 1]) && ($this->tokens[$i - 1][0] === T_DO || $this->tokens[$i - 1][0] === T_ELSE || $this->tokens[$i - 1][0] === T_STRING || $this->tokens[$i - 1][0] === T_TRY || $this->tokens[$i - 1][0] === T_CATCH))) { // save brace amount at start of function if ($this->in_function && $this->brace_save_func < 0) { $this->brace_save_func = $this->braces_open; } // save brace amount at start of class if ($this->in_class && $this->brace_save_class < 0) { $this->brace_save_class = $this->braces_open; } $this->in_condition = 0; if (empty($e)) { if (!$this->ignore_requirement) { if (!empty($this->dependencytokens) && $this->dependencytokens[0][0] === T_ELSE && $this->dependencytokens[1][0] !== T_IF) { $this->dependencytokens = $this->last_dependency; $this->dependencytokens[] = array(T_ELSE, 'else', $this->dependencytokens[0][2]); } } else { $this->ignore_requirement = false; } // add dependency (even push empty dependency on stack, it will get poped again) $this->dependencies[$line_nr] = $this->dependencytokens; $this->dependencytokens = array(); } else { unset($e); } $this->braces_open++; } else { if ($this->tokens[$i] === '}' && ($this->tokens[$i - 1] === ';' || $this->tokens[$i - 1] === '}' || $this->tokens[$i - 1] === '{')) { $this->braces_open--; // delete current dependency $this->last_dependency = array_pop($this->dependencies); $this->dependencytokens = array(); // end of function found if brace amount = amount before function start if ($this->in_function && $this->brace_save_func === $this->braces_open) { $ref_name = ($this->in_class ? $this->class_name . '::' : '') . 
$this->function_obj->name; // write ending to user_function list for referencing functions in output $GLOBALS['user_functions_offset'][$ref_name][2] = $line_nr; // reset vars for next function declaration $this->brace_save_func = -1; $this->ignore_securing_function = false; $this->in_function--; $this->function_obj = null; $this->var_declares_local = array(); $this->put_in_global_scope = array(); // load new found vulnerable user functions to current scanlist if (isset($GLOBALS['user_functions'][$this->file_name])) { $this->scan_functions = array_merge($this->scan_functions, $GLOBALS['user_functions'][$this->file_name]); } } // end of class found if ($this->in_class && $this->brace_save_class === $this->braces_open) { $this->brace_save_class = -1; $this->in_class = false; } } } } // token scanned // detect if still in a vardeclare, otherwise delete saved infos if (isset($vardeclare) && $vardeclare['end'] === $i) { unset($vardeclare); } } // all tokens scanned. return $this->inc_map; }
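/**
 * Deletes a jingle file from this object's meta directory.
 *
 * @param string     $file  bare file name of the jingle (must start with "jingle")
 * @param string|int $index label used only in the error message when unlink() fails
 * @return void  errors are reported through raiseError()/addError(), nothing is returned
 */
function deleteJingle($file, $index = '')
{
    // Only names starting with "jingle" may be removed, and the name must be a bare file
    // name: the prefix check alone would let a name carrying a directory part through, so
    // anything basename() would change is rejected too (defence in depth -- whether
    // sotf_Utils::getFileInDir() normalises the path is not visible here).
    if (!preg_match("/^jingle/", $file) || basename($file) !== $file) {
        raiseError("Invalid filename");
        // raiseError() is project code; do not rely on it aborting before unlink()
        return;
    }
    $file = sotf_Utils::getFileInDir($this->getMetaDir(), $file);
    debug("delete file", $file);
    if (!unlink($file)) {
        addError("Could not delete jingle {$index}!");
    }
    // TODO: delete from SQL???
}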
/**
 * Dumps this object's metadata as XML into <metadir>/metadump.xml and, when the
 * directory is writable, also writes the XBMF form to <metadir>/metadata.xml.
 *
 * Returns false only when the programme directory is missing; a dump that cannot be
 * opened is logged and true is still returned. Uses the global $permissions service.
 * NOTE(review): escaping of element text is delegated to sotf_Utils::writeXML(),
 * which is not visible here.
 *
 * @return bool
 */
function saveMetadataFile()
{
    global $permissions;
    $metaDir = $this->getMetaDir();
    if (!is_dir($metaDir)) {
        addError("Programme dir not found", $metaDir);
        return false;
    }
    // root element is the class name without its "sotf_" prefix
    $rootTag = str_replace("sotf_", "", get_class($this));
    // sections in the order they are written (each one is a separate lookup)
    $sections = array(
        array('data', $this->data),
        array('role', $this->getRoles()),
        array('permission', $permissions->listUsersAndPermissions($this->id)),
        array('link', $this->getAssociatedObjects('sotf_links', 'caption')),
        array('right', $this->getAssociatedObjects('sotf_rights', 'start_time')),
        array('topic', $this->getTopics()),
    );
    $xml = "<{$rootTag}>";
    foreach ($sections as $section) {
        list($tag, $items) = $section;
        $xml .= sotf_Utils::writeXML($tag, $items, 1);
    }
    $xml .= "\n</{$rootTag}>\n";
    // TODO: save more data from other tables as well !!!!!
    $dumpFile = $metaDir . '/metadump.xml';
    debug("dumping metadata xml in", $dumpFile);
    $handle = fopen($dumpFile, "w");
    if (!$handle) {
        logError("Could not dump metadata into {$dumpFile}");
        // TODO: in this case the prg has been deleted in the meantime??
    } else {
        fwrite($handle, $xml);
        fclose($handle);
    }
    // save XBMF
    if (is_writable($metaDir)) {
        $meta = new sotf_Metadata($this);
        sotf_Utils::save($metaDir . '/metadata.xml', $meta->getXBMFMetadata());
    }
    // to change modify_date
    $this->update();
    return true;
}
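/**
 * Creates the db record with all fields from 'data'.
 *
 * Every entry of $this->data becomes a column; when $this->id is set and the id column
 * is not already among them it is appended. Returns true on success; on a DB error the
 * error is registered with addError(), kept in $this->error and false is returned.
 * Values are quoted by hand: binary fields via addslashes(), everything else via
 * sotf_Utils::magicQuotes() (its escaping rules are not visible here).
 * NOTE(review): the statement is assembled by string concatenation; a driver-level
 * prepared statement would be the robust fix, but the DB wrapper's support for that
 * is not visible here.
 *
 * @return bool
 */
function create()
{
    global $db, $repository;
    // initialised up front so an empty data set no longer hands null to implode()
    $keys = array();
    $values = array();
    // foreach replaces the reset()/each() loop: each() was removed in PHP 8
    foreach ($this->data as $key => $val) {
        $keys[] = $key;
        if ($val === NULL) {
            $values[] = "NULL";
        } elseif (in_array($key, $this->binaryFields)) {
            $values[] = "'" . addslashes($val) . "'";
        } else {
            $values[] = "'" . sotf_Utils::magicQuotes($val) . "'";
        }
    }
    if ($this->id) { // because ''==0 in PHP :-(
        if (!in_array($this->idKey, $keys)) {
            $keys[] = $this->idKey;
            $values[] = "'" . sotf_Utils::magicQuotes($this->id) . "'";
        }
    }
    $keys = implode(",", $keys);
    $values = implode(",", $values);
    //execute query
    $res = $db->query("INSERT INTO " . $this->tablename . "(" . $keys . ") VALUES(" . $values . ")");
    //if the query is dead, stop executio, output error
    if (DB::isError($res)) {
        addError($res);
        $this->error = $res->message . '(' . $res->code . ')';
        return false;
    }
    $this->exists = true;
    $this->changed = false;
    // mark if this change requires a refresh in the metadata.xml file
    $this->markParentToUpdate();
    return true;
}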
} if($_GET['action'] == 'deletecategory') { //check if category has products $error = false; $results = dbQuery('SELECT * FROM store_products WHERE categories_id = ' . $_GET['id']); if(dbNumRows($results)) $error = true; if(!$error) { dbQuery('DELETE FROM store_categories WHERE categories_id = ' . $_GET['id']); addMessage("Deleted category successfully"); } else { addError("Whoops, your must delete the products within the category before you can delete it"); } redirect(PAGE_STORE."?section=categories"); } if($_POST['action'] == 'addspecial' || $_POST['action'] == 'editspecial') { /* Array ( [action] => addspecial [id] => [products_specials_title] => St. Patricks Day [products_specials_discount] => 20 [products_specials_discount_type] => percentage [ products_specials_shipping] => 1 [products_specials_description] => gdfgdfgdf [products_calendar_date_start] => 05/28/2009 [products_calendar_date_end] => 31/12/1969 [button] => Add Special ) */ $row['products_specials_title'] = $_POST['products_specials_title']; $row['products_specials_discount'] = $_POST['products_specials_discount']; $row['products_specials_discount_type'] = $_POST['products_specials_discount_type'];
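$PAGE_SUBMODULE_HEADING = null;
//GET PAGE CONTENT
// The controller and the view are included while output buffering is on, so whatever
// they print becomes $CONTENT. Admin-area files live under pages/ and views/, client-area
// files under pages_client/ and views_client/, selected by $IS_CLIENTAREA.
ob_start();
global $lerror;
if (!$lerror) {
    // A sub-page name comes straight from the request and is spliced into a require path.
    // file_exists() does not stop directory traversal, so only a bare identifier is accepted;
    // anything else (including a non-string value) is treated as "no sub-page requested".
    // NOTE(review): $PAGE is also part of the path and is assumed to be validated upstream -- confirm.
    $modsubpage = null;
    if (isset($_REQUEST['modsubpage'])
        && is_string($_REQUEST['modsubpage'])
        && preg_match('/^[A-Za-z0-9_-]+$/', $_REQUEST['modsubpage']) === 1) {
        $modsubpage = $_REQUEST['modsubpage'];
    }
    //CONTROLLER (a sub-page controller takes precedence over the page's own)
    if (!$IS_CLIENTAREA && $modsubpage !== null && file_exists(ADDON_DIR . DS . 'pages' . DS . $PAGE . DS . $modsubpage . '.php')) {
        require ADDON_DIR . DS . 'pages' . DS . $PAGE . DS . $modsubpage . '.php';
    } elseif ($IS_CLIENTAREA && $modsubpage !== null && file_exists(ADDON_DIR . DS . 'pages_client' . DS . $PAGE . DS . $modsubpage . '.php')) {
        require ADDON_DIR . DS . 'pages_client' . DS . $PAGE . DS . $modsubpage . '.php';
    } elseif (!$IS_CLIENTAREA && file_exists(ADDON_DIR . DS . 'pages' . DS . $PAGE . DS . $PAGE . '.php')) {
        require ADDON_DIR . DS . 'pages' . DS . $PAGE . DS . $PAGE . '.php';
    } elseif ($IS_CLIENTAREA && file_exists(ADDON_DIR . DS . 'pages_client' . DS . $PAGE . DS . $PAGE . '.php')) {
        require ADDON_DIR . DS . 'pages_client' . DS . $PAGE . DS . $PAGE . '.php';
    } else {
        die('Page does not exists!');
    }
    //LOCATE VIEW FILE AND LOAD IT (a page without a view file is allowed)
    if (!$IS_CLIENTAREA && $modsubpage !== null && file_exists(ADDON_DIR . DS . 'views' . DS . $PAGE . DS . $modsubpage . '.php')) {
        require ADDON_DIR . DS . 'views' . DS . $PAGE . DS . $modsubpage . '.php';
    } elseif ($IS_CLIENTAREA && $modsubpage !== null && file_exists(ADDON_DIR . DS . 'views_client' . DS . $PAGE . DS . $modsubpage . '.php')) {
        // the existence check used to look in 'pages_views' while the require loaded from
        // 'views_client'; both now refer to the directory that is actually required
        require ADDON_DIR . DS . 'views_client' . DS . $PAGE . DS . $modsubpage . '.php';
    } elseif (!$IS_CLIENTAREA && file_exists(ADDON_DIR . DS . 'views' . DS . $PAGE . DS . $PAGE . '.php')) {
        require ADDON_DIR . DS . 'views' . DS . $PAGE . DS . $PAGE . '.php';
    } elseif ($IS_CLIENTAREA && file_exists(ADDON_DIR . DS . 'views_client' . DS . $PAGE . DS . $PAGE . '.php')) {
        require ADDON_DIR . DS . 'views_client' . DS . $PAGE . DS . $PAGE . '.php';
    }
} else {
    addError($lerror);
}
$CONTENT = ob_get_clean();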
<?php
/*
 * Front controller: pick the requested action (a POST value overrides a GET one),
 * make sure the database is initialised, then dispatch. A "table.initialization.error"
 * hands control to the install script; any other failure is reported and the
 * "install" action is run instead.
 */
$action = "";
foreach (array($_GET, $_POST) as $requestSource) {
    if (isset($requestSource['action'])) {
        $action = $requestSource['action'];
    }
}
try {
    if (initializeDB() == true) {
        doAction($action);
    }
} catch (Exception $e) {
    $isTableInitError = $e->getMessage() === "table.initialization.error";
    if ($isTableInitError) {
        // installscript.php is expected to set $forwardaction (not visible here)
        $forwardaction = "";
        include 'installscript.php';
        doAction($forwardaction);
    } else {
        addError($e->getMessage());
        doAction("install");
    }
}
/**
 * Builds an RSDF container for one data model: every link URL is encrypted with a
 * single continuous Rijndael-128/CFB stream, base64-encoded one per line, and the
 * whole text is returned base16-encoded.
 *
 * Key and IV are class constants, so the container hides the URLs from casual
 * reading rather than providing confidentiality against anyone who has this code.
 * NOTE(review): the first guard reports via the global addError() while the second
 * uses $this->addError() -- confirm which helper is intended.
 * NOTE(review): ext/mcrypt was removed from PHP core in 7.2; this will need porting
 * (e.g. to OpenSSL) on current PHP.
 *
 * @param int|string $intModelId key into $this->arrModel
 * @return string|mixed base16-encoded container, or the addError() result on failure
 */
function createRSDF($intModelId)
{
    if (!self::rsdf_key || !self::rsdf_iv) {
        return addError('(createRSDF) RSDF Keyfile is not defined');
    }
    if (!isset($this->arrModel[$intModelId])) {
        return $this->addError('(createRSDF) Data model with Id ' . $intModelId . ' not exists');
    }
    $binKey = $this->base16Decode(self::rsdf_key);
    $binIv = $this->base16Decode(self::rsdf_iv);
    # Build RSDF stream
    $hdlCipher = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CFB, '');
    mcrypt_generic_init($hdlCipher, $binKey, $binIv);
    $packages = $this->arrModel[$intModelId]['packages'];
    $packageCount = count($packages);
    $lines = array();
    // packages and links are walked by index; the cipher state carries over from
    // one link to the next, so the order here defines the stream
    for ($p = 0; $p < $packageCount; $p++) {
        $links = $packages[$p]['links'];
        $linkCount = count($links);
        for ($l = 0; $l < $linkCount; $l++) {
            $lines[] = base64_encode(mcrypt_generic($hdlCipher, $links[$l]['url']));
        }
    }
    mcrypt_generic_deinit($hdlCipher);
    mcrypt_module_close($hdlCipher);
    $strReturn = count($lines) ? implode("\r\n", $lines) . "\r\n" : '';
    return $this->base16Encode($strReturn);
}
exit; } $finishpublish = sotf_Utils::getParameter('finishpublish'); $finish = sotf_Utils::getParameter('finish'); $save = sotf_Utils::getParameter('save'); if ($save || $finish || $finishpublish) { $params = array('title' => 'text', 'alternative_title' => 'text', 'episode_title' => 'text', 'episode_sequence' => 'number', 'keywords' => 'text', 'abstract' => 'text', 'language' => 'text', 'genre_id' => 'number', 'spatial_coverage' => 'text', 'temporal_coverage' => 'date', 'production_date' => 'date', 'broadcast_date' => 'date', 'expiry_date' => 'date'); foreach ($params as $param => $type) { $value = sotf_Utils::getParameter($param); if ($type == 'text') { $value = strip_tags($value); } elseif ($type == 'number') { if (empty($value)) { $value = ''; } elseif (!is_numeric($value)) { addError($page->getlocalized('not_a_number') . ": {$value}"); continue; } } elseif ($type == 'date') { if (sotf_Utils::getParameter($param . '_radio1') != "unselected") { $value = sotf_Utils::getParameter($param . 'Year') . '-' . sotf_Utils::getParameter($param . 'Month') . '-' . sotf_Utils::getParameter($param . 'Day'); } } $prg->set($param, $value); } if ($finishpublish) { $prg->publish(); $page->redirect("editor.php"); } elseif ($finish) { $prg->update(); $page->redirect("editor.php");
//UTF-Module for PHP REQUIRED!!! $file = $userDir . $newname . "." . $extension; moveUploadedFile('userfile', $file); $page->redirect("manageFiles.php"); exit; } //--------- // delete files $del = sotf_Utils::getParameter('del'); if ($del) { reset($_POST); while (list($k, $fname) = each($_POST)) { debug("P", $k); if (substr($k, 0, 4) == 'sel_') { if (!unlink($user->getUserDir() . '/' . $fname)) { addError("Could not delete: {$fname}"); } } } $page->redirect("manageFiles.php"); exit; } // close $close = sotf_Utils::getParameter('close'); if ($close) { $page->redirect("closeAndRefresh.php"); exit; } // generate output $smarty->assign('USERFILES', $user->getUserFiles()); $smarty->assign("USERFTPURL", $user->getUrlForUserFTP());
/**
 * Updates one sub-criterion from the submitted request and re-renders the index.
 *
 * Nothing happens when the request is empty. Request handling (Core::Request()),
 * model loading and lang() are project code not visible here.
 * NOTE(review): the record id ('params') and every field are taken straight from the
 * request; authorisation is assumed to happen elsewhere -- confirm.
 *
 * @return void
 */
function update()
{
    $request = Core::Request();
    if (empty($request)) {
        return;
    }
    $model = $this->loadmodel('SubcriteriaModel');
    $model->id = $request['params'];
    $model->sub_criteria = $request['sub_criteria'];
    $model->parent_id = $request['parent_id'];
    $model->kode = $request['kode'];
    $model->persentase = $request['persentase'];
    // value is derived from the percentage; factor is stored as submitted
    $model->value = $this->grade($request['persentase']);
    $model->factor = $request['factor'];
    $message = $model->Save()
        ? addSuccess(lang('This sub aspek has been updated.'))
        : addError(lang('This sub aspek unsuccess update.'));
    $this->data['msg'] = $message;
    $this->index();
}
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ $page = 'mydiagrams'; require_once dirname(__FILE__) . '/common/delegate.php'; if (!isset($_SESSION)) { session_start(); } require_once dirname(__FILE__) . '/common/rememberme.php'; if (!isset($_SESSION['userId']) || !is_numeric($_SESSION['userId'])) { addError("Access denied"); redirect('./editor.php'); } $delegate = new Delegate(); $loggedUser = $delegate->userGetById($_SESSION['userId']); $allDiagrams = $delegate->diagramGetAll(); /**Exctracts the name of an email address*/ function firstName($email) { $rez = strpos($email, '@'); if ($rez) { return substr($email, 0, $rez); } else { return substr($email, 0, 5); } }
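/**
 * Runs the installer's environment checks and reports whether installation may continue.
 *
 * Problems are registered via addError()/addWarning(): a non-Apache web server is only a
 * warning, while PHP < 5.2.1, a missing MySQL extension or a missing gettext extension
 * are errors. The result is true when no error has been registered in the global $errors.
 *
 * @return bool
 */
function doSystemChecks()
{
    // Do system checking.
    if (version_compare(phpversion(), "5.2.1", "<")) {
        addError(kPHPVersion, sprintf(_('This version of PHPDevShell only supports PHP version %s and later. You are currently running version %s.'), '5.2.1', phpversion()));
    }
    if (check_apache() == false) {
        addWarning(kApache, _('You are not running Apache as your web server. This version of PHPDevShell does not officially support non-Apache driven webservers.'));
    }
    if (check_mysql() == false) {
        addError(kMYSQL, _('The MySQL extension for PHP is missing. The installation script will be unable to continue'));
    }
    if (check_gettext() == false) {
        addError(kGETTEXT, _('The gettext extension for PHP is missing. The installation script will be unable to continue'));
    }
    global $errors;
    // $errors is only populated by addError(); when nothing was ever registered it may still
    // be unset (null), which count() rejects on PHP 8 -- treat that as "no errors"
    return !isset($errors) || count($errors) == 0;
}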
<?php
// Login handler: when both credentials are posted, try to log in and record one generic
// failure message (it does not reveal which of the two was wrong). Any other request
// just renders the text below.
include_once './utility/error.php';
include_once './utility/user.php';
clearAndInitErrors();
$hasCredentials = isset($_POST['username'], $_POST['password']);
if ($hasCredentials && !login($_POST['username'], $_POST['password'])) {
    addError('Incorrect username/password combination');
}
?> <p>login</p>
/**
 * Handles an uploaded data file (on POST) and then renders the import form.
 *
 * Upload, parsing and insertion are project helpers not visible here; each step is
 * skipped when the previous one returned a falsy result. A failed insert is reported
 * via addError(), a successful one via addSuccess() followed by updateSC().
 *
 * @return void
 */
public function importfile()
{
    if ($_POST) {
        $upload = $this->fileUploadHandler();
        $dataset = $upload ? $this->processFiles($upload) : null;
        if ($dataset) {
            if ($this->datapoints->addPoints($dataset)) {
                addSuccess(getTxt('Success'));
                $this->updateSC();
            } else {
                addError(getTxt('ProcessingError') . "Error in data input");
            }
        }
    }
    // select-box options for sources and variables
    $sourceOptions = optionsSource($this->sources->getAll());
    $varOptions = optionsVariable($this->variables->getAll());
    // view data starts from the shared style settings
    $data = $this->StyleData;
    $data['sourcesOptions'] = $sourceOptions;
    $data['variableOptions'] = $varOptions;
    $this->load->view('datapoint/importfile', $data);
}