Protect against sql injection attacks in sql INSERT statements
@@ -18,6 +18,68 @@ function query_appdb($sQuery,$sComment="")
|
||||
return $hResult;
|
||||
}
|
||||
|
||||
/*
|
||||
* Wildcard Rules
|
||||
* SCALAR (?) => 'original string quoted'
|
||||
* OPAQUE (&) => 'string from file quoted'
|
||||
* MISC (~) => original string (left 'as-is')
|
||||
*
|
||||
* NOTE: These rules convienently match those for Pear DB
|
||||
*
|
||||
* MySQL Prepare Function
|
||||
* By: Kage (Alex)
|
||||
* KageKonjou@GMail.com
|
||||
* http://us3.php.net/manual/en/function.mysql-query.php#53400
|
||||
*
|
||||
* Modified by CMM 20060622
|
||||
*
|
||||
* Values are mysql_real_escape_string()'d to prevent against injection attacks
|
||||
* See http://php.net/mysql_real_escape_string for more information about why this is the case
|
||||
*
|
||||
*/
|
||||
function query_parameters()
|
||||
{
|
||||
global $hAppdbLink;
|
||||
|
||||
if(!is_resource($hAppdbLink))
|
||||
{
|
||||
// The last argument makes sure we are really opening a new connection
|
||||
$hAppdbLink = mysql_connect(APPS_DBHOST, APPS_DBUSER, APPS_DBPASS,true);
|
||||
mysql_select_db(APPS_DB, $hAppdbLink);
|
||||
}
|
||||
|
||||
$data = func_get_args();
|
||||
$query = $data[0];
|
||||
$tokens = split("[\&\?\~]", $query);
|
||||
$preparedquery = $tokens[0];
|
||||
$count = strlen($tokens[0]);
|
||||
|
||||
for ($i=1; $i < count($tokens); $i++)
|
||||
{
|
||||
$char = substr($query, $count, 1);
|
||||
$count += (strlen($tokens[$i])+1);
|
||||
if ($char == "&")
|
||||
{
|
||||
$fp = @fopen($data[$i], 'r');
|
||||
$pdata = "";
|
||||
if ($fp)
|
||||
{
|
||||
while (($buf = fread($fp, 4096)) != false)
|
||||
{
|
||||
$pdata .= $buf;
|
||||
}
|
||||
fclose($fp);
|
||||
}
|
||||
} else
|
||||
{
|
||||
$pdata = &$data[$i];
|
||||
}
|
||||
$preparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);
|
||||
$preparedquery .= $tokens[$i];
|
||||
}
|
||||
|
||||
return query_appdb($preparedquery);
|
||||
}
|
||||
|
||||
function query_bugzilladb($sQuery,$sComment="")
|
||||
{
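Review bot: The header comment promises `SCALAR (?) => 'original string quoted'`, but the line `$preparedquery .= ($char != "~" ? mysql_real_escape_string($pdata) : $pdata);` only escapes and never adds the quotes, so a `?` written bare in a numeric comparison is still not safe because escaping leaves digits, spaces and keywords untouched. Either quote in the code to match the Pear DB rules the comment cites, `"'".mysql_real_escape_string($pdata, $hAppdbLink)."'"`, or change the comment to `* SCALAR (?) => escaped string; callers MUST write the placeholder inside quotes ('?')` and check the call sites accordingly. The same call should pass `$hAppdbLink` explicitly, since without it mysql_real_escape_string() uses whichever connection was opened last, and this function may have just opened a separate one via `mysql_connect(..., true)`. In the `&` branch `$data[$i]` is handed to `@fopen()` as a path and the `@` turns an unreadable file into an empty string spliced into the query, so a comment such as `// & binds a trusted local file PATH, never request data; an unreadable file yields ''` belongs above it, or the branch should fail loudly instead.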
|
||||
@@ -46,31 +108,6 @@ function query_error($sQuery, $sComment="")
|
||||
addmsg($sStatusMessage, "red");
|
||||
}
|
||||
|
||||
/**
|
||||
* Expects an array in this form:
|
||||
* $aFoo['field'] = 'value';
|
||||
*
|
||||
* Returns an array ready to be put in a query like this
|
||||
* $sQuery = "INSERT INTO `foo` {$aReturn['FIELDS']} VALUES {$aReturn['VALUES']}";
|
||||
*
|
||||
* Values are addslashes()'d.
|
||||
*/
|
||||
|
||||
function compile_insert_string($aData)
|
||||
{
|
||||
foreach ($aData as $k => $v)
|
||||
{
|
||||
$field_names .= "`$k`,";
|
||||
$field_values .= "'".addslashes($v)."',";
|
||||
}
|
||||
|
||||
// Get rid of the end ,
|
||||
$field_names = preg_replace( "/,$/" , "" , $field_names );
|
||||
$field_values = preg_replace( "/,$/" , "" , $field_values );
|
||||
|
||||
return array('FIELDS' => $field_names, 'VALUES' => $field_values);
|
||||
}
|
||||
|
||||
/**
|
||||
* Expects an array in this form:
|
||||
* $aFoo['field'] = 'value';
|
||||
|
||||