root/trunk/gui/include/sql.php

Revision 1327, 3.6 kB (checked in by rats, 4 months ago)

* Fixed: --scan-knownbad-files and --check-deleted are no longer supported by rkhunter
* Fixed #1471: chkrootkit should be in lenny / hardy
* Updated Chinese (simplified)
* Updated German
* Fixed #1475: typo on installation (ispcp-setup)
* Fixed: default user for rkhunter.log

1 <?php
2 /**
3  * ispCP ω (OMEGA) a Virtual Hosting Control System
4  *
5  * @copyright     2001-2006 by moleSoftware GmbH
6  * @copyright     2006-2008 by ispCP | http://isp-control.net
7  * @version     SVN: $Id$
8  * @link         http://isp-control.net
9  * @author         ispCP Team
10  *
11  * @license
12  *   This program is free software; you can redistribute it and/or modify it under
13  *   the terms of the MPL General Public License as published by the Free Software
14  *   Foundation; either version 1.1 of the License, or (at your option) any later
15  *   version.
16  *   You should have received a copy of the MPL Mozilla Public License along with
17  *   this program; if not, write to the Open Source Initiative (OSI)
18  *   http://opensource.org | osi@opensource.org
19  */
20
21 require_once(INCLUDEPATH . '/class.database.php');
22
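// Expose the database settings under the DB_* names the rest of the code reads.
// DB_PASS holds the decrypted password and is cleared again once connected.
Config::set('DB_TYPE', Config::get('DATABASE_TYPE'));
Config::set('DB_HOST', Config::get('DATABASE_HOST'));
Config::set('DB_USER', Config::get('DATABASE_USER'));
Config::set('DB_PASS', decrypt_db_password(Config::get('DATABASE_PASSWORD')));
Config::set('DB_NAME', Config::get('DATABASE_NAME'));

// Open the shared connection. Warnings stay suppressed (as before), presumably so a
// driver notice cannot echo host/user details into the page -- confirm against Database::connect().
$sql = @Database::connect(Config::get('DB_USER'), Config::get('DB_PASS'), Config::get('DB_TYPE'), Config::get('DB_HOST'), Config::get('DB_NAME'));

// The previous `... or system_message(... $sql->ErrorMsg())` branch only ran when $sql
// was not an object, so the ErrorMsg() call itself faulted instead of reporting the error.
if (!$sql) {
    system_message('ERROR: Unable to connect to SQL server !');
}

// Optionally switch to utf8 for all traffic with the database. Guarded on $sql so a
// failed connection does not turn into a second fault here.
if ($sql && Config::exists('DATABASE_UTF8') && Config::get('DATABASE_UTF8') == 'yes') {
    @$sql->Execute("SET NAMES 'utf8'");
}

// Credentials are no longer needed in the shared config -- drop them so later code
// cannot read them back.
Config::set('DB_USER', null);
Config::set('DB_PASS', null);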
41
/**
 * Run a raw SQL statement on the given connection.
 *
 * No parameter binding happens here: the statement is sent exactly as given,
 * so callers must not build $query from request data -- use exec_query() with
 * bound values for that. On failure the driver's error text is passed to
 * system_message() and the falsy result is handed back.
 *
 * @param object $sql   connection (expects Execute() and ErrorMsg())
 * @param string $query complete SQL statement
 * @return mixed result set from Execute(), or its falsy failure value
 */
function execute_query (&$sql, $query) {
    $result = $sql->Execute($query);

    if (!$result) {
        system_message($sql->ErrorMsg());
    }

    return $result;
}
47
/**
 * Prepare a statement on the connection and execute it with bound values.
 *
 * This is the binding-aware entry point: pass user-supplied values through
 * $data rather than splicing them into $query. When execution fails and
 * $failDie is true, the driver's error text (errorInfo()[2] when present,
 * otherwise the raw errorInfo() value) is shown via system_message(); the
 * failure value from Execute() is returned either way.
 *
 * @param object $sql     connection (expects Prepare(), Execute(), errorInfo())
 * @param string $query   SQL with placeholders
 * @param array  $data    values bound to the placeholders
 * @param bool   $failDie report failures through system_message()
 * @return mixed result set from Execute(), or its falsy failure value
 */
function exec_query(&$sql, $query, $data = array(), $failDie = true) {
    $statement = $sql->Prepare($query);
    $result = $sql->Execute($statement, $data);

    if ($result || !$failDie) {
        return $result;
    }

    // A PDOStatement carries its own error state; otherwise ask the connection.
    $errorSource = ($statement instanceof PDOStatement) ? $statement : $sql;
    $info = $errorSource->errorInfo();
    system_message(isset($info[2]) ? $info[2] : $info);

    return $result;
}
64
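/**
 * Wrap a table/column name in the connection's identifier quote character.
 *
 * An embedded quote character is escaped by doubling it, which is how
 * backtick-delimited (MySQL) and double-quote-delimited (ANSI, PostgreSQL,
 * SQLite) identifiers escape their delimiter. The former backslash escaping
 * is not recognised by those dialects, so an identifier containing the quote
 * character was not neutralised. Bracket-style quoting ([...]) uses a
 * different closing character and is not handled here.
 *
 * @param string      $identifier raw identifier
 * @param string|null $nameQuote  quote character; defaults to the active
 *                                connection's nameQuote
 * @return string quoted identifier
 */
function quoteIdentifier($identifier, $nameQuote = null) {
    if ($nameQuote === null) {
        $nameQuote = Database::getInstance()->nameQuote;
    }

    $escaped = str_replace($nameQuote, $nameQuote . $nameQuote, $identifier);

    return $nameQuote . $escaped . $nameQuote;
}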
72
/**
 * Heuristic check for SQL statement fragments in a request value.
 *
 * Matches a leading DML/DDL keyword followed by up to 200 alphanumeric/space
 * characters and a FROM/INTO/TABLE token. It is a coarse pattern: ordinary
 * prose containing such a sequence will be flagged, and its keyword/spacing
 * requirements leave plenty of SQL unmatched, so it is an alerting aid for
 * check_query(), not a substitute for bound parameters in exec_query().
 *
 * @param string $value   request value to test
 * @param array  $matches receives preg_match() captures ($matches[0] is the hit)
 * @return bool true when the pattern matched
 */
function match_sqlinjection($value, &$matches) {
    $pattern = '/((DELETE)|(INSERT)|(UPDATE)|(ALTER)|(CREATE)|( TABLE)|(DROP))\s[A-Za-z0-9 ]{0,200}(\s(FROM)|(INTO)|(TABLE)\s)/i';

    $matches = array();
    $hits = preg_match($pattern, $value, $matches);

    return $hits > 0;
}
77
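/**
 * Scan every $_REQUEST parameter (one level of array nesting) for strings that
 * look like SQL statements and abort the script when one is found.
 *
 * This is a coarse heuristic built on match_sqlinjection(); it logs and blocks
 * obviously hostile input but is not the data-access layer's protection --
 * bound parameters via exec_query() are. Legitimate free text containing SQL
 * keywords can trip it, hence $exclude.
 *
 * @param string|array $exclude request key(s) to skip
 * @return void
 */
function check_query($exclude = array()) {
    // version_compare() understands dotted versions; the former string comparison
    // would have rejected e.g. a "10.x" release as older than "4.2.2".
    if (version_compare(phpversion(), '4.2.2', '<=')) {
        $message = "Your PHP version is older than 4.2.2!";
        write_log($message);
        system_message($message);
        die('ERROR: Your PHP version is older than 4.2.2!');
    }

    if (!is_array($exclude)) {
        $exclude = array($exclude);
    }

    foreach ($_REQUEST as $key => $value) {
        // Loose in_array() kept on purpose: numeric request keys arrive as ints.
        if (in_array($key, $exclude)) {
            continue;
        }

        if (!is_array($value)) {
            _check_query_value($key, $value);
            continue;
        }

        // Only one level of nesting is inspected, as before; deeper arrays pass untouched.
        foreach ($value as $skey => $svalue) {
            if (!is_array($svalue)) {
                _check_query_value($skey, $svalue);
            }
        }
    }
}

/**
 * Report and terminate when a single request value matches match_sqlinjection().
 *
 * Key, value and the matched fragment are HTML-escaped before being embedded:
 * they come straight from the request and the message carries markup, so
 * system_message() presumably renders it as HTML (confirm) -- reflecting the
 * raw values would let request content inject markup into the error page and
 * the log.
 *
 * @param string|int $key   request key
 * @param mixed      $value scalar request value
 * @return void
 */
function _check_query_value($key, $value) {
    $matches = null;
    if (!match_sqlinjection($value, $matches)) {
        return;
    }

    $safeKey = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
    $safeValue = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    $safeMatch = htmlspecialchars((string) $matches[0], ENT_QUOTES, 'UTF-8');

    $message = "Possible SQL injection detected: {$safeKey}=>{$safeValue}. <b>{$safeMatch}</b>. Script terminated.";
    write_log($message);
    system_message($message);
    die('<b>WARNING</b>: Possible SQL injection detected. Script terminated.');
}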
118
119 ?>