includes/dbal.php
changeset 128 01955bf53f96
parent 91 8079b0288e8e
child 142 ca9118d9c0f2
--- a/includes/dbal.php	Sat Sep 08 15:06:28 2007 -0400
+++ b/includes/dbal.php	Sat Sep 08 22:58:38 2007 -0400
@@ -196,7 +196,7 @@
     $quotepos  = 0;
     $prev_is_quote = false;
     $just_started = false;
-    for($i=0;$i<strlen($q);$i++,$c=substr($q, $i, 1))
+    for ( $i = 0; $i < strlen($q); $i++, $c = substr($q, $i, 1) )
     {
       $next = substr($q, $i+1, 1);
       $next2 = substr($q, $i+2, 1);
@@ -206,8 +206,8 @@
       {
         if($quotechar)
         {
-          if(
-              ( $quotechar == $c && $quotechar != $next && ( $quotechar != $prev || $just_entered ) && $prev != '\\') ||
+          if (
+              ( $quotechar == $c && $quotechar != $next && ( $quotechar != $prev || $just_started ) && $prev != '\\') ||
               ( $prev2 == '\\' && $prev == $quotechar && $quotechar == $c )
             )
           {
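Review bot: The renamed `$just_started` flag now lets an empty literal close, but the escape test in the first clause, `$prev != '\\'`, still treats any backslash directly before the quote as escaping it, so a literal ending in an escaped backslash (`'abc\\'`) is never closed by this scanner even though MySQL's default escaping closes it there, and the second clause only rescues the `\''` shape. Whether this lets the rest of the query be swallowed as string content, or simply leaves a stray quote for the later pass to reject, depends on what the close branch does to `$q`, which is outside this hunk. The robust form counts the run of backslashes before `$c` and treats the quote as escaped only when that count is odd, e.g. `$bs = 0; for ( $k = $i - 1; $k >= 0 && substr($q, $k, 1) == '\\'; $k-- ) $bs++;` followed by `$bs % 2 == 0` in place of `$prev != '\\'`. check_query starts before this hunk.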
@@ -222,17 +222,20 @@
         {
           $quotechar = $c;
           $quotepos  = $i;
-          $just_entered = true;
+          $just_started = true;
         }
         if($debug) echo '$db-&gt;check_query(): found quote char as pos: '.$i.'<br />';
         continue;
       }
-      $just_entered = false;
+      $just_started = false;
     }
     if(substr(trim($q), strlen(trim($q))-1, 1) == ';') $q = substr(trim($q), 0, strlen(trim($q))-1);
     for($i=0;$i<strlen($q);$i++,$c=substr($q, $i, 1))
     {
-      if( ( $c == ';' && $i != $sz-1 ) || $c . substr($q, $i+1, 1) == '--') // Don't permit semicolons in mid-query, and never allow comments
+      if ( 
+           ( ( $c == ';' && $i != $sz-1 ) || $c . substr($q, $i+1, 1) == '--' )
+        || ( in_array($c, Array('"', "'", '`')) )
+         ) // Don't permit semicolons in mid-query, and never allow comments
       {
         // Injection attempt!
         if($debug)
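Review bot: The new condition still treats only `--` as a comment opener, so the trailing comment `// Don't permit semicolons in mid-query, and never allow comments` overstates it: MySQL also opens comments with `#` and `/*`, and neither is caught here. A second gap is in the loop header `for($i=0;$i<strlen($q);$i++,$c=substr($q, $i, 1))`: the step expression runs after each iteration, so on the first pass `$c` still holds whatever the previous loop left in it and position 0 of `$q` is never examined by any of these tests. I would make `$c = substr($q, $i, 1);` the first statement of the body, extend the test with `|| $c == '#' || $c . substr($q, $i+1, 1) == '/*'`, and pass `true` as the third argument to `in_array`. A check of this shape is a blacklist and should be documented as defense in depth behind whatever escaping builds `$q`, not as the control that makes the query safe.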
@@ -248,6 +251,11 @@
         return false;
       }
     }
+    if ( preg_match('/[\s]+(SAFE_QUOTE|[\S]+)=\\1($|[\s]+)/', $q, $match) )
+    {
+      if ( $debug ) echo 'Found always-true test in query, injection attempt caught, match:<br />' . '<pre>' . print_r($match, true) . '</pre>';
+      return false;
+    }
     return true;
   }
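Review bot: The new tautology regex only matches `X=X` with no whitespace around `=` and with whitespace before the left operand, so `WHERE 1 = 1`, `WHERE (1=1)`, `1=2-1` and `2>1` all pass it; as a security check it is a heuristic that is straightforward to sidestep, and the `$debug` message should say so rather than claim the injection attempt was "caught". Tightening the pattern to `'/(?:^|[\s(])(SAFE_QUOTE|[^\s()=]+)\s*=\s*\\1(?=$|[\s)])/'` closes the whitespace and parenthesis bypasses without changing the backreference, though not the arithmetic ones; the real control has to be the escaping or parameterisation that builds `$q`, and a comment above the `preg_match` stating that this test is best-effort would stop a later maintainer relying on it. The debug branch also echoes `$match` through `print_r` unescaped; wrap it in `htmlspecialchars()` since `$q` may carry user-supplied text. check_query's opening is outside this hunk.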