<?php
/**
 * SQL auditor of the Bitrix security filter (module "security", lib/filter/auditor/sql.php).
 *
 * Defines Bitrix\Security\Filter\Auditor\Sql, a Base auditor that looks for SQL
 * statements hidden in request values and rewrites them via Base's splitting strings.
 */
namespace Bitrix\Security\Filter\Auditor;
/**
 * Auditor that looks for SQL statements hidden in request values.
 *
 * Detection runs in two stages: process() first applies a handful of cheap,
 * permissive patterns, and only when one of them fires is the heavier
 * rewriting filter set from getFilters() applied through parent::process().
 */
class Sql extends Base
{
	/** Auditor name; the property itself comes from Base — presumably used for reporting, verify there. */
	protected $name = 'SQL';

	/**
	 * Values consisting solely of the base64 alphabet (optionally "=" padded)
	 * are skipped by process() without any SQL inspection.
	 */
	private const BASE64_LIKE = '#^[0-9a-zA-Z+/]+={0,3}$#';

	/**
	 * Cheap pre-check patterns, deliberately loose ("union" followed by
	 * "select" anywhere later). A single hit hands the value to the precise
	 * filters; no hit means the value is not inspected further.
	 */
	private const QUICK_PATTERNS = [
		'/union.+?select/is',
		'/select.+?from/is',
		'/from.+?(?:where|limit)/is',
		'/alter.+?(?:database|table|function|procedure|server|event|view|index)/is',
		'/create.+?(?:database|table|function|procedure|server|event|view|index)/is',
		'/drop.+?(?:database|table|function|procedure|server|event|view|index)/is',
		'/update.+?set/is',
		'/insert.+?(?:value|set|select|into)/is',
		'/into.+?(?:outfile|dumpfile)/is',
		'/load_file/is',
	];

	/**
	 * Build the rewriting filter set used by Base::process().
	 *
	 * Every key is a PCRE pattern that captures a pair of SQL keywords in 2-4
	 * groups; its value is the matching splitting string obtained from
	 * Base::getSplittingString(), which breaks the keywords apart so the
	 * fragment stops reading as SQL. The declaration order is preserved in
	 * 'search' — presumably the order preg_replace applies them in Base,
	 * verify there before reordering.
	 *
	 * @return array{search: list<string>, replace: array<string, string>}
	 *     'search' holds the patterns, 'replace' the pattern => replacement map.
	 */
	protected function getFilters()
	{
		// A keyword may start either at a word boundary or right after a
		// "/*!nnn" / "/*M!nnn" comment opener; \K resets the match start so the
		// opener itself is not part of the replaced text.
		$start = '(?:(?<![a-z0-9_.-])|\/\*M?!\d+?)\K';
		// The closing keyword must not continue as an identifier.
		$end = '(?![a-z_])';
		// Anything that may separate two SQL tokens: control chars and space,
		// punctuation, block comments (also unterminated "/*!" openers and a
		// stray "*/"), and "#" line comments.
		// NOTE(review): inside this double-quoted literal "\\\e" becomes a
		// backslash followed by an ESC byte, so the character class also admits
		// ESC and a literal "d" — confirm whether "\\d" was intended.
		$gap = "(?:[\\x00-\\x20\(\)\'\"\`*@\+\-\.~\\\ed!\d{}]|(?:\\/\\*.*?\\*\\/)|(?:\\/\\*M?!\d*)|(?:\\*\\/)|(?:#[^\\n]*[\\n]+))+";
		// A single separator character allowed right before a closing keyword
		// (same set as above plus "/").
		$gapChar = "[\\x00-\\x20\(\)\'\"\`*@\+\-\.~\\\ed!\d{}\\/]";
		// Optional whitespace between a function name and its "(".
		$fnGap = "[\\x00-\\x20]*";
		// Object kinds accepted after ALTER / CREATE / DROP.
		$ddlObject = 'database|table|function|procedure|server|event|view|index';

		$splitTo2 = $this->getSplittingString(2);
		$splitTo3 = $this->getSplittingString(3);
		$splitTo4 = $this->getSplittingString(4);

		$patterns = [
			// UNION ... SELECT
			"/{$start}(uni)(on{$gap}.+?{$gapChar}sel)(ect){$end}/is" => $splitTo3,
			"/{$start}(uni)(on{$gap}sel)(ect){$end}/is" => $splitTo3,
			// SELECT ... FROM ... WHERE
			"/{$start}(sel)(ect{$gap}.+?{$gapChar}fr)(om){$end}/is" => $splitTo3,
			"/{$start}(sel)(ect{$gap}fr)(om){$end}/is" => $splitTo3,
			"/{$start}(fr)(om{$gap}.+?{$gapChar}wh)(ere){$end}/is" => $splitTo3,
			// DDL: ALTER / CREATE / DROP <object>
			"/{$start}(alt)(er)({$gap})({$ddlObject}){$end}/is" => $splitTo4,
			"/{$start}(cre)(ate)({$gap})({$ddlObject}){$end}/is" => $splitTo4,
			"/{$start}(dr)(op)({$gap})({$ddlObject}){$end}/is" => $splitTo4,
			// UPDATE ... SET, INSERT ... VALUE / SET, INTO OUTFILE / DUMPFILE
			"/{$start}(upd)(ate{$gap}.+?{$gapChar}se)(t){$end}/is" => $splitTo3,
			"/{$start}(ins)(ert{$gap}.+?{$gapChar}val)(ue){$end}/is" => $splitTo3,
			"/{$start}(ins)(ert{$gap}.+?{$gapChar}se)(t){$end}/is" => $splitTo3,
			"/{$start}(i)(nto{$gap}out)(file){$end}/is" => $splitTo3,
			"/{$start}(i)(nto{$gap}dump)(file){$end}/is" => $splitTo3,
			// INSERT ... SELECT, INSERT [...] INTO
			"/{$start}(ins)(ert{$gap}.+?{$gap}sele)(ct){$end}/is" => $splitTo3,
			"/{$start}(ins)(ert{$gap}in)(to){$end}/is" => $splitTo3,
			"/{$start}(ins)(ert{$gap}.+?{$gap}in)(to){$end}/is" => $splitTo3,
			// LOAD_FILE(
			"/{$start}(load_)(file{$fnGap}\()/is" => $splitTo2,
			// FROM ... LIMIT
			"/{$start}(fr)(om{$gap}.+?{$gapChar}lim)(it){$end}/is" => $splitTo3,
		];

		return [
			'search' => array_keys($patterns),
			'replace' => $patterns,
		];
	}

	/**
	 * Inspect a single request value for SQL fragments.
	 *
	 * @param mixed $value Value to audit (a string is expected; preg_match is
	 *                     called on it as-is).
	 * @return mixed false when the value is skipped or no quick pattern
	 *               matches; otherwise whatever parent::process() returns.
	 */
	public function process($value)
	{
		// Base64-looking blobs are skipped wholesale to avoid false positives
		// on encoded payloads. NOTE(review): this alphabet also admits "+" and
		// "/", which $gap/$gapChar in getFilters() treat as token separators —
		// confirm the early return is intended for such inputs.
		if (preg_match(self::BASE64_LIKE, $value))
		{
			return false;
		}

		if (!$this->passesQuickCheck($value))
		{
			return false;
		}

		return parent::process($value);
	}

	/**
	 * True when at least one QUICK_PATTERNS entry matches $value.
	 *
	 * preg_match() returning false (a PCRE error such as the backtrack limit)
	 * is indistinguishable from "no match" here, so on such errors the value
	 * is left unfiltered; preg_last_error() is not consulted.
	 */
	private function passesQuickCheck($value): bool
	{
		foreach (self::QUICK_PATTERNS as $pattern)
		{
			if (preg_match($pattern, $value))
			{
				return true;
			}
		}

		return false;
	}
}