diff --git a/src/system/common.func.php b/src/system/common.func.php
index f0fd211d..a6073408 100755
--- a/src/system/common.func.php
+++ b/src/system/common.func.php
@@ -137,6 +137,96 @@ function dede_random_bytes($length)
}
return FALSE;
}
+//SQL语句过滤程序,由80sec提供,这里作了适当的修改
+if (!function_exists('CheckSql')) {
+ function CheckSql($db_string, $querytype = 'select')
+ {
+ global $cfg_cookie_encode;
+ $clean = '';
+ $error = '';
+ $old_pos = 0;
+ $pos = -1;
+ $enkey = substr(md5(substr($cfg_cookie_encode.'dedebiz', 0, 5)), 0, 10);
+ $log_file = DEDEDATA.'/checksql_'.$enkey.'_safe.txt';
+ $userIP = GetIP();
+ $getUrl = GetCurUrl();
+ //如果是普通查询语句,直接过滤一些特殊语法
+ if ($querytype == 'select') {
+ $notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";
+ //$notallow2 = "--|/\*";
+ if (preg_match("/".$notallow1."/i", $db_string)) {
+ fputs(fopen($log_file, 'a+'), "$userIP||$getUrl||$db_string||SelectBreak\r\n");
+ exit("Safe Alert: Request Error step 1 !");
+ }
+ }
+ //完整的SQL检查
+ while (TRUE) {
+ $pos = strpos($db_string, '\'', $pos + 1);
+ if ($pos === FALSE) {
+ break;
+ }
+ $clean .= substr($db_string, $old_pos, $pos - $old_pos);
+ while (TRUE) {
+ $pos1 = strpos($db_string, '\'', $pos + 1);
+ $pos2 = strpos($db_string, '\\', $pos + 1);
+ if ($pos1 === FALSE) {
+ break;
+ } elseif ($pos2 == FALSE || $pos2 > $pos1) {
+ $pos = $pos1;
+ break;
+ }
+ $pos = $pos2 + 1;
+ }
+ $clean .= '$s$';
+ $old_pos = $pos + 1;
+ }
+ $clean .= substr($db_string, $old_pos);
+ $clean = trim(strtolower(preg_replace(array('~\s+~s'), array(' '), $clean)));
+ if (
+ strpos($clean, '@') !== FALSE or strpos($clean, 'char(') !== FALSE or strpos($clean, '"') !== FALSE
+ or strpos($clean, '$s$$s$') !== FALSE
+ ) {
+ $fail = TRUE;
+ if (preg_match("#^create table#i", $clean)) $fail = FALSE;
+ $error = "unusual character";
+ }
+ //老版本的Mysql并不支持union,常用的程序里也不使用union,但是一些黑客使用它,所以检查它
+ if (strpos($clean, 'union') !== FALSE && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0) {
+ $fail = TRUE;
+ $error = "union detect";
+ }
+ //发布版本的程序可能比较少包括--,#这样的注释,但是黑客经常使用它们
+ elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== FALSE || strpos($clean, '#') !== FALSE) {
+ $fail = TRUE;
+ $error = "comment detect";
+ }
+ //这些函数不会被使用,但是黑客会用它来操作文件,down掉数据库
+ elseif (strpos($clean, 'sleep') !== FALSE && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0) {
+ $fail = TRUE;
+ $error = "slown down detect";
+ } elseif (strpos($clean, 'benchmark') !== FALSE && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0) {
+ $fail = TRUE;
+ $error = "slown down detect";
+ } elseif (strpos($clean, 'load_file') !== FALSE && preg_match('~(^|[^a-z])load_file($|[^[a-z])~s', $clean) != 0) {
+ $fail = TRUE;
+ $error = "file fun detect";
+ } elseif (strpos($clean, 'into outfile') !== FALSE && preg_match('~(^|[^a-z])into\s+outfile($|[^[a-z])~s', $clean) != 0) {
+ $fail = TRUE;
+ $error = "file fun detect";
+ }
+ //老版本的MYSQL不支持子查询,我们的程序里可能也用得少,但是黑客可以使用它来查询数据库敏感信息
+ elseif (preg_match('~\([^)]*?select~s', $clean) != 0) {
+ $fail = TRUE;
+ $error = "sub select detect";
+ }
+ if (!empty($fail)) {
+ fputs(fopen($log_file, 'a+'), "$userIP||$getUrl||$db_string||$error\r\n");
+ exit("Safe Alert: Request Error step 2!");
+ } else {
+ return $db_string;
+ }
+ }
+}
/**
* 载入小助手,系统默认载入小助手
* 在/data/helper.inc.php中进行默认小助手初始化的设置
diff --git a/src/system/database/dedesqli.class.php b/src/system/database/dedesqli.class.php
index 356e07c1..7973d765 100755
--- a/src/system/database/dedesqli.class.php
+++ b/src/system/database/dedesqli.class.php
@@ -473,7 +473,9 @@ class DedeSqli
}
function RecordLog($runtime = 0)
{
- $RecordLogFile = DEDEDATA.'/mysqli_record_log.inc';
+ global $cfg_cookie_encode;
+ $enkey = substr(md5(substr($cfg_cookie_encode.'dedebiz', 0, 5)), 0, 10);
+ $RecordLogFile = DEDEDATA.'/mysqli_record_log_'.$enkey.'.inc';
$url = $this->GetCurUrl();
$savemsg = <<showError) {
$msg = str_replace(array("\r","\n"),"",addslashes($msg));
ShowMsg("{$msg}", "javascript:;", -1);
@@ -522,93 +526,4 @@ EOT;
function CopySQLiPoint(&$ndsql)
{
$GLOBALS['dsqli'] = $ndsql;
-}
-//SQL语句过滤程序,由80sec提供,这里作了适当的修改
-if (!function_exists('CheckSql')) {
- function CheckSql($db_string, $querytype = 'select')
- {
- global $cfg_cookie_encode;
- $clean = '';
- $error = '';
- $old_pos = 0;
- $pos = -1;
- $log_file = DEDEDATA.'/'.md5($cfg_cookie_encode).'_safe.txt';
- $userIP = GetIP();
- $getUrl = GetCurUrl();
- //如果是普通查询语句,直接过滤一些特殊语法
- if ($querytype == 'select') {
- $notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";
- //$notallow2 = "--|/\*";
- if (preg_match("/".$notallow1."/i", $db_string)) {
- fputs(fopen($log_file, 'a+'), "$userIP||$getUrl||$db_string||SelectBreak\r\n");
- exit("Safe Alert: Request Error step 1 !");
- }
- }
- //完整的SQL检查
- while (TRUE) {
- $pos = strpos($db_string, '\'', $pos + 1);
- if ($pos === FALSE) {
- break;
- }
- $clean .= substr($db_string, $old_pos, $pos - $old_pos);
- while (TRUE) {
- $pos1 = strpos($db_string, '\'', $pos + 1);
- $pos2 = strpos($db_string, '\\', $pos + 1);
- if ($pos1 === FALSE) {
- break;
- } elseif ($pos2 == FALSE || $pos2 > $pos1) {
- $pos = $pos1;
- break;
- }
- $pos = $pos2 + 1;
- }
- $clean .= '$s$';
- $old_pos = $pos + 1;
- }
- $clean .= substr($db_string, $old_pos);
- $clean = trim(strtolower(preg_replace(array('~\s+~s'), array(' '), $clean)));
- if (
- strpos($clean, '@') !== FALSE or strpos($clean, 'char(') !== FALSE or strpos($clean, '"') !== FALSE
- or strpos($clean, '$s$$s$') !== FALSE
- ) {
- $fail = TRUE;
- if (preg_match("#^create table#i", $clean)) $fail = FALSE;
- $error = "unusual character";
- }
- //老版本的Mysql并不支持union,常用的程序里也不使用union,但是一些黑客使用它,所以检查它
- if (strpos($clean, 'union') !== FALSE && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "union detect";
- }
- //发布版本的程序可能比较少包括--,#这样的注释,但是黑客经常使用它们
- elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== FALSE || strpos($clean, '#') !== FALSE) {
- $fail = TRUE;
- $error = "comment detect";
- }
- //这些函数不会被使用,但是黑客会用它来操作文件,down掉数据库
- elseif (strpos($clean, 'sleep') !== FALSE && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "slown down detect";
- } elseif (strpos($clean, 'benchmark') !== FALSE && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "slown down detect";
- } elseif (strpos($clean, 'load_file') !== FALSE && preg_match('~(^|[^a-z])load_file($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "file fun detect";
- } elseif (strpos($clean, 'into outfile') !== FALSE && preg_match('~(^|[^a-z])into\s+outfile($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "file fun detect";
- }
- //老版本的MYSQL不支持子查询,我们的程序里可能也用得少,但是黑客可以使用它来查询数据库敏感信息
- elseif (preg_match('~\([^)]*?select~s', $clean) != 0) {
- $fail = TRUE;
- $error = "sub select detect";
- }
- if (!empty($fail)) {
- fputs(fopen($log_file, 'a+'), "$userIP||$getUrl||$db_string||$error\r\n");
- exit("Safe Alert: Request Error step 2!");
- } else {
- return $db_string;
- }
- }
}
\ No newline at end of file
diff --git a/src/system/database/dedesqlite.class.php b/src/system/database/dedesqlite.class.php
index d8a09e5e..36e3d438 100755
--- a/src/system/database/dedesqlite.class.php
+++ b/src/system/database/dedesqlite.class.php
@@ -487,7 +487,9 @@ class DedeSqlite
}
function RecordLog($runtime = 0)
{
- $RecordLogFile = DEDEDATA.'/mysqli_record_log.inc';
+ global $cfg_cookie_encode;
+ $enkey = substr(md5(substr($cfg_cookie_encode.'dedebiz', 0, 5)), 0, 10);
+ $RecordLogFile = DEDEDATA.'/mysqli_record_log_'.$enkey.'.inc';
$url = $this->GetCurUrl();
$savemsg = <<showError) {
$msg = str_replace(array("\r","\n"),"",addslashes($msg));
ShowMsg("{$msg}", "javascript:;", -1);
@@ -536,93 +540,4 @@ EOT;
function CopySQLiPoint(&$ndsql)
{
$GLOBALS['dsqlite'] = $ndsql;
-}
-//SQL语句过滤程序,由80sec提供,这里作了适当的修改
-if (!function_exists('CheckSql')) {
- function CheckSql($db_string, $querytype = 'select')
- {
- global $cfg_cookie_encode;
- $clean = '';
- $error = '';
- $old_pos = 0;
- $pos = -1;
- $log_file = DEDEINC.'/../data/'.md5($cfg_cookie_encode).'_safe.txt';
- $userIP = GetIP();
- $getUrl = GetCurUrl();
- //如果是普通查询语句,直接过滤一些特殊语法
- if ($querytype == 'select') {
- $notallow1 = "[^0-9a-z@\._-]{1,}(union|sleep|benchmark|load_file|outfile)[^0-9a-z@\.-]{1,}";
- //$notallow2 = "--|/\*";
- if (preg_match("/".$notallow1."/i", $db_string)) {
- fputs(fopen($log_file, 'a+'), "$userIP||$getUrl||$db_string||SelectBreak\r\n");
- exit("Safe Alert: Request Error step 1 !");
- }
- }
- //完整的SQL检查
- while (TRUE) {
- $pos = strpos($db_string, '\'', $pos + 1);
- if ($pos === FALSE) {
- break;
- }
- $clean .= substr($db_string, $old_pos, $pos - $old_pos);
- while (TRUE) {
- $pos1 = strpos($db_string, '\'', $pos + 1);
- $pos2 = strpos($db_string, '\\', $pos + 1);
- if ($pos1 === FALSE) {
- break;
- } elseif ($pos2 == FALSE || $pos2 > $pos1) {
- $pos = $pos1;
- break;
- }
- $pos = $pos2 + 1;
- }
- $clean .= '$s$';
- $old_pos = $pos + 1;
- }
- $clean .= substr($db_string, $old_pos);
- $clean = trim(strtolower(preg_replace(array('~\s+~s'), array(' '), $clean)));
- if (
- strpos($clean, '@') !== FALSE or strpos($clean, 'char(') !== FALSE or strpos($clean, '"') !== FALSE
- or strpos($clean, '$s$$s$') !== FALSE
- ) {
- $fail = TRUE;
- if (preg_match("#^create table#i", $clean)) $fail = FALSE;
- $error = "unusual character";
- }
- //老版本的Mysql并不支持union,常用的程序里也不使用union,但是一些黑客使用它,所以检查它
- if (strpos($clean, 'union') !== FALSE && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "union detect";
- }
- //发布版本的程序可能比较少包括--,#这样的注释,但是黑客经常使用它们
- elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== FALSE || strpos($clean, '#') !== FALSE) {
- $fail = TRUE;
- $error = "comment detect";
- }
- //这些函数不会被使用,但是黑客会用它来操作文件,down掉数据库
- elseif (strpos($clean, 'sleep') !== FALSE && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "slown down detect";
- } elseif (strpos($clean, 'benchmark') !== FALSE && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "slown down detect";
- } elseif (strpos($clean, 'load_file') !== FALSE && preg_match('~(^|[^a-z])load_file($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "file fun detect";
- } elseif (strpos($clean, 'into outfile') !== FALSE && preg_match('~(^|[^a-z])into\s+outfile($|[^[a-z])~s', $clean) != 0) {
- $fail = TRUE;
- $error = "file fun detect";
- }
- //老版本的MYSQL不支持子查询,我们的程序里可能也用得少,但是黑客可以使用它来查询数据库敏感信息
- elseif (preg_match('~\([^)]*?select~s', $clean) != 0) {
- $fail = TRUE;
- $error = "sub select detect";
- }
- if (!empty($fail)) {
- fputs(fopen($log_file, 'a+'), "$userIP||$getUrl||$db_string||$error\r\n");
- exit("Safe Alert: Request Error step 2!");
- } else {
- return $db_string;
- }
- }
}
\ No newline at end of file