Valhalla Legends Forums Archive | General Programming | What is this?

idoL
Explain what this code is exactly. Thank you.

[code]
// Screens one piece of user input against a series of blacklist patterns.
// Each eregi() call is a case-insensitive POSIX regex match (eregi() was
// removed in PHP 7; preg_match() with the /i flag is the modern equivalent).
// On the first match the input is logged via logErrors() and the function
// falls through to the end, returning NULL; only input that passes every
// check is returned unchanged.
function secure_query($query, $filename, $linenum)
{
    // HTML tags, parentheses or angle brackets: flagged as XSS
    if (eregi("<[^>]*\"?[^>]*>|\(|\)|\<|\>", $query))
    {
        logErrors("Hack", "Possible XSS Attack Detected - " . $query, $filename, $linenum);
    }
    // "UNION [ALL|DISTINCT] SELECT", SQL comment markers (/* */) or quotes: flagged as SQL injection
    elseif (eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\/\*|\*\/|\"|\'", $query))
    {
        logErrors("Hack", "Possible SQL Injection Attempt Detected - " . $query, $filename, $linenum);
    }
    // "./", "../" or any "/" at all: flagged as directory traversal
    elseif (eregi("\.\/|\.\.\/|\/", $query))
    {
        logErrors("Hack", "Possible Directory Traversal Detected - " . $query, $filename, $linenum);
    }
    // "\x" followed by an alphanumeric or a pipe (hex escape sequences): flagged as shell code
    elseif (eregi("\\x([a-zA-Z0-9]|\|)", $query))
    {
        logErrors("Hack", "Possible Shell Code Detected - " . $query, $filename, $linenum);
    }
    // Anything longer than 256 bytes: flagged as an overflow attempt
    elseif (strlen($query) > 256)
    {
        logErrors("Hack", "Possible Overflow Attempt Detected - " . $query, $filename, $linenum);
    }
    else
    {
        // Passed every check: hand the input back unchanged
        return $query;
    }
}
[/code]
September 2, 2004, 4:36 AM
Eibro
Have a search for Regular Expressions on google.
September 2, 2004, 4:46 AM
Arta
It looks like input validation to me.

Odd that they're doing all that in one function, though. It's checking for directory traversal and for sql injection in the same function, but you wouldn't find directory traversal in a query or sql injection in a file path. I'd split that up into separate functions.
September 2, 2004, 6:45 AM
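As an added illustration of Arta's suggestion (example code, not from the thread or any poster), here is the same set of concerns split into one function per input context, each using the handling appropriate to that context instead of a regex blacklist. Function names are hypothetical; it assumes PDO and PHP 8 for str_starts_with().

```php
<?php
// Added example: context-specific handling in place of one blacklist function.

// SQL: do not pattern-match the value. Bind it with a prepared statement so
// user input can never alter the statement's structure.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// File paths: resolve the candidate and require it to remain inside the
// allowed base directory, rather than searching for "../" substrings.
function safe_path(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($baseReal === false || $real === false) {
        return null; // base missing, or target does not exist
    }
    return str_starts_with($real, $baseReal . DIRECTORY_SEPARATOR) ? $real : null;
}

// HTML: encode at output time, so angle brackets and quotes in data are
// harmless regardless of what was accepted on input.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Length limits: enforce per field, before any other processing.
function bounded(string $s, int $max = 256): ?string
{
    return strlen($s) > $max ? null : $s;
}
```

Each function answers one question for one context, which is what makes it possible to apply the path check to a filename and the SQL handling to a query without either one rejecting legitimate values meant for the other.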
