Valhalla Legends Archive

Programming => General Programming => Topic started by: idoL on September 01, 2004, 11:36 PM

Title: What is this?
Post by: idoL on September 01, 2004, 11:36 PM
Explain what this code is exactly. Thank you.


// Runs $query against a list of blacklist patterns. On the first match it logs a
// "Hack" entry (logErrors() is defined elsewhere in the application) and returns
// nothing, so the caller receives NULL instead of the query. Only input that
// matches no pattern is handed back unchanged. eregi() is the PHP 4 case-insensitive
// POSIX regex function (removed in PHP 7; preg_match() with the /i flag replaces it).
function secure_query($query, $filename, $linenum)
{
  // Anything tag-like (<...>), or any bare parenthesis or angle bracket.
  if (eregi("<[^>]*\"?[^>]*>|\(|\)|\<|\>", $query))
  {
    logErrors("Hack", "Possible XSS Attack Detected - " . $query, $filename, $linenum);
  }
  // UNION [ALL|DISTINCT] SELECT, /* or */ comment markers, or a single or double quote.
  elseif (eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\/\*|\*\/|\"|\'", $query))
  {
    logErrors("Hack", "Possible SQL Injection Attempt Detected - " . $query, $filename, $linenum);
  }
  // "./", "../" or, because of the last alternative, any "/" at all.
  elseif (eregi("\.\/|\.\.\/|\/", $query))
  {
    logErrors("Hack", "Possible Directory Traversal Detected - " . $query, $filename, $linenum);
  }
  // Intended to spot \xNN hex escapes as used in encoded shellcode
  // (the PHP string "\\x" hands the pattern \x to the regex engine).
  elseif (eregi("\\x([a-zA-Z0-9]|\|)", $query))
  {
    logErrors("Hack", "Possible Shell Code Detected - " . $query, $filename, $linenum);
  }
  // Anything longer than 256 bytes.
  elseif (strlen($query) > 256)
  {
    logErrors("Hack", "Possible Overflow Attempt Detected - " . $query, $filename, $linenum);
  }
  else
  {
    return $query;
  }
}
Title: Re:What is this?
Post by: Eibro on September 01, 2004, 11:46 PM
Have a search for Regular Expressions on google.
Title: Re:What is this?
Post by: Arta on September 02, 2004, 01:45 AM
It looks like input validation to me.

Odd that they're doing all that in one function, though. It's checking for directory traversal and for sql injection in the same function, but you wouldn't find directory traversal in a query or sql injection in a file path. I'd split that up into separate functions.
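As an added example (not code from the thread), the same checks split into separate functions as Arta suggests, rewritten with preg_match() since eregi() was removed in PHP 7, and run over a few constructed inputs to show the hits and the false positives a blacklist like this produces:

```php
<?php
// Added example, not from the thread: one function per check, as Arta suggests.
// Each function returns the name of the suspicious pattern it matched, or null.

function detectXss(string $value): ?string
{
    // Tag-like text, or any bare parenthesis / angle bracket (same pattern as the post).
    return preg_match('/<[^>]*"?[^>]*>|\(|\)|<|>/i', $value) ? 'Possible XSS Attack' : null;
}

function detectSqlInjection(string $value): ?string
{
    // UNION [ALL|DISTINCT] SELECT, comment markers, or quote characters.
    $re = '/(^|[^a-zA-Z0-9])union( )+(all |distinct )?( )*select |\/\*|\*\/|"|\'/i';
    return preg_match($re, $value) ? 'Possible SQL Injection Attempt' : null;
}

function detectTraversal(string $value): ?string
{
    // "./", "../" or, as in the post, any "/" at all -- this is the noisy one.
    return preg_match('#\./|\.\./|/#', $value) ? 'Possible Directory Traversal' : null;
}

function detectOverflow(string $value, int $limit = 256): ?string
{
    return strlen($value) > $limit ? 'Possible Overflow Attempt' : null;
}

// Constructed sample inputs: two real probes and two legitimate values that
// the blacklist rejects anyway.
$samples = [
    "O'Reilly"                     => 'legitimate name with an apostrophe',
    "1 UNION ALL SELECT user,pass" => 'classic union-based probe',
    "../../etc/passwd"             => 'traversal attempt',
    "2004/09/01"                   => 'legitimate date, flagged by the bare "/"',
    "<script>alert(1)</script>"    => 'script tag',
];

foreach ($samples as $input => $label) {
    $hits = array_filter([
        detectXss($input), detectSqlInjection($input),
        detectTraversal($input), detectOverflow($input),
    ]);
    printf("%-30s %-42s => %s\n", $input, $label, $hits ? implode(', ', $hits) : 'passes');
}
```

The apostrophe and date rows are the reason the original function can never be more than a logging aid: the fix for quotes is parameterised queries, and for paths a whitelist of allowed names, not a rejection list.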