
What is this?

Started by idoL, September 01, 2004, 11:36 PM


idoL

Explain what this code is exactly. Thank you.


// Blacklist-style input filter as posted. Each branch runs a case-insensitive
// POSIX regex (eregi, which was removed in PHP 7; preg_match is its replacement)
// against $query. On a match it logs a "Hack" entry and falls off the end of the
// function, so the caller gets null. The value is only returned when no pattern
// matches and it is 256 characters or shorter. logErrors() is not shown in the post.
function secure_query($query, $filename, $linenum)
{
    // Anything that looks like an HTML tag, or any < > ( ) character at all.
    if (eregi("<[^>]*\"?[^>]*>|\(|\)|\<|\>", $query))
    {
        logErrors("Hack", "Possible XSS Attack Detected - " . $query, $filename, $linenum);
    }
    // UNION [ALL|DISTINCT] SELECT not glued to a preceding letter/digit,
    // SQL comment markers /* */, or any single or double quote.
    elseif (eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\/\*|\*\/|\"|\'", $query))
    {
        logErrors("Hack", "Possible SQL Injection Attempt Detected - " . $query, $filename, $linenum);
    }
    // "./" or "../"; the last alternative is a bare "/", so in practice any slash matches.
    elseif (eregi("\.\/|\.\.\/|\/", $query))
    {
        logErrors("Hack", "Possible Directory Traversal Detected - " . $query, $filename, $linenum);
    }
    // Meant to catch "\x" hex escapes, but "\\x" in a double-quoted PHP string is
    // just a literal x, so this matches any "x" followed by an alphanumeric or "|".
    elseif (eregi("\\x([a-zA-Z0-9]|\|)", $query))
    {
        logErrors("Hack", "Possible Shell Code Detected - " . $query, $filename, $linenum);
    }
    // Length cap, checked only after every regex above has failed to match.
    elseif (strlen($query) > 256)
    {
        logErrors("Hack", "Possible Overflow Attempt Detected - " . $query, $filename, $linenum);
    }
    else
    {
        return $query;
    }
}

Eibro

Have a search for regular expressions on Google.
Eibro of Yeti Lovers.

Arta

It looks like input validation to me.

Odd that they're doing all that in one function, though. It's checking for directory traversal and for SQL injection in the same function, but you wouldn't find directory traversal in a query or SQL injection in a file path. I'd split that up into separate functions.
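As an added example (not code from the thread or from the project idoL took it from), here is the same blacklist ported from the removed eregi() to preg_match() and split by input type the way Arta suggests; logErrors() is assumed to exist elsewhere, so a stand-in is included, and the sample inputs are constructed:

```php
<?php
// Added example: the posted eregi() patterns as PCRE, split into a rule set for
// SQL-bound values and one for file-system paths. logErrors() is a stand-in.
function logErrors(string $type, string $msg, string $file, int $line): void
{
    error_log("[$type] $msg at $file:$line");
}
// Rules for a value headed into an SQL statement.
const SQL_RULES = [
    'Possible XSS Attack'            => '/<[^>]*"?[^>]*>|\(|\)|<|>/i',
    'Possible SQL Injection Attempt' => '/(^|[^a-z0-9])union +(all |distinct )? *select |\/\*|\*\/|"|\'/i',
    // In the original, "\\x" in a double-quoted PHP string is a literal x, so the
    // rule fires on any x followed by an alphanumeric or "|" ("example" trips it).
    'Possible Shell Code'            => '/x([a-z0-9]|\|)/i',
];
// Rule for a value used as a file path. "\./" already covers "../", and the bare
// "/" alternative means every slash is flagged, ordinary sub-directories included.
const PATH_RULES = [
    'Possible Directory Traversal' => '#\./|\.\./|/#',
];
// Returns the name of the first matching rule, the length rule last, or null if clean.
function firstMatch(array $rules, string $value): ?string
{
    foreach ($rules as $name => $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return $name;
        }
    }
    return strlen($value) > 256 ? 'Possible Overflow Attempt' : null;
}
// Same contract as secure_query(): the value comes back if clean, otherwise the
// hit is logged and null is returned, which every caller must check for.
function secureValue(array $rules, string $value, string $file, int $line): ?string
{
    $hit = firstMatch($rules, $value);
    if ($hit !== null) {
        logErrors('Hack', "$hit Detected - $value", $file, $line);
        return null;
    }
    return $value;
}
// Constructed inputs: only the first passes; "example" is a false positive of the
// shell-code rule, and the harmless avatar path is flagged by the traversal rule.
foreach (['idoL', "x' OR '1'='1", 'example', str_repeat('a', 300)] as $v) {
    var_dump(secureValue(SQL_RULES, $v, __FILE__, __LINE__));
}
var_dump(secureValue(PATH_RULES, 'avatars/idoL.png', __FILE__, __LINE__));
```

The false positives are the practical reason to prefer parameterised queries and path canonicalisation over a regex blacklist like this one.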