blind sql injection 대응 코드 수정

common.php

@@ -80,10 +80,10 @@ if (file_exists($dbconfig_file)) {
     }
 
     // sql_escape_string 적용
-    $_POST    = array_map_deep('sql_escape_string', $_POST);
-    $_GET     = array_map_deep('sql_escape_string', $_GET);
-    $_COOKIE  = array_map_deep('sql_escape_string', $_COOKIE);
-    $_REQUEST = array_map_deep('sql_escape_string', $_REQUEST);
+    $_POST    = array_map_deep(G5_ESCAPE_FUNCTION,  $_POST);
+    $_GET     = array_map_deep(G5_ESCAPE_FUNCTION,  $_GET);
+    $_COOKIE  = array_map_deep(G5_ESCAPE_FUNCTION,  $_COOKIE);
+    $_REQUEST = array_map_deep(G5_ESCAPE_FUNCTION,  $_REQUEST);
     //==============================================================================
 
     // PHP 4.1.0 부터 지원됨

lib/common.lib.php

@@ -1451,8 +1451,14 @@ function sql_select_db($db, $connect)
 // mysql_query 와 mysql_error 를 한꺼번에 처리
 function sql_query($sql, $error=G5_DISPLAY_SQL_ERROR)
 {
+    // Blind SQL Injection 취약점 해결
+    $sql = trim($sql);
+    // union의 사용을 허락하지 않습니다.
+    $sql = preg_replace("#^select.*from.*union.*#i", "select 1", $sql);
+    // `information_schema` DB로의 접근을 허락하지 않습니다.
+    $sql = preg_replace("#^select.*from.*where.*`?information_schema`?.*#i", "select 1", $sql);
     if ($error)
-        $result = @mysql_query($sql) or die("<p>$sql<p>" . mysql_errno() . " : " .  mysql_error() . "<p>error file : {$_SERVER['PHP_SELF']}");
+        $result = @mysql_query($sql) or die("<p>$sql<p>" . mysql_errno() . " : " .  mysql_error() . "<p>error file : $_SERVER[PHP_SELF]");
     else
         $result = @mysql_query($sql);
     return $result;