From 4ddd09df85d588d996b282f8bba6c6744c75f1f6 Mon Sep 17 00:00:00 2001
From: chicpro <chicpro@gmail.com>
Date: Tue, 18 Mar 2014 15:35:21 +0900
Subject: [PATCH] =?UTF-8?q?Blind=20SQL=20Injection=20=EB=8C=80=EC=9D=91=20?=
 =?UTF-8?q?=EC=BD=94=EB=93=9C=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 common.php         | 20 ++++++++++----------
 lib/common.lib.php | 12 ++++++++++++
 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/common.php b/common.php
index e28288fe8..abd7fc1d5 100644
--- a/common.php
+++ b/common.php
@@ -69,21 +69,21 @@ if (file_exists($dbconfig_file)) {
     if (defined(G5_TIMEZONE)) @mysql_query(" set time_zone = '".G5_TIMEZONE."'");
 
     //==============================================================================
-    // SQL Injection 등으로 부터 보호를 위해 mysql_real_escape_string() 적용
+    // SQL Injection 등으로 부터 보호를 위해 sql_escape_string() 적용
     //------------------------------------------------------------------------------
     // magic_quotes_gpc 에 의한 backslashes 제거
     if (get_magic_quotes_gpc()) {
-        $_POST    = array_map_deep('stripslashes', $_POST);
-        $_GET     = array_map_deep('stripslashes', $_GET);
-        $_COOKIE  = array_map_deep('stripslashes', $_COOKIE);
-        $_REQUEST = array_map_deep('stripslashes', $_REQUEST);
+        $_POST    = array_map_deep('stripslashes',  $_POST);
+        $_GET     = array_map_deep('stripslashes',  $_GET);
+        $_COOKIE  = array_map_deep('stripslashes',  $_COOKIE);
+        $_REQUEST = array_map_deep('stripslashes',  $_REQUEST);
     }
 
-    // mysql_real_escape_string 적용
-    $_POST    = array_map_deep(G5_ESCAPE_FUNCTION, $_POST);
-    $_GET     = array_map_deep(G5_ESCAPE_FUNCTION, $_GET);
-    $_COOKIE  = array_map_deep(G5_ESCAPE_FUNCTION, $_COOKIE);
-    $_REQUEST = array_map_deep(G5_ESCAPE_FUNCTION, $_REQUEST);
+    // sql_escape_string 적용
+    $_POST    = array_map_deep('sql_escape_string', $_POST);
+    $_GET     = array_map_deep('sql_escape_string', $_GET);
+    $_COOKIE  = array_map_deep('sql_escape_string', $_COOKIE);
+    $_REQUEST = array_map_deep('sql_escape_string', $_REQUEST);
     //==============================================================================
 
     // PHP 4.1.0 부터 지원됨
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 978f38e09..1d8ff1d3d 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -25,6 +25,18 @@ function array_map_deep($fn, $array)
     return $array;
 }
 
+// SQL Injection 대응 문자열 필터링
+function sql_escape_string($str)
+{
+    $pattern = '/(and|or).*(union|select|insert|update|delete|from|where|limit|create|drop).*/i';
+    $replace = '';
+
+    $str = preg_replace($pattern, $replace, $str);
+    $str = call_user_func(G5_ESCAPE_FUNCTION, $str);
+
+    return $str;
+}
+
 // 마이크로 타임을 얻어 계산 형식으로 만듦
 function get_microtime()
 {