firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Blind SQL Injection 대응 코드 추가

Browse Source
This commit is contained in:
chicpro
2014-03-18 15:35:21 +09:00
parent b52d3dd331
commit 4ddd09df85
2 changed files with 22 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
common.php
View File

@ -69,21 +69,21 @@ if (file_exists($dbconfig_file)) {
if (defined(G5_TIMEZONE)) @mysql_query(" set time_zone = '".G5_TIMEZONE."'"); if (defined(G5_TIMEZONE)) @mysql_query(" set time_zone = '".G5_TIMEZONE."'");
//============================================================================== //==============================================================================
// SQL Injection 등으로 부터 보호를 위해 mysql_real_escape_string() 적용 // SQL Injection 등으로 부터 보호를 위해 sql_escape_string() 적용
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------
// magic_quotes_gpc 에 의한 backslashes 제거 // magic_quotes_gpc 에 의한 backslashes 제거
if (get_magic_quotes_gpc()) { if (get_magic_quotes_gpc()) {
$_POST = array_map_deep('stripslashes', $_POST); $_POST = array_map_deep('stripslashes', $_POST);
$_GET = array_map_deep('stripslashes', $_GET); $_GET = array_map_deep('stripslashes', $_GET);
$_COOKIE = array_map_deep('stripslashes', $_COOKIE); $_COOKIE = array_map_deep('stripslashes', $_COOKIE);
$_REQUEST = array_map_deep('stripslashes', $_REQUEST); $_REQUEST = array_map_deep('stripslashes', $_REQUEST);
} }
// mysql_real_escape_string 적용 // sql_escape_string 적용
$_POST = array_map_deep(G5_ESCAPE_FUNCTION, $_POST); $_POST = array_map_deep('sql_escape_string', $_POST);
$_GET = array_map_deep(G5_ESCAPE_FUNCTION, $_GET); $_GET = array_map_deep('sql_escape_string', $_GET);
$_COOKIE = array_map_deep(G5_ESCAPE_FUNCTION, $_COOKIE); $_COOKIE = array_map_deep('sql_escape_string', $_COOKIE);
$_REQUEST = array_map_deep(G5_ESCAPE_FUNCTION, $_REQUEST); $_REQUEST = array_map_deep('sql_escape_string', $_REQUEST);
//============================================================================== //==============================================================================
// PHP 4.1.0 부터 지원됨 // PHP 4.1.0 부터 지원됨

12
lib/common.lib.php
View File

@ -25,6 +25,18 @@ function array_map_deep($fn, $array)
return $array; return $array;
} }
// SQL Injection 대응 문자열 필터링
function sql_escape_string($str)
{
$pattern = '/(and|or).*(union|select|insert|update|delete|from|where|limit|create|drop).*/i';
$replace = '';
$str = preg_replace($pattern, $replace, $str);
$str = call_user_func(G5_ESCAPE_FUNCTION, $str);
return $str;
}
// 마이크로 타임을 얻어 계산 형식으로 만듦 // 마이크로 타임을 얻어 계산 형식으로 만듦
function get_microtime() function get_microtime()
{ {