Commented out unused functions in database backend so we will not have to reimplement...
[mirrors/Kyberia-bloodline.git] / wwwroot / inc / database.inc
index e20b5fac2766133640550d4e8ebbf82baf0a92dd..e3781925afd812a1b151069f3692814e6e37584d 100644 (file)
@@ -57,33 +57,54 @@ function connect($url,$user,$password,$database, $halt_on_error = true) {
                return true;
 }
 
+/* DEPRECATED!
 function closeMysql() {
        mysql_close($this->_linkId);
 }
+*/
 
 function query($sql) {
 
-               $this->_linkId = false;
-               $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE);
-               $this->Master = true;
-
-               $this->_queryId = mysql_query($sql,$this->_linkId);
+       $this->_linkId = false;
+       $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE);
+       $this->Master = true;
+
+       // Simple IDS, against automats
+       // When possible attack is detected, 
+       // query & session information is stored into log
+       // Looking for following string in SQL query:
+       // - "user()" (get cur. user)
+       // - "@@version" (get mysql version)
+       // - "AND 1=1" (blind sqli) (too many false positives?)
+       // - "information_schema" (for listing of tables, columns...)
+
+       // - "/*" (comment) (too many false positives?)
+       // - "--" (comment) (too many false positives?)
+
+       if (preg_match('/user\(\)/',$sql) || preg_match('/@@version/',$sql)
+       || preg_match('/information_schema/',$sql)|| preg_match('/AND 1=1/',$sql)
+       ) {
+               logger::log('SQL ALARM',$sql);
+               
+       }
 
-               if (isset($_SESSION['debugging'])) {
-                       echo $sql;
-                       global $timer_start;
-                       echo "<BR>".SubStr((Time()+SubStr(MicroTime(),0,8)-$timer_start),0,7);
-               }
+       $this->_queryId = mysql_query($sql,$this->_linkId);
 
-               if ($this->_queryId == false) {
-                       $this->exception("query failed ::$sql::");
-               }
+       if ((isset($_SESSION['debugging']) && $_SESSION['debugging'])) {
+               echo $sql;
+               global $timer_start;
+               echo "<BR>".SubStr((Time()+SubStr(MicroTime(),0,8)-$timer_start),0,7);
+       }
 
-               return new result($this->_queryId, $sql);
+       if ($this->_queryId == false) {
+               $this->exception("query failed ::$sql::");
        }
 
+       return new result($this->_queryId, $sql);
+}
 
-function executequery($sql) {
+/* DEPRECATED!
+function executequery($sql) { //same as query()!
        return($this->query($sql));
 }
 
@@ -101,6 +122,7 @@ function executetransaction($queries) {
 function executeupdate($sql) {
        return($this->update($sql));
 }
+*/
 
 function update($sql) {
        if (!$this->Master) {
@@ -121,7 +143,7 @@ function getLastInsertId() {
                return(@mysql_insert_id($this->_linkId));
 }
 
-function exception($errorMessage) {
+function exception($errorMessage) { //Internal only!
 
        echo "<!-- ";
        echo @mysql_error($this->_linkId)," (",@mysql_errno($this->_linkId),")";
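Review bot: The new `//Internal only!` marker on `exception()` documents intent but does not restrict callers, and the lines below it still write `mysql_error()` and `mysql_errno()` into an HTML comment in the response, so database error text reaches the client whenever a query fails. If the method stays as is, the comment should say what it emits, e.g. `// Internal only: writes the MySQL error text into an HTML comment in the response`; gating that echo on the same `$_SESSION['debugging']` flag that `query()` uses would keep error details out of normal output. The body of `exception()` continues past the end of the hunk.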