X-Git-Url: https://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Finc%2Fdatabase.inc;h=16a527c81c4ec7d1e761ac4f62c6d50b7ee5f418;hb=78c3f2a8428825a268fc2e3b8a4643eaa0efcc42;hp=815f03fa66ce54e810d0ec2d29b44895ff9dfc68;hpb=c6f21b69e8210bdd0e80cf87f1c2f06dfc848a75;p=mirrors%2FKyberia-bloodline.git
diff --git a/wwwroot/inc/database.inc b/wwwroot/inc/database.inc
index 815f03f..16a527c 100644
--- a/wwwroot/inc/database.inc
+++ b/wwwroot/inc/database.inc
@@ -63,38 +63,44 @@ function closeMysql() {
function query($sql) {
-// if (preg_match("/^select/i",$sql) && (rand(0,1000)>MASTER2SLAVE) && $this->Master) {
-// every select query goes to onyx + opraveny regexp, aby matchoval vnorene selecty (br)
-/* if (preg_match('/^\(?select/i',$sql) && $this->Master) {
- $this->_linkId = false;
- $this->connect(SLAVE_HOST,SLAVE_USER,SLAVE_PASS,SLAVE_DATABASE);
- $this->Master = false;
-
- }
-
- elseif (!preg_match("/^select/i",$sql) && !$this->Master) {
-*/ $this->_linkId = false;
- $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE);
- $this->Master = true;
-// }
-
- $this->_queryId = mysql_query($sql,$this->_linkId);
+ $this->_linkId = false;
+ $this->connect(DB_HOST,DB_USER,DB_PASS,DB_DATABASE);
+ $this->Master = true;
+
+ // Simple IDS, against automats
+ // When possible attack is detected,
+ // query & session information is stored into log
+ // Looking for following string in SQL query:
+ // - "user()" (get cur. user)
+ // - "@@version" (get mysql version)
+ // - "AND 1=1" (blind sqli) (too many false positives?)
+ // - "information_schema" (for listing of tables, columns...)
+
+ // - "/*" (comment) (too many false positives?)
+ // - "--" (comment) (too many false positives?)
+
+ if (preg_match('/user\(\)/',$sql) || preg_match('/@@version/',$sql)
+ || preg_match('/information_schema/',$sql)|| preg_match('/AND 1=1/',$sql)
+ ) {
+ logger::log('SQL ALARM',$sql);
+
+ }
- if ($_SESSION['debugging']) {
- if ($this->Master) echo "Master::";
- else echo "Slave::";
- echo $sql;
- global $timer_start;
- echo "
".SubStr((Time()+SubStr(MicroTime(),0,8)-$timer_start),0,7);
- }
+ $this->_queryId = mysql_query($sql,$this->_linkId);
- if ($this->_queryId == false) {
- $this->exception("query failed ::$sql::");
- }
+ if ($_SESSION['debugging']) {
+ echo $sql;
+ global $timer_start;
+ echo "
".SubStr((Time()+SubStr(MicroTime(),0,8)-$timer_start),0,7);
+ }
- return new result($this->_queryId, $sql);
+ if ($this->_queryId == false) {
+ $this->exception("query failed ::$sql::");
}
+ return new result($this->_queryId, $sql);
+}
+
function executequery($sql) {
return($this->query($sql));