Warnung im dev-branch bzgl. unsicheren SQL-Statements
Bernd Wurst commited on 2014-02-02 10:44:48
Zeige 2 geänderte Dateien mit 8 Einfügungen und 1 Löschungen.
- class/database.php 81339e7..150d848
- modules/vhosts/include/vhosts.php 0b2d8c7..44ac47f
| ... | ... |
@@ -43,6 +43,13 @@ class DB extends PDO {
|
| 43 | 43 |
$response->execute($params); |
| 44 | 44 |
return $response; |
| 45 | 45 |
} else {
|
| 46 |
+ if (strtoupper(substr($stmt, 0, 6)) == "INSERT" || |
|
| 47 |
+ strpos(strtoupper($stmt), "WHERE") > 0) { // Das steht nie am Anfang
|
|
| 48 |
+ $backtrace = debug_backtrace(); |
|
| 49 |
+ if (config("enable_debug")) {
|
|
| 50 |
+ warning("Unsafe SQL statement in {$backtrace[1]['file']} line {$backtrace[1]['line']}");
|
|
| 51 |
+ } |
|
| 52 |
+ } |
|
| 46 | 53 |
return parent::query($stmt); |
| 47 | 54 |
} |
| 48 | 55 |
} |
| ... | ... |
@@ -359,7 +359,7 @@ function save_vhost($vhost) |
| 359 | 359 |
else {
|
| 360 | 360 |
logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Creating vhost '.$vhost['hostname'].'.'.$vhost['domain'].''); |
| 361 | 361 |
$result = db_query("INSERT INTO vhosts.vhost (user, hostname, domain, docroot, php, cgi, `ssl`, hsts, `suexec_user`, `server`, logtype, errorlog, certid, ipv4, autoipv6, options, stats) VALUES ({$_SESSION['userinfo']['uid']}, {$hostname}, {$domain}, {$docroot}, {$php}, {$cgi}, {$ssl}, {$hsts}, {$suexec_user}, {$server}, {$logtype}, {$errorlog}, {$cert}, {$ipv4}, {$autoipv6}, '{$options}', {$stats})");
|
| 362 |
- $id = mysql_insert_id(); |
|
| 362 |
+ $id = db_insert_id(); |
|
| 363 | 363 |
} |
| 364 | 364 |
$oldvhost = get_vhost_details($id); |
| 365 | 365 |
/* |
| 366 | 366 |