
Warnung im dev-branch bzgl. unsicherer SQL-Statements

Bernd Wurst authored on 02/02/2014 10:44:48
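@@ -43,6 +43,13 @@ class DB extends PDO {
       $response->execute($params);
       return $response;
     } else {
+      if (strtoupper(substr($stmt, 0, 6)) == "INSERT" ||
+          strpos(strtoupper($stmt), "WHERE") > 0) { // Das steht nie am Anfang
+        $backtrace = debug_backtrace();
+        if (config("enable_debug")) {
+          warning("Unsafe SQL statement in {$backtrace[1]['file']} line {$backtrace[1]['line']}");
+        }
+      }
       return parent::query($stmt);
     }
   }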
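Review bot: The heuristic in the added `if` misses much of what the commit message is about: a hand-built `UPDATE … SET col = $v` or `DELETE` with no `WHERE`, or an interpolated `LIMIT`/`LIKE`/`IN` clause, is never flagged, while any statement that merely contains the letters `WHERE` (a column or table name, a string literal) is. `debug_backtrace()` is also taken before `config("enable_debug")` is consulted and with argument capture on, so every non-debug query pays for a full trace and, in debug, the trace holds copies of every caller's arguments; prefer `if (config("enable_debug")) { $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS); warning("Unsafe SQL statement in {$backtrace[1]['file']} line {$backtrace[1]['line']}"); }`. If `DB::query` is reached through the `db_query()` wrapper seen in the second file, `$backtrace[1]` names the wrapper rather than the call site and the intended frame is probably index 2 — verify against the wrapper. The enclosing `query` method starts before the hunk.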
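@@ -359,7 +359,7 @@ function save_vhost($vhost)
   else {
     logger(LOG_INFO, 'modules/vhosts/include/vhosts', 'vhosts', 'Creating vhost '.$vhost['hostname'].'.'.$vhost['domain'].'');
     $result = db_query("INSERT INTO vhosts.vhost (user, hostname, domain, docroot, php, cgi, `ssl`, hsts, `suexec_user`, `server`, logtype, errorlog, certid, ipv4, autoipv6, options, stats) VALUES ({$_SESSION['userinfo']['uid']}, {$hostname}, {$domain}, {$docroot}, {$php}, {$cgi}, {$ssl}, {$hsts}, {$suexec_user}, {$server}, {$logtype}, {$errorlog}, {$cert}, {$ipv4}, {$autoipv6}, '{$options}', {$stats})");
-    $id = mysql_insert_id();
+    $id = db_insert_id();
   }
   $oldvhost = get_vhost_details($id);
   /*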
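Review bot: The `INSERT INTO vhosts.vhost …` on the context line just above the changed one is exactly the kind of statement the new `DB::query` warning exists to flag: every value, including `$_SESSION['userinfo']['uid']`, is interpolated straight into the SQL string, and whether `$hostname`, `$docroot`, `$cert` and the rest were already quoted and escaped earlier in `save_vhost` cannot be seen from this hunk (only `$options` is wrapped in quotes here). Since `DB::query` already has a prepare/execute path that takes `$params`, this statement should hand its values over as placeholders through that path instead of relying on per-variable escaping done out of view; if `db_query()` does not yet accept a parameter array, that is the wrapper change to make first. The `db_insert_id()` swap itself is fine; `save_vhost` starts and ends outside the hunk.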