Added DB_FILTER

3 years ago · fca0d6af11
parent a4aa232110
commit fca0d6af11
3 changed files with 32 additions and 8 deletions
--- a/src/bootstrap/safer_io.php
+++ b/src/bootstrap/safer_io.php
@ -52,6 +52,11 @@ enum INPUTS: int {
    }
 }

+enum DB_FILTER {
+    case ON; // Tries to Filter out SQL from User Input
+    case OFF; // Normal pass thourgh...
+}
+
 enum FIELD_FILTER: string {
    case raw_string = "string";
    case array_of_strings = "strings";
@ -335,6 +340,7 @@ final class safer_io {
        $meta = [];
        $meta['missing'] = [];
        $safer_data = [];
+        $safer_db_data = [];
        $safer_html_data = [];
        $rules = [];
        $messages = [];
@ -404,12 +410,23 @@ final class safer_io {
            }
            if ($field_type == FIELD_FILTER::floating_point) {
                $safer_data[$input_field_name] = floatval($safer_data[$input_field_name]);
-            }            
+            }
+            if ($field_type == FIELD_FILTER::integer_number || $field_type == FIELD_FILTER::floating_point) {
+                $safer_db_data[$input_field_name] = $safer_data[$input_field_name];
+            } else {
+                if (isset($a['db']) && $a['db'] == DB_FILTER::ON) {
+                    $safe_for_db = \tts\safer_sql::get_safer_sql_text($safer_data[$input_field_name]);
+                    $text = $safe_for_db["text"];
+                } else {
+                    $text = $safer_data[$input_field_name];
+                }
+                $safer_db_data[$input_field_name] = $text;
+            }
            
        }
        $errors = (count($rules)) ? \tts\validator::validate($safer_data, $rules, $messages) : [];

-        return ['meta' => $meta, 'fields' => $safer_data, 'html' => $safer_html_data, 'errors' => $errors];
+        return ['meta' => $meta, 'fields' => $safer_data, 'db'=>$safer_db_data, 'html' => $safer_html_data, 'errors' => $errors];
    }

 }
--- a/src/classes/database/help_save.php
+++ b/src/classes/database/help_save.php
@ -90,8 +90,8 @@ final class help_save {
            $this->missing = $data['meta']['missing'];
        }
        
-        if (count($data['fields'])) {
-            foreach($data['fields'] as $key => $value) {
+        if (count($data['db'])) {
+            foreach($data['db'] as $key => $value) {
                $meta = $data['meta'][$key] ?? false;
                if ($meta !== false) {
                    $skip_db = $meta['skip_db'] ?? false;
--- a/src/classes/safer_sql.php
+++ b/src/classes/safer_sql.php
@ -9,6 +9,12 @@ declare(strict_types=1);

 namespace tts;

+enum SQL_SAFETY_FLAG {
+    case good;  // All Okey
+    case filtered; // Found isseues but tried to filter them out
+    case dangerious; // May still be bad
+}
+
 class safer_sql {

    /**
@ -198,6 +204,7 @@ class safer_sql {
        if (preg_match("/case when/i", $string) === 1) return true;
        if (preg_match("/extractvalue/i", $string) === 1) return true;
        if (preg_match("/\/etc\/passwd/i", $string) === 1) return true;
+        if (preg_match("/\/var\/log/i", $string) === 1) return true;
        if (preg_match("/binary_checksum\s*\(/i", $string) === 1) return true; // ID MSSQL DB Engine
        if (preg_match("/user\s*\(\)/i", $string) === 1) return true; // Get current user
        if (preg_match("/system_user[\s]+\(\)/i", $string) === 1) return true; // Get current user
@ -235,7 +242,7 @@ class safer_sql {
            'not_in', 'not_like', 'not_regexp', 'or', 'regexp', 'sounds_like',
            'floor', 'md5', 'rand', 'rlike', 'row', 'xor',
            // https://dev.mysql.com/doc/refman/8.0/en/string-functions.html
-            'bit_length', 'elt', 'export_set', 'from_base64', 'hex', 'load_file', 
+            'bit_length', 'let', 'export_set', 'from_base64', 'hex', 'load_file', 
            'make_set', 'match', 'oct', 'octet_length', 'ord', 'quote', 'regexp',
            'regexp_instr', 'regexp_like', 'regexp_replace', 'regexp_substr',
            'select', 'soundex', 'to_base64', 'unhex', 'weight_string'
@ -442,11 +449,11 @@ class safer_sql {
            $safer = preg_replace('/[^a-zA-Z0-9.\s]/', "", $cleaner);
            
            if (self::found_sql_keyword($safer)) {
-                throw new \Exception("MySQL keyword found after injection, attempt!");
+                return ["text"=>$safer, "status"=>SQL_SAFETY_FLAG::dangerious];
            }
-            return ["text"=>$safer, "danger"=>true];
+            return ["text"=>$safer, "status"=>SQL_SAFETY_FLAG::filtered];
        }
-        return ["text"=>$string, "danger"=>false];
+        return ["text"=>$string, "status"=>SQL_SAFETY_FLAG::good];
    }
    
 }