dolibarr 22.0.5

File with WAF controls. WARNING: This file must have absolutely no dependency with any other code.
Functions

    getArrayOfEmoji ()
        Return array of Emojis.

    realCharForNumericEntities ($matches)
        Return the real char for a numeric entity.

    testSqlAndScriptInject ($val, $type)
        Security: WAF layer for SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, SERVER['PHP_SELF']).

    analyseVarsForSqlAndScriptsInjection (&$var, $type, $stopcode = 1)
        Return true if the security checks on parameters are OK, false otherwise.
File with WAF controls. WARNING: This file must have absolutely no dependency with any other code. It should be usable in any project.
Definition in file waf.inc.php.
analyseVarsForSqlAndScriptsInjection (&$var, $type, $stopcode = 1)

Return true if the security checks on parameters are OK, false otherwise.

Parameters:
    string|array<int|string,string>  $var       Variable name
    int<0,3>                         $type      0=POST, 1=GET, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
    int<0,1>                         $stopcode  0=No stop code, 1=Stop code (default) if injection found
Definition at line 252 of file waf.inc.php.
References analyseVarsForSqlAndScriptsInjection(), and testSqlAndScriptInject().
Referenced by analyseVarsForSqlAndScriptsInjection().
getArrayOfEmoji ()

Return array of Emojis.
We can't move this function inside a common lib because we need it for security before loading any file.
Definition at line 42 of file waf.inc.php.
Referenced by realCharForNumericEntities().
realCharForNumericEntities ($matches)

Return the real char for a numeric entity.

WARNING: This function is required by testSqlAndScriptInject() and the GETPOST 'restricthtml'. The regex calling it must be similar.

Parameters:
    array<int,string>  $matches  Array with a numeric entity like '&#x2f;' in key 0, and the value without the '&#' like 'x2f;' in key 1
Definition at line 66 of file waf.inc.php.
References getArrayOfEmoji().
Referenced by testSqlAndScriptInject().
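To make the $matches contract above concrete, here is an added decoder that is not Dolibarr's own code; the function names, the regex and the sample input are assumptions (the page only states that the WAF's regex must match this contract):

```php
<?php
// Added example (hypothetical code, not Dolibarr's own): a decoder that honours
// the $matches contract documented for realCharForNumericEntities():
//   $matches[0] = the whole entity, e.g. '&#x2f;' or '&#47;'
//   $matches[1] = the part after '&#', e.g. 'x2f;' or '47;'
// A WAF must normalise such entities before it looks for forbidden characters,
// otherwise '&#x2f;' would not be recognised as '/'.

function exampleRealCharForNumericEntities(array $matches): string
{
    $body = rtrim($matches[1], ';');                 // 'x2f' or '47'
    if ($body !== '' && strtolower($body[0]) === 'x') {
        $code = (int) hexdec(substr($body, 1));      // hexadecimal entity
    } else {
        $code = (int) $body;                         // decimal entity
    }
    // Outside the Unicode range: leave the text untouched rather than drop it
    if ($code <= 0 || $code > 0x10FFFF) {
        return $matches[0];
    }
    return html_entity_decode('&#'.$code.';', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Assumed regex: it captures the part after '&#' as key 1, as the contract requires
function exampleDecodeNumericEntities(string $val): string
{
    return preg_replace_callback(
        '/&#(x[0-9a-f]+;|[0-9]+;)/i',
        'exampleRealCharForNumericEntities',
        $val
    );
}

// Constructed sample input mixing hexadecimal and decimal entities
$sample = 'a&#x2f;b&#47;c &#60;tag&#x3e;';
echo exampleDecodeNumericEntities($sample), "\n";
```

The decoded string is what a pattern check should run on; checking the raw, still-encoded value is the gap the WARNING above refers to.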
testSqlAndScriptInject ($val, $type)

Security: WAF layer for SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, SERVER['PHP_SELF']).

Warning: Such a protection seems sufficient for SERVER['PHP_SELF'] but cannot be sufficient for GET and POST. It is not reliable, as it will always be possible to bypass it. Good protection can only be guaranteed by escaping data during output.

Parameters:
    string    $val   Brute value found in $_GET, $_POST or PHP_SELF
    int<0,3>  $type  0=POST, 1=GET, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
    string[]  $m
Definition at line 103 of file waf.inc.php.
References realCharForNumericEntities().
Referenced by analyseVarsForSqlAndScriptsInjection(), ImportCsv\import_insert(), ImportXlsx\import_insert(), Form\select_thirdparty_list(), and Form\selectcontacts().