From ce2b24da8f236ec272241bbd69df104b051c0a87 Mon Sep 17 00:00:00 2001 From: slerena Date: Mon, 11 Oct 2010 10:14:03 +0000 Subject: [PATCH] 2010-10-11 Sancho Lerena * include/functions_reporting.php: Fixed problem with SQL custom reports because the SQL html encoding. Added a SQL check for secure user-input SQL code. * include/functions.php: Added check_sql() function to do a basic safety check on SQL code. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3381 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f --- pandora_console/ChangeLog | 9 +++++++++ pandora_console/include/functions.php | 18 ++++++++++++++++++ .../include/functions_reporting.php | 9 ++++++--- 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index 413601ac72..f67f2ec130 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,3 +1,12 @@ +2010-10-11 Sancho Lerena + + * include/functions_reporting.php: Fixed problem with SQL custom reports + because the SQL html encoding. Added a SQL check for secure user-input + SQL code. + + * include/functions.php: Added check_sql() function to do a basic + safety check on SQL code. + 2010-10-11 Dario Rodriguez * include/functions_io.php: Added \s character in decode HTML entities diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php index 884f19e9f8..4a5f232744 100644 --- a/pandora_console/include/functions.php +++ b/pandora_console/include/functions.php 
@@ -1152,4 +1152,22 @@ function string2image($string, $width, $height, $fontsize = 3, $file_url = str_replace('#','%23',$file_url); return $file_url; } + +/** +* Function to restrict SQL on custom-user-defined queries +* +* @param string SQL code +* @return string SQL code validated (it will return empty if SQL is not ok) +**/ + +function check_sql ($sql){ + + // We remove "*" to avoid things like SELECT * FROM tusuario + + if (preg_match("/\*|DELETE|DROP|ALTER|MODIFY|UNION|password|pass|INSERT|UPDATE/", $sql)){ + return ""; + } + return $sql; +} + ?> diff --git a/pandora_console/include/functions_reporting.php b/pandora_console/include/functions_reporting.php index a97ba1853e..2e32e47a74 100644 --- a/pandora_console/include/functions_reporting.php +++ b/pandora_console/include/functions_reporting.php @@ -1968,12 +1968,15 @@ function render_report_html_item ($content, $table, $report, $mini = false) { } if ($content['treport_custom_sql_id'] != 0) { - $sql = get_db_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])); + $sql = safe_output (get_db_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id']))); } else { - $sql = $content['external_source']; + $sql = safe_output ($content['external_source']); } - + + // Do a security check on SQL coming from the user + $sql = check_sql ($sql); + $result = get_db_all_rows_sql($sql); if ($result === false) { $result = array();
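Review bot: The blocklist in check_sql is case-sensitive (the `preg_match` pattern has no `i` modifier), so `delete from tagente`, `drop table ...`, `union select ...` or `Password` pass the check untouched and reach `get_db_all_rows_sql` unchanged; it also says nothing about TRUNCATE, GRANT, LOAD_FILE, INTO OUTFILE, stacked statements or a plain SELECT of named columns from a sensitive table, so the function should be treated as defence in depth, not as the control. At minimum make it case-insensitive and require the statement to start with SELECT, e.g. `if (!preg_match('/^\s*SELECT\b/i', $sql) || preg_match('/\*|DELETE|DROP|ALTER|MODIFY|UNION|pass|INSERT|UPDATE|TRUNCATE|GRANT|OUTFILE|LOAD_FILE|;/i', $sql)) {` — note that `pass` already covers `password`, and that `\*` also rejects harmless arithmetic and `/* */` comments, which may surprise report authors. The durable fix is to execute user-defined report SQL through a database account that only has SELECT on the reporting tables, which would not depend on this regex at all. The docblock should state the limitation so nobody later relies on it: `* NOTE: heuristic keyword blocklist only; not a substitute for a read-only DB account.`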