Rewrites on security functions (do not call them for your own)

diff --git a/inc/db/lib-mysql3.php b/inc/db/lib-mysql3.php
index a3b5af0dd2bd8c8c9879f84ef051f17255253e85..c7cc26c7fae8ee02da7c98dd0d3e0e6d7f889995 100644 (file)
--- a/inc/db/lib-mysql3.php
+++ b/inc/db/lib-mysql3.php
@@ -225,7 +225,7 @@ function SQL_CONNECT ($host, $login, $password, $F, $L) {
        SQL_SET_LINK($connect);
 
        // Destroy cache
        SQL_SET_LINK($connect);
 
        // Destroy cache

-       unset($GLOBALS['sql_link_res']);
+       unset($GLOBALS['is_sql_link_up']);

 }
 
 // SQL select database
 }
 
 // SQL select database


@@ -252,7 +252,7 @@ function SQL_CLOSE ($F, $L) {
        SQL_SET_LINK(null);
 
        // Destroy cache
        SQL_SET_LINK(null);
 
        // Destroy cache

-       unset($GLOBALS['sql_link_res']);
+       unset($GLOBALS['is_sql_link_up']);

 
        // Return the result
        return $close;
 
        // Return the result
        return $close;


@@ -530,15 +530,15 @@ function SQL_IS_LINK_UP () {
        $linkUp = false;
 
        // Do we have cached this?
        $linkUp = false;
 
        // Do we have cached this?

-       if (isset($GLOBALS['sql_link_res'])) {
+       if (isset($GLOBALS['is_sql_link_up'])) {

                // Then use this
                // Then use this

-               $linkUp = $GLOBALS['sql_link_res'];
+               $linkUp = $GLOBALS['is_sql_link_up'];

        } else {
                // Get it
                $linkUp = is_resource(SQL_GET_LINK());
 
                // And cache it
        } else {
                // Get it
                $linkUp = is_resource(SQL_GET_LINK());
 
                // And cache it

-               $GLOBALS['sql_link_res'] = $linkUp;
+               $GLOBALS['is_sql_link_up'] = $linkUp;

        }
 
        // Return the result
        }
 
        // Return the result

diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php
index 1d1327364d43522cddf478e239486ae2d90e156d..da415b965fbf152b4e603e372912d6f786e0d8e4 100644 (file)
--- a/inc/libs/security_functions.php
+++ b/inc/libs/security_functions.php
@@ -37,7 +37,7 @@
  * MA  02110-1301  USA                                                  *
  ************************************************************************/
 
  * MA  02110-1301  USA                                                  *
  ************************************************************************/
 

-// Run only once this security check/exchange
+// Run only once this security check/replacement

 if (defined('__SECURITY')) return;
 
 // Some security stuff...
 if (defined('__SECURITY')) return;
 
 // Some security stuff...


@@ -69,6 +69,68 @@ function secureString ($str, $strip = true, $encode = false) {
        return $str;
 }
 
        return $str;
 }
 

+/**
+ * Secures $_SERVER['PHP_SELF'] against attacks
+ *
+ * @return     void
+ */
+function securePhpSelf () {
+       // Did it run before?
+       if (isset($GLOBALS['php_self_secured'])) {
+               // Please do not call this twice!
+               die('PHP_SELF is already secured. Please do not call ' . __FUNCTION__ . ' for your self.');
+       } // END - if
+
+       // Secure the string
+       $_SERVER['PHP_SELF'] = secureString($_SERVER['PHP_SELF']);
+
+       // Split it up into path and filename
+       $phpSelfDirectory = dirname($_SERVER['PHP_SELF']);
+       $phpSelfFile      = basename($_SERVER['PHP_SELF']);
+
+       // Check for a .php inside the $phpSelfDirectory...
+       while (ereg('.php', $phpSelfDirectory)) {
+               // Correct the dirname
+               $phpSelfDirectory = substr($phpSelfDirectory, 0, (strpos($phpSelfDirectory, '.php') + 4));
+               // Rewrite filename...
+               $phpSelfFile = basename($phpSelfDirectory);
+               // ... and dirname
+               $phpSelfDirectory = dirname($phpSelfDirectory);
+       } // END - while
+
+       // Put both together again and let's pray it is secured now...
+       $_SERVER['PHP_SELF'] = $phpSelfDirectory . '/' . $phpSelfFile;
+
+       // Did run...
+       $GLOBALS['php_self_secured'] = true;
+
+       // Remove uneccessary variables
+       unset($phpSelfDirectory);
+       unset($phpSelfFile);
+}
+
+/**
+ * Detects caching in PHP
+ *
+ * @return     void
+ */
+function detectPhpCaching () {
+       // Activate caching or transparent compressing when it is not already done
+       if (phpversion() >= '4.0.4pl1' && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) {
+               if ((extension_loaded('zlib')) && (function_exists('ob_start'))) {
+                       // Start caching
+                       $GLOBALS['php_caching'] = 'on';
+                       ob_start();
+               } else {
+                       // Extension not loaded or required function is missing
+                       $GLOBALS['php_caching'] = '404';
+               }
+       } else {
+               // Old PHP version
+               $GLOBALS['php_caching'] = 'old';
+       }
+}
+

 // Runtime/GPC quoting is off now...
 set_magic_quotes_runtime(false);
 ini_set('magic_quotes_gpc', false); // This may not work on some systems
 // Runtime/GPC quoting is off now...
 set_magic_quotes_runtime(false);
 ini_set('magic_quotes_gpc', false); // This may not work on some systems


@@ -149,44 +211,11 @@ if (is_array($_GET)) {
        } // END - foreach
 } // END - if
 
        } // END - foreach
 } // END - if
 

-// Activate caching or transparent compressing when it is not already done
-if (phpversion() >= '4.0.4pl1' && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) {
-       if ((extension_loaded('zlib')) && (function_exists('ob_start'))) {
-               // Start caching
-               $GLOBALS['php_caching'] = 'on';
-               ob_start();
-       } else {
-               // Extension not loaded or required function is missing
-               $GLOBALS['php_caching'] = '404';
-       }
-} else {
-       // Old PHP version
-       $GLOBALS['php_caching'] = 'old';
-}
+// Detect PHP caching
+detectPhpCaching();

 
 // At last secure the $_SERVER['PHP_SELF'] element
 
 // At last secure the $_SERVER['PHP_SELF'] element

-$_SERVER['PHP_SELF'] = secureString($_SERVER['PHP_SELF']);
-
-// Split it up into path and filename
-$phpSelfDirectory = dirname($_SERVER['PHP_SELF']);
-$phpSelfFile      = basename($_SERVER['PHP_SELF']);
-
-// Check for a .php inside the $phpSelfDirectory...
-while (ereg('.php', $phpSelfDirectory)) {
-       // Correct the dirname
-       $phpSelfDirectory = substr($phpSelfDirectory, 0, (strpos($phpSelfDirectory, '.php') + 4));
-       // Rewrite filename...
-       $phpSelfFile = basename($phpSelfDirectory);
-       // ... and dirname
-       $phpSelfDirectory = dirname($phpSelfDirectory);
-} // END - while
-
-// Put both together again and let's pray it is secured now...
-$_SERVER['PHP_SELF'] = $phpSelfDirectory . '/' . $phpSelfFile;
-
-// Remove uneccessary variables
-unset($phpSelfDirectory);
-unset($phpSelfFile);
+securePhpSelf();

 
 // Security system loaded...
 define('__SECURITY', 1);
 
 // Security system loaded...
 define('__SECURITY', 1);