include/SugarSQLValidate.php


\SugarSQLValidate

Package: SugarCRM

SQL Validator class. Parses the WHERE and ORDER BY clauses supplied to a query and rejects any clause that calls a prohibited SQL function, references the user_hash column, or contains a subquery outside a short allow list of e-mail and team tables.

Api
 

Properties

Property: protected array $bad_functions

Prohibited functions. A WHERE or ORDER BY clause that calls any of them is rejected. The list is a denylist of functions useful for time-based probing (benchmark, sleep), file and command access (load_file, sys_eval, sys_exec, xp_cmdshell, sp_replwritetovarbin) and similar tricks across the supported database backends; like any denylist it covers only what is listed, so it is one layer of the check rather than the whole of it.

Default value:
array("benchmark", "encode", "sleep", "generate_series", "load_file", "sys_eval", "user_name", "xp_cmdshell", "sys_exec", "sp_replwritetovarbin")

Type: array
Property: protected array $subquery_allowed_tables

Tables allowed in subqueries. When subqueries are permitted at all (see validateExpression and allowedSubquery), only subqueries over these e-mail and team tables are accepted; a subquery on any other table causes the clause to be rejected.

Default value:
array( 'email_addr_bean_rel' => true, 'email_addresses' => true, 'emails' => true, 'emails_beans' => true, 'emails_text' => true, 'teams' => true, 'team_sets_teams' => true)

Type: array

Methods

method protected allowedSubquery( array $term ) : void

Allow some subqueries to pass. Needed since OPI uses subqueries for email searches. A subquery is accepted only if the tables it reads are in $subquery_allowed_tables.

Parameters
Name Type Description
$term array  term structure of the subquery

method protected validateColumnName( string $name ) : boolean

Validates the column name portion of the SQL statement and returns true if it is deemed safe.

The check refuses references to the user_hash column, which stores users' password hashes, so that a caller who controls a WHERE or ORDER BY clause cannot filter or sort rows by password-hash values.

Parameters
Name Type Description
$name string  String portion of the column name from SQL

Returns
Type Description
boolean  True if column name is deemed safe, false otherwise
method protected validateExpression( array $expr, bool $allow_some_subqueries = false ) : bool

Validate a parsed SQL expression. Walks the parsed expression and rejects prohibited function calls (see $bad_functions) and unsafe column names (see validateColumnName); subqueries are rejected unless $allow_some_subqueries is set, in which case they are checked against the subquery allow list.

Parameters
Name Type Description
$expr array  Parsed expression
$allow_some_subqueries bool  Whether subqueries over the tables in $subquery_allowed_tables are accepted (default false)

Returns
Type Description
bool  True if the expression is deemed safe, false otherwise
method public validateQueryClauses( string $where, string $order_by = '' ) : bool

Parse the SQL query WHERE and ORDER BY clauses and validate that nothing bad is happening there: each clause is parsed and the resulting expression is checked with validateExpression, so a prohibited function, a reference to user_hash or a disallowed subquery makes the call return false. This is the class's only public entry point; callers should refuse to run a query whose clauses fail it rather than run it anyway.

Parameters
Name Type Description
$where string  WHERE clause to validate
$order_by string  ORDER BY clause to validate (optional)

Returns
Type Description
bool  True if both clauses are deemed safe, false otherwise
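The checks described above for this class, as an added Python sketch that is not SugarCRM's code: it mirrors the documented defaults for $bad_functions, $subquery_allowed_tables and the user_hash refusal, and makes the same three decisions (prohibited function, prohibited column, subquery allow list) through a validate_query_clauses function shaped like the public method. The tokenizer, the sample clauses and the allow_some_subqueries flag on validate_query_clauses are this example's own constructions; the real class works on a parsed expression, and the last sample case shows why that matters.

```python
import re

# Defaults mirrored from the documented SugarSQLValidate properties.
BAD_FUNCTIONS = {"benchmark", "encode", "sleep", "generate_series", "load_file",
                 "sys_eval", "user_name", "xp_cmdshell", "sys_exec", "sp_replwritetovarbin"}
SUBQUERY_ALLOWED_TABLES = {"email_addr_bean_rel", "email_addresses", "emails",
                           "emails_beans", "emails_text", "teams", "team_sets_teams"}
DENIED_COLUMNS = {"user_hash"}  # the column validateColumnName is documented to refuse

# Toy tokenizer, constructed for this example: literals, quoted/bare identifiers
# (optionally table.column), numbers, and single-character operators.
TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"            # single-quoted string literal ('' escapes a quote)
    r'|"(?:[^"]|"")*"'           # double-quoted literal (MySQL default semantics)
    r"|`[^`]*`"                  # backtick-quoted identifier
    r"|[A-Za-z_][A-Za-z0-9_.]*"  # bare identifier, possibly table.column
    r"|\d+(?:\.\d+)?"            # numeric literal
    r"|\S"                       # any other single character: parens, operators
)

def tokenize(sql):
    return TOKEN_RE.findall(sql)

def is_identifier(tok):
    return bool(tok) and (tok[0] in "`_" or tok[0].isalpha())

def identifier_name(tok):
    return tok.strip("`").lower()

def closing_paren(tokens, start):
    """Index of the ')' matching the '(' at tokens[start]; len(tokens) if unbalanced."""
    depth = 0
    for i in range(start, len(tokens)):
        depth += {"(": 1, ")": -1}.get(tokens[i], 0)
        if depth == 0:
            return i
    return len(tokens)

def allowed_subquery(sub):
    """Accept a subquery only if every FROM/JOIN table is allow-listed and its body validates."""
    for j, tok in enumerate(sub):
        if is_identifier(tok) and identifier_name(tok) in ("from", "join"):
            table = identifier_name(sub[j + 1]) if j + 1 < len(sub) else ""
            if table not in SUBQUERY_ALLOWED_TABLES:
                return False, "subquery on table not in allow list: " + table
    return validate_expression(sub, allow_some_subqueries=True)

def validate_expression(tokens, allow_some_subqueries=False):
    """Return (ok, reason): reject prohibited calls, denied columns and (unless allowed) subqueries."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "(" and is_identifier(nxt) and identifier_name(nxt) == "select":
            if not allow_some_subqueries:
                return False, "subqueries are not allowed"
            end = closing_paren(tokens, i)
            ok, reason = allowed_subquery(tokens[i + 1:end])
            if not ok:
                return False, reason
            i = end + 1
            continue
        if is_identifier(tok):
            name = identifier_name(tok)
            if nxt == "(":                                   # identifier then '(' is a call
                if name in BAD_FUNCTIONS:
                    return False, "prohibited function: " + name
            elif name.rsplit(".", 1)[-1] in DENIED_COLUMNS:  # column or table.column
                return False, "prohibited column: " + name
        i += 1
    return True, "ok"

def validate_query_clauses(where, order_by="", allow_some_subqueries=False):
    """Validate both fragments; the allow flag is exposed here only to show both behaviours."""
    for clause in (where, order_by):
        ok, reason = validate_expression(tokenize(clause), allow_some_subqueries)
        if not ok:
            return False, reason
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample clauses, not taken from any real request.
    for where, order_by, allow in [
        ("name = 'Acme' AND deleted = 0", "name ASC", False),
        ("1=1 AND SLEEP(5)", "", False),                    # time-based probe
        ("name = 'sleep(1)'", "", False),                   # inside a literal: fine
        ("users.user_hash LIKE 'a%'", "", False),           # password-hash column
        ("deleted = 0", "`user_hash`", False),              # same, via ORDER BY
        ("id IN (SELECT bean_id FROM email_addr_bean_rel)", "", False),
        ("id IN (SELECT bean_id FROM email_addr_bean_rel)", "", True),
        ("id IN (SELECT id FROM users)", "", True),         # table not allow-listed
        ("sleep/**/(5)", "", False),  # a comment splits the call: slips past a token denylist
    ]:
        print(validate_query_clauses(where, order_by, allow), "<-", where, "|", order_by)
```

The final sample clause is the caveat: the toy tokenizer does not understand comments, so `sleep/**/(5)` is never seen as a call to sleep and is accepted. Matching names against tokens of the raw string is bypassable in exactly this way, which is why the documented class checks a parsed expression rather than the text of the clause; a practitioner porting this approach should do the same.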
Documentation was generated by DocBlox 0.18.1.