Automattic\WooCommerce\Blueprint\Importers
ImportRunSql::contains_sql_injection_patterns
Check for common SQL injection patterns.
Method of the class: ImportRunSql{}
No Hooks.
Returns true|false. True if potential injection patterns found, false otherwise.
Usage
// private - for code of main (parent) class only
$result = $this->contains_sql_injection_patterns( $sql_content ): bool;
- $sql_content (string) (required): The SQL query to check.
ImportRunSql::contains_sql_injection_patterns() code WC 9.9.5
private function contains_sql_injection_patterns( string $sql_content ): bool {
    $patterns = array(
        '/UNION\s+(?:ALL\s+)?SELECT/i',            // UNION-based injections.
        '/OR\s+1\s*=\s*1/i',                       // OR 1=1 condition.
        '/AND\s+0\s*=\s*0/i',                      // AND 0=0 condition.
        '/;\s*--/i',                               // Inline comment terminations.
        '/SLEEP\s*\(/i',                           // Time-based injections.
        '/BENCHMARK\s*\(/i',                       // Benchmark-based injections.
        '/LOAD_FILE\s*\(/i',                       // File access.
        '/INTO\s+OUTFILE/i',                       // File write.
        '/INTO\s+DUMPFILE/i',                      // File dump.
        '/CREATE\s+(?:TEMPORARY\s+)?TABLE/i',      // Table creation.
        '/DROP\s+TABLE/i',                         // Table deletion.
        '/ALTER\s+TABLE/i',                        // Table alteration.
        '/INFORMATION_SCHEMA/i',                   // Database metadata access.
        '/EXEC\s*\(/i',                            // Stored procedure execution.
        '/SCHEMA_NAME/i',                          // Schema access.
        '/DATABASE\(\)/i',                         // Current database name.
        '/CHR\s*\(/i',                             // Character function for evasion.
        '/CHAR\s*\(/i',                            // Character function for evasion.
        '/FROM\s+mysql\./i',                       // Direct MySQL system table access.
        '/FROM\s+information_schema\./i',          // Direct information schema access.
    );

    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $sql_content ) ) {
            return true;
        }
    }

    return false;
}
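As an added example (not WooCommerce's own code), this standalone PHP script copies the method's pattern list into a free function and runs it over a few constructed statements. It shows what the blocklist flags and, just as importantly, where it over-matches: the regexes have no word boundaries, so a string value or table name containing "char (" or "information_schema" is rejected, and CREATE TABLE is rejected even when a schema-carrying import meant to issue it.

```php
<?php
// Added example, not WooCommerce code: the same regex list as
// ImportRunSql::contains_sql_injection_patterns(), exercised on constructed SQL.
function contains_sql_injection_patterns( string $sql_content ): bool {
    $patterns = array(
        '/UNION\s+(?:ALL\s+)?SELECT/i', '/OR\s+1\s*=\s*1/i', '/AND\s+0\s*=\s*0/i',
        '/;\s*--/i', '/SLEEP\s*\(/i', '/BENCHMARK\s*\(/i', '/LOAD_FILE\s*\(/i',
        '/INTO\s+OUTFILE/i', '/INTO\s+DUMPFILE/i', '/CREATE\s+(?:TEMPORARY\s+)?TABLE/i',
        '/DROP\s+TABLE/i', '/ALTER\s+TABLE/i', '/INFORMATION_SCHEMA/i', '/EXEC\s*\(/i',
        '/SCHEMA_NAME/i', '/DATABASE\(\)/i', '/CHR\s*\(/i', '/CHAR\s*\(/i',
        '/FROM\s+mysql\./i', '/FROM\s+information_schema\./i',
    );
    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $sql_content ) ) {
            return true;
        }
    }
    return false;
}

// Constructed statements (expected verdict, SQL). None of these come from a real import.
$cases = array(
    // Ordinary Blueprint-style content: accepted.
    array( false, "INSERT INTO wp_options (option_name, option_value) VALUES ('blogname', 'Shop');" ),
    // Tautology condition: flagged by '/OR\s+1\s*=\s*1/i'.
    array( true, "SELECT * FROM wp_users WHERE user_login = '' OR 1=1;" ),
    // Schema change: flagged by '/CREATE\s+(?:TEMPORARY\s+)?TABLE/i', even if the import meant to create it.
    array( true, "CREATE TABLE wp_custom_ratings (id INT PRIMARY KEY);" ),
    // False positive: no word boundaries, so "char (" inside a string value matches '/CHAR\s*\(/i'.
    array( true, "UPDATE wp_posts SET post_excerpt = 'Size code: 2 char (letters only)' WHERE ID = 5;" ),
    // Same reason: a table name containing "information_schema" trips '/INFORMATION_SCHEMA/i'.
    array( true, "SELECT id FROM wp_information_schema_cache;" ),
);

$mismatches = 0;
foreach ( $cases as list( $expected, $sql ) ) {
    $flagged = contains_sql_injection_patterns( $sql );
    printf( "%-8s %s\n", $flagged ? 'FLAGGED' : 'ok', $sql );
    if ( $flagged !== $expected ) {
        $mismatches++;
    }
}
exit( 0 === $mismatches ? 0 : 1 );
```

Run it with `php` on the command line; it exits non-zero if any verdict differs from the expected one, which makes it a cheap regression check when the pattern list changes.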