Automattic\WooCommerce\Blueprint\Importers

ImportRunSql::contains_suspicious_comments() private WC 1.0

Checks for suspicious comment patterns that might hide malicious code.

This method scans the SQL for single-line comments (-- and #) and block comments (/* ... */) that contain one of a fixed list of dangerous keywords (DELETE, DROP, ALTER, CREATE, TRUNCATE, GRANT, REVOKE, EXEC, EXECUTE, CALL, INTO OUTFILE, INTO DUMPFILE, LOAD_FILE, LOAD DATA, BENCHMARK, SLEEP, INFORMATION_SCHEMA, USER(, DATABASE(, SCHEMA(), and separately for any MySQL executable comment (/*!...*/), which the server executes instead of ignoring. The match is a case-insensitive keyword search, not a SQL parse: a benign comment such as "-- delete old rows" is reported, and so is a keyword that sits between two block comments rather than inside one.

Method of the class: ImportRunSql{}

No Hooks.

Returns

true|false. True if suspicious comments are found, false otherwise.

Usage

// private - for code of main (parent) class only
$result = $this->contains_suspicious_comments( $sql_content ): bool;
$sql_content (string) (required)
The SQL query to check.

ImportRunSql::contains_suspicious_comments() code WC 9.9.5

private function contains_suspicious_comments( string $sql_content ): bool {
	// Quick check if there are any comments at all before running regex.
	if (
		strpos( $sql_content, '--' ) === false &&
		strpos( $sql_content, '/*' ) === false &&
		strpos( $sql_content, '#' ) === false
	) {
		return false;
	}

	// List of potentially dangerous SQL commands to check for in comments.
	$dangerous_commands = array(
		'DELETE',
		'DROP',
		'ALTER',
		'CREATE',
		'TRUNCATE',
		'GRANT',
		'REVOKE',
		'EXEC',
		'EXECUTE',
		'CALL',
		'INTO OUTFILE',
		'INTO DUMPFILE',
		'LOAD_FILE',
		'LOAD DATA',
		'BENCHMARK',
		'SLEEP',
		'INFORMATION_SCHEMA',
		'USER\\(',
		'DATABASE\\(',
		'SCHEMA\\(',
	);

	$dangerous_pattern = implode( '|', $dangerous_commands );

	// Check for SQL comments that might be hiding malicious code.
	$patterns = array(
		// Single-line comments (-- style) containing dangerous commands.
		'/--.*?(' . $dangerous_pattern . ')/i',
		// Single-line comments (# style) containing dangerous commands.
		'/#.*?(' . $dangerous_pattern . ')/i',
		// Multi-line comments hiding dangerous commands.
		'/\/\*.*?(' . $dangerous_pattern . ').*?\*\//is',
		// MySQL-specific execution comments (version-specific code execution).
		'/\/\*![0-9]*.*?\*\//',
	);

	foreach ( $patterns as $pattern ) {
		if ( preg_match( $pattern, $sql_content ) ) {
			return true;
		}
	}
	return false;
}
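As an added example (not part of this page or of WooCommerce): a Python port of the four regexes above, run over constructed SQL snippets to show what the heuristic reports and where it over- or under-matches. The keyword list and patterns are copied from the PHP; the helper names contains_suspicious_comments, matching_patterns and run_samples, and the sample strings, are my own.

```python
import re

# Keyword list copied from the PHP method. The last three entries are regex
# fragments (escaped parenthesis), so the list is joined, not re-escaped.
DANGEROUS_COMMANDS = [
    'DELETE', 'DROP', 'ALTER', 'CREATE', 'TRUNCATE', 'GRANT', 'REVOKE',
    'EXEC', 'EXECUTE', 'CALL', 'INTO OUTFILE', 'INTO DUMPFILE', 'LOAD_FILE',
    'LOAD DATA', 'BENCHMARK', 'SLEEP', 'INFORMATION_SCHEMA',
    r'USER\(', r'DATABASE\(', r'SCHEMA\(',
]
_DANGEROUS = '|'.join(DANGEROUS_COMMANDS)

# The same four patterns with the same flags (PHP /i -> re.I, /s -> re.S).
# Note the fourth pattern has no dotall flag, exactly as in the PHP.
PATTERNS = [
    ('-- comment with keyword',
     re.compile(r'--.*?(' + _DANGEROUS + r')', re.I)),
    ('# comment with keyword',
     re.compile(r'#.*?(' + _DANGEROUS + r')', re.I)),
    ('/* */ comment with keyword',
     re.compile(r'/\*.*?(' + _DANGEROUS + r').*?\*/', re.I | re.S)),
    ('MySQL executable comment',
     re.compile(r'/\*![0-9]*.*?\*/')),
]


def contains_suspicious_comments(sql: str) -> bool:
    """Port of the PHP method: True if any of the four patterns matches."""
    # Same cheap pre-check as the PHP before touching the regexes.
    if '--' not in sql and '/*' not in sql and '#' not in sql:
        return False
    return any(p.search(sql) for _, p in PATTERNS)


def matching_patterns(sql: str) -> list:
    """Names of the patterns that fire, in list order; handy when tuning."""
    return [name for name, p in PATTERNS if p.search(sql)]


# Constructed inputs (not taken from any real import).
SAMPLES = [
    ('keyword in -- comment', "SELECT 1; -- DROP TABLE wp_users"),
    ('harmless block comment', "SELECT 1 /* harmless note */"),
    ('executable comment with SLEEP', "/*!50000 SLEEP(5) */"),
    ('benign "delete" in a comment, # inside a literal',
     "UPDATE wp_posts SET post_title = 'Sale #1' -- delete old rows after import"),
    ('DROP between two comments, not inside one',
     "/* a */ DROP TABLE x; /* b */"),
    ('multi-line executable comment, no listed keyword',
     "/*!50000\nSELECT 1 */"),
]


def run_samples():
    """Return (label, flagged, pattern names) for each constructed sample."""
    return [(label, contains_suspicious_comments(sql), matching_patterns(sql))
            for label, sql in SAMPLES]


if __name__ == '__main__':
    for label, flagged, names in run_samples():
        print(f"{'FLAG ' if flagged else 'pass '} {label}: {names}")
```

Two things the samples make visible. The third and fourth samples are reported although nothing is hidden: the keyword match runs over the whole text after a comment marker, so a "#" inside a string literal or the word "delete" in an ordinary comment trips it, and with the dotall flag the block-comment pattern can start at one comment and end at a later one, so a DROP in plain view between them counts as well. In the other direction, the executable-comment pattern is compiled without the s flag, so a /*!...*/ comment that spans lines is only reported if the third pattern finds a listed keyword inside it; the last sample returns false.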