wordpress does comments in queries

7dbf6a3c · mh · c7f198e2 · 7dbf6a3c
Commit 7dbf6a3c authored Oct 19, 2018 by mh
--- a/files/snuffleupagus/base.rules
+++ b/files/snuffleupagus/base.rules
@@ -46,7 +46,7 @@ sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_
 #sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();

 # Ghetto sqli hardening
-sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
+#sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
 sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
 sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
 #sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
@@ -56,7 +56,7 @@ sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop
 #
 sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();

-sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
+#sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
 sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
 sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
 #sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
@@ -66,10 +66,10 @@ sp.disable_function.function("mysqli_query").param("query").value_r("sleep").dro
 #
 sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();

-sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
+#sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
 sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
 sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
-sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
+#sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
 sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
 sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
 # some CMS and ORM's use this to predict the current schema f.e doctrine