I am looking for a function that identifies (returns true) whether there is a MySQL function in a string. These are some examples of possible input to the function.
<?php
$randomstrings = [
    "foo", // Plain string
    "NOW()", // Function without parameters
    "CONCAT_WS('foo','doo','boo')", // Function with parameters
    "ST_AsText(ST_GeomFromGeoJSON('{\"type\":\"Point\",\"coordinates\":[-48.23456,20.12345]}'))", // Functions inside functions
    "ST_AsText(ST_GeomFromGeoJSON(@json))", // Variables inside the function
    "patrimony", // Do not identify paTRIMony as the function TRIM()
];
foreach ($randomstrings as $value) {
    $functionList = array('LOAD_FILE', 'sql_to_decimal', '@userid', 'COALESCE', 'getVersaoEO', 'getPessoaById', 'CONVERT', 'IS NULL', 'IS NOT NULL',
        'ST_GeomFromText', 'ST_AsGeoJSON', 'ST_GeomFromGeoJSON', 'ST_AsText', 'CONCAT_WS', 'CONCAT', /*'TRIM',*/ 'json_extract', 'JSON_OBJECT', 'CURRENT_TIMESTAMP');
    foreach ($functionList as $function) {
        // Case-insensitive substring search, so a name is also found inside a longer word
        $find = strpos(strtolower($value), strtolower($function));
        if (!($find === false)) {
            return true;
        }
    }
}
I believe this can be done with regular expressions or some other comparison function.
Just as a note, this function should not be used to bar some type of SQL injection. Its purpose is only to identify within a string whether there is an occurrence of a specific character in function format or a MySQL variable.
– LeonanCarvalho
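
One way to do the matching the question asks for, as an added example that is not part of the original post: each name is anchored on identifier boundaries, and a function name only counts when it is followed by `(`. The constant and function names are hypothetical, and `NOW` and `TRIM` are added to the question's list as assumptions.

```php
<?php
// Added example, not the asker's code. Names come from the question's $functionList;
// NOW and TRIM are added here (assumption): NOW for the sample input, TRIM for "patrimony".
const SQL_FUNCTIONS = ['NOW', 'TRIM', 'LOAD_FILE', 'sql_to_decimal', 'COALESCE', 'getVersaoEO',
    'getPessoaById', 'CONVERT', 'ST_GeomFromText', 'ST_AsGeoJSON', 'ST_GeomFromGeoJSON',
    'ST_AsText', 'CONCAT_WS', 'CONCAT', 'json_extract', 'JSON_OBJECT'];
const SQL_KEYWORDS = ['IS NULL', 'IS NOT NULL', 'CURRENT_TIMESTAMP']; // no "(" required
const SQL_VARIABLES = ['@userid'];

function sqlTokenPattern(): string
{
    // Escape each name; a space inside a keyword phrase matches any run of whitespace.
    $alt = fn(array $names): string => implode('|', array_map(
        fn(string $n): string => str_replace(' ', '\s+', preg_quote($n, '/')),
        $names
    ));
    $ident = '[A-Za-z0-9_$]'; // characters that can continue an identifier
    return '/(?<!' . $ident . ')(?:'
        . '(?:' . $alt(SQL_FUNCTIONS) . ')\s*\('                // listed name followed by "("
        . '|(?:' . $alt(SQL_KEYWORDS) . ')(?!' . $ident . ')'   // whole-word keyword phrase
        . '|(?:' . $alt(SQL_VARIABLES) . ')(?!' . $ident . ')'  // exact user variable
        . ')/i';
}

function containsSqlToken(string $value): bool
{
    static $pattern = null;
    $pattern ??= sqlTokenPattern(); // build the pattern once per request
    return preg_match($pattern, $value) === 1;
}

// Inputs from the question, followed by constructed edge cases.
$samples = [
    'foo', 'NOW()', "CONCAT_WS('foo','doo','boo')", 'ST_AsText(ST_GeomFromGeoJSON(@json))',
    'patrimony', 'trim_level', 'my_concat(a, b)', 'deleted_at is  null', 'id = @userid',
    '@userid2',
];
foreach ($samples as $sample) {
    printf("%-40s %s\n", $sample, containsSqlToken($sample) ? 'true' : 'false');
}
```

The pattern does not parse SQL, so a listed name that appears inside a quoted string literal is matched as well.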