API tools faq
paste
Advertisement
Guest User

Untitled

a guest
May 22nd, 2018
221
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.06 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2.  
  3.  
  4. /* Determine the root of the entire project.
  5. * Recall this file is in the "includes" folder so its "2 levels deep". */
  6. define('__SITE_ROOT__', dirname(dirname(__FILE__)));
  7.  
  8. /* Read database configuration file and populate class parameters */
  9. require_once(__SITE_ROOT__ . '/includes/database-config.php');
  10.  
  11. class MySQLHandler {
  12.  
  13. /**************************/
  14. /* Database Configuration */
  15. /**************************/
  16. /* If there is any problem connecting, it is almost always one of these values. */
  17.  
  18. /* ----------------------------------------------
  19. * DATABASE HOST
  20. * ----------------------------------------------
  21. * This is the host/server which has the database.
  22. * If using XAMPP, this is almost certainly localhost.
  23. * 127.0.0.1 might work.
  24. * */
  25. static public $mMySQLDatabaseHost = DB_HOST;
  26.  
  27. /* ----------------------------------------------
  28. * DATABASE USER NAME
  29. * ----------------------------------------------
  30. * This is the user name of the account on the database
  31. * which OWASP Mutillidae II will use to connect. If this is set
  32. * incorrectly, OWASP Mutillidae II is not going to be able to connect
  33. * to the database.
  34. * */
  35. static public $mMySQLDatabaseUsername = DB_USERNAME;
  36.  
  37. /* ----------------------------------------------
  38. * DATABASE PASSWORD
  39. * ----------------------------------------------
  40. * This is the password of the account on the database
  41. * which OWASP Mutillidae II will use to connect. If this is set
  42. * incorrectly, OWASP Mutillidae II is not going to be able to connect
  43. * to the database. On XAMPP, the password for user
  44. * account root is typically blank.
  45. * On Samurai, the $dbpass password is "samurai" rather
  46. * than blank.
  47. * */
  48. static public $mMySQLDatabasePassword = DB_PASSWORD;
  49.  
  50. /* ----------------------------------------------
  51. * DATABASE NAME (NOT SERVER NAME)
  52. * ----------------------------------------------
  53. * This is the name of the database which will be created
  54. * by the installation script. You can choose this name.
  55. * */
  56. static public $mMySQLDatabaseName = DB_NAME;
  57.  
  58. /* ------------------------------------------
  59. * OBJECT PROPERTIES
  60. * ------------------------------------------ */
  61. //default insecure: no output encoding.
  62. protected $encodeOutput = FALSE;
  63. protected $stopSQLInjection = FALSE;
  64. protected $mSecurityLevel = 0;
  65. protected $ESAPI = null;
  66. protected $Encoder = null;
  67.  
  68. /* Helper Objects */
  69. protected $mCustomErrorHandler = null;
  70. protected $mLogHandler = null;
  71.  
  72. /* MySQL Object */
  73. protected $mMySQLConnection = null;
  74.  
  75. /* ------------------------------------------
  76. * STATIC PROPERTIES
  77. * ------------------------------------------ */
  78. public static $mDatabaseAvailableMessage = "";
  79.  
  80. /* ------------------------------------------
  81. * CONSTRUCTOR METHOD
  82. * ------------------------------------------ */
  83. public function __construct($pPathToESAPI, $pSecurityLevel){
  84.  
  85. $this->doSetSecurityLevel($pSecurityLevel);
  86.  
  87. /* initialize OWASP ESAPI for PHP */
  88. require_once $pPathToESAPI . 'ESAPI.php';
  89. $this->ESAPI = new ESAPI($pPathToESAPI . 'ESAPI.xml');
  90. $this->Encoder = $this->ESAPI->getEncoder();
  91.  
  92. /* initialize custom error handler */
  93. require_once 'CustomErrorHandler.php';
  94. $this->mCustomErrorHandler = new CustomErrorHandler($pPathToESAPI, $pSecurityLevel);
  95.  
  96. $this->doOpenDatabaseConnection();
  97.  
  98. }// end function __construct()
  99.  
  100. /* ------------------------------------------
  101. * PRIVATE METHODS
  102. * ------------------------------------------ */
  103. private function doSetSecurityLevel($pSecurityLevel){
  104. $this->mSecurityLevel = $pSecurityLevel;
  105.  
  106. switch ($this->mSecurityLevel){
  107. case "0": // This code is insecure, we are not encoding output
  108. case "1": // This code is insecure, we are not encoding output
  109. $this->encodeOutput = FALSE;
  110. $this->stopSQLInjection = FALSE;
  111. break;
  112.  
  113. case "2":
  114. case "3":
  115. case "4":
  116. case "5": // This code is fairly secure
  117. // If we are secure, then we encode all output.
  118. $this->encodeOutput = TRUE;
  119. $this->stopSQLInjection = TRUE;
  120. break;
  121. }// end switch
  122. }// end function
  123.  
  124. private function doOpenDatabaseConnection(){
  125.  
  126. $ACCESS_DENIED = "Access denied for user";
  127. $USERNAME = self::$mMySQLDatabaseUsername;
  128. $PASSWORD = self::$mMySQLDatabasePassword;
  129. $SAMURAI_WTF_PASSWORD = "samurai";
  130. $HOSTNAME = self::$mMySQLDatabaseHost;
  131.  
  132. try{
  133. $this->mMySQLConnection = new mysqli($HOSTNAME, $USERNAME, $PASSWORD);
  134.  
  135. if (strlen($this->mMySQLConnection->connect_error) > 0) {
  136. /* If error is "Access denied for user", it could just be an incorrect password. On samurai
  137. * the password is "samurai". Try that password.
  138. */
  139. if (substr_count($this->mMySQLConnection->connect_error, $ACCESS_DENIED) > 0){
  140. $this->mMySQLConnection = new mysqli($HOSTNAME, $USERNAME, $SAMURAI_WTF_PASSWORD);
  141. if (strlen($this->mMySQLConnection->connect_error) > 0) {
  142. throw (new Exception("Could not connect with password '".$SAMURAI_WTF_PASSWORD."' either."));
  143. }// end if
  144. }else{
  145. throw (new Exception("Database settings might be incorect."));
  146. }//end if
  147. }// end if
  148. } catch (Exception $e) {
  149. throw(new Exception("CRITICAL. Error attempting to open MySQL connection. Try checking the connection settings in the MySQLHandler.php class file. If there is a problem connecting, usually one of these settings is incorrect (i.e. - username, password, database name). It is also a good idea to make sure the database is running and that the web site (Mutillidae) is allowed to connect. This error was generated by public function __construct(). Tried to connect with username " . self::$mMySQLDatabaseUsername . ", password ". self::$mMySQLDatabasePassword . ", and hostname " . self::$mMySQLDatabaseHost . ". " . $this->mCustomErrorHandler->getExceptionMessage($e)));
  150. }// end try
  151. }// end function doOpenDatabaseConnection
  152.  
  153. private function doCloseDatabaseConnection(){
  154.  
  155. try{
  156. $lResult = $this->mMySQLConnection->close();
  157. if (!$lResult) {
  158. throw (new Exception("Error executing query. Connection error: ".$this->mMySQLConnection->connect_errorno." - ".$this->mMySQLConnection->connect_error." Error: ".$this->mMySQLConnection->errorno." - ".$this->mMySQLConnection->error, $this->mMySQLConnection->errorno));
  159. }// end if
  160. }catch (Exception $e){
  161. throw(new Exception($this->mCustomErrorHandler->getExceptionMessage($e, "Error attempting to close MySQL connection.")));
  162. }// end try
  163.  
  164. }// end public private doCloseDatabaseConnection
  165.  
  166. private function serializeMySQLImprovedObjectProperties(){
  167. $lErrorMessage = "<br /><br />";
  168. if (isset($this->mMySQLConnection->connect_errno)) {
  169. $lErrorMessage .= "connect_errno: " . $this->mMySQLConnection->connect_errno . "<br />";
  170. }// end if isset()
  171. if (isset($this->mMySQLConnection->connect_error)) {
  172. $lErrorMessage .= "connect_error: " . $this->mMySQLConnection->connect_error . "<br />";
  173. }// end if isset()
  174. if (isset($this->mMySQLConnection->errno)) {
  175. $lErrorMessage .= "errno: " . $this->mMySQLConnection->errno . "<br />";
  176. }// end if isset()
  177. if (isset($this->mMySQLConnection->error)) {
  178. $lErrorMessage .= "error: " . $this->mMySQLConnection->error . "<br />";
  179. }// end if isset()
  180. if (isset($this->mMySQLConnection->client_info)) {
  181. $lErrorMessage .= "client_info: " . $this->mMySQLConnection->client_info . "<br />";
  182. }// end if isset()
  183. if (isset($this->mMySQLConnection->host_info)) {
  184. $lErrorMessage .= "host_info: " . $this->mMySQLConnection->host_info . "<br /><br />";
  185. }// end if isset()
  186. return $lErrorMessage;
  187. }// end private function serializeMySQLImprovedObjectProperties()
  188.  
  189. private function doExecuteQuery($pQueryString){
  190. try {
  191. $lResult = $this->mMySQLConnection->query($pQueryString);
  192.  
  193. if (!$lResult) {
  194. throw (new Exception("Error executing query: ".$this->serializeMySQLImprovedObjectProperties().")"));
  195. }// end if there are no results
  196.  
  197. return $lResult;
  198. } catch (Exception $e) {
  199. throw(new Exception($this->mCustomErrorHandler->getExceptionMessage($e, "Query: " . $this->Encoder->encodeForHTML($pQueryString))));
  200. }// end function
  201.  
  202. }// end private function executeQuery
  203.  
  204. /* ------------------------------------------
  205. * PUBLIC METHODS
  206. * ------------------------------------------ */
  207. public static function databaseAvailable(){
  208.  
  209. self::$mDatabaseAvailableMessage = "AVAILABLE";
  210. $lMySQLConnection = null;
  211. $UNKNOWN_DATABASE = "Unknown database";
  212. $ACCESS_DENIED = "Access denied for user";
  213. $USERNAME = self::$mMySQLDatabaseUsername;
  214. $PASSWORD = self::$mMySQLDatabasePassword;
  215. $SAMURAI_WTF_PASSWORD = "samurai";
  216. $HOSTNAME = self::$mMySQLDatabaseHost;
  217. $INCORRECT_DATABASE_CONFIGURATION_MESSAGE = "Error connecting to MySQL database on host '".$HOSTNAME."' with username '".$USERNAME."' and password '".$PASSWORD."'. First, try to reset the database (ResetDB button on menu). Next, check that the database service is running and that the database username, password, database name, and database location are configured correctly. Note: File /mutillidae/classes/MySQLHandler.php contains the database configuration.";
  218. $INCORRECT_DATABASE_CONFIGURATION_MESSAGE_SAMURAI = "Error connecting to MySQL database on host '".$HOSTNAME."' with username '".$USERNAME."' and password '".$PASSWORD."'. Note: In addition to the configured password '".$PASSWORD."', the password 'samurai' was tried as well. First, try to reset the database (ResetDB button on menu). Next, check that the database service is running and that the database username, password, database name, and database location are configured correctly. Note: File /mutillidae/classes/MySQLHandler.php contains the database configuration.";
  219. $UNKNOWN_DATABASE_MESSAGE = "Unable to select default database " . self::$mMySQLDatabaseName. ". It appears that the database to which Mutillidae is configured to connect has not been created. Try to <a href=\"set-up-database.php\">setup/reset the DB</a> to see if that helps. Next, check that the database service is running and that the database username, password, database name, and database location are configured correctly. Note: File /mutillidae/classes/MySQLHandler.php contains the database configuration.";
  220.  
  221. try{
  222. $lMySQLConnection = new mysqli($HOSTNAME, $USERNAME, $PASSWORD);
  223. if (strlen($lMySQLConnection->connect_error) > 0) {
  224. /* If error is "Access denied for user", it could just be an incorrect password. On samurai
  225. * the password is "samurai". Try that password.
  226. */
  227. try {
  228. $lMySQLConnection = new mysqli($HOSTNAME, $USERNAME, $SAMURAI_WTF_PASSWORD);
  229. if (strlen($lMySQLConnection->connect_error) > 0) {
  230. self::$mDatabaseAvailableMessage = $INCORRECT_DATABASE_CONFIGURATION_MESSAGE_SAMURAI . " Connection error: ".$lMySQLConnection->connect_error;
  231. throw new Exception(self::$mDatabaseAvailableMessage);
  232. }// end if
  233. } catch (Exception $e) {
  234. self::$mDatabaseAvailableMessage = $INCORRECT_DATABASE_CONFIGURATION_MESSAGE . " Connection error: ".$lMySQLConnection->connect_error;
  235. throw new Exception(self::$mDatabaseAvailableMessage);
  236. }
  237. }// end if there was an error right away
  238.  
  239. if(!$lMySQLConnection->select_db(self::$mMySQLDatabaseName)) {
  240. self::$mDatabaseAvailableMessage = $UNKNOWN_DATABASE_MESSAGE . " Connection error: ".$lMySQLConnection->connect_error;
  241. throw new Exception(self::$mDatabaseAvailableMessage);
  242. }//end if
  243.  
  244. $lResult = $lMySQLConnection->query("SELECT 'test connection';");
  245. if(!$lResult){
  246. self::$mDatabaseAvailableMessage = "Failed to execute test query on MySQL database but we appear to be connected " . $lMySQLConnection->error."<br /><br />First, try to reset the database (ResetDB button on menu)<br /><br />Check if the database configuration is correct. If the system made it this far, the username and password are probably correct. Perhaps the database name is wrong.<br /><br />";
  247. throw new Exception(self::$mDatabaseAvailableMessage);
  248. }// end if
  249.  
  250. $lResult = $lMySQLConnection->query("SELECT cid FROM blogs_table;");
  251. if(!$lResult){
  252. self::$mDatabaseAvailableMessage = "Failed to execute test query on blogs_table in the MySQL database but we appear to be connected " . $lMySQLConnection->error."<br /><br />First, try to reset the database (ResetDB button on menu)<br /><br />The blogs table should exist in the ".self::$mMySQLDatabaseName." database if the database configuration is correct. If the system made it this far, the username and password are probably correct. Perhaps the database name is wrong.<br /><br />";
  253. throw new Exception(self::$mDatabaseAvailableMessage);
  254. }// end if
  255.  
  256. $lMySQLConnection->close();
  257.  
  258. } catch (Exception $e) {
  259. self::$mDatabaseAvailableMessage = "Failed to connect to MySQL database. " . $e->getMessage();
  260. throw new Exception(self::$mDatabaseAvailableMessage);
  261. }// end try
  262.  
  263. return TRUE;
  264.  
  265. } //end public function databaseAvailable(){
  266.  
  267. public function connectToDefaultDatabase(){
  268. $this->mMySQLConnection->select_db(self::$mMySQLDatabaseName);
  269. }//end function
  270.  
  271. public function setSecurityLevel($pSecurityLevel){
  272. $this->doSetSecurityLevel($pSecurityLevel);
  273. }// end function
  274.  
  275. public function getSecurityLevel(){
  276. return $this->mSecurityLevel;
  277. }// end function
  278.  
  279. public function openDatabaseConnection(){
  280. $this->doOpenDatabaseConnection();
  281. }// end function
  282.  
  283. public function escapeDangerousCharacters($pString){
  284. return $this->mMySQLConnection->real_escape_string($pString);
  285. }//end function
  286.  
  287. public function affected_rows(){
  288. return $this->mMySQLConnection->affected_rows;
  289. }//end function
  290.  
  291. public function executeQuery($pQueryString){
  292. return $this->doExecuteQuery($pQueryString);
  293. }// end public function executeQuery
  294.  
  295. public function closeDatabaseConnection(){
  296. $this->doCloseDatabaseConnection();
  297. }// end public function closeDatabaseConnection
  298.  
  299. }// end class
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!