function acquia_spi_security_review_check_field in Acquia Connector 7.2
Same name and namespace in other branches
- 7.3 acquia_spi/security_review.inc \acquia_spi_security_review_check_field()
1 string reference to 'acquia_spi_security_review_check_field'
- _acquia_spi_security_review_security_checks in acquia_spi/
security_review.inc - Checks for acquia_spi_security_review_get_checks().
File
- acquia_spi/
security_review.inc, line 437 - Stand-alone security checks and review system.
Code
function acquia_spi_security_review_check_field($last_check = NULL) {
$check_result = TRUE;
$check_result_value = $tables = $found = array();
$timestamp = NULL;
$instances = field_info_instances();
// Loop through instances checking for fields of type text.
foreach ($instances as $entity_type => $type_bundles) {
foreach ($type_bundles as $bundle => $bundle_instances) {
foreach ($bundle_instances as $field_name => $instance) {
$field = field_info_field($field_name);
// Check into text fields that are stored in SQL.
if ($field['module'] == 'text' && $field['storage']['module'] == 'field_sql_storage') {
// Build array of tables and columns to search.
$current_table = key($field['storage']['details']['sql'][FIELD_LOAD_CURRENT]);
$revision_table = key($field['storage']['details']['sql'][FIELD_LOAD_REVISION]);
if (!array_key_exists($current_table, $tables)) {
$tables[$current_table] = $field['storage']['details']['sql'][FIELD_LOAD_CURRENT][$current_table]['value'];
}
if (!array_key_exists($revision_table, $tables)) {
$tables[$revision_table] = $field['storage']['details']['sql'][FIELD_LOAD_REVISION][$revision_table]['value'];
}
}
}
}
}
if (empty($tables)) {
return array(
'result' => $check_result,
'value' => $check_result_value,
);
}
// Search for PHP or Javascript tags in text columns.
foreach ($tables as $table => $column) {
$sql = "SELECT DISTINCT entity_id, entity_type FROM {" . $table . "} WHERE " . $column . " LIKE :text";
// Handle changed? @todo
foreach (array(
'Javascript' => '%<script%',
'PHP' => '%<?php%',
) as $description => $comparison) {
$results = db_query($sql, array(
':text' => $comparison,
));
// @pager query?
foreach ($results as $result) {
$check_result = FALSE;
if (!isset($check_result_value[$result->entity_type]) || !array_key_exists($result->entity_id, $check_result_value[$result->entity_type])) {
$check_result_value[$result->entity_type][$result->entity_id] = $description;
}
}
}
}
return array(
'result' => $check_result,
'value' => $check_result_value,
);
}