
function acquia_spi_security_review_check_field in Acquia Connector 7.3

Same name and namespace in other branches
  1. 7.2 acquia_spi/security_review.inc \acquia_spi_security_review_check_field()

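Needs comment. In short: scans SQL-stored text fields for `<script` and `<?php` markup and returns the entities whose stored field data contains it.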

1 string reference to 'acquia_spi_security_review_check_field'
_acquia_spi_security_review_security_checks in acquia_spi/security_review.inc
Checks for acquia_spi_security_review_get_checks().

File

acquia_spi/security_review.inc, line 470
Stand-alone security checks and review system.

Code

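/**
 * Checks SQL-stored text fields for embedded script or PHP markup.
 *
 * Walks every field instance, keeps the fields provided by the 'text' module
 * and stored by 'field_sql_storage', and runs a LIKE query for '<script' and
 * '<?php' against their current and revision tables. Both the 'value' column
 * and, where the field defines one, the 'summary' column are searched, so
 * markup placed in a summary is reported as well.
 *
 * This is a substring heuristic. A passing result only means that neither
 * literal string was found in the searched columns; it is not proof that the
 * stored content is safe to render. Because revision tables are searched, an
 * entity can be reported for content that exists only in an old revision.
 *
 * @param mixed $last_check
 *   Not used by this function; every call searches all rows.
 *
 * @return array
 *   An associative array with:
 *   - result: TRUE if nothing matched, FALSE if at least one row matched.
 *   - value: Matches keyed by entity type, then entity ID. Each entry is
 *     'Javascript' or 'PHP'; only the first match found for an entity is
 *     recorded.
 */
function acquia_spi_security_review_check_field($last_check = NULL) {
  $check_result = TRUE;
  $check_result_value = array();
  // Table name => list of real column names to search in that table.
  $tables = array();

  // Loop through instances checking for fields of type text.
  foreach (field_info_instances() as $type_bundles) {
    foreach ($type_bundles as $bundle_instances) {
      foreach (array_keys($bundle_instances) as $field_name) {
        $field = field_info_field($field_name);

        // Only text fields that are stored in SQL can be searched here. An
        // instance whose field definition is missing is skipped.
        if (empty($field) || $field['module'] !== 'text' || $field['storage']['module'] !== 'field_sql_storage') {
          continue;
        }

        // Build array of tables and columns to search.
        foreach (array(FIELD_LOAD_CURRENT, FIELD_LOAD_REVISION) as $age) {
          $sql_details = $field['storage']['details']['sql'][$age];
          $table = key($sql_details);
          if ($table === NULL || isset($tables[$table])) {
            continue;
          }
          $columns = array();
          // 'value' holds the body text; 'summary' exists only on fields that
          // define a summary and would otherwise go unchecked.
          foreach (array('value', 'summary') as $column_key) {
            if (isset($sql_details[$table][$column_key])) {
              $columns[] = $sql_details[$table][$column_key];
            }
          }
          if (!empty($columns)) {
            $tables[$table] = $columns;
          }
        }
      }
    }
  }

  $patterns = array(
    'Javascript' => '%<script%',
    'PHP' => '%<?php%',
  );

  // Search for PHP or Javascript tags in text columns.
  foreach ($tables as $table => $columns) {
    foreach ($columns as $column) {
      // Table and column names cannot be bound as placeholders, so they are
      // concatenated. They come from the field storage details returned by
      // field_info_field(), not from request data. The pattern is bound.
      $sql = "SELECT DISTINCT entity_id, entity_type FROM {" . $table . "} WHERE " . $column . " LIKE :text";

      // @todo Handle changed content only ($last_check) and consider a pager
      //   query; each query here scans the whole table.
      foreach ($patterns as $description => $comparison) {
        $results = db_query($sql, array(
          ':text' => $comparison,
        ));
        foreach ($results as $result) {
          $check_result = FALSE;
          // Keep the first description recorded for an entity.
          if (!isset($check_result_value[$result->entity_type][$result->entity_id])) {
            $check_result_value[$result->entity_type][$result->entity_id] = $description;
          }
        }
      }
    }
  }

  return array(
    'result' => $check_result,
    'value' => $check_result_value,
  );
}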