function badbehavior_strip_passwords in Bad Behavior 6.2

Strip out reporting of values from forms containing sensitive data.

Looks for a query like this:

INSERT INTO `{bad_behavior_log}` (....,`request_entity`,...) VALUES (...,'request_entity_post_values',...)

where request_entity_post_values contains specific strings. The only string coded for by default is 'form_iduser_login', which is found in login form post data (after escaping).

Parameters

string $query:

1 call to badbehavior_strip_passwords()
bb2_db_query in ./badbehavior.module
Run a query and return the results, if any.

File

./badbehavior.module, line 279
Integrates Bad Behavior with Drupal

Code

function badbehavior_strip_passwords($query) {
  if (preg_match('/INSERT INTO (.*)`request_entity`/', $query)) {
    $prohibit = variable_get('badbehavior_hide_post_strings', array(
      'form_iduser_login',
    ));
    $matches = array();
    if (preg_match('/INSERT INTO (.*) \\((.*)\\) VALUES \\((.*)\\)/', $query, $matches)) {
      if (trim($matches[1]) == '`{bad_behavior_log}`') {
        $fields = explode(',', $matches[2]);
        $values = explode(',', $matches[3]);
        foreach ($fields as $i => $f) {
          if (trim($f) == '`request_entity`') {
            foreach ($prohibit as $txt) {
              if (strstr($values[$i], $txt) !== false) {
                $values[$i] = "'(hidden)'";
                break;
              }
            }
          }
        }

        // reconstruct the query
        $query = 'INSERT INTO ' . $matches[1] . ' (' . join(',', $fields) . ') VALUES (' . join(',', $values) . ')';
      }
    }
  }
  return $query;
}
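
The function above splits the VALUES list with explode(',', ...), so a quoted value that itself contains a comma shifts the index of every later value and the check can land on the wrong fragment. The following added example (not Bad Behavior's or the Drupal module's own code; the function names and the sample query are constructed) splits on top-level commas only, so fields and values stay aligned before `request_entity` is tested.

```php
<?php
// Added example, not Bad Behavior code; names and sample query are constructed.
// Split a SQL VALUES list on top-level commas only, honouring single-quoted
// strings that use backslash escapes or doubled quotes.
function example_split_sql_values($list) {
  list($out, $cur, $in_quote) = array(array(), '', false);
  for ($i = 0, $len = strlen($list); $i < $len; $i++) {
    $c = $list[$i];
    $next = ($i + 1 < $len) ? $list[$i + 1] : '';
    if ($in_quote && ($c === '\\' || ($c === "'" && $next === "'")) && $next !== '') {
      $cur .= $c . $next;  // escaped character or doubled quote: copy both
      $i++;
    } elseif ($c === ',' && !$in_quote) {
      $out[] = $cur;       // top-level comma ends the current value
      $cur = '';
    } else {
      $in_quote = ($c === "'") ? !$in_quote : $in_quote;
      $cur .= $c;
    }
  }
  $out[] = $cur;
  return $out;
}

// Redact `request_entity` when it contains a prohibited string. Returns the
// query unchanged when it is not a log insert or the columns do not line up.
function example_redact_request_entity($query, array $prohibit) {
  $re = '/^INSERT INTO (\S+) \((.*?)\) VALUES \((.*)\)$/s';
  if (!preg_match($re, $query, $m) || $m[1] !== '`{bad_behavior_log}`') {
    return $query;
  }
  $fields = array_map('trim', explode(',', $m[2]));
  $values = example_split_sql_values($m[3]);
  $i = array_search('`request_entity`', $fields, true);
  if ($i === false || count($fields) !== count($values)) {
    return $query;
  }
  foreach ($prohibit as $txt) {
    if (strpos($values[$i], $txt) !== false) {
      $values[$i] = "'(hidden)'";
    }
  }
  return 'INSERT INTO ' . $m[1] . ' (' . $m[2] . ') VALUES (' . implode(',', $values) . ')';
}

// Constructed sample: the first value contains a comma inside its quotes.
$sample = "INSERT INTO `{bad_behavior_log}` (`user_agent`,`request_entity`,`key`) VALUES "
  . "('Mozilla/5.0 (KHTML, like Gecko)','pass=example form_iduser_login','00000000')";
echo example_redact_request_entity($sample, array('form_iduser_login')), "\n";
```

When the field and value counts disagree the example returns the query untouched; a caller that must never store credentials may prefer to drop the `request_entity` value in that case instead.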