[RESOLVED] FInite $_POST produces infinite loop - help!

ppowell

I have no idea why this is happening and I need someone to explain this to me at the simplest level absolutely possible (pretend I'm a 10-year old and explain it that way, please!)

This class method:

	/**
	 * Perform an array scan
	 *
	 * @access private
 	 * @param array $array
	 * @see vname
	 */
	function &array_scan(&$array) {						
		if (is_array($array) && @sizeof($array) > 0) {
		 print_r("sizeof(" . vname($array) . ") = " . sizeof($array) . "<P>");
		 $index = 1;
		 foreach ($array as $key => $val) {
		   print_r("index = $index<P>"); $index++;
		  $this->setData($val);
		  print_r("key = $key and val = $val and this->data = $this->data and array name = " . vname($array) . "<P>");
		  $this->scan($key, vname($array));
		  $array[$key] = $this->getData();
		 }
		}
	}

Constantly produces the following results:

sizeof(_POST) = 5

index = 1

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

index = 2

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

index = 3

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

index = 4

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

index = 5

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

index = 6

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

index = 7

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

index = 8

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

index = 9

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

index = 10

key = username and val = phillip and this->data = phillip and array name = _POST

this->data = phillip

...// and so on and so on.. as high as 200,000 at times and still doesn't quit!!

Why is this happening, I honestly can't see why.

Thanx
Phil

ednark

perhaps you are accidentally appending data to the array you are looping through

 $this->scan($key, vname($array));

perhaps scan() is taking a reference to key and incrementing it so you are writing back to your array with a new value, so your main loop would always see a next key, or perhaps it is directly appending values to _POST since it is a superglobal and hence accessible from everywhere?

just some thoughts

try doing a print_r on your array inside your loop and see whats happening to your main array at each step.

ppowell

I did that and here are the results:

field = get and _GET = Array ( )

field = post and _POST = Array ( [username] => phillip [password] => phillip [hasLoggedIn] => 1 [refURL] => /tools/ivc/index.php? [login] => Authenticate )

sizeof(_POST) = 5

index = 1

key = username and val = phillip and this->data = phillip and array name = POST and sizeof(POST) = 5

this->data = phillip

index = 2

key = username and val = phillip and this->data = phillip and array name = POST and sizeof(POST) = 5

this->data = phillip

index = 3

key = username and val = phillip and this->data = phillip and array name = POST and sizeof(POST) = 5

this->data = phillip

index = 4

key = username and val = phillip and this->data = phillip and array name = POST and sizeof(POST) = 5

this->data = phillip

index = 5

key = username and val = phillip and this->data = phillip and array name = POST and sizeof(POST) = 5

this->data = phillip

index = 6

key = username and val = phillip and this->data = phillip and array name = POST and sizeof(POST) = 5

this->data = phillip

index = 7

key = username and val = phillip and this->data = phillip and array name = POST and sizeof(POST) = 5

this->data = phillip

The size of $POST never changes and it keeps going constantly to $POST['username'] in spite of the looping foreach construct.

Phil

ppowell

OK here is some more information that might help you:

	/**
	 * Internal method that will auto-execute via constructor. 
	 *
	 * Purge any data containing any potentially harmful patterns such as <!.. !> auto-executable script, along with <script>, <embed> and <object> HTML codes that could contain
	 * browser-based auto-launching viral sequences.  Also remove potential SQL injection '; that could be added to $_POST form data via user
	 *
	 * *Note* This method will also purge all HTML upon global variable $willStripHTML
	 *
	 * @access private
	 * @return mixed $this->data
	 */
	function &analyze() {											// STATIC STRING METHOD
		if ($this->data) {
		 $this->scan();
		 return $this->getData();
		}

	foreach (array('get', 'post', 'cookie') as $field) {
	 global ${'_' . strtoupper($field)};								// IS NOT THE AUTOGLOBAL COLLECTION OBJECT YET SINCE IT IS A DYNAMIC FIELD UNTIL global
	 print_r("field = $field and _" . strtoupper($field) . ' = '); print_r(${'_' . strtoupper($field)}); print_r("<P>");
	 if (is_array(${'_' . strtoupper($field)}) && @sizeof(${'_' . strtoupper($field)}) > 0) $this->array_scan(${'_' . strtoupper($field)});
	 $GLOBALS['_' . strtoupper($field)] = ${'_' . strtoupper($field)};	// JUST IN CASE
	}

	return true;
}

/**
 * Perform an array scan
 *
 * @access private
 * @param array $array
 * @see vname
 */
function &array_scan(&$array) {						
	if (is_array($array) && @sizeof($array) > 0) {
	 print_r("sizeof(" . vname($array) . ") = " . sizeof($array) . "<P>");
	 $index = 1;
	 foreach ($array as $key => $val) {
	   print_r("index = $index<P>"); $index++;
	  //$this->setData($val);
	  print_r("key = $key and val = $val and this->data = $this->data and array name = " . vname($array) . " and sizeof(" . vname($array) . ") = " . sizeof($array) . "<P>");
	  //$this->scan($key, vname($array));
	  //$array[$key] = $this->getData();
	 }
	}
}

ednark

I still don't see your problem, but your are using print_r incorrectly

please pass print_r only the array

it will print a very pretty version of your array but with white space formatting

the <pre> will make it easy to read on the webpage


     print "<pre>";
     print_r($array);
     print "</pre>";
     foreach ($array as $key => $val) {
       print "index = $index<P>"; 
       print "<pre>";
       print_r($array);
       print "</pre>";

      $index++;
      //$this->setData($val);
      print "key = $key and val = $val and this->data = $this->data and array name = " . vname($array) . " and sizeof(" . vname($array) . ") = " . sizeof($array) . "<P>";
      //$this->scan($key, vname($array));
      //$array[$key] = $this->getData();
     }
    }

ppowell

I don't get it, using print_r() incorrectly? It doesn't break when I use it my way, sorry.

Weedpacket

Read up what the manual says about [man]print_r[/man]:

print_r -- Prints human-readable information about a variable

And there are the examples:

<pre>
<?php
    $a = array ('a' => 'apple', 'b' => 'banana', 'c' => array ('x', 'y', 'z'));
    print_r ($a);
?>
</pre>

will output

<pre>
Array
(
    [a] => apple
    [b] => banana
    [c] => Array
        (
            [0] => x
            [1] => y
            [2] => z
        )
)
</pre>

Pretty unambiguous.

If all you're wanting to do is print, use [man]print[/man] (as ednark illustrated).

Anyhow; I don't see how posting analyze() helps, because that doesn't appear to be used anywhere here. How does $_POST[] get into array_scan, what is contained in $array, what's in $this->data, do any of the functions (like vname()) or methods (like scan()) modify the array at all, ....?

ppowell

Thanx for the advice on print, but I'll stick with print_r(), as I understand it, I know how to use it and I can read it, and only I need to ultimately read it (but I'll remember to pretty it up for others when it's necessary).. but please, this argument is a total tangent from the problem at hand..

analyze() method is the main method used by the DataAnalyzer class constructor. $POST is put into array_scan() via analyze within a dynamic field loop, $array contains either everything in $POST, $GET, $COOKIE or, for that matter, anything in $array itself if you have an array variable that you put directly into array_scan() method itself (since in PHP version 4 there is no such thing as "private", "protected", etc.), and scan() method only modifies the data in $this->data which is set via $this->setData() within array_scan() for each element in $array, scanned via scan() and then reset back into $array.

Here is the whole thing:

/**
 * Analyze data provided via parameter or via $_GET, $_POST and $_COOKIE that might contain malicious code or SQL injection attempts
 *
 * @author Phil
 * @version 1.2.0
 * @package TOOLS
 */
class DataAnalyzer {

/**
 * @access private
 * @var mixed $data
 */
var $data;

/**
 * @access private
 * @var boolean $willLog (default true)
 */
var $willLog = true;

/**
 * @access private
 * @var boolean $hasFoundEmbeddedExec (default false)
 */
var $hasFoundEmbeddedExec = false;

/**
 * @access private
 * @var boolean $hasFoundEmbeddedExec (default false)
 */
var $hasFoundSQLInjection = false;

/**
 * @access private
 * @var boolean $hasFoundEmbeddedExec (default false)
 */
var $hasFoundMaliciousScript = false;

/**	
 * Do note that this LogGenerator object property can only be instantiated if the project inheriting this client class has an available LogGenerator class
 *
 * @access private
 * @var LogGenerator $log
 */
var $log;

/**
 * @access private
 * @var DBActionPerformer $dbAP
 */
var $dbAP;

/**
 * Constructor
 *
 * @access public
 * @var mixed $data (optional)
 * @var boolean $willLog (default true)
 */
function DataAnalyzer($data = '', $willLog = true) {															// CONSTRUCTOR
	global $section, $action;
	if ($data) $this->data = $data;
	if ($willLog !== true) $this->willLog = $willLog;
	if ($this->willLog && class_exists('LogGenerator')) $this->log =& new LogGenerator($section, $action);
	if (class_exists('DBActionPerformer') && @!is_a($this, 'DBActionPerformer')) $this->dbAP =& new DBActionPerformer();
	if (class_exists('DBActionPerformer') && @is_a($this, 'DBActionPerformer')) $this->dbAP =& $this;				// TO ENSURE PROPER FUNCTIONALITY WITHIN scan()
	if ($this->data) return $this->analyze(); else $this->analyze();
}

//----------------------------------------------------------------- --* GETTER/SETTER METHODS *-- ------------------------------------------------------------------------------------------------------
/**
 * Retrive $this->data
 *
 * @access private
 * @return mixed $this->data
 */
function &getData() {								// STATIC STRING METHOD
	return $this->data;
}

/**
 * Set $this->data
 *
 * @access private
 * @param mixed $data
 */
function &setData($data) {							// STATIC VOID METHOD
	$this->data = $data;
}

//------------------------------------------------------------- --* END OF GETTER/SETTER METHODS *-- -------------------------------------------------------------------------------------------------

/**
 * Internal method that will auto-execute via constructor. 
 *
 * Purge any data containing any potentially harmful patterns such as <!.. !> auto-executable script, along with <script>, <embed> and <object> HTML codes that could contain
 * browser-based auto-launching viral sequences.  Also remove potential SQL injection '; that could be added to $_POST form data via user
 *
 * *Note* This method will also purge all HTML upon global variable $willStripHTML
 *
 * @access private
 * @return mixed $this->data
 */
function &analyze() {											// STATIC STRING METHOD
	if ($this->data) {
	 $this->scan();
	 return $this->getData();
	}

	foreach (array('get', 'post', 'cookie') as $field) {
	 global ${'_' . strtoupper($field)};								// IS NOT THE AUTOGLOBAL COLLECTION OBJECT YET SINCE IT IS A DYNAMIC FIELD UNTIL global
	 if (is_array(${'_' . strtoupper($field)}) && @sizeof(${'_' . strtoupper($field)}) > 0)
	  ${'_' . strtoupper($field)} =& $this->array_scan(${'_' . strtoupper($field)}, '_' . strtoupper($field));
	 $GLOBALS['_' . strtoupper($field)] = ${'_' . strtoupper($field)};	// JUST IN CASE
	 if (!$this->dbAP->isSuccessful) return false;					// STOP PROCESSING SINCE BAD SCRIPT HAS BEEN FOUND
	}

	return true;
}

/**
 * Perform an array scan
 *
 * *Note* Although more practical to pass the array parameter $array by reference ("&$array"), apparently in PHP you cannot loop through an array passed as a reference parameter.
 * To attempt to loop through the array passed via reference parameter results in the foreach construct loop retrieving the first element pair only and never advances beyond that, causing
 * an infinite amount of attempts to advance the array pointer when it apparently can never advance.  This is why instead the array is passed and returned
 *
 * @access private
 * @param array $array
 * @param mixed $arrayName
 * @return array $array
 */
function &array_scan($array, $arrayName) {						
	if (is_array($array) && @sizeof($array) > 0) {
	 @reset($array);
	 foreach ($array as $key => $val) {
	  $this->setData($val);
	  $this->scan($key, $arrayName);
	  $array[$key] = $this->getData();
	  if (!$this->dbAP->isSuccessful) return $array;							// STOP ON THE FIRST ERROR, NO NEED TO PROCESS FURTHER
	 }
	}
	return $array;
}

/**
 * Perform logging
 *
 * @acces private
 * @param mixed $key
 * @param mixed $varname
 */
function &log($key = '', $varname = '') {									// STATIC VOID METHOD
	// LOG CHANGES IF REQUIRED TO DO SO
	global $section, $action;
	if (!$this->data) {
	 if ($this->hasFoundEmbeddedExec) $logMsg = "Error: Embedded potential \"exec()\" function ";
	 if ($this->hasFoundSQLInjection) $logMsg = "Error: Embedded potential SQL injection script ";
	 if ($this->hasFoundMaliciousScript) $logMsg = "Error: Embedded potential malicious script ";
	 if ($this->hasFoundEmbeddedExec || $this->hasFoundSQLInjection || $this->hasFoundMaliciousScript) {
	  $logMsg .= 'found within text ';
	  if ($key && $varname) $logMsg .= "within $varname" . "['$key'] ";
	  if ($section || $action || $_REQUEST['hasLoggedIn']) $logMsg .= ' performing:';
	  if ($section) $logMsg .= $section;
	  if ($section && $action) $logMsg .= ',';
	  if ($action) $logMsg .= " $action";
	  if (!$section && !$action && $_REQUEST['hasLoggedIn']) $logMsg .= ' login';
	  if ($this->willLog) $logMsg .= '; action and your IP address has been logged';
	  if ($this->willLog && class_exists('LogGenerator') && is_object($this->log) && @is_a($this->log, 'LogGenerator')) $this->log->performLog($logMsg);
	  $this->dbAP->setErrorArray(array('action' => nl2br(htmlspecialchars($logMsg))));
	 }
	}
}

/**
 * Perform scan on $this->data
 *
 * @access private
 * @param mixed $key (optional) Array key if applicable for logging scanning errors
 * @param mixed $varname (optional) Name of variable (or collection object) affected by scanning violation
 * @return mixed $this->data
 * @see actual_path
 */
function &scan($key = '', $varname = '') {									// STATIC STRING METHOD
	global $willStripHTML, $willStripHTMLFromMetadata, $hasSafeHTMLFile, $safeHTMLFullFileName, $tclLibraryPath;

	if (preg_match('/<![^!>]+>/', $this->data)) {
	 $this->data = '';													// STRIP $this->data IF FOUND <!.. !>
	 $this->hasFoundEmbeddedExec = true;
	 $this->dbAP->isSuccessful = false;
	}

	if (preg_match("/';/", $this->data)) {
	 $this->data = '';													// STRIP $this->data IF FOUND  '; POTENTIAL SQL INJECTION
	 $this->hasFoundSQLInjection = true;
	 $this->dbAP->isSuccessful = false;
	}

	foreach (array('script', 'embed', 'object') as $tag) {
	 if (preg_match("/<$tag" . '[^>]*>/i', $this->data)) {
	  $this->data = '';													// STRIP $this->data IF FOUND POTENTIAL HARMFUL HTML EMBEDDED VIRAL SEQUENCES
	  $this->hasFoundMaliciousScript = true;
	  $this->dbAP->isSuccessful = false;
	 }
	}

	if ($willStripHTML) $this->data = strip_tags($this->data); 				// STRIP **ALL** HTML 

	// ONLY STRIP "UNSAFE" HTML TAGS WHILE LEAVING "SAFE" ONES (AS DEFINED WITHIN $safeHTMLFullFileName)
	if (!$willStripHTML && $willStripHTMLFromMetadata && $hasSafeHTMLFile && is_dir(actual_path($tclLibraryPath)) && is_file(actual_path($safeHTMLFullFileName))) 
	 $this->data = @safe_html($this->data, $tclLibraryPath, $this->dbAP);

	$this->log($key, $varname);

	return $this->data;
}
}

ednark

I didn't seem to get my point across. Perhaps i can explain more better like.

Since your logic isn't obviously flawed perhaps the array you are passing in doesn't look like what you think it looks like. An easy way to check to see how your array is doing inside the loop is to print out the entire contents of the array every pass. Php provides a function for just this circumstance. print_r()

print_r is not like print at all. while you can print a string with with it, it is meant to be an introspective function that shows the internals of an object or an array. See weedpacket's example. The concept is similar to a reflection API available in several other languages like JAVA and PHP5.

Using print_r to find out more about what your program is doing in the loop might provide for you the key you need to stop your infinite loop.

ppowell

I think I found the problem; it just might be a PHP 4.3.9 bug.

Tested in PHP 4.3.9

function doStuff(&$array) {
  if (is_array($array) && @sizeof($array) > 0) {
    foreach ($array as $key => $val) echo "sizeof(array) = " . sizeof($array) . ' and key = $key and val = $val<P>");
  }
}

Results:

sizeof(array) = 5 and key = username and val = phillip
...[This printed up to 75,000 times before I killed the Apache process]

Tested PHP 5.0.4

function doStuff(&$array) {
  if (is_array($array) && @sizeof($array) > 0) {
    foreach ($array as $key => $val) echo "sizeof(array) = " . sizeof($array) . ' and key = $key and val = $val<P>");
  }
}

Results:

sizeof(array) = 5 and key = username and val = phillip
sizeof(array) = 5 and key = username and val = phillip
sizeof(array) = 5 and key = username and val = phillip
sizeof(array) = 5 and key = username and val = phillip
sizeof(array) = 5 and key = username and val = phillip

It appears in PHP 4.3.9 at most (untested in later PHP 4.3+ versions) that if you pass an array by reference into a function or a method, you cannot ever iterate past the first element in the array, however if you pass not-by-reference, it's just fine in all PHP versions.

PHP 4.3.9 bug?

Phil

PS: Upgrading is out of the question; government-based requirements stipulate that my application work in PHP 4.1.2 - 5.0.4, sorry.

Weedpacket

Well, after fixing your "test code" to remove the parse errors, and creating a test array:

function doStuff(&$array) {
  if (is_array($array) && @sizeof($array) > 0) {
    foreach ($array as $key => $val) echo "sizeof(array) = " . sizeof($array) . " and key = $key and val = $val<P>";
  }
} 


$array = array(
	'username'=>'phillip',
	'something'=>'somethingelse',
	'foo'=>'bar',
	'wibble'=>'womble',
	'afifththing'=>'sothecountisright',
);

doStuff($array);

It works fine in 4.3.10. There is no mention that such a bug was fixed in that version's entry in the changelog. You could try searching the bugs database, but if it's not there, then don't bother posting a new one because PHP's developers would probably just tell you to upgrade.

And given the security upgrades that have been made over the last five years, an insistence on continued support for PHP4.1 is (a) more expensive than just upgrading everyone, and (b) bordering on negligence 🙂

ppowell

I did the exact same test using your array in PHP 4.3.9.. infinite loop on my end, sorry!

And again I remind the PHP community: I work for the US Federal Government, and probably most of you here don't else you honestly wouldn't be asking me to tell the feds to upgrade multiple machines for a single portable web app

Phil

Installer

My tax dollars at work?! Bring back Ada.