restraining "using unescaped version of the test because of zero knowledge of the back-end DBMS" once per test (before was once per boundary)

2025-01-24 08:14:24 +03:00 · 2011-02-07 21:18:01 +00:00 · 2011-02-07 21:18:01 +00:00 · a577d0e9a5
commit a577d0e9a5
parent 66adf23532
1 changed files with 7 additions and 1 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -192,6 +192,9 @@ def checkSqlInjection(place, parameter, value):
            infoMsg = "testing '%s'" % title
            logger.info(infoMsg)

+            # Flag used for signaling warning messages regarding unescaping
+            genericWarningFlag = False
+
            # Force back-end DBMS according to the current
            # test value for proper payload unescaping
            Backend.forceDbms(dbms)
@ -360,12 +363,15 @@ def checkSqlInjection(place, parameter, value):

                            configUnion(test.request.char, test.request.columns)

-                            if not Backend.getIdentifiedDbms():
+                            if not Backend.getIdentifiedDbms() and not genericWarningFlag:
                                warnMsg = "using unescaped version of the test "
                                warnMsg += "because of zero knowledge of the "
                                warnMsg += "back-end DBMS"
                                logger.warn(warnMsg)

+                                # Set the flag preventing bulking of the message for the same test
+                                genericWarningFlag = True
+
                            # Test for UNION query SQL injection
                            reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)