Filter uncanny-automator-pro

automator_pro_sql_disallowed_keywords

Filters SQL queries, preventing the execution of disallowed keywords like DROP, ALTER, and EXEC for database security.

add_filter( 'automator_pro_sql_disallowed_keywords', $callback, 10, 1 );

Description

Allows developers to filter the list of disallowed SQL keywords when running database queries. This is useful for hardening security by preventing malicious or unintended SQL commands. The filter receives an array of keywords and can return a modified array to customize the security checks.


Usage

add_filter( 'automator_pro_sql_disallowed_keywords', 'your_function_name', 10, 1 );

Return Value

The filtered array of disallowed SQL keyword strings, which the Run Query action then uses in its keyword check.


Examples

/**
 * Example of how to add to the disallowed SQL keywords for the Run Query action in Uncanny Automator Pro.
 *
 * This function will add the 'DELETE' keyword to the default list of disallowed SQL keywords.
 * This is useful if you want to further restrict the types of queries users can run.
 *
 * @param array $disallowed_keywords The default array of disallowed SQL keywords.
 * @return array The modified array of disallowed SQL keywords.
 */
add_filter( 'automator_pro_sql_disallowed_keywords', 'my_custom_automator_pro_disallowed_keywords', 10, 1 );

function my_custom_automator_pro_disallowed_keywords( array $disallowed_keywords ): array {
    // Add 'DELETE' to the list of disallowed keywords.
    $disallowed_keywords[] = 'DELETE';

    // You could also remove keywords if needed, for example:
    // $disallowed_keywords = array_diff( $disallowed_keywords, array( 'EXEC' ) );

    return $disallowed_keywords;
}

Placement

This code should be placed in the functions.php file of your active theme, a custom plugin, or using a code snippets plugin.


Source Code

uncanny-automator-pro/src/integrations/db-query/actions/run-query.php:170

	public function trim_secure_select_query( $query ) {

		// Trim and keep the original query for executing.
		$query_trimmed = trim( $query );

		// Convert the query to uppercase to check for prohibited keywords.
		$trimmed_upper_query = strtoupper( $query_trimmed );

		// Check that the query starts with one of the allowed statement keywords (all six characters long).
		$allowed_queries = array( 'SELECT', 'INSERT', 'UPDATE', 'DELETE' );
		$query_keyword   = substr( $trimmed_upper_query, 0, 6 );

		if ( ! in_array( $query_keyword, $allowed_queries, true ) ) {
			throw new Exception( 'Error: Only SELECT, INSERT, UPDATE, and DELETE queries are allowed.' );
		}

		// Check for multiple statements by looking for semicolons outside of string literals.
		if ( $this->contains_unquoted_semicolon( $query_trimmed ) ) {
			throw new Exception( 'Error: Multiple statements are not allowed.' );
		}

		// Disallow certain SQL keywords to prevent SQL manipulation after the leading statement keyword.
		$disallowed_keywords = apply_filters( 'automator_pro_sql_disallowed_keywords', array( 'DROP', 'ALTER', 'EXEC', 'CREATE', 'TRUNCATE' ) );

		if ( $this->contains_dangerous_keywords( $query_trimmed, $disallowed_keywords ) ) {
			throw new Exception( 'Error: Dangerous SQL keywords detected.' );
		}

		return $query_trimmed;
	}
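As an added example (not the plugin's own code), the following callback extends the default deny list shown above with further DDL, DCL and file-access keywords, normalises the entries to the uppercase form the defaults use, and de-duplicates the result. The helper name `uap_demo_hardened_keywords` and the minimal `add_filter`/`apply_filters` stubs are this example's own; the stubs only exist so the file also runs under the PHP CLI outside WordPress, and are skipped when WordPress has already defined those functions. How `contains_dangerous_keywords()` matches the list against the query is not shown on this page, so the example only shapes the list.

```php
<?php
// Stand-alone fallback: defined only when WordPress's own add_filter() is absent.
if ( ! function_exists( 'add_filter' ) ) {
	$GLOBALS['uap_demo_filters'] = array();

	function add_filter( $hook, $callback, $priority = 10, $accepted_args = 1 ) {
		$GLOBALS['uap_demo_filters'][ $hook ][] = $callback;
		return true;
	}

	function apply_filters( $hook, $value ) {
		foreach ( $GLOBALS['uap_demo_filters'][ $hook ] ?? array() as $callback ) {
			$value = call_user_func( $callback, $value );
		}
		return $value;
	}
}

/**
 * Extend the Run Query deny list (example callback, not part of Uncanny Automator Pro).
 *
 * @param array $disallowed_keywords The default array of disallowed SQL keywords.
 * @return array Defaults plus the extra keywords, uppercased and de-duplicated.
 */
function uap_demo_hardened_keywords( array $disallowed_keywords ): array {
	// Extra MySQL keywords a defender would normally want blocked in an
	// automation-driven query: privilege changes, renames, file I/O, shutdown.
	$extra = array( 'GRANT', 'REVOKE', 'RENAME', 'LOAD_FILE', 'OUTFILE', 'DUMPFILE', 'SHUTDOWN' );

	// Never drop the defaults; keep the uppercase convention of the default list.
	$merged = array_map( 'strtoupper', array_merge( $disallowed_keywords, $extra ) );

	return array_values( array_unique( $merged ) );
}
add_filter( 'automator_pro_sql_disallowed_keywords', 'uap_demo_hardened_keywords', 10, 1 );

// Demo run with the plugin's default list from the source above.
$defaults = array( 'DROP', 'ALTER', 'EXEC', 'CREATE', 'TRUNCATE' );
print_r( apply_filters( 'automator_pro_sql_disallowed_keywords', $defaults ) );
```

Removing entries from the list (as the page's earlier example comments show is possible) weakens the second of the two checks in `trim_secure_select_query()`, so treat the filter as a place to add keywords rather than relax the defaults.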
