diff --git a/src/web/server/.htaccess b/src/web/server/.htaccess new file mode 100644 index 0000000..cc6a67b --- /dev/null +++ b/src/web/server/.htaccess @@ -0,0 +1,28 @@ +# SQL Injection 방어 - Apache 레벨 WAF +# Time-based Blind SQL Injection 공격 패턴 차단 + + + RewriteEngine On + + # SLEEP(), BENCHMARK() 등 시간 지연 함수 차단 (Time-based Blind SQLi 핵심 패턴) + RewriteCond %{QUERY_STRING} (sleep|benchmark|waitfor\s+delay|pg_sleep) [NC] + RewriteRule .* - [F,L] + + RewriteCond %{REQUEST_URI} (sleep|benchmark|waitfor\s+delay|pg_sleep) [NC] + RewriteRule .* - [F,L] + + # POST body의 SQLi 패턴은 mod_security로 처리 (아래 참조) + + +# PHP 에러 메시지 노출 방지 + + php_flag display_errors Off + php_flag log_errors On + + + php_flag display_errors Off + php_flag log_errors On + + +# 서버 정보 숨기기 +ServerSignature Off diff --git a/src/web/server/record/update_result_record.php b/src/web/server/record/update_result_record.php index 79f110d..22140a1 100644 --- a/src/web/server/record/update_result_record.php +++ b/src/web/server/record/update_result_record.php @@ -16,21 +16,16 @@ $prev_best_record_id = -1; $prev_best_record = 0; $prev_best_record_id = get_best_record($maestro_id, $app_id, $player_id); -echo "id : ".$prev_best_record_id." ".$prev_best_record; if($prev_best_record_id === null || $prev_best_record_id < 0) { - echo "insert"; insert_best_record($maestro_id, $app_id, $player_id, $record); } else { - echo $record." ".$prev_best_record; if(is_highest_record_prefer_app($app_id)) { if($record > $prev_best_record) { - echo "update"; update_best_record($prev_best_record_id, $record); } } else { if($record < $prev_best_record) { - echo "update"; update_best_record($prev_best_record_id, $record); } } @@ -38,9 +33,6 @@ if($prev_best_record_id === null || $prev_best_record_id < 0) { // highest record is the highest record $app_highest_record = get_app_highest_record($maestro_id, $app_id, $player_id); -echo "\napp_highest_record : $app_highest_record"; - -// echo "\nrecord : $record"; if($app_highest_record == null) { insert_app_highest_record($maestro_id, $app_id, $player_id, $record); // echo "\ninsert_app_highest_record : $record"; diff --git a/src/web/server/setup/connect_db.php b/src/web/server/setup/connect_db.php index b0e98f6..e7763e7 100644 --- a/src/web/server/setup/connect_db.php +++ b/src/web/server/setup/connect_db.php @@ -15,7 +15,7 @@ if($hasServiceDBSetting == true) { // connect db $db_conn = new mysqli($db_host, $db_user, $db_passwd, $db_name); if ($db_conn->connect_error) { - set_error_message("Failed to connect DB: ".$db_conn->connect_error); + set_error_message("DB connection failed."); send_result_fail(); exit; } else {