Though Drupal should not be vulnerable to SQL Injection attacks, it could be handy to know when someone is attempting to exploit them. Kind of makes you think that that person might not have the best of intentions for your site. It would be nice to integrate the ability to use PHP-IDS so that admins can see more of who is trying to attack them.

Comments

Ok, so here's what I had in mind.

Start by making php-ids pluggable, so that if you create a sites/all/modules/troll/php-ids directory and drop the php-ids files in there, Troll will pick it up and the configuration will show some options related to php-ids that weren't there otherwise. As the first round of implementation, I believe php-ids can just signal a warning. Catch that signal and log it in watchdog and track on the user's troll tab. I see you have a CVS account, so would you want to just commit as you go?

Assigned: Unassigned » JoshuaRogers

That sounds great. Thank you.

CVS granted. It'd be nice if you drop me an email or file a closed issue every now and then when you make a big commit so if people file issues, I'm in the loop, too.

Status: Active » Closed (fixed)

This has been added in the latest commit.

Status: Closed (fixed) » Patch (to be ported)

Needs to be ported to HEAD/7.x.

Assigned: JoshuaRogers » Unassigned

I'm afraid I can't do D7 just yet.

Should this still be updated to 7.x with the http://drupal.org/project/phpids module in existence?

I am trying to use this module in a FreeBSD jail.

The problem is that the jail does not expose the actual IP address of the users but rather the internal IP address of the jail.

We use X-Forwarded-For support in pound to enable Apache to log the actual IP address of the client.
http://en.wikipedia.org/wiki/X-Forwarded-For

Can Troll be configured to use the X-Forwarded-For header?

Please consider adding this support to Troll and PHP-IDS if they do not support it.

Here is an example of the problem:
IP History
IP: 10.1.0.2
Status: not banned
Last Access: Tuesday, June 23, 2009 - 01:10
First Access: Tuesday, June 23, 2009 - 00:59
Host Information: 2.0.1.10.in-addr.arpa domain name pointer lamp.stream.
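
An added example (not code from Troll, PHP-IDS or this thread) of the check the X-Forwarded-For request above would need: the header is supplied by the client, so it is honoured only when the connection itself comes from a known proxy. The function name, the trusted-proxy list and the sample requests are constructed, and 10.1.0.2 is assumed to be the address of the pound proxy.

```php
<?php
// Added example: example_client_ip() is a hypothetical helper, not a Troll or Drupal API.

/**
 * Pick the address to log or ban.
 *
 * $remote_addr     socket peer address (what the web server saw)
 * $forwarded_for   raw X-Forwarded-For header value, or NULL when absent
 * $trusted_proxies addresses of proxies we operate ourselves
 */
function example_client_ip($remote_addr, $forwarded_for, array $trusted_proxies) {
  // Direct connection or no header: anything in X-Forwarded-For would be
  // attacker-controlled, so the peer address is the only one we can vouch for.
  if ($forwarded_for === NULL || !in_array($remote_addr, $trusted_proxies, TRUE)) {
    return $remote_addr;
  }
  // Assumption: each proxy appends the peer it saw. Walk the list from the
  // right and stop at the first hop that is not one of our own proxies.
  $hops = array_map('trim', explode(',', $forwarded_for));
  foreach (array_reverse($hops) as $hop) {
    if (filter_var($hop, FILTER_VALIDATE_IP) === FALSE) {
      // Malformed entry: do not log or ban on garbage.
      return $remote_addr;
    }
    if (!in_array($hop, $trusted_proxies, TRUE)) {
      return $hop;
    }
  }
  // Every hop was one of our proxies.
  return $remote_addr;
}

// Assumed proxy address, taken from the IP History entry in the report above.
$trusted = array('10.1.0.2');

// Constructed sample requests: array(peer address, X-Forwarded-For header).
$samples = array(
  'via proxy'              => array('10.1.0.2', '203.0.113.7'),
  'via proxy, forged left' => array('10.1.0.2', '198.51.100.9, 203.0.113.7'),
  'direct, forged header'  => array('198.51.100.9', '127.0.0.1'),
  'via proxy, malformed'   => array('10.1.0.2', 'not-an-ip'),
  'via proxy, no header'   => array('10.1.0.2', NULL),
);

foreach ($samples as $label => $request) {
  printf("%-24s %s\n", $label, example_client_ip($request[0], $request[1], $trusted));
}
```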

I think the patch ought to look like something that integrates with http://drupal.org/project/phpids rather than keeping php-ids built into troll.

Title: Integration with PHP-IDS » Integration with PHP-IDS module
Category: feature » task