Intercept more SQL injection

Changes

@@ -1,5 +1,9 @@
 Revision history for CGI-Info
 
+0.84
+	Intercept SQL Injection
+		entry=-4346" OR 1749\=1749 AND "dgiO"\="dgiO;page=people
+
 0.83	Sun  8 Sep 08:52:23 EDT 2024
 	Mark Go-http-client as a robot
 	Support CircleCI

lib/CGI/Info.pm

@@ -765,6 +765,7 @@ sub params {
 			   ($value =~ /((\%27)|(\'))union/ix) ||
 			   ($value =~ /select[[a-z]\s\*]from/ix) ||
 			   ($value =~ /\sAND\s1=1/ix) ||
+			   ($value =~ /\sOR\s.+\sAND\s/) ||
 			   ($value =~ /\/\*\*\/ORDER\/\*\*\/BY\/\*\*/ix) ||
 			   ($value =~ /exec(\s|\+)+(s|x)p\w+/ix)) {
 				if($self->{logger}) {

t/params.t

@@ -2,7 +2,7 @@
 
 use strict;
 use warnings;
-use Test::Most tests => 174;
+use Test::Most tests => 179;
 use Test::NoWarnings;
 use File::Spec;
 use lib 't/lib';
@@ -77,6 +77,7 @@ PARAMS: {
 	%p = %{$i->params()};
 	ok($p{foo} eq 'bar');
 	ok($p{fred} eq 'wilma');
+	cmp_ok($i->foo(), 'eq', 'bar', 'Test AUTOLOAD');
 	ok($i->as_string() eq 'foo=bar;fred=wilma');
 
 	# Catch XSS attempts
@@ -96,6 +97,13 @@ PARAMS: {
 	ok(!defined($i->params()));
 	ok($i->as_string() eq '');
 
+	# Seen in vwf.log
+	$ENV{'QUERY_STRING'} = 'entry=-4346" OR 1749\=1749 AND "dgiO"\="dgiO;page=people';
+	$i = new_ok('CGI::Info');
+	ok(!defined($i->params()));
+	ok(!defined($i->entry()));
+	ok($i->as_string() eq '');
+
 	$ENV{'QUERY_STRING'} = '<script>alert(123)</script>=wilma';
 	$i = new_ok('CGI::Info');
 	%p = %{$i->params()};