claunia/appdb
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-05-23. You can view files and clone it, but cannot push or open issues or pull requests.
Files
main
appdb/include/filter.php
claunia 2782475c4f Just configured from Wine's GIT 
svn path=/; revision=1
2009-10-09 00:08:02 +00:00

118 lines
4.6 KiB
PHP
Raw Permalink Blame History

<?php
$aClean = array();
filter_perform_filtering();
/* perform input variable filtering */
function filter_perform_filtering()
{
// if filtering failed post the error
$sResult = filter_gpc();
if($sResult)
{
util_show_error_page_and_exit($sResult);
}
}
/*
* Make all get/post/cookies variable clean based on their names.
* Returns an error string if failure occurs, null if successful
*/
function filter_gpc()
{
global $aClean;
$sErrorSuggestion = " Please try clearing out your cookies. If the problem continues ".
" please email ".APPDB_OWNER_EMAIL." with the error text.";
$aKeys = array_keys($_REQUEST);
for($i=0; $i < sizeof($aKeys); $i++)
{
// NOTE: useful for debugging
//echo "'".$aKeys[$i]."' = '".$_REQUEST[$aKeys[$i]]."'\n";
// Special cases for variables that don't fit our filtering scheme
// don't filter the AppDB session cookie and MAX_FILE_SIZE
// and the DialogX values that xinha uses
// NOTE: we must use === when comparing the return value of strpos
// against a value, otherwise if strpos() returns false indicating that
// the value wasn't found strpos(something) == 0 will still be true
if((strpos($aKeys[$i], "Dialog") === 0) ||
(strpos($aKeys[$i], "XinhaColorPicker") === 0) || // Xinha variables
($aKeys[$i] == "cx") || // google custom search variable
($aKeys[$i] == "cof") || // google custom search variable
($aKeys[$i] == "q")) // google custom search variable
{
// copy the key over to the clean array
// NOTE: we do not strip html tags or trim any Xinha variables
// because Xinha is a html editor and removing html tags
// would break the ability to use Xinha to create or edit html
$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
continue; // go to the next entry
} else if($aKeys[$i] == "whq_appdb" || ($aKeys[$i] == "MAX_FILE_SIZE")
|| ($aKeys[$i] == "PHPSESSID")
|| (strpos($aKeys[$i], "pref_") === 0)) // other variables
{
// copy the key over to the clean array after stripping tags and trimming
$aClean[$aKeys[$i]] = trim(strip_tags($_REQUEST[$aKeys[$i]]));
continue; // go to the next entry
}
switch($aKeys[$i][0])
{
case "i": // integer
case "f": // float
if(is_numeric($_REQUEST[$aKeys[$i]]))
$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
else if(empty($_REQUEST[$aKeys[$i]]))
$aClean[$aKeys[$i]] = 0;
else if(is_numeric(trim($_REQUEST[$aKeys[$i]]))) // try clearing whitespace
$aClean[$aKeys[$i]] = trim($_REQUEST[$aKeys[$i]]);
else
return "Fatal error: ".$aKeys[$i]." should be a numeric value. ".
$sErrorSuggestion;
break;
case "b": // boolean
if($_REQUEST[$aKeys[$i]]=="true" || $_REQUEST[$aKeys[$i]]=="false")
$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
else
return "Fatal error: ".$aKeys[$i]." should be a boolean value. ".
$sErrorSuggestion;
break;
case "s": // string
switch($aKeys[$i][1])
{
case "h": // HTML string
$aClean[$aKeys[$i]] = trim($_REQUEST[$aKeys[$i]]);
// if there is no content and no image, make the variable empty
if(strip_tags($aClean[$aKeys[$i]],'<img>')=="")
$aClean[$aKeys[$i]] = "";
break;
default: // normal string (no HTML)
$aClean[$aKeys[$i]] = trim(strip_tags($_REQUEST[$aKeys[$i]]));
break;
}
break;
case "a": // array
// store the value if it is an array
if(is_array($_REQUEST[$aKeys[$i]]))
$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
break;
default:
// type not recognized, skip it
break;
}
}
/* null out all input data so we can be assured that */
/* no unfiltered values are being used */
$_REQUEST = array();
$_POST = array();
$_GET = array();
if(APPDB_DONT_CLEAR_COOKIES_VAR != "1")
$_COOKIES = array();
return null;
}
?>
Reference in New Issue View Git Blame Copy Permalink