qemudb/include/filter.php

<?php
$aClean = array();
filter_gpc();

/*
 * Make all get/post/cookies variable clean based on their names.
 */
function filter_gpc()
{
    global $aClean;
    $aKeys = array_keys($_REQUEST);
    for($i=0;$i<sizeof($aKeys);$i++)
    {
        switch($aKeys[$i][0])
        {
            case "i": // integer
            case "f": // float
                if(is_numeric($_REQUEST[$aKeys[$i]]))
                    $aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
                elseif(empty($_REQUEST[$aKeys[$i]]))
                    $aClean[$aKeys[$i]] = 0;
                else
                    util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be a numeric value.");
            break;
            case "b": // boolean
                if($_REQUEST[$aKeys[$i]]=="true" || $_REQUEST[$aKeys[$i]]=="false")
                    $aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
                else
                    util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be a boolean value.");
            break;
            case "s": // string
                switch($aKeys[$i][1])
                {
                     case "h": // HTML string
                         $aClean[$aKeys[$i]] = htmlspecialchars($_REQUEST[$aKeys[$i]]);
                     break;
                     default: // normal string (no HTML)
                          $aClean[$aKeys[$i]] = strip_tags($_REQUEST[$aKeys[$i]]);
                     break;
                }
            break;
            case "a": // array
                 if(!is_array($_REQUEST[$aKeys[$i]]))
                    util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be an array.");
            break;
            default:
                // don't filter the AppDB session cookie and MAX_FILE_SIZE
                if($aKeys[$i]!="whq_appdb" && $aKeys[$i]!="MAX_FILE_SIZE")
                { 
                    util_show_error_page_and_exit("Fatal error: type of variable ".$aKeys[$i]." is not recognized.");
                }
            break;
        }
    }
    
    /* null out all input data so we can be assured that */
    /* no unfiltered values are being used */
    $_REQUEST = array();
    $_POST = array();
    $_GET = array();
    if(APPDB_DONT_CLEAR_COOKIES_VAR != "1")
        $_COOKIES = array();
}
?>
Automatic filtering of $_REQUEST variables 2006-06-28 17:30:44 +00:00			`<?php`
			`$aClean = array();`
			`filter_gpc();`

			`/*`
			`* Make all get/post/cookies variable clean based on their names.`
			`*/`
			`function filter_gpc()`
			`{`
			`global $aClean;`
			`$aKeys = array_keys($_REQUEST);`
			`for($i=0;$i<sizeof($aKeys);$i++)`
			`{`
			`switch($aKeys[$i][0])`
			`{`
			`case "i": // integer`
			`case "f": // float`
			`if(is_numeric($_REQUEST[$aKeys[$i]]))`
			`$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];`
Empty numeric values should default to 0 2006-07-07 16:01:26 +00:00			`elseif(empty($_REQUEST[$aKeys[$i]]))`
			`$aClean[$aKeys[$i]] = 0;`
Automatic filtering of $_REQUEST variables 2006-06-28 17:30:44 +00:00			`else`
Rename util_show_error_page() to util_show_error_page_and_exit() and redirect() to util_redirect_and_exit() so it is explicit that we exit in those functions that so we know it isn't necessary to put an exit after we call them 2006-07-06 18:44:56 +00:00			`util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be a numeric value.");`
Automatic filtering of $_REQUEST variables 2006-06-28 17:30:44 +00:00			`break;`
			`case "b": // boolean`
			`if($_REQUEST[$aKeys[$i]]=="true" \|\| $_REQUEST[$aKeys[$i]]=="false")`
			`$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];`
			`else`
Rename util_show_error_page() to util_show_error_page_and_exit() and redirect() to util_redirect_and_exit() so it is explicit that we exit in those functions that so we know it isn't necessary to put an exit after we call them 2006-07-06 18:44:56 +00:00			`util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be a boolean value.");`
Automatic filtering of $_REQUEST variables 2006-06-28 17:30:44 +00:00			`break;`
			`case "s": // string`
			`switch($aKeys[$i][1])`
			`{`
			`case "h": // HTML string`
			`$aClean[$aKeys[$i]] = htmlspecialchars($_REQUEST[$aKeys[$i]]);`
			`break;`
			`default: // normal string (no HTML)`
			`$aClean[$aKeys[$i]] = strip_tags($_REQUEST[$aKeys[$i]]);`
			`break;`
			`}`
			`break;`
Check for arrays when filtering. MAX_FILE_SIZE should not be filtered 2006-06-29 16:09:29 +00:00			`case "a": // array`
			`if(!is_array($_REQUEST[$aKeys[$i]]))`
Rename util_show_error_page() to util_show_error_page_and_exit() and redirect() to util_redirect_and_exit() so it is explicit that we exit in those functions that so we know it isn't necessary to put an exit after we call them 2006-07-06 18:44:56 +00:00			`util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be an array.");`
Check for arrays when filtering. MAX_FILE_SIZE should not be filtered 2006-06-29 16:09:29 +00:00			`break;`
Automatic filtering of $_REQUEST variables 2006-06-28 17:30:44 +00:00			`default:`
Add an option to prevent filtering of cookies in the case where multiple web apps are hosted on the same virtualhost 2006-07-07 16:39:27 +00:00			`// don't filter the AppDB session cookie and MAX_FILE_SIZE`
			`if($aKeys[$i]!="whq_appdb" && $aKeys[$i]!="MAX_FILE_SIZE")`
filter_gpc() should ignore any bugzilla parameters to avoid errors when these cookies are set 2006-07-07 04:49:32 +00:00			`{`
Rename util_show_error_page() to util_show_error_page_and_exit() and redirect() to util_redirect_and_exit() so it is explicit that we exit in those functions that so we know it isn't necessary to put an exit after we call them 2006-07-06 18:44:56 +00:00			`util_show_error_page_and_exit("Fatal error: type of variable ".$aKeys[$i]." is not recognized.");`
filter_gpc() should ignore any bugzilla parameters to avoid errors when these cookies are set 2006-07-07 04:49:32 +00:00			`}`
Automatic filtering of $_REQUEST variables 2006-06-28 17:30:44 +00:00			`break;`
			`}`
			`}`

			`/* null out all input data so we can be assured that */`
			`/* no unfiltered values are being used */`
			`$_REQUEST = array();`
			`$_POST = array();`
			`$_GET = array();`
Add an option to prevent filtering of cookies in the case where multiple web apps are hosted on the same virtualhost 2006-07-07 16:39:27 +00:00			`if(APPDB_DONT_CLEAR_COOKIES_VAR != "1")`
			`$_COOKIES = array();`
Automatic filtering of $_REQUEST variables 2006-06-28 17:30:44 +00:00			`}`
			`?>`