claunia/qemudb
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

filter_gpc() should report success or failure, a higher level function should take care of calling out to an error page.

Browse Source 
Add a unit test for filter_gpc() and test filtering success, failure and test that the filtering of html and normal strings
properly preserves tags for html strings and strips them from normal strings
This commit is contained in:
Chris Morgan
2007-01-06 06:27:50 +00:00
committed by WineHQ
parent bafd714c01
commit 3eca785210
3 changed files with 164 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
include/filter.php
View File

@@ -1,19 +1,39 @@
<?php
$aClean = array();
filter_gpc();
filter_perform_filtering();
/* perform input variable filtering */
function filter_perform_filtering()
{
// if filtering failed post the error
$sResult = filter_gpc();
if($sResult)
{
util_show_error_page_and_exit($sResult);
}
}
/*
* Make all get/post/cookies variable clean based on their names.
* Returns an error string if failure occurs, null if successful
*/
function filter_gpc()
{
global $aClean;
$aKeys = array_keys($_REQUEST);
for($i=0; $i < sizeof($aKeys); $i++)
{
// NOTE: useful for debugging
//echo "'".$aKeys[$i]."' = '".$_REQUEST[$aKeys[$i]]."'\n";
// Special cases for variables that don't fit our filtering scheme
// don't filter the AppDB session cookie and MAX_FILE_SIZE
// and the DialogX values that xinha uses
// NOTE: we must use === when comparing the return value of strpos
// against a value, otherwise if strpos() returns false indicating that
// the value wasn't found strpos(something) == 0 will still be true
if(strpos($aKeys[$i], "Dialog") === 0) // Xinha variables
{
// copy the key over to the clean array
@@ -24,7 +44,7 @@ function filter_gpc()
continue; // go to the next entry
} else if($aKeys[$i] == "whq_appdb" || ($aKeys[$i] == "MAX_FILE_SIZE")
|| ($aKeys[$i] == "PHPSESSID")
|| (strpos($aKeys[$i], "pref_")) === 0) // other variables
|| (strpos($aKeys[$i], "pref_") === 0)) // other variables
{
// copy the key over to the clean array after stripping tags and trimming
$aClean[$aKeys[$i]] = trim(strip_tags($_REQUEST[$aKeys[$i]]));
@@ -37,16 +57,16 @@ function filter_gpc()
case "f": // float
if(is_numeric($_REQUEST[$aKeys[$i]]))
$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
elseif(empty($_REQUEST[$aKeys[$i]]))
else if(empty($_REQUEST[$aKeys[$i]]))
$aClean[$aKeys[$i]] = 0;
else
util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be a numeric value.");
return "Fatal error: ".$aKeys[$i]." should be a numeric value.";
break;
case "b": // boolean
if($_REQUEST[$aKeys[$i]]=="true" || $_REQUEST[$aKeys[$i]]=="false")
$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
else
util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be a boolean value.");
return "Fatal error: ".$aKeys[$i]." should be a boolean value.";
break;
case "s": // string
switch($aKeys[$i][1])
@@ -64,10 +84,10 @@ function filter_gpc()
break;
case "a": // array
if(!is_array($_REQUEST[$aKeys[$i]]))
util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be an array.");
return "Fatal error: ".$aKeys[$i]." should be an array.";
break;
default:
util_show_error_page_and_exit("Fatal error: type of variable ".$aKeys[$i]." is not recognized.");
return "Fatal error: type of variable ".$aKeys[$i]." is not recognized.";
break;
}
}
@@ -79,5 +99,7 @@ function filter_gpc()
$_GET = array();
if(APPDB_DONT_CLEAR_COOKIES_VAR != "1")
$_COOKIES = array();
return null;
}
?>