claunia/qemudb
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

filter_gpc() should report success or failure, a higher level function should take care of calling out to an error page.

Browse Source 
Add a unit test for filter_gpc() and test filtering success, failure and test that the filtering of html and normal strings
properly preserves tags for html strings and strips them from normal strings
This commit is contained in:
Chris Morgan
2007-01-06 06:27:50 +00:00
committed by WineHQ
parent bafd714c01
commit 3eca785210
3 changed files with 164 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
include/filter.php
View File

@@ -1,19 +1,39 @@
<?php
$aClean = array();
filter_gpc();
filter_perform_filtering();
/* perform input variable filtering */
function filter_perform_filtering()
{
// if filtering failed post the error
$sResult = filter_gpc();
if($sResult)
{
util_show_error_page_and_exit($sResult);
}
}
/*
* Make all get/post/cookies variable clean based on their names.
* Returns an error string if failure occurs, null if successful
*/
function filter_gpc()
{
global $aClean;
$aKeys = array_keys($_REQUEST);
for($i=0; $i < sizeof($aKeys); $i++)
{
// NOTE: useful for debugging
//echo "'".$aKeys[$i]."' = '".$_REQUEST[$aKeys[$i]]."'\n";
// Special cases for variables that don't fit our filtering scheme
// don't filter the AppDB session cookie and MAX_FILE_SIZE
// and the DialogX values that xinha uses
// NOTE: we must use === when comparing the return value of strpos
// against a value, otherwise if strpos() returns false indicating that
// the value wasn't found strpos(something) == 0 will still be true
if(strpos($aKeys[$i], "Dialog") === 0) // Xinha variables
{
// copy the key over to the clean array
@@ -24,7 +44,7 @@ function filter_gpc()
continue; // go to the next entry
} else if($aKeys[$i] == "whq_appdb" || ($aKeys[$i] == "MAX_FILE_SIZE")
|| ($aKeys[$i] == "PHPSESSID")
|| (strpos($aKeys[$i], "pref_")) === 0) // other variables
|| (strpos($aKeys[$i], "pref_") === 0)) // other variables
{
// copy the key over to the clean array after stripping tags and trimming
$aClean[$aKeys[$i]] = trim(strip_tags($_REQUEST[$aKeys[$i]]));
@@ -37,16 +57,16 @@ function filter_gpc()
case "f": // float
if(is_numeric($_REQUEST[$aKeys[$i]]))
$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
elseif(empty($_REQUEST[$aKeys[$i]]))
else if(empty($_REQUEST[$aKeys[$i]]))
$aClean[$aKeys[$i]] = 0;
else
util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be a numeric value.");
return "Fatal error: ".$aKeys[$i]." should be a numeric value.";
break;
case "b": // boolean
if($_REQUEST[$aKeys[$i]]=="true" || $_REQUEST[$aKeys[$i]]=="false")
$aClean[$aKeys[$i]] = $_REQUEST[$aKeys[$i]];
else
util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be a boolean value.");
return "Fatal error: ".$aKeys[$i]." should be a boolean value.";
break;
case "s": // string
switch($aKeys[$i][1])
@@ -64,10 +84,10 @@ function filter_gpc()
break;
case "a": // array
if(!is_array($_REQUEST[$aKeys[$i]]))
util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be an array.");
return "Fatal error: ".$aKeys[$i]." should be an array.";
break;
default:
util_show_error_page_and_exit("Fatal error: type of variable ".$aKeys[$i]." is not recognized.");
return "Fatal error: type of variable ".$aKeys[$i]." is not recognized.";
break;
}
}
@@ -79,5 +99,7 @@ function filter_gpc()
$_GET = array();
if(APPDB_DONT_CLEAR_COOKIES_VAR != "1")
$_COOKIES = array();
return null;
}
?>

2
unit_test/run_tests.php
View File

@@ -20,4 +20,6 @@ echo "\n";
include_once("test_application.php");
echo "\n";
include_once("test_error_log.php");
echo "\n";
include_once("test_filter.php");
?>

133
unit_test/test_filter.php Normal file
View File

@@ -0,0 +1,133 @@
<?php
/* unit tests for input filtering routines */
require_once("path.php");
require_once("test_common.php");
require_once(BASE."include/incl.php");
// Test that we can filter properly, that filtering errors result in error output
// and that we properly preserve html tags in html strings and strip html tags from
// normal strings
function test_filter()
{
global $aClean; // the array where filtered variables will be stored
//*********************************************************
// test that filtering properly fails when given an integer
// that doesn't contain an integer value
$_REQUEST = array(); // clear out the array
$_REQUEST['iInteger'] = 100;
$_REQUEST['iNotAnInteger'] = "asfasdflskjf"; // this value should cause filtering to
// fail since it isn't an integer bug has
// the integer prefix of 'i'
$sResult = filter_gpc();
if(!$sResult)
{
echo "filter_gpc() succeeded when it should have failed due to invalid input!\n";
return false;
}
//***************************************************************
// test that filtering succeeds when given valid values to filter
$sString = "some string";
$iInteger = 12345;
$_REQUEST = array(); // clear out the array
$_REQUEST['sString'] = $sString;
$_REQUEST['iInteger'] = $iInteger;
// filter the variables and make sure that we don't have a return value
// ie, that filtering succeeded
$sResult = filter_gpc();
if($sResult)
{
echo "sResult is '$sResult' but we expected success and no return value\n";
return false;
}
// make sure the values match what we expect
if($aClean['sString'] != $sString)
{
echo "Expected aClean['sString'] to be '".$sString."' but instead it was '".$aClean['sString']."'\n";
return false;
}
if($aClean['iInteger'] != $iInteger)
{
echo "Expected aClean['iInteger'] to be '".$iInteger."' but instead it was '".$aClean['iInteger']."'\n";
return false;
}
//*************************************************************
// test that filtering html works properly, preserving the tags
$_REQUEST = array(); // clear out the array
$shHtml = "<pre>This is some html</pre>";
$_REQUEST['shHtml'] = $shHtml;
// filter the variables and make sure that we don't have a return value
// ie, that filtering succeeded
$sResult = filter_gpc();
if($sResult)
{
echo "sResult is '$sResult' but we expected success and no return value\n";
return false;
}
// expect that the filtered value will be equal
if($aClean['shHtml'] != $shHtml)
{
echo "Expected aClean['shHtml'] to be '".$shHtml."' but instead it was '".$aClean['shHtml']."'\n";
return false;
}
//*****************************************************************************
// test that filtering strings with html results in the tags being stripped out
$_REQUEST = array(); // clear out the array
$sHtml = "<pre>This is some html</pre>";
$_REQUEST['sHtml'] = $sHtml;
// filter the variables and make sure that we don't have a return value
// ie, that filtering succeeded
$sResult = filter_gpc();
if($sResult)
{
echo "sResult is '$sResult' but we expected success and no return value\n";
return false;
}
// expect that $aClean value has been modified during filtering so these
// shouldn't be equal unless something has failed
if($aClean['sHtml'] == $sHtml)
{
echo "Expected aClean['shHtml'] to be '".$sHtml."' but instead it was '".$aClean['sHtml']."'\n";
return false;
}
// make sure all html has been stripped
if(strip_tags($aClean['sHtml']) != $aClean['sHtml'])
{
echo "Expected all html to be stripped already but we were able to strip this '".$aClean['sHtml']
."' into '".strip_tags($aClean['sHtml'])."'\n";
return false;
}
return true;
}
/*************************/
/* Main test routines */
if(!test_filter())
echo "test_filter() failed!\n";
else
echo "test_filter() passed\n";
?>