Fix and enable input filtering through include/filter.php

account.php

@@ -20,7 +20,6 @@
 // application environment
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/mail.php");
 
 // set http header to not cache

addcomment.php

@@ -14,7 +14,6 @@
 // application environment
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/comment.php");
 
 // you must be logged in to submit comments

admin/addAppNote.php

@@ -7,13 +7,6 @@ require("path.php");
 require(BASE."include/incl.php");
 require_once(BASE."include/note.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-$aClean['iAppId'] = makeSafe( $_REQUEST['iAppId']);
-$aClean['sSub'] = makeSafe($_REQUEST['sSub']);
-$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
-
 //FIXME: get rid of appId references everywhere, as version is enough.
 $sQuery = "SELECT appId FROM appVersion WHERE versionId = '?'";
 $hResult = query_parameters($sQuery, $aClean['iVersionId']);
@@ -37,7 +30,7 @@ else
     exit;
 
 $oNote = new Note();
-$oNote->GetOutputEditorValues($_REQUEST);
+$oNote->GetOutputEditorValues($aClean);
 
 if($aClean['sSub'] == "Submit")
 {

admin/addCategory.php

@@ -3,14 +3,6 @@ require("path.php");
 require(BASE."include/incl.php");
 require_once(BASE."include/category.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iCatId'] = makeSafe($_REQUEST['iCatId']);
-$aClean['sName'] = makeSafe($_REQUEST['sName']);
-$aClean['sDescription'] = makeSafe($_REQUEST['sDescription']);
-$aClean['iParentId'] = makeSafe($_REQUEST['iParentId']);
-$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
-
 if(!$_SESSION['current']->hasPriv("admin"))
     util_show_error_page_and_exit();
 

admin/adminAppDataQueue.php

@@ -11,15 +11,6 @@ require_once(BASE."include/application.php");
 require_once(BASE."include/version.php");
 require_once(BASE."include/user.php");
 
-$aClean = array(); //array of user input
-
-$aClean['iId'] = makeSafe($_REQUEST['iId']);
-$aClean['sSub'] = makeSafe($_REQUEST['sSub']);
-$aClean['sAdd'] = makeSafe($_REQUEST['sAdd']);
-$aClean['sDescription'] = makeSafe($_REQUEST['sDescription']);
-$aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
-$aClean['sReject'] = makeSafe($_REQUEST['sReject']);
-
 // deny access if not admin or at least some kind of maintainer
 if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer())
     util_show_error_page_and_exit("Insufficient privileges.");

admin/adminAppQueue.php

@@ -9,21 +9,6 @@ require_once(BASE."include/tableve.php");
 require_once(BASE."include/application.php");
 require_once(BASE."include/testData.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
-$aClean['sSub'] = makeSafe($_REQUEST['sSub'] );
-$aClean['sAppType'] = makeSafe($_REQUEST['sAppType']);
-$aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);
-$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-$aClean['sAppVendorName'] = makeSafe($_REQUEST['sAppVendorName']);
-$aClean['iAppVendorId']  = makeSafe($_REQUEST['iAppVendorId']);
-$aClean['sAppWebpage'] = makeSafe($_REQUEST['sAppWebpage']);
-$aClean['iAppIdMergeTo'] = makeSafe($_REQUEST['iAppIdMergeTo']);
-$aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
-$aClean['iVersionIdMergeTo'] = makeSafe($_REQUEST['iVersionIdMergeTo']);
-$aClean['sDistribution'] = makeSafe($_REQUEST['sDistribution']);
-
 function get_vendor_from_keywords($sKeywords)
 {
     $aKeywords = explode(" *** ",$sKeywords);
@@ -188,12 +173,12 @@ if ($aClean['sSub'])
     {
         $oVersion = new Version($aClean['iVersionId']);
         $oTest = new testData($aClean['iTestingId']);
-        $oVersion->GetOutputEditorValues($_REQUEST);
-        $oTest->GetOutputEditorValues($_REQUEST);
+        $oVersion->GetOutputEditorValues($aClean);
+        $oTest->GetOutputEditorValues($aClean);
         if ($aClean['sAppType'] == "application") // application
         {
             $oApp = new Application($aClean['iAppId']);
-            $oApp->GetOutputEditorValues($_REQUEST); // load the values from $_REQUEST 
+            $oApp->GetOutputEditorValues($aClean); // load the values from $aClean
             // add new vendor
             if($aClean['sAppVendorName'] and !$aClean['iAppVendorId'])
             {
@@ -267,12 +252,12 @@ if ($aClean['sSub'])
     {
         $oVersion = new Version($aClean['iVersionId']);
         $oTest = new testData($aClean['iTestingId']);
-        $oVersion->GetOutputEditorValues($_REQUEST);
-        $oTest->GetOutputEditorValues($_REQUEST);
+        $oVersion->GetOutputEditorValues($aClean);
+        $oTest->GetOutputEditorValues($aClean);
         if ($aClean['sAppType'] == "application") // application
         {
             $oApp = new Application($aClean['iAppId']);
-            $oApp->GetOutputEditorValues($_REQUEST); // load the values from $_REQUEST 
+            $oApp->GetOutputEditorValues($aClean); // load the values from $aClean
             $oApp->update(true);
             $oApp->reject();
         }

admin/adminBugs.php

@@ -10,15 +10,6 @@ require("path.php");
 require(BASE."include/incl.php");
 require_once(BASE."include/bugs.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['sSub'] = makeSafe($_REQUEST['sSub']);
-$aClean['iBuglinkId'] = makeSafe($_REQUEST['iBuglinkId']);
-$aClean['iItemsPerPage'] = makeSafe($_REQUEST['iItemsPerPage']);
-$aClean['sQueuedOnly'] = makeSafe($_REQUEST['sQueuedOnly']);
-$aClean['iPage'] = makeSafe($_REQUEST['iPage']);
-
-
 // deny access if not logged in
 if(!$_SESSION['current']->hasPriv("admin"))
     util_show_error_page_and_exit("Insufficient privileges.");

admin/adminCommentView.php

@@ -15,11 +15,6 @@ $pageRange = 10;
 $ItemsPerPage = 10;
 $currentPage = 1;
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iItemsPerPage'] = makeSafe($_REQUEST['iItemsPerPage']);
-$aClean['iPage'] = makeSafe($_REQUEST['iPage']);
-
 if($aClean['iItemsPerPage'])
     $ItemsPerPage = $aClean['iItemsPerPage'];
 if($aClean['iPage'])

admin/adminMaintainerQueue.php

@@ -14,14 +14,6 @@ require_once(BASE."include/mail.php");
 /* The initial help text displayed in the admin's response field */
 $sReplyTextHelp = "Enter a personalized reason for accepting or rejecting the user's maintainer request here";
 
-$aClean = array(); //array of filtered user input
-
-$aClean['sSub'] = makeSafe( $_REQUEST['sSub'] );
-$aClean['iMaintainerId'] = makeSafe( $_REQUEST['iMaintainerId'] );
-$aClean['sAdd'] = makeSafe( $_REQUEST['sAdd'] );
-$aClean['sReject'] = makeSafe( $_REQUEST['sReject'] );
-$aClean['sReplyText'] = makeSafe( $_REQUEST['sReplyText'] );
-
 /* If the admin's response text has not been modified, it should not be included in the e-mail sent to the rejected/accepted maintainer */
 if($aClean['sReplyText'] == $sReplyTextHelp)
     $aClean['sReplyText'] = "";

admin/adminMaintainers.php

@@ -9,11 +9,6 @@
 require("path.php");
 require(BASE."include/incl.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['sSub'] = makeSafe($_REQUEST['sSub']);
-$aClean['iMaintainerId'] = makeSafe($_REQUEST['iMaintainerId']);
-
 // deny access if not logged in
 if(!$_SESSION['current']->hasPriv("admin"))
     util_show_error_page_and_exit("Insufficient privileges.");

admin/adminScreenshots.php

@@ -9,15 +9,6 @@ require(BASE."include/incl.php");
 require_once(BASE."include/screenshot.php");
 require_once(BASE."include/application.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['sCmd'] = makeSafe($_REQUEST['sCmd']);
-$aClean['iImageId'] = makeSafe($_REQUEST['iImageId']);
-$aClean['iItemsPerPage'] = makeSafe($_REQUEST['iItemsPerPage']);
-$aClean['iPage'] = makeSafe($_REQUEST['iPage']);
-$aClean['bRegenerate'] = makeSafe($_REQUEST['bRegenerate']);
-$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-
 // deny access if not admin
 if(!$_SESSION['current']->hasPriv("admin"))
     util_show_error_page_and_exit("Insufficient privileges.");

admin/adminTestResults.php

@@ -11,11 +11,6 @@ require_once(BASE."include/version.php");
 require_once(BASE."include/testData.php");
 require_once(BASE."include/distribution.php");
 
-$aClean = array();
-
-$aClean['sSub'] = makeSafe($_REQUEST['sSub']);
-$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
-
 if ($aClean['sSub'])
 {
     $oTest = new testData($aClean['iTestingId']);
@@ -29,7 +24,7 @@ if ($aClean['sSub'])
         if(is_numeric($aClean['iTestingId']))
         {
             $oTest = new testData($aClean['iTestingId']);
-            $oTest->GetOutputEditorValues($_REQUEST);
+            $oTest->GetOutputEditorValues($aClean);
 
             if($aClean['sSub'] == 'Submit')        // submit the test results
             {

admin/adminUsers.php

@@ -6,15 +6,6 @@
 require("path.php");
 require(BASE."include/incl.php");
 
-$aClean = array(); //filtered user input
-
-$aClean['sAction'] = makeSafe($_REQUEST['sAction']);
-$aClean['iUserId'] = makeSafe($_REQUEST['iUserId']);
-$aClean['sSearch'] = makeSafe($_REQUEST['sSearch']);
-$aClean['iLimit'] = makeSafe($_REQUEST['iLimit']);
-$aClean['sOrderBy'] = makeSafe($_REQUEST['sOrderBy']);
-$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
-
 apidb_header("Admin Users Management");
 
 if(!$_SESSION['current']->hasPriv("admin"))

admin/deleteAny.php

@@ -13,14 +13,6 @@ require_once(BASE."include/application.php");
 require_once(BASE."include/monitor.php");
 require_once(BASE."include/testData.php");
 
-$aClean = array(); //filtered user input
-
-$aClean['sConfirmed'] = makeSafe($_REQUEST['sConfirmed']);
-$aClean['sWhat'] = makeSafe($_REQUEST['sWhat']);
-$aClean['iCatId'] = makeSafe($_REQUEST['iCatId']);
-$aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);
-$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-
 if($aClean['sConfirmed'] != "yes")
 {
     // ask for confirmation

admin/editAppFamily.php

@@ -9,11 +9,6 @@ require_once(BASE."include/tableve.php");
 require_once(BASE."include/application.php");
 require_once(BASE."include/category.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);
-$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
-
 if(!is_numeric($aClean['iAppId']))
     util_show_error_page_and_exit("Wrong ID");
 

admin/editAppNote.php

@@ -7,13 +7,6 @@ require("path.php");
 require(BASE."include/incl.php");
 require_once(BASE."include/note.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iNoteId'] = makeSafe($_REQUEST['iNoteId']);
-$aClean['sSub'] = makeSafe($_REQUEST['sSub']);
-$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
-$aClean['sPreview'] = makeSafe($_REQUEST['sPreview']);
-
 if(!is_numeric($aClean['iNoteId']))
     util_show_error_page_and_exit('Wrong note ID');
 
@@ -26,7 +19,7 @@ if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintaine
 
 if(!empty($aClean['sSub']))
 {
-    $oNote->GetOutputEditorValues($_REQUEST); /* retrieve the updated values */
+    $oNote->GetOutputEditorValues($aClean); /* retrieve the updated values */
 
     if ($aClean['sSub'] == 'Delete')
     {
@@ -45,7 +38,7 @@ if(!empty($aClean['sSub']))
     /* if preview is set display the note for review */
     if($aClean['sPreview'])
     {
-        $oNote->GetOutputEditorValues($_REQUEST); /* retrieve the updated values */
+        $oNote->GetOutputEditorValues($aClean); /* retrieve the updated values */
         $oNote->show(true);
     }
 

admin/editAppVersion.php

@@ -5,12 +5,6 @@ require_once(BASE."include/tableve.php");
 require_once(BASE."include/application.php");
 require_once(BASE."include/version.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);
-$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
-
 if(!is_numeric($aClean['iAppId']) OR !is_numeric($aClean['iVersionId']))
     util_show_error_page_and_exit("Wrong ID");
 

admin/editBundle.php

@@ -18,25 +18,25 @@ function build_app_list()
     echo "</select>\n";
 }
 
-if($_REQUEST['sCmd'])
+if($aClean['sCmd'])
 {
-    if($_REQUEST['sCmd'] == "delete")
+    if($aClean['sCmd'] == "delete")
     {
         $hResult = query_parameters("DELETE FROM appBundle WHERE appId ='?' AND bundleId = '?'",
-                                    $_REQUEST['iAppId'], $_REQUEST['iBundleId']);
+                                    $aClean['iAppId'], $aClean['iBundleId']);
         if($hResult)
             addmsg("App deleted from bundle", "green");
         else
             addmsg("Failed to delete app from bundle!", "red");
     }
-    if($_REQUEST['sCmd'] == "add")
+    if($aClean['sCmd'] == "add")
     {
         $hResult = query_parameters("INSERT INTO appBundle (bundleId, appId) VALUES".
                                     "('?', '?')",
-                                    $_REQUEST['iBundleId'],
-                                    $_REQUEST['iAppId']);
+                                    $aClean['iBundleId'],
+                                    $aClean['iAppId']);
         if($hResult)
-            addmsg("App $appId added to Bundle".$_REQUEST['iBundleId'], "green");
+            addmsg("App $appId added to Bundle".$aClean['iBundleId'], "green");
     }
 }
 
@@ -45,7 +45,7 @@ apidb_header("Edit Application Bundle");
 
 $hResult = query_parameters("SELECT bundleId, appBundle.appId, appName FROM appBundle, appFamily ".
                             "WHERE bundleId = '?' AND appFamily.appId = appBundle.appId",
-                            $_REQUEST['iBundleId']);
+                            $aClean['iBundleId']);
 
 echo html_frame_start("Apps in this Bundle","300",'',0);
 echo "<table width='100%' border=0 cellpadding=3 cellspacing=0>\n\n";
@@ -63,7 +63,7 @@ if($hResult && mysql_num_rows($hResult))
         //set row color
         if ($c % 2 == 1) { $bgcolor = 'color0'; } else { $bgcolor = 'color1'; }
 		    
-        $delete_link = "[<a href='editBundle.php?sCmd=delete&iBundleId=".$_REQUEST['iBundleId']."&iAppId=$oRow->appId'>delete</a>]";
+        $delete_link = "[<a href='editBundle.php?sCmd=delete&iBundleId=".$aClean['iBundleId']."&iAppId=$oRow->appId'>delete</a>]";
 
         echo "<tr class=$bgcolor>\n";
         echo "    <td>$oRow->appName &nbsp;</td>\n";
@@ -89,7 +89,7 @@ echo html_frame_start("Application List (double click to add)","",'',2);
 build_app_list();
 echo html_frame_end();
     
-echo "<input type=\"hidden\" name=\"iBundleId\"  value=\"".$_REQUEST['iBundleId']."\">\n";
+echo "<input type=\"hidden\" name=\"iBundleId\"  value=\"".$aClean['iBundleId']."\">\n";
 echo "<input type=\"hidden\" name=\"sCmd\" value=\"add\">\n";
 echo "</form>\n";
     

admin/editDistribution.php

@@ -3,19 +3,13 @@ require("path.php");
 require(BASE."include/incl.php");
 require_once(BASE."include/distribution.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
-$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
-
 if(!$_SESSION['current']->hasPriv("admin"))
     util_show_error_page_and_exit("Insufficient privileges.");
 
-
 $oDistribution = new distribution($aClean['iDistributionId']);
 if($aClean['sSubmit'])
 {
-    $oDistribution->GetOutputEditorValues($_REQUEST);
+    $oDistribution->GetOutputEditorValues($aClean);
 
     if($oDistribution->iDistributionId)
         $oDistribution->update();

admin/editVendor.php

@@ -3,12 +3,6 @@ require("path.php");
 require(BASE."include/incl.php");
 require_once(BASE."include/vendor.php");
 
-$aClean = array(); //array of filtered user input
-$aClean['iVendorId'] = makeSafe($_REQUEST['iVendorId']);
-$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
-$aClean['sName'] = makeSafe($_REQUEST['sName']);
-$aClean['sWebpage'] = makeSafe($_REQUEST['sWebpage']);
-
 if(!$_SESSION['current']->hasPriv("admin"))
     util_show_error_page_and_exit();
 

admin/moveAppVersion.php

@@ -5,12 +5,6 @@ require_once(BASE."include/tableve.php");
 require_once(BASE."include/application.php");
 require_once(BASE."include/version.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);
-$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-$aClean['sAction'] = makeSafe($_REQUEST['sAction']);
-
 if(!is_numeric($aClean['iAppId']) OR !is_numeric($aClean['iVersionId']))
     util_show_error_page_and_exit("Wrong ID");
 

appbrowse.php

@@ -9,7 +9,6 @@
 // application environment
 require("path.php");
 require(BASE."include/"."incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/"."appdb.php");
 require_once(BASE."include/"."category.php");
 

appimage.php

@@ -17,7 +17,6 @@
 // application environment
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/screenshot.php");
 
 // an image doesn't have a link, so a cookie makes no sense

appsubmit.php

@@ -33,20 +33,6 @@ require_once(BASE."include/tableve.php");
 require_once(BASE."include/application.php");
 require_once(BASE."include/testData.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['sAppType'] = makeSafe($_REQUEST['sAppType']);
-$aClean['sSub'] = makeSafe($_REQUEST['sSub']);
-$aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);
-$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
-$aClean['sAppVendorName'] = makeSafe($_REQUEST['sAppVendorName']);
-$aClean['iVendorId'] = makeSafe($_REQUEST['iVendorId']);
-$aClean['sAppWebpage'] = makeSafe($_REQUEST['sAppWebpage']);
-$aClean['sAppKeywords'] = makeSafe($_REQUEST['sAppKeywords']);
-$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
-$aClean['sDistribution'] = makeSafe($_REQUEST['sDistribution']);
-
 function get_vendor_from_keywords($sKeywords)
 {
     $aKeywords = explode(" *** ",$sKeywords);
@@ -158,15 +144,15 @@ if ($aClean['sSub'])
         $errors = "";
         $oVersion = new Version($aClean['iVersionId']);
         $oTest = new testData($aClean['iTestingId']);
-        $errors .= $oVersion->CheckOutputEditorInput($_REQUEST);
-        $errors .= $oTest->CheckOutputEditorInput($_REQUEST);
-        $oVersion->GetOutputEditorValues($_REQUEST);
-        $oTest->GetOutputEditorValues($_REQUEST);
+        $errors .= $oVersion->CheckOutputEditorInput($aClean);
+        $errors .= $oTest->CheckOutputEditorInput($aClean);
+        $oVersion->GetOutputEditorValues($aClean);
+        $oTest->GetOutputEditorValues($aClean);
         if ($aClean['sAppType'] == "application") // application
         {
             $oApp = new Application($aClean['iAppId']);
-            $errors .= $oApp->CheckOutputEditorInput($_REQUEST);
-            $oApp->GetOutputEditorValues($_REQUEST); // load the values from $_REQUEST 
+            $errors .= $oApp->CheckOutputEditorInput($aClean);
+            $oApp->GetOutputEditorValues($aClean); // load the values from $aClean
 
             if(empty($errors))
             {

appview.php

@@ -27,14 +27,6 @@ require_once(BASE."include/category.php");
 require_once(BASE."include/maintainer.php");
 require_once(BASE."include/monitor.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);
-$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-$aClean['sSub'] = makeSafe($_REQUEST['sSub']);
-$aClean['iBuglinkId'] = makeSafe($_REQUEST['iBuglinkId']);
-$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
-
 $oApp = new Application($aClean['iAppId']);
 $oVersion = new Version($aClean['iVersionId']);
 

browse_by_rating.php

@@ -7,7 +7,6 @@
 // application environment
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/application.php");
 
 apidb_header("Browse Applications by Rating");

browse_newest_apps.php

@@ -6,7 +6,6 @@
 
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 
 /* Set default value */
 if(empty($aClean['iNumVersions']) || $aClean['iNumVersions'] > 200 || $aClean['iNumVersions'] < 0)

commentview.php

@@ -10,7 +10,6 @@
  */
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/comment.php");
 
 apidb_header("Comments");

deletecomment.php

@@ -13,7 +13,6 @@
 // application environment
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE.'include/comment.php');
 
 $oComment = new Comment($aClean['iCommentId']);

distributionView.php

@@ -8,7 +8,6 @@
  */ 
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/distribution.php");
 require_once(BASE."include/testData.php");
 

help/index.php

@@ -8,9 +8,9 @@ require(BASE."include/"."incl.php");
 
 $help_path = BASE."/help";
 
-if($_GET['sTopic'])
+if($aClean['sTopic'])
 {
-    display_help($_GET['sTopic']);
+    display_help($aClean['sTopic']);
 } else {
     display_index();    
 }
@@ -81,17 +81,17 @@ function get_help_title ($file)
 {
     $fp = @fopen($file, "r");
     if(!$fp)
-	return null;
+        return null;
 
     $line = fgets($fp, 1024);
     if(!$line)
-	return null;
+        return null;
 
     $line = trim($line);
 
     if(eregi("^<!--TITLE: (.+)-->$", $line, $arr))
     {
-	return $arr[1];
+        return $arr[1];
     }
     return "Internal Error: missing title";
 }

include/application.php

@@ -358,11 +358,8 @@ class Application {
 
     function mailSubmitter($sAction="add")
     {
-        $aClean = array(); //array of filtered user input
-
-        if(isset($_REQUEST['sReplyText']))
-            $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);	
-        else
+        global $aClean;
+        if(!isset($aClean['sReplyText']))
             $aClean['sReplyText'] = "";
 
         if($this->iSubmitterId)
@@ -432,11 +429,8 @@ class Application {
 
     function SendNotificationMail($sAction="add",$sMsg=null)
     {
-        $aClean = array(); //array of filtered user input
-
-        if(isset($_REQUEST['sReplyText']))
-            $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);	
-        else
+        global $aClean;
+        if(!isset($aClean['sReplyText']))
             $aClean['sReplyText'] = "";
 
         switch($sAction)
@@ -581,7 +575,7 @@ class Application {
         return $errors;
     }
 
-    /* retrieves values from $_REQUEST that were output by OutputEditor() */
+    /* retrieves values from $aValues that were output by OutputEditor() */
     /* $aValues can be $_REQUEST or any array with the values from OutputEditor() */
     function GetOutputEditorValues($aValues)
     {

include/bugs.php

@@ -191,9 +191,9 @@ class Bug {
 
     function mailSubmitter($bRejected=false)
     {
-        $aClean = array(); //array of filtered user input
-
-        $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
+        global $aClean;
+        if(!isset($aClean['sReplyText']))
+            $aClean['sReplyText'] = "";
 	
         if($this->iSubmitterId)
         {
@@ -298,9 +298,7 @@ class Bug {
 
 function view_version_bugs($iVersionId = null, $aBuglinkIds)
 {
-    $aClean = array(); //array of filtered user input
-
-    $aClean['buglinkId'] = makeSafe($_REQUEST['buglinkId']);
+    global $aClean;
 
     $bCanEdit = FALSE;
     $oVersion = new Version($iVersionId);

include/comment.php

@@ -366,10 +366,7 @@ class Comment {
 
     function view_app_comments($versionId, $threadId = 0)
     {
-        $aClean = array(); //array of filtered user input
-
-        $aClean['sCmode'] = makeSafe($_REQUEST['sCmode']);
-        $aClean['sMode'] = makeSafe($_REQUEST['sMode']);
+        global $aClean;
 
         // count posts
         $hResult = query_parameters("SELECT commentId FROM appComments WHERE versionId = '?'", $versionId);

include/distribution.php

@@ -257,10 +257,7 @@ class distribution{
 
     function mailSubmitter($sAction="add")
     {
-
-        $aClean = array(); //array of filtered user input
-
-        $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
+        global $aClean;
 
         if($this->iSubmitterId)
         {
@@ -301,9 +298,8 @@ class distribution{
  
     function SendNotificationMail($sAction="add",$sMsg=null)
     {
-        $aClean = array(); //array of filtered user input
+        global $aClean;
 
-        $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
         switch($sAction)
         {
             case "add":

include/filter.php

@@ -9,8 +9,19 @@ function filter_gpc()
 {
     global $aClean;
     $aKeys = array_keys($_REQUEST);
-    for($i=0;$i<sizeof($aKeys);$i++)
+    for($i=0; $i < sizeof($aKeys); $i++)
     {
+        // Special cases for variables that don't fit our filtering scheme
+        // don't filter the AppDB session cookie and MAX_FILE_SIZE
+        // and the DialogX values that xinha uses
+        if($aKeys[$i] == "whq_appdb" || ($aKeys[$i] == "MAX_FILE_SIZE") || ($aKeys[$i] == "PHPSESSID")
+           || (strpos($aKeys[$i], "Dialog") == 0) || (strpos($aKeys[$i], "pref_") == 0))
+        {
+            // copy the key over to the clean array
+            $aClean[$aKeys[$i]] = trim(strip_tags($_REQUEST[$aKeys[$i]]));
+            continue; // go to the next entry
+        }
+
         switch($aKeys[$i][0])
         {
             case "i": // integer
@@ -47,13 +58,7 @@ function filter_gpc()
                     util_show_error_page_and_exit("Fatal error: ".$aKeys[$i]." should be an array.");
             break;
             default:
-                // don't filter the AppDB session cookie and MAX_FILE_SIZE
-                // and the DialogX values that xinha uses
-                if($aKeys[$i]!="whq_appdb" && $aKeys[$i]!="MAX_FILE_SIZE" && $aKeys[$i]!="PHPSESSID"
-                   && strpos($aKeys[$i], "Dialog") == 0)
-                {
-                    util_show_error_page_and_exit("Fatal error: type of variable ".$aKeys[$i]." is not recognized.");
-                }
+                util_show_error_page_and_exit("Fatal error: type of variable ".$aKeys[$i]." is not recognized.");
                 break;
         }
     }

include/form_edit.php

@@ -1,9 +1,6 @@
 <?php
 require_once(BASE."include/util.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iUserId'] = makeSafe($_REQUEST['iUserId']);
 /*********************/
 /* Edit Account Form */
 /*********************/

include/form_login.php

@@ -1,10 +1,6 @@
 <?php
 require_once(BASE."include/util.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['sUserEmail'] = makeSafe($_POST['sUserEmail']);
-
 /**************/
 /* Login Form */
 /**************/

include/form_new.php

@@ -1,12 +1,6 @@
 <?php
 require_once(BASE."include/util.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['sUserEmail'] = makeSafe($_POST['sUserEmail']);
-$aClean['sUserRealname'] = makeSafe($_POST['realname']);
-
-
 /********************/
 /* New Account Form */
 /********************/

include/incl.php

@@ -82,6 +82,9 @@ if(isset($_REQUEST['mode']))
 /* End backwards compatibility code */
 
 
+// include filter.php to filter all REQUEST input
+require(BASE."include/filter.php");
+
 
 // create arrays
 $sidebar_func_list = array();
@@ -285,7 +288,11 @@ function dumpmsgbuffer()
 $session = new session("whq_appdb");
 $session->register("current");
 
-if(!isset($_SESSION['current'])) $_SESSION['current'] = new User();
+if(!isset($_SESSION['current']))
+{
+    echo "Session not set, creating new user";
+    $_SESSION['current'] = new User();
+}
 
 // if we are debugging we need to see all errors
 if($_SESSION['current']->showDebuggingInfos()) error_reporting(E_ALL ^ E_NOTICE);

include/note.php

@@ -2,12 +2,6 @@
 require_once(BASE."include/util.php");
 require_once(BASE."include/version.php");
 
-$aClean = array(); //array of filtered user input
-if(isset($_REQUEST['sReplyText']))
-    $aClean['sReplyText'] = makeSafe( $_REQUEST['sReplyText'] );
-else
-    $aClean['sReplyText'] = "";
-
 /************************************/
 /* note class and related functions */
 /************************************/
@@ -257,7 +251,7 @@ class Note {
         echo html_frame_end();
     }
 
-    /* retrieves values from $_REQUEST that were output by OutputEditor() */
+    /* retrieves values from $aValue that were output by OutputEditor() */
     /* $aValues can be $_REQUEST or any array with the values from OutputEditor() */
     function GetOutputEditorValues($aValues)
     {

include/screenshot.php

@@ -302,9 +302,7 @@ class Screenshot {
 
     function mailSubmitter($bRejected=false)
     {
-        $aClean = array(); //array of filtered user input
-
-        $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
+        global $aClean;
 
         if($this->iSubmitterId)
         {

include/sidebar.php

@@ -6,11 +6,9 @@ require_once(BASE."include/distribution.php");
 require_once(BASE."include/vendor.php");
 require_once(BASE."include/util.php");
   
-function global_sidebar_menu() {
-     
-    $aClean = array(); //array of filtered user input
-
-    $aClean['sSearchQuery'] = makeSafe($_REQUEST['sSearchQuery']);
+function global_sidebar_menu()
+{
+    global $aClean;
 
     $g = new htmlmenu(APPDB_OWNER." Menu");
     $g->add(APPDB_OWNER, APPDB_OWNER_URL);

include/testData.php

@@ -245,10 +245,7 @@ class testData{
 
     function mailSubmitter($sAction="add")
     {
-
-        $aClean = array(); //array of filtered user input
-
-        $aClean = makeSafe($_REQUEST['sReplyText']);
+        global $aClean;
 
         if($this->iSubmitterId)
         {
@@ -290,9 +287,7 @@ class testData{
  
     function SendNotificationMail($sAction="add",$sMsg=null)
     {
-        $aClean = array(); //array of filtered user input
-
-        $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
+        global $aClean;
 
         $oVersion = new Version($this->iVersionId);
         $oApp = new Application($oVersion->iAppId);
@@ -374,13 +369,12 @@ class testData{
     // Show the Test results for a application version
     function ShowVersionsTestingTable($link, $iDisplayLimit)
     {
+        global $aClean;
+
         /* escape input parameters */
         $link = mysql_real_escape_string($link);
         $iDisplayLimit = mysql_real_escape_string($iDisplayLimit);
 
-        $aClean = array(); //array of filtered user input
-        $aClean['showAll'] = makeSafe($_REQUEST['showAll']);
-
         $showAll = $aClean['showAll'];
 
         $sQuery = "SELECT * 
@@ -559,7 +553,7 @@ class testData{
         echo html_frame_end();
     }
 
-    /* $aValues can be $_REQUEST or any array with the values from OutputEditor() */
+    /* $aValues can be $aValues or any array with the values from OutputEditor() */
     function CheckOutputEditorInput($aValues, $sDistribution="")
     {
         $errors = "";
@@ -603,7 +597,7 @@ class testData{
 
     }
 
-    /* retrieves values from $_REQUEST that were output by OutputEditor() */
+    /* retrieves values from $aValues that were output by OutputEditor() */
     /* $aValues can be $_REQUEST or any array with the values from OutputEditor() */
     function GetOutputEditorValues($aValues)
     {

include/url.php

@@ -51,10 +51,7 @@ class Url {
      */
     function create($sDescription = null, $sUrl = null, $iVersionId = null, $iAppId = null)
     {
-        $aClean = array(); //array of filtered user input
-
-        $aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-        $aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);
+        global $aClean;
 
         // Security, if we are not an administrator or a maintainer, the url must be queued.
         if(!($_SESSION['current']->hasPriv("admin") || $_SESSION['current']->isMaintainer($aClean['iVersionId']) || $_SESSION['current']->isSupermaintainer($aClean['iAppId'])))
@@ -180,9 +177,8 @@ class Url {
     
     function mailSubmitter($bRejected=false)
     {
-        $aClean = array(); //array of filtered user input
+        global $aClean;
 
-        $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
         if($this->iSubmitterId)
         {
             $sAppName = Application::lookup_name($this->appId)." ".Version::lookup_name($this->versionId);

include/util.php

@@ -552,91 +552,93 @@ function outputSearchTableForhResult($search_words, $hResult)
 
 /* pass in $isVersion of true if we are processing changes for an app version */
 /* or false if processing changes for an application family */
-function process_app_version_changes($isVersion)
+function process_app_version_changes($bIsVersion)
 {
+    global $aClean;
+
     /* load up the version or application depending on which values are set */
-    if($isVersion)
-        $oVersion = new Version($_REQUEST['iVersionId']);
+    if($bIsVersion)
+        $oVersion = new Version($aClean['iVersionId']);
     else
-        $oApp = new Application($_REQUEST['iAppId']);
+        $oApp = new Application($aClean['iAppId']);
 
     // commit changes of form to database
-    if(($_REQUEST['sSubmit'] == "Update Database") && $isVersion) /* is a version */
+    if(($aClean['sSubmit'] == "Update Database") && $bIsVersion) /* is a version */
     {
-        $oVersion->GetOutputEditorValues($_REQUEST);
+        $oVersion->GetOutputEditorValues($aClean);
         $oVersion->update();
-    } else if(($_REQUEST['sSubmit'] == "Update Database") && !$isVersion) /* is an application */
+    } else if(($aClean['sSubmit'] == "Update Database") && !$bIsVersion) /* is an application */
     {
-        $oApp->GetOutputEditorValues($_REQUEST);
+        $oApp->GetOutputEditorValues($aClean);
         $oApp->update();
-    } else if($_REQUEST['sSubmit'] == "Update URL")
+    } else if($aClean['sSubmit'] == "Update URL")
     {
         $sWhatChanged = "";
         $bAppChanged = false;
 
-        if (!empty($_REQUEST['sUrlDesc']) && !empty($_REQUEST['sUrl']) )
+        if (!empty($aClean['sUrlDesc']) && !empty($aClean['sUrl']) )
         {
             // process added URL
-            if($_SESSION['current']->showDebuggingInfos()) { echo "<p align=center><b>{$_REQUEST['sUrl']}:</b> {$_REQUEST['sUrlDesc']} </p>"; }
+            if($_SESSION['current']->showDebuggingInfos()) { echo "<p align=center><b>{$aClean['sUrl']}:</b> {$aClean['sUrlDesc']} </p>"; }
 
-            if($isVersion)
+            if($bIsVersion)
             {
                 $hResult = query_parameters("INSERT INTO appData (versionId, type, description, url) ".
                                             "VALUES ('?', '?', '?', '?')",
-                                            $_REQUEST['iVersionId'], "url", $_REQUEST['sUrlDesc'],
-                                            $_REQUEST['sUrl']);
+                                            $aClean['iVersionId'], "url", $aClean['sUrlDesc'],
+                                            $aClean['sUrl']);
             } else
             {
                 $hResult = query_parameters("INSERT INTO appData (appId, type, description, url) ".
                                             "VALUES ('?', '?', '?', '?')",
-                                            $_REQUEST['iAppId'], "url", $_REQUEST['sUrlDesc'],
-                                            $_REQUEST['sUrl']);
+                                            $aClean['iAppId'], "url", $aClean['sUrlDesc'],
+                                            $aClean['sUrl']);
             
             }
             
             if ($hResult)
             {
                 addmsg("The URL was successfully added into the database", "green");
-                $sWhatChanged .= "  Added Url:     Description: ".stripslashes($_REQUEST['sUrlDesc'])."\n";
-                $sWhatChanged .= "                         Url: ".stripslashes($_REQUEST['sUrl'])."\n";
+                $sWhatChanged .= "  Added Url:     Description: ".stripslashes($aClean['sUrlDesc'])."\n";
+                $sWhatChanged .= "                         Url: ".stripslashes($aClean['sUrl'])."\n";
                 $bAppChanged = true;
             }
         }
         
         // Process changed URLs  
-        for($i = 0; $i < $_REQUEST['iRows']; $i++)
+        for($i = 0; $i < $aClean['iRows']; $i++)
         {
-            if($_SESSION['current']->showDebuggingInfos()) { echo "<p align=center><b>{$_REQUEST['adescription'][$i]}:</b> {$_REQUEST['aURL'][$i]}: {$_REQUEST['adelete'][$i]} : {$_REQUEST['aId'][$i]} : .{$_REQUEST['aOldDesc'][$i]}. : {$_REQUEST['aOldURL'][$i]}</p>"; }
+            if($_SESSION['current']->showDebuggingInfos()) { echo "<p align=center><b>{$aClean['adescription'][$i]}:</b> {$aClean['aURL'][$i]}: {$aClean['adelete'][$i]} : {$aClean['aId'][$i]} : .{$aClean['aOldDesc'][$i]}. : {$aClean['aOldURL'][$i]}</p>"; }
 
-            if ($_REQUEST['adelete'][$i] == "on")
+            if ($aClean['adelete'][$i] == "on")
             {
-                $hResult = query_parameters("DELETE FROM appData WHERE id = '?'", $_REQUEST['aId'][$i]);
+                $hResult = query_parameters("DELETE FROM appData WHERE id = '?'", $aClean['aId'][$i]);
 
                 if($hResult)
                 {
-                    addmsg("<p><b>Successfully deleted URL ".$_REQUEST['aOldDesc'][$i]." (".$_REQUEST['aOldURL'][$i].")</b></p>\n",'green');
-                    $sWhatChanged .= "Deleted Url:     Description: ".stripslashes($_REQUEST['aOldDesc'][$i])."\n";
-                    $sWhatChanged .= "                         url: ".stripslashes($_REQUEST['aOldURL'][$i])."\n";
+                    addmsg("<p><b>Successfully deleted URL ".$aClean['aOldDesc'][$i]." (".$aClean['aOldURL'][$i].")</b></p>\n",'green');
+                    $sWhatChanged .= "Deleted Url:     Description: ".stripslashes($aClean['aOldDesc'][$i])."\n";
+                    $sWhatChanged .= "                         url: ".stripslashes($aClean['aOldURL'][$i])."\n";
                     $bAppChanged = true;
                 }
 
 
             }
-            else if( $_REQUEST['aURL'][$i] != $_REQUEST['aOldURL'][$i] || $_REQUEST['adescription'][$i] != $_REQUEST['aOldDesc'][$i])
+            else if( $aClean['aURL'][$i] != $aClean['aOldURL'][$i] || $aClean['adescription'][$i] != $aClean['aOldDesc'][$i])
             {
-                if(empty($_REQUEST['aURL'][$i]) || empty($_REQUEST['adescription'][$i]))
+                if(empty($aClean['aURL'][$i]) || empty($aClean['adescription'][$i]))
                     addmsg("The URL or description was blank. URL not changed in the database", "red");
                 else
                 {
                     if (query_parameters("UPDATE appData SET description = '?', url = '?' WHERE id = '?'",
-                                         $_REQUEST['adescription'][$i], $_REQUEST['aURL'][$i],
-                                         $_REQUEST['aId'][$i]))
+                                         $aClean['adescription'][$i], $aClean['aURL'][$i],
+                                         $aClean['aId'][$i]))
                     {
-                         addmsg("<p><b>Successfully updated ".$_REQUEST['aOldDesc'][$i]." (".$_REQUEST['aOldURL'][$i].")</b></p>\n",'green');
-                         $sWhatChanged .= "Changed Url: Old Description: ".stripslashes($_REQUEST['aOldDesc'][$i])."\n";
-                         $sWhatChanged .= "                     Old Url: ".stripslashes($_REQUEST['aOldURL'][$i])."\n";
-                         $sWhatChanged .= "             New Description: ".stripslashes($_REQUEST['adescription'][$i])."\n";
-                         $sWhatChanged .= "                     New url: ".stripslashes($_REQUEST['aURL'][$i])."\n";
+                         addmsg("<p><b>Successfully updated ".$aClean['aOldDesc'][$i]." (".$aClean['aOldURL'][$i].")</b></p>\n",'green');
+                         $sWhatChanged .= "Changed Url: Old Description: ".stripslashes($aClean['aOldDesc'][$i])."\n";
+                         $sWhatChanged .= "                     Old Url: ".stripslashes($aClean['aOldURL'][$i])."\n";
+                         $sWhatChanged .= "             New Description: ".stripslashes($aClean['adescription'][$i])."\n";
+                         $sWhatChanged .= "                     New url: ".stripslashes($aClean['aURL'][$i])."\n";
                          $bAppChanged = true;
                     }
                 }
@@ -644,16 +646,16 @@ function process_app_version_changes($isVersion)
         }
         if ($bAppChanged)
         {
-            $sEmail = User::get_notify_email_address_list($_REQUEST['iAppId']);
-            $oApp = new Application($_REQUEST['iAppId']);
+            $sEmail = User::get_notify_email_address_list($aClean['iAppId']);
+            $oApp = new Application($aClean['iAppId']);
             if($sEmail)
             {
-                if($isVersion)
+                if($bIsVersion)
                     $sSubject = "Links for ".$oApp->sName." ".$oVersion->sName." have been updated by ".$_SESSION['current']->sRealname;
                 else
                     $sSubject = "Links for ".$oApp->sName." have been updated by ".$_SESSION['current']->sRealname;
                     
-                $sMsg  = APPDB_ROOT."appview.php?iAppId=".$_REQUEST['iAppId']."\n";
+                $sMsg  = APPDB_ROOT."appview.php?iAppId=".$aClean['iAppId']."\n";
                 $sMsg .= "\n";
                 $sMsg .= "The following changes have been made:";
                 $sMsg .= "\n";

include/version.php

@@ -393,12 +393,10 @@ class Version {
 
     function mailSubmitter($sAction="add")
     {
-        $aClean = array(); //array of filtered user input
+        global $aClean; //FIXME: we should pass the sReplyText value in
 
         // use 'sReplyText' if it is defined, otherwise define the value as an empty string
-        if(isset($_REQUEST['sReplyText']))
-            $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
-        else
+        if(!isset($aClean['sReplyText']))
             $aClean['sReplyText'] = "";
 
         if($this->iSubmitterId)
@@ -436,12 +434,10 @@ class Version {
  
     function SendNotificationMail($sAction="add",$sMsg=null)
     {
-        $aClean = array(); //array of filtered user input
+        global $aClean;
         
         // use 'sReplyText' if it is defined, otherwise define the value as an empty string
-        if(isset($_REQUEST['sReplyText']))
-            $aClean['sReplyText'] = makeSafe($_REQUEST['sReplyText']);
-        else
+        if(!isset($aClean['sReplyText']))
             $aClean['sReplyText'] = "";
 
         $oApp = new Application($this->iAppId);
@@ -601,7 +597,7 @@ class Version {
         return $errors;
     }
 
-    /* retrieves values from $_REQUEST that were output by OutputEditor() */
+    /* retrieves values from $aValues that were output by OutputEditor() */
     /* $aValues can be $_REQUEST or any array with the values from OutputEditor() */
     function GetOutputEditorValues($aValues)
     {

include/vote.php

@@ -9,7 +9,6 @@ define('MAX_VOTES',3);
  */
 function vote_count($iAppId, $iUserId = null)
 {
-
     if(!$iUserId)
     {
         if($_SESSION['current']->isLoggedIn())
@@ -78,7 +77,6 @@ function vote_add($iAppId, $iSlot, $iUserId = null)
  */
 function vote_remove($iSlot, $iUserId = null)
 {
-    
     if(!$iUserId)
     {
         if($_SESSION['current']->isLoggedIn())
@@ -114,9 +112,7 @@ function vote_get_user_votes($iUserId = null)
 
 function vote_menu()
 {
-
-    $aClean = array(); //array of filtered user input
-    $aClean['iAppId'] = makeSafe($_REQUEST['iAppId']);
+    global $aClean;
 
     $m = new htmlmenu("Votes","updatevote.php");
     

maintainerdelete.php

@@ -23,13 +23,6 @@ require(BASE."include/incl.php");
 require_once(BASE."include/category.php");
 require_once(BASE."include/application.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iAppId'] = makeSafe($_POST['iAppId']);
-$aClean['iVersionId'] = makeSafe($_POST['iVersionId']);
-$aClean['iConfirmed'] = makeSafe($_POST['iConfirmed']);
-$aClean['iSuperMaintainer'] = makeSafe($_POST['iSuperMaintainer']);
-
 if(!$_SESSION['current']->isLoggedIn())
     util_show_error_page_and_exit("You need to be logged in to resign from being a maintainer.");
 

maintainersubmit.php

@@ -21,13 +21,6 @@ require(BASE."include/incl.php");
 require_once(BASE."include/application.php");
 require_once(BASE.'include/version.php');
 
-$aClean = array(); //array of filtered user input
-
-$aClean['sMaintainReason'] = makeSafe($_REQUEST['sMaintainReason']);
-$aClean['iAppId'] = makeSafe($_POST['iAppId']);
-$aClean['iVersionId'] = makeSafe(strip_tags($_POST['iVersionId']));
-$aClean['iSuperMaintainer'] = makeSafe($_POST['iSuperMaintainer']);
-
 
 /**
  * Check the input of a submitted form. And output with a list

preferences.php

@@ -71,28 +71,6 @@ function show_user_fields($oUser)
 }
 
 
-$aClean = array(); //array of filtered user input
-
-$aClean['iUserId'] = makeSafe($_REQUEST['iUserId']);
-$aClean['iLimit'] = makeSafe($_REQUEST['iLimit']);
-$aClean['sOrderBy'] = makeSafe($_REQUEST['sOrderBy']);
-$aClean['sUserPassword'] = makeSafe($_REQUEST['sUserPassword']);
-$aClean['sUserPassword2'] = makeSafe($_REQUEST['sUserPassword2']);
-$aClean['sUserEmail'] = makeSafe($_REQUEST['sUserEmail']);
-$aClean['sUserRealname'] = makeSafe($_REQUEST['sUserRealname']);
-$aClean['sWineRelease'] = makeSafe($_REQUEST['sWineRelease']);
-$aClean['sHasAdmin'] = makeSafe($_POST['sHasAdmin']); 
-
-/* filter all of the preferences */
-while(list($sKey, $sValue) = each($_REQUEST))
-{
-    if(ereg("^pref_(.+)$", $sKey, $arr))
-        $aClean[$sKey] = makeSafe($sValue);
-}
-
-
-
-
 if(!$_SESSION['current']->isLoggedIn())
     util_show_error_page_and_exit("You must be logged in to edit preferences");
 
@@ -109,7 +87,7 @@ if($_SESSION['current']->hasPriv("admin") &&
     $oUser = &$_SESSION['current'];
 }
 
-if($_POST)
+if($aClean['sSubmit'] == "Update")
 {
     while(list($sKey, $sValue) = each($aClean))
     {
@@ -184,7 +162,7 @@ if($oUser->iUserId != $aClean['iUserId']) build_prefs_list($oUser);
 
 echo html_table_end();
 echo html_frame_end();
-echo "<br /> <div align=center> <input type=\"submit\" value=\"Update\" /> </div> <br />\n";
+echo "<br /> <div align=center> <input type=\"submit\" name='sSubmit' value=\"Update\" /> </div> <br />\n";
 echo "</form>\n";
 
 apidb_footer();

screenshots.php

@@ -21,7 +21,6 @@
 // application environment
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/screenshot.php");
 require_once(BASE."include/application.php");
 require_once(BASE."include/version.php");

search.php

@@ -12,7 +12,6 @@
 // application environment
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 
 apidb_header("Search Results");
 perform_search_and_output_results($aClean['sSearchQuery']);

testResults.php

@@ -10,14 +10,6 @@ require_once(BASE."include/application.php");
 require_once(BASE."include/testData.php");
 require_once(BASE."include/distribution.php");
 
-$aClean = array(); //array of filtered user input
-
-$aClean['sSub'] = makeSafe($_REQUEST['sSub']);
-$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
-$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
-$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
-$aClean['sDistribution'] = makeSafe($_REQUEST['sDistribution']);
-
 //deny access if not logged on
 if(!$_SESSION['current']->isLoggedIn())
     util_show_error_page_and_exit("Insufficient privileges to create test results.  Are you sure you are logged in?");
@@ -33,8 +25,8 @@ if ($aClean['sSub'])
     // Submit or Resubmit the new test results
     if (($aClean['sSub'] == 'Submit') || ($aClean['sSub'] == 'Resubmit'))
     {
-        $errors = $oTest->CheckOutputEditorInput($_REQUEST);
-        $oTest->GetOutputEditorValues($_REQUEST); // retrieve the values from the current $_REQUEST 
+        $errors = $oTest->CheckOutputEditorInput($aClean);
+        $oTest->GetOutputEditorValues($aClean); // retrieve the values from the current $aClean
         if(empty($errors))
         {
             if(!$aClean['iDistributionId'])

vendorview.php

@@ -8,7 +8,6 @@
  */ 
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/application.php");
 require_once(BASE."include/vendor.php");
 

viewScreenshots.php

@@ -6,7 +6,6 @@
 
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/screenshot.php");
 require_once(BASE."include/application.php");
 

viewbugs.php

@@ -12,7 +12,6 @@
 // application environment
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 
 /* code to View versions affected by a Bug */
 

votestats.php

@@ -10,7 +10,6 @@
 // application environment
 require("path.php");
 require(BASE."include/incl.php");
-require(BASE."include/filter.php");
 require_once(BASE."include/category.php");
 
 // set default values and check if the value makes sense