
improved data filtering in controllers

master
Piotr Dergun 10 years ago
parent
commit
2a335e9c6c
3 changed files with 109 additions and 104 deletions
  1. +42
    -53
      inc/controllers/AdminController.class.php
  2. +42
    -48
      inc/controllers/MainController.class.php
  3. +25
    -3
      inc/misc_functions.php

+ 42
- 53
inc/controllers/AdminController.class.php View File

@ -59,6 +59,7 @@ class AdminController extends Controller
if ($this->loadDependencies())
{
$this->loadModel('UsersModel');
get_clean('id', $this->db);
$user_info = $this->getModel('UsersModel')->getUserInformation($_GET['id'], true);
if ($user_info == null)
@ -72,13 +73,13 @@ class AdminController extends Controller
if (isset($_POST['nick'], $_POST['passwd'], $_POST['passwd_confirm'], $_POST['email']))
{
//secure pools
$_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
$_POST['passwd'] = trim($_POST['passwd']);
$_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
$_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
$_POST['location'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['location'])));
$_POST['signature'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['signature'])));
$_POST['user_rank'] = trim(strip_tags($this->db->real_escape_string($_POST['user_rank'])));
post_clean('nick', $this->db, array('spchars'));
post_clean('passwd', $this->db, array());
post_clean('passwd_confirm', $this->db, array());
post_clean('email', $this->db);
post_clean('location', $this->db, array('spchars'));
post_clean('signature', $this->db, array('spchars'));
post_clean('user_rank', $this->db);
if ($_POST['passwd'] != '')
{
@ -154,12 +155,11 @@ class AdminController extends Controller
}
}
$_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : $user_info['nick'];
$_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : $user_info['email'];
$_POST['location'] = (isset($_POST['location'])) ? stripslashes($_POST['location']) : $user_info['location'];
$_POST['signature'] = (isset($_POST['signature'])) ? stripslashes($_POST['signature']) : $user_info['signature'];
$_POST['user_rank'] = (isset($_POST['user_rank'])) ? $_POST['user_rank'] : $user_info['rank'];
post_default('nick', $user_info['nick']);
post_default('email', $user_info['email']);
post_default('location', $user_info['location']);
post_default('signature', $user_info['signature']);
post_default('user_rank', $user_info['rank']);
$this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
if (!isset($lockv))
@ -193,10 +193,10 @@ class AdminController extends Controller
else
$_GET['rank'] = '';
$_POST['sort_type'] = (isset($_POST['sort_type'])) ? $this->db->real_escape_string($_POST['sort_type']) : 'regdate';
post_default('sort_type', 'regdate');
$allowed_sorting = array('regdate', 'lastvisit', 'nick', 'post_count');
if (!in_array($_POST['sort_type'], $allowed_sorting))
$_POST['sort_type'] = '';
$_POST['sort_type'] = 'regdate';
$_POST['sort_desc'] = (isset($_POST['sort_desc'])) ? 'DESC' : 'ASC';
$this->getView('MainView')->admin_userlist();
@ -211,7 +211,7 @@ class AdminController extends Controller
$this->loadModel('UsersModel');
$this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$user_info = $this->getModel('UsersModel')->getUserInformation($_GET['id']);
if ($user_info == null)
@ -228,7 +228,6 @@ class AdminController extends Controller
}
}
if (isset($_POST['confirmed']) && !isset($lockv))
{
if (!isset($_POST['rejected']))
@ -258,8 +257,8 @@ class AdminController extends Controller
if (isset($_POST['forum_name'], $_POST['forum_desc']))
{
$_POST['forum_name'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_name'])));
$_POST['forum_desc'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_desc'])));
post_clean('forum_name', $this->db, array('spchars'));
post_clean('forum_desc', $this->db, array('spchars'));
if (strlen($_POST['forum_name']) < 3)
{
@ -289,8 +288,8 @@ class AdminController extends Controller
}
}
$_POST['forum_name'] = (isset($_POST['forum_name'])) ? stripslashes($_POST['forum_name']) : $this->getModel('ConfigModel')->getConf('forum_name');
$_POST['forum_desc'] = (isset($_POST['forum_desc'])) ? stripslashes($_POST['forum_desc']) : $this->getModel('ConfigModel')->getConf('forum_desc');
post_default('forum_name', $this->getModel('ConfigModel')->getConf('forum_name'));
post_default('forum_desc', $this->getModel('ConfigModel')->getConf('forum_desc'));
if (!isset($lockv))
{
$this->getView('MainView')->admin_config($msg);
@ -343,7 +342,8 @@ class AdminController extends Controller
if ($this->loadDependencies())
{
$this->loadModel('ForumsModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$forum_info = $this->getModel('ForumsModel')->getForum($_GET['id']);
if ($forum_info == null)
@ -375,7 +375,8 @@ class AdminController extends Controller
if ($this->loadDependencies())
{
$this->loadModel('ForumsModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$cat_info = $this->getModel('ForumsModel')->getCat($_GET['id']);
if ($cat_info == null)
@ -410,7 +411,7 @@ class AdminController extends Controller
if ($m == 'edit')
{
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$cat_info = $this->getModel('ForumsModel')->getCat($_GET['id']);
if ($cat_info == null)
@ -423,7 +424,7 @@ class AdminController extends Controller
if (isset($_POST['name']) && !isset($lockv))
{
$_POST['name'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['name'])));
post_clean('name', $this->db, array('spchars'));
if (strlen($_POST['name']) < 3)
$msg .= 'Category name is too short (min 3 characters)!<br>';
@ -446,10 +447,7 @@ class AdminController extends Controller
if (!isset($lockv))
{
if ($m == 'add')
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
else
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $cat_info['name'];
post_default('name', ($m == 'add') ? '' : $cat_info['name']);
$this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
$this->getView('MainView')->admin_cat_form($msg, $m);
@ -464,7 +462,7 @@ class AdminController extends Controller
if ($m == 'edit')
{
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_cat('id', $this->db);
$forum_info = $this->getModel('ForumsModel')->getForum($_GET['id']);
if ($forum_info == null)
@ -477,10 +475,10 @@ class AdminController extends Controller
if (isset($_POST['name']) && !isset($lockv))
{
$_POST['name'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['name'])));
$_POST['desc'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['desc'])));
$_POST['category_id'] = trim(strip_tags($this->db->real_escape_string($_POST['category_id'])));
$_POST['locked'] = trim(strip_tags($this->db->real_escape_string($_POST['locked'])));
post_clean('name', $this->db, array('spchars'));
post_clean('desc', $this->db, array('spchars'));
post_clean('category_id', $this->db);
post_clean('locked', $this->db);
$_POST['locked'] = ($_POST['locked'] == true) ? true : false;
if (strlen($_POST['name']) < 3)
@ -510,20 +508,10 @@ class AdminController extends Controller
if (!isset($lockv))
{
if ($m == 'add')
{
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
$_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : '';
$_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : '';
$_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : '';
}
else
{
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $forum_info['name'];
$_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : $forum_info['desc'];
$_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : $forum_info['category_id'];
$_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : $forum_info['locked'];
}
post_default('name', ($m == 'add') ? '' : $forum_info['name']);
post_default('desc', ($m == 'add') ? '' : $forum_info['desc']);
post_default('category_id', ($m == 'add') ? '' : $forum_info['category_id']);
post_default('locked', ($m == 'add') ? '' : $forum_info['locked']);
$this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
$this->getView('MainView')->admin_forum_form($msg, $m);
@ -541,7 +529,8 @@ class AdminController extends Controller
if ($this->loadDependencies())
{
$this->loadModel('BansModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$ban_info = $this->getModel('BansModel')->getBan($_GET['id']);
if ($ban_info == null)
@ -579,8 +568,8 @@ class AdminController extends Controller
if (isset($_POST['user_id'], $_POST['reason']))
{
$_POST['user_id'] = trim(strip_tags($this->db->real_escape_string($_POST['user_id'])));
$_POST['reason'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['reason'])));
post_clean('user_id', $this->db);
post_clean('reason', $this->db, array('spchars'));
if ($_POST['user_id'] == $this->getModel('SessionModel')->getID())
$msg .= 'You cannot ban your profile!<br>';
@ -601,8 +590,8 @@ class AdminController extends Controller
if (!isset($lockv))
{
$_POST['user_id'] = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
$_POST['reason'] = (isset($_POST['reason'])) ? stripslashes($_POST['reason']) : '';
post_default('user_id', '');
post_default('reason', '');
$this->getView('MainView')->admin_ban_form($msg);
}
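Review bot: `get_cat('id', $this->db);` in the forum-edit branch (hunk -464,7 +462,7) calls a function that is not defined anywhere in this commit — every other site was converted to `get_clean`, and misc_functions.php only defines `input_clean`, `post_clean` and `get_clean` — so unless `get_cat` exists in a file not shown here, opening a forum for editing fails with a fatal undefined-function error before `getForum()` runs. It should read `get_clean('id', $this->db);` like the parallel category-edit hunk at +411. The enclosing method starts and ends outside the hunk.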

+ 42
- 48
inc/controllers/MainController.class.php View File

@ -49,7 +49,7 @@ class MainController extends Controller
$this->loadModel('ForumsModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$f = $this->getModel('ForumsModel')->getForum($_GET['id']);
@ -87,10 +87,10 @@ class MainController extends Controller
else
$_GET['rank'] = '';
$_POST['sort_type'] = (isset($_POST['sort_type'])) ? $this->db->real_escape_string($_POST['sort_type']) : 'regdate';
post_default('sort_type', 'regdate');
$allowed_sorting = array('regdate', 'lastvisit', 'nick', 'post_count');
if (!in_array($_POST['sort_type'], $allowed_sorting))
$_POST['sort_type'] = '';
$_POST['sort_type'] = 'regdate';
$_POST['sort_desc'] = (isset($_POST['sort_desc'])) ? 'DESC' : 'ASC';
$this->getView('MainView')->userlist();
@ -99,11 +99,9 @@ class MainController extends Controller
public function viewtopic()
{
$this->loadDependencies();
$this->loadModel('PostsModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$t = $this->getModel('PostsModel')->getTopic($_GET['id']);
if ($t == null)
@ -141,8 +139,8 @@ class MainController extends Controller
$this->loadModel('PostsModel');
$this->loadModel('ForumsModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
$_GET['submode'] = (isset($_GET['submode'])) ? trim(strip_tags($this->db->real_escape_string($_GET['submode']))) : 0;
get_clean('id', $this->db);
get_clean('submode', $this->db, false);
if (!$this->getModel('SessionModel')->isLogged())
{
@ -210,13 +208,11 @@ class MainController extends Controller
case 'deletepost':
$this->getModel('PostsModel')->deletePost($_GET['id']);
$this->getView('MainView')->forum_message('Post deleted. Redirecting...', buildURL('index.php?mode=viewtopic&amp;id='.$p['topic_id']));
$lockv = true;
break;
case 'deletetopic':
$this->getModel('PostsModel')->deleteTopic($_GET['id']);
$this->getView('MainView')->forum_message('Topic deleted. Redirecting...', buildURL('index.php?mode=viewforum&amp;id='.$t['forum_id']));
$lockv = true;
break;
case 'locktopic':
@ -230,8 +226,8 @@ class MainController extends Controller
$this->getModel('PostsModel')->lockTopic($_GET['id'], false);
$this->getView('MainView')->forum_message('Topic unlocked. Redirecting...', buildURL('index.php?mode=viewtopic&amp;id='.$_GET['id']));
}
$lockv = true;
break;
case 'sticktopic':
if ($t['topic_sticky'] == false)
{
@ -243,8 +239,8 @@ class MainController extends Controller
$this->getModel('PostsModel')->stickTopic($_GET['id'], false);
$this->getView('MainView')->forum_message('Topic unsticked. Redirecting...', buildURL('index.php?mode=viewtopic&amp;id='.$_GET['id']));
}
$lockv = true;
break;
case 'movetopic':
if ($this->getModel('ForumsModel')->getForum($_POST['forum_id']) == null)
$this->getView('MainView')->forum_message('Forum does not exist!', buildURL('index.php?mode=viewtopic&amp;id='.$_GET['id']));
@ -253,10 +249,10 @@ class MainController extends Controller
$this->getModel('PostsModel')->moveTopic($_GET['id'], $_POST['forum_id']);
$this->getView('MainView')->forum_message('Topic moved. Redirecting...', buildURL('index.php?mode=viewtopic&amp;id='.$_GET['id']));
}
$lockv = true;
break;
break;
}
$lockv = true;
}
else
{
@ -307,12 +303,11 @@ class MainController extends Controller
public function posting($type)
{
$this->loadDependencies();
$msg = '';
$this->loadModel('PostsModel');
$this->loadModel('ForumsModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
$msg = '';
get_clean('id', $this->db);
if (!$this->getModel('SessionModel')->isLogged())
{
@ -365,7 +360,7 @@ class MainController extends Controller
if ($type == POSTING_QUOTE)
{
$_GET['q'] = (isset($_GET['q'])) ? trim(strip_tags($this->db->real_escape_string($_GET['q']))) : 0;
get_clean('q', $this->db);
$qp = $this->getModel('PostsModel')->getPost($_GET['q']);
if ($qp == null)
@ -425,11 +420,11 @@ class MainController extends Controller
//posting a HTML form --------------------------------------------------------------------------------
if (isset($_POST['post']) && !isset($_POST['preview']) && !isset($lockv))
{
$_POST['post'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['post'])));
post_clean('post', $this->db, array('spchars'));
if ($type == POSTING_NEWTOPIC || $type == POSTING_EDITTOPIC) //walidacja tytułu tematu (add, edit)
{
$_POST['topic'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['topic'])));
post_clean('topic', $this->db, array('spchars'));
if (strlen($_POST['topic']) < 3)
$msg .= 'Topic title is too short (min 3 characters)<br>';
@ -481,23 +476,23 @@ class MainController extends Controller
{
case POSTING_NEWTOPIC:
case POSTING_REPLY:
$_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : '';
post_default('post', '');
break;
case POSTING_EDITTOPIC:
$_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : $p['content'];
$_POST['topic'] = (isset($_POST['topic'])) ? stripslashes($_POST['topic']) : $t['topic_title'];
post_default('post', $p['content']);
post_default('topic', $t['topic_title']);
break;
case POSTING_EDIT:
$_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : $p['content'];
post_default('post', $p['content']);
break;
case POSTING_QUOTE:
$quote = ($qp['nick'] != null) ? '='.$qp['nick'] : '';
$_POST['post'] = (isset($_POST['post'])) ? stripslashes($_POST['post']) : '[quote'.$quote.']'.$qp['content'].'[/quote]';
post_default('post', '[quote'.$quote.']'.$qp['content'].'[/quote]');
break;
}
if ($type == POSTING_NEWTOPIC)
$_POST['topic'] = (isset($_POST['topic'])) ? stripslashes($_POST['topic']) : '';
post_default('topic', '');
$this->getView('MainView')->putExistingModel('PostsModel', $this->getModel('PostsModel'));
$this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
@ -522,7 +517,7 @@ class MainController extends Controller
$this->loadModel('UsersModel');
$this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
if ($this->getModel('UsersModel')->getUserInformation($_GET['id']) == null)
$this->getView('MainView')->forum_message('User does not exist!', buildURL('index.php'));
@ -548,13 +543,13 @@ class MainController extends Controller
if (isset($_POST['nick'], $_POST['passwd'], $_POST['passwd_confirm'], $_POST['email']))
{
//secure pools
$_POST['nick'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['nick'])));
$_POST['passwd_old'] = trim($_POST['passwd_old']);
$_POST['passwd'] = trim($_POST['passwd']);
$_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
$_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
$_POST['location'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['location'])));
$_POST['signature'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['signature'])));
post_clean('nick', $this->db, array('spchars'));
post_clean('passwd_old', $this->db, array());
post_clean('passwd', $this->db, array());
post_clean('passwd_confirm', $this->db, array());
post_clean('email', $this->db);
post_clean('location', $this->db, array('spchars'));
post_clean('signature', $this->db, array('spchars'));
if ($_POST['email'] != $user_info['email'] || $_POST['passwd'] != '')
{
@ -619,10 +614,10 @@ class MainController extends Controller
}
}
$_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : $user_info['nick'];
$_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : $user_info['email'];
$_POST['location'] = (isset($_POST['location'])) ? stripslashes($_POST['location']) : $user_info['location'];
$_POST['signature'] = (isset($_POST['signature'])) ? stripslashes($_POST['signature']) : $user_info['signature'];
post_default('nick', $user_info['nick']);
post_default('email', $user_info['email']);
post_default('location', $user_info['location']);
post_default('signature', $user_info['signature']);
$this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
@ -656,7 +651,7 @@ class MainController extends Controller
if (isset($_POST['nick'], $_POST['passwd']))
{
//secure pools
$_POST['nick'] = trim(strip_tags($this->db->an class="na">real_escape_string($_POST['nick'])));
post_clean('nick', $this->db);
$_POST['passwd'] = $this->getModel('UsersModel')->generatePasswordHash($_POST['nick'], trim($this->db->real_escape_string($_POST['passwd'])));
$userinfo = $this->getModel('SessionModel')->tryGetUser($_POST['nick'], $_POST['passwd']);
@ -682,7 +677,7 @@ class MainController extends Controller
}
}
$_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : '';
post_default('nick', '');
if (!isset($lockv))
$this->getView('MainView')->login_form($msg);
}
@ -699,10 +694,10 @@ class MainController extends Controller
if (isset($_POST['nick'], $_POST['passwd'], $_POST['passwd_confirm'], $_POST['email']))
{
//secure pools
$_POST['nick'] = trim(strip_tags($this->db->an class="na">real_escape_string($_POST['nick'])));
$_POST['passwd'] = trim($_POST['passwd']);
$_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
$_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
post_clean('nick', $this->db);
post_clean('passwd', $this->db, array());
post_clean('passwd_confirm', $this->db, array());
post_clean('email', $this->db);
if (strlen($_POST['nick']) < 3)
$msg .= 'Nick is too short (min 3 characters)<br>';
@ -727,9 +722,8 @@ class MainController extends Controller
}
}
$_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : '';
$_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : '';
post_default('nick', '');
post_default('email', '');
if (!isset($lockv))
$this->getView('MainView')->register_form($msg);
}
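Review bot: The registration hunk at +694 now runs `passwd` and `passwd_confirm` through `post_clean(..., array())`, while the unchanged login line in the hunk at +651 still hashes `trim($this->db->real_escape_string($_POST['passwd']))`; because `input_clean` tests `$opts != null` and `array() != null` is false in PHP, the empty-array calls fall into the `strip_tags` else-branch before escaping, so the two paths no longer apply the same transformation. Unless `generatePasswordHash` normalises its input further (not visible here), a password containing an HTML-like sequence is stored as one string and verified against another; the same `array()` calls appear in the profile-edit hunk at +543 and in AdminController. A value that is only ever hashed needs neither `strip_tags` nor SQL escaping, so the simplest form is `$_POST['passwd'] = trim($_POST['passwd']);` and `$_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);` — but whichever normalisation is chosen must be identical on the login line, and changing it affects hashes already stored for existing accounts. The enclosing methods start and end outside their hunks.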

+ 25
- 3
inc/misc_functions.php View File

@ -26,23 +26,45 @@ function post_default($key, $default='')
$_POST[$key] = (isset($_POST[$key])) ? stripslashes($_POST[$key]) : $default;
}
function clean_input(&$input, $dbobj, $opts = null)
function input_clean(&$input, &$dbobj, $opts = null)
{
$input = trim($input);
$input = $dbobj->real_escape_string($input);
if ($opts != null)
{
if (in_array('spchars', $opts)) //special chars
$input = htmlspecialchars($input);
if (in_array('strip', $opts)) //strip tags
$input = strip_tags($input);
if (in_array('nnegint', $opts)) //non-negative integer
{
$int_options = array('options' => array('min_range' => 0));
$input = var_dump(filter_var($input, FILTER_VALIDATE_INT, $int_options));
$input = filter_var($input, FILTER_VALIDATE_INT, $int_options);
}
}
else
$input = strip_tags($input);
$input = $dbobj->real_escape_string($input);
}
function post_clean($key, &$dbobj, $opts)
{
input_clean($_POST[$key], $dbobj, $opts);
}
function get_clean($key, &$dbobj, $intval = true)
{
if (array_key_exists($key, $_GET))
{
$opts = ($intval) ? array('strip', 'nnegint') : null;
input_clean($_GET[$key], $dbobj, $opts);
}
else
{
$_GET[$key] = ($intval) ? 0 : '';
}
}
?>
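Review bot: `post_clean($key, &$dbobj, $opts)` declares `$opts` with no default, yet most callers in both controllers pass only two arguments (`post_clean('email', $this->db)`, `post_clean('user_id', $this->db)`, …); on PHP 5 that is a missing-argument warning with `$opts` left null, on PHP 7.1+ an ArgumentCountError. Make the signature `function post_clean($key, &$dbobj, $opts = null)` to match `input_clean`. Two further issues in `input_clean`: the `nnegint` branch leaves `$input` as `false` when `filter_var` rejects the value, and `real_escape_string(false)` then yields `''` rather than the `0` that `get_clean` assigns for a missing key, so add `if ($input === false) $input = 0;` after the `filter_var` line; and `$opts != null` is a loose comparison under which `array()` equals null, so callers passing `array()` to mean "no filters" get the `strip_tags` else-branch — use `$opts !== null` (or `is_array($opts)`). A PHP-only file should also drop the trailing `?>` so that any whitespace after it is not emitted as output.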
