improved data filtering in controllers

2015-02-16 19:59:00 +01:00
parent 8354bd53a3
commit 2a335e9c6c
3 changed files with 109 additions and 104 deletions


@@ -59,6 +59,7 @@ class AdminController extends Controller
if ($this->loadDependencies())
{
$this->loadModel('UsersModel');
get_clean('id', $this->db);
$user_info = $this->getModel('UsersModel')->getUserInformation($_GET['id'], true);
if ($user_info == null)
@@ -72,13 +73,13 @@ class AdminController extends Controller
if (isset($_POST['nick'], $_POST['passwd'], $_POST['passwd_confirm'], $_POST['email']))
{
//secure pools
$_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
$_POST['passwd'] = trim($_POST['passwd']);
$_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
$_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
$_POST['location'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['location'])));
$_POST['signature'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['signature'])));
$_POST['user_rank'] = trim(strip_tags($this->db->real_escape_string($_POST['user_rank'])));
post_clean('nick', $this->db, array('spchars'));
post_clean('passwd', $this->db, array());
post_clean('passwd_confirm', $this->db, array());
post_clean('email', $this->db);
post_clean('location', $this->db, array('spchars'));
post_clean('signature', $this->db, array('spchars'));
post_clean('user_rank', $this->db);
if ($_POST['passwd'] != '')
{
@@ -154,12 +155,11 @@ class AdminController extends Controller
}
}
$_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : $user_info['nick'];
$_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : $user_info['email'];
$_POST['location'] = (isset($_POST['location'])) ? stripslashes($_POST['location']) : $user_info['location'];
$_POST['signature'] = (isset($_POST['signature'])) ? stripslashes($_POST['signature']) : $user_info['signature'];
$_POST['user_rank'] = (isset($_POST['user_rank'])) ? $_POST['user_rank'] : $user_info['rank'];
post_default('nick', $user_info['nick']);
post_default('email', $user_info['email']);
post_default('location', $user_info['location']);
post_default('signature', $user_info['signature']);
post_default('user_rank', $user_info['rank']);
$this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
if (!isset($lockv))
@@ -193,10 +193,10 @@ class AdminController extends Controller
else
$_GET['rank'] = '';
$_POST['sort_type'] = (isset($_POST['sort_type'])) ? $this->db->real_escape_string($_POST['sort_type']) : 'regdate';
post_default('sort_type', 'regdate');
$allowed_sorting = array('regdate', 'lastvisit', 'nick', 'post_count');
if (!in_array($_POST['sort_type'], $allowed_sorting))
$_POST['sort_type'] = '';
$_POST['sort_type'] = 'regdate';
$_POST['sort_desc'] = (isset($_POST['sort_desc'])) ? 'DESC' : 'ASC';
$this->getView('MainView')->admin_userlist();
@@ -211,7 +211,7 @@ class AdminController extends Controller
$this->loadModel('UsersModel');
$this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$user_info = $this->getModel('UsersModel')->getUserInformation($_GET['id']);
if ($user_info == null)
@@ -228,7 +228,6 @@ class AdminController extends Controller
}
}
if (isset($_POST['confirmed']) && !isset($lockv))
{
if (!isset($_POST['rejected']))
@@ -258,8 +257,8 @@ class AdminController extends Controller
if (isset($_POST['forum_name'], $_POST['forum_desc']))
{
$_POST['forum_name'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_name'])));
$_POST['forum_desc'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_desc'])));
post_clean('forum_name', $this->db, array('spchars'));
post_clean('forum_desc', $this->db, array('spchars'));
if (strlen($_POST['forum_name']) < 3)
{
@@ -289,8 +288,8 @@ class AdminController extends Controller
}
}
$_POST['forum_name'] = (isset($_POST['forum_name'])) ? stripslashes($_POST['forum_name']) : $this->getModel('ConfigModel')->getConf('forum_name');
$_POST['forum_desc'] = (isset($_POST['forum_desc'])) ? stripslashes($_POST['forum_desc']) : $this->getModel('ConfigModel')->getConf('forum_desc');
post_default('forum_name', $this->getModel('ConfigModel')->getConf('forum_name'));
post_default('forum_desc', $this->getModel('ConfigModel')->getConf('forum_desc'));
if (!isset($lockv))
{
$this->getView('MainView')->admin_config($msg);
@@ -343,7 +342,8 @@ class AdminController extends Controller
if ($this->loadDependencies())
{
$this->loadModel('ForumsModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$forum_info = $this->getModel('ForumsModel')->getForum($_GET['id']);
if ($forum_info == null)
@@ -375,7 +375,8 @@ class AdminController extends Controller
if ($this->loadDependencies())
{
$this->loadModel('ForumsModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$cat_info = $this->getModel('ForumsModel')->getCat($_GET['id']);
if ($cat_info == null)
@@ -410,7 +411,7 @@ class AdminController extends Controller
if ($m == 'edit')
{
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$cat_info = $this->getModel('ForumsModel')->getCat($_GET['id']);
if ($cat_info == null)
@@ -423,7 +424,7 @@ class AdminController extends Controller
if (isset($_POST['name']) && !isset($lockv))
{
$_POST['name'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['name'])));
post_clean('name', $this->db, array('spchars'));
if (strlen($_POST['name']) < 3)
$msg .= 'Category name is too short (min 3 characters)!<br>';
@@ -446,10 +447,7 @@ class AdminController extends Controller
if (!isset($lockv))
{
if ($m == 'add')
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
else
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $cat_info['name'];
post_default('name', ($m == 'add') ? '' : $cat_info['name']);
$this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
$this->getView('MainView')->admin_cat_form($msg, $m);
@@ -464,7 +462,7 @@ class AdminController extends Controller
if ($m == 'edit')
{
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_cat('id', $this->db);
$forum_info = $this->getModel('ForumsModel')->getForum($_GET['id']);
if ($forum_info == null)
@@ -477,10 +475,10 @@ class AdminController extends Controller
if (isset($_POST['name']) && !isset($lockv))
{
$_POST['name'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['name'])));
$_POST['desc'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['desc'])));
$_POST['category_id'] = trim(strip_tags($this->db->real_escape_string($_POST['category_id'])));
$_POST['locked'] = trim(strip_tags($this->db->real_escape_string($_POST['locked'])));
post_clean('name', $this->db, array('spchars'));
post_clean('desc', $this->db, array('spchars'));
post_clean('category_id', $this->db);
post_clean('locked', $this->db);
$_POST['locked'] = ($_POST['locked'] == true) ? true : false;
if (strlen($_POST['name']) < 3)
@@ -510,20 +508,10 @@ class AdminController extends Controller
if (!isset($lockv))
{
if ($m == 'add')
{
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
$_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : '';
$_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : '';
$_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : '';
}
else
{
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $forum_info['name'];
$_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : $forum_info['desc'];
$_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : $forum_info['category_id'];
$_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : $forum_info['locked'];
}
post_default('name', ($m == 'add') ? '' : $forum_info['name']);
post_default('desc', ($m == 'add') ? '' : $forum_info['desc']);
post_default('category_id', ($m == 'add') ? '' : $forum_info['category_id']);
post_default('locked', ($m == 'add') ? '' : $forum_info['locked']);
$this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
$this->getView('MainView')->admin_forum_form($msg, $m);
@@ -541,7 +529,8 @@ class AdminController extends Controller
if ($this->loadDependencies())
{
$this->loadModel('BansModel');
$_GET['id'] = (isset($_GET['id'])) ? trim(strip_tags($this->db->real_escape_string($_GET['id']))) : 0;
get_clean('id', $this->db);
$ban_info = $this->getModel('BansModel')->getBan($_GET['id']);
if ($ban_info == null)
@@ -579,8 +568,8 @@ class AdminController extends Controller
if (isset($_POST['user_id'], $_POST['reason']))
{
$_POST['user_id'] = trim(strip_tags($this->db->real_escape_string($_POST['user_id'])));
$_POST['reason'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['reason'])));
post_clean('user_id', $this->db);
post_clean('reason', $this->db, array('spchars'));
if ($_POST['user_id'] == $this->getModel('SessionModel')->getID())
$msg .= 'You cannot ban your profile!<br>';
@@ -601,8 +590,8 @@ class AdminController extends Controller
if (!isset($lockv))
{
$_POST['user_id'] = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
$_POST['reason'] = (isset($_POST['reason'])) ? stripslashes($_POST['reason']) : '';
post_default('user_id', '');
post_default('reason', '');
$this->getView('MainView')->admin_ban_form($msg);
}
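Review bot: In the hunk at `@@ -464,7 +462,7 @@` the replacement for the inline `$_GET['id']` sanitisation is `get_cat('id', $this->db);`, whereas every other hunk in this file uses `get_clean('id', $this->db);` for the same purpose; unless a `get_cat` helper really exists, this is a typo that will fail with an undefined function on the forum edit form, and the line should read `get_clean('id', $this->db);`. The removed expression also supplied a default of `0` when `id` was absent, so whether `$_GET['id']` is still defined before the `getForum($_GET['id'])` call now depends on `get_clean` assigning a default — worth confirming against its definition, which is not part of this diff. The enclosing method starts and ends outside the hunk.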