replaced strip_tags() by htmlspecialchars() in most of POST variables
added stripslashes() to POST variables while form is not sent
This commit is contained in:
@@ -26,7 +26,7 @@ class AdminController extends Controller
|
||||
$this->getView('MainView')->putExistingModel('ConfigModel', $this->getModel('ConfigModel'));
|
||||
|
||||
if ($_SERVER['REQUEST_SCHEME'] == 'http')
|
||||
$this->forward('https://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
|
||||
$this->forward(buildURL($_SERVER['REQUEST_URI']));
|
||||
|
||||
if (!$this->getModel('SessionModel')->isLogged())
|
||||
{
|
||||
@@ -73,11 +73,11 @@ class AdminController extends Controller
|
||||
{
|
||||
//secure pools
|
||||
$_POST['nick'] = trim(strip_tags($this->db->real_escape_string($_POST['nick'])));
|
||||
$_POST['passwd'] = trim(strip_tags($_POST['passwd']));
|
||||
$_POST['passwd_confirm'] = trim(strip_tags($_POST['passwd_confirm']));
|
||||
$_POST['passwd'] = trim($_POST['passwd']);
|
||||
$_POST['passwd_confirm'] = trim($_POST['passwd_confirm']);
|
||||
$_POST['email'] = trim(strip_tags($this->db->real_escape_string($_POST['email'])));
|
||||
$_POST['location'] = trim(strip_tags($this->db->real_escape_string($_POST['location'])));
|
||||
$_POST['signature'] = trim(strip_tags($this->db->real_escape_string($_POST['signature'])));
|
||||
$_POST['location'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['location'])));
|
||||
$_POST['signature'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['signature'])));
|
||||
$_POST['user_rank'] = trim(strip_tags($this->db->real_escape_string($_POST['user_rank'])));
|
||||
|
||||
if ($_POST['passwd'] != '')
|
||||
@@ -154,10 +154,10 @@ class AdminController extends Controller
|
||||
}
|
||||
}
|
||||
|
||||
$_POST['nick'] = (isset($_POST['nick'])) ? $_POST['nick'] : $user_info['nick'];
|
||||
$_POST['email'] = (isset($_POST['email'])) ? $_POST['email'] : $user_info['email'];
|
||||
$_POST['location'] = (isset($_POST['location'])) ? $_POST['location'] : $user_info['location'];
|
||||
$_POST['signature'] = (isset($_POST['signature'])) ? $_POST['signature'] : $user_info['signature'];
|
||||
$_POST['nick'] = (isset($_POST['nick'])) ? stripslashes($_POST['nick']) : $user_info['nick'];
|
||||
$_POST['email'] = (isset($_POST['email'])) ? stripslashes($_POST['email']) : $user_info['email'];
|
||||
$_POST['location'] = (isset($_POST['location'])) ? stripslashes($_POST['location']) : $user_info['location'];
|
||||
$_POST['signature'] = (isset($_POST['signature'])) ? stripslashes($_POST['signature']) : $user_info['signature'];
|
||||
$_POST['user_rank'] = (isset($_POST['user_rank'])) ? $_POST['user_rank'] : $user_info['rank'];
|
||||
|
||||
$this->getView('MainView')->putExistingModel('UsersModel', $this->getModel('UsersModel'));
|
||||
@@ -259,7 +259,7 @@ class AdminController extends Controller
|
||||
if (isset($_POST['forum_name'], $_POST['forum_desc']))
|
||||
{
|
||||
$_POST['forum_name'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_name'])));
|
||||
$_POST['forum_desc'] = trim(htmlspecialchars($_POST['forum_desc']));
|
||||
$_POST['forum_desc'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['forum_desc'])));
|
||||
|
||||
if (strlen($_POST['forum_name']) < 3)
|
||||
{
|
||||
@@ -278,7 +278,6 @@ class AdminController extends Controller
|
||||
|
||||
if ($msg == '')
|
||||
{
|
||||
$what = '';
|
||||
if ($_POST['forum_name'] != $this->getModel('ConfigModel')->getConf('forum_name'))
|
||||
$this->getModel('ConfigModel')->updateConf('forum_name', $_POST['forum_name']);
|
||||
|
||||
@@ -290,8 +289,8 @@ class AdminController extends Controller
|
||||
}
|
||||
}
|
||||
|
||||
$_POST['forum_name'] = (isset($_POST['forum_name'])) ? $_POST['forum_name'] : $this->getModel('ConfigModel')->getConf('forum_name');
|
||||
$_POST['forum_desc'] = (isset($_POST['forum_desc'])) ? $_POST['forum_desc'] : $this->getModel('ConfigModel')->getConf('forum_desc');
|
||||
$_POST['forum_name'] = (isset($_POST['forum_name'])) ? stripslashes($_POST['forum_name']) : $this->getModel('ConfigModel')->getConf('forum_name');
|
||||
$_POST['forum_desc'] = (isset($_POST['forum_desc'])) ? stripslashes($_POST['forum_desc']) : $this->getModel('ConfigModel')->getConf('forum_desc');
|
||||
if (!isset($lockv))
|
||||
{
|
||||
$this->getView('MainView')->admin_config($msg);
|
||||
@@ -448,9 +447,9 @@ class AdminController extends Controller
|
||||
if (!isset($lockv))
|
||||
{
|
||||
if ($m == 'add')
|
||||
$_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : '';
|
||||
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
|
||||
else
|
||||
$_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : $cat_info['name'];
|
||||
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $cat_info['name'];
|
||||
|
||||
$this->getView('MainView')->putExistingModel('ForumsModel', $this->getModel('ForumsModel'));
|
||||
$this->getView('MainView')->admin_cat_form($msg, $m);
|
||||
@@ -513,15 +512,15 @@ class AdminController extends Controller
|
||||
{
|
||||
if ($m == 'add')
|
||||
{
|
||||
$_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : '';
|
||||
$_POST['desc'] = (isset($_POST['desc'])) ? $_POST['desc'] : '';
|
||||
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : '';
|
||||
$_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : '';
|
||||
$_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : '';
|
||||
$_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : '';
|
||||
}
|
||||
else
|
||||
{
|
||||
$_POST['name'] = (isset($_POST['name'])) ? $_POST['name'] : $forum_info['name'];
|
||||
$_POST['desc'] = (isset($_POST['desc'])) ? $_POST['desc'] : $forum_info['desc'];
|
||||
$_POST['name'] = (isset($_POST['name'])) ? stripslashes($_POST['name']) : $forum_info['name'];
|
||||
$_POST['desc'] = (isset($_POST['desc'])) ? stripslashes($_POST['desc']) : $forum_info['desc'];
|
||||
$_POST['category_id'] = (isset($_POST['category_id'])) ? $_POST['category_id'] : $forum_info['category_id'];
|
||||
$_POST['locked'] = (isset($_POST['locked'])) ? $_POST['locked'] : $forum_info['locked'];
|
||||
}
|
||||
@@ -581,7 +580,7 @@ class AdminController extends Controller
|
||||
if (isset($_POST['user_id'], $_POST['reason']))
|
||||
{
|
||||
$_POST['user_id'] = trim(strip_tags($this->db->real_escape_string($_POST['user_id'])));
|
||||
$_POST['reason'] = trim(strip_tags($this->db->real_escape_string($_POST['reason'])));
|
||||
$_POST['reason'] = trim(htmlspecialchars($this->db->real_escape_string($_POST['reason'])));
|
||||
|
||||
if ($_POST['user_id'] == $this->getModel('SessionModel')->getID())
|
||||
$msg .= 'You cannot ban your profile!<br>';
|
||||
@@ -603,12 +602,11 @@ class AdminController extends Controller
|
||||
if (!isset($lockv))
|
||||
{
|
||||
$_POST['user_id'] = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
|
||||
$_POST['reason'] = (isset($_POST['reason'])) ? $_POST['reason'] : '';
|
||||
$_POST['reason'] = (isset($_POST['reason'])) ? stripslashes($_POST['reason']) : '';
|
||||
|
||||
$this->getView('MainView')->admin_ban_form($msg);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
Reference in New Issue
Block a user