2009-11-25 10:12:42 +01:00
|
|
|
<?php
|
|
|
|
|
/**
|
|
|
|
|
* Cleans a string by encoding to UTF-8 and replacing the HTML
|
|
|
|
|
* entities. UTF-8 is necessary for foreign chars like asian
|
|
|
|
|
* and our databases are (or should be) UTF-8
|
|
|
|
|
*
|
|
|
|
|
* @param mixed String or array of strings to be cleaned.
|
|
|
|
|
*
|
|
|
|
|
* @return mixed The cleaned string or array.
|
|
|
|
|
*/
|
|
|
|
|
function safe_input($value) {
|
|
|
|
|
//Stop!! Are you sure to modify this critical code? Because the older
|
|
|
|
|
//versions are serius headache in many places of Pandora.
|
|
|
|
|
|
|
|
|
|
if (is_numeric($value))
|
|
|
|
|
return $value;
|
|
|
|
|
|
|
|
|
|
if (is_array($value)) {
|
|
|
|
|
array_walk($value, "safe_input");
|
|
|
|
|
return $value;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//Clean the trash mix into string because of magic quotes.
|
|
|
|
|
if (get_magic_quotes_gpc() == 1) {
|
|
|
|
|
$value = stripslashes($value);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (! mb_check_encoding ($value, 'UTF-8'))
|
|
|
|
|
$value = utf8_encode ($value);
|
|
|
|
|
|
|
|
|
|
$valueHtmlEncode = htmlentities ($value, ENT_QUOTES, "UTF-8", true);
|
|
|
|
|
|
|
|
|
|
//Replace the character '\' for the equivalent html entitie
|
|
|
|
|
$valueHtmlEncode = str_replace('\\', "\", $valueHtmlEncode);
|
2010-08-18 13:35:42 +02:00
|
|
|
|
|
|
|
|
// First attempt to avoid SQL Injection based on SQL comments
|
|
|
|
|
// Specific for MySQL.
|
|
|
|
|
$valueHtmlEncode = str_replace('/*', "/*", $valueHtmlEncode);
|
|
|
|
|
$valueHtmlEncode = str_replace('*/', "*/", $valueHtmlEncode);
|
2010-10-08 13:35:18 +02:00
|
|
|
|
|
|
|
|
//Replace ( for the html entitie
|
|
|
|
|
$valueHtmlEncode = str_replace('(', "(", $valueHtmlEncode);
|
|
|
|
|
|
|
|
|
|
//Replace ( for the html entitie
|
|
|
|
|
$valueHtmlEncode = str_replace(')', ")", $valueHtmlEncode);
|
|
|
|
|
|
|
|
|
|
//Replace some characteres for html entities
|
2010-10-08 19:00:28 +02:00
|
|
|
for ($i=0;$i<33;$i++) {
|
2010-10-08 13:35:18 +02:00
|
|
|
$valueHtmlEncode = str_ireplace(chr($i),ascii_to_html($i), $valueHtmlEncode);
|
|
|
|
|
}
|
2010-08-18 13:35:42 +02:00
|
|
|
|
2009-11-25 10:12:42 +01:00
|
|
|
return $valueHtmlEncode;
|
|
|
|
|
}
|
|
|
|
|
|
2010-10-14 14:27:09 +02:00
|
|
|
/**
|
|
|
|
|
* Cleans a string by encoding to UTF-8 and replacing the HTML
|
|
|
|
|
* entities for HTML only. UTF-8 is necessary for foreign chars
|
|
|
|
|
* like asian and our databases are (or should be) UTF-8
|
|
|
|
|
*
|
|
|
|
|
* @param mixed String or array of strings to be cleaned.
|
|
|
|
|
*
|
|
|
|
|
* @return mixed The cleaned string or array.
|
|
|
|
|
*/
|
|
|
|
|
function safe_input_html($value) {
|
|
|
|
|
//Stop!! Are you sure to modify this critical code? Because the older
|
|
|
|
|
//versions are serius headache in many places of Pandora.
|
|
|
|
|
|
|
|
|
|
if (is_numeric($value))
|
|
|
|
|
return $value;
|
|
|
|
|
|
|
|
|
|
if (is_array($value)) {
|
|
|
|
|
array_walk($value, "safe_input");
|
|
|
|
|
return $value;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//Clean the trash mix into string because of magic quotes.
|
|
|
|
|
if (get_magic_quotes_gpc() == 1) {
|
|
|
|
|
$value = stripslashes($value);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (! mb_check_encoding ($value, 'UTF-8'))
|
|
|
|
|
$value = utf8_encode ($value);
|
|
|
|
|
|
|
|
|
|
//Replace some characteres for html entities
|
|
|
|
|
for ($i=0;$i<33;$i++) {
|
|
|
|
|
$value = str_ireplace(chr($i),ascii_to_html($i), $value);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $value;
|
|
|
|
|
}
|
|
|
|
|
|
2010-10-08 13:35:18 +02:00
|
|
|
/**
|
|
|
|
|
* Convert ascii char to html entitines
|
|
|
|
|
*
|
|
|
|
|
* @param int num of ascci char
|
|
|
|
|
*
|
|
|
|
|
* @return string String of html entitie
|
|
|
|
|
*/
|
|
|
|
|
function ascii_to_html($num) {
|
|
|
|
|
|
|
|
|
|
if ($num <= 15) {
|
|
|
|
|
return "�".dechex($num).";";
|
|
|
|
|
} else {
|
|
|
|
|
return "&#x".dechex($num).";";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Convert hexadecimal html entity value to char
|
|
|
|
|
*
|
|
|
|
|
* @param string String of html hexadecimal value
|
|
|
|
|
*
|
|
|
|
|
* @return string String with char
|
|
|
|
|
*/
|
|
|
|
|
function html_to_ascii($hex) {
|
|
|
|
|
|
|
|
|
|
$dec = hexdec($hex);
|
|
|
|
|
|
|
|
|
|
return chr($dec);
|
|
|
|
|
}
|
|
|
|
|
|
2009-11-27 Sancho lerena <slerena@artica.es>
* operation/menu.php: User section has no ACL check, always can be seen.
* index.php: Added suppor for user-defined custom language (this code was
on my disk for 3 months, pending to be commited!).
* include/functions_db.php,
* include/functions_agents.php,
* godmode/alerts/alert_list.php,
* godmode/agentes/modificar_agente.php,
* godmode/agentes/configurar_agente.php: Added audit calls to several
management operations who don't have or have insufficient audit info.
* godmode/users/configure_user.php: Fixed several annoyings bugs. Added
custom language support, and added more audit info on management operations.
* godmode/users/user_list.php: More audit info.
* include/config_process.php: Add new debug option to render error log to
/pandora_console.log. Also set timezone if not defined (this makes warnings
on several PHP 5.x setups). Added user custom language support.
* include/functions_events.php: More audit info. Fixed problems with HTML
encoding render.
* functions_io.php: Some cleaning.
* include/functions_messages.php: Fixed problems with HTML
encoding render.
* functions_ui.php: Fixed problems with HTML encoding render in
print_string_substr() function.
* auth/mysql.php: is_user_admin() functions seems to be broken ¿?¿!. Fixed.
* styles/pandora.css: removed green colored left border in default style.
* message.php, incident*: Fixed problems with HTML encoding render.
* user.php: Better ACL check before let user to view/edit another user.
* user_edit: Removed some un-used form fields, some arrangements in layout,
and FIXED forever problems with password change (new code written).
* users/user_statistics.php: Now user can see its own audit records.
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2139 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2009-11-27 21:02:12 +01:00
|
|
|
/**
|
|
|
|
|
* Convert the $value encode in html entity to clear char string. This function
|
|
|
|
|
* should be called always to "clean" HTML encoded data; to render to a text
|
|
|
|
|
* plain ascii file, to render to console, or to put in any kind of data field
|
|
|
|
|
* who doesn't make the HTML render by itself.
|
|
|
|
|
*
|
|
|
|
|
* @param mixed String or array of strings to be cleaned.
|
2010-04-30 12:35:20 +02:00
|
|
|
* @param boolean $utf8 Flag, set the output encoding in utf8, by default true.
|
2009-11-27 Sancho lerena <slerena@artica.es>
* operation/menu.php: User section has no ACL check, always can be seen.
* index.php: Added suppor for user-defined custom language (this code was
on my disk for 3 months, pending to be commited!).
* include/functions_db.php,
* include/functions_agents.php,
* godmode/alerts/alert_list.php,
* godmode/agentes/modificar_agente.php,
* godmode/agentes/configurar_agente.php: Added audit calls to several
management operations who don't have or have insufficient audit info.
* godmode/users/configure_user.php: Fixed several annoyings bugs. Added
custom language support, and added more audit info on management operations.
* godmode/users/user_list.php: More audit info.
* include/config_process.php: Add new debug option to render error log to
/pandora_console.log. Also set timezone if not defined (this makes warnings
on several PHP 5.x setups). Added user custom language support.
* include/functions_events.php: More audit info. Fixed problems with HTML
encoding render.
* functions_io.php: Some cleaning.
* include/functions_messages.php: Fixed problems with HTML
encoding render.
* functions_ui.php: Fixed problems with HTML encoding render in
print_string_substr() function.
* auth/mysql.php: is_user_admin() functions seems to be broken ¿?¿!. Fixed.
* styles/pandora.css: removed green colored left border in default style.
* message.php, incident*: Fixed problems with HTML encoding render.
* user.php: Better ACL check before let user to view/edit another user.
* user_edit: Removed some un-used form fields, some arrangements in layout,
and FIXED forever problems with password change (new code written).
* users/user_statistics.php: Now user can see its own audit records.
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2139 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2009-11-27 21:02:12 +01:00
|
|
|
*
|
|
|
|
|
* @return unknown_type
|
|
|
|
|
*/
|
2010-04-30 12:35:20 +02:00
|
|
|
function safe_output($value, $utf8 = true)
|
|
|
|
|
{
|
2009-11-27 Sancho lerena <slerena@artica.es>
* operation/menu.php: User section has no ACL check, always can be seen.
* index.php: Added suppor for user-defined custom language (this code was
on my disk for 3 months, pending to be commited!).
* include/functions_db.php,
* include/functions_agents.php,
* godmode/alerts/alert_list.php,
* godmode/agentes/modificar_agente.php,
* godmode/agentes/configurar_agente.php: Added audit calls to several
management operations who don't have or have insufficient audit info.
* godmode/users/configure_user.php: Fixed several annoyings bugs. Added
custom language support, and added more audit info on management operations.
* godmode/users/user_list.php: More audit info.
* include/config_process.php: Add new debug option to render error log to
/pandora_console.log. Also set timezone if not defined (this makes warnings
on several PHP 5.x setups). Added user custom language support.
* include/functions_events.php: More audit info. Fixed problems with HTML
encoding render.
* functions_io.php: Some cleaning.
* include/functions_messages.php: Fixed problems with HTML
encoding render.
* functions_ui.php: Fixed problems with HTML encoding render in
print_string_substr() function.
* auth/mysql.php: is_user_admin() functions seems to be broken ¿?¿!. Fixed.
* styles/pandora.css: removed green colored left border in default style.
* message.php, incident*: Fixed problems with HTML encoding render.
* user.php: Better ACL check before let user to view/edit another user.
* user_edit: Removed some un-used form fields, some arrangements in layout,
and FIXED forever problems with password change (new code written).
* users/user_statistics.php: Now user can see its own audit records.
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2139 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2009-11-27 21:02:12 +01:00
|
|
|
if (is_numeric($value))
|
|
|
|
|
return $value;
|
|
|
|
|
|
|
|
|
|
if (is_array($value)) {
|
|
|
|
|
array_walk($value, "safe_output");
|
|
|
|
|
return $value;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (! mb_check_encoding ($value, 'UTF-8'))
|
|
|
|
|
$value = utf8_encode ($value);
|
|
|
|
|
|
2010-04-30 12:35:20 +02:00
|
|
|
if ($utf8) {
|
|
|
|
|
$valueHtmlEncode = html_entity_decode ($value, ENT_QUOTES, "UTF-8");
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$valueHtmlEncode = html_entity_decode ($value, ENT_QUOTES);
|
|
|
|
|
}
|
2009-11-27 Sancho lerena <slerena@artica.es>
* operation/menu.php: User section has no ACL check, always can be seen.
* index.php: Added suppor for user-defined custom language (this code was
on my disk for 3 months, pending to be commited!).
* include/functions_db.php,
* include/functions_agents.php,
* godmode/alerts/alert_list.php,
* godmode/agentes/modificar_agente.php,
* godmode/agentes/configurar_agente.php: Added audit calls to several
management operations who don't have or have insufficient audit info.
* godmode/users/configure_user.php: Fixed several annoyings bugs. Added
custom language support, and added more audit info on management operations.
* godmode/users/user_list.php: More audit info.
* include/config_process.php: Add new debug option to render error log to
/pandora_console.log. Also set timezone if not defined (this makes warnings
on several PHP 5.x setups). Added user custom language support.
* include/functions_events.php: More audit info. Fixed problems with HTML
encoding render.
* functions_io.php: Some cleaning.
* include/functions_messages.php: Fixed problems with HTML
encoding render.
* functions_ui.php: Fixed problems with HTML encoding render in
print_string_substr() function.
* auth/mysql.php: is_user_admin() functions seems to be broken ¿?¿!. Fixed.
* styles/pandora.css: removed green colored left border in default style.
* message.php, incident*: Fixed problems with HTML encoding render.
* user.php: Better ACL check before let user to view/edit another user.
* user_edit: Removed some un-used form fields, some arrangements in layout,
and FIXED forever problems with password change (new code written).
* users/user_statistics.php: Now user can see its own audit records.
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2139 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2009-11-27 21:02:12 +01:00
|
|
|
|
2010-10-08 13:35:18 +02:00
|
|
|
//Replace the html entitie of ( for the char
|
|
|
|
|
$valueHtmlEncode = str_replace("(", '(', $valueHtmlEncode);
|
|
|
|
|
|
|
|
|
|
//Replace the html entitie of ) for the char
|
|
|
|
|
$valueHtmlEncode = str_replace(")", ')', $valueHtmlEncode);
|
|
|
|
|
|
|
|
|
|
//Revert html entities to chars
|
2010-10-11 09:44:49 +02:00
|
|
|
for ($i=0;$i<33;$i++) {
|
2010-10-08 13:35:18 +02:00
|
|
|
$valueHtmlEncode = str_ireplace("&#x".dechex($i).";",html_to_ascii(dechex($i)), $valueHtmlEncode);
|
|
|
|
|
}
|
|
|
|
|
|
2009-11-27 Sancho lerena <slerena@artica.es>
* operation/menu.php: User section has no ACL check, always can be seen.
* index.php: Added suppor for user-defined custom language (this code was
on my disk for 3 months, pending to be commited!).
* include/functions_db.php,
* include/functions_agents.php,
* godmode/alerts/alert_list.php,
* godmode/agentes/modificar_agente.php,
* godmode/agentes/configurar_agente.php: Added audit calls to several
management operations who don't have or have insufficient audit info.
* godmode/users/configure_user.php: Fixed several annoyings bugs. Added
custom language support, and added more audit info on management operations.
* godmode/users/user_list.php: More audit info.
* include/config_process.php: Add new debug option to render error log to
/pandora_console.log. Also set timezone if not defined (this makes warnings
on several PHP 5.x setups). Added user custom language support.
* include/functions_events.php: More audit info. Fixed problems with HTML
encoding render.
* functions_io.php: Some cleaning.
* include/functions_messages.php: Fixed problems with HTML
encoding render.
* functions_ui.php: Fixed problems with HTML encoding render in
print_string_substr() function.
* auth/mysql.php: is_user_admin() functions seems to be broken ¿?¿!. Fixed.
* styles/pandora.css: removed green colored left border in default style.
* message.php, incident*: Fixed problems with HTML encoding render.
* user.php: Better ACL check before let user to view/edit another user.
* user_edit: Removed some un-used form fields, some arrangements in layout,
and FIXED forever problems with password change (new code written).
* users/user_statistics.php: Now user can see its own audit records.
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2139 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2009-11-27 21:02:12 +01:00
|
|
|
return $valueHtmlEncode;
|
|
|
|
|
}
|
|
|
|
|
|
2009-11-25 10:12:42 +01:00
|
|
|
/**
|
|
|
|
|
* Use to clean HTML entities when get_parameter or safe_input functions dont work
|
|
|
|
|
*
|
|
|
|
|
* @param string String to be cleaned
|
|
|
|
|
*
|
|
|
|
|
* @return string Cleaned string
|
|
|
|
|
*/
|
|
|
|
|
function salida_limpia ($string) {
|
|
|
|
|
$quote_style = ENT_QUOTES;
|
|
|
|
|
static $trans;
|
|
|
|
|
if (! isset ($trans)) {
|
|
|
|
|
$trans = get_html_translation_table (HTML_ENTITIES, $quote_style);
|
|
|
|
|
foreach ($trans as $key => $value)
|
|
|
|
|
$trans[$key] = '&#'.ord($key).';';
|
|
|
|
|
// dont translate the '&' in case it is part of &xxx;
|
|
|
|
|
$trans[chr(38)] = '&';
|
|
|
|
|
}
|
|
|
|
|
// after the initial translation, _do_ map standalone "&" into "&"
|
|
|
|
|
return preg_replace ("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/","&",
|
|
|
|
|
strtr ($string, $trans));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Cleans a string by encoding to UTF-8 and replacing the HTML
|
|
|
|
|
* entities to their numeric counterparts (possibly double encoding)
|
|
|
|
|
*
|
|
|
|
|
* @param mixed String or array of strings to be cleaned.
|
|
|
|
|
*
|
|
|
|
|
* @return mixed The cleaned string or array.
|
|
|
|
|
*/
|
|
|
|
|
function safe_output_xml ($string) {
|
|
|
|
|
if (is_numeric ($string))
|
|
|
|
|
return $string;
|
|
|
|
|
|
|
|
|
|
if (is_array ($string)) {
|
|
|
|
|
array_walk ($string, 'safe_output_xml');
|
|
|
|
|
return $string;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static $table;
|
|
|
|
|
static $replace;
|
|
|
|
|
|
|
|
|
|
if (empty ($table)) {
|
|
|
|
|
$table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
|
|
|
|
|
$replace = array ();
|
|
|
|
|
|
|
|
|
|
foreach ($table as $key => $value){
|
|
|
|
|
$table[$key] = "/".$value."/";
|
|
|
|
|
$char = htmlentities ($key, ENT_QUOTES, "UTF-8");
|
|
|
|
|
$replace[$char] = "&#".ord ($key).";";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//now perform a replacement using preg_replace
|
|
|
|
|
//each matched value in $table will be replaced with the corresponding value in $replace
|
|
|
|
|
return preg_replace ($table, $replace, $string);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Avoid magic_quotes protection
|
|
|
|
|
*
|
|
|
|
|
* @param string Text string to be stripped of magic_quotes protection
|
|
|
|
|
*/
|
|
|
|
|
function unsafe_string ($string) {
|
|
|
|
|
if (get_magic_quotes_gpc ())
|
|
|
|
|
return stripslashes ($string);
|
|
|
|
|
return $string;
|
|
|
|
|
}
|
|
|
|
|
|
2009-11-27 Sancho lerena <slerena@artica.es>
* operation/menu.php: User section has no ACL check, always can be seen.
* index.php: Added suppor for user-defined custom language (this code was
on my disk for 3 months, pending to be commited!).
* include/functions_db.php,
* include/functions_agents.php,
* godmode/alerts/alert_list.php,
* godmode/agentes/modificar_agente.php,
* godmode/agentes/configurar_agente.php: Added audit calls to several
management operations who don't have or have insufficient audit info.
* godmode/users/configure_user.php: Fixed several annoyings bugs. Added
custom language support, and added more audit info on management operations.
* godmode/users/user_list.php: More audit info.
* include/config_process.php: Add new debug option to render error log to
/pandora_console.log. Also set timezone if not defined (this makes warnings
on several PHP 5.x setups). Added user custom language support.
* include/functions_events.php: More audit info. Fixed problems with HTML
encoding render.
* functions_io.php: Some cleaning.
* include/functions_messages.php: Fixed problems with HTML
encoding render.
* functions_ui.php: Fixed problems with HTML encoding render in
print_string_substr() function.
* auth/mysql.php: is_user_admin() functions seems to be broken ¿?¿!. Fixed.
* styles/pandora.css: removed green colored left border in default style.
* message.php, incident*: Fixed problems with HTML encoding render.
* user.php: Better ACL check before let user to view/edit another user.
* user_edit: Removed some un-used form fields, some arrangements in layout,
and FIXED forever problems with password change (new code written).
* users/user_statistics.php: Now user can see its own audit records.
git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2139 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2009-11-27 21:02:12 +01:00
|
|
|
|
|
|
|
|
?>
|
