From 46435e43dd2ed02ebe79462e124cc5c9337f2e6b Mon Sep 17 00:00:00 2001 From: mdtrooper Date: Thu, 19 Nov 2009 20:04:11 +0000 Subject: [PATCH] 2009-11-19 Miguel de Dios * include/functions.php: change the "safe_input" for estandarize the input and clean bugs for this cause. Now Pandora Console depends of 5.2.3 PHP version or up. * extensions/dbmanager.php: change the source code to use correctly the "safe_input". git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2120 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
---
 pandora_console/ChangeLog | 8 +++ pandora_console/extensions/dbmanager.php | 11 ++-- pandora_console/include/functions.php | 65 +++++++++++++++++++----- 3 files changed, 62 insertions(+), 22 deletions(-)
diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog
index 0fd06be941..5b839f2b46 100644
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@@ -1,3 +1,11 @@
+2009-11-19 Miguel de Dios
+
+ * include/functions.php: change the "safe_input" for estandarize the input
+ and clean bugs for this cause. Now Pandora Console depends of 5.2.3 PHP
+ version or up.
+ * extensions/dbmanager.php: change the source code to use correctly the
+ "safe_input".
+
 2009-11-19 Miguel de Dios * godmode/modules/manage_network_components_form_plugin.php: tiny fix in the
diff --git a/pandora_console/extensions/dbmanager.php b/pandora_console/extensions/dbmanager.php
index 463f8f9083..3dd143defc 100644
--- a/pandora_console/extensions/dbmanager.php
+++ b/pandora_console/extensions/dbmanager.php
@@ -19,13 +19,8 @@ function dbmanager_query ($sql, &$error) {
 if ($sql == '') return false;
-
- // This following two lines are for real clean the string coming from the PHP
- // because add ' for single quote and " for the double, you cannot
- // see with a simple echo and mysql reject it, so dont forget to do this.
-
- $sql = unsafe_string ($sql);
- $sql = htmlspecialchars_decode ($sql, ENT_QUOTES);
+
+ $sql = html_entity_decode($sql, ENT_QUOTES);
 $result = mysql_query ($sql);
 if ($result === false) {
@@ -71,7 +66,7 @@ function dbmgr_extension_main () { echo "
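Review bot: The added `$sql = html_entity_decode($sql, ENT_QUOTES);` decodes with PHP's default charset (ISO-8859-1 on the PHP 5.2/5.3 releases this commit targets), while the new safe_input in include/functions.php encodes with an explicit "UTF-8", so a named entity such as `&eacute;` produced from UTF-8 input comes back as a single Latin-1 byte before it reaches mysql_query(). Pass the charset explicitly so the two sides agree: `$sql = html_entity_decode($sql, ENT_QUOTES, 'UTF-8');`. The print_textarea argument in the -71,7 hunk of this file makes the same call and needs the same third argument. dbmanager_query's body continues outside the hunk.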

"; echo "
"; - print_textarea ('sql', 5, 50, unsafe_string ($sql)); + print_textarea ('sql', 5, 50, html_entity_decode($sql, ENT_QUOTES)); echo '
'; echo '
'; print_submit_button (__('Execute SQL'), '', false, 'class="sub next"');
diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php
index 80e2c20338..1dc3bc94ae 100644
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
@@ -37,24 +37,61 @@ define ('ENTERPRISE_NOT_HOOK', -1);
 * * @return mixed The cleaned string or array. */
-function safe_input ($value) {
- if (is_numeric ($value))
- return $value;
+//function safe_input ($value) {
+// if (is_numeric ($value))
+// return $value;
+//
+// if (is_array ($value)) {
+// array_walk ($value, 'safe_input');
+// return $value;
+// }
+//
+// if (version_compare (PHP_VERSION, '5.2.3') === 1) {
+// if (! mb_check_encoding ($value, 'UTF-8'))
+// $value = utf8_encode ($value);
+// return htmlentities ($value, ENT_QUOTES, "UTF-8", false);
+// } else {
+// $translation_table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
+// $translation_table[chr(38)] = '&';
+// return preg_replace ("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/", "&", strtr ($value, $translation_table));
+// }
+//}
- if (is_array ($value)) {
- array_walk ($value, 'safe_input');
+/**
+ * Cleans a string by encoding to UTF-8 and replacing the HTML
+ * entities. UTF-8 is necessary for foreign chars like asian
+ * and our databases are (or should be) UTF-8
+ *
+ * @param mixed String or array of strings to be cleaned.
+ *
+ * @return mixed The cleaned string or array.
+ */
+function safe_input($value) {
+ //Stop!! Are you sure to modify this critical code? Because the older
+ //versions are serius headache in many places of Pandora.
+
+ if (is_numeric($value))
+ return $value;
+
+ if (is_array($value)) {
+ array_walk($value, "safe_input");
 return $value;
 }
-
- if (version_compare (PHP_VERSION, '5.2.3') === 1) {
- if (! mb_check_encoding ($value, 'UTF-8'))
- $value = utf8_encode ($value);
- return htmlentities ($value, ENT_QUOTES, "UTF-8", false);
- } else {
- $translation_table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
- $translation_table[chr(38)] = '&';
- return preg_replace ("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/", "&", strtr ($value, $translation_table));
+
+ //Clean the trash mix into string because of magic quotes.
+ if (get_magic_quotes_gpc() == 1) {
+ $value = stripslashes($value);
 }
+
+ if (! mb_check_encoding ($value, 'UTF-8'))
+ $value = utf8_encode ($value);
+
+ $valueHtmlEncode = htmlentities ($value, ENT_QUOTES, "UTF-8", true);
+
+ //Replace the character '\' for the equivalent html entitie
+ $valueHtmlEncode = str_replace('\\', "\", $valueHtmlEncode);
+
+ return $valueHtmlEncode;
 } /**
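Review bot: The array branch of the new safe_input does not clean anything: `array_walk($value, "safe_input")` hands each element to a callback whose `$value` parameter is not a reference and whose return value array_walk discards, so the `return $value;` that follows returns the array exactly as it came in, with none of the stripslashes/htmlentities processing applied to its elements. Replace those two lines with `return array_map('safe_input', $value);`, which recurses and keeps the cleaned results. Separately, the commented-out previous implementation (`+//function safe_input ($value) {` through `+//}`) should be deleted rather than committed, since it sits directly under the function's docblock and the old version is already preserved in version control. The `stripslashes()` step also runs for every caller, not only for request data, so any caller that passes a value which did not arrive via GPC loses legitimate backslashes when magic_quotes_gpc is on; this contract belongs in the docblock, e.g. `* Only call on raw $_GET/$_POST/$_COOKIE values: stripslashes() undoes magic_quotes_gpc and would corrupt other data.`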