2009-11-19 Miguel de Dios <miguel.dedios@artica.es>
* include/functions.php: change "safe_input" to standardize the input and clean the bugs caused by it. Now Pandora Console depends on PHP version 5.2.3 or higher. * extensions/dbmanager.php: change the source code to use "safe_input" correctly. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2120 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
This commit is contained in:
parent
36612c6a58
commit
bb69f81d1b
|
@ -1,3 +1,11 @@
|
|||
2009-11-19 Miguel de Dios <miguel.dedios@artica.es>
|
||||
|
||||
* include/functions.php: change the "safe_input" for estandarize the input
|
||||
and clean bugs for this cause. Now Pandora Console depends of 5.2.3 PHP
|
||||
version or up.
|
||||
* extensions/dbmanager.php: change the source code to use correctly the
|
||||
"safe_input".
|
||||
|
||||
2009-11-19 Miguel de Dios <miguel.dedios@artica.es>
|
||||
|
||||
* godmode/modules/manage_network_components_form_plugin.php: tiny fix in the
|
||||
|
|
|
@ -19,13 +19,8 @@ function dbmanager_query ($sql, &$error) {
|
|||
|
||||
if ($sql == '')
|
||||
return false;
|
||||
|
||||
// This following two lines are for real clean the string coming from the PHP
|
||||
// because add ' for single quote and " for the double, you cannot
|
||||
// see with a simple echo and mysql reject it, so dont forget to do this.
|
||||
|
||||
$sql = unsafe_string ($sql);
|
||||
$sql = htmlspecialchars_decode ($sql, ENT_QUOTES);
|
||||
|
||||
$sql = html_entity_decode($sql, ENT_QUOTES);
|
||||
|
||||
$result = mysql_query ($sql);
|
||||
if ($result === false) {
|
||||
|
@ -71,7 +66,7 @@ function dbmgr_extension_main () {
|
|||
|
||||
echo "<br /><br />";
|
||||
echo "<form method='post' action=''>";
|
||||
print_textarea ('sql', 5, 50, unsafe_string ($sql));
|
||||
print_textarea ('sql', 5, 50, html_entity_decode($sql, ENT_QUOTES));
|
||||
echo '<br />';
|
||||
echo '<div class="action-buttons" style="width: 100%">';
|
||||
print_submit_button (__('Execute SQL'), '', false, 'class="sub next"');
|
||||
|
|
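Review bot: The new `$sql = html_entity_decode($sql, ENT_QUOTES);` in dbmanager_query passes no charset, and on the PHP versions this commit targets (5.2.3 and up, before 5.4) that defaults to ISO-8859-1, whereas safe_input builds its entities with `htmlentities($value, ENT_QUOTES, "UTF-8", true)`; a named entity such as `&eacute;` therefore decodes to a single Latin-1 byte instead of the UTF-8 sequence the rest of the console expects, so a statement containing it reaches mysql_query with mixed encoding. Pass the charset explicitly, `$sql = html_entity_decode($sql, ENT_QUOTES, 'UTF-8');`, and do the same in the `print_textarea ('sql', 5, 50, html_entity_decode($sql, ENT_QUOTES))` call in dbmgr_extension_main so the textarea shows the user's original text. dbmanager_query's body continues past the end of its hunk, and dbmgr_extension_main starts and ends outside the second hunk.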
|
@ -37,24 +37,61 @@ define ('ENTERPRISE_NOT_HOOK', -1);
|
|||
*
|
||||
* @return mixed The cleaned string or array.
|
||||
*/
|
||||
function safe_input ($value) {
|
||||
if (is_numeric ($value))
|
||||
return $value;
|
||||
//function safe_input ($value) {
|
||||
// if (is_numeric ($value))
|
||||
// return $value;
|
||||
//
|
||||
// if (is_array ($value)) {
|
||||
// array_walk ($value, 'safe_input');
|
||||
// return $value;
|
||||
// }
|
||||
//
|
||||
// if (version_compare (PHP_VERSION, '5.2.3') === 1) {
|
||||
// if (! mb_check_encoding ($value, 'UTF-8'))
|
||||
// $value = utf8_encode ($value);
|
||||
// return htmlentities ($value, ENT_QUOTES, "UTF-8", false);
|
||||
// } else {
|
||||
// $translation_table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
|
||||
// $translation_table[chr(38)] = '&';
|
||||
// return preg_replace ("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/", "&", strtr ($value, $translation_table));
|
||||
// }
|
||||
//}
|
||||
|
||||
if (is_array ($value)) {
|
||||
array_walk ($value, 'safe_input');
|
||||
/**
|
||||
* Cleans a string by encoding to UTF-8 and replacing the HTML
|
||||
* entities. UTF-8 is necessary for foreign chars like asian
|
||||
* and our databases are (or should be) UTF-8
|
||||
*
|
||||
* @param mixed String or array of strings to be cleaned.
|
||||
*
|
||||
* @return mixed The cleaned string or array.
|
||||
*/
|
||||
function safe_input($value) {
|
||||
//Stop!! Are you sure to modify this critical code? Because the older
|
||||
//versions are serius headache in many places of Pandora.
|
||||
|
||||
if (is_numeric($value))
|
||||
return $value;
|
||||
|
||||
if (is_array($value)) {
|
||||
array_walk($value, "safe_input");
|
||||
return $value;
|
||||
}
|
||||
|
||||
if (version_compare (PHP_VERSION, '5.2.3') === 1) {
|
||||
if (! mb_check_encoding ($value, 'UTF-8'))
|
||||
$value = utf8_encode ($value);
|
||||
return htmlentities ($value, ENT_QUOTES, "UTF-8", false);
|
||||
} else {
|
||||
$translation_table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
|
||||
$translation_table[chr(38)] = '&';
|
||||
return preg_replace ("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/", "&", strtr ($value, $translation_table));
|
||||
|
||||
//Clean the trash mix into string because of magic quotes.
|
||||
if (get_magic_quotes_gpc() == 1) {
|
||||
$value = stripslashes($value);
|
||||
}
|
||||
|
||||
if (! mb_check_encoding ($value, 'UTF-8'))
|
||||
$value = utf8_encode ($value);
|
||||
|
||||
$valueHtmlEncode = htmlentities ($value, ENT_QUOTES, "UTF-8", true);
|
||||
|
||||
//Replace the character '\' for the equivalent html entitie
|
||||
$valueHtmlEncode = str_replace('\\', "\", $valueHtmlEncode);
|
||||
|
||||
return $valueHtmlEncode;
|
||||
}
|
||||
|
||||
/**
|
||||
|
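Review bot: The array branch of the new safe_input, `array_walk($value, "safe_input"); return $value;`, cleans nothing: array_walk discards the callback's return value and safe_input does not take its argument by reference, so arrays come back with their raw element strings. Replace those two lines with `return array_map('safe_input', $value);`, which keeps the keys and recurses into nested arrays. Separately, the `get_magic_quotes_gpc()` / `stripslashes($value)` step runs on every value handed to the function, not only on request data, so a value read from the database or built in code that legitimately contains a backslash loses it; if the step stays here, a comment such as `// NOTE: stripslashes assumes $value came from $_GET/$_POST/$_COOKIE; values from other sources lose backslashes` should say so, and `== 1` on a boolean return can simply be `if (get_magic_quotes_gpc())`. The replacement literal in `str_replace('\\', "\", $valueHtmlEncode)` is shown here as a bare backslash, which is not valid PHP; presumably the page renderer decoded the backslash character entity the source actually uses, which is worth confirming in the committed file.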
|