tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-28 08:14:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

2009-11-19 Miguel de Dios <miguel.dedios@artica.es>

Browse Source 
* include/functions.php: change the "safe_input" for estandarize the input
	and clean bugs for this cause. Now Pandora Console depends of 5.2.3 PHP
	version or up.
	* extensions/dbmanager.php: change the source code to use correctly the
	"safe_input".



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2120 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
This commit is contained in:
mdtrooper 2009-11-19 20:04:11 +00:00
parent 36612c6a58
commit bb69f81d1b
3 changed files with 62 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pandora_console/ChangeLog
View File

@ -1,3 +1,11 @@
2009-11-19 Miguel de Dios <miguel.dedios@artica.es>
* include/functions.php: change the "safe_input" for estandarize the input
and clean bugs for this cause. Now Pandora Console depends of 5.2.3 PHP
version or up.
* extensions/dbmanager.php: change the source code to use correctly the
"safe_input".
2009-11-19 Miguel de Dios <miguel.dedios@artica.es> 2009-11-19 Miguel de Dios <miguel.dedios@artica.es>
* godmode/modules/manage_network_components_form_plugin.php: tiny fix in the * godmode/modules/manage_network_components_form_plugin.php: tiny fix in the

9
pandora_console/extensions/dbmanager.php
View File

@ -20,12 +20,7 @@ function dbmanager_query ($sql, &$error) {
if ($sql == '') if ($sql == '')
return false; return false;
// This following two lines are for real clean the string coming from the PHP $sql = html_entity_decode($sql, ENT_QUOTES);
// because add &#039; for single quote and &quot; for the double, you cannot
// see with a simple echo and mysql reject it, so dont forget to do this.
$sql = unsafe_string ($sql);
$sql = htmlspecialchars_decode ($sql, ENT_QUOTES);
$result = mysql_query ($sql); $result = mysql_query ($sql);
if ($result === false) { if ($result === false) {
@ -71,7 +66,7 @@ function dbmgr_extension_main () {
echo "<br /><br />"; echo "<br /><br />";
echo "<form method='post' action=''>"; echo "<form method='post' action=''>";
print_textarea ('sql', 5, 50, unsafe_string ($sql)); print_textarea ('sql', 5, 50, html_entity_decode($sql, ENT_QUOTES));
echo '<br />'; echo '<br />';
echo '<div class="action-buttons" style="width: 100%">'; echo '<div class="action-buttons" style="width: 100%">';
print_submit_button (__('Execute SQL'), '', false, 'class="sub next"'); print_submit_button (__('Execute SQL'), '', false, 'class="sub next"');

59
pandora_console/include/functions.php
View File

@ -37,24 +37,61 @@ define ('ENTERPRISE_NOT_HOOK', -1);
* *
* @return mixed The cleaned string or array. * @return mixed The cleaned string or array.
*/ */
function safe_input ($value) { //function safe_input ($value) {
if (is_numeric ($value)) // if (is_numeric ($value))
// return $value;
//
// if (is_array ($value)) {
// array_walk ($value, 'safe_input');
// return $value;
// }
//
// if (version_compare (PHP_VERSION, '5.2.3') === 1) {
// if (! mb_check_encoding ($value, 'UTF-8'))
// $value = utf8_encode ($value);
// return htmlentities ($value, ENT_QUOTES, "UTF-8", false);
// } else {
// $translation_table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
// $translation_table[chr(38)] = '&';
// return preg_replace ("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/", "&amp;", strtr ($value, $translation_table));
// }
//}
/**
* Cleans a string by encoding to UTF-8 and replacing the HTML
* entities. UTF-8 is necessary for foreign chars like asian
* and our databases are (or should be) UTF-8
*
* @param mixed String or array of strings to be cleaned.
*
* @return mixed The cleaned string or array.
*/
function safe_input($value) {
//Stop!! Are you sure to modify this critical code? Because the older
//versions are serius headache in many places of Pandora.
if (is_numeric($value))
return $value; return $value;
if (is_array ($value)) { if (is_array($value)) {
array_walk ($value, 'safe_input'); array_walk($value, "safe_input");
return $value; return $value;
} }
if (version_compare (PHP_VERSION, '5.2.3') === 1) { //Clean the trash mix into string because of magic quotes.
if (get_magic_quotes_gpc() == 1) {
$value = stripslashes($value);
}
if (! mb_check_encoding ($value, 'UTF-8')) if (! mb_check_encoding ($value, 'UTF-8'))
$value = utf8_encode ($value); $value = utf8_encode ($value);
return htmlentities ($value, ENT_QUOTES, "UTF-8", false);
} else { $valueHtmlEncode = htmlentities ($value, ENT_QUOTES, "UTF-8", true);
$translation_table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
$translation_table[chr(38)] = '&'; //Replace the character '\' for the equivalent html entitie
return preg_replace ("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/", "&amp;", strtr ($value, $translation_table)); $valueHtmlEncode = str_replace('\\', "&#92;", $valueHtmlEncode);
}
return $valueHtmlEncode;
} }
/** /**