2009-11-19 Miguel de Dios <miguel.dedios@artica.es>

* include/functions.php: change the "safe_input" for estandarize the input
	and clean bugs for this cause. Now Pandora Console depends of 5.2.3 PHP
	version or up.
	* extensions/dbmanager.php: change the source code to use correctly the
	"safe_input".



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@2120 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f

pandora_console/ChangeLog

@@ -1,3 +1,11 @@
+2009-11-19  Miguel de Dios <miguel.dedios@artica.es>
+
+	* include/functions.php: change the "safe_input" for estandarize the input
+	and clean bugs for this cause. Now Pandora Console depends of 5.2.3 PHP
+	version or up.
+	* extensions/dbmanager.php: change the source code to use correctly the
+	"safe_input".
+
 2009-11-19  Miguel de Dios <miguel.dedios@artica.es>
 
 	* godmode/modules/manage_network_components_form_plugin.php: tiny fix in the

pandora_console/extensions/dbmanager.php

@@ -20,12 +20,7 @@ function dbmanager_query ($sql, &$error) {
 	if ($sql == '')
 		return false;
 		
-	// This following two lines are for real clean the string coming from the PHP
-	// because add ' for single quote and " for the double, you cannot 
-	// see with a simple echo and mysql reject it, so dont forget to do this.
-
-	$sql = unsafe_string ($sql);
-	$sql = htmlspecialchars_decode ($sql, ENT_QUOTES);
+	$sql = html_entity_decode($sql, ENT_QUOTES);
 
 	$result = mysql_query ($sql);
 	if ($result === false) {
@@ -71,7 +66,7 @@ function dbmgr_extension_main () {
 
 	echo "<br /><br />";
 	echo "<form method='post' action=''>";
-	print_textarea ('sql', 5, 50, unsafe_string ($sql));
+	print_textarea ('sql', 5, 50, html_entity_decode($sql, ENT_QUOTES));
 	echo '<br />';
 	echo '<div class="action-buttons" style="width: 100%">';
 	print_submit_button (__('Execute SQL'), '', false, 'class="sub next"');

pandora_console/include/functions.php

@@ -37,24 +37,61 @@ define ('ENTERPRISE_NOT_HOOK', -1);
  * 
  * @return mixed The cleaned string or array.
  */
-function safe_input ($value) {
-	if (is_numeric ($value))
+//function safe_input ($value) {
+//	if (is_numeric ($value))
+//		return $value;
+//
+//	if (is_array ($value)) {
+//		array_walk ($value, 'safe_input');
+//		return $value;
+//	}
+//
+//	if (version_compare (PHP_VERSION, '5.2.3') === 1) {
+//		if (! mb_check_encoding ($value, 'UTF-8'))
+//			$value = utf8_encode ($value);
+//		return htmlentities ($value, ENT_QUOTES, "UTF-8", false);
+//	} else {
+//		$translation_table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
+//		$translation_table[chr(38)] = '&';
+//		return preg_replace ("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/", "&", strtr ($value, $translation_table));
+//	}
+//}
+
+/** 
+ * Cleans a string by encoding to UTF-8 and replacing the HTML
+ * entities. UTF-8 is necessary for foreign chars like asian 
+ * and our databases are (or should be) UTF-8
+ * 
+ * @param mixed String or array of strings to be cleaned.
+ * 
+ * @return mixed The cleaned string or array.
+ */
+function safe_input($value) {
+	//Stop!! Are you sure to modify this critical code? Because the older
+	//versions are serius headache in many places of Pandora.
+	
+	if (is_numeric($value))
 		return $value;
 		
-	if (is_array ($value)) {
-		array_walk ($value, 'safe_input');
+	if (is_array($value)) {
+		array_walk($value, "safe_input");
 		return $value;
 	}
 	
-	if (version_compare (PHP_VERSION, '5.2.3') === 1) {
+	//Clean the trash mix into string because of magic quotes.
+	if (get_magic_quotes_gpc() == 1) {
+		$value = stripslashes($value);
+	}
+	
 	if (! mb_check_encoding ($value, 'UTF-8'))
 		$value = utf8_encode ($value);
-		return htmlentities ($value, ENT_QUOTES, "UTF-8", false);
-	} else {
-		$translation_table = get_html_translation_table (HTML_ENTITIES, ENT_QUOTES);
-		$translation_table[chr(38)] = '&';
-		return preg_replace ("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/", "&", strtr ($value, $translation_table));
-	}
+	
+	$valueHtmlEncode =  htmlentities ($value, ENT_QUOTES, "UTF-8", true);
+		
+	//Replace the character '\' for the equivalent html entitie
+	$valueHtmlEncode = str_replace('\\', "\", $valueHtmlEncode);
+	
+	return $valueHtmlEncode;
 }
 
 /**