From c18bb7daee9e14784069dd390441f97af024eb2a Mon Sep 17 00:00:00 2001 From: darode Date: Fri, 8 Oct 2010 11:35:18 +0000 Subject: [PATCH] 2010-10-08 Dario Rodriguez * include/functions_io.php: Added functions ascii_to_html and html_to_ascii. Also use this functions to convert no printing chars in function safe_input and to revert the conversion in function safe_output. * include/functions_db.php: Added function escape_string_sql, is a wrapper db indepenten function to do the same that function mysql_real_escape_string * index.php: Use function escape_string_sql with login parameters. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3372 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f --- pandora_console/ChangeLog | 9 ++++ pandora_console/include/functions_db.php | 17 ++++++++ pandora_console/include/functions_io.php | 52 ++++++++++++++++++++++++ pandora_console/index.php | 5 ++- 4 files changed, 81 insertions(+), 2 deletions(-) diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index 4740594a49..2e7f605c86 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,3 +1,12 @@ +2010-10-08 Dario Rodriguez + + * include/functions_io.php: Added functions ascii_to_html and html_to_ascii. + Also use this functions to convert no printing chars in function safe_input + and to revert the conversion in function safe_output. + * include/functions_db.php: Added function escape_string_sql, is a + wrapper db indepenten function to do the same that function mysql_real_escape_string + * index.php: Use function escape_string_sql with login parameters. + 2010-10-08 Sergio Martin * include/javascript/pandora.js diff --git a/pandora_console/include/functions_db.php b/pandora_console/include/functions_db.php index 7fcb9ec0f7..692e75f14a 100644 --- a/pandora_console/include/functions_db.php +++ b/pandora_console/include/functions_db.php 
@@ -62,6 +62,23 @@ function check_login () {
 	exit;
 }
 
+/**
+ * 
+ * Escape string to set it properly to use in sql queries
+ * 
+ * @param string String to be cleaned.
+ * 
+ * @return string String cleaned.
+ */
+function escape_string_sql ($string) {
+	
+	$str = mysql_real_escape_string($string);
+	
+	return $str;
+}
+
+
+
 /**
  * Return a array of id_group of childrens (to branches down)
  *
diff --git a/pandora_console/include/functions_io.php b/pandora_console/include/functions_io.php
index 1148c3e7fc..d60f1a89cd 100755
--- a/pandora_console/include/functions_io.php
+++ b/pandora_console/include/functions_io.php
@@ -37,10 +37,51 @@ function safe_input($value) {
 	// Specific for MySQL.
 	$valueHtmlEncode = str_replace('/*', "/*", $valueHtmlEncode);
 	$valueHtmlEncode = str_replace('*/', "*/", $valueHtmlEncode);
+	
+	//Replace ( for the html entitie
+	$valueHtmlEncode = str_replace('(', "(", $valueHtmlEncode);
+	
+	//Replace ( for the html entitie
+	$valueHtmlEncode = str_replace(')', ")", $valueHtmlEncode);
+	
+	//Replace some characteres for html entities
+	for ($i=0;$i<32;$i++) {
+		$valueHtmlEncode = str_ireplace(chr($i),ascii_to_html($i), $valueHtmlEncode);
+	}
 	
 	return $valueHtmlEncode;
 }
 
+/**
+ * Convert ascii char to html entitines
+ *
+ * @param int num of ascci char
+ *
+ * @return string String of html entitie
+ */
+function ascii_to_html($num) {
+	
+	if ($num <= 15) {
+		return "�".dechex($num).";";
+	} else {
+		return "&#x".dechex($num).";";
+	}
+}
+
+/**
+ * Convert hexadecimal html entity value to char
+ *
+ * @param string String of html hexadecimal value
+ *
+ * @return string String with char
+ */
+function html_to_ascii($hex) {
+	
+	$dec = hexdec($hex);
+	
+	return chr($dec);
+}
+
 /**
  * Convert the $value encode in html entity to clear char string. This function
  * should be called always to "clean" HTML encoded data; to render to a text
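Review bot: escape_string_sql calls mysql_real_escape_string() with no link argument, so it silently depends on whichever MySQL connection was opened last and returns false (plus a warning) when none is open, and that false is handed straight back to the caller to be concatenated into a query as an empty string; the docblock meanwhile advertises a DB-independent wrapper while the body is MySQL-only. Treat the failure as an error instead of returning it, e.g. `if ($str === false) { trigger_error('escape_string_sql: no open MySQL link', E_USER_WARNING); }` before the return, and say in the docblock that the result is only safe when placed inside a single-quoted SQL string literal — escaping does nothing for unquoted numeric positions or identifiers. A one-line caveat such as `// Requires an already-open mysql link (uses the last one opened); see PDO prepared statements for the parameterised alternative.` would stop callers from reaching for this as a general sanitiser.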
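Review bot: ascii_to_html emits a zero-padded reference for codes 0–15 (the line renders here with a replacement character where the `&#x0` prefix presumably sits) while the revert loop added to safe_output in the next hunk searches for the unpadded `"&#x".dechex($i).";"` form, so for NUL, tab, LF and CR the encode and decode patterns do not match and the round trip relies entirely on html_entity_decode() consuming those references first — confirm that is intended. Deriving both sides from one helper removes the mismatch, e.g. `return sprintf('&#x%02x;', $num);` in ascii_to_html and `str_ireplace(ascii_to_html($i), html_to_ascii(dechex($i)), …)` on the output side. Note also that chr(9), chr(10) and chr(13) fall inside the 0–31 loop, so every multi-line value passed through safe_input is now stored with its newlines as entities; if that is deliberate it deserves a comment such as `// Control chars (incl. tab/CR/LF) are stored entity-encoded; safe_output() reverses this.` str_ireplace() on a single control byte gains nothing over str_replace() and is the slower call.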
@@ -72,6 +113,17 @@ function safe_output($value, $utf8 = true) $valueHtmlEncode = html_entity_decode ($value, ENT_QUOTES); } + //Replace the html entitie of ( for the char + $valueHtmlEncode = str_replace("(", '(', $valueHtmlEncode); + + //Replace the html entitie of ) for the char + $valueHtmlEncode = str_replace(")", ')', $valueHtmlEncode); + + //Revert html entities to chars + for ($i=0;$i<32;$i++) { + $valueHtmlEncode = str_ireplace("&#x".dechex($i).";",html_to_ascii(dechex($i)), $valueHtmlEncode); + } + return $valueHtmlEncode; } diff --git a/pandora_console/index.php b/pandora_console/index.php index 2e799cb024..2dfb3f4526 100644 --- a/pandora_console/index.php +++ b/pandora_console/index.php @@ -157,11 +157,12 @@ if (! isset ($config['id_user']) && isset ($_GET["loginhash"])) { } elseif (! isset ($config['id_user']) && isset ($_GET["login"])) { // Login process - + include_once('include/functions_db.php');//Include it to use escape_string_sql function $config["auth_error"] = ""; //Set this to the error message from the authorization mechanism $nick = get_parameter_post ("nick"); //This is the variable with the login $pass = get_parameter_post ("pass"); //This is the variable with the password - + $nick = escape_string_sql($nick); + $pass = escape_string_sql($pass); // process_user_login is a virtual function which should be defined in each auth file. // It accepts username and password. The rest should be internal to the auth file. // The auth file can set $config["auth_error"] to an informative error output or reference their internal error messages to it
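Review bot: the added revert loop turns `&#x0;` back into a literal NUL byte (html_to_ascii(dechex(0)) is chr(0)) and likewise restores CR and LF, so a value that safe_input encoded from attacker-controlled input leaves safe_output with raw control characters again; that is tolerable when the result goes into an HTML body, but any caller that feeds it into a header, a file path or a C-backed API gets NUL truncation or line injection. Either skip NUL at least, `for ($i=1;$i<32;$i++) {`, or state in safe_output's docblock that its result is for HTML/text rendering only and must not reach non-HTML sinks. The `(` and `)` replacements run after html_entity_decode($value, ENT_QUOTES), which presumably already decodes the numeric references they target (the rendered page shows both arguments as the bare character), so they look redundant — verify. safe_output's body starts above this hunk.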
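Review bot: the new `$nick = escape_string_sql($nick);` and `$pass = escape_string_sql($pass);` lines alter the raw credentials before process_user_login sees them, so a password containing `'`, `"` or `\` is backslash-escaped before it is hashed or compared — and every auth backend, not only a MySQL-backed one, receives the mangled value — which breaks legitimate logins without removing the injection risk at whatever query actually uses them. Nothing in this hunk shows the values being interpolated into SQL; escaping belongs at the query-building site inside the DB-backed auth path (a prepared statement would be better still), so drop the two calls here and escape or bind there. mysql_real_escape_string also needs an open MySQL link, and whether one exists at this point in index.php is not visible in the hunk.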