2010-10-08 Dario Rodriguez <dario.rodriguez@artica.es>

* include/functions_io.php: Added functions ascii_to_html and html_to_ascii. 
	Also use these functions to convert non-printing chars in function safe_input 
	and to revert the conversion in function safe_output.
	* include/functions_db.php: Added function escape_string_sql, a
	db-independent wrapper function that does the same as mysql_real_escape_string
	* index.php: Use function escape_string_sql with login parameters.



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3372 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
This commit is contained in:
darode 2010-10-08 11:35:18 +00:00
parent ec5776bfce
commit c550c2a1a3
4 changed files with 81 additions and 2 deletions


@ -1,3 +1,12 @@
2010-10-08 Dario Rodriguez <dario.rodriguez@artica.es>
* include/functions_io.php: Added functions ascii_to_html and html_to_ascii.
Also use this functions to convert no printing chars in function safe_input
and to revert the conversion in function safe_output.
* include/functions_db.php: Added function escape_string_sql, is a
wrapper db indepenten function to do the same that function mysql_real_escape_string
* index.php: Use function escape_string_sql with login parameters.
2010-10-08 Sergio Martin <sergio.martin@artica.es>
* include/javascript/pandora.js


@ -62,6 +62,23 @@ function check_login () {
exit;
}
/**
*
* Escape string to set it properly to use in sql queries
*
* @param string String to be cleaned.
*
* @return string String cleaned.
*/
function escape_string_sql ($string) {
$str = mysql_real_escape_string($string);
return $str;
}
/**
* Return a array of id_group of childrens (to branches down)
*
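Review bot: `mysql_real_escape_string` on line 46 is called without a link argument, so it relies on the most recently opened MySQL connection and returns `false` (with a warning) when none is open; escape_string_sql then hands `false` back to a caller that is about to interpolate it into SQL, which silently becomes an empty value. The wrapper should refuse that case explicitly, e.g. `if ($str === false) { trigger_error('escape_string_sql: no open MySQL link', E_USER_WARNING); return ''; }`, rather than pass it through. The docblock should also state the two preconditions the body implies: `@note Requires an open mysql link; escaping uses that link's character set, so set it with mysql_set_charset() rather than a SET NAMES query.` The commit message calls this "db independent", but the body is hard-wired to ext/mysql, so the docblock should not repeat that claim.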


@ -37,10 +37,51 @@ function safe_input($value) {
// Specific for MySQL.
$valueHtmlEncode = str_replace('/*', "&#47;&#42;", $valueHtmlEncode);
$valueHtmlEncode = str_replace('*/', "&#42;&#47;", $valueHtmlEncode);
//Replace ( for the html entitie
$valueHtmlEncode = str_replace('(', "&#40;", $valueHtmlEncode);
//Replace ( for the html entitie
$valueHtmlEncode = str_replace(')', "&#41;", $valueHtmlEncode);
//Replace some characteres for html entities
for ($i=0;$i<32;$i++) {
$valueHtmlEncode = str_ireplace(chr($i),ascii_to_html($i), $valueHtmlEncode);
}
return $valueHtmlEncode;
}
/**
* Convert ascii char to html entitines
*
* @param int num of ascci char
*
* @return string String of html entitie
*/
function ascii_to_html($num) {
if ($num <= 15) {
return "&#x0".dechex($num).";";
} else {
return "&#x".dechex($num).";";
}
}
/**
* Convert hexadecimal html entity value to char
*
* @param string String of html hexadecimal value
*
* @return string String with char
*/
function html_to_ascii($hex) {
$dec = hexdec($hex);
return chr($dec);
}
/**
* Convert the $value encode in html entity to clear char string. This function
* should be called always to "clean" HTML encoded data; to render to a text
@ -72,6 +113,17 @@ function safe_output($value, $utf8 = true)
$valueHtmlEncode = html_entity_decode ($value, ENT_QUOTES);
}
//Replace the html entitie of ( for the char
$valueHtmlEncode = str_replace("&#40;", '(', $valueHtmlEncode);
//Replace the html entitie of ) for the char
$valueHtmlEncode = str_replace("&#41;", ')', $valueHtmlEncode);
//Revert html entities to chars
for ($i=0;$i<32;$i++) {
$valueHtmlEncode = str_ireplace("&#x".dechex($i).";",html_to_ascii(dechex($i)), $valueHtmlEncode);
}
return $valueHtmlEncode;
}
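Review bot: The revert loop on line 106 searches for `"&#x".dechex($i).";"`, which for $i <= 15 is `&#xa;`-style with no leading zero, while ascii_to_html on lines 77–78 emits `&#x0a;` for those same values, so the entities for characters 0–15 (tab, LF and CR among them) are never reverted by this loop unless html_entity_decode on line 98 already happened to handle them. Build the needle from the same helper that produced it: `$valueHtmlEncode = str_replace(ascii_to_html($i), chr($i), $valueHtmlEncode);` — this also drops the dechex→hexdec→chr round trip through html_to_ascii, and str_replace suffices because the entity is emitted in lowercase. It is worth a comment on the loop that this deliberately reintroduces raw control characters (including NUL) into the returned string, since callers rendering to a non-HTML sink may not expect that. safe_output's signature and the start of its body are outside this hunk.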


@ -157,11 +157,12 @@ if (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {
}
elseif (! isset ($config['id_user']) && isset ($_GET["login"])) {
// Login process
include_once('include/functions_db.php');//Include it to use escape_string_sql function
$config["auth_error"] = ""; //Set this to the error message from the authorization mechanism
$nick = get_parameter_post ("nick"); //This is the variable with the login
$pass = get_parameter_post ("pass"); //This is the variable with the password
$nick = escape_string_sql($nick);
$pass = escape_string_sql($pass);
// process_user_login is a virtual function which should be defined in each auth file.
// It accepts username and password. The rest should be internal to the auth file.
// The auth file can set $config["auth_error"] to an informative error output or reference their internal error messages to it
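Review bot: Escaping `$nick` and `$pass` with escape_string_sql on lines 121–122 before they reach process_user_login changes the credential itself — a password containing `'`, `"`, `\` or a newline gains backslashes — so any auth module that hashes or compares the password, or that is not backed by MySQL at all (the comments on lines 123–124 say each auth file supplies its own process_user_login), now sees a value different from what the user typed. SQL escaping belongs at the point where the query string is assembled inside the MySQL auth module (or a prepared statement), not in the login controller. As written the call also runs before any auth module has necessarily opened a MySQL link; escape_string_sql wraps mysql_real_escape_string, which returns `false` in that case, so both credentials would become empty. I would remove the two calls here and escape in the auth module at query-building time. The enclosing elseif block continues past the end of this hunk.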