changeset 214:36423e8ab765
Improve input validation.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Sun, 17 Nov 2013 22:01:40 +0200 |
parents | 682a926fd6fb |
children | bfd480370a70 |
files | admajax.php |
diffstat | 1 files changed, 99 insertions(+), 34 deletions(-) [+] |
--- a/admajax.php Sun Nov 17 21:03:57 2013 +0200
+++ b/admajax.php Sun Nov 17 22:01:40 2013 +0200
@@ -9,7 +9,85 @@
 require_once "msite.inc.php";
 require_once "msession.inc.php";
+
+function stCheckRequestCompoData($full)
+{
+ if (!stChkRequestItem("name", $fake,
+ array(CHK_ISGT, VT_STR, 0, "Compo name too short"),
+ array(CHK_ISLT, VT_STR, SET_LEN_COMPO_NAME, "Compo name too long.")) ||
+ !stChkRequestItem("description", $fake,
+ array(CHK_ISGT, VT_STR, 10, "Compo description too short"),
+ array(CHK_ISLT, VT_STR, SET_LEN_COMPO_DESC, "Compo description too long.")))
+ return FALSE;
+
+ if (!$full)
+ return TRUE;
+
+ return
+ stChkRequestItem("visible", $fake,
+ array(CHK_TYPE, VT_BOOL, "Invalid data.")
+ ) &&
+ stChkRequestItem("voting", $fake,
+ array(CHK_TYPE, VT_BOOL, "Invalid data.")
+ ) &&
+ stChkRequestItem("showAuthors", $fake,
+ array(CHK_TYPE, VT_BOOL, "Invalid data.")
+ );
+}
+
+
+function stCheckRequestEntryData(&$compo_id)
+{
+ return
+ stChkRequestItem("name", $fake,
+ array(CHK_ISGT, VT_STR, 0, "Entry name too short."),
+ array(CHK_ISLT, VT_STR, SET_LEN_ENTRY_NAME, "Entry name too long.")
+ ) &&
+ stChkRequestItem("author", $fake,
+ array(CHK_ISGT, VT_STR, 0, "Author name not set."),
+ array(CHK_ISLT, VT_STR, SET_LEN_ENTRY_AUTHOR, "Entry author too long.")
+ ) &&
+ stChkRequestItem("filename", $fake,
+ array(CHK_TYPE, VT_TEXT, "Invalid data."),
+ array(CHK_ISLT, VT_STR, SET_LEN_ENTRY_FILENAME, "Entry filename too long.")
+ ) &&
+ stChkRequestItem("info", $fake,
+ array(CHK_TYPE, VT_TEXT, "Invalid data."),
+ array(CHK_ISLT, VT_STR, SET_LEN_INFO, "Entry info too long.")
+ ) &&
+ stChkRequestItem("compo_id", $compo_id,
+ array(CHK_TYPE, VT_INT, "Invalid compo ID.")
+ );
+}
+
+
+function stCheckRequestNewsData()
+{
+ return
+ stChkRequestItem("text", $fake,
+ array(CHK_ISGT, VT_STR, 0, "News text too short."),
+ array(CHK_ISLT, VT_STR, SET_LEN_NEWS_TEXT, "News text too long.")
+ ) &&
+ stChkRequestItem("author", $fake,
+ array(CHK_ISGT, VT_STR, 0, "News author name too short."),
+ array(CHK_ISLT, VT_STR, SET_LEN_NEWS_AUTHOR, "News author name too long.")
+ ) &&
+ stChkRequestItem("title", $fake,
+ array(CHK_ISGT, VT_STR, 0, "News title too short."),
+ array(CHK_ISLT, VT_STR, SET_LEN_NEWS_TITLE, "News title too long.")
+ );
+}
+
+
+function stGetSaveButton()
+{
+ return "<input type=\"submit\" value=\" Save \" />\n";
+}
+
+
+//
 // Check if we are allowed to execute
+//
 if (!stCheckHTTPS() || !stAdmSessionAuth())
 {
 stSetupCacheControl();
@@ -20,23 +98,18 @@
 exit;
 }
+
+//
+// Initialize
+//
 stSetupCacheControl();
-// Initiate SQL database connection
 if (!stConnectSQLDB())
 die("Could not connect to SQL database.");
-// Fetch non-"hardcoded" settings from SQL database
 stReloadSettings();
-function saveButton()
-{
- return "<input type=\"submit\" value=\" Save \" />\n";
-}
-
-
-// XMLHttp responses
 $type = stGetRequestItem("type", "");
 switch (stGetRequestItem("action", ""))
 {
@@ -136,13 +209,15 @@
 " <td>".$item["desc"]."</td>\n".
 " </tr>\n";
 }
- echo "</table>\n".saveButton();
+ echo "</table>\n".stGetSaveButton();
 foreach (stExecSQL("SELECT * FROM settings WHERE vtype=".VT_TEXT) as $item)
 {
- echo "<h2>".chentities($item["desc"])."</h2>\n".
- stGetFormTextArea(10, 60, "", $item["key"], $prefix, $item["vtext"]).
- "\n<br />\n".saveButton();
+ echo
+ "<h2>".chentities($item["desc"])."</h2>\n".
+ stGetFormTextArea(10, 60, "", $item["key"], $prefix, $item["vtext"]).
+ "\n<br />\n".
+ stGetSaveButton();
 }
 echo "</form>\n";
 break;
@@ -373,8 +448,7 @@
 //
 // Add new entry
 //
- if ($type == "news" && stChkRequestItem("text") &&
- stChkRequestItem("author") && stChkRequestItem("title"))
+ if ($type == "news" && stCheckRequestNewsData())
 {
 $sql = stPrepareSQL(
 "INSERT INTO news (utime,title,text,author) VALUES (%d,%S,%Q,%S)",
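Review bot: None of the four new functions in this hunk carries a header comment, and `$fake` is used as an out-argument without ever being declared, which only works because stChkRequestItem apparently takes its second parameter by reference (inferred from the `&$compo_id` signature of stCheckRequestEntryData, not visible in this file). A one-line header per function would make the contract clear, e.g. above stCheckRequestCompoData: `// Validate the compo fields of the current request; with $full also check the visible/voting/showAuthors flags. Returns TRUE only when every check passes.` and above the first `$fake` use: `$fake = null; // value unused, only the check result matters`. The error strings are inconsistently punctuated: "Compo name too short" and "Compo description too short" lack the trailing period every other message has. Note that `filename` is only checked for type and length; if it is later used to build a filesystem path (not visible here), that use needs its own path-component validation.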
@@ -383,8 +457,7 @@
 stExecSQLCond($sql, "OK, news item added.");
 }
 else
- if ($type == "compo" && stChkRequestItem("name") &&
- stChkRequestItem("description"))
+ if ($type == "compo" && stCheckRequestCompoData(FALSE))
 {
 $sql = stPrepareSQL(
 "INSERT INTO compos (name,description,visible,voting,showAuthors) VALUES (%S,%Q,0,0,0)",
@@ -402,12 +475,11 @@
 stExecSQLCond($sql, "OK, attendee added.");
 }
 else
- if ($type == "entry" && stChkRequestItem("name") &&
- stChkRequestItem("author") && stChkRequestItem("compo_id"))
+ if ($type == "entry" && stCheckRequestEntryData($fake))
 {
 $sql = stPrepareSQL(
- "INSERT INTO entries (name,author,compo_id,filename) VALUES (%S,%S,%D,%S)",
- "name", "author", "compo_id", "filename");
+ "INSERT INTO entries (name,author,compo_id,filename,info) VALUES (%S,%S,%D,%S,%S)",
+ "name", "author", "compo_id", "filename", "info");
 stExecSQLCond($sql, "OK, entry added.");
 }
@@ -442,9 +514,7 @@
 stExecSQLCond($sql, "OK, attendee updated.");
 }
 else
- if ($type == "news" &&
- stChkRequestItem("text") && stChkRequestItem("author") &&
- stChkRequestItem("title"))
+ if ($type == "news" && stCheckRequestNewsData())
 {
 $sql = stPrepareSQLUpdate("news",
 "WHERE id=".intval(stGetRequestItem("id")),
@@ -457,10 +527,7 @@
 stExecSQLCond($sql, "OK, news item updated.");
 }
 else
- if ($type == "compo" &&
- stChkRequestItem("name") && stChkRequestItem("description") &&
- stChkRequestItem("visible") && stChkRequestItem("voting") &&
- stChkRequestItem("showAuthors"))
+ if ($type == "compo" && stCheckRequestCompoData(TRUE))
 {
 $sql = stPrepareSQLUpdate("compos",
 "WHERE id=".intval(stGetRequestItem("id")),
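Review bot: In the entry-insert branch (hunk -402,12 +475,11) the validated compo ID is thrown away by passing `$fake` to stCheckRequestEntryData, so unlike the update path at -475,14 +542,11 the insert never verifies that the referenced compo exists; the INSERT itself still goes through stPrepareSQL's `%D` placeholder, so this is a referential-integrity gap rather than an injection one. Capturing the ID and reusing the same lookup would make the two paths behave alike: `if ($type == "entry" && stCheckRequestEntryData($compo_id))` followed by the `stFetchSQLColumn("SELECT id FROM compos WHERE id=" ...)` existence check the update branch performs before the write. The `FALSE`/`TRUE` literals passed to stCheckRequestCompoData in the neighbouring hunks are bare boolean flags; a short trailing comment such as `// FALSE: visibility/voting flags not part of a new compo` at each call site would spare the reader a trip to the definition. The enclosing switch case continues outside these hunks.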
@@ -475,14 +542,11 @@
 stExecSQLCond($sql, "OK, compo updated.");
 }
 else
- if ($type == "entry" &&
- stChkRequestItem("name") && stChkRequestItem("author") &&
- stChkRequestItem("compo_id"))
+ if ($type == "entry" && stCheckRequestEntryData($compo_id))
 {
- $cid = stGetRequestItem("compo_id");
- if (stFetchSQLColumn("SELECT id FROM compos WHERE id=".$cid) === FALSE)
+ if (stFetchSQLColumn("SELECT id FROM compos WHERE id=".$compo_id) === FALSE)
 {
- stError("No such compo id.");
+ stError("No such compo ID.");
 }
 else
 {
@@ -492,6 +556,7 @@
 "name" => "S",
 "author" => "S",
 "filename" => "S",
+ "info" => "S",
 "compo_id" => "D",
 ));
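Review bot: The existence lookup still builds its SQL by string concatenation, `"SELECT id FROM compos WHERE id=".$compo_id`, and whether that is now safe depends on stChkRequestItem actually converting its by-reference argument to an integer on a VT_INT check rather than only validating it; that helper is not visible in this file, so the concatenation should not rely on it. The file's own idiom for IDs in the neighbouring update branches is `intval(stGetRequestItem("id"))`, so the cheapest consistent fix is `if (stFetchSQLColumn("SELECT id FROM compos WHERE id=".intval($compo_id)) === FALSE)`, or routing the query through stPrepareSQL's `%D` placeholder as the INSERT paths do. The `else` block this check opens continues past the end of the hunk.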