# HG changeset patch # User Matti Hamalainen # Date 1384718500 -7200 # Node ID 36423e8ab76563c5e77518b44e268a9992af2c82 # Parent 682a926fd6fb6d2c7b54c8ec30dcbbd2e16631c7 Improve input validation. diff -r 682a926fd6fb -r 36423e8ab765 admajax.php --- a/admajax.php Sun Nov 17 21:03:57 2013 +0200 +++ b/admajax.php Sun Nov 17 22:01:40 2013 +0200 
@@ -9,7 +9,85 @@ require_once "msite.inc.php"; require_once "msession.inc.php"; + +function stCheckRequestCompoData($full) +{ + if (!stChkRequestItem("name", $fake, + array(CHK_ISGT, VT_STR, 0, "Compo name too short"), + array(CHK_ISLT, VT_STR, SET_LEN_COMPO_NAME, "Compo name too long.")) || + !stChkRequestItem("description", $fake, + array(CHK_ISGT, VT_STR, 10, "Compo description too short"), + array(CHK_ISLT, VT_STR, SET_LEN_COMPO_DESC, "Compo description too long."))) + return FALSE; + + if (!$full) + return TRUE; + + return + stChkRequestItem("visible", $fake, + array(CHK_TYPE, VT_BOOL, "Invalid data.") + ) && + stChkRequestItem("voting", $fake, + array(CHK_TYPE, VT_BOOL, "Invalid data.") + ) && + stChkRequestItem("showAuthors", $fake, + array(CHK_TYPE, VT_BOOL, "Invalid data.") + ); +} + + +function stCheckRequestEntryData(&$compo_id) +{ + return + stChkRequestItem("name", $fake, + array(CHK_ISGT, VT_STR, 0, "Entry name too short."), + array(CHK_ISLT, VT_STR, SET_LEN_ENTRY_NAME, "Entry name too long.") + ) && + stChkRequestItem("author", $fake, + array(CHK_ISGT, VT_STR, 0, "Author name not set."), + array(CHK_ISLT, VT_STR, SET_LEN_ENTRY_AUTHOR, "Entry author too long.") + ) && + stChkRequestItem("filename", $fake, + array(CHK_TYPE, VT_TEXT, "Invalid data."), + array(CHK_ISLT, VT_STR, SET_LEN_ENTRY_FILENAME, "Entry filename too long.") + ) && + stChkRequestItem("info", $fake, + array(CHK_TYPE, VT_TEXT, "Invalid data."), + array(CHK_ISLT, VT_STR, SET_LEN_INFO, "Entry info too long.") + ) && + stChkRequestItem("compo_id", $compo_id, + array(CHK_TYPE, VT_INT, "Invalid compo ID.") + ); +} + + +function stCheckRequestNewsData() +{ + return + stChkRequestItem("text", $fake, + array(CHK_ISGT, VT_STR, 0, "News text too short."), + array(CHK_ISLT, VT_STR, SET_LEN_NEWS_TEXT, "News text too long.") + ) && + stChkRequestItem("author", $fake, + array(CHK_ISGT, VT_STR, 0, "News author name too short."), + array(CHK_ISLT, VT_STR, SET_LEN_NEWS_AUTHOR, "News author name too 
long.") + ) && + stChkRequestItem("title", $fake, + array(CHK_ISGT, VT_STR, 0, "News title too short."), + array(CHK_ISLT, VT_STR, SET_LEN_NEWS_TITLE, "News title too long.") + ); +} + + +function stGetSaveButton() +{ + return "\n"; +} + + +// // Check if we are allowed to execute +// if (!stCheckHTTPS() || !stAdmSessionAuth()) { stSetupCacheControl(); @@ -20,23 +98,18 @@ exit; } + +// +// Initialize +// stSetupCacheControl(); -// Initiate SQL database connection if (!stConnectSQLDB()) die("Could not connect to SQL database."); -// Fetch non-"hardcoded" settings from SQL database stReloadSettings(); -function saveButton() -{ - return "\n"; -} - - -// XMLHttp responses $type = stGetRequestItem("type", ""); switch (stGetRequestItem("action", "")) { @@ -136,13 +209,15 @@ " ".$item["desc"]."\n". " \n"; } - echo "\n".saveButton(); + echo "\n".stGetSaveButton(); foreach (stExecSQL("SELECT * FROM settings WHERE vtype=".VT_TEXT) as $item) { - echo "

".chentities($item["desc"])."

\n". - stGetFormTextArea(10, 60, "", $item["key"], $prefix, $item["vtext"]). - "\n
\n".saveButton(); + echo + "

".chentities($item["desc"])."

\n". + stGetFormTextArea(10, 60, "", $item["key"], $prefix, $item["vtext"]). + "\n
\n". + stGetSaveButton(); } echo "\n"; break; @@ -373,8 +448,7 @@ // // Add new entry // - if ($type == "news" && stChkRequestItem("text") && - stChkRequestItem("author") && stChkRequestItem("title")) + if ($type == "news" && stCheckRequestNewsData()) { $sql = stPrepareSQL( "INSERT INTO news (utime,title,text,author) VALUES (%d,%S,%Q,%S)", @@ -383,8 +457,7 @@ stExecSQLCond($sql, "OK, news item added."); } else - if ($type == "compo" && stChkRequestItem("name") && - stChkRequestItem("description")) + if ($type == "compo" && stCheckRequestCompoData(FALSE)) { $sql = stPrepareSQL( "INSERT INTO compos (name,description,visible,voting,showAuthors) VALUES (%S,%Q,0,0,0)", @@ -402,12 +475,11 @@ stExecSQLCond($sql, "OK, attendee added."); } else - if ($type == "entry" && stChkRequestItem("name") && - stChkRequestItem("author") && stChkRequestItem("compo_id")) + if ($type == "entry" && stCheckRequestEntryData($fake)) { $sql = stPrepareSQL( - "INSERT INTO entries (name,author,compo_id,filename) VALUES (%S,%S,%D,%S)", - "name", "author", "compo_id", "filename"); + "INSERT INTO entries (name,author,compo_id,filename,info) VALUES (%S,%S,%D,%S,%S)", + "name", "author", "compo_id", "filename", "info"); stExecSQLCond($sql, "OK, entry added."); } @@ -442,9 +514,7 @@ stExecSQLCond($sql, "OK, attendee updated."); } else - if ($type == "news" && - stChkRequestItem("text") && stChkRequestItem("author") && - stChkRequestItem("title")) + if ($type == "news" && stCheckRequestNewsData()) { $sql = stPrepareSQLUpdate("news", "WHERE id=".intval(stGetRequestItem("id")), @@ -457,10 +527,7 @@ stExecSQLCond($sql, "OK, news item updated."); } else - if ($type == "compo" && - stChkRequestItem("name") && stChkRequestItem("description") && - stChkRequestItem("visible") && stChkRequestItem("voting") && - stChkRequestItem("showAuthors")) + if ($type == "compo" && stCheckRequestCompoData(TRUE)) { $sql = stPrepareSQLUpdate("compos", "WHERE id=".intval(stGetRequestItem("id")), 
@@ -475,14 +542,11 @@ stExecSQLCond($sql, "OK, compo updated."); } else - if ($type == "entry" && - stChkRequestItem("name") && stChkRequestItem("author") && - stChkRequestItem("compo_id")) + if ($type == "entry" && stCheckRequestEntryData($compo_id)) { - $cid = stGetRequestItem("compo_id"); - if (stFetchSQLColumn("SELECT id FROM compos WHERE id=".$cid) === FALSE) + if (stFetchSQLColumn("SELECT id FROM compos WHERE id=".$compo_id) === FALSE) { - stError("No such compo id."); + stError("No such compo ID."); } else { @@ -492,6 +556,7 @@ "name" => "S", "author" => "S", "filename" => "S", + "info" => "S", "compo_id" => "D", ));
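Review bot: in the first hunk, every check in stCheckRequestCompoData, stCheckRequestEntryData and stCheckRequestNewsData passes an undeclared `$fake` as the second argument of stChkRequestItem. If that parameter is by-reference (as the `stChkRequestItem("compo_id", $compo_id, ...)` call suggests) PHP creates the variable silently, but the intent is invisible to a reader and any later change to a non-reference signature would raise undefined-variable notices. Suggest initialising it once per function (`$fake = NULL; // validated value intentionally discarded`). In stCheckRequestEntryData the "filename" and "info" items are checked with `CHK_TYPE, VT_TEXT` and then `CHK_ISLT, VT_STR` for the same value; please confirm the two type codes are meant to differ, and whether a missing "filename" or "info" now fails the whole entry check, since the old insert branch only required name, author and compo_id. Minor: "Compo name too short" and "Compo description too short" lack the trailing period the other messages carry.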
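Review bot: in the `@@ -20,23 +98,18 @@` hunk the comments "Initiate SQL database connection" and "Fetch non-"hardcoded" settings from SQL database" are dropped in favour of a bare "Initialize" block comment, so the purpose of stConnectSQLDB() and stReloadSettings() at this point is no longer documented. Suggest keeping the per-call comments underneath the new heading.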
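Review bot: in the `@@ -402,12 +475,11 @@` hunk the add-entry branch calls `stCheckRequestEntryData($fake)` and discards the validated compo_id, and unlike the update branch it performs no `SELECT id FROM compos WHERE id=...` existence check before the INSERT, so a well-formed integer that matches no compo row is accepted. Suggest capturing the ID into a named variable and reusing the same existence check as the update path.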
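Review bot: in the `@@ -475,14 +542,11 @@` hunk, `"SELECT id FROM compos WHERE id=".$compo_id` still builds the query by string concatenation and now depends entirely on the `CHK_TYPE, VT_INT` check inside stCheckRequestEntryData for SQL safety; the surrounding code uses `intval(stGetRequestItem("id"))` and the `%d`/`%D` placeholders of stPrepareSQL for the same purpose. Suggest `intval($compo_id)` or the placeholder helper here too, so the query's safety does not rest on a validator defined elsewhere. The "No such compo id." to "No such compo ID." wording change is cosmetic and unrelated to the validation fix.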
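Review bot: in the `@@ -457,10 +527,7 @@` hunk the compo update now relies on stCheckRequestCompoData(TRUE), whose checks for "visible", "voting" and "showAuthors" all report the same "Invalid data." message, so the operator cannot tell which field was rejected. Suggest naming the field in each message, e.g. "Invalid value for 'visible'.".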