changeset 184:1b30c2107e5b

Add function for validating input with different definable conditions. Use this functionality in register.inc.php. Define field sizes.
author Matti Hamalainen <ccr@tnsp.org>
date Fri, 08 Nov 2013 18:54:54 +0200
parents 320d6b68062b
children 449b2862cc75
files msite.inc.php msitegen.inc.php register.inc.php
diffstat 3 files changed, 139 insertions(+), 20 deletions(-) [+]
--- a/msite.inc.php	Fri Nov 08 12:08:16 2013 +0200
+++ b/msite.inc.php	Fri Nov 08 18:54:54 2013 +0200
@@ -6,10 +6,31 @@
 //
 require_once "msitegen.inc.php";
 
+// Define modes of party information display system
 define("SMODE_ROTATE", 1);
 define("SMODE_COMPO", 2);
 
 
+// Define sizes of database fields, see createdb.php
+// and also the places where input is validated.
+define("SET_LEN_USERNAME", 32);
+define("SET_LEN_GROUPS", 64);
+define("SET_LEN_ONELINER", 64);
+define("SET_LEN_EMAIL", 80);
+
+define("SET_LEN_NEWS_TITLE", 128);
+define("SET_LEN_NEWS_TEXT", 4096);
+define("SET_LEN_NEWS_AUTHOR", 64);
+
+define("SET_LEN_COMPO_NAME", 128);
+define("SET_LEN_COMPO_DESC", 4096);
+
+define("SET_LEN_ENTRY_NAME", 64);
+define("SET_LEN_ENTRY_AUTHOR", 64);
+define("SET_LEN_ENTRY_FILENAME", 256);
+define("SET_LEN_ENTRY_INFO", 256);
+
+
 //
 // Different voting modes
 //
--- a/msitegen.inc.php	Fri Nov 08 12:08:16 2013 +0200
+++ b/msitegen.inc.php	Fri Nov 08 18:54:54 2013 +0200
@@ -9,11 +9,19 @@
 $errorSet = FALSE;
 $errorMsg = "";
 
+// Value types
 define("VT_STR", 1);
 define("VT_INT", 2);
 define("VT_BOOL", 3);
 define("VT_TEXT", 4);
 
+// Validation check types
+define("CHK_TYPE", 1);
+define("CHK_ISLT", 2);
+define("CHK_ISGT", 3);
+define("CHK_ISEQ", 4);
+define("CHK_CUSTOM", 5);
+
 
 function stDebug($msg)
 {
@@ -206,15 +214,97 @@
 }
 
 
-function stChkDataItem($name)
+function stErrorStrF($msg, $data)
 {
-  return !isset($_REQUEST[$name]) || strlen(trim($_REQUEST[$name])) < 1;
+  stError($msg);
+  return FALSE;
 }
 
 
-function stChkRequestItem($name)
+//
+// Check and validate one item from $_REQUEST[], based on
+// list of validation conditions. For example:
+//
+//  stChkRequestItem("name", FALSE,
+//    array(CHK_ISGT, VT_STR, 0, "Handle / name not given."),
+//    array(CHK_ISGT, VT_STR, 3, "Handle / name too short, should be 3 characters or more."),
+//    array(CHK_ISLT, VT_STR, SET_LEN_USERNAME, "Handle / name is too long, should be less than ".SET_LEN_USERNAME." characters."));
+//
+function stChkRequestItem($name, &$sdata)
 {
-  return isset($_REQUEST[$name]);
+  if (!isset($_REQUEST[$name]))
+    return FALSE;
+
+  $data = trim($_REQUEST[$name]);
+  $slen = strlen($data);
+
+  if ($sdata !== FALSE)
+    $sdata = $data;
+
+  // Go through list of validation checks
+  $argc = func_num_args();
+  $argv = func_get_args();
+
+  for ($argn = 2; $argn < $argc; $argn++)
+  {
+    // Act according to check type
+    $check = $argv[$argn];
+    switch ($check[0])
+    {
+      case CHK_TYPE:
+        // Check type of the data
+        switch ($check[1])
+        {
+          case VT_STR:
+            if ($slen == 0)
+              return stErrorStrF($check[2], $data);
+            break;
+
+          case VT_INT:
+          case VT_BOOL:
+            if ($slen == 0 || !is_numeric($data))
+              return stErrorStrF($check[2], $data);
+            break;
+        }
+        break;
+
+      case CHK_ISLT:
+      case CHK_ISGT:
+      case CHK_ISEQ:
+        // Check length or value of the data
+        switch ($check[1])
+        {
+          case VT_STR:
+          case VT_TEXT:
+            // Strings get their length checked
+            if (($check[0] == CHK_ISLT && $slen >= $check[2]) ||
+                ($check[0] == CHK_ISGT && $slen <= $check[2]) ||
+                ($check[0] == CHK_ISEQ && $slen != $check[2]))
+                return stErrorStrF($check[3], $data);
+            break;
+
+          case VT_INT:
+          case VT_BOOL:
+            // Integer values checked against .. value
+            $sval = to_int($data);
+            if (($check[0] == CHK_ISLT && $sval >= $check[2]) ||
+                ($check[0] == CHK_ISGT && $sval <= $check[2]) ||
+                ($check[0] == CHK_ISEQ && $sval != $check[2]))
+                return stErrorStrF($check[3], $data);
+            break;
+        }
+        break;
+
+      case CHK_CUSTOM:
+        // Call a custom function (or closure)
+        $func = $check[1];
+        if (!is_callable($func) || !$func($data))
+          return stErrorStrF($check[2], $data);
+        break;
+    }
+  }
+
+  return TRUE;
 }
 
 
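Review bot: An absent request parameter silently passes validation: when `$_REQUEST[$name]` is not set the function returns FALSE without calling stError(), none of the checks run and `$sdata` is left untouched, so a client that omits a field entirely skips rules that a client sending an empty value would fail (the register.inc.php callers also discard the return value). Treating a missing item as an empty string, `$data = isset($_REQUEST[$name]) ? trim($_REQUEST[$name]) : "";`, lets the existing CHK_ISGT/VT_STR 0 rule report it through the caller's own message. Separately, the `&$sdata` parameter is compared with FALSE to mean "don't hand the value back", but a literal FALSE cannot be passed to a by-reference parameter in PHP (fatal "Cannot pass parameter 2 by reference"), which is exactly what the new register.inc.php call sites do; a non-reference parameter with a separate accessor, or a variable at the call sites, avoids that. `stErrorStrF()` never uses its `$data` argument, and the CHK_TYPE switch has no VT_TEXT arm, so `array(CHK_TYPE, VT_TEXT, ...)` is accepted without any check.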
--- a/register.inc.php	Fri Nov 08 12:08:16 2013 +0200
+++ b/register.inc.php	Fri Nov 08 18:54:54 2013 +0200
@@ -122,11 +122,11 @@
   stGetFormStart("register").
   " ".stGetFormHiddenInput("mode", "check")."\n".
   " ".stGetFormHiddenInput("hash", $botCheckHash)."\n".
-  " <table>\n";
-  stPrintFormTextInput("Handle:", "(elite)", 30, 30, "name");
-  stPrintFormTextInput("Group(s):", "(elite crew^supahmen)", 40, 64, "groups");
-  stPrintFormTextInput("E-mail:", "(to be informed of location etc)", 40, 64, "email");
-  stPrintFormTextInput("Oneliner:", "(whatever)", 64, 64, "oneliner");
+  " <table class=\"register\">\n";
+  stPrintFormTextInput("Handle:", "(elite)", 20, SET_LEN_USERNAME, "name");
+  stPrintFormTextInput("Group(s):", "(elite crew^supahmen)", 30, SET_LEN_GROUPS, "groups");
+  stPrintFormTextInput("E-mail:", "(to be informed of location etc)", 30, SET_LEN_EMAIL, "email");
+  stPrintFormTextInput("Oneliner:", "(whatever)", 30, SET_LEN_ONELINER, "oneliner");
   stPrintFormTextInput(hashToCheckStr($botCheckHash)." = ", "(I.Q. / robot check".
   //" [".hashToAnswer($botCheckHash)."]".
   ")", 20, 20, "botcheck", "autocomplete=\"off\"");
@@ -143,23 +143,31 @@
   //
   // Check the registrant's details
   //
-  if (stChkDataItem("name") || strlen(stGetRequestItem("name")) < 3)
-    stError("Handle / name not given, or too short.");
+  stChkRequestItem("name", FALSE,
+    array(CHK_ISGT, VT_STR, 0, "Handle / name not given."),
+    array(CHK_ISGT, VT_STR, 3, "Handle / name too short, should be 3 characters or more."),
+    array(CHK_ISLT, VT_STR, SET_LEN_USERNAME, "Handle / name is too long, should be less than ".SET_LEN_USERNAME." characters."));
 
-  if (stChkDataItem("hash"))
-    stError("Invalid data.");
+  stChkRequestItem("groups", FALSE,
+    array(CHK_ISLT, VT_STR, SET_LEN_GROUPS, "Groups are too long, should be less than ".SET_LEN_GROUPS." characters."));
+
+  stChkRequestItem("oneliner", FALSE,
+    array(CHK_ISLT, VT_STR, SET_LEN_ONELINER, "Oneliner is too long, should be less than ".SET_LEN_ONELINER." characters."));
+
+  stChkRequestItem("hash", $hash,
+    array(CHK_GTEQ, VT_STR, 0, "Invalid data."));
+
 
   $email = stGetRequestItem("email");
-  if (stGetSetting("requireEMail"))
-  {
-    if (stChkDataItem("email") || strlen($email) < 4)
-      stError("E-mail address not given, or it is too short.");
-  }
+  if (stGetSetting("requireEMail") && strlen($email) < 4)
+    stError("E-mail address not given, or it is too short.");
 
   if (strlen($email) > 0 && (strpos($email, "@") === FALSE || strpos($email, ".") === FALSE))
     stError("E-mail address not in proper format.");
 
-  $hash = stGetRequestItem("hash");
+  if (strlen($email) > SET_LEN_EMAIL)
+    stError("E-mail address too long, max ".SET_LEN_EMAIL." characters.");
+
   $answer = stGetRequestItem("botcheck");
   if (hashToAnswer($hash) != intval($answer))
     stError("Incorrect answer to I.Q. / bot check.");
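Review bot: `CHK_GTEQ` in the hash check is not among the constants this changeset defines (CHK_TYPE, CHK_ISLT, CHK_ISGT, CHK_ISEQ, CHK_CUSTOM), so PHP substitutes the string "CHK_GTEQ" with a notice, the switch in stChkRequestItem() matches nothing and "Invalid data." can never be reported; `array(CHK_ISGT, VT_STR, 0, "Invalid data.")` is presumably what was meant. The removed `$hash = stGetRequestItem("hash");` was the only unconditional assignment: `$hash` is now set only by reference when `$_REQUEST["hash"]` exists, so a request without it reaches `hashToAnswer($hash)` with `$hash` undefined and no error recorded. The name, groups and oneliner calls pass the literal FALSE to the by-reference `$sdata` parameter, which PHP rejects; use a variable there (e.g. `$unused = FALSE;`) or drop the reference on the callee side. The enclosing block starts outside this hunk.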
@@ -181,7 +189,7 @@
     {
       echo stGetSetting("registerPostText");
 
-      if (stChkDataItem("email"))
+      if (strlen($email) < 4)
         echo stGetSetting("registerPostNoEmail");
     }
     else