changeset 207:e31c42a9b574

Slowly work on input validation.
author Matti Hamalainen <ccr@tnsp.org>
date Sun, 17 Nov 2013 19:26:46 +0200
parents 1fa109a0c583
children 8985d2bdb29b
files admajax.php msite.inc.php register.inc.php
diffstat 3 files changed, 49 insertions(+), 34 deletions(-) [+]
--- a/admajax.php	Sun Nov 17 19:07:08 2013 +0200
+++ b/admajax.php	Sun Nov 17 19:26:46 2013 +0200
@@ -217,9 +217,9 @@
       {
         echo
           "<form method=\"post\" action=\"\" onsubmit=\"return addNews()\">\n".
-          "  ".stGetFormTextInput(40, 40, "", "nntitle", "", "")."<br />\n".
+          "  ".stGetFormTextInput(40, SET_LEN_NEWS_TITLE, "", "nntitle", "", "")."<br />\n".
           "  ".stGetFormTextArea(5, 60, "", "nntext", "", "")."<br />\n".
-          "  ".stGetFormTextInput(20, 20, "", "nnauthor", "", "orgaz")."\n".
+          "  ".stGetFormTextInput(20, SET_LEN_NEWS_AUTHOR, "", "nnauthor", "", "orgaz")."\n".
           "  ".stGetFormSubmitInput("nnadd", "Add post")."\n".
           "  ".stGetFormButtonInput("", "", "", "Clear", "this.form.reset()")."\n".
           "</form>\n".
@@ -251,10 +251,10 @@
           "  <th>Actions</th>\n".
           " </tr>\n".
           " <tr>\n".
-          "  <td>".stGetFormTextInput(20, 64, "name", "x", $prefix, "")."</td>\n".
-          "  <td>".stGetFormTextInput(20, 64, "groups", "x", $prefix, "")."</td>\n".
-          "  <td>".stGetFormTextInput(30, 64, "oneliner", "x", $prefix, "")."</td>\n".
-          "  <td>".stGetFormTextInput(20, 64, "email", "x", $prefix, "")."</td>\n".
+          "  <td>".stGetFormTextInput(20, SET_LEN_USERNAME, "name", "x", $prefix, "")."</td>\n".
+          "  <td>".stGetFormTextInput(20, SET_LEN_GROUPS,   "groups", "x", $prefix, "")."</td>\n".
+          "  <td>".stGetFormTextInput(30, SET_LEN_ONELINER, "oneliner", "x", $prefix, "")."</td>\n".
+          "  <td>".stGetFormTextInput(20, SET_LEN_EMAIL,    "email", "x", $prefix, "")."</td>\n".
           "  <td>".stGetFormButtonInput("add", "", $prefix, " Add new ", "addAttendee()")."</td>\n".
           " </tr>\n".
           "</table>\n".
@@ -314,7 +314,7 @@
       {
         echo
           "<form method=\"post\" action=\"\" onsubmit=\"return addCompo()\">\n".
-          "  ".stGetFormTextInput(64, 64, "", "ncname", "", "")."<br />\n".
+          "  ".stGetFormTextInput(64, SET_LEN_COMPO_NAME, "", "ncname", "", "")."<br />\n".
           "  ".stGetFormTextArea(5, 60, "", "ncdescription", "", "")."<br />\n".
           "  ".stGetFormSubmitInput("nccompo", "Add compo")."\n".
           "  ".stGetFormButtonInput("", "", "", "Clear", "this.form.reset()")."\n".
@@ -328,7 +328,7 @@
           echo
             "<div id=\"compo".$id."\">\n".
             "<h2>#".$id." - ".chentities($item["name"])."</h2>\n".
-            stGetFormTextInput(40, 64, "name", $id, $prefix, $item["name"])."\n".
+            stGetFormTextInput(40, SET_LEN_COMPO_NAME, "name", $id, $prefix, $item["name"])."\n".
             stGetFormCheckBoxInput("visible", $id, $prefix, $item["visible"], "Visible")."\n".
             stGetFormCheckBoxInput("showAuthors", $id, $prefix, $item["showAuthors"], "Show authors")."\n".
             stGetFormCheckBoxInput("voting", $id, $prefix, $item["voting"], "Enable voting")."<br />\n".
@@ -403,9 +403,7 @@
       stExecSQLCond($sql, "OK, compo added.");
     }
     else
-    if ($type == "attendees" && stChkRequestItem("name") &&
-      stChkRequestItem("groups") && stChkRequestItem("oneliner") &&
-      stChkRequestItem("email"))
+    if ($type == "attendees" && stCheckRequestUserData(TRUE))
     {
       $sql = stPrepareSQL(
         "INSERT INTO attendees (regtime,name,groups,oneliner,email) VALUES (%d,%S,%S,%S,%S)",
@@ -431,9 +429,7 @@
     //
     // Update existing entry
     //
-    if ($type == "attendees" && stChkRequestItem("id") &&
-      stChkRequestItem("name") && stChkRequestItem("groups") &&
-      stChkRequestItem("email") && stChkRequestItem("oneliner"))
+    if ($type == "attendees" && stCheckRequestUserData(TRUE))
     {
       $sql = stPrepareSQLUpdate("attendees",
         "WHERE id=".intval(stGetRequestItem("id")),
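Review bot: The rewritten condition drops the `stChkRequestItem("id")` test that the old condition carried, so an update request with no `id` item now reaches the `"WHERE id=".intval(stGetRequestItem("id"))` clause; if stGetRequestItem() yields an empty value for a missing field, intval() turns it into 0 and the UPDATE runs against id 0 instead of being rejected. stCheckRequestUserData() only covers name, groups, oneliner and email, so it does not replace that check. Keep the id test next to the new call: `if ($type == "attendees" && stChkRequestItem("id") && stCheckRequestUserData(TRUE))`. The enclosing block continues outside the hunk.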
--- a/msite.inc.php	Sun Nov 17 19:07:08 2013 +0200
+++ b/msite.inc.php	Sun Nov 17 19:26:46 2013 +0200
@@ -244,4 +244,42 @@
 }
 
 
+function stCheckRequestUserData($admin)
+{
+  if (!stChkRequestItem("name", $fake,
+    array(CHK_ISGT, VT_STR, 0, "Handle / name not given."),
+    array(CHK_ISLT, VT_STR, SET_LEN_USERNAME, "Handle / name is too long, should be less than ".SET_LEN_USERNAME." characters.")
+    )) return FALSE;
+
+  if (!stChkRequestItem("groups", $fake,
+    array(CHK_ISLT, VT_STR, SET_LEN_GROUPS, "Groups are too long, should be less than ".SET_LEN_GROUPS." characters.")
+    )) return FALSE;
+
+  if (!stChkRequestItem("oneliner", $fake,
+    array(CHK_ISLT, VT_STR, SET_LEN_ONELINER, "Oneliner is too long, should be less than ".SET_LEN_ONELINER." characters.")
+    )) return FALSE;
+
+  $email = stGetRequestItem("email");
+  if (!$admin && stGetSetting("requireEMail") && strlen($email) < 4)
+  {
+    stError("E-mail address not given, or it is too short.");
+    return FALSE;
+  }
+
+  if (strlen($email) > 0 && (strpos($email, "@") === FALSE || strpos($email, ".") === FALSE))
+  {
+    stError("E-mail address not in proper format.");
+    return FALSE;
+  }
+
+  if (strlen($email) > SET_LEN_EMAIL)
+  {
+    stError("E-mail address too long, max ".SET_LEN_EMAIL." characters.");
+    return FALSE;
+  }
+  
+  return TRUE;
+}
+
+
 ?>
\ No newline at end of file
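Review bot: The e-mail format test `strpos($email, "@") === FALSE || strpos($email, ".") === FALSE` accepts any string containing one "@" and one "." anywhere (e.g. `@.` or `.a@`) and is the weakest check in the new function; PHP's built-in validator is just as short and considerably stricter: `if (strlen($email) > 0 && filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE)`. The email item is also the only one read through stGetRequestItem() rather than stChkRequestItem(), so an absent `email` field is presumably treated as an empty string instead of being reported — worth confirming that this is intended for the non-admin path. The function has no header comment; a docblock should state that it validates the name, groups, oneliner and email request items, that `$admin` = TRUE skips the requireEMail check, and that it returns FALSE after the first failing check (reporting via stError(), and presumably via stChkRequestItem() for the first three) rather than collecting all errors. `$fake` is passed uninitialised, as the old inline code did; if stChkRequestItem() takes it by reference that is harmless, but a short `$fake = NULL;` above the first call would make it explicit.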
--- a/register.inc.php	Sun Nov 17 19:07:08 2013 +0200
+++ b/register.inc.php	Sun Nov 17 19:26:46 2013 +0200
@@ -157,29 +157,10 @@
   //
   // Check the registrant's details
   //
-  stChkRequestItem("name", $fake,
-    array(CHK_ISGT, VT_STR, 0, "Handle / name not given."),
-    array(CHK_ISLT, VT_STR, SET_LEN_USERNAME, "Handle / name is too long, should be less than ".SET_LEN_USERNAME." characters."));
-
-  stChkRequestItem("groups", $fake,
-    array(CHK_ISLT, VT_STR, SET_LEN_GROUPS, "Groups are too long, should be less than ".SET_LEN_GROUPS." characters."));
-
-  stChkRequestItem("oneliner", $fake,
-    array(CHK_ISLT, VT_STR, SET_LEN_ONELINER, "Oneliner is too long, should be less than ".SET_LEN_ONELINER." characters."));
-
   stChkRequestItem("hash", $hash,
     array(CHK_GTEQ, VT_STR, 0, "Invalid data."));
 
-
-  $email = stGetRequestItem("email");
-  if (stGetSetting("requireEMail") && strlen($email) < 4)
-    stError("E-mail address not given, or it is too short.");
-
-  if (strlen($email) > 0 && (strpos($email, "@") === FALSE || strpos($email, ".") === FALSE))
-    stError("E-mail address not in proper format.");
-
-  if (strlen($email) > SET_LEN_EMAIL)
-    stError("E-mail address too long, max ".SET_LEN_EMAIL." characters.");
+  stCheckRequestUserData(FALSE);
 
   $answer = stGetRequestItem("botcheck");
   if (hashToAnswer($hash) != intval($answer))
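Review bot: The result of `stCheckRequestUserData(FALSE);` is discarded, so this line can only work through the helper's side effect of calling stError(), and nothing on the hunk shows that a later check honours it; the enclosing function continues outside the hunk, so that may be the case, but the call should read as a guard rather than a bare statement. The old inline checks also reported every failing field in one pass, whereas the helper returns on the first failure, so a registrant with several bad fields now gets one message per submit. Either make the outcome explicit at this point, e.g. `$ok = stCheckRequestUserData(FALSE);` and test `$ok` together with the bot-check result below, or add a comment such as `// Validation errors are recorded via stError(); only the first failing field is reported.` so the next reader does not mistake the dropped return value for an oversight.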