changeset 207:e31c42a9b574
Slowly work on input validation.
author | Matti Hamalainen <ccr@tnsp.org> |
date | Sun, 17 Nov 2013 19:26:46 +0200 |
parents | 1fa109a0c583 |
children | 8985d2bdb29b |
files | admajax.php msite.inc.php register.inc.php |
diffstat | 3 files changed, 49 insertions(+), 34 deletions(-) [+] |
--- a/admajax.php Sun Nov 17 19:07:08 2013 +0200 +++ b/admajax.php Sun Nov 17 19:26:46 2013 +0200 @@ -217,9 +217,9 @@ { echo "<form method=\"post\" action=\"\" onsubmit=\"return addNews()\">\n". - " ".stGetFormTextInput(40, 40, "", "nntitle", "", "")."<br />\n". + " ".stGetFormTextInput(40, SET_LEN_NEWS_TITLE, "", "nntitle", "", "")."<br />\n". " ".stGetFormTextArea(5, 60, "", "nntext", "", "")."<br />\n". - " ".stGetFormTextInput(20, 20, "", "nnauthor", "", "orgaz")."\n". + " ".stGetFormTextInput(20, SET_LEN_NEWS_AUTHOR, "", "nnauthor", "", "orgaz")."\n". " ".stGetFormSubmitInput("nnadd", "Add post")."\n". " ".stGetFormButtonInput("", "", "", "Clear", "this.form.reset()")."\n". "</form>\n". @@ -251,10 +251,10 @@ " <th>Actions</th>\n". " </tr>\n". " <tr>\n". - " <td>".stGetFormTextInput(20, 64, "name", "x", $prefix, "")."</td>\n". - " <td>".stGetFormTextInput(20, 64, "groups", "x", $prefix, "")."</td>\n". - " <td>".stGetFormTextInput(30, 64, "oneliner", "x", $prefix, "")."</td>\n". - " <td>".stGetFormTextInput(20, 64, "email", "x", $prefix, "")."</td>\n". + " <td>".stGetFormTextInput(20, SET_LEN_USERNAME, "name", "x", $prefix, "")."</td>\n". + " <td>".stGetFormTextInput(20, SET_LEN_GROUPS, "groups", "x", $prefix, "")."</td>\n". + " <td>".stGetFormTextInput(30, SET_LEN_ONELINER, "oneliner", "x", $prefix, "")."</td>\n". + " <td>".stGetFormTextInput(20, SET_LEN_EMAIL, "email", "x", $prefix, "")."</td>\n". " <td>".stGetFormButtonInput("add", "", $prefix, " Add new ", "addAttendee()")."</td>\n". " </tr>\n". "</table>\n". @@ -314,7 +314,7 @@ { echo "<form method=\"post\" action=\"\" onsubmit=\"return addCompo()\">\n". - " ".stGetFormTextInput(64, 64, "", "ncname", "", "")."<br />\n". + " ".stGetFormTextInput(64, SET_LEN_COMPO_NAME, "", "ncname", "", "")."<br />\n". " ".stGetFormTextArea(5, 60, "", "ncdescription", "", "")."<br />\n". " ".stGetFormSubmitInput("nccompo", "Add compo")."\n". " ".stGetFormButtonInput("", "", "", "Clear", "this.form.reset()")."\n". 
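Review bot: The SET_LEN_* values substituted in hunks @@ -217, @@ -251 and @@ -314 only change the second argument of stGetFormTextInput, which looks like the form field's maxlength, and that is a client-side hint a request can ignore. The server-side length checks this commit adds (stCheckRequestUserData in msite.inc.php) cover only the attendee fields, so the news title/author (`nntitle`, `nnauthor`) and compo name (`ncname`) lengths are still enforced only by the browser as far as this diff shows. The handlers that store those fields should run the same CHK_ISLT checks against SET_LEN_NEWS_TITLE, SET_LEN_NEWS_AUTHOR and SET_LEN_COMPO_NAME; if they already do elsewhere, a comment on the form code such as `// maxlength is advisory; lengths are re-checked in the POST handler` would make that clear.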
@@ -328,7 +328,7 @@ echo "<div id=\"compo".$id."\">\n". "<h2>#".$id." - ".chentities($item["name"])."</h2>\n". - stGetFormTextInput(40, 64, "name", $id, $prefix, $item["name"])."\n". + stGetFormTextInput(40, SET_LEN_COMPO_NAME, "name", $id, $prefix, $item["name"])."\n". stGetFormCheckBoxInput("visible", $id, $prefix, $item["visible"], "Visible")."\n". stGetFormCheckBoxInput("showAuthors", $id, $prefix, $item["showAuthors"], "Show authors")."\n". stGetFormCheckBoxInput("voting", $id, $prefix, $item["voting"], "Enable voting")."<br />\n". @@ -403,9 +403,7 @@ stExecSQLCond($sql, "OK, compo added."); } else - if ($type == "attendees" && stChkRequestItem("name") && - stChkRequestItem("groups") && stChkRequestItem("oneliner") && - stChkRequestItem("email")) + if ($type == "attendees" && stCheckRequestUserData(TRUE)) { $sql = stPrepareSQL( "INSERT INTO attendees (regtime,name,groups,oneliner,email) VALUES (%d,%S,%S,%S,%S)", @@ -431,9 +429,7 @@ // // Update existing entry // - if ($type == "attendees" && stChkRequestItem("id") && - stChkRequestItem("name") && stChkRequestItem("groups") && - stChkRequestItem("email") && stChkRequestItem("oneliner")) + if ($type == "attendees" && stCheckRequestUserData(TRUE)) { $sql = stPrepareSQLUpdate("attendees", "WHERE id=".intval(stGetRequestItem("id")),
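Review bot: The update branch in hunk @@ -431 drops the `stChkRequestItem("id")` test that the removed condition carried, so a request without an `id` now passes validation and the UPDATE is built as `WHERE id=0` from `intval(stGetRequestItem("id"))`. Keep the presence check next to the new helper: `if ($type == "attendees" && stChkRequestItem("id") && stCheckRequestUserData(TRUE))`. The body of that if, including the stPrepareSQLUpdate call, continues past the end of the hunk.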
--- a/msite.inc.php Sun Nov 17 19:07:08 2013 +0200
+++ b/msite.inc.php Sun Nov 17 19:26:46 2013 +0200
@@ -244,4 +244,42 @@
 }
+function stCheckRequestUserData($admin)
+{
+ if (!stChkRequestItem("name", $fake,
+ array(CHK_ISGT, VT_STR, 0, "Handle / name not given."),
+ array(CHK_ISLT, VT_STR, SET_LEN_USERNAME, "Handle / name is too long, should be less than ".SET_LEN_USERNAME." characters.")
+ )) return FALSE;
+
+ if (!stChkRequestItem("groups", $fake,
+ array(CHK_ISLT, VT_STR, SET_LEN_GROUPS, "Groups are too long, should be less than ".SET_LEN_GROUPS." characters.")
+ )) return FALSE;
+
+ if (!stChkRequestItem("oneliner", $fake,
+ array(CHK_ISLT, VT_STR, SET_LEN_ONELINER, "Oneliner is too long, should be less than ".SET_LEN_ONELINER." characters.")
+ )) return FALSE;
+
+ $email = stGetRequestItem("email");
+ if (!$admin && stGetSetting("requireEMail") && strlen($email) < 4)
+ {
+ stError("E-mail address not given, or it is too short.");
+ return FALSE;
+ }
+
+ if (strlen($email) > 0 && (strpos($email, "@") === FALSE || strpos($email, ".") === FALSE))
+ {
+ stError("E-mail address not in proper format.");
+ return FALSE;
+ }
+
+ if (strlen($email) > SET_LEN_EMAIL)
+ {
+ stError("E-mail address too long, max ".SET_LEN_EMAIL." characters.");
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+
 ?>
\ No newline at end of file
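Review bot: The e-mail format test in stCheckRequestUserData only asks whether `@` and `.` occur anywhere in the string, so values like `.@` or `a@b.` pass; PHP's built-in validator is stricter and needs no extra code: `if (strlen($email) > 0 && filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE)`. Separately, the function returns on the first failing check, whereas the register.inc.php code it replaces recorded every failure via stError before continuing, so a caller that displays all validation errors at once now shows only the first one. The `$admin` parameter deserves a header comment stating what it relaxes, e.g. `// $admin: TRUE when called from the admin UI; skips the requireEMail check but still validates format and length`. Note also that `$fake` is passed to stChkRequestItem without ever being assigned here, which is the same pattern the removed register code used but worth a comment if it is a by-reference sink.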
--- a/register.inc.php Sun Nov 17 19:07:08 2013 +0200 +++ b/register.inc.php Sun Nov 17 19:26:46 2013 +0200 @@ -157,29 +157,10 @@ // // Check the registrant's details // - stChkRequestItem("name", $fake, - array(CHK_ISGT, VT_STR, 0, "Handle / name not given."), - array(CHK_ISLT, VT_STR, SET_LEN_USERNAME, "Handle / name is too long, should be less than ".SET_LEN_USERNAME." characters.")); - - stChkRequestItem("groups", $fake, - array(CHK_ISLT, VT_STR, SET_LEN_GROUPS, "Groups are too long, should be less than ".SET_LEN_GROUPS." characters.")); - - stChkRequestItem("oneliner", $fake, - array(CHK_ISLT, VT_STR, SET_LEN_ONELINER, "Oneliner is too long, should be less than ".SET_LEN_ONELINER." characters.")); - stChkRequestItem("hash", $hash, array(CHK_GTEQ, VT_STR, 0, "Invalid data.")); - - $email = stGetRequestItem("email"); - if (stGetSetting("requireEMail") && strlen($email) < 4) - stError("E-mail address not given, or it is too short."); - - if (strlen($email) > 0 && (strpos($email, "@") === FALSE || strpos($email, ".") === FALSE)) - stError("E-mail address not in proper format."); - - if (strlen($email) > SET_LEN_EMAIL) - stError("E-mail address too long, max ".SET_LEN_EMAIL." characters."); + stCheckRequestUserData(FALSE); $answer = stGetRequestItem("botcheck"); if (hashToAnswer($hash) != intval($answer))
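Review bot: The result of `stCheckRequestUserData(FALSE);` is discarded, so the registration path depends on stError having recorded the failure in state that code after this hunk inspects; the removed code worked the same way, so this is plausible, but the helper stops at its first failing field and a registrant with several bad fields now sees only one message where the old code reported all of them. If that trade-off is intended, say so at the call site: `// Reports only the first failing field; error state is checked below`. The collapsed rendering makes it hard to tell whether the `stChkRequestItem("hash", $hash, ...)` line is kept on the new side; `$hash` is still consumed by `hashToAnswer($hash)` below, so it must remain. The enclosing function starts and ends outside this hunk.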