Changeset 4495
- Timestamp:
- Dec 15, 2009, 1:33:57 AM (14 years ago)
- Location:
- branches/2.0
- Files:
-
- 6 edited
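--- a/branches/2.0/admin/cat_list.php
+++ b/branches/2.0/admin/cat_list.php
@@ -65,4 +65,6 @@
 // +-----------------------------------------------------------------------+
 
+check_input_parameter('parent_id', @$_GET['parent_id'], false, PATTERN_ID);
+
 $categories = array();
 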
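--- a/branches/2.0/admin/element_set.php
+++ b/branches/2.0/admin/element_set.php
@@ -40,4 +40,6 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('selection', @$_POST['selection'], true, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // | caddie management |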
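--- a/branches/2.0/admin/element_set_global.php
+++ b/branches/2.0/admin/element_set_global.php
@@ -43,4 +43,10 @@
 // | deletion form submission |
 // +-----------------------------------------------------------------------+
+
+// the $_POST['selection'] was already checked in element_set.php
+check_input_parameter('add_tags', @$_POST['add_tags'], true, PATTERN_ID);
+check_input_parameter('del_tags', @$_POST['del_tags'], true, PATTERN_ID);
+check_input_parameter('associate', @$_POST['associate'], false, PATTERN_ID);
+check_input_parameter('dissociate', @$_POST['dissociate'], false, PATTERN_ID);
 
 if (isset($_POST['delete']))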
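--- a/branches/2.0/admin/picture_modify.php
+++ b/branches/2.0/admin/picture_modify.php
@@ -34,4 +34,7 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('image_id', $_GET['image_id'], false, PATTERN_ID);
+check_input_parameter('cat_id', @$_GET['cat_id'], false, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // | synchronize metadata |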
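Review bot: The first added line reads `$_GET['image_id']` without the `@` that every other call site in this changeset uses (`cat_id` on the next line, `parent_id`, `selection`), so a request without `image_id` emits an undefined-index notice before the check even runs; make it `check_input_parameter('image_id', @$_GET['image_id'], false, PATTERN_ID);` or, better, test presence explicitly with `isset()` first. Because `check_input_parameter()` returns early on an empty value, this line still does not reject a missing `image_id`; presumably the page enforces that further down, outside the hunk, which is worth confirming.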
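--- a/branches/2.0/include/constants.php
+++ b/branches/2.0/include/constants.php
@@ -38,4 +38,7 @@
 define('ACCESS_WEBMASTER', 4);
 define('ACCESS_CLOSED', 5);
+
+// Sanity checks
+define('PATTERN_ID', '/^\d+$/');
 
 // Table names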
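Review bot: `PATTERN_ID` anchors with `$`, which in PCRE also matches just before a trailing newline, so a value such as `"12\n"` passes the check although it is not a pure digit string; use `define('PATTERN_ID', '/^\d+$/D');` (or `\z` in place of `$`) so the anchor binds to the very end of the subject. The `// Sanity checks` comment could also say what the constant is for, e.g. `// patterns used by check_input_parameter() to validate request parameters`.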
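--- a/branches/2.0/include/functions.inc.php
+++ b/branches/2.0/include/functions.inc.php
@@ -1493,3 +1493,46 @@
 );
 }
+
+/*
+* breaks the script execution if the given value doesn't match the given
+* pattern. This should happen only during hacking attempts.
+*
+* @param string param_name
+* @param mixed param_value
+* @param boolean is_array
+* @param string pattern
+*
+* @return void
+*/
+function check_input_parameter($param_name, $param_value, $is_array, $pattern)
+{
+// it's ok if the input parameter is null
+if (empty($param_value))
+{
+return true;
+}
+
+if ($is_array)
+{
+if (!is_array($param_value))
+{
+die('[Hacking attempt] the input parameter "'.$param_name.'" should be an array');
+}
+
+foreach ($param_value as $item_to_check)
+{
+if (!preg_match($pattern, $item_to_check))
+{
+die('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');
+}
+}
+}
+else
+{
+if (!preg_match($pattern, $param_value))
+{
+die('[Hacking attempt] the input parameter "'.$param_name.'" is not valid');
+}
+}
+}
 ?>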
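Review bot: The early `if (empty($param_value))` return means this check never rejects an absent or empty parameter, and since `empty()` is also true for the string `'0'`, that value skips the pattern entirely; every caller that requires the parameter must still verify presence itself, and the header comment should say so, e.g. `// an absent, empty or '0' value is accepted as-is: callers must check presence themselves`. The docblock declares `@return void`, yet the function returns `true` on that path and nothing on the others; either drop the `return true;` or document a boolean return and return it consistently. The comment `// it's ok if the input parameter is null` understates what is skipped and could read `// missing, empty and '0' values are not validated here`.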