Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix: add check array in GETPOST

Browse Source 
New: update multiselect with a fork
This commit is contained in:
Regis Houssin
2012-03-24 21:19:22 +08:00
parent 0aa40b0503
commit 30fb26296d
3 changed files with 211 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
htdocs/core/lib/functions.lib.php
View File

@@ -275,7 +275,7 @@ function dol_shutdown()
* Return value of a param into GET or POST supervariable
*
* @param string $paramname Name of parameter to found
* @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's alpha only)
* @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's alpha only, 'array'=check it's array)
* @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get)
* @return string Value found or '' if check fails
*/
@@ -289,17 +289,25 @@ function GETPOST($paramname,$check='',$method=0)
if (! empty($check))
{
$out=trim($out);
// Check if numeric
if ($check == 'int' && ! preg_match('/^[-\.,0-9]+$/i',$out)) $out='';
if ($check == 'int' && ! preg_match('/^[-\.,0-9]+$/i',$out))
{
$out=trim($out);
$out='';
}
// Check if alpha
elseif ($check == 'alpha')
{
$out=trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
if (preg_match('/"/',$out)) $out='';
else if (preg_match('/\.\.\//',$out)) $out='';
}
elseif ($check == 'array')
{
if (! is_array($out) || empty($out)) $out=array();
}
}
return $out;