Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Merge pull request #1808 from KreizIT/GETPost_review

Browse Source 
Add improvement to GETPOST function
This commit is contained in:
Laurent Destailleur
2014-08-13 23:44:58 +02:00
parent 98f140962a 180cc0b200
commit e0a874b5fd
2 changed files with 135 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
htdocs/core/lib/functions.lib.php
View File

@@ -11,7 +11,8 @@
* Copyright (C) 2013 Cédric Salvador <csalvador@gpcsolutions.fr>
* Copyright (C) 2013 Alexandre Spangaro <alexandre.spangaro@gmail.com>
* Copyright (C) 2014 Marcos García <marcosgdf@gmail.com>
*
* Copyright (C) 2014 Cédric GROSS <c.gross@kreiz-it.fr>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
@@ -169,11 +170,13 @@ function dol_shutdown()
* Return value of a param into GET or POST supervariable
*
* @param string $paramname Name of parameter to found
* @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array)
* @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array, 'san_alpha'= Use filter_var with FILTER_SANITIZE_STRING, 'custom'= custom filter specify $filter and $options)
* @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get, 4 = post then get then cookie)
* @param int $filter Filter to apply when $check is set to custom. (See http://php.net/manual/en/filter.filters.php for détails)
* @param mixed $options Options to pass to filter_var when $check is set to custom
* @return string||string[] Value found, or '' if check fails
*/
function GETPOST($paramname,$check='',$method=0)
function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
{
if (empty($method)) $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
@@ -184,28 +187,33 @@ function GETPOST($paramname,$check='',$method=0)
if (! empty($check))
{
// Check if numeric
if ($check == 'int' && ! is_numeric($out)) $out='';
// Check if alpha
elseif ($check == 'alpha')
{
$out=trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
if (preg_match('/"/',$out)) $out='';
else if (preg_match('/\.\.\//',$out)) $out='';
}
elseif ($check == 'aZ')
{
$out=trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
if (preg_match('/[^a-z]+/i',$out)) $out='';
}
elseif ($check == 'array')
{
if (! is_array($out) || empty($out)) $out=array();
}
switch ($check)
{
case 'int':
if (! is_numeric($out)) { $out=''; }
break;
case 'alpha':
$out=trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
// '../' is dangerous because it allows dir transversals
if (preg_match('/"/',$out)) $out='';
else if (preg_match('/\.\.\//',$out)) $out='';
break;
case 'san_alpha':
$out=filter_var($out,FILTER_SANITIZE_STRING);
break;
case 'aZ':
$out=trim($out);
if (preg_match('/[^a-z]+/i',$out)) $out='';
break;
case 'array':
if (! is_array($out) || empty($out)) $out=array();
break;
case 'custom':
if (empty($filter)) return 'BadFourthParameterForGETPOST';
$out=filter_var($out, $filter, $options);
break;
}
}
return $out;