Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Merge pull request #1808 from KreizIT/GETPost_review

Browse Source 
Add improvement to GETPOST function
This commit is contained in:
Laurent Destailleur
2014-08-13 23:44:58 +02:00
parent 98f140962a 180cc0b200
commit e0a874b5fd
2 changed files with 135 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
htdocs/core/lib/functions.lib.php
View File

@@ -11,7 +11,8 @@
* Copyright (C) 2013 Cédric Salvador <csalvador@gpcsolutions.fr> * Copyright (C) 2013 Cédric Salvador <csalvador@gpcsolutions.fr>
* Copyright (C) 2013 Alexandre Spangaro <alexandre.spangaro@gmail.com> * Copyright (C) 2013 Alexandre Spangaro <alexandre.spangaro@gmail.com>
* Copyright (C) 2014 Marcos García <marcosgdf@gmail.com> * Copyright (C) 2014 Marcos García <marcosgdf@gmail.com>
* * Copyright (C) 2014 Cédric GROSS <c.gross@kreiz-it.fr>
*
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or * the Free Software Foundation; either version 3 of the License, or
@@ -169,11 +170,13 @@ function dol_shutdown()
* Return value of a param into GET or POST supervariable * Return value of a param into GET or POST supervariable
* *
* @param string $paramname Name of parameter to found * @param string $paramname Name of parameter to found
* @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array) * @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array, 'san_alpha'= Use filter_var with FILTER_SANITIZE_STRING, 'custom'= custom filter specify $filter and $options)
* @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get, 4 = post then get then cookie) * @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get, 4 = post then get then cookie)
* @param int $filter Filter to apply when $check is set to custom. (See http://php.net/manual/en/filter.filters.php for détails)
* @param mixed $options Options to pass to filter_var when $check is set to custom
* @return string||string[] Value found, or '' if check fails * @return string||string[] Value found, or '' if check fails
*/ */
function GETPOST($paramname,$check='',$method=0) function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
{ {
if (empty($method)) $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:''); if (empty($method)) $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:''; elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
@@ -184,28 +187,33 @@ function GETPOST($paramname,$check='',$method=0)
if (! empty($check)) if (! empty($check))
{ {
// Check if numeric switch ($check)
if ($check == 'int' && ! is_numeric($out)) $out=''; {
// Check if alpha case 'int':
elseif ($check == 'alpha') if (! is_numeric($out)) { $out=''; }
{ break;
$out=trim($out); case 'alpha':
// '"' is dangerous because param in url can close the href= or src= and add javascript functions. $out=trim($out);
// '../' is dangerous because it allows dir transversals // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
if (preg_match('/"/',$out)) $out=''; // '../' is dangerous because it allows dir transversals
else if (preg_match('/\.\.\//',$out)) $out=''; if (preg_match('/"/',$out)) $out='';
} else if (preg_match('/\.\.\//',$out)) $out='';
elseif ($check == 'aZ') break;
{ case 'san_alpha':
$out=trim($out); $out=filter_var($out,FILTER_SANITIZE_STRING);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions. break;
// '../' is dangerous because it allows dir transversals case 'aZ':
if (preg_match('/[^a-z]+/i',$out)) $out=''; $out=trim($out);
} if (preg_match('/[^a-z]+/i',$out)) $out='';
elseif ($check == 'array') break;
{ case 'array':
if (! is_array($out) || empty($out)) $out=array(); if (! is_array($out) || empty($out)) $out=array();
} break;
case 'custom':
if (empty($filter)) return 'BadFourthParameterForGETPOST';
$out=filter_var($out, $filter, $options);
break;
}
} }
return $out; return $out;

204
htdocs/societe/soc.php
View File

@@ -136,64 +136,64 @@ if (empty($reshook))
{ {
$object->particulier = GETPOST("private"); $object->particulier = GETPOST("private");
$object->name = dolGetFirstLastname(GETPOST('firstname'),GETPOST('nom')?GETPOST('nom'):GETPOST('name')); $object->name = dolGetFirstLastname(GETPOST('firstname','san_alpha'),GETPOST('nom','san_alpha')?GETPOST('nom','san_alpha'):GETPOST('name','san_alpha'));
$object->civility_id = GETPOST('civility_id'); $object->civility_id = GETPOST('civility_id', 'int');
// Add non official properties // Add non official properties
$object->name_bis = GETPOST('name')?GETPOST('name'):GETPOST('nom'); $object->name_bis = GETPOST('name','san_alpha')?GETPOST('name','san_alpha'):GETPOST('nom','san_alpha');
$object->firstname = GETPOST('firstname'); $object->firstname = GETPOST('firstname','san_alpha');
} }
else else
{ {
$object->name = GETPOST('name')?GETPOST('name'):GETPOST('nom'); $object->name = GETPOST('name', 'san_alpha')?GETPOST('name', 'san_alpha'):GETPOST('nom', 'san_alpha');
} }
$object->address = GETPOST('address'); $object->address = GETPOST('address', 'san_alpha');
$object->zip = GETPOST('zipcode'); $object->zip = GETPOST('zipcode', 'san_alpha');
$object->town = GETPOST('town'); $object->town = GETPOST('town', 'san_alpha');
$object->country_id = GETPOST('country_id'); $object->country_id = GETPOST('country_id', 'int');
$object->state_id = GETPOST('state_id'); $object->state_id = GETPOST('state_id', 'int');
$object->skype = GETPOST('skype'); $object->skype = GETPOST('skype', 'san_alpha');
$object->phone = GETPOST('phone'); $object->phone = GETPOST('phone', 'san_alpha');
$object->fax = GETPOST('fax'); $object->fax = GETPOST('fax','san_alpha');
$object->email = GETPOST('email'); $object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
$object->url = GETPOST('url'); $object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL);
$object->idprof1 = GETPOST('idprof1'); $object->idprof1 = GETPOST('idprof1', 'san_alpha');
$object->idprof2 = GETPOST('idprof2'); $object->idprof2 = GETPOST('idprof2', 'san_alpha');
$object->idprof3 = GETPOST('idprof3'); $object->idprof3 = GETPOST('idprof3', 'san_alpha');
$object->idprof4 = GETPOST('idprof4'); $object->idprof4 = GETPOST('idprof4', 'san_alpha');
$object->idprof5 = GETPOST('idprof5'); $object->idprof5 = GETPOST('idprof5', 'san_alpha');
$object->idprof6 = GETPOST('idprof6'); $object->idprof6 = GETPOST('idprof6', 'san_alpha');
$object->prefix_comm = GETPOST('prefix_comm'); $object->prefix_comm = GETPOST('prefix_comm', 'san_alpha');
$object->code_client = GETPOST('code_client'); $object->code_client = GETPOST('code_client', 'san_alpha');
$object->code_fournisseur = GETPOST('code_fournisseur'); $object->code_fournisseur = GETPOST('code_fournisseur', 'san_alpha');
$object->capital = GETPOST('capital'); $object->capital = GETPOST('capital', 'san_alpha');
$object->barcode = GETPOST('barcode'); $object->barcode = GETPOST('barcode', 'san_alpha');
$object->tva_intra = GETPOST('tva_intra'); $object->tva_intra = GETPOST('tva_intra', 'san_alpha');
$object->tva_assuj = GETPOST('assujtva_value'); $object->tva_assuj = GETPOST('assujtva_value', 'san_alpha');
$object->status = GETPOST('status'); $object->status = GETPOST('status', 'san_alpha');
// Local Taxes // Local Taxes
$object->localtax1_assuj = GETPOST('localtax1assuj_value'); $object->localtax1_assuj = GETPOST('localtax1assuj_value', 'san_alpha');
$object->localtax2_assuj = GETPOST('localtax2assuj_value'); $object->localtax2_assuj = GETPOST('localtax2assuj_value', 'san_alpha');
$object->localtax1_value = GETPOST('lt1'); $object->localtax1_value = GETPOST('lt1', 'san_alpha');
$object->localtax2_value = GETPOST('lt2'); $object->localtax2_value = GETPOST('lt2', 'san_alpha');
$object->forme_juridique_code = GETPOST('forme_juridique_code'); $object->forme_juridique_code = GETPOST('forme_juridique_code', 'int');
$object->effectif_id = GETPOST('effectif_id'); $object->effectif_id = GETPOST('effectif_id', 'int');
if (GETPOST("private") == 1) if (GETPOST("private") == 1)
{ {
$object->typent_id = dol_getIdFromCode($db,'TE_PRIVATE','c_typent'); $object->typent_id = dol_getIdFromCode($db,'TE_PRIVATE','c_typent');
} }
else else
{ {
$object->typent_id = GETPOST('typent_id'); $object->typent_id = GETPOST('typent_id', 'int');
} }
$object->client = GETPOST('client'); $object->client = GETPOST('client', 'int');
$object->fournisseur = GETPOST('fournisseur'); $object->fournisseur = GETPOST('fournisseur', 'int');
$object->commercial_id = GETPOST('commercial_id'); $object->commercial_id = GETPOST('commercial_id', 'int');
$object->default_lang = GETPOST('default_lang'); $object->default_lang = GETPOST('default_lang');
// Fill array 'array_options' with data from add form // Fill array 'array_options' with data from add form
@@ -645,48 +645,48 @@ else
if (GETPOST("type")=='p') { $object->client=2; } if (GETPOST("type")=='p') { $object->client=2; }
if (! empty($conf->fournisseur->enabled) && (GETPOST("type")=='f' || GETPOST("type")=='')) { $object->fournisseur=1; } if (! empty($conf->fournisseur->enabled) && (GETPOST("type")=='f' || GETPOST("type")=='')) { $object->fournisseur=1; }
$object->name = GETPOST('nom'); $object->name = GETPOST('nom', 'san_alpha');
$object->firstname = GETPOST('firstname'); $object->firstname = GETPOST('firstname', 'san_alpha');
$object->particulier = $private; $object->particulier = $private;
$object->prefix_comm = GETPOST('prefix_comm'); $object->prefix_comm = GETPOST('prefix_comm');
$object->client = GETPOST('client')?GETPOST('client'):$object->client; $object->client = GETPOST('client')?GETPOST('client'):$object->client;
$object->code_client = GETPOST('code_client'); $object->code_client = GETPOST('code_client', 'san_alpha');
$object->fournisseur = GETPOST('fournisseur')?GETPOST('fournisseur'):$object->fournisseur; $object->fournisseur = GETPOST('fournisseur')?GETPOST('fournisseur'):$object->fournisseur;
$object->code_fournisseur = GETPOST('code_fournisseur'); $object->code_fournisseur = GETPOST('code_fournisseur', 'san_alpha');
$object->address = GETPOST('address'); $object->address = GETPOST('address', 'san_alpha');
$object->zip = GETPOST('zipcode'); $object->zip = GETPOST('zipcode', 'san_alpha');
$object->town = GETPOST('town'); $object->town = GETPOST('town', 'san_alpha');
$object->state_id = GETPOST('state_id'); $object->state_id = GETPOST('state_id', 'int');
$object->skype = GETPOST('skype'); $object->skype = GETPOST('skype', 'san_alpha');
$object->phone = GETPOST('phone'); $object->phone = GETPOST('phone', 'san_alpha');
$object->fax = GETPOST('fax'); $object->fax = GETPOST('fax', 'san_alpha');
$object->email = GETPOST('email'); $object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
$object->url = GETPOST('url'); $object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL);
$object->capital = GETPOST('capital'); $object->capital = GETPOST('capital', 'int');
$object->barcode = GETPOST('barcode'); $object->barcode = GETPOST('barcode', 'san_alpha');
$object->idprof1 = GETPOST('idprof1'); $object->idprof1 = GETPOST('idprof1', 'san_alpha');
$object->idprof2 = GETPOST('idprof2'); $object->idprof2 = GETPOST('idprof2', 'san_alpha');
$object->idprof3 = GETPOST('idprof3'); $object->idprof3 = GETPOST('idprof3', 'san_alpha');
$object->idprof4 = GETPOST('idprof4'); $object->idprof4 = GETPOST('idprof4', 'san_alpha');
$object->idprof5 = GETPOST('idprof5'); $object->idprof5 = GETPOST('idprof5', 'san_alpha');
$object->idprof6 = GETPOST('idprof6'); $object->idprof6 = GETPOST('idprof6', 'san_alpha');
$object->typent_id = GETPOST('typent_id'); $object->typent_id = GETPOST('typent_id', 'int');
$object->effectif_id = GETPOST('effectif_id'); $object->effectif_id = GETPOST('effectif_id', 'int');
$object->civility_id = GETPOST('civility_id'); $object->civility_id = GETPOST('civility_id', 'int');
$object->tva_assuj = GETPOST('assujtva_value'); $object->tva_assuj = GETPOST('assujtva_value', 'int');
$object->status = GETPOST('status'); $object->status = GETPOST('status', 'int');
//Local Taxes //Local Taxes
$object->localtax1_assuj = GETPOST('localtax1assuj_value'); $object->localtax1_assuj = GETPOST('localtax1assuj_value', 'int');
$object->localtax2_assuj = GETPOST('localtax2assuj_value'); $object->localtax2_assuj = GETPOST('localtax2assuj_value', 'int');
$object->localtax1_value =GETPOST('lt1'); $object->localtax1_value =GETPOST('lt1', 'int');
$object->localtax2_value =GETPOST('lt2'); $object->localtax2_value =GETPOST('lt2', 'int');
$object->tva_intra = GETPOST('tva_intra'); $object->tva_intra = GETPOST('tva_intra', 'san_alpha');
$object->commercial_id = GETPOST('commercial_id'); $object->commercial_id = GETPOST('commercial_id', 'int');
$object->default_lang = GETPOST('default_lang'); $object->default_lang = GETPOST('default_lang');
$object->logo = (isset($_FILES['photo'])?dol_sanitizeFileName($_FILES['photo']['name']):''); $object->logo = (isset($_FILES['photo'])?dol_sanitizeFileName($_FILES['photo']['name']):'');
@@ -1154,38 +1154,38 @@ else
if (GETPOST('nom')) if (GETPOST('nom'))
{ {
// We overwrite with values if posted // We overwrite with values if posted
$object->name = GETPOST('nom'); $object->name = GETPOST('nom', 'san_alpha');
$object->prefix_comm = GETPOST('prefix_comm'); $object->prefix_comm = GETPOST('prefix_comm', 'san_alpha');
$object->client = GETPOST('client'); $object->client = GETPOST('client', 'int');
$object->code_client = GETPOST('code_client'); $object->code_client = GETPOST('code_client', 'san_alpha');
$object->fournisseur = GETPOST('fournisseur'); $object->fournisseur = GETPOST('fournisseur', 'int');
$object->code_fournisseur = GETPOST('code_fournisseur'); $object->code_fournisseur = GETPOST('code_fournisseur', 'san_alpha');
$object->address = GETPOST('address'); $object->address = GETPOST('address', 'san_alpha');
$object->zip = GETPOST('zipcode'); $object->zip = GETPOST('zipcode', 'san_alpha');
$object->town = GETPOST('town'); $object->town = GETPOST('town', 'san_alpha');
$object->country_id = GETPOST('country_id')?GETPOST('country_id'):$mysoc->country_id; $object->country_id = GETPOST('country_id')?GETPOST('country_id', 'int'):$mysoc->country_id;
$object->state_id = GETPOST('state_id'); $object->state_id = GETPOST('state_id', 'int');
$object->skype = GETPOST('skype'); $object->skype = GETPOST('skype', 'san_alpha');
$object->phone = GETPOST('phone'); $object->phone = GETPOST('phone', 'san_alpha');
$object->fax = GETPOST('fax'); $object->fax = GETPOST('fax', 'san_alpha');
$object->email = GETPOST('email'); $object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL);
$object->url = GETPOST('url'); $object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL);
$object->capital = GETPOST('capital'); $object->capital = GETPOST('capital', 'int');
$object->idprof1 = GETPOST('idprof1'); $object->idprof1 = GETPOST('idprof1', 'san_alpha');
$object->idprof2 = GETPOST('idprof2'); $object->idprof2 = GETPOST('idprof2', 'san_alpha');
$object->idprof3 = GETPOST('idprof3'); $object->idprof3 = GETPOST('idprof3', 'san_alpha');
$object->idprof4 = GETPOST('idprof4'); $object->idprof4 = GETPOST('idprof4', 'san_alpha');
$object->idprof5 = GETPOST('idprof5'); $object->idprof5 = GETPOST('idprof5', 'san_alpha');
$object->idprof6 = GETPOST('idprof6'); $object->idprof6 = GETPOST('idprof6', 'san_alpha');
$object->typent_id = GETPOST('typent_id'); $object->typent_id = GETPOST('typent_id', 'int');
$object->effectif_id = GETPOST('effectif_id'); $object->effectif_id = GETPOST('effectif_id', 'int');
$object->barcode = GETPOST('barcode'); $object->barcode = GETPOST('barcode', 'san_alpha');
$object->forme_juridique_code = GETPOST('forme_juridique_code'); $object->forme_juridique_code = GETPOST('forme_juridique_code', 'int');
$object->default_lang = GETPOST('default_lang'); $object->default_lang = GETPOST('default_lang', 'san_alpha');
$object->tva_assuj = GETPOST('assujtva_value'); $object->tva_assuj = GETPOST('assujtva_value', 'int');
$object->tva_intra = GETPOST('tva_intra'); $object->tva_intra = GETPOST('tva_intra', 'san_alpha');
$object->status = GETPOST('status'); $object->status = GETPOST('status', 'int');
//Local Taxes //Local Taxes
$object->localtax1_assuj = GETPOST('localtax1assuj_value'); $object->localtax1_assuj = GETPOST('localtax1assuj_value');