* $Author:: $ *
* -------------------------------------------------------------------- *
* Copyright (c) 2003 - 2009 by Roland Haeder *
- * Copyright (c) 2009 - 2011 by Mailer Developer Team *
+ * Copyright (c) 2009 - 2016 by Mailer Developer Team *
* For more information visit: http://mxchange.org *
* *
* This program is free software; you can redistribute it and/or modify *
} // END - if
// Some security stuff...
-if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) {
+if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== FALSE) {
die();
} // END - if
* @param $stripTags Strip tags
* @return $str A (hopefully) secured string against XSS and other bad things
*/
-function secureString ($str, $stripTags = true, $encode = false) {
+function secureString ($str, $stripTags = TRUE, $encode = FALSE) {
// Shall we strip HTML code?
- if ($stripTags === true) {
+ if ($stripTags === TRUE) {
$str = strip_tags($str);
} // END - if
$str = trim($str);
// Encode in entities if requested
- if ($encode === true) {
+ if ($encode === TRUE) {
// Encode in entities (this breakes UTF-8!)
$str = htmlentities($str, ENT_QUOTES);
} // END - if
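Review bot: With the defaults `$stripTags = TRUE, $encode = FALSE` on L19, a plain `secureString($str)` call runs only `strip_tags()` and `trim()`, so the docblock's promise at L16 of a string "secured against XSS" holds only when the caller passes `$encode = TRUE`; the return line should say so, e.g. `@return $str Tag-stripped, trimmed input; HTML-entity encoded (safe for HTML text context) only when $encode is TRUE`. The comment at L29 complains that the `htmlentities()` call breaks UTF-8; the cause is the missing charset argument, whose default was ISO-8859-1 before PHP 5.4, so `$str = htmlentities($str, ENT_QUOTES, 'UTF-8');` at L30 removes the breakage and the comment. The function's return statement lies outside the hunk.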
$phpSelfFile = basename($_SERVER['PHP_SELF']);
// Check for a .php inside the $phpSelfDirectory...
- while (strpos($phpSelfDirectory, '.php') !== false) {
+ while (strpos($phpSelfDirectory, '.php') !== FALSE) {
// Correct the dirname
$phpSelfDirectory = substr($phpSelfDirectory, 0, (strpos($phpSelfDirectory, '.php') + 4));
// Rewrite filename...
$_SERVER['PHP_SELF'] = $phpSelfDirectory . '/' . $phpSelfFile;
// Did run...
- $GLOBALS['php_self_secured'] = true;
+ $GLOBALS['php_self_secured'] = TRUE;
// Remove uneccessary variables
unset($phpSelfDirectory);
}
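Review bot: As rendered, the loop body at L37 keeps the `.php` it just searched for (`substr(..., strpos(...) + 4)`), so the condition at L35 is still true on the next pass; unless a statement between L37 and the loop's closing brace is missing from this view (a `dirname()` on the truncated value, for instance), a `PHP_SELF` like `/index.php/x.php` would never leave the loop. No closing brace for the `while` is visible before L38, so I may be reading two hunks as one and the `while` body may end outside this view. Either way, the `$_SERVER['PHP_SELF']` rebuilt at L39 is still derived from request-controlled path info and is not escaped here, so a comment above L39 such as `// PHP_SELF stays request-controlled: escape it at output time` would stop later readers from treating `$GLOBALS['php_self_secured']` as "safe to echo".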
// Runtime/GPC quoting is off now...
-ini_set('magic_quotes_runtime', false);
-ini_set('magic_quotes_gpc', false); // This may not work on some systems
+ini_set('magic_quotes_runtime', FALSE);
+ini_set('magic_quotes_gpc', FALSE); // This may not work on some systems
/*
* No compatibility with Zend Engine 1, else an error like 'Implicit cloning'
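Review bot: The `ini_set('magic_quotes_runtime', FALSE)` and `ini_set('magic_quotes_gpc', FALSE)` calls at L49-L50 have no effect on PHP 5.4 and later, where both directives were removed and `ini_set()` just returns FALSE; `magic_quotes_gpc` was PHP_INI_PERDIR even before that, so the runtime call never applied to it, which is what the "may not work" comment at L50 is hinting at. `ini_set()` of that era also takes the value as a string, so `FALSE` arrives as ''. With the copyright range now reaching 2016, the filtering below must not be assumed to see magic-quotes-free input because of these two lines; a comment makes that explicit: `// Removed in PHP 5.4: ini_set() returns FALSE here, so the filtering below must not rely on it`. This is file-level code with no enclosing function.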
} // END - if
// Check if important arrays are found and define them if missing
-if (!isset($_SERVER)) {
+if ((!isset($_SERVER)) || (!is_array($_SERVER))) {
global $_SERVER;
$_SERVER = $GLOBALS['_SERVER'];
} // END - if
-if (!isset($_GET)) {
+if ((!isset($_GET)) || (!is_array($_GET))) {
global $_GET;
$_GET = $GLOBALS['_GET'];
} // END - if
-if (!isset($_POST)) {
+if ((!isset($_POST)) || (!is_array($_POST))) {
global $_POST;
$_POST = $GLOBALS['_POST'];
} // END - if
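Review bot: The fallback `$_SERVER = $GLOBALS['_SERVER'];` at L58 reads the very superglobal whose absence or non-array value the new test `(!isset($_SERVER)) || (!is_array($_SERVER))` at L56 just established, so when the branch runs it assigns NULL (with a notice) or the same non-array value, and the added `is_array()` guard never produces a usable array; the same applies at L63 and L68. `$_SERVER`, `$_GET` and `$_POST` are superglobals available in every scope, so the `global` declarations at L57, L62 and L67 do nothing either. The fallback that actually lets the filtering loops below iterate safely is an empty array: `$_SERVER = array();`, `$_GET = array();`, `$_POST = array();`.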
// Generate arrays which holds the relevante chars to replace
$GLOBALS['security_chars'] = array(
// The chars we are looking for...
- 'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92)),
+ 'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{%', '%}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92), chr(39), '<', '>'),
// ... and we will replace to.
'to' => array(
'{SLASH}',
'{DOLLAR}',
'{OPEN_ANCHOR}',
'{CLOSE_ANCHOR}',
+ '{OPEN_LANGUAGE}',
+ '{CLOSE_LANGUAGE}',
'{OPEN_TEMPLATE}',
'{CLOSE_TEMPLATE}',
'{OPEN_CONFIG}',
'{CLOSE_INDEX}',
'{DBL_DOT}',
'{COMMENT}',
- '{BACKSLASH}'
+ '{BACKSLASH}',
+ '{SQUOTE}',
+ '{OPEN_TAG}',
+ '{CLOSE_TAG}'
),
);
/*
- * Characters allowed in URLs
+ * Characters allowed in booked URLs
*
* Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be
* rejected because of the {SLASH}, {DOT} and all below listed items inside the URL.
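Review bot: `chr(39)` appears twice in the new 'from' list at L74 (third entry and again just before `'<'`), and `str_replace()` with array arguments applies the pairs in order over the whole string, so by the time the later pair (`'{SQUOTE}'` at L91) is reached no single quote remains and it never fires; keep one pair, otherwise the two lists drift out of alignment. `str_replace()` matches 'from' and 'to' positionally and substitutes the empty string for any 'from' entry without a partner, so both arrays must have exactly the same length and order; the 'to' list as rendered here is shorter than 'from' (no `{DOT}` or `{PERCENT}` entry visible), which may be a display artefact but is worth pinning after L95 with `assert(count($GLOBALS['security_chars']['from']) === count($GLOBALS['security_chars']['to']));` or a unit test. Because the replacements are sequential, multi-character patterns such as `'{%'` must stay ahead of the bare `'%'`, as the commit has them, and the same ordering discipline applies to `'{--'` versus `'--'`.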
if (is_array($_GET)) {
foreach ($_GET as $seckey => $secvalue) {
if (is_array($secvalue)) {
- // Throw arrays away...
+ // Throw arrays away ...
unset($_GET[$seckey]);
} else {
- // Only variables are allowed (non-array) but we secure them all!
+ // Only variables are allowed (non-array) but we secure them all.
$_GET[$seckey] = str_replace($GLOBALS['security_chars']['from'], $GLOBALS['security_chars']['to'], $_GET[$seckey]);
// Strip all other out