From: Roland Häder Date: Fri, 25 Nov 2011 22:17:56 +0000 (+0000) Subject: Some important/minor improvements/fixes: X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=b72f264c4e47f8fac48596b7eeb977a3f5e56e10;p=mailer.git Some important/minor improvements/fixes: - Replace {,} with entities - Introduced isPhpVersionEqualNewer() - Added/improved some comments --- diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php index b1cce1c5b3..b84140ced3 100644 --- a/inc/libs/security_functions.php +++ b/inc/libs/security_functions.php @@ -51,13 +51,15 @@ if (strpos($_SERVER['PHP_SELF'], basename(__FILE__)) !== false) { /** * Function to secure input strings * - * @param $str The unsecured string - * @param $strip Strip tags - * @return $str A (hopefully) secured string against XSS and other bad things + * @param $str The unsecured string + * @param $stripTags Strip tags + * @return $str A (hopefully) secured string against XSS and other bad things */ -function secureString ($str, $strip = true, $encode = false) { +function secureString ($str, $stripTags = true, $encode = false) { // Shall we strip HTML code? - if ($strip === true) $str = strip_tags($str); + if ($stripTags === true) { + $str = strip_tags($str); + } // END - if // Trim string $str = trim($str); @@ -68,6 +70,9 @@ function secureString ($str, $strip = true, $encode = false) { $str = htmlentities($str, ENT_QUOTES); } // END - if + // Replace {,} with entities + $str = str_replace(array('{', '}'), array('{', '}'), $str); + // Return result return $str; } @@ -112,6 +117,16 @@ function securePhpSelf () { unset($phpSelfFile); } +/** + * Checks if PHP_VERSION is newer or equal to given version string + * + * @param $versionString A PHP'ized version string which shall be compared with PHP_VERSION + * @return $isEqualNewer Wether the given version string is equal or newer to PHP_VERSION + */ +function isPhpVersionEqualNewer ($versionString) { + return (version_compare(PHP_VERSION, $versionString, '>=')); +} + /** * Detects caching in PHP * @@ -119,7 +134,7 @@ function securePhpSelf () { */ function detectPhpCaching () { // Activate caching or transparent compressing when it is not already done - if (phpversion() >= '4.0.4pl1' && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { + if ((isPhpVersionEqualNewer('4.0.4pl1')) && (strstr(getenv('HTTP_USER_AGENT'),'compatible') || (strstr(getenv('HTTP_USER_AGENT'), 'Mozilla')))) { if ((extension_loaded('zlib')) && (function_exists('ob_start'))) { // Start caching $GLOBALS['php_caching'] = 'on'; @@ -138,9 +153,11 @@ function detectPhpCaching () { ini_set('magic_quotes_runtime', false); ini_set('magic_quotes_gpc', false); // This may not work on some systems -// No compatibility with Zend Engine 1, else an error like 'Implicit cloning' -// will be produced. -if (phpversion() >= '5.0') { +/* + * No compatibility with Zend Engine 1, else an error like 'Implicit cloning' + * will be produced. + */ +if (isPhpVersionEqualNewer('5.0')) { ini_set('zend.ze1_compatibility_mode', 'Off'); } // END - if @@ -163,7 +180,7 @@ if (!isset($_POST)) { // Generate arrays which holds the relevante chars to replace $GLOBALS['security_chars'] = array( // The chars we are looking for... - 'from' => array('/', '.', "'", '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', "\\"), + 'from' => array('/', '.', chr(39), '$', '(', ')', '{--', '--}', '{?', '?}', '%', ';', '[', ']', ':', '--', chr(92)), // ... and we will replace to. 'to' => array( '{SLASH}', @@ -186,10 +203,12 @@ $GLOBALS['security_chars'] = array( ), ); -// Characters allowed in URLs -// -// Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be -// rejected because of the {SLASH}, {DOT} and all below listed items inside the URL. +/* + * Characters allowed in URLs + * + * Note: Do not replace 'to' with 'from' and vise-versa! When you do this all booked URLs will be + * rejected because of the {SLASH}, {DOT} and all below listed items inside the URL. + */ $GLOBALS['url_chars'] = array( // Search for these secured characters 'to' => array('{SLASH}', '{DOT}', '{PER}', '{DBL_DOT}', '{COMMENT}'),