More EL code, security for $_POST elements rewritten (simplified):
authorRoland Häder <roland@mxchange.org>
Tue, 28 Jun 2011 09:00:38 +0000 (09:00 +0000)
committerRoland Häder <roland@mxchange.org>
Tue, 28 Jun 2011 09:00:38 +0000 (09:00 +0000)
- More usage of EL code
- Removed double secureString() call
- Non-array elements in $_POST are now also secured in
  inc/libs/security_functions.php
- Renamed more array elements for better naming consistency
- TODOs.txt updated

23 files changed:
DOCS/TODOs.txt
inc/libs/security_functions.php
inc/libs/sponsor_functions.php
inc/libs/theme_functions.php
inc/modules/admin.php
inc/modules/admin/what-config_points.php
inc/modules/admin/what-del_sponsor.php
inc/modules/admin/what-edit_sponsor.php
inc/modules/admin/what-lock_sponsor.php
inc/modules/admin/what-user_contct.php
inc/modules/guest/what-sponsor_reg.php
inc/modules/member/what-beg2.php
inc/modules/member/what-holiday.php
inc/modules/member/what-transfer.php
inc/monthly/monthly_beg.php
inc/request-functions.php
inc/session-functions.php
inc/stylesheet.php
templates/de/emails/admin/admin_transfer_points.tpl
templates/de/emails/member/member_beg.tpl
templates/de/emails/member/member_transfer_recipient.tpl
templates/de/emails/member/member_transfer_sender.tpl
templates/de/html/member/member_list_beg_row.tpl

index bb04566..8102d8a 100644 (file)
 ./inc/modules/admin/what-config_admins.php:108:        // @TODO Rewrite this to a filter
 ./inc/modules/admin/what-config_admins.php:136:        // @TODO Rewrite this to filter 'run_sqls'
 ./inc/modules/admin/what-config_mods.php:55:                   // @TODO This can be moved into mysql-function.php, see checkModulePermissions() function
-./inc/modules/admin/what-config_points.php:111:                        // @TODO Rewrite this to a filter
+./inc/modules/admin/what-config_points.php:110:                        // @TODO Rewrite this to a filter
 ./inc/modules/admin/what-config_rallye_prices.php:195:                 // @TODO Rewrite these two constants
 ./inc/modules/admin/what-config_register.php:75:       // @TODO Move this HTML code into a template
 ./inc/modules/admin/what-del_email.php:61:             // @TODO Unused: cat_id, payment_id
 ./inc/modules/guest/what-sponsor_reg.php:287:                  // @TODO Maybe a default referal id?
 ./inc/modules/guest/what-stats.php:100:                // @TODO This can be somehow rewritten
 ./inc/modules/guest/what-stats.php:74:// @TODO This can be rewritten in a dynamic include
-./inc/modules/member/what-beg2.php:87:         // @TODO points->beg_points
 ./inc/modules/member/what-beg.php:54:// @TODO Can't this be moved into EL?
 ./inc/modules/member/what-beg.php:63:// @TODO No more needed? define('__BEG_UID_TIMEOUT', createFancyTime(getBegUseridTimeout()));
 ./inc/modules/member/what-bonus.php:55:        // @TODO Rewrite this to a filter
 ./inc/modules/member/what-refback.php:124:                     // @TODO UNUSED: $refRow['status']      = translateUserStatus($refRow['status']);
 ./inc/modules/member/what-reflinks.php:52:// @TODO Move this into a filter
 ./inc/modules/member/what-transfer.php:134:                            // @TODO Rewrite this to a filter
-./inc/modules/member/what-transfer.php:224:                            // @TODO Try to rewrite his to $content = SQL_FETCHARRAY(), see some lines above for two different queries
+./inc/modules/member/what-transfer.php:223:                            // @TODO Try to rewrite his to $content = SQL_FETCHARRAY(), see some lines above for two different queries
 ./inc/modules/member/what-transfer.php:96:                     // @TODO Rewrite this to a filter
 ./inc/modules/member/what-unconfirmed.php:142: // @TODO Try to rewrite this to $content = SQL_FETCHARRAY()
 ./inc/modules/member/what-unconfirmed.php:207:                         // @TODO This 'userid' cannot be saved because of encapsulated EL code
index 2b41ab9..df3d568 100644 (file)
@@ -212,6 +212,18 @@ if (is_array($_GET)) {
        } // END - foreach
 } // END - if
 
+// Secure also $_POST data (only simple, no replace)
+if (is_array($_POST)) {
+       // Secure only simple data
+       foreach ($_POST as $seckey => $secvalue) {
+               // Is it an array?
+               if (!is_array($secvalue)) {
+                       // Strip all other out
+                       $_POST[$seckey] = secureString($_POST[$seckey]);
+               } // END - if
+       } // END - foreach
+} // END - if
+
 // Detect PHP caching
 detectPhpCaching();
 
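Review bot: The new loop skips every array-valued `$_POST` entry (the `!is_array($secvalue)` branch has no counterpart), so values read through `postRequestParameter($element, $subElement)` — e.g. `postRequestParameter('percents', $id)` in what-config_points.php — are not covered by this pass, while the call-site `secureString()` wrappers removed in sponsor_functions.php, admin.php, what-del_sponsor.php, what-edit_sponsor.php, what-lock_sponsor.php, what-sponsor_reg.php, what-holiday.php and what-transfer.php now rely on it. Whether the pass reaches those readers at all also depends on `$GLOBALS['raw_request']['post']` being filled after this block runs — the request-functions.php hunk reads from that copy, not from `$_POST`, and its population is outside this hunk, so worth confirming. If leaving array elements raw is intentional, say so here, e.g. `// NOTE: array-valued elements are left untouched; readers using a sub-element must secure the value themselves`; if not, apply `secureString()` to each scalar leaf recursively instead of only the top level. Minor: `$_POST[$seckey] = secureString($secvalue);` avoids re-indexing the array inside the loop.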
index 6135e91..814a19b 100644 (file)
@@ -574,11 +574,11 @@ function doProcessSponsorFormRequest ($messageArray = array()) {
                                // Prepare data for the email template
                                $content['id']        = $id;
                                $content['hash']      = $hash;
-                               $content['email']     = secureString(postRequestParameter('email'));
-                               $content['surname']   = secureString(postRequestParameter('surname'));
-                               $content['family']    = secureString(postRequestParameter('family'));
+                               $content['email']     = postRequestParameter('email');
+                               $content['surname']   = postRequestParameter('surname');
+                               $content['family']    = postRequestParameter('family');
                                $content['timestamp'] = generateDateTime(time(), 0);
-                               $content['password']  = secureString(postRequestParameter('pass1'));
+                               $content['password']  = postRequestParameter('pass1');
 
                                // Generate email and send it to the new sponsor
                                $message = loadEmailTemplate('sponsor_confirm', $content, $id);
index 976d45a..58d1fec 100644 (file)
@@ -248,9 +248,9 @@ function getActualTheme () {
                if ((isGetRequestParameterSet('theme')) && (isIncludeReadable($theme))) {
                        // Set cookie from URL data
                        setTheme(getRequestParameter('theme'));
-               } elseif (isIncludeReadable(sprintf("theme/%s/theme.php", secureString(postRequestParameter('theme'))))) {
+               } elseif (isIncludeReadable(sprintf("theme/%s/theme.php", postRequestParameter('theme')))) {
                        // Set cookie from posted data
-                       setTheme(secureString(postRequestParameter('theme')));
+                       setTheme(postRequestParameter('theme'));
                }
 
                // Set return value
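Review bot: `postRequestParameter('theme')` is now interpolated straight into the include path `theme/%s/theme.php` and handed to `setTheme()`; `isIncludeReadable()` only checks that the resulting file is readable, so whatever characters the removed `secureString()` used to strip now reach the filesystem check unchanged, and the same value is written into the stylesheet URL in inc/stylesheet.php (`'?theme=' . $newTheme`). A theme name is an identifier, not free text, so validate it against the installed theme list or a strict pattern before building the path, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $theme)) { ... }`, rather than relying on the global `$_POST` pass for path safety. getActualTheme() begins before this hunk.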
index 5728884..f0c295e 100644 (file)
@@ -194,8 +194,8 @@ if (!isAdminRegistered()) {
                if ($valid === true) {
                        // Prepare content first
                        $content = array(
-                               'hash'  => secureString(postRequestParameter('hash')),
-                               'login' => secureString(postRequestParameter('login'))
+                               'hash'  => postRequestParameter('hash'),
+                               'login' => postRequestParameter('login')
                        );
 
                        // Validation okay so display form for final password change
index 3ef4897..a9cab39 100644 (file)
@@ -77,10 +77,9 @@ if (isFormSent()) {
                        break;
 
                case 'ref':
-                       switch (getRequestParameter('do'))
-                       {
+                       switch (getRequestParameter('do')) {
                                case 'add':
-                                       addSql("INSERT INTO `{?_MYSQL_PREFIX?}_refdepths` (`level`, `percents`) VALUES ('".postRequestParameter('level')."','".postRequestParameter('percents')."')");
+                                       addSql("INSERT INTO `{?_MYSQL_PREFIX?}_refdepths` (`level`, `percents`) VALUES ('".bigintval(postRequestParameter('level'))."','".bigintval(postRequestParameter('percents'))."')");
                                        break;
 
                                case 'edit': // Change entries
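Review bot: `bigintval(postRequestParameter('percents'))` in the new INSERT does not match the 'edit' branch, which stores the same column via `convertCommaToDot(postRequestParameter('percents', $id))` at L141; if bigintval casts to an integer as its name suggests, a fractional percentage entered on the add form is truncated while the same value survives on edit. Use the same conversion here, escaped since it is concatenated into the statement: `addSql("INSERT INTO ... VALUES ('".bigintval(postRequestParameter('level'))."','".SQL_ESCAPE(convertCommaToDot(postRequestParameter('percents')))."')");`, or, if addSql() accepts the placeholder form used by SQL_QUERY_ESC at L140, prefer that. The enclosing `switch` on the form action starts before this hunk.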
@@ -94,7 +93,7 @@ if (isFormSent()) {
                                                // Update entry
                                                SQL_QUERY_ESC("UPDATE `{?_MYSQL_PREFIX?}_refdepths` SET `level`=%s, `percents`=%s WHERE `id`=%s LIMIT 1",
                                                        array(bigintval($value), convertCommaToDot(postRequestParameter('percents', $id)), $id), __FILE__, __LINE__);
-                                       }
+                                       } // END - foreach
                                        $message = '{--ADMIN_REFERAL_DEPTHS_SAVED--}';
                                        break;
 
@@ -102,10 +101,10 @@ if (isFormSent()) {
                                        foreach (postRequestParameter('id') as $id => $value) {
                                                SQL_QUERY_ESC("DELETE LOW_PRIORITY FROM `{?_MYSQL_PREFIX?}_refdepths` WHERE `id`=%s LIMIT 1",
                                                array(bigintval($id)), __FILE__, __LINE__);
-                                       }
+                                       } // END - foreach
                                        $message = '{--ADMIN_REFERAL_DEPTHS_DELETED--}';
                                        break;
-                       }
+                       } // END - switch
 
                        // Update cache file
                        // @TODO Rewrite this to a filter
index 2552156..14035c9 100644 (file)
@@ -54,7 +54,7 @@ if (isGetRequestParameterSet('id')) {
                        $content = SQL_FETCHARRAY($result);
 
                        // Prepare data for the template
-                       $content['reason']  = secureString(postRequestParameter('reason'));
+                       $content['reason']  = postRequestParameter('reason');
 
                        // Prepare message and send it away
                        $message = loadEmailTemplate('del_sponsor', $content, bigintval(getRequestParameter('id')));
index 27b3978..d22020f 100644 (file)
@@ -83,7 +83,7 @@ LIMIT 1",
 
                                                // Remember points /reason for the template
                                                $content['points'] = $points;
-                                               $content['reason'] = secureString(postRequestParameter('reason'));
+                                               $content['reason'] = postRequestParameter('reason');
 
                                                // Send email
                                                $message = loadEmailTemplate('sponsor_add_points', $content);
@@ -106,7 +106,7 @@ LIMIT 1",
 
                                                // Remember points /reason for the template
                                                $content['points'] = $points;
-                                               $content['reason'] = secureString(postRequestParameter('reason'));
+                                               $content['reason'] = postRequestParameter('reason');
 
                                                // Send email
                                                $message = loadEmailTemplate('sponsor_sub_points', $content);
index 00b2e25..ed5d9ea 100644 (file)
@@ -55,7 +55,7 @@ if (isGetRequestParameterSet('id')) {
                if (($content['status'] == 'CONFIRMED') || ($content['status'] == 'LOCKED')) {
                        // Transfer data to constants
                        $content['id']     = bigintval(getRequestParameter('id'));
-                       $content['reason'] = secureString(postRequestParameter('reason'));
+                       $content['reason'] = postRequestParameter('reason');
 
                        if (isFormSent()) {
                                // Create messages
index ac51462..36c68ab 100644 (file)
@@ -56,7 +56,7 @@ if ((isGetRequestParameterSet('userid')) && (bigintval(getRequestParameter('user
                // Shall we send the email?
                if (isFormSent()) {
                        // Insert text
-                       $content['text'] = trim(secureString(postRequestParameter('text')));
+                       $content['text'] = postRequestParameter('text');
 
                        // Load email template
                        $message = loadEmailTemplate('member_contct', $content, getRequestParameter('userid'));
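Review bot: Besides dropping `secureString()`, the new line also drops the `trim()` that wrapped it, so leading and trailing whitespace in the contact text now reaches the email template unchanged, while the commit message only claims removal of the double secureString() call. If trimming is still wanted: `$content['text'] = trim(postRequestParameter('text'));`. The `if (isFormSent())` block sits inside a condition that begins before this hunk.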
index 3d0a935..9dd8629 100644 (file)
@@ -260,7 +260,7 @@ ORDER BY
                if (count($formErrors) > 0) {
                        // Some found... :-(
                        foreach (array('company','position','tax_ident','surname','family','street_nr1','street_nr2','country','zip','city','phone','fax','cell','email','url') as $entry) {
-                               $content[$entry]    = secureString(postRequestParameter($entry));
+                               $content[$entry]    = postRequestParameter($entry);
                        } // END - foreach
 
                        // Init receive selection
index 25b5bdc..30ff574 100644 (file)
@@ -84,13 +84,8 @@ if (!SQL_HASZERONUMS($result)) {
        $count = 1;
        while ($content = SQL_FETCHARRAY($result)) {
                // Prepare data for the template
-               // @TODO points->beg_points
-               $content = array(
-                       'cnt'         => $count,
-                       'userid'      => $content['userid'],
-                       'points'      => $content['beg_points'],
-                       'last_online' => generateDateTime($content['last_online'], 2),
-               );
+               $content['cnt']         = $count;
+               $content['last_online'] = generateDateTime($content['last_online'], 2);
 
                // Load row template
                $OUT .= loadTemplate('member_list_beg_row', true, $content);
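Review bot: The row template now receives the full `SQL_FETCHARRAY()` row instead of the four whitelisted keys (`cnt`, `userid`, `points`, `last_online`), so every column of the SELECT — which is outside this hunk — becomes reachable from member_list_beg_row.tpl. That is fine as long as the query selects only what the listing should show; if it pulls e.g. `email` the way the monthly_beg query at L273–L274 does, that data is handed to a template rendered for other members. A comment such as `// $content is the raw row; keep the SELECT list limited to what the row template may show` would make the contract explicit.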
@@ -99,7 +94,7 @@ if (!SQL_HASZERONUMS($result)) {
                $count++;
        } // END - while
 } else {
-       // No one is interested in our "active rallye" ! :-(
+       // No one is interested in our "begging rallye" ! :-(
        $OUT = loadTemplate('member_beg_404', true);
 }
 
index 10c76ee..46baf1c 100644 (file)
@@ -139,7 +139,7 @@ LIMIT 1",
                $content['end_day']     = bigintval(postRequestParameter('end_day'));
                $content['end_month']   = $GLOBALS['month_descr'][postRequestParameter('end_month')];
                $content['end_year']    = bigintval(postRequestParameter('end_year'));
-               $content['comments']    = secureString(postRequestParameter('comments'));
+               $content['comments']    = postRequestParameter('comments');
 
                // Send mail to member
                $message = loadEmailTemplate('member_holiday_request', $content, getMemberId());
index e9e78c9..cf6fec7 100644 (file)
@@ -142,9 +142,8 @@ switch ($mode) {
                                        } // END - if
                                } // END - if
 
-                               // Remember transfer reason and fancy date/time in constants
-                               $content['reason']  = secureString(postRequestParameter('reason'));
-                               $content['expires'] = '{%config,createFancyTime=transfer_age%}';
+                               // Remember transfer reason
+                               $content['reason']  = postRequestParameter('reason');
 
                                // Generate tranafer id
                                $content['trans_id'] = bigintval(generateRandomCode('10', mt_rand(0, 99999), getMemberId(), postRequestParameter('reason')));
index 232bee7..c1effc0 100644 (file)
@@ -71,7 +71,7 @@ if ((getBegRanks() > 0) && (!isCssOutputMode())) {
 
        // SQL string to check for accounts
        $result_main = SQL_QUERY("SELECT
-       `userid`, `email`, `gender`, `surname`, `family`, `beg_points` AS `points`
+       `userid`, `email`, `gender`, `surname`, `family`, `beg_points`
 FROM
        `{?_MYSQL_PREFIX?}_user_data`
 WHERE
@@ -86,7 +86,7 @@ LIMIT {?beg_ranks?}", __FILE__, __LINE__);
                // Load our winners...
                while ($content = SQL_FETCHARRAY($result_main)) {
                        // Add points to user's account directly
-                       addPointsDirectly('monthly_beg', $content['userid'], $content['points']);
+                       addPointsDirectly('monthly_beg', $content['userid'], $content['beg_points']);
 
                        // Load email template and email it away
                        $message = loadEmailTemplate('member_beg', $content, bigintval($content['userid']));
index ee70e61..799d4e3 100644 (file)
@@ -52,15 +52,15 @@ function getRequestParameter ($element) {
        $value = null;
 
        // Is the element cached or there?
-       if (isset($GLOBALS['cache_request']['request_get'][$element])) {
+       if (isset($GLOBALS['cache_request']['get'][$element])) {
                // Then use the cache
-               $value = $GLOBALS['cache_request']['request_get'][$element];
+               $value = $GLOBALS['cache_request']['get'][$element];
        } elseif (isGetRequestParameterSet($element)) {
                // Then get it directly
                $value = SQL_ESCAPE($GLOBALS['raw_request']['get'][$element]);
 
                // Store it in cache
-               $GLOBALS['cache_request']['request_get'][$element] = $value;
+               $GLOBALS['cache_request']['get'][$element] = $value;
        } // END - if
 
        // Return value
@@ -113,7 +113,7 @@ function setGetRequestParameter ($element, $value) {
        $GLOBALS['raw_request']['get'][$element] = $value;
 
        // Update cache
-       $GLOBALS['cache_request']['request_get'][$element] = $value;
+       $GLOBALS['cache_request']['get'][$element] = $value;
 }
 
 // Wrapper for elements in $_POST
@@ -122,9 +122,9 @@ function postRequestParameter ($element, $subElement=null) {
        $value = null;
 
        // Is the element in cache?
-       if (isset($GLOBALS['cache_request']['request_post'][$element][$subElement])) {
+       if (isset($GLOBALS['cache_request']['post'][$element][$subElement])) {
                // Then use it
-               $value = $GLOBALS['cache_request']['request_post'][$element][$subElement];
+               $value = $GLOBALS['cache_request']['post'][$element][$subElement];
        } elseif (isPostRequestParameterSet($element)) {
                // Then use it
                $value = $GLOBALS['raw_request']['post'][$element];
@@ -139,7 +139,7 @@ function postRequestParameter ($element, $subElement=null) {
                }
 
                // Set it in cache
-               $GLOBALS['cache_request']['request_post'][$element][$subElement] = $value;
+               $GLOBALS['cache_request']['post'][$element][$subElement] = $value;
        } // END - if
 
        // Return value
@@ -218,7 +218,7 @@ function setPostRequestParameter ($element, $value) {
        }
 
        // Update cache
-       $GLOBALS['cache_request']['request_post'][$element][null] = $value;
+       $GLOBALS['cache_request']['post'][$element][null] = $value;
 }
 
 // Checks wether a form was sent. If so, the $_POST['ok'] element must be set
index 7bfb18c..f71f3e0 100644 (file)
@@ -46,7 +46,8 @@ function setSession ($var, $value) {
        if (isCssOutputMode()) return true;
 
        // Trim value and session variable
-       $var = trim(secureString($var)); $value = trim($value);
+       $var   = trim(secureString($var));
+       $value = trim($value);
 
        // Is the session variable set?
        if (('' . $value . '' == '') && (isSessionVariableSet($var))) {
index 7cd2a38..81ee2dc 100644 (file)
@@ -109,8 +109,11 @@ if ((isCssOutputMode()) || (getConfig('css_php') == 'DIRECT')) {
        if ((isInstallationPhase())) {
                // Default theme first
                $newTheme = 'default';
-               if (isGetRequestParameterSet('theme'))  $newTheme = getRequestParameter('theme');
-               if (isPostRequestParameterSet('theme')) $newTheme = secureString(postRequestParameter('theme'));
+               if (isPostRequestParameterSet('theme')) {
+                       $newTheme = postRequestParameter('theme');
+               } elseif (isGetRequestParameterSet('theme')) {
+                       $newTheme = getRequestParameter('theme');
+               }
                $OUT .= '?theme=' . $newTheme . '&amp;installing=1';
        } else {
                // Add SVN revision to bypass caching problems
index 0529f02..eba85cf 100644 (file)
@@ -24,7 +24,7 @@ Verwendungszweck: $content[reason]
 Transaktionsnummer: $content[trans_id]
 ------------------------------
 
-Diese beiden Mitglieder k&ouml;nnen sich die &Uuml;berweisung noch $content[expires] in ihrem Mitgliedsbereich ansehen. Danach wird der Eintrag bei installierter autopurge-Erweiterung automatisch entfernt.
+Diese beiden Mitglieder k&ouml;nnen sich die &Uuml;berweisung noch {%config,createFancyTime=transfer_age%} in ihrem Mitgliedsbereich ansehen. Danach wird der Eintrag bei installierter autopurge-Erweiterung automatisch entfernt.
 
 Mit freundlichen Gr&uuml;&szlig;en,
   Ihr {?MAIN_TITLE?} Script
index a66b7c9..5c8442d 100644 (file)
@@ -1,6 +1,6 @@
 Hallo {%user,gender,translateGender=$userid%} {%user,surname=$userid%} {%user,family=$userid%},
 
-Bei der monatlichen Bettel-Rallye haben Sie soeben Ihre {%pipe,translateComma=$content[points]%} {?POINTS?} gewonnen!
+Bei der monatlichen Bettel-Rallye haben Sie soeben Ihre {%pipe,translateComma=$content[beg_points]%} {?POINTS?} gewonnen!
 
 Herzlichen Gl&uuml;ckwunsch!
 
index e2cddb8..eaf2f9a 100644 (file)
@@ -15,7 +15,7 @@ Verwendungszweck: $content[reason]
 Transaktionsnummer: $content[trans_id]
 ------------------------------
 
-Sie k&ouml;nnen diese Transaktion $content[expires] noch im Mitgliedsbereich unter "{?POINTS?}-Transfer" nachvollziehen.
+Sie k&ouml;nnen diese Transaktion {%config,createFancyTime=transfer_age%} noch im Mitgliedsbereich unter "{?POINTS?}-Transfer" nachvollziehen.
 
 Mit freundlichen Gr&uuml;&szlig;en,
   Ihr {?MAIN_TITLE?} Team
index a0a8b0f..b12569c 100644 (file)
@@ -15,7 +15,7 @@ Verwendungszweck: $content[reason]
 Transaktionsnummer: $content[trans_id]
 ------------------------------
 
-Sie k&ouml;nnen diese Transaktion $content[expires] noch im Mitgliedsbereich unter "{?POINTS?}-Transfer" nachvollziehen.
+Sie k&ouml;nnen diese Transaktion {%config,createFancyTime=transfer_age%} noch im Mitgliedsbereich unter "{?POINTS?}-Transfer" nachvollziehen.
 
 Mit freundlichen Gr&uuml;&szlig;en,
   Ihr {?MAIN_TITLE?} Team
index 6812612..6075586 100644 (file)
@@ -1,6 +1,6 @@
 <tr>
        <td align="center" class="{%template,ColorSwitch%} bottom">$content[cnt]</td>
        <td align="center" class="{%template,ColorSwitch%} bottom">$content[userid]</td>
-       <td align="center" class="{%template,ColorSwitch%} bottom">{%pipe,translateComma=$content[points]%}</td>
+       <td align="center" class="{%template,ColorSwitch%} bottom">{%pipe,translateComma=$content[beg_points]%}</td>
        <td align="center" class="{%template,ColorSwitch%} bottom">$content[last_online]</td>
 </tr>