From d9f27676785cf39facff076a9f020dd8302592e0 Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Sat, 22 Jan 2005 21:52:53 +0000 Subject: [PATCH] Added input sanitize functions. The new system works by merging $_GET and $_POST, running them through a unicode-safe htmlspecialchars() and storing it in _isso::input. Then this can be accessed; and proper data manipulation (intval(), floatval(), _isso::escape) can be run on it. _isso::escape uses a variety of escape functions from none (Magic Quotes on), to mysql_real_escape_string() (have a valid DB connection), to just addslashes() (neither of the previous two). --- functions.php | 26 +---------- kernel.php | 117 +++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 116 insertions(+), 27 deletions(-) diff --git a/functions.php b/functions.php index 2532f4d..75b2dc5 100644 --- a/functions.php +++ b/functions.php @@ -69,31 +69,7 @@ class Functions setcookie($name, $value, $expire, $this->cookiepath, $this->cookiedom); } } - - /** - * Simple way to protect against HTML attacks with Unicode support - * - * @param str Unsanitzed text - * - * @return str Properly protected text that only encodes potential threats - */ - function sanitize($text) - { - return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text); - } - - /** - * Takes text that has been processed for HTML and unsanitizes it - * - * @param str Text that needs to be turned back into HTML - * - * @return str Unsanitized text - */ - function unsanitize($text) - { - return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text); - } - + /** * Alternate between two background colours * diff --git a/kernel.php b/kernel.php index 84a1cee..fb3a0b7 100644 --- a/kernel.php +++ b/kernel.php @@ -40,6 +40,8 @@ class Shared_Object_Framework * @var debug Variable for debug mode * @var debuginfo Listing of all debug notices * @var modules An array of loaded framework modules + * @var input All input data for the system + * @var magicquotes Status of Magic Quotes GPC */ var $version = '[#]version[#]'; var $sourcepath = ''; @@ -48,13 +50,24 @@ class Shared_Object_Framework var $debug = false; var $debuginfo = array(); var $modules = array(); + var $input = array(); + var $magicquotes = 0; /** * Constructor */ function Shared_Object_Framework() { + // error reporting set_error_handler(array(&$this, '_error_handler')); + + // magic quotes + $this->magicquotes = get_magic_quotes_gpc(); + set_magic_quotes_runtime(0); + + // start input sanitize using variable_order GP + $this->input = $this->_sanitize_input_recursive(array_merge($_GET, $_POST)); + $this->modules['kernel'] = 'Shared Object Framework Core'; } @@ -102,8 +115,21 @@ class Shared_Object_Framework */ function locate($framework) { - require_once($this->sourcepath . $framework . '.php'); - return array('CLASS' => $CLASS, 'OBJECT' => $OBJECT, 'OBJ' => $OBJ); + if ($this->sourcepath == '') + { + trigger_error('Invalid sourcepath specified', ERR_FATAL); + } + + if (file_exists($this->sourcepath . $framework . '.php')) + { + require_once($this->sourcepath . $framework . '.php'); + return array('CLASS' => $CLASS, 'OBJECT' => $OBJECT, 'OBJ' => $OBJ); + } + else + { + trigger_error('Could not find the framework ' . $this->sourcepath . $framework . '.php', ERR_FATAL); + exit; + } } /** @@ -229,6 +255,11 @@ class Shared_Object_Framework $errstr .= " in $errfile on line $errline"; $this->_message($title, $errstr, 3); + + if ($errno == ERR_FATAL) + { + exit; + } } /** @@ -243,6 +274,88 @@ class Shared_Object_Framework $this->debuginfo[] = $message; } } + + /** + * Recursive XSS cleaner + * + * @param mixed Unsanitized REQUEST data + * + * @return mixed Sanitized data + */ + function _sanitize_input_recursive($data) + { + foreach($data AS $key => $value) + { + if (is_array($value)) + { + $data["$key"] = $this->_sanitize_input_recursive($value); + } + else + { + $data["$key"] = $this->sanitize($value); + } + } + return $data; + } + + /** + * Simple way to protect against HTML attacks with Unicode support + * + * @param str Unsanitzed text + * + * @return str Properly protected text that only encodes potential threats + */ + function sanitize($text) + { + return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text); + } + + /** + * Takes text that has been processed for HTML and unsanitizes it + * + * @param str Text that needs to be turned back into HTML + * + * @return str Unsanitized text + */ + function unsanitize($text) + { + return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text); + } + + /** + * Smart addslashes() that only applies itself it the Magic Quotes GPC is off + * + * @param str Some string + * + * @return str String that has slashes added + */ + function escape($str) + { + global $_isso; + + if ($this->magicquotes) + { + return $str; + } + else + { + if (isset($_isso->db)) + { + if (is_resource($_isso->db->link_id)) + { + return $_isso->db->escape_string($str); + } + else + { + return addslashes($str); + } + } + else + { + return addslashes($str); + } + } + } } /** -- 2.43.5