From d9f27676785cf39facff076a9f020dd8302592e0 Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Sat, 22 Jan 2005 21:52:53 +0000
Subject: [PATCH] Added input sanitize functions.

The new system works by merging $_GET and $_POST, running them through a unicode-safe htmlspecialchars() and storing it in _isso::input. Then this can be accessed; and proper data manipulation (intval(), floatval(), _isso::escape) can be run on it. _isso::escape uses a variety of escape functions from none (Magic Quotes on), to mysql_real_escape_string() (have a valid DB connection), to just addslashes() (neither of the previous two).
---
 functions.php | 26 +-----------
 kernel.php | 117 +++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 116 insertions(+), 27 deletions(-)

diff --git a/functions.php b/functions.php
index 2532f4d..75b2dc5 100644
--- a/functions.php
+++ b/functions.php
@@ -69,31 +69,7 @@ class Functions
 setcookie($name, $value, $expire, $this->cookiepath, $this->cookiedom);
 }
 }
-
- /**
- * Simple way to protect against HTML attacks with Unicode support
- *
- * @param str Unsanitzed text
- *
- * @return str Properly protected text that only encodes potential threats
- */
- function sanitize($text)
- {
- return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text);
- }
-
- /**
- * Takes text that has been processed for HTML and unsanitizes it
- *
- * @param str Text that needs to be turned back into HTML
- *
- * @return str Unsanitized text
- */
- function unsanitize($text)
- {
- return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text);
- }
-
+
 /**
 * Alternate between two background colours
 *
diff --git a/kernel.php b/kernel.php
index 84a1cee..fb3a0b7 100644
--- a/kernel.php
+++ b/kernel.php
@@ -40,6 +40,8 @@ class Shared_Object_Framework
 * @var debug Variable for debug mode
 * @var debuginfo Listing of all debug notices
 * @var modules An array of loaded framework modules
+ * @var input All input data for the system
+ * @var magicquotes Status of Magic Quotes GPC
 */
 var $version = '[#]version[#]';
 var $sourcepath = '';
@@ -48,13 +50,24 @@ class Shared_Object_Framework
 var $debug = false;
 var $debuginfo = array();
 var $modules = array();
+ var $input = array();
+ var $magicquotes = 0;
 /**
 * Constructor
 */
 function Shared_Object_Framework()
 {
+ // error reporting
 set_error_handler(array(&$this, '_error_handler'));
+
+ // magic quotes
+ $this->magicquotes = get_magic_quotes_gpc();
+ set_magic_quotes_runtime(0);
+
+ // start input sanitize using variable_order GP
+ $this->input = $this->_sanitize_input_recursive(array_merge($_GET, $_POST));
+
 $this->modules['kernel'] = 'Shared Object Framework Core';
 }
@@ -102,8 +115,21 @@ class Shared_Object_Framework
 */
 function locate($framework)
 {
- require_once($this->sourcepath . $framework . '.php');
- return array('CLASS' => $CLASS, 'OBJECT' => $OBJECT, 'OBJ' => $OBJ);
+ if ($this->sourcepath == '')
+ {
+ trigger_error('Invalid sourcepath specified', ERR_FATAL);
+ }
+
+ if (file_exists($this->sourcepath . $framework . '.php'))
+ {
+ require_once($this->sourcepath . $framework . '.php');
+ return array('CLASS' => $CLASS, 'OBJECT' => $OBJECT, 'OBJ' => $OBJ);
+ }
+ else
+ {
+ trigger_error('Could not find the framework ' . $this->sourcepath . $framework . '.php', ERR_FATAL);
+ exit;
+ }
 }
 /**
@@ -229,6 +255,11 @@ class Shared_Object_Framework
 $errstr .= " in $errfile on line $errline";
 $this->_message($title, $errstr, 3);
+
+ if ($errno == ERR_FATAL)
+ {
+ exit;
+ }
 }
 /**
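Review bot: In the constructor, `array_merge($_GET, $_POST)` renumbers integer keys, so a parameter with a numeric name is stored under a different key than it was sent with, and the merge leaves `$_GET` and `$_POST` themselves untouched, so any code that still reads the superglobals directly bypasses the cleaning entirely. `$this->input = $this->_sanitize_input_recursive($_POST + $_GET);` keeps POST precedence (the GP order the comment names) while preserving keys. A comment on `$input` stating that it is the only sanitized copy and that the raw superglobals must not be read elsewhere would make that contract visible. In the third hunk, `locate()` builds an include path by concatenating `$framework`; its callers are outside this diff, but if that name can ever originate from request data it should be restricted to a plain identifier pattern before it reaches `file_exists()`/`require_once()`.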
@@ -243,6 +274,88 @@ class Shared_Object_Framework
 $this->debuginfo[] = $message;
 }
 }
+
+ /**
+ * Recursive XSS cleaner
+ *
+ * @param mixed Unsanitized REQUEST data
+ *
+ * @return mixed Sanitized data
+ */
+ function _sanitize_input_recursive($data)
+ {
+ foreach($data AS $key => $value)
+ {
+ if (is_array($value))
+ {
+ $data["$key"] = $this->_sanitize_input_recursive($value);
+ }
+ else
+ {
+ $data["$key"] = $this->sanitize($value);
+ }
+ }
+ return $data;
+ }
+
+ /**
+ * Simple way to protect against HTML attacks with Unicode support
+ *
+ * @param str Unsanitzed text
+ *
+ * @return str Properly protected text that only encodes potential threats
+ */
+ function sanitize($text)
+ {
+ return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text);
+ }
+
+ /**
+ * Takes text that has been processed for HTML and unsanitizes it
+ *
+ * @param str Text that needs to be turned back into HTML
+ *
+ * @return str Unsanitized text
+ */
+ function unsanitize($text)
+ {
+ return str_replace(array('<', '>', '"'), array('<', '>', '"'), $text);
+ }
+
+ /**
+ * Smart addslashes() that only applies itself it the Magic Quotes GPC is off
+ *
+ * @param str Some string
+ *
+ * @return str String that has slashes added
+ */
+ function escape($str)
+ {
+ global $_isso;
+
+ if ($this->magicquotes)
+ {
+ return $str;
+ }
+ else
+ {
+ if (isset($_isso->db))
+ {
+ if (is_resource($_isso->db->link_id))
+ {
+ return $_isso->db->escape_string($str);
+ }
+ else
+ {
+ return addslashes($str);
+ }
+ }
+ else
+ {
+ return addslashes($str);
+ }
+ }
+ }
 }
 /**
-- 
2.22.5
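Review bot: `sanitize()` encodes only `<`, `>` and `"` and leaves `'` and `&` alone, so a value placed in a single-quoted attribute is still injectable and input that already contains entity text is altered by the `unsanitize()` round trip; the commit message promises a unicode-safe `htmlspecialchars()` but the body is a three-character `str_replace` (as rendered here the replacement array even reads identical to the search array, presumably an entity-decoding artifact of the page). `return htmlspecialchars($text, ENT_QUOTES);` covers both quote styles and the ampersand, with `unsanitize()` decoding the same set. Separately, `escape()` returns `$str` untouched whenever `$this->magicquotes` is set, which is only correct for strings that arrived through GPC; a value read from the database or a file and passed through `escape()` reaches the query unescaped under that setting, and the `addslashes()` fallback is not charset-aware. A comment on `escape()` such as `// only GPC-sourced strings are pre-escaped by magic quotes; values from any other source must not take this shortcut` would make that limit visible. The enclosing class starts outside the hunk.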