bug 1329 fixed: add a check_input_parameter function to prevent hacking

attempts.

git-svn-id: http://piwigo.org/svn/branches/2.0@4495 68402e56-0260-453c-a942-63ccdbb3a9ee

2 files changed, 46 insertions, 0 deletions

diff --git a/include/constants.php b/include/constants.php
index 99a4816e7..2c828702a 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -38,6 +38,9 @@ define('ACCESS_ADMINISTRATOR', 3);
 define('ACCESS_WEBMASTER', 4);
 define('ACCESS_CLOSED', 5);
 
+// Sanity checks
+define('PATTERN_ID', '/^\d+$/');
+
 // Table names
 if (!defined('CATEGORIES_TABLE'))
   define('CATEGORIES_TABLE', $prefixeTable.'categories');
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 273d63776..dbcaf6a97 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1492,4 +1492,47 @@ function get_comment_post_key($image_id)
       )
     );
 }
+
+/*
+ * breaks the script execution if the given value doesn't match the given
+ * pattern. This should happen only during hacking attempts.
+ *
+ * @param string param_name
+ * @param mixed param_value
+ * @param boolean is_array
+ * @param string pattern
+ *
+ * @return void
+ */
+function check_input_parameter($param_name, $param_value, $is_array, $pattern)
+{
+  // it's ok if the input parameter is null
+  if (empty($param_value))
+  {
+    return true;
+  }
+  
+  if ($is_array)
+  {
+    if (!is_array($param_value))
+    {
+      die('[Hacking attempt] the input parameter "'.$param_name.'" should be an array');
+    }
+
+    foreach ($param_value as $item_to_check)
+    {
+      if (!preg_match($pattern, $item_to_check))
+      {
+        die('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');
+      }
+    }
+  }
+  else
+  {
+    if (!preg_match($pattern, $param_value))
+    {
+      die('[Hacking attempt] the input parameter "'.$param_name.'" is not valid');
+    }
+  }
+}
 ?>
\ No newline at end of file