diff options
author | plegall <plg@piwigo.org> | 2009-12-15 00:33:57 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2009-12-15 00:33:57 +0000 |
commit | 742e2a7c0ac86e9bcce2fa6eef65214e869cd19c (patch) | |
tree | 39ece70263b1fb2ef881352f11e1f4a38b94afd7 /include | |
parent | 8bbbe6c7943296a81df1c232ca7de0329295477f (diff) |
bug 1329 fixed: add a check_input_parameter function to prevent hacking
attempts.
git-svn-id: http://piwigo.org/svn/branches/2.0@4495 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include')
-rw-r--r-- | include/constants.php | 3 | ||||
-rw-r--r-- | include/functions.inc.php | 43 |
2 files changed, 46 insertions, 0 deletions
diff --git a/include/constants.php b/include/constants.php index 99a4816e7..2c828702a 100644 --- a/include/constants.php +++ b/include/constants.php @@ -38,6 +38,9 @@ define('ACCESS_ADMINISTRATOR', 3); define('ACCESS_WEBMASTER', 4); define('ACCESS_CLOSED', 5); +// Sanity checks +define('PATTERN_ID', '/^\d+$/'); + // Table names if (!defined('CATEGORIES_TABLE')) define('CATEGORIES_TABLE', $prefixeTable.'categories'); diff --git a/include/functions.inc.php b/include/functions.inc.php index 273d63776..dbcaf6a97 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -1492,4 +1492,47 @@ function get_comment_post_key($image_id) ) ); } + +/* + * breaks the script execution if the given value doesn't match the given + * pattern. This should happen only during hacking attempts. + * + * @param string param_name + * @param mixed param_value + * @param boolean is_array + * @param string pattern + * + * @return void + */ +function check_input_parameter($param_name, $param_value, $is_array, $pattern) +{ + // it's ok if the input parameter is null + if (empty($param_value)) + { + return true; + } + + if ($is_array) + { + if (!is_array($param_value)) + { + die('[Hacking attempt] the input parameter "'.$param_name.'" should be an array'); + } + + foreach ($param_value as $item_to_check) + { + if (!preg_match($pattern, $item_to_check)) + { + die('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"'); + } + } + } + else + { + if (!preg_match($pattern, $param_value)) + { + die('[Hacking attempt] the input parameter "'.$param_name.'" is not valid'); + } + } +} ?>
\ No newline at end of file |