From: Scott P. <wht...@us...> - 2007-09-11 15:51:34
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv27518 Modified Files: find.php Log Message: More elegant way of sanitizing inputs and assinging GET/POST/REQUEST variables. Index: find.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/find.php,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -d -r1.14 -r1.15 *** find.php 8 Sep 2007 05:27:03 -0000 1.14 --- find.php 11 Sep 2007 15:51:30 -0000 1.15 *************** *** 56,121 **** require 'system/calendar.inc'; // Language selection set_text_domain("find"); foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); } foreach($_GET as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); } // Retrieve Get/Post variables ! ! ## There are a lot of variables here to protect! ! if (!get_magic_quotes_gpc()) { ! ## Need to do it this way because some the $_REQUEST arrays are an array of arrays do to the building of the ! ## of the multiple box's ! $act = addslashes(htmlentities(strip_tags($_REQUEST['act']), ENT_QUOTES)); ! $id = addslashes(htmlentities(strip_tags($_REQUEST['id']), ENT_QUOTES)); ! $orderby = addslashes(htmlentities(strip_tags($_GET['orderby']), ENT_QUOTES)); ! $orderdir = addslashes(htmlentities(strip_tags($_GET['orderdir']), ENT_QUOTES)); ! $page = addslashes(htmlentities(strip_tags($_GET['page']), ENT_QUOTES)); ! $freetextscope = addslashes(htmlentities(strip_tags($_REQUEST['freetextscope']), ENT_QUOTES)); ! $freetext = addslashes(htmlentities(strip_tags($_REQUEST['freetext']), ENT_QUOTES)); ! $site = $_REQUEST['site']; ! $reportedby = $_REQUEST['reportedby']; ! $priority = $_REQUEST['priority']; ! $level = $_REQUEST['level']; ! 
$status = $_REQUEST['status']; ! $category = $_REQUEST['category']; ! $detail = $_REQUEST['detail']; ! $datefrom = addslashes(htmlentities(strip_tags($_REQUEST['datefrom']), ENT_QUOTES)); ! $dateto = addslashes(htmlentities(strip_tags($_REQUEST['dateto']), ENT_QUOTES)); ! $assignedto = $_REQUEST['assignedto']; ! $createdby = $_REQUEST['createdby']; ! $reset = addslashes(htmlentities(strip_tags($_REQUEST['reset']), ENT_QUOTES)); } ! else { ! $act = htmlentities(strip_tags($_REQUEST['act']), ENT_QUOTES); ! $id = htmlentities(strip_tags($_REQUEST['id']), ENT_QUOTES); ! $orderby = htmlentities(strip_tags($_GET['orderby']), ENT_QUOTES); ! $orderdir = htmlentities(strip_tags($_GET['orderdir']), ENT_QUOTES); ! $page = htmlentities(strip_tags($_GET['page']), ENT_QUOTES); ! $freetextscope = htmlentities(strip_tags($_REQUEST['freetextscope']), ENT_QUOTES); ! $freetext = htmlentities(strip_tags($_REQUEST['freetext']), ENT_QUOTES); ! $site = $_REQUEST['site']; ! $reportedby = $_REQUEST['reportedby']; ! $priority = $_REQUEST['priority']; ! $level = $_REQUEST['level']; ! $status = $_REQUEST['status']; ! $category = $_REQUEST['category']; ! $detail = $_REQUEST['detail']; ! $datefrom = htmlentities(strip_tags($_REQUEST['datefrom']), ENT_QUOTES); ! $dateto = htmlentities(strip_tags($_REQUEST['dateto']), ENT_QUOTES); ! $assignedto = $_REQUEST['assignedto']; ! $createdby = $_REQUEST['createdby']; ! $reset = $_REQUEST['reset']; } if ($reset == 'yes') { // Reset remembered sql restrictions --- 56,170 ---- require 'system/calendar.inc'; + global $reset, $act, $orderby, $site, $reportedby, $createdby, $assignedto, + $level, $priority, $status, $category, $detail, $page; // Language selection set_text_domain("find"); + ## There are a lot of variables here to protect! foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! 
foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } } foreach($_GET as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); + if(is_array($_GET[$key])) { + foreach ($_GET[$key] as $key2 => $val2) { + if (get_magic_quotes_gpc()) { + $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); + } + else { + $_GET[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); + } + } + } + else { + if (get_magic_quotes_gpc()) { + $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); + } + else { + $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); + } + } + } + foreach($_REQUEST as $key => $val) { + // scrubbing the field NAME... + if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); + if(is_array($_REQUEST[$key])) { + foreach ($_REQUEST[$key] as $key2 => $val2) { + if (get_magic_quotes_gpc()) { + $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); + } + else { + $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); + } + } + } + else { + if (get_magic_quotes_gpc()) { + $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); + } + else { + $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); + } + } } // Retrieve Get/Post variables ! $requestarg = Array( ! 'act', ! 'id', ! 'freetextscope', ! 'freetext', ! 'site', ! 'reportedby', ! 'priority', ! 'level', ! 'status', ! 'category', ! 'detail', ! 'datefrom', ! 
'dateto', ! 'assignedto', ! 'createdby', ! 'reset' ! ); ! $getarg = Array( ! 'orderby', ! 'orderdir', ! 'page' ! ); ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! } } ! ! foreach ($getarg as $get) { ! if (isset($_GET[$get])) { ! $$get = $_GET[$get]; ! } } + if ($reset == 'yes') { // Reset remembered sql restrictions |
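Review bot: The nested-array branch of each of the three scrubbing loops (`$_POST`, `$_GET`, `$_REQUEST`) writes to `$_POST[$key2][$val2]` instead of `$_POST[$key][$key2]`, so the values inside a multi-select array are never replaced and a stray entry keyed by the value is created instead; the same loops also invert the pre-1.15 magic-quotes logic, calling `addslashes()` when `get_magic_quotes_gpc()` is true and skipping it when it is false, which double-escapes on one configuration and leaves quotes unescaped on the other. Since the old block applied `addslashes()` precisely when magic quotes were off, the condition should be `if (!get_magic_quotes_gpc())` and the index `[$key][$key2]`. The three copies can collapse into one recursive helper so the fix cannot drift between them, as sketched below. If these values are interpolated into SQL (the `Reset remembered sql restrictions` context line suggests so), the database driver's own escaping or bound parameters would be the appropriate guard rather than `addslashes()`, but the queries are outside this hunk. The file-scope `global` statement added at the top of the hunk is a no-op outside a function and can be dropped.
```php
// Sanitize one value, or every leaf of a nested array, and return the result.
// addslashes() is applied only when magic_quotes_gpc is OFF (as in revision
// 1.14); applying it when magic quotes are ON would double-escape.
function scrub_value($val) {
    if (is_array($val)) {
        foreach ($val as $k => $v) {
            $val[$k] = scrub_value($v);
        }
        return $val;
    }
    $clean = htmlentities(strip_tags($val), ENT_QUOTES);
    return get_magic_quotes_gpc() ? $clean : addslashes($clean);
}

foreach($_POST as $key => $val) {
    // scrubbing the field NAME...
    if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.');
    $_POST[$key] = scrub_value($val);
}
// … unchanged: same one-line body for the $_GET and $_REQUEST loops …
```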