Update of /cvsroot/fink/web/pdb
In directory sc8-pr-cvs5.sourceforge.net:/tmp/cvs-serv7194

Modified Files:
      Tag: redesign_pdb
        browse.php header.inc package.php 
Log Message:
Use new get_safe_param method from header.inc to get url parameters safely


Index: package.php
===================================================================
RCS file: /cvsroot/fink/web/pdb/package.php,v
retrieving revision 1.43.2.13
retrieving revision 1.43.2.14
diff -u -d -r1.43.2.13 -r1.43.2.14
--- package.php 1 Feb 2007 19:28:45 -0000       1.43.2.13
+++ package.php 4 Feb 2007 00:09:35 -0000       1.43.2.14
@@ -18,28 +18,10 @@
 <?
 } else { /* if (no package) */
 
-// Read the version and release field. We use basic HTML encoding for now, and 
-// cut off very long values, to make unforseen SQL injection hacks more 
difficult.
-//
-// TODO:
-// This code should be streamlined in a global method (e.g. in header.inc) and
-// also be used in browse.php etc.
-$version = $_GET['version'];
-if (strlen($version) > 35 || !preg_match("/^[0-9\-.:]+$/", $version)) {
-       $version = '';
-} else {
-       $version = htmlspecialchars($version);
-       if (strlen($version) > 35 || !preg_match("/^[0-9\-.:]+$/", $version))
-               $version = '';
-}
-$release = $_GET['release'];
-if (strlen($release) > 35 || !preg_match("/^[a-z0-9\-.]+$/", $release)) {
-       $release = '';
-} else {
-       $release = htmlspecialchars($release);
-       if (strlen($release) > 35 || !preg_match("/^[a-z0-9\-.]+$/", $release))
-               $release = '';
-}
+
+// Get url parameters
+$version = get_safe_param('version', '/^[0-9\-.:]+$/');
+$release = get_safe_param('release', '/^[a-z0-9\-.]+$/');
 
 // Get package data to display (use for version-nonspecific pkg metadata)
 $qtodisplay = "SELECT * FROM package WHERE name='$package' ";
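Review bot: The checks on the new lines 48–49 are only as strong as the patterns, and PCRE's `$` also matches before a trailing newline, so a value ending in a newline passes `/^[0-9\-.:]+$/` and reaches the SQL strings below with that newline in it; anchor with `\z` or add the `D` modifier, e.g. `$version = get_safe_param('version', '/^[0-9\-.:]+\z/');` and `$release = get_safe_param('release', '/^[a-z0-9\-.]+\z/');`. The query on the last context line still interpolates `$package`, whose source is outside this hunk; it is worth confirming that it goes through the same whitelist check or through mysql_real_escape_string. The enclosing else-branch begins before the hunk.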

Index: header.inc
===================================================================
RCS file: /cvsroot/fink/web/pdb/header.inc,v
retrieving revision 1.10
retrieving revision 1.10.2.1
diff -u -d -r1.10 -r1.10.2.1
--- header.inc  28 Jun 2006 16:40:00 -0000      1.10
+++ header.inc  4 Feb 2007 00:09:35 -0000       1.10.2.1
@@ -58,4 +58,21 @@
 include $fsroot."db.inc.php";
 $dbh = mysql_pconnect($db_host, $db_user, $db_passwd);
 mysql_select_db($db_name, $dbh);
+
+
+// Read url parameters. We use basic HTML encoding for now, and 
+// cut off very long values, to make unforseen SQL injection hacks more 
difficult.
+function get_safe_param($param_name, $valid_regexp='.*', $max_length=35) {
+  $param_name = $_GET[$param_name];
+  if (strlen($param_name) > $max_length || !preg_match($valid_regexp, 
$param_name)) {
+    $param_name = '';
+  } else {
+    $param_name = htmlspecialchars($param_name);
+    if (strlen($param_name) > $max_length || !preg_match($valid_regexp, 
$param_name))
+      $param_name = '';
+  }
+  return $param_name;
+}
+ 
+
 ?>
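Review bot: The default `$valid_regexp='.*'` is not a delimited PCRE pattern (`.` is taken as the delimiter and no closing one follows), so `preg_match` emits a warning and returns false, and any caller relying on the default gets `''` back; use a delimited default such as `$valid_regexp='/^.*$/'`, and since `$` tolerates a trailing newline, prefer `\z` or the `D` modifier in the patterns callers pass. Reading `$_GET[$param_name]` for a parameter that was not sent raises an undefined-index notice; `$value = isset($_GET[$param_name]) ? $_GET[$param_name] : '';` avoids that and also stops reusing the parameter-name variable to hold its value. The comment above the function should state that the regex whitelist is what keeps the value safe for the SQL interpolation in the callers, because `htmlspecialchars` only encodes for HTML output and a permissive pattern gives no SQL protection at all.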

Index: browse.php
===================================================================
RCS file: /cvsroot/fink/web/pdb/browse.php,v
retrieving revision 1.1.2.1
retrieving revision 1.1.2.2
diff -u -d -r1.1.2.1 -r1.1.2.2
--- browse.php  27 Jan 2007 04:03:23 -0000      1.1.2.1
+++ browse.php  4 Feb 2007 00:09:35 -0000       1.1.2.2
@@ -74,27 +74,9 @@
        }
 }
 
-// Read the maintainer field. We use basic HTML encoding for now, and cut off
-// very long values, to make unforseen SQL injection hacks more difficult.
-$maintainer = $_GET['maintainer'];
-if (strlen($maintainer) > 15 || !preg_match("/[EMAIL PROTECTED] ]+$/", 
$maintainer)) {
-       $maintainer = "";
-} else {
-       $maintainer = htmlspecialchars($maintainer);
-       if (strlen($maintainer) > 15 || !preg_match("/^[a-zA-Z0-9@ ]+$/", 
$maintainer))
-               $maintainer = "";
-}
-
-// Read the name field. We use basic HTML encoding for now, and cut off
-// very long values, to make unforseen SQL injection hacks more difficult.
-$name = $_GET['name'];
-if (strlen($name) > 15 || !preg_match("/[EMAIL PROTECTED] ]+$/", $name)) {
-       $name = "";
-} else {
-       $name = htmlspecialchars($name);
-       if (strlen($name) > 15 || !preg_match("/^[a-zA-Z0-9@ ]+$/", $name))
-               $name = "";
-}
+// Read url parameters
+$maintainer = get_safe_param('maintainer', '/[EMAIL PROTECTED] ]+$/');
+$name = get_safe_param('name', '/^[a-z0-9+\-.]+$/');
 
 // Extract the distribution
 // TODO
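Review bot: The replacement silently changes the accepted inputs: the removed code capped both fields at 15 characters, while the new calls on lines 124–125 fall back to get_safe_param's default of 35, and `$name` now accepts `a-z0-9+\-.` where it previously accepted `a-zA-Z0-9@ `, so mixed-case names that used to pass are now emptied; if the narrower set is intended, say so in the comment, and pass the old length explicitly, e.g. `$maintainer = get_safe_param('maintainer', '/^[a-zA-Z0-9@ ]+$/', 15);`. As rendered here the maintainer pattern has no `^` anchor; this looks like an archive artifact (the removed line 108 shows `/^[a-zA-Z0-9@ ]+$/`), but an unanchored pattern would accept any prefix, so the committed file is worth checking. This also assumes browse.php includes header.inc before this point, which is outside the hunk.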


