From cfe35f32e8ffd717ce678ac21ca9b5bc932b7578 Mon Sep 17 00:00:00 2001 From: KreizIT Date: Wed, 6 Aug 2014 15:59:36 +0200 Subject: [PATCH] - Add improvement to GETPOST function - Review thirdparty cards for illustration of new GETPOST functionality --- htdocs/core/lib/functions.lib.php | 56 ++++---- htdocs/societe/soc.php | 208 +++++++++++++++--------------- 2 files changed, 135 insertions(+), 129 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 7097bd2abae63..841b1d6c6d5b5 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -11,7 +11,8 @@ * Copyright (C) 2013 Cédric Salvador * Copyright (C) 2013 Alexandre Spangaro * Copyright (C) 2014 Marcos García - * + * Copyright (C) 2014 Cédric GROSS + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or 
@@ -169,11 +170,11 @@ function dol_shutdown() * Return value of a param into GET or POST supervariable * * @param string $paramname Name of parameter to found - * @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array) + * @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array, 'san_alpha'= Use filter_var with FILTER_SANITIZE_STRING, 'custom'= custom filter specify $filter and $options) * @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get, 4 = post then get then cookie) * @return string||string[] Value found, or '' if check fails */ -function GETPOST($paramname,$check='',$method=0) +function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL) { if (empty($method)) $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:''); elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:''; 
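Review bot: The new `$filter` and `$options` parameters on `GETPOST` have no `@param` entries, so the docblock no longer describes the signature beneath it; the only hint is the clause appended to the `$check` description. I would add, after the `$method` line, `@param int $filter Filter to apply when $check is 'custom' (a FILTER_* constant handed to filter_var)` and `@param mixed $options Options/flags handed to filter_var when $check is 'custom'`. The `@return` line should also say that a 'custom' check called without a filter returns a fixed error string rather than '', since that is what the function body does. The body of `GETPOST` continues beyond this hunk.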
@@ -184,28 +185,33 @@ function GETPOST($paramname,$check='',$method=0) if (! empty($check)) { - // Check if numeric - if ($check == 'int' && ! is_numeric($out)) $out=''; - // Check if alpha - elseif ($check == 'alpha') - { - $out=trim($out); - // '"' is dangerous because param in url can close the href= or src= and add javascript functions. - // '../' is dangerous because it allows dir transversals - if (preg_match('/"/',$out)) $out=''; - else if (preg_match('/\.\.\//',$out)) $out=''; - } - elseif ($check == 'aZ') - { - $out=trim($out); - // '"' is dangerous because param in url can close the href= or src= and add javascript functions. - // '../' is dangerous because it allows dir transversals - if (preg_match('/[^a-z]+/i',$out)) $out=''; - } - elseif ($check == 'array') - { - if (! is_array($out) || empty($out)) $out=array(); - } + switch ($check) + { + case 'int': + if (! is_numeric($out)) { $out=''; } + break; + case 'alpha': + $out=trim($out); + // '"' is dangerous because param in url can close the href= or src= and add javascript functions. + // '../' is dangerous because it allows dir transversals + if (preg_match('/"/',$out)) $out=''; + else if (preg_match('/\.\.\//',$out)) $out=''; + break; + case 'san_alpha': + $out=filter_var($out,FILTER_SANITIZE_STRING); + break; + case 'aZ': + $out=trim($out); + if (preg_match('/[^a-z]+/i',$out)) $out=''; + break; + case 'array': + if (! is_array($out) || empty($out)) $out=array(); + break; + case 'custom': + if (empty($filter)) return 'BadFourthParameterForGETPOST'; + $out=filter_var($out, $filter, $options); + break; + } } return $out; diff --git a/htdocs/societe/soc.php b/htdocs/societe/soc.php index cc4a6018d7328..f752b149bd44b 100644 --- a/htdocs/societe/soc.php +++ b/htdocs/societe/soc.php 
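Review bot: The `custom` case returns the literal `'BadFourthParameterForGETPOST'` when `$filter` is empty, and `filter_var()` returns `false` when a filter rejects its input, so on both failure paths a caller doing `$object->x = GETPOST(...)` stores a sentinel string or `false` instead of the `''` the docblock promises for a failed check. I would make these paths behave like the other cases: `if (empty($filter)) return '';` and, after the `filter_var` call in both the `custom` and `san_alpha` cases, `if ($out === false) $out = '';`. Note also that `san_alpha` is a sanitizer, not a validator: `FILTER_SANITIZE_STRING` strips tags and HTML-encodes quotes but does not reject `../` the way `alpha` does, so it is not a drop-in replacement where traversal was the concern. The encoded quotes will also be stored as entities unless the output escaping elsewhere accounts for that.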
@@ -136,64 +136,64 @@ { $object->particulier = GETPOST("private"); - $object->name = dolGetFirstLastname(GETPOST('firstname'),GETPOST('nom')?GETPOST('nom'):GETPOST('name')); - $object->civility_id = GETPOST('civility_id'); + $object->name = dolGetFirstLastname(GETPOST('firstname','san_alpha'),GETPOST('nom','san_alpha')?GETPOST('nom','san_alpha'):GETPOST('name','san_alpha')); + $object->civility_id = GETPOST('civility_id', 'int'); // Add non official properties - $object->name_bis = GETPOST('name')?GETPOST('name'):GETPOST('nom'); - $object->firstname = GETPOST('firstname'); + $object->name_bis = GETPOST('name','san_alpha')?GETPOST('name','san_alpha'):GETPOST('nom','san_alpha'); + $object->firstname = GETPOST('firstname','san_alpha'); } else { - $object->name = GETPOST('name')?GETPOST('name'):GETPOST('nom'); + $object->name = GETPOST('name', 'san_alpha')?GETPOST('name', 'san_alpha'):GETPOST('nom', 'san_alpha'); } - $object->address = GETPOST('address'); - $object->zip = GETPOST('zipcode'); - $object->town = GETPOST('town'); - $object->country_id = GETPOST('country_id'); - $object->state_id = GETPOST('state_id'); - $object->skype = GETPOST('skype'); - $object->phone = GETPOST('phone'); - $object->fax = GETPOST('fax'); - $object->email = GETPOST('email'); - $object->url = GETPOST('url'); - $object->idprof1 = GETPOST('idprof1'); - $object->idprof2 = GETPOST('idprof2'); - $object->idprof3 = GETPOST('idprof3'); - $object->idprof4 = GETPOST('idprof4'); - $object->idprof5 = GETPOST('idprof5'); - $object->idprof6 = GETPOST('idprof6'); - $object->prefix_comm = GETPOST('prefix_comm'); - $object->code_client = GETPOST('code_client'); - $object->code_fournisseur = GETPOST('code_fournisseur'); - $object->capital = GETPOST('capital'); - $object->barcode = GETPOST('barcode'); - - $object->tva_intra = GETPOST('tva_intra'); - $object->tva_assuj = GETPOST('assujtva_value'); - $object->status = GETPOST('status'); + $object->address = GETPOST('address', 'san_alpha'); + $object->zip = 
GETPOST('zipcode', 'san_alpha'); + $object->town = GETPOST('town', 'san_alpha'); + $object->country_id = GETPOST('country_id', 'int'); + $object->state_id = GETPOST('state_id', 'int'); + $object->skype = GETPOST('skype', 'san_alpha'); + $object->phone = GETPOST('phone', 'san_alpha'); + $object->fax = GETPOST('fax','san_alpha'); + $object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL); + $object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL); + $object->idprof1 = GETPOST('idprof1', 'san_alpha'); + $object->idprof2 = GETPOST('idprof2', 'san_alpha'); + $object->idprof3 = GETPOST('idprof3', 'san_alpha'); + $object->idprof4 = GETPOST('idprof4', 'san_alpha'); + $object->idprof5 = GETPOST('idprof5', 'san_alpha'); + $object->idprof6 = GETPOST('idprof6', 'san_alpha'); + $object->prefix_comm = GETPOST('prefix_comm', 'san_alpha'); + $object->code_client = GETPOST('code_client', 'san_alpha'); + $object->code_fournisseur = GETPOST('code_fournisseur', 'san_alpha'); + $object->capital = GETPOST('capital', 'san_alpha'); + $object->barcode = GETPOST('barcode', 'san_alpha'); + + $object->tva_intra = GETPOST('tva_intra', 'san_alpha'); + $object->tva_assuj = GETPOST('assujtva_value', 'san_alpha'); + $object->status = GETPOST('status', 'san_alpha'); // Local Taxes - $object->localtax1_assuj = GETPOST('localtax1assuj_value'); - $object->localtax2_assuj = GETPOST('localtax2assuj_value'); + $object->localtax1_assuj = GETPOST('localtax1assuj_value', 'san_alpha'); + $object->localtax2_assuj = GETPOST('localtax2assuj_value', 'san_alpha'); - $object->localtax1_value = GETPOST('lt1'); - $object->localtax2_value = GETPOST('lt2'); + $object->localtax1_value = GETPOST('lt1', 'san_alpha'); + $object->localtax2_value = GETPOST('lt2', 'san_alpha'); - $object->forme_juridique_code = GETPOST('forme_juridique_code'); - $object->effectif_id = GETPOST('effectif_id'); + $object->forme_juridique_code = GETPOST('forme_juridique_code', 'int'); + $object->effectif_id = 
GETPOST('effectif_id', 'int'); if (GETPOST("private") == 1) { $object->typent_id = dol_getIdFromCode($db,'TE_PRIVATE','c_typent'); } else { - $object->typent_id = GETPOST('typent_id'); + $object->typent_id = GETPOST('typent_id', 'int'); } - $object->client = GETPOST('client'); - $object->fournisseur = GETPOST('fournisseur'); + $object->client = GETPOST('client', 'int'); + $object->fournisseur = GETPOST('fournisseur', 'int'); - $object->commercial_id = GETPOST('commercial_id'); + $object->commercial_id = GETPOST('commercial_id', 'int'); $object->default_lang = GETPOST('default_lang'); // Fill array 'array_options' with data from add form 
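Review bot: The same fields get different checks in this hunk and in the one at line 645: here `capital`, `status`, `assujtva_value`, `localtax1assuj_value`, `localtax2assuj_value`, `lt1` and `lt2` are read with `'san_alpha'`, there with `'int'`, so a non-numeric `status` is accepted on this path and rejected on the other. Unless the two forms intentionally differ, I would align this hunk on `'int'`, e.g. `$object->status = GETPOST('status', 'int');`. Two reads also stay unchecked while their neighbours were converted: `$object->particulier = GETPOST("private");` and `$object->default_lang = GETPOST('default_lang');` (the latter is `'san_alpha'` in the hunk at line 1154). The enclosing block starts before this hunk.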
@@ -645,48 +645,48 @@ if (GETPOST("type")=='p') { $object->client=2; } if (! empty($conf->fournisseur->enabled) && (GETPOST("type")=='f' || GETPOST("type")=='')) { $object->fournisseur=1; } - $object->name = GETPOST('nom'); - $object->firstname = GETPOST('firstname'); + $object->name = GETPOST('nom', 'san_alpha'); + $object->firstname = GETPOST('firstname', 'san_alpha'); $object->particulier = $private; $object->prefix_comm = GETPOST('prefix_comm'); $object->client = GETPOST('client')?GETPOST('client'):$object->client; - $object->code_client = GETPOST('code_client'); + $object->code_client = GETPOST('code_client', 'san_alpha'); $object->fournisseur = GETPOST('fournisseur')?GETPOST('fournisseur'):$object->fournisseur; - $object->code_fournisseur = GETPOST('code_fournisseur'); - $object->address = GETPOST('address'); - $object->zip = GETPOST('zipcode'); - $object->town = GETPOST('town'); - $object->state_id = GETPOST('state_id'); - $object->skype = GETPOST('skype'); - $object->phone = GETPOST('phone'); - $object->fax = GETPOST('fax'); - $object->email = GETPOST('email'); - $object->url = GETPOST('url'); - $object->capital = GETPOST('capital'); - $object->barcode = GETPOST('barcode'); - $object->idprof1 = GETPOST('idprof1'); - $object->idprof2 = GETPOST('idprof2'); - $object->idprof3 = GETPOST('idprof3'); - $object->idprof4 = GETPOST('idprof4'); - $object->idprof5 = GETPOST('idprof5'); - $object->idprof6 = GETPOST('idprof6'); - $object->typent_id = GETPOST('typent_id'); - $object->effectif_id = GETPOST('effectif_id'); - $object->civility_id = GETPOST('civility_id'); - - $object->tva_assuj = GETPOST('assujtva_value'); - $object->status = GETPOST('status'); + $object->code_fournisseur = GETPOST('code_fournisseur', 'san_alpha'); + $object->address = GETPOST('address', 'san_alpha'); + $object->zip = GETPOST('zipcode', 'san_alpha'); + $object->town = GETPOST('town', 'san_alpha'); + $object->state_id = GETPOST('state_id', 'int'); + $object->skype = GETPOST('skype', 
'san_alpha'); + $object->phone = GETPOST('phone', 'san_alpha'); + $object->fax = GETPOST('fax', 'san_alpha'); + $object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL); + $object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL); + $object->capital = GETPOST('capital', 'int'); + $object->barcode = GETPOST('barcode', 'san_alpha'); + $object->idprof1 = GETPOST('idprof1', 'san_alpha'); + $object->idprof2 = GETPOST('idprof2', 'san_alpha'); + $object->idprof3 = GETPOST('idprof3', 'san_alpha'); + $object->idprof4 = GETPOST('idprof4', 'san_alpha'); + $object->idprof5 = GETPOST('idprof5', 'san_alpha'); + $object->idprof6 = GETPOST('idprof6', 'san_alpha'); + $object->typent_id = GETPOST('typent_id', 'int'); + $object->effectif_id = GETPOST('effectif_id', 'int'); + $object->civility_id = GETPOST('civility_id', 'int'); + + $object->tva_assuj = GETPOST('assujtva_value', 'int'); + $object->status = GETPOST('status', 'int'); //Local Taxes - $object->localtax1_assuj = GETPOST('localtax1assuj_value'); - $object->localtax2_assuj = GETPOST('localtax2assuj_value'); + $object->localtax1_assuj = GETPOST('localtax1assuj_value', 'int'); + $object->localtax2_assuj = GETPOST('localtax2assuj_value', 'int'); - $object->localtax1_value =GETPOST('lt1'); - $object->localtax2_value =GETPOST('lt2'); + $object->localtax1_value =GETPOST('lt1', 'int'); + $object->localtax2_value =GETPOST('lt2', 'int'); - $object->tva_intra = GETPOST('tva_intra'); + $object->tva_intra = GETPOST('tva_intra', 'san_alpha'); - $object->commercial_id = GETPOST('commercial_id'); + $object->commercial_id = GETPOST('commercial_id', 'int'); $object->default_lang = GETPOST('default_lang'); $object->logo = (isset($_FILES['photo'])?dol_sanitizeFileName($_FILES['photo']['name']):''); 
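Review bot: `FILTER_SANITIZE_EMAIL` and `FILTER_SANITIZE_URL` only delete characters outside their allowed set and never fail, so a `url` such as `javascript:alert(1)` passes through unchanged and an `email` with no `@` is stored as-is; if the goal is to reject bad values, `FILTER_VALIDATE_EMAIL` / `FILTER_VALIDATE_URL` are the checks, bearing in mind that `filter_var` then returns `false` on failure and GETPOST's `custom` case currently passes that back to the caller. Within this hunk `prefix_comm`, `client`, `fournisseur` and `default_lang` are still read with no check although the surrounding fields were converted; `$object->client = GETPOST('client', 'int')?GETPOST('client', 'int'):$object->client;` would match the `'int'` used for the same field in the hunk at line 1154. The enclosing block starts before this hunk.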
@@ -1154,38 +1154,38 @@ if (GETPOST('nom')) { // We overwrite with values if posted - $object->name = GETPOST('nom'); - $object->prefix_comm = GETPOST('prefix_comm'); - $object->client = GETPOST('client'); - $object->code_client = GETPOST('code_client'); - $object->fournisseur = GETPOST('fournisseur'); - $object->code_fournisseur = GETPOST('code_fournisseur'); - $object->address = GETPOST('address'); - $object->zip = GETPOST('zipcode'); - $object->town = GETPOST('town'); - $object->country_id = GETPOST('country_id')?GETPOST('country_id'):$mysoc->country_id; - $object->state_id = GETPOST('state_id'); - $object->skype = GETPOST('skype'); - $object->phone = GETPOST('phone'); - $object->fax = GETPOST('fax'); - $object->email = GETPOST('email'); - $object->url = GETPOST('url'); - $object->capital = GETPOST('capital'); - $object->idprof1 = GETPOST('idprof1'); - $object->idprof2 = GETPOST('idprof2'); - $object->idprof3 = GETPOST('idprof3'); - $object->idprof4 = GETPOST('idprof4'); - $object->idprof5 = GETPOST('idprof5'); - $object->idprof6 = GETPOST('idprof6'); - $object->typent_id = GETPOST('typent_id'); - $object->effectif_id = GETPOST('effectif_id'); - $object->barcode = GETPOST('barcode'); - $object->forme_juridique_code = GETPOST('forme_juridique_code'); - $object->default_lang = GETPOST('default_lang'); + $object->name = GETPOST('nom', 'san_alpha'); + $object->prefix_comm = GETPOST('prefix_comm', 'san_alpha'); + $object->client = GETPOST('client', 'int'); + $object->code_client = GETPOST('code_client', 'san_alpha'); + $object->fournisseur = GETPOST('fournisseur', 'int'); + $object->code_fournisseur = GETPOST('code_fournisseur', 'san_alpha'); + $object->address = GETPOST('address', 'san_alpha'); + $object->zip = GETPOST('zipcode', 'san_alpha'); + $object->town = GETPOST('town', 'san_alpha'); + $object->country_id = GETPOST('country_id')?GETPOST('country_id', 'int'):$mysoc->country_id; + $object->state_id = GETPOST('state_id', 'int'); + $object->skype = 
GETPOST('skype', 'san_alpha'); + $object->phone = GETPOST('phone', 'san_alpha'); + $object->fax = GETPOST('fax', 'san_alpha'); + $object->email = GETPOST('email', 'custom', 0, FILTER_SANITIZE_EMAIL); + $object->url = GETPOST('url', 'custom', 0, FILTER_SANITIZE_URL); + $object->capital = GETPOST('capital', 'int'); + $object->idprof1 = GETPOST('idprof1', 'san_alpha'); + $object->idprof2 = GETPOST('idprof2', 'san_alpha'); + $object->idprof3 = GETPOST('idprof3', 'san_alpha'); + $object->idprof4 = GETPOST('idprof4', 'san_alpha'); + $object->idprof5 = GETPOST('idprof5', 'san_alpha'); + $object->idprof6 = GETPOST('idprof6', 'san_alpha'); + $object->typent_id = GETPOST('typent_id', 'int'); + $object->effectif_id = GETPOST('effectif_id', 'int'); + $object->barcode = GETPOST('barcode', 'san_alpha'); + $object->forme_juridique_code = GETPOST('forme_juridique_code', 'int'); + $object->default_lang = GETPOST('default_lang', 'san_alpha'); - $object->tva_assuj = GETPOST('assujtva_value'); - $object->tva_intra = GETPOST('tva_intra'); - $object->status = GETPOST('status'); + $object->tva_assuj = GETPOST('assujtva_value', 'int'); + $object->tva_intra = GETPOST('tva_intra', 'san_alpha'); + $object->status = GETPOST('status', 'int'); //Local Taxes $object->localtax1_assuj = GETPOST('localtax1assuj_value');
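Review bot: `$object->country_id = GETPOST('country_id')?GETPOST('country_id', 'int'):$mysoc->country_id;` tests the unchecked value but assigns the checked one, so a non-numeric `country_id` is truthy, the `'int'` check then yields `''`, and the field ends up empty instead of falling back to `$mysoc->country_id`. Use the checked value on both sides: `$object->country_id = GETPOST('country_id', 'int')?GETPOST('country_id', 'int'):$mysoc->country_id;`. The hunk's last line, `$object->localtax1_assuj = GETPOST('localtax1assuj_value');`, is left unchecked here although the hunk at line 645 reads the same field with `'int'`. The `if (GETPOST('nom'))` block continues past the end of the hunk.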