Merge pull request #148 from simnandez/develop

Fix: Sanitize data
Dolibarr · Apr 4, 2012 · d6cea81 · d6cea81
2 parents ffd80b0 + 7bf0d77
commit d6cea81
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 15 deletions.
diff --git a/htdocs/externalsite/admin/externalsite.php b/htdocs/externalsite/admin/externalsite.php
@@ -4,7 +4,7 @@
  * Copyright (C) 2004-2010 Laurent Destailleur  <eldy@users.sourceforge.net>
  * Copyright (C) 2004      Sebastien Di Cintio  <sdicintio@ressource-toi.org>
  * Copyright (C) 2004      Benoit Mortier       <benoit.mortier@opensides.be>
- * Copyright (C) 2011 	   Juanjo Menent		<jmenent@2byte.es>
+ * Copyright (C) 2011-2012 Juanjo Menent		<jmenent@2byte.es>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -40,7 +40,7 @@
 
 $def = array();
 
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 
 // Sauvegardes parametres
 if ($action == 'update')
@@ -49,7 +49,7 @@
 
     $db->begin();
 
-    $exturl = GETPOST("EXTERNALSITE_URL");
+    $exturl = GETPOST('EXTERNALSITE_URL','alpha');
 
     $i+=dolibarr_set_const($db,'EXTERNALSITE_URL',trim($exturl),'chaine',0,'',$conf->entity);
     //$i+=dolibarr_set_const($db,'EXTERNALSITE_LABEL',trim($_POST["EXTERNALSITE_LABEL"]),'chaine',0,'',$conf->entity);
@@ -99,7 +99,7 @@
 
 print "<tr class=\"impair\">";
 print "<td>".$langs->trans("ExternalSiteURL")."</td>";
-print "<td><input type=\"text\" class=\"flat\" name=\"EXTERNALSITE_URL\" value=\"". ($_POST["EXTERNALSITE_URL"]?$_POST["EXTERNALSITE_URL"]:$conf->global->EXTERNALSITE_URL) . "\" size=\"40\"></td>";
+print "<td><input type=\"text\" class=\"flat\" name=\"EXTERNALSITE_URL\" value=\"". (GETPOST('EXTERNALSITE_URL','alpha')?GETPOST('EXTERNALSITE_URL','alpha'):$conf->global->EXTERNALSITE_URL) . "\" size=\"40\"></td>";
 print "<td>http://localhost/myurl/";
 print "<br>http://wikipedia.org/";
 print "</td>";

diff --git a/htdocs/ftp/admin/ftpclient.php b/htdocs/ftp/admin/ftpclient.php
@@ -34,8 +34,8 @@
 $def = array();
 $lastftpentry=0;
 
-$action = GETPOST("action");
-$entry = GETPOST("numero_entry");
+$action = GETPOST('action','alpha');
+$entry = GETPOST('numero_entry','alpha');
 
 // Positionne la variable pour le nombre de rss externes
 $sql ="select MAX(name) as name from ".MAIN_DB_PREFIX."const";
@@ -52,21 +52,21 @@
     dol_print_error($db);
 }
 
-if ($action == 'add' || GETPOST("modify"))
+if ($action == 'add' || GETPOST('modify','alpha'))
 {
     $ftp_name = "FTP_NAME_" . $entry;// $_POST["numero_entry"];
 	$ftp_server = "FTP_SERVER_" . $entry; //$_POST["numero_entry"];
 
 	$error=0;
 	$mesg='';
 
-	if (! GETPOST("$ftp_name"))
+	if (! GETPOST("$ftp_name",'alpha'))
 	{
 		$error=1;
 		$mesg.='<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("Label")).'</div>';
 	}
 
-	if (! GETPOST("$ftp_server"))
+	if (! GETPOST("$ftp_server",'alpha'))
 	{
 		$error=1;
 		$mesg.='<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("Server")).'</div>';
@@ -81,11 +81,11 @@
 
         $db->begin();
 
-		$result1=dolibarr_set_const($db, "FTP_PORT_" . $entry,GETPOST($ftp_port),'chaine',0,'',$conf->entity);
-		if ($result1) $result2=dolibarr_set_const($db, "FTP_SERVER_" . $entry, GETPOST($ftp_server),'chaine',0,'',$conf->entity);
-		if ($result2) $result3=dolibarr_set_const($db, "FTP_USER_" . $entry,GETPOST($ftp_user),'chaine',0,'',$conf->entity);
-		if ($result3) $result4=dolibarr_set_const($db, "FTP_PASSWORD_" . $entry,GETPOST($ftp_password),'chaine',0,'',$conf->entity);
-		if ($result4) $result5=dolibarr_set_const($db, "FTP_NAME_" . $entry,GETPOST($ftp_name),'chaine',0,'',$conf->entity);
+		$result1=dolibarr_set_const($db, "FTP_PORT_" . $entry,GETPOST($ftp_port,'alpha'),'chaine',0,'',$conf->entity);
+		if ($result1) $result2=dolibarr_set_const($db, "FTP_SERVER_" . $entry, GETPOST($ftp_server,'alpha'),'chaine',0,'',$conf->entity);
+		if ($result2) $result3=dolibarr_set_const($db, "FTP_USER_" . $entry,GETPOST($ftp_user,'alpha'),'chaine',0,'',$conf->entity);
+		if ($result3) $result4=dolibarr_set_const($db, "FTP_PASSWORD_" . $entry,GETPOST($ftp_password,'alpha'),'chaine',0,'',$conf->entity);
+		if ($result4) $result5=dolibarr_set_const($db, "FTP_NAME_" . $entry,GETPOST($ftp_name,'alpha'),'chaine',0,'',$conf->entity);
 
         if ($result1 && $result2 && $result3 && $result4 && $result5)
         {
@@ -102,7 +102,7 @@
     }
 }
 
-if ($_POST["delete"])
+if (GETPOST('delete','alpha'))
 {
     if($entry)
     {