Initial class file
Initial class file for the form_handler class, plus two test case files:
contact_us.php and address_book_process.php
FwrMedia committed Jul 27, 2012
1 parent f180251 commit 3d2768b
Showing 3 changed files with 157 additions and 33 deletions.
35 changes: 11 additions & 24 deletions catalog/address_book_process.php
Expand Up @@ -34,28 +34,15 @@

// error checking when updating or adding an entry
$process = false;
if (isset($HTTP_POST_VARS['action']) && (($HTTP_POST_VARS['action'] == 'process') || ($HTTP_POST_VARS['action'] == 'update')) && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) {
require(DIR_WS_CLASSES . '/form_handler.php');
$formHandler = new form_handler();
if (($extracted = $formHandler->setRequiredFormKeys(array('action' => array('process', 'update'), 'firstname' => 'strip_tags', 'lastname' => 'strip_tags', 'street_address' => 'strip_tags', 'postcode' => 'strip_tags','city' => 'strip_tags','country' => 'numeric', 'state' => 'strip_tags'))
->setOptionalFormKeys(array('gender' => 'strip_tags', 'company' => 'strip_tags', 'suburb' => 'strip_tags', 'zone_id' => 'strip_tags', 'primary' => 'strip_tags' ))
->validate()) !== false) {
extract($extracted,EXTR_OVERWRITE);
$process = true;
$error = false;

if (ACCOUNT_GENDER == 'true') $gender = tep_db_prepare_input($HTTP_POST_VARS['gender']);
if (ACCOUNT_COMPANY == 'true') $company = tep_db_prepare_input($HTTP_POST_VARS['company']);
$firstname = tep_db_prepare_input($HTTP_POST_VARS['firstname']);
$lastname = tep_db_prepare_input($HTTP_POST_VARS['lastname']);
$street_address = tep_db_prepare_input($HTTP_POST_VARS['street_address']);
if (ACCOUNT_SUBURB == 'true') $suburb = tep_db_prepare_input($HTTP_POST_VARS['suburb']);
$postcode = tep_db_prepare_input($HTTP_POST_VARS['postcode']);
$city = tep_db_prepare_input($HTTP_POST_VARS['city']);
$country = tep_db_prepare_input($HTTP_POST_VARS['country']);
if (ACCOUNT_STATE == 'true') {
if (isset($HTTP_POST_VARS['zone_id'])) {
$zone_id = tep_db_prepare_input($HTTP_POST_VARS['zone_id']);
} else {
$zone_id = false;
}
$state = tep_db_prepare_input($HTTP_POST_VARS['state']);
}

if (ACCOUNT_GENDER == 'true') {
if ( ($gender != 'm') && ($gender != 'f') ) {
$error = true;
Expand Down Expand Up @@ -145,13 +132,13 @@
}
}

if ($HTTP_POST_VARS['action'] == 'update') {
if ($action == 'update') {
$check_query = tep_db_query("select address_book_id from " . TABLE_ADDRESS_BOOK . " where address_book_id = '" . (int)$HTTP_GET_VARS['edit'] . "' and customers_id = '" . (int)$customer_id . "' limit 1");
if (tep_db_num_rows($check_query) == 1) {
tep_db_perform(TABLE_ADDRESS_BOOK, $sql_data_array, 'update', "address_book_id = '" . (int)$HTTP_GET_VARS['edit'] . "' and customers_id ='" . (int)$customer_id . "'");

// reregister session variables
if ( (isset($HTTP_POST_VARS['primary']) && ($HTTP_POST_VARS['primary'] == 'on')) || ($HTTP_GET_VARS['edit'] == $customer_default_address_id) ) {
if ( (isset($primary) && ($primary == 'on')) || ($HTTP_GET_VARS['edit'] == $customer_default_address_id) ) {
$customer_first_name = $firstname;
$customer_country_id = $country;
$customer_zone_id = (($zone_id > 0) ? (int)$zone_id : '0');
Expand All @@ -176,17 +163,17 @@
$new_address_book_id = tep_db_insert_id();

// reregister session variables
if (isset($HTTP_POST_VARS['primary']) && ($HTTP_POST_VARS['primary'] == 'on')) {
if (isset($primary) && ($primary == 'on')) {
$customer_first_name = $firstname;
$customer_country_id = $country;
$customer_zone_id = (($zone_id > 0) ? (int)$zone_id : '0');
if (isset($HTTP_POST_VARS['primary']) && ($HTTP_POST_VARS['primary'] == 'on')) $customer_default_address_id = $new_address_book_id;
if (isset($primary) && ($primary == 'on')) $customer_default_address_id = $new_address_book_id;

$sql_data_array = array('customers_firstname' => $firstname,
'customers_lastname' => $lastname);

if (ACCOUNT_GENDER == 'true') $sql_data_array['customers_gender'] = $gender;
if (isset($HTTP_POST_VARS['primary']) && ($HTTP_POST_VARS['primary'] == 'on')) $sql_data_array['customers_default_address_id'] = $new_address_book_id;
if (isset($primary) && ($primary == 'on')) $sql_data_array['customers_default_address_id'] = $new_address_book_id;

tep_db_perform(TABLE_CUSTOMERS, $sql_data_array, 'update', "customers_id = '" . (int)$customer_id . "'");

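Review bot: The optional `zone_id` field loses its default in the first hunk: the removed `} else { $zone_id = false; }` branch has no counterpart after `extract($extracted,EXTR_OVERWRITE);`, and `zone_id` is listed in setOptionalFormKeys, so when the field is absent from the POST the later `($zone_id > 0)` tests in the update and insert hunks read an undefined variable (still evaluates false, but now with a notice). The other optional keys (`gender`, `company`, `suburb`, `primary`) have the same gap where the `isset($primary)` tests and the ACCOUNT_GENDER branch use them. Seed the defaults immediately above the extract call, e.g. `$zone_id = false; $gender = $company = $suburb = $primary = '';` — EXTR_OVERWRITE then replaces only the keys that were actually submitted. The enclosing `if` block begins in the first hunk and ends outside the hunks shown.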
17 changes: 8 additions & 9 deletions catalog/contact_us.php
Expand Up @@ -13,15 +13,14 @@
require('includes/application_top.php');

require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CONTACT_US);

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) {
require(DIR_WS_CLASSES . '/form_handler.php');
$formHandler = new form_handler();
if (($extracted = $formHandler->setRequiredFormKeys(array( 'action' => 'send', 'name' => 'strip_tags', 'email' => 'strip_tags', 'enquiry' => 'strip_tags'))
->setOptionalFormKeys()->validate()) !== false) {
extract($extracted,EXTR_OVERWRITE);
$error = false;

$name = tep_db_prepare_input($HTTP_POST_VARS['name']);
$email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
$enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

if (!tep_validate_email($email_address)) {
if (!tep_validate_email($email)) {
$error = true;

$messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
Expand Down Expand Up @@ -74,7 +73,7 @@
} else {
?>

<?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send'), 'post', '', true); ?>
<?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US), 'post', '', true); ?>

<div class="contentContainer">
<div class="contentText">
Expand All @@ -95,7 +94,7 @@
</div>

<div class="buttonSet">
<span class="buttonAction"><?php echo tep_draw_button(IMAGE_BUTTON_CONTINUE, 'triangle-1-e', null, 'primary'); ?></span>
<span class="buttonAction"><?php echo tep_draw_hidden_field( 'action', 'send') . tep_draw_button(IMAGE_BUTTON_CONTINUE, 'triangle-1-e', null, 'primary'); ?></span>
</div>
</div>

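Review bot: The guard around the submit path still tests `$HTTP_GET_VARS['action']` (the `if (isset($HTTP_GET_VARS['action']) && ...` line reads as unchanged context in the first hunk), while the third hunk moves `action=send` out of the form URL and into a hidden POST field via `tep_draw_hidden_field( 'action', 'send')`, so on the new side that condition never holds and the enquiry is never processed. Since form_handler already requires `'action' => 'send'` from the POST side, the outer guard can shrink to the CSRF pre-check, e.g. `if (isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) {`, or test `$HTTP_POST_VARS['action']` instead of the GET copy. If that line was in fact rewritten and the rendering dropped the new version, disregard this. The enclosing `if`/`else` continues past the hunks shown.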
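--- a/catalog/includes/classes/form_handler.php
+++ b/catalog/includes/classes/form_handler.php
@@ -0,0 +1,138 @@
+<?php
+class form_handler {
+var $_superglobal;
+var $_sessiontoken;
+var $_required_keys = array();
+var $_optional_keys = array();
+var $_do_csrf_check = true;
+var $_do_csrf_check_only = false;
+var $_extracted = array();
+function form_handler($superglobal_type = 'post') {
+$this->_superglobal = strtolower($superglobal_type) === 'post' ? $_POST : $_GET;
+}
+
+function setRequiredFormKeys(array $args = array()) {
+$this->_required_keys = $args;
+return $this;
+}
+
+function setOptionalFormKeys(array $args = array()) {
+$this->_optional_keys = $args;
+return $this;
+}
+
+function validate(array $args = array()) {
+global $sessiontoken;
+$this->_sessiontoken =& $sessiontoken;
+if($this->_do_csrf_check) $this->_required_keys['formid'] = 1;
+$this->_extracted = array_intersect_key($this->_superglobal, $this->_required_keys);
+if(count($this->_extracted) !== count($this->_required_keys)) return false;
+$this->_extracted = array_merge( (array)$this->extractOptionals(), $this->_extracted);
+if ($this->validateCsrf() === false) return false;
+if ($this->_do_csrf_check_only) return true;
+return $this->handleValues();
+}
+
+function extractOptionals(array $args = array()) {
+$possibles = array_intersect_key($this->_superglobal, $this->_optional_keys);
+return (array)$possibles;
+}
+
+function requireCsrfCheck($required = true) {
+$this->_do_csrf_check = (bool)$required;
+return $this;
+}
+
+function limitCsrfCheckOnly($csrf_only = false) {
+$this->_do_csrf_check_only = (bool)$csrf_only;
+return $this;
+}
+
+function validateCsrf( array $args = array() ) {
+if ( $this->_do_csrf_check === false ) return true;
+$new_session_token = $this->generateNewToken();
+if($this->_extracted['formid'] == $this->_sessiontoken) {
+$this->_sessiontoken = $new_session_token;
+unset($this->_extracted['formid'],$this->_required_keys['formid']);
+return true;
+} else {
+$this->_sessiontoken = $new_session_token;
+}
+return false;
+}
+
+function generateNewToken(array $args = array()) {
+return md5(tep_rand() . tep_rand() . tep_rand() . tep_rand());
+}
+
+function handleValues() {
+$optionals_found = array_intersect_key($this->_optional_keys,$this->_extracted);
+$required_plus_optionals = array_merge($this->_required_keys, $optionals_found);
+foreach($required_plus_optionals as $key => $value) {
+switch($value) {
+case 'int':
+$this->_extracted[$key] = (int)$this->_extracted[$key];
+break;
+case 'numeric':
+if (!is_numeric($this->_extracted[$key])) $this->_extracted[$key] = (int)$this->_extracted[$key];
+break;
+case 'real':
+case 'double':
+case 'float':
+$this->_extracted[$key] = (float)$this->_extracted[$key];
+break;
+case 'string':
+$this->_extracted[$key] = tep_db_prepare_input((string)$this->_extracted[$key]);
+break;
+case 'strip_tags':
+$this->_extracted[$key] = tep_db_prepare_input(strip_tags((string)$this->_extracted[$key]));
+break;
+case 'array':
+$this->_extracted[$key] = tep_db_prepare_input((array)$this->_extracted[$key]);
+break;
+case 'empty':
+case 'null':
+if(tep_not_null( $this->_extracted[$key])) {
+$this->_extracted[$key] = is_array($this->_extracted[$key]) ? array() : '';
+}
+break;
+case 'boolean':
+case 'bool':
+$this->_extracted[$key] = (bool)$this->_extracted[$key];
+break;
+case 'bypass':
+// For some unknown reason we don't want this one formatted
+break;
+/**
+* When the value is an array it could be confusing unless explained
+*
+* @example address_book_process.php
+* if (isset($HTTP_POST_VARS['action']) && (($HTTP_POST_VARS['action'] == 'process') || ($HTTP_POST_VARS['action'] == 'update'))
+* action is checked against the array e.g array( 'process', 'update' ) and if the action doesn't match any this returns false
+*/
+case is_array($value):
+if (!in_array((string)$this->_extracted[$key], $value)) return false; // Effectively an OR
+break;
+case false !== strpos((string)$value, 'tep_'):
+if (function_exists($value)) {
+$this->_extracted[$key] = $value(tep_db_prepare_input($this->_extracted[$key])); // Pass the value through a tep_ function e.g. tep_output_string()
+}
+break;
+case false !== strpos((string)$value, 'php_'):
+$possible_function = substr($value, 4, strlen($value));
+$disallowed = array( 'eval','exec','shell_exec','escapeshellarg','escapeshellcmd','system',
+'passthru','readfile','proc_close','proc_open','ini_alter','dl','popen',
+'parse_ini_file','show_source', 'curl_exec' );
+if (in_array($possible_function,$disallowed)) return false; // Many PHP functions are dangerous
+if (function_exists($possible_function)) {
+$this->_extracted[$key] = $possible_function(tep_db_prepare_input($this->_extracted[$key]));
+}
+break;
+default:
+if((string)$value != (string)$this->_extracted[$key]) return false; // Checking simple matches like action => process
+break;
+}
+}
+return (array)$this->_extracted;
+}
+} // end class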
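Review bot: `validateCsrf` compares the submitted token with the session token using loose `==` (`if($this->_extracted['formid'] == $this->_sessiontoken)`); because `generateNewToken` returns an md5 hex string, two values of the form `0e<digits>` compare equal under PHP's numeric-string rules, so the check should be strict, e.g. `if (is_string($this->_extracted['formid']) && $this->_extracted['formid'] === $this->_sessiontoken) {` (or `hash_equals()` where the PHP version provides it). The same loose-comparison pattern appears in `handleValues`: `in_array((string)$this->_extracted[$key], $value)` should pass `true` as the third argument, and the `default` case's `(string)$value != (string)$this->_extracted[$key]` should be `!==`. The `'numeric'` case is also worth a second look, since it leaves any `is_numeric()` string untouched (including exponent and leading-whitespace forms) rather than normalising it, which differs from what callers of `'int'` get. Finally, the class has no header comment; a docblock above `class form_handler` listing the specifier vocabulary `handleValues` accepts (`int`, `numeric`, `float`, `string`, `strip_tags`, `array`, `empty`, `bool`, `bypass`, an array of accepted literals, a `tep_*` or `php_*` function name, or a literal to match) and noting that `validate()` returns `false` for a missing required key as well as a CSRF mismatch, rotating `$sessiontoken` in both CSRF outcomes, would save callers reading the switch.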
