Fix: Sanitize data

commit 7bf0d77e5cc38efae9576e9404b6c748ab5cfd29 1 parent ffd80b0
@simnandez authored
8 htdocs/externalsite/admin/externalsite.php
@@ -4,7 +4,7 @@
* Copyright (C) 2004-2010 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2004 Sebastien Di Cintio <sdicintio@ressource-toi.org>
* Copyright (C) 2004 Benoit Mortier <benoit.mortier@opensides.be>
- * Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -40,7 +40,7 @@
$def = array();
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
// Sauvegardes parametres
if ($action == 'update')
@@ -49,7 +49,7 @@
$db->begin();
- $exturl = GETPOST("EXTERNALSITE_URL");
+ $exturl = GETPOST('EXTERNALSITE_URL','alpha');
$i+=dolibarr_set_const($db,'EXTERNALSITE_URL',trim($exturl),'chaine',0,'',$conf->entity);
//$i+=dolibarr_set_const($db,'EXTERNALSITE_LABEL',trim($_POST["EXTERNALSITE_LABEL"]),'chaine',0,'',$conf->entity);
@@ -99,7 +99,7 @@
print "<tr class=\"impair\">";
print "<td>".$langs->trans("ExternalSiteURL")."</td>";
-print "<td><input type=\"text\" class=\"flat\" name=\"EXTERNALSITE_URL\" value=\"". ($_POST["EXTERNALSITE_URL"]?$_POST["EXTERNALSITE_URL"]:$conf->global->EXTERNALSITE_URL) . "\" size=\"40\"></td>";
+print "<td><input type=\"text\" class=\"flat\" name=\"EXTERNALSITE_URL\" value=\"". (GETPOST('EXTERNALSITE_URL','alpha')?GETPOST('EXTERNALSITE_URL','alpha'):$conf->global->EXTERNALSITE_URL) . "\" size=\"40\"></td>";
print "<td>http://localhost/myurl/";
print "<br>http://wikipedia.org/";
print "</td>";
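Review bot: The input element in the third hunk still writes the request value straight into an HTML attribute with no output escaping, so protection rests entirely on what the 'alpha' check of GETPOST happens to reject; escaping at the point of output is the control that holds regardless of how the input filter evolves. Read the value once and escape it: `$exturl = GETPOST('EXTERNALSITE_URL','alpha');` and then `value=\"".htmlspecialchars($exturl ? $exturl : $conf->global->EXTERNALSITE_URL, ENT_QUOTES)."\"`. Calling GETPOST twice in the same expression also runs the filter twice and makes the line harder to read. The truthiness test treats a posted '0' as absent, which is presumably acceptable for a URL field but worth knowing.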
22 htdocs/ftp/admin/ftpclient.php
@@ -34,8 +34,8 @@
$def = array();
$lastftpentry=0;
-$action = GETPOST("action");
-$entry = GETPOST("numero_entry");
+$action = GETPOST('action','alpha');
+$entry = GETPOST('numero_entry','alpha');
// Positionne la variable pour le nombre de rss externes
$sql ="select MAX(name) as name from ".MAIN_DB_PREFIX."const";
@@ -52,7 +52,7 @@
dol_print_error($db);
}
-if ($action == 'add' || GETPOST("modify"))
+if ($action == 'add' || GETPOST('modify','alpha'))
{
$ftp_name = "FTP_NAME_" . $entry;// $_POST["numero_entry"];
$ftp_server = "FTP_SERVER_" . $entry; //$_POST["numero_entry"];
@@ -60,13 +60,13 @@
$error=0;
$mesg='';
- if (! GETPOST("$ftp_name"))
+ if (! GETPOST("$ftp_name",'alpha'))
{
$error=1;
$mesg.='<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("Label")).'</div>';
}
- if (! GETPOST("$ftp_server"))
+ if (! GETPOST("$ftp_server",'alpha'))
{
$error=1;
$mesg.='<div class="error">'.$langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("Server")).'</div>';
@@ -81,11 +81,11 @@
$db->begin();
- $result1=dolibarr_set_const($db, "FTP_PORT_" . $entry,GETPOST($ftp_port),'chaine',0,'',$conf->entity);
- if ($result1) $result2=dolibarr_set_const($db, "FTP_SERVER_" . $entry, GETPOST($ftp_server),'chaine',0,'',$conf->entity);
- if ($result2) $result3=dolibarr_set_const($db, "FTP_USER_" . $entry,GETPOST($ftp_user),'chaine',0,'',$conf->entity);
- if ($result3) $result4=dolibarr_set_const($db, "FTP_PASSWORD_" . $entry,GETPOST($ftp_password),'chaine',0,'',$conf->entity);
- if ($result4) $result5=dolibarr_set_const($db, "FTP_NAME_" . $entry,GETPOST($ftp_name),'chaine',0,'',$conf->entity);
+ $result1=dolibarr_set_const($db, "FTP_PORT_" . $entry,GETPOST($ftp_port,'alpha'),'chaine',0,'',$conf->entity);
+ if ($result1) $result2=dolibarr_set_const($db, "FTP_SERVER_" . $entry, GETPOST($ftp_server,'alpha'),'chaine',0,'',$conf->entity);
+ if ($result2) $result3=dolibarr_set_const($db, "FTP_USER_" . $entry,GETPOST($ftp_user,'alpha'),'chaine',0,'',$conf->entity);
+ if ($result3) $result4=dolibarr_set_const($db, "FTP_PASSWORD_" . $entry,GETPOST($ftp_password,'alpha'),'chaine',0,'',$conf->entity);
+ if ($result4) $result5=dolibarr_set_const($db, "FTP_NAME_" . $entry,GETPOST($ftp_name,'alpha'),'chaine',0,'',$conf->entity);
if ($result1 && $result2 && $result3 && $result4 && $result5)
{
@@ -102,7 +102,7 @@
}
}
-if ($_POST["delete"])
+if (GETPOST('delete','alpha'))
{
if($entry)
{
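Review bot: The constant names written in the fourth hunk (`"FTP_PORT_" . $entry` and the four that follow) are derived from `numero_entry`, which the first hunk now reads with the 'alpha' check; unless that check restricts the value to digits, the request still controls the suffix of the `FTP_*_` constant name that dolibarr_set_const creates or overwrites. Reading it as an integer is the narrower contract: `$entry = GETPOST('numero_entry','int');`. Separately, `$result2` through `$result5` are only assigned when the previous call succeeded, so the combined test on the line after the hunk reads undefined variables once any call fails; initialising them to 0 before `$result1` is computed avoids that. The password goes through the same 'alpha' path, so any characters that check rejects would be silently dropped from the stored credential — worth confirming against GETPOST's implementation before relying on it for that field.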