fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HOR-4760

Browse Source
This commit is contained in:
Paula Quispe
2018-07-25 14:37:42 -04:00
parent 571e717743 81c0262dbf
commit 61df766312
474 changed files with 36168 additions and 50155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

470
gulliver/system/class.inputfilter.php
View File

@@ -1,15 +1,15 @@
<?php
/** @class: InputFilter (PHP4 & PHP5, with comments)
* @project: PHP Input Filter
* @date: 10-05-2005
* @version: 1.2.2_php4/php5
* @author: Daniel Morris
* @contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
* @copyright: Daniel Morris
* @email: dan@rootcube.com
* @license: GNU General Public License (GPL)
*/
* @project: PHP Input Filter
* @date: 10-05-2005
* @version: 1.2.2_php4/php5
* @author: Daniel Morris
* @contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
* @copyright: Daniel Morris
* @email: dan@rootcube.com
* @license: GNU General Public License (GPL)
*/
class InputFilter
{
public $tagsArray;// default = empty array
@@ -22,15 +22,15 @@ class InputFilter
public $tagBlacklist = array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');
public $attrBlacklist = array('action', 'background', 'codebase', 'dynsrc', 'lowsrc'); // also will strip ALL event handlers
/**
* Constructor for inputFilter class. Only first parameter is required.
* @access constructor
* @param Array $tagsArray - list of user-defined tags
* @param Array $attrArray - list of user-defined attributes
* @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
* @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
* @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
*/
/**
* Constructor for inputFilter class. Only first parameter is required.
* @access constructor
* @param Array $tagsArray - list of user-defined tags
* @param Array $attrArray - list of user-defined attributes
* @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
* @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
* @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
*/
public function inputFilter($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
{
// make sure user defined arrays are in lowercase
@@ -41,19 +41,19 @@ class InputFilter
$attrArray[$i] = strtolower($attrArray[$i]);
}
// assign to member vars
$this->tagsArray = (array) $tagsArray;
$this->attrArray = (array) $attrArray;
$this->tagsArray = (array)$tagsArray;
$this->attrArray = (array)$attrArray;
$this->tagsMethod = $tagsMethod;
$this->attrMethod = $attrMethod;
$this->xssAuto = $xssAuto;
}
/**
* Method to be called by another php script. Processes for XSS and specified bad code.
* @access public
* @param Mixed $source - input string/array-of-string to be 'cleaned'
* @return String $source - 'cleaned' version of input parameter
*/
/**
* Method to be called by another php script. Processes for XSS and specified bad code.
* @access public
* @param Mixed $source - input string/array-of-string to be 'cleaned'
* @return String $source - 'cleaned' version of input parameter
*/
public function process($source)
{
// clean all elements in this array
@@ -75,15 +75,15 @@ class InputFilter
}
}
/**
* Internal method to iteratively remove all unwanted tags and attributes
* @access protected
* @param String $source - input string to be 'cleaned'
* @return String $source - 'cleaned' version of input parameter
*/
/**
* Internal method to iteratively remove all unwanted tags and attributes
* @access protected
* @param String $source - input string to be 'cleaned'
* @return String $source - 'cleaned' version of input parameter
*/
public function remove($source)
{
$loopCounter=0;
$loopCounter = 0;
// provides nested-tag protection
while ($source != $this->filterTags($source)) {
$source = $this->filterTags($source);
@@ -92,12 +92,12 @@ class InputFilter
return $source;
}
/**
* Internal method to strip a string of certain tags
* @access protected
* @param String $source - input string to be 'cleaned'
* @return String $source - 'cleaned' version of input parameter
*/
/**
* Internal method to strip a string of certain tags
* @access protected
* @param String $source - input string to be 'cleaned'
* @return String $source - 'cleaned' version of input parameter
*/
public function filterTags($source)
{
// filter pass setup
@@ -119,8 +119,8 @@ class InputFilter
// next start of tag (for nested tag assessment)
$tagOpen_nested = strpos($fromTagOpen, '<');
if (($tagOpen_nested !== false) && ($tagOpen_nested < $tagOpen_end)) {
$preTag .= substr($postTag, 0, ($tagOpen_nested+1));
$postTag = substr($postTag, ($tagOpen_nested+1));
$preTag .= substr($postTag, 0, ($tagOpen_nested + 1));
$postTag = substr($postTag, ($tagOpen_nested + 1));
$tagOpen_start = strpos($postTag, '<');
continue;
}
@@ -146,7 +146,7 @@ class InputFilter
list($tagName) = explode(' ', $currentTag);
}
// excludes all "non-regular" tagnames OR no tagname OR remove if xssauto is on and tag is blacklisted
if ((!preg_match("/^[a-z][a-z0-9]*$/i",$tagName)) || (!$tagName) || ((in_array(strtolower($tagName), $this->tagBlacklist)) && ($this->xssAuto))) {
if ((!preg_match("/^[a-z][a-z0-9]*$/i", $tagName)) || (!$tagName) || ((in_array(strtolower($tagName), $this->tagBlacklist)) && ($this->xssAuto))) {
$postTag = substr($postTag, ($tagLength + 2));
$tagOpen_start = strpos($postTag, '<');
// don't append this tag
@@ -154,15 +154,15 @@ class InputFilter
}
// this while is needed to support attribute values with spaces in!
while ($currentSpace !== false) {
$fromSpace = substr($tagLeft, ($currentSpace+1));
$fromSpace = substr($tagLeft, ($currentSpace + 1));
$nextSpace = strpos($fromSpace, ' ');
$openQuotes = strpos($fromSpace, '"');
$closeQuotes = strpos(substr($fromSpace, ($openQuotes+1)), '"') + $openQuotes + 1;
$closeQuotes = strpos(substr($fromSpace, ($openQuotes + 1)), '"') + $openQuotes + 1;
// another equals exists
if (strpos($fromSpace, '=') !== false) {
// opening and closing quotes exists
if (($openQuotes !== false) && (strpos(substr($fromSpace, ($openQuotes+1)), '"') !== false)) {
$attr = substr($fromSpace, 0, ($closeQuotes+1));
if (($openQuotes !== false) && (strpos(substr($fromSpace, ($openQuotes + 1)), '"') !== false)) {
$attr = substr($fromSpace, 0, ($closeQuotes + 1));
} else {
// one or neither exist
$attr = substr($fromSpace, 0, $nextSpace);
@@ -212,17 +212,17 @@ class InputFilter
return $preTag;
}
/**
* Internal method to strip a tag of certain attributes
* @access protected
* @param Array $attrSet
* @return Array $newSet
*/
/**
* Internal method to strip a tag of certain attributes
* @access protected
* @param Array $attrSet
* @return Array $newSet
*/
public function filterAttr($attrSet)
{
$newSet = array();
// process attributes
for ($i = 0; $i <count($attrSet); $i++) {
for ($i = 0; $i < count($attrSet); $i++) {
// skip blank spaces in tag
if (!$attrSet[$i]) {
continue;
@@ -231,7 +231,7 @@ class InputFilter
$attrSubSet = explode('=', trim($attrSet[$i]));
list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
// removes all "non-regular" attr names AND also attr blacklisted
if ((!eregi("^[a-z]*$",$attrSubSet[0])) || (($this->xssAuto) && ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist)) || (substr($attrSubSet[0], 0, 2) == 'on')))) {
if ((!preg_match("/^[a-z]*$/i", $attrSubSet[0])) || (($this->xssAuto) && ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist)) || (substr($attrSubSet[0], 0, 2) == 'on')))) {
continue;
}
// xss attr value filtering
@@ -250,12 +250,12 @@ class InputFilter
$attrSubSet[1] = stripslashes($attrSubSet[1]);
}
// auto strip attr's with "javascript:
if (((strpos(strtolower($attrSubSet[1]), 'expression') !== false) &&(strtolower($attrSubSet[0]) == 'style')) ||
(strpos(strtolower($attrSubSet[1]), 'javascript:') !== false) ||
(strpos(strtolower($attrSubSet[1]), 'behaviour:') !== false) ||
(strpos(strtolower($attrSubSet[1]), 'vbscript:') !== false) ||
(strpos(strtolower($attrSubSet[1]), 'mocha:') !== false) ||
(strpos(strtolower($attrSubSet[1]), 'livescript:') !== false)
if (((strpos(strtolower($attrSubSet[1]), 'expression') !== false) && (strtolower($attrSubSet[0]) == 'style')) ||
(strpos(strtolower($attrSubSet[1]), 'javascript:') !== false) ||
(strpos(strtolower($attrSubSet[1]), 'behaviour:') !== false) ||
(strpos(strtolower($attrSubSet[1]), 'vbscript:') !== false) ||
(strpos(strtolower($attrSubSet[1]), 'mocha:') !== false) ||
(strpos(strtolower($attrSubSet[1]), 'livescript:') !== false)
) {
continue;
}
@@ -279,30 +279,34 @@ class InputFilter
return $newSet;
}
/**
* Try to convert to plaintext
* @access protected
* @param String $source
* @return String $source
*/
/**
* Try to convert to plaintext
* @access protected
* @param String $source
* @return String $source
*/
public function decode($source)
{
// url decode
$source = html_entity_decode($source, ENT_QUOTES, "ISO-8859-1");
// convert decimal
$source = preg_replace('/&#(\d+);/me',"chr(\\1)", $source);// decimal notation
$source = preg_replace_callback('/&#(\d+);/m', function ($matches) {
return utf8_encode(chr($matches[1]));
}, $source);// decimal notation
// convert hex
$source = preg_replace('/&#x([a-f0-9]+);/mei',"chr(0x\\1)", $source);// hex notation
$source = preg_replace_callback('/&#x([a-f0-9]+);/mi', function ($matches) {
return utf8_encode(chr('0x' . $matches[1]));
}, $source);// hex notation
return $source;
}
/**
* Method to be called by another php script. Processes for SQL injection
* @access public
* @param Mixed $source - input string/array-of-string to be 'cleaned'
* @param Buffer $connection - An open MySQL connection
* @return String $source - 'cleaned' version of input parameter
*/
/**
* Method to be called by another php script. Processes for SQL injection
* @access public
* @param Mixed $source - input string/array-of-string to be 'cleaned'
* @param Buffer $connection - An open MySQL connection
* @return String $source - 'cleaned' version of input parameter
*/
public function safeSQL($source, &$connection)
{
// clean all elements in this array
@@ -326,14 +330,14 @@ class InputFilter
}
}
/**
* @author Chris Tobin
* @author Daniel Morris
* @access protected
* @param String $source
* @param Resource $connection - An open MySQL connection
* @return String $source
*/
/**
* @author Chris Tobin
* @author Daniel Morris
* @access protected
* @param String $source
* @param Resource $connection - An open MySQL connection
* @return String $source
*/
public function quoteSmart($source, &$connection)
{
// strip slashes
@@ -356,17 +360,10 @@ class InputFilter
*/
public function escapeString($string, &$connection)
{
// depreciated function
if (version_compare(phpversion(),"4.3.0", "<")) {
mysql_escape_string($string);
} else {
// current function
mysql_real_escape_string($string);
}
return $string;
return mysqli_real_escape_string($connection, $string);
}
/*
/**
* Escapes a string using a Propel connection
*
* @param string $string The string to escapes
@@ -376,27 +373,27 @@ class InputFilter
*/
public function escapeUsingConnection($string, $connection)
{
return mysql_real_escape_string($string, $connection->getResource());
return mysqli_real_escape_string($connection->getResource(), $string);
}
/**
* Internal method removes tags/special characters
* @author Marcelo Cuiza
* @access protected
* @param Array or String $input
* @param String $type
* @return Array or String $input
*/
/**
* Internal method removes tags/special characters
* @author Marcelo Cuiza
* @access protected
* @param Array or String $input
* @param String $type
* @return Array or String $input
*/
public function xssFilter($input, $type = "")
{
if(is_array($input)) {
if(sizeof($input)) {
foreach($input as $i => $val) {
if(is_array($val) && sizeof($val)) {
if (is_array($input)) {
if (count($input)) {
foreach ($input as $i => $val) {
if (is_array($val) && count($val)) {
$input[$i] = $this->xssFilter($val);
} else {
if(!empty($val)) {
if($type != "url") {
if (!empty($val)) {
if ($type != "url") {
$inputFiltered = addslashes(htmlspecialchars(filter_var($val, FILTER_SANITIZE_STRING), ENT_COMPAT, 'UTF-8'));
} else {
$inputFiltered = filter_var($val, FILTER_SANITIZE_STRING);
@@ -407,13 +404,13 @@ class InputFilter
$input[$i] = $inputFiltered;
}
}
}
}
return $input;
} else {
if(!isset($input) || trim($input) === '' || $input === NULL ) {
if (!isset($input) || trim($input) === '' || $input === null) {
return '';
} else {
if($type != "url") {
if ($type != "url") {
return addslashes(htmlspecialchars(filter_var($input, FILTER_SANITIZE_STRING), ENT_COMPAT, 'UTF-8'));
} else {
return filter_var($input, FILTER_SANITIZE_STRING);
@@ -421,41 +418,41 @@ class InputFilter
}
}
}
/**
* Internal method: remove malicious code, fix missing end tags, fix illegal nesting, convert deprecated tags, validate CSS, preserve rich formatting
* @author Marcelo Cuiza
* @access protected
* @param Array or String $input
* @param String $type (url)
* @return Array or String $input
*/
function xssFilterHard($input, $type = "")
{
/**
* Internal method: remove malicious code, fix missing end tags, fix illegal nesting, convert deprecated tags, validate CSS, preserve rich formatting
* @author Marcelo Cuiza
* @access protected
* @param Array or String $input
* @param String $type (url)
* @return Array or String $input
*/
public function xssFilterHard($input, $type = "")
{
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
if(is_array($input)) {
if(sizeof($input)) {
foreach($input as $i => $val) {
if(is_array($val) || is_object($val) && sizeof($val)) {
if (is_array($input)) {
if (count($input)) {
foreach ($input as $i => $val) {
if (is_array($val) || is_object($val) && count($val)) {
$input[$i] = $this->xssFilterHard($val);
} else {
if(!empty($val)) {
if(!is_object(G::json_decode($val))) {
if (!empty($val)) {
if (!is_object(G::json_decode($val))) {
$inputFiltered = $purifier->purify($val);
if($type != "url" && !strpos(basename($val), "=")) {
$inputFiltered = htmlspecialchars($inputFiltered, ENT_NOQUOTES, 'UTF-8');
if ($type != "url" && !strpos(basename($val), "=")) {
$inputFiltered = htmlspecialchars($inputFiltered, ENT_NOQUOTES, 'UTF-8');
} else {
$inputFiltered = str_replace('&amp;','&',$inputFiltered);
$inputFiltered = str_replace('&amp;', '&', $inputFiltered);
}
} else {
$jsArray = G::json_decode($val,true);
if(is_array($jsArray) && sizeof($jsArray)) {
foreach($jsArray as $j => $jsVal){
if(is_array($jsVal) && sizeof($jsVal)) {
$jsArray = G::json_decode($val, true);
if (is_array($jsArray) && count($jsArray)) {
foreach ($jsArray as $j => $jsVal) {
if (is_array($jsVal) && count($jsVal)) {
$jsArray[$j] = $this->xssFilterHard($jsVal);
} else {
if(!empty($jsVal)) {
if (!empty($jsVal)) {
$jsArray[$j] = $purifier->purify($jsVal);
}
}
@@ -464,7 +461,7 @@ class InputFilter
} else {
$inputFiltered = $val;
}
}
}
} else {
$inputFiltered = "";
}
@@ -474,16 +471,16 @@ class InputFilter
}
return $input;
} else {
if(!isset($input) || empty($input)) {
if (!isset($input) || empty($input)) {
return '';
} else {
if(is_object($input)) {
if(sizeof($input)) {
foreach($input as $j => $jsVal){
if(is_array($jsVal) || is_object($jsVal) && sizeof($jsVal)) {
if (is_object($input)) {
if (count($input)) {
foreach ($input as $j => $jsVal) {
if (is_array($jsVal) || is_object($jsVal) && count($jsVal)) {
$input->j = $this->xssFilterHard($jsVal);
} else {
if(!empty($jsVal)) {
if (!empty($jsVal)) {
$input->j = $purifier->purify($jsVal);
}
}
@@ -491,97 +488,101 @@ class InputFilter
}
return $input;
}
if(!is_object(G::json_decode($input))) {
if (!is_object(G::json_decode($input))) {
$input = $purifier->purify($input);
if($type != "url" && !strpos(basename($input), "=")) {
if ($type != "url" && !strpos(basename($input), "=")) {
$input = addslashes(htmlspecialchars($input, ENT_COMPAT, 'UTF-8'));
} else {
$input = str_replace('&amp;','&',$input);
$input = str_replace('&amp;', '&', $input);
}
} else {
$jsArray = G::json_decode($input,true);
if(is_array($jsArray) && sizeof($jsArray)) {
foreach($jsArray as $j => $jsVal){
if(is_array($jsVal) || is_object($jsVal) && sizeof($jsVal)) {
$jsArray = G::json_decode($input, true);
if (is_array($jsArray) && count($jsArray)) {
foreach ($jsArray as $j => $jsVal) {
if (is_array($jsVal) || is_object($jsVal) && count($jsVal)) {
$jsArray[$j] = $this->xssFilterHard($jsVal);
} else {
if(!empty($jsVal)) {
if (!empty($jsVal)) {
$jsArray[$j] = $purifier->purify($jsVal);
}
}
}
$input = G::json_encode($jsArray);
}
}
}
return $input;
}
}
}
/**
* Internal method: protect against SQL injection
* @author Marcelo Cuiza
* @access protected
* @param String $con
* @param String $query
* @param Array $values
* @return String $query
*/
function preventSqlInjection($query, $values = Array(), $con = NULL)
/**
* Internal method: protect against SQL injection
* @author Marcelo Cuiza
* @access protected
* @param String $con
* @param String $query
* @param array $values
* @return String $query
*/
public function preventSqlInjection($query, $values = array(), $con = null)
{
if(is_array($values) && sizeof($values)) {
foreach($values as $k1 => $val1) {
$values[$k1] = mysql_real_escape_string($val1);
if (empty($con)) {
$con = Propel::getConnection('workflow');
$con = $con->getResource();
}
if (is_array($values) && count($values)) {
foreach ($values as $k1 => $val1) {
$values[$k1] = mysqli_real_escape_string($con, $val1);
}
if ( get_magic_quotes_gpc() ) {
foreach($values as $k => $val) {
if (get_magic_quotes_gpc()) {
foreach ($values as $k => $val) {
$values[$k] = stripslashes($val);
}
}
$newquery = vsprintf($query,$values);
$newQuery = vsprintf($query, $values);
} else {
//$newquery = mysql_real_escape_string($query);
$newquery = $this->quoteSmart($this->decode($query), $con);
$newQuery = $this->quoteSmart($this->decode($query), $con);
}
return $newquery;
return $newQuery;
}
/**
* Internal method: validate user input
* @author Marcelo Cuiza
* @access protected
* @param String $value (required)
* @param Array or String $types ( string | int | float | boolean | path | nosql )
* @param String $valType ( validate | sanitize )
* @return String $value
*/
function validateInput($value, $types = 'string', $valType = 'sanitize')
/**
* Internal method: validate user input
* @author Marcelo Cuiza
* @access protected
* @param String $value (required)
* @param Array or String $types ( string | int | float | boolean | path | nosql )
* @param String $valType ( validate | sanitize )
* @return String $value
*/
public function validateInput($value, $types = 'string', $valType = 'sanitize')
{
if(!isset($value) || empty($value)) {
if (!isset($value) || empty($value)) {
return '';
}
if(is_array($types) && sizeof($types)){
foreach($types as $type){
if($valType == 'sanitize') {
}
if (is_array($types) && count($types)) {
foreach ($types as $type) {
if ($valType == 'sanitize') {
$value = $this->sanitizeInputValue($value, $type);
} else {
$value = $this->validateInputValue($value, $type);
$value = $this->validateInputValue($value, $type);
}
}
} elseif(is_string($types)) {
if($types == 'sanitize' || $types == 'validate') {
}
} elseif (is_string($types)) {
if ($types === 'sanitize' || $types === 'validate') {
$valType = $types;
$types = 'string';
}
if($valType == 'sanitize') {
if ($valType === 'sanitize') {
$value = $this->sanitizeInputValue($value, $types);
} else {
$value = $this->validateInputValue($value, $types);
$value = $this->validateInputValue($value, $types);
}
}
return $value;
}
@@ -590,36 +591,36 @@ class InputFilter
* @param $type
* @return bool|int|mixed|string
*/
function sanitizeInputValue($value, $type) {
switch($type) {
public function sanitizeInputValue($value, $type)
{
switch ($type) {
case 'float':
$value = filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION | FILTER_FLAG_ALLOW_THOUSAND);
break;
break;
case 'int':
$value = (int)filter_var($value, FILTER_SANITIZE_NUMBER_INT);
break;
break;
case 'boolean':
$value = (boolean)filter_var($value, FILTER_VALIDATE_BOOLEAN,FILTER_NULL_ON_FAILURE);
break;
$value = (boolean)filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
break;
case 'path':
if(!file_exists($value)) {
if(!is_dir($value)) {
if (!file_exists($value)) {
if (!is_dir($value)) {
$value = '';
}
}
break;
break;
case 'nosql':
$value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
if(preg_match('/\b(or|and|xor|drop|insert|update|delete|select)\b/i' , $value, $matches, PREG_OFFSET_CAPTURE)) {
$value = substr($value,0,$matches[0][1]);
if (preg_match('/\b(or|and|xor|drop|insert|update|delete|select)\b/i', $value, $matches, PREG_OFFSET_CAPTURE)) {
$value = substr($value, 0, $matches[0][1]);
}
break;
break;
default:
$value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
}
return $value;
return $value;
}
/**
@@ -627,39 +628,39 @@ class InputFilter
* @param $type
* @throws Exception
*/
function validateInputValue($value, $type) {
switch($type) {
public function validateInputValue($value, $type)
{
switch ($type) {
case 'float':
$value = str_replace(',', '.', $value);
if(!filter_var($value, FILTER_VALIDATE_FLOAT)) {
throw new Exception('not a float value');
if (!filter_var($value, FILTER_VALIDATE_FLOAT)) {
throw new Exception('not a float value');
}
break;
break;
case 'int':
if(!filter_var($value, FILTER_VALIDATE_INT)) {
throw new Exception('not a int value');
if (!filter_var($value, FILTER_VALIDATE_INT)) {
throw new Exception('not a int value');
}
break;
break;
case 'boolean':
if(!preg_match('/\b(yes|no|false|true|1|0)\b/i' , $value)) {
if (!preg_match('/\b(yes|no|false|true|1|0)\b/i', $value)) {
throw new Exception('not a boolean value');
}
break;
break;
case 'path':
if(!file_exists($value)) {
if(!is_dir($value)) {
if (!file_exists($value)) {
if (!is_dir($value)) {
throw new Exception('not a valid path');
}
}
break;
break;
case 'nosql':
if(preg_match('/\b(or|and|xor|drop|insert|update|delete|select)\b/i' , $value)) {
if (preg_match('/\b(or|and|xor|drop|insert|update|delete|select)\b/i', $value)) {
throw new Exception('sql command found');
}
break;
break;
default:
if(!is_string($value)) {
if (!is_string($value)) {
throw new Exception('not a string value');
}
}
@@ -669,7 +670,8 @@ class InputFilter
* @param $pathFile
* @return string
*/
function validatePath($pathFile) {
public function validatePath($pathFile)
{
$sanitizefilteredPath = mb_ereg_replace("([\.]{2,})", '', $pathFile);
$sanitizefilteredPath = mb_ereg_replace("(^~)", '', $sanitizefilteredPath);
return $sanitizefilteredPath;
@@ -678,23 +680,23 @@ class InputFilter
/**
* Filter only characters valids by regular expression
*
* @param mixed $data Data
* @param mixed $data Data
* @param mixed $regex Regular expression
*
* @return mixed Returns data with the characters valids by regular expression
*/
function xssRegexFilter($data, $regex)
public function xssRegexFilter($data, $regex)
{
try {
switch (gettype($data)) {
case 'array':
foreach ($data as $key => $value) {
$data[$key] = $this->xssRegexFilter($value, (is_array($regex))? ((isset($regex[$key]))? $regex[$key] : '') : $regex);
$data[$key] = $this->xssRegexFilter($value, (is_array($regex)) ? ((isset($regex[$key])) ? $regex[$key] : '') : $regex);
}
break;
default:
if ($regex != '') {
$data = (preg_match_all($regex, $data, $arrayMatch))? implode('', $arrayMatch[0]) : '';
$data = (preg_match_all($regex, $data, $arrayMatch)) ? implode('', $arrayMatch[0]) : '';
}
break;
}