Modified GetPOSTArray and GetGETArray, because keys were not filled in

OpenXE 2022-12-16 14:40:19 +00:00
parent c519d8030a
commit 84eaf1b495


@ -1,340 +1,344 @@
<?php <?php
/* /*
**** COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE **** **** COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE ****
* *
* Xentral (c) Xentral ERP Sorftware GmbH, Fuggerstrasse 11, D-86150 Augsburg, * Germany 2019 * Xentral (c) Xentral ERP Sorftware GmbH, Fuggerstrasse 11, D-86150 Augsburg, * Germany 2019
* *
* This file is licensed under the Embedded Projects General Public License *Version 3.1. * This file is licensed under the Embedded Projects General Public License *Version 3.1.
* *
* You should have received a copy of this license from your vendor and/or *along with this file; If not, please visit www.wawision.de/Lizenzhinweis * You should have received a copy of this license from your vendor and/or *along with this file; If not, please visit www.wawision.de/Lizenzhinweis
* to obtain the text of the corresponding license version. * to obtain the text of the corresponding license version.
* *
**** END OF COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE **** **** END OF COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE ****
*/ */
?> ?>
<?php <?php
/// Secure Layer, SQL Inject. Check, Syntax Check /// Secure Layer, SQL Inject. Check, Syntax Check
class Secure class Secure
{ {
public $GET; public $GET;
public $POST; public $POST;
/** /**
* Secure constructor. * Secure constructor.
* *
* @param ApplicationCore $app * @param ApplicationCore $app
*/ */
public function __construct($app){ public function __construct($app){
$this->app = $app; $this->app = $app;
// clear global variables, that everybody have to go over secure layer // clear global variables, that everybody have to go over secure layer
$this->GET = $_GET; $this->GET = $_GET;
if(isset($this->GET['msgs']) && isset($this->app->Location)) { if(isset($this->GET['msgs']) && isset($this->app->Location)) {
$this->GET['msg'] = $this->app->Location->getMessage($this->GET['msgs']); $this->GET['msg'] = $this->app->Location->getMessage($this->GET['msgs']);
} }
// $_GET=""; // $_GET="";
$this->POST = $_POST; $this->POST = $_POST;
// $_POST=""; // $_POST="";
if(!isset($this->app->stringcleaner) && file_exists(__DIR__. '/class.stringcleaner.php')) { if(!isset($this->app->stringcleaner) && file_exists(__DIR__. '/class.stringcleaner.php')) {
if(!class_exists('StringCleaner')) { if(!class_exists('StringCleaner')) {
require_once __DIR__ . '/class.stringcleaner.php'; require_once __DIR__ . '/class.stringcleaner.php';
} }
$this->app->stringcleaner = new StringCleaner($this->app); $this->app->stringcleaner = new StringCleaner($this->app);
} }
$this->AddRule('notempty','reg','.'); // at least one sign $this->AddRule('notempty','reg','.'); // at least one sign
$this->AddRule('alpha','reg','[a-zA-Z]'); $this->AddRule('alpha','reg','[a-zA-Z]');
$this->AddRule('digit','reg','[0-9]'); $this->AddRule('digit','reg','[0-9]');
$this->AddRule('space','reg','[ ]'); $this->AddRule('space','reg','[ ]');
$this->AddRule('specialchars','reg','[_-]'); $this->AddRule('specialchars','reg','[_-]');
$this->AddRule('email','reg','^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$'); $this->AddRule('email','reg','^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$');
$this->AddRule('datum','reg','([0-9]{1,2})\.([0-9]{1,2})\.([0-9]{4})'); $this->AddRule('datum','reg','([0-9]{1,2})\.([0-9]{1,2})\.([0-9]{4})');
$this->AddRule('username','glue','alpha+digit'); $this->AddRule('username','glue','alpha+digit');
$this->AddRule('password','glue','alpha+digit+specialchars'); $this->AddRule('password','glue','alpha+digit+specialchars');
} }
/** /**
* @param string $name * @param string $name
* @param null $rule * @param null $rule
* @param string $maxlength * @param string $maxlength
* @param string $sqlcheckoff * @param string $sqlcheckoff
* *
* @return array|mixed|string * @return array|mixed|string
*/ */
public function GetGET($name,$rule=null,$maxlength='',$sqlcheckoff='') public function GetGET($name,$rule=null,$maxlength='',$sqlcheckoff='')
{ {
if($name === 'msg' && isset($this->app->erp) && method_exists($this, 'xss_clean')) { if($name === 'msg' && isset($this->app->erp) && method_exists($this, 'xss_clean')) {
$ret = $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'','',$maxlength,$sqlcheckoff); $ret = $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'','',$maxlength,$sqlcheckoff);
$ret = $this->app->erp->base64_url_decode($ret); $ret = $this->app->erp->base64_url_decode($ret);
if(strpos($ret,'"button"') === false){ if(strpos($ret,'"button"') === false){
$ret = $this->xss_clean($ret); $ret = $this->xss_clean($ret);
} }
return $this->app->erp->base64_url_encode($ret); return $this->app->erp->base64_url_encode($ret);
} }
if($rule === null) { if($rule === null) {
$rule = $this->NameToRule($name); $rule = $this->NameToRule($name);
} }
return $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'',$rule,$maxlength,$sqlcheckoff); return $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'',$rule,$maxlength,$sqlcheckoff);
} }
function NameToRule($name) function NameToRule($name)
{ {
switch($name) switch($name)
{ {
case 'id': case 'id':
return 'doppelid'; return 'doppelid';
break; break;
case 'sid': case 'sid':
return 'alphadigits'; return 'alphadigits';
break; break;
case 'module': case 'module':
case 'smodule': case 'smodule':
case 'action': case 'action':
case 'saction': case 'saction':
return 'module'; return 'module';
break; break;
case 'cmd': case 'cmd':
return 'moduleminus'; return 'moduleminus';
break; break;
} }
return 'nothtml'; return 'nothtml';
} }
public function GetPOST($name,$rule=null,$maxlength="",$sqlcheckoff="") public function GetPOST($name,$rule=null,$maxlength="",$sqlcheckoff="")
{ {
if($rule === null) { if($rule === null) {
$rule = $this->NameToRule($name); $rule = $this->NameToRule($name);
if(isset($this->POST['ishtml_cke_'.$name]) && $this->POST['ishtml_cke_'.$name]) { if(isset($this->POST['ishtml_cke_'.$name]) && $this->POST['ishtml_cke_'.$name]) {
$rule = 'nojs'; $rule = 'nojs';
} }
} }
return $this->Syntax(isset($this->POST[$name])?$this->POST[$name]:'',$rule,$maxlength,$sqlcheckoff); return $this->Syntax(isset($this->POST[$name])?$this->POST[$name]:'',$rule,$maxlength,$sqlcheckoff);
} }
public function GetPOSTForForms($name,$rule="",$maxlength="",$sqlcheckoff="") public function GetPOSTForForms($name,$rule="",$maxlength="",$sqlcheckoff="")
{ {
return $this->SyntaxForForms($this->POST[$name],$rule,$maxlength,$sqlcheckoff); return $this->SyntaxForForms($this->POST[$name],$rule,$maxlength,$sqlcheckoff);
} }
public function CleanString($string, $rule='nohtml',$sqlcheckoff='') public function CleanString($string, $rule='nohtml',$sqlcheckoff='')
{ {
return $this->Syntax($string, $rule, '', $sqlcheckoff); return $this->Syntax($string, $rule, '', $sqlcheckoff);
} }
public function xss_clean($data) public function xss_clean($data)
{ {
return $this->app->stringcleaner->xss_clean($data); return $this->app->stringcleaner->xss_clean($data);
} }
public function GetPOSTArray() public function GetPOSTArray()
{ {
if(!empty($this->POST) && count($this->POST)>0) if(!empty($this->POST) && count($this->POST)>0)
{ {
foreach($this->POST as $key=>$value) foreach($this->POST as $key=>$value)
{ {
$key = $this->GetPOST($key,"alpha+digit+specialchars",20); $value = $this->GetPOST($key);
$ret[$key]=$this->GetPOST($value); if ($value !== null) {
} $ret[$key] = $value;
} }
if(!empty($ret)) }
{ }
return $ret; if(!empty($ret))
} {
return $ret;
return null; }
}
return null;
public function GetGETArray() }
{
if(!empty($this->GET) && count($this->GET)>0) public function GetGETArray()
{ {
foreach($this->GET as $key=>$value) if(!empty($this->GET) && count($this->GET)>0)
{ {
$key = $this->GetGET($key,"alpha+digit+specialchars",20); foreach($this->GET as $key=>$value)
$ret[$key]=$this->GetGET($value); {
} $value = $this->GetGET($key);
} if ($value !== null) {
if(!empty($ret)) $ret[$key] = $value;
{ }
return $ret; }
} }
if(!empty($ret))
return null; {
} return $ret;
}
function stripallslashes($string) {
return null;
while(strstr($string,'\\')) { }
$string = stripslashes($string);
} function stripallslashes($string) {
return $string;
} while(strstr($string,'\\')) {
$string = stripslashes($string);
public function smartstripslashes($str) { }
$cd1 = substr_count($str, "\""); return $string;
$cd2 = substr_count($str, "\\\""); }
$cs1 = substr_count($str, "'");
$cs2 = substr_count($str, "\\'"); public function smartstripslashes($str) {
$tmp = strtr($str, array("\\\"" => "", "\\'" => "")); $cd1 = substr_count($str, "\"");
$cb1 = substr_count($tmp, "\\"); $cd2 = substr_count($str, "\\\"");
$cb2 = substr_count($tmp, "\\\\"); $cs1 = substr_count($str, "'");
if ($cd1 == $cd2 && $cs1 == $cs2 && $cb1 == 2 * $cb2) { $cs2 = substr_count($str, "\\'");
return strtr($str, array("\\\"" => "\"", "\\'" => "'", "\\\\" => "\\")); $tmp = strtr($str, array("\\\"" => "", "\\'" => ""));
} $cb1 = substr_count($tmp, "\\");
return $str; $cb2 = substr_count($tmp, "\\\\");
} if ($cd1 == $cd2 && $cs1 == $cs2 && $cb1 == 2 * $cb2) {
return strtr($str, array("\\\"" => "\"", "\\'" => "'", "\\\\" => "\\"));
public function SyntaxForForms($value,$rule,$maxlength="",$sqlcheckoff="") }
{ return $str;
return $value;//mysqli_real_escape_string($this->app->DB->connection,$value);//mysqli_real_escape_string($value); }
}
public function SyntaxForForms($value,$rule,$maxlength="",$sqlcheckoff="")
// check actual value with given rule {
public function Syntax($value,$rule,$maxlength='',$sqlcheckoff='') return $value;//mysqli_real_escape_string($this->app->DB->connection,$value);//mysqli_real_escape_string($value);
{ }
$striptags = false;
if(is_array($value)) // check actual value with given rule
{ public function Syntax($value,$rule,$maxlength='',$sqlcheckoff='')
if($sqlcheckoff != '') {
{ $striptags = false;
return $value; if(is_array($value))
} {
foreach($value as $k => $v) if($sqlcheckoff != '')
{ {
if(is_array($v)) return $value;
{ }
$value[$k] = $v; foreach($value as $k => $v)
}else{ {
$v = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$v); if(is_array($v))
if($striptags){ {
$v = $this->stripallslashes($v); $value[$k] = $v;
$v = $this->smartstripslashes($v); }else{
$v = $this->app->erp->superentities($v); $v = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$v);
} if($striptags){
$value[$k] = $this->app->DB->real_escape_string($v); $v = $this->stripallslashes($v);
} $v = $this->smartstripslashes($v);
} $v = $this->app->erp->superentities($v);
return $value; }
} $value[$k] = $this->app->DB->real_escape_string($v);
}
}
$value = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$value); return $value;
}
if($striptags){
$value = $this->stripallslashes($value);
$value = $this->smartstripslashes($value); $value = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$value);
$value = $this->app->erp->superentities($value); if($striptags){
} $value = $this->stripallslashes($value);
$value = $this->smartstripslashes($value);
if(!empty($this->app->stringcleaner)) {
if( $sqlcheckoff == '') { $value = $this->app->erp->superentities($value);
return $this->app->DB->real_escape_string($this->app->stringcleaner->CleanString($value, $rule)); }
}
return $this->app->stringcleaner->CleanString($value, $rule); if(!empty($this->app->stringcleaner)) {
} if( $sqlcheckoff == '') {
return $this->app->DB->real_escape_string($this->app->stringcleaner->CleanString($value, $rule));
if($rule === 'nohtml') { }
if( $sqlcheckoff == '') { return $this->app->stringcleaner->CleanString($value, $rule);
return $this->app->DB->real_escape_string(strip_tags($value)); }
}
if($rule === 'nohtml') {
return strip_tags($value); if( $sqlcheckoff == '') {
return $this->app->DB->real_escape_string(strip_tags($value));
} }
if($rule === 'nojs') {
if( $sqlcheckoff == '') { return strip_tags($value);
return $this->app->DB->real_escape_string($this->xss_clean($value));
} }
if($rule === 'nojs') {
return $this->xss_clean($value); if( $sqlcheckoff == '') {
} return $this->app->DB->real_escape_string($this->xss_clean($value));
}
if($rule=='' && $sqlcheckoff == '') {
return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value); return $this->xss_clean($value);
} }
if($rule=='' && $sqlcheckoff != '') {
return $value; if($rule=='' && $sqlcheckoff == '') {
} return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value);
}
// build complete regexp if($rule=='' && $sqlcheckoff != '') {
return $value;
// check if rule exists }
if($this->GetRegexp($rule)!=''){ // build complete regexp
//$v = '/^['.$this->GetRegexp($rule).']+$/';
$v = $this->GetRegexp($rule); // check if rule exists
if (preg_match_all('/'.$v.'/i', $value, $teffer) ) {
if($sqlcheckoff==''){ if($this->GetRegexp($rule)!=''){
return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value); //$v = '/^['.$this->GetRegexp($rule).']+$/';
} $v = $this->GetRegexp($rule);
if (preg_match_all('/'.$v.'/i', $value, $teffer) ) {
return $value; if($sqlcheckoff==''){
} return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value);
return ''; }
}
return $value;
echo "<table border=\"1\" width=\"100%\" bgcolor=\"#FFB6C1\"> }
<tr><td>Rule <b>$rule</b> doesn't exists!</td></tr></table>"; return '';
return ''; }
}
echo "<table border=\"1\" width=\"100%\" bgcolor=\"#FFB6C1\">
<tr><td>Rule <b>$rule</b> doesn't exists!</td></tr></table>";
function RuleCheck($value,$rule) return '';
{ }
$found = false;
if(!empty($this->app->stringcleaner)) {
$value_ = $this->app->stringcleaner->RuleCheck($value, $rule, $found); function RuleCheck($value,$rule)
if($found) { {
if($value_) { $found = false;
return true; if(!empty($this->app->stringcleaner)) {
} $value_ = $this->app->stringcleaner->RuleCheck($value, $rule, $found);
return false; if($found) {
} if($value_) {
} return true;
}
$v = $this->GetRegexp($rule); return false;
if (preg_match_all('/'.$v.'/i', $value, $teffer) ){ }
return true; }
}
$v = $this->GetRegexp($rule);
return false; if (preg_match_all('/'.$v.'/i', $value, $teffer) ){
} return true;
}
function AddRule($name,$type,$rule)
{ return false;
// type: reg = regular expression }
// type: glue ( already exists rules copy to new e.g. number+digit)
$this->rules[$name]=array('type'=>$type,'rule'=>$rule); function AddRule($name,$type,$rule)
} {
// type: reg = regular expression
// get complete regexp by rule name // type: glue ( already exists rules copy to new e.g. number+digit)
function GetRegexp($rule) $this->rules[$name]=array('type'=>$type,'rule'=>$rule);
{ }
$rules = explode('+',$rule);
$ret = ''; // get complete regexp by rule name
foreach($rules as $key) { function GetRegexp($rule)
// check if rule is last in glue string {
if($this->rules[$key]['type']==='glue') { $rules = explode('+',$rule);
$subrules = explode('+',$this->rules[$key]['rule']); $ret = '';
if(count($subrules)>0) { foreach($rules as $key) {
foreach($subrules as $subkey) { // check if rule is last in glue string
$ret .= $this->GetRegexp($subkey); if($this->rules[$key]['type']==='glue') {
} $subrules = explode('+',$this->rules[$key]['rule']);
} if(count($subrules)>0) {
} foreach($subrules as $subkey) {
elseif($this->rules[$key]['type']==='reg') { $ret .= $this->GetRegexp($subkey);
$ret .= $this->rules[$key]['rule']; }
} }
} }
if($ret==''){ elseif($this->rules[$key]['type']==='reg') {
$ret = 'none'; $ret .= $this->rules[$key]['rule'];
} }
return $ret; }
} if($ret==''){
$ret = 'none';
} }
return $ret;
}
}
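Review bot: In the rewritten GetPOSTArray and GetGETArray loops the raw request key is now stored unfiltered as `$ret[$key]`, whereas the old version at least ran the key through the alpha+digit+specialchars rule (though it looked up the value at that key instead of cleaning the key itself, which is presumably why keys "were not filled in"); only the value is cleaned via `GetPOST($key)`/`GetGET($key)`. If any caller uses the returned keys to build SQL identifiers, template placeholders or HTML, attacker-chosen key names now reach that sink without the escaping the values receive. I would whitelist the key before the lookup, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', (string) $key)) { continue; }`, which keeps the old rule's intent without the key/value mix-up. The `$value !== null` guard also appears to filter nothing visible here: `Syntax` returns `''` (not null) when a regex rule fails, and the StringCleaner path's return value is defined outside this file, so if the intent is to drop rejected fields the check should be against `''` or use `RuleCheck` on the raw value.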