[Noalyss-commit] [noalyss] 09/19: Security : direct access to GLOBALS
From: |
Dany De Bontridder |
Subject: |
[Noalyss-commit] [noalyss] 09/19: Security : direct access to GLOBALS |
Date: |
Mon, 9 Sep 2019 13:54:59 -0400 (EDT) |
sparkyx pushed a commit to branch master
in repository noalyss.
commit 2a46b2cd6ed63f092eddbed6c35a104795c799b0
Author: Dany De Bontridder <address@hidden>
Date: Sun Sep 8 15:42:09 2019 +0200
Security : direct access to GLOBALS
---
include/adm.inc.php | 6 +++---
include/bank.inc.php | 13 +++++++------
include/contact.inc.php | 23 ++++++++++++-----------
include/customer.inc.php | 13 +++++++------
include/manager.inc.php | 14 +++++++-------
include/supplier.inc.php | 12 +++++++-----
6 files changed, 43 insertions(+), 38 deletions(-)
diff --git a/include/adm.inc.php b/include/adm.inc.php
index 8165a74..7d0a478 100644
--- a/include/adm.inc.php
+++ b/include/adm.inc.php
@@ -74,7 +74,7 @@ if ( $low_action == "list" )
<?php
echo '<h2>' . "Exercice " . $g_user->get_exercice() . '</h2>';
echo dossier::hidden();
- $a=(isset($_GET['query']))?$_GET['query']:"";
+ $a=$http->get("query","string","");
echo _("Cherche ").HtmlInput::filter_table_form("tiers_tb", '0,1,2',
1,"query",$a);
echo HtmlInput::request_to_hidden(array('ac'));
@@ -85,7 +85,7 @@ if ( $low_action == "list" )
$sel_card->value=$cn->make_array('select fd_id, fd_label from
fiche_def '.
' where frd_id=$1 '.
' order by fd_label
',1,array(FICHE_TYPE_ADM_TAX));
- $sel_card->selected=(isset($_GET['cat']))?$_GET['cat']:-1;
+ $sel_card->selected=$http->get("cat","number",-1);
$sel_card->javascript=' onchange="submit(this);"';
echo _('Catégorie :').$sel_card->input();
} else
@@ -108,7 +108,7 @@ if ( $low_action == "list" )
$cat=$http->request("cat","number",-1);
if ( $cat != -1)
{
- $sql=sprintf(" and fd_id = %d",$_GET['cat']);
+ $sql=sprintf(" and fd_id = %d",$cat);
}
echo '<div class="content">';
diff --git a/include/bank.inc.php b/include/bank.inc.php
index cf2ae7a..6fd15dd 100644
--- a/include/bank.inc.php
+++ b/include/bank.inc.php
@@ -49,7 +49,7 @@ if ( isset($_POST['delete_card'] ) )
return;
}
- $f_id=$_REQUEST['f_id'];
+ $f_id = $http->request('f_id','number');
$fiche=new Bank($cn,$f_id);
$fiche->remove();
@@ -70,7 +70,7 @@ if ( $low_action == "list" )
<?php
echo dossier::hidden();
echo '<h2>' ._( "Exercice")." " . $g_user->get_exercice() . '</h2>';
- $a=(isset($_GET['query']))?$_GET['query']:"";
+ $a=$http->get("query","string","");
echo _("Cherche ").HtmlInput::filter_table_form("tiers_tb", '0,1,2',
1,"query",$a);
$choice_cat=$http->request("choice_cat", "string",1);
@@ -81,7 +81,7 @@ if ( $low_action == "list" )
$sel_card->value=$cn->make_array('select fd_id, fd_label from
fiche_def '.
' where frd_id=$1'.
' order by fd_label
',1,array(FICHE_TYPE_FIN));
- $sel_card->selected=(isset($_GET['cat']))?$_GET['cat']:-1;
+ $sel_card->selected=$http->get("cat","number",-1);
$sel_card->javascript=' onchange="submit(this);"';
echo _('Catégorie :').$sel_card->input();
}
@@ -102,11 +102,12 @@ if ( $low_action == "list" )
</div>
<?php
$supplier=new Bank($cn);
- $search=(isset($_GET['query']))?$_GET['query']:"";
+ $search=$http->get("query","string","");
$sql="";
if ( isset($_GET['cat']))
-{
- if ( $_GET['cat'] != -1) $sql=sprintf(" and fd_id = %d",$_GET['cat']);
+ {
+ $cat=$http->get("cat","number");
+ if ($cat!= -1 ) $sql = sprintf(" and fd_id = %s", $cat);
}
$noop=(isset($_GET['noop']))?false:true;
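Review bot: The format specifier in `$sql = sprintf(" and fd_id = %s", $cat);` changes from `%d` to `%s`, so the value spliced into the SQL fragment is no longer coerced to an integer and the safety of the query now rests entirely on what `$http->get("cat","number")` guarantees, which this diff does not show. Keeping the integer conversion costs nothing and preserves the previous defence-in-depth: `if ($cat != -1) $sql = sprintf(" and fd_id = %d", $cat);`. The same `%d` to `%s` change is made in contact.inc.php, customer.inc.php, manager.inc.php and supplier.inc.php, while adm.inc.php keeps `%d`; a bound parameter on the query that consumes `$sql` would be the proper fix, but that query lies outside the hunk, as does the start of the enclosing `if ( $low_action == "list" )` block.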
diff --git a/include/contact.inc.php b/include/contact.inc.php
index 9caea62..06f76b5 100644
--- a/include/contact.inc.php
+++ b/include/contact.inc.php
@@ -27,7 +27,7 @@ require_once NOALYSS_INCLUDE.'/class/contact.class.php';
require_once NOALYSS_INCLUDE.'/lib/ibutton.class.php';
require_once NOALYSS_INCLUDE.'/class/fiche_def.class.php';
-
+$http=new HttpInput();
$low_action = (isset($_REQUEST['sb'])) ? $_REQUEST['sb'] : "list";
/** \file
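Review bot: The line right after the new `$http=new HttpInput();` still reads `$_REQUEST['sb']` directly, which is exactly the access pattern this commit sets out to remove; now that the helper is in scope it could read `$low_action = $http->request('sb', 'string', 'list');`. This is a context line rather than part of the change, so it may be deferred, but it is the obvious leftover in this hunk.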
@@ -54,7 +54,7 @@ if (isset($_POST['action_fiche']))
return;
}
- $f_id = $_REQUEST['f_id'];
+ $f_id = $http->request('f_id','number');
$fiche = new Contact($cn, $f_id);
$fiche->remove();
@@ -91,30 +91,31 @@ if ($low_action == "list")
where
ad_id='.ATTR_DEF_COMPANY. " and frd_id=
".FICHE_TYPE_CONTACT.
' order by 1', 1);
- $sl_company->selected = (isset($_GET['sel_company'])) ?
$_GET['sel_company'] : '';
+ $sl_company->selected = $http->get("sel_company","string","");
echo _('Société :') . $sl_company->input();
?>
<input type="submit" class="button" name="submit_query"
value="<?php echo _('recherche')?>">
- <input type="hidden" name="ac" value="<?php echo
$_REQUEST['ac']?>">
+ <input type="hidden" name="ac" value="<?php echo
$http->request('ac')?>">
</form>
</div>
<?php
$client = new contact($cn);
- $search = (isset($_GET['query'])) ? $_GET['query'] : "";
+ $search =$http->get("query","string","");
$sql = "";
if (isset($_GET['cat']))
{
- if ($_GET['cat'] != -1)
- $sql = sprintf(" and fd_id = %d", $_GET['cat']);
+ $cat=$http->get("cat","number");
+ if ($cat!= -1 ) $sql = sprintf(" and fd_id = %s", $cat);
}
if (isset($_GET['sel_company']))
{
- if ($_GET['sel_company'] != '' && $_GET['sel_company'] != -1)
- {
+ $sel_company=$http->get("sel_company");
+ if ($sel_company != '' && $sel_company != "-1")
+ {
- $client->company=$_GET['sel_company'];
- }
+ $client->company=$sel_company;
+ }
}
echo '<div class="content">';
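Review bot: `$sel_company=$http->get("sel_company");` is the only `HttpInput` call in this commit made without a type argument, although the same parameter is read a few lines earlier in this hunk as `$http->get("sel_company","string","")`; what an untyped `get()` validates, or returns when the parameter is absent, is not visible here, so use the same form: `$sel_company = $http->get("sel_company", "string", "");`. The comparison that follows still uses loose `!=`, which on numeric-looking strings such as `"-1"` compares numerically (`"-1.0"` and `"-01"` both count as equal); `!==` would state the intent. Separately, the hidden `ac` input now echoes `$http->request('ac')` straight into an HTML attribute, and unless `request()` escapes on return (not shown in the diff) it should be wrapped in `htmlspecialchars(..., ENT_QUOTES)`; the same pattern appears in customer.inc.php, manager.inc.php and supplier.inc.php. The enclosing `if ($low_action == "list")` block starts before this hunk.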
diff --git a/include/customer.inc.php b/include/customer.inc.php
index 239cfd5..0bbc7c5 100644
--- a/include/customer.inc.php
+++ b/include/customer.inc.php
@@ -74,7 +74,7 @@ if ($low_action == "list")
<form method="get" action="<?php echo $href;?>">
<?php
echo '<h2>' . "Exercice " . $g_user->get_exercice() . '</h2>';
- $a=(isset($_GET['query']))?$_GET['query']:"";
+ $a=$http->get("query","string","");
echo _("Cherche ").HtmlInput::filter_table_form("tiers_tb",
'0,1,2', 1,"query",$a);
$choice_cat=$http->request("choice_cat", "",1);
@@ -85,7 +85,7 @@ if ($low_action == "list")
$sel_card->value=$cn->make_array('select fd_id, fd_label from
fiche_def '.
' where
frd_id='.FICHE_TYPE_CLIENT.
' order by fd_label ',1);
- $sel_card->selected=(isset($_GET['cat']))?$_GET['cat']:-1;
+ $sel_card->selected=$http->get("cat","number",-1);
$sel_card->javascript=' onchange="submit(this);"';
echo _('Catégorie :').$sel_card->input();
} else
@@ -101,17 +101,18 @@ if ($low_action == "list")
echo _('Inclure les clients sans opération :') .
$nooperation->input();
?>
<input type="submit" class="button" name="submit_query"
value="<?php echo _('recherche')?>">
- <input type="hidden" name="ac" value="<?php echo
$_REQUEST['ac']?>">
+ <input type="hidden" name="ac" value="<?php echo
$http->request('ac')?>">
</form>
</div>
<?php
$client = new Customer($cn);
- $search = (isset($_GET['query'])) ? $_GET['query'] : "";
+ $search=$http->get("query","string","");
$sql = "";
if (isset($_GET['cat']))
{
- if ($_GET['cat'] != -1)
- $sql = sprintf(" and fd_id = %d", $_GET['cat']);
+ $cat=$http->get("cat","number");
+ if ($cat!= -1)
+ $sql = sprintf(" and fd_id = %s", $cat);
}
$noop = (isset($_GET['noop'])) ? false : true;
echo '<div class="content">';
diff --git a/include/manager.inc.php b/include/manager.inc.php
index 5d4775b..83c336b 100644
--- a/include/manager.inc.php
+++ b/include/manager.inc.php
@@ -57,7 +57,7 @@ if (isset($_POST['action_fiche']))
return;
}
- $f_id = $_REQUEST['f_id'];
+ $f_id = $http->request('f_id','number');
$fiche = new Manager($cn, $f_id);
$fiche->remove();
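Review bot: `$f_id = $http->request('f_id','number');` depends on `$http` existing in manager.inc.php, but unlike contact.inc.php, where this commit adds `$http=new HttpInput();` near the top of the file, none of manager.inc.php's hunks shows an instantiation or a context line that already uses it; if the variable is not created earlier in the file, this line and the later `$http->get` calls would fail at runtime. Worth confirming before merge, and the same check applies to supplier.inc.php, whereas adm, bank and customer already use `$http` in context lines. The enclosing `if (isset($_POST['action_fiche']))` block starts before this hunk.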
@@ -77,7 +77,7 @@ if ($low_action == "list")
<?php
echo '<h2>' . "Exercice " . $g_user->get_exercice() . '</h2>';
echo dossier::hidden();
- $a = (isset($_GET['query'])) ? $_GET['query'] : "";
+ $a=$http->get("query","string","");
echo _("Cherche ").HtmlInput::filter_table_form("tiers_tb",
'0,1,2', 1,"query",$a);
echo HtmlInput::request_to_hidden(array('ac'));
@@ -88,7 +88,7 @@ if ($low_action == "list")
$sel_card->value = $cn->make_array('select fd_id, fd_label
from fiche_def ' .
' where frd_id=' . FICHE_TYPE_EMPL .
' order by fd_label ', 1);
- $sel_card->selected = (isset($_GET['cat'])) ? $_GET['cat']
: -1;
+ $sel_card->selected=$http->get("cat","number",-1);
$sel_card->javascript = ' onchange="submit(this);"';
echo _('Catégorie :') . $sel_card->input();
}
@@ -103,17 +103,17 @@ if ($low_action == "list")
echo _('Inclure les employés sans opération :') .
$nooperation->input();
?>
<input type="submit" class="button" name="submit_query"
value="<?php echo _('recherche') ?>">
- <input type="hidden" name="ac" value="<?php echo
$_REQUEST['ac'] ?>">
+ <input type="hidden" name="ac" value="<?php
echo$http->request('ac') ?>">
</form>
</div>
<?php
$supplier = new Manager($cn);
- $search = (isset($_GET['query'])) ? $_GET['query'] : "";
+ $search=$http->get("query","string","");
$sql = "";
if (isset($_GET['cat']))
{
- if ($_GET['cat'] != -1)
- $sql = sprintf(" and fd_id = %d", $_GET['cat']);
+ $cat=$http->get("cat","number");
+ if ($cat!= -1 ) $sql = sprintf(" and fd_id = %s", $cat);
}
$noop = (isset($_GET['noop'])) ? false : true;
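Review bot: The hidden-input line is written `<?php echo$http->request('ac') ?>` with no whitespace between `echo` and the variable; PHP tokenises it, but it reads as a typo next to the other four files, which keep `echo $http->request('ac')`, so `<?php echo $http->request('ac') ?>` would be the consistent form, unless the missing space is a line-wrapping artefact of the mail. The enclosing `if ($low_action == "list")` block starts before this hunk.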
diff --git a/include/supplier.inc.php b/include/supplier.inc.php
index 7fe2099..acbd673 100644
--- a/include/supplier.inc.php
+++ b/include/supplier.inc.php
@@ -87,7 +87,7 @@ if ( $low_action == "list" )
$sel_card->value=$cn->make_array('select fd_id, fd_label from
fiche_def '.
' where
frd_id='.FICHE_TYPE_FOURNISSEUR.
' order by fd_label ',1);
- $sel_card->selected=(isset($_GET['cat']))?$_GET['cat']:-1;
+ $sel_card->selected=$http->get("cat","number",-1);
$sel_card->javascript=' onchange="submit(this);"';
echo _('Catégorie :').$sel_card->input();
} else
@@ -102,16 +102,18 @@ if ( $low_action == "list" )
?>
<input type="submit" class="button" name="submit_query" value="<?php echo
_('recherche')?>">
- <input type="hidden" name="ac"
value="<?php echo $_REQUEST['ac']?>">
+ <input type="hidden" name="ac"
value="<?php echo $http->request('ac')?>">
</form>
</div>
<?php
$supplier=new Supplier($cn);
$search=(isset($_GET['query']))?$_GET['query']:"";
$sql="";
- if ( isset($_GET['cat']))
-{
- if ( $_GET['cat'] != -1) $sql=sprintf(" and fd_id = %d",$_GET['cat']);
+ if (isset($_GET['cat']))
+ {
+ $cat=$http->get("cat","number");
+ if ($cat!= -1)
+ $sql = sprintf(" and fd_id = %s", $cat);
}
$noop=(isset($_GET['noop']))?false:true;
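Review bot: `$search=(isset($_GET['query']))?$_GET['query']:"";` is left untouched in this hunk even though the commit converts the identical line in the five other files, so supplier.inc.php still reads the search term straight from `$_GET`; for consistency with the commit's goal it should become `$search=$http->get("query","string","");`. The `isset($_GET['cat'])` guard that survives in every file is a smaller instance of the same leftover. The enclosing `if ( $low_action == "list" )` block starts before this hunk.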