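/**
 * Recursively normalises submitted data before it is stored. Strings are trimmed,
 * stripped of markup and handed to _cleanInput(); arrays are walked key by key and
 * the original keys are kept.
 *
 * This is input normalisation, not SQL protection: nothing here quotes or escapes a
 * value for a query, so database writes must still go through prepared statements /
 * parameter binding whether or not a value passed through this function.
 *
 * @author Alban Truc
 * @param array|string $data Value (or array of values) submitted by the client
 * @since 19/02/2014
 * @return array|mixed Cleaned value, or an array of cleaned values with the original keys
 */
function _sanitize($data)
{
    if (is_array($data)) {
        $clean_input = array();
        foreach ($data as $key => $value) {
            $clean_input[$key] = _sanitize($value);
        }
        return $clean_input;
    }

    // get_magic_quotes_gpc() was removed in PHP 8, so an unguarded call is a fatal
    // error there; on PHP 5.4+ it always reports false, so this branch is legacy-only.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $data = trim(stripslashes($data));
    }

    // strip_tags() removes markup outright rather than encoding it, so a value that must
    // keep a literal '<' or '>' (a password, for instance) is silently altered here.
    $data = trim(strip_tags($data));

    return _cleanInput($data);
}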
/**
 * Clean a POST value, or every leaf of a (possibly nested) POST array.
 *
 * Backslashes are removed unconditionally with stripslashes() before the value is
 * handed to _sanitize(), so a legitimate backslash in user input does not survive.
 * Array keys are preserved; nested arrays are processed recursively.
 *
 * @param mixed $post Single value or array of values from the request
 * @return mixed The cleaned value, or the array with every leaf cleaned
 */
function _post($post)
{
    if (!is_array($post)) {
        return _sanitize(stripslashes($post));
    }

    foreach ($post as $name => $value) {
        $post[$name] = is_array($value)
            ? _post($value)
            : _sanitize(stripslashes($value));
    }

    return $post;
}
// NOTE(review): this fragment starts inside a foreach whose head is not shown;
// $key and $value are that outer loop's variables.
if (is_array($value)) {
    // Flatten one level of nested POST arrays into "<key>_<subkey>" entries.
    foreach ($_POST[$key] as $postkey => $postvalue) {
        $_POST[$key . '_' . $postkey] = $postvalue;
    }
    unset($_POST[$key]);
}
}
/**
 * Clean all user submitted data of hack and SQL injection attempts
 */
// NOTE(review): the _sanitize() shown elsewhere on this page only trims, strips
// slashes/tags and calls _cleanInput(); it does not quote or escape values for SQL.
// Query code after this point still needs prepared statements / parameter binding.
if ($useSanitizer) {
    // NOTE(review): PHP_SELF is derived from the request URI (it can carry PATH_INFO),
    // so part of this include path is request-influenced; file_exists() limits the
    // effect, but building the path from __DIR__ would remove the dependency entirely.
    $getSanitizePath = $_SERVER['DOCUMENT_ROOT'] . str_replace('//', '/', dirname($_SERVER['PHP_SELF']) . '/inc.sanitize.php');
    if (file_exists($getSanitizePath)) {
        require_once $getSanitizePath;
        // Presumably inc.sanitize.php defines _sanitize(); every top-level POST entry is
        // rewritten in place (arrays are handled recursively by _sanitize itself).
        foreach ($_POST as $key => $value) {
            $_POST[$key] = _sanitize($value);
        }
    }
}
/**
 * 1. Convert all $_POST variables to a regular variable
 * 2. Checks all $_POSTs for URL type input
 * - will exit and not proceed if URL type input is found
 * NOTE1: REQUIRED, PLEASE DO NOT CHANGE ... NEEDED TO SET VARIABLES PROPERLY
 * NOTE2: Processing here because many of the settings can be altered by the form
 * NOTE3: Processing here because External Config will also alter settings (after the form)
 */
// NOTE(review): this loop body continues past the end of the visible fragment.
foreach ($_POST as $key => $value) {
    $key = strtolower($key);
    // Newlines become <br /> here, i.e. the value is pre-formatted for HTML output at
    // input time; any later escaping of the value would also encode these tags.
    $value = str_replace("\n", "<br />", $value);
    $hacked = false;
// NOTE(review): this fragment opens two blocks (this if and the one on $isAccountAdded)
// that close after the visible text; $state, $plan, $isAdmin, $geo and $firstname are
// assigned before it. `!= FALSE` is a truthiness test, so any non-falsy return passes.
if ($userManager->checkEmailAvailability($email) != FALSE) {
    $accountId = new MongoId();
    $userId = new MongoId();
    // Transform the password before storage.
    // NOTE(review): the helper is named encrypt(); if it is a reversible cipher rather
    // than a one-way hash (password_hash()/password_verify()), stored passwords are
    // recoverable by anyone holding the key and the database — confirm what it does.
    $password = $userManager->encrypt($password);
    //@link http://www.php.net/manual/en/class.mongodate.php
    $time = time();
    $end = $time + 30 * 24 * 60 * 60; // + 30 days
    // Account record
    $account = array('_id' => $accountId, 'state' => new MongoInt32($state), 'idUser' => $userId, 'idRefPlan' => new MongoId($plan), 'storage' => (int) 0, 'ratio' => (int) 0, 'startDate' => new MongoDate($time), 'endDate' => new MongoDate($end));
    $isAccountAdded = $accountManager->create($account);
    // If the account was added without problems, add the user; otherwise the user is not created
    if ($isAccountAdded == TRUE) {
        // User record
        // NOTE(review): $email and $geo are stored as received while the names go through
        // _sanitize(); the key is 'geolocation' here, whereas the edit path elsewhere on
        // this page writes 'geo' — one of the two field names looks wrong.
        $user = array('_id' => $userId, 'isAdmin' => $isAdmin, 'state' => new MongoInt32($state), 'idCurrentAccount' => $accountId, 'firstName' => _sanitize($firstname), 'lastName' => _sanitize($lastname), 'password' => $password, 'email' => $email, 'geolocation' => $geo, 'apiKey' => $userManager->generateGUID());
        $isUserAdded = $userManager->create($user);
        if ($isUserAdded != TRUE) {
            // Roll back the account insert
            $removeAccount = $accountManager->remove($account);
            // NOTE(review): the .= below assumes create() returns an array carrying an
            // 'error' key on failure; if it can return a plain false, the append would
            // operate on a bool — confirm against UserPdoManager::create().
            if ($removeAccount == TRUE) {
                $isUserAdded['error'] .= 'The account created for this user has been removed successfully.';
            } else {
                $isUserAdded['error'] .= 'The account created for this user has not been removed successfully: ' . $removeAccount;
            } // $removeAccount then holds the detail of the removal error
        } else {
            // NOTE(review): $firstname here is the raw submitted value (the stored copy
            // above is _sanitize'd) and it is wrapped in HTML; wherever addUserMessage is
            // echoed it must go through htmlspecialchars(), otherwise this is a stored XSS path.
            $message = 'User <strong>' . $firstname . '</strong> has been inserted in database';
            $_SESSION['addUserMessage'] = $message;
            // NOTE(review): no exit after header(); execution continues past the redirect.
            header('Location: ../pages/users.php');
        }
/**
 * Read the upload directory name sent alongside a file element.
 *
 * The request carries it base64-encoded under "<name>-dir". The decoded value is passed
 * through _sanitize(), which (as far as the visible implementation shows) trims and strips
 * tags/slashes but does not reject path separators or ".." segments — a caller that turns
 * the result into a filesystem path must still constrain it to the intended base directory.
 *
 * @param string $name The file element name
 * @return mixed The sanitised directory name, or '' when the parameter is absent
 */
public static function getDirFromRequest($name)
{
    $param = $name . '-dir';
    if (!isset($_REQUEST[$param])) {
        return '';
    }

    return _sanitize(base64_decode($_REQUEST[$param]));
}
}
// NOTE(review): $id, $startDate, $endDate, $plan, $firstname, $lastname, $password,
// $email and $geo are assigned before this fragment; nothing visible validates $id.
$userManager = new UserPdoManager();
$accountManager = new AccountPdoManager();
$planManager = new RefPlanPdoManager();
// $sDate = $userManager->formatMongoDate($startDate);
// $eDate = $userManager->formatMongoDate($endDate);
$account = $accountManager->findById($id); // fetch the account by id
// NOTE(review): if findById() can return null for an unknown id, the next line is a
// fatal method call on null — confirm its contract.
$user = $account->getUser(); // get the user id
$user = $userManager->findById($user); // then fetch the user record by id
$criteriaAccount = array('_id' => new MongoId($account->getId()));
$criteriaUser = array('_id' => new MongoId($user->getId()));
$updateFieldAccount = array('$set' => array('startDate' => new MongoDate($startDate), 'endDate' => new MongoDate($endDate), 'idRefPlan' => new MongoId(_sanitize($plan)), 'state' => new MongoInt32(1)));
// NOTE(review): 'password' is written after _sanitize() only; the creation path
// elsewhere on this page runs it through $userManager->encrypt() first. Unless hashing
// happens inside findAndModify(), this stores the password as submitted (and
// _sanitize's strip_tags()/trim() silently alters passwords containing '<' or spaces).
// The key is 'geo' here but 'geolocation' on the creation path — one of them looks wrong.
$updateFieldUser = array('$set' => array('firstName' => _sanitize($firstname), 'lastName' => _sanitize($lastname), 'password' => _sanitize($password), 'email' => _sanitize($email), 'geo' => _sanitize($geo), 'state' => new MongoInt32(1)));
$options = array('new' => true);
// var_dump($updateFieldAccount);
$editAccount = $accountManager->findAndModify($criteriaAccount, $updateFieldAccount, NULL, $options);
$editUser = $userManager->findAndModify($criteriaUser, $updateFieldUser, NULL, $options);
// var_dump($criteriaAccount);
// var_dump($criteriaUser);
// echo '</br>';
// echo '----------';
// var_dump($updateFieldAccount);
// var_dump($updateFieldUser);
// exit();
// Parses as $editAccount && ($editUser == TRUE); the inner array_key_exists() assumes
// findAndModify() returned an array — presumably an error-carrying array on failure.
// NOTE(review): both blocks continue past the end of the visible fragment.
if ($editAccount && $editUser == TRUE) {
    if (!array_key_exists('error', $editAccount)) {
        // NOTE(review): raw $firstname inside HTML; escape with htmlspecialchars()
        // wherever editUserMessage is echoed.
        $message = 'User' . ' <strong>' . $firstname . '</strong> ' . 'has been successfully modified';
        $_SESSION['editUserMessage'] = $message;
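/**
 * Assign data to template
 *
 * Note:
 *
 * - Variables are tagged with %name% in templates
 * - Variables provided by system by default:
 *   site_name, site_url, site_slogan, site_description, site_adminname, site_adminmail
 * - Caller-supplied $vars override the system value of the same name
 * - Substitution is a single pass: a substituted value that itself contains a
 *   %name% token is left as-is rather than expanded again (the previous iterative
 *   str_replace() loop re-expanded tokens smuggled in through an earlier value)
 * - Values are inserted verbatim; only the system values go through _sanitize(),
 *   so $vars must already be escaped for the template's output context
 *
 * @param string $content Template text containing %name% placeholders
 * @param array  $vars    name => value pairs to substitute
 * @return string Template with placeholders replaced
 */
public function assignTemplate($content, $vars = array())
{
    // Bind system variables; caller values win on key collision
    $systemVars = array(
        'site_adminmail'   => _sanitize(Pi::config('adminmail')),
        'site_adminname'   => _sanitize(Pi::config('adminname')),
        'site_name'        => _sanitize(Pi::config('sitename')),
        'site_slogan'      => _sanitize(Pi::config('slogan')),
        'site_description' => _sanitize(Pi::config('description')),
        'site_url'         => Pi::url('www', true),
    );
    $vars = array_merge($systemVars, $vars);

    // Build the %key% => value map and substitute in one pass so that a value
    // containing another placeholder cannot pull further variables into the output.
    $replacements = array();
    foreach ($vars as $key => $val) {
        $replacements['%' . $key . '%'] = $val;
    }

    return strtr($content, $replacements);
}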
// NOTE(review): $name is assigned before this fragment. The $_POST reads below are not
// guarded with isset(), so a request missing any of them raises a notice.
$firstName = $_POST['firstName'];
$email = $_POST['email'];
$password = $_POST['password'];
$passwordConfirmation = $_POST['passwordConfirmation'];
if (!empty($_POST['geolocation'])) {
    $geolocation = $_POST['geolocation'];
} else {
    $geolocation = 'Not specified';
}
// Check that the "name" field is not empty, same for "password"
// If they are not empty => start of the condition
// NOTE(review): `==` compares numeric-looking strings numerically ('1e3' == '1000' is
// true), so two different passwords can pass this check; `===` is the right test.
// Both blocks opened here continue past the end of the visible fragment.
if (!empty($name) && $password == $passwordConfirmation) {
    if (chk_crypt($_POST['code'])) {
        $userPdoManager = new UserPdoManager();
        /*$result = $userPdoManager->register($name, $firstName, $email, $password, $passwordConfirmation, $geolocation);*/
        // NOTE(review): _sanitize() applies trim()/strip_tags() to the password and its
        // confirmation, so a password containing '<' or edge spaces is registered in
        // altered form; the value a user later types may then not match.
        $result = $userPdoManager->register(_sanitize($name), _sanitize($firstName), _sanitize($email), _sanitize($password), _sanitize($passwordConfirmation), _sanitize($geolocation));
        //http://www.php.net/manual/en/function.array-key-exists.php
        if (!array_key_exists('error', $result)) {
            $registerOK = true;
            $_SESSION['validMessageRegister'] = $registerOK;
            // stay on the page
            // NOTE(review): unlike the error branch below there is no exit after this
            // header(), so the script keeps running after the redirect is sent; this
            // branch also uses an absolute path where the others use a relative one.
            header('Location:/Cubbyhole/view/register.php');
        } else {
            $_SESSION['errorMessageRegister'] = $result['error'];
            header('Location:../view/register.php');
            die;
        }
    } else {
        $errorCaptcha = 'Error, invalid captcha';
        $_SESSION['errorMessageCaptcha'] = $errorCaptcha;
        // NOTE(review): no exit after header() here either.
        header('Location:../view/register.php');