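/**
 * Recursively screen a request value against a blacklist of XSS markers.
 *
 * Arrays and objects are walked so nested form data is covered. Both keys and
 * values are checked, since both are attacker-controlled in $_REQUEST (the
 * original only looked at values). Scalars are matched against patterns for
 * "javascript:" URLs, CSS expression(), alert(), event-handler / data-source
 * attributes and a set of dangerous tags.
 *
 * This is a coarse, bypassable defense-in-depth measure only: a blacklist of
 * this kind cannot replace context-appropriate output escaping at render time.
 *
 * @param mixed $data  value from the request (string, other scalar, array or object)
 * @return int 1 if nothing suspicious was found, 0 otherwise
 */
function valid_input_data($data) {
    if (is_array($data) || is_object($data)) {
        /*
        ** Form data can contain a number of nested arrays; reject the whole
        ** structure as soon as any key or value fails.
        */
        foreach ($data as $key => $value) {
            if (!valid_input_data($key) || !valid_input_data($value)) {
                return 0;
            }
        }
        return 1;
    }

    /*
    ** Detect evil input data.
    **
    ** The word-boundary prefix is (?:^|\W) rather than the original \W so a
    ** payload at the very start of a value (e.g. "javascript:..." as the whole
    ** contents of a URL field) is caught as well; \W alone required a
    ** preceding character and let such values through.
    */
    static $patterns = array(
        // check strings:
        '/(?:^|\W)javascript\s*:/i',
        '/(?:^|\W)expression\s*\(/i',
        '/(?:^|\W)alert\s*\(/i',
        // check attributes:
        '/(?:^|\W)(dynsrc|datasrc|data|lowsrc|on[a-z]+)\s*=[^>]+?>/i',
        // check tags:
        '/<\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i',
    );

    // Non-string scalars (ints, bools, null) are matched as their string form,
    // which is what preg_match() did implicitly before.
    $subject = (string) $data;
    foreach ($patterns as $pattern) {
        $hit = preg_match($pattern, $subject);
        // preg_match() returns FALSE on a PCRE error (e.g. backtrack limit hit
        // on a crafted input). The original summed that FALSE as 0 and so
        // accepted the input; fail closed instead.
        if ($hit === FALSE || $hit > 0) {
            return 0;
        }
    }
    return 1;
}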
// Domain classes used by the request handlers that follow.
require_once "classes/field.php";
require_once "classes/person.php";
require_once "classes/league.php";
require_once "classes/team.php";
require_once "classes/game.php";
require_once "classes/slot.php";
require_once "classes/event.php";
require_once "classes/registration.php";
require_once "classes/registration_payment.php";
require_once "classes/formbuilder.php";
require_once "classes/session.php";
require_once "classes/spirit.php";
require_once "classes/field_report.php";
require_once "classes/note.php";
require_once "classes/season.php";

// Abort the request outright if anything in $_REQUEST trips the XSS blacklist
// in valid_input_data(). $_REQUEST merges GET, POST and (depending on the
// request_order / variables_order ini settings) cookie data, so all of those
// are screened here. This is a coarse, bypassable defense-in-depth check only;
// output escaping at render time is still required.
// NOTE(review): no HTTP status is set before die(), so the rejection
// presumably goes out with the default status rather than a 400 -- confirm
// whether callers/monitoring rely on distinguishing rejected requests.
if (!valid_input_data($_REQUEST)) {
    die("terminated request due to suspicious input data");
}

require_once "Handler.php";

// configure sessions
lr_configure_sessions();

/* TODO Hack! Session state is pushed straight into the template engine
 * rather than being exposed through a handler. */
$smarty->assign('session_valid', $lr_session->is_valid());
$smarty->assign('session_fullname', $lr_session->attr_get('fullname'));
$smarty->assign('session_userid', $lr_session->attr_get('user_id'));

// Headers have not been sent yet. 'global' has no effect at file scope, but
// matters if this script is ever included from inside a function.
global $headers_sent;
$headers_sent = 0;

/* Build menus */
menu_build();

// Dispatch on the requested path ('q'). The body of this branch continues
// past the end of this listing.
if (array_key_exists('q', $_GET)) {
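/**
 * Recursively screen a request value against a blacklist of XSS markers.
 *
 * Arrays and objects are walked so nested form data is covered, and both keys
 * and values are checked because both are attacker-controlled. Scalars are
 * entity-decoded first (so e.g. "&lt;script" is presumably seen as "<script")
 * and then matched against patterns for "javascript:" URLs, CSS expression(),
 * alert(), event-handler / data-source attributes and dangerous tags.
 *
 * This is a coarse, bypassable defense-in-depth measure only: a blacklist of
 * this kind cannot replace context-appropriate output escaping at render time.
 *
 * @param mixed $data  value from the request (string, other scalar, array or object)
 * @return bool TRUE if nothing suspicious was found, FALSE otherwise
 */
function valid_input_data($data) {
    if (is_array($data) || is_object($data)) {
        // Reject the whole structure as soon as any key or value fails.
        foreach ($data as $key => $value) {
            if (!valid_input_data($key) || !valid_input_data($value)) {
                return FALSE;
            }
        }
        return TRUE;
    }

    // Nothing to inspect; null was accepted by the original as well.
    if (!isset($data)) {
        return TRUE;
    }

    // Undo entity encoding of the characters the patterns below depend on so
    // an encoded payload cannot slip past them.
    // NOTE(review): $this is used inside a free function here, which fails at
    // runtime outside an object context, while the recursive calls above go to
    // the global function -- confirm whether decode_entities() is meant to be a
    // global helper or this function belongs in a class.
    $data = $this->decode_entities($data, array('<', '&', '"'));

    // The prefix is (?:^|\W) rather than the original \W so a payload at the
    // very start of a value (e.g. "javascript:..." as the whole contents of a
    // URL field) is caught; \W alone required a preceding character.
    static $patterns = array(
        '/(?:^|\W)javascript\s*:/i',
        '/(?:^|\W)expression\s*\(/i',
        '/(?:^|\W)alert\s*\(/i',
        '/(?:^|\W)(dynsrc|datasrc|data|lowsrc|on[a-z]+)\s*=[^>]+?>/i',
        '/<\s*(applet|script|object|style|embed|form|blink|meta|html|frame|iframe|layer|ilayer|head|frameset|xml)/i',
    );

    foreach ($patterns as $pattern) {
        $hit = preg_match($pattern, $data);
        // preg_match() returns FALSE on a PCRE error (e.g. backtrack limit hit
        // on a crafted input). The original summed that FALSE as 0 and so
        // accepted the input; fail closed instead.
        if ($hit === FALSE || $hit > 0) {
            return FALSE;
        }
    }
    return TRUE;
}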