static function checkForScript($value) {
    // [FIXME] replace this function with a sanitization method applied on
    // request data: the htmlpurifier project if HTML has to be displayed,
    // htmlspecialchars for plain text. Until then the attempt is only logged
    // and the script is stopped.
    //
    // NOTE(review): the raw $value is interpolated into the security log
    // message; if that log is rendered in a browser or fed to tooling, escape
    // it at that point.
    // NOTE(review): log_security() is called with two arguments (source,
    // message) elsewhere in this code base — confirm the one-argument form
    // used here matches its signature.
    $markupChars = array('<', '>', '(', ')');
    foreach ($markupChars as $char) {
        if (csa($value, $char)) {
            log_security("XSS attempt: {$value}");
            exit;
        }
    }
    if (csa($value, "'")) {
        log_security("SQL injection attempt: {$value}");
        exit;
    }
}
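/**
 * Login Customer
 *
 * Compares the submitted password with the one held by the posted UserDBO.
 * On a match the account must be of type "Client"; it is then stored in the
 * session and the page moves on to the cart. Every other outcome sets an
 * error on the page and returns.
 *
 * Reads $this->post['user'] (a UserDBO) and $this->post['password'].
 */
function login() {
    // Strict string comparison. The previous "==" was a loose comparison: it
    // treats numeric-looking strings as numbers ("1e3" == "1000") and a
    // missing posted password (null) as equal to an empty stored one.
    // hash_equals() is the constant-time alternative where it is available.
    $postedPassword = isset($this->post['password']) ? $this->post['password'] : null;
    $storedPassword = (string) $this->post['user']->getPassword();
    if (is_string($postedPassword) && $postedPassword === $storedPassword) {
        // Only customers are allowed to login to the order form
        if ($this->post['user']->getType() !== "Client") {
            $this->setError(array("type" => "[ONLY_CUSTOMERS_CAN_LOGIN]"));
            return;
        }
        // Login success: issue a fresh session id before the session gains
        // authenticated state, so an id handed out before login is not kept.
        // Guarded because session_regenerate_id() warns without an active
        // session; confirm this does not conflict with a custom session handler.
        if (session_id() !== '') {
            session_regenerate_id(true);
        }
        $_SESSION['client']['userdbo'] = $this->post['user'];
        // NOTE(review): "******" looks like a redaction of the username
        // expression in this copy of the source; restore it from the original.
        log_notice("CustomerLoginPage::login()", "User: "******" logged in.");
        $this->gotoPage("cart");
    } else {
        // Login failure
        log_security("CustomerLoginPage::login()", "Password Incorrect.");
        $this->setError(array("type" => "[LOGIN_FAILED]"));
    }
}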
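/**
 * Login
 *
 * Validate the login. Store the UserDBO in the session if OK, or display an error
 * if the login failed.
 *
 * Reads $this->post['username'], $this->post['password'] and, optionally,
 * $this->post['theme']. Only accounts of type "Administrator" or
 * "Account Manager" may log in here.
 *
 * @throws SWUserException "[LOGIN_FAILED]" when the user is unknown, the
 *                         password does not match, or the account type is
 *                         not one of the permitted ones.
 */
function login() {
    try {
        $user_dbo = load_UserDBO($this->post['username']);
        // Strict string comparison. The previous "==" was a loose comparison:
        // numeric-looking strings compare as numbers ("1e3" == "1000") and a
        // missing posted password (null) equals an empty stored one.
        // hash_equals() is the constant-time alternative where available.
        $postedPassword = isset($this->post['password']) ? $this->post['password'] : null;
        $passwordMatches = is_string($postedPassword)
            && $postedPassword === (string) $user_dbo->getPassword();
        $typeAllowed = in_array(
            $user_dbo->getType(),
            array("Administrator", "Account Manager"),
            true
        );
        if ($passwordMatches && $typeAllowed) {
            // Login success
            if (isset($this->post['theme'])) {
                $user_dbo->setTheme($this->post['theme']);
            }
            // Issue a fresh session id before the session gains authenticated
            // state, so an id handed out before login is not kept. Guarded
            // because session_regenerate_id() warns without an active session;
            // confirm this does not conflict with a custom session handler.
            if (session_id() !== '') {
                session_regenerate_id(true);
            }
            $_SESSION['client']['userdbo'] = $user_dbo;
            // The username expression in this log line was unreadable in this
            // copy of the source ("******"); the submitted username is the
            // value load_UserDBO() resolved above.
            log_notice("Login", "User: " . $this->post['username'] . " logged in");
            $_SESSION['jsFunction'] = "reloadMenu()";
            $this->gotoPage("home");
            // Explicit return: if gotoPage() does not terminate the script, the
            // successful login must not fall through to the failure path below.
            return;
        }
    } catch (DBNoRowsFoundException $e) {
        // Unknown user: deliberately handled by the same failure path as a bad
        // password, so both cases end in the same [LOGIN_FAILED] exception.
    }
    // Login failure
    log_security("Login", "Login failed for " . $this->post['username']);
    throw new SWUserException("[LOGIN_FAILED]");
}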