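/**
 * Coarse XSS tripwire for request input: reports whether a value, or any
 * value nested inside an array, contains a tag-like "<...>" token.
 *
 * Scalars are urldecode()d once more before matching. Applied to $_GET, which
 * PHP has already decoded, this means a second layer of %-encoding
 * (e.g. "%253Cscript%253E" arriving as "%3Cscript%3E") is inspected as well.
 * Double quotes and backslash-escaped single quotes are stripped before the
 * match; the original gives no reason for this -- NOTE(review): presumably a
 * magic_quotes-era leftover, confirm before relying on it.
 *
 * Limits follow directly from the pattern "<[^<>]+>": only a complete "<...>"
 * with at least one character between the brackets is flagged. An
 * unterminated "<", an empty "<>", attribute-context payloads such as
 * `" onerror=...`, or "javascript:" URLs are not. This is a denylist
 * heuristic, not a substitute for context-appropriate output escaping
 * (htmlspecialchars etc.) at the sink.
 *
 * @param string|array $check_url Scalar value, or an arbitrarily nested array of values.
 * @return bool true if the value (or any nested value) looks like it carries a tag.
 */
function stripget($check_url) {
    if (is_array($check_url)) {
        // One offending entry anywhere in the structure taints the whole thing.
        foreach ($check_url as $value) {
            if (stripget($value) === true) {
                return true;
            }
        }
        return false;
    }

    $decoded = urldecode($check_url);
    $stripped = str_replace(array("\"", "\\'"), array("", ""), $decoded);

    // preg_match() returns 1 (match), 0 (clean) or FALSE on a PCRE error such
    // as the backtrack limit. Fail closed: only an explicit 0 counts as clean,
    // so an engine error can never let a value through as "safe".
    return preg_match("/<[^<>]+>/i", $stripped) !== 0;
}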
| This program is released as free software under the | Affero GPL license. You can redistribute it and/or | modify it under the terms of this license which you | can read by viewing the included agpl.txt or online | at www.gnu.org/licenses/agpl.html. Removal of this | copyright header is strictly prohibited without | written permission from the original author(s). +--------------------------------------------------------*/ if (preg_match("/maincore.php/i", $_SERVER['PHP_SELF'])) { die; } define("IN_FUSION", TRUE); use PHPFusion\Authenticate; require __DIR__ . '/includes/core_resources_include.php'; // Prevent any possible XSS attacks via $_GET. if (stripget($_GET)) { die("Prevented a XSS attack through a GET variable!"); } // Establish mySQL database connection dbconnect($db_host, $db_user, $db_pass, $db_name); unset($db_host, $db_user, $db_pass); // Fetch the settings from the database $settings = fusion_get_settings(); if (empty($settings)) { die("Settings do not exist, please check your config.php file or run install/index-php again."); } // Settings dependent functions date_default_timezone_set($settings['default_timezone']); ini_set('session.gc_probability', 1); ini_set('session.gc_divisor', 100); // Session lifetime. After this time stored data will be seen as 'garbage' and cleaned up by the garbage collection process.
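/**
 * Prevent any possible XSS attacks via $_GET -- more precisely: flag any
 * scalar (or any scalar nested in an array) that contains a tag-like "<...>"
 * token after one extra round of URL decoding.
 *
 * The extra urldecode() on top of PHP's own decoding of $_GET means a
 * double-encoded payload ("%253Cscript%253E") is caught too. Double quotes
 * and backslash-escaped single quotes are removed before matching; the
 * purpose is not documented here -- NOTE(review): looks like a magic_quotes
 * leftover, confirm.
 *
 * Coverage is exactly what "<[^<>]+>" matches: a complete "<...>" with at
 * least one character inside. Unterminated "<", empty "<>", attribute
 * breakouts (`" onmouseover=...`) and "javascript:" URLs pass. Keep escaping
 * output at the sink; this check is defence in depth only.
 *
 * @param string|array $check_url Value or nested array of values to inspect.
 * @return boolean TRUE if the URL is not secure (a tag-like token was found,
 *                 or the regex engine failed and the value could not be vetted).
 */
function stripget($check_url) {
    if (!is_array($check_url)) {
        $candidate = str_replace(array("\"", "\\'"), array("", ""), urldecode($check_url));
        $match = preg_match("/<[^<>]+>/i", $candidate);
        // 1 = tag found, 0 = clean, FALSE = PCRE error. Only a clean 0 is
        // allowed through; an engine error must not be mistaken for "safe".
        return $match !== 0;
    }
    foreach ($check_url as $value) {
        if (stripget($value)) {
            return TRUE;
        }
    }
    return FALSE;
}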