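function anti_injection($user, $pass, $ip)
{
    // Validate a login pair before it reaches the database.
    //
    // Contract (unchanged): returns array('user' => ..., 'pass' => ...) when
    // both values are acceptable, NULL when either is rejected.
    //
    // What changed and why (review):
    //  * The old checks used preg_match("/[a-zA-Z0-9]+/i"), which is
    //    unanchored: it only required ONE letter or digit somewhere, so
    //    "' or '1'='1'" was accepted and then "cleaned" by deleting
    //    substrings from a keyword blacklist. A blacklist does not make SQL
    //    safe (case, encoding and comment variants get past it), and the
    //    deletion silently corrupted legitimate credentials: "password"
    //    became "passwd", "victor" became "vict".
    //  * The regex is now anchored, which is what the original comment
    //    ("an alphanumerical string devoid of any special characters")
    //    claimed. Input is trim()med as before, then anything that is not
    //    entirely [A-Za-z0-9] fails closed. With no quote, comment or
    //    operator characters left there is nothing for a blacklist to do,
    //    so it is gone.
    //  * The password is returned as typed (no lowercasing, no stripping).
    //    NOTE(review): hashes stored from the old mangled/lowercased value
    //    will no longer match — plan a migration or forced reset.
    //  * This is input validation only, i.e. defence in depth. The query
    //    that consumes the result MUST still be a prepared/parameterised
    //    statement; validation here is not a substitute.
    //
    // $ip is kept for signature compatibility and is not used here.
    $allowed = '/^[A-Za-z0-9]+$/';

    if (!is_string($user) || !is_string($pass)) {
        return null;
    }

    $user = trim($user);
    $pass = trim($pass);

    if (!preg_match($allowed, $user) || !preg_match($allowed, $pass)) {
        return null;
    }

    return array(
        // Lowercased as before so existing case-insensitive lookups behave the same.
        'user' => strtolower($user),
        'pass' => $pass,
    );
}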
 /**
  * Yii validation rule: the referenced purchase order (numdocref) must exist
  * and must not be in a state that makes it unusable.
  *
  * The order is looked up by numcot through a bound parameter — the value is
  * trimmed but otherwise passed as data, never interpolated into the
  * condition string. An error is added on 'numdocref' when no row comes
  * back, or when the first row's codestado is one of the blocked
  * ESTADO_OC_* states.
  *
  * @param string $attribute attribute being validated (passed by Yii, unused)
  * @param array  $params    rule parameters (unused)
  */
 public function validacompra($attribute, $params)
 {
     $blockedStates = array(ESTADO_OC_CREADA, ESTADO_OC_PREVIO, ESTADO_OC_MODIFICADA, ESTADO_OC_ANULADA);
     $condition = "numcot=:voi";
     $rows = Ocompra::model()->findAll($condition, array(":voi" => trim($this->numdocref)));

     if (count($rows) === 0) {
         $this->adderror('numdocref', 'Esta orden de compra no existe');
         return;
     }

     // Only the first matching row decides; a duplicated numcot is not detected here.
     $state = $rows[0]->codestado;
     // Loose comparison kept on purpose: codestado may come back as a string
     // while the constants may be ints — confirm types before tightening.
     if (in_array($state, $blockedStates)) {
         $this->adderror('numdocref', 'La Orden de Compra no tiene el status adecuado ');
     }
 }
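function anti_injection($user, $pass, $ip)
{
    // Whitelist-validate a login pair before it is used in a query.
    //
    // Contract (unchanged): returns array('user' => ..., 'pass' => ...) when
    // both values are acceptable, NULL otherwise (the original fell off the
    // end of the function on rejection, which is also NULL).
    //
    // Review: the previous version was a keyword blacklist. Its preg_match()
    // was unanchored, so any input containing a single letter or digit
    // passed, and the str_replace() pass then deleted substrings such as
    // "or", "as" and "desc" from whatever was typed — "password" came out as
    // "passwd" — while encoded or mixed-case payloads still got through.
    // A blacklist is not a SQL-injection control; a parameterised query is.
    // This version trim()s as before, then accepts only values made
    // entirely of [A-Za-z0-9] and fails closed on anything else.
    //
    // The username is lowercased as before; the password is returned as
    // typed. NOTE(review): hashes stored from the old mangled/lowercased
    // password value will no longer match — plan a migration or forced reset.
    //
    // $ip: kept for signature compatibility. The original carried a
    // commented-out lockout here that inserted $ip into TB_IPBLOCK through
    // the global $db and printed a warning page; if that is wanted, hook it
    // in at the rejection point below (it needs `global $db` restored).
    $pattern = '/^[A-Za-z0-9]+$/';
    $fields = array('user' => $user, 'pass' => $pass);

    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            return null;
        }
        $value = trim($value);
        if (!preg_match($pattern, $value)) {
            // Rejection point: record/block $ip here if the lockout is reinstated.
            return null;
        }
        $fields[$name] = $value;
    }

    $fields['user'] = strtolower($fields['user']);
    return $fields;
}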
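 /**
  * Collect every outer-HTML fragment for $htmltag from $html, in document order.
  *
  * For the "self-closing" names in $selfend (img, br) a fragment runs from
  * '<tag' to the next '/>'; for any other name it runs from '<tag' to the
  * next '</tag>'. $html is taken by reference and is left holding whatever
  * followed the last fragment cut out (unchanged from the original).
  *
  * Fixes versus the original:
  *  - returns array() instead of an undefined variable (null) when the tag
  *    does not occur;
  *  - stops when the closing marker is missing, instead of treating the
  *    strpos() false as 0 and emitting a garbage slice of strlen($to) bytes;
  *  - in_array() is strict, so a non-string $htmltag cannot match loosely.
  *
  * Limitations that still apply (this is substring matching, not parsing):
  * '<' . $htmltag also matches longer names ('<b' hits '<body', '<br' hits
  * '<break'); matching is case-sensitive ('<A ...>' is not seen); a
  * self-closing tag written without '/>' ('<br>') is not terminated until a
  * later '/>'. Do not use this as an HTML sanitiser — the fragments returned
  * are the raw input, and whoever wrote the input controls what sits
  * between the markers.
  *
  * @param string &$html   HTML to scan; advanced past the last fragment taken
  * @param string $htmltag tag name without angle brackets
  * @return array          list of outer-HTML strings (empty when none)
  */
 public function get_htmltag_outerText(&$html, $htmltag)
 {
     $selfend = array('img', 'br');
     $from = '<' . $htmltag;
     $to = in_array($htmltag, $selfend, true) ? '/>' : '</' . $htmltag . '>';
     $toLen = strlen($to);
     $tagouterText = array();

     $strleft = strstr($html, $from);
     while ($strleft !== false && $strleft !== '') {
         $topos = strpos($strleft, $to);
         if ($topos === false) {
             // Opening marker with no closing marker: nothing more to take.
             break;
         }
         $end = $topos + $toLen;
         $tagouterText[] = substr($strleft, 0, $end);
         $html = substr($strleft, $end);
         $strleft = strstr($html, $from);
     }

     return $tagouterText;
 }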
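// Poll endpoint: emit the caller's five oldest unread messages as JSON, after
// carrying medal counts over (100 bronze -> 1 silver, 100 silver -> 1 gold).
//
// Review notes:
//  - USER::VERIFY(0, TRUE) presumably authenticates the request and returns
//    the user row (confirm); m_to comes from that row, not from the request,
//    so a caller cannot read another user's inbox. Every query goes through
//    MYSQL::QUERY with bound parameters — keep it that way.
//  - Carry-over now uses integer division, so 250 bronze becomes 2 silver
//    plus 50 bronze; the original `% 100` followed by `++` dropped every
//    hundred beyond the first. For 100..199 the result is unchanged.
//  - The system-sender list is built once instead of once per message, and
//    the in_array() check is strict: an integer m_from (e.g. 0) can no
//    longer loosely equal a sender name on PHP < 8.
//  - m_message and m_from_avatar are emitted as-is inside the JSON; the
//    client must escape them for HTML. No Content-Type is set here — add
//    `header('Content-Type: application/json');` if this file is the whole
//    response.
$user = USER::VERIFY(0, TRUE);
$params = array($user['user_id'], 0);
$b = MYSQL::QUERY('SELECT * FROM core_messages WHERE m_to = ? AND m_read = ? ORDER BY m_sent ASC LIMIT 5', $params);

if ($user['bronze_medals'] >= 100 || $user['silver_medals'] >= 100) {
    if ($user['bronze_medals'] >= 100) {
        // Every full hundred bronze is one silver; the remainder stays bronze.
        $user['silver_medals'] += (int) ($user['bronze_medals'] / 100);
        $user['bronze_medals'] = $user['bronze_medals'] % 100;
    }
    if ($user['silver_medals'] >= 100) {
        $user['gold_medals'] += (int) ($user['silver_medals'] / 100);
        $user['silver_medals'] = $user['silver_medals'] % 100;
    }
    MYSQL::QUERY('UPDATE core_users SET gold_medals=?,silver_medals=?,bronze_medals=? WHERE user_id=? LIMIT 1', array($user['gold_medals'], $user['silver_medals'], $user['bronze_medals'], $user['user_id']));
}

// Senders whose notifications are consumed on delivery rather than kept.
$systemSenders = array("Price Request", "Price Response", "LeaderBoard Reward", "Achievement Earned", "Purge");
$medals = array("gold" => $user['gold_medals'], "silver" => $user['silver_medals'], "bronze" => $user['bronze_medals']);

if (!empty($b)) {
    $message = array("NA" => "message", "messages" => array()) + $medals;
    foreach ($b as $m) {
        $message['messages'][] = array(
            "from" => $m['m_from'],
            "message" => $m['m_message'],
            "avatar" => $m['m_from_avatar'],
            "time" => date("h:i A M,d", strtotime($m['m_sent'])),
        );
        if (in_array($m['m_from'], $systemSenders, true)) {
            MYSQL::QUERY('DELETE FROM core_messages WHERE m_id = ? LIMIT 1', array($m['m_id']));
        } else {
            MYSQL::QUERY('UPDATE core_messages SET m_read = ? WHERE m_id = ? LIMIT 1', array(1, $m['m_id']));
        }
    }
    echo json_encode($message);
} else {
    echo json_encode(array("NA" => "false", "messages" => array()) + $medals);
}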