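/**
 * clean user input
 * <br>
 * Reads one or more global variables by name (through a variable-variable,
 * so request data only reaches this function if it has already been
 * imported into the global scope, e.g. by register_globals) and strips a
 * deny-list of HTML tags from each value before returning it.
 *
 * The tag filter is a deny-list (SCRIPT, FRAME, OBJECT, META, APPLET, LINK,
 * IFRAME tags and STYLE="..." attributes) and is applied only when the
 * caller does not hold ACCESS_ADMIN, so admin-supplied values pass through
 * unfiltered. It is not a substitute for context-aware escaping at output
 * time.
 *
 * @param string $var name of the global variable to read
 * @param string ...  further variable names, each handled the same way
 * @return mixed the prepared value when exactly one name was passed in,
 *               otherwise an array of prepared values in argument order;
 *               a name that is not set yields NULL in its slot, and the
 *               function returns void as soon as an empty name is met
 */
function pnVarCleanFromInput()
{
    // Deny-list of tag / attribute patterns removed from non-admin input.
    $search = array('|</?\\s*SCRIPT.*?>|si', '|</?\\s*FRAME.*?>|si', '|</?\\s*OBJECT.*?>|si', '|</?\\s*META.*?>|si', '|</?\\s*APPLET.*?>|si', '|</?\\s*LINK.*?>|si', '|</?\\s*IFRAME.*?>|si', '|STYLE\\s*=\\s*"[^"]*"|si');
    // A single empty replacement: preg_replace reuses '' for every pattern
    // that has no replacement entry of its own.
    $replace = array('');
    $resarray = array();
    foreach (func_get_args() as $var) {
        // Reject an empty name before binding it as a global, so that a
        // bogus name never gets a global created for it.
        if (empty($var)) {
            return;
        }
        // Get var
        global ${$var};
        $ourvar = ${$var};
        if (!isset($ourvar)) {
            $resarray[] = NULL;
            continue;
        }
        // Empty values ('', '0', 0, array()) need no cleaning.
        if (empty($ourvar)) {
            $resarray[] = $ourvar;
            continue;
        }
        // Clean var: undo magic_quotes escaping first. pnStripslashes' return
        // value is ignored, so it presumably modifies $ourvar in place -
        // confirm against its definition.
        if (check_magic_quotes()) {
            pnStripslashes($ourvar);
        }
        // Only non-admin input is filtered.
        if (!pnSecAuthAction(0, '::', '::', ACCESS_ADMIN)) {
            // NOTE(review): preg_replace on an array subject handles one
            // level only; a nested array value (name[a][b]) would be
            // stringified. Confirm callers never pass such names.
            $ourvar = preg_replace($search, $replace, $ourvar);
        }
        // Add to result array
        $resarray[] = $ourvar;
    }
    // Return vars: a scalar for a single name, an array otherwise
    if (func_num_args() == 1) {
        return $resarray[0];
    }
    return $resarray;
}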
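/**
 * clean user input
 * <br />
 * Looks each named variable up in the request superglobals ($_REQUEST,
 * $_GET, $_POST, $_COOKIE, then $_FILES), undoes magic_quotes escaping and
 * strips a deny-list of HTML tags from the value before returning it.
 *
 * Values taken from $_FILES are returned untouched unless the name is one
 * of the always-cleaned names. The tag filter is a deny-list and is applied
 * only when the caller does not hold ACCESS_ADMIN; it is not a substitute
 * for context-aware escaping at output time.
 *
 * @param string $var name of the request variable to fetch
 * @param string ...  further variable names, each handled the same way
 * @return mixed the prepared value when exactly one name was passed in,
 *               otherwise an array of prepared values in argument order;
 *               a name present in no superglobal yields null in its slot,
 *               and the function returns void as soon as an empty name is met
 */
function pnVarCleanFromInput()
{
    // Deny-list of tag / attribute patterns removed from non-admin input
    $search = array('|</?\\s*SCRIPT.*?>|si', '|</?\\s*FRAME.*?>|si', '|</?\\s*OBJECT.*?>|si', '|</?\\s*META.*?>|si', '|</?\\s*APPLET.*?>|si', '|</?\\s*LINK.*?>|si', '|</?\\s*IFRAME.*?>|si', '|STYLE\\s*=\\s*"[^"]*"|si');
    // A single empty replacement: preg_replace reuses '' for every pattern
    // that has no replacement entry of its own
    $replace = array('');
    // Names that are cleaned even when they come from $_FILES; this avoids
    // the permission lookup for them (see the @note below)
    $alwaysclean = array('name', 'module', 'type', 'file', 'authid');
    // Cleaned values, in argument order
    $resarray = array();
    // magic_quotes_gpc was deprecated in PHP 7.4 and removed in 8.0, so the
    // call must be guarded or the function fatals on current PHP
    $magicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    foreach (func_get_args() as $var) {
        // An empty name aborts the whole call (void return)
        if (empty($var)) {
            return;
        }
        // Identify the correct place to get our variable from
        // and whether we should attempt to cleanse it.
        // $_REQUEST is consulted first; which of GET/POST/COOKIE wins inside
        // it follows the request_order/variables_order ini settings, so the
        // precedence is not fixed by this code.
        $cleanse = false;
        switch (true) {
            case isset($_REQUEST[$var]) && !isset($_FILES[$var]):
                // Use $_REQUEST only if the name is not also in $_FILES,
                // since php < 4.30 includes $_FILES in $_REQUEST
                $ourvar = $_REQUEST[$var];
                $cleanse = true;
                break;
            case isset($_GET[$var]):
                $ourvar = $_GET[$var];
                $cleanse = true;
                break;
            case isset($_POST[$var]):
                $ourvar = $_POST[$var];
                $cleanse = true;
                break;
            case isset($_COOKIE[$var]):
                $ourvar = $_COOKIE[$var];
                $cleanse = true;
                break;
            case isset($_FILES[$var]):
                // Upload metadata is left untouched unless always-cleaned
                $ourvar = $_FILES[$var];
                break;
            default:
                $ourvar = null;
                break;
        }
        // Strict comparison: the names are plain strings
        if (in_array($var, $alwaysclean, true)) {
            $cleanse = true;
        }
        if ($cleanse) {
            // If magic_quotes_gpc is on strip out the slashes. pnStripslashes'
            // return value is ignored, so it presumably modifies $ourvar in
            // place - confirm against its definition.
            if ($magicQuotes) {
                pnStripslashes($ourvar);
            }
            // If at least ADMIN access level is not held, clean the variable.
            // @note: Since no security parameters have been passed to this
            // the variables will always be cleaned.
            // @note: some vars will always be cleaned so as not to trigger
            // a security check (requires 3 sql queries to build permissions
            // map).
            if (!pnSecAuthAction(0, '.*', '.*', ACCESS_ADMIN)) {
                // NOTE(review): preg_replace on an array subject handles one
                // level only; a nested array value (name[a][b]) would be
                // stringified. Confirm callers never pass such names.
                $ourvar = preg_replace($search, $replace, $ourvar);
            }
        }
        // Add the (possibly cleaned) var to the return array
        $resarray[] = $ourvar;
    }
    // A single name returns its value directly, several names an array
    if (func_num_args() == 1) {
        return $resarray[0];
    }
    return $resarray;
}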