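/**
 * Performs value sanitation.
 *
 * Sanitizes a value with a given filter.
 * Valid values for $filter are all PHP defined FILTER_SANITIZE_* constants or a string value.
 * If $filter is one of those constants, $filter_options apply as in PHP documentation.
 * See http://www.php.net/manual/en/filter.filters.sanitize.php for details on that.
 * If $filter is a string see code below for details.
 * Mentionable here:
 * - 'array': Will treat value as an array. You may provide filter_options to
 *   be a string (like 'int') defining a type for all array elements or
 *   to be an array that should contain the same keys (count and name) as the
 *   value and each filter_option[key] value defines another type.
 *   Sample: $filter='array', $filter_options=array('int','bool','string')
 *   Elements without a matching filter_options key are left unfiltered (with a warning).
 * - 'object': Will treat the value as object and simply return it if it is one.
 *   May also be a string defining the storage_id of an object in object store.
 *   In that case restore_object($value) will be returned.
 *   NOTE(review): if $value comes from a request, the client chooses which stored object is
 *   restored; callers must still check the returned object's type and ownership.
 * - 'email': the address is run through FILTER_SANITIZE_EMAIL and then matched against a
 *   strict pattern. An address failing the pattern is replaced by '' when $filter_options is
 *   null or false; for any other $filter_options the (invalid) address is returned as-is.
 *
 * Another note: sanitize will fill the log with messages severity WARN if something unexpected
 * happens. This is especially the case when default values are returned for invalid inputs.
 * So have an eye on the logs!
 *
 * @param mixed $value The value to be sanitized
 * @param string|int $filter Type of filter
 * @param mixed $filter_options Optional options for the filter
 * @return mixed The sanitized value
 */
public static function sanitize($value, $filter, $filter_options = null)
{
    if (!is_string($filter)) {
        // Numeric filter id: hand straight over to PHP's filter extension
        return filter_var($value, $filter, $filter_options);
    }

    $filter = strtoupper($filter);
    switch ($filter) {
        case 'STRING':
        case 'TEXT':
        case 'STRIPPED':
        case 'VARCHAR':
            // FILTER_SANITIZE_STRING strips tags and encodes quotes; it is deprecated since
            // PHP 8.1 but kept here because existing callers rely on exactly this behaviour.
            return filter_var($value, FILTER_SANITIZE_STRING);

        case 'URL':
        case 'URI':
            return filter_var($value, FILTER_SANITIZE_URL);

        case 'MAIL':
        case 'EMAIL':
            $value = filter_var($value, FILTER_SANITIZE_EMAIL);
            if (!preg_match("/^[a-zA-Z0-9,!#\$%&'\\*\\+\\/=\\?\\^_`\\{\\|}~-]+(\\.[a-zA-Z0-9,!#\$%&'\\*\\+\\/=\\?\\^_`\\{\\|}~-]+)*@[a-zA-Z0-9-]+(\\.[a-z0-9-]+)*\\.([a-zA-Z]{2,})\$/", $value)) {
                // Fix: this used to read `$filter_options = false` (an assignment), so passing
                // false explicitly never reached the empty-string fallback and the invalid
                // address was returned unchanged.
                if (is_null($filter_options) || $filter_options === false) {
                    log_warn("Invalid eMail address '{$value}'. Retuning empty string");
                    return "";
                }
            }
            return $value;

        case 'INT':
        case 'INTEGER':
            // Accept only values whose integer round-trip reproduces the original text
            if (intval($value) . "" == "{$value}") {
                return intval($value);
            }
            log_warn("Value '{$value}' is no valid '{$filter}'. Returning 0");
            return 0;

        case 'BOOL':
        case 'BOOLEAN':
            if (is_string($value)) {
                // Only '', '0' and 'false' (any case) count as false for strings
                return !($value == '' || $value == '0' || strtolower($value) == "false");
            }
            return $value == true;

        case 'FLOAT':
        case 'DOUBLE':
            // Strings are parsed culture-aware when a CultureInfo is available
            if (is_string($value) && !is_null(self::$_ci)) {
                return self::$_ci->NumberFormat->StrToNumber($value);
            }
            log_warn("No CultureInfo specified for '{$filter}'. Returning doubleval({$value})");
            return doubleval($value);

        case 'CURRENCY':
            if (is_string($value) && !is_null(self::$_ci)) {
                return self::$_ci->CurrencyFormat->StrToCurrencyValue($value);
            }
            log_warn("No CultureInfo specified for '{$filter}'. Returning doubleval({$value})");
            return doubleval($value);

        case 'ARRAY':
            if (!is_array($value)) {
                log_warn("Value is no array. Returning empty array");
                return array();
            }
            if (is_string($filter_options)) {
                // One filter name for every element
                foreach ($value as $k => $v) {
                    $value[$k] = self::sanitize($v, "{$filter_options}");
                }
                return $value;
            }
            if (is_array($filter_options)) {
                // Per-key filter names; keys without a filter stay untouched
                foreach ($value as $k => $v) {
                    if (isset($filter_options[$k])) {
                        $value[$k] = self::sanitize($v, $filter_options[$k] . '');
                    } else {
                        log_warn("Array elements filter not given for key '{$k}'. Leaving value unfiltered");
                    }
                }
                return $value;
            }
            // No (usable) element filter given: array is returned as-is
            return $value;

        case 'OBJECT':
            if (is_string($value) && in_object_storage($value)) {
                return restore_object($value);
            }
            if (is_object($value)) {
                return $value;
            }
            log_warn("Value is not an object nor in session storage. Returning NULL");
            return null;
    }

    log_warn("Unknown filter '{$filter}'. Returning unsanitized value '{$value}'");
    return $value;
}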
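/**
 * Tries to set up a category for a logged in user.
 *
 * Checks the object store for an object with id $object_storage_id
 * that contains a field $fieldname. Then adds content of that field as category to all loggers.
 * Nothing happens when the object is missing or the field is absent/empty.
 *
 * Note: This will NOT extend the logger with information as logging_extend_logger does!
 * NOTE(review): the field value is passed to logging_add_category() unchanged; if it is
 * user-controlled (e.g. a username), confirm the logger escapes it.
 * @param string $object_storage_id Storage ID of the object to check for
 * @param string $fieldname Name of field/property to use as category ('name' will use $obj->name as category)
 * @return void
 */
function logging_set_user($object_storage_id = 'user', $fieldname = 'username')
{
    // Fix: both parameters were previously ignored in favour of the hard-coded
    // 'user' / 'username', contradicting the documented contract.
    if (!in_object_storage($object_storage_id)) {
        return;
    }
    $lu = restore_object($object_storage_id);
    // Only a non-empty field value becomes a category
    if ($lu && isset($lu->$fieldname) && $lu->$fieldname) {
        logging_add_category($lu->$fieldname);
    }
}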
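/**
 * Instantiates the previously chosen controller
 *
 * Checks what is requested: an object from the object-store, or a controller via classname, and loads/instantiates it.
 * Will also die in AJAX requests when something weird is called or throw an exception if in normal mode.
 *
 * $controller_id originates from the request path and is therefore untrusted. A class name is
 * checked against the allowed controller types (Renderable/WdfResource for AJAX, ICallable
 * otherwise) BEFORE it is constructed, so the constructor of an unrelated (autoloadable)
 * class never runs on a request-supplied name. Restored objects are checked as instances.
 * @param mixed $controller_id Whatever system_parse_request_path() returned
 * @return ICallable Fresh Instance of whatever is needed
 */
function system_instanciate_controller($controller_id)
{
    if (in_object_storage($controller_id)) {
        $res = restore_object($controller_id);
    } elseif (class_exists($controller_id)) {
        // class_exists() may autoload the class; verify the NAME before `new` so that
        // no side-effecting constructor runs for a disallowed type
        system_check_controller_type($controller_id, $controller_id);
        $res = new $controller_id();
    } else {
        WdfException::Raise("ACCESS DENIED: Unknown controller '{$controller_id}'");
    }
    // Restored objects (and, as a second line of defence, fresh instances) are checked as instances
    system_check_controller_type($res, $controller_id);
    return $res;
}

/**
 * Ensures a controller candidate is of an allowed type for the current request mode.
 *
 * In AJAX requests only Renderable or WdfResource are accepted and anything else ends the
 * request with "__SESSION_TIMEOUT__"; in normal mode only ICallable is accepted and anything
 * else raises a WdfException.
 * @param object|string $subject Instance or class name to check
 * @param mixed $controller_id Id used in the error messages
 * @return void
 */
function system_check_controller_type($subject, $controller_id)
{
    if (system_is_ajax_call()) {
        // is_a() with allow_string accepts both objects and class names here
        if (!is_a($subject, 'Renderable', true) && !is_a($subject, 'WdfResource', true)) {
            log_fatal("ACCESS DENIED: {$controller_id} is no Renderable");
            die("__SESSION_TIMEOUT__");
        }
    } elseif (!is_a($subject, 'ICallable', true)) {
        WdfException::Raise("ACCESS DENIED: {$controller_id} is no ICallable");
    }
}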
/**
 * Checks a given array for data for this and updates another array accordingly
 *
 * This is kind of internal, so will not be documented further. Only that it ensures typed data in the $args argument
 * from the $data argument. We will most likely clean this procedure up in the future.
 *
 * Flow: the request value is looked up under $this->Name (case-insensitively if
 * $CONFIG['requestparam']['ignore_case'] is set), falling back to the next entry of
 * $GLOBALS['routing_args'], then to $this->Default. It is then converted according to
 * $this->Type and written to $args[$this->Name].
 *
 * Note: this is a method (uses $this); the enclosing class is not visible here.
 * @param array $data Combined request data
 * @param array $args resulting typed values
 * @return boolean|string true if everything went fine, an error string if not
 */
function UpdateArgs($data, &$args)
{
    global $CONFIG;
    if ($CONFIG['requestparam']['ignore_case']) {
        // $data is a by-value copy, so lowercasing its keys does not affect the caller
        $name = strtolower($this->Name);
        foreach ($data as $k => $v) {
            unset($data[$k]);
            $data[strtolower($k)] = $v;
        }
    } else {
        $name = $this->Name;
    }
    // A parameter missing from $data consumes the next positional routing argument
    if (isset($GLOBALS['routing_args']) && count($GLOBALS['routing_args']) > 0 && !isset($data[$name])) {
        $data[$name] = array_shift($GLOBALS['routing_args']);
    }
    if (!isset($data[$name])) {
        if (!is_null($this->Default)) {
            $args[$this->Name] = $this->Default;
            return true;
        }
        $args[$this->Name] = null;
        return 'missing';
    }
    // Culture detection runs once per request and is cached in a global
    if (!isset($GLOBALS['request_param_detected_ci'])) {
        if (isset($CONFIG['requestparam']['ci_detection_func']) && function_exists($CONFIG['requestparam']['ci_detection_func'])) {
            $GLOBALS['request_param_detected_ci'] = $CONFIG['requestparam']['ci_detection_func']();
        } else {
            $GLOBALS['request_param_detected_ci'] = Localization::detectCulture();
        }
    }
    $ci = $GLOBALS['request_param_detected_ci'];
    if (!is_null($this->Type)) {
        switch (strtolower($this->Type)) {
            case 'object':
                // The object storage id comes straight from the request.
                // NOTE(review): confirm that restore_object()/the caller checks the
                // restored object's type and ownership.
                if (!in_object_storage($data[$name])) {
                    return 'object not found';
                }
                $args[$this->Name] = restore_object($data[$name]);
                return true;
            case 'array':
            case 'file':
                // Copied as-is, no per-element filtering; a non-array value leaves $args
                // untouched but still reports success
                if (isset($data[$name]) && is_array($data[$name])) {
                    $args[$this->Name] = $data[$name];
                }
                return true;
            case 'string':
            case 'text':
                // Filtered only when a filter is configured on this parameter;
                // otherwise the raw request value is passed through
                if ($this->Filter) {
                    $args[$this->Name] = filter_var($data[$name], $this->Filter, FILTER_FLAG_NO_ENCODE_QUOTES);
                } else {
                    $args[$this->Name] = $data[$name];
                }
                return true;
            case 'email':
                // Sanitized only (characters removed), not validated as an address
                $args[$this->Name] = filter_var($data[$name], FILTER_SANITIZE_EMAIL);
                return true;
            case 'url':
            case 'uri':
                $args[$this->Name] = filter_var($data[$name], FILTER_SANITIZE_URL);
                return true;
            case 'int':
            case 'integer':
                // Loose (!=) round-trip check: the integer must reproduce the original text
                if (intval($data[$name]) . "" != $data[$name]) {
                    // if( floatval($data[$name])."" != $data[$name] )
                    return 'invalid int value';
                }
                $args[$this->Name] = intval($data[$name]);
                return true;
            case 'float':
            case 'double':
            case 'currency':
                // An empty optional number falls back to the default
                if ($data[$name] . "" == "" && $this->IsOptional()) {
                    $data[$name] = $this->Default;
                    $args[$this->Name] = $this->Default;
                    return true;
                }
                // if( isset($CONFIG['localization']['float_conversion']) )
                //     $data[$name] = call_user_func($CONFIG['localization']['float_conversion'],$data[$name]);
                // else if( !is_float(floatval($data[$name])) )
                //     $data[$name] = false;
                // Culture-aware parsing; both parsers are expected to return false on failure
                if (strtolower($this->Type) == 'currency') {
                    $data[$name] = $ci->CurrencyFormat->StrToCurrencyValue($data[$name]);
                } else {
                    $data[$name] = $ci->NumberFormat->StrToNumber($data[$name]);
                }
                if ($data[$name] === false) {
                    return 'invalid float value';
                } else {
                    $args[$this->Name] = $data[$name];
                }
                return true;
            case 'bool':
            case 'boolean':
                // Only '', '0' and 'false' (any case) are false; everything else is true.
                // NOTE(review): strtolower() on a non-string (e.g. an array value) is not
                // handled here — confirm callers never send arrays for bool parameters.
                if ($data[$name] == '' || $data[$name] == '0' || strtolower($data[$name]) == "false") {
                    $args[$this->Name] = false;
                } else {
                    $args[$this->Name] = true;
                }
                return true;
        }
        return 'wrong type';
    }
    // Untyped parameter: raw request value
    $args[$this->Name] = $data[$name];
    return true;
}