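/**
 * Clean the passed parameter so that it matches the requested PARAM_* type.
 *
 * Arrays are cleaned element by element (keys are kept as-is). Scalars are
 * coerced or filtered according to $type; the unknown-type and invalid-email
 * branches render an error page and terminate the request.
 *
 * Review notes on the individual types:
 *  - PARAM_TEXT / PARAM_HTML call stripslashes() on the raw value, which
 *    silently removes legitimate backslashes from input (a magic_quotes-era
 *    habit). Left in place because callers may rely on it; verify before
 *    removing.
 *  - PARAM_HTML is only as safe as clean_text(); nothing else is applied.
 *  - PARAM_PATH removes control characters, shell/HTML-significant
 *    characters, any run of two or more dots and redundant "/./" segments,
 *    but a leading "/" is NOT stripped: an absolute path passes through.
 *    Callers must anchor the result under their own base directory.
 *  - PARAM_PATH previously used ereg_replace(), which was removed in PHP 7
 *    (the branch would fatal). Replaced with equivalent preg_replace() calls.
 *  - PARAM_BOOLTEXT previously compared with "==", so numeric strings such as
 *    "00", "1.0" or "1e0" were accepted as booleans. Comparison is now exact.
 *
 * @param mixed $param the variable we are cleaning (scalar or array of scalars)
 * @param int   $type  expected format of param after cleaning (a PARAM_* constant)
 * @return mixed the cleaned value, same shape as $param
 */
function clean_param($param, $type) {
    global $CFG, $ERROR, $HUB_FLM;

    // Recurse into arrays, cleaning every element to the same type.
    if (is_array($param)) {
        $cleaned = array();
        foreach ($param as $key => $value) {
            $cleaned[$key] = clean_param($value, $type);
        }
        return $cleaned;
    }

    switch ($type) {
        case PARAM_TEXT:
            // Leave only the tags needed for multilang support.
            // Numeric values carry no markup, so they are returned untouched.
            if (is_numeric($param)) {
                return $param;
            }
            $param = stripslashes($param);
            $param = clean_text($param);
            $param = strip_tags($param, '<lang><span>');
            // Entity-encode characters that survive strip_tags() but are still
            // significant in attribute / script contexts.
            // NOTE(review): in the copy reviewed these replacement literals had
            // been rendered back to the bare character (e.g. '+' => '+');
            // the entities below are the evident intent -- confirm against
            // the original source.
            $param = strtr($param, array(
                '+'  => '&#43;',
                '('  => '&#40;',
                ')'  => '&#41;',
                '='  => '&#61;',
                '"'  => '&quot;',
                '\'' => '&#39;',
            ));
            return $param;

        case PARAM_HTML:
            // Keep as HTML; the only filtering is whatever clean_text() does.
            $param = stripslashes($param);
            $param = clean_text($param);
            return trim($param);

        case PARAM_INT:
            // Non-numeric input becomes 0; leading digits are kept ("12abc" -> 12).
            return (int) $param;

        case PARAM_NUMBER:
            return (double) $param;

        case PARAM_ALPHA:
            // Remove everything not a-z / A-Z.
            return preg_replace('/[^a-zA-Z]/', '', $param);

        case PARAM_ALPHANUM:
            // Remove everything not a-z / A-Z / 0-9.
            return preg_replace('/[^A-Za-z0-9]/', '', $param);

        case PARAM_ALPHAEXT:
            // Remove everything not a-z / A-Z / "/" / "_" / "-".
            return preg_replace('/[^a-zA-Z\/_-]/', '', $param);

        case PARAM_ALPHANUMEXT:
            // Remove everything not a-z / A-Z / 0-9 / "-".
            return preg_replace('/[^a-zA-Z0-9-]/', '', $param);

        case PARAM_BOOL:
            // Convert to 1 or 0. Recognised words win; anything else falls
            // back to PHP truthiness (so "0", "" and null become 0).
            $flag = strtolower((string) $param);
            if (in_array($flag, array('on', 'yes', 'true'), true)) {
                return 1;
            }
            if (in_array($flag, array('off', 'no', 'false'), true)) {
                return 0;
            }
            return empty($param) ? 0 : 1;

        case PARAM_BOOLTEXT:
            // Accept only an exact (case-insensitive) boolean word or "0"/"1";
            // the original text is returned unchanged, otherwise "".
            $flag = strtolower((string) $param);
            $allowed = array('on', 'yes', 'true', 'off', 'no', 'false', '0', '1');
            return in_array($flag, $allowed, true) ? $param : '';

        case PARAM_PATH:
            // Strip all suspicious characters from a file path. The order
            // matters: control characters are removed BEFORE the dot-run
            // removal so that ".\0." cannot re-form ".." afterwards.
            $param = str_replace('\\\'', '\'', $param);
            $param = str_replace('\\"', '"', $param);
            $param = str_replace('\\', '/', $param);
            // Control characters plus < > " ` \ | ' :
            $param = preg_replace('/[[:cntrl:]<>"`\\\\|\':]/', '', $param);
            // Any run of two or more dots (".." traversal segments).
            $param = preg_replace('/\.\.+/', '', $param);
            // Collapse repeated slashes.
            $param = preg_replace('#//+#', '/', $param);
            // Collapse "/./" (and "/././...") to a single "/".
            return preg_replace('#/(?:\./)+#', '/', $param);

        case PARAM_URL:
            // Allow only URLs the project validator accepts (judging by the
            // flag names: without printing errors or connecting to the URL).
            include_once $CFG->dirAddress . 'core/lib/url-validation.class.php';
            $URLValidator = new mrsnk_URL_validation($param, MRSNK_URL_DO_NOT_PRINT_ERRORS, MRSNK_URL_DO_NOT_CONNECT_2_URL);
            if (empty($param) || !$URLValidator->isValid()) {
                $param = ''; // not a URL we accept
            }
            return $param;

        case PARAM_EMAIL:
            if (validEmail($param)) {
                return $param;
            }
            // Invalid e-mail is fatal for the request: render the error page and stop.
            $ERROR = new error();
            $ERROR->createInvalidEmailError();
            include_once $HUB_FLM->getCodeDirPath("core/formaterror.php");
            die;

        case PARAM_XML:
            return parseFromXML($param);

        default:
            // Unknown PARAM_* type: render the error page and stop.
            include_once $HUB_FLM->getCodeDirPath("core/formaterror.php");
            $ERROR = new error();
            $ERROR->createInvalidParameterError($type);
            die;
    }
}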