[Noalyss-commit] [noalyss] 05/27: Security : avoid direct call to Http V
From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 05/27: Security : avoid direct call to Http Variable
Date: Wed, 4 Sep 2019 15:24:52 -0400 (EDT)
sparkyx pushed a commit to branch master
in repository noalyss.
commit 4a637a0e87c9d9b847aaea285695d1ba102771fa
Author: Dany De Bontridder <address@hidden>
Date: Tue Aug 27 18:53:31 2019 +0200
Security : avoid direct call to Http Variable
---
include/history_operation.inc.php | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/include/history_operation.inc.php
b/include/history_operation.inc.php
index 3a0ceb7..420a324 100644
--- a/include/history_operation.inc.php
+++ b/include/history_operation.inc.php
@@ -142,13 +142,16 @@ $r = HtmlInput::get_to_hidden(array('search_opnb_jrn',
'search_opr_jrn'));
if (isset($_GET['r_jrn']))
{
- foreach ($_GET['r_jrn'] as $k => $v)
- $r.=HtmlInput::hidden('r_jrn[' . $k . ']', $v);
+ $a_rjn=$http->get('r_jrn','array');
+ foreach ($a_rjn as $k => $v) {
+ if (isNumber($v)) $r.=HtmlInput::hidden('r_jrn[' . $k . ']', $v);
+ }
}
if (isset($_GET['search_opr_jrn']))
{
- foreach ($_GET['search_opr_jrn'] as $k => $v)
- $r.=HtmlInput::hidden('r_jrn[' . $k . ']', $v);
+ $a_search_opr_jrn=$http->get('search_opr_jrn','array');
+ foreach ($a_search_opr_jrn as $k => $v)
+ if (isNumber($v)) $r.=HtmlInput::hidden('r_jrn[' . $k . ']', $v);
}
echo $r;
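Review bot: In both loops only the value `$v` is checked with `isNumber()`; the key `$k` also comes from the request and is still concatenated unchecked into the field name `'r_jrn[' . $k . ']'`. Whether `HtmlInput::hidden` escapes the name is not visible in this hunk, so validate `$k` the same way as `$v`, or rebuild the field names without the caller-supplied key. The surrounding `isset($_GET['r_jrn'])` and `isset($_GET['search_opr_jrn'])` guards still read `$_GET` directly, which the commit subject says to avoid, and a non-array value for either parameter now depends on how `$http->get(..., 'array')` reacts to it. Minor: `$a_rjn` looks like a typo for `$a_r_jrn`, and the first loop uses braces while the second does not.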
@@ -164,13 +167,13 @@ $r = HtmlInput::get_to_hidden(array('l',
'date_paid_start','date_paid_end',
'accounting', 'unpaid', 'gDossier', 'ledger_type', 'p_action'));
if (isset($_GET['search_opr_jrn']))
{
- foreach ($_GET['search_opr_jrn'] as $k => $v)
- $r.=HtmlInput::hidden('r_jrn[' . $k . ']', $v);
+ foreach ($a_search_opr_jrn as $k => $v)
+ if (isNumber($v)) $r.=HtmlInput::hidden('r_jrn[' . $k . ']', $v);
}
if (isset($_GET['r_jrn']))
{
- foreach ($_GET['r_jrn'] as $k => $v)
- $r.=HtmlInput::hidden('r_jrn[' . $k . ']', $v);
+ foreach ($a_rjn as $k => $v)
+ if (isNumber($v)) $r.=HtmlInput::hidden('r_jrn[' . $k . ']', $v);
}
echo '<form action="export.php" method="get">';
echo $r;
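Review bot: The two loops in this hunk read `$a_search_opr_jrn` and `$a_rjn`, which are assigned only inside the `if (isset(...))` blocks of the previous hunk (around line 142). If this export form can be reached on a path where that earlier block did not run, both variables are undefined when the `foreach` executes. Fetch the two arrays once, unconditionally, before either form is built, or repeat the `$http->get(..., 'array')` calls here. As in the first hunk, the key `$k` is not validated and the guards still test `$_GET` directly.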