
[Noalyss-commit] [noalyss] 04/04: Security ; remove direct access to glo


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 04/04: Security ; remove direct access to global http variable
Date: Tue, 17 Sep 2019 12:31:00 -0400 (EDT)

sparkyx pushed a commit to branch master
in repository noalyss.

commit b674242c82b58d52f79930030b6861f894dd0405
Author: Dany De Bontridder <address@hidden>
Date:   Mon Sep 16 17:46:25 2019 +0200

    Security ; remove direct access to global http variable
---
 include/category_card.inc.php     |  2 +-
 include/lettering.gestion.inc.php | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/include/category_card.inc.php b/include/category_card.inc.php
index ce26bc1..42f0e2f 100644
--- a/include/category_card.inc.php
+++ b/include/category_card.inc.php
@@ -140,7 +140,7 @@ if ($ss_action=='cn')
     echo '<div class="content">';
 
     echo dossier::hidden();
-    $f=new Fiche($cn, $_REQUEST['f_id']);
+    $f=new Fiche($cn, $http->request('f_id','number'));
     $contact=new Contact($cn);
     $contact->company=$f->get_quick_code();
     echo $contact->summary("");
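Review bot: `$http` is called on the new line (`$http->request('f_id','number')`) but nothing in this hunk creates it, whereas the second file in this same commit has to add `$http=new HttpInput();` before its first use. If category_card.inc.php does not already have `$http` in scope (not visible from this hunk), this line now fails with a method call on null instead of reading the id; confirm, and if needed add `$http=new HttpInput();` just before the `Fiche` construction. The enclosing `if ($ss_action=='cn')` block starts and ends outside the hunk.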
diff --git a/include/lettering.gestion.inc.php 
b/include/lettering.gestion.inc.php
index ad44c2a..f4a1c55 100644
--- a/include/lettering.gestion.inc.php
+++ b/include/lettering.gestion.inc.php
@@ -6,14 +6,14 @@ if ( ! defined ('ALLOWED') ) die('Appel direct ne sont pas 
permis');
 require_once NOALYSS_INCLUDE.'/class/lettering.class.php';
 global $g_user;
 echo '<div class="content">';
-
+$http=new HttpInput();
 echo '<div id="search">';
 echo '<FORM METHOD="GET">';
 echo dossier::hidden();
-echo HtmlInput::hidden('ac',$_REQUEST['ac']);
-echo HtmlInput::hidden('sb',$_REQUEST['sb']);
-echo HtmlInput::hidden('sc',$_REQUEST['sc']);
-echo HtmlInput::hidden('f_id',$_REQUEST['f_id']);
+echo HtmlInput::hidden('ac',$http->request('ac'));
+echo HtmlInput::hidden('sb',$http->request('sb'));
+echo HtmlInput::hidden('sc',$http->request('sc'));
+echo HtmlInput::hidden('f_id',$http->request('f_id'));
 
 echo '<table width="50%">';
 
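Review bot: `f_id` is read here as `$http->request('f_id')` with no type, while the same parameter is read as `$http->request('f_id','number')` in category_card.inc.php in this commit; since it is a card id the stricter form, `echo HtmlInput::hidden('f_id',$http->request('f_id','number'));`, should be used here as well. The four values are reflected straight back into hidden form fields, so the change only removes reflected-XSS exposure if HtmlInput::hidden or HttpInput's default type HTML-escapes them — neither is visible here and is worth confirming. Also, if HttpInput::request rejects a missing parameter rather than yielding null the way `$_REQUEST['sb']` did, requests that omit `sb` or `sc` would now fail where they previously only produced a notice; a default argument is needed if those parameters are optional.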
@@ -23,7 +23,7 @@ $periode=new Periode($cn);
 list($first_per,$last_per)=$periode->get_limit($exercice);
 
 $start=new IDate('start');
-$start->value=(isset($_GET['start']))?$_GET['start']:$first_per->first_day();
+$start->value=(isset($_GET['start']))?$http->get('start'):$first_per->first_day();
 $r=td(_('Date début'));
 $r.=td($start->input());
 echo tr($r);
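Review bot: The new line still tests `isset($_GET['start'])` directly and then reads the same key through `$http->get('start')`, so the access is only half migrated. If HttpInput::get accepts a default value (and a date type), `$start->value=$http->get('start','date',$first_per->first_day());` would remove the last direct `$_GET` read and validate the value in one place; adjust the type name to whatever HttpInput actually defines. As written, a malformed `start` is placed into the IDate widget here before the isDate check further down in this file, which only runs when both `start` and `end` are supplied, so this is safe only if IDate::input escapes its value.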
@@ -41,7 +41,7 @@ $sel->value=array(
                 array('value'=>1,'label'=>_('Opérations lettrées')),
                 array('value'=>2,'label'=>_('Opérations NON lettrées'))
             );
-if (isset($_GET['type_let'])) $sel->selected=$_GET['type_let'];
+if (isset($_GET['type_let'])) $sel->selected=$http->get('type_let');
 else $sel->selected=1;
 
 $r= td("Filtre ").
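Review bot: `type_let` is compared against the numeric option values 0, 1 and 2, so it should be read with the numeric type this commit already uses for `f_id`: `if (isset($_GET['type_let'])) $sel->selected=$http->get('type_let','number');`. Without a type the selected value is whatever string the client sent, and the select widget presumably echoes it back when rendering. The `$sel->value=array(` assignment begins outside the hunk.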
@@ -68,7 +68,7 @@ if ( isset($_POST['record']))
 
//--------------------------------------------------------------------------------
 if ( isset($_GET['start']) && isset($_GET['end']))
   {
-    if ( isDate($_GET['start']) == null || isDate($_GET['end']) == null )
+    if ( isDate($http->get('start') ) == null || isDate($http->get ('end') ) 
== null )
       {
        echo alert(_('Date malformée, désolé'));
        return;
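Review bot: Style: `$http->get ('end')` has a space before its argument list, unlike `$http->get('start')` on the same line; `if ( isDate($http->get('start')) == null || isDate($http->get('end')) == null )` keeps both calls consistent and the condition on one line. The loose `== null` comparison is inherited from the old code, so if isDate can return false or an empty string the check still fires; leave it as is unless isDate's return contract is confirmed, since `=== null` could change behaviour. The enclosing `if ( isset($_GET['start']) && isset($_GET['end']) )` block continues past the end of the hunk.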


