[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Noalyss-commit] [noalyss] 160/238: Protect parameters
|
From: |
Dany De Bontridder |
|
Subject: |
[Noalyss-commit] [noalyss] 160/238: Protect parameters |
|
Date: |
Sat, 26 Oct 2019 04:40:56 -0400 (EDT) |
sparkyx pushed a commit to annotated tag rel7110
in repository noalyss.
commit 57bb44c85fffab96fac0f0432432adf7a244570a
Author: Dany De Bontridder <address@hidden>
Date: Sat Jan 12 13:39:48 2019 +0100
Protect parameters
---
html/fid_card.php | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/html/fid_card.php b/html/fid_card.php
index 1ee5d07..57577bb 100644
--- a/html/fid_card.php
+++ b/html/fid_card.php
@@ -27,6 +27,7 @@
require_once '../include/constant.php';
require_once NOALYSS_INCLUDE.'/lib/database.class.php';
+require_once NOALYSS_INCLUDE.'/lib/http_input.class.php';
require_once NOALYSS_INCLUDE.'/class/dossier.class.php';
/*!\brief
* Received parameters are
@@ -41,11 +42,12 @@ require_once NOALYSS_INCLUDE.'/class/dossier.class.php';
* - list of fd_id
*
*/
+$http=new HttpInput();
-$jrn= ( ! isset($_REQUEST['j']))?-1:$_REQUEST['j'];
+$jrn= $http->request("j","number",-1);
$filter_card="";
$cn=Dossier::connect();
-$d=$_REQUEST['e'];
+$d=$http->request('e');
$filter_card='';
require_once('class/user.class.php');
@@ -107,8 +109,8 @@ else
{
$get_cred='jrn_def_fiche_cred';
$get_deb='jrn_def_fiche_deb';
-
- $filter_jrn=$cn->make_list("select $get_cred||','||$get_deb as
fiche from jrn_def where jrn_def_type=$1",array($_REQUEST['type']));
+ $type=$http->request("type");
+ $filter_jrn=$cn->make_list("select $get_cred||','||$get_deb as
fiche from jrn_def where jrn_def_type=$1",array($type));
$filter_card=($filter_jrn != "")?" and fd_id in ($filter_jrn)":'
and false ';
}
@@ -125,9 +127,12 @@ else
$sql_str="select distinct f_id from fiche join fiche_detail using (f_id) where
ad_id in (9,1,23) and ad_value ilike '%'||$1||'%' ".$filter_card.' limit 12';
-$sql=$cn->get_array($sql_str ,array($_REQUEST['FID']));
-if (sizeof($sql) != 0 )
+$fid=$http->request("FID");
+
+$sql=$cn->get_array($sql_str ,array($fid));
+
+if ($sql != false && sizeof($sql) != 0 )
{
echo "<ul>";
$sql_get=$cn->prepare('get_name',"select ad_value from fiche_detail where
f_id = $1 and ad_id=$2");
@@ -146,12 +151,12 @@ if (sizeof($sql) != 0 )
$sql_name=$cn->execute('get_name',array($sql[$i]['f_id'],23));
if (Database::num_row($sql_name) == 1)
$quick_code=Database::fetch_result($sql_name,0,0);
- $fid=htmlentities($_REQUEST['FID']);
+ $fid=htmlentities($fid);
/* Highlight the found pattern with bold format */
- $name=str_ireplace($_REQUEST['FID'],'<em>'.$fid.'</em>',h($name));
-
$qcode=str_ireplace($_REQUEST['FID'],'<em>'.$fid.'</em>',h($quick_code));
- $desc=str_ireplace($_REQUEST['FID'],'<em>'.$fid.'</em>',h($desc));
+ $name=str_ireplace($fid,'<em>'.$fid.'</em>',h($name));
+ $qcode=str_ireplace($fid,'<em>'.$fid.'</em>',h($quick_code));
+ $desc=str_ireplace($fid,'<em>'.$fid.'</em>',h($desc));
printf('<li id="%s">%s <span class="informal">%s %s</span></li>',
$quick_code,
$quick_code,
- [Noalyss-commit] [noalyss] 120/238: Currency : send the saldo for financial ledger, (continued)
- [Noalyss-commit] [noalyss] 120/238: Currency : send the saldo for financial ledger, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 145/238: Currency : the meaning is : 1 euro is worth xxx Currency , so we divide the amount with the currency rate to compute the EUR value, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 140/238: Misc. Operation : input : Missing tag TR, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 137/238: Translation, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 141/238: Currency : for misc. operation, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 164/238: Currency Show currency info for MISC, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 161/238: PHP 7.2 incomptability : sizeof of not array, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 166/238: Typo, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 154/238: by default jrn is an empty array, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 149/238: Currency : purchase, save all detail also in currency, fix problem with the advance payment, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 160/238: Protect parameters,
Dany De Bontridder <=
- [Noalyss-commit] [noalyss] 157/238: Merge branch 'r700-currency' of gitlab.noalyss.eu:noalyss/noalyss into r700-currency, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 162/238: Currency - fix view, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 150/238: Currency : detail operation Sale , the amount in currency were wrong in the summary, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 165/238: Database upgrade, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 158/238: Merge branch 'master' of gitlab.noalyss.eu:noalyss/noalyss into r700-currency, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 167/238: Currency : set default accounting for change difference when using currency, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 159/238: Currency : because of Misc Operation, the tiers must also be saved into operation_currency. Fix also PRINTJRN for currency, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 173/238: Mantis #0001682: CA - ajouter possibilité d'exporter le plan analytique, missing file, Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 177/238: Mantis #1643: Déplacement du "bouton" «retour en-haut/calculatrice», Dany De Bontridder, 2019/10/26
- [Noalyss-commit] [noalyss] 182/238: Bug : CARD misplace of "Search Card", Dany De Bontridder, 2019/10/26