[Noalyss-commit] [noalyss] 02/03: Security remove $_POST , $_GET direct
From: |
Dany De Bontridder |
Subject: |
[Noalyss-commit] [noalyss] 02/03: Security remove $_POST , $_GET direct access |
Date: |
Sun, 10 Apr 2022 16:11:21 -0400 (EDT) |
sparkyx pushed a commit to branch master
in repository noalyss.
commit 3dc017845536ecd19de8eb6ccddf5a1a24706b48
Author: sparkyx <danydb@noalyss.eu>
AuthorDate: Sun Apr 10 12:36:27 2022 +0200
Security remove $_POST , $_GET direct access
---
include/fiche.inc.php | 12 +++++++-----
include/lettering.account.inc.php | 2 +-
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/include/fiche.inc.php b/include/fiche.inc.php
index 44a7f9446..6f0ba282b 100644
--- a/include/fiche.inc.php
+++ b/include/fiche.inc.php
@@ -18,7 +18,8 @@
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
// Copyright Author Dany De Bontridder danydb@aevalys.eu
-/**\file
+/**
+ * \file
* \brief printing of category of card : balance, historic
*/
if ( ! defined ('ALLOWED') ) die('Appel direct ne sont pas permis');
@@ -145,16 +146,17 @@ if ($histo->selected == -1)
{
if ($write == 1)
{
- $ack = $_POST['f_id'];
+ $ack = $http->post("f_id","array",[]);
/**
* Move
*/
if (isset($_POST['move'])&& $_POST['move'] == 1)
{
+ $move_to=$http->post("move_to","number");
for ($i = 0; $i < count($ack); $i++)
{
$fiche = new Fiche($cn, $ack[$i]);
- $fiche->move_to($_POST['move_to']);
+ $fiche->move_to($move_to);
}
}
/**
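Review bot: The guard on the `move` flag still reads the superglobal directly, `if (isset($_POST['move'])&& $_POST['move'] == 1)`, so this hunk keeps one of the accesses the commit sets out to remove, and the same is true of `isset($_GET['acc'])` in the lettering.account.inc.php hunk. Routing it through the helper like the lines around it, `if ($http->post("move","number",0) == 1)`, keeps every request read on one path; the three-argument form with a default is the shape already used for `f_id` on the first added line. The new `$move_to=$http->post("move_to","number");` passes no default, so what happens when `move_to` is absent now depends on the helper rather than yielding null as the old `$_POST['move_to']` did; that behaviour is not visible here and deserves a one-line comment stating it. The enclosing `if ($write == 1)` block and the outer `if ($histo->selected == -1)` continue past the hunk.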
@@ -199,8 +201,8 @@ if ($histo->selected == -1)
$max = $cn->get_value("select count(*) from fiche as f " . $cond);
$step = $_SESSION[SESSION_KEY.'g_pagesize'];
- $page = (isset($_GET['offset'])) ? $_GET['page'] : 1;
- $offset = (isset($_GET['offset'])) ? $_GET['offset'] : 0;
+ $page=$http->get("page","number",1);
+ $offset=$http->get("offset","number",0);
$bar = navigation_bar($offset, $max, $step, $page);
$limit = ($step == -1 ) ? "" : " limit " . $step;
$res = $cn->exec_sql("
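Review bot: `$page` and `$offset` are now read from the query string as numbers but nothing bounds them, so a negative or oversized offset reaches `navigation_bar` and, if the query started on the last line appends it as an OFFSET clause, the database as well; what the `"number"` type guarantees beyond being numeric is not visible here. Clamping before use, `$offset = max(0, (int) $offset);` and `$page = max(1, (int) $page);`, would make the code that follows independent of that helper detail. As a point of style, the two new assignments drop the spaces around `=` that every neighbouring line uses (`$max = ...`, `$bar = ...`). The `exec_sql` statement and the enclosing block continue outside the hunk.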
diff --git a/include/lettering.account.inc.php
b/include/lettering.account.inc.php
index 1136a2879..178d63586 100644
--- a/include/lettering.account.inc.php
+++ b/include/lettering.account.inc.php
@@ -44,7 +44,7 @@ $poste->set_attribute('label','account_label');
$poste->set_attribute('account','acc');
$acc_lib="";
if (isset($_GET['acc'])) {
- $poste->value=$_GET['acc'];
+ $poste->value=$http->get("acc");
$acc_lib=$cn->get_value('select pcm_lib from tmp_pcmn where
pcm_val=upper($1)',array($poste->value));
}
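Review bot: `$poste->value=$http->get("acc");` passes neither a type nor a default, unlike the other new calls in this commit (`$http->get("page","number",1)`), so whether the value is filtered at all depends on the helper's untyped behaviour, which is not visible here. The value is then bound as `$1` in the prepared `get_value` query, so the SQL itself is not exposed; the concern is only the consistency of input handling, and if the helper offers a type for plain strings, passing it here would make the intent match the rest of the commit. A short comment on that line stating what the untyped form returns would help the next reader. The enclosing `if` closes at the hunk's last line.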