From 67e0c87b201f1cc6cde76134c7fc92c4905793d8 Mon Sep 17 00:00:00 2001
From: Shish
Date: Sun, 25 Dec 2011 15:11:26 +0000
Subject: [PATCH] create a generic bool_escape function, use that
---
 core/util.inc.php | 19 +++++++++++++++++++
 ext/upload/main.php | 9 ++-------
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/core/util.inc.php b/core/util.inc.php
index a38fa9a1..a5bec9db 100644
--- a/core/util.inc.php
+++ b/core/util.inc.php
@@ -47,6 +47,25 @@ function sql_escape($input) {
 return $database->db->Quote($input);
 }
+
+/**
+ * Turn all manner of HTML / INI / JS / DB booleans into a PHP one
+ *
+ * @retval boolean
+ */
+function bool_escape($input) {
+ $input = strtolower($input);
+ return (
+ $input == "y" ||
+ $input == "yes" ||
+ $input == "t" ||
+ $input == "true" ||
+ $input == "on" ||
+ $input == 1 ||
+ $input == true
+ );
+}
+
 /**
 * Some functions require a callback function for escaping,
 * but we might not want to alter the data
diff --git a/ext/upload/main.php b/ext/upload/main.php
index b624d992..0a40076c 100644
--- a/ext/upload/main.php
+++ b/ext/upload/main.php
@@ -313,12 +313,7 @@ class Upload implements Extension {
 // Checks if user is admin > check if you want locked.
 if($user->is_admin()){
- // There must be a less messy way to do this..
- if($_GET['locked'] == "y" || $_GET['locked'] == "yes" || $_GET['locked'] == "true" || $_GET['locked'] == "on" || $_GET['locked'] == "n" || $_GET['locked'] == "no" || $_GET['locked'] == "false" || $_GET['locked'] == "off"){
- if($_GET['locked'] == "y" || $_GET['locked'] == "yes" || $_GET['locked'] == "true" || $_GET['locked'] == "on"){
- $locked = "on";
- }
- }
+ $locked = bool_escape($_GET['locked']);
 }
 // Checks if url contains rating, also checks if the rating extension is enabled.
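Review bot: The final `$input == true` comparison in bool_escape() makes the function return true for every non-empty string other than "0", because a loose comparison against a bool reduces the string to its truthiness — so "n", "no", "false" and "off" all come back true, which defeats the whitelist the other six comparisons express. Match only the explicit tokens, and do it strictly so no other scalar can coerce its way in: `return in_array(strtolower((string) $input), array("y", "yes", "t", "true", "on", "1"), true);`. The `(string)` cast also stops `strtolower()` from being handed null or a non-string, which matters because the caller added in ext/upload/main.php passes a raw `$_GET` entry straight through. The `$input == 1` case is subsumed by the "1" token, so nothing else is lost.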
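Review bot: `$_GET['locked']` is now read unconditionally inside the admin branch; the removed code only ever compared it, but the new line passes it to bool_escape(), so a request without the parameter raises an undefined-index notice and hands null to `strtolower()`. Guard the read and keep the result a plain bool: `$locked = isset($_GET['locked']) && bool_escape($_GET['locked']);`. Keeping the `$user->is_admin()` check around the flag is the right authorization gate and should stay as is. The enclosing method of class Upload starts and ends outside the hunk, and the loose-comparison defect in bool_escape() itself (noted on core/util.inc.php) means that until it is fixed any non-empty value, including "no" or "off", will lock the upload here.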
@@ -391,7 +386,7 @@ class Upload implements Extension { /* check for locked > adds to metadata if it has */ if(!empty($locked)){ - $metadata['locked'] = $locked; + $metadata['locked'] = $locked ? "on" : ""; } /* check for rating > adds to metadata if it has */
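Review bot: The `""` branch of the new ternary is unreachable: the enclosing `if(!empty($locked))` already rejects false, so inside it `$locked` is truthy and `$locked ? "on" : ""` always evaluates to "on". Reduce the line to `$metadata['locked'] = "on";` so the guard and the assignment say the same thing. The enclosing method starts and ends outside the hunk.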