From 90539a32bc946be34715dfa5e8a7264599112b8b Mon Sep 17 00:00:00 2001
From: Shish
Date: Sun, 12 Jul 2015 22:40:28 +0100
Subject: [PATCH] validate_input() function

---
 core/exceptions.class.php | 5 +++
 core/util.inc.php | 58 ++++++++++++++++++++++++++++++++
 ext/user/main.php | 71 +++++++++++++++------------------------
 3 files changed, 90 insertions(+), 44 deletions(-)

diff --git a/core/exceptions.class.php b/core/exceptions.class.php
index 14765760..d2400893 100644
--- a/core/exceptions.class.php
+++ b/core/exceptions.class.php
@@ -22,3 +22,8 @@ class PermissionDeniedException extends SCoreException {}
 * Example: Image::by_id(-1) returns null
 */
 class ImageDoesNotExist extends SCoreException {}
+
+/*
+ * For validate_input()
+ */
+class InvalidInput extends SCoreException {}
diff --git a/core/util.inc.php b/core/util.inc.php
index 10730bd1..a159681d 100644
--- a/core/util.inc.php
+++ b/core/util.inc.php
@@ -263,6 +263,64 @@ function isValidDate($date) {
 return false;
 }
 
+function validate_input($inputs) {
+ $outputs = array();
+
+ foreach($inputs as $key => $validations) {
+ $flags = explode(',', $validations);
+ if(in_array('optional', $flags)) {
+ if(!isset($_POST[$key])) {
+ continue;
+ }
+ }
+
+ if(!isset($_POST[$key])) {
+ throw new InvalidInput("Input '$key' not set");
+ }
+
+ $value = $_POST[$key];
+
+ if(in_array('user_id', $flags)) {
+ $id = int_escape($value);
+ if(in_array('exists', $flags)) {
+ if(is_null(User::by_id($id))) {
+ throw new InvalidInput("User #$id does not exist");
+ }
+ }
+ $outputs[$key] = $id;
+ }
+ else if(in_array('user_name', $flags)) {
+ if(strlen($value) < 1) {
+ throw new InvalidInput("Username must be at least 1 character");
+ }
+ else if(!preg_match('/^[a-zA-Z0-9-_]+$/', $value)) {
+ throw new InvalidInput(
+ "Username contains invalid characters. Allowed characters are ".
+ "letters, numbers, dash, and underscore");
+ }
+ $outputs[$key] = $value;
+ }
+ else if(in_array('user_class', $flags)) {
+ global $_user_classes;
+ if(!array_key_exists($value, $_user_classes)) {
+ throw new InvalidInput("Invalid user class: ".html_escape($class));
+ }
+ $outputs[$key] = $value;
+ }
+ else if(in_array('email', $flags)) {
+ $outputs[$key] = $value;
+ }
+ else if(in_array('password', $flags)) {
+ $outputs[$key] = $value;
+ }
+ else {
+ throw new InvalidInput("Unknown validation '$validations'");
+ }
+ }
+
+ return $outputs;
+}
+
 /**
 * Give a HTML string which shows an IP (if the user is allowed to see IPs),
 * and a link to ban that IP (if the user is allowed to ban IPs)
diff --git a/ext/user/main.php b/ext/user/main.php
index e5791f4d..a0d87426 100644
--- a/ext/user/main.php
+++ b/ext/user/main.php
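Review bot: The `user_class` branch builds its error from `html_escape($class)`, but no `$class` exists inside validate_input — the posted value is held in `$value` — so the message would be produced from an undefined variable; it should read `throw new InvalidInput("Invalid user class: ".html_escape($value));`. The `email` and `password` flags pass the posted string through with no check at all, which is acceptable if callers only rely on presence, but the function has no docblock; it should state that and list the recognised flags (`optional`, `user_id`, `exists`, `user_name`, `user_class`, `email`, `password`) together with the comma-separated syntax. The username pattern `/^[a-zA-Z0-9-_]+$/` still admits a trailing newline because `$` matches before a final `\n`; `/^[a-zA-Z0-9-_]+$/D` closes that gap. The `in_array` calls on `$flags` should pass `true` as the third argument so flag matching is strict.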
@@ -174,7 +174,7 @@ class UserPage extends Extension { log_info("user", "Logged out"); $page->set_mode("redirect"); - // Try forwarding to same page on logout unless user comes from registration page + // Try forwarding to same page on logout unless user comes from registration page if ($config->get_int("user_loginshowprofile",0) == 0 && isset($_SERVER['HTTP_REFERER']) && strstr($_SERVER['HTTP_REFERER'], "post/")) 
@@ -190,49 +190,37 @@ class UserPage extends Extension { } else if($event->get_arg(0) == "change_name") { - if(isset($_POST['id']) && isset($_POST['name'])) { - $duser = User::by_id($_POST['id']); - if ( ! $duser instanceof User) { - throw new NullUserException("Error: the user id does not exist!"); - } - $name = $_POST['name']; - $this->change_name_wrapper($duser, $name); - } + $input = validate_input(array( + 'id' => 'user_id,exists', + 'name' => 'user_name', + )); + $duser = User::by_id($input['id']); + $this->change_name_wrapper($duser, $input['name']); } else if($event->get_arg(0) == "change_pass") { - if(isset($_POST['id']) && isset($_POST['pass1']) && isset($_POST['pass2'])) { - $duser = User::by_id($_POST['id']); - if ( ! $duser instanceof User) { - throw new NullUserException("Error: the user id does not exist!"); - } - $pass1 = $_POST['pass1']; - $pass2 = $_POST['pass2']; - $this->change_password_wrapper($duser, $pass1, $pass2); - } + $input = validate_input(array( + 'id' => 'user_id,exists', + 'pass1' => 'password', + 'pass2' => 'password', + )); + $duser = User::by_id($input['id']); + $this->change_password_wrapper($duser, $input['pass1'], $input['pass2']); } else if($event->get_arg(0) == "change_email") { - if(isset($_POST['id']) && isset($_POST['address'])) { - $duser = User::by_id($_POST['id']); - if ( ! $duser instanceof User) { - throw new NullUserException("Error: the user id does not exist!"); - } - $address = $_POST['address']; - $this->change_email_wrapper($duser, $address); - } + $input = validate_input(array( + 'id' => 'user_id,exists', + 'address' => 'email', + )); + $duser = User::by_id($input['id']); + $this->change_email_wrapper($duser, $input['address']); } else if($event->get_arg(0) == "change_class") { - global $_user_classes; - if(isset($_POST['id']) && isset($_POST['class'])) { - $duser = User::by_id($_POST['id']); - if ( ! 
$duser instanceof User) { - throw new NullUserException("Error: the user id does not exist!"); - } - $class = $_POST['class']; - if(!array_key_exists($class, $_user_classes)) { - throw Exception("Invalid user class: ".html_escape($class)); - } - $this->change_class_wrapper($duser, $class); - } + $input = validate_input(array( + 'id' => 'user_id,exists', + 'class' => 'user_class', + )); + $duser = User::by_id($input['id']); + $this->change_class_wrapper($duser, $input['class']); } else if($event->get_arg(0) == "delete_user") { $this->delete_user($page, isset($_POST["with_images"]), isset($_POST["with_comments"])); @@ -459,7 +447,7 @@ class UserPage extends Extension { "Username contains invalid characters. Allowed characters are ". "letters, numbers, dash, and underscore"); } - else if($database->get_row($database->scoreql_to_sql("SELECT * FROM users WHERE SCORE_STRNORM(name) = SCORE_STRNORM(:name)"), array("name"=>$name))) { + else if(User::by_name($name)) { throw new UserCreationException("That username is already taken"); } } @@ -601,12 +589,7 @@ class UserPage extends Extension { global $user; if($user->class->name == "admin") { - $duser = User::by_id($_POST['id']); - if ( ! $duser instanceof User) { - throw new NullUserException("Error: the user id does not exist!"); - } $duser->set_class($class); - flash_message("Class changed"); $this->redirect_to_user($duser); }
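Review bot: Each of the four new branches validates with `'user_id,exists'` and then calls `User::by_id($input['id'])` a second time, so the user row is fetched twice per request and the wrappers lose the non-null guarantee the removed `instanceof User` checks gave them at the call site. Having validate_input return the loaded User when `exists` is requested, or keeping a single `if (!$duser instanceof User)` guard after the lookup, would remove the re-fetch and restore that guarantee. The old code silently ignored a request with missing fields, whereas the new code throws InvalidInput, so something on the request path must render that exception — nothing in this hunk shows it. The `delete_user` branch below still reads `$_POST` directly instead of going through validate_input. The enclosing method begins and ends outside the hunk.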
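Review bot: The replaced query compared `SCORE_STRNORM(name)` with `SCORE_STRNORM(:name)`, a normalised match, while the new `User::by_name($name)` is only equivalent if that method applies the same normalisation; if it does a plain equality, two accounts differing only in letter case could both be created, and the "already taken" check would no longer catch look-alike names. Worth confirming against the User class and recording at the call site, e.g. `// by_name() must match the same normalised form as the SCORE_STRNORM query it replaced`. The enclosing method starts and ends outside the hunk.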
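Review bot: With the `User::by_id($_POST['id'])` lookup removed, `$duser` in change_class_wrapper must now come from the method's parameter list, which lies above the hunk; the `change_class` call site already passes `$duser` as the first argument, so that is presumably the case, but nothing in this hunk declares it and it should be checked. The admin gate `if($user->class->name == "admin")` that now directly guards `set_class` uses loose comparison; `===` would match the strictness the rest of the change is reaching for.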