validate_input() function

This commit is contained in:
Shish 2015-07-12 22:40:28 +01:00
parent 06d8c7a879
commit 90539a32bc
3 changed files with 90 additions and 44 deletions


@ -22,3 +22,8 @@ class PermissionDeniedException extends SCoreException {}
* Example: Image::by_id(-1) returns null * Example: Image::by_id(-1) returns null
*/ */
class ImageDoesNotExist extends SCoreException {} class ImageDoesNotExist extends SCoreException {}
/*
* For validate_input()
*/
class InvalidInput extends SCoreException {}
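Review bot: The comment introducing InvalidInput opens with `/*`, so it is a plain comment rather than a docblock, while the comment ending just above it (`* Example: ...` / `*/`) appears to be written in docblock style. Suggest `/** Thrown by validate_input() when a listed request field is missing or fails its declared validation. */` so documentation tools and IDEs pick it up alongside the sibling exception classes.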


@ -263,6 +263,64 @@ function isValidDate($date) {
return false; return false;
} }
function validate_input($inputs) {
$outputs = array();
foreach($inputs as $key => $validations) {
$flags = explode(',', $validations);
if(in_array('optional', $flags)) {
if(!isset($_POST[$key])) {
continue;
}
}
if(!isset($_POST[$key])) {
throw new InvalidInput("Input '$key' not set");
}
$value = $_POST[$key];
if(in_array('user_id', $flags)) {
$id = int_escape($value);
if(in_array('exists', $flags)) {
if(is_null(User::by_id($id))) {
throw new InvalidInput("User #$id does not exist");
}
}
$outputs[$key] = $id;
}
else if(in_array('user_name', $flags)) {
if(strlen($value) < 1) {
throw new InvalidInput("Username must be at least 1 character");
}
else if(!preg_match('/^[a-zA-Z0-9-_]+$/', $value)) {
throw new InvalidInput(
"Username contains invalid characters. Allowed characters are ".
"letters, numbers, dash, and underscore");
}
$outputs[$key] = $value;
}
else if(in_array('user_class', $flags)) {
global $_user_classes;
if(!array_key_exists($value, $_user_classes)) {
throw new InvalidInput("Invalid user class: ".html_escape($class));
}
$outputs[$key] = $value;
}
else if(in_array('email', $flags)) {
$outputs[$key] = $value;
}
else if(in_array('password', $flags)) {
$outputs[$key] = $value;
}
else {
throw new InvalidInput("Unknown validation '$validations'");
}
}
return $outputs;
}
/** /**
* Give a HTML string which shows an IP (if the user is allowed to see IPs), * Give a HTML string which shows an IP (if the user is allowed to see IPs),
* and a link to ban that IP (if the user is allowed to ban IPs) * and a link to ban that IP (if the user is allowed to ban IPs)
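Review bot: The user_class branch builds its error message from `$class`, which is never assigned inside validate_input(), so the message is emitted with an empty class name and an undefined-variable notice; the line should read `throw new InvalidInput("Invalid user class: ".html_escape($value));`. The `email` and `password` branches copy the value through unchanged, which is acceptable as a pass-through but should be stated, because a caller reading the flag names may assume a format check happens here. The function also lacks the `/** ... */` header its neighbours carry; a docblock along the lines of `/** Pull each listed key from $_POST, applying its comma-separated validations; returns key => cleaned value and throws InvalidInput on a missing or invalid field. */` would document the contract, including that `optional` keys are silently omitted from the result.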


@ -174,7 +174,7 @@ class UserPage extends Extension {
log_info("user", "Logged out"); log_info("user", "Logged out");
$page->set_mode("redirect"); $page->set_mode("redirect");
// Try forwarding to same page on logout unless user comes from registration page // Try forwarding to same page on logout unless user comes from registration page
if ($config->get_int("user_loginshowprofile",0) == 0 && if ($config->get_int("user_loginshowprofile",0) == 0 &&
isset($_SERVER['HTTP_REFERER']) && isset($_SERVER['HTTP_REFERER']) &&
strstr($_SERVER['HTTP_REFERER'], "post/")) strstr($_SERVER['HTTP_REFERER'], "post/"))
@ -190,49 +190,37 @@ class UserPage extends Extension {
} }
else if($event->get_arg(0) == "change_name") { else if($event->get_arg(0) == "change_name") {
if(isset($_POST['id']) && isset($_POST['name'])) { $input = validate_input(array(
$duser = User::by_id($_POST['id']); 'id' => 'user_id,exists',
if ( ! $duser instanceof User) { 'name' => 'user_name',
throw new NullUserException("Error: the user id does not exist!"); ));
} $duser = User::by_id($input['id']);
$name = $_POST['name']; $this->change_name_wrapper($duser, $input['name']);
$this->change_name_wrapper($duser, $name);
}
} }
else if($event->get_arg(0) == "change_pass") { else if($event->get_arg(0) == "change_pass") {
if(isset($_POST['id']) && isset($_POST['pass1']) && isset($_POST['pass2'])) { $input = validate_input(array(
$duser = User::by_id($_POST['id']); 'id' => 'user_id,exists',
if ( ! $duser instanceof User) { 'pass1' => 'password',
throw new NullUserException("Error: the user id does not exist!"); 'pass2' => 'password',
} ));
$pass1 = $_POST['pass1']; $duser = User::by_id($input['id']);
$pass2 = $_POST['pass2']; $this->change_password_wrapper($duser, $input['pass1'], $input['pass2']);
$this->change_password_wrapper($duser, $pass1, $pass2);
}
} }
else if($event->get_arg(0) == "change_email") { else if($event->get_arg(0) == "change_email") {
if(isset($_POST['id']) && isset($_POST['address'])) { $input = validate_input(array(
$duser = User::by_id($_POST['id']); 'id' => 'user_id,exists',
if ( ! $duser instanceof User) { 'address' => 'email',
throw new NullUserException("Error: the user id does not exist!"); ));
} $duser = User::by_id($input['id']);
$address = $_POST['address']; $this->change_email_wrapper($duser, $input['address']);
$this->change_email_wrapper($duser, $address);
}
} }
else if($event->get_arg(0) == "change_class") { else if($event->get_arg(0) == "change_class") {
global $_user_classes; $input = validate_input(array(
if(isset($_POST['id']) && isset($_POST['class'])) { 'id' => 'user_id,exists',
$duser = User::by_id($_POST['id']); 'class' => 'user_class',
if ( ! $duser instanceof User) { ));
throw new NullUserException("Error: the user id does not exist!"); $duser = User::by_id($input['id']);
} $this->change_class_wrapper($duser, $input['class']);
$class = $_POST['class'];
if(!array_key_exists($class, $_user_classes)) {
throw Exception("Invalid user class: ".html_escape($class));
}
$this->change_class_wrapper($duser, $class);
}
} }
else if($event->get_arg(0) == "delete_user") { else if($event->get_arg(0) == "delete_user") {
$this->delete_user($page, isset($_POST["with_images"]), isset($_POST["with_comments"])); $this->delete_user($page, isset($_POST["with_images"]), isset($_POST["with_comments"]));
@ -459,7 +447,7 @@ class UserPage extends Extension {
"Username contains invalid characters. Allowed characters are ". "Username contains invalid characters. Allowed characters are ".
"letters, numbers, dash, and underscore"); "letters, numbers, dash, and underscore");
} }
else if($database->get_row($database->scoreql_to_sql("SELECT * FROM users WHERE SCORE_STRNORM(name) = SCORE_STRNORM(:name)"), array("name"=>$name))) { else if(User::by_name($name)) {
throw new UserCreationException("That username is already taken"); throw new UserCreationException("That username is already taken");
} }
} }
@ -601,12 +589,7 @@ class UserPage extends Extension {
global $user; global $user;
if($user->class->name == "admin") { if($user->class->name == "admin") {
$duser = User::by_id($_POST['id']);
if ( ! $duser instanceof User) {
throw new NullUserException("Error: the user id does not exist!");
}
$duser->set_class($class); $duser->set_class($class);
flash_message("Class changed"); flash_message("Class changed");
$this->redirect_to_user($duser); $this->redirect_to_user($duser);
} }
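Review bot: In the `@ -459` hunk the duplicate-username check moves from a `SCORE_STRNORM(name) = SCORE_STRNORM(:name)` query to `User::by_name($name)`; unless by_name applies the same normalisation, names differing only in case or similar would no longer count as taken, allowing a second account with a look-alike of an existing name. by_name's body is not in this diff, so this needs confirming against its definition; if it is an exact match, either keep the normalised query here or have by_name perform the same comparison. In the `@ -601` hunk the removed `User::by_id($_POST['id'])` lookup leaves `$duser` to arrive from the caller, but the enclosing function's signature is outside the hunk, so it cannot be checked here that every caller now passes a validated user. The rewritten change_* branches in the `@ -190` hunk also switch from silently skipping on a missing field to throwing InvalidInput; where that exception is caught and how it is shown to the user is not visible in this change.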