

  • I am working on a camp registration form handler for a site that I want to convert to PN late this summer (after .8?) but thought it would be nice if I could code the pages that I am doing now to work with PN after I upgrade.

    My thought was this: use functions like pnVarCleanFromInput() and pnVarPrepForDisplay() in my code now so I won't need to change anything then. Then I looked at the API and noticed that most of what I wanted to use I could use without PN... but not all of it. I stripped out as much as I could but am not sure what else to do. (end of my ability / understanding)

    The one function that I am having a problem with is pnConfigGetVar($name) ? icon_confused


    This is what I have to date:

    Code

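    /**
     * Read one entry from the global PostNuke configuration array.
     *
     * The value is looked up in $GLOBALS['pnconfig'][$name]. When the key is
     * missing, or holds null (isset() treats both the same way), the function
     * returns null - not false, as the original docblock claimed - so callers
     * must test the result with === null rather than with a falsy check, since
     * 0, '' and '0' are legitimate configuration values.
     *
     * @param string|null $name the configuration key to read
     * @return mixed the stored value, or null when the key is absent
     */
    function pnConfigGetVar($name)
    {
        // A null name cannot address a key; report "not configured".
        if ($name === null) {
            return null;
        }

        // isset() on the nested key is false both for a missing key and for a
        // stored null, which keeps the original "null on failure" contract.
        if (isset($GLOBALS['pnconfig'][$name])) {
            return $GLOBALS['pnconfig'][$name];
        }

        return null;
    }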


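    /**
     * Fetch request variables by name and strip a fixed set of HTML constructs.
     *
     * Each argument is the name of an input variable. Its value is read, in
     * order of preference, from $_REQUEST (unless the same name is also an
     * upload in $_FILES), $_GET, $_POST, $_COOKIE and finally $_FILES. Values
     * taken from $_FILES are returned untouched; everything else has the tag
     * patterns in $search deleted, recursing into nested arrays such as
     * field[a][b]. Names listed in $alwaysclean are filtered even when they
     * came from $_FILES.
     *
     * This is a blacklist filter: it removes a handful of known tag names but
     * does not make a value safe for any output context. Callers still escape
     * on output (pnVarPrepForDisplay) and use bound parameters or the driver's
     * quoting on storage.
     *
     * Quirks kept from the original: an empty/falsy name ('', '0', null) aborts
     * the whole call and returns null even when other names were passed, and a
     * single name returns the bare value rather than a one-element list.
     * Changed: a name that is absent from every superglobal now yields null
     * even when it is in $alwaysclean (the original ran preg_replace() on null
     * and produced '' for those names only).
     *
     * @param string $var  name of the input variable to fetch (repeatable)
     * @return mixed the cleaned value when one name was given (null when the
     *               name is not present anywhere), otherwise a list of cleaned
     *               values in argument order
     */
    function pnVarCleanFromInput()
    {
        // Tag constructs deleted from cleansed input, matched case-insensitively.
        static $search = array('|</?\s*SCRIPT.*?>|si',
                               '|</?\s*FRAME.*?>|si',
                               '|</?\s*OBJECT.*?>|si',
                               '|</?\s*META.*?>|si',
                               '|</?\s*APPLET.*?>|si',
                               '|</?\s*LINK.*?>|si',
                               '|</?\s*IFRAME.*?>|si',
                               '|STYLE\s*=\s*"[^"]*"|si');

        // Names that are filtered no matter which superglobal supplied them.
        static $alwaysclean = array('name', 'module', 'type', 'file', 'authid');

        // get_magic_quotes_gpc() was removed in PHP 8.0 (a bare call is a fatal
        // error there); on older versions it reports whether GPC values arrived
        // with slashes already added, which must then be stripped first.
        $magicquotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

        $resarray = array();
        foreach (func_get_args() as $var) {
            // Original behaviour: an empty name aborts the whole call.
            if (empty($var)) {
                return;
            }

            $cleanse = true;
            if (isset($_REQUEST[$var]) && !isset($_FILES[$var])) {
                // PHP < 4.3 merged $_FILES into $_REQUEST, so an upload is only
                // ever accepted from $_FILES itself (below).
                $ourvar = $_REQUEST[$var];
            } elseif (isset($_GET[$var])) {
                $ourvar = $_GET[$var];
            } elseif (isset($_POST[$var])) {
                $ourvar = $_POST[$var];
            } elseif (isset($_COOKIE[$var])) {
                $ourvar = $_COOKIE[$var];
            } elseif (isset($_FILES[$var])) {
                // Upload metadata is passed through unfiltered ...
                $ourvar = $_FILES[$var];
                $cleanse = false;
            } else {
                $ourvar = null;
                $cleanse = false;
            }

            // ... unless the name is one that must always be filtered.
            if (in_array($var, $alwaysclean, true)) {
                $cleanse = true;
            }

            if ($cleanse && $ourvar !== null) {
                if ($magicquotes) {
                    pnStripslashes($ourvar);
                }
                $ourvar = pnVarCleanFromInput__walk($ourvar, $search);
            }

            $resarray[] = $ourvar;
        }

        // One name: return the value itself; several: the list in order.
        if (func_num_args() == 1) {
            return $resarray[0];
        }
        return $resarray;
    }

    /**
     * Apply the pnVarCleanFromInput() tag patterns to a scalar or, recursively,
     * to every leaf of a nested array (form fields such as field[a][b]).
     *
     * @access private
     * @param mixed $value   scalar or (nested) array of request values
     * @param array $search  list of PCRE patterns whose matches are deleted
     * @return mixed the value with every pattern match removed; leaves are
     *               always returned as strings, as preg_replace() does
     */
    function pnVarCleanFromInput__walk($value, $search)
    {
        if (is_array($value)) {
            foreach ($value as $key => $item) {
                $value[$key] = pnVarCleanFromInput__walk($item, $search);
            }
            return $value;
        }

        // Request values are strings already; the cast only matters for the
        // numeric entries of a $_FILES record (size, error) and for tests.
        return preg_replace($search, '', (string) $value);
    }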
  • Continuing the code (it would not all fit)

    Code

    /**
     * Recursively remove the slashes that magic_quotes added to a value.
     *
     * Scalars are passed through stripslashes(); arrays are walked depth-first
     * so every nested leaf is stripped in place. An empty value ('', 0, null,
     * an empty array) is left exactly as it is. Used by pnVarCleanFromInput().
     *
     * @access private
     * @param mixed $value scalar or (nested) array, modified in place
     */
    function pnStripslashes (&$value)
    {
        if (empty($value)) {
            return;
        }

        if (is_array($value)) {
            // Iterate by reference so each leaf is rewritten where it lives.
            foreach ($value as &$leaf) {
                pnStripslashes($leaf);
            }
            unset($leaf);
            return;
        }

        $value = stripslashes($value);
    }

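    /**
     * Escape values for inclusion in HTML output.
     *
     * Each argument is passed through htmlspecialchars() with ENT_QUOTES (so
     * single quotes are escaped too, matching the PHP >= 8.1 default) and
     * ENT_SUBSTITUTE (invalid UTF-8 becomes U+FFFD instead of emptying the
     * whole string). Every "x@y" sequence is then rewritten as numeric
     * entities for x, @ and y as a mild obstacle to e-mail harvesters.
     *
     * The original did that rewrite with the preg_replace() /e modifier, which
     * was removed in PHP 7.0 and made every call return null; the same
     * substitution is now done with preg_replace_callback(). The copy of the
     * replacement string shown on this page reads ord("") - the captured
     * neighbouring characters are the evident intent and are what the callback
     * encodes.
     *
     * @param mixed $var value to prepare (repeatable)
     * @return mixed the prepared string when one value was given, otherwise a
     *               list of prepared strings in argument order
     */
    function pnVarPrepForDisplay()
    {
        $resarray = array();
        foreach (func_get_args() as $ourvar) {
            $ourvar = htmlspecialchars($ourvar, ENT_QUOTES | ENT_SUBSTITUTE);
            // Byte-wise pattern (no /u): the callback leaves bytes >= 0x80
            // untouched, so a multi-byte UTF-8 character next to '@' survives.
            $ourvar = preg_replace_callback('/(.)@(.)/s',
                                            'pnVarPrepForDisplay__callback',
                                            $ourvar);
            $resarray[] = $ourvar;
        }

        if (func_num_args() == 1) {
            return $resarray[0];
        }
        return $resarray;
    }

    /**
     * Callback for pnVarPrepForDisplay(): encode the byte before '@', the '@'
     * itself and the byte after it as decimal numeric entities (&#NNN;).
     *
     * Only ASCII bytes are encoded; a byte >= 0x80 is part of a multi-byte
     * character and is emitted unchanged so the character is not corrupted.
     *
     * @access private
     * @param array $matches preg_replace_callback match array ([1] and [2] set)
     * @return string the obfuscated three-character sequence
     */
    function pnVarPrepForDisplay__callback($matches)
    {
        $out = '';
        foreach (array($matches[1], '@', $matches[2]) as $byte) {
            $code = ord($byte);
            $out .= $code < 0x80 ? sprintf('&#%03d;', $code) : $byte;
        }
        return $out;
    }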

    /**
     * ready HTML output
     * <br />
     * Escapes a value with htmlspecialchars() while letting the tags enabled
     * in the 'AllowableHTML' configuration array through. Allowed tags are
     * first swapped for a marker, the whole string is escaped, and the marked
     * tags are rebuilt by pnVarPrepHTMLDisplay__callback(). When the
     * 'htmlentities' config flag is set, entity-looking sequences are restored.
     *
     * NOTE(review): this copy looks mangled. The marker literal "24", the
     * character classes [^4]/[^2] and the pattern '/2([^4]*)4/' almost
     * certainly contained non-printable marker bytes in the original source
     * (the "use of 4 and 2" comment below hints at that), and the marker
     * replacement carries no $1, so as printed every allowed tag would be
     * replaced by the literal text "24" and its content lost. Compare against
     * the original pnAPI.php before relying on this listing.
     *
     * NOTE(review): $search and $replace are defined but never used in this
     * function as printed (they duplicate pnVarPrepForDisplay's obfuscation).
     * They rely on the /e modifier, removed in PHP 7.0, and the ord("")
     * arguments have lost their back-references in this copy - do not revive
     * them as-is; use preg_replace_callback() instead.
     *
     * @author Xaraya development team
     * @param mixed $var variable to prepare (repeatable)
     * @return string|array prepared variable if only one variable passed
     * in, otherwise an array of prepared variables
     */

    function pnVarPrepHTMLDisplay()
    {
        // E-mail obfuscation patterns, see the NOTE(review) in the docblock:
        // unused in this function as printed, and dependent on the removed
        // /e modifier.
        //
        // Note that the use of 4 and 2 are needed to ensure that
        // this does not break HTML tags that might be around either
        // the username or the domain name
        static $search = array('/([^4])@([^2])/se');

        static $replace = array('"&#" .
                                sprintf("%03d", ord("")) .
                                ";&#064;&#" .
                                sprintf("%03d", ord("")) . ";";'
    );

        // Compiled once per request: one alternation regex matching every tag
        // enabled in the 'AllowableHTML' config array, or '' when none is.
        static $allowedtags = null;

        if (!isset($allowedtags)) {
            $allowedhtml = array();
            // Config values: 0 = forbidden, 1 = bare tag (no attributes),
            // 2 = tag with quoted attributes. NOTE(review): pnConfigGetVar()
            // returns null for a missing key and foreach over null only warns,
            // so an unconfigured site ends up allowing no tags at all.
            foreach(pnConfigGetVar('AllowableHTML') as $k=>$v) {
                if ($k == '!--') {
                    // HTML comments are allowed as a whole "<!-- ... -->" unit.
                    if ($v <> 0) {
                        $allowedhtml[] = "$k.*?--";
                    }
                } else {
                    switch($v) {
                        case 0:
                            break;
                        case 1:
                            // Opening or closing tag with no attributes ("\s"
                            // is not a PHP escape, so it reaches PCRE verbatim).
                            $allowedhtml[] = "/?$k\s*/?";
                            break;
                        case 2:
                            // Tag with zero or more name="..." / name='...'
                            // attributes; requiring quoted values stops a '>'
                            // inside a value from ending the tag early
                            // (bug #1782, credits to jln).
                            $allowedhtml[] = "/?\s*$k" . "(\s+[\w:]+\s*=\s*(\"[^\"]*\"|'[^']*'))*" . '\s*/?';
                            // original version
                            // $allowedhtml[] = "/?$k(\s+[^>]*)?/?";
                            break;
                    }
                }
            }
            if (count($allowedhtml) > 0) {
                // 2nd part of bugfix #1782
                $allowedtags = '~<\s*(' . join('|',$allowedhtml) . ')\s*>~is';
            } else {
                $allowedtags = '';
            }
        }

        $resarray = array();
        foreach (func_get_args() as $var) {
            // Step 1: swap each allowed tag for a marker so it survives escaping.
            // NOTE(review): as printed the replacement is the literal "24" with
            // no $1, so the tag text itself is dropped here (see docblock).
            if (!empty($allowedtags))
                $var = preg_replace($allowedtags, "24", $var);

            // Step 2: escape everything else (default flags; since PHP 8.1 that
            // includes single quotes, which the callback must then reverse).
            $var = htmlspecialchars($var);

            // Step 3: rebuild the marked tags from their escaped content.
            $var = preg_replace_callback('/2([^4]*)4/',
                                         'pnVarPrepHTMLDisplay__callback',
                                         $var);

            // Step 4: optionally restore entity-looking sequences.
            // NOTE(review): the replacement "&;" also has no $1 in this copy, so
            // as printed every "&amp;xxx;" collapses to "&;"; presumably the
            // original restored "&$1;".
            if (pnConfigGetVar('htmlentities')) {
                $var = preg_replace('/&amp;([a-z#0-9]+);/i', "&;", $var);
            }

            // Add to array
            array_push($resarray, $var);
        }

        // Return vars
        if (func_num_args() == 1) {
            return $resarray[0];
        } else {
            return $resarray;
        }
    }

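    /**
     * Callback for pnVarPrepHTMLDisplay(): turn an escaped, previously
     * whitelisted tag back into a real tag.
     *
     * $matches[1] is the tag body as left by htmlspecialchars(). Only the
     * entities htmlspecialchars() itself produces for tag syntax are reversed:
     * &gt;, &lt;, &quot; and &#039;. The last one is new: single quotes are
     * escaped by default since PHP 8.1, and the tag whitelist built in
     * pnVarPrepHTMLDisplay() explicitly allows single-quoted attribute values,
     * which would otherwise come out as name=&#039;...&#039;. &amp; stays
     * encoded, as the original's commented-out entry indicates was intended.
     *
     * @author Xaraya development team
     * @access private
     * @param array $matches preg_replace_callback match array
     * @return string|null the rebuilt "<...>" tag, or null when no capture
     *                     group is present
     */
    function pnVarPrepHTMLDisplay__callback($matches)
    {
        if (!isset($matches[1])) {
            return null;
        }

        static $unescape = array('&gt;'   => '>',
                                 '&lt;'   => '<',
                                 '&quot;' => '"',
                                 '&#039;' => "'");

        return '<' . strtr($matches[1], $unescape) . '>';
    }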

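    /**
     * Prepare scalar values for embedding in an SQL string.
     *
     * Scalars are passed through addslashes() unless magic_quotes_runtime is
     * on (only possible on PHP < 5.4); arrays are returned untouched.
     * get_magic_quotes_runtime() was removed in PHP 8.0, where a bare call is a
     * fatal error, so its existence is checked before it is consulted.
     *
     * NOTE(review): addslashes() is not a correct SQL escaping routine for
     * every connection charset. Treat this as legacy compatibility and prefer
     * prepared statements with bound parameters, or the database driver's own
     * quoting, when writing new code.
     *
     * @param mixed $var value to prepare (repeatable)
     * @return mixed the prepared value when one was given, otherwise a list of
     *               prepared values in argument order
     */
    function pnVarPrepForStore()
    {
        // Skip addslashes() only when the runtime already adds the slashes.
        $addslashes = !(function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime());

        $resarray = array();
        foreach (func_get_args() as $ourvar) {
            if ($addslashes && !is_array($ourvar)) {
                $ourvar = addslashes($ourvar);
            }
            $resarray[] = $ourvar;
        }

        if (func_num_args() == 1) {
            return $resarray[0];
        }
        return $resarray;
    }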
