[Noalyss-commit] [noalyss] 160/218: Protect parameters
From: |
Dany De Bontridder |
Subject: |
[Noalyss-commit] [noalyss] 160/218: Protect parameters |
Date: |
Thu, 12 Sep 2019 15:59:02 -0400 (EDT) |
sparkyx pushed a commit to branch entreprise
in repository noalyss.
commit 57bb44c85fffab96fac0f0432432adf7a244570a
Author: Dany De Bontridder <address@hidden>
Date: Sat Jan 12 13:39:48 2019 +0100
Protect parameters
---
html/fid_card.php | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/html/fid_card.php b/html/fid_card.php
index 1ee5d07..57577bb 100644
--- a/html/fid_card.php
+++ b/html/fid_card.php
@@ -27,6 +27,7 @@
require_once '../include/constant.php';
require_once NOALYSS_INCLUDE.'/lib/database.class.php';
+require_once NOALYSS_INCLUDE.'/lib/http_input.class.php';
require_once NOALYSS_INCLUDE.'/class/dossier.class.php';
/*!\brief
* Received parameters are
@@ -41,11 +42,12 @@ require_once NOALYSS_INCLUDE.'/class/dossier.class.php';
* - list of fd_id
*
*/
+$http=new HttpInput();
-$jrn= ( ! isset($_REQUEST['j']))?-1:$_REQUEST['j'];
+$jrn= $http->request("j","number",-1);
$filter_card="";
$cn=Dossier::connect();
-$d=$_REQUEST['e'];
+$d=$http->request('e');
$filter_card='';
require_once('class/user.class.php');
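Review bot: `$d=$http->request('e');` reads the parameter with neither a type nor a default, unlike `$jrn` on the line just above it; if `e` is a numeric identifier, `$d=$http->request('e','number');` keeps the two reads consistent and rejects non-numeric input at the boundary. The same untyped read appears for `type` in the next hunk (`$type=$http->request("type");`), which only feeds a parameterised query, so validation rather than injection is the concern there. What request() does when the key is absent (null, exception) is not visible in this hunk, so code using `$d` may now see a different failure mode than the previous `$_REQUEST['e']` notice.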
@@ -107,8 +109,8 @@ else
{
$get_cred='jrn_def_fiche_cred';
$get_deb='jrn_def_fiche_deb';
-
- $filter_jrn=$cn->make_list("select $get_cred||','||$get_deb as
fiche from jrn_def where jrn_def_type=$1",array($_REQUEST['type']));
+ $type=$http->request("type");
+ $filter_jrn=$cn->make_list("select $get_cred||','||$get_deb as
fiche from jrn_def where jrn_def_type=$1",array($type));
$filter_card=($filter_jrn != "")?" and fd_id in ($filter_jrn)":'
and false ';
}
@@ -125,9 +127,12 @@ else
$sql_str="select distinct f_id from fiche join fiche_detail using (f_id) where
ad_id in (9,1,23) and ad_value ilike '%'||$1||'%' ".$filter_card.' limit 12';
-$sql=$cn->get_array($sql_str ,array($_REQUEST['FID']));
-if (sizeof($sql) != 0 )
+$fid=$http->request("FID");
+
+$sql=$cn->get_array($sql_str ,array($fid));
+
+if ($sql != false && sizeof($sql) != 0 )
{
echo "<ul>";
$sql_get=$cn->prepare('get_name',"select ad_value from fiche_detail where
f_id = $1 and ad_id=$2");
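Review bot: `if ($sql != false && sizeof($sql) != 0 )` relies on loose comparison; `[] != false` is already false, so the sizeof() guard adds nothing, and `if ($sql !== false && count($sql) !== 0)` states the intent exactly. Separately, `$fid` is bound into `'%'||$1||'%'` as a LIKE pattern: the query is parameterised so injection is not at stake, but `%` and `_` in the user's search term act as wildcards; if that is unwanted, escape them before binding. What get_array() returns for a query with no rows (false versus an empty array) is not visible here, which is presumably why both checks were kept.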
@@ -146,12 +151,12 @@ if (sizeof($sql) != 0 )
$sql_name=$cn->execute('get_name',array($sql[$i]['f_id'],23));
if (Database::num_row($sql_name) == 1)
$quick_code=Database::fetch_result($sql_name,0,0);
- $fid=htmlentities($_REQUEST['FID']);
+ $fid=htmlentities($fid);
/* Highlight the found pattern with bold format */
- $name=str_ireplace($_REQUEST['FID'],'<em>'.$fid.'</em>',h($name));
-
$qcode=str_ireplace($_REQUEST['FID'],'<em>'.$fid.'</em>',h($quick_code));
- $desc=str_ireplace($_REQUEST['FID'],'<em>'.$fid.'</em>',h($desc));
+ $name=str_ireplace($fid,'<em>'.$fid.'</em>',h($name));
+ $qcode=str_ireplace($fid,'<em>'.$fid.'</em>',h($quick_code));
+ $desc=str_ireplace($fid,'<em>'.$fid.'</em>',h($desc));
printf('<li id="%s">%s <span class="informal">%s %s</span></li>',
$quick_code,
$quick_code,
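Review bot: `$fid=htmlentities($fid);` now overwrites the search term in place, so if this runs inside the per-row loop over `$sql[$i]` (its start is outside the hunk) every iteration after the first re-encodes an already encoded value and the needle given to str_ireplace drifts away from the text in h($name). It also changes the needle from the raw term to its htmlentities() form while the haystacks are built with h(); for a non-ASCII search term the two encodings no longer agree and the highlight silently stops matching. Computing an escaped copy once, e.g. `$fid_html=h($fid);` before the loop, and using `$fid_html` for both the needle and the `<em>` wrapper keeps the original value intact and the encodings consistent (assuming h() is the same escaping applied to $name). The line `$qcode=str_ireplace($_REQUEST['FID'],'<em>'.$fid.'</em>',h($quick_code));` appears to survive as a context line, judging by the hunk line counts; if so it still reads the raw request and is immediately overwritten by the new `$qcode` assignment, so it should be deleted.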