Add sanitisation

This commit is contained in:
grandeljay 2022-06-22 21:19:01 +02:00
parent f81d6916e8
commit 97e3e4a788
10 changed files with 125 additions and 42 deletions


@ -36,10 +36,12 @@ switch ($_SERVER['REQUEST_METHOD']) {
$response['data'][$table] = $count->get(); $response['data'][$table] = $count->get();
} }
} else { } else {
$table = Sanitiser::getTable($_GET['table']);
$count = $database $count = $database
->query( ->query(
'SELECT COUNT(`id`) AS "count" 'SELECT COUNT(`id`) AS "count"
FROM `' . $_GET['table'] . '`;' FROM `' . $table . '`;'
) )
->fetch(); ->fetch();
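Review bot: `Sanitiser::getTable($_GET['table'])` on the new line before the COUNT query only restricts the characters of the value, so any table whose name consists of lowercase letters and underscores can still be counted through this endpoint. A character filter is not an allowlist; compare the value against the tables this endpoint is meant to expose, for example `if (!in_array($table, ['wishes', 'wishlists'], true)) { /* reject */ }`, using whatever list of tables the application actually intends. The enclosing switch starts outside the hunk.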


@ -59,11 +59,11 @@ switch ($_SERVER['REQUEST_METHOD']) {
break; break;
} }
$wish_title = trim($_POST['wish_title']); $wish_title = Sanitiser::getTitle($_POST['wish_title']);
$wish_description = trim($_POST['wish_description']); $wish_description = Sanitiser::getText($_POST['wish_description']);
$wish_image = trim($_POST['wish_image']); $wish_image = Sanitiser::getURL($_POST['wish_image']);
$wish_url = trim($_POST['wish_url']); $wish_url = Sanitiser::getURL($_POST['wish_url']);
$wish_priority = isset($_POST['wish_priority']) && $_POST['wish_priority'] ? $_POST['wish_priority'] : 'NULL'; $wish_priority = !empty(Sanitiser::getNumber($_POST['wish_priority'])) ? Sanitiser::getNumber($_POST['wish_priority']) : 'NULL';
$wish_is_purchasable = isset($_POST['wish_is_purchasable']) ? 'true' : 'false'; $wish_is_purchasable = isset($_POST['wish_is_purchasable']) ? 'true' : 'false';
if (Wish::NO_IMAGE === $wish_image) { if (Wish::NO_IMAGE === $wish_image) {
@ -127,7 +127,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
*/ */
$wish_price = empty($_POST['wish_price']) || 'false' === $wish_is_purchasable $wish_price = empty($_POST['wish_price']) || 'false' === $wish_is_purchasable
? 'NULL' ? 'NULL'
: $_POST['wish_price']; : Sanitiser::getNumber($_POST['wish_price']);
$database $database
->query( ->query(
@ -207,7 +207,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
* Product * Product
*/ */
$wish_id = $database->lastInsertId(); $wish_id = $database->lastInsertId();
$wish_price = floatval($_POST['wish_price']); $wish_price = Sanitiser::getNumber($_POST['wish_price']);
if ($wish_price > 0) { if ($wish_price > 0) {
$database $database
@ -235,7 +235,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
/** /**
* Update Wish Status * Update Wish Status
*/ */
$status = $_PUT['wish_status']; $status = Sanitiser::getStatus($_PUT['wish_status']);
$wish_id = Sanitiser::getNumber($_PUT['wish_id']);
if (Wish::STATUS_TEMPORARY === $status) { if (Wish::STATUS_TEMPORARY === $status) {
$status = time(); $status = time();
@ -243,8 +244,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
$database->query( $database->query(
'UPDATE `wishes` 'UPDATE `wishes`
SET `status` = "' . $status . '" SET `status` = "' . $status . '"
WHERE `id` = ' . $_PUT['wish_id'] . ';' WHERE `id` = ' . $wish_id . ';'
); );
$response['success'] = true; $response['success'] = true;
@ -254,8 +255,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
*/ */
$database->query( $database->query(
'UPDATE `wishes` 'UPDATE `wishes`
SET `url` = "' . $_PUT['wish_url_proposed'] . '" SET `url` = "' . Sanitiser::getURL($_PUT['wish_url_proposed']) . '"
WHERE `url` = "' . $_PUT['wish_url_current'] . '";' WHERE `url` = "' . Sanitiser::getURL($_PUT['wish_url_current']) . '";'
); );
$response['success'] = true; $response['success'] = true;
@ -268,7 +269,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
if (isset($_DELETE['wish_id'])) { if (isset($_DELETE['wish_id'])) {
$database->query( $database->query(
'DELETE FROM `wishes` 'DELETE FROM `wishes`
WHERE `id` = ' . $_DELETE['wish_id'] . ';' WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wish_id']) . ';'
); );
} }
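Review bot: `Sanitiser::getURL` on the `wish_url_proposed`/`wish_url_current` lines only strips whitespace, so a double quote or backslash in the submitted URL still breaks out of the `"..."` literal it is concatenated into, and the same applies to `$wish_image` and `$wish_url` in the first hunk; that UPDATE remains injectable. Rejecting malformed input with `filter_var($value, FILTER_VALIDATE_URL)` narrows it, but the durable fix is to bind the values rather than concatenate: `$stmt = $database->prepare('UPDATE wishes SET url = ? WHERE url = ?'); $stmt->execute([$proposed, $current]);` — whether the `$database` wrapper exposes `prepare` is not visible here. On the `wish_priority` line the previous `isset` guard is gone, so a form without that field now triggers an undefined-index warning, and `getNumber` is evaluated twice; compute it once into a local before the `empty` test.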


@ -26,7 +26,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
$wishlist = $database $wishlist = $database
->query('SELECT * ->query('SELECT *
FROM `wishlists_saved` FROM `wishlists_saved`
WHERE `wishlist` = ' . $_POST['wishlist'] . ' WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . '
;') ;')
->fetch(); ->fetch();
@ -34,7 +34,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
/** Delete */ /** Delete */
$database $database
->query('DELETE FROM `wishlists_saved` ->query('DELETE FROM `wishlists_saved`
WHERE `wishlist` = ' . $_POST['wishlist'] . ' WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . '
;'); ;');
$response['action'] = 'deleted'; $response['action'] = 'deleted';
@ -46,7 +46,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
`wishlist` `wishlist`
) VALUES ( ) VALUES (
' . $user->id . ', ' . $user->id . ',
' . $_POST['wishlist'] . ' ' . Sanitiser::getNumber($_POST['wishlist']) . '
) )
;'); ;');
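Review bot: `Sanitiser::getNumber($_POST['wishlist'])` is repeated on a query line in each of this file's three hunks; evaluate it once at the top of the handler and reuse the local. Since `wishlist` is a row id, an explicit `$wishlist_id = (int) $_POST['wishlist'];` is both simpler and yields an integer, whereas `getNumber` is declared to return a float and also lets values such as `1.5` through to the WHERE clause. The enclosing switch case starts outside the hunks.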


@ -21,15 +21,18 @@ switch ($_SERVER['REQUEST_METHOD']) {
/** /**
* Create * Create
*/ */
$user_id = Sanitiser::getNumber($_SESSION['user']['id']);
$wish_name = Sanitiser::getTitle($_POST['wishlist-name']);
$database->query('INSERT INTO `wishlists` $database->query('INSERT INTO `wishlists`
( (
`user`, `user`,
`name`, `name`,
`hash` `hash`
) VALUES ( ) VALUES (
' . $_SESSION['user']['id'] . ', ' . $user_id . ',
"' . $_POST['wishlist-name'] . '", "' . $wish_name . '",
"' . sha1(time() . $_SESSION['user']['id'] . $_POST['wishlist-name']) . '" "' . sha1(time() . $user_id . $wish_name) . '"
) )
;'); ;');
@ -40,7 +43,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
/** /**
* Request more wishes * Request more wishes
*/ */
$wishlistID = $_POST['wishlist-id']; $wishlistID = Sanitiser::getNumber($_POST['wishlist-id']);
/** Get last notification time */ /** Get last notification time */
$wishlistQuery = $database $wishlistQuery = $database
@ -148,8 +151,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
$database $database
->query('UPDATE `wishlists` ->query('UPDATE `wishlists`
SET `name` = "' . $_PUT['wishlist_title'] . '" SET `name` = "' . Sanitiser::getTitle($_PUT['wishlist_title']) . '"
WHERE `id` = ' . $_PUT['wishlist_id'] . ' WHERE `id` = ' . Sanitiser::getNumber($_PUT['wishlist_id']) . '
;'); ;');
$response['success'] = true; $response['success'] = true;
@ -159,7 +162,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
parse_str(file_get_contents("php://input"), $_DELETE); parse_str(file_get_contents("php://input"), $_DELETE);
$database->query('DELETE FROM `wishlists` $database->query('DELETE FROM `wishlists`
WHERE `id` = ' . $_DELETE['wishlistID'] . ' WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wishlistID']) . '
;'); ;');
$response['success'] = true; $response['success'] = true;
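Review bot: `Sanitiser::getTitle($_POST['wishlist-name'])` HTML-encodes the value before it reaches the INSERT, so names are stored as entities (`'` becomes `&#039;`) and any later `htmlspecialchars` on output will double-encode them; the `wishlist_title` UPDATE in the later hunk does the same, and the `sha1` seed now hashes the encoded name rather than the one the user typed. Entity encoding is also not SQL escaping: a backslash passes through `htmlentities` untouched and can still escape the closing quote of the literal. Keep the raw trimmed value, bind it with a prepared statement, and encode at render time.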


@ -28,12 +28,12 @@ class Options
try { try {
$option = $this->database->query( $option = $this->database->query(
'SELECT * FROM `options` 'SELECT * FROM `options`
WHERE `key` = "' . $key . '";' WHERE `key` = "' . Sanitiser::getOption($key) . '";'
)->fetch(); )->fetch();
$value = $option['value'] ?? ''; $value = $option['value'] ?? '';
} catch (\Throwable $th) { } catch (\Throwable $th) {
//throw $th; throw $th;
} }
return $value; return $value;
@ -41,6 +41,9 @@ class Options
public function setOption(string $key, string $value): void public function setOption(string $key, string $value): void
{ {
$key = Sanitiser::getOption($key);
$value = Sanitiser::getText($value);
$optionExists = 0 !== $this->database $optionExists = 0 !== $this->database
->query('SELECT * ->query('SELECT *
FROM `options` FROM `options`

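--- a/src/classes/sanitiser.php
+++ b/src/classes/sanitiser.php
@@ -0,0 +1,70 @@
+<?php
+namespace wishthis;
+class Sanitiser
+{
+public static function getNumber(mixed $valueToSanitise): float
+{
+return preg_replace('/[^0-9\.]+/', '', $valueToSanitise);
+}
+public static function getPage(mixed $valueToSanitise): string
+{
+$valueToSanitise = strtolower($valueToSanitise);
+return preg_replace('/[^a-z\-_]+/', '', $valueToSanitise);
+}
+public static function getTable(mixed $valueToSanitise): string
+{
+$valueToSanitise = strtolower($valueToSanitise);
+return preg_replace('/[^a-z_]+/', '', $valueToSanitise);
+}
+public static function getTitle(mixed $valueToSanitise): string
+{
+$valueToSanitise = trim($valueToSanitise);
+return htmlentities($valueToSanitise, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML5);
+}
+public static function getText(mixed $valueToSanitise): string
+{
+$valueToSanitise = trim($valueToSanitise);
+return htmlentities($valueToSanitise, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML5);
+}
+public static function getURL(mixed $valueToSanitise): string
+{
+return preg_replace('/[\s]+/', '', $valueToSanitise);
+}
+public static function getStatus(mixed $valueToSanitise): string
+{
+$valueToSanitise = strtolower($valueToSanitise);
+return preg_replace('/[^a-z\-_]+/', '', $valueToSanitise);
+}
+public static function getOption(mixed $valueToSanitise): string
+{
+return preg_replace('/[^a-zA-Z\_]+/', '', $valueToSanitise);
+}
+public static function getEmail(mixed $valueToSanitise): string
+{
+$valueToSanitise = strtolower($valueToSanitise);
+return preg_replace('/[^a-z\-_0-9\.+@]+/', '', $valueToSanitise);
+}
+public static function getSHA1(mixed $valueToSanitise): string
+{
+$valueToSanitise = strtolower($valueToSanitise);
+return preg_replace('/[^a-f0-9]+/', '', $valueToSanitise);
+}
+}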
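Review bot: `getNumber` declares a `float` return type but returns the string produced by `preg_replace`, so any input that is not a well-formed number after filtering — a blank or missing field, or `1.2.3`, which the character class permits — raises a TypeError during return-type coercion, and callers such as `wish_priority` and every id lookup will fatal on an empty field. The `mixed` parameters are passed straight to `strtolower`/`preg_replace`, which PHP 8.1 deprecates for `null`, so a missing request key adds a deprecation notice on top. `getURL` only removes whitespace and therefore does not neutralise `"` or `\` for the SQL literals it feeds, and `getEmail` filters rather than validates (`filter_var($value, FILTER_VALIDATE_EMAIL)` would reject instead of silently rewriting). The rewrite below makes `getNumber` validate after filtering and return `0.0` for anything that is not a number, which keeps optional fields like `wish_priority` working; ids would be better served by a separate integer variant so large values are not float-formatted.
```php
public static function getNumber(mixed $valueToSanitise): float
{
    $filtered = preg_replace('/[^0-9\.]+/', '', (string) $valueToSanitise);
    // Optional fields arrive blank; treat anything that is not a single
    // well-formed number as 0.0 instead of letting the float return type
    // raise a TypeError on '' or on inputs like '1.2.3'.
    if (!is_numeric($filtered)) {
        return 0.0;
    }
    return (float) $filtered;
}
// … unchanged: getPage, getTable, getTitle, getText, getURL, getStatus, getOption, getEmail, getSHA1 …
```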


@ -11,7 +11,7 @@ namespace wishthis;
$page = new Page(__FILE__, __('Login as'), 100); $page = new Page(__FILE__, __('Login as'), 100);
if (isset($_POST['email'])) { if (isset($_POST['email'])) {
$email = $_POST['email']; $email = Sanitiser::getEmail($_POST['email']);
$user = $database $user = $database
->query( ->query(


@ -14,7 +14,7 @@ $page = new Page(__FILE__, __('Login'));
* Login * Login
*/ */
if (isset($_POST['login'], $_POST['email'], $_POST['password'])) { if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
$email = $_POST['email']; $email = Sanitiser::getEmail($_POST['email']);
$password = User::generatePassword($_POST['password']); $password = User::generatePassword($_POST['password']);
$database->query('UPDATE `users` $database->query('UPDATE `users`
@ -54,7 +54,7 @@ if (isset($_POST['reset'], $_POST['email'])) {
$user = $database $user = $database
->query('SELECT * ->query('SELECT *
FROM `users` FROM `users`
WHERE `email` = "' . $_POST['email'] . '";') WHERE `email` = "' . Sanitiser::getEmail($_POST['email']) . '";')
->fetch(); ->fetch();
if ($user) { if ($user) {
@ -68,7 +68,7 @@ if (isset($_POST['reset'], $_POST['email'])) {
WHERE `id` = ' . $user['id'] . ' WHERE `id` = ' . $user['id'] . '
;'); ;');
$emailReset = new Email($_POST['email'], __('Password reset link'), 'default', 'password-reset'); $emailReset = new Email($user['email'], __('Password reset link'), 'default', 'password-reset');
$emailReset->setPlaceholder('TEXT_HELLO', __('Hello,')); $emailReset->setPlaceholder('TEXT_HELLO', __('Hello,'));
$emailReset->setPlaceholder( $emailReset->setPlaceholder(
'TEXT_PASSWORD_RESET', 'TEXT_PASSWORD_RESET',
@ -84,7 +84,7 @@ if (isset($_POST['reset'], $_POST['email'])) {
'password-reset-link', 'password-reset-link',
$_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['REQUEST_SCHEME'] . '://' .
$_SERVER['HTTP_HOST'] . $_SERVER['HTTP_HOST'] .
Page::PAGE_REGISTER . '&password-reset=' . $_POST['email'] . '&token=' . $token Page::PAGE_REGISTER . '&password-reset=' . $user['email'] . '&token=' . $token
); );
$emailReset->send(); $emailReset->send();
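Review bot: The rebuilt reset link on the `password-reset=` line embeds `$user['email']` raw in a query string; `getEmail` explicitly permits `+`, which the receiving page decodes as a space, so plus-addressed users receive a link whose address never matches. Use `rawurlencode($user['email'])` there, and likewise for `$token`. Switching from the POSTed address to the stored `$user['email']` is the right change. The link is also built from `$_SERVER['HTTP_HOST']` on the context line above, which is taken from the request's Host header; a configured base URL is the safer source for password-reset mail.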


@ -108,7 +108,7 @@ if (isset($_POST['user-id'], $_POST['section'])) {
$database $database
->query('UPDATE `users` ->query('UPDATE `users`
SET ' . implode(',', $set) . ' SET ' . implode(',', $set) . '
WHERE `id` = ' . $_POST['user-id']); WHERE `id` = ' . Sanitiser::getNumber($_POST['user-id']));
} }
if ($loginRequired) { if ($loginRequired) {
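Review bot: `Sanitiser::getNumber($_POST['user-id'])` on the WHERE line makes the id numeric but does not establish that the caller may edit that user; the hunk does not show such a check, and the enclosing `if (isset($_POST['user-id'], $_POST['section']))` starts outside it. If the comparison is not done earlier, compare against the session user (or require the appropriate power level) before the UPDATE, e.g. `if ((int) $_POST['user-id'] !== (int) $_SESSION['user']['id']) { /* reject */ }`. `$_SESSION['user']['id']` is the key used elsewhere in this commit.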


@ -16,16 +16,17 @@ $buttonSubmit = $passwordReset ? __('Reset') : __('Register');
$page = new Page(__FILE__, $pageTitle); $page = new Page(__FILE__, $pageTitle);
if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) { if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
$users = $database->query('SELECT * FROM `users`;')->fetchAll(); $users = $database->query('SELECT * FROM `users`;')->fetchAll();
$emails = array_map( $emails = array_map(
function ($user) { function ($user) {
return $user['email']; return $user['email'];
}, },
$users $users
); );
$user_email = Sanitiser::getEmail($_POST['email']);
$isHuman = false; $isHuman = false;
$planet = strtolower($_POST['planet']); $planet = Sanitiser::getTitle($_POST['planet']);
$planetName = strtoupper($planet[0]) . substr($planet, 1); $planetName = strtoupper($planet[0]) . substr($planet, 1);
$planets = array( $planets = array(
strtolower(__('Mercury')), strtolower(__('Mercury')),
@ -57,14 +58,17 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
$userRegistered = false; $userRegistered = false;
if (isset($_GET['password-reset'], $_GET['token'])) { if (isset($_GET['password-reset'], $_GET['token'])) {
$user_email = Sanitiser::getEmail($_GET['password-reset']);
$user_token = Sanitiser::getSHA1($_GET['token']);
/** /**
* Password reset * Password reset
*/ */
$user = $database $user = $database
->query( ->query(
'SELECT * FROM `users` 'SELECT * FROM `users`
WHERE `email` = "' . $_GET['password-reset'] . '" WHERE `email` = "' . $user_email . '"
AND `password_reset_token` = "' . $_GET['token'] . '";' AND `password_reset_token` = "' . $user_token . '";'
) )
->fetch(); ->fetch();
@ -80,7 +84,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
); );
$page->messages[] = Page::success( $page->messages[] = Page::success(
'Password has been successfully reset for <strong>' . $_GET['password-reset'] . '</strong>.', 'Password has been successfully reset for <strong>' . $user_email . '</strong>.',
'Success' 'Success'
); );
} else { } else {
@ -101,7 +105,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
`password`, `password`,
`power` `power`
) VALUES ( ) VALUES (
"' . $_POST['email'] . '", "' . $user_email . '",
"' . User::generatePassword($_POST['password']) . '", "' . User::generatePassword($_POST['password']) . '",
100 100
) )
@ -109,7 +113,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
); );
$userRegistered = true; $userRegistered = true;
} else { } else {
if (in_array($_POST['email'], $emails)) { if (in_array($user_email, $emails)) {
$page->messages[] = Page::error( $page->messages[] = Page::error(
__('An account with this email address already exists.'), __('An account with this email address already exists.'),
__('Invalid email address') __('Invalid email address')
@ -121,7 +125,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
`email`, `email`,
`password` `password`
) VALUES ( ) VALUES (
"' . $_POST['email'] . '", "' . $user_email . '",
"' . User::generatePassword($_POST['password']) . '" "' . User::generatePassword($_POST['password']) . '"
) )
;' ;'
@ -138,7 +142,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
*/ */
if ($userRegistered) { if ($userRegistered) {
$userID = $database->lastInsertID(); $userID = $database->lastInsertID();
$wishlistName = __('My hopes and dreams'); $wishlistName = Sanitiser::getTitle(__('My hopes and dreams'));
$database $database
->query( ->query(