Add sanitisation

This commit is contained in:
grandeljay 2022-06-22 21:19:01 +02:00
parent f81d6916e8
commit 97e3e4a788
10 changed files with 125 additions and 42 deletions

View file

@ -36,10 +36,12 @@ switch ($_SERVER['REQUEST_METHOD']) {
$response['data'][$table] = $count->get();
}
} else {
$table = Sanitiser::getTable($_GET['table']);
$count = $database
->query(
'SELECT COUNT(`id`) AS "count"
FROM `' . $_GET['table'] . '`;'
FROM `' . $table . '`;'
)
->fetch();

View file

@ -59,11 +59,11 @@ switch ($_SERVER['REQUEST_METHOD']) {
break;
}
$wish_title = trim($_POST['wish_title']);
$wish_description = trim($_POST['wish_description']);
$wish_image = trim($_POST['wish_image']);
$wish_url = trim($_POST['wish_url']);
$wish_priority = isset($_POST['wish_priority']) && $_POST['wish_priority'] ? $_POST['wish_priority'] : 'NULL';
$wish_title = Sanitiser::getTitle($_POST['wish_title']);
$wish_description = Sanitiser::getText($_POST['wish_description']);
$wish_image = Sanitiser::getURL($_POST['wish_image']);
$wish_url = Sanitiser::getURL($_POST['wish_url']);
$wish_priority = !empty(Sanitiser::getNumber($_POST['wish_priority'])) ? Sanitiser::getNumber($_POST['wish_priority']) : 'NULL';
$wish_is_purchasable = isset($_POST['wish_is_purchasable']) ? 'true' : 'false';
if (Wish::NO_IMAGE === $wish_image) {
@ -127,7 +127,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
*/
$wish_price = empty($_POST['wish_price']) || 'false' === $wish_is_purchasable
? 'NULL'
: $_POST['wish_price'];
: Sanitiser::getNumber($_POST['wish_price']);
$database
->query(
@ -207,7 +207,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
* Product
*/
$wish_id = $database->lastInsertId();
$wish_price = floatval($_POST['wish_price']);
$wish_price = Sanitiser::getNumber($_POST['wish_price']);
if ($wish_price > 0) {
$database
@ -235,7 +235,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
/**
* Update Wish Status
*/
$status = $_PUT['wish_status'];
$status = Sanitiser::getStatus($_PUT['wish_status']);
$wish_id = Sanitiser::getNumber($_PUT['wish_id']);
if (Wish::STATUS_TEMPORARY === $status) {
$status = time();
@ -244,7 +245,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
$database->query(
'UPDATE `wishes`
SET `status` = "' . $status . '"
WHERE `id` = ' . $_PUT['wish_id'] . ';'
WHERE `id` = ' . $wish_id . ';'
);
$response['success'] = true;
@ -254,8 +255,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
*/
$database->query(
'UPDATE `wishes`
SET `url` = "' . $_PUT['wish_url_proposed'] . '"
WHERE `url` = "' . $_PUT['wish_url_current'] . '";'
SET `url` = "' . Sanitiser::getURL($_PUT['wish_url_proposed']) . '"
WHERE `url` = "' . Sanitiser::getURL($_PUT['wish_url_current']) . '";'
);
$response['success'] = true;
@ -268,7 +269,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
if (isset($_DELETE['wish_id'])) {
$database->query(
'DELETE FROM `wishes`
WHERE `id` = ' . $_DELETE['wish_id'] . ';'
WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wish_id']) . ';'
);
}

View file

@ -26,7 +26,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
$wishlist = $database
->query('SELECT *
FROM `wishlists_saved`
WHERE `wishlist` = ' . $_POST['wishlist'] . '
WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . '
;')
->fetch();
@ -34,7 +34,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
/** Delete */
$database
->query('DELETE FROM `wishlists_saved`
WHERE `wishlist` = ' . $_POST['wishlist'] . '
WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . '
;');
$response['action'] = 'deleted';
@ -46,7 +46,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
`wishlist`
) VALUES (
' . $user->id . ',
' . $_POST['wishlist'] . '
' . Sanitiser::getNumber($_POST['wishlist']) . '
)
;');

View file

@ -21,15 +21,18 @@ switch ($_SERVER['REQUEST_METHOD']) {
/**
* Create
*/
$user_id = Sanitiser::getNumber($_SESSION['user']['id']);
$wish_name = Sanitiser::getTitle($_POST['wishlist-name']);
$database->query('INSERT INTO `wishlists`
(
`user`,
`name`,
`hash`
) VALUES (
' . $_SESSION['user']['id'] . ',
"' . $_POST['wishlist-name'] . '",
"' . sha1(time() . $_SESSION['user']['id'] . $_POST['wishlist-name']) . '"
' . $user_id . ',
"' . $wish_name . '",
"' . sha1(time() . $user_id . $wish_name) . '"
)
;');
@ -40,7 +43,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
/**
* Request more wishes
*/
$wishlistID = $_POST['wishlist-id'];
$wishlistID = Sanitiser::getNumber($_POST['wishlist-id']);
/** Get last notification time */
$wishlistQuery = $database
@ -148,8 +151,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
$database
->query('UPDATE `wishlists`
SET `name` = "' . $_PUT['wishlist_title'] . '"
WHERE `id` = ' . $_PUT['wishlist_id'] . '
SET `name` = "' . Sanitiser::getTitle($_PUT['wishlist_title']) . '"
WHERE `id` = ' . Sanitiser::getNumber($_PUT['wishlist_id']) . '
;');
$response['success'] = true;
@ -159,7 +162,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
parse_str(file_get_contents("php://input"), $_DELETE);
$database->query('DELETE FROM `wishlists`
WHERE `id` = ' . $_DELETE['wishlistID'] . '
WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wishlistID']) . '
;');
$response['success'] = true;

View file

@ -28,12 +28,12 @@ class Options
try {
$option = $this->database->query(
'SELECT * FROM `options`
WHERE `key` = "' . $key . '";'
WHERE `key` = "' . Sanitiser::getOption($key) . '";'
)->fetch();
$value = $option['value'] ?? '';
} catch (\Throwable $th) {
//throw $th;
throw $th;
}
return $value;
@ -41,6 +41,9 @@ class Options
public function setOption(string $key, string $value): void
{
$key = Sanitiser::getOption($key);
$value = Sanitiser::getText($value);
$optionExists = 0 !== $this->database
->query('SELECT *
FROM `options`

70
src/classes/sanitiser.php Normal file
View file

@ -0,0 +1,70 @@
<?php
namespace wishthis;
class Sanitiser
{
public static function getNumber(mixed $valueToSanitise): float
{
return preg_replace('/[^0-9\.]+/', '', $valueToSanitise);
}
public static function getPage(mixed $valueToSanitise): string
{
$valueToSanitise = strtolower($valueToSanitise);
return preg_replace('/[^a-z\-_]+/', '', $valueToSanitise);
}
public static function getTable(mixed $valueToSanitise): string
{
$valueToSanitise = strtolower($valueToSanitise);
return preg_replace('/[^a-z_]+/', '', $valueToSanitise);
}
public static function getTitle(mixed $valueToSanitise): string
{
$valueToSanitise = trim($valueToSanitise);
return htmlentities($valueToSanitise, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML5);
}
public static function getText(mixed $valueToSanitise): string
{
$valueToSanitise = trim($valueToSanitise);
return htmlentities($valueToSanitise, ENT_QUOTES | ENT_SUBSTITUTE | ENT_DISALLOWED | ENT_HTML5);
}
public static function getURL(mixed $valueToSanitise): string
{
return preg_replace('/[\s]+/', '', $valueToSanitise);
}
public static function getStatus(mixed $valueToSanitise): string
{
$valueToSanitise = strtolower($valueToSanitise);
return preg_replace('/[^a-z\-_]+/', '', $valueToSanitise);
}
public static function getOption(mixed $valueToSanitise): string
{
return preg_replace('/[^a-zA-Z\_]+/', '', $valueToSanitise);
}
public static function getEmail(mixed $valueToSanitise): string
{
$valueToSanitise = strtolower($valueToSanitise);
return preg_replace('/[^a-z\-_0-9\.+@]+/', '', $valueToSanitise);
}
public static function getSHA1(mixed $valueToSanitise): string
{
$valueToSanitise = strtolower($valueToSanitise);
return preg_replace('/[^a-f0-9]+/', '', $valueToSanitise);
}
}

View file

@ -11,7 +11,7 @@ namespace wishthis;
$page = new Page(__FILE__, __('Login as'), 100);
if (isset($_POST['email'])) {
$email = $_POST['email'];
$email = Sanitiser::getEmail($_POST['email']);
$user = $database
->query(

View file

@ -14,7 +14,7 @@ $page = new Page(__FILE__, __('Login'));
* Login
*/
if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
$email = $_POST['email'];
$email = Sanitiser::getEmail($_POST['email']);
$password = User::generatePassword($_POST['password']);
$database->query('UPDATE `users`
@ -54,7 +54,7 @@ if (isset($_POST['reset'], $_POST['email'])) {
$user = $database
->query('SELECT *
FROM `users`
WHERE `email` = "' . $_POST['email'] . '";')
WHERE `email` = "' . Sanitiser::getEmail($_POST['email']) . '";')
->fetch();
if ($user) {
@ -68,7 +68,7 @@ if (isset($_POST['reset'], $_POST['email'])) {
WHERE `id` = ' . $user['id'] . '
;');
$emailReset = new Email($_POST['email'], __('Password reset link'), 'default', 'password-reset');
$emailReset = new Email($user['email'], __('Password reset link'), 'default', 'password-reset');
$emailReset->setPlaceholder('TEXT_HELLO', __('Hello,'));
$emailReset->setPlaceholder(
'TEXT_PASSWORD_RESET',
@ -84,7 +84,7 @@ if (isset($_POST['reset'], $_POST['email'])) {
'password-reset-link',
$_SERVER['REQUEST_SCHEME'] . '://' .
$_SERVER['HTTP_HOST'] .
Page::PAGE_REGISTER . '&password-reset=' . $_POST['email'] . '&token=' . $token
Page::PAGE_REGISTER . '&password-reset=' . $user['email'] . '&token=' . $token
);
$emailReset->send();

View file

@ -108,7 +108,7 @@ if (isset($_POST['user-id'], $_POST['section'])) {
$database
->query('UPDATE `users`
SET ' . implode(',', $set) . '
WHERE `id` = ' . $_POST['user-id']);
WHERE `id` = ' . Sanitiser::getNumber($_POST['user-id']));
}
if ($loginRequired) {

View file

@ -23,9 +23,10 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
},
$users
);
$user_email = Sanitiser::getEmail($_POST['email']);
$isHuman = false;
$planet = strtolower($_POST['planet']);
$planet = Sanitiser::getTitle($_POST['planet']);
$planetName = strtoupper($planet[0]) . substr($planet, 1);
$planets = array(
strtolower(__('Mercury')),
@ -57,14 +58,17 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
$userRegistered = false;
if (isset($_GET['password-reset'], $_GET['token'])) {
$user_email = Sanitiser::getEmail($_GET['password-reset']);
$user_token = Sanitiser::getSHA1($_GET['token']);
/**
* Password reset
*/
$user = $database
->query(
'SELECT * FROM `users`
WHERE `email` = "' . $_GET['password-reset'] . '"
AND `password_reset_token` = "' . $_GET['token'] . '";'
WHERE `email` = "' . $user_email . '"
AND `password_reset_token` = "' . $user_token . '";'
)
->fetch();
@ -80,7 +84,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
);
$page->messages[] = Page::success(
'Password has been successfully reset for <strong>' . $_GET['password-reset'] . '</strong>.',
'Password has been successfully reset for <strong>' . $user_email . '</strong>.',
'Success'
);
} else {
@ -101,7 +105,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
`password`,
`power`
) VALUES (
"' . $_POST['email'] . '",
"' . $user_email . '",
"' . User::generatePassword($_POST['password']) . '",
100
)
@ -109,7 +113,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
);
$userRegistered = true;
} else {
if (in_array($_POST['email'], $emails)) {
if (in_array($user_email, $emails)) {
$page->messages[] = Page::error(
__('An account with this email address already exists.'),
__('Invalid email address')
@ -121,7 +125,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
`email`,
`password`
) VALUES (
"' . $_POST['email'] . '",
"' . $user_email . '",
"' . User::generatePassword($_POST['password']) . '"
)
;'
@ -138,7 +142,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
*/
if ($userRegistered) {
$userID = $database->lastInsertID();
$wishlistName = __('My hopes and dreams');
$wishlistName = Sanitiser::getTitle(__('My hopes and dreams'));
$database
->query(