Changeset 72
- Timestamp:
- 06/21/07 17:28:46 (2 years ago)
- Files:
-
- trunk/wp-infocard/pwlib/processing/infocard-post-get-claims.php (modified) (1 diff)
- trunk/wp-infocard/pwlib/processing/infocard-post.php (modified) (1 diff)
- trunk/wp-infocard/pwlib/utils.pwlib.php (modified) (1 diff)
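--- a/trunk/wp-infocard/pwlib/processing/infocard-post-get-claims.php
+++ b/trunk/wp-infocard/pwlib/processing/infocard-post-get-claims.php
@@ -448,6 +448,7 @@
                 break;
             }
-            $AttributeValue = $Attribute->firstChild;
-            $claims[$AttributeName] = $AttributeValue->nodeValue;
+            $AttributeValue = $Attribute->firstChild;
+            $claims[$AttributeName] = pw_utils::cleanInitialClaim($AttributeValue->nodeValue);
+            //$claims[$AttributeName] = pw_utils::cleanInitialClaim(htmlspecialchars($AttributeValue->nodeValue));
             $offset++;
         }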
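Review bot: The commented-out variant on new line 452 is dead code and should be deleted rather than left beside the live call; if it were ever re-enabled it would escape the value twice, since cleanInitialClaim() already applies htmlspecialchars() internally. The live call on line 451 HTML-encodes the claim at ingestion, so a value such as O'Brien is held in $claims as O&#039;Brien before it reaches whatever add_token_value() does with it, and any later output escaping will double-encode it; the usual practice is to keep the raw value here and escape per context at the point of use (HTML at render time, parameters at the SQL layer). The enclosing loop and function start outside the hunk.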
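--- a/trunk/wp-infocard/pwlib/processing/infocard-post.php
+++ b/trunk/wp-infocard/pwlib/processing/infocard-post.php
@@ -88,4 +88,5 @@
     if ($claims[$aclaim->handle])
     {
+        // note data has already been checked for SQL injection
         $aclaim->add_token_value($claims[$aclaim->handle]);
     }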
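Review bot: The added comment on new line 90 overstates what has been done: the value was passed through pw_utils::cleanInitialClaim(), which applies htmlspecialchars() with ENT_QUOTES — an HTML-output escape, not an SQL escape — so whether add_token_value() is safe depends entirely on its own query code using a prepared statement or the driver's escaping. The comment should say what actually happened so nobody later relies on it: `// note: claim value was HTML-escaped by pw_utils::cleanInitialClaim(); SQL safety must come from add_token_value()'s own query code`. The same conflation of HTML escaping with SQL-injection protection appears in the header comment of cleanInitialClaim() in utils.pwlib.php. The enclosing function starts and ends outside the hunk.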
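--- a/trunk/wp-infocard/pwlib/utils.pwlib.php
+++ b/trunk/wp-infocard/pwlib/utils.pwlib.php
@@ -174,4 +174,35 @@
         echo PW_PLUGINURL . "/pwlib/images/pp-logo-bw-small.png";
     }
+    // Function: cleanInitialClaim
+    // Description: to remove the possibility of SQL injection or XSS
+    //              attacks by properly escaping characters that could
+    //              be used to turn a string into a command.
+    // Function & explanation found at: (many thanks)
+    //   http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/
+    // Input: - claimslist entry for the claim to be cleaned
+    // Output: cleaned string
+    // Side-effects: database object is requested from a plugin-specific routine
+    function cleanInitialClaim( $claim )
+    {
+        // not sure if this covers base-64 encoded data yet
+        // but at least it works for the plain stuff.
+
+        if ( get_magic_quotes_gpc() )
+        {
+            $claim = stripslashes( $claim );
+        }
+        $output = htmlspecialchars($claim, ENT_QUOTES);
+        if ($output === $claim)
+        {
+            //nothing exciting happened
+            return $output;
+        }
+        else
+        {
+            pw_utils::printDebug('<br/>DATA HAD TO BE CLEANSED: '.$output.'<br/>');
+            return $output;
+        }
+    }
+
 } // end class pw_utils
 ?>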
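Review bot: The get_magic_quotes_gpc()/stripslashes() branch on new lines 190–193 is applied to a value that, judging by the call site in infocard-post-get-claims.php, comes from a parsed DOM node rather than from $_GET/$_POST/$_COOKIE; magic quotes only alter those superglobals, so with the ini setting on this branch strips legitimate backslashes from claim data and with it off it does nothing, and the four lines are better removed. The header comment also needs correcting: "Side-effects: database object is requested" describes nothing in the body, and the SQL-injection claim should be narrowed to what the code does, e.g. `// Description: HTML-escapes a claim value (htmlspecialchars, ENT_QUOTES) so it can be echoed safely; this is not an SQL escape`. The printDebug() call on line 202 writes the claim value itself into debug output, and claims may carry personal data such as names and e-mail addresses, so consider logging only the claim name or the fact that escaping changed the value. The method is declared without a visibility keyword or `static` even though its callers invoke it as pw_utils::cleanInitialClaim(); `public static function cleanInitialClaim( $claim )` matches the actual usage.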
