From ee7de32ea3b2674c02940f410ad91cddaa6efa02 Mon Sep 17 00:00:00 2001
From: stronk7
Date: Tue, 29 Aug 2006 23:53:46 +0000
Subject: [PATCH] relative+cleaned paths
---
 .../edit_field_save/edit_field_save.class.php | 22 +++++++++++--------
 .../edit_index_save/edit_index_save.class.php | 16 +++++++++-----
 .../edit_key_save/edit_key_save.class.php | 18 +++++++++------
 3 files changed, 34 insertions(+), 22 deletions(-)
diff --git a/admin/xmldb/actions/edit_field_save/edit_field_save.class.php b/admin/xmldb/actions/edit_field_save/edit_field_save.class.php
index e0d9b885d8..b3d9e27b3f 100644
--- a/admin/xmldb/actions/edit_field_save/edit_field_save.class.php
+++ b/admin/xmldb/actions/edit_field_save/edit_field_save.class.php
@@ -75,27 +75,31 @@ class edit_field_save extends XMLDBAction {
 /// Do the job, setting result as needed
+ if (!data_submitted('nomatch')) { ///Basic prevention
+ error('Wrong action call');
+ }
+
 /// Get parameters
- $dirpath = required_param('dir', PARAM_CLEAN);
- $dirpath = stripslashes_safe($dirpath);
+ $dirpath = required_param('dir', PARAM_PATH);
+ $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
- $tableparam = strtolower(required_param('table', PARAM_CLEAN));
- $fieldparam = strtolower(required_param('field', PARAM_CLEAN));
- $name = substr(trim(strtolower(optional_param('name', $fieldparam, PARAM_CLEAN))),0,30);
+ $tableparam = strtolower(required_param('table', PARAM_PATH));
+ $fieldparam = strtolower(required_param('field', PARAM_PATH));
+ $name = substr(trim(strtolower(optional_param('name', $fieldparam, PARAM_PATH))),0,30);
 $comment = required_param('comment', PARAM_CLEAN);
 $comment = trim(stripslashes_safe($comment));
 $type = required_param('type', PARAM_INT);
- $length = strtolower(optional_param('length', NULL, PARAM_CLEAN));
- $decimals = optional_param('decimals', NULL, PARAM_CLEAN);
+ $length = strtolower(optional_param('length', NULL, PARAM_ALPHANUM));
+ $decimals = optional_param('decimals', NULL, PARAM_INT);
 $unsigned = optional_param('unsigned', false, PARAM_BOOL);
 $notnull = optional_param('notnull', false, PARAM_BOOL);
 $sequence = optional_param('sequence', false, PARAM_BOOL);
 $enum = optional_param('enum', false, PARAM_BOOL);
 $enumvalues = optional_param('enumvalues', 0, PARAM_CLEAN);
 $enumvalues = trim(stripslashes_safe($enumvalues));
- $default = optional_param('default', NULL, PARAM_CLEAN);
+ $default = optional_param('default', NULL, PARAM_PATH);
 $default = trim(stripslashes_safe($default));
 $editeddir =& $XMLDB->editeddirs[$dirpath];
@@ -284,7 +288,7 @@ class edit_field_save extends XMLDBAction {
 "" . $this->str['administration'] . " -> XMLDB");
 notice ('
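Review bot: Prefixing the user-supplied `dir` with `$CFG->dirroot` on the new `$dirpath` line still relies on PARAM_PATH alone to keep the result inside the code tree; an explicit containment check after the concatenation would state that intent and survive later changes to clean_param(), e.g. `if (strpos(realpath($dirpath), realpath($CFG->dirroot)) !== 0) { error('Wrong action call'); }`. The added `data_submitted('nomatch')` guard, as far as I recall, only rejects requests that carry no POST data (the `'nomatch'` argument skips the referer comparison), so it is not a CSRF check — pairing it with `confirm_sesskey()`, if this tree provides it, would be. PARAM_PATH is presumably a filesystem-path cleaner, so on `table`, `field`, `name` and especially `default` it admits characters that are legal in a path but not in an identifier while stripping ones a default value might need; a shape check such as `if (!preg_match('/^[a-z][a-z0-9_]*$/', $tableparam)) { error('Wrong action call'); }` would pin what is actually accepted. The same parameter block recurs in edit_index_save.class.php (hunk @@ -69,13) and edit_key_save.class.php (hunk @@ -75,13), and the enclosing method starts before and continues after this hunk.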

' .implode(', ', $errors) . '

' . $tempfield->readableInfo(),
- 'index.php?action=edit_field&field=' .$field->getName() . '&table=' . $table->getName() . '&dir=' . urlencode($dirpath));
+ 'index.php?action=edit_field&field=' .$field->getName() . '&table=' . $table->getName() . '&dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)));
 die; /// re-die :-P
 }
diff --git a/admin/xmldb/actions/edit_index_save/edit_index_save.class.php b/admin/xmldb/actions/edit_index_save/edit_index_save.class.php
index 374d52a2ba..0ec2ebd11e 100644
--- a/admin/xmldb/actions/edit_index_save/edit_index_save.class.php
+++ b/admin/xmldb/actions/edit_index_save/edit_index_save.class.php
@@ -69,13 +69,17 @@ class edit_index_save extends XMLDBAction {
 /// Do the job, setting result as needed
+ if (!data_submitted('nomatch')) { ///Basic prevention
+ error('Wrong action call');
+ }
+
 /// Get parameters
- $dirpath = required_param('dir', PARAM_CLEAN);
- $dirpath = stripslashes_safe($dirpath);
+ $dirpath = required_param('dir', PARAM_PATH);
+ $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
- $tableparam = strtolower(required_param('table', PARAM_CLEAN));
- $indexparam = strtolower(required_param('index', PARAM_CLEAN));
- $name = trim(strtolower(optional_param('name', $indexparam, PARAM_CLEAN)));
+ $tableparam = strtolower(required_param('table', PARAM_PATH));
+ $indexparam = strtolower(required_param('index', PARAM_PATH));
+ $name = trim(strtolower(optional_param('name', $indexparam, PARAM_PATH)));
 $comment = required_param('comment', PARAM_CLEAN);
 $comment = trim(stripslashes_safe($comment));
@@ -165,7 +169,7 @@ class edit_index_save extends XMLDBAction {
 "" . $this->str['administration'] . " -> XMLDB");
 notice ('
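Review bot: `str_replace($CFG->dirroot, '', $dirpath)` on the added redirect line removes every occurrence of dirroot, not only the leading one that the parameter hunk prepended, so a relative path that happens to contain the dirroot string would be mangled in the URL; `substr($dirpath, strlen($CFG->dirroot))` strips exactly the prefix. On the same line `$field->getName()` and `$table->getName()` are still concatenated into the query string without urlencode() while `dir` is encoded, an inconsistency worth settling while the line is being rewritten. The same pattern recurs in edit_index_save.class.php (hunk @@ -165,7) and edit_key_save.class.php (hunk @@ -241,7). The print_header() call whose last argument opens this hunk starts before it, and the enclosing method continues past its end.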

' .implode(', ', $errors) . '

' . $tempindex->readableInfo(),
- 'index.php?action=edit_index&index=' .$index->getName() . '&table=' . $table->getName() . '&dir=' . urlencode($dirpath));
+ 'index.php?action=edit_index&index=' .$index->getName() . '&table=' . $table->getName() . '&dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)));
 die; /// re-die :-P
 }
diff --git a/admin/xmldb/actions/edit_key_save/edit_key_save.class.php b/admin/xmldb/actions/edit_key_save/edit_key_save.class.php
index 48d252a03b..68297d4873 100644
--- a/admin/xmldb/actions/edit_key_save/edit_key_save.class.php
+++ b/admin/xmldb/actions/edit_key_save/edit_key_save.class.php
@@ -75,13 +75,17 @@ class edit_key_save extends XMLDBAction {
 /// Do the job, setting result as needed
+ if (!data_submitted('nomatch')) { ///Basic prevention
+ error('Wrong action call');
+ }
+
 /// Get parameters
- $dirpath = required_param('dir', PARAM_CLEAN);
- $dirpath = stripslashes_safe($dirpath);
+ $dirpath = required_param('dir', PARAM_PATH);
+ $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
- $tableparam = strtolower(required_param('table', PARAM_CLEAN));
- $keyparam = strtolower(required_param('key', PARAM_CLEAN));
- $name = trim(strtolower(optional_param('name', $keyparam, PARAM_CLEAN)));
+ $tableparam = strtolower(required_param('table', PARAM_PATH));
+ $keyparam = strtolower(required_param('key', PARAM_PATH));
+ $name = trim(strtolower(optional_param('name', $keyparam, PARAM_PATH)));
 $comment = required_param('comment', PARAM_CLEAN);
 $comment = trim(stripslashes_safe($comment));
@@ -92,7 +96,7 @@ class edit_key_save extends XMLDBAction {
 if ($type == XMLDB_KEY_FOREIGN || $type == XMLDB_KEY_FOREIGN_UNIQUE) {
- $reftable = trim(strtolower(required_param('reftable', PARAM_CLEAN)));
+ $reftable = trim(strtolower(required_param('reftable', PARAM_PATH)));
 $reffields= required_param('reffields', PARAM_CLEAN);
 $reffields = str_replace(' ', '', trim(strtolower(stripslashes_safe($reffields))));
 }
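Review bot: `$reffields` on the context line directly below the changed `$reftable` line is still read with PARAM_CLEAN while every other identifier in this commit moves to PARAM_PATH, and the value — presumably a comma-separated list of referenced column names, given the space removal — gets no further shape check in the hunk @@ -92,7 of edit_key_save.class.php. If XMLDB field names are limited to lowercase letters, digits and underscores, as the strtolower() here suggests, a whitelist after the str_replace() would close that gap, e.g. `if (!preg_match('/^[a-z0-9_]+(,[a-z0-9_]+)*$/', $reffields)) { error('Wrong action call'); }`. The enclosing method starts before and continues after the hunk, so how `$reffields` is consumed later is not visible here.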
@@ -241,7 +245,7 @@ class edit_key_save extends XMLDBAction {
 "" . $this->str['administration'] . " -> XMLDB");
 notice ('

' .implode(', ', $errors) . '

' . $tempkey->readableInfo(),
- 'index.php?action=edit_key&key=' .$key->getName() . '&table=' . $table->getName() . '&dir=' . urlencode($dirpath));
+ 'index.php?action=edit_key&key=' .$key->getName() . '&table=' . $table->getName() . '&dir=' . urlencode(str_replace($CFG->dirroot, '', $dirpath)));
 die; /// re-die :-P
 }
-- 2.39.5