mirror of
https://github.com/kamilwylegala/cakephp2-php8.git
synced 2024-11-15 11:28:25 +00:00
Closes #1985, Sanitize::clean( ) should provide an option to specify what should/shouldn't be cleaned
git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@5641 3807eeeb-6ff5-0310-8944-8be069107fe0
This commit is contained in:
phpnut
parent
b91f9b087d
commit
dd5c795b30
2 changed files with 75 additions and 23 deletions
|
|
@ -71,7 +71,7 @@ class Sanitize{
|
|||
* @static
|
||||
*/
|
||||
function escape($string, $connection = 'default') {
|
||||
$db = ConnectionManager::getDataSource($connection);
|
||||
$db =& ConnectionManager::getDataSource($connection);
|
||||
if (is_numeric($string)) {
|
||||
return $string;
|
||||
}
|
||||
|
|
@ -164,44 +164,69 @@ class Sanitize{
|
|||
return $str;
|
||||
}
|
||||
/**
|
||||
* Sanitizes given array or value for safe input.
|
||||
* Sanitizes given array or value for safe input. Use the options to specify
|
||||
* the connection to use, and what filters should be applied (with a boolean
|
||||
* value). Valid filters: odd_spaces, encode, dollar, carriage, unicode,
|
||||
* escape, backslash.
|
||||
*
|
||||
* @param mixed $data Data to sanitize
|
||||
* @param string $connection DB connection being used
|
||||
* @param mixed $options If string, DB connection being used, otherwise set of options
|
||||
* @return mixed Sanitized data
|
||||
* @access public
|
||||
* @static
|
||||
*/
|
||||
function clean($data, $connection = 'default') {
|
||||
function clean($data, $options = array()) {
|
||||
if (empty($data)) {
|
||||
return $data;
|
||||
}
|
||||
|
||||
if (is_string($options)) {
|
||||
$options = array('connection' => $options);
|
||||
} else if (!is_array($options)) {
|
||||
$options = array();
|
||||
}
|
||||
|
||||
$options = am(array(
|
||||
'connection' => 'default',
|
||||
'odd_spaces' => true,
|
||||
'encode' => true,
|
||||
'dollar' => true,
|
||||
'carriage' => true,
|
||||
'unicode' => true,
|
||||
'escape' => true,
|
||||
'backslash' => true
|
||||
), $options);
|
||||
|
||||
if (is_array($data)) {
|
||||
foreach ($data as $key => $val) {
|
||||
$data[$key] = Sanitize::clean($val, $connection);
|
||||
$data[$key] = Sanitize::clean($val, $options['connection']);
|
||||
}
|
||||
return $data;
|
||||
} else {
|
||||
//Replace odd spaces with safe ones
|
||||
$val = str_replace(chr(0xCA), '', str_replace(' ', ' ', $data));
|
||||
//Encode any HTML to entities.
|
||||
$val = Sanitize::html($val);
|
||||
if ($options['odd_spaces']) {
|
||||
$val = str_replace(chr(0xCA), '', str_replace(' ', ' ', $data));
|
||||
}
|
||||
if ($options['encode']) {
|
||||
$val = Sanitize::html($val);
|
||||
}
|
||||
if ($options['dollar']) {
|
||||
$val = str_replace("\\\$", "$", $val);
|
||||
}
|
||||
if ($options['carriage']) {
|
||||
$val = str_replace("\r", "", $val);
|
||||
}
|
||||
|
||||
//Double-check special chars and remove carriage returns
|
||||
//For increased SQL security
|
||||
$val = preg_replace("/\\\$/", "$", $val);
|
||||
$val = preg_replace("/\r/", "", $val);
|
||||
$val = str_replace("'", "'", str_replace("!", "!", $val));
|
||||
|
||||
//Allow unicode (?)
|
||||
$val = preg_replace("/&#([0-9]+);/s", "&#\\1;", $val);
|
||||
|
||||
// Escape for DB output
|
||||
$val = Sanitize::escape($val, $connection);
|
||||
|
||||
//Swap user-inputted backslashes (?)
|
||||
$val = preg_replace("/\\\(?!&#|\?#)/", "\\", $val);
|
||||
if ($options['unicode']) {
|
||||
$val = preg_replace("/&#([0-9]+);/s", "&#\\1;", $val);
|
||||
}
|
||||
if ($options['escape']) {
|
||||
$val = Sanitize::escape($val, $options['connection']);
|
||||
}
|
||||
if ($options['backslash']) {
|
||||
$val = preg_replace("/\\\(?!&#|\?#)/", "\\", $val);
|
||||
}
|
||||
return $val;
|
||||
}
|
||||
}
|
||||
|
|
@ -276,4 +301,4 @@ class Sanitize{
|
|||
}
|
||||
}
|
||||
}
|
||||
?>
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -51,5 +51,32 @@ class SanitizeTest extends UnitTestCase {
|
|||
$resultNumeric = Sanitize::escape('#1234.23', 'default');
|
||||
$this->assertEqual($resultNumeric, '#1234.23');
|
||||
}
|
||||
|
||||
function testClean() {
|
||||
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
|
||||
$expected = 'test & "quote" 'other' ;.$ symbol.another line';
|
||||
$result = Sanitize::clean($string);
|
||||
$this->assertEqual($result, $expected);
|
||||
|
||||
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
|
||||
$expected = 'test & ' . Sanitize::escape('"quote"') . ' ' . Sanitize::escape('\'other\'') . ' ;.$ symbol.another line';
|
||||
$result = Sanitize::clean($string, array('encode' => false));
|
||||
$this->assertEqual($result, $expected);
|
||||
|
||||
$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
|
||||
$expected = 'test & "quote" \'other\' ;.$ $ symbol.another line';
|
||||
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false));
|
||||
$this->assertEqual($result, $expected);
|
||||
|
||||
$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
|
||||
$expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line';
|
||||
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false));
|
||||
$this->assertEqual($result, $expected);
|
||||
|
||||
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
|
||||
$expected = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
|
||||
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false));
|
||||
$this->assertEqual($result, $expected);
|
||||
}
|
||||
}
|
||||
?>
|
||||
?>
|
||||
|
|
|
|||
Loading…
Reference in a new issue