Closes #1985, Sanitize::clean( ) should provide an option to specify what should/shouldn't be cleaned

git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@5641 3807eeeb-6ff5-0310-8944-8be069107fe0
phpnut 2007-09-15 20:28:46 +00:00
parent b91f9b087d
commit dd5c795b30
2 changed files with 75 additions and 23 deletions


@ -71,7 +71,7 @@ class Sanitize{
* @static * @static
*/ */
function escape($string, $connection = 'default') { function escape($string, $connection = 'default') {
$db = ConnectionManager::getDataSource($connection); $db =& ConnectionManager::getDataSource($connection);
if (is_numeric($string)) { if (is_numeric($string)) {
return $string; return $string;
} }
@ -164,44 +164,69 @@ class Sanitize{
return $str; return $str;
} }
/** /**
* Sanitizes given array or value for safe input. * Sanitizes given array or value for safe input. Use the options to specify
* the connection to use, and what filters should be applied (with a boolean
* value). Valid filters: odd_spaces, encode, dollar, carriage, unicode,
* escape, backslash.
* *
* @param mixed $data Data to sanitize * @param mixed $data Data to sanitize
* @param string $connection DB connection being used * @param mixed $options If string, DB connection being used, otherwise set of options
* @return mixed Sanitized data * @return mixed Sanitized data
* @access public * @access public
* @static * @static
*/ */
function clean($data, $connection = 'default') { function clean($data, $options = array()) {
if (empty($data)) { if (empty($data)) {
return $data; return $data;
} }
if (is_string($options)) {
$options = array('connection' => $options);
} else if (!is_array($options)) {
$options = array();
}
$options = am(array(
'connection' => 'default',
'odd_spaces' => true,
'encode' => true,
'dollar' => true,
'carriage' => true,
'unicode' => true,
'escape' => true,
'backslash' => true
), $options);
if (is_array($data)) { if (is_array($data)) {
foreach ($data as $key => $val) { foreach ($data as $key => $val) {
$data[$key] = Sanitize::clean($val, $connection); $data[$key] = Sanitize::clean($val, $options['connection']);
} }
return $data; return $data;
} else { } else {
//Replace odd spaces with safe ones if ($options['odd_spaces']) {
$val = str_replace(chr(0xCA), '', str_replace(' ', ' ', $data)); $val = str_replace(chr(0xCA), '', str_replace(' ', ' ', $data));
//Encode any HTML to entities. }
if ($options['encode']) {
$val = Sanitize::html($val); $val = Sanitize::html($val);
}
if ($options['dollar']) {
$val = str_replace("\\\$", "$", $val);
}
if ($options['carriage']) {
$val = str_replace("\r", "", $val);
}
//Double-check special chars and remove carriage returns
//For increased SQL security
$val = preg_replace("/\\\$/", "$", $val);
$val = preg_replace("/\r/", "", $val);
$val = str_replace("'", "'", str_replace("!", "!", $val)); $val = str_replace("'", "'", str_replace("!", "!", $val));
//Allow unicode (?) if ($options['unicode']) {
$val = preg_replace("/&#([0-9]+);/s", "&#\\1;", $val); $val = preg_replace("/&#([0-9]+);/s", "&#\\1;", $val);
}
// Escape for DB output if ($options['escape']) {
$val = Sanitize::escape($val, $connection); $val = Sanitize::escape($val, $options['connection']);
}
//Swap user-inputted backslashes (?) if ($options['backslash']) {
$val = preg_replace("/\\\(?!&#|\?#)/", "\\", $val); $val = preg_replace("/\\\(?!&#|\?#)/", "\\", $val);
}
return $val; return $val;
} }
} }
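Review bot: `$val` is only ever initialised inside the `odd_spaces` branch, so calling `Sanitize::clean($string, array('odd_spaces' => false))` leaves `$val` undefined and every later filter (`Sanitize::html`, `Sanitize::escape`, ...) operates on null — the function then returns an empty/null value instead of the input, which callers relying on it for SQL escaping would not notice until data silently disappears; seed it before the first filter with `$val = $data;` and make that branch `$val = str_replace(chr(0xCA), '', str_replace(' ', ' ', $val));`. Separately, the array branch recurses with `Sanitize::clean($val, $options['connection'])`, which discards every filter flag the caller passed, so disabling `encode` or `escape` on an array input has no effect on its elements; it should be `$data[$key] = Sanitize::clean($val, $options);`. The second `str_replace` argument in the odd-spaces line appears here as a plain space, which looks like a rendering artefact of a non-ASCII character — worth confirming against the raw file. The inner `foreach` assignments and the `else` branch are within this hunk, but the class itself continues outside it.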


@ -51,5 +51,32 @@ class SanitizeTest extends UnitTestCase {
$resultNumeric = Sanitize::escape('#1234.23', 'default'); $resultNumeric = Sanitize::escape('#1234.23', 'default');
$this->assertEqual($resultNumeric, '#1234.23'); $this->assertEqual($resultNumeric, '#1234.23');
} }
function testClean() {
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
$expected = 'test & "quote" 'other' ;.$ symbol.another line';
$result = Sanitize::clean($string);
$this->assertEqual($result, $expected);
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
$expected = 'test & ' . Sanitize::escape('"quote"') . ' ' . Sanitize::escape('\'other\'') . ' ;.$ symbol.another line';
$result = Sanitize::clean($string, array('encode' => false));
$this->assertEqual($result, $expected);
$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
$expected = 'test & "quote" \'other\' ;.$ $ symbol.another line';
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false));
$this->assertEqual($result, $expected);
$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
$expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line';
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false));
$this->assertEqual($result, $expected);
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
$expected = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false));
$this->assertEqual($result, $expected);
}
} }
?> ?>
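Review bot: testClean never exercises the two cases most likely to regress in the new option handling: an array input combined with non-default filters, and `odd_spaces => false`. Adding `$this->assertEqual(Sanitize::clean(array('a' => '"x"'), array('encode' => false, 'escape' => false)), array('a' => '"x"'));` and `$this->assertEqual(Sanitize::clean('a b', array('odd_spaces' => false, 'escape' => false)), 'a b');` would pin down that options propagate into nested values and that skipping the first filter still returns the input. A case using the legacy string form, `Sanitize::clean($string, 'default')`, would also guard the backward-compatible signature the docblock promises. The expected strings on the first assertion appear here with entities already decoded, which may be how the page was rendered rather than what the file contains; confirm against the raw source.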