Use 'filter_input' to GET and VALIDATE value send as GET/POST param

melanger · vyskocilpavel · commit 28869576916e · 2019-07-09T09:53:24.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 - Removed unused include from 'templates/spDetail-tpl.php'
 - Deleted useless code
 - Deleted 'head' and 'body' tag in tab templates
+- Use 'filter_input' to GET and VALIDATE value send as GET/POST param
 
 #### Fixed
 - Fixed the syntax of CHANGELOG
diff --git a/templates/statistics-tpl.php b/templates/statistics-tpl.php
@@ -34,28 +34,28 @@
 
 $this->includeAtTemplateBase('includes/header.php');
 
-if (!isset($_POST['lastDays'])) {
-    $_POST['lastDays'] = 0;
+if (!isset($this->data['lastDays'])) {
+    $this->data['lastDays'] = 0;
 }
 
-if (!isset($_POST['tab'])) {
-    $_POST['tab'] = 1;
+if (!isset($this->data['tab'])) {
+    $this->data['tab'] = 1;
 }
 
 ?>
 
 <div id="tabdiv">
     <ul class="tabset_tabs" width="100px">
         <li><a id="tab-1"
-               href='<?php echo "summary.php?lastDays=" . $_POST['lastDays']; ?>'>
+               href='<?php echo "summary.php?lastDays=" . $this->data['lastDays']; ?>'>
                 <?php echo $this->t('{proxystatistics:Proxystatistics:summary}'); ?></a>
         </li>
         <li><a id="tab-2"
-               href='<?php echo "identityProviders.php?lastDays=" . $_POST['lastDays']; ?>'>
+               href='<?php echo "identityProviders.php?lastDays=" . $this->data['lastDays']; ?>'>
                 <?php echo $this->t('{proxystatistics:Proxystatistics:templates/statistics-tpl_idpsDetail}'); ?></a>
         </li>
         <li><a id="tab-3"
-               href='<?php echo "serviceProviders.php?lastDays=" . $_POST['lastDays']; ?>'>
+               href='<?php echo "serviceProviders.php?lastDays=" . $this->data['lastDays']; ?>'>
                 <?php echo $this->t('{proxystatistics:Proxystatistics:templates/statistics-tpl_spsDetail}'); ?></a>
         </li>
     </ul>
diff --git a/www/identityProviders.php b/www/identityProviders.php
@@ -12,5 +12,10 @@
 $session = Session::getSessionFromRequest();
 
 $t = new Template($config, 'proxystatistics:identityProviders-tpl.php');
-$t->data['lastDays'] = $_GET['lastDays'];
+$t->data['lastDays'] = filter_input(
+    INPUT_GET,
+    'lastDays',
+    FILTER_VALIDATE_INT,
+    ['options'=>['default'=>0,'min_range'=>0]]
+);
 $t->show();
diff --git a/www/idpDetail.php b/www/idpDetail.php
@@ -13,9 +13,11 @@
 
 $t = new Template($config, 'proxystatistics:idpDetail-tpl.php');
 
-if (!isset($_POST['lastDays'])) {
-    $_POST['lastDays'] = 0;
-}
-$t->data['lastDays'] = $_POST['lastDays'];
-$t->data['entityId'] = $_GET['entityId'];
+$t->data['lastDays'] = filter_input(
+    INPUT_POST,
+    'lastDays',
+    FILTER_VALIDATE_INT,
+    ['options'=>['default'=>0,'min_range'=>0]]
+);
+$t->data['entityId'] = filter_input(INPUT_GET, 'entityId', FILTER_SANITIZE_STRING);
 $t->show();
diff --git a/www/index.php b/www/index.php
@@ -12,15 +12,16 @@
 $session = Session::getSessionFromRequest();
 
 $t = new Template($config, 'proxystatistics:statistics-tpl.php');
-
-if (!isset($_POST['lastDays'])) {
-    $_POST['lastDays'] = 0;
-}
-
-if (!isset($_POST['tab'])) {
-    $_POST['tab'] = 1;
-}
-
-$t->data['lastDays'] = $_POST['lastDays'];
-$t->data['tab'] = $_POST['tab'];
+$t->data['lastDays'] = filter_input(
+    INPUT_POST,
+    'lastDays',
+    FILTER_VALIDATE_INT,
+    ['options'=>['default'=>0,'min_range'=>0]]
+);
+$t->data['tab'] = filter_input(
+    INPUT_POST,
+    'tab',
+    FILTER_VALIDATE_INT,
+    ['options'=>['default'=>0,'min_range'=>1]]
+);
 $t->show();
diff --git a/www/serviceProviders.php b/www/serviceProviders.php
@@ -12,5 +12,10 @@
 $session = Session::getSessionFromRequest();
 
 $t = new Template($config, 'proxystatistics:serviceProviders-tpl.php');
-$t->data['lastDays'] = $_GET['lastDays'];
+$t->data['lastDays'] = filter_input(
+    INPUT_GET,
+    'lastDays',
+    FILTER_VALIDATE_INT,
+    ['options'=>['default'=>0,'min_range'=>0]]
+);
 $t->show();
diff --git a/www/spDetail.php b/www/spDetail.php
@@ -13,10 +13,11 @@
 
 $t = new Template($config, 'proxystatistics:spDetail-tpl.php');
 
-if (!isset($_POST['lastDays'])) {
-    $_POST['lastDays'] = 0;
-}
-
-$t->data['lastDays'] = $_POST['lastDays'];
-$t->data['identifier'] = $_GET['identifier'];
+$t->data['lastDays'] = filter_input(
+    INPUT_POST,
+    'lastDays',
+    FILTER_VALIDATE_INT,
+    ['options'=>['default'=>0,'min_range'=>0]]
+);
+$t->data['identifier'] = filter_input(INPUT_GET, 'identifier', FILTER_SANITIZE_STRING);
 $t->show();
diff --git a/www/summary.php b/www/summary.php
@@ -12,5 +12,10 @@
 $session = Session::getSessionFromRequest();
 
 $t = new Template($config, 'proxystatistics:summary-tpl.php');
-$t->data['lastDays'] = $_GET['lastDays'];
+$t->data['lastDays'] = filter_input(
+    INPUT_GET,
+    'lastDays',
+    FILTER_VALIDATE_INT,
+    ['options'=>['default'=>0,'min_range'=>0]]
+);
 $t->show();
