[pLog-svn] r3681 - plog/branches/lifetype-1.0.6/class/action
mark at devel.lifetype.net
mark at devel.lifetype.net
Mon Jul 3 16:24:24 GMT 2006
Author: mark
Date: 2006-07-03 16:24:24 +0000 (Mon, 03 Jul 2006)
New Revision: 3681
Modified:
plog/branches/lifetype-1.0.6/class/action/blogaction.class.php
plog/branches/lifetype-1.0.6/class/action/defaultaction.class.php
plog/branches/lifetype-1.0.6/class/action/viewarticleaction.class.php
Log:
Fixed a SQL injection reported in plog-svn.
Modified: plog/branches/lifetype-1.0.6/class/action/blogaction.class.php
===================================================================
--- plog/branches/lifetype-1.0.6/class/action/blogaction.class.php 2006-07-03 15:52:54 UTC (rev 3680)
+++ plog/branches/lifetype-1.0.6/class/action/blogaction.class.php 2006-07-03 16:24:24 UTC (rev 3681)
@@ -8,7 +8,8 @@
include_once( PLOG_CLASS_PATH."class/security/pipeline.class.php" );
include_once( PLOG_CLASS_PATH."class/net/http/subdomains.class.php" );
include_once( PLOG_CLASS_PATH."class/dao/referers.class.php" );
- include_once( PLOG_CLASS_PATH."class/dao/articles.class.php" );
+ include_once( PLOG_CLASS_PATH."class/dao/articles.class.php" );
+ include_once( PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
/**
* \ingroup Action
@@ -210,16 +211,18 @@
function checkDateParameter()
{
$date = $this->_request->getValue( 'Date' );
- if( $date ) {
+ $val = new IntegerValidator();
+ if( $date && $val->validate( $date ) ) {
$year = substr( $date, 0, 4);
$month = substr( $date, 4,2 );
$day = substr( $date, 6, 2);
}
else {
- $t = new Timestamp();
- $year = $t->getYear();
- $month = $t->getMonth();
- $day = $t->getDay();
+ $year = date('Y');
+ // $month = $t->getMonth();
+ $month = date('m');
+ // $day = $t->getDay();
+ $day = date('d');
}
$this->_session->setValue( 'Year', $year );
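Review bot: The new condition `if( $date && $val->validate( $date ) )` only establishes that Date is an integer, while the three substr() calls that follow assume exactly eight digits (YYYYMMDD); a short value such as `7` or `20060` now passes the check but leaves $month and $day empty or truncated, and an eight-digit value like `99999999` yields month 99. The fallback to today's date should also cover malformed lengths, e.g. `if( $date && $val->validate( $date ) && strlen( $date ) == 8 )`, and a checkdate() on the extracted parts would catch out-of-range months and days as well. The two commented-out lines `// $month = $t->getMonth();` and `// $day = $t->getDay();` are dead code left over from the removed Timestamp path and should be deleted rather than kept. What IntegerValidator accepts (negative values, a leading sign, surrounding whitespace) is not visible in this diff; if it allows a sign character the substr offsets shift and that character ends up in $year. checkDateParameter continues past the end of the hunk.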
Modified: plog/branches/lifetype-1.0.6/class/action/defaultaction.class.php
===================================================================
--- plog/branches/lifetype-1.0.6/class/action/defaultaction.class.php 2006-07-03 15:52:54 UTC (rev 3680)
+++ plog/branches/lifetype-1.0.6/class/action/defaultaction.class.php 2006-07-03 16:24:24 UTC (rev 3681)
@@ -45,6 +45,10 @@
// value of the Date parameter from the request
$this->_date = $this->_request->getValue( "Date", -1 );
+ $val = new IntegerValidator();
+ if( !$val->validate( $this->_date ) ) {
+ $this->_date = -1;
+ }
$this->_categoryName = $this->_request->getValue( 'postCategoryName' );
$this->_categoryId = $this->_request->getValue( 'postCategoryId' );
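Review bot: The same validate-or-reset block is pasted verbatim here and in the viewarticleaction.class.php hunk, and in both places the neighbouring request parameters that look like integer ids — `postCategoryId` on the line right after the new block here, and `userId` two lines above it in the other file — are still read without any check; if they reach the same query-building code as Date they need the same treatment. Rather than repeating the four lines in each action, a small helper on the base action (e.g. `$this->_date = $this->_getIntParam( "Date", -1 );` wrapping the validator call, name constructed) would keep the check in one place and make it easy to apply to the other parameters. Whether IntegerValidator accepts the -1 default is not visible in this diff; if it rejects negative values the reset is harmless but redundant. The enclosing method starts before the hunk.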
Modified: plog/branches/lifetype-1.0.6/class/action/viewarticleaction.class.php
===================================================================
--- plog/branches/lifetype-1.0.6/class/action/viewarticleaction.class.php 2006-07-03 15:52:54 UTC (rev 3680)
+++ plog/branches/lifetype-1.0.6/class/action/viewarticleaction.class.php 2006-07-03 16:24:24 UTC (rev 3681)
@@ -61,6 +61,10 @@
$this->_userId = $this->_request->getValue( "userId", -1 );
$this->_userName = $this->_request->getValue( "userName" );
$this->_date = $this->_request->getValue( "Date", -1 );
+ $val = new IntegerValidator();
+ if( !$val->validate( $this->_date ) ) {
+ $this->_date = -1;
+ }
$this->_isCommentAdded = ($this->_request->getValue( "op" ) == "AddComment" );
// Caculate the correct article date period