[pLog-svn] r3522 - plog/branches/lifetype-1.0.5/class/action
Mark Wu
markplace at gmail.com
Sun Jun 4 17:24:55 GMT 2006
Hi Oscar:
+ $this->registerFieldValidator( "albumName", new
IntegerValidator(), true );
+ $this->registerFieldValidator( "blogId", new
IntegerValidator(), true );
+ $this->registerFieldValidator( "blogName", new
IntegerValidator(), true );
+ $this->registerFieldValidator( "userId", new
IntegerValidator(), true );
+ $this->registerFieldValidator( "blogUserName", new
IntegerValidator(), true );
I just saw the code and the issue. Wow.... The first SQL injection issue ...:(
It seems that even the "Name" fields use IntegerValidator. Is that right?
Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of
> oscar at devel.lifetype.net
> Sent: Sunday, June 04, 2006 6:29 AM
> To: plog-svn at devel.lifetype.net
> Subject: [pLog-svn] r3522 - plog/branches/lifetype-1.0.5/class/action
>
> Author: oscar
> Date: 2006-06-03 22:28:33 +0000 (Sat, 03 Jun 2006) New Revision: 3522
>
> Modified:
> plog/branches/lifetype-1.0.5/class/action/commentaction.class.php
> plog/branches/lifetype-1.0.5/class/action/defaultaction.class.php
>
> plog/branches/lifetype-1.0.5/class/action/resourceserveraction
> .class.php
> plog/branches/lifetype-1.0.5/class/action/rssaction.class.php
> plog/branches/lifetype-1.0.5/class/action/viewalbumaction.class.php
>
> plog/branches/lifetype-1.0.5/class/action/viewarticleaction.class.php
>
> plog/branches/lifetype-1.0.5/class/action/viewarticletrackback
> saction.class.php
>
> plog/branches/lifetype-1.0.5/class/action/viewresourceaction.class.php
> Log:
> added some validation to all action classes, looks like we
> had forgotten it
>
>
> Modified:
> plog/branches/lifetype-1.0.5/class/action/commentaction.class.php
> ===================================================================
> ---
> plog/branches/lifetype-1.0.5/class/action/commentaction.cl
> ass.php 2006-06-03 22:28:13 UTC (rev 3521)
> +++
> plog/branches/lifetype-1.0.5/class/action/commentaction.cl
> ass.php 2006-06-03 22:28:33 UTC (rev 3522)
> @@ -27,6 +27,7 @@
>
> // data validation
> $this->registerFieldValidator(
> "articleId", new IntegerValidator());
> + $this->registerFieldValidator(
> "parentId", new IntegerValidator());
> $this->setValidationErrorView( new ErrorView(
> $this->_blogInfo, "error_incorrect_article_id" ));
> }
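Review bot: The new `parentId` registration omits the third argument that every other registerFieldValidator call in this commit passes as `true`, so its required/optional semantics may differ from the rest of the action classes; if that flag marks a field as optional (its meaning is not visible in this hunk), a comment request with no parentId — the normal case for a top-level comment — would now be rejected, so please confirm the omission is intended or align it as `$this->registerFieldValidator( "parentId", new IntegerValidator(), true );`. A failed parentId check also surfaces through the shared error view as `error_incorrect_article_id`, which will mislead whoever debugs it; a one-line comment such as `// the article-id error message is reused for a bad parentId` would at least make that explicit. The enclosing constructor starts outside the hunk.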
>
>
> Modified:
> plog/branches/lifetype-1.0.5/class/action/defaultaction.class.php
> ===================================================================
> ---
> plog/branches/lifetype-1.0.5/class/action/defaultaction.cl
> ass.php 2006-06-03 22:28:13 UTC (rev 3521)
> +++
> plog/branches/lifetype-1.0.5/class/action/defaultaction.cl
> ass.php 2006-06-03 22:28:33 UTC (rev 3522)
> @@ -6,6 +6,8 @@
> include_once( PLOG_CLASS_PATH."class/dao/blogs.class.php" );
> include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
> include_once(
> PLOG_CLASS_PATH."class/plugin/pluginmanager.class.php" );
> + include_once(
> PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
> + include_once(
> PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
>
> /**
> * \ingroup Action
> @@ -27,14 +29,24 @@
> function DefaultAction( $actionInfo, $request )
> {
> $this->BlogAction( $actionInfo, $request );
> +
> + $this->registerFieldValidator(
> "postCategoryId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "postCategoryName", new StringValidator(), true );
> + $this->registerFieldValidator(
> "userId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "userName", new StringValidator(),
> +true );
> +
> + $this->setValidationErrorView( new
> ErrorView( $this->_blogInfo,
> +"error_fetching_articles" ));
> }
>
> function validate()
> {
> + if( !parent::validate())
> + return false;
> +
> // value of the Date parameter from the request
> $this->_date = $this->_request->getValue( "Date", -1 );
>
> - $this->_categoryName =
> $this->_request->getValue( 'postCategoryName' );
> + $this->_categoryName =
> $this->_request->getValue( 'postCategoryName'
> +);
> $this->_categoryId = $this->_request->getValue(
> 'postCategoryId' );
> if( $this->_categoryId == '' )
> if( $this->_date == -1 )
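Review bot: validate() still reads `Date` straight from the request via `$this->_request->getValue( "Date", -1 )` with no validator registered for it in the constructor, while the log message says validation was added to all action classes; unless BlogAction::validate() covers `Date` (not visible here), that parameter remains unchecked before it is used. The same gap exists in viewarticleaction.class.php, whose validate() reads `Date` and `op` without a matching registration. Registering `$this->registerFieldValidator( "Date", new IntegerValidator(), true );` alongside the others would close it, assuming the expected format is numeric — worth confirming against how `_date` is consumed. The validate() body continues past the end of the hunk.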
>
> Modified:
> plog/branches/lifetype-1.0.5/class/action/resourceserveraction
> .class.php
> ===================================================================
> ---
> plog/branches/lifetype-1.0.5/class/action/resourceserveraction
> .class.php 2006-06-03 22:28:13 UTC (rev 3521)
> +++
> plog/branches/lifetype-1.0.5/class/action/resourceserveraction
> .class.php 2006-06-03 22:28:33 UTC (rev 3522)
> @@ -9,6 +9,8 @@
> include_once( PLOG_CLASS_PATH."class/net/url.class.php" );
> include_once(
> PLOG_CLASS_PATH."class/security/pipeline.class.php" );
> include_once(
> PLOG_CLASS_PATH."class/plugin/pluginmanager.class.php" );
> + include_once(
> PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
> + include_once(
> PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
>
> /**
> * \ingroup Action
> @@ -32,6 +34,23 @@
> $this->_session = $session['SessionInfo'];
>
>
> $this->_config =& Config::getConfig();
> +
> + $this->registerFieldValidator(
> "resource", new StringValidator(), true );
> + $this->registerFieldValidator( "resId",
> new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "albumId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "albumName", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "blogId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "blogName", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "userId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "blogUserName", new IntegerValidator(), true );
> +
> + // since this class does not return
> HTML code but files, we cannot
> + // return HTML so let's return 404
> status code with a custom error message
> + $view = new ResourceServerView();
> + $view->addHeaderResponse( "HTTP/1.1 404
> Not Found" );
> + $view->addHeaderResponse( "Status: 404
> Not Found" );
> + $view->addHeaderResponse(
> "X-LifeType-Error: Invalid parameters" );
> + $this->setValidationErrorView( $view );
> }
>
> /**
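Review bot: The validation-error view answers malformed parameters with `HTTP/1.1 404 Not Found` and `Status: 404 Not Found`, which makes a bad request indistinguishable from a genuinely missing resource for both clients and log analysis; a `400 Bad Request` status would describe the failure and keep 404 meaningful for the not-found branches later in validate(). Separately, `resource` — presumably the name used to locate the file to serve — is covered only by StringValidator here, and the rules that validator applies are not visible in this hunk; if it does not reject path separators and `..`, the file lookup later in the class still needs its own check. The constructor's opening lines are outside the hunk.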
> @@ -100,6 +119,9 @@
>
> function validate()
> {
> + if( !parent::validate())
> + return false;
> +
> // before we do anything, let's find
> out the blogId and if there isn't any, quit
> $this->_getBlogInfo();
> if( $this->_blogInfo == false ) {
> @@ -107,7 +129,7 @@
> $this->_view = new ResourceServerView();
>
> $this->_view->addHeaderResponse( "HTTP/1.1 404 Not Found" );
>
> $this->_view->addHeaderResponse( "Status: 404 Not Found" );
> -
> $this->_view->addHeaderResponse( "X-pLog-Error: Blog $resId
> is not correct" );
> +
> $this->_view->addHeaderResponse( "X-LifeType-Error: Blog $resId is
> +not correct" );
>
> return false;
> }
> @@ -129,7 +151,7 @@
> $this->_view = new ResourceServerView();
>
> $this->_view->addHeaderResponse( "HTTP/1.1 403 Forbidden" );
>
> $this->_view->addHeaderResponse( "Status: 403 Forbidden" );
> -
> $this->_view->addHeaderResponse( "X-pLog-Error: Access is blocked" );
> +
> $this->_view->addHeaderResponse( "X-LifeType-Error: Access is
> +blocked" );
>
> return false;
> }
> @@ -151,7 +173,7 @@
> $this->_view =
> new ResourceServerView();
>
> $this->_view->addHeaderResponse( "HTTP/1.1 404 Not Found" );
>
> $this->_view->addHeaderResponse( "Status: 404 Not Found" );
> -
> $this->_view->addHeaderResponse( "X-pLog-Error: Album
> $albumId not found" );
> +
> $this->_view->addHeaderResponse( "X-LifeType-Error: Album
> +$albumId not found" );
> return false;
> }
> $this->_albumId =
> $album->getId(); @@ -198,7 +220,7 @@
> $this->_view = new ResourceServerView();
>
> $this->_view->addHeaderResponse( "HTTP/1.1 404 Not Found" );
>
> $this->_view->addHeaderResponse( "Status: 404 Not Found" );
> -
> $this->_view->addHeaderResponse( "X-pLog-Error: Resource
> $this->_resId not found" );
> +
> $this->_view->addHeaderResponse( "X-LifeType-Error: Resource
> $this->_resId not found" );
>
> return false;
> }
>
> Modified:
> plog/branches/lifetype-1.0.5/class/action/rssaction.class.php
> ===================================================================
> ---
> plog/branches/lifetype-1.0.5/class/action/rssaction.class.php
> 2006-06-03 22:28:13 UTC (rev 3521)
> +++
> plog/branches/lifetype-1.0.5/class/action/rssaction.class.php
> 2006-06-03 22:28:33 UTC (rev 3522)
> @@ -6,6 +6,8 @@
> include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
> include_once( PLOG_CLASS_PATH."class/locale/locale.class.php" );
> include_once( PLOG_CLASS_PATH."class/locale/locales.class.php" );
> + include_once(
> PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
> + include_once(
> + PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
>
> /**
> * \ingroup Action
> @@ -23,6 +25,14 @@
> function RssAction( $blogInfo, $request )
> {
> $this->BlogAction( $blogInfo, $request );
> +
> + $this->registerFieldValidator(
> "categoryId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "profile", new StringValidator(),
> +true );
> +
> + // generate a dummy view with nothing
> in it to signal an error
> + $view = new RssView( $this->_blogInfo,
> DEFAULT_PROFILE );
> + $view->setValue( "articles", Array());
> + $this->setValidationErrorView( $view );
>
> }
>
> /**
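Review bot: On a validation failure this action serves a normal RssView with an empty `articles` array, so a request with a malformed `categoryId` or `profile` receives a 200 response that looks like an empty feed rather than an error, hiding misuse from feed readers and from server logs alike. If that is the intended trade-off, say so next to the existing comment, e.g. `// NOTE: invalid parameters yield an empty 200 feed, not an error status`. `profile` is a request-supplied string that presumably selects the feed profile, and StringValidator's rules are not visible in this hunk, so confirm it constrains the value enough for that use.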
>
> Modified:
> plog/branches/lifetype-1.0.5/class/action/viewalbumaction.class.php
> ===================================================================
> ---
> plog/branches/lifetype-1.0.5/class/action/viewalbumaction.cl
> ass.php 2006-06-03 22:28:13 UTC (rev 3521)
> +++
> plog/branches/lifetype-1.0.5/class/action/viewalbumaction.cl
> ass.php 2006-06-03 22:28:33 UTC (rev 3522)
> @@ -7,6 +7,7 @@
> include_once(
> PLOG_CLASS_PATH."class/gallery/dao/galleryresources.class.php" );
> include_once(
> PLOG_CLASS_PATH."class/gallery/dao/galleryalbums.class.php" );
> include_once(
> PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
> + include_once(
> + PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
>
> define( "VIEW_ALBUMS_TEMPLATE", "albums" );
> define( "VIEW_ALBUM_TEMPLATE", "album" ); @@ -25,13 +26,21 @@
> function ViewAlbumAction( $actionInfo, $request )
> {
> $this->BlogAction( $actionInfo, $request );
> +
> + $this->registerFieldValidator(
> "albumId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "albumName", new StringValidator(),
> +true );
> +
> + $this->setValidationErrorView( new
> ErrorView( $this->_blogInfo,
> +"error_fetching_album" ));
> }
>
> // checks that the articleId is valid
> function validate()
> {
> + if( !parent::validate())
> + return false;
> +
> $this->_albumId = $this->_request->getValue(
> "albumId", 0 );
> - $this->_albumName = $this->_request->getValue(
> "albumName" );
> + $this->_albumName =
> $this->_request->getValue( "albumName" );
>
> return true;
> }
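Review bot: The comment above validate(), `// checks that the articleId is valid`, is stale for this class — the method reads albumId/albumName and, after the new parent::validate() guard, returns true unconditionally; change it to `// runs the registered albumId/albumName validators, then stores both values`. Note also that `getValue( "albumName" )` has no default while `albumId` defaults to 0, so `_albumName` may be null rather than ""; the `== ""` comparison in the following hunk tolerates that only through loose comparison and would break under `=== ""`.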
> @@ -41,7 +50,7 @@
> $galleryResources = new GalleryResources();
> $galleryAlbums = new GalleryAlbums();
>
> - $browseRootAlbum = ( $this->_albumId == 0 &&
> $this->_albumName == "" );
> + $browseRootAlbum = ( $this->_albumId ==
> 0 && $this->_albumName == ""
> +);
>
> // check which template we should use
> if( $browseRootAlbum )
>
> Modified:
> plog/branches/lifetype-1.0.5/class/action/viewarticleaction.class.php
> ===================================================================
> ---
> plog/branches/lifetype-1.0.5/class/action/viewarticleaction.cl
> ass.php 2006-06-03 22:28:13 UTC (rev 3521)
> +++
> plog/branches/lifetype-1.0.5/class/action/viewarticleaction.cl
> ass.php 2006-06-03 22:28:33 UTC (rev 3522)
> @@ -10,6 +10,8 @@
> include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
> include_once(
> PLOG_CLASS_PATH."class/view/viewarticleview.class.php" );
> include_once(
> PLOG_CLASS_PATH.'class/data/timestamp.class.php' );
> + include_once(
> PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
> + include_once(
> PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
>
> /**
> * \ingroup Action
> @@ -33,14 +35,25 @@
> function ViewArticleAction( $actionInfo, $request )
> {
> $this->BlogAction( $actionInfo, $request );
> +
> + $this->registerFieldValidator(
> "articleId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "articleName", new StringValidator(), true );
> + $this->registerFieldValidator(
> "postCategoryId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "postCategoryName", new StringValidator(), true );
> + $this->registerFieldValidator(
> "userId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "userName", new StringValidator(),
> +true );
> +
> + $this->setValidationErrorView( new
> ErrorView( $this->_blogInfo,
> +"error_fetching_article" ));
> }
>
> // checks that the articleId is valid
> function validate()
> {
> + if( !parent::validate())
> + return( false );
> +
> $this->_articleId = $this->_request->getValue(
> "articleId" );
> $this->_articleName =
> $this->_request->getValue( "articleName" );
> -
> // find some other additional
> parameters and use some 'null' values
> // in casuse they're empty
> $this->_categoryId =
> $this->_request->getValue( "postCategoryId", -1 ); @@ -49,7 +62,7 @@
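Review bot: The new guard uses `return( false );` while every other validate() in this commit writes `return false;`; keep the bare form for consistency across the action classes. The comment `// checks that the articleId is valid` no longer describes the method, which through the parent call now also validates articleName, postCategoryId, postCategoryName, userId and userName — e.g. `// runs the registered field validators, then loads the request parameters`. The validate() body continues past the hunk.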
> $this->_userName =
> $this->_request->getValue( "userName" );
> $this->_date =
> $this->_request->getValue( "Date", -1 );
> $this->_isCommentAdded =
> ($this->_request->getValue( "op" ) == "AddComment" );
> -
> +
> // Caculate the correct article date period
> $adjustedDates =
> $this->_getCorrectedDatePeriod( $this->_date );
> $this->_date = $adjustedDates["adjustedDate"];
>
> Modified:
> plog/branches/lifetype-1.0.5/class/action/viewarticletrackback
> saction.class.php
> ===================================================================
> ---
> plog/branches/lifetype-1.0.5/class/action/viewarticletrackback
> saction.class.php 2006-06-03 22:28:13 UTC (rev 3521)
> +++
> plog/branches/lifetype-1.0.5/class/action/viewarticletrackback
> saction.class.php 2006-06-03 22:28:33 UTC (rev 3522)
> @@ -7,6 +7,7 @@
> include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
> include_once( PLOG_CLASS_PATH."class/dao/users.class.php" );
> include_once(
> PLOG_CLASS_PATH."class/dao/articlecategories.class.php" );
> + include_once(
> +PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
>
> define( "VIEW_TRACKBACKS_TEMPLATE", "posttrackbacks" );
>
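Review bot: Only stringvalidator.class.php is added here, but the constructor changed further down in this file now instantiates IntegerValidator as well, and the visible context (lines 7–13) shows no include for integervalidator.class.php — unlike viewalbumaction and viewresourceaction, where it was already present. Unless it is pulled in earlier in the file or through the BlogAction parent, the class will be undefined at runtime; add `include_once( PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );` next to the new line.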
> @@ -30,11 +31,22 @@
> function ViewArticleTrackbacksAction(
> $actionInfo, $request )
> {
> $this->BlogAction( $actionInfo, $request );
> +
> + $this->registerFieldValidator(
> "articleId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "articleName", new StringValidator(), true );
> + $this->registerFieldValidator(
> "postCategoryId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "postCategoryName", new StringValidator(), true );
> + $this->registerFieldValidator(
> "userId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "userName", new StringValidator(),
> +true );
> +
> + $this->setValidationErrorView( new
> ErrorView( $this->_blogInfo, "error_fetching_article" ));
>
> }
>
> -
> function validate()
> {
> + if( !parent::validate())
> + return false;
> +
> $this->_articleId =
> $this->_request->getValue( "articleId" );
> $this->_articleName =
> $this->_request->getValue( "articleName" );
> $this->_categoryId =
> $this->_request->getValue( "postCategoryId", -1 );
>
> Modified:
> plog/branches/lifetype-1.0.5/class/action/viewresourceaction.class.php
> ===================================================================
> ---
> plog/branches/lifetype-1.0.5/class/action/viewresourceaction.c
> lass.php 2006-06-03 22:28:13 UTC (rev 3521)
> +++
> plog/branches/lifetype-1.0.5/class/action/viewresourceaction.c
> lass.php 2006-06-03 22:28:33 UTC (rev 3522)
> @@ -4,6 +4,7 @@
> include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
> include_once(
> PLOG_CLASS_PATH."class/gallery/dao/galleryresources.class.php" );
> include_once(
> PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
> + include_once(
> + PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
>
> define( "VIEW_RESOURCE_TEMPLATE", "resource" );
>
> @@ -24,11 +25,21 @@
> function ViewResourceAction( $actionInfo, $request )
> {
> $this->BlogAction( $actionInfo, $request );
> +
> + $this->registerFieldValidator( "resId",
> new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "resouce", new StringValidator(), true );
> + $this->registerFieldValidator(
> "albumId", new IntegerValidator(), true );
> + $this->registerFieldValidator(
> "albumName", new StringValidator(),
> +true );
> +
> + $this->setValidationErrorView( new
> ErrorView( $this->_blogInfo, "error_fetching_resource" ));
>
> }
>
> // checks that the articleId is valid
> function validate()
> {
> + if( !parent::validate())
> + return false;
> +
> $this->_resourceId = $this->_request->getValue(
> "resId" );
> $this->_resourceName =
> $this->_request->getValue( "resource" );
> $this->_albumId =
> $this->_request->getValue( "albumId" );
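Review bot: The validator is registered for `"resouce"` (typo) while validate() reads the parameter as `"resource"` a few lines below, so the StringValidator never applies to the value that is actually used and that field stays unvalidated despite the commit's intent; change the registration to `$this->registerFieldValidator( "resource", new StringValidator(), true );`. The equivalent registration in resourceserveraction.class.php spells the field correctly, so the two should agree. The validate() body continues past the end of the hunk.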
>