<?php
/**
 * Web based SQLite management
 * Request input filter
 *
 * @method integer getInt() getInt($name, $default) Get a signed integer.
 * @method integer getUint() getUint($name, $default) Get an unsigned integer.
 * @method float getFloat() getFloat($name, $default) Get a floating-point number.
 * @method boolean getBool() getBool($name, $default) Get a boolean.
 * @method string getWord() getWord($name, $default) Get a string reduced to letters and underscores.
 * @method string getAlnum() getAlnum($name, $default) Get a string reduced to letters and digits.
 * @method string getCmd() getCmd($name, $default) Get a string reduced to letters, digits, '_', '.' and '-'.
 * @method string getBase64() getBase64($name, $default) Get a string reduced to the base64 alphabet.
 * @method string getString() getString($name, $default) Get a string with entities decoded and markup filtered.
 * @method string getHtml() getHtml($name, $default) Get a string through the default filter branch.
 *
 * @package SQLiteManager
 * @author Frédéric HENNINOT
 * @version $Id: SQLite.i18n.php,v 1.25 2006/04/14 15:16:52 freddy78 Exp $ $Revision: 1.25 $
 */
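class Request extends ArrayIterator
{
    /**
     * Backing store. Every getter reads from here; the parent ArrayIterator only
     * receives a copy at construction time and is kept in sync by set()/def().
     *
     * @var array
     */
    protected $data = array();

    /**
     * Value assigned by setDateFormat(). Declared explicitly so that the setter does
     * not create a dynamic property (deprecated since PHP 8.2). Nothing in this class
     * reads it.
     *
     * @var string|null
     */
    public $dateFormat = null;

    /**
     * Tag names (compared case-insensitively) that _cleanTags() removes outright.
     * This is a denylist: any tag NOT listed here survives the 'string' filter, so
     * callers must still escape for the output context (htmlspecialchars, ...).
     *
     * @var array
     */
    public $tagBlacklist = array(
        'applet',
        'body',
        'bgsound',
        'base',
        'basefont',
        'embed',
        'frame',
        'frameset',
        'head',
        'html',
        'id',
        'iframe',
        'ilayer',
        'layer',
        'link',
        'meta',
        'name',
        'object',
        'script',
        'style',
        'title',
        'xml'
    );

    /**
     * Attribute names rejected by _cleanAttributes(). Only that method consults this
     * list, and _cleanAttributes() is not invoked anywhere in this class.
     *
     * @var array
     */
    public $attrBlacklist = array(
        'action',
        'background',
        'codebase',
        'dynsrc',
        'lowsrc'
    );

    /**
     * Wrap an input array.
     *
     * @param array|null $source Array to wrap. When null the object binds to
     *                           $_REQUEST by reference, so set()/def() write back
     *                           into the superglobal. Note that $_REQUEST merges
     *                           GET, POST and COOKIE, so a cookie can supply a
     *                           value that looks like a request parameter; use
     *                           getInstance('post') / getInstance('get') when the
     *                           origin matters.
     */
    public function __construct($source = null)
    {
        if ($source === null) {
            $this->data = &$_REQUEST;
        } else {
            // $source is passed by value, so this is a private copy.
            $this->data = $source;
        }
        parent::__construct($this->data);
    }

    /**
     * Return a process-wide, lazily created Request per input source.
     *
     * @param string $source One of 'post', 'get', 'cookie', 'server', 'env'
     *                       (case-insensitive); anything else maps to $_REQUEST.
     * @return Request The cached instance for that source.
     */
    public static function getInstance($source = 'default')
    {
        static $instances = array();

        $key = strtoupper('_' . $source);
        if (!isset($instances[$key])) {
            switch ($key) {
                case '_POST':
                    $data = $_POST;
                    break;
                case '_GET':
                    $data = $_GET;
                    break;
                case '_COOKIE':
                    $data = $_COOKIE;
                    break;
                case '_SERVER':
                    $data = $_SERVER;
                    break;
                case '_ENV':
                    $data = $_ENV;
                    break;
                default:
                    // Unknown names silently fall back to the merged superglobal.
                    $data = $_REQUEST;
                    break;
            }
            $instances[$key] = new Request($data);
        }
        return $instances[$key];
    }

    /**
     * Fetch a value and pass it through clean().
     *
     * @param string $name    Key in the wrapped array.
     * @param mixed  $default Returned when the key is absent or null (isset semantics).
     * @param string $filter  Filter name understood by clean(); 'string' by default.
     * @return mixed The filtered value, or $default.
     */
    public function get($name, $default = null, $filter = 'string')
    {
        if (isset($this->data[$name])) {
            return $this->clean($this->data[$name], $filter);
        }
        return $default;
    }

    /**
     * Store a value, unfiltered, in both the backing array and the parent iterator.
     *
     * @param string $name
     * @param mixed  $value
     * @return void
     */
    public function set($name, $value)
    {
        $this->data[$name] = $value;
        parent::offsetSet($name, $value);
    }

    /**
     * Record a date format. The value is stored only; no method here uses it.
     *
     * @param string $format
     * @return void
     */
    public function setDateFormat($format)
    {
        $this->dateFormat = $format;
    }

    /**
     * Whether a key is present and not null (mirrors the isset() check in get()).
     *
     * @param string $name
     * @return boolean
     */
    public function exists($name)
    {
        return isset($this->data[$name]);
    }

    /**
     * Store a value only when the key is not already set (isset semantics).
     *
     * @param string $name
     * @param mixed  $value
     * @return void
     */
    public function def($name, $value)
    {
        if (isset($this->data[$name])) {
            return;
        }
        $this->set($name, $value);
    }

    /**
     * Apply clean() to every element of an array.
     *
     * @param mixed  $source Array to filter; a non-array is returned untouched.
     * @param string $type   Filter name passed to clean().
     * @return mixed The filtered array (keys preserved), or $source unchanged.
     */
    public function getHash($source, $type = 'string')
    {
        if (!is_array($source)) {
            return $source;
        }
        $filtered = array();
        foreach ($source as $key => $value) {
            $filtered[$key] = $this->clean($value, $type);
        }
        return $filtered;
    }

    /**
     * Array access ($request['x']) goes through get() with the default 'string'
     * filter; it never returns the raw stored value.
     *
     * @param mixed $name
     * @return mixed
     */
    #[\ReturnTypeWillChange]
    public function offsetGet($name)
    {
        return $this->get($name);
    }

    /**
     * Coerce/sanitise a single value according to $type.
     *
     * Filters (case-insensitive):
     *   INT/INTEGER  first signed digit run, as int; 0 when none.
     *   UINT         first signed digit run, absolute value; 0 when none.
     *   FLOAT/DOUBLE first signed decimal number, as float; 0.0 when none.
     *   BOOL/BOOLEAN plain (bool) cast — note "false" and "no" are true.
     *   WORD         letters and '_' only.
     *   ALNUM        letters and digits only.
     *   CMD          letters, digits, '_', '.', '-'; leading dots stripped.
     *   BASE64       the base64 alphabet only.
     *   STRING       entity-decoded, then tags filtered by _remove().
     *   RAW          (string) cast, no filtering at all.
     *   ARRAY        (array) cast, no filtering at all.
     *   anything else: strings (and string elements of an array) are filtered as
     *                  STRING; empty strings and other types pass through unchanged.
     *
     * RAW, ARRAY and the pass-through cases return attacker-controlled content
     * verbatim; escape it for the output context before rendering.
     *
     * @param mixed  $source
     * @param string $type
     * @return mixed
     */
    public function clean($source, $type = 'string')
    {
        switch (strtoupper($type)) {
            case 'INT':
            case 'INTEGER':
                preg_match('/-?[0-9]+/', (string) $source, $matches);
                $result = isset($matches[0]) ? (int) $matches[0] : 0;
                break;

            case 'UINT':
                preg_match('/-?[0-9]+/', (string) $source, $matches);
                $result = isset($matches[0]) ? abs((int) $matches[0]) : 0;
                break;

            case 'FLOAT':
            case 'DOUBLE':
                preg_match('/-?[0-9]+(\.[0-9]+)?/', (string) $source, $matches);
                $result = isset($matches[0]) ? (float) $matches[0] : 0.0;
                break;

            case 'BOOL':
            case 'BOOLEAN':
                $result = (bool) $source;
                break;

            case 'WORD':
                $result = (string) preg_replace('/[^A-Z_]/i', '', $source);
                break;

            case 'ALNUM':
                $result = (string) preg_replace('/[^A-Z0-9]/i', '', $source);
                break;

            case 'CMD':
                $result = (string) preg_replace('/[^A-Z0-9_\.-]/i', '', $source);
                // A leading '.' is removed so a CMD value cannot start a relative path.
                $result = ltrim($result, '.');
                break;

            case 'BASE64':
                $result = (string) preg_replace('/[^A-Z0-9\/+=]/i', '', $source);
                break;

            case 'STRING':
                $result = (string) $this->_remove($this->_decode((string) $source));
                break;

            case 'RAW':
                $result = (string) $source;
                break;

            case 'ARRAY':
                $result = (array) $source;
                break;

            default:
                $result = $this->_cleanDefault($source);
                break;
        }
        return $result;
    }

    /**
     * Default branch of clean(): filter strings (top level or one level inside an
     * array) as STRING and leave everything else as it is.
     *
     * @param mixed $source
     * @return mixed
     */
    protected function _cleanDefault($source)
    {
        if (is_array($source)) {
            foreach ($source as $key => $value) {
                if (is_string($value)) {
                    $source[$key] = $this->_remove($this->_decode($value));
                }
            }
            return $source;
        }
        // empty() is deliberate here: '' and '0' are returned untouched.
        if (is_string($source) && !empty($source)) {
            return $this->_remove($this->_decode($source));
        }
        // Not an array or string: return the passed parameter.
        return $source;
    }

    /**
     * Decode HTML entities (named HTML 4.01, decimal and hex numeric) to UTF-8.
     *
     * This canonicalisation runs before tag filtering so that markup hidden behind
     * entities (e.g. &lt;...&gt;) is seen by _cleanTags(). The previous
     * implementation relied on preg_replace()'s /e modifier — removed in PHP 7, so
     * the call returned null and every STRING-filtered value became '' — and on
     * utf8_encode() of chr(), which mangled code points above 255.
     *
     * @param string $source
     * @return string
     */
    protected function _decode($source)
    {
        return html_entity_decode((string) $source, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    }

    /**
     * Run _cleanTags() until the output stops changing, so that markup revealed by
     * a previous pass is filtered too.
     *
     * @param string $source
     * @return string
     */
    protected function _remove($source)
    {
        $cleaned = $this->_cleanTags($source);
        while ($source !== $cleaned) {
            $source = $cleaned;
            $cleaned = $this->_cleanTags($source);
        }
        return $source;
    }

    /**
     * Substring denylist for an attribute name/value pair: true when the value
     * contains a script-capable URI scheme, or when a style attribute contains
     * 'expression'. Matching is case-insensitive and purely textual; anything not
     * listed passes, so this is a last line of defence, not a parser.
     *
     * @param array $attrSubSet [0] => attribute name, [1] => attribute value
     * @return boolean True when the attribute should be rejected.
     */
    public static function checkAttribute($attrSubSet)
    {
        $name = strtolower($attrSubSet[0]);
        $value = strtolower($attrSubSet[1]);

        if ($name === 'style' && strpos($value, 'expression') !== false) {
            return true;
        }
        $schemes = array('javascript:', 'behaviour:', 'vbscript:', 'mocha:', 'livescript:');
        foreach ($schemes as $scheme) {
            if (strpos($value, $scheme) !== false) {
                return true;
            }
        }
        return false;
    }

    /**
     * One pass of tag filtering over $source.
     *
     * Behaviour, as implemented:
     *  - text outside tags is copied through unchanged;
     *  - a tag whose name is not /^[a-z][a-z0-9]*$/i, or is in $tagBlacklist, is
     *    dropped together with its attributes;
     *  - every other tag, opening or closing, is re-emitted as a bare closing tag
     *    '</name>' — its attributes are discarded (which is why _cleanAttributes()
     *    is never needed here);
     *  - a '<' that has no matching '>' is dropped along with what follows it up to
     *    the next tag boundary.
     *
     * NOTE(review): several offsets ($tagOpen_start, $tagOpen_end) are indices into
     * the *previous* value of $postTag / into $fromTagOpen rather than the current
     * $postTag; the comparisons below were kept exactly as written — confirm against
     * the upstream filter before "fixing" them.
     *
     * @param string $source
     * @return string
     */
    protected function _cleanTags($source)
    {
        $source = $this->_escapeAttributeValues($source);
        $preTag = '';
        $postTag = $source;
        $tagOpen_start = strpos($source, '<');

        while ($tagOpen_start !== false) {
            // Everything before the '<' is plain text.
            $preTag .= substr($postTag, 0, $tagOpen_start);
            $postTag = substr($postTag, $tagOpen_start);
            $fromTagOpen = substr($postTag, 1);
            $tagOpen_end = strpos($fromTagOpen, '>');

            // Guard keeps the (stale) offset inside the string: an offset past the
            // end is a ValueError on PHP 8.
            $nextOpenTag = (strlen($postTag) > $tagOpen_start)
                ? strpos($postTag, '<', $tagOpen_start + 1)
                : false;
            if (($nextOpenTag !== false) && ($nextOpenTag < $tagOpen_end)) {
                // Another '<' before this tag closes: drop one '<' and rescan.
                $postTag = substr($postTag, 0, $tagOpen_start) . substr($postTag, $tagOpen_start + 1);
                $tagOpen_start = strpos($postTag, '<');
                continue;
            }

            if ($tagOpen_end === false) {
                // No closing '>' at all: skip ahead and rescan.
                $postTag = substr($postTag, $tagOpen_start + 1);
                $tagOpen_start = strpos($postTag, '<');
                continue;
            }

            $tagOpen_nested = strpos($fromTagOpen, '<');
            if (($tagOpen_nested !== false) && ($tagOpen_nested < $tagOpen_end)) {
                // '<' nested inside the tag: emit up to and including it, rescan after.
                $preTag .= substr($postTag, 0, ($tagOpen_nested + 1));
                $postTag = substr($postTag, ($tagOpen_nested + 1));
                $tagOpen_start = strpos($postTag, '<');
                continue;
            }

            $currentTag = substr($fromTagOpen, 0, $tagOpen_end);
            $tagLength = strlen($currentTag);

            // Tag name is the first space-delimited token, minus a leading '/' on closing tags.
            list($tagName) = explode(' ', $currentTag);
            if (substr($currentTag, 0, 1) === '/') {
                $tagName = substr($tagName, 1);
            }

            if (!preg_match("/^[a-z][a-z0-9]*$/i", $tagName)
                || !$tagName
                || in_array(strtolower($tagName), $this->tagBlacklist, true)
            ) {
                // Malformed or denylisted: drop the entire tag ('<' + name/attrs + '>').
                $postTag = substr($postTag, ($tagLength + 2));
                $tagOpen_start = strpos($postTag, '<');
                continue;
            }

            // Permitted tag: attributes are not carried over, only a closing tag is emitted.
            $preTag .= '</' . $tagName . '>';
            $postTag = substr($postTag, ($tagLength + 2));
            $tagOpen_start = strpos($postTag, '<');
        }

        if ($postTag !== '<') {
            $preTag .= $postTag;
        }
        return $preTag;
    }

    /**
     * Filter a list of 'name=value' attribute strings.
     *
     * NOTE(review): this method is not called from anywhere in this class, and it
     * reads $this->xssAuto, $this->attrArray and $this->attrMethod, none of which
     * this class declares — it looks like a leftover from the upstream filter this
     * class was derived from. Kept for compatibility with subclasses; do not rely
     * on it without first defining those properties.
     *
     * @param array $attrSet
     * @return array Rebuilt 'name="value"' strings for the attributes that survived.
     */
    protected function _cleanAttributes($attrSet)
    {
        $newSet = array();
        $count = count($attrSet);
        for ($i = 0; $i < $count; $i++) {
            if (!$attrSet[$i]) {
                continue;
            }
            $attrSubSet = explode('=', trim($attrSet[$i]), 2);
            // Only variables may be passed by reference: split first, then pop.
            $nameParts = explode(' ', trim($attrSubSet[0]));
            $attrSubSet[0] = array_pop($nameParts);

            if ((!preg_match('/[a-z]*$/i', $attrSubSet[0]))
                || (($this->xssAuto) && ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist, true))
                || (substr($attrSubSet[0], 0, 2) == 'on')))
            ) {
                continue;
            }

            if (!isset($attrSubSet[1])) {
                // Attributes without a value are dropped.
                continue;
            }
            $attrSubSet[1] = trim($attrSubSet[1]);
            $attrSubSet[1] = str_replace('&#', '', $attrSubSet[1]);
            $attrSubSet[1] = preg_replace('/[\n\r]/', '', $attrSubSet[1]);
            $attrSubSet[1] = str_replace('"', '', $attrSubSet[1]);
            if ((substr($attrSubSet[1], 0, 1) == "'")
                && (substr($attrSubSet[1], (strlen($attrSubSet[1]) - 1), 1) == "'")
            ) {
                $attrSubSet[1] = substr($attrSubSet[1], 1, (strlen($attrSubSet[1]) - 2));
            }
            $attrSubSet[1] = stripslashes($attrSubSet[1]);

            if (self::checkAttribute($attrSubSet)) {
                continue;
            }

            $attrFound = in_array(strtolower($attrSubSet[0]), $this->attrArray, true);
            if ((!$attrFound && $this->attrMethod) || ($attrFound && !$this->attrMethod)) {
                if (empty($attrSubSet[1]) === false) {
                    $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[1] . '"';
                } elseif ($attrSubSet[1] === "0") {
                    $newSet[] = $attrSubSet[0] . '="0"';
                } else {
                    $newSet[] = $attrSubSet[0] . '=""';
                }
            }
        }
        return $newSet;
    }

    /**
     * Entity-escape '<', '"' and '>' inside quoted attribute values and strip CSS
     * expressions from them, so that a value cannot inject tag boundaries that
     * _cleanTags() would then mis-tokenise.
     *
     * The original code listed the same characters in both arrays, which made the
     * str_replace() a no-op; the replacement table now actually escapes.
     *
     * @param string $source
     * @return string
     */
    protected function _escapeAttributeValues($source)
    {
        $alreadyFiltered = '';
        $remainder = $source;
        $badChars = array('<', '"', '>');
        $escapedChars = array('&lt;', '&quot;', '&gt;');

        // Locate the next `<tag ... attr="` (or ') that opens a quoted value.
        while (preg_match('#<[^>]*?=\s*?(\"|\')#s', $remainder, $matches, PREG_OFFSET_CAPTURE)) {
            $quotePosition = $matches[0][1];
            $nextBefore = $quotePosition + strlen($matches[0][0]);
            $quote = substr($matches[0][0], -1);

            // The value ends at the first matching quote followed by '>', '/>',
            // whitespace or end of input.
            $pregMatch = ($quote == '"')
                ? '#(\"\s*/\s*>|\"\s*>|\"\s+|\"$)#'
                : "#(\'\s*/\s*>|\'\s*>|\'\s+|\'$)#";
            if (preg_match($pregMatch, substr($remainder, $nextBefore), $matches, PREG_OFFSET_CAPTURE)) {
                $nextAfter = $nextBefore + $matches[0][1];
            } else {
                // Unterminated value: the rest of the input is the value.
                $nextAfter = strlen($remainder);
            }

            $attributeValue = substr($remainder, $nextBefore, $nextAfter - $nextBefore);
            $attributeValue = str_replace($badChars, $escapedChars, $attributeValue);
            $attributeValue = $this->_stripCSSExpressions($attributeValue);

            $alreadyFiltered .= substr($remainder, 0, $nextBefore) . $attributeValue . $quote;
            $remainder = substr($remainder, $nextAfter + 1);
        }
        return $alreadyFiltered . $remainder;
    }

    /**
     * Remove ':expression' (case-insensitive) from a CSS value, after discarding
     * comments so they cannot be used to split the token.
     *
     * Fixes two defects of the original: '!stripos(...)' treated a match at offset
     * 0 as "not found", and a ':expression' not followed by '(' left the return
     * value undefined (null).
     *
     * @param string $source
     * @return string $source unchanged when no expression is present, otherwise the
     *                comment-stripped value with ':expression' removed.
     */
    protected function _stripCSSExpressions($source)
    {
        $test = preg_replace('#\/\*.*\*\/#U', '', $source);
        if (stripos($test, ':expression') === false) {
            return $source;
        }
        return str_ireplace(':expression', '', $test);
    }

    /**
     * Magic getXxx($name, $default) accessors: the part after 'get' is the filter
     * name handed to get()/clean(), e.g. getInt('id', 0).
     *
     * @param string $name
     * @param array  $arguments
     * @return mixed
     * @throws BadMethodCallException   For any method not starting with 'get'
     *                                  (the original returned null silently).
     * @throws InvalidArgumentException When the key argument is missing.
     */
    public function __call($name, $arguments)
    {
        if (substr($name, 0, 3) !== 'get') {
            throw new BadMethodCallException('Call to undefined method Request::' . $name . '()');
        }
        if (!array_key_exists(0, $arguments)) {
            throw new InvalidArgumentException('Request::' . $name . '() expects the parameter name');
        }
        $filter = substr($name, 3);
        $default = isset($arguments[1]) ? $arguments[1] : null;
        return $this->get($arguments[0], $default, $filter);
    }

    /**
     * Static form of __call(): Request::getInt('id', 0, 'post') reads from the
     * cached instance for the given source (see getInstance()).
     *
     * @param string $name
     * @param array  $arguments [0] key, [1] default (optional), [2] source (optional)
     * @return mixed
     * @throws BadMethodCallException   For any method not starting with 'get'.
     * @throws InvalidArgumentException When the key argument is missing.
     */
    public static function __callStatic($name, $arguments)
    {
        if (substr($name, 0, 3) !== 'get') {
            throw new BadMethodCallException('Call to undefined method Request::' . $name . '()');
        }
        if (!array_key_exists(0, $arguments)) {
            throw new InvalidArgumentException('Request::' . $name . '() expects the parameter name');
        }
        $filter = substr($name, 3);
        $default = isset($arguments[1]) ? $arguments[1] : null;
        $source = isset($arguments[2]) ? $arguments[2] : 'default';
        $request = self::getInstance($source);
        return $request->get($arguments[0], $default, $filter);
    }

    /**
     * Property access ($request->x) is get() with the default 'string' filter.
     *
     * @param string $source Key name.
     * @return mixed
     */
    public function __get($source)
    {
        return $this->get($source);
    }
}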