Request.class.php | searchcode

/include/classes/Request.class.php

https://bitbucket.org/webinfopro/sqlitemanager
PHP | 567 lines | 451 code | 94 blank | 22 comment | 79 complexity | 434043e8f86979e78bcd3e3f591b3742 MD5 | raw file

<?php
/**
* Web based SQLite management
* Request input filter
*
* @method      integer  getInt()       getInt($name, $default)    Get a signed integer.
* @method      integer  getUint()      getUint($name, $default)   Get an unsigned integer.
* @method      float    getFloat()     getFloat($name, $default)  Get a floating-point number.
* @method      boolean  getBool()      getBool($name, $default)   Get a boolean.
* @method      string   getWord()      getWord($name, $default)
* @method      string   getAlnum()     getAlnum($name, $default)
* @method      string   getCmd()       getCmd($name, $default)
* @method      string   getBase64()    getBase64($name, $default)
* @method      string   getString()    getString($name, $default)
* @method      string   getHtml()      getHtml($name, $default)
*
* @package SQLiteManager
* @author Frédéric HENNINOT
* @version $Id: SQLite.i18n.php,v 1.25 2006/04/14 15:16:52 freddy78 Exp $ $Revision: 1.25 $
*/

class Request extends ArrayIterator
{
	protected $data = array();

	public $tagBlacklist = array(
			'applet',
			'body',
			'bgsound',
			'base',
			'basefont',
			'embed',
			'frame',
			'frameset',
			'head',
			'html',
			'id',
			'iframe',
			'ilayer',
			'layer',
			'link',
			'meta',
			'name',
			'object',
			'script',
			'style',
			'title',
			'xml'
	);

	public $attrBlacklist = array(
			'action',
			'background',
			'codebase',
			'dynsrc',
			'lowsrc'
	);


	public function __construct($source = null)
	{
		if (is_null($source) || !isset($source))
		{
			$this->data = & $_REQUEST;
		}
		else
		{
			$this->data = & $source;
		}

		parent::__construct($this->data);
	}

	public static function getInstance($source='default') {
		static $request = array();

		$source = strtoupper('_'.$source);

		if(!isset($request[$source])) {
			switch($source) {
				case '_POST':
					$sourceVar =& $_POST;
					break;
				case '_GET':
					$sourceVar =& $_GET;
					break;
				case '_COOKIE':
					$sourceVar =& $_COOKIE;
					break;
				case '_SERVER':
					$sourceVar =& $_SERVER;
					break;
				case '_ENV':
					$sourceVar =& $_ENV;
					break;
				default:
					$sourceVar = $_REQUEST;
					break;
			}

			$request[$source] = new Request($sourceVar);
		}

		return $request[$source];
	}

	public function get($name, $default = null, $filter = 'string')
	{
		if (isset($this->data[$name]))
			return $this->clean($this->data[$name], $filter);

		return $default;
	}

	public function set($name, $value)
	{
		$this->data[$name] = $value;
		parent::offsetSet($name, $value);
	}

	public function setDateFormat($format)
	{
		$this->dateFormat = $format;
	}

	public function exists($name)
	{
		if (isset($this->data[$name]))
			return true;

		return false;
	}

	public function def($name, $value)
	{
		if (isset($this->data[$name]))
			return;

		$this->data[$name] = $value;
		parent::offsetSet($name, $value);
	}

	public function getHash($source, $type='string')
	{
		if(is_array($source))
			foreach($source as $k=>$v)
				$source[$k] = $this->clean($v, $type);

		return $source;
	}

	public function offsetGet($name) {
		return $this->get($name);
	}

	public function clean($source, $type = 'string')
	{
		switch (strtoupper($type))
		{
			case 'INT':
			case 'INTEGER':
				preg_match('/-?[0-9]+/', (string) $source, $matches);
				$result = @ (int) $matches[0];
				break;

			case 'UINT':
				preg_match('/-?[0-9]+/', (string) $source, $matches);
				$result = @ abs((int) $matches[0]);
				break;

			case 'FLOAT':
			case 'DOUBLE':
				preg_match('/-?[0-9]+(\.[0-9]+)?/', (string) $source, $matches);
				$result = @ (float) $matches[0];
				break;

			case 'BOOL':
			case 'BOOLEAN':
				$result = (bool) $source;
				break;

			case 'WORD':
				$result = (string) preg_replace('/[^A-Z_]/i', '', $source);
				break;

			case 'ALNUM':
				$result = (string) preg_replace('/[^A-Z0-9]/i', '', $source);
				break;

			case 'CMD':
				$result = (string) preg_replace('/[^A-Z0-9_\.-]/i', '', $source);
				$result = ltrim($result, '.');
				break;

			case 'BASE64':
				$result = (string) preg_replace('/[^A-Z0-9\/+=]/i', '', $source);
				break;

			case 'STRING':
				$result = (string) $this->_remove($this->_decode((string) $source));
				break;

			case 'RAW':
				$result = (string)$source;
				break;

			case 'ARRAY':
				$result = (array) $source;
				break;

			default:
				if (is_array($source))
				{
					foreach ($source as $key => $value)
					{
						if (is_string($value))
						{
							$source[$key] = $this->_remove($this->_decode($value));
						}
					}
					$result = $source;
				}
				else
				{
					if (is_string($source) && !empty($source))
					{
						$result = $this->_remove($this->_decode($source));
					}
					else
					{
						// Not an array or string.. return the passed parameter
						$result = $source;
					}
				}
				break;
		}

		return $result;
	}

	protected function _decode($source)
	{
		static $ttr;

		if (!is_array($ttr))
		{
			$trans_tbl = get_html_translation_table(HTML_ENTITIES);
			foreach ($trans_tbl as $k => $v)
			{
				$ttr[$v] = utf8_encode($k);
			}
		}
		$source = strtr($source, $ttr);

		// Convert decimal
		$source = preg_replace('/&#(\d+);/me', "utf8_encode(chr(\\1))", $source); // decimal notation

		// Convert hex
		$source = preg_replace('/&#x([a-f0-9]+);/mei', "utf8_encode(chr(0x\\1))", $source); // hex notation

		return $source;
	}

	protected function _remove($source)
	{
		while ($source != $this->_cleanTags($source))
			$source = $this->_cleanTags($source);

		return $source;
	}

	public static function checkAttribute($attrSubSet)
	{
		$attrSubSet[0] = strtolower($attrSubSet[0]);
		$attrSubSet[1] = strtolower($attrSubSet[1]);

		return (((strpos($attrSubSet[1], 'expression') !== false) && ($attrSubSet[0]) == 'style') || (strpos($attrSubSet[1], 'javascript:') !== false) ||
				(strpos($attrSubSet[1], 'behaviour:') !== false) || (strpos($attrSubSet[1], 'vbscript:') !== false) ||
				(strpos($attrSubSet[1], 'mocha:') !== false) || (strpos($attrSubSet[1], 'livescript:') !== false));
	}

	protected function _cleanTags($source)
	{
		$source = $this->_escapeAttributeValues($source);

		$preTag = null;
		$postTag = $source;
		$currentSpace = false;
		$attr = '';

		$tagOpen_start = strpos($source, '<');

		while ($tagOpen_start !== false)
		{
			$preTag .= substr($postTag, 0, $tagOpen_start);
			$postTag = substr($postTag, $tagOpen_start);
			$fromTagOpen = substr($postTag, 1);
			$tagOpen_end = strpos($fromTagOpen, '>');

			$nextOpenTag = (strlen($postTag) > $tagOpen_start) ? strpos($postTag, '<', $tagOpen_start + 1) : false;
			if (($nextOpenTag !== false) && ($nextOpenTag < $tagOpen_end))
			{
				$postTag = substr($postTag, 0, $tagOpen_start) . substr($postTag, $tagOpen_start + 1);
				$tagOpen_start = strpos($postTag, '<');
				continue;
			}

			if ($tagOpen_end === false)
			{
				$postTag = substr($postTag, $tagOpen_start + 1);
				$tagOpen_start = strpos($postTag, '<');
				continue;
			}

			$tagOpen_nested = strpos($fromTagOpen, '<');
			$tagOpen_nested_end = strpos(substr($postTag, $tagOpen_end), '>');
			if (($tagOpen_nested !== false) && ($tagOpen_nested < $tagOpen_end))
			{
				$preTag .= substr($postTag, 0, ($tagOpen_nested + 1));
				$postTag = substr($postTag, ($tagOpen_nested + 1));
				$tagOpen_start = strpos($postTag, '<');
				continue;
			}

			$tagOpen_nested = (strpos($fromTagOpen, '<') + $tagOpen_start + 1);
			$currentTag = substr($fromTagOpen, 0, $tagOpen_end);
			$tagLength = strlen($currentTag);
			$tagLeft = $currentTag;
			$attrSet = array();
			$currentSpace = strpos($tagLeft, ' ');

			if (substr($currentTag, 0, 1) == '/')
			{
				$isCloseTag = true;
				list ($tagName) = explode(' ', $currentTag);
				$tagName = substr($tagName, 1);
			}
			else
			{
				$isCloseTag = false;
				list ($tagName) = explode(' ', $currentTag);
			}

			if ( !preg_match("/^[a-z][a-z0-9]*$/i", $tagName) || !$tagName || in_array(strtolower($tagName), $this->tagBlacklist))
			{
				$postTag = substr($postTag, ($tagLength + 2));
				$tagOpen_start = strpos($postTag, '<');
				continue;
			}

			while ($currentSpace !== false)
			{
				$attr = '';
				$fromSpace = substr($tagLeft, ($currentSpace + 1));
				$nextEqual = strpos($fromSpace, '=');
				$nextSpace = strpos($fromSpace, ' ');
				$openQuotes = strpos($fromSpace, '"');
				$closeQuotes = strpos(substr($fromSpace, ($openQuotes + 1)), '"') + $openQuotes + 1;

				$startAtt = '';
				$startAttPosition = 0;

				if (preg_match('#\s*=\s*\"#', $fromSpace, $matches, PREG_OFFSET_CAPTURE))
				{
					$startAtt = $matches[0][0];
					$startAttPosition = $matches[0][1];
					$closeQuotes = strpos(substr($fromSpace, ($startAttPosition + strlen($startAtt))), '"') + $startAttPosition + strlen($startAtt);
					$nextEqual = $startAttPosition + strpos($startAtt, '=');
					$openQuotes = $startAttPosition + strpos($startAtt, '"');
					$nextSpace = strpos(substr($fromSpace, $closeQuotes), ' ') + $closeQuotes;
				}

				if ($fromSpace != '/' && (($nextEqual && $nextSpace && $nextSpace < $nextEqual) || !$nextEqual))
				{
					if (!$nextEqual)
						$attribEnd = strpos($fromSpace, '/') - 1;
					else
						$attribEnd = $nextSpace - 1;

					if ($attribEnd > 0)
						$fromSpace = substr($fromSpace, $attribEnd + 1);
				}

				if (strpos($fromSpace, '=') !== false)
				{
					if (($openQuotes !== false) && (strpos(substr($fromSpace, ($openQuotes + 1)), '"') !== false))
						$attr = substr($fromSpace, 0, ($closeQuotes + 1));
					else
						$attr = substr($fromSpace, 0, $nextSpace);
				}
				else
				{
					if ($fromSpace != '/')
						$attr = substr($fromSpace, 0, $nextSpace);
				}

				if (!$attr && $fromSpace != '/')
					$attr = $fromSpace;

				$attrSet[] = $attr;

				$tagLeft = substr($fromSpace, strlen($attr));
				$currentSpace = strpos($tagLeft, ' ');
			}

				$preTag .= '</' . $tagName . '>';

			$postTag = substr($postTag, ($tagLength + 2));
			$tagOpen_start = strpos($postTag, '<');
		}

		if ($postTag != '<')
			$preTag .= $postTag;

		return $preTag;
	}

	protected function _cleanAttributes($attrSet)
	{
		$newSet = array();

		$count = count($attrSet);
		for ($i = 0; $i < $count; $i++)
		{
			if (!$attrSet[$i])
				continue;

			$attrSubSet = explode('=', trim($attrSet[$i]), 2);
			$attrSubSet[0] = array_pop(explode(' ', trim($attrSubSet[0])));

			if ((!preg_match('/[a-z]*$/i', $attrSubSet[0]))
			|| (($this->xssAuto) && ((in_array(strtolower($attrSubSet[0]), $this->attrBlacklist))
					|| (substr($attrSubSet[0], 0, 2) == 'on'))))
			{
				continue;
			}

			if (isset($attrSubSet[1]))
			{
				$attrSubSet[1] = trim($attrSubSet[1]);
				$attrSubSet[1] = str_replace('&#', '', $attrSubSet[1]);
				$attrSubSet[1] = preg_replace('/[\n\r]/', '', $attrSubSet[1]);
				$attrSubSet[1] = str_replace('"', '', $attrSubSet[1]);
				if ((substr($attrSubSet[1], 0, 1) == "'") && (substr($attrSubSet[1], (strlen($attrSubSet[1]) - 1), 1) == "'"))
				{
					$attrSubSet[1] = substr($attrSubSet[1], 1, (strlen($attrSubSet[1]) - 2));
				}
				$attrSubSet[1] = stripslashes($attrSubSet[1]);
			}
			else
			{
				continue;
			}

			if (self::checkAttribute($attrSubSet))
				continue;

			$attrFound = in_array(strtolower($attrSubSet[0]), $this->attrArray);

			if ((!$attrFound && $this->attrMethod) || ($attrFound && !$this->attrMethod))
			{
				if (empty($attrSubSet[1]) === false)
				{
					$newSet[] = $attrSubSet[0] . '="' . $attrSubSet[1] . '"';
				}
				elseif ($attrSubSet[1] === "0")
				{
					$newSet[] = $attrSubSet[0] . '="0"';
				}
				else
				{
					$newSet[] = $attrSubSet[0] . '=""';
				}
			}
		}

		return $newSet;
	}

	protected function _escapeAttributeValues($source)
	{
		$alreadyFiltered = '';
		$remainder = $source;
		$badChars = array('<', '"', '>');
		$escapedChars = array('&lt;', '&quot;', '&gt;');
		while (preg_match('#<[^>]*?=\s*?(\"|\')#s', $remainder, $matches, PREG_OFFSET_CAPTURE))
		{
			$quotePosition = $matches[0][1];
			$nextBefore = $quotePosition + strlen($matches[0][0]);

			$quote = substr($matches[0][0], -1);
			$pregMatch = ($quote == '"') ? '#(\"\s*/\s*>|\"\s*>|\"\s+|\"$)#' : "#(\'\s*/\s*>|\'\s*>|\'\s+|\'$)#";

			if (preg_match($pregMatch, substr($remainder, $nextBefore), $matches, PREG_OFFSET_CAPTURE))
				$nextAfter = $nextBefore + $matches[0][1];
			else
				$nextAfter = strlen($remainder);

			$attributeValue = substr($remainder, $nextBefore, $nextAfter - $nextBefore);
			$attributeValue = str_replace($badChars, $escapedChars, $attributeValue);
			$attributeValue = $this->_stripCSSExpressions($attributeValue);
			$alreadyFiltered .= substr($remainder, 0, $nextBefore) . $attributeValue . $quote;
			$remainder = substr($remainder, $nextAfter + 1);
		}

		return $alreadyFiltered . $remainder;
	}

	protected function _stripCSSExpressions($source)
	{
		$test = preg_replace('#\/\*.*\*\/#U', '', $source);
		if (!stripos($test, ':expression'))
		{
			$return = $source;
		}
		else
		{
			if (preg_match_all('#:expression\s*\(#', $test, $matches))
			{
				$test = str_ireplace(':expression', '', $test);
				$return = $test;
			}
		}

		return $return;
	}

	public function __call($name, $arguments)
	{
		if (substr($name, 0, 3) == 'get')
		{

			$filter = substr($name, 3);

			$default = null;
			if (isset($arguments[1]))
				$default = $arguments[1];

			return $this->get($arguments[0], $default, $filter);
		}
	}

	public static function __callstatic($name, $arguments)
	{
		if (substr($name, 0, 3) == 'get')
		{

			$filter = substr($name, 3);

			$default = null;
			if (isset($arguments[1]))
				$default = $arguments[1];

			$source = 'default';
			if(isset($arguments[2]))
				$source = $arguments[2];

			$request = Request::getInstance($source);

			return $request->get($arguments[0], $default, $filter);
		}
	}

	public function __get($source) {
		return $this->get($source);
	}
}