PageRenderTime 28ms CodeModel.GetById 23ms RepoModel.GetById 1ms app.codeStats 0ms

/library/classes/Filtreatment_class.php

https://github.com/md-tech/openemr
PHP | 483 lines | 179 code | 61 blank | 243 comment | 55 complexity | 2968dc9beab1be34a8be082fa4cb91ff MD5 | raw file
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  * FILTREATMENT CLASS FILE
    4. 

  4.  * 
    5. 

  5.  * 
    6. 

  6.  * @author Cristian Năvălici {@link http://www.lemonsoftware.eu} lemonsoftware [at] gmail [.] com
    7. 

  7.  * @version 1.31 17 March 2008
    8. 

  8.  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
    9. 

  9.  * @package Filtreatment
    10. 

  10.  * 
    11. 

  11.  */
    12. 

  12. 

  13. //error_reporting(E_ALL); 
    14. 

  14. 

  15. /**
    16. 

  16.  * constant used in float comparisions
    17. 

  17.  */
    18. 

  18. define('EPSILON', 1.0e-8);
    19. 

  19. 

  20. /**
    21. 

  21.  * CLASS DEFINITION
    22. 

  22.  *
    23. 

  23.  * This class can be used to sanitize user inputs and prevent
    24. 

  24.  * most of known vulnerabilities
    25. 

  25.  * it requires at least PHP 5.0
    26. 

  26.  *
    27. 

  27.  * @package Filtreatment
    28. 

  28.  */
    29. 

  29. class Filtreatment {
    30. 

  30. 

  31. var $minval = 0;
    32. 

  32. var $maxval = 0;
    33. 

  33. var $error = '';
    34. 

  34. 

  35. /**
    36. 

  36.  * CONSTRUCTOR
    37. 

  37.  *
    38. 

  38.  * do some settings at init
    39. 

  39.  *
    40. 

  40.  * @param none
    41. 

  41.  * @return void
    42. 

  42.  */
    43. 

  43. function __construct() {
    44. 

  44.     if ( get_magic_quotes_gpc() ) {
    45. 

  45.         if ( !defined('MAGICQUOTES') ) define ('MAGICQUOTES', TRUE);
    46. 

  46.     } else {
    47. 

  47.         if ( !defined('MAGICQUOTES') ) define ('MAGICQUOTES', FALSE);
    48. 

  48.     }
    49. 

  49. }
    50. 

  50. 

  51. //-----------------------------------------------------------------------------
    52. 

  52. /**
    53. 

  53.  * CHECKS FOR AN INTEGER
    54. 

  54.  * 
    55. 

  55.  * if the $minval and|or $maxval are set, a comparison will be performed
    56. 

  56.  * 
    57. 

  57.  * NOTE: because the function can return 0 also as a valid result, check with === the return value
    58. 

  58.  * @param int $input - what to check/transform
    59. 

  59.  * @return int|bool
    60. 

  60.  */
    61. 

  61. function ft_integer($input) {
    62. 

  62.     $input_c    = (int)$input;
    63. 

  63.     $mnval      = (int)$this->minval;
    64. 

  64.     $mxval      = (int)$this->maxval;
    65. 

  65. 

  66.     if ( !$mnval && !$mxval ) {
    67. 

  67.         return $input_c;
    68. 

  68.     } else if ( $mnval && $mxval ) {
    69. 

  69.         // check if they are in order (min <  max)
    70. 

  70.         if ( $mnval > $mxval ) {
    71. 

  71.             $temp   = $mnval;
    72. 

  72.             $mnval  = $mxval;
    73. 

  73.             $mxval  = $temp;
    74. 

  74.         }
    75. 

  75. 

  76.         // and then check if the value is between these values
    77. 

  77.         return (($input >= $mnval) && ($input <= $mxval)) ? $input_c : FALSE;
    78. 

  78.     } else { 
    79. 

  79.         // only one value set
    80. 

  80.         if ( $mnval ) return (($input >= $mnval) ? $input_c : FALSE );
    81. 

  81.         if ( $mxval ) return (($input <= $mxval) ? $input_c : FALSE );
    82. 

  82.     }
    83. 

  83. 

  84. }
    85. 

  85. 

  86. 

  87. //-----------------------------------------------------------------------------
    88. 

  88. /**
    89. 

  89.  * CHECKS FOR A FLOAT
    90. 

  90.  * 
    91. 

  91.  * if the $minval and|or $maxval are set, a comparison will be performed
    92. 

  92.  * 
    93. 

  93.  * @param int $input - what to check/transform
    94. 

  94.  * @return int|bool
    95. 

  95.  */
    96. 

  96. function ft_float($input) {
    97. 

  97.     $input_c    = (float)$input;
    98. 

  98.     $mnval      = (float)$this->minval;
    99. 

  99.     $mxval      = (float)$this->maxval;
    100. 

  100. 

  101.     if ( !$mnval && !$mxval ) {
    102. 

  102.         return $input_c;
    103. 

  103.     } else if ( $mnval && $mxval ) {
    104. 

  104.         // check if they are in order (min <  max)
    105. 

  105.         if ( $this->ft_realcmp($mnval, $mxval) > 0 ) {
    106. 

  106.             $temp   = $mnval;
    107. 

  107.             $mnval  = $mxval;
    108. 

  108.             $mxval  = $temp;
    109. 

  109.         }
    110. 

  110. 

  111.         // and then check if the value is between these values
    112. 

  112.         $lt = $this->ft_realcmp($input, $mxval); //-1 or 0 for true
    113. 

  113.         if ( $lt === -1 || $lt === 0 ) $lt = $input_c; else $lt = FALSE;
    114. 

  114. 

  115.         $gt = $this->ft_realcmp($input, $mnval); //1 or 0 for true
    116. 

  116.         if ( $gt === 1 || $gt === 0 ) $gt = TRUE; else $gt = FALSE;
    117. 

  117.   
    118. 

  118.         return (( $lt && $gt ) ? $input_c : FALSE);
    119. 

  119.     } else { 
    120. 

  120.         // only one value set
    121. 

  121.         if ( $mnval ) {
    122. 

  122.             $gt = $this->ft_realcmp($input, $mnval); //1 or 0 for true
    123. 

  123.             return ( $gt === 1 || $gt === 0 ) ? $input_c : FALSE;
    124. 

  124.         }
    125. 

  125. 

  126.         if ( $mxval ) {
    127. 

  127.             $lt = $this->ft_realcmp($input, $mxval); //-1 or 0 for true
    128. 

  128.             return ( $lt === -1 || $lt === 0 ) ? $input_c : FALSE;
    129. 

  129.         }
    130. 

  130.     }
    131. 

  131. 

  132. }
    133. 

  133. 

  134. //-----------------------------------------------------------------------------
    135. 

  135. /**
    136. 

  136.  * VALIDATES A DATE
    137. 

  137.  * 
    138. 

  138.  * must be in YYYY-MM-DD format
    139. 

  139.  * 
    140. 

  140.  * @param string $str - date in requested format
    141. 

  141.  * @return string|bool - the string itselfs only for valid date
    142. 

  142.  */
    143. 

  143. function ft_validdate($str) {
    144. 

  144.     if ( preg_match("/([0-9]{4})-([0-9]{1,2})-([0-9]{1,2})/", $str) ) {
    145. 

  145.         $arr = split("-",$str);     // splitting the array
    146. 

  146.         $yy = $arr[0];            // first element of the array is year
    147. 

  147.         $mm = $arr[1];            // second element is month
    148. 

  148.         $dd = $arr[2];            // third element is days
    149. 

  149.         return ( checkdate($mm, $dd, $yy) ? $str : FALSE );
    150. 

  150.     } else {
    151. 

  151.         return FALSE;
    152. 

  152.     }
    153. 

  153. }
    154. 

  154. 

  155. //-----------------------------------------------------------------------------
    156. 

  156. /**
    157. 

  157.  * VALIDATES AN EMAIL
    158. 

  158.  * 
    159. 

  159.  * implies RFC 2822
    160. 

  160.  * 
    161. 

  161.  * @param string $str - email to validate
    162. 

  162.  * @return string|bool - the string itselfs only for valid email
    163. 

  163.  */
    164. 

  164. function ft_email($email) {
    165. 

  165.     if (MAGICQUOTES) {
    166. 

  166.         $value = stripslashes($email);
    167. 

  167.     }
    168. 

  168. 

  169.     // check for @ symbol and maximum allowed lengths
    170. 

  170.     if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) { return FALSE; }
    171. 

  171. 

  172.     // split for sections
    173. 

  173.     $email_array = explode("@", $email);
    174. 

  174.     $local_array = explode(".", $email_array[0]);
    175. 

  175. 

  176.     for ($i = 0; $i < sizeof($local_array); $i++) {
    177. 

  177.         if ( !ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i]) ) {
    178. 

  178.              return FALSE;
    179. 

  179.         }
    180. 

  180.     }
    181. 

  181. 

  182.     if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { 
    183. 

  183.     // verify if domain is IP. If not, it must be a valid domain name 
    184. 

  184.         $domain_array = explode(".", $email_array[1]);
    185. 

  185.         if (sizeof($domain_array) < 2) { return FALSE; }
    186. 

  186. 

  187.         for ($i = 0; $i < sizeof($domain_array); $i++) {
    188. 

  188.             if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) { 
    189. 

  189.                 return false; 
    190. 

  190.             }	
    191. 

  191.         }
    192. 

  192.     } // if 
    193. 

  193. 

  194.     return $email;
    195. 

  195. }
    196. 

  196. 

  197. //-----------------------------------------------------------------------------
    198. 

  198. /**
    199. 

  199.  * PREPARES THE INPUT FOR DATABASE
    200. 

  200.  * 
    201. 

  201.  * works with mysql/postgresql
    202. 

  202.  * NOTE: mysql_real_escape_string() requires that a valid mysql connection (mysql_connect()) exists to work
    203. 

  203.  * 
    204. 

  204.  * @param string $value - email to validate
    205. 

  205.  * @param string $db_type - allow two constants MYSQL | PGSQL
    206. 

  206.  * @return string|bool $value sanitized value
    207. 

  207.  */
    208. 

  208. function ft_dbsql($value, $db_type = 'MYSQL') {
    209. 

  209.    if (MAGICQUOTES) {
    210. 

  210.         $value = stripslashes($value);
    211. 

  211.     }
    212. 

  212. 

  213.     // Quote if not a number or a numeric string
    214. 

  214.     if (!is_numeric($value)) {
    215. 

  215.         /*switch ($db_type) {
    216. 

  216.             case 'MYSQL': $value = "'" . mysql_real_escape_string($value) . "'"; break;
    217. 

  217.             case 'PGSQL': $value = "'" . pg_escape_string($value) . "'"; break;
    218. 

  218.         }*/
    219. 

  219.         // trick to not modify the openemr genuine code who put the string (already quoted) in quotes!
    220. 

  220.         switch ($db_type) {
    221. 

  221.             case 'MYSQL': $value = mysql_real_escape_string($value); break;
    222. 

  222.             case 'PGSQL': $value = pg_escape_string($value); break;
    223. 

  223.         }
    224. 

  224.     }
    225. 

  225. 

  226.     return $value;
    227. 

  227. }
    228. 

  228. 

  229. 

  230. //-----------------------------------------------------------------------------
    231. 

  231. /**
    232. 

  232.  * WORKS ON A STRING WITH REGEX EXPRESSION
    233. 

  233.  * 
    234. 

  234.  * checks a string for specified characters
    235. 

  235.  * 
    236. 

  236.  * @param string $value - variable to sanitize
    237. 

  237.  * @param string $regex - is in a special form detailed below:
    238. 

  238.  * it contains ONLY allowed characters, ANY other characters making invalid string
    239. 

  239.  * it must NOT contain begin/end delimitators  /[... ]/
    240. 

  240.  * eg: 0-9, 0-9A-Za-z, AERS
    241. 

  241.  * @param int $cv - 1 or 2
    242. 

  242.  * @return string|bool return string if check succeed ($cv = 1) or string with replaced chars 
    243. 

    244. 

  244.  */
    245. 

  245. function ft_strregex($value, $regex, $cv = 1) {
    246. 

  246.     $s = TRUE; //var control
    247. 

  247.     $regexfull = "/[^" . $regex . "]/";
    248. 

  248. 

  249.     // function of $cv might be a clean up operation, or just verifying
    250. 

  250.     switch ($cv) {
    251. 

  251.         // verify the string
    252. 

  252.         case '1': 
    253. 

  253.             $s = ( preg_match($regexfull, $value) ? FALSE : TRUE ); 
    254. 

  254.         break;
    255. 

  255. 

  256.         // cleanup the string
    257. 

  257.         case '2':
    258. 

  258.             $value = preg_replace($regexfull,'',$value);
    259. 

  259.         break;
    260. 

  260. 

  261.         // if $cv is not specified or it's wrong
    262. 

  262.         default: if ( preg_match($regexfull, $value) ) $s = FALSE;
    263. 

  263.     }
    264. 

  264. 

  265.     return ( $s ? $value : FALSE );
    266. 

  266. }
    267. 

  267. 

  268. 

  269. 

  270. //-----------------------------------------------------------------------------
    271. 

  271. /**
    272. 

  272.  * CLEANS AGAINST XSS
    273. 

  273.  * 
    274. 

  274.  * NOTE all credits goes to codeigniter.com
    275. 

  275.  * @param string $str - string to check
    276. 

  276.  * @param string $charset - character set (default ISO-8859-1)
    277. 

  277.  * @return string|bool $value sanitized string
    278. 

  278.  */
    279. 

  279. function ft_xss($str, $charset = 'ISO-8859-1') {
    280. 

  280.     /*
    281. 

  281.     * Remove Null Characters
    282. 

  282.     *
    283. 

  283.     * This prevents sandwiching null characters
    284. 

  284.     * between ascii characters, like Java\0script.
    285. 

  285.     *
    286. 

  286.     */
    287. 

  287.     $str = preg_replace('/\0+/', '', $str);
    288. 

  288.     $str = preg_replace('/(\\\\0)+/', '', $str);
    289. 

  289. 

  290.     /*
    291. 

  291.     * Validate standard character entities
    292. 

  292.     *
    293. 

  293.     * Add a semicolon if missing.  We do this to enable
    294. 

  294.     * the conversion of entities to ASCII later.
    295. 

  295.     *
    296. 

  296.     */
    297. 

  297.     $str = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"\\1;",$str);
    298. 

  298. 		
    299. 

  299.     /*
    300. 

  300.     * Validate UTF16 two byte encoding (x00)
    301. 

  301.     *
    302. 

  302.     * Just as above, adds a semicolon if missing.
    303. 

  303.     *
    304. 

  304.     */
    305. 

  305.     $str = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"\\1\\2;",$str);
    306. 

  306. 

  307.     /*
    308. 

  308.     * URL Decode
    309. 

  309.     *
    310. 

  310.     * Just in case stuff like this is submitted:
    311. 

  311.     *
    312. 

  312.     * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
    313. 

  313.     *
    314. 

  314.     * Note: Normally urldecode() would be easier but it removes plus signs
    315. 

  315.     *
    316. 

  316.     */	
    317. 

  317.     $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
    318. 

  318.     $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);		
    319. 

  319. 				
    320. 

  320.     /*
    321. 

  321.     * Convert character entities to ASCII
    322. 

  322.     *
    323. 

  323.     * This permits our tests below to work reliably.
    324. 

  324.     * We only convert entities that are within tags since
    325. 

  325.     * these are the ones that will pose security problems.
    326. 

  326.     *
    327. 

  327.     */
    328. 

  328.     if (preg_match_all("/<(.+?)>/si", $str, $matches)) {		
    329. 

  329.         for ($i = 0; $i < count($matches['0']); $i++) {
    330. 

  330.             $str = str_replace($matches['1'][$i],
    331. 

  331.                 html_entity_decode($matches['1'][$i], ENT_COMPAT, $charset), $str);
    332. 

  332.         }
    333. 

  333.     }
    334. 

  334. 	
    335. 

  335.     /*
    336. 

  336.     * Convert all tabs to spaces
    337. 

  337.     *
    338. 

  338.     * This prevents strings like this: ja	vascript
    339. 

  339.     * Note: we deal with spaces between characters later.
    340. 

  340.     *
    341. 

  341.     */		
    342. 

  342.     $str = preg_replace("#\t+#", " ", $str);
    343. 

  343. 	
    344. 

  344.     /*
    345. 

  345.     * Makes PHP tags safe
    346. 

  346.     *
    347. 

  347.     *  Note: XML tags are inadvertently replaced too:
    348. 

  348.     *
    349. 

  349.     *	<?xml
    350. 

  350.     *
    351. 

  351.     * But it doesn't seem to pose a problem.
    352. 

  352.     *
    353. 

  353.     */		
    354. 

  354.     $str = str_replace(array('<?php', '<?PHP', '<?', '?>'),  array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
    355. 

  355. 	
    356. 

  356.     /*
    357. 

  357.     * Compact any exploded words
    358. 

  358.     *
    359. 

  359.     * This corrects words like:  j a v a s c r i p t
    360. 

  360.     * These words are compacted back to their correct state.
    361. 

  361.     *
    362. 

  362.     */		
    363. 

  363.     $words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
    364. 

  364.     foreach ($words as $word) {
    365. 

  365.         $temp = '';
    366. 

  366.         for ($i = 0; $i < strlen($word); $i++) {
    367. 

  367.             $temp .= substr($word, $i, 1)."\s*";
    368. 

  368.         }
    369. 

  369. 	
    370. 

  370.         $temp = substr($temp, 0, -3);
    371. 

  371.         $str = preg_replace('#'.$temp.'#s', $word, $str);
    372. 

  372.         $str = preg_replace('#'.ucfirst($temp).'#s', ucfirst($word), $str);
    373. 

  373.     }
    374. 

  374. 

  375.     /*
    376. 

  376.     * Remove disallowed Javascript in links or img tags
    377. 

  377.     */		
    378. 

  378.     $str = preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $str);
    379. 

  379.             $str = preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si","", $str);
    380. 

  380.     $str = preg_replace("#<(script|xss).*?\>#si", "", $str);
    381. 

  381. 

  382.     /*
    383. 

  383.     * Remove JavaScript Event Handlers
    384. 

  384.     *
    385. 

  385.     * Note: This code is a little blunt.  It removes
    386. 

  386.     * the event handler and anything up to the closing >,
    387. 

  387.     * but it's unlikely to be a problem.
    388. 

  388.     *
    389. 

  389.     */		
    390. 

  390.     $str = preg_replace('#(<[^>]+.*?)(onblur|onchange|onclick|onfocus|onload|onmouseover|onmouseup|onmousedown|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU',"\\1>",$str);
    391. 

  391.     
    392. 

  392.     /*
    393. 

  393.     * Sanitize naughty HTML elements
    394. 

  394.     *
    395. 

  395.     * If a tag containing any of the words in the list
    396. 

  396.     * below is found, the tag gets converted to entities.
    397. 

  397.             *
    398. 

  398.     * So this: <blink>
    399. 

  399.     * Becomes: &lt;blink&gt;
    400. 

  400.     *
    401. 

  401.     */		
    402. 

  402.     $str = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $str);
    403. 

  403.             
    404. 

  404.     /*
    405. 

  405.     * Sanitize naughty scripting elements
    406. 

  406.     *
    407. 

  407.     * Similar to above, only instead of looking for
    408. 

  408.     * tags it looks for PHP and JavaScript commands
    409. 

  409.     * that are disallowed.  Rather than removing the
    410. 

  410.     * code, it simply converts the parenthesis to entities
    411. 

  411.     * rendering the code un-executable.
    412. 

  412.     *
    413. 

  413.     * For example:	eval('some code')
    414. 

  414.     * Becomes:		eval&#40;'some code'&#41;
    415. 

  415.     *
    416. 

  416.     */
    417. 

  417.     $str = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);
    418. 

  418.                                             
    419. 

  419.     /*
    420. 

  420.     * Final clean up
    421. 

  421.     *
    422. 

  422.     * This adds a bit of extra precaution in case
    423. 

  423.     * something got through the above filters
    424. 

  424.     *
    425. 

  425.     */	
    426. 

  426. 

  427.     $bad = array(
    428. 

  428.             'document.cookie'	=> '',
    429. 

  429.             'document.write'	=> '',
    430. 

  430.             'window.location'	=> '',
    431. 

  431.             "javascript\s*:"	=> '',
    432. 

  432.             "Redirect\s+302"	=> '',
    433. 

  433.             '<!--'			=> '&lt;!--',
    434. 

  434.             '-->'			=> '--&gt;'
    435. 

  435.     );
    436. 

  436.     
    437. 

  437.     foreach ($bad as $key => $val)	{
    438. 

  438.             $str = preg_replace("#".$key."#i", $val, $str);
    439. 

  439.     }
    440. 

  440. 

  441.     return $str;
    442. 

  442. 

  443. }
    444. 

  444. 

  445. //-----------------------------------------------------------------------------
    446. 

  446. /**
    447. 

  447.  * DISPLAY ERRORS
    448. 

  448.  * 
    449. 

  449.  * @param int $mode - if 1 then echo the string; if 2 then echo the string
    450. 

  450.  * @return void
    451. 

  451.  */
    452. 

  452. function display_error($mode = 1) {
    453. 

  453.     $errstr = ( $this->error ) ? $this->error : '';
    454. 

  454.     if ( $mode == 1 ) {
    455. 

  455.         echo '<br />' .$this->ft_xss($errstr) . '<br />';
    456. 

  456.     } else {
    457. 

  457.         return $this->ft_xss($errstr);
    458. 

  458.     }
    459. 

  459. }
    460. 

  460. 

  461. 

  462. //-----------------------------------------------------------------------------
    463. 

  463. /**
    464. 

  464.  * REAL COMPARASION BETWEEN FLOATS
    465. 

  465.  * 
    466. 

  466.  * 0 - for ==, 1 for r1 > r2, -1 for r1 '<' r2
    467. 

  467.  *
    468. 

  468.  * @param float $r1
    469. 

  469.  * @param float $r2
    470. 

  470.  * @return int 
    471. 

  471.  */
    472. 

  472. function ft_realcmp($r1, $r2) {
    473. 

  473.     $diff = $r1 - $r2;
    474. 

  474. 

  475.     if ( abs($diff) < EPSILON ) return 0;
    476. 

  476.     else return $diff < 0 ? -1 : 1;
    477. 

  477. }
    478. 

  478. 

  479. 

  480. //-----------------------------------------------------------------------------
    481. 

  481. } // class
    482. 

  482. 

  483. ?>
    484. 

  484.