
Bugtracker #3700 - restrict field names to alphanumeric characters

This commit is contained in:
e107steved 2007-01-28 20:49:54 +00:00
parent d01f93b489
commit 884f0691e1
2 changed files with 17 additions and 8 deletions


@ -11,9 +11,9 @@
| GNU General Public License (http://gnu.org).
|
| $Source: /cvs_backup/e107_0.8/e107_admin/users_extended.php,v $
| $Revision: 1.5 $
| $Date: 2007-01-20 16:54:48 $
| $Author: mrpete $
| $Revision: 1.6 $
| $Date: 2007-01-28 20:49:28 $
| $Author: e107steved $
+----------------------------------------------------------------------------+
*/
require_once("../class2.php");
@ -91,6 +91,9 @@ if (isset($_POST['catdown_x']))
if (isset($_POST['add_field']))
{
$ue_field_name = str_replace(' ','_',trim($_POST['user_field'])); // Replace space with underscore - better security
if (preg_match('#^\w+$#',$ue_field_name) === 1) // Check for allowed characters, finite field length
{
if($_POST['user_type']==4)
{
$_POST['user_values'] = array($_POST['table_db'],$_POST['field_id'],$_POST['field_value'],$_POST['field_order']);
@ -99,18 +102,23 @@ if (isset($_POST['add_field']))
$new_parms = $tp->toDB($_POST['user_include']."^,^".$_POST['user_regex']."^,^".$_POST['user_regexfail']."^,^".$_POST['user_hide']);
// Check to see if its a reserved field name before adding to database
if($ue->user_extended_reserved($_POST['user_field']))
if($ue->user_extended_reserved($ue_field_name))
{ // Reserved field name
$message = "[user_".$tp->toHTML($_POST['user_field'])."] ".EXTLAN_74;
$message = "[user_".$tp->toHTML($ue_field_name)."] ".EXTLAN_74;
}
else
{
$result = admin_update($ue->user_extended_add($_POST['user_field'], $_POST['user_text'], $_POST['user_type'], $new_parms, $new_values, $_POST['user_default'], $_POST['user_required'], $_POST['user_read'], $_POST['user_write'], $_POST['user_applicable'], 0, $_POST['user_parent']), 'insert', EXTLAN_29);
$result = admin_update($ue->user_extended_add($ue_field_name, $_POST['user_text'], $_POST['user_type'], $new_parms, $new_values, $_POST['user_default'], $_POST['user_required'], $_POST['user_read'], $_POST['user_write'], $_POST['user_applicable'], 0, $_POST['user_parent']), 'insert', EXTLAN_29);
if(!$result)
{
$message = EXTLAN_75;
}
}
}
else
{
$message = EXTLAN_76." : ".$tp->toHTML($ue_field_name);
}
}
if (isset($_POST['update_field'])) {
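Review bot: The new guard `if (preg_match('#^\w+$#',$ue_field_name) === 1)` is looser than both its own comment ("finite field length") and the wording of EXTLAN_76: `\w+` imposes no length bound, `$` still accepts a trailing newline, and outside the C locale PCRE's `\w` can match bytes beyond A-Z, a-z, 0-9 and `_`. An explicit class, a bound and an absolute end anchor state the intended rule directly: `if (preg_match('#^[A-Za-z0-9_]{1,MAX_LEN}\z#', $ue_field_name) === 1)`, with MAX_LEN (placeholder) set to the width of the column the name is stored in. The other `$_POST` values handed to user_extended_add in the same hunk (user_type, user_default, user_parent, …) are untouched by this commit, and whether user_extended_add checks them cannot be seen here. The `update_field` branch that opens on the hunk's last context line continues outside the hunk.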


@ -4,8 +4,8 @@
| e107 website system - Language File.
|
| $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_users_extended.php,v $
| $Revision: 1.2 $
| $Date: 2007-01-18 20:52:07 $
| $Revision: 1.3 $
| $Date: 2007-01-28 20:49:35 $
| $Author: e107steved $
+----------------------------------------------------------------------------+
*/
@ -88,6 +88,7 @@ define("EXTLAN_72", "has been deactivated");
define("EXTLAN_73", "was not deactivated!");
define("EXTLAN_74", "is a reserved field name and can not be used.");
define("EXTLAN_75", "Error adding field to database.");
define("EXTLAN_76", "Invalid characters in field name - only A-Z, a-z, 0-9, '_' allowed.");
//textbox