Bugtracker #3700 - restrict field names to alphanumeric characters
This commit is contained in:
parent
d01f93b489
commit
884f0691e1
@ -11,9 +11,9 @@
|
||||
| GNU General Public License (http://gnu.org).
|
||||
|
|
||||
| $Source: /cvs_backup/e107_0.8/e107_admin/users_extended.php,v $
|
||||
| $Revision: 1.5 $
|
||||
| $Date: 2007-01-20 16:54:48 $
|
||||
| $Author: mrpete $
|
||||
| $Revision: 1.6 $
|
||||
| $Date: 2007-01-28 20:49:28 $
|
||||
| $Author: e107steved $
|
||||
+----------------------------------------------------------------------------+
|
||||
*/
|
||||
require_once("../class2.php");
|
||||
@ -91,6 +91,9 @@ if (isset($_POST['catdown_x']))
|
||||
|
||||
if (isset($_POST['add_field']))
|
||||
{
|
||||
$ue_field_name = str_replace(' ','_',trim($_POST['user_field'])); // Replace space with underscore - better security
|
||||
if (preg_match('#^\w+$#',$ue_field_name) === 1) // Check for allowed characters, finite field length
|
||||
{
|
||||
if($_POST['user_type']==4)
|
||||
{
|
||||
$_POST['user_values'] = array($_POST['table_db'],$_POST['field_id'],$_POST['field_value'],$_POST['field_order']);
|
||||
@ -99,18 +102,23 @@ if (isset($_POST['add_field']))
|
||||
$new_parms = $tp->toDB($_POST['user_include']."^,^".$_POST['user_regex']."^,^".$_POST['user_regexfail']."^,^".$_POST['user_hide']);
|
||||
|
||||
// Check to see if its a reserved field name before adding to database
|
||||
if($ue->user_extended_reserved($_POST['user_field']))
|
||||
if($ue->user_extended_reserved($ue_field_name))
|
||||
{ // Reserved field name
|
||||
$message = "[user_".$tp->toHTML($_POST['user_field'])."] ".EXTLAN_74;
|
||||
$message = "[user_".$tp->toHTML($ue_field_name)."] ".EXTLAN_74;
|
||||
}
|
||||
else
|
||||
{
|
||||
$result = admin_update($ue->user_extended_add($_POST['user_field'], $_POST['user_text'], $_POST['user_type'], $new_parms, $new_values, $_POST['user_default'], $_POST['user_required'], $_POST['user_read'], $_POST['user_write'], $_POST['user_applicable'], 0, $_POST['user_parent']), 'insert', EXTLAN_29);
|
||||
$result = admin_update($ue->user_extended_add($ue_field_name, $_POST['user_text'], $_POST['user_type'], $new_parms, $new_values, $_POST['user_default'], $_POST['user_required'], $_POST['user_read'], $_POST['user_write'], $_POST['user_applicable'], 0, $_POST['user_parent']), 'insert', EXTLAN_29);
|
||||
if(!$result)
|
||||
{
|
||||
$message = EXTLAN_75;
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$message = EXTLAN_76." : ".$tp->toHTML($ue_field_name);
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($_POST['update_field'])) {
|
||||
|
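Review bot: The `\w` class in `preg_match('#^\w+$#',$ue_field_name)` (add_field hunk) is locale-dependent when the pattern has no `u` modifier, so if the application calls setlocale() with a non-C locale, bytes above 0x7F can satisfy it, which is wider than the A-Z, a-z, 0-9, '_' set that EXTLAN_76 promises; spelling the class out removes that dependency. The accompanying comment claims a "finite field length", but `\w+` imposes no bound, so a quantifier is needed for the comment to be true, and adding the `D` modifier stops `$` from matching before a trailing newline (trim() already strips one here, so that part is belt-and-braces). Suggested line: `if (preg_match('#^[A-Za-z0-9_]{1,64}$#D', $ue_field_name) === 1) // ASCII word characters only, bounded length` with the 64 being a placeholder to be set from the database's column-name limit, since the name becomes part of a column identifier. The update_field branch starts on the hunk's last line and its body is outside the hunk; if it also takes a field name from $_POST, it presumably needs the same validation, which is worth confirming.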
@ -4,8 +4,8 @@
|
||||
| e107 website system - Language File.
|
||||
|
|
||||
| $Source: /cvs_backup/e107_0.8/e107_languages/English/admin/lan_users_extended.php,v $
|
||||
| $Revision: 1.2 $
|
||||
| $Date: 2007-01-18 20:52:07 $
|
||||
| $Revision: 1.3 $
|
||||
| $Date: 2007-01-28 20:49:35 $
|
||||
| $Author: e107steved $
|
||||
+----------------------------------------------------------------------------+
|
||||
*/
|
||||
@ -88,6 +88,7 @@ define("EXTLAN_72", "has been deactivated");
|
||||
define("EXTLAN_73", "was not deactivated!");
|
||||
define("EXTLAN_74", "is a reserved field name and can not be used.");
|
||||
define("EXTLAN_75", "Error adding field to database.");
|
||||
define("EXTLAN_76", "Invalid characters in field name - only A-Z, a-z, 0-9, '_' allowed.");
|
||||
|
||||
|
||||
//textbox
|
||||
|