Made correct distinction between validate and escape.

diff --git a/CRM/Activity/Page/AJAX.php b/CRM/Activity/Page/AJAX.php
index 783f262c47f7eda74cbec26afd3156f3c6f26ba8..21164501e6939a7fb7ec16a0197972040c937310 100644 (file)
--- a/CRM/Activity/Page/AJAX.php
+++ b/CRM/Activity/Page/AJAX.php
@@ -37,23 +37,23 @@
  */
 class CRM_Activity_Page_AJAX {
   public static function getCaseActivity() {
-    // Should those params be passed through the getSanitizedParams method?
-    $caseID = CRM_Utils_Type::escape($_GET['caseID'], 'Integer');
-    $contactID = CRM_Utils_Type::escape($_GET['cid'], 'Integer');
-    $userID = CRM_Utils_Type::escape($_GET['userID'], 'Integer');
-    $context = CRM_Utils_Type::escape(CRM_Utils_Array::value('context', $_GET), 'String');
+    // Should those params be passed through the validateParams method?
+    $caseID = CRM_Utils_Type::validate($_GET['caseID'], 'Integer');
+    $contactID = CRM_Utils_Type::validate($_GET['cid'], 'Integer');
+    $userID = CRM_Utils_Type::validate($_GET['userID'], 'Integer');
+    $context = CRM_Utils_Type::validate(CRM_Utils_Array::value('context', $_GET), 'String');
 
     $optionalParameters = array(
       'source_contact_id' => 'Integer',
       'status_id' => 'Integer',
       'activity_deleted' => 'Boolean',
       'activity_type_id' => 'Integer',
-      'activity_date_low' => 'String',
-      'activity_date_high' => 'String',
+      'activity_date_low' => 'Date',
+      'activity_date_high' => 'Date',
     );
 
     $params = CRM_Core_Page_AJAX::defaultSortAndPagerParams();
-    $params += CRM_Core_Page_AJAX::getSanitizedParams(array(), $optionalParameters);
+    $params += CRM_Core_Page_AJAX::validateParams(array(), $optionalParameters);
 
     // get the activities related to given case
     $activities = CRM_Case_BAO_Case::getCaseActivity($caseID, $params, $contactID, $context, $userID);
@@ -399,7 +399,7 @@ class CRM_Activity_Page_AJAX {
     );
 
     $params = CRM_Core_Page_AJAX::defaultSortAndPagerParams();
-    $params += CRM_Core_Page_AJAX::getSanitizedParams($requiredParameters, $optionalParameters);
+    $params += CRM_Core_Page_AJAX::validateParams($requiredParameters, $optionalParameters);
 
     // get the contact activities
     $activities = CRM_Activity_BAO_Activity::getContactActivitySelector($params);

diff --git a/CRM/Core/Page/AJAX.php b/CRM/Core/Page/AJAX.php
index cfc7e8d909be3e410a470d12e64c519ceea9b44b..3a4559878662c5bd9ca12ed1f8b56298b3f0ac30 100644 (file)
--- a/CRM/Core/Page/AJAX.php
+++ b/CRM/Core/Page/AJAX.php
@@ -224,11 +224,11 @@ class CRM_Core_Page_AJAX {
       $sortMapper[$key] = CRM_Utils_Type::escape($value['data'], 'MysqlColumnName');
     };
 
-    $offset = isset($_GET['start']) ? CRM_Utils_Type::escape($_GET['start'], 'Integer') : $defaultOffset;
-    $rowCount = isset($_GET['length']) ? CRM_Utils_Type::escape($_GET['length'], 'Integer') : $defaultRowCount;
+    $offset = isset($_GET['start']) ? CRM_Utils_Type::validate($_GET['start'], 'Integer') : $defaultOffset;
+    $rowCount = isset($_GET['length']) ? CRM_Utils_Type::validate($_GET['length'], 'Integer') : $defaultRowCount;
     // Why is the number of order by columns limited to 1?
-    $sort = isset($_GET['order'][0]['column']) ? CRM_Utils_Array::value(CRM_Utils_Type::escape($_GET['order'][0]['column'], 'Integer'), $sortMapper) : $defaultSort;
-    $sortOrder = isset($_GET['order'][0]['dir']) ? CRM_Utils_Type::escape($_GET['order'][0]['dir'], 'MysqlOrderByDirection') : $defaultsortOrder;
+    $sort = isset($_GET['order'][0]['column']) ? CRM_Utils_Array::value(CRM_Utils_Type::validate($_GET['order'][0]['column'], 'Integer'), $sortMapper) : $defaultSort;
+    $sortOrder = isset($_GET['order'][0]['dir']) ? CRM_Utils_Type::validate($_GET['order'][0]['dir'], 'MysqlOrderByDirection') : $defaultsortOrder;
 
     if ($sort) {
       $params['sortBy'] = "`{$sort}` {$sortOrder}";
@@ -244,16 +244,16 @@ class CRM_Core_Page_AJAX {
     return $params;
   }
 
-  public static function getSanitizedParams($requiredParams = array(), $optionalParams = array()) {
+  public static function validateParams($requiredParams = array(), $optionalParams = array()) {
     $params = array();
 
     foreach ($requiredParams as $param => $type) {
-      $params[$param] = CRM_Utils_Type::escape(CRM_Utils_Array::value($param, $_GET), $type);
+      $params[$param] = CRM_Utils_Type::validate(CRM_Utils_Array::value($param, $_GET), $type);
     }
 
     foreach ($optionalParams as $param => $type) {
       if (CRM_Utils_Array::value($param, $_GET)) {
-        $params[$param] = CRM_Utils_Type::escape(CRM_Utils_Array::value($param, $_GET), $type);
+        $params[$param] = CRM_Utils_Type::validate(CRM_Utils_Array::value($param, $_GET), $type);
       }
     }
 

diff --git a/CRM/Utils/Type.php b/CRM/Utils/Type.php
index 50c242df8d59cde161c5ffe684f463736372e582..81e8274f91f12f6f378ad9dca1e76eb83959ccb7 100644 (file)
--- a/CRM/Utils/Type.php
+++ b/CRM/Utils/Type.php
@@ -377,6 +377,30 @@ class CRM_Utils_Type {
         }
         break;
 
+      case 'MysqlColumnNameLoose':
+        if (CRM_Utils_Rule::mysqlColumnNameLoose($data)) {
+          return data;
+        }
+        break;
+
+      case 'MysqlColumnName':
+        if (CRM_Utils_Rule::mysqlColumnName($data)) {
+          return $data;
+        }
+        break;
+
+      case 'MysqlOrderByDirection':
+        if (CRM_Utils_Rule::mysqlOrderByDirection($data)) {
+          return $data;
+        }
+        break;
+
+      case 'MysqlOrderBy':
+        if (CRM_Utils_Rule::mysqlOrderBy($data)) {
+          return $data;
+        }
+        break;
+
       default:
         CRM_Core_Error::fatal("Cannot recognize $type for $data");
         break;