From: Mattias Michaux Date: Tue, 26 Apr 2016 05:50:23 +0000 (+0200) Subject: Made correct distinction between validate and escape. X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=5d817a1382dd8a7b2352b67743e6f6a7807c4ba6;p=civicrm-core.git Made correct distinction between validate and escape.
---
diff --git a/CRM/Activity/Page/AJAX.php b/CRM/Activity/Page/AJAX.php
index 783f262c47..21164501e6 100644
--- a/CRM/Activity/Page/AJAX.php
+++ b/CRM/Activity/Page/AJAX.php
@@ -37,23 +37,23 @@
  */
 class CRM_Activity_Page_AJAX {
 public static function getCaseActivity() {
- // Should those params be passed through the getSanitizedParams method?
- $caseID = CRM_Utils_Type::escape($_GET['caseID'], 'Integer');
- $contactID = CRM_Utils_Type::escape($_GET['cid'], 'Integer');
- $userID = CRM_Utils_Type::escape($_GET['userID'], 'Integer');
- $context = CRM_Utils_Type::escape(CRM_Utils_Array::value('context', $_GET), 'String');
+ // Should those params be passed through the validateParams method?
+ $caseID = CRM_Utils_Type::validate($_GET['caseID'], 'Integer');
+ $contactID = CRM_Utils_Type::validate($_GET['cid'], 'Integer');
+ $userID = CRM_Utils_Type::validate($_GET['userID'], 'Integer');
+ $context = CRM_Utils_Type::validate(CRM_Utils_Array::value('context', $_GET), 'String');
 $optionalParameters = array(
 'source_contact_id' => 'Integer',
 'status_id' => 'Integer',
 'activity_deleted' => 'Boolean',
 'activity_type_id' => 'Integer',
- 'activity_date_low' => 'String',
- 'activity_date_high' => 'String',
+ 'activity_date_low' => 'Date',
+ 'activity_date_high' => 'Date',
 );
 $params = CRM_Core_Page_AJAX::defaultSortAndPagerParams();
- $params += CRM_Core_Page_AJAX::getSanitizedParams(array(), $optionalParameters);
+ $params += CRM_Core_Page_AJAX::validateParams(array(), $optionalParameters);
 // get the activities related to given case
 $activities = CRM_Case_BAO_Case::getCaseActivity($caseID, $params, $contactID, $context, $userID);
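Review bot: `$_GET['caseID']`, `$_GET['cid']` and `$_GET['userID']` are still read with a direct index, so a request that omits any of them raises an undefined-index notice before validate() ever sees the (null) value, while `context` on the next line already goes through `CRM_Utils_Array::value`. Since the renamed validateParams() takes a required-parameter map, the three lookups collapse into the call the comment is asking about: `$required = array('caseID' => 'Integer', 'cid' => 'Integer', 'userID' => 'Integer');` and `$params += CRM_Core_Page_AJAX::validateParams($required, $optionalParameters);`, with `$caseID`/`$contactID`/`$userID` taken from `$params`. Whether validate() accepts the new 'Date' type for activity_date_low/high is not visible in this diff (the Type.php hunk shows only the Mysql* cases being added), so that should be confirmed before merge. getCaseActivity() continues past the end of the hunk.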
@@ -399,7 +399,7 @@ class CRM_Activity_Page_AJAX {
 );
 $params = CRM_Core_Page_AJAX::defaultSortAndPagerParams();
- $params += CRM_Core_Page_AJAX::getSanitizedParams($requiredParameters, $optionalParameters);
+ $params += CRM_Core_Page_AJAX::validateParams($requiredParameters, $optionalParameters);
 // get the contact activities
 $activities = CRM_Activity_BAO_Activity::getContactActivitySelector($params);
diff --git a/CRM/Core/Page/AJAX.php b/CRM/Core/Page/AJAX.php
index cfc7e8d909..3a45598786 100644
--- a/CRM/Core/Page/AJAX.php
+++ b/CRM/Core/Page/AJAX.php
@@ -224,11 +224,11 @@ class CRM_Core_Page_AJAX {
 $sortMapper[$key] = CRM_Utils_Type::escape($value['data'], 'MysqlColumnName');
 };
- $offset = isset($_GET['start']) ? CRM_Utils_Type::escape($_GET['start'], 'Integer') : $defaultOffset;
- $rowCount = isset($_GET['length']) ? CRM_Utils_Type::escape($_GET['length'], 'Integer') : $defaultRowCount;
+ $offset = isset($_GET['start']) ? CRM_Utils_Type::validate($_GET['start'], 'Integer') : $defaultOffset;
+ $rowCount = isset($_GET['length']) ? CRM_Utils_Type::validate($_GET['length'], 'Integer') : $defaultRowCount;
 // Why is the number of order by columns limited to 1?
- $sort = isset($_GET['order'][0]['column']) ? CRM_Utils_Array::value(CRM_Utils_Type::escape($_GET['order'][0]['column'], 'Integer'), $sortMapper) : $defaultSort;
- $sortOrder = isset($_GET['order'][0]['dir']) ? CRM_Utils_Type::escape($_GET['order'][0]['dir'], 'MysqlOrderByDirection') : $defaultsortOrder;
+ $sort = isset($_GET['order'][0]['column']) ? CRM_Utils_Array::value(CRM_Utils_Type::validate($_GET['order'][0]['column'], 'Integer'), $sortMapper) : $defaultSort;
+ $sortOrder = isset($_GET['order'][0]['dir']) ? CRM_Utils_Type::validate($_GET['order'][0]['dir'], 'MysqlOrderByDirection') : $defaultsortOrder;
 if ($sort) {
 $params['sortBy'] = "`{$sort}` {$sortOrder}";
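Review bot: The first context line of the CRM/Core/Page/AJAX.php hunk, `$sortMapper[$key] = CRM_Utils_Type::escape($value['data'], 'MysqlColumnName');`, is left on escape() while every other lookup in the block moves to validate(), even though this same commit adds a 'MysqlColumnName' case to validate(); the value ends up in the SQL fragment `"`{$sort}` {$sortOrder}"` two lines below, so it should pass the same rule as `$sortOrder`: `$sortMapper[$key] = CRM_Utils_Type::validate($value['data'], 'MysqlColumnName');`. Where `$value['data']` comes from is outside the hunk, so whether it is request-controlled cannot be confirmed here, but the mixed escape/validate use inside one function is itself worth removing. `$defaultsortOrder` also breaks the camelCase used by `$defaultSort`, `$defaultOffset` and `$defaultRowCount`; if that name is a local rather than a parameter declared outside the hunk, `$defaultSortOrder` would be consistent. The enclosing function starts and ends outside the hunk.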
@@ -244,16 +244,16 @@ class CRM_Core_Page_AJAX {
 return $params;
 }
- public static function getSanitizedParams($requiredParams = array(), $optionalParams = array()) {
+ public static function validateParams($requiredParams = array(), $optionalParams = array()) {
 $params = array();
 foreach ($requiredParams as $param => $type) {
- $params[$param] = CRM_Utils_Type::escape(CRM_Utils_Array::value($param, $_GET), $type);
+ $params[$param] = CRM_Utils_Type::validate(CRM_Utils_Array::value($param, $_GET), $type);
 }
 foreach ($optionalParams as $param => $type) {
 if (CRM_Utils_Array::value($param, $_GET)) {
- $params[$param] = CRM_Utils_Type::escape(CRM_Utils_Array::value($param, $_GET), $type);
+ $params[$param] = CRM_Utils_Type::validate(CRM_Utils_Array::value($param, $_GET), $type);
 }
 }
diff --git a/CRM/Utils/Type.php b/CRM/Utils/Type.php
index 50c242df8d..81e8274f91 100644
--- a/CRM/Utils/Type.php
+++ b/CRM/Utils/Type.php
@@ -377,6 +377,30 @@ class CRM_Utils_Type {
 }
 break;
+ case 'MysqlColumnNameLoose':
+ if (CRM_Utils_Rule::mysqlColumnNameLoose($data)) {
+ return data;
+ }
+ break;
+
+ case 'MysqlColumnName':
+ if (CRM_Utils_Rule::mysqlColumnName($data)) {
+ return $data;
+ }
+ break;
+
+ case 'MysqlOrderByDirection':
+ if (CRM_Utils_Rule::mysqlOrderByDirection($data)) {
+ return $data;
+ }
+ break;
+
+ case 'MysqlOrderBy':
+ if (CRM_Utils_Rule::mysqlOrderBy($data)) {
+ return $data;
+ }
+ break;
+
 default:
 CRM_Core_Error::fatal("Cannot recognize $type for $data");
 break;
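Review bot: In the renamed validateParams(), the optional-parameter guard `if (CRM_Utils_Array::value($param, $_GET))` tests truthiness, so a submitted value of `'0'` — which the caller in CRM/Activity/Page/AJAX.php can legitimately send for `activity_deleted` ('Boolean') or `status_id` ('Integer') — is silently dropped instead of being validated and passed through; `if (isset($_GET[$param]) && $_GET[$param] !== '')` keeps the "absent means skip" behaviour without discarding zero. The method is public and gets no docblock with the rename; a short one should state that `$requiredParams` and `$optionalParams` map parameter name to a CRM_Utils_Type type string, that required parameters missing from `$_GET` are handed to validate() as NULL, that optional ones are skipped when absent, and that the return is an array of validated values keyed by parameter name. The method's closing brace and return are outside the hunk.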
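Review bot: `return data;` in the new `MysqlColumnNameLoose` case of CRM/Utils/Type.php is missing the `$` sigil, so a value that passes `CRM_Utils_Rule::mysqlColumnNameLoose()` is never returned: PHP 5/7 emit an undefined-constant notice and return the literal string 'data', and PHP 8 throws an Error. The line should read `return $data;`, matching the three cases added below it. Note that all four new cases hand back `$data` unmodified, so for these types validate() is a pass/fail gate only and callers that previously relied on escape() must not expect any quoting from it. What the switch does after `break` (the failure path) is outside the hunk.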