Merge pull request #181 from pentium10/master

improving code by applying filter_input for sanitization
ptrofimov · Feb 4, 2022 · 0f1ec60 · 0f1ec60
2 parents 95d5808 + 6ca48e9
commit 0f1ec60
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 9 deletions.
diff --git a/lib/include.php b/lib/include.php
@@ -19,13 +19,13 @@ function autoload_class($class) {
 require_once dirname(__FILE__) . '/../config.php';
 require_once dirname(__FILE__) . '/../src/Storage.php';
 
-$GLOBALS['server'] = !empty($_GET['server']) ? $_GET['server'] : '';
-$GLOBALS['action'] = !empty($_GET['action']) ? $_GET['action'] : '';
-$GLOBALS['state'] = !empty($_GET['state']) ? $_GET['state'] : '';
-$GLOBALS['count'] = !empty($_GET['count']) ? $_GET['count'] : '';
-$GLOBALS['tube'] = !empty($_GET['tube']) ? $_GET['tube'] : '';
-$GLOBALS['tplMain'] = !empty($_GET['tplMain']) ? $_GET['tplMain'] : '';
-$GLOBALS['tplBlock'] = !empty($_GET['tplBlock']) ? $_GET['tplBlock'] : '';
+$GLOBALS['server'] = !empty($_GET['server']) ? filter_input(INPUT_GET, 'server', FILTER_SANITIZE_SPECIAL_CHARS) : '';
+$GLOBALS['action'] = !empty($_GET['action']) ? filter_input(INPUT_GET, 'action', FILTER_SANITIZE_SPECIAL_CHARS) : '';
+$GLOBALS['state'] = !empty($_GET['state']) ? filter_input(INPUT_GET, 'state', FILTER_SANITIZE_SPECIAL_CHARS) : '';
+$GLOBALS['count'] = !empty($_GET['count']) ? filter_input(INPUT_GET, 'count', FILTER_SANITIZE_SPECIAL_CHARS) : '';
+$GLOBALS['tube'] = !empty($_GET['tube']) ? filter_input(INPUT_GET, 'tube', FILTER_SANITIZE_SPECIAL_CHARS) : '';
+$GLOBALS['tplMain'] = !empty($_GET['tplMain']) ? filter_input(INPUT_GET, 'tplMain', FILTER_SANITIZE_SPECIAL_CHARS) : '';
+$GLOBALS['tplBlock'] = !empty($_GET['tplBlock']) ? filter_input(INPUT_GET, 'tplBlock', FILTER_SANITIZE_SPECIAL_CHARS) : '';
 
 class Console {
 

diff --git a/lib/tpl/currentTubeSearchResults.php b/lib/tpl/currentTubeSearchResults.php
@@ -60,7 +60,7 @@ class="glyphicon glyphicon-forward glyphicon-white"></i>
                 </table>
             </div>
         </div>
-        First <?php echo $_GET['limit']; ?> rows are displayed for each state.
+        First <?php echo intval($_GET['limit']); ?> rows are displayed for each state.
         <br/>
         <br/>
     </section>

diff --git a/lib/tpl/sampleJobsEdit.php b/lib/tpl/sampleJobsEdit.php
@@ -2,7 +2,7 @@
 if (isset($isNewRecord) && $isNewRecord) {
     $action = '?action=newSample';
 } else {
-    $action = '?action=editSample&key=' . $_GET['key'];
+    $action = '?action=editSample&key=' . urlencode($_GET['key']);
 }
 ?>
 <form name="sampleJobsEdit" action="<?php echo $action; ?>" method="POST">