This is now patched in SVN trunk: stored values no longer end up with a backslash-escaped apostrophe (\') or double quote (\").
The two files that changed are:
/htdocs/class/model/write.php
/htdocs/kernel/object.php
This is the new cleanVars function in the file below. Caveat: the listings in this post appear to have lost their backslashes in transit — the URL pattern reads `/^http[s]*:///i`, which PCRE will not compile, the e-mail pattern has an unescaped `.` in the local part, and the `str_replace('"', '"', …)` calls are no-ops as printed — so take the exact escape sequences from the SVN source rather than from this page.
/htdocs/kernel/object.php /**
* clean values of all variables of the object for storage.
* No slashes are added here: GPC slashes are stripped, and SQL quoting is left to the model writer (class/model/write.php).
*
* @return bool true if successful
* @access public
*/
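function cleanVars()
{
    $ts =& MyTextSanitizer::getInstance();
    $existing_errors = $this->getErrors();
    $this->_errors = array();

    // Validation patterns shared by the EMAIL/URL cases below.  The
    // backslashes are significant: an unescaped "." in the local part of the
    // e-mail pattern matches any character, and an unescaped "//" inside a
    // "/"-delimited URL pattern ends the regex early so PCRE refuses to
    // compile it (and preg_match() then returns false for every input).
    $email_pattern = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)+$/i';
    $url_pattern   = '#^https?://#i';

    foreach ($this->vars as $k => $v) {
        $cleanv = $v['value'];
        if (!empty($v['changed'])) {
            $cleanv   = is_string($cleanv) ? trim($cleanv) : $cleanv;
            $from_gpc = empty($v['not_gpc']);   // value originates from GET/POST/COOKIE
            $required = !empty($v['required']);

            // Every validation failure below uses "continue 2".  A bare
            // "continue" inside a switch only behaves like "break", so the
            // rejected, unsanitized value would still be copied into
            // $this->cleanVars at the bottom of this loop.
            switch ($v['data_type']) {
                case XOBJ_DTYPE_TXTBOX:
                    if ($required && $cleanv != '0' && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                        $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength'])));
                        continue 2;
                    }
                    $cleanv = $ts->censorString($cleanv);
                    if ($from_gpc) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_TXTAREA:
                    if ($required && $cleanv != '0' && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    $cleanv = $ts->censorString($cleanv);
                    if ($from_gpc) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_SOURCE:
                    // Source text is stored verbatim apart from GPC slash removal.
                    if ($from_gpc) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_INT:
                    $cleanv = intval($cleanv);
                    break;

                case XOBJ_DTYPE_EMAIL:
                    if ($required && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    if ($cleanv != '' && !preg_match($email_pattern, $cleanv)) {
                        $this->setErrors("Invalid Email");
                        continue 2;
                    }
                    if ($from_gpc) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_URL:
                    if ($required && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    // Scheme-less input defaults to http://.
                    if ($cleanv != '' && !preg_match($url_pattern, $cleanv)) {
                        $cleanv = 'http://' . $cleanv;
                    }
                    if ($from_gpc) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_ARRAY:
                    $cleanv = serialize($cleanv);
                    break;

                case XOBJ_DTYPE_STIME:
                case XOBJ_DTYPE_MTIME:
                case XOBJ_DTYPE_LTIME:
                    // strtotime() returns false for an unparseable string;
                    // cast so the stored value is always an integer timestamp.
                    $cleanv = is_string($cleanv) ? (int) strtotime($cleanv) : intval($cleanv);
                    break;

                case XOBJ_DTYPE_FLOAT:
                    $cleanv = floatval($cleanv);
                    break;

                case XOBJ_DTYPE_DECIMAL:
                    $cleanv = doubleval($cleanv);
                    break;

                case XOBJ_DTYPE_ENUM:
                    // A missing or non-array enumeration list allows nothing.
                    // in_array() is deliberately loose (lists may mix ints and
                    // strings); make it strict if every list is string-typed.
                    if (!isset($v['enumeration']) || !is_array($v['enumeration'])
                        || !in_array($cleanv, $v['enumeration'])) {
                        $this->setErrors("Invalid Enumeration");
                        continue 2;
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_TXTBOX:
                    if ($required && $cleanv != '0' && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    // Censor once, then encode; maxlength is checked on the encoded bytes.
                    $cleanv = xoops_convert_encode($ts->censorString($cleanv));
                    if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                        $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength'])));
                        continue 2;
                    }
                    if ($from_gpc) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_TXTAREA:
                    if ($required && $cleanv != '0' && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    $cleanv = xoops_convert_encode($ts->censorString($cleanv));
                    if ($from_gpc) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_EMAIL:
                    if ($required && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    $cleanv = xoops_convert_encode($ts->censorString($cleanv));
                    if ($cleanv != '' && !preg_match($email_pattern, $cleanv)) {
                        $this->setErrors("Invalid Email");
                        continue 2;
                    }
                    if ($from_gpc) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_URL:
                    if ($required && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    if ($cleanv != '' && !preg_match($url_pattern, $cleanv)) {
                        $cleanv = 'http://' . $cleanv;
                    }
                    $cleanv = xoops_convert_encode($cleanv);
                    if ($from_gpc) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_ARRAY:
                    if (is_array($cleanv)) {
                        // array_walk() returns a bool: encode the elements in
                        // place first, then serialize the array itself (the
                        // posted version serialized the bool).
                        array_walk($cleanv, 'xoops_aw_encode');
                    }
                    $cleanv = serialize($cleanv);
                    break;

                default:
                    break;
            }
        }
        // Kept as posted.  As printed this replacement is a no-op ('"' -> '"');
        // the intended search string is presumably '\\"' (undo an escaped
        // double quote) with its backslash lost in transit -- confirm against
        // the SVN source before relying on it.
        $this->cleanVars[$k] = str_replace('"', '"', $cleanv);
    }

    $failed = count($this->_errors) > 0;
    // Errors raised here are appended to whatever the object already carried.
    $this->_errors = array_merge($existing_errors, $this->_errors);
    if ($failed) {
        return false;
    }
    $this->unsetDirty();
    return true;
}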
This is the new cleanVars function in the file below. As with the listing above, backslashes appear to have been stripped in transit — the regex patterns and the `str_replace('"', '"', …)` calls are not literally what is in SVN, so copy them from the repository rather than from this page.
/htdocs/class/model/write.php /**
* Clean values of all variables of the object for storage.
* also add slashes and quote strings wherever needed (every string value is passed through db->quote() so it can be dropped straight into SQL)
*
* CleanVars only contains changed and cleaned variables
* Reference is used for PHP4 compliance
*
* @return bool true if successful
* @access public
*/
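function cleanVars(&$object)
{
    $ts =& MyTextSanitizer::getInstance();
    $db =& $this->handler->db;
    $errors = array();
    $vars = $object->getVars();
    $object->cleanVars = array();

    // Validation patterns shared by the EMAIL/URL cases below.  The
    // backslashes are significant: "\." is a literal dot, and the "#"
    // delimiters keep the "//" of the URL scheme from ending the pattern
    // early (a "/"-delimited "/^http[s]*:///i" does not compile).
    $email_pattern = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)+$/i';
    $url_pattern   = '#^https?://#i';

    // A sibling "dohtml" variable on the same object turns on the HTML
    // filter for textarea input that came from GET/POST/COOKIE.
    $do_html = !empty($vars['dohtml']['value']);

    foreach ($vars as $k => $v) {
        if (empty($v['changed'])) {
            continue;
        }
        $cleanv   = $v['value'];
        $from_gpc = empty($v['not_gpc']);   // value originates from GET/POST/COOKIE
        $required = !empty($v['required']);

        // Every validation failure below uses "continue 2".  A bare
        // "continue" inside a switch only behaves like "break", so the
        // rejected value would reach the assignment at the bottom of this
        // loop and land in $object->cleanVars raw and UNQUOTED -- anything
        // that builds SQL from cleanVars without checking the return value
        // would then be injectable.
        switch ($v['data_type']) {
            case XOBJ_DTYPE_UNICODE_TXTBOX:
                if ($required && $cleanv != '0' && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                $cleanv = xoops_convert_encode($ts->censorString($cleanv));
                if ($from_gpc) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                // maxlength is checked on the encoded, slash-stripped bytes.
                if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                    $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength']));
                    continue 2;
                }
                // db->quote() escapes both quote characters and wraps the
                // value, so the str_replace('"', '"', ...) of the posted
                // listing (a no-op as printed) is not needed.
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_TXTAREA:
                if ($required && $cleanv != '0' && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if ($from_gpc) {
                    if ($do_html) {
                        $cleanv = $ts->textFilter($cleanv);
                    }
                    $cleanv = $ts->stripSlashesGPC(xoops_convert_encode($ts->censorString($cleanv)));
                } else {
                    // Internal values are censored and encoded like every other
                    // UNICODE_* type; they are just not HTML-filtered or
                    // slash-stripped.  (The posted listing skipped the encode
                    // step on this branch, unlike UNICODE_TXTBOX.)
                    $cleanv = xoops_convert_encode($ts->censorString($cleanv));
                }
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_TXTBOX:
                if ($required && $cleanv != '0' && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                    $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength']));
                    continue 2;
                }
                $cleanv = $ts->censorString($cleanv);
                if ($from_gpc) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_TXTAREA:
                if ($required && $cleanv != '0' && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if ($from_gpc) {
                    if ($do_html) {
                        $cleanv = $ts->textFilter($cleanv);
                    }
                    $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv));
                } else {
                    $cleanv = $ts->censorString($cleanv);
                }
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_SOURCE:
                // Source text is stored verbatim apart from trimming and GPC slash removal.
                $cleanv = trim($cleanv);
                if ($from_gpc) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_EMAIL:
                $cleanv = trim($cleanv);
                if ($required && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                $cleanv = xoops_convert_encode($cleanv);
                // Same format check as the EMAIL case below and as
                // XoopsObject::cleanVars(); the posted listing omitted it here.
                if ($cleanv != '' && !preg_match($email_pattern, $cleanv)) {
                    $errors[] = "Invalid Email";
                    continue 2;
                }
                if ($from_gpc) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_EMAIL:
                $cleanv = trim($cleanv);
                if ($required && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if ($cleanv != '' && !preg_match($email_pattern, $cleanv)) {
                    $errors[] = "Invalid Email";
                    continue 2;
                }
                if ($from_gpc) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_URL:
                $cleanv = trim($cleanv);
                if ($required && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                // Scheme-less input defaults to http://.
                if ($cleanv != '' && !preg_match($url_pattern, $cleanv)) {
                    $cleanv = 'http://' . $cleanv;
                }
                $cleanv = xoops_convert_encode($cleanv);
                if ($from_gpc) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_URL:
                $cleanv = trim($cleanv);
                if ($required && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if ($cleanv != '' && !preg_match($url_pattern, $cleanv)) {
                    $cleanv = 'http://' . $cleanv;
                }
                if ($from_gpc) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_OTHER:
                $cleanv = $db->quote(xoops_convert_encode($cleanv));
                break;

            case XOBJ_DTYPE_OTHER:
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_INT:
                $cleanv = intval($cleanv);
                break;

            case XOBJ_DTYPE_FLOAT:
                $cleanv = floatval($cleanv);
                break;

            case XOBJ_DTYPE_DECIMAL:
                $cleanv = doubleval($cleanv);
                break;

            case XOBJ_DTYPE_ENUM:
                // Mirrors the ENUM check in XoopsObject::cleanVars(); the posted
                // listing let ENUM fall through to the default case unchecked.
                // in_array() is deliberately loose (lists may mix ints and
                // strings); make it strict if every list is string-typed.
                if (!isset($v['enumeration']) || !is_array($v['enumeration'])
                    || !in_array($cleanv, $v['enumeration'])) {
                    $errors[] = "Invalid Enumeration";
                    continue 2;
                }
                $cleanv = $db->quote($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_ARRAY:
                if (is_array($cleanv)) {
                    if ($from_gpc) {
                        $cleanv = array_map(array(&$ts, 'stripSlashesGPC'), $cleanv);
                    }
                    // array_walk() returns a bool: encode in place, then
                    // serialize the array (the posted version serialized the bool).
                    array_walk($cleanv, 'xoops_aw_encode');
                }
                // Quote the serialized blob as a whole.  Escaping each element
                // before serialize() (as the posted listing did with
                // addslashes) bakes the escaped length into the "s:N:" prefix,
                // so the row no longer unserializes once the DB has removed
                // the backslashes.
                $cleanv = $db->quote(serialize($cleanv));
                break;

            case XOBJ_DTYPE_ARRAY:
                if (is_array($cleanv) && $from_gpc) {
                    $cleanv = array_map(array(&$ts, 'stripSlashesGPC'), $cleanv);
                }
                // See UNICODE_ARRAY: serialize first, quote the whole blob.
                $cleanv = $db->quote(serialize($cleanv));
                break;

            case XOBJ_DTYPE_STIME:
            case XOBJ_DTYPE_MTIME:
            case XOBJ_DTYPE_LTIME:
                // strtotime() returns false for an unparseable string, which
                // would be emitted as an empty SQL token; cast to an integer.
                $cleanv = is_string($cleanv) ? (int) strtotime($cleanv) : intval($cleanv);
                break;

            default:
                $cleanv = $db->quote($cleanv);
                break;
        }
        $object->cleanVars[$k] = $cleanv;
    }

    if (!empty($errors)) {
        $object->setErrors($errors);
    }
    // NOTE(review): the dirty flag is cleared even when validation failed,
    // exactly as in the posted version; callers must honour the false return.
    $object->unsetDirty();
    return empty($errors);
}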