diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php
index b009b9e18bd..c9fa4985326 100644
--- a/htdocs/install/inc.php
+++ b/htdocs/install/inc.php
@@ -188,25 +188,25 @@ if (! defined('SYSLOG_FILE_NO_ERROR')) define('SYSLOG_FILE_NO_ERROR',1);
 }
-// Forcage du parametrage PHP magic_quotes_gpc et nettoyage des parametres
-// (Sinon il faudrait a chaque POST, conditionner
-// la lecture de variable par stripslashes selon etat de get_magic_quotes).
-// En mode off (recommande il faut juste faire $db->escape au moment d'un insert/update.
-function stripslashes_deep($value)
-{
-    return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
-}
-//if (! preg_match('/PHP\/6/i', $_SERVER['SERVER_SOFTWARE']))
-if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* plus pris en compte dans PHP6
+// Removed magic_quotes
+if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* removed in PHP6
 {
     if (get_magic_quotes_gpc())
     {
+        // Forcing parameter setting magic_quotes_gpc and cleaning parameters
+        // (Otherwise he would have for each position, condition
+        // Reading stripslashes variable according to state get_magic_quotes_gpc).
+        // Off mode (recommended, you just do $db->escape when an insert / update.
+        function stripslashes_deep($value)
+        {
+            return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
+        }
         $_GET = array_map('stripslashes_deep', $_GET);
         $_POST = array_map('stripslashes_deep', $_POST);
         $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
         $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
+        @set_magic_quotes_runtime(0);
     }
-    @set_magic_quotes_runtime(0);
 }
 // Defini objet langs
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index ca8e806aa17..acc4f798bc8 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
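Review bot: Moving `@set_magic_quotes_runtime(0);` inside `if (get_magic_quotes_gpc())` ties the runtime directive to the gpc one, but magic_quotes_runtime is a separate ini setting, so on a host with magic_quotes_gpc off and magic_quotes_runtime on the new code no longer disables it and data read from files or the database keeps the added slashes. The same move leaves `stripslashes_deep` undefined whenever get_magic_quotes_gpc() returns false, so any later caller of that function elsewhere in the codebase fails with an undefined-function fatal instead of a redeclare error. Both points apply equally to the hunks in htdocs/main.inc.php (@@ -43,18) and htdocs/support/inc.php. I would keep the definition at file level behind `if (! function_exists('stripslashes_deep'))` and restore `@set_magic_quotes_runtime(0);` after the inner if, where the removed line had it.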
@@ -43,18 +43,19 @@ if (! empty($_SERVER['DOL_TUNING']))
     if (defined('XDEBUGCOVERAGE')) { xdebug_start_code_coverage(); }
 }
-// Forcing parameter setting magic_quotes_gpc and cleaning parameters
-// (Otherwise he would have for each position, condition
-// Reading stripslashes variable according to state get_magic_quotes_gpc).
-// Off mode (recommended, you just do $db->escape when an insert / update.
-function stripslashes_deep($value)
-{
-    return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
-}
+// Removed magic_quotes
 if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* removed in PHP6
 {
     if (get_magic_quotes_gpc())
     {
+        // Forcing parameter setting magic_quotes_gpc and cleaning parameters
+        // (Otherwise he would have for each position, condition
+        // Reading stripslashes variable according to state get_magic_quotes_gpc).
+        // Off mode (recommended, you just do $db->escape when an insert / update.
+        function stripslashes_deep($value)
+        {
+            return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
+        }
         $_GET = array_map('stripslashes_deep', $_GET);
         $_POST = array_map('stripslashes_deep', $_POST);
         $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
@@ -62,7 +63,6 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* removed in PHP6
     }
 }
-
 // Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST)
 function test_sql_and_script_inject($val,$get)
 {
@@ -112,15 +112,15 @@ function analyse_sql_and_script(&$var,$get)
         return (test_sql_and_script_inject($var,$get) <= 0);
     }
 }
-//analyse_sql_and_script($_GET,1);
-//analyse_sql_and_script($_POST,0);
-$morevaltochecklikeget=array($_SERVER["QUERY_STRING"]);
-analyse_sql_and_script($morevaltochecklikeget,1);
+// Sanity check on URL
 $morevaltochecklikepost=array($_SERVER["PHP_SELF"]);
 analyse_sql_and_script($morevaltochecklikepost,0);
+// Sanity check on GET parameters
+$morevaltochecklikeget=array($_SERVER["QUERY_STRING"]);
+analyse_sql_and_script($morevaltochecklikeget,1);
+// Sanity check on POST
+analyse_sql_and_script($_POST,0);
 /*
-//print $_SERVER["SCRIPT_NAME"];
-//print $_SERVER['PHP_SELF'];
 // Clean PHP_SELF for prevent XSS attack
 // Get the name of the current file
 $phpself = basename($_SERVER["SCRIPT_NAME"]);
diff --git a/htdocs/support/inc.php b/htdocs/support/inc.php
index 74e0c3ddb9b..f04f809c587 100644
--- a/htdocs/support/inc.php
+++ b/htdocs/support/inc.php
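Review bot: POST data is now scanned in decoded form via `analyse_sql_and_script($_POST,0);`, while GET parameters are still scanned only through the raw `$_SERVER["QUERY_STRING"]`, which is still URL-encoded; unless test_sql_and_script_inject decodes its input (its body is outside this hunk), a GET value is checked in a different form than the one the application later reads from $_GET. Scanning the decoded superglobal as well, `analyse_sql_and_script($_GET,1);`, next to the QUERY_STRING check would make the GET and POST sides consistent, and the new comment `// Sanity check on GET parameters` would then describe what is actually checked. $_COOKIE is covered by neither check; whether that is intentional cannot be told from this hunk.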
@@ -123,25 +123,25 @@ if (empty($conf->db->user)) $conf->db->user='';
-// Forcage du parametrage PHP magic_quotes_gpc et nettoyage des parametres
-// (Sinon il faudrait a chaque POST, conditionner
-// la lecture de variable par stripslashes selon etat de get_magic_quotes).
-// En mode off (recommande il faut juste faire $db->escape au moment d'un insert/update.
-function stripslashes_deep($value)
-{
-    return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
-}
-//if (! preg_match('/PHP\/6/i', $_SERVER['SERVER_SOFTWARE']))
-if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* plus pris en compte dans PHP6
+// Removed magic_quotes
+if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* removed in PHP6
 {
     if (get_magic_quotes_gpc())
     {
+        // Forcing parameter setting magic_quotes_gpc and cleaning parameters
+        // (Otherwise he would have for each position, condition
+        // Reading stripslashes variable according to state get_magic_quotes_gpc).
+        // Off mode (recommended, you just do $db->escape when an insert / update.
+        function stripslashes_deep($value)
+        {
+            return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
+        }
         $_GET = array_map('stripslashes_deep', $_GET);
         $_POST = array_map('stripslashes_deep', $_POST);
         $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
         $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
+        @set_magic_quotes_runtime(0);
     }
-    @set_magic_quotes_runtime(0);
 }
 // Defini objet langs