From a32a49a22571459070c89e5de5010e1d6daf9bb8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 21 Nov 2010 14:35:59 +0000
Subject: [PATCH] Fix: Regression

---
 htdocs/lib/functions.lib.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php
index ed5c34a1ec9..01e951f5688 100644
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -52,10 +52,11 @@ function GETPOST($paramname,$check='',$method=0)
 if (!empty($check))
 {
- // Check if integer
- if ($check == 'int' && ! is_numeric(trim($out))) $out='';
+ // Check if numeric
+ if ($check == 'int' && ! preg_match('/^[\.,0-9]+$/i',trim($out))) $out='';
 // Check if alpha
- if ($check == 'alpha' && ! preg_match('/^[#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
+ //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
+ if ($check == 'alpha' && preg_match('/"/',trim($out))) $out=''; // Only " is dangerous because param in url can close the href= or src= and add javascript functions
 }
 return $out;
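Review bot: The new `alpha` branch replaces an allowlist with a one-character blocklist, and the trailing comment's claim that only `"` is dangerous does not hold: a value that is echoed into a single-quoted or unquoted attribute, or into element content, is not protected by rejecting `"` alone, so the check no longer provides the guarantee callers of `GETPOST(..., 'alpha')` presumably rely on. The commented-out line directly above already contains the widened allowlist that fixes the regression without giving up that guarantee; I would enable it, `if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';`, and treat output escaping (`htmlspecialchars` at the point of echo) as the actual defence rather than input filtering. The `int` branch has a similar looseness: `/^[\.,0-9]+$/` accepts separator-only strings such as `..,` and rejects negative values, whereas the removed `is_numeric` did neither, so a comment stating the intended accepted format (or a regex such as `/^-?[0-9]+([\.,][0-9]+)?$/`) would make the contract explicit. Note also that the checks run on `trim($out)` while the untrimmed `$out` is what is returned. The body of `GETPOST` begins before this hunk and its closing brace is outside it.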