From 55f93018a64c0d68c2cc21416bf762f6bed9a9ac Mon Sep 17 00:00:00 2001 From: Laurent Destailleur <eldy@destailleur.fr> Date: Sat, 10 May 2014 02:21:04 +0200 Subject: [PATCH] Fix: We must never use 'alpha' as second parameter of GETPOST when field is a "free text". We can use it only for special field we are sure it contains only alphabetical caracters and only alphabetical chars. --- htdocs/contact/fiche.php | 74 ++++++++++++++++++++-------------------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/htdocs/contact/fiche.php b/htdocs/contact/fiche.php index 76b3634d798..2192252b2f4 100644 --- a/htdocs/contact/fiche.php +++ b/htdocs/contact/fiche.php @@ -106,11 +106,11 @@ if (empty($reshook)) // Creation user $nuser = new User($db); - $result=$nuser->create_from_contact($object,GETPOST("login",'alpha')); + $result=$nuser->create_from_contact($object,GETPOST("login")); // Do not use GETPOST(alpha) if ($result > 0) { - $result2=$nuser->setPassword($user,GETPOST("password",'alpha'),0,0,1); + $result2=$nuser->setPassword($user,GETPOST("password"),0,0,1); // Do not use GETPOST(alpha) if ($result2) { $db->commit(); @@ -161,21 +161,21 @@ if (empty($reshook)) if ($canvas) $object->canvas=$canvas; $object->socid = GETPOST("socid",'int'); - $object->lastname = GETPOST("lastname",'alpha'); - $object->firstname = GETPOST("firstname",'alpha'); + $object->lastname = GETPOST("lastname"); + $object->firstname = GETPOST("firstname"); $object->civility_id = GETPOST("civility_id",'alpha'); - $object->poste = GETPOST("poste",'alpha'); - $object->address = GETPOST("address",'alpha'); - $object->zip = GETPOST("zipcode",'alpha'); - $object->town = GETPOST("town",'alpha'); + $object->poste = GETPOST("poste"); + $object->address = GETPOST("address"); + $object->zip = GETPOST("zipcode"); + $object->town = GETPOST("town"); $object->country_id = GETPOST("country_id",'int'); $object->state_id = GETPOST("state_id",'int'); - $object->skype = GETPOST("skype",'alpha'); + $object->skype = GETPOST("skype"); $object->email = GETPOST("email",'alpha'); - $object->phone_pro = GETPOST("phone_pro",'alpha'); - $object->phone_perso = GETPOST("phone_perso",'alpha'); - $object->phone_mobile = GETPOST("phone_mobile",'alpha'); - $object->fax = GETPOST("fax",'alpha'); + $object->phone_pro = GETPOST("phone_pro"); + $object->phone_perso = GETPOST("phone_perso"); + $object->phone_mobile = GETPOST("phone_mobile"); + $object->fax = GETPOST("fax"); $object->jabberid = GETPOST("jabberid",'alpha'); $object->no_email = GETPOST("no_email",'int'); $object->priv = GETPOST("priv",'int'); @@ -190,7 +190,7 @@ if (empty($reshook)) // Fill array 'array_options' with data from add form $ret = $extrafields->setOptionalsFromPost($extralabels,$object); - if (! GETPOST("lastname",'alpha')) + if (! GETPOST("lastname")) { $error++; $errors[]=$langs->trans("ErrorFieldRequired",$langs->transnoentities("Lastname").' / '.$langs->transnoentities("Label")); $action = 'create'; @@ -224,8 +224,8 @@ if (empty($reshook)) { $result=$object->fetch($id); - $object->old_lastname = GETPOST("old_lastname",'alpha'); - $object->old_firstname = GETPOST("old_firstname",'alpha'); + $object->old_lastname = GETPOST("old_lastname"); + $object->old_firstname = GETPOST("old_firstname"); $result = $object->delete(); if ($result > 0) @@ -255,27 +255,27 @@ if (empty($reshook)) $object->oldcopy=dol_clone($object); - $object->old_lastname = GETPOST("old_lastname",'alpha'); - $object->old_firstname = GETPOST("old_firstname",'alpha'); + $object->old_lastname = GETPOST("old_lastname"); + $object->old_firstname = GETPOST("old_firstname"); $object->socid = GETPOST("socid",'int'); - $object->lastname = GETPOST("lastname",'alpha'); - $object->firstname = GETPOST("firstname",'alpha'); + $object->lastname = GETPOST("lastname"); + $object->firstname = GETPOST("firstname"); $object->civility_id = GETPOST("civility_id",'alpha'); - $object->poste = GETPOST("poste",'alpha'); + $object->poste = GETPOST("poste"); - $object->address = GETPOST("address",'alpha'); - $object->zip = GETPOST("zipcode",'alpha'); - $object->town = GETPOST("town",'alpha'); + $object->address = GETPOST("address"); + $object->zip = GETPOST("zipcode"); + $object->town = GETPOST("town"); $object->state_id = GETPOST("state_id",'int'); $object->country_id = GETPOST("country_id",'int'); $object->email = GETPOST("email",'alpha'); $object->skype = GETPOST("skype",'alpha'); - $object->phone_pro = GETPOST("phone_pro",'alpha'); - $object->phone_perso = GETPOST("phone_perso",'alpha'); - $object->phone_mobile = GETPOST("phone_mobile",'alpha'); - $object->fax = GETPOST("fax",'alpha'); + $object->phone_pro = GETPOST("phone_pro"); + $object->phone_perso = GETPOST("phone_perso"); + $object->phone_mobile = GETPOST("phone_mobile"); + $object->fax = GETPOST("fax"); $object->jabberid = GETPOST("jabberid",'alpha'); $object->no_email = GETPOST("no_email",'int'); $object->priv = GETPOST("priv",'int'); @@ -424,8 +424,8 @@ else print '<table class="border" width="100%">'; // Name - print '<tr><td width="20%" class="fieldrequired">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td width="30%"><input name="lastname" type="text" size="30" maxlength="80" value="'.(GETPOST("lastname",'alpha')?GETPOST("lastname",'alpha'):$object->lastname).'"></td>'; - print '<td width="20%">'.$langs->trans("Firstname").'</td><td width="30%"><input name="firstname" type="text" size="30" maxlength="80" value="'.(GETPOST("firstname",'alpha')?GETPOST("firstname",'alpha'):$object->firstname).'"></td></tr>'; + print '<tr><td width="20%" class="fieldrequired">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td width="30%"><input name="lastname" type="text" size="30" maxlength="80" value="'.dol_escape_htmltag(GETPOST("lastname")?GETPOST("lastname"):$object->lastname).'"></td>'; + print '<td width="20%">'.$langs->trans("Firstname").'</td><td width="30%"><input name="firstname" type="text" size="30" maxlength="80" value="'.dol_escape_htmltag(GETPOST("firstname")?GETPOST("firstname"):$object->firstname).'"></td></tr>'; // Company if (empty($conf->global->SOCIETE_DISABLE_CONTACTS)) @@ -451,7 +451,7 @@ else print $formcompany->select_civility(GETPOST("civility_id",'alpha')?GETPOST("civility_id",'alpha'):$object->civility_id); print '</td></tr>'; - print '<tr><td>'.$langs->trans("PostOrFunction").'</td><td colspan="3"><input name="poste" type="text" size="50" maxlength="80" value="'.(GETPOST("poste",'alpha')?GETPOST("poste",'alpha'):$object->poste).'"></td>'; + print '<tr><td>'.$langs->trans("PostOrFunction").'</td><td colspan="3"><input name="poste" type="text" size="50" maxlength="80" value="'.dol_escape_htmltag(GETPOST("poste",'alpha')?GETPOST("poste",'alpha'):$object->poste).'"></td>'; $colspan=3; if ($conf->use_javascript_ajax && $socid > 0) $colspan=2; @@ -476,8 +476,8 @@ else if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->zip)) == 0) $object->zip = $objsoc->zip; // Predefined with third party if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->town)) == 0) $object->town = $objsoc->town; // Predefined with third party print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td colspan="'.$colspan.'" class="maxwidthonsmartphone">'; - print $formcompany->select_ziptown((GETPOST("zipcode",'alpha')?GETPOST("zipcode",'alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).' '; - print $formcompany->select_ziptown((GETPOST("town",'alpha')?GETPOST("town",'alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id')); + print $formcompany->select_ziptown((GETPOST("zipcode")?GETPOST("zipcode"):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).' '; + print $formcompany->select_ziptown((GETPOST("town")?GETPOST("town"):$object->town),'town',array('zipcode','selectcountry_id','state_id')); print '</td></tr>'; // Country @@ -503,12 +503,12 @@ else // Phone / Fax if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->phone_pro)) == 0) $object->phone_pro = $objsoc->phone; // Predefined with third party - print '<tr><td>'.$langs->trans("PhonePro").'</td><td><input name="phone_pro" id="phone_pro" type="text" size="18" maxlength="80" value="'.(GETPOST("phone_pro",'alpha')?GETPOST("phone_pro",'alpha'):$object->phone_pro).'"></td>'; - print '<td>'.$langs->trans("PhonePerso").'</td><td><input name="phone_perso" id="phone_perso" type="text" size="18" maxlength="80" value="'.(GETPOST("phone_perso",'alpha')?GETPOST("phone_perso",'alpha'):$object->phone_perso).'"></td></tr>'; + print '<tr><td>'.$langs->trans("PhonePro").'</td><td><input name="phone_pro" id="phone_pro" type="text" size="18" maxlength="80" value="'.dol_escape_htmltag(GETPOST("phone_pro")?GETPOST("phone_pro"):$object->phone_pro).'"></td>'; + print '<td>'.$langs->trans("PhonePerso").'</td><td><input name="phone_perso" id="phone_perso" type="text" size="18" maxlength="80" value="'.dol_escape_htmltag(GETPOST("phone_perso")?GETPOST("phone_perso"):$object->phone_perso).'"></td></tr>'; if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->fax)) == 0) $object->fax = $objsoc->fax; // Predefined with third party - print '<tr><td>'.$langs->trans("PhoneMobile").'</td><td><input name="phone_mobile" id="phone_mobile" type="text" size="18" maxlength="80" value="'.(GETPOST("phone_mobile",'alpha')?GETPOST("phone_mobile",'alpha'):$object->phone_mobile).'"></td>'; - print '<td>'.$langs->trans("Fax").'</td><td><input name="fax" id="fax" type="text" size="18" maxlength="80" value="'.(GETPOST("fax",'alpha')?GETPOST("fax",'alpha'):$object->fax).'"></td></tr>'; + print '<tr><td>'.$langs->trans("PhoneMobile").'</td><td><input name="phone_mobile" id="phone_mobile" type="text" size="18" maxlength="80" value="'.dol_escape_htmltag(GETPOST("phone_mobile")?GETPOST("phone_mobile"):$object->phone_mobile).'"></td>'; + print '<td>'.$langs->trans("Fax").'</td><td><input name="fax" id="fax" type="text" size="18" maxlength="80" value="'.dol_escape_htmltag(GETPOST("fax",'alpha')?GETPOST("fax",'alpha'):$object->fax).'"></td></tr>'; // EMail if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->email)) == 0) $object->email = $objsoc->email; // Predefined with third party -- GitLab