Delete php warning and secure SQL

This commit is contained in:
Simon Leblanc 2011-05-22 04:03:44 +02:00
parent f6caac6e35
commit 7c9a061582
3 changed files with 82 additions and 45 deletions


@ -361,7 +361,7 @@ if ($dsondage->commentaires){
echo '<br>'. _("Comments") .' :<br>'."\n"; echo '<br>'. _("Comments") .' :<br>'."\n";
$commentaires=$dsondage->commentaires; $commentaires=$dsondage->commentaires;
$commentaires=str_replace("\\","",$commentaires); $commentaires=str_replace("\\","",$commentaires);
echo $commentaires; echo nl2br($commentaires);
echo '<br>'."\n"; echo '<br>'."\n";
} }
echo '<br>'."\n"; echo '<br>'."\n";
@ -417,7 +417,7 @@ if (isset($_POST["ajoutercolonne_x"]) && issetAndNoEmpty('nouvellecolonne') && (
//on rajoute la valeur a la fin de tous les sujets deja entrés //on rajoute la valeur a la fin de tous les sujets deja entrés
$nouveauxsujets.=","; $nouveauxsujets.=",";
$nouveauxsujets.=str_replace(","," ",$_POST["nouvellecolonne"]); $nouveauxsujets.=str_replace(","," ",$_POST["nouvellecolonne"]);
$nouveauxsujets=str_replace("'","°",$nouveauxsujets); $nouveauxsujets = htmlentities(html_entity_decode($nouveauxsujets, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
//mise a jour avec les nouveaux sujets dans la base //mise a jour avec les nouveaux sujets dans la base
$sql = 'UPDATE sujet_studs SET sujet = '.$connect->Param('nouveauxsujets').' WHERE id_sondage = '.$connect->Param('numsondage'); $sql = 'UPDATE sujet_studs SET sujet = '.$connect->Param('nouveauxsujets').' WHERE id_sondage = '.$connect->Param('numsondage');
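Review bot: In the first hunk, `echo nl2br($commentaires);` still writes the stored comment text straight into the page after only stripping backslashes, so it is safe only if commentaires was HTML-encoded before it reached the database; nothing in this commit shows that, and the insert in the third file binds `$_SESSION['commentaires']` as-is. Escaping at output, `echo nl2br(htmlspecialchars($commentaires, ENT_QUOTES, 'UTF-8'));`, would make the display path correct regardless of what the write path did. The second hunk takes the opposite approach of HTML-encoding `nouvellecolonne` at input time with `htmlentities(html_entity_decode(...))`; mixing the two conventions in one codebase is what usually ends in either double-encoded or unencoded output, so it is worth settling on one and stating it in a comment next to the encoding call. The `if ($dsondage->commentaires)` block containing the first hunk is opened before the hunk starts.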


@ -47,7 +47,7 @@ if (file_exists('bandeaux_local.php')) {
} }
//si les variables de session ne sont pas valides, il y a une erreur //si les variables de session ne sont pas valides, il y a une erreur
if (!$_SESSION["nom"]&&!$_SESSION["adresse"]&&!$_SESSION["commentaires"]&&!$_SESSION["mail"]) { if (issetAndNoEmpty('titre', $_SESSION) === false || issetAndNoEmpty('nom', $_SESSION) === false || issetAndNoEmpty('adresse', $_SESSION) === false) {
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">'."\n"; echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">'."\n";
echo '<html>'."\n"; echo '<html>'."\n";
echo '<head>'."\n"; echo '<head>'."\n";
@ -72,60 +72,70 @@ if (!$_SESSION["nom"]&&!$_SESSION["adresse"]&&!$_SESSION["commentaires"]&&!$_SES
//partie creation du sondage dans la base SQL //partie creation du sondage dans la base SQL
//On prépare les données pour les inserer dans la base //On prépare les données pour les inserer dans la base
if ($_POST["confirmecreation_x"]) { $erreur = false;
$testdate = true;
$date_selected = '';
if (isset($_POST["confirmecreation"]) || isset($_POST["confirmecreation_x"])) {
//recuperation des données de champs textes //recuperation des données de champs textes
$toutchoix = '';
for ($i = 0; $i < $_SESSION["nbrecases"] + 1; $i++) { for ($i = 0; $i < $_SESSION["nbrecases"] + 1; $i++) {
if ($_POST["choix"][$i]) { if (isset($_POST["choix"]) && issetAndNoEmpty($i, $_POST["choix"])) {
$toutchoix.=','; $toutchoix.=',';
$toutchoix.=str_replace(","," ",$_POST["choix"][$i]); $toutchoix.=str_replace(",", " ", htmlentities(html_entity_decode($_POST["choix"][$i], ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8'));
} }
} }
$toutchoix=str_replace("'","°",$toutchoix);
$toutchoix=substr("$toutchoix",1); $toutchoix=substr("$toutchoix",1);
$_SESSION["toutchoix"]=$toutchoix; $_SESSION["toutchoix"]=$toutchoix;
if ($_POST["champdatefin"]) { if (issetAndNoEmpty('champdatefin')) {
$registredate=explode("/",$_POST["champdatefin"]); $registredate=explode("/",$_POST["champdatefin"]);
if (is_array($registredate) === false || count($registredate) !== 3) {
$testdate = false;
$date_selected = $_POST["champdatefin"];
} else {
$time = mktime(0,0,0,$registredate[1],$registredate[0],$registredate[2]);
if ($time === false || date('d/m/Y', $time) !== $_POST["champdatefin"]) {
$testdate = false;
$date_selected = $_POST["champdatefin"];
} else {
if (mktime(0,0,0,$registredate[1],$registredate[0],$registredate[2]) > time() + 250000) { if (mktime(0,0,0,$registredate[1],$registredate[0],$registredate[2]) > time() + 250000) {
$_SESSION["champdatefin"]=mktime(0,0,0,$registredate[1],$registredate[0],$registredate[2]); $_SESSION["champdatefin"]=mktime(0,0,0,$registredate[1],$registredate[0],$registredate[2]);
} }
}
}
} else { } else {
$_SESSION["champdatefin"]=time()+15552000; $_SESSION["champdatefin"]=time()+15552000;
} }
if ($testdate === true) {
//format du sondage AUTRE //format du sondage AUTRE
$_SESSION["formatsondage"]="A".$_SESSION["studsplus"]; $_SESSION["formatsondage"]="A".$_SESSION["studsplus"];
ajouter_sondage(); ajouter_sondage();
} else {
$_POST["fin_sondage_autre"] = 'ok';
}
} }
// recuperation des sujets pour sondage AUTRE // recuperation des sujets pour sondage AUTRE
$erreur_injection = false;
if (isset($_SESSION["nbrecases"])) {
for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) { for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) {
if (!preg_match(';<|>|";',$_POST["choix"][$i])) { if (isset($_POST["choix"]) && isset($_POST["choix"][$i])) {
$_SESSION["choix$i"]=$_POST["choix"][$i]; $_SESSION["choix$i"]=htmlentities(html_entity_decode($_POST["choix"][$i], ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
} else {
$erreur_injection="yes";
} }
} }
} else { //nombre de cases par défaut
//nombre de cases par défaut
if (!$_SESSION["nbrecases"]) {
$_SESSION["nbrecases"]=10; $_SESSION["nbrecases"]=10;
} }
if ($_POST["ajoutcases"]||$_POST["ajoutcases_x"]) { if (isset($_POST["ajoutcases"]) || isset($_POST["ajoutcases_x"])) {
$_SESSION["nbrecases"]=$_SESSION["nbrecases"]+5; $_SESSION["nbrecases"]=$_SESSION["nbrecases"]+5;
} }
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">'."\n"; print_header();
echo '<html>'."\n";
echo '<head>'."\n";
echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'."\n";
echo '<title>'.NOMAPPLICATION.'</title>'."\n";
echo '<link rel="stylesheet" type="text/css" href="style.css">'."\n";
echo '<script type="text/javascript" src="block_enter.js"></script>';
echo '</head>'."\n";
echo '<body>'."\n"; echo '<body>'."\n";
echo '<form name="formulaire" action="#bas" method="POST" onkeypress="javascript:process_keypress(event)">'."\n"; echo '<form name="formulaire" action="#bas" method="POST" onkeypress="javascript:process_keypress(event)">'."\n";
@ -141,6 +151,9 @@ if (!$_SESSION["nom"]&&!$_SESSION["adresse"]&&!$_SESSION["commentaires"]&&!$_SES
//affichage des cases texte de formulaire //affichage des cases texte de formulaire
for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) { for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) {
$j = $i + 1; $j = $i + 1;
if (isset($_SESSION["choix$i"]) === false) {
$_SESSION["choix$i"] = '';
}
echo '<tr><td>'. _("Choice") .' '.$j.' : </td><td><input type="text" name="choix[]" size="40" maxlength="40" value="'.str_replace("\\","",$_SESSION["choix$i"]).'" id="choix'.$i.'"></td></tr>'."\n"; echo '<tr><td>'. _("Choice") .' '.$j.' : </td><td><input type="text" name="choix[]" size="40" maxlength="40" value="'.str_replace("\\","",$_SESSION["choix$i"]).'" id="choix'.$i.'"></td></tr>'."\n";
} }
@ -162,28 +175,34 @@ if (!$_SESSION["nom"]&&!$_SESSION["adresse"]&&!$_SESSION["commentaires"]&&!$_SES
echo '</tr></table>'."\n"; echo '</tr></table>'."\n";
//test de remplissage des cases //test de remplissage des cases
$testremplissage = '';
for ($i=0;$i<$_SESSION["nbrecases"];$i++) { for ($i=0;$i<$_SESSION["nbrecases"];$i++) {
if ($_POST["choix"][$i]!="") { if (isset($_POST["choix"]) && issetAndNoEmpty($i, $_POST["choix"])) {
$testremplissage="ok"; $testremplissage="ok";
} }
} }
//message d'erreur si aucun champ renseigné //message d'erreur si aucun champ renseigné
if ($testremplissage!="ok"&&($_POST["fin_sondage_autre"]||$_POST["fin_sondage_autre_x"])) { if ($testremplissage != "ok" && (isset($_POST["fin_sondage_autre"]) || isset($_POST["fin_sondage_autre_x"]))) {
print "<br><font color=\"#FF0000\">" . _("Enter at least one choice") . "</font><br><br>"."\n"; print "<br><font color=\"#FF0000\">" . _("Enter at least one choice") . "</font><br><br>"."\n";
$erreur="yes"; $erreur = true;
}
//message d'erreur si mauvaise date
if ($testdate === false) {
print "<br><font color=\"#FF0000\">" . _("Date must be have the format DD/MM/YYYY") . "</font><br><br>"."\n";
} }
if ($erreur_injection) { if ($erreur_injection) {
print "<font color=#FF0000>" . _("Characters \" < and > are not permitted") . "</font><br><br>\n"; print "<font color=#FF0000>" . _("Characters \" < and > are not permitted") . "</font><br><br>\n";
} }
if (($_POST["fin_sondage_autre"]||$_POST["fin_sondage_autre_x"])&&!$erreur&&!$erreur_injection) { if ((isset($_POST["fin_sondage_autre"]) || isset($_POST["fin_sondage_autre_x"])) && !$erreur && !$erreur_injection) {
//demande de la date de fin du sondage //demande de la date de fin du sondage
echo '<br>'."\n"; echo '<br>'."\n";
echo '<div class=presentationdatefin>'."\n"; echo '<div class=presentationdatefin>'."\n";
echo '<br>'. _("Your poll will be automatically removed after 6 months.<br> You can fix another removal date for it.") .'<br><br>'."\n"; echo '<br>'. _("Your poll will be automatically removed after 6 months.<br> You can fix another removal date for it.") .'<br><br>'."\n";
echo _("Removal date (optional)") .' : <input type="text" name="champdatefin" size="10" maxlength="10"> '. _("(DD/MM/YYYY)") ."\n"; echo _("Removal date (optional)") .' : <input type="text" name="champdatefin" value="'.$date_selected.'" size="10" maxlength="10"> '. _("(DD/MM/YYYY)") ."\n";
echo '</div>'."\n"; echo '</div>'."\n";
echo '<div class=presentationdatefin>'."\n"; echo '<div class=presentationdatefin>'."\n";
echo '<font color=#FF0000>'. _("Once you have confirmed the creation of your poll, you will be automatically redirected on the page of your poll. <br><br>Then, you will receive quickly an email contening the link to your poll for sending it to the voters.") .'</font>'."\n"; echo '<font color=#FF0000>'. _("Once you have confirmed the creation of your poll, you will be automatically redirected on the page of your poll. <br><br>Then, you will receive quickly an email contening the link to your poll for sending it to the voters.") .'</font>'."\n";
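Review bot: `$date_selected` is copied verbatim from `$_POST["champdatefin"]` in the earlier hunk when the date fails to parse, and the removal-date input now writes it into an attribute unescaped, `value="'.$date_selected.'"`, so an unparseable submission is reflected into the HTML of the same page; use `value="'.htmlspecialchars($date_selected, ENT_QUOTES, 'UTF-8').'"`. The field's `maxlength="10"` is enforced only by the browser and does not bound what the server receives. Separately, `$erreur_injection` is initialised to false in the earlier hunk and the `preg_match` that used to set it was removed, so the `if ($erreur_injection)` message branch here is now unreachable; either drop it or add a comment stating that the htmlentities() applied to each choix replaces that check.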


@ -78,15 +78,33 @@ function ajouter_sondage()
$date_fin=$_SESSION["totalchoixjour"][$taille_tableau]+200000; $date_fin=$_SESSION["totalchoixjour"][$taille_tableau]+200000;
} }
if (is_numeric($date_fin) === false) {
$date_fin = time()+15552000;
}
$headers="From: ".NOMAPPLICATION." <".ADRESSEMAILADMIN.">\r\nContent-Type: text/plain; charset=\"UTF-8\"\nContent-Transfer-Encoding: 8bit"; $headers="From: ".NOMAPPLICATION." <".ADRESSEMAILADMIN.">\r\nContent-Type: text/plain; charset=\"UTF-8\"\nContent-Transfer-Encoding: 8bit";
global $connect; global $connect;
$connect->Execute('insert into sondage ' . $sql = 'INSERT INTO sondage
'(id_sondage, commentaires, mail_admin, nom_admin, titre, id_sondage_admin, date_fin, format, mailsonde) ' . (id_sondage, commentaires, mail_admin, nom_admin, titre, id_sondage_admin, date_fin, format, mailsonde)
'VALUES '. VALUES (
"('$sondage','$_SESSION[commentaires]', '$_SESSION[adresse]', '$_SESSION[nom]', '$_SESSION[titre]','$sondage_admin', FROM_UNIXTIME('$date_fin'), '$_SESSION[formatsondage]','$_SESSION[mailsonde]' )"); '.$connect->Param('id_sondage').',
$connect->Execute("insert into sujet_studs values ('$sondage', '$_SESSION[toutchoix]' )"); '.$connect->Param('commentaires').',
'.$connect->Param('mail_admin').',
'.$connect->Param('nom_admin').',
'.$connect->Param('titre').',
'.$connect->Param('id_sondage_admin').',
FROM_UNIXTIME('.$date_fin.'),
'.$connect->Param('format').',
'.$connect->Param('mailsonde').'
)';
$sql = $connect->Prepare($sql);
$res = $connect->Execute($sql, array($sondage, $_SESSION['commentaires'], $_SESSION['adresse'], $_SESSION['nom'], $_SESSION['titre'], $sondage_admin, $_SESSION['formatsondage'], $_SESSION['mailsonde']));
$sql = 'INSERT INTO sujet_studs values ('.$connect->Param('sondage').', '.$connect->Param('choix').')';
$sql = $connect->Prepare($sql);
$connect->Execute($sql, array($sondage, $_SESSION['toutchoix']));
$message = _("This is the message you have to send to the people you want to poll. \nNow, you have to send this message to everyone you want to poll."); $message = _("This is the message you have to send to the people you want to poll. \nNow, you have to send this message to everyone you want to poll.");
$message .= "\n\n"; $message .= "\n\n";