Revision 6156a9b6

Added by Jocelyn Delande about 9 years ago

some request input checking/sanitization


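--- a/panorama.php
+++ b/panorama.php
@@ -5,24 +5,42 @@
    require 'class/utils.class.php';
    require_once 'constants.inc.php';
   
+  $fields_spec = array(
+    'panorama'   => array('basename'),
+    'dir'        => array(),//fixme
+    'to_cap'     => array('numeric'),
+    'to_ele'     => array('numeric'),
+    'to_zoom'     => array('numeric')
+  );
+  
+  $validator = new FormValidator($fields_spec);
+  $is_valid = $validator->validate($_GET);
+  
+  if ($is_valid) {
+    $input = $validator->sane_values();
+  } else {
+    $validator->print_errors();
+    die();//fixme, could be cleaner
+  }
+  
    $form_extpoint = file_get_contents('html/form_extpoint.html');
   
    $form_param = file_get_contents('html/form_param.html');
   
-   if (isset($_GET['dir']) && isset($_GET['panorama'])) {
-     $dir   = $_GET['dir'];
-     $name  = $_GET['panorama'];
+   if (isset($input['dir']) && isset($input['panorama'])) {
+     $dir   = $input['dir'];
+     $name  = $input['panorama'];
    } else {
      $dir   = PANORAMA_PATH;
      $name  = 'ttn_mediatheque';
    }
    $opt_vals = array();
    foreach(array('to_cap', 'to_ele', 'to_zoom') as $val) {
-     if (!empty($_GET[$val])) $opt_vals[$val] = $_GET[$val];
+     if (!empty($input[$val])) $opt_vals[$val] = $input[$val];
    }
   
-   $base_dir = $dir.'/'.$name;
-   $pt = new site_point($base_dir);
+   $pt = site_point::get($input['panorama']);
+   $base_dir = $pt->tiles_url_prefix();
    if(!$pt) die("impossible d'accéder à ".$base_dir." !\n");
    $params = $pt->get_params();
    $prefix = $pt->get_prefix();
@@ -140,8 +158,8 @@
        print("</div>\n");
        echo $form_extpoint;
      } elseif ($params == false ) {
-     	$dir   = $_GET['dir'];
-        $name  = $_GET['panorama'];
+     	$dir   = $input['dir'];
+        $name  = $input['panorama'];
        printf($form_param, $name, $name);
      }
      echo '<p id="info"></p>'."\n";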
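Review bot: In the first hunk `$base_dir = $pt->tiles_url_prefix();` runs before the `if(!$pt)` guard, so if `site_point::get()` returns a falsy value (as the guard implies it can) the script fails on a method call on a non-object and never reaches the `die()`. The lookup also reads `$input['panorama']` directly, which bypasses the `'ttn_mediatheque'` default assigned to `$name` when the parameter is absent. I would write `$pt = site_point::get($name);`, then `if (!$pt) die("impossible d'accéder à ".htmlspecialchars($name)." !\n");`, and only then `$base_dir = $pt->tiles_url_prefix();`. Separately, `'dir' => array()` still carries no rule, and `$name` reaches `printf($form_param, $name, $name)` in the second hunk; whether the `basename` rule makes the value safe for HTML output is not visible here, so escaping at the point of output is worth confirming.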
