Replaced [0-9] with \d

Bot 2017-01-21 19:47:44 +01:00 committed by Igor Scheller
parent 915ce28fee
commit 740026a9de
20 changed files with 41 additions and 41 deletions


@ -12,7 +12,7 @@ function shift_entry_add_controller()
global $privileges, $user; global $privileges, $user;
$shift_id = 0; $shift_id = 0;
if (isset($_REQUEST['shift_id']) && preg_match('/^[0-9]*$/', $_REQUEST['shift_id'])) { if (isset($_REQUEST['shift_id']) && preg_match('/^\d*$/', $_REQUEST['shift_id'])) {
$shift_id = $_REQUEST['shift_id']; $shift_id = $_REQUEST['shift_id'];
} else { } else {
redirect(page_link_to('user_shifts')); redirect(page_link_to('user_shifts'));
@ -32,7 +32,7 @@ function shift_entry_add_controller()
} }
$type_id = 0; $type_id = 0;
if (isset($_REQUEST['type_id']) && preg_match('/^[0-9]*$/', $_REQUEST['type_id'])) { if (isset($_REQUEST['type_id']) && preg_match('/^\d*$/', $_REQUEST['type_id'])) {
$type_id = $_REQUEST['type_id']; $type_id = $_REQUEST['type_id'];
} else { } else {
redirect(page_link_to('user_shifts')); redirect(page_link_to('user_shifts'));
@ -64,7 +64,7 @@ function shift_entry_add_controller()
if ( if (
isset($_REQUEST['user_id']) isset($_REQUEST['user_id'])
&& preg_match('/^[0-9]*$/', $_REQUEST['user_id']) && preg_match('/^\d*$/', $_REQUEST['user_id'])
&& ( && (
in_array('user_shifts_admin', $privileges) in_array('user_shifts_admin', $privileges)
|| in_array('shiftentry_edit_angeltype_supporter', $privileges) || in_array('shiftentry_edit_angeltype_supporter', $privileges)
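Review bot: The three ID checks in shift_entry_add_controller (`shift_id`, `type_id`, `user_id`) still use `/^\d*$/`, which accepts an empty string and, because `$` also matches before a final newline, digits followed by a line break; the raw request value is then assigned unchanged. Since these patterns are being edited anyway, `preg_match('/^\d+\z/', $_REQUEST['shift_id'])` would make the check mean "non-empty decimal ID", though requiring a digit changes how an empty parameter is handled. The same pattern appears in shift_delete_controller (`delete_shift`), admin_arrive (`reset`, `arrived`), user_myshifts (`edit`, `cancel`) and test_request_int. The function bodies continue outside the hunks, so later handling of these values is not visible here.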


@ -78,7 +78,7 @@ function shift_edit_controller()
$title = strip_request_item('title'); $title = strip_request_item('title');
// Auswahl der sichtbaren Locations für die Schichten // Auswahl der sichtbaren Locations für die Schichten
if (isset($_REQUEST['rid']) && preg_match('/^[0-9]+$/', $_REQUEST['rid']) && isset($room[$_REQUEST['rid']])) { if (isset($_REQUEST['rid']) && preg_match('/^\d+$/', $_REQUEST['rid']) && isset($room[$_REQUEST['rid']])) {
$rid = $_REQUEST['rid']; $rid = $_REQUEST['rid'];
} else { } else {
$valid = false; $valid = false;
@ -192,7 +192,7 @@ function shift_delete_controller()
} }
// Schicht komplett löschen (nur für admins/user mit user_shifts_admin privileg) // Schicht komplett löschen (nur für admins/user mit user_shifts_admin privileg)
if (!isset($_REQUEST['delete_shift']) || !preg_match('/^[0-9]*$/', $_REQUEST['delete_shift'])) { if (!isset($_REQUEST['delete_shift']) || !preg_match('/^\d*$/', $_REQUEST['delete_shift'])) {
redirect(page_link_to('user_shifts')); redirect(page_link_to('user_shifts'));
} }
$shift_id = $_REQUEST['delete_shift']; $shift_id = $_REQUEST['delete_shift'];
@ -360,7 +360,7 @@ function shifts_json_export_controller()
{ {
global $user; global $user;
if (!isset($_REQUEST['key']) || !preg_match('/^[0-9a-f]{32}$/', $_REQUEST['key'])) { if (!isset($_REQUEST['key']) || !preg_match('/^[\da-f]{32}$/', $_REQUEST['key'])) {
engelsystem_error('Missing key.'); engelsystem_error('Missing key.');
} }


@ -79,7 +79,7 @@ function shifttype_edit_controller()
error(_('Please enter a name.')); error(_('Please enter a name.'));
} }
if (isset($_REQUEST['angeltype_id']) && preg_match('/^[0-9]+$/', $_REQUEST['angeltype_id'])) { if (isset($_REQUEST['angeltype_id']) && preg_match('/^\d+$/', $_REQUEST['angeltype_id'])) {
$angeltype_id = $_REQUEST['angeltype_id']; $angeltype_id = $_REQUEST['angeltype_id'];
} else { } else {
$angeltype_id = null; $angeltype_id = null;


@ -41,7 +41,7 @@ function Message_send($receiver_user_id, $text)
global $user; global $user;
$text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($text)); $text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($text));
$receiver_user_id = preg_replace('/([^0-9]{1,})/ui', '', strip_tags($receiver_user_id)); $receiver_user_id = preg_replace('/([^\d]{1,})/ui', '', strip_tags($receiver_user_id));
if ( if (
($text != '' && is_numeric($receiver_user_id)) ($text != '' && is_numeric($receiver_user_id))
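Review bot: In Message_send the new class `[^\d]` is compiled with the `u` modifier, and PHP enables Unicode character properties for `u` patterns, so `\d` here matches every Unicode decimal digit rather than only `0-9`. The old pattern stripped non-ASCII digits from `$receiver_user_id`; the new one keeps them, and the value then depends on the `is_numeric()` test below to be rejected. Keeping `'/([^0-9]{1,})/ui'` on this line, or dropping the `u` and `i` modifiers that an ASCII digit class does not need, preserves the original behaviour. The function body continues outside the hunk.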


@ -33,7 +33,7 @@ function admin_active()
if (isset($_REQUEST['set_active'])) { if (isset($_REQUEST['set_active'])) {
$valid = true; $valid = true;
if (isset($_REQUEST['count']) && preg_match('/^[0-9]+$/', $_REQUEST['count'])) { if (isset($_REQUEST['count']) && preg_match('/^\d+$/', $_REQUEST['count'])) {
$count = strip_request_item('count'); $count = strip_request_item('count');
if ($count < $forced_count) { if ($count < $forced_count) {
error(sprintf( error(sprintf(
@ -89,7 +89,7 @@ function admin_active()
} }
} }
if (isset($_REQUEST['active']) && preg_match('/^[0-9]+$/', $_REQUEST['active'])) { if (isset($_REQUEST['active']) && preg_match('/^\d+$/', $_REQUEST['active'])) {
$user_id = $_REQUEST['active']; $user_id = $_REQUEST['active'];
$user_source = User($user_id); $user_source = User($user_id);
if ($user_source != null) { if ($user_source != null) {
@ -99,7 +99,7 @@ function admin_active()
} else { } else {
$msg = error(_('Angel not found.'), true); $msg = error(_('Angel not found.'), true);
} }
} elseif (isset($_REQUEST['not_active']) && preg_match('/^[0-9]+$/', $_REQUEST['not_active'])) { } elseif (isset($_REQUEST['not_active']) && preg_match('/^\d+$/', $_REQUEST['not_active'])) {
$user_id = $_REQUEST['not_active']; $user_id = $_REQUEST['not_active'];
$user_source = User($user_id); $user_source = User($user_id);
if ($user_source != null) { if ($user_source != null) {
@ -109,7 +109,7 @@ function admin_active()
} else { } else {
$msg = error(_('Angel not found.'), true); $msg = error(_('Angel not found.'), true);
} }
} elseif (isset($_REQUEST['tshirt']) && preg_match('/^[0-9]+$/', $_REQUEST['tshirt'])) { } elseif (isset($_REQUEST['tshirt']) && preg_match('/^\d+$/', $_REQUEST['tshirt'])) {
$user_id = $_REQUEST['tshirt']; $user_id = $_REQUEST['tshirt'];
$user_source = User($user_id); $user_source = User($user_id);
if ($user_source != null) { if ($user_source != null) {
@ -119,7 +119,7 @@ function admin_active()
} else { } else {
$msg = error('Angel not found.', true); $msg = error('Angel not found.', true);
} }
} elseif (isset($_REQUEST['not_tshirt']) && preg_match('/^[0-9]+$/', $_REQUEST['not_tshirt'])) { } elseif (isset($_REQUEST['not_tshirt']) && preg_match('/^\d+$/', $_REQUEST['not_tshirt'])) {
$user_id = $_REQUEST['not_tshirt']; $user_id = $_REQUEST['not_tshirt'];
$user_source = User($user_id); $user_source = User($user_id);
if ($user_source != null) { if ($user_source != null) {


@ -21,7 +21,7 @@ function admin_arrive()
$search = strip_request_item('search'); $search = strip_request_item('search');
} }
if (isset($_REQUEST['reset']) && preg_match('/^[0-9]*$/', $_REQUEST['reset'])) { if (isset($_REQUEST['reset']) && preg_match('/^\d*$/', $_REQUEST['reset'])) {
$user_id = $_REQUEST['reset']; $user_id = $_REQUEST['reset'];
$user_source = User($user_id); $user_source = User($user_id);
if ($user_source != null) { if ($user_source != null) {
@ -37,7 +37,7 @@ function admin_arrive()
} else { } else {
$msg = error(_('Angel not found.'), true); $msg = error(_('Angel not found.'), true);
} }
} elseif (isset($_REQUEST['arrived']) && preg_match('/^[0-9]*$/', $_REQUEST['arrived'])) { } elseif (isset($_REQUEST['arrived']) && preg_match('/^\d*$/', $_REQUEST['arrived'])) {
$user_id = $_REQUEST['arrived']; $user_id = $_REQUEST['arrived'];
$user_source = User($user_id); $user_source = User($user_id);
if ($user_source != null) { if ($user_source != null) {


@ -53,7 +53,7 @@ function admin_groups()
} else { } else {
switch ($_REQUEST['action']) { switch ($_REQUEST['action']) {
case 'edit': case 'edit':
if (isset($_REQUEST['id']) && preg_match('/^-[0-9]{1,11}$/', $_REQUEST['id'])) { if (isset($_REQUEST['id']) && preg_match('/^-\d{1,11}$/', $_REQUEST['id'])) {
$group_id = $_REQUEST['id']; $group_id = $_REQUEST['id'];
} else { } else {
return error('Incomplete call, missing Groups ID.', true); return error('Incomplete call, missing Groups ID.', true);
@ -99,7 +99,7 @@ function admin_groups()
break; break;
case 'save': case 'save':
if (isset($_REQUEST['id']) && preg_match('/^-[0-9]{1,11}$/', $_REQUEST['id'])) { if (isset($_REQUEST['id']) && preg_match('/^-\d{1,11}$/', $_REQUEST['id'])) {
$group_id = $_REQUEST['id']; $group_id = $_REQUEST['id'];
} else { } else {
return error('Incomplete call, missing Groups ID.', true); return error('Incomplete call, missing Groups ID.', true);
@ -114,7 +114,7 @@ function admin_groups()
DB::delete('DELETE FROM `GroupPrivileges` WHERE `group_id`=?', [$group_id]); DB::delete('DELETE FROM `GroupPrivileges` WHERE `group_id`=?', [$group_id]);
$privilege_names = []; $privilege_names = [];
foreach ($_REQUEST['privileges'] as $privilege) { foreach ($_REQUEST['privileges'] as $privilege) {
if (preg_match('/^[0-9]{1,}$/', $privilege)) { if (preg_match('/^\d{1,}$/', $privilege)) {
$group_privileges_source = DB::select( $group_privileges_source = DB::select(
'SELECT `name` FROM `Privileges` WHERE `id`=? LIMIT 1', 'SELECT `name` FROM `Privileges` WHERE `id`=? LIMIT 1',
[$privilege] [$privilege]
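Review bot: In the `save` branch of admin_groups, `$_REQUEST['privileges']` is iterated without a visible check that it is set and is an array, and the DELETE on GroupPrivileges runs before any submitted privilege ID has been validated. A guard placed before the delete, such as `$requested = isset($_REQUEST['privileges']) && is_array($_REQUEST['privileges']) ? $_REQUEST['privileges'] : [];`, together with `is_string($privilege) &&` in front of the `preg_match()` call, would make the empty and malformed cases explicit. Such a check may exist above the hunk, which starts inside the function.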


@ -14,7 +14,7 @@ function admin_news()
} }
$html = '<div class="col-md-12"><h1>' . _('Edit news entry') . '</h1>' . msg(); $html = '<div class="col-md-12"><h1>' . _('Edit news entry') . '</h1>' . msg();
if (isset($_REQUEST['id']) && preg_match('/^[0-9]{1,11}$/', $_REQUEST['id'])) { if (isset($_REQUEST['id']) && preg_match('/^\d{1,11}$/', $_REQUEST['id'])) {
$news_id = $_REQUEST['id']; $news_id = $_REQUEST['id'];
} else { } else {
return error('Incomplete call, missing News ID.', true); return error('Incomplete call, missing News ID.', true);


@ -98,7 +98,7 @@ function admin_questions()
} else { } else {
switch ($_REQUEST['action']) { switch ($_REQUEST['action']) {
case 'answer': case 'answer':
if (isset($_REQUEST['id']) && preg_match('/^[0-9]{1,11}$/', $_REQUEST['id'])) { if (isset($_REQUEST['id']) && preg_match('/^\d{1,11}$/', $_REQUEST['id'])) {
$question_id = $_REQUEST['id']; $question_id = $_REQUEST['id'];
} else { } else {
return error('Incomplete call, missing Question ID.', true); return error('Incomplete call, missing Question ID.', true);
@ -139,7 +139,7 @@ function admin_questions()
} }
break; break;
case 'delete': case 'delete':
if (isset($_REQUEST['id']) && preg_match('/^[0-9]{1,11}$/', $_REQUEST['id'])) { if (isset($_REQUEST['id']) && preg_match('/^\d{1,11}$/', $_REQUEST['id'])) {
$question_id = $_REQUEST['id']; $question_id = $_REQUEST['id'];
} else { } else {
return error('Incomplete call, missing Question ID.', true); return error('Incomplete call, missing Question ID.', true);


@ -112,7 +112,7 @@ function admin_rooms()
foreach ($angeltypes as $angeltype_id => $angeltype) { foreach ($angeltypes as $angeltype_id => $angeltype) {
if ( if (
isset($_REQUEST['angeltype_count_' . $angeltype_id]) isset($_REQUEST['angeltype_count_' . $angeltype_id])
&& preg_match('/^[0-9]{1,4}$/', $_REQUEST['angeltype_count_' . $angeltype_id]) && preg_match('/^\d{1,4}$/', $_REQUEST['angeltype_count_' . $angeltype_id])
) { ) {
$angeltypes_count[$angeltype_id] = $_REQUEST['angeltype_count_' . $angeltype_id]; $angeltypes_count[$angeltype_id] = $_REQUEST['angeltype_count_' . $angeltype_id];
} else { } else {


@ -72,7 +72,7 @@ function admin_shifts()
// Auswahl der sichtbaren Locations für die Schichten // Auswahl der sichtbaren Locations für die Schichten
if ( if (
isset($_REQUEST['rid']) isset($_REQUEST['rid'])
&& preg_match('/^[0-9]+$/', $_REQUEST['rid']) && preg_match('/^\d+$/', $_REQUEST['rid'])
&& isset($room_array[$_REQUEST['rid']]) && isset($room_array[$_REQUEST['rid']])
) { ) {
$rid = $_REQUEST['rid']; $rid = $_REQUEST['rid'];
@ -105,7 +105,7 @@ function admin_shifts()
if ($_REQUEST['mode'] == 'single') { if ($_REQUEST['mode'] == 'single') {
$mode = 'single'; $mode = 'single';
} elseif ($_REQUEST['mode'] == 'multi') { } elseif ($_REQUEST['mode'] == 'multi') {
if (isset($_REQUEST['length']) && preg_match('/^[0-9]+$/', trim($_REQUEST['length']))) { if (isset($_REQUEST['length']) && preg_match('/^\d+$/', trim($_REQUEST['length']))) {
$mode = 'multi'; $mode = 'multi';
$length = trim($_REQUEST['length']); $length = trim($_REQUEST['length']);
} else { } else {
@ -115,7 +115,7 @@ function admin_shifts()
} elseif ($_REQUEST['mode'] == 'variable') { } elseif ($_REQUEST['mode'] == 'variable') {
if ( if (
isset($_REQUEST['change_hours']) isset($_REQUEST['change_hours'])
&& preg_match('/^([0-9]{2}(,|$))/', trim(str_replace(' ', '', $_REQUEST['change_hours']))) && preg_match('/^(\d{2}(,|$))/', trim(str_replace(' ', '', $_REQUEST['change_hours'])))
) { ) {
$mode = 'variable'; $mode = 'variable';
$change_hours = array_map('trim', explode(',', $_REQUEST['change_hours'])); $change_hours = array_map('trim', explode(',', $_REQUEST['change_hours']));
@ -137,7 +137,7 @@ function admin_shifts()
foreach ($types as $type) { foreach ($types as $type) {
if ( if (
isset($_REQUEST['type_' . $type['id']]) isset($_REQUEST['type_' . $type['id']])
&& preg_match('/^[0-9]+$/', trim($_REQUEST['type_' . $type['id']])) && preg_match('/^\d+$/', trim($_REQUEST['type_' . $type['id']]))
) { ) {
$needed_angel_types[$type['id']] = trim($_REQUEST['type_' . $type['id']]); $needed_angel_types[$type['id']] = trim($_REQUEST['type_' . $type['id']]);
} else { } else {
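Review bot: The `change_hours` check `/^(\d{2}(,|$))/` in admin_shifts is anchored only at the start, so it validates the first two-digit entry and accepts anything after the first comma. It is also applied to a copy with spaces removed, while `explode(',', $_REQUEST['change_hours'])` two lines later works on the raw value. Matching the whole list, for example `'/^\d{2}(,\d{2})*\z/'` on the normalised string, and exploding that same string would keep validation and use in step. Whether later code re-checks each entry is not visible in this hunk.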


@ -155,7 +155,7 @@ function guest_register()
if (isset($_REQUEST['prename'])) { if (isset($_REQUEST['prename'])) {
$preName = strip_request_item('prename'); $preName = strip_request_item('prename');
} }
if (isset($_REQUEST['age']) && preg_match('/^[0-9]{0,4}$/', $_REQUEST['age'])) { if (isset($_REQUEST['age']) && preg_match('/^\d{0,4}$/', $_REQUEST['age'])) {
$age = strip_request_item('age'); $age = strip_request_item('age');
} }
if (isset($_REQUEST['tel'])) { if (isset($_REQUEST['tel'])) {


@ -9,7 +9,7 @@ function user_atom()
{ {
global $user, $display_news; global $user, $display_news;
if (!isset($_REQUEST['key']) || !preg_match('/^[0-9a-f]{32}$/', $_REQUEST['key'])) { if (!isset($_REQUEST['key']) || !preg_match('/^[\da-f]{32}$/', $_REQUEST['key'])) {
engelsystem_error('Missing key.'); engelsystem_error('Missing key.');
} }
$key = $_REQUEST['key']; $key = $_REQUEST['key'];
@ -48,7 +48,7 @@ function make_atom_entries_from_news($news_entries)
<title>Engelsystem</title> <title>Engelsystem</title>
<id>' . $_SERVER['HTTP_HOST'] <id>' . $_SERVER['HTTP_HOST']
. htmlspecialchars(preg_replace( . htmlspecialchars(preg_replace(
'#[&?]key=[a-f0-9]{32}#', '#[&?]key=[a-f\d]{32}#',
'', '',
$_SERVER['REQUEST_URI'] $_SERVER['REQUEST_URI']
)) ))
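Review bot: In make_atom_entries_from_news, `$_SERVER['HTTP_HOST']` is concatenated into the `<id>` element without escaping, while only the `REQUEST_URI` part goes through `htmlspecialchars()`. The Host header is supplied by the client, so it should be escaped the same way, `htmlspecialchars($_SERVER['HTTP_HOST'])`, or replaced by a configured base URL. The function starts and ends outside the hunk, so any earlier normalisation of the host is not visible here.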


@ -7,7 +7,7 @@ function user_ical()
{ {
global $user; global $user;
if (!isset($_REQUEST['key']) || !preg_match('/^[0-9a-f]{32}$/', $_REQUEST['key'])) { if (!isset($_REQUEST['key']) || !preg_match('/^[\da-f]{32}$/', $_REQUEST['key'])) {
engelsystem_error('Missing key.'); engelsystem_error('Missing key.');
} }
$key = $_REQUEST['key']; $key = $_REQUEST['key'];


@ -123,7 +123,7 @@ function user_messages()
} else { } else {
switch ($_REQUEST['action']) { switch ($_REQUEST['action']) {
case 'read': case 'read':
if (isset($_REQUEST['id']) && preg_match('/^[0-9]{1,11}$/', $_REQUEST['id'])) { if (isset($_REQUEST['id']) && preg_match('/^\d{1,11}$/', $_REQUEST['id'])) {
$message_id = $_REQUEST['id']; $message_id = $_REQUEST['id'];
} else { } else {
return error(_('Incomplete call, missing Message ID.'), true); return error(_('Incomplete call, missing Message ID.'), true);
@ -145,7 +145,7 @@ function user_messages()
break; break;
case 'delete': case 'delete':
if (isset($_REQUEST['id']) && preg_match('/^[0-9]{1,11}$/', $_REQUEST['id'])) { if (isset($_REQUEST['id']) && preg_match('/^\d{1,11}$/', $_REQUEST['id'])) {
$message_id = $_REQUEST['id']; $message_id = $_REQUEST['id'];
} else { } else {
return error(_('Incomplete call, missing Message ID.'), true); return error(_('Incomplete call, missing Message ID.'), true);


@ -23,7 +23,7 @@ function user_myshifts()
if ( if (
isset($_REQUEST['id']) isset($_REQUEST['id'])
&& in_array('user_shifts_admin', $privileges) && in_array('user_shifts_admin', $privileges)
&& preg_match('/^[0-9]{1,}$/', $_REQUEST['id']) && preg_match('/^\d{1,}$/', $_REQUEST['id'])
&& count(DB::select('SELECT `UID` FROM `User` WHERE `UID`=?', [$_REQUEST['id']])) > 0 && count(DB::select('SELECT `UID` FROM `User` WHERE `UID`=?', [$_REQUEST['id']])) > 0
) { ) {
$user_id = $_REQUEST['id']; $user_id = $_REQUEST['id'];
@ -47,7 +47,7 @@ function user_myshifts()
), ),
button(page_link_to('user_myshifts') . '&reset=ack', _('Continue'), 'btn-danger') button(page_link_to('user_myshifts') . '&reset=ack', _('Continue'), 'btn-danger')
]); ]);
} elseif (isset($_REQUEST['edit']) && preg_match('/^[0-9]*$/', $_REQUEST['edit'])) { } elseif (isset($_REQUEST['edit']) && preg_match('/^\d*$/', $_REQUEST['edit'])) {
$user_id = $_REQUEST['edit']; $user_id = $_REQUEST['edit'];
$shift = DB::select(' $shift = DB::select('
SELECT SELECT
@ -129,7 +129,7 @@ function user_myshifts()
} else { } else {
redirect(page_link_to('user_myshifts')); redirect(page_link_to('user_myshifts'));
} }
} elseif (isset($_REQUEST['cancel']) && preg_match('/^[0-9]*$/', $_REQUEST['cancel'])) { } elseif (isset($_REQUEST['cancel']) && preg_match('/^\d*$/', $_REQUEST['cancel'])) {
$user_id = $_REQUEST['cancel']; $user_id = $_REQUEST['cancel'];
$shift = DB::select(' $shift = DB::select('
SELECT * SELECT *


@ -35,7 +35,7 @@ function user_meetings()
$html = '<div class="col-md-12"><h1>' . meetings_title() . '</h1>' . msg(); $html = '<div class="col-md-12"><h1>' . meetings_title() . '</h1>' . msg();
if (isset($_REQUEST['page']) && preg_match('/^[0-9]{1,}$/', $_REQUEST['page'])) { if (isset($_REQUEST['page']) && preg_match('/^\d{1,}$/', $_REQUEST['page'])) {
$page = $_REQUEST['page']; $page = $_REQUEST['page'];
} else { } else {
$page = 0; $page = 0;
@ -120,7 +120,7 @@ function user_news_comments()
$html = '<div class="col-md-12"><h1>' . user_news_comments_title() . '</h1>'; $html = '<div class="col-md-12"><h1>' . user_news_comments_title() . '</h1>';
if ( if (
isset($_REQUEST['nid']) isset($_REQUEST['nid'])
&& preg_match('/^[0-9]{1,}$/', $_REQUEST['nid']) && preg_match('/^\d{1,}$/', $_REQUEST['nid'])
&& count(DB::select('SELECT `ID` FROM `News` WHERE `ID`=? LIMIT 1', [$_REQUEST['nid']])) > 0 && count(DB::select('SELECT `ID` FROM `News` WHERE `ID`=? LIMIT 1', [$_REQUEST['nid']])) > 0
) { ) {
$nid = $_REQUEST['nid']; $nid = $_REQUEST['nid'];
@ -203,7 +203,7 @@ function user_news()
redirect(page_link_to('news')); redirect(page_link_to('news'));
} }
if (isset($_REQUEST['page']) && preg_match('/^[0-9]{1,}$/', $_REQUEST['page'])) { if (isset($_REQUEST['page']) && preg_match('/^\d{1,}$/', $_REQUEST['page'])) {
$page = $_REQUEST['page']; $page = $_REQUEST['page'];
} else { } else {
$page = 0; $page = 0;


@ -56,7 +56,7 @@ function user_questions()
} }
break; break;
case 'delete': case 'delete':
if (isset($_REQUEST['id']) && preg_match('/^[0-9]{1,11}$/', $_REQUEST['id'])) { if (isset($_REQUEST['id']) && preg_match('/^\d{1,11}$/', $_REQUEST['id'])) {
$question_id = $_REQUEST['id']; $question_id = $_REQUEST['id'];
} else { } else {
return error(_('Incomplete call, missing Question ID.'), true); return error(_('Incomplete call, missing Question ID.'), true);


@ -164,7 +164,7 @@ function strip_request_item($name, $default_value = null)
function test_request_int($name) function test_request_int($name)
{ {
if (isset($_REQUEST[$name])) { if (isset($_REQUEST[$name])) {
return preg_match('/^[0-9]*$/', $_REQUEST[$name]); return preg_match('/^\d*$/', $_REQUEST[$name]);
} }
return false; return false;
} }
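Review bot: test_request_int passes `$_REQUEST[$name]` straight to `preg_match()`, but a parameter submitted in array form arrives as a PHP array, which makes `preg_match()` emit a warning or throw a TypeError depending on the PHP version. The same applies to every `isset(...) && preg_match(...)` pair touched by this commit. A guard such as `return is_string($_REQUEST[$name]) && preg_match('/^\d*$/', $_REQUEST[$name]) === 1;` would also give the helper a real boolean return instead of the int-or-false from `preg_match()`. A short docblock stating that it reports whether the named request parameter consists only of decimal digits would help callers.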


@ -30,7 +30,7 @@ if (!isset($_REQUEST['p'])) {
if ( if (
isset($_REQUEST['p']) isset($_REQUEST['p'])
&& preg_match('/^[a-z0-9_]*$/i', $_REQUEST['p']) && preg_match('/^\w*$/i', $_REQUEST['p'])
&& ( && (
in_array($_REQUEST['p'], $free_pages) in_array($_REQUEST['p'], $free_pages)
|| (isset($privileges) && in_array($_REQUEST['p'], $privileges)) || (isset($privileges) && in_array($_REQUEST['p'], $privileges))
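Review bot: `\w` is not a strict synonym for `[a-z0-9_]` in the page-name check: without the `u` modifier, PCRE's word class may follow the character tables built for the active locale, so under a non-C `LC_CTYPE` it can admit bytes above 0x7F, and the `i` flag is now redundant. The value is still matched against `$free_pages` and `$privileges`, which limits the effect, but those `in_array()` calls use loose comparison. Keeping the explicit class `'/^[a-z0-9_]*$/i'` for this routing parameter and passing `true` as the third argument to `in_array()` keeps the allowlist exact. The condition continues past the end of the hunk.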