search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
minor bug fix
[openemr.git] / library / classes / Filtreatment_class.php
blob362751cdd7680b31e54e5056ee9ddad2545b693e
1 <?php
2 /**
3 * FILTREATMENT CLASS FILE
4 *
5 *
6 * @author Cristian Năvălici {@link http://www.lemonsoftware.eu} lemonsoftware [at] gmail [.] com
7 * @version 1.31 17 March 2008
8 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
9 * @package Filtreatment
10 *
11 */
12
13 //error_reporting(E_ALL);
14
15 /**
16 * constant used in float comparisions
17 */
18 define('EPSILON', 1.0e-8);
19
20 /**
21 * CLASS DEFINITION
22 *
23 * This class can be used to sanitize user inputs and prevent
24 * most of known vulnerabilities
25 * it requires at least PHP 5.0
26 *
27 * @package Filtreatment
28 */
29 class Filtreatment {
30
31 var $minval = 0;
32 var $maxval = 0;
33 var $error = '';
34
35 /**
36 * CONSTRUCTOR
37 *
38 * do some settings at init
39 *
40 * @param none
41 * @return void
42 */
43 function __construct() {
44 if ( get_magic_quotes_gpc() ) {
45 if ( !defined('MAGICQUOTES') ) define ('MAGICQUOTES', TRUE);
46 } else {
47 if ( !defined('MAGICQUOTES') ) define ('MAGICQUOTES', FALSE);
48 }
49 }
50
51 //-----------------------------------------------------------------------------
52 /**
53 * CHECKS FOR AN INTEGER
54 *
55 * if the $minval and|or $maxval are set, a comparison will be performed
56 *
57 * NOTE: because the function can return 0 also as a valid result, check with === the return value
58 * @param int $input - what to check/transform
59 * @return int|bool
60 */
61 function ft_integer($input) {
62 $input_c = (int)$input;
63 $mnval = (int)$this->minval;
64 $mxval = (int)$this->maxval;
65
66 if ( !$mnval && !$mxval ) {
67 return $input_c;
68 } else if ( $mnval && $mxval ) {
69 // check if they are in order (min < max)
70 if ( $mnval > $mxval ) {
71 $temp = $mnval;
72 $mnval = $mxval;
73 $mxval = $temp;
74 }
75
76 // and then check if the value is between these values
77 return (($input >= $mnval) && ($input <= $mxval)) ? $input_c : FALSE;
78 } else {
79 // only one value set
80 if ( $mnval ) return (($input >= $mnval) ? $input_c : FALSE );
81 if ( $mxval ) return (($input <= $mxval) ? $input_c : FALSE );
82 }
83
84 }
85
86
87 //-----------------------------------------------------------------------------
88 /**
89 * CHECKS FOR A FLOAT
90 *
91 * if the $minval and|or $maxval are set, a comparison will be performed
92 *
93 * @param int $input - what to check/transform
94 * @return int|bool
95 */
96 function ft_float($input) {
97 $input_c = (float)$input;
98 $mnval = (float)$this->minval;
99 $mxval = (float)$this->maxval;
100
101 if ( !$mnval && !$mxval ) {
102 return $input_c;
103 } else if ( $mnval && $mxval ) {
104 // check if they are in order (min < max)
105 if ( $this->ft_realcmp($mnval, $mxval) > 0 ) {
106 $temp = $mnval;
107 $mnval = $mxval;
108 $mxval = $temp;
109 }
110
111 // and then check if the value is between these values
112 $lt = $this->ft_realcmp($input, $mxval); //-1 or 0 for true
113 if ( $lt === -1 || $lt === 0 ) $lt = $input_c; else $lt = FALSE;
114
115 $gt = $this->ft_realcmp($input, $mnval); //1 or 0 for true
116 if ( $gt === 1 || $gt === 0 ) $gt = TRUE; else $gt = FALSE;
117
118 return (( $lt && $gt ) ? $input_c : FALSE);
119 } else {
120 // only one value set
121 if ( $mnval ) {
122 $gt = $this->ft_realcmp($input, $mnval); //1 or 0 for true
123 return ( $gt === 1 || $gt === 0 ) ? $input_c : FALSE;
124 }
125
126 if ( $mxval ) {
127 $lt = $this->ft_realcmp($input, $mxval); //-1 or 0 for true
128 return ( $lt === -1 || $lt === 0 ) ? $input_c : FALSE;
129 }
130 }
131
132 }
133
134 //-----------------------------------------------------------------------------
135 /**
136 * VALIDATES A DATE
137 *
138 * must be in YYYY-MM-DD format
139 *
140 * @param string $str - date in requested format
141 * @return string|bool - the string itselfs only for valid date
142 */
143 function ft_validdate($str) {
144 if ( preg_match("/([0-9]{4})-([0-9]{1,2})-([0-9]{1,2})/", $str) ) {
145 $arr = split("-",$str); // splitting the array
146 $yy = $arr[0]; // first element of the array is year
147 $mm = $arr[1]; // second element is month
148 $dd = $arr[2]; // third element is days
149 return ( checkdate($mm, $dd, $yy) ? $str : FALSE );
150 } else {
151 return FALSE;
152 }
153 }
154
155 //-----------------------------------------------------------------------------
156 /**
157 * VALIDATES AN EMAIL
158 *
159 * implies RFC 2822
160 *
161 * @param string $str - email to validate
162 * @return string|bool - the string itselfs only for valid email
163 */
164 function ft_email($email) {
165 if (MAGICQUOTES) {
166 $value = stripslashes($email);
167 }
168
169 // check for @ symbol and maximum allowed lengths
170 if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) { return FALSE; }
171
172 // split for sections
173 $email_array = explode("@", $email);
174 $local_array = explode(".", $email_array[0]);
175
176 for ($i = 0; $i < sizeof($local_array); $i++) {
177 if ( !ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i]) ) {
178 return FALSE;
179 }
180 }
181
182 if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) {
183 // verify if domain is IP. If not, it must be a valid domain name
184 $domain_array = explode(".", $email_array[1]);
185 if (sizeof($domain_array) < 2) { return FALSE; }
186
187 for ($i = 0; $i < sizeof($domain_array); $i++) {
188 if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
189 return false;
190 }
191 }
192 } // if
193
194 return $email;
195 }
196
197 //-----------------------------------------------------------------------------
198 /**
199 * PREPARES THE INPUT FOR DATABASE
200 *
201 * works with mysql/postgresql
202 * NOTE: mysql_real_escape_string() requires that a valid mysql connection (mysql_connect()) exists to work
203 *
204 * @param string $value - email to validate
205 * @param string $db_type - allow two constants MYSQL | PGSQL
206 * @return string|bool $value sanitized value
207 */
208 function ft_dbsql($value, $db_type = 'MYSQL') {
209 if (MAGICQUOTES) {
210 $value = stripslashes($value);
211 }
212
213 // Quote if not a number or a numeric string
214 if (!is_numeric($value)) {
215 /*switch ($db_type) {
216 case 'MYSQL': $value = "'" . mysql_real_escape_string($value) . "'"; break;
217 case 'PGSQL': $value = "'" . pg_escape_string($value) . "'"; break;
218 }*/
219 // trick to not modify the openemr genuine code who put the string (already quoted) in quotes!
220 switch ($db_type) {
221 case 'MYSQL': $value = mysql_real_escape_string($value); break;
222 case 'PGSQL': $value = pg_escape_string($value); break;
223 }
224 }
225
226 return $value;
227 }
228
229
230 //-----------------------------------------------------------------------------
231 /**
232 * WORKS ON A STRING WITH REGEX EXPRESSION
233 *
234 * checks a string for specified characters
235 *
236 * @param string $value - variable to sanitize
237 * @param string $regex - is in a special form detailed below:
238 * it contains ONLY allowed characters, ANY other characters making invalid string
239 * it must NOT contain begin/end delimitators /[... ]/
240 * eg: 0-9, 0-9A-Za-z, AERS
241 * @param int $cv - 1 or 2
242 * @return string|bool return string if check succeed ($cv = 1) or string with replaced chars
243
244 */
245 function ft_strregex($value, $regex, $cv = 1) {
246 $s = TRUE; //var control
247 $regexfull = "/[^" . $regex . "]/";
248
249 // function of $cv might be a clean up operation, or just verifying
250 switch ($cv) {
251 // verify the string
252 case '1':
253 $s = ( preg_match($regexfull, $value) ? FALSE : TRUE );
254 break;
255
256 // cleanup the string
257 case '2':
258 $value = preg_replace($regexfull,'',$value);
259 break;
260
261 // if $cv is not specified or it's wrong
262 default: if ( preg_match($regexfull, $value) ) $s = FALSE;
263 }
264
265 return ( $s ? $value : FALSE );
266 }
267
268
269
270 //-----------------------------------------------------------------------------
271 /**
272 * CLEANS AGAINST XSS
273 *
274 * NOTE all credits goes to codeigniter.com
275 * @param string $str - string to check
276 * @param string $charset - character set (default ISO-8859-1)
277 * @return string|bool $value sanitized string
278 */
279 function ft_xss($str, $charset = 'ISO-8859-1') {
280 /*
281 * Remove Null Characters
282 *
283 * This prevents sandwiching null characters
284 * between ascii characters, like Java\0script.
285 *
286 */
287 $str = preg_replace('/\0+/', '', $str);
288 $str = preg_replace('/(\\\\0)+/', '', $str);
289
290 /*
291 * Validate standard character entities
292 *
293 * Add a semicolon if missing. We do this to enable
294 * the conversion of entities to ASCII later.
295 *
296 */
297 $str = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"\\1;",$str);
298
299 /*
300 * Validate UTF16 two byte encoding (x00)
301 *
302 * Just as above, adds a semicolon if missing.
303 *
304 */
305 $str = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"\\1\\2;",$str);
306
307 /*
308 * URL Decode
309 *
310 * Just in case stuff like this is submitted:
311 *
312 * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
313 *
314 * Note: Normally urldecode() would be easier but it removes plus signs
315 *
316 */
317 $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
318 $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
319
320 /*
321 * Convert character entities to ASCII
322 *
323 * This permits our tests below to work reliably.
324 * We only convert entities that are within tags since
325 * these are the ones that will pose security problems.
326 *
327 */
328 if (preg_match_all("/<(.+?)>/si", $str, $matches)) {
329 for ($i = 0; $i < count($matches['0']); $i++) {
330 $str = str_replace($matches['1'][$i],
331 html_entity_decode($matches['1'][$i], ENT_COMPAT, $charset), $str);
332 }
333 }
334
335 /*
336 * Convert all tabs to spaces
337 *
338 * This prevents strings like this: ja vascript
339 * Note: we deal with spaces between characters later.
340 *
341 */
342 $str = preg_replace("#\t+#", " ", $str);
343
344 /*
345 * Makes PHP tags safe
346 *
347 * Note: XML tags are inadvertently replaced too:
348 *
349 * <?xml
350 *
351 * But it doesn't seem to pose a problem.
352 *
353 */
354 $str = str_replace(array('<?php', '<?PHP', '<?', '?>'), array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
355
356 /*
357 * Compact any exploded words
358 *
359 * This corrects words like: j a v a s c r i p t
360 * These words are compacted back to their correct state.
361 *
362 */
363 $words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
364 foreach ($words as $word) {
365 $temp = '';
366 for ($i = 0; $i < strlen($word); $i++) {
367 $temp .= substr($word, $i, 1)."\s*";
368 }
369
370 $temp = substr($temp, 0, -3);
371 $str = preg_replace('#'.$temp.'#s', $word, $str);
372 $str = preg_replace('#'.ucfirst($temp).'#s', ucfirst($word), $str);
373 }
374
375 /*
376 * Remove disallowed Javascript in links or img tags
377 */
378 $str = preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $str);
379 $str = preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si","", $str);
380 $str = preg_replace("#<(script|xss).*?\>#si", "", $str);
381
382 /*
383 * Remove JavaScript Event Handlers
384 *
385 * Note: This code is a little blunt. It removes
386 * the event handler and anything up to the closing >,
387 * but it's unlikely to be a problem.
388 *
389 */
390 $str = preg_replace('#(<[^>]+.*?)(onblur|onchange|onclick|onfocus|onload|onmouseover|onmouseup|onmousedown|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU',"\\1>",$str);
391
392 /*
393 * Sanitize naughty HTML elements
394 *
395 * If a tag containing any of the words in the list
396 * below is found, the tag gets converted to entities.
397 *
398 * So this: <blink>
399 * Becomes: &lt;blink&gt;
400 *
401 */
402 $str = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $str);
403
404 /*
405 * Sanitize naughty scripting elements
406 *
407 * Similar to above, only instead of looking for
408 * tags it looks for PHP and JavaScript commands
409 * that are disallowed. Rather than removing the
410 * code, it simply converts the parenthesis to entities
411 * rendering the code un-executable.
412 *
413 * For example: eval('some code')
414 * Becomes: eval&#40;'some code'&#41;
415 *
416 */
417 $str = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);
418
419 /*
420 * Final clean up
421 *
422 * This adds a bit of extra precaution in case
423 * something got through the above filters
424 *
425 */
426
427 $bad = array(
428 'document.cookie' => '',
429 'document.write' => '',
430 'window.location' => '',
431 "javascript\s*:" => '',
432 "Redirect\s+302" => '',
433 '<!--' => '&lt;!--',
434 '-->' => '--&gt;'
435 );
436
437 foreach ($bad as $key => $val) {
438 $str = preg_replace("#".$key."#i", $val, $str);
439 }
440
441 return $str;
442
443 }
444
445 //-----------------------------------------------------------------------------
446 /**
447 * DISPLAY ERRORS
448 *
449 * @param int $mode - if 1 then echo the string; if 2 then echo the string
450 * @return void
451 */
452 function display_error($mode = 1) {
453 $errstr = ( $this->error ) ? $this->error : '';
454 if ( $mode == 1 ) {
455 echo '<br />' .$this->ft_xss($errstr) . '<br />';
456 } else {
457 return $this->ft_xss($errstr);
458 }
459 }
460
461
462 //-----------------------------------------------------------------------------
463 /**
464 * REAL COMPARASION BETWEEN FLOATS
465 *
466 * 0 - for ==, 1 for r1 > r2, -1 for r1 '<' r2
467 *
468 * @param float $r1
469 * @param float $r2
470 * @return int
471 */
472 function ft_realcmp($r1, $r2) {
473 $diff = $r1 - $r2;
474
475 if ( abs($diff) < EPSILON ) return 0;
476 else return $diff < 0 ? -1 : 1;
477 }
478
479
480 //-----------------------------------------------------------------------------
481 } // class
482
483 ?>
Mirror of official OpenEMR Sourceforge repository