search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mysql 8 fixes (#1639)
[openemr.git] / library / classes / Filtreatment_class.php
blobaff39b68a249ef2d97345eea550ef2e8ab01eda6
1 <?php
2 /**
3 * FILTREATMENT CLASS FILE
4 *
5 *
6 * @author Cristian Năvălici {@link http://www.lemonsoftware.eu} lemonsoftware [at] gmail [.] com
7 * @version 1.31 17 March 2008
8 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
9 * @package Filtreatment
10 *
11 */
12
13 //error_reporting(E_ALL);
14
15 /**
16 * constant used in float comparisions
17 */
18 define('EPSILON', 1.0e-8);
19
20 /**
21 * CLASS DEFINITION
22 *
23 * This class can be used to sanitize user inputs and prevent
24 * most of known vulnerabilities
25 * it requires at least PHP 5.0
26 *
27 * @package Filtreatment
28 */
29 class Filtreatment
30 {
31
32 var $minval = 0;
33 var $maxval = 0;
34 var $error = '';
35
36 /**
37 * CONSTRUCTOR
38 *
39 * do some settings at init
40 *
41 * @param none
42 * @return void
43 */
44 function __construct()
45 {
46 if (get_magic_quotes_gpc()) {
47 if (!defined('MAGICQUOTES')) {
48 define('MAGICQUOTES', true);
49 }
50 } else {
51 if (!defined('MAGICQUOTES')) {
52 define('MAGICQUOTES', false);
53 }
54 }
55 }
56
57 //-----------------------------------------------------------------------------
58 /**
59 * CHECKS FOR AN INTEGER
60 *
61 * if the $minval and|or $maxval are set, a comparison will be performed
62 *
63 * NOTE: because the function can return 0 also as a valid result, check with === the return value
64 * @param int $input - what to check/transform
65 * @return int|bool
66 */
67 function ft_integer($input)
68 {
69 $input_c = (int)$input;
70 $mnval = (int)$this->minval;
71 $mxval = (int)$this->maxval;
72
73 if (!$mnval && !$mxval) {
74 return $input_c;
75 } else if ($mnval && $mxval) {
76 // check if they are in order (min < max)
77 if ($mnval > $mxval) {
78 $temp = $mnval;
79 $mnval = $mxval;
80 $mxval = $temp;
81 }
82
83 // and then check if the value is between these values
84 return (($input >= $mnval) && ($input <= $mxval)) ? $input_c : false;
85 } else {
86 // only one value set
87 if ($mnval) {
88 return (($input >= $mnval) ? $input_c : false );
89 }
90
91 if ($mxval) {
92 return (($input <= $mxval) ? $input_c : false );
93 }
94 }
95 }
96
97
98 //-----------------------------------------------------------------------------
99 /**
100 * CHECKS FOR A FLOAT
101 *
102 * if the $minval and|or $maxval are set, a comparison will be performed
103 *
104 * @param int $input - what to check/transform
105 * @return int|bool
106 */
107 function ft_float($input)
108 {
109 $input_c = (float)$input;
110 $mnval = (float)$this->minval;
111 $mxval = (float)$this->maxval;
112
113 if (!$mnval && !$mxval) {
114 return $input_c;
115 } else if ($mnval && $mxval) {
116 // check if they are in order (min < max)
117 if ($this->ft_realcmp($mnval, $mxval) > 0) {
118 $temp = $mnval;
119 $mnval = $mxval;
120 $mxval = $temp;
121 }
122
123 // and then check if the value is between these values
124 $lt = $this->ft_realcmp($input, $mxval); //-1 or 0 for true
125 if ($lt === -1 || $lt === 0) {
126 $lt = $input_c;
127 } else {
128 $lt = false;
129 }
130
131 $gt = $this->ft_realcmp($input, $mnval); //1 or 0 for true
132 if ($gt === 1 || $gt === 0) {
133 $gt = true;
134 } else {
135 $gt = false;
136 }
137
138 return (( $lt && $gt ) ? $input_c : false);
139 } else {
140 // only one value set
141 if ($mnval) {
142 $gt = $this->ft_realcmp($input, $mnval); //1 or 0 for true
143 return ( $gt === 1 || $gt === 0 ) ? $input_c : false;
144 }
145
146 if ($mxval) {
147 $lt = $this->ft_realcmp($input, $mxval); //-1 or 0 for true
148 return ( $lt === -1 || $lt === 0 ) ? $input_c : false;
149 }
150 }
151 }
152
153 //-----------------------------------------------------------------------------
154 /**
155 * VALIDATES A DATE
156 *
157 * must be in YYYY-MM-DD format
158 *
159 * @param string $str - date in requested format
160 * @return string|bool - the string itselfs only for valid date
161 */
162 function ft_validdate($str)
163 {
164 if (preg_match("/([0-9]{4})-([0-9]{1,2})-([0-9]{1,2})/", $str)) {
165 $arr = explode("-", $str); // splitting the array
166 $yy = $arr[0]; // first element of the array is year
167 $mm = $arr[1]; // second element is month
168 $dd = $arr[2]; // third element is days
169 return ( checkdate($mm, $dd, $yy) ? $str : false );
170 } else {
171 return false;
172 }
173 }
174
175 //-----------------------------------------------------------------------------
176 /**
177 * VALIDATES AN EMAIL
178 *
179 * implies RFC 2822
180 *
181 * @param string $str - email to validate
182 * @return string|bool - the string itselfs only for valid email
183 */
184 function ft_email($email)
185 {
186 if (MAGICQUOTES) {
187 $value = stripslashes($email);
188 }
189
190 // check for @ symbol and maximum allowed lengths
191 if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/", $email)) {
192 return false;
193 }
194
195 // split for sections
196 $email_array = explode("@", $email);
197 $local_array = explode(".", $email_array[0]);
198
199 for ($i = 0; $i < sizeof($local_array); $i++) {
200 if (!preg_match("/^(([A-Za-z0-9!#$%&'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&'*+\/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$/", $local_array[$i])) {
201 return false;
202 }
203 }
204
205 if (!preg_match("/^\[?[0-9\.]+\]?$/", $email_array[1])) {
206 // verify if domain is IP. If not, it must be a valid domain name
207 $domain_array = explode(".", $email_array[1]);
208 if (sizeof($domain_array) < 2) {
209 return false;
210 }
211
212 for ($i = 0; $i < sizeof($domain_array); $i++) {
213 if (!preg_match("/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/", $domain_array[$i])) {
214 return false;
215 }
216 }
217 } // if
218
219 return $email;
220 }
221
222 //-----------------------------------------------------------------------------
223 /**
224 * PREPARES THE INPUT FOR DATABASE
225 *
226 * works with mysql/postgresql
227 *
228 * @param string $value - email to validate
229 * @param string $db_type - allow two constants MYSQL | PGSQL
230 * @return string|bool $value sanitized value
231 */
232 function ft_dbsql($value, $db_type = 'MYSQL')
233 {
234 if (MAGICQUOTES) {
235 $value = stripslashes($value);
236 }
237
238 // Quote if not a number or a numeric string
239 if (!is_numeric($value)) {
240 switch ($db_type) {
241 case 'MYSQL':
242 $value = add_escape_custom($value);
243 break;
244 case 'PGSQL':
245 $value = pg_escape_string($value);
246 break;
247 }
248 }
249
250 return $value;
251 }
252
253
254 //-----------------------------------------------------------------------------
255 /**
256 * WORKS ON A STRING WITH REGEX EXPRESSION
257 *
258 * checks a string for specified characters
259 *
260 * @param string $value - variable to sanitize
261 * @param string $regex - is in a special form detailed below:
262 * it contains ONLY allowed characters, ANY other characters making invalid string
263 * it must NOT contain begin/end delimitators /[... ]/
264 * eg: 0-9, 0-9A-Za-z, AERS
265 * @param int $cv - 1 or 2
266 * @return string|bool return string if check succeed ($cv = 1) or string with replaced chars
267
268 */
269 function ft_strregex($value, $regex, $cv = 1)
270 {
271 $s = true; //var control
272 $regexfull = "/[^" . $regex . "]/";
273
274 // function of $cv might be a clean up operation, or just verifying
275 switch ($cv) {
276 // verify the string
277 case '1':
278 $s = ( preg_match($regexfull, $value) ? false : true );
279 break;
280
281 // cleanup the string
282 case '2':
283 $value = preg_replace($regexfull, '', $value);
284 break;
285
286 // if $cv is not specified or it's wrong
287 default:
288 if (preg_match($regexfull, $value)) {
289 $s = false;
290 }
291 }
292
293 return ( $s ? $value : false );
294 }
295
296
297
298 //-----------------------------------------------------------------------------
299 /**
300 * CLEANS AGAINST XSS
301 *
302 * NOTE all credits goes to codeigniter.com
303 * @param string $str - string to check
304 * @param string $charset - character set (default ISO-8859-1)
305 * @return string|bool $value sanitized string
306 */
307 function ft_xss($str, $charset = 'ISO-8859-1')
308 {
309 /*
310 * Remove Null Characters
311 *
312 * This prevents sandwiching null characters
313 * between ascii characters, like Java\0script.
314 *
315 */
316 $str = preg_replace('/\0+/', '', $str);
317 $str = preg_replace('/(\\\\0)+/', '', $str);
318
319 /*
320 * Validate standard character entities
321 *
322 * Add a semicolon if missing. We do this to enable
323 * the conversion of entities to ASCII later.
324 *
325 */
326 $str = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u', "\\1;", $str);
327
328 /*
329 * Validate UTF16 two byte encoding (x00)
330 *
331 * Just as above, adds a semicolon if missing.
332 *
333 */
334 $str = preg_replace('#(&\#x*)([0-9A-F]+);*#iu', "\\1\\2;", $str);
335
336 /*
337 * URL Decode
338 *
339 * Just in case stuff like this is submitted:
340 *
341 * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
342 *
343 * Note: Normally urldecode() would be easier but it removes plus signs
344 *
345 */
346 $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
347 $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
348
349 /*
350 * Convert character entities to ASCII
351 *
352 * This permits our tests below to work reliably.
353 * We only convert entities that are within tags since
354 * these are the ones that will pose security problems.
355 *
356 */
357 if (preg_match_all("/<(.+?)>/si", $str, $matches)) {
358 for ($i = 0; $i < count($matches['0']); $i++) {
359 $str = str_replace(
360 $matches['1'][$i],
361 html_entity_decode($matches['1'][$i], ENT_COMPAT, $charset),
362 $str
363 );
364 }
365 }
366
367 /*
368 * Convert all tabs to spaces
369 *
370 * This prevents strings like this: ja vascript
371 * Note: we deal with spaces between characters later.
372 *
373 */
374 $str = preg_replace("#\t+#", " ", $str);
375
376 /*
377 * Makes PHP tags safe
378 *
379 * Note: XML tags are inadvertently replaced too:
380 *
381 * <?xml
382 *
383 * But it doesn't seem to pose a problem.
384 *
385 */
386 $str = str_replace(array('<?php', '<?PHP', '<?', '?>'), array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
387
388 /*
389 * Compact any exploded words
390 *
391 * This corrects words like: j a v a s c r i p t
392 * These words are compacted back to their correct state.
393 *
394 */
395 $words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
396 foreach ($words as $word) {
397 $temp = '';
398 for ($i = 0; $i < strlen($word); $i++) {
399 $temp .= substr($word, $i, 1)."\s*";
400 }
401
402 $temp = substr($temp, 0, -3);
403 $str = preg_replace('#'.$temp.'#s', $word, $str);
404 $str = preg_replace('#'.ucfirst($temp).'#s', ucfirst($word), $str);
405 }
406
407 /*
408 * Remove disallowed Javascript in links or img tags
409 */
410 $str = preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $str);
411 $str = preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si", "", $str);
412 $str = preg_replace("#<(script|xss).*?\>#si", "", $str);
413
414 /*
415 * Remove JavaScript Event Handlers
416 *
417 * Note: This code is a little blunt. It removes
418 * the event handler and anything up to the closing >,
419 * but it's unlikely to be a problem.
420 *
421 */
422 $str = preg_replace('#(<[^>]+.*?)(onblur|onchange|onclick|onfocus|onload|onmouseover|onmouseup|onmousedown|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU', "\\1>", $str);
423
424 /*
425 * Sanitize naughty HTML elements
426 *
427 * If a tag containing any of the words in the list
428 * below is found, the tag gets converted to entities.
429 *
430 * So this: <blink>
431 * Becomes: &lt;blink&gt;
432 *
433 */
434 $str = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $str);
435
436 /*
437 * Sanitize naughty scripting elements
438 *
439 * Similar to above, only instead of looking for
440 * tags it looks for PHP and JavaScript commands
441 * that are disallowed. Rather than removing the
442 * code, it simply converts the parenthesis to entities
443 * rendering the code un-executable.
444 *
445 * For example: eval('some code')
446 * Becomes: eval&#40;'some code'&#41;
447 *
448 */
449 $str = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);
450
451 /*
452 * Final clean up
453 *
454 * This adds a bit of extra precaution in case
455 * something got through the above filters
456 *
457 */
458
459 $bad = array(
460 'document.cookie' => '',
461 'document.write' => '',
462 'window.location' => '',
463 "javascript\s*:" => '',
464 "Redirect\s+302" => '',
465 '<!--' => '&lt;!--',
466 '-->' => '--&gt;'
467 );
468
469 foreach ($bad as $key => $val) {
470 $str = preg_replace("#".$key."#i", $val, $str);
471 }
472
473 return $str;
474 }
475
476 //-----------------------------------------------------------------------------
477 /**
478 * DISPLAY ERRORS
479 *
480 * @param int $mode - if 1 then echo the string; if 2 then echo the string
481 * @return void
482 */
483 function display_error($mode = 1)
484 {
485 $errstr = ( $this->error ) ? $this->error : '';
486 if ($mode == 1) {
487 echo '<br />' .$this->ft_xss($errstr) . '<br />';
488 } else {
489 return $this->ft_xss($errstr);
490 }
491 }
492
493
494 //-----------------------------------------------------------------------------
495 /**
496 * REAL COMPARASION BETWEEN FLOATS
497 *
498 * 0 - for ==, 1 for r1 > r2, -1 for r1 '<' r2
499 *
500 * @param float $r1
501 * @param float $r2
502 * @return int
503 */
504 function ft_realcmp($r1, $r2)
505 {
506 $diff = $r1 - $r2;
507
508 if (abs($diff) < EPSILON) {
509 return 0;
510 } else {
511 return $diff < 0 ? -1 : 1;
512 }
513 }
514
515
516 //-----------------------------------------------------------------------------
517 } // class
Mirror of official OpenEMR Sourceforge repository