Yoshihisa Fukuhara
higef****@users*****
2005年 12月 23日 (金) 21:29:25 JST
Index: affelio/apps/album/Album.pm
diff -u affelio/apps/album/Album.pm:1.21 affelio/apps/album/Album.pm:1.22
--- affelio/apps/album/Album.pm:1.21 Fri Dec 23 11:55:29 2005
+++ affelio/apps/album/Album.pm Fri Dec 23 21:29:24 2005
@@ -118,11 +118,12 @@
unless ($time) { $time = time; }
my $id = $self->getColumn("SELECT MAX(id) FROM $self->{album_tb}");
- $title = $self->validate($title);
- $user = $self->validate($user);
- $contents = $self->validate($contents);
+ $title = $self->escape($title);
+ $user = $self->escape($user);
+ $contents = $self->escape($contents);
+
+ $self->{dbh}->do("INSERT INTO $self->{album_tb} (title, contents, timestamp, update_time, user, afid, pswd, ord) VALUES ('$title', '$contents', $time, $time, '$user', '$afid', '', '')");
- $self->{dbh}->do("INSERT INTO $self->{album_tb} (title, contents, timestamp, update_time, user, afid, pswd, ord) VALUES ($title, $contents, $time, $time, $user, '$afid', '', '')");
$id = $self->getColumn("SELECT MAX(id) FROM $self->{album_tb}");
my $data_dir=$self->{afap}->get_userdata_dir()."/";
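Review bot: The single-quoted literals on L18 are only as safe as the HTML-oriented `escape` makes them: a quote becomes `&quot;`, but a backslash passes through untouched, and `$afid` is interpolated without going through `escape` at all, so the INSERT is still assembled by string interpolation. DBI placeholders remove the dependence on the escaping function entirely: `$self->{dbh}->do("INSERT INTO $self->{album_tb} (title, contents, timestamp, update_time, user, afid, pswd, ord) VALUES (?, ?, ?, ?, ?, ?, '', '')", undef, $title, $contents, $time, $time, $user, $afid);`. The same applies to the statements on L42–L48, L60, L74, L81 and L94–L97. A side effect worth a comment at the top of this sub is that the values stored in the table are now HTML-escaped rather than raw. The enclosing sub begins before this hunk.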
@@ -135,7 +136,7 @@
mkdir $data_dir, 0777;
}
- $self->{afap}->post_news('$title', "", '$user',
+ $self->{afap}->post_news($title, "", $user,
$self->{afap}->get_site_info("web_root") . "/apps/".
$self->{afap}->{install_name} . "/album.cgi?id=".$id);
}
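Review bot: `$title` and `$user` passed to post_news on L26 are the HTML-escaped copies produced on L14–L15, not the raw values; if post_news escapes its arguments itself the title will be double-encoded in the news entry, and if it does not, it now silently depends on this caller having escaped. Whichever is intended, a comment such as `# $title/$user are already HTML-escaped by escape() above` would make the contract explicit. The enclosing sub starts outside this hunk.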
@@ -148,16 +149,16 @@
my ($self, $id, $title, $user, $afid, $comment, $image) = @_;
my $time = time;
- $title = $self->validate($title);
- $comment = $self->validate($comment);
- $image = $self->validate($image);
- $user = $self->validate($user);
+ $title = $self->escape($title);
+ $comment = $self->escape($comment);
+ $image = $self->escape($image);
+ $user = $self->escape($user);
- my @same = $self->getall("SELECT id FROM $self->{image_tb} WHERE id = $id AND image = $image");
+ my @same = $self->getall("SELECT id FROM $self->{image_tb} WHERE id = $id AND image = '$image'");
if($#same > 0) {
- $self->{dbh}->do("UPDATE $self->{image_tb} SET title = $title, comment=$comment, user=$user, afid='$afid', time=$time WHERE id = $id AND image=$image");
+ $self->{dbh}->do("UPDATE $self->{image_tb} SET title = '$title', comment='$comment', user='$user', afid='$afid', time=$time WHERE id = $id AND image='$image'");
}else{
- $self->{dbh}->do("INSERT INTO $self->{image_tb} (id, image, title, user, afid, comment, pswd, timestamp) VALUES ($id, $image, $title, $user, '$afid', $comment, '', $time)");
+ $self->{dbh}->do("INSERT INTO $self->{image_tb} (id, image, title, user, afid, comment, pswd, timestamp) VALUES ($id, '$image', '$title', '$user', '$afid', '$comment', '', $time)");
}
}
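Review bot: `$id` is interpolated unquoted into the SELECT on L42 and the UPDATE/INSERT on L45 and L48 without any validation, even though the new `escape` gains an `'int'` mode (L118–L119) that this commit never calls. Adding `$id = $self->escape($id, 'int');` after L32 (or, better, placeholders) would close that gap; updateEntry (L60), updateImage (L74), checkImagefile (L81) and addComment (L97) interpolate `$id` the same way. Separately, the context line L43 tests `$#same > 0`, which takes the UPDATE path only when two or more rows match, whereas addComment on L95 uses `>= 0`; with exactly one existing row this inserts a duplicate, which is probably not intended. The sub's `sub` line is outside the hunk.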
@@ -169,10 +170,10 @@
sub updateEntry {
my ($self, $id, $title, $contents) = @_;
- $title = $self->validate($title);
- $contents = $self->validate($contents);
+ $title = $self->escape($title);
+ $contents = $self->escape($contents);
my $time = time;
- $self->{dbh}->do("UPDATE $self->{album_tb} SET title = $title, contents = $contents, update_time=$time WHERE id = $id");
+ $self->{dbh}->do("UPDATE $self->{album_tb} SET title = '$title', contents = '$contents', update_time=$time WHERE id = $id");
}
##############################################
@@ -181,11 +182,11 @@
sub updateImage {
my ($self, $id, $title, $comment, $image) = @_;
- $title = $self->validate($title);
- $comment = $self->validate($comment);
- $image = $self->validate($image);
+ $title = $self->escape($title);
+ $comment = $self->escape($comment);
+ $image = $self->escape($image);
my $time = time;
- $self->{dbh}->do("UPDATE $self->{image_tb} SET title = $title, comment = $comment WHERE id = $id AND image=$image");
+ $self->{dbh}->do("UPDATE $self->{image_tb} SET title = '$title', comment = '$comment' WHERE id = $id AND image='$image'");
}
##############################################
@@ -279,6 +280,7 @@
sub checkImagefile {
my ($self, $id, $image) = @_;
+ $image = escape($image);
my @ret = $self->getall("SELECT * FROM $self->{image_tb} WHERE id = $id AND image='$image'");
return $ret[0];
}
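Review bot: L80 calls `escape($image)` as a plain function rather than a method, so `$image` is bound to `$self` and `$str` is undef; the query on L81 then runs against an effectively empty image name with uninitialized-value warnings. Every other caller in this commit uses the method form, so this should be `$image = $self->escape($image);`. `$id` is still interpolated unvalidated on L81.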
@@ -320,14 +322,14 @@
sub addComment {
my ($self, $id, $user, $afid, $comment) = @_;
my $time = time;
- $user = $self->validate($user);
- $comment = $self->validate($comment);
+ $user = $self->escape($user);
+ $comment = $self->escape($comment);
#
- my @same = $self->getall("SELECT id FROM $self->{comment_tb} WHERE user = $user AND comment = $comment");
+ my @same = $self->getall("SELECT id FROM $self->{comment_tb} WHERE user = '$user' AND comment = '$comment'");
if($#same >= 0) { return; }
- $self->{dbh}->do("INSERT INTO $self->{comment_tb} (id, user, afid, comment, pswd, timestamp) VALUES ($id, $user, '$afid', $comment, '', $time)");
+ $self->{dbh}->do("INSERT INTO $self->{comment_tb} (id, user, afid, comment, pswd, timestamp) VALUES ($id, '$user', '$afid', '$comment', '', $time)");
}
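Review bot: The duplicate check on L94 matches on user and comment only, with no `id = $id` term, so the same comment text from the same user on any other album is silently discarded by the `return` on L95; if the check is meant to stop double posts on one album it should be `WHERE id = $id AND user = '$user' AND comment = '$comment'`. Like the other statements in this commit, both queries rely on the HTML-style `escape` for quoting and interpolate `$id` unvalidated; placeholders would be the robust form.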
@@ -385,9 +387,9 @@
}
##############################################
-# validate
+# escape
##############################################
-sub validate {
+sub escape {
my ($self, $str) = @_;
$str =~ s/[\t\a]//g;
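Review bot: Renaming `validate` to `escape` on L106 leaves the file with two `sub escape` definitions once the new one at L115 is added; Perl keeps whichever is compiled last (the L115 version, which appears later in the file) and emits a `Subroutine escape redefined` warning when warnings are enabled. One of the two should go — every caller changed in this commit passes a single argument, which both versions accept, so the rename here looks redundant with the new implementation. The body of this sub continues beyond the hunk.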
@@ -478,6 +480,49 @@
exit;
}
+##############################################
+# escape
+##############################################
+sub escape {
+ my ($self, $str, $type) = @_;
+
+ if ($type eq 'int') {
+ return int($str);
+ }
+ else {
+ $str =~ s/[\t\a]//g;
+ $str =~ s/&/&/g;
+ $str =~ s/["']/"/g;
+ $str =~ s/</</g;
+ $str =~ s/>/>/g;
+ $str =~ s/<(\/?)(a|p|i|b|big|strong|small|em|u|blockquote)>/<$1$2>/ig;
+ $str =~ s/<a +href=(")?(s?https?:\/\/[-_.!~*'()a-zA-Z0-9;\/?:\@&=+\$,%#]+) *(&quo\
+t;)? *>/<a href="$2">/ig;
+ $str =~ s/""/"/g;
+ $str =~ s/(\r\n|\r|\n)/<br \/>/g;
+
+ while ($str =~ /(<(a|p|i|b|big|strong|small|em|u|blockquote)\b(?:(?!<\/\2>).)*(?:<\2>|$))\
+/sigx) {
+ $self->errorExit("Error: You may mistype a tag or forget to close it.");
+ }
+ }
+
+ return $str;
+}
+
+sub escape_all {
+ my ($self, $str) = @_;
+
+ $str =~ s/[\t\a]//g;
+ $str =~ s/&/&/g;
+ $str =~ s/['"]/"/g;
+ $str =~ s/</</g;
+ $str =~ s/>/>/g;
+ $str =~ s/(\r\n|\r|\n)/<br \/>/g;
+
+ return $str;
+}
+
1;
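Review bot: Every caller in this commit invokes `escape` with one argument, so `$type` is undef on L118 and `$type eq 'int'` raises an uninitialized-value warning on each call when warnings are on; `if (defined $type && $type eq 'int')` avoids that. The `while` on L133 only terminates because `errorExit` presumably does not return (the `exit;` on L110 suggests so); an `if` would state that intent without depending on it. The replacement strings on L123–L126, L130 and L146–L149 read as literal `&`, `"`, `<`, `>` in this listing, which looks like entity decoding by the mail archive rather than the committed text, but is worth confirming against the repository. A header comment on both subs saying that they produce HTML with a small tag allowlist (L127–L128) and are not a database quoting function would prevent them being reused as one.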