From 52446c8327426c59da74257885fd09591c9e1fb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gae=CC=88tan=20Muller?=
Date: Tue, 3 Feb 2015 20:56:48 +0100
Subject: [ticket/13455] Remove `request_var()` references from comments PHPBB3-13455
---
 phpBB/phpbb/request/deactivated_super_global.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb/request')
diff --git a/phpBB/phpbb/request/deactivated_super_global.php b/phpBB/phpbb/request/deactivated_super_global.php
index b6cad59be4..ab56240b14 100644
--- a/phpBB/phpbb/request/deactivated_super_global.php
+++ b/phpBB/phpbb/request/deactivated_super_global.php
@@ -56,7 +56,7 @@ class deactivated_super_global implements \ArrayAccess, \Countable, \IteratorAgg
 $file = '';
 $line = 0;
- $message = 'Illegal use of $' . $this->name . '. You must use the request class or request_var() to access input data. Found in %s on line %d. This error message was generated by deactivated_super_global.';
+ $message = 'Illegal use of $' . $this->name . '. You must use the request class to access input data. Found in %s on line %d. This error message was generated by deactivated_super_global.';
 $backtrace = debug_backtrace();
 if (isset($backtrace[1]))
--
cgit v1.2.1
From 7a6a16e3a52128179a4f518958f22e773dd94084 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Sat, 5 Dec 2015 13:45:16 +0100
Subject: [ticket/13454] Remove unused variables This is part 5 and there is more to come. PHPBB3-13454
---
 phpBB/phpbb/request/type_cast_helper.php | 1 -
 1 file changed, 1 deletion(-) (limited to 'phpBB/phpbb/request')
diff --git a/phpBB/phpbb/request/type_cast_helper.php b/phpBB/phpbb/request/type_cast_helper.php
index bc654e6182..96e66950ca 100644
--- a/phpBB/phpbb/request/type_cast_helper.php
+++ b/phpBB/phpbb/request/type_cast_helper.php
@@ -172,7 +172,6 @@ class type_cast_helper implements \phpbb\request\type_cast_helper_interface
 }
 list($default_key, $default_value) = each($default);
- $value_type = gettype($default_value);
 $key_type = gettype($default_key);
 $_var = $var;
--
cgit v1.2.1
From 9aa017d0f7ce13a11114cbae24b694e935931342 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Fri, 25 Nov 2016 22:15:13 +0100
Subject: [ticket/14875] Add method for raw input to request and add to installer A method for retrieving raw input has been added to the request class. This will be used in the installer to retrieve the datatabase password while also allowing utf8 characters. Not escaping the input is ok in this case as it won't be put anywhere in this raw form and only be used to populate the entry for the password field in config.php. PHPBB3-14875
---
 phpBB/phpbb/request/request.php | 62 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+) (limited to 'phpBB/phpbb/request')
diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php
index 4cac6fbaea..318d9f66f9 100644
--- a/phpBB/phpbb/request/request.php
+++ b/phpBB/phpbb/request/request.php
@@ -224,6 +224,68 @@ class request implements \phpbb\request\request_interface
 return $this->_variable($var_name, $default, $multibyte, $super_global, false);
 }
+ /**
+ * Get a variable without trimming strings and without escaping.
+ * This method MUST NOT be used with queries.
+ * Same functionality as variable(), except does not run trim() on strings
+ * and does not escape input.
+ * This method should only be used when the raw input is needed without
+ * any escaping, i.e. for database password during the installation.
+ *
+ * @param string|array $var_name The form variable's name from which data shall be retrieved.
+ * If the value is an array this may be an array of indizes which will give
+ * direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
+ * then specifying array("var", 1) as the name will return "a".
+ * @param mixed $default A default value that is returned if the variable was not set.
+ * This function will always return a value of the same type as the default.
+ * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
+ * Specifies which super global should be used
+ *
+ * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
+ * the same as that of $default. If the variable is not set $default is returned.
+ */
+ public function raw_variable($var_name, $default, $super_global = \phpbb\request\request_interface::REQUEST)
+ {
+ $path = false;
+
+ // deep direct access to multi dimensional arrays
+ if (is_array($var_name))
+ {
+ $path = $var_name;
+ // make sure at least the variable name is specified
+ if (empty($path))
+ {
+ return (is_array($default)) ? array() : $default;
+ }
+ // the variable name is the first element on the path
+ $var_name = array_shift($path);
+ }
+
+ if (!isset($this->input[$super_global][$var_name]))
+ {
+ return (is_array($default)) ? array() : $default;
+ }
+ $var = $this->input[$super_global][$var_name];
+
+ if ($path)
+ {
+ // walk through the array structure and find the element we are looking for
+ foreach ($path as $key)
+ {
+ if (is_array($var) && isset($var[$key]))
+ {
+ $var = $var[$key];
+ }
+ else
+ {
+ return (is_array($default)) ? array() : $default;
+ }
+ }
+ }
+
+ return $var;
+ }
+
 /**
 * Shortcut method to retrieve SERVER variables.
 *
--
cgit v1.2.1
From 08bf8812d3bc7c22671e7e0dc88a0e99fcf403d7 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Fri, 25 Nov 2016 22:51:29 +0100
Subject: [ticket/14875] Use raw_variable() method in _variable() to get raw data The raw_variable() method uses the same exact code the _variable method has been using until now. PHPBB3-14875
---
 phpBB/phpbb/request/request.php | 39 ++++++---------------------------------
 1 file changed, 6 insertions(+), 33 deletions(-) (limited to 'phpBB/phpbb/request')
diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php
index 318d9f66f9..0d9ffa1780 100644
--- a/phpBB/phpbb/request/request.php
+++ b/phpBB/phpbb/request/request.php
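Review bot: The docblock on the new `raw_variable()` in request.php promises a value "run through set_var" and "of the same type as the default", but the method body ends in a bare `return $var;` with no cast, so a caller that passes a string default can get an array back when the request supplies that field as an array. For the stated use (the installer's database password) the caller therefore has to check the type itself before writing the value anywhere. I would replace the `@return` text with `@return mixed The raw, uncast input value; its type is whatever the request supplied and may differ from that of $default. $default (or array() for an array default) is returned if the variable is not set.` and drop the "will always return a value of the same type as the default" sentence from `@param $default`. The same docblock is moved unchanged into request_interface.php by the later "Move raw_variable() method to request_interface" commit, so the correction applies to that hunk as well.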
@@ -431,41 +431,14 @@ class request implements \phpbb\request\request_interface
 */
 protected function _variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST, $trim = true)
 {
- $path = false;
-
- // deep direct access to multi dimensional arrays
- if (is_array($var_name))
- {
- $path = $var_name;
- // make sure at least the variable name is specified
- if (empty($path))
- {
- return (is_array($default)) ? array() : $default;
- }
- // the variable name is the first element on the path
- $var_name = array_shift($path);
- }
-
- if (!isset($this->input[$super_global][$var_name]))
- {
- return (is_array($default)) ? array() : $default;
- }
- $var = $this->input[$super_global][$var_name];
+ $var = $this->raw_variable($var_name, $default, $super_global);
- if ($path)
+ // Return prematurely if raw variable is empty array or the same as
+ // the default. Using strict comparison to ensure that one can't
+ // prevent proper type checking on any input variable
+ if ($var === array() || $var === $default)
 {
- // walk through the array structure and find the element we are looking for
- foreach ($path as $key)
- {
- if (is_array($var) && isset($var[$key]))
- {
- $var = $var[$key];
- }
- else
- {
- return (is_array($default)) ? array() : $default;
- }
- }
+ return $var;
 }
 $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $trim);
--
cgit v1.2.1
From 9bdd002f584de78475362067b777749486504172 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Fri, 2 Dec 2016 11:36:07 +0100
Subject: [ticket/14875] Move raw_variable() method to request_interface PHPBB3-14875
---
 phpBB/phpbb/request/request.php | 19 +------------------
 phpBB/phpbb/request/request_interface.php | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 18 deletions(-) (limited to 'phpBB/phpbb/request')
diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php
index 0d9ffa1780..92d4213180 100644
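Review bot: The early return added to `_variable()` accepts `$var === array()` whatever the type of `$default`, so an empty array that reaches `$this->input` would be handed back to a caller that asked for a scalar, skipping `recursive_set_var()` and with it the same-type guarantee that `variable()` documents. Whether an empty array can actually get there is not visible in this hunk, so this is a hardening point rather than a confirmed bug; I would tie the shortcut to the case it is meant for with `if ($var === $default || (is_array($default) && $var === array()))`. It is also worth a comment that the strict `$var === $default` branch returns a submitted value identical to the default without trimming or escaping, since the code can no longer tell "not set" from "set to the default".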
--- a/phpBB/phpbb/request/request.php
+++ b/phpBB/phpbb/request/request.php
@@ -225,24 +225,7 @@ class request implements \phpbb\request\request_interface
 }
 /**
- * Get a variable without trimming strings and without escaping.
- * This method MUST NOT be used with queries.
- * Same functionality as variable(), except does not run trim() on strings
- * and does not escape input.
- * This method should only be used when the raw input is needed without
- * any escaping, i.e. for database password during the installation.
- *
- * @param string|array $var_name The form variable's name from which data shall be retrieved.
- * If the value is an array this may be an array of indizes which will give
- * direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
- * then specifying array("var", 1) as the name will return "a".
- * @param mixed $default A default value that is returned if the variable was not set.
- * This function will always return a value of the same type as the default.
- * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
- * Specifies which super global should be used
- *
- * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
- * the same as that of $default. If the variable is not set $default is returned.
+ * {@inheritdoc}
 */
 public function raw_variable($var_name, $default, $super_global = \phpbb\request\request_interface::REQUEST)
 {
diff --git a/phpBB/phpbb/request/request_interface.php b/phpBB/phpbb/request/request_interface.php
index 47b3b3a4ed..3bfa8bb424 100644
--- a/phpBB/phpbb/request/request_interface.php
+++ b/phpBB/phpbb/request/request_interface.php
@@ -64,6 +64,28 @@ interface request_interface
 */
 public function variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST);
+ /**
+ * Get a variable without trimming strings and without escaping.
+ * This method MUST NOT be used with queries.
+ * Same functionality as variable(), except does not run trim() on strings
+ * and does not escape input.
+ * This method should only be used when the raw input is needed without
+ * any escaping, i.e. for database password during the installation.
+ *
+ * @param string|array $var_name The form variable's name from which data shall be retrieved.
+ * If the value is an array this may be an array of indizes which will give
+ * direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
+ * then specifying array("var", 1) as the name will return "a".
+ * @param mixed $default A default value that is returned if the variable was not set.
+ * This function will always return a value of the same type as the default.
+ * @param \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE $super_global
+ * Specifies which super global should be used
+ *
+ * @return mixed The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
+ * the same as that of $default. If the variable is not set $default is returned.
+ */
+ public function raw_variable($var_name, $default, $super_global = \phpbb\request\request_interface::REQUEST);
+
 /**
 * Shortcut method to retrieve SERVER variables.
 *
--
cgit v1.2.1
From 8eb48e281287646bb186f831e4f076f4557a14a9 Mon Sep 17 00:00:00 2001
From: Jakub Senko
Date: Thu, 6 Sep 2018 14:15:08 +0200
Subject: [ticket/15742] Remove get_magic_quotes_gpc() call PHPBB3-15742
---
 phpBB/phpbb/request/request.php | 2 --
 phpBB/phpbb/request/type_cast_helper.php | 37 ----------------------
 phpBB/phpbb/request/type_cast_helper_interface.php | 7 ----
 3 files changed, 46 deletions(-) (limited to 'phpBB/phpbb/request')
diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php
index 00be8fd381..a0267d1370 100644
--- a/phpBB/phpbb/request/request.php
+++ b/phpBB/phpbb/request/request.php
@@ -150,8 +150,6 @@ class request implements \phpbb\request\request_interface
 return;
 }
- $this->type_cast_helper->add_magic_quotes($value);
-
 // setting to null means unsetting
 if ($value === null)
 {
diff --git a/phpBB/phpbb/request/type_cast_helper.php b/phpBB/phpbb/request/type_cast_helper.php
index 96e66950ca..1a53206c74 100644
--- a/phpBB/phpbb/request/type_cast_helper.php
+++ b/phpBB/phpbb/request/type_cast_helper.php
@@ -18,28 +18,6 @@ namespace phpbb\request;
 */
 class type_cast_helper implements \phpbb\request\type_cast_helper_interface
 {
-
- /**
- * @var string Whether slashes need to be stripped from input
- */
- protected $strip;
-
- /**
- * Initialises the type cast helper class.
- * All it does is find out whether magic quotes are turned on.
- */
- public function __construct()
- {
- if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
- {
- $this->strip = false;
- }
- else
- {
- $this->strip = (@get_magic_quotes_gpc()) ? true : false;
- }
- }
-
 /**
 * Recursively applies addslashes to a variable.
 *
@@ -68,19 +46,6 @@ class type_cast_helper implements \phpbb\request\type_cast_helper_interface
 }
 }
- /**
- * Recursively applies addslashes to a variable if magic quotes are turned on.
- *
- * @param mixed &$var Variable passed by reference to which slashes will be added.
- */
- public function add_magic_quotes(&$var)
- {
- if ($this->strip)
- {
- $this->addslashes_recursively($var);
- }
- }
-
 /**
 * Set variable $result to a particular type.
 *
@@ -129,8 +94,6 @@ class type_cast_helper implements \phpbb\request\type_cast_helper_interface
 $result = preg_replace('/[\x80-\xFF]/', '?', $result);
 }
 }
-
- $result = ($this->strip) ? stripslashes($result) : $result;
 }
 }
diff --git a/phpBB/phpbb/request/type_cast_helper_interface.php b/phpBB/phpbb/request/type_cast_helper_interface.php
index 2cb28d021f..e22712dc0c 100644
--- a/phpBB/phpbb/request/type_cast_helper_interface.php
+++ b/phpBB/phpbb/request/type_cast_helper_interface.php
@@ -25,13 +25,6 @@ interface type_cast_helper_interface
 */
 public function addslashes_recursively(&$var);
- /**
- * Recursively applies addslashes to a variable if magic quotes are turned on.
- *
- * @param mixed &$var Variable passed by reference to which slashes will be added.
- */
- public function add_magic_quotes(&$var);
-
 /**
 * Set variable $result to a particular type.
 *
--
cgit v1.2.1
From 89d1401a77f7a2f9ee067b90efa975e21363e914 Mon Sep 17 00:00:00 2001
From: Jakub Senko
Date: Thu, 13 Sep 2018 18:47:14 +0200
Subject: [ticket/15742] Remove addslashes_recursively() PHPBB3-15742
---
 phpBB/phpbb/request/type_cast_helper.php | 28 ----------------------
 phpBB/phpbb/request/type_cast_helper_interface.php | 7 ------
 2 files changed, 35 deletions(-) (limited to 'phpBB/phpbb/request')
diff --git a/phpBB/phpbb/request/type_cast_helper.php b/phpBB/phpbb/request/type_cast_helper.php
index 1a53206c74..912494998d 100644
--- a/phpBB/phpbb/request/type_cast_helper.php
+++ b/phpBB/phpbb/request/type_cast_helper.php
@@ -18,34 +18,6 @@ namespace phpbb\request;
 */
 class type_cast_helper implements \phpbb\request\type_cast_helper_interface
 {
- /**
- * Recursively applies addslashes to a variable.
- *
- * @param mixed &$var Variable passed by reference to which slashes will be added.
- */
- public function addslashes_recursively(&$var)
- {
- if (is_string($var))
- {
- $var = addslashes($var);
- }
- else if (is_array($var))
- {
- $var_copy = $var;
- $var = array();
- foreach ($var_copy as $key => $value)
- {
- if (is_string($key))
- {
- $key = addslashes($key);
- }
- $var[$key] = $value;
-
- $this->addslashes_recursively($var[$key]);
- }
- }
- }
-
 /**
 * Set variable $result to a particular type.
 *
diff --git a/phpBB/phpbb/request/type_cast_helper_interface.php b/phpBB/phpbb/request/type_cast_helper_interface.php
index e22712dc0c..9671573bf1 100644
--- a/phpBB/phpbb/request/type_cast_helper_interface.php
+++ b/phpBB/phpbb/request/type_cast_helper_interface.php
@@ -18,13 +18,6 @@ namespace phpbb\request;
 */
 interface type_cast_helper_interface
 {
- /**
- * Recursively applies addslashes to a variable.
- *
- * @param mixed &$var Variable passed by reference to which slashes will be added.
- */
- public function addslashes_recursively(&$var);
-
 /**
 * Set variable $result to a particular type.
 *
--
cgit v1.2.1