0,0 → 1,119 |
<?php |
/* $Id: grab_globals.lib.php,v 2.27.2.1 2006/04/11 16:33:33 cybot_tm Exp $ */ |
// vim: expandtab sw=4 ts=4 sts=4: |
|
|
/** |
* This library grabs the names and values of the variables sent or posted to a |
* script in the $_* arrays and sets simple globals variables from them. It does |
* the same work for the $PHP_SELF, $HTTP_ACCEPT_LANGUAGE and |
* $HTTP_AUTHORIZATION variables. |
* |
* loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+ |
*/ |
|
/** |
* copy values from one array to another, usally from a superglobal into $GLOBALS |
* |
* @uses $GLOBALS['_import_blacklist'] |
* @uses preg_replace() |
* @uses array_keys() |
* @uses array_unique() |
* @uses stripslashes() |
* @param array $array values from |
* @param array $target values to |
* @param boolean $sanitize prevent importing key names in $_import_blacklist |
*/ |
function PMA_gpc_extract($array, &$target, $sanitize = true) |
{ |
if ( ! is_array($array) ) { |
return false; |
} |
|
if ( $sanitize ) { |
$valid_variables = preg_replace($GLOBALS['_import_blacklist'], '', |
array_keys($array)); |
$valid_variables = array_unique($valid_variables); |
} else { |
$valid_variables = array_keys($array); |
} |
|
foreach ( $valid_variables as $key ) { |
|
if ( strlen($key) === 0 ) { |
continue; |
} |
|
if ( is_array($array[$key]) ) { |
// there could be a variable coming from a cookie of |
// another application, with the same name as this array |
unset( $target[$key] ); |
|
PMA_gpc_extract($array[$key], $target[$key], false); |
} else { |
$target[$key] = $array[$key]; |
} |
} |
return true; |
} |
|
|
/** |
* @var array $_import_blacklist variable names that should NEVER be imported |
* from superglobals |
*/ |
$_import_blacklist = array( |
'/^cfg$/i', // PMA configuration |
'/^server$/i', // selected server |
'/^db$/i', // page to display |
'/^table$/i', // page to display |
'/^goto$/i', // page to display |
'/^back$/i', // the page go back |
'/^lang$/i', // selected language |
'/^convcharset$/i', // PMA convert charset |
'/^collation_connection$/i', // |
'/^set_theme$/i', // |
'/^sql_query$/i', // the query to be executed |
'/^GLOBALS$/i', // the global scope |
'/^str.*$/i', // PMA localized strings |
'/^_.*$/i', // PMA does not use variables starting with _ from extern |
'/^.*\s+.*$/i', // no whitespaces anywhere |
'/^[0-9]+.*$/i', // numeric variable names |
//'/^PMA_.*$/i', // other PMA variables |
); |
|
if ( ! empty( $_GET ) ) { |
PMA_gpc_extract($_GET, $GLOBALS); |
} |
|
if ( ! empty( $_POST ) ) { |
PMA_gpc_extract($_POST, $GLOBALS); |
} |
|
if ( ! empty( $_FILES ) ) { |
foreach ( $_FILES AS $name => $value ) { |
$$name = $value['tmp_name']; |
${$name . '_name'} = $value['name']; |
} |
unset( $name, $value ); |
} |
|
/** |
* globalize some environment variables |
*/ |
$server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION'); |
foreach ( $server_vars as $current ) { |
// its not important HOW we detect html tags |
// its more important to prevent XSS |
// so its not important if we result in an invalid string, |
// its even better than a XSS capable string |
if (PMA_getenv($current) && false === strpos(PMA_getenv($current), '<')) { |
$$current = PMA_getenv($current); |
// already importet by register_globals? |
} elseif ( ! isset( $$current ) || false !== strpos($$current, '<') ) { |
$$current = ''; |
} |
} |
unset($server_vars, $current, $_import_blacklist); |
|
?> |