Changeset 21 for trunk/admin/admin.php

Timestamp:

Mar 1, 2010, 11:22:47 PM (14 years ago)

Author:

roby

Message:

Correzione per gestione accentate nei grafici e sostituita eregi in admin

File:

• trunk/admin/admin.php (modified) (4 diffs)

trunk/admin/admin.php

@@ -71 +71 @@
 
 foreach ($_GET as $sec_key => $secvalue) {
-    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
-        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
-        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
-        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
-        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
-        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
-        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
-        (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
-        (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
-        (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
-        (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
-        (eregi("\"", $secvalue)) ||
-        (eregi("inside_mod", $sec_key))) {
+    if ((preg_match("/<[^>]*script*\"?[^>]*>/i",$secvalue)) ||
+        (preg_match("/<[^>]*object*\"?[^>]*>/i", $secvalue)) ||
+        (preg_match("/<[^>]*iframe*\"?[^>]*>/i", $secvalue)) ||
+        (preg_match("/<[^>]*applet*\"?[^>]*>/i", $secvalue)) ||
+        (preg_match("/<[^>]*meta*\"?[^>]*>/i", $secvalue)) ||
+        (preg_match("/<[^>]*style*\"?[^>]*>/i", $secvalue)) ||
+        (preg_match("/<[^>]*form*\"?[^>]*>/i", $secvalue)) ||
+        (preg_match("/<[^>]*img*\"?[^>]*>/i", $secvalue)) ||
+        (preg_match("/<[^>]*onmouseover*\"?[^>]*>/i", $secvalue)) ||
+        (preg_match("/<[^>]*body*\"?[^>]*>/i", $secvalue)) ||
+        (preg_match("/\([^>]*\"?[^)]*\)/", $secvalue)) ||
+        (preg_match("/\"/", $secvalue)) ||
+        (preg_match("/inside_mod/i", $sec_key))) {
         die ("Operazione non consentita");
      }
@@ -89 +89 @@
 
   foreach ($_POST as $secvalue) {
-    if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
+    if ((preg_match("/<[^>]*onmouseover*\"?[^>]*>/i", $secvalue)) || (preg_match("/<[^>]script*\"?[^>]*>/i", $secvalue)) || (preg_match("/<[^>]*body*\"?[^>]*>/i", $secvalue)) || (preg_match("/<[^>]style*\"?[^>]*>/i", $secvalue))) {
       die ('Operazione non consentita');
     }
@@ -124 +124 @@
                 $dbi=mysql_connect($dbhost, $dbuname, $dbpass) or die("Connessione non riuscita: " . mysql_error());
                 mysql_select_db($dbname)or die("Connessione non riuscita:" . mysql_error());
-                mysql_set_charset('utf8', $dbi);
+#               mysql_set_charset('utf8', $dbi);
+        mysql_query("SET NAMES 'utf8'", $dbi);
 //---10/05/2009  gestione consultazione predefinita
                 $res_config = mysql_query("select * from ".$prefix."_config ",$dbi);
@@ -161 +162 @@
         if (strlen($aid)>25 ) { die ("Nome utente troppo lungo: $aid"); }       
         if (!isset($param['id_ses']) or $param['id_ses'] != session_id()) logout();
-        if (ereg(" ", $aid)) { die ("Gli spazi non sono ammessi nel nome utente: $aid"); }
+        if (strstr( $aid," ")) { die ("Gli spazi non sono ammessi nel nome utente: $aid"); }
         if (isset($_SESSION['aid'])){
                 logout();//se hai gia' una sessione aperta non puoi postare 'aid'