Cleaning PHP (eew)

2015-04-09 10:00:15 +02:00 · 2015-04-09 10:00:15 +02:00 · 0bbd0fb44a
parent 5c9390da90
commit 0bbd0fb44a
3 changed files with 41 additions and 26 deletions
--- a/stream/index.php
+++ b/stream/index.php
@ -21,31 +21,7 @@
        <script src="/js/CameraContainer.js"></script>
        <script src="/js/Tools.js"></script>
        <script src="/js/ProgressiveSphere.js"></script>
-        <?php
-            // Set global variables
-            $default = 5;
-            $res = null;
-            try
-            {
-                if (isset($_GET['res']))
-                {
-                    $res = intval($_GET['res']);
-                    if ($res < 1 || $res > 25)
-                    {
-                        throw new Exception('Variable res not set');
-                    }
-                }
-                else
-                {
-                    throw new Exception('Variable res not set');
-                }
-            }
-            catch (Exception $e)
-            {
-                $res = $default;
-            }
-            echo "<script>var global_array = {res: " . $res . "};</script>\n";
-        ?>
+        <script src="js/Params.js.php?<?php echo htmlentities($_SERVER['QUERY_STRING']); ?>"></script>
        <script src="js/main.js"></script>
    </body>
 </html>
--- a/stream/js/Params.js.php
+++ b/stream/js/Params.js.php
@ -0,0 +1,39 @@
+<?php
+
+    // This file will generate a js script
+    header("Content-Type: text/javascript");
+
+    echo "params = {};\n";
+    echo "params.get = {};\n";
+    echo "params.post = {};\n";
+
+    // Next part is to check the value of the parameters
+    // All this is necessary, we must be sure that res is a number before
+    // generating js code, otherwise, a malicious user might inject js code
+    // For example, if we simply did
+    // echo "params.get.res = " . $_GET['res'] . ";\n";
+    // One could inject a js alert by going to
+    // http://localhost/stream?res=3;alert('toto')
+
+    // Default value, will be applied if the res variable is not correct
+    $default = 5;
+    $res = null;
+
+    try
+    {
+        // Cast res to an int and check if it's in the bounds
+        // res will be 0 if filter_var returns false
+        $res = intval(filter_var($_GET['res'], FILTER_VALIDATE_INT));
+        if ($res < 1 || $res > 25)
+        {
+            throw new Exception('Variable res not set');
+        }
+    }
+    catch (Exception $e)
+    {
+        // If an exception occur, let's just set the default value
+        $res = $default;
+    }
+
+    // And finally, generate a correct js code with no possible injection
+    echo "params.get.res = " . $res . ";\n";
--- a/stream/js/main.js
+++ b/stream/js/main.js
@ -46,7 +46,7 @@ function init() {

    // Load the scene
    loader = new THREE.OBJLoader();
-    sphere = new ProgessiveSphere(loader, global_array.res);
+    sphere = new ProgessiveSphere(loader, params.get.res);

    plane = new Plane(1000,1000);
    plane.translate(0,0,-100);