Cleaning PHP (eew)

Thomas FORGIONE 2015-04-09 10:00:15 +02:00
parent 5c9390da90
commit 0bbd0fb44a
3 changed files with 41 additions and 26 deletions


@ -21,31 +21,7 @@
<script src="/js/CameraContainer.js"></script> <script src="/js/CameraContainer.js"></script>
<script src="/js/Tools.js"></script> <script src="/js/Tools.js"></script>
<script src="/js/ProgressiveSphere.js"></script> <script src="/js/ProgressiveSphere.js"></script>
<?php <script src="js/Params.js.php?<?php echo htmlentities($_SERVER['QUERY_STRING']); ?>"></script>
// Set global variables
$default = 5;
$res = null;
try
{
if (isset($_GET['res']))
{
$res = intval($_GET['res']);
if ($res < 1 || $res > 25)
{
throw new Exception('Variable res not set');
}
}
else
{
throw new Exception('Variable res not set');
}
}
catch (Exception $e)
{
$res = $default;
}
echo "<script>var global_array = {res: " . $res . "};</script>\n";
?>
<script src="js/main.js"></script> <script src="js/main.js"></script>
</body> </body>
</html> </html>
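Review bot: The added `<script src="js/Params.js.php?...">` line copies the whole of `$_SERVER['QUERY_STRING']` into an HTML attribute and relies on the default flags and charset of `htmlentities()`, which differ between PHP versions. The double-quoted attribute is covered by the older default (`ENT_COMPAT`), but the escaping should not depend on the runtime; I would write `htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES, 'UTF-8')`. Since Params.js.php only reads `res`, forwarding just that parameter would also stop arbitrary query parameters from reaching the generated script URL. A one-line comment above the tag saying that the query string is attacker-controlled and is escaped for the attribute context would help the next reader.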

39
stream/js/Params.js.php Normal file

@ -0,0 +1,39 @@
<?php
// This file will generate a js script
header("Content-Type: text/javascript");
echo "params = {};\n";
echo "params.get = {};\n";
echo "params.post = {};\n";
// Next part is to check the value of the parameters
// All this is necessary, we must be sure that res is a number before
// generating js code, otherwise, a malicious user might inject js code
// For example, if we simply did
// echo "params.get.res = " . $_GET['res'] . ";\n";
// One could inject a js alert by going to
// http://localhost/stream?res=3;alert('toto')
// Default value, will be applied if the res variable is not correct
$default = 5;
$res = null;
try
{
// Cast res to an int and check if it's in the bounds
// res will be 0 if filter_var returns false
$res = intval(filter_var($_GET['res'], FILTER_VALIDATE_INT));
if ($res < 1 || $res > 25)
{
throw new Exception('Variable res not set');
}
}
catch (Exception $e)
{
// If an exception occur, let's just set the default value
$res = $default;
}
// And finally, generate a correct js code with no possible injection
echo "params.get.res = " . $res . ";\n";
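Review bot: `$_GET['res']` is read on the `filter_var` line without the `isset()` guard that the removed inline code had, so a request without `res` raises an undefined-index notice. If notices are displayed, that text is written into the generated JavaScript and breaks the script before `params.get.res` is assigned. `filter_input()` with `min_range`/`max_range` handles the absent, non-integer and out-of-range cases in one call, which also removes the try/catch used as control flow and the misleading 'Variable res not set' message for out-of-range values. The integer-only output is what keeps the final `echo` injection-safe, so the comment there should say that `$res` is always an int at that point.

```php
// … unchanged: header() call and params / params.get / params.post setup …
$default = 5;
// filter_input() returns null when res is absent and false when it is not an
// integer within [1, 25]; $_GET is never indexed directly, so no notice is raised.
$res = filter_input(INPUT_GET, 'res', FILTER_VALIDATE_INT, array(
    'options' => array('min_range' => 1, 'max_range' => 25),
));
if (!is_int($res)) {
    $res = $default;
}
// … unchanged: echo of params.get.res …
```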


@ -46,7 +46,7 @@ function init() {
// Load the scene // Load the scene
loader = new THREE.OBJLoader(); loader = new THREE.OBJLoader();
sphere = new ProgessiveSphere(loader, global_array.res); sphere = new ProgessiveSphere(loader, params.get.res);
plane = new Plane(1000,1000); plane = new Plane(1000,1000);
plane.translate(0,0,-100); plane.translate(0,0,-100);