-rw-r--r--food_search.php11
-rw-r--r--lib/standard.lib.php48
2 files changed, 40 insertions, 19 deletions
diff --git a/food_search.php b/food_search.php
index 73bba79..517a930 100644
--- a/food_search.php
+++ b/food_search.php
@@ -12,18 +12,20 @@
# and libraries are included
require("config.php");
-# don't go any farther if the user didn't enter any search string
+# Don't go any farther if the user didn't enter any search string
# as such a query could return thousands and thousands of records
# and be more or less useless and a resource killer ... there is already
# javascript validation on this field, but this is here as a safety net
$searchString = trim($_REQUEST['searchString']);
if ( empty($searchString) ) {
+ print_r($_REQUEST); exit;
$_SESSION['systemMsg'] = "<span class='msgError'>Please enter at least one search word.</span>";
header("Location: {$config->_rootUri}/");
exit;
}
-# let's implement the PRG (Post->Redirect->Get) method here so that
+
+# Let's implement the PRG (Post->Redirect->Get) method here so that
# users can use the back button freely without browser warnings
if ( isset($_POST['doSearch']) ) {
# build the query string
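Review bot: The `print_r($_REQUEST); exit;` added at the top of the empty-search branch reads as a leftover debug statement: it dumps every request parameter (and, depending on `request_order`, cookies) into the response and exits before the `$_SESSION['systemMsg']` assignment and the `header("Location: ...")` redirect below it can run, so the validation path now leaks request data and never redirects the user. It should be removed, leaving the session message, redirect and `exit` as they were. The line above it also indexes `$_REQUEST['searchString']` without checking that the key exists, which emits an undefined-index notice on a bare request; `$searchString = isset($_REQUEST['searchString']) ? trim($_REQUEST['searchString']) : '';` keeps the `empty()` guard working without the notice.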
@@ -50,9 +52,8 @@ if (
exit;
}
-# trim search string of any whitespace
-$searchString = trim($_GET['searchString']);
-
+# Sanitize $searchString
+$searchString = sanitizeUserInput($_GET['searchString']);
# assign the vars to the smarty template
# these will simply be used to remind the user of how they searched
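Review bot: Replacing `trim($_GET['searchString'])` with `sanitizeUserInput(...)` HTML-encodes the search term at input time, which is the wrong layer for output escaping: if `$searchString` is later interpolated into the search SQL or handed to Smarty with its own escaping (the rest of this file is outside the hunk), the encoded value changes search results for terms containing `&`, `<`, `>` or `"` (`&` becomes `&amp;` before it reaches the query) and double-encodes in the template, while doing nothing against SQL injection. Keep the raw trimmed value for the query and encode only the copy handed to the template, e.g. `$searchString = trim($_GET['searchString']); $searchStringHtml = sanitizeUserInput($searchString);`, or leave encoding to the template's `escape` modifier at output. If the search query is built with string interpolation rather than bound parameters, that is the fix that actually matters here and this change should not be read as covering it.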
diff --git a/lib/standard.lib.php b/lib/standard.lib.php
index 503052e..e338f67 100644
--- a/lib/standard.lib.php
+++ b/lib/standard.lib.php
@@ -1,8 +1,10 @@
<?php
-# this function will simply initialize a variable to
-# an empty string unless it already has a value, in
-# which case it will simply return the existing value
+/**
+ * This function will simply initialize a variable to
+ * an empty string unless it already has a value, in
+ * which case it will simply return the existing value
+ */
function initVar($var) {
$var = empty($var) ? "" : $var;
@@ -10,13 +12,15 @@ function initVar($var) {
}
-# this function will initialize a variable to an empty
-# string unless it already has a value, in which case
-# it will simply return the existing value ... the only
-# diff. between this function and initVar() is that this
-# fuction encodes HTML special characters and then echos
-# the variable ... useful for initializing and printing
-# a variable all in one step
+/**
+ * This function will initialize a variable to an empty
+ * string unless it already has a value, in which case
+ * it will simply return the existing value ... the only
+ * diff. between this function and initVar() is that this
+ * fuction encodes HTML special characters and then echos
+ * the variable ... useful for initializing and printing
+ * a variable all in one step
+ */
function printVar($var) {
$var = empty($var) ? "" : htmlspecialchars($var,ENT_QUOTES);
@@ -25,10 +29,12 @@ function printVar($var) {
}
-# create pagination, including a page navigation bar. the
-# output should be fairly generic, enclosed in a div with
-# a css class of 'paginationNav', and more or less suitable
-# to be dropped into just about any page.
+/**
+ * Create pagination, including a page navigation bar. the
+ * output should be fairly generic, enclosed in a div with
+ * css class of 'paginationNav', and more or less suitable
+ * to be dropped into just about any page.
+ */
function getPagination($page = 1, $pageOffset, $uri , $paginationSql) {
global $config, $db;
@@ -109,4 +115,18 @@ HTML;
}
+/**
+ * Sanitize user form input, which at the moment means:
+ * - trim any leading and trailing whitespace
+ * - convert HTML special chars to HTML entities
+ */
+function sanitizeUserInput($input) {
+
+ $output = trim($input);
+ $output = htmlspecialchars($output);
+
+ return $output;
+
+}
+
?>
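Review bot: `htmlspecialchars($output)` is called with no flags or charset, so on PHP versions before 8.1 (default `ENT_COMPAT`) single quotes pass through unencoded, which is inconsistent with `printVar()` in this same file, which passes `ENT_QUOTES`; without a charset and `ENT_SUBSTITUTE`, invalid UTF-8 input also makes the function silently return an empty string. Use `$output = htmlspecialchars($output, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` (`ENT_SUBSTITUTE` needs PHP 5.4+). The docblock should also state what the function is and is not for, e.g. `* NOTE: this is HTML-context output encoding, not a general sanitiser; the result must not be used in SQL, shell or URL contexts.`, so callers that need the raw value for a query keep the trimmed original instead of this return value.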