From 8223eed3290bc66d0a32b1706d20920a579176c4 Mon Sep 17 00:00:00 2001
From: Andreas Unterkircher <unki@netshadow.at>
Date: Sun, 29 Jul 2007 09:01:40 +0000
Subject: issue60, input validation for provided dates via RPC or $_GET

git-svn-id: file:///var/lib/svn/phpfspot/trunk@262 fa6a889d-dae6-447d-9e79-4ba9a3039384
---
 phpfspot.class.php | 69 ++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 51 insertions(+), 18 deletions(-)

(limited to 'phpfspot.class.php')

diff --git a/phpfspot.class.php b/phpfspot.class.php
index 9d3f548..3d707a8 100644
--- a/phpfspot.class.php
+++ b/phpfspot.class.php
@@ -114,11 +114,11 @@ class PHPFSPOT {
             if(isset($_GET['tags'])) {
                $_SESSION['selected_tags'] = split(',', $_GET['tags']);
             }
-            if(isset($_GET['from_date'])) {
-               $_SESSION['from_date'] = $_GET['from_date'];
+            if(isset($_GET['from_date']) && $this->isValidDate($_GET['from_date'])) {
+               $_SESSION['from_date'] = strtotime($_GET['from_date']);
             }
-            if(isset($_GET['to_date'])) {
-               $_SESSION['to_date'] = $_GET['to_date'];
+            if(isset($_GET['to_date']) && $this->isValidDate($_GET['to_date'])) {
+               $_SESSION['to_date'] = strtotime($_GET['to_date']);
             }
             break;
          case 'showp':
@@ -130,11 +130,11 @@ class PHPFSPOT {
                $_SESSION['current_photo'] = $_GET['id'];
                $_SESSION['start_action'] = 'showp';
             }
-            if(isset($_GET['from_date'])) {
-               $_SESSION['from_date'] = $_GET['from_date'];
+            if(isset($_GET['from_date']) && $this->isValidDate($_GET['from_date'])) {
+               $_SESSION['from_date'] = strtotime($_GET['from_date']);
             }
-            if(isset($_GET['to_date'])) {
-               $_SESSION['to_date'] = $_GET['to_date'];
+            if(isset($_GET['to_date']) && $this->isValidDate($_GET['to_date'])) {
+               $_SESSION['to_date'] = strtotime($_GET['to_date']);
             }
             break;
          case 'export':
@@ -148,7 +148,7 @@ class PHPFSPOT {
       }
 
       if(isset($_SESSION['from_date']) && isset($_SESSION['to_date']))
-       $this->tmpl->assign('date_search_enabled', true);
+         $this->tmpl->assign('date_search_enabled', true);
 
       $this->tmpl->assign('from_date', $this->get_calendar('from'));
       $this->tmpl->assign('to_date', $this->get_calendar('to'));
@@ -330,7 +330,7 @@ class PHPFSPOT {
          $extern_link.= "&tags=". $current_tags;
       }
       if(isset($_SESSION['from_date']) && isset($_SESSION['to_date'])) {
-         $extern_link.= "&from_date=". $_SESSION['from_date'] ."&to_date=". $_SESSION['to_date'];
+         $extern_link.= "&from_date=". $this->ts2str($_SESSION['from_date']) ."&to_date=". $this->ts2str($_SESSION['to_date']);
       }
 
       $this->tmpl->assign('extern_link', $extern_link);
@@ -567,8 +567,8 @@ class PHPFSPOT {
       $matched_photos = Array();
 
       if(isset($_SESSION['from_date']) && isset($_SESSION['to_date'])) {
-         $from_date = strtotime($_SESSION['from_date'] ." 00:00:00");
-         $to_date = strtotime($_SESSION['to_date'] ." 23:59:59");
+         $from_date = $_SESSION['from_date'];
+         $to_date = $_SESSION['to_date'];
          $additional_where_cond = "
                p.time>='". $from_date ."'
             AND
@@ -783,8 +783,8 @@ class PHPFSPOT {
          $this->tmpl->assign('searchfor', $_SESSION['searchfor']);
 
       if(isset($_SESSION['from_date']) && isset($_SESSION['to_date'])) {
-         $this->tmpl->assign('from_date', $_SESSION['from_date']);
-         $this->tmpl->assign('to_date', $_SESSION['to_date']);
+         $this->tmpl->assign('from_date', $this->ts2str($_SESSION['from_date']));
+         $this->tmpl->assign('to_date', $this->ts2str($_SESSION['to_date']));
       }
 
       if(isset($_SESSION['selected_tags']) && !empty($_SESSION['selected_tags'])) {
@@ -876,7 +876,7 @@ class PHPFSPOT {
          $extern_link.= "&tags=". $current_tags;
       }
       if(isset($_SESSION['from_date']) && isset($_SESSION['to_date'])) {
-         $extern_link.= "&from_date=". $_SESSION['from_date'] ."&to_date=". $_SESSION['to_date'];
+         $extern_link.= "&from_date=". $this->ts2str($_SESSION['from_date']) ."&to_date=". $this->ts2str($_SESSION['to_date']);
       }
 
       $export_link = "index.php?mode=export";
@@ -1213,12 +1213,18 @@ class PHPFSPOT {
     * getPhotoSelection() will then only return the matching
     * photos.
     */
-   public function startSearch($searchfor, $from, $to, $sort_order)
+   public function startSearch($searchfor, $sort_order, $from = 0, $to = 0)
    {
       $_SESSION['searchfor'] = $searchfor;
-      $_SESSION['from_date'] = $from;
-      $_SESSION['to_date'] = $to;
       $_SESSION['sort_order'] = $sort_order;
+      if($from != 0)
+         $_SESSION['from_date'] = strtotime($from);
+      else
+         unset($_SESSION['from_date']);
+      if($to != 0)
+         $_SESSION['to_date'] = strtotime($to);
+      else
+         unset($_SESSION['to_date']);
 
       if($searchfor != "") {
          /* new search, reset the current selected tags */
@@ -1228,6 +1234,7 @@ class PHPFSPOT {
                array_push($_SESSION['selected_tags'], $tag);
          }
       }
+
    } // startSearch()
 
    /**
@@ -1763,6 +1770,32 @@ class PHPFSPOT {
 
    } // get_random_photo()
 
+   /**
+    * validates provided date
+    *
+    * this function validates if the provided date
+    * contains a valid date and will return true 
+    * if it is.
+    */
+   public function isValidDate($date_str)
+   {
+      $timestamp = strtotime($date_str);
+   
+      if(is_numeric($timestamp))
+         return true;
+      
+      return false;
+
+   } // isValidDate()
+
+   /**
+    * timestamp to string conversion
+    */
+   private function ts2str($timestamp)
+   {
+      return strftime("%Y-%m-%d", $timestamp);
+   } // ts2str()
+
 }
 
 ?>
-- 
cgit v1.2.3-18-g5258