issue60, if tags are provided in the calling URL they will now get verified

git-svn-id: file:///var/lib/svn/phpfspot/trunk@263 fa6a889d-dae6-447d-9e79-4ba9a3039384

diff --git a/phpfspot.class.php b/phpfspot.class.php
index 3d707a82fb7137142608091c9a4a627fbc914f29..e500dbe41c09dd427ca872202c51a672f4ea8adb 100644 (file)
--- a/phpfspot.class.php
+++ b/phpfspot.class.php
@@ -112,7 +112,7 @@ class PHPFSPOT {
       switch($_GET['mode']) {
          case 'showpi':
             if(isset($_GET['tags'])) {
-               $_SESSION['selected_tags'] = split(',', $_GET['tags']);
+               $_SESSION['selected_tags'] = $this->extractTags($_GET['tags']);
             }
             if(isset($_GET['from_date']) && $this->isValidDate($_GET['from_date'])) {
                $_SESSION['from_date'] = strtotime($_GET['from_date']);
@@ -123,7 +123,7 @@ class PHPFSPOT {
             break;
          case 'showp':
             if(isset($_GET['tags'])) {
-               $_SESSION['selected_tags'] = split(',', $_GET['tags']);
+               $_SESSION['selected_tags'] = $this->extractTags($_GET['tags']);
                $_SESSION['start_action'] = 'showp';
             }
             if(isset($_GET['id'])) {
@@ -156,7 +156,6 @@ class PHPFSPOT {
       $this->tmpl->assign('content_page', 'welcome.tpl');
       $this->tmpl->show("index.tpl");
 
-
    } // show()
 
    /**
@@ -1796,6 +1795,20 @@ class PHPFSPOT {
       return strftime("%Y-%m-%d", $timestamp);
    } // ts2str()
 
+   private function extractTags($tags_str)
+   {
+      $not_validated = split(',', $_GET['tags']);
+      $validated = array();
+
+      foreach($not_validated as $tag) {
+         if(is_numeric($tag))
+            array_push($validated, $tag);
+      }
+   
+      return $validated;
+   
+   } // extractTags()
+
 }
 
 ?>

diff --git a/rpc.php b/rpc.php
index 39e2b7726efa606ba11637d5b8359916ac962ba6..bdb7004ad6de1d6a03ec68c1760077517aa8e67d 100644 (file)
--- a/rpc.php
+++ b/rpc.php
@@ -106,6 +106,7 @@ class PHPFSPOT_RPC {
             break;
 
          case 'get_export':
+            /* $_GET['mode'] will be validated by getExport() */
             $fspot->getExport($_GET['mode']);
             break;