From bc07a929dbc01138feebc39f17036e3635ad8b68 Mon Sep 17 00:00:00 2001
From: INOPIAE
Date: Sun, 9 Jun 2013 20:12:37 +0200
Subject: bug 1137: corrected some checks in wot.inc.php and wot.php

---
 includes/wot.inc.php | 27 ++++++++++++++++++++-------
 pages/wot/6.php | 2 --
 www/wot.php | 6 ++++++
 3 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/includes/wot.inc.php b/includes/wot.inc.php
index 94253c9..b2d9a75 100644
--- a/includes/wot.inc.php
+++ b/includes/wot.inc.php
@@ -630,6 +630,7 @@ function AssureFoot($oldid,$confirm)
 // double with notray.inc
 /**
  * write_user_agreement()
+ * writes a new record to the table user_agreement
  *
  * @param mixed $memid
  * @param mixed $document
@@ -640,40 +641,52 @@ function AssureFoot($oldid,$confirm) * @return */ function write_user_agreement($memid, $document, $method, $comment, $active=1, $secmemid=0){ - // write a new record to the table user_agreement - $query="insert into `user_agreements` set `memid`=".$memid.", `secmemid`=".$secmemid. - ",`document`='".$document."',`date`=NOW(), `active`=".$active.",`method`='".$method."',`comment`='".$comment."'" ; + // + $query="insert into `user_agreements` set `memid`=".intval($memid).", `secmemid`=".intval($secmemid). + ",`document`='".$document."',`date`=NOW(), `active`=".intval($active).",`method`='".$method."',`comment`='".$comment."'" ; $res = mysql_query($query); } /** * check_date_format() + * checks if the date is entered in the right date format YYYY-MM-DD and + * if the date is after the 1st January of the given year * * @param mixed $date * @param integer $year * @return */ function check_date_format($date, $year=2000){ - //checks if the date is entered in the right date format YYYY-MM-DD and if if (!strpos($date,'-')) { return FALSE; } $arr=explode('-',$date); + + if ((count($arr)!=3)) { + return FALSE; + } if (intval($arr[0])<=$year) { + + } + if (intval($arr[1])>12 or intval($arr[1])<=0) { + return FALSE; + } + if (intval($arr[2])>31 or intval($arr[2])<=0) { return FALSE; } - return checkdate(intval($arr[1]), intval($arr[2]), intval($arr[0])); + + return checkdate( intval($arr[1]), intval($arr[2]), intval($arr[0])); } /** * check_date_differnce() + * returns false if the date is larger then today + time diffrence * * @param mixed $date * @param integer $diff * @return */ function check_date_differnce($date, $diff=1){ - //returns false if the date is larger then today + time diffrence return (strtotime($date)<=time()+$diff*86400); -} \ No newline at end of file +} diff --git a/pages/wot/6.php b/pages/wot/6.php index a1f7489..fda3fc3 100644 --- a/pages/wot/6.php +++ b/pages/wot/6.php 
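Review bot: In check_date_format the year lower-bound check appears to have lost its body: as rendered here, the context line `if (intval($arr[0])<=$year) {` is followed only by an added blank line and an added `}`, so a year at or below $year no longer returns FALSE, which contradicts the new docblock sentence "if the date is after the 1st January of the given year"; the original `return FALSE;` now belongs to the new $arr[2] check. Put `return FALSE;` back inside that block (the month and day range checks that follow are harmless but already covered by the checkdate() call at the end). Separately, write_user_agreement now wraps the integer fields in intval() but still concatenates $document, $method and $comment unescaped into the INSERT statement; if any caller can pass user-supplied text for those, they should go through mysql_real_escape_string() before concatenation, since the function uses the mysql_* API. The added bare `//` line in that function should either carry the description that was removed or be dropped.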
@@ -55,7 +55,5 @@ AssureBoxLine("rules",_("I have read and understood the CAcert Community Agreement (CCA), Assurance Policy and the Assurance Handbook. I am making this Assurance subject to and in compliance with the CCA, Assurance policy and handbook."),array_key_exists('rules',$_POST) && $_POST['rules'] == 1); AssureTextLine(_("Policy"),""._("CAcert Community Agreement")." -"._("Assurance Policy")." - "._("Assurance Handbook").""); AssureInboxLine("points",_("Points"),"","
(Max. ".maxpoints().")"); -// AssureCCABoxLine("CCAAgreed",sprintf(_("Check this box only if %s agreed to the CAcert Community Agreement"),$fname)); -// AssureCCABoxLine("CCAAgree",_("Check this box only if YOU agree to the CAcert Community Agreement")); AssureFoot($id,_("I confirm this Assurance")); ?> diff --git a/www/wot.php b/www/wot.php index a470b96..e35bdb0 100644 --- a/www/wot.php +++ b/www/wot.php @@ -266,6 +266,12 @@ $iecho= "c"; exit; } + if($_REQUEST['points'] <0 || ($_REQUEST['points']>35)) + { + show_page("VerifyData","",_("The number of points you entered are out of the range given by policy.")); + exit; + } + $query = "select * from `users` where `id`='".$_SESSION['_config']['notarise']['id']."'"; $res = mysql_query($query); $row = mysql_fetch_assoc($res); -- cgit v1.2.1