[Mapbender-commits] r4868 - trunk/mapbender/http/javascripts
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Tue Oct 27 12:38:18 EDT 2009
Author: christoph
Date: 2009-10-27 12:38:18 -0400 (Tue, 27 Oct 2009)
New Revision: 4868
Modified:
trunk/mapbender/http/javascripts/mod_poi.php
Log:
Modified: trunk/mapbender/http/javascripts/mod_poi.php
===================================================================
--- trunk/mapbender/http/javascripts/mod_poi.php 2009-10-27 16:36:52 UTC (rev 4867)
+++ trunk/mapbender/http/javascripts/mod_poi.php 2009-10-27 16:38:18 UTC (rev 4868)
@@ -88,14 +88,49 @@
#$language = parse_ini_file("../language/".$lingo.".txt");
echo "<script type='text/javascript'>";
-echo "var conffile = '".$_REQUEST["conf_file"]."';";
-echo "var lingo = '".$_REQUEST["lingo"]."';";
-echo "var backlink = '".$_REQUEST["backlink"]."';";
+$queryString = $_REQUEST["search"];
+if (!preg_match("/^[a-zA-Z0-9_- \*]+$/", $search)) {
+
+ $errorMessage = _mb("Invalid search term");
+ echo htmlentities($errorMessage, ENT_QUOTES, CHARSET);
+ $e = new mb_exception($errorMessage);
+ $queryString = "";
+}
+
+$backlink = $_REQUEST["backlink"];
+
+if ($backlink !== "parent") {
+ $backlink = false;
+}
+echo "var backlink = '".$backlink."';";
+
$lingo = $_REQUEST["lingo"];
+if (!preg_match("/^[a-zA-Z]+$/", $lingo)) {
+
+ $errorMessage = _mb("Invalid language") . ": " . $lingo;
+ echo htmlentities($errorMessage, ENT_QUOTES, CHARSET);
+ $e = new mb_exception($errorMessage);
+ die;
+}
+echo "var lingo = '".$lingo."';";
+
+
$title = "layername_".$lingo;
-require_once(dirname(__FILE__) . "/../../conf/".$_REQUEST["conf_file"]);
+$confFile = basename($_REQUEST["conf_file"]);
+if (!preg_match("/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)$/", $confFile) ||
+ !file_exists($confFile)) {
+
+ $errorMessage = _mb("Invalid configuration file") . ": " . $confFile;
+ echo htmlentities($errorMessage, ENT_QUOTES, CHARSET);
+ $e = new mb_exception($errorMessage);
+ die;
+}
+echo "var conffile = '".$confFile."';";
+
+require_once(dirname(__FILE__) . "/../../conf/".$confFile);
+
echo "</script>";
?>
<script type="text/javascript">
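Review bot: The search-term check `preg_match("/^[a-zA-Z0-9_- \*]+$/", $search)` tests `$search`, which is not assigned anywhere in this hunk, instead of `$queryString`, and the `_- ` sequence inside the character class is a descending range that PCRE rejects, so the condition appears to be true for every request and `$queryString` is always blanked. Testing the right variable with the hyphen placed last, `if (!preg_match("/^[a-zA-Z0-9_ *-]+$/", $queryString)) {`, would make the whitelist effective, which matters because later hunks pass `$queryString` into a regex and an SQL string. The `file_exists($confFile)` test resolves against the working directory while `require_once` loads from `dirname(__FILE__) . "/../../conf/"`; checking `file_exists(dirname(__FILE__) . "/../../conf/" . $confFile)` keeps the two in agreement. The error messages are also echoed while the `<script>` element is still open, where `htmlentities` is not the matching encoder, so they would be better emitted outside the script block.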
@@ -104,7 +139,7 @@
function validate(){
if(document.form1.search.value.length < 1){
- alert("Bitte vervollst�ndigen Sie die Angaben!");
+ alert("Bitte vervollständigen Sie die Angaben!");
document.form1.search.focus();
return false;
}
@@ -188,7 +223,7 @@
<body leftmargin="2" topmargin="0" bgcolor="#ffffff">
<?php
-if(!isset($_REQUEST["search"]) || $_REQUEST["search"] == ""){
+if(!isset($queryString) || $queryString == ""){
echo "<form name='form1' target='result' onsubmit='return validate();'>";
echo "Suchen: <input class='textfield' name='search' type='text'> ";
echo "<input class='sbutton' type='submit' name='send' value='ok'>";
@@ -196,8 +231,8 @@
echo "</form>";
}
else{
- if(preg_match("/\*/",$_REQUEST["search"])){
- $search = trim(preg_replace("/\*/i","", $_REQUEST["search"]));
+ if(preg_match("/\*/",$queryString)){
+ $search = trim(preg_replace("/\*/i","", $queryString));
}
$con = pg_connect ($con_string) or die ("Error while connecting database $dbname");
@@ -213,7 +248,7 @@
$md_fileidentifier[$cnt] = pg_result($res,$cnt,"md_fileidentifier"); # Layername
$layername[$cnt] = pg_result($res,$cnt,"md_fileidentifier"); # Layername in der Mapdatei
$result_title[$cnt] = pg_result($res,$cnt,"\"".$title."\""); # layer_deutsch Ergebnisname
- $search_columns[$cnt] = pg_result($res,$cnt,"search_columns"); # Suchspalten, Trennung �ber ,
+ $search_columns[$cnt] = pg_result($res,$cnt,"search_columns"); # Suchspalten, Trennung über ,
$search_result[$cnt] = pg_result($res,$cnt,"search_result"); # Ergebnisspalte
$search_keywords[$cnt] = pg_result($res,$cnt,"search_keywords"); # Ergebnisspalte
$wms_title[$cnt] = pg_result($res,$cnt,"wms_title"); # WMS tile
@@ -223,7 +258,7 @@
$array_search_keywords = explode(",", $search_keywords[$cnt]);
$all[$cnt] = false;
for ($p=0 ; $p<count($array_search_keywords);$p++){
- $hit = preg_match("/".$_REQUEST["search"]."/i",$array_search_keywords[$p]);
+ $hit = preg_match("/".$queryString."/i",$array_search_keywords[$p]);
if ($hit >0){
$all[$cnt] = true;
}
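Review bot: `$queryString` is concatenated into the pattern `"/".$queryString."/i"` without `preg_quote`, and the whitelist introduced earlier in this commit is meant to allow `*` and space, so a permitted search term is still interpreted as regex syntax (a leading `*` makes the pattern fail to compile). Quoting the term treats it as literal text: `$hit = preg_match("/".preg_quote($queryString, "/")."/i",$array_search_keywords[$p]);`. If `*` is meant as a wildcard, translate it explicitly after quoting rather than relying on regex semantics. The enclosing loop continues outside the hunk.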
@@ -270,7 +305,7 @@
};
$field_has_parent = true;
$sql1 .= pg_field_name($res,$j) ." ILIKE ";
- $sql1 .= "'%".$_REQUEST["search"]."%'";
+ $sql1 .= "'%".$queryString."%'";
}
}
$field_has_parent = false;
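Review bot: The ILIKE clause is still assembled by string concatenation, `$sql1 .= "'%".$queryString."%'";`, so the query's safety rests entirely on the character whitelist applied near the top of the file. Escaping at the point of use, `$sql1 .= "'%".pg_escape_string($queryString)."%'";`, or binding the term with `pg_query_params`, keeps the statement safe if that whitelist is later relaxed or bypassed. Note that `_` is allowed by the whitelist and acts as a single-character wildcard in ILIKE, which may or may not be intended. The code that completes and runs `$sql1` lies outside the hunk.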
@@ -291,7 +326,7 @@
$title = "layername_".$lingo;
echo "<div class='header'>".$result_title[$i]. "</div>";
}
- if($_REQUEST["backlink"]=='parent'){
+ if($backlink=='parent'){
echo "<nobr><a href='javascript:hideHighlight();parent.parent.mb_repaintScale(\"mapframe1\"," .pg_result($res1,$cnt,"x"). ",".pg_result($res1,$cnt,"y"). ",$scale);'";
}
else{