diff --git a/Source/Config/Clean.php b/Source/Config/Clean.php index afe2b26..48083be 100644 --- a/Source/Config/Clean.php +++ b/Source/Config/Clean.php @@ -15,11 +15,30 @@ class Clean public static function simpleString(string $string): string { - $string = trim($string); - $string = strip_tags($string); - return htmlspecialchars($string); + $string = trim($string); + $string = strip_tags($string); + return htmlspecialchars($string); } + /** + * Cette fonction prend un tableau de chaînes de caractères en entrée et retourne un tableau de chaînes + * nettoyées. + * Elle supprime les espaces de début et de fin, ainsi que toutes les balises HTML, et encode les + * caractères spéciaux. + * + * @param array $array Le tableau de chaînes à nettoyer + * @return array Le tableau de chaînes nettoyées + */ + + public static function simpleStringArray(array $array): array + { + $array = array_map('trim', $array); + $array = array_map('strip_tags', $array); + $array = array_map('htmlspecialchars', $array); + return $array; + } + + /** * Cette fonction prend une chaîne de caractères en entrée et retourne une version nettoyée de cette chaîne. * Elle supprime les espaces de début et de fin, ainsi que toutes les balises HTML, et encode les @@ -45,4 +64,6 @@ class Clean { return filter_var($int, FILTER_SANITIZE_NUMBER_INT); } + + } diff --git a/Source/Config/Validate.php b/Source/Config/Validate.php index 69e9447..50e0796 100644 --- a/Source/Config/Validate.php +++ b/Source/Config/Validate.php 
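Review bot: `simpleStringArray` assumes every element of `$array` is a string, but its only caller in this diff hands it `$_POST['categories']` directly, where a nested entry (`categories[][]=x`) makes `array_map('trim', …)` throw a TypeError in PHP 8, so the request dies with a 500 instead of failing validation. Routing each element through `simpleString` would also keep the two helpers from drifting apart (for example if `simpleString` later gets explicit `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` flags), e.g. `return array_map([self::class, 'simpleString'], array_filter($array, 'is_string'));`, or throw on non-string entries if silently dropping them is not acceptable. Note that these helpers HTML-encode at input time, yet the cleaned values are later concatenated into API query strings in the ModelAdmin hunks, where HTML encoding is the wrong context; the encoding belongs at the output boundary. The blank line between the new docblock and the method also means the docblock is not attached to `simpleStringArray`, and `@param array` could be narrowed to `@param array<int|string, string>`.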
@@ -98,10 +98,35 @@ class Validate global $responseMaxLength; return (strlen($response) <= $responseMaxLength); } + + /** + * Vérifie si le nom est valide. + * + * @param string $name Le nom a vérifié. + * @return bool Vrai si le nom est valide, faux sinon. + */ + public static function username(string $username): bool { global $usernameMaxLength; return (strlen($username) >= 3 && preg_match("#[a-zA-Z0-9]+#", $username) && strlen($username) <= $usernameMaxLength); } + /** + * Vérifie si la description est valide. + * + * @param string $description La description a vérifié. + * @return bool Vrai si la description est valide, faux sinon. + */ + + public static function categories(array $categories): bool + { + global $categoryMaxLength; + foreach ($categories as $category) { + if (strlen($category) > $categoryMaxLength) { + return false; + } + } + return true; + } } diff --git a/Source/Config/config.php b/Source/Config/config.php index 5d2e867..f3ab39c 100644 --- a/Source/Config/config.php +++ b/Source/Config/config.php @@ -49,4 +49,5 @@ $keyWordMaxLength=50; $titleMaxLength=50; $typeMaxLength=50; $responseMaxLength=200; +$categoryMaxLenght=150; diff --git a/Source/Controller/ControllerAdmin.php b/Source/Controller/ControllerAdmin.php index 5dd5f8d..9b2ae6d 100644 --- a/Source/Controller/ControllerAdmin.php +++ b/Source/Controller/ControllerAdmin.php @@ -3,6 +3,8 @@ namespace Controller; use Model\ModelAdmin; +use Config\Clean; +use Config\Validate; /** * Permet de controller les réponses à fournir en fonction des actions passer dans l'URL @@ -19,7 +21,7 @@ class ControllerAdmin */ public function addQuestion(): void { - $type = $_POST['type']; + $type = Clean::simpleString($_POST['type']); $idQuestion = (new ModelAdmin())->addQuestion(); if (strcmp($type, "BusinessClass\TextQuestion") == 0) { $this->goToQuestions(); 
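Review bot: `Validate::categories` reads `global $categoryMaxLength`, but config.php in this same commit defines `$categoryMaxLenght` (typo), so the global is undefined (null) and `strlen($category) > null` is evaluated as a bool comparison that is true for every non-empty category — every `addResponse` call carrying a category will be rejected as `'Categories invalides'`. Fix the config line to `$categoryMaxLength=150;` and consider failing closed when the limit is missing, e.g. `if (!is_int($categoryMaxLength) || mb_strlen($category) > $categoryMaxLength) { return false; }` (`mb_strlen` if the limit is meant in characters rather than bytes). `categories()` also accepts non-string elements, for which `strlen` throws a TypeError in PHP 8; an `is_string` check per element would close that. The two added docblocks describe the wrong things as well: the one above `username` says it checks "le nom", and the one above `categories` says it validates "la description" and is separated from the method by a blank line, so it is not attached.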
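Review bot: `Clean::simpleString($_POST['type'])` throws a TypeError when the `type` field is absent from the POST body, because `$_POST['type']` is then null and `simpleString(string $string)` does not accept null — previously the missing key only produced a warning; use `Clean::simpleString($_POST['type'] ?? '')`, and the same applies to every `Clean::` call on a bare `$_POST[...]` in this commit. Note also that the cleaned `$type` is used only for the `strcmp` here; `ModelAdmin::addQuestion()` re-reads `$_POST['type']` itself, so this line does not protect the model. The enclosing `addQuestion` method continues past the hunk.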
@@ -52,9 +54,9 @@ class ControllerAdmin { (new ModelAdmin())->addResponse(); $categories = (new ModelAdmin())->getCategories(); - $idQuestion = $_POST['idQuestion']; - $questionContent = $_POST['question']; - $type = $_POST['type']; + $idQuestion = Clean::int($_POST['idQuestion']); + $questionContent = Clean::simpleString($_POST['question']); + $type = Clean::simpleString($_POST['type']); global $rep, $views; require_once($rep.$views['continue']); } @@ -79,12 +81,12 @@ class ControllerAdmin */ public function continueResponse(): void { - $choose = $_POST['choose']; + $choose = Clean::simpleString($_POST['choose']); if ($choose == "Oui") { - $idQuestion = $_POST['idQuestion']; + $idQuestion = Clean::int($_POST['idQuestion']); $categories = (new ModelAdmin())->getCategories(); - $questionContent = $_POST['question']; - $type = $_POST['type']; + $questionContent = Clean::simpleString($_POST['question']); + $type = Clean::simpleString($_POST['type']); global $rep, $views; require_once($rep.$views['possibleResponsesForm']); } else { diff --git a/Source/Model/ModelAdmin.php b/Source/Model/ModelAdmin.php index 1838a38..0eb8995 100644 --- a/Source/Model/ModelAdmin.php +++ b/Source/Model/ModelAdmin.php @@ -7,6 +7,8 @@ use Exception; use GuzzleHttp\Client; use GuzzleHttp\Exception\GuzzleException; use PDOException; +use Config\Validate; +use Config\Clean; /** * Permet de développer les fonctions appelées par le controllerAdmin pour gérer 
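Review bot: `Clean::int` sanitises rather than validates: `filter_var(..., FILTER_SANITIZE_NUMBER_INT)` turns `'12abc'` into `'12'`, leaves `'1-2'` as `'1-2'`, and returns `''` for a value with no digits, and the result is a string rather than an int, so `$idQuestion` can still be empty or malformed when it reaches the view. If the intent is to reject bad ids, `filter_var($_POST['idQuestion'] ?? null, FILTER_VALIDATE_INT)` with a check for `false` is the right tool, and the same applies to `continueResponse` below. Both enclosing methods extend beyond their hunks (this one opens at a bare `{`), so whether the value is later type-checked cannot be seen here.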
@@ -39,26 +41,29 @@ class ModelAdmin */ public function addQuestion(): int { - $questionContent = $_POST['question']; - $type = $_POST['type']; + $questionContent = Clean::simpleString($_POST['question']); + $type = Clean::simpleString($_POST['type']); try { - - + if (validate::type($type)) { $question = new $type(0, $questionContent); $res = $this->client->request('GET', 'https://codefirst.iut.uca.fr/containers/Temoignages-deploy_api_form/getForm'); $form = json_decode($res->getBody()); if (!empty($form)) { - $res = $this->client->request('POST', 'https://codefirst.iut.uca.fr/containers/Temoignages-deploy_api_form/addQuestion? - content='.$questionContent.'& - classQuestion='.get_class($question).'& - idForm='.$form[0]['id'] + $res = $this->client->request( + 'POST', + 'https://codefirst.iut.uca.fr/containers/Temoignages-deploy_api_form/addQuestion? + content='.$questionContent.'& + classQuestion='.get_class($question).'& + idForm='.$form[0]['id'] ); return json_decode($res->getBody()); } + } else { + throw new Exception('Type de question invalide'); + } }catch (GuzzleException $g){ throw new Exception($g->getMessage(),$g->getCode(),$g); } - return -1; } @@ -70,9 +75,12 @@ class ModelAdmin */ public function deleteQuestion():void { - $idQuestion = $_POST["idQuestion"]; - $type = $_POST["type"]; + $idQuestion = Clean::int($_POST["idQuestion"]); + $type = Clean::simpleString($_POST["type"]); try { + if (!validate::type($type)) { + throw new Exception('Type de question invalide'); + } $res = $this->client->request('DELETE', 'https://codefirst.iut.uca.fr/containers/Temoignages-deploy_api_form/deleteQuestion? classQuestion='.$type.'& id='.$idQuestion 
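Review bot: `$questionContent` is still concatenated raw into the `addQuestion` query string, and `Clean::simpleString` does not make it URL-safe: `htmlspecialchars` leaves `=`, `#` and `?` alone and rewrites `&` to `&amp;`, which still begins a new parameter, so a question containing `&idForm=5` or `#` rewrites or truncates the request — use Guzzle's `query` option (or `rawurlencode` each value) so the client encodes every parameter. The literal also keeps its embedded newlines and indentation, so the parameter names actually sent are `\n    classQuestion` and `\n    idForm` unless something strips them; the `query` array form removes that problem too. The safety of `new $type(0, $questionContent)` now rests entirely on `Validate::type`, which is not in this diff; it needs to be an exact allow-list of the intended question classes rather than a pattern match, since any loadable class with a compatible constructor could otherwise be instantiated from a POST value. Separately, `json_decode($res->getBody())` without `true` yields stdClass objects, so `$form[0]['id']` would throw if `$form[0]` is a JSON object — confirm the response shape. `validate::type` should also be spelled `Validate::type` to match the `use Config\Validate` import.
```php
if (!Validate::type($type)) {
    throw new Exception('Type de question invalide');
}
$question = new $type(0, $questionContent);
// … unchanged: getForm request and json_decode …
if (!empty($form)) {
    $res = $this->client->request(
        'POST',
        'https://codefirst.iut.uca.fr/containers/Temoignages-deploy_api_form/addQuestion',
        [
            'query' => [
                'content'       => $questionContent,
                'classQuestion' => get_class($question),
                'idForm'        => $form[0]['id'],
            ],
        ]
    );
    return json_decode($res->getBody());
}
```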
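Review bot: `deleteQuestion` now validates `$type` but not `$idQuestion`: `Clean::int` returns a string that may be `''` or `'-1'` (it only strips characters), and the DELETE is issued regardless, so a malformed id still reaches the API. Mirror the type check with something like `if (filter_var($idQuestion, FILTER_VALIDATE_INT) === false) { throw new Exception('Identifiant de question invalide'); }`. The request call continues past the hunk, so whether its response is checked is not visible here.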
@@ -93,13 +101,16 @@ class ModelAdmin */ public function addResponse(): void { - $idQuestion = $_POST['idQuestion']; - $response = $_POST['response']; - $categories = $_POST['categories']; + $idQuestion = Clean::int($_POST['idQuestion']); + $response = Clean::simpleString($_POST['response']); + $categories = Clean::simpleStringArray($_POST['categories']); if ($categories == null) { $categories = []; } try { + if(!validate::categories($categories)){ + throw new Exception('Categories invalides'); + } $this->client->request('POST', 'https://codefirst.iut.uca.fr/containers/Temoignages-deploy_api_form/insertResponseInQuestion? response='.$response.'& categories='.$categories.'& @@ -162,8 +173,11 @@ class ModelAdmin */ public function addKeyword(): void { - $keyword = $_POST['keyword']; + $keyword = Clean::simpleString($_POST['keyword']); try { + if(!validate::keyword($keyword)){ + throw new Exception('Mot-clef invalide'); + } $this->client->request('POST', 'https://codefirst.iut.uca.fr/containers/Temoignages-deploy_api_form/insertKeyword? keyword='.$keyword ); @@ -276,7 +290,7 @@ class ModelAdmin { try { $res = $this->client->request('DELETE', 'https://codefirst.iut.uca.fr/containers/Temoignages-deploy_api_form/deleteListResponseOfCandidate? - id='.$_POST["idResponseCandidate"] + id='.Clean::int($_POST["idResponseCandidate"]) ); if ($res->getStatusCode()!=200){ throw new Exception('DeleteListResponseOfCandidate failed'); diff --git a/Source/Model/ModelCandidate.php b/Source/Model/ModelCandidate.php index ac91bde..ab6c66c 100644 --- a/Source/Model/ModelCandidate.php +++ b/Source/Model/ModelCandidate.php 
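Review bot: `Clean::simpleStringArray($_POST['categories'])` throws a TypeError whenever the form posts no category (missing key → null) or a single non-array value, because the parameter is declared `array`; the old `== null` fallback that handled the missing case is now unreachable for it. Read it as `$raw = $_POST['categories'] ?? []; $categories = Clean::simpleStringArray(is_array($raw) ? $raw : [$raw]);` or reject non-array input explicitly. The cleaned array is then still string-concatenated on the context line `categories='.$categories.'&`, which converts to the literal `Array` (with a warning), so the API never receives the categories at all; pass them through Guzzle's `query` option in whatever format the API expects (e.g. `'categories' => implode(',', $categories)`). `validate::categories` also depends on `$categoryMaxLength`, which config.php in this commit misspells as `$categoryMaxLenght`, so the check currently rejects any non-empty category.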
@@ -32,9 +32,8 @@ class ModelCandidate public function submitForm(): void { $answersAndCategories = $_POST['answers']; - $dataIds = null; - if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'submitForm') { + if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && Clean::simpleString($_POST['action']) === 'submitForm') { $dataIdsJson = $_POST['data_ids']; $dataIds = json_decode($dataIdsJson); }
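Review bot: `Clean::` is used here without a matching `use Config\Clean;` hunk for ModelCandidate.php in this diff; unless the file already imports it, the name resolves to `Model\Clean` and the request fails with a fatal error — the ModelAdmin hunk in this commit had to add that import, so it is likely missing here too. Running the value through `htmlspecialchars`/`strip_tags` before a strict `===` comparison with a literal adds nothing; `($_POST['action'] ?? '') === 'submitForm'` checks the same thing and avoids the TypeError on a missing key. Removing `$dataIds = null;` leaves `$dataIds` undefined when the condition is false; the method continues past the hunk, so if it is read later that path now raises an undefined-variable warning. `$_POST['answers']` is still read before the `REQUEST_METHOD`/action check, and `json_decode($dataIdsJson)` is not checked for failure.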