Diffstat (limited to 'web/process.php')
-rw-r--r--web/process.php60
1 files changed, 39 insertions, 21 deletions
diff --git a/web/process.php b/web/process.php
index 43827b9..238e843 100644
--- a/web/process.php
+++ b/web/process.php
@@ -8,27 +8,42 @@
if (RECAPTCHA_ENABLED) {
require_once "recaptcha.php";
+ $remoteAddress = filter_input(INPUT_SERVER,
+ "remote_addr",
+ FILTER_VALIDATE_IP);
+ $challenge = filter_input(INPUT_POST,
+ "recaptcha_challenge_field",
+ FILTER_UNSAFE_RAW);
+ $response = filter_input(INPUT_POST,
+ "recaptcha_response_field",
+ FILTER_UNSAFE_RAW);
+
$resp = recaptcha_check_answer(RECAPTCHA_PRIVATE_KEY,
- $_SERVER["REMOTE_ADDR"],
- $_POST["recaptcha_challenge_field"],
- $_POST["recaptcha_response_field"]);
+ $remoteAddress,
+ $challenge,
+ $response);
if (!$resp->is_valid) {
die("CAPTCHA was incorrect");
}
}
+ function sanitize_shellarg($arg) {
+ return escapeshellarg($arg);
+ }
+ define("FILTER_SANITIZE_SHELL", array("options" => "sanitize_shellarg"));
+
$buildID = uniqid();
- $bootMegabytes = intval($_POST["boot_size"]);
- $swapMegabytes = intval($_POST["swap_size"]);
- $rootMegabytes = intval($_POST["root_size"]);
- $timezone = escapeshellarg($_POST["timezone"]);
- $hostname = escapeshellarg($_POST["hostname"]);
- $username = escapeshellarg($_POST["username"]);
- $password = escapeshellarg($_POST["password"]);
- $rootPassword = escapeshellarg($_POST["rootpassword"]);
- $packagesList = escapeshellarg($_POST["packages"]);
- $outputFormat = escapeshellarg($_POST["format"]);
+ $bootMegabytes = filter_input(INPUT_POST, "boot_size", FILTER_VALIDATE_INT);
+ $swapMegabytes = filter_input(INPUT_POST, "swap_size", FILTER_VALIDATE_INT);
+ $rootMegabytes = filter_input(INPUT_POST, "root_size", FILTER_VALIDATE_INT);
+ $timezone = filter_input(INPUT_POST, "timezone", FILTER_SANITIZE_SHELL);
+ $hostname = filter_input(INPUT_POST, "hostname", FILTER_SANITIZE_SHELL);
+ $username = filter_input(INPUT_POST, "username", FILTER_SANITIZE_SHELL);
+ $password = filter_input(INPUT_POST, "password", FILTER_SANITIZE_SHELL);
+ $rootPass = filter_input(INPUT_POST, "rootpassword", FILTER_SANITIZE_SHELL);
+ $packagesList = filter_input(INPUT_POST, "packages", FILTER_SANITIZE_SHELL);
+ $outputFormat = filter_input(INPUT_POST, "format", FILTER_SANITIZE_SHELL);
$packagesList = str_replace("\r\n", " ", $packagesList);
$packagesList = str_replace("\n", " ", $packagesList);
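Review bot: The shell escaping on the new `timezone` … `format` lines is not actually applied: `FILTER_SANITIZE_SHELL` is defined as an options array (`array("options" => "sanitize_shellarg")`), but the third argument of `filter_input()` is the filter id, so `sanitize_shellarg` is never invoked and those values reach the INI string either unescaped or as `null`/an error depending on PHP version — and on PHP 5, which the file's former `mysql_*` calls suggest, `define()` rejects array values outright, leaving the constant undefined. The callback filter is `FILTER_CALLBACK`, with the options array passed as the fourth argument, as in the rewrite below. Separately, `filter_input(INPUT_SERVER, "remote_addr", FILTER_VALIDATE_IP)` looks up a lowercase key while the removed line used `$_SERVER["REMOTE_ADDR"]`; as far as I can tell the lookup is case-sensitive, so `$remoteAddress` will be `null` and the reCAPTCHA check loses the client IP — it should read `"REMOTE_ADDR"`. Also note that `FILTER_VALIDATE_INT` yields `false` for a bad size and `null` for a missing one where `intval()` yielded `0`, which interpolates as an empty string into `SWAP_MEGABYTES=''` in the next hunk; rejecting the request with `if ($bootMegabytes === false || $swapMegabytes === false || $rootMegabytes === false) die("Invalid partition size");` before the INI string is built would be safer.
```php
// … unchanged: $buildID and the three FILTER_VALIDATE_INT lines …
$timezone = filter_input(INPUT_POST, "timezone", FILTER_CALLBACK, FILTER_SANITIZE_SHELL);
$hostname = filter_input(INPUT_POST, "hostname", FILTER_CALLBACK, FILTER_SANITIZE_SHELL);
$username = filter_input(INPUT_POST, "username", FILTER_CALLBACK, FILTER_SANITIZE_SHELL);
$password = filter_input(INPUT_POST, "password", FILTER_CALLBACK, FILTER_SANITIZE_SHELL);
$rootPass = filter_input(INPUT_POST, "rootpassword", FILTER_CALLBACK, FILTER_SANITIZE_SHELL);
$packagesList = filter_input(INPUT_POST, "packages", FILTER_CALLBACK, FILTER_SANITIZE_SHELL);
$outputFormat = filter_input(INPUT_POST, "format", FILTER_CALLBACK, FILTER_SANITIZE_SHELL);
// … unchanged: newline-to-space replacement on $packagesList …
```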
@@ -41,7 +56,7 @@ SWAP_MEGABYTES='$swapMegabytes'
ROOT_MEGABYTES='$rootMegabytes'
TIMEZONE=$timezone
HOSTNAME=$hostname
-ROOT_PASSWORD=$rootPassword
+ROOT_PASSWORD=$rootPass
DEFAULT_USERNAME=$username
DEFAULT_PASSWORD=$password
USE_FLAGS=''
@@ -55,13 +70,16 @@ OUTPUT_FORMAT=$outputFormat";
$client->addServer();
$handle = $client->doBackground("invoke_image_build", $iniString);
- $db = mysql_connect(MYSQL_HOSTNAME, MYSQL_USERNAME, MYSQL_PASSWORD);
- if (!$db) {
- die("Could not connect to database ".mysql_error());
+ $db = new mysqli(MYSQL_HOSTNAME, MYSQL_USERNAME,
+ MYSQL_PASSWORD, MYSQL_DATABASE);
+ if (mysqli_connect_errno()) {
+ die("Could not connect to database ".mysqli_connect_error());
}
- mysql_select_db(MYSQL_DATABASE);
- $query = "INSERT INTO builds (id, handle) ".
- "VALUES('".$buildID."','".$handle."')";
- mysql_query($query);
+
+ $stmt = $db->prepare("INSERT INTO builds (id, handle) VALUES(?, ?)");
+ $stmt->bind_param("ss", $buildID, $handle);
+ $stmt->execute();
+ $stmt->close();
+ $db->close();
header("Location: finished.php?uuid=".$buildID); \ No newline at end of file
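Review bot: The return values of the new `$db->prepare(...)` and `$stmt->execute()` are never checked, so a failed prepare becomes a fatal error at `bind_param` and a failed insert still redirects the user to `finished.php` with a uuid that no row records, even though the background build job was already submitted on the line above. Guard both with `if ($stmt === false || !$stmt->execute()) { die("Could not record build"); }` before `$stmt->close()`. The `die("Could not connect to database ".mysqli_connect_error())` keeps the old pattern of echoing driver error text to the client; logging the detail with `error_log()` and returning a generic message avoids disclosing host or credential details in the response. Finally, the `header("Location: ...")` call should be followed by `exit;` so that nothing after it can be emitted if the file grows.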