From 00de0ce0817f36b5acba70362a4c30c8fa7aaf11 Mon Sep 17 00:00:00 2001
From: Cassio de Campos <cassiopc@gmail.com>
Date: Mon, 31 Jul 2017 20:29:41 +0100
Subject: sanitising

---
 src/fproblem.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'src/fproblem.php')

diff --git a/src/fproblem.php b/src/fproblem.php
index c3eed4a..6954836 100644
--- a/src/fproblem.php
+++ b/src/fproblem.php
@@ -168,8 +168,8 @@ function DBGetFullProblemData($contestnumber,$freeproblems=false) {
 						if(!$failed) {
 							$descfile='';
 							if(isset($info['descfile']))
-								$descfile=trim(sanitizeText($info['descfile']));
-							$basename=trim(sanitizeText($info['basename']));
+								$descfile=trim(sanitizeFilename($info['descfile']));
+							$basename=trim(sanitizeFilename($info['basename']));
 							$fullname=trim(sanitizeText($info['fullname']));
 							if($basename=='' || $fullname=='')
 								$failed=3;
@@ -229,7 +229,7 @@ function DBDeleteProblem($contestnumber, $param, $c=null) {
 	$ac=array('number','inputfilename');
 	foreach($ac as $key) {
 		if(!isset($param[$key])) return false;
-		$$key = sanitizeText($param[$key]);
+		$$key = myhtmlspecialchars($param[$key]);
 	}
 
 	$sql = "select * from problemtable where problemnumber=$number and contestnumber=$contestnumber and fake='f'";
@@ -289,6 +289,7 @@ function DBNewProblem($contestnumber, $param, $c=null) {
 	if(isset($param['problemcolor']) && !isset($param['color'])) $param['color']=$param['problemcolor'];
 	if(isset($param['probleminputfile']) && !isset($param['inputfilepath'])) $param['inputfilepath']=$param['probleminputfile'];
 	if(isset($param['probleminputfilename']) && !isset($param['inputfilename'])) $param['inputfilename']=$param['probleminputfilename'];
+	$param['basename'] = sanitizeFilename($param['basename']);
 	
 	$ac=array('number','name');
 	$type['number']=1;
@@ -307,7 +308,7 @@ function DBNewProblem($contestnumber, $param, $c=null) {
 			MSGError("DBNewProblem param error: $key is not numeric");
 			return false;
 		}
-		$$key = sanitizeText($param[$key]);
+		$$key = myhtmlspecialchars($param[$key]);
 	}
 	$basename='';
 	$inputfilename='';
@@ -320,7 +321,7 @@ function DBNewProblem($contestnumber, $param, $c=null) {
 				MSGError("DBNewProblem param error: $key is not numeric");
 				return false;
 			}
-			$$key = sanitizeText($param[$key]);
+			$$key = myhtmlspecialchars($param[$key]);
 		}
 	}
 	$t = time();
-- 
cgit v1.2.3