diff --git a/core/event.php b/core/event.php index 63e14781..999c7c3e 100644 --- a/core/event.php +++ b/core/event.php @@ -101,6 +101,15 @@ class PageRequestEvent extends Event } } + public function req_GET(string $key): string + { + $value = $this->get_GET($key); + if($value === null) { + throw new UserErrorException("Missing GET parameter {$key}"); + } + return $value; + } + public function get_POST(string $key): ?string { if(array_key_exists($key, $this->POST)) { @@ -113,6 +122,15 @@ class PageRequestEvent extends Event } } + public function req_POST(string $key): string + { + $value = $this->get_POST($key); + if($value === null) { + throw new UserErrorException("Missing POST parameter {$key}"); + } + return $value; + } + /** * Test if the requested path matches a given pattern. * diff --git a/ext/admin/main.php b/ext/admin/main.php index 8e17fb7d..813fc5d2 100644 --- a/ext/admin/main.php +++ b/ext/admin/main.php @@ -57,7 +57,7 @@ class AdminPage extends Extension send_event(new AdminBuildingEvent($page)); } else { $action = $event->get_arg(0); - $aae = new AdminActionEvent($action, $_POST); + $aae = new AdminActionEvent($action, $event->POST); if ($user->check_auth_token()) { log_info("admin", "Util: $action"); diff --git a/ext/approval/main.php b/ext/approval/main.php index 7a8b5bc0..5223e4d7 100644 --- a/ext/approval/main.php +++ b/ext/approval/main.php @@ -42,14 +42,7 @@ class Approval extends Extension if ($event->page_matches("approve_image") && $user->can(Permissions::APPROVE_IMAGE)) { // Try to get the image ID - $image_id = int_escape($event->get_arg(0)); - if (empty($image_id)) { - $image_id = isset($_POST['image_id']) ? $_POST['image_id'] : null; - } - if (empty($image_id)) { - throw new SCoreException("Can not approve post: No valid Post ID given."); - } - + $image_id = int_escape(null_throws($event->get_arg(0))); self::approve_image($image_id); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("post/view/" . $image_id)); 
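Review bot: `req_GET` and `req_POST` (the -113 hunk as well) carry no docblock, and their `string` return type cannot pass a form field that PHP parses as an array; later hunks in this change call `req_POST('imgs')` and `req_POST('check')` on exactly such fields, which will raise a TypeError (already at `get_POST`'s `?string` return) if those values reach `$this->POST` as arrays. A one-line docblock would make the contract explicit: `/** Like get_GET() but throws UserErrorException when $key is absent; scalar fields only. */`. Either an array-capable accessor or a documented scalar-only restriction is needed before those callers can work.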
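Review bot: The new `int_escape(null_throws($event->get_arg(0)))` at the top of the approve branch only rejects a missing path argument; the removed `empty($image_id)` check also rejected a zero or non-numeric id, which `int_escape` presumably maps to 0, so `approve_image(0)` is now reachable. A guard such as `if ($image_id <= 0) { throw new UserErrorException("No valid Post ID given."); }` after the assignment restores that. The same replacement appears in the disapprove hunk, ext/private_image/main.php (-45, -67), ext/resize/main.php, ext/rotate/main.php and ext/trash/main.php.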
@@ -57,14 +50,7 @@ class Approval extends Extension if ($event->page_matches("disapprove_image") && $user->can(Permissions::APPROVE_IMAGE)) { // Try to get the image ID - $image_id = int_escape($event->get_arg(0)); - if (empty($image_id)) { - $image_id = isset($_POST['image_id']) ? $_POST['image_id'] : null; - } - if (empty($image_id)) { - throw new SCoreException("Can not disapprove image: No valid Post ID given."); - } - + $image_id = int_escape(null_throws($event->get_arg(0))); self::disapprove_image($image_id); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("post/view/".$image_id)); diff --git a/ext/approval/theme.php b/ext/approval/theme.php index 2dc28226..e1783625 100644 --- a/ext/approval/theme.php +++ b/ext/approval/theme.php @@ -17,13 +17,11 @@ class ApprovalTheme extends Themelet if ($image['approved'] === true) { $form = SHM_SIMPLE_FORM( 'disapprove_image/'.$image->id, - INPUT(["type" => 'hidden', "name" => 'image_id', "value" => $image->id]), SHM_SUBMIT("Disapprove") ); } else { $form = SHM_SIMPLE_FORM( 'approve_image/'.$image->id, - INPUT(["type" => 'hidden', "name" => 'image_id', "value" => $image->id]), SHM_SUBMIT("Approve") ); } diff --git a/ext/artists/main.php b/ext/artists/main.php index ec71d447..e1c259f7 100644 --- a/ext/artists/main.php +++ b/ext/artists/main.php @@ -256,14 +256,14 @@ class Artists extends Extension } case "edit_artist": { - $artistID = $_POST['artist_id']; + $artistID = int_escape($event->req_POST('artist_id')); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("artist/edit/".$artistID)); break; } case "edited": { - $artistID = int_escape($_POST['id']); + $artistID = int_escape($event->get_POST('id')); $this->update_artist(); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("artist/view/".$artistID)); 
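Review bot: In the `edited` case `$artistID = int_escape($event->get_POST('id'))` passes a nullable value into `int_escape` while every sibling case in this hunk uses `req_POST`; if `id` is absent the outcome depends on `int_escape`'s parameter type, which is not visible here (a TypeError under strict types, otherwise a silent redirect to artist 0). `$artistID = int_escape($event->req_POST('id'));` keeps the handler consistent and fails with the same UserErrorException as the rest of the file. The same nullable-into-`int_escape` pattern appears in ext/featured/main.php (-20) and ext/pm/main.php (-254, -271).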
@@ -271,7 +271,7 @@ class Artists extends Extension } case "nuke_artist": { - $artistID = $_POST['artist_id']; + $artistID = int_escape($event->req_POST('artist_id')); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("artist/nuke/".$artistID)); break; @@ -286,19 +286,19 @@ class Artists extends Extension } case "add_alias": { - $artistID = $_POST['artist_id']; + $artistID = int_escape($event->req_POST('artist_id')); $this->theme->show_new_alias_composer($artistID); break; } case "add_member": { - $artistID = $_POST['artist_id']; + $artistID = int_escape($event->req_POST('artist_id')); $this->theme->show_new_member_composer($artistID); break; } case "add_url": { - $artistID = $_POST['artist_id']; + $artistID = int_escape($event->req_POST('artist_id')); $this->theme->show_new_url_composer($artistID); break; } @@ -308,7 +308,7 @@ class Artists extends Extension switch ($event->get_arg(1)) { case "add": { - $artistID = $_POST['artistID']; + $artistID = int_escape($event->req_POST('artist_id')); $this->add_alias(); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("artist/view/".$artistID)); @@ -333,7 +333,7 @@ class Artists extends Extension case "edited": { $this->update_alias(); - $aliasID = int_escape($_POST['aliasID']); + $aliasID = int_escape($event->req_POST('aliasID')); $artistID = $this->get_artistID_by_aliasID($aliasID); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("artist/view/".$artistID)); @@ -349,7 +349,7 @@ class Artists extends Extension switch ($event->get_arg(1)) { case "add": { - $artistID = $_POST['artistID']; + $artistID = int_escape($event->req_POST('artist_id')); $this->add_urls(); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("artist/view/".$artistID)); 
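Review bot: The alias `add` case now reads `req_POST('artist_id')` where the removed line read `$_POST['artistID']`; unless the alias composer form (not part of this diff) was renamed to match, every alias add request will throw "Missing POST parameter artist_id". The url and member `add` cases (-349 here, -389 in the next chunk) make the same rename, while the `edited` cases keep camelCase keys (`aliasID`, `urlID`, `memberID`), so field naming is now mixed within one file, and `$this->add_alias()` appears to still read the request on its own. Please confirm the theme posts `artist_id`, or keep `req_POST('artistID')` until the form is updated.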
@@ -374,7 +374,7 @@ class Artists extends Extension case "edited": { $this->update_url(); - $urlID = int_escape($_POST['urlID']); + $urlID = int_escape($event->req_POST('urlID')); $artistID = $this->get_artistID_by_urlID($urlID); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("artist/view/".$artistID)); @@ -389,7 +389,7 @@ class Artists extends Extension switch ($event->get_arg(1)) { case "add": { - $artistID = $_POST['artistID']; + $artistID = int_escape($event->req_POST('artist_id')); $this->add_members(); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("artist/view/".$artistID)); @@ -414,7 +414,7 @@ class Artists extends Extension case "edited": { $this->update_member(); - $memberID = int_escape($_POST['memberID']); + $memberID = int_escape($event->req_POST('memberID')); $artistID = $this->get_artistID_by_memberID($memberID); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("artist/view/".$artistID)); diff --git a/ext/biography/main.php b/ext/biography/main.php index d645cd93..fbe5ada3 100644 --- a/ext/biography/main.php +++ b/ext/biography/main.php @@ -28,7 +28,7 @@ class Biography extends Extension global $page, $user, $user_config; if ($event->page_matches("biography")) { if ($user->check_auth_token()) { - $user_config->set_string("biography", $_POST['biography']); + $user_config->set_string("biography", $event->get_POST('biography')); $page->flash("Bio Updated"); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(referer_or(make_link())); diff --git a/ext/blocks/main.php b/ext/blocks/main.php index e06eccaa..bd4bf1f1 100644 --- a/ext/blocks/main.php +++ b/ext/blocks/main.php 
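Review bot: `$user_config->set_string("biography", $event->get_POST('biography'))` hands a nullable value to `set_string` when the field is absent; whether that stores an empty string or raises depends on `set_string`'s parameter type, which is not visible here. Since the other handlers in this change use the throwing accessor for required fields, `$user_config->set_string("biography", $event->req_POST('biography'));` would make the missing-field case explicit.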
@@ -74,8 +74,8 @@ class Blocks extends Extension $database->execute(" INSERT INTO blocks (pages, title, area, priority, content, userclass) VALUES (:pages, :title, :area, :priority, :content, :userclass) - ", ['pages' => $_POST['pages'], 'title' => $_POST['title'], 'area' => $_POST['area'], 'priority' => (int)$_POST['priority'], 'content' => $_POST['content'], 'userclass' => $_POST['userclass']]); - log_info("blocks", "Added Block #".($database->get_last_insert_id('blocks_id_seq'))." (".$_POST['title'].")"); + ", ['pages' => $event->req_POST('pages'), 'title' => $event->req_POST('title'), 'area' => $event->req_POST('area'), 'priority' => (int)$event->req_POST('priority'), 'content' => $event->req_POST('content'), 'userclass' => $event->req_POST('userclass')]); + log_info("blocks", "Added Block #".($database->get_last_insert_id('blocks_id_seq'))." (".$event->req_POST('title').")"); $cache->delete("blocks"); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("blocks/list")); 
@@ -83,18 +83,18 @@ class Blocks extends Extension } if ($event->get_arg(0) == "update") { if ($user->check_auth_token()) { - if (!empty($_POST['delete'])) { + if (!empty($event->req_POST('delete'))) { $database->execute(" DELETE FROM blocks WHERE id=:id - ", ['id' => $_POST['id']]); - log_info("blocks", "Deleted Block #".$_POST['id']); + ", ['id' => $event->req_POST('id')]); + log_info("blocks", "Deleted Block #".$event->req_POST('id')); } else { $database->execute(" UPDATE blocks SET pages=:pages, title=:title, area=:area, priority=:priority, content=:content, userclass=:userclass WHERE id=:id - ", ['pages' => $_POST['pages'], 'title' => $_POST['title'], 'area' => $_POST['area'], 'priority' => (int)$_POST['priority'], 'content' => $_POST['content'], 'userclass' => $_POST['userclass'], 'id' => $_POST['id']]); - log_info("blocks", "Updated Block #".$_POST['id']." (".$_POST['title'].")"); + ", ['pages' => $event->req_POST('pages'), 'title' => $event->req_POST('title'), 'area' => $event->req_POST('area'), 'priority' => (int)$event->req_POST('priority'), 'content' => $event->req_POST('content'), 'userclass' => $event->req_POST('userclass'), 'id' => $event->req_POST('id')]); + log_info("blocks", "Updated Block #".$event->req_POST('id')." (".$event->req_POST('title').")"); } $cache->delete("blocks"); $page->set_mode(PageMode::REDIRECT); diff --git a/ext/blotter/main.php b/ext/blotter/main.php index 0a4dc1bb..fc2eb506 100644 --- a/ext/blotter/main.php +++ b/ext/blotter/main.php 
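Review bot: `if (!empty($event->req_POST('delete')))` breaks the update path: `req_POST` throws UserErrorException when `delete` is absent, so a request without the delete field never reaches the `else` branch that runs the UPDATE, whereas the removed `!empty($_POST['delete'])` treated absence as false. Use the nullable accessor here, `if (!empty($event->get_POST('delete'))) {`. The same absent-field-means-false logic is turned into a throw in ext/pools/main.php (-313, `order_view`).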
@@ -92,11 +92,8 @@ class Blotter extends Extension if (!$user->can(Permissions::BLOTTER_ADMIN) || !$user->check_auth_token()) { $this->theme->display_permission_denied(); } else { - $entry_text = $_POST['entry_text']; - if ($entry_text == "") { - die("No entry message!"); - } - $important = isset($_POST['important']); + $entry_text = $event->req_POST('entry_text'); + $important = !is_null($event->get_POST('important')); // Now insert into db: $database->execute( "INSERT INTO blotter (entry_date, entry_text, important) VALUES (now(), :text, :important)", @@ -114,7 +111,7 @@ class Blotter extends Extension if (!$user->can(Permissions::BLOTTER_ADMIN) || !$user->check_auth_token()) { $this->theme->display_permission_denied(); } else { - $id = int_escape($_POST['id']); + $id = int_escape($event->req_POST('id')); $database->execute("DELETE FROM blotter WHERE id=:id", ["id" => $id]); log_info("blotter", "Removed Entry #$id"); $page->set_mode(PageMode::REDIRECT); diff --git a/ext/bulk_actions/main.php b/ext/bulk_actions/main.php index 90a727d5..deea4e7a 100644 --- a/ext/bulk_actions/main.php +++ b/ext/bulk_actions/main.php @@ -170,11 +170,7 @@ class BulkActions extends Extension { global $page, $user; if ($event->page_matches("bulk_action") && $user->can(Permissions::PERFORM_BULK_ACTIONS)) { - if (!isset($_POST['bulk_action'])) { - return; - } - - $action = $_POST['bulk_action']; + $action = $event->req_POST('bulk_action'); try { $items = null; diff --git a/ext/bulk_add/main.php b/ext/bulk_add/main.php index 88e44ce8..697f333a 100644 --- a/ext/bulk_add/main.php +++ b/ext/bulk_add/main.php 
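Review bot: Replacing the `die("No entry message!")` check with `req_POST('entry_text')` only rejects a missing field; an empty string is now accepted and inserted as a blank blotter entry. Keep the validation, with an exception rather than `die`, e.g. `if ($entry_text === "") { throw new UserErrorException("No entry message!"); }` directly after the assignment.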
@@ -31,9 +31,10 @@ class BulkAdd extends Extension { global $page, $user; if ($event->page_matches("bulk_add")) { - if ($user->can(Permissions::BULK_ADD) && $user->check_auth_token() && isset($_POST['dir'])) { + $dir = $event->get_POST('dir'); + if ($user->can(Permissions::BULK_ADD) && $user->check_auth_token() && $dir) { shm_set_timeout(null); - $bae = send_event(new BulkAddEvent($_POST['dir'])); + $bae = send_event(new BulkAddEvent($dir)); $this->theme->display_upload_results($page, $bae->results); } } diff --git a/ext/bulk_add_csv/main.php b/ext/bulk_add_csv/main.php index 94e93fcf..cbdd7f62 100644 --- a/ext/bulk_add_csv/main.php +++ b/ext/bulk_add_csv/main.php @@ -17,9 +17,10 @@ class BulkAddCSV extends Extension { global $page, $user; if ($event->page_matches("bulk_add_csv")) { - if ($user->can(Permissions::BULK_ADD) && $user->check_auth_token() && isset($_POST['csv'])) { + $csv = $event->get_POST('csv'); + if ($user->can(Permissions::BULK_ADD) && $user->check_auth_token() && $csv) { shm_set_timeout(null); - $this->add_csv($_POST['csv']); + $this->add_csv($csv); $this->theme->display_upload_results($page); } } diff --git a/ext/et_server/main.php b/ext/et_server/main.php index c78c30b2..5543fdf4 100644 --- a/ext/et_server/main.php +++ b/ext/et_server/main.php @@ -12,10 +12,11 @@ class ETServer extends Extension { global $database, $page, $user; if ($event->page_matches("register.php")) { - if (isset($_POST["data"])) { + $data = $event->get_POST("data"); + if ($data) { $database->execute( "INSERT INTO registration(data) VALUES(:data)", - ["data" => $_POST["data"]] + ["data" => $data] ); $page->set_title("Thanks!"); $page->set_heading("Thanks!"); diff --git a/ext/ext_manager/main.php b/ext/ext_manager/main.php index 55f21024..74bc5459 100644 --- a/ext/ext_manager/main.php +++ b/ext/ext_manager/main.php 
@@ -32,7 +32,7 @@ class ExtManager extends Extension if ($user->can(Permissions::MANAGE_EXTENSION_LIST)) { if ($event->count_args() == 1 && $event->get_arg(0) == "set" && $user->check_auth_token()) { if (is_writable("data/config")) { - $this->set_things($_POST); + $this->set_things($event->POST); log_warning("ext_manager", "Active extensions changed", "Active extensions changed"); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("ext_manager")); diff --git a/ext/favorites/main.php b/ext/favorites/main.php index 459cf5a6..4fc1dab2 100644 --- a/ext/favorites/main.php +++ b/ext/favorites/main.php @@ -60,9 +60,10 @@ class Favorites extends Extension { global $page, $user; if ($event->page_matches("change_favorite") && !$user->is_anonymous() && $user->check_auth_token()) { - $image_id = int_escape($_POST['image_id']); - if ((($_POST['favorite_action'] == "set") || ($_POST['favorite_action'] == "unset")) && ($image_id > 0)) { - if ($_POST['favorite_action'] == "set") { + $image_id = int_escape($event->req_POST('image_id')); + $action = $event->req_POST('favorite_action'); + if ((($action == "set") || ($action == "unset")) && ($image_id > 0)) { + if ($action == "set") { send_event(new FavoriteSetEvent($image_id, $user, true)); log_debug("favourite", "Favourite set for $image_id", "Favourite added"); } else { diff --git a/ext/featured/main.php b/ext/featured/main.php index e0d05f0b..803f5cb1 100644 --- a/ext/featured/main.php +++ b/ext/featured/main.php 
@@ -20,14 +20,12 @@ class Featured extends Extension global $config, $page, $user; if ($event->page_matches("featured_image")) { if ($event->get_arg(0) == "set" && $user->check_auth_token()) { - if ($user->can(Permissions::EDIT_FEATURE) && isset($_POST['image_id'])) { - $id = int_escape($_POST['image_id']); - if ($id > 0) { - $config->set_int("featured_id", $id); - log_info("featured", "Featured post set to >>$id", "Featured post set"); - $page->set_mode(PageMode::REDIRECT); - $page->set_redirect(make_link("post/view/$id")); - } + $id = int_escape($event->get_POST('image_id')); + if ($user->can(Permissions::EDIT_FEATURE) && $id > 0) { + $config->set_int("featured_id", $id); + log_info("featured", "Featured post set to >>$id", "Featured post set"); + $page->set_mode(PageMode::REDIRECT); + $page->set_redirect(make_link("post/view/$id")); } } if ($event->get_arg(0) == "download") { diff --git a/ext/media/main.php b/ext/media/main.php index 3d57a9e1..29c4312b 100644 --- a/ext/media/main.php +++ b/ext/media/main.php @@ -74,8 +74,12 @@ class Media extends Extension { global $page, $user; - if ($event->page_matches("media_rescan/") && $user->can(Permissions::RESCAN_MEDIA) && isset($_POST['image_id'])) { - $image = Image::by_id(int_escape($_POST['image_id'])); + if ( + $event->page_matches("media_rescan/") && + $user->can(Permissions::RESCAN_MEDIA) && + $event->get_POST('image_id') + ) { + $image = Image::by_id(int_escape($event->get_POST('image_id'))); send_event(new MediaCheckPropertiesEvent($image)); $image->save_to_db(); diff --git a/ext/notes/main.php b/ext/notes/main.php index a495b006..bee206bd 100644 --- a/ext/notes/main.php +++ b/ext/notes/main.php 
@@ -108,18 +108,20 @@ class Notes extends Extension break; case "add_request": + $image_id = int_escape($event->req_POST("image_id")); if (!$user->is_anonymous()) { - $this->add_note_request(); + $this->add_note_request($image_id); } $page->set_mode(PageMode::REDIRECT); - $page->set_redirect(make_link("post/view/".$_POST["image_id"])); + $page->set_redirect(make_link("post/view/$image_id")); break; case "nuke_requests": + $image_id = int_escape($event->req_POST("image_id")); if ($user->can(Permissions::NOTES_ADMIN)) { - $this->nuke_requests(); + $this->nuke_requests($image_id); } $page->set_mode(PageMode::REDIRECT); - $page->set_redirect(make_link("post/view/".$_POST["image_id"])); + $page->set_redirect(make_link("post/view/$image_id")); break; case "create_note": @@ -147,12 +149,13 @@ class Notes extends Extension } break; case "nuke_notes": + $image_id = int_escape($event->req_POST("image_id")); if ($user->can(Permissions::NOTES_ADMIN)) { - $this->nuke_notes(); + $this->nuke_notes($image_id); } $page->set_mode(PageMode::REDIRECT); - $page->set_redirect(make_link("post/view/".$_POST["image_id"])); + $page->set_redirect(make_link("post/view/$image_id")); break; default: @@ -295,11 +298,10 @@ class Notes extends Extension return $noteID; } - private function add_note_request(): void + private function add_note_request(int $image_id): void { global $database, $user; - $image_id = int_escape($_POST["image_id"]); $user_id = $user->id; $database->execute( 
@@ -346,18 +348,16 @@ class Notes extends Extension log_info("notes", "Note deleted {$note["note_id"]} by {$user->name}"); } - private function nuke_notes(): void + private function nuke_notes(int $image_id): void { global $database, $user; - $image_id = int_escape($_POST["image_id"]); $database->execute("DELETE FROM notes WHERE image_id = :image_id", ['image_id' => $image_id]); log_info("notes", "Notes deleted from {$image_id} by {$user->name}"); } - private function nuke_requests(): void + private function nuke_requests(int $image_id): void { global $database, $user; - $image_id = int_escape($_POST["image_id"]); $database->execute("DELETE FROM note_request WHERE image_id = :image_id", ['image_id' => $image_id]); diff --git a/ext/numeric_score/main.php b/ext/numeric_score/main.php index b11d36ec..a257fb95 100644 --- a/ext/numeric_score/main.php +++ b/ext/numeric_score/main.php @@ -158,8 +158,8 @@ class NumericScore extends Extension die($html); } elseif ($event->page_matches("numeric_score_vote") && $user->check_auth_token()) { if ($user->can(Permissions::CREATE_VOTE)) { - $image_id = int_escape($_POST['image_id']); - $score = int_escape($_POST['vote']); + $image_id = int_escape($event->req_POST("image_id")); + $score = int_escape($event->req_POST("vote")); if (($score == -1 || $score == 0 || $score == 1) && $image_id > 0) { send_event(new NumericScoreSetEvent($image_id, $user, $score)); } @@ -168,7 +168,7 @@ class NumericScore extends Extension } } elseif ($event->page_matches("numeric_score/remove_votes_on") && $user->check_auth_token()) { if ($user->can(Permissions::EDIT_OTHER_VOTE)) { - $image_id = int_escape($_POST['image_id']); + $image_id = int_escape($event->req_POST("image_id")); $database->execute( "DELETE FROM numeric_score_votes WHERE image_id=:image_id", ['image_id' => $image_id] 
@@ -182,7 +182,7 @@ class NumericScore extends Extension } } elseif ($event->page_matches("numeric_score/remove_votes_by") && $user->check_auth_token()) { if ($user->can(Permissions::EDIT_OTHER_VOTE)) { - $this->delete_votes_by(int_escape($_POST['user_id'])); + $this->delete_votes_by(int_escape($event->req_POST('user_id'))); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link()); } diff --git a/ext/pm/main.php b/ext/pm/main.php index 4d8bdb4f..b77654d5 100644 --- a/ext/pm/main.php +++ b/ext/pm/main.php @@ -254,7 +254,7 @@ class PrivMsg extends Extension case "delete": if ($user->can(Permissions::READ_PM)) { if ($user->check_auth_token()) { - $pm_id = int_escape($_POST["pm_id"]); + $pm_id = int_escape($event->get_POST("pm_id")); $pm = $database->get_row("SELECT * FROM private_message WHERE id = :id", ["id" => $pm_id]); if (is_null($pm)) { $this->theme->display_error(404, "No such PM", "There is no PM #$pm_id"); @@ -271,10 +271,10 @@ class PrivMsg extends Extension case "send": if ($user->can(Permissions::SEND_PM)) { if ($user->check_auth_token()) { - $to_id = int_escape($_POST["to_id"]); + $to_id = int_escape($event->get_POST("to_id")); $from_id = $user->id; - $subject = $_POST["subject"]; - $message = $_POST["message"]; + $subject = $event->req_POST("subject"); + $message = $event->req_POST("message"); send_event(new SendPMEvent(new PM($from_id, get_real_ip(), $to_id, $subject, $message))); $page->flash("PM sent"); $page->set_mode(PageMode::REDIRECT); diff --git a/ext/pools/main.php b/ext/pools/main.php index e1a4dde4..fe5bf924 100644 --- a/ext/pools/main.php +++ b/ext/pools/main.php 
@@ -263,12 +263,11 @@ class Pools extends Extension case "create": // ADD _POST try { - $title = $_POST["title"]; $event = send_event(new PoolCreationEvent( - $title, + $event->req_POST("title"), $user, - bool_escape($_POST["public"]), - $_POST["description"] + bool_escape($event->req_POST("public")), + $event->req_POST("description") )); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("pool/view/" . $event->new_id)); @@ -296,7 +295,7 @@ class Pools extends Extension break; case "edit": // Edit the pool (remove images) - $pool_id = int_escape($_POST["pool_id"]); + $pool_id = int_escape($event->req_POST("pool_id")); $pool = $this->get_single_pool($pool_id); if ($this->have_permission($user, $pool)) { @@ -313,10 +312,10 @@ class Pools extends Extension break; case "order": // Order the pool (view and change the order of images within the pool) - $pool_id = int_escape($_POST["pool_id"]); + $pool_id = int_escape($event->req_POST("pool_id")); $pool = $this->get_single_pool($pool_id); - if (isset($_POST["order_view"])) { + if (isset($event->req_POST("order_view"))) { if ($this->have_permission($user, $pool)) { $result = $database->execute( "SELECT image_id FROM pool_images WHERE pool_id=:pid ORDER BY image_order ASC", @@ -342,14 +341,14 @@ class Pools extends Extension } } else { if ($this->have_permission($user, $pool)) { - foreach ($_POST['imgs'] as $data) { + foreach ($event->req_POST('imgs') as $data) { list($imageORDER, $imageID) = $data; $database->execute( " UPDATE pool_images SET image_order = :ord WHERE pool_id = :pid AND image_id = :iid", - ["ord" => $imageORDER, "pid" => int_escape($_POST['pool_id']), "iid" => $imageID] + ["ord" => $imageORDER, "pid" => int_escape($event->req_POST('pool_id')), "iid" => $imageID] ); } $page->set_mode(PageMode::REDIRECT); 
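Review bot: `isset($event->req_POST("order_view"))` at the top of the `order` case is a compile-time fatal error in PHP (`isset()` cannot be applied to the result of a function call), so this file no longer parses. Even with that fixed, `req_POST` throws when `order_view` is absent, which is exactly the condition the `else` (reorder) branch relies on. The line should read `if ($event->get_POST("order_view") !== null) {`.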
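Review bot: `foreach ($event->req_POST('imgs') as $data)` cannot work: `imgs` is posted as a nested array (the loop destructures each element with `list($imageORDER, $imageID)`), and `req_POST` is declared to return `string`, so the call will raise a TypeError via `get_POST`'s `?string` return instead of yielding the array. The same applies to `req_POST('check')` in the `add_posts` and `remove_posts` cases (-404, -418 in the next chunk); these need an accessor that returns the raw array, e.g. reading `$event->POST['imgs']` after an `array_key_exists` check. Also, `int_escape($event->req_POST('pool_id'))` inside the loop re-parses the request on every iteration although `$pool_id` was already computed at the start of the `order` case.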
@@ -360,7 +359,7 @@ class Pools extends Extension } break; case "reverse": - $pool_id = int_escape($_POST["pool_id"]); + $pool_id = int_escape($event->req_POST("pool_id")); $pool = $this->get_single_pool($pool_id); if ($this->have_permission($user, $pool)) { @@ -389,13 +388,13 @@ class Pools extends Extension } break; case "import": - $pool_id = int_escape($_POST["pool_id"]); + $pool_id = int_escape($event->req_POST("pool_id")); $pool = $this->get_single_pool($pool_id); if ($this->have_permission($user, $pool)) { $images = Search::find_images( limit: $config->get_int(PoolsConfig::MAX_IMPORT_RESULTS, 1000), - tags: Tag::explode($_POST["pool_tag"]) + tags: Tag::explode($event->req_POST("pool_tag")) ); $this->theme->pool_result($page, $images, $pool); } else { @@ -404,11 +403,11 @@ class Pools extends Extension break; case "add_posts": - $pool_id = int_escape($_POST["pool_id"]); + $pool_id = int_escape($event->req_POST("pool_id")); $pool = $this->get_single_pool($pool_id); if ($this->have_permission($user, $pool)) { - $image_ids = array_map('intval', $_POST['check']); + $image_ids = array_map('intval', $event->req_POST('check')); send_event(new PoolAddPostsEvent($pool_id, $image_ids)); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("pool/view/" . $pool_id)); @@ -418,12 +417,12 @@ class Pools extends Extension break; case "remove_posts": - $pool_id = int_escape($_POST["pool_id"]); + $pool_id = int_escape($event->req_POST("pool_id")); $pool = $this->get_single_pool($pool_id); if ($this->have_permission($user, $pool)) { $images = ""; - foreach ($_POST['check'] as $imageID) { + foreach ($event->req_POST('check') as $imageID) { $database->execute( "DELETE FROM pool_images WHERE pool_id = :pid AND image_id = :iid", ["pid" => $pool_id, "iid" => $imageID] 
@@ -444,13 +443,13 @@ class Pools extends Extension break; case "edit_description": - $pool_id = int_escape($_POST["pool_id"]); + $pool_id = int_escape($event->req_POST("pool_id")); $pool = $this->get_single_pool($pool_id); if ($this->have_permission($user, $pool)) { $database->execute( "UPDATE pools SET description=:dsc,lastupdated=CURRENT_TIMESTAMP WHERE id=:pid", - ["dsc" => $_POST['description'], "pid" => $pool_id] + ["dsc" => $event->req_POST('description'), "pid" => $pool_id] ); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link("pool/view/" . $pool_id)); @@ -463,7 +462,7 @@ class Pools extends Extension case "nuke": // Completely remove the given pool. // -> Only admins and owners may do this - $pool_id = int_escape($_POST["pool_id"]); + $pool_id = int_escape($event->req_POST("pool_id")); $pool = $this->get_single_pool($pool_id); if ($user->can(Permissions::POOLS_ADMIN) || $user->id == $pool->user_id) { diff --git a/ext/private_image/main.php b/ext/private_image/main.php index 81d01836..c87be1ea 100644 --- a/ext/private_image/main.php +++ b/ext/private_image/main.php @@ -45,13 +45,7 @@ class PrivateImage extends Extension if ($event->page_matches("privatize_image") && $user->can(Permissions::SET_PRIVATE_IMAGE)) { // Try to get the image ID - $image_id = int_escape($event->get_arg(0)); - if (empty($image_id)) { - $image_id = isset($_POST['image_id']) ? $_POST['image_id'] : null; - } - if (empty($image_id)) { - throw new SCoreException("Can not make image private: No valid Post ID given."); - } + $image_id = int_escape(null_throws($event->get_arg(0))); $image = Image::by_id($image_id); if ($image == null) { throw new SCoreException("Post not found."); 
@@ -67,13 +61,7 @@ class PrivateImage extends Extension if ($event->page_matches("publicize_image")) { // Try to get the image ID - $image_id = int_escape($event->get_arg(0)); - if (empty($image_id)) { - $image_id = isset($_POST['image_id']) ? $_POST['image_id'] : null; - } - if (empty($image_id)) { - throw new SCoreException("Can not make image public: No valid Post ID given."); - } + $image_id = int_escape(null_throws($event->get_arg(0))); $image = Image::by_id($image_id); if ($image == null) { throw new SCoreException("Post not found."); @@ -93,15 +81,12 @@ class PrivateImage extends Extension } switch ($event->get_arg(0)) { case "private_image": - if (!array_key_exists("id", $_POST) || empty($_POST["id"])) { - return; - } - $id = intval($_POST["id"]); + $id = int_escape($event->req_POST('id')); if ($id != $user->id) { throw new SCoreException("Cannot change another user's settings"); } - $set_default = array_key_exists("set_default", $_POST); - $view_default = array_key_exists("view_default", $_POST); + $set_default = array_key_exists("set_default", $event->POST); + $view_default = array_key_exists("view_default", $event->POST); $user_config->set_bool(PrivateImageConfig::USER_SET_DEFAULT, $set_default); $user_config->set_bool(PrivateImageConfig::USER_VIEW_DEFAULT, $view_default); diff --git a/ext/private_image/theme.php b/ext/private_image/theme.php index 9e8fe687..dc5d2fb8 100644 --- a/ext/private_image/theme.php +++ b/ext/private_image/theme.php @@ -13,13 +13,11 @@ class PrivateImageTheme extends Themelet if ($image['private'] === false) { $html = SHM_SIMPLE_FORM( 'privatize_image/'.$image->id, - INPUT(["type" => 'hidden', "name" => 'image_id', "value" => $image->id]), SHM_SUBMIT("Make Private") ); } else { $html = SHM_SIMPLE_FORM( 'publicize_image/'.$image->id, - INPUT(["type" => 'hidden', "name" => 'image_id', "value" => $image->id]), SHM_SUBMIT("Make Public") ); } diff --git a/ext/rating/main.php b/ext/rating/main.php index c845b609..cc6f19a7 100644 
--- a/ext/rating/main.php +++ b/ext/rating/main.php @@ -380,7 +380,7 @@ class Ratings extends Extension } else { $n = 0; while (true) { - $images = Search::find_images($n, 100, Tag::explode($_POST["query"])); + $images = Search::find_images($n, 100, Tag::explode($event->req_POST("query"))); if (count($images) == 0) { break; } @@ -388,15 +388,10 @@ class Ratings extends Extension reset($images); // rewind to first element in array. foreach ($images as $image) { - send_event(new RatingSetEvent($image, $_POST['rating'])); + send_event(new RatingSetEvent($image, $event->req_POST('rating'))); } $n += 100; } - #$database->execute(" - # update images set rating=:rating where images.id in ( - # select image_id from image_tags join tags - # on image_tags.tag_id = tags.id where tags.tag = :tag); - # ", ['rating'=>$_POST["rating"], 'tag'=>$_POST["tag"]]); $page->set_mode(PageMode::REDIRECT); $page->set_redirect(make_link()); } diff --git a/ext/replace_file/main.php b/ext/replace_file/main.php index 0ee32fff..2351ee2a 100644 --- a/ext/replace_file/main.php +++ b/ext/replace_file/main.php @@ -28,15 +28,15 @@ class ReplaceFile extends Extension if($event->method == "GET") { $this->theme->display_replace_page($page, $image_id); } elseif($event->method == "POST") { - if (!empty($_POST["url"])) { + if (!empty($event->get_POST("url"))) { $tmp_filename = shm_tempnam("transload"); - fetch_url($_POST["url"], $tmp_filename); + fetch_url($event->req_POST("url"), $tmp_filename); send_event(new ImageReplaceEvent($image, $tmp_filename)); } elseif (count($_FILES) > 0) { send_event(new ImageReplaceEvent($image, $_FILES["data"]['tmp_name'])); } - if(!empty($_POST["source"])) { - send_event(new SourceSetEvent($image, $_POST["source"])); + if($event->get_POST("source")) { + send_event(new SourceSetEvent($image, $event->req_POST("source"))); } $cache->delete("thumb-block:{$image_id}"); $page->set_mode(PageMode::REDIRECT); 
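Review bot: `Tag::explode($event->req_POST("query"))` is re-evaluated on every pass of the `while (true)` loop, and `req_POST('rating')` once per image in the following hunk (-388); both are request constants. Read them once before the loop, `$tags = Tag::explode($event->req_POST("query"));` and `$rating = $event->req_POST('rating');`, and use the variables inside, which also surfaces a missing field before any work is done.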
diff --git a/ext/resize/main.php b/ext/resize/main.php index fd6faeaa..ab7a28fc 100644 --- a/ext/resize/main.php +++ b/ext/resize/main.php @@ -123,14 +123,7 @@ class ResizeImage extends Extension if ($event->page_matches("resize") && $user->can(Permissions::EDIT_FILES)) { // Try to get the image ID - $image_id = int_escape($event->get_arg(0)); - if (empty($image_id)) { - $image_id = isset($_POST['image_id']) ? int_escape($_POST['image_id']) : null; - } - if (empty($image_id)) { - throw new ImageResizeException("Can not resize Image: No valid Post ID given."); - } - + $image_id = int_escape(null_throws($event->get_arg(0))); $image = Image::by_id($image_id); if (is_null($image)) { $this->theme->display_error(404, "Post not found", "No image in the database has the ID #$image_id"); diff --git a/ext/resize/theme.php b/ext/resize/theme.php index 36cbef8a..74dfb705 100644 --- a/ext/resize/theme.php +++ b/ext/resize/theme.php @@ -27,7 +27,6 @@ class ResizeImageTheme extends Themelet $html = rawHTML(" ".make_form(make_link("resize/{$image->id}"))." - x diff --git a/ext/rotate/main.php b/ext/rotate/main.php index 723be202..813dce34 100644 --- a/ext/rotate/main.php +++ b/ext/rotate/main.php 
@@ -55,39 +55,21 @@ class RotateImage extends Extension if ($event->page_matches("rotate") && $user->can(Permissions::EDIT_FILES)) { // Try to get the image ID - $image_id = int_escape($event->get_arg(0)); - if (empty($image_id)) { - $image_id = isset($_POST['image_id']) ? $_POST['image_id'] : null; - } - if (empty($image_id)) { - throw new ImageRotateException("Can not rotate Image: No valid Post ID given."); - } - + $image_id = int_escape(null_throws($event->get_arg(0))); $image = Image::by_id($image_id); if (is_null($image)) { $this->theme->display_error(404, "Post not found", "No image in the database has the ID #$image_id"); } else { /* Check if options were given to rotate an image. */ - if (isset($_POST['rotate_deg'])) { - /* get options */ + $deg = int_escape($event->req_POST('rotate_deg')); - $deg = 0; - - if (isset($_POST['rotate_deg'])) { - $deg = int_escape($_POST['rotate_deg']); - } - - /* Attempt to rotate the image */ - try { - $this->rotate_image($image_id, $deg); - - //$this->theme->display_rotate_page($page, $image_id); - - $page->set_mode(PageMode::REDIRECT); - $page->set_redirect(make_link("post/view/".$image_id)); - } catch (ImageRotateException $e) { - $this->theme->display_rotate_error($page, "Error Rotating", $e->error); - } + /* Attempt to rotate the image */ + try { + $this->rotate_image($image_id, $deg); + $page->set_mode(PageMode::REDIRECT); + $page->set_redirect(make_link("post/view/".$image_id)); + } catch (ImageRotateException $e) { + $this->theme->display_rotate_error($page, "Error Rotating", $e->error); } } } diff --git a/ext/rotate/theme.php b/ext/rotate/theme.php index 703006ea..cafcb06e 100644 --- a/ext/rotate/theme.php +++ b/ext/rotate/theme.php 
@@ -15,7 +15,6 @@ class RotateImageTheme extends Themelet
 {
 return SHM_SIMPLE_FORM(
 'rotate/'.$image_id,
- INPUT(["type" => 'hidden', "name" => 'image_id', "value" => $image_id]),
 INPUT(["type" => 'number', "name" => 'rotate_deg', "id" => "rotate_deg", "placeholder" => "Rotation degrees"]),
 INPUT(["type" => 'submit', "value" => 'Rotate', "id" => "rotatebutton"]),
 );
diff --git a/ext/trash/main.php b/ext/trash/main.php
index f6e24ac8..53830ec2 100644
--- a/ext/trash/main.php
+++ b/ext/trash/main.php
@@ -30,15 +30,7 @@ class Trash extends Extension
 global $page, $user;
 if ($event->page_matches("trash_restore") && $user->can(Permissions::VIEW_TRASH)) {
- // Try to get the image ID
- if ($event->count_args() >= 1) {
- $image_id = int_escape($event->get_arg(0));
- } elseif (isset($_POST['image_id'])) {
- $image_id = $_POST['image_id'];
- } else {
- throw new SCoreException("Can not restore post: No valid Post ID given.");
- }
-
+ $image_id = int_escape(null_throws($event->get_arg(0)));
 self::set_trash($image_id, false);
 $page->set_mode(PageMode::REDIRECT);
 $page->set_redirect(make_link("post/view/".$image_id));
diff --git a/ext/trash/theme.php b/ext/trash/theme.php
index 7844722a..1e8feb2f 100644
--- a/ext/trash/theme.php
+++ b/ext/trash/theme.php
@@ -12,7 +12,6 @@ class TrashTheme extends Themelet
 {
 return SHM_SIMPLE_FORM(
 'trash_restore/'.$image_id,
- INPUT(["type" => 'hidden', "name" => 'image_id', "value" => $image_id]),
 INPUT(["type" => 'submit', "value" => 'Restore From Trash']),
 );
 }
diff --git a/ext/user/main.php b/ext/user/main.php
index fde47e11..bb9e670a 100644
--- a/ext/user/main.php
+++ b/ext/user/main.php
@@ -171,17 +171,23 @@ class UserPage extends Extension
 if ($event->page_matches("user_admin")) {
 if ($event->get_arg(0) == "login") {
- if (isset($_POST['user']) && isset($_POST['pass'])) {
- $this->page_login($_POST['user'], $_POST['pass']);
+ if ($event->get_POST('user') && $event->get_POST('pass')) {
+ $this->page_login($event->req_POST('user'), $event->req_POST('pass'));
 } else {
 $this->theme->display_login_page($page);
 }
 } elseif ($event->get_arg(0) == "recover") {
- $this->page_recover($_POST['username']);
+ $this->page_recover($event->req_POST('username'));
 } elseif ($event->get_arg(0) == "create") {
 $this->page_create();
 } elseif ($event->get_arg(0) == "create_other") {
- send_event(new UserCreationEvent($_POST['name'], $_POST['pass1'], $_POST['pass1'], $_POST['email'], false));
+ send_event(new UserCreationEvent(
+ $event->req_POST("name"),
+ $event->req_POST("pass1"),
+ $event->req_POST("pass1"),
+ $event->req_POST("email"),
+ false
+ ));
 $page->set_mode(PageMode::REDIRECT);
 $page->set_redirect(make_link("admin"));
 $page->flash("Created new user");
@@ -237,7 +243,11 @@ class UserPage extends Extension
 $duser = User::by_id($input['id']);
 $this->change_class_wrapper($duser, $input['class']);
 } elseif ($event->get_arg(0) == "delete_user") {
- $this->delete_user($page, isset($_POST["with_images"]), isset($_POST["with_comments"]));
+ $this->delete_user(
+ $page,
+ $event->get_POST("with_images") == "on",
+ $event->get_POST("with_comments") == "on"
+ );
 }
 }
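Review bot: The new login condition `if ($event->get_POST('user') && $event->get_POST('pass'))` tests truthiness, and PHP treats the string `"0"` as false, so a user named `0` or a password of `0` is now bounced to the login page where the old `isset()` pair accepted it. Since get_POST returns null for an absent key, compare against null: `if ($event->get_POST('user') !== null && $event->get_POST('pass') !== null) {`. Separately, the rebuilt create_other call still passes `$event->req_POST("pass1")` for both the second and third argument; if the third is meant to be the confirmation password, the form's second field is never compared — the original had the same repeat, so worth confirming rather than fixing blindly. The enclosing method starts before and continues after the hunk.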
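Review bot: Style: `$event->get_POST("with_images") == "on"` and the `with_comments` line below it use a loose comparison although get_POST returns `?string`, so the strict form `$event->get_POST("with_images") === "on",` is safe here and states the intent; the `$lock` assignment in the wiki_admin/save hunk of ext/wiki/main.php has the same shape. The enclosing method continues outside the hunk.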
@@ -825,18 +835,13 @@ class UserPage extends Extension
 if (!$user->can(Permissions::DELETE_USER)) {
 $page->add_block(new Block("Not Admin", "Only admins can delete accounts"));
- } elseif (!isset($_POST['id']) || !is_numeric($_POST['id'])) {
- $page->add_block(new Block(
- "No ID Specified",
- "You need to specify the account number to edit"
- ));
 } else {
- $uid = int_escape((string)$_POST['id']);
+ $uid = int_escape($_POST['id']);
 $duser = User::by_id($uid);
 log_warning("user", "Deleting user #{$uid} (@{$duser->name})");
 if ($with_images) {
- log_warning("user", "Deleting user #{$_POST['id']} (@{$duser->name})'s uploads");
+ log_warning("user", "Deleting user #{$uid} (@{$duser->name})'s uploads");
 $image_ids = $database->get_col("SELECT id FROM images WHERE owner_id = :owner_id", ["owner_id" => $_POST['id']]);
 foreach ($image_ids as $image_id) {
 $image = Image::by_id((int)$image_id);
@@ -847,17 +852,17 @@ class UserPage extends Extension
 } else {
 $database->execute(
 "UPDATE images SET owner_id = :new_owner_id WHERE owner_id = :old_owner_id",
- ["new_owner_id" => $config->get_int('anon_id'), "old_owner_id" => $_POST['id']]
+ ["new_owner_id" => $config->get_int('anon_id'), "old_owner_id" => $uid]
 );
 }
 if ($with_comments) {
- log_warning("user", "Deleting user #{$_POST['id']} (@{$duser->name})'s comments");
- $database->execute("DELETE FROM comments WHERE owner_id = :owner_id", ["owner_id" => $_POST['id']]);
+ log_warning("user", "Deleting user #{$uid} (@{$duser->name})'s comments");
+ $database->execute("DELETE FROM comments WHERE owner_id = :owner_id", ["owner_id" => $uid]);
 } else {
 $database->execute(
 "UPDATE comments SET owner_id = :new_owner_id WHERE owner_id = :old_owner_id",
- ["new_owner_id" => $config->get_int('anon_id'), "old_owner_id" => $_POST['id']]
+ ["new_owner_id" => $config->get_int('anon_id'), "old_owner_id" => $uid]
 );
 }
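Review bot: The new `$uid = int_escape($_POST['id']);` drops both the `isset`/`is_numeric` guard and the `(string)` cast while keeping a direct superglobal read, so a delete_user POST without `id` now hits an undefined index and whatever int_escape does with null (not visible here) instead of the former "No ID Specified" block — and this is the one place in the commit that still bypasses the event accessors. The `get_col("SELECT id FROM images WHERE owner_id = :owner_id", ...)` context line also still binds `$_POST['id']` while every other query in these hunks now binds `$uid`, so the images selected for deletion and the rows updated below agree only when the raw value is already a clean integer. Suggest `$uid = int_escape($_POST['id'] ?? throw new UserErrorException("Missing POST parameter id"));` and `["owner_id" => $uid]` in the get_col call, or better, have the caller pass the id in from `req_POST`. delete_user's signature is outside the hunk.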
@@ -865,7 +870,7 @@ class UserPage extends Extension
 $database->execute(
 "DELETE FROM users WHERE id = :id",
- ["id" => $_POST['id']]
+ ["id" => $uid]
 );
 $page->set_mode(PageMode::REDIRECT);
diff --git a/ext/view/main.php b/ext/view/main.php
index 63ccf3dc..e76152ff 100644
--- a/ext/view/main.php
+++ b/ext/view/main.php
@@ -73,14 +73,10 @@ class ViewPost extends Extension
 $this->theme->display_error(404, "Post not found", "No post in the database has the ID #$image_id");
 }
 } elseif ($event->page_matches("post/set")) {
- if (!isset($_POST['image_id'])) {
- return;
- }
-
- $image_id = int_escape($_POST['image_id']);
+ $image_id = int_escape($event->req_POST('image_id'));
 $image = Image::by_id($image_id);
 if (!$image->is_locked() || $user->can(Permissions::EDIT_IMAGE_LOCK)) {
- send_event(new ImageInfoSetEvent($image, $_POST));
+ send_event(new ImageInfoSetEvent($image, $event->POST));
 $page->set_mode(PageMode::REDIRECT);
 if ($event->get_GET('search')) {
diff --git a/ext/wiki/main.php b/ext/wiki/main.php
index 41bca541..36a2c436 100644
--- a/ext/wiki/main.php
+++ b/ext/wiki/main.php
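Review bot: In the ext/view/main.php hunk, `$image = Image::by_id($image_id);` is followed directly by `$image->is_locked()` with no null check, although the resize and rotate hunks in this same commit test `is_null($image)` before using the result and this file itself shows the 404 path a few lines above. Now that `req_POST` covers the missing-id case, a present but unknown `image_id` is the remaining gap: it reaches the method call on null rather than a 404. Suggest a guard mirroring the one above — `if (is_null($image)) { $this->theme->display_error(404, "Post not found", "No post in the database has the ID #$image_id"); return; }` — with the `return` adjusted to however this method signals completion, which is not visible here. The enclosing method continues outside the hunk.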
@@ -191,13 +191,13 @@ class Wiki extends Extension
 $content = $this->get_page($title, $revision);
 $this->theme->display_page($page, $content, $this->get_page("wiki:sidebar"));
 } elseif ($event->page_matches("wiki_admin/edit")) {
- $content = $this->get_page($_POST['title']);
+ $content = $this->get_page($event->req_POST('title'));
 $this->theme->display_page_editor($page, $content);
 } elseif ($event->page_matches("wiki_admin/save")) {
- $title = $_POST['title'];
- $rev = int_escape($_POST['revision']);
- $body = $_POST['body'];
- $lock = $user->can(Permissions::WIKI_ADMIN) && isset($_POST['lock']) && ($_POST['lock'] == "on");
+ $title = $event->req_POST('title');
+ $rev = int_escape($event->req_POST('revision'));
+ $body = $event->req_POST('body');
+ $lock = $user->can(Permissions::WIKI_ADMIN) && ($event->get_POST('lock') == "on");
 if ($this->can_edit($user, $this->get_page($title))) {
 $wikipage = $this->get_page($title);
@@ -216,15 +216,18 @@ class Wiki extends Extension
 $this->theme->display_page_history($page, $event->get_GET('title'), $history);
 } elseif ($event->page_matches("wiki_admin/delete_revision")) {
 if ($user->can(Permissions::WIKI_ADMIN)) {
- send_event(new WikiDeleteRevisionEvent($_POST["title"], (int)$_POST["revision"]));
- $u_title = url_escape($_POST["title"]);
+ $title = $event->req_POST('title');
+ $revision = int_escape($event->req_POST('revision'));
+ send_event(new WikiDeleteRevisionEvent($title, $revision));
+ $u_title = url_escape($title);
 $page->set_mode(PageMode::REDIRECT);
 $page->set_redirect(make_link("wiki/$u_title"));
 }
 } elseif ($event->page_matches("wiki_admin/delete_all")) {
 if ($user->can(Permissions::WIKI_ADMIN)) {
- send_event(new WikiDeletePageEvent($_POST["title"]));
- $u_title = url_escape($_POST["title"]);
+ $title = $event->req_POST('title');
+ send_event(new WikiDeletePageEvent($title));
+ $u_title = url_escape($title);
 $page->set_mode(PageMode::REDIRECT);
 $page->set_redirect(make_link("wiki/$u_title"));
 }