Improved conversations ID security check

This commit is contained in:
Pierre 2017-12-29 18:03:41 +01:00
parent 50c2848a1b
commit a0373ccdb6
2 changed files with 43 additions and 2 deletions

View File

@ -655,6 +655,21 @@ class conversations {
return $messages; return $messages;
} }
/**
* Check whether a conversation exists or not
*
* @param int $convID The ID of the conversation to check
* @return bool TRUE if it exists / false else
*/
public function exist(int $convID) : bool {
//Perform a request on the database
$tableName = $this->conversationsListTable;
return CS::get()->db->count($tableName, "WHERE ID = ?", array($convID)) > 0;
}
} }
//Register component //Register component

View File

@ -60,9 +60,9 @@ function numbers_list_to_array($list) : array{
* Securely transform user given number (mixed) to integer (int) * Securely transform user given number (mixed) to integer (int)
* *
* @param Mixed $input The input variable (mixed) * @param Mixed $input The input variable (mixed)
* @return Integer $output The output (safe integer) * @return int $output The output (safe integer)
*/ */
function toInt($input){ function toInt($input) : int{
return floor($input*1); return floor($input*1);
} }
@ -161,3 +161,29 @@ function getPostUserID(string $name = "userID") : int {
return $userID; return $userID;
} }
/**
* Get the ID of a conversation posted in a request and return
* if it is a valid ID
*
* @param string $name Optionnal, the name of the post field
* @return int $convID The ID of the conversation
*/
function getPostConversationID(string $name = "conversationID") : int {
//Get conversationID
if(!isset($_POST[$name]))
Rest_fatal_error(400, "Exepted conversation ID in '".$name."' !");
$conversationID = toInt($_POST[$name]);
//Check conversationID validity
if($conversationID < 1)
Rest_fatal_error(400, "Invalid conversation ID !");
//Check if conversation exists
if(!CS::get()->components->conversations->exist($conversationID))
Rest_fatal_error(404, "Specified conversation not found!");
return $conversationID;
}