source: branches/rel/html/admin/system/input.php @ 14993

Revision 14993, 6.6 KB checked in by adati, 15 years ago (diff)

CSRF対策:システム>メンバー管理の脆弱性を修正

1<?php
2/*
3 * Copyright(c) 2000-2007 LOCKON CO.,LTD. All Rights Reserved.
4 *
5 * http://www.lockon.co.jp/
6 */
// Shared bootstrap; the SC_* classes, sf* helpers and the *_LEN / DUMMY_PASS /
// AUTH_MAGIC constants used below are expected to come from here.
require_once '../require.php';
8
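/**
 * Template variables for the member create/edit popup (system/input.tpl).
 * Every property is read by the template through SC_AdminView::assignobj().
 */
class LC_Page {
    var $arrErr;           // error messages keyed by form field
    var $tpl_recv;         // POST target of the form
    var $tpl_onload;       // JavaScript run when the page has loaded
    var $arrForm;          // form values to display
    var $tpl_mode;         // 'new' (create) or 'edit'
    var $tpl_member_id;    // member being edited (edit mode only)
    var $tpl_pageno;       // page number of the parent list, handed back on update
    var $tpl_onfocus;      // JavaScript run when the password field gets focus
    var $tpl_old_login_id; // login_id as loaded from the DB, so a change can be detected on save
    var $tpl_uniqid;       // per-session token checked by sfIsValidTransition() on POST
    var $SHORTTEXT_MAX;    // text length limits exposed to the template
    var $MIDDLETEXT_MAX;
    var $LONGTEXT_MAX;
    var $arrAUTHORITY;     // authority choices, copied from the global $arrAUTHORITY

    /**
     * Sets the static template values. 'pageno' is optional in the request;
     * it is left null when absent instead of raising an undefined-index notice.
     */
    function __construct() {
        $this->tpl_recv = 'input.php';
        $this->tpl_pageno = isset($_REQUEST['pageno']) ? $_REQUEST['pageno'] : null;
        $this->SHORTTEXT_MAX = STEXT_LEN;
        $this->MIDDLETEXT_MAX = MTEXT_LEN;
        $this->LONGTEXT_MAX = LTEXT_LEN;
        global $arrAUTHORITY;
        $this->arrAUTHORITY = $arrAUTHORITY;
    }

    /**
     * PHP4-style constructor. PHP 8 no longer treats a method named after the
     * class as the constructor, so it simply forwards to __construct().
     */
    function LC_Page() {
        $this->__construct();
    }
}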
29
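$conn = new SC_DbConn();
$objPage = new LC_Page();
$objView = new SC_AdminView();

// Admin authentication. sfIsSuccess() is expected to end the request itself
// when the session is not valid, since its result is not inspected here.
$objSess = new SC_Session();
sfIsSuccess($objSess);

// Read the POST parameters once, without notices on missing keys.
$post_mode = isset($_POST['mode']) ? $_POST['mode'] : '';
$post_member_id = isset($_POST['member_id']) ? $_POST['member_id'] : null;

// GET with an integer id: edit mode, form pre-filled from the DB.
if (isset($_GET['id']) && sfIsInt($_GET['id'])) {
    $objPage->tpl_mode = 'edit';
    $objPage->tpl_member_id = $_GET['id'];
    $objPage->tpl_onfocus = "fnClearText(this.name);";
    // fnGetMember() binds the id as a query parameter.
    $data_list = fnGetMember($conn, $_GET['id']);
    $objPage->arrForm = $data_list[0];
    // The stored hash never goes to the browser; the form shows a placeholder
    // that fnErrorCheck() and fnUpdateMember() treat as "password unchanged".
    $objPage->arrForm['password'] = DUMMY_PASS;
    // Kept so fnErrorCheck() can tell whether the login_id was changed.
    $objPage->tpl_old_login_id = $data_list[0]['login_id'];
    $objPage->tpl_uniqid = $objSess->getUniqId();
} else {
    // Create mode.
    $objPage->tpl_mode = "new";
    $objPage->arrForm['authority'] = -1;
}

// POST from the form: validate, then insert or update.
if ($post_mode == 'new' || $post_mode == 'edit') {
    // The uniqid embedded in the form must match the session; this is what
    // rejects a forged (cross-site) submission.
    if (sfIsValidTransition($objSess) == false) {
        sfDispError(INVALID_MOVE_ERRORR);
    }
    $objPage->arrErr = fnErrorCheck($conn);

    if (count($objPage->arrErr) == 0) {
        if ($post_mode == 'new') {
            fnInsertMember();
            // Redirect so that a browser reload does not repeat the insert.
            header("Location: " . $_SERVER['PHP_SELF'] . "?mode=reload");
            exit;
        }
        // edit: member_id comes from the form and is used in a WHERE clause,
        // so only an integer is accepted (same rule as for the GET id above).
        if (sfIsInt($post_member_id) && fnUpdateMember($post_member_id)) {
            // pageno is placed inside an inline JavaScript string; encode it so
            // a crafted value cannot break out of the quotes. Plain integers
            // (the expected case) are unchanged by rawurlencode().
            $pageno = isset($_POST['pageno']) ? $_POST['pageno'] : '';
            $url = URL_SYSTEM_TOP . "?pageno=" . rawurlencode($pageno);
            // Refresh the parent list, then close this popup.
            $objPage->tpl_onload = "fnUpdateParent('" . $url . "'); window.close();";
        }
    } else {
        // Validation failed: re-display the form with the submitted values.
        $objPage->tpl_mode = $post_mode;
        $objPage->tpl_member_id = $post_member_id;
        $objPage->tpl_old_login_id = isset($_POST['old_login_id']) ? $_POST['old_login_id'] : null;
        $objPage->arrForm = $_POST;
        // A typed password is not echoed back; only the placeholder survives.
        if (!isset($objPage->arrForm['password']) || $objPage->arrForm['password'] != DUMMY_PASS) {
            $objPage->arrForm['password'] = '';
        }
    }
}

// After a successful insert the page reloads itself with mode=reload and asks
// the parent window to refresh its list.
if (isset($_GET['mode']) && $_GET['mode'] == 'reload') {
    $url = URL_SYSTEM_TOP;
    $objPage->tpl_onload = "fnUpdateParent('" . $url . "')";
}

// Token for the transition check on the next POST.
$objPage->tpl_uniqid = $objSess->getUniqId();

$objView->assignobj($objPage);
$objView->display('system/input.tpl');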
113
/* 入力エラーのチェック */
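/**
 * Validates the member form in $_POST and returns the error messages.
 *
 * Side effect: $_POST['name'] and $_POST['department'] are normalised with
 * mb_convert_kana(..., "KV") first, so fnInsertMember()/fnUpdateMember(),
 * which read $_POST directly, store the normalised values.
 *
 * @param  object $conn  DB connection exposing getOne($sql, $params) (SC_DbConn)
 * @return array         field name => error message; empty when the input is valid
 */
function fnErrorCheck($conn) {
    $objErr = new SC_CheckError();

    $_POST["name"] = mb_convert_kana($_POST["name"], "KV");
    $_POST["department"] = mb_convert_kana($_POST["department"], "KV");

    $is_edit = (isset($_POST['mode']) && $_POST['mode'] == 'edit');
    $login_id = isset($_POST['login_id']) ? $_POST['login_id'] : '';
    $old_login_id = isset($_POST['old_login_id']) ? $_POST['old_login_id'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // name: required, maximum length
    $objErr->doFunc(array("̾Á°", 'name'), array("EXIST_CHECK"));
    $objErr->doFunc(array("̾Á°", 'name', STEXT_LEN, "BIG"), array("MAX_LENGTH_CHECK"));

    // name must not already exist; only checked when creating
    if (!isset($objErr->arrErr['name']) && !$is_edit) {
        $sql = "SELECT name FROM dtb_member WHERE del_flg <> 1 AND name = ?";
        $result = $conn->getOne($sql, array($_POST['name']));
        if ($result) {
            $objErr->arrErr['name'] = "´û¤ËÅÐÏ¿¤µ¤ì¤Æ¤¤¤ë̾Á°¤Ê¤Î¤ÇÍøÍѤǤ­¤Þ¤»¤ó¡£<br>";
        }
    }

    // login_id: required, alphanumeric, length range
    $objErr->doFunc(array("¥í¥°¥¤¥óID", 'login_id'), array("EXIST_CHECK", "ALNUM_CHECK"));
    $objErr->doFunc(array("¥í¥°¥¤¥óID", 'login_id', ID_MIN_LEN, ID_MAX_LEN), array("NUM_RANGE_CHECK"));

    // login_id must not already exist: checked when creating, or when it was
    // changed while editing. The format checks above must have passed in both
    // cases, otherwise the DB lookup would overwrite their message.
    $needs_login_id_check = !$is_edit || $login_id != $old_login_id;
    if (!isset($objErr->arrErr['login_id']) && $needs_login_id_check) {
        $sql = "SELECT login_id FROM dtb_member WHERE del_flg <> 1 AND login_id = ?";
        $result = $conn->getOne($sql, array($login_id));
        if ($result != "") {
            $objErr->arrErr['login_id'] = "´û¤ËÅÐÏ¿¤µ¤ì¤Æ¤¤¤ëID¤Ê¤Î¤ÇÍøÍѤǤ­¤Þ¤»¤ó¡£<br>";
        }
    }

    // password: skipped when editing and the placeholder was left in place
    if (!($is_edit && $password == DUMMY_PASS)) {
        $objErr->doFunc(array("¥Ñ¥¹¥ï¡¼¥É", 'password'), array("EXIST_CHECK", "ALNUM_CHECK"));
        // Length range only once the password is present and alphanumeric;
        // the result of the previous checks lives in $objErr->arrErr.
        if (!isset($objErr->arrErr['password'])) {
            $objErr->doFunc(array("¥Ñ¥¹¥ï¡¼¥É", 'password', 4, 15), array("NUM_RANGE_CHECK"));
        }
    }

    // authority: required
    $objErr->doFunc(array("¸¢¸Â", 'authority'), array("EXIST_CHECK"));
    return $objErr->arrErr;
}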
161
/* DBへのデータ挿入 */
/**
 * Inserts a new dtb_member row built from $_POST.
 *
 * The password is stored as sha1(password . ":" . AUTH_MAGIC). This is the
 * legacy scheme that the login code presumably compares against, so it cannot
 * be changed here alone. creator_id is the logged-in admin taken from the
 * session, and the new member gets the next rank after the current maximum.
 *
 * @return mixed  whatever SC_Query::insert() returns
 */
function fnInsertMember() {
    $objQuery = new SC_Query();

    $passwordHash = sha1($_POST['password'] . ":" . AUTH_MAGIC);
    $nextRank = $objQuery->max("dtb_member", "rank") + 1;

    $arrVal = array(
        'name'        => $_POST['name'],
        'department'  => $_POST['department'],
        'login_id'    => $_POST['login_id'],
        'password'    => $passwordHash,
        'authority'   => $_POST['authority'],
        'rank'        => $nextRank,
        'work'        => "1",   // active
        'del_flg'     => "0",   // not deleted
        'creator_id'  => $_SESSION['member_id'],
        'create_date' => "now()",
        'update_date' => "now()",
    );

    return $objQuery->insert("dtb_member", $arrVal);
}
182
/* DBへのデータ更新 */
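/**
 * Updates the dtb_member row $id with the values in $_POST.
 *
 * The password column is only written when the user replaced the DUMMY_PASS
 * placeholder; it uses the same legacy sha1(password . ":" . AUTH_MAGIC)
 * scheme as fnInsertMember().
 *
 * @param  mixed $id  member_id from the form. It is concatenated into the
 *                    WHERE clause, so anything but a plain integer is refused.
 * @return mixed      result of SC_Query::update(), or false when $id is rejected
 */
function fnUpdateMember($id) {
    // $id comes straight from $_POST; the same sfIsInt() rule the page applies
    // to the GET id keeps non-numeric input out of the SQL string below.
    if (!sfIsInt($id)) {
        return false;
    }
    $objQuery = new SC_Query();

    $sqlval = array();
    $sqlval['name'] = $_POST['name'];
    $sqlval['department'] = $_POST['department'];
    $sqlval['login_id'] = $_POST['login_id'];
    if ($_POST['password'] != DUMMY_PASS) {
        $sqlval['password'] = sha1($_POST['password'] . ":" . AUTH_MAGIC);
    }
    $sqlval['authority'] = $_POST['authority'];
    $sqlval['update_date'] = "now()";

    // intval() as a second guard: only digits can ever reach the query.
    $where = "member_id = " . intval($id);
    return $objQuery->update("dtb_member", $sqlval, $where);
}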
201
/* DBからデータの読み込み */
/**
 * Loads the editable columns of one member.
 *
 * @param  object $conn  DB connection exposing getAll($sql, $params) (SC_DbConn)
 * @param  mixed  $id    member_id, bound as a query parameter (never interpolated)
 * @return array         rows as returned by getAll(); [0] is the member when found
 */
function fnGetMember($conn, $id) {
    $sql = "SELECT name,department,login_id,authority FROM dtb_member WHERE member_id = ?";
    return $conn->getAll($sql, array($id));
}
208?>