1. 20 May, 2017 2 commits
    • Carsten  Rose's avatar
      #3769 / Allow specific GET variables longer than SECURITY_GET_MAX_LENGTH. · c11f75ad
      Carsten Rose authored
      Manual.rst: notes how to setup length-exceptions to SECURITY_GET_MAX_LENGTH
      config.php: implemented special handling of GET vars, named with '..._<num>'.
      c11f75ad
    • Carsten  Rose's avatar
      #3766 / SQL_LOG per tt_content record einstellbar machen · 4b0d1413
      Carsten Rose authored
      Add `sqlLog` and `sqlLogMode` to QFQ tt-content records.
      Add mode 'error' and `none` to sqlLogMode.
      Manual.rst: Added explanations for SQL_LOG, SQL_LOG_MODE, and tt-content pendants sqlLog, sqlLogMode. Update config.qfq.ini to latest attributes.
      Database.php: rename $mode to $currentQueryMode to make it more descriptive. Recode dbLog().
      Logger.php: do nothing if there is no file defined.
      Report.php: new function checkUpdateLog().
      Config.php: Set defaults for config.qfq.ini SQL_LOG and SQL_LOG_MODE
      Store.php: Fix problem that an empty SQL_LOG will be prependad with SYSTEM_PATH_EXT.
      4b0d1413
  2. 18 May, 2017 1 commit
  3. 24 Apr, 2017 2 commits
    • Carsten  Rose's avatar
      Implemented new escape class 'mysql' (realEscapeString). · ba817c0e
      Carsten Rose authored
      Implemented defaultEscapeType. configurable via config.qfq.ini (global) and per Form.
      Implemented max GET parameter lenght. Default: 50. BTW: in phpunit test there have been a parameter 'file' which exceeds the limit of 32.
      
      Config.qfq: Skip empty variable names - happens in phpunit tests. Read new `systemEscapeTypeDefault`.
      Constants.php: renamed  TOKEN_LDAP_ESCAPE_* to TOKEN_ESCAPE_LDAP_*. Add TOKEN_ESCAPE_MYSQL, TOKEN_ESCAPE_NONE
      Database.php: Set charset to real_escape_string() functions properly. Proxy for mysqli::real_escape_string()
      Evaluate.php: Respect global escapeTypeDefault. Implement
      formEditor.sql: add column `escapeTypeDefault`. Add FormElement 'escapeTypeDefault'.
      ba817c0e
    • Carsten  Rose's avatar
      Security: Honeypot vars - check if any of the honeypot vars is filled - if yes, it's an attack. · f5d7ba73
      Carsten Rose authored
      Config.php: Defaults are now set in Config.php, not in Store.php anymore. New function setDefaults(), checkForAttack().
      f5d7ba73
  4. 23 Mar, 2017 1 commit
  5. 14 Mar, 2017 1 commit
  6. 06 Mar, 2017 1 commit