2.11.22 Update web service

src/add-to-your-blog.php

@@ -95,7 +95,7 @@
 			 */
 			$lEnableJavaScriptValidation = TRUE;
 			$lEnableHTMLControls = TRUE;
-			$lProtectAgainstMethodTampering = TRUE;
+			$lProtectAgainstMethodTampering = true;
    		break;
    	}// end switch
 

src/ajax/lookup-pen-test-tool.php

@@ -58,7 +58,7 @@
 	   		case "4":
     		case "5": // This code is fairly secure
     			$lUseServerSideValidation = TRUE;
-    			$lProtectAgainstMethodTampering = TRUE;
+    			$lProtectAgainstMethodTampering = true;
 	  			/*
 	  			 * NOTE: Input validation is excellent but not enough. The output must be
 	  			 * encoded per context. For example, if output is placed in HTML,

src/conference-room-lookup.php

@@ -41,7 +41,7 @@ function encodeForLDAP(/*string*/ $pString) {
     			$lProtectAgainstLDAPInjection=TRUE;
 				$lEnableHTMLControls = TRUE;
     			$lEnableJavaScriptValidation = TRUE;
-   				$lProtectAgainstMethodTampering = TRUE;
+   				$lProtectAgainstMethodTampering = true;
     		break;
     	}// end switch
 

src/content-security-policy.php

@@ -10,16 +10,16 @@
             $lEnableJavaScriptValidation = FALSE;
             $lEnableHTMLControls = FALSE;
             $lProtectAgainstMethodTampering = FALSE;
-            $lProtectAgainstCommandInjection=FALSE;
-            $lProtectAgainstXSS = FALSE;
+            $lProtectAgainstCommandInjection=false;
+            $lProtectAgainstXSS = false;
             break;
 
         case "1": // This code is insecure. No input validation is performed.
             $lEnableJavaScriptValidation = TRUE;
             $lEnableHTMLControls = TRUE;
             $lProtectAgainstMethodTampering = FALSE;
-            $lProtectAgainstCommandInjection=FALSE;
-            $lProtectAgainstXSS = FALSE;
+            $lProtectAgainstCommandInjection=false;
+            $lProtectAgainstXSS = false;
             break;
 
         case "2":
@@ -29,8 +29,8 @@
             $lProtectAgainstCommandInjection=TRUE;
             $lEnableHTMLControls = TRUE;
             $lEnableJavaScriptValidation = TRUE;
-            $lProtectAgainstMethodTampering = TRUE;
-            $lProtectAgainstXSS = TRUE;
+            $lProtectAgainstMethodTampering = true;
+            $lProtectAgainstXSS = true;
             break;
     }// end switch
 

src/dns-lookup.php

@@ -10,16 +10,16 @@
 				$lEnableJavaScriptValidation = FALSE;
 				$lEnableHTMLControls = FALSE;
 				$lProtectAgainstMethodTampering = FALSE;
-				$lProtectAgainstCommandInjection=FALSE;
-				$lProtectAgainstXSS = FALSE;
+				$lProtectAgainstCommandInjection=false;
+				$lProtectAgainstXSS = false;
     		break;
 
     		case "1": // This code is insecure. No input validation is performed.
 				$lEnableJavaScriptValidation = TRUE;
 				$lEnableHTMLControls = TRUE;
 				$lProtectAgainstMethodTampering = FALSE;
-				$lProtectAgainstCommandInjection=FALSE;
-				$lProtectAgainstXSS = FALSE;
+				$lProtectAgainstCommandInjection=false;
+				$lProtectAgainstXSS = false;
     		break;
 
 	   		case "2":
@@ -29,8 +29,8 @@
     			$lProtectAgainstCommandInjection=TRUE;
 				$lEnableHTMLControls = TRUE;
     			$lEnableJavaScriptValidation = TRUE;
-   				$lProtectAgainstMethodTampering = TRUE;
-   				$lProtectAgainstXSS = TRUE;
+   				$lProtectAgainstMethodTampering = true;
+   				$lProtectAgainstXSS = true;
     		break;
     	}// end switch
 
@@ -48,7 +48,7 @@
 				 * We validate that an IP is 4 octets, IPV6 fits the pattern, and that domain name is IANA format */
     			$lTargetHostValidated = preg_match(IPV4_REGEX_PATTERN, $lTargetHost) || preg_match(DOMAIN_NAME_REGEX_PATTERN, $lTargetHost) || preg_match(IPV6_REGEX_PATTERN, $lTargetHost);
 	    	}else{
-    			$lTargetHostValidated=TRUE; 			// do not perform validation
+    			$lTargetHostValidated = true; 			// do not perform validation
 	    	}// end if
 
 	    	if ($lProtectAgainstXSS) {

src/echo.php

@@ -10,16 +10,16 @@
 				$lEnableJavaScriptValidation = FALSE;
 				$lEnableHTMLControls = FALSE;
 				$lProtectAgainstMethodTampering = FALSE;
-				$lProtectAgainstCommandInjection=FALSE;
-				$lProtectAgainstXSS = FALSE;
+				$lProtectAgainstCommandInjection=false;
+				$lProtectAgainstXSS = false;
     		break;
 
     		case "1": // This code is insecure. No input validation is performed.
 				$lEnableJavaScriptValidation = TRUE;
 				$lEnableHTMLControls = TRUE;
 				$lProtectAgainstMethodTampering = FALSE;
-				$lProtectAgainstCommandInjection=FALSE;
-				$lProtectAgainstXSS = FALSE;
+				$lProtectAgainstCommandInjection=false;
+				$lProtectAgainstXSS = false;
     		break;
 
 	   		case "2":
@@ -29,8 +29,8 @@
     			$lProtectAgainstCommandInjection=TRUE;
 				$lEnableHTMLControls = TRUE;
     			$lEnableJavaScriptValidation = TRUE;
-   				$lProtectAgainstMethodTampering = TRUE;
-   				$lProtectAgainstXSS = TRUE;
+   				$lProtectAgainstMethodTampering = true;
+   				$lProtectAgainstXSS = true;
     		break;
     	}// end switch
 

src/pen-test-tool-lookup.php

@@ -24,7 +24,7 @@
     			$lUseSafeJSONParser = TRUE;
     			$lUseJavaScriptValidation = TRUE;
     			$lUseServerSideValidation = TRUE;
-    			$lProtectAgainstMethodTampering = TRUE;
+    			$lProtectAgainstMethodTampering = true;
 	  			/* 
 	  			 * NOTE: Input validation is excellent but not enough. The output must be
 	  			 * encoded per context. For example, if output is placed in HTML,

src/styling-frame.php

@@ -12,7 +12,7 @@
 			case "3":
 			case "4":
 			case "5": // This code is fairly secure
-				$lProtectAgainstMethodTampering = TRUE;
+				$lProtectAgainstMethodTampering = true;
 				$lEncodeOutput = TRUE;
 				break;
 		};//end switch

src/styling.php

@@ -32,7 +32,7 @@
 				require_once ('./includes/constants.php');
 				require_once (__SITE_ROOT__.'/classes/EncodingHandler.php');
     			$Encoder = new EncodingHandler();
-    			$lProtectAgainstMethodTampering = TRUE;
+    			$lProtectAgainstMethodTampering = true;
 				$lEncodeOutput = TRUE;
 			break;
     	};//end switch

src/test-connectivity.php

@@ -9,15 +9,15 @@
     	switch ($_SESSION["security-level"]){
     		case "0": // This code is insecure. No input validation is performed.
 				$lProtectAgainstMethodTampering = FALSE;
-				$lProtectAgainstCommandInjection=FALSE;
-				$lProtectAgainstXSS = FALSE;
+				$lProtectAgainstCommandInjection=false;
+				$lProtectAgainstXSS = false;
 				$lProtectAgainstSSRF = FALSE;
     		break;
 
     		case "1": // This code is insecure. No input validation is performed.
 				$lProtectAgainstMethodTampering = FALSE;
-				$lProtectAgainstCommandInjection=FALSE;
-				$lProtectAgainstXSS = FALSE;
+				$lProtectAgainstCommandInjection=false;
+				$lProtectAgainstXSS = false;
 				$lProtectAgainstSSRF = FALSE;
     		break;
 
@@ -26,8 +26,8 @@
 	   		case "4":
     		case "5": // This code is fairly secure
     			$lProtectAgainstCommandInjection=TRUE;
-   				$lProtectAgainstMethodTampering = TRUE;
-   				$lProtectAgainstXSS = TRUE;
+   				$lProtectAgainstMethodTampering = true;
+   				$lProtectAgainstXSS = true;
    				$lProtectAgainstSSRF = TRUE;
     		break;
     	}// end switch

src/text-file-viewer.php

@@ -34,7 +34,7 @@
 				$lEnableHTMLControls = TRUE;
 	   			$lUseTokenization = TRUE;
 				$lEncodeOutput = TRUE;
-				$lProtectAgainstMethodTampering = TRUE;
+				$lProtectAgainstMethodTampering = true;
 			break;
 	   	}// end switch ($_SESSION["security-level"])
 

src/user-info-xpath.php

@@ -29,7 +29,7 @@
 				$lEnableHTMLControls = TRUE;
     			$lFormMethod = "POST";
 				$lEnableJavaScriptValidation = TRUE;
-				$lProtectAgainstMethodTampering = TRUE;
+				$lProtectAgainstMethodTampering = true;
 				$lEncodeOutput = TRUE;
 				$lProtectAgainstXPathInjection = TRUE;
 			break;

src/user-poll.php

@@ -12,34 +12,34 @@
 	require_once (__SITE_ROOT__.'/classes/CSRFTokenHandler.php');
 	$lCSRFTokenHandler = new CSRFTokenHandler($_SESSION["security-level"], "register-user");
 
-	if (!isSet($logged_in_user)) {
-		throw new Exception("$logged_in_user is not set. Page add-to-your-blog.php requires this variable.");
-	}// end if
+	if (!isSet($logged_in_user)) {
+		throw new Exception("$logged_in_user is not set. Page add-to-your-blog.php requires this variable.");
+	}// end if
 
 	function isParameterPollutionDetected(/*String*/ $pQueryString){
 
 		try {
-			// Detect multiple params with same name (HTTP Parameter Pollution)
-			$lQueryString  = explode('&', $pQueryString);
-			$lKeys = array();
-			$lPair = array();
+			// Detect multiple params with same name (HTTP Parameter Pollution)
+			$lQueryString  = explode('&', $pQueryString);
+			$lKeys = array();
+			$lPair = array();
 			$lParameter = "";
 			$lCountUnique = 0;
-			$lCountTotal = 0;
-
-			foreach ($lQueryString as $lParameter){
-				$lPair = explode('=', $lParameter);
-				array_push($lKeys, $lPair[0]);
-			}//end for each
-
-			$lCountUnique = count(array_unique($lKeys));
-			$lCountTotal = count($lKeys);
-
+			$lCountTotal = 0;
+
+			foreach ($lQueryString as $lParameter){
+				$lPair = explode('=', $lParameter);
+				array_push($lKeys, $lPair[0]);
+			}//end for each
+
+			$lCountUnique = count(array_unique($lKeys));
+			$lCountTotal = count($lKeys);
+
 			return ($lCountUnique < $lCountTotal);
-
+
 		} catch (Exception $e) {
-				return FALSE;
-		}//end catch
+				return FALSE;
+		}//end catch
 
 	}//end function isParameterPollutionDetected()
 
@@ -67,7 +67,7 @@ function isParameterPollutionDetected(/*String*/ $pQueryString){
 		case "5": // This code is fairly secure
 			$lEnableHTMLControls = TRUE;
 			$lEncodeOutput = TRUE;
-			$lProtectAgainstMethodTampering = TRUE;
+			$lProtectAgainstMethodTampering = true;
 			$lHTTPParameterPollutionDetected = isParameterPollutionDetected($_SERVER['QUERY_STRING']);
 			$lLoggedInUser = $MySQLHandler->escapeDangerousCharacters($logged_in_user);
    		break;
@@ -116,19 +116,19 @@ function isParameterPollutionDetected(/*String*/ $pQueryString){
 				$LogHandler->writeToLog("User voted for {$lUserChoice}");
 		   	}// end if
 
-		   	// Encode output to protect against cross site scripting
-		   	if ($lEncodeOutput){
-		   		$lUserInitials = $Encoder->encodeForHTML($lUserInitials);
+		   	// Encode output to protect against cross site scripting
+		   	if ($lEncodeOutput){
+		   		$lUserInitials = $Encoder->encodeForHTML($lUserInitials);
 		   		$lUserChoice = $Encoder->encodeForHTML($lUserChoice);
-	   			$lUserChoiceMessage = $Encoder->encodeForHTML($lUserChoiceMessage);
-		   	}// end if
+	   			$lUserChoiceMessage = $Encoder->encodeForHTML($lUserChoiceMessage);
+		   	}// end if
 
 		   	//Insert vote into database
-		   	try {
-		   		$SQLQueryHandler->insertVoteIntoUserPoll($lUserChoice, $lLoggedInUser);
-		   	} catch (Exception $e) {
-		   		echo $CustomErrorHandler->FormatError($e, "Error inserting user vote for " . $lLoggedInUser);
-		   	}//end try
+		   	try {
+		   		$SQLQueryHandler->insertVoteIntoUserPoll($lUserChoice, $lLoggedInUser);
+		   	} catch (Exception $e) {
+		   		echo $CustomErrorHandler->FormatError($e, "Error inserting user vote for " . $lLoggedInUser);
+		   	}//end try
 
 	   	} catch (Exception $e) {
 	   		echo $CustomErrorHandler->FormatError($e, "Vote was not counted");
@@ -203,17 +203,17 @@ function isParameterPollutionDetected(/*String*/ $pQueryString){
 
 <?php
 	try{// to draw table
-		//Get votes from database
-		try {
-			$lQueryResult = $SQLQueryHandler->getUserPollVotes();
-		} catch (Exception $e) {
-			echo $CustomErrorHandler->FormatError($e, "Error getting user votes");
+		//Get votes from database
+		try {
+			$lQueryResult = $SQLQueryHandler->getUserPollVotes();
+		} catch (Exception $e) {
+			echo $CustomErrorHandler->FormatError($e, "Error getting user votes");
 		}//end try
 
 		if($lQueryResult->num_rows > 0){
 
 			// we have rows. Begin drawing output.
-			echo '<br/>';
+			echo '<br/>';
 			echo '<fieldset>';
 			echo '<legend>Poll Results</legend>';
 			echo '<table style="width:50%;" class="results-table">';

src/view-someones-blog.php

@@ -55,7 +55,7 @@
 			$lTokenizeAllowedMarkup = TRUE;
 
 			/* If we are in secure mode, we need to protect against SQLi */
-			$lProtectAgainstMethodTampering = TRUE;
+			$lProtectAgainstMethodTampering = true;
    		break;
    	}// end switch