Replace extract() with proper check (#297)

* Replace extract() with proper check 28d1ca6 extract may lead to overwriting other variable, which can lead to disaster when the function is called over used supplied data. Fixes #252 * Prevent undefined index warning b754708 * Code format eec434e * Remove more extract calls 4554531
symphonycms · Oct 24, 2017 · e36619a · e36619a
1 parent 0c889e9
commit e36619a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 18 deletions.
diff --git a/fields/field.memberemail.php b/fields/field.memberemail.php
@@ -56,10 +56,10 @@ public function createTable(){
 	-------------------------------------------------------------------------*/
 
 		public function fetchMemberIDBy($needle, $member_id = null) {
-			if(is_array($needle)) {
-				extract($needle);
-			}
-			else {
+			$email = null;
+			if (is_array($needle) && !empty($needle['email'])) {
+				$emaill = $needle['email'];
+			} else {
 				$email = $needle;
 			}
 

diff --git a/fields/field.memberpassword.php b/fields/field.memberpassword.php
@@ -96,10 +96,10 @@ public function createTable(){
 		 */
 		public function fetchMemberIDBy($needle, $member_id = null, $isHashed = false) {
 			$valid = true;
-			if(is_array($needle)) {
-				extract($needle);
-			}
-			else {
+			$password = null;
+			if (is_array($needle) && !empty($needle['password'])) {
+				$password = $needle['password'];
+			} else {
 				$password = $needle;
 			}
 
@@ -155,15 +155,17 @@ public function fetchMemberIDBy($needle, $member_id = null, $isHashed = false) {
 			}
 
 			// Check that if the password has been reset that it is still valid
-			if($valid && $data['reset'] == 'yes') {
+			if($valid && !empty($data['reset']) && $data['reset'] == 'yes') {
 				$valid_id = Symphony::Database()->fetchVar('entry_id', 0, sprintf("
 						SELECT `entry_id`
 						FROM `tbl_entries_data_%d`
 						WHERE `entry_id` = %d
 						AND DATE_FORMAT(expires, '%%Y-%%m-%%d %%H:%%i:%%s') > '%s'
 						LIMIT 1
 					",
-					$this->get('id'), $data['entry_id'], DateTimeObj::get('Y-m-d H:i:s', strtotime('now - '. $this->get('code_expiry')))
+					$this->get('id'),
+					$data['entry_id'],
+					DateTimeObj::get('Y-m-d H:i:s', strtotime('now - '. $this->get('code_expiry')))
 				));
 
 				// If we didn't get an entry_id back, then it's because it was expired

diff --git a/fields/field.memberusername.php b/fields/field.memberusername.php
@@ -64,10 +64,10 @@ public function createTable(){
 		 * @return Entry
 		 */
 		public function fetchMemberIDBy($needle, $member_id = null) {
-			if(is_array($needle)) {
-				extract($needle);
-			}
-			else {
+			$username = null;
+			if (is_array($needle) && !empty($needle['username'])) {
+				$username = $needle['username'];
+			} else {
 				$username = $needle;
 			}
 

diff --git a/lib/member.symphony.php b/lib/member.symphony.php
@@ -20,10 +20,10 @@
 		 * @return Field
 		 */
 		public function setIdentityField(array $credentials, $simplified = true) {
-			if($simplified) {
-				extract($credentials);
-			}
-			else {
+			if ($simplified) {
+				$username = empty($credentials['username']) ? null : $credentials['username'];
+				$email = empty($credentials['email']) ? null : $credentials['email'];
+			} else {
 				// Map POST data to simple terms
 				if(isset($credentials[$this->section->getFieldHandle('identity')])) {
 					$username = $credentials[$this->section->getFieldHandle('identity')];