fix Abitrary File Read and Sql Injection

[trichimtrich]

Sql Injection: #47
Abitrary File Read: #48

[matlam]

The fix for the arbitrary file read breaks the help function, because the help files are in subdirectories and url is e.g. circulation/index.md
The solution that I came up with, is to use this function instead of file_exists:

function isValidHelpFile($file) {
    global $sysconf;
    $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(HELP . '/' . $sysconf['default_lang'] . '/', FilesystemIterator::SKIP_DOTS | FilesystemIterator::CURRENT_AS_PATHNAME));
    foreach ($iterator as $helpfile) {
        if ($helpfile === $file) {
            return true;
        }
    }
    return false;
}

But it seems a bit wasteful

[trichimtrich]

I think it's still ok, but when we add new help file, we need to update config too.
Another the solution is use realpath($file_path) and check if it starts with HELP directory.
With that we can confirm request file is valid or not, and also can use sub directory.

[heroesoebekti]

I have a solution, that is by filtering the file extension .md

if(!file_exists($file_path) || !preg_match("/^.*\.(md)$/i", $file_path)) {..