function get_value($dest = DST_VARIABLE, $parent = null) { if ($dest == DST_DATABASE) { if (isset($this->value) && imp($this->value) || $this->empty_to_null == false) { return "'" . db_esc($this->value) . "'"; } else { return "NULL"; } } else { if ($dest == DST_HTML_DISPLAY) { if ($this->type == "money" && imp($this->value)) { $c = $parent->currency; if ($this->currency && isset($parent->data_fields[$this->currency])) { $c = $parent->get_value($this->currency); } if (!$c) { alloc_error("db_field::get_value(): No currency specified for " . $parent->classname . "." . $this->name . " (currency:" . $c . ")"); } else { if ($this->value == $parent->all_row_fields[$this->name]) { return page::money($c, $this->value, "%mo"); } } } return page::htmlentities($this->value); } else { return $this->value; } } }
function show_permission_list($template_name) { global $TPL; $roles = permission::get_roles(); if ($_REQUEST["submit"] || $_REQUEST["filter"] != "") { $where = " where tableName like '%" . db_esc($_REQUEST["filter"]) . "%' "; // TODO: Add filtering to permission list } $db = new db_alloc(); $db->query("SELECT * FROM permission {$where} ORDER BY tableName, sortKey"); while ($db->next_record()) { $permission = new permission(); $permission->read_db_record($db); $permission->set_values(); $TPL["actions"] = $permission->describe_actions(); $TPL["odd_even"] = $TPL["odd_even"] == "odd" ? "even" : "odd"; $TPL["roleName"] = $roles[$TPL["roleName"]]; include_template($template_name); } }
function get_assoc_array($key = false, $value = false, $sel = false, $where = array()) { $key or $key = $this->key_field->get_name(); $value or $value = "*"; $value != "*" and $key_sql = $key . ","; $q = sprintf('SELECT %s %s FROM %s WHERE 1=1 ', db_esc($key_sql), db_esc($value), db_esc($this->data_table)); $pkey_sql = " OR " . $this->key_field->get_name() . " = "; if (is_array($sel) && count($sel)) { foreach ($sel as $s) { $extra .= $pkey_sql . sprintf("%d", $s); } } else { if ($sel) { $extra = $pkey_sql . db_esc($sel); } } // If they haven't specifically asked for inactive or all // records, we default to giving them only active records. if (is_object($this->data_fields[$this->data_table . "Active"]) && !isset($where[$this->data_table . "Active"])) { $where[$this->data_table . "Active"] = 1; // Else get all records } else { if ($where[$this->data_table . "Active"] == "all") { unset($where[$this->data_table . "Active"]); } } if (is_array($where) && count($where)) { foreach ($where as $colname => $colvalue) { $q .= " AND " . $colname . " = '" . db_esc($colvalue) . "'"; } } $q .= $extra; if (is_object($this->data_fields[$this->data_table . "Sequence"])) { $q .= " ORDER BY " . db_esc($this->data_table) . "Sequence"; } else { if (is_object($this->data_fields[$this->data_table . "Seq"])) { $q .= " ORDER BY " . db_esc($this->data_table) . "Seq"; } else { if ($value != "*") { $q .= " ORDER BY " . db_esc($value); } } } $db = new db_alloc(); $db->query($q); $rows = array(); while ($row = $db->row()) { if ($this->read_db_record($db)) { if ($value && $value != "*") { $v = $row[$value]; } else { $v = $row; } $rows[$row[$key]] = $v; } } return $rows; }
function prepare() { $args = func_get_args(); if (count($args) == 1) { return $args[0]; } // First element of $args get assigned to zero index of $clean_args // Array_shift removes the first value and returns it.. $clean_args[] = array_shift($args); // The rest of $args are escaped and then assigned to $clean_args foreach ($args as $arg) { if (is_array($arg)) { foreach ((array) $arg as $v) { $str .= $comma . "'" . db_esc($v) . "'"; $comma = ","; } $clean_args[] = $str; } else { $clean_args[] = db_esc($arg); } } // Have to use this coz we don't know how many args we're gonna pass to sprintf.. $query = @call_user_func_array("sprintf", $clean_args); // Trackdown poorly formulated queries $err = error_get_last(); if ($err["type"] == 2 && in_str("sprintf", $err["message"])) { $e = new Exception(); alloc_error("Error in prepared query: \n" . $e->getTraceAsString() . "\n" . print_r($err, 1) . "\n" . print_r($clean_args, 1)); } return $query; }
<?php // Update old entries in the interested parties table that don't have names $db = new db_alloc(); $db2 = new db_alloc(); $extra_interested_parties = config::get_config_item("defaultInterestedParties"); foreach ((array) $extra_interested_parties as $name => $email) { $q = prepare("UPDATE interestedParty SET fullName = '%s' WHERE emailAddress = '%s' AND (fullName is NULL or fullName = '')", db_esc($name), db_esc($email)); $db2->query($q); }
} } if ($_POST["table_num_op_2"][$v] != "") { if (preg_match("/([^\\d]{1,2})(\\d\\d\\d\\d-\\d\\d?-\\d\\d?)/", $_POST["table_num_op_2"][$v], $m)) { $query["where"] .= " AND " . db_esc($_POST["table_name"][$v]) . " " . db_esc($m[1]) . "'" . db_esc($m[2]) . "'"; } else { $query["where"] .= " AND " . db_esc($_POST["table_name"][$v]) . " " . db_esc($_POST["table_num_op_2"][$v]); } } } } if ($_POST["table_groupby"] != "") { if (!isset($query["group"])) { $query["group"] = " GROUP BY " . db_esc($_POST["table_groupby"]); } else { $query["group"] .= "," . db_esc($_POST["table_groupby"]); } } $final_query = $query["start"] . $query["select"] . $query["from"] . $query["join"] . $query["where"] . $query["group"]; if ($query["select"]) { $db = new db_alloc(); $db->query($final_query); $fields = explode(",", $query["select"]); $TPL["result_row"] = "<tr>"; foreach ($fields as $field) { $TPL["result_row"] .= "<th>" . $field . "</th>"; } $TPL["result_row"] .= "</tr>"; if (!$_POST["generate_file"]) { $start_row_separator = "<tr class='%s'>"; $end_row_separator = "</tr>\n";
public static function get_permitted_tfs($requested_tfs = array()) { $current_user =& singleton("current_user"); // If admin, just use the requested tfs if ($current_user->have_role('admin')) { $rtn = $requested_tfs; // If not admin, then remove the items from $requested_tfs that the user can't access } else { $allowed_tfs = (array) tf::get_tfs_for_person($current_user->get_id()); foreach ((array) $requested_tfs as $tf) { if (in_array($tf, $allowed_tfs)) { $rtn[] = $tf; } } } // db_esc everything foreach ((array) $rtn as $tf) { $r[] = db_esc($tf); } return (array) array_unique((array) $r); }
function install_peopleaggregator() { global $path_prefix; ?> <h2>Detecting URLs</h2> <ul> <?php // find base url (minus http:// suffix) if (!preg_match("|^(.*?)/config/index.php\$|", $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'], $m)) { dienow("Unable to find base URL"); } $base_url_bare = $m[1]; // make sure the base url is valid if (!can_get_peepagg_txt("http://{$base_url_bare}/peopleaggregator.txt")) { dienow("Unable to guess base URL - I think it should be http://{$base_url_bare}/ but that URL does not seem to work."); } note("Good: we can access the system at http://{$base_url_bare}/"); // try stripping off the first url part (i.e. www.asdf -> asdf) $base_url_suffix = preg_replace("|^[^\\.]+\\.(.*)\$|", "\$1", $base_url_bare); $allow_spawning = FALSE; // check if it doesn't have any dots (e.g. http://colinux/web/config/) // - i.e. not suitable for sharing cookies over domains. if ($base_url_suffix == $base_url_bare) { note("Apparently running on an internal web server - not possible to run multiple networks."); } else { if (preg_match("|^\\d+\\.\\d+\\.\\d+\\.\\d+|", $base_url_bare)) { note("Running with an IP address rather than a domain name - not possible to run multiple networks."); } else { if (can_get_peepagg_txt("http://{$base_url_suffix}/peopleaggregator.txt")) { note("It looks like it is also accessible at <code>http://{$base_url_suffix}/</code>; trying <code>{$base_url_suffix}</code> as the root URL."); } else { note("It is not accessible at <code>http://{$base_url_suffix}/</code>; trying <code>{$base_url_bare}</code> as the root URL."); $base_url_suffix = $base_url_bare; } if (can_get_peepagg_txt("http://some-random-domain.{$base_url_suffix}/peopleaggregator.txt")) { note("It looks like the server is set up to host <code>*.{$base_url_suffix}</code>, so network spawning is possible."); $allow_spawning = TRUE; } else { warn("Wildcard domains do not appear to be enabled (cannot access the root of this install at http://some_random_domain.{$base_url_suffix}/) so network spawning will be disabled."); } } } global $base_url, $domain_suffix; if ($allow_spawning) { $base_url = "http://%network_name%.{$base_url_suffix}"; } else { $base_url = "http://{$base_url_bare}"; } $domain_suffix = preg_replace("|/.*\$|", "", $base_url_suffix); // stash $base_url away as config.inc will modify it $base_url_config = $base_url; note("Base URL: <code>{$base_url}</code>" . ($domain_suffix ? "; domain suffix: <code>{$domain_suffix}</code>" : "")); ?> </ul> <h2>Configuration</h2> <?php $admin_password = get_default("admin_password", ""); $admin_password2 = get_default("admin_password2", ""); $mysql_server = get_default("mysql_server", "localhost"); $mysql_dbname = get_default("mysql_dbname", "peopleaggregator"); $mysql_username = get_default("mysql_username", "peopleaggregator"); $mysql_password = get_default("mysql_password", ""); $mysql_root_username = get_default("mysql_root_username", "root"); $mysql_root_password = get_default("mysql_root_password", ""); $home_network_config = str_replace("%network_name%", "www", $base_url) . "/config/"; ?> <form method="POST" action="<?php echo $home_network_config; ?> #check"> <div class="config"> <p>Some operations (upgrading, and content administration) require an administrator password for access. Please enter an administrator password here.</p> <div class="config_item"><label for="admin_password">Admin password</label> <input type="password" id="admin_password" name="admin_password" value="<?php echo $admin_password; ?> "><?php if (!$admin_password) { echo " ← must not be blank!"; } ?> </div> <div class="config_item"><label for="admin_password">Repeat admin password</label> <input type="password" id="admin_password2" name="admin_password2" value="<?php echo $admin_password2; ?> "><?php if (!$admin_password2) { echo " ← must not be blank!"; } else { if ($admin_password != $admin_password2) { echo " ← must be the same as above!"; } } ?> </div> <p>Enter your database details below.</p> <div class="config_item"><label for="mysql_server">MySQL server</label> <input type="text" name="mysql_server" value="<?php echo $mysql_server; ?> "></div> <div class="config_item"><label for="mysql_dbname">MySQL database name</label> <input type="text" name="mysql_dbname" value="<?php echo $mysql_dbname; ?> "></div> <div class="config_item"><label for="mysql_username">MySQL username</label> <input type="text" name="mysql_username" value="<?php echo $mysql_username; ?> "></div> <div class="config_item"><label for="mysql_password">MySQL password</label> <input type="password" name="mysql_password" value="<?php echo $mysql_password; ?> "><?php if (!$mysql_password) { echo " ← must not be blank!"; } ?> </div> <p>If the database has not been created yet, you can enter your database administrator ("root") login details here to have it created automatically:</p> <div class="config_item"><label for="mysql_root_username">Administrator username</label> <input type="text" name="mysql_root_username" value="<?php echo $mysql_root_username; ?> "></div> <div class="config_item"><label for="mysql_root_password">Administrator password</label> <input type="password" name="mysql_root_password" value="<?php echo $mysql_root_password; ?> "></div> <p><input type="submit" value="Set up PeopleAggregator"></p> </div> </form> <?php // only exec the rest after someone clicks 'setup' if (!$_POST) { exit; } // wrap install process in exception handler so we can roll back $rollback_cmds = array(); try { ?> <h2 id="check">Checking config details</h2> <ul> <?php if (!$admin_password) { focus_field("admin_password"); dienow("You must supply an admin password"); } if ($admin_password != $admin_password2) { focus_field("admin_password"); dienow("Both admin paswords must be the same"); } if (!$mysql_password) { focus_field("mysql_password"); dienow("You may not use a blank password for the MySQL connection"); } $user_link = @mysql_connect($mysql_server, $mysql_username, $mysql_password); if ($user_link) { note("Able to connect to the MySQL server at {$mysql_server} with supplied login details."); // make sure the DB isn't already populated if (!mysql_select_db($mysql_dbname, $user_link)) { note("Database does not exist or is inaccessible"); mysql_close($user_link); $user_link = FALSE; } else { $sth = run_query("SHOW TABLES", $user_link); if (mysql_num_rows($sth)) { throw new Installation_Failure("The database {$mysql_dbname} already contains data. Please wipe it out or recreate the database before installing PeopleAggregator. If PeopleAggregator is already installed here, you will have to create your local_config.php file manually."); } } } else { note("Unable to connect to the MySQL server using the supplied login details"); } if (!$user_link) { note("Trying administrator login..."); $admin_link = @mysql_connect($mysql_server, $mysql_root_username, $mysql_root_password); if (!$admin_link) { dienow("Unable to connect to the MySQL server with the supplied login details or as an administrator"); } note("Able to connect to the MySQL server with the supplied administrator login details - a new database will be created."); // make sure the db doesn't already exist if (mysql_select_db($mysql_dbname, $admin_link)) { throw new Installation_Failure("Database {$mysql_dbname} already exists"); } // create it $sql = "CREATE DATABASE " . db_esc($mysql_dbname); $rollback_cmds[] = array("sql", "DROP DATABASE " . db_esc($mysql_dbname), $admin_link); run_query($sql, $admin_link); // now grant permissions with successively looser hostnames until // we find one that lets the web server access the database. foreach (array("localhost", "localhost.localdomain", $_SERVER['SERVER_NAME'], gethostbyname($_SERVER['SERVER_NAME']), "%") as $server_host) { $sql = "GRANT ALL ON " . db_esc($mysql_dbname) . ".* TO " . db_esc($mysql_username) . "@" . db_esc($server_host) . " IDENTIFIED BY '" . mysql_real_escape_string($mysql_password) . "'"; run_query($sql, $admin_link); if (($user_link = mysql_connect($mysql_server, $mysql_username, $mysql_password)) && mysql_select_db($mysql_dbname, $user_link)) { note("Successfully logged in to new database using credentials from host {$server_host}"); break; } } if (!$user_link) { throw new Installation_Failure("Failed to grant access credentials that would allow the web server to access the database. Please try creating the database manually."); } } if (!$user_link) { throw new Installation_Failure("Something went wrong - we should have successfully connected to the DB by now"); } // set all local_config.php vars global $peepagg_dsn; $peepagg_dsn = "mysql://{$mysql_username}:{$mysql_password}@{$mysql_server}/{$mysql_dbname}"; $logger_logFile = "{$path_prefix}/log/pa.log"; $default_relation_id = 1; // now write out local_config.php $local_config_text = "<" . "?php\n\n// local_config.php: This file contains server-specific settings like\n// the database password, the base URL of this installation, and\n// debugging flags. Anything in default_config.php can be overridden\n// here.\n\n// If you want to change project-specific things like the site name,\n// you can use project_config.php.\n\n// Global defaults, which are shared by all other PeopleAggregator\n// installations, are in default_config.php.\n\n// Database details.\n\$peepagg_dsn = \"{$peepagg_dsn}\";\n\n// URL to the root of the server.\n\$base_url = \"{$base_url_config}\";\n\n// Parent domain part of the URL.\n\$domain_suffix = \"{$domain_suffix}\";\n"; if ($allow_spawning) { $local_config_text .= "\n// Network operation is enabled. To disable, set \$_PA->enable_networks\n// to FALSE. To disable network spawning without deactivating existing\n// networks, set \$_PA->enable_network_spawning to FALSE.\n"; } else { $local_config_text .= "\n// Network operation disabled as wildcard domains are not configured.\n// Comment out the following line to enable network creation (after\n// configuring wildcard DNS, etc).\n\$_PA->enable_networks = FALSE;\n"; } $local_config_text .= "\n// Path to log file (you may wish to change this to /var/log/somewhere/pa.log).\n\$logger_logFile = \"\$path_prefix/log/pa.log\";\n\n// Administration password\n\$admin_password = \"{$admin_password}\";\n\n// When a new user registers on the site, they will automatically be marked as a friend of the user with this ID.\n// (The default is 1, so everyone will be a friend of the first user.)\n\$default_relation_id = {$default_relation_id};\n\n?" . ">\n"; global $config_fn; note("Writing local_config.php"); $rollback_cmds[] = array("delete", $config_fn); if (!file_put_contents($config_fn, $local_config_text)) { throw new Installation_Failure("Unable to write {$config_fn}"); } // define LOCAL_CONFIG_OVERRIDE to tell config.inc to load our new // temporary local_config.php rather than look for it in the global // location define("LOCAL_CONFIG_LOCATION_OVERRIDE", $config_fn); // now set up databases note("Initializing database ... "); run_query_file(dirname(__FILE__) . "/../../db/PeepAgg.mysql", $user_link); note("Running database upgrade script and installing default module settings ... "); try { require_once dirname(__FILE__) . "/../update/run_scripts.php"; run_update_scripts(); } catch (Exception $e) { throw new Installation_Failure("Error updating database or installing default module settings: " . $e->getMessage()); } global $do_auto_update; if (!$do_auto_update) { note("Skipping auto-upgrade preparation as it is disabled for this installation."); } else { note("Preparing system for auto-upgradeability ... "); require_once "Subversion/PAStateStore.php"; try { $store = new Subversion_PAStateStore($path_prefix); $store->initialize(); note("Subversion update root: <code>" . $store->get_repository_root() . "</code>; path: <code>" . $store->get_repository_path() . "</code>; revision: " . $store->get_revision()); } catch (Exception $e) { throw new Installation_Failure("Error preparing auto-upgrade system: " . $e->getMessage()); } } ?> </ul> <h2>All done!</h2> <p class="good">Your database has been initialized and a <code>local_config.php</code> file has been written at <code><?php echo $config_fn; ?> </code>. To finish the installation, please move this file up into the parent of the 'web' directory, then <a href="../">click here</a>.</p> <p>The following command will do this on Linux/UNIX:</p> <p style="margin-left: 5em"><code>mv <?php echo realpath($config_fn); ?> <?php echo $path_prefix; ?> /</code></p> <?php //throw new Installation_Failure("foo"); } catch (Installation_Failure $e) { warn("Installation failed (" . $e->getMessage() . ") - undoing operations"); foreach (array_reverse($rollback_cmds) as $cmd) { switch ($cmd[0]) { case 'sql': list(, $sql, $link) = $cmd; note("DB query: {$sql}"); mysql_query($sql, $link); break; case 'delete': list(, $fn) = $cmd; note("Delete: {$fn}"); unlink($fn); break; default: warn("Unknown rollback command type: " . $cmd[0]); break; } } } }