function check($input, $flags, $min = '', $max = '')
{
    // Runs every sanitizer selected in $flags over $input, in the fixed order
    // below, and reports whether the value survived unchanged.
    //
    // Returns TRUE when the sanitized value still equals the original and
    // FALSE when any sanitizer altered it. The comparison is PHP's loose "==",
    // so a numeric string and the int a sanitizer may return compare equal.
    $original = $input;

    // Ordered pipeline: the order is part of the contract (UTF8 decoding first,
    // SYSTEM last), so it is kept as a list rather than a map.
    $pipeline = array(
        array(UTF8, function ($v) {
            return my_utf8_decode($v);
        }),
        array(PARANOID, function ($v) use ($min, $max) {
            return sanitize_paranoid_string($v, $min, $max);
        }),
        array(INT, function ($v) use ($min, $max) {
            return sanitize_int($v, $min, $max);
        }),
        array(FLOAT, function ($v) use ($min, $max) {
            return sanitize_float($v, $min, $max);
        }),
        array(HTML, function ($v) use ($min, $max) {
            return sanitize_html_string($v, $min, $max);
        }),
        array(LDAP, function ($v) use ($min, $max) {
            return sanitize_ldap_string($v, $min, $max);
        }),
        // SYSTEM is the only step that receives the extra TRUE argument.
        array(SYSTEM, function ($v) use ($min, $max) {
            return sanitize_system_string($v, $min, $max, TRUE);
        }),
    );

    foreach ($pipeline as $step) {
        list($flag, $sanitizer) = $step;
        if ($flags & $flag) {
            $input = $sanitizer($input);
        }
    }

    // Loose comparison kept on purpose (matches the historical behaviour).
    return $input == $original;
}
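function createinsertquery()
{
    // Builds the SQL statement that stores the answers collected so far for
    // the current response: an INSERT when the session holds no srid yet,
    // otherwise an UPDATE of the existing row restricted to the fields posted
    // on the current page.
    //
    // Inputs come from globals ($thissurvey, $thisstep, $postedfieldnames,
    // $bFinalizeThisAnswer, ...) and from $_SESSION / $_POST. The query is
    // returned as a string and is NOT executed here.
    //
    // Exits the script (after rendering an error page) when the session holds
    // no answers to save, and via submitfailed() when an INSERT would have no
    // columns.
    global $thissurvey, $timeadjust, $move, $thisstep;
    global $deletenonvalues, $thistpl;
    global $surveyid, $connect, $clang, $postedfieldnames, $bFinalizeThisAnswer;

    require_once "classes/inputfilter/class.inputfilter_clean.php";
    // $myFilter is not used below; kept because constructing it may have side
    // effects in the legacy filter class — TODO confirm and drop if not.
    $myFilter = new InputFilter('', '', 1, 1, 1);

    $fieldmap = createFieldMap($surveyid); // Creates a list of the legitimate questions for this survey

    if (isset($_SESSION['insertarray']) && is_array($_SESSION['insertarray'])) {
        $inserts = array_unique($_SESSION['insertarray']);
        $colnames_hidden = array();

        foreach ($inserts as $value) {
            // Work out if the field actually exists in this survey
            $fieldexists = '';
            if (isset($fieldmap[$value])) {
                $fieldexists = $fieldmap[$value];
            }

            // Iterate through possible responses
            if (isset($_SESSION[$value]) && !empty($fieldexists)) {
                // Only create column name and data entry if there is actually data!
                $colnames[] = $value;

                // If deletenonvalues is ON, delete any values that shouldn't exist
                if ($deletenonvalues == 1 && !checkconfield($value)) {
                    $values[] = 'NULL';
                    $colnames_hidden[] = $value;
                } elseif (($_SESSION[$value] == '' && $fieldexists['type'] == 'D')
                    || ($_SESSION[$value] == '' && $fieldexists['type'] == 'K')
                    || ($_SESSION[$value] == '' && $fieldexists['type'] == 'N')) {
                    // most databases do not allow to insert an empty value into a datefield,
                    // therefore if no date was chosen in a date question the insert value has to be NULL
                    $values[] = 'NULL';
                } else {
                    // Empty the 'Other' field if a value other than '-oth-' was set for the main field
                    // (prevent invalid other values being saved - for example if Javascript fails to
                    // hide the 'Other' input field)
                    if ($fieldexists['type'] == '!'
                        && $fieldmap[$value]['aid'] == 'other'
                        && isset($_POST[substr($value, 0, strlen($value) - 5)])
                        && $_POST[substr($value, 0, strlen($value) - 5)] != '-oth-') {
                        $_SESSION[$value] = '';
                    } elseif ($fieldexists['type'] == 'N') {
                        $_SESSION[$value] = sanitize_float($_SESSION[$value]);
                    } elseif ($fieldexists['type'] == 'D' && is_array($postedfieldnames) && in_array($value, $postedfieldnames)) {
                        // convert the date to the right DB Format but only if it was posted
                        $dateformatdatat = getDateFormatData($thissurvey['surveyls_dateformat']);
                        $datetimeobj = new Date_Time_Converter($_SESSION[$value], $dateformatdatat['phpdate']);
                        $_SESSION[$value] = $datetimeobj->convert("Y-m-d");
                        $_SESSION[$value] = $connect->BindDate($_SESSION[$value]);
                    }
                    // Answer values always go through the driver's quoting.
                    $values[] = $connect->qstr($_SESSION[$value], get_magic_quotes_gpc());
                }
            }
        }

        if ($thissurvey['datestamp'] == "Y") {
            $_SESSION['datestamp'] = date_shift(date("Y-m-d H:i:s"), "Y-m-d H:i:s", $timeadjust);
        }

        // First compute the submitdate
        if ($thissurvey['private'] == "Y" && $thissurvey['datestamp'] == "N") {
            // In case of anonymous answers survey with no datestamp
            // then the answer submitdate gets a conventional timestamp
            // 1st Jan 1980
            $mysubmitdate = date("Y-m-d H:i:s", mktime(0, 0, 0, 1, 1, 1980));
        } else {
            $mysubmitdate = date_shift(date("Y-m-d H:i:s"), "Y-m-d H:i:s", $timeadjust);
        }

        // CHECK TO SEE IF ROW ALREADY EXISTS
        // srid (=Survey Record ID ) is set when there were already answers saved for that survey
        if (!isset($_SESSION['srid'])) {
            // Prepare row insertion
            if (!isset($colnames) || !is_array($colnames)) {
                echo submitfailed();
                exit;
            }

            // INSERT NEW ROW
            $query = "INSERT INTO " . db_quote_id($thissurvey['tablename']) . "\n"
                . "(" . implode(', ', array_map('db_quote_id', $colnames));
            $query .= "," . db_quote_id('lastpage');
            if ($thissurvey['datestamp'] == "Y") {
                $query .= "," . db_quote_id('datestamp');
                $query .= "," . db_quote_id('startdate');
            }
            if ($thissurvey['ipaddr'] == "Y") {
                $query .= "," . db_quote_id('ipaddr');
            }
            $query .= "," . db_quote_id('startlanguage');
            if ($thissurvey['refurl'] == "Y") {
                $query .= "," . db_quote_id('refurl');
            }
            if ($bFinalizeThisAnswer === true && $thissurvey['format'] != "A") {
                $query .= "," . db_quote_id('submitdate');
            }
            $query .= ") ";

            $query .= "VALUES (" . implode(", ", $values);
            $query .= "," . ($thisstep + 1);
            if ($thissurvey['datestamp'] == "Y") {
                // Generated above by date_shift(date(...)), not taken from the request.
                $query .= ", '" . $_SESSION['datestamp'] . "'";
                $query .= ", '" . $_SESSION['datestamp'] . "'";
            }
            // Metadata strings whose origin is outside this function (client
            // address, start language, referrer) are quoted through the driver
            // like the answer values, instead of being wrapped in literal quotes.
            if ($thissurvey['ipaddr'] == "Y") {
                $query .= ", " . $connect->qstr($_SERVER['REMOTE_ADDR']);
            }
            $query .= ", " . $connect->qstr($_SESSION['s_lang']);
            if ($thissurvey['refurl'] == "Y") {
                $query .= ", " . $connect->qstr($_SESSION['refurl']);
            }
            if ($bFinalizeThisAnswer === true && $thissurvey['format'] != "A") {
                // if it is an ALL-IN-ONE survey, we don't set the submit date before the data is validated
                $query .= ", " . $connect->DBDate($mysubmitdate);
            }
            $query .= ")";
        } else {
            // UPDATE EXISTING ROW
            // Updates only the MODIFIED fields posted on current page.
            if (isset($postedfieldnames) && $postedfieldnames) {
                // Table name quoted the same way as in the INSERT branch.
                $query = "UPDATE " . db_quote_id($thissurvey['tablename']) . " SET ";
                $query .= " lastpage = '" . $thisstep . "',";
                if ($thissurvey['datestamp'] == "Y") {
                    $query .= " datestamp = '" . $_SESSION['datestamp'] . "',";
                }
                if ($thissurvey['ipaddr'] == "Y") {
                    $query .= " ipaddr = " . $connect->qstr($_SERVER['REMOTE_ADDR']) . ",";
                }
                // if it is an ALL-IN-ONE survey, we don't set the submit date before the data is validated
                if ($bFinalizeThisAnswer === true && $thissurvey['format'] != "A") {
                    // No space after the comma: the ",WHERE" -> " WHERE" fix-up below
                    // only matches a bare comma, so a trailing ", " here produced an
                    // invalid statement whenever no further column followed.
                    $query .= " submitdate = " . $connect->DBDate($mysubmitdate) . ",";
                }

                // Resets fields hidden due to conditions
                if ($deletenonvalues == 1) {
                    $hiddenfields = array_unique(array_values($colnames_hidden));
                    foreach ($hiddenfields as $hiddenfield) {
                        $query .= db_quote_id($hiddenfield) . " = NULL,";
                    }
                } else {
                    $hiddenfields = array();
                }

                $fields = $postedfieldnames;
                $fields = array_unique($fields);
                $fields = array_diff($fields, $hiddenfields); // Do not take fields that are hidden

                foreach ($fields as $field) {
                    if (!empty($field)) {
                        $fieldinfo = $fieldmap[$field];
                        if (!isset($_POST[$field])) {
                            $_POST[$field] = '';
                        }
                        // fixed numerical question fields. They have to be NULL instead of '' to avoid database errors
                        if (($_POST[$field] == '' && $fieldinfo['type'] == 'D')
                            || ($_POST[$field] == '' && $fieldinfo['type'] == 'N')
                            || ($_POST[$field] == '' && $fieldinfo['type'] == 'K')) {
                            $query .= db_quote_id($field) . " = NULL,";
                        } else {
                            // Empty the 'Other' field if a value other than '-oth-' was set for the main field
                            // (prevent invalid other values being saved - for example if Javascript fails to
                            // hide the 'Other' input field)
                            if ($fieldinfo['type'] == '!'
                                && $fieldmap[$field]['aid'] == 'other'
                                && $_POST[substr($field, 0, strlen($field) - 5)] != '-oth-') {
                                $qfield = "''";
                            } elseif ($fieldinfo['type'] == 'N') {
                                $qfield = db_quoteall(sanitize_float($_POST[$field]));
                            } elseif ($fieldinfo['type'] == 'D') {
                                $dateformatdatat = getDateFormatData($thissurvey['surveyls_dateformat']);
                                $datetimeobj = new Date_Time_Converter($_POST[$field], $dateformatdatat['phpdate']);
                                $qfield = db_quoteall($connect->BindDate($datetimeobj->convert("Y-m-d")));
                            } else {
                                $qfield = db_quoteall($_POST[$field], true);
                            }
                            $query .= db_quote_id($field) . " = " . $qfield . ",";
                        }
                    }
                }

                // NOTE(review): srid is concatenated as-is; it is expected to be the
                // integer row id stored by the application after the INSERT — confirm
                // that nothing else ever writes $_SESSION['srid'].
                $query .= "WHERE id=" . $_SESSION['srid'];
                $query = str_replace(",WHERE", " WHERE", $query); // remove comma before WHERE clause
            } else {
                $query = "";
                if ($bFinalizeThisAnswer === true) {
                    $query = "UPDATE " . db_quote_id($thissurvey['tablename']) . " SET ";
                    $query .= " submitdate = " . $connect->DBDate($mysubmitdate);
                    $query .= " WHERE id=" . $_SESSION['srid'];
                }
            }
        }

        return $query;
    } else {
        // Nothing in the session to store: render the "cannot submit" page and stop.
        sendcacheheaders();
        doHeader();
        foreach (file("{$thistpl}/startpage.pstpl") as $op) {
            echo templatereplace($op);
        }
        echo "<br /><center><font face='verdana' size='2'><font color='red'><strong>" . $clang->gT("Error") . "</strong></font><br /><br />\n";
        echo $clang->gT("Cannot submit results - there are none to submit.") . "<br /><br />\n";
        echo "<font size='1'>" . $clang->gT("This error can occur if you have already submitted your responses and pressed 'refresh' on your browser. In this case, your responses have already been saved.") . "<br /><br />" . $clang->gT("If you receive this message in the middle of completing a survey, you should choose '<- BACK' on your browser and then refresh/reload the previous page. While you will lose answers from the last page all your others will still exist. This problem can occur if the webserver is suffering from overload or excessive use. We apologise for this problem.") . "<br />\n";
        echo "</font></center><br /><br />";
        exit;
    }
}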
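/**
 * Cleanse the $_POSTed data and update $_SESSION variables accordingly.
 *
 * Walks every question of the current page ($LEM->currentQset), records the
 * posted relevance flags in the session, normalises each relevant answer by
 * question type (radix fix-up for numeric-only fields, date re-formatting,
 * file-upload bookkeeping) and stores it under $_SESSION[$LEM->sessid][$sq].
 * Answers of irrelevant questions are unset so EM can fall back to defaults
 * (unless the survey's deletenonvalues option is off, in which case every
 * answer is kept).
 *
 * Numeric types (N, K) get no per-type handling here beyond the radix fix-up.
 *
 * @return array map of sgqa => array('type' => question type, 'value' => stored value or NULL);
 *               empty when there is no current question set
 */
static function ProcessCurrentResponses()
{
    $LEM =& LimeExpressionManager::singleton();
    if (!isset($LEM->currentQset)) {
        return array();
    }
    $updatedValues = array();
    $radixchange = $LEM->surveyOptions['radix'] == ',' ? true : false;

    foreach ($LEM->currentQset as $qinfo) {
        $relevant = false;
        $qid = $qinfo['info']['qid'];
        $gseq = $qinfo['info']['gseq'];
        // Relevance flags are posted by the page as relevance<qid> / relevanceG<gseq>.
        $relevant = isset($_POST['relevance' . $qid]) ? $_POST['relevance' . $qid] == 1 : false;
        $grelevant = isset($_POST['relevanceG' . $gseq]) ? $_POST['relevanceG' . $gseq] == 1 : false;
        $_SESSION[$LEM->sessid]['relevanceStatus'][$qid] = $relevant;
        $_SESSION[$LEM->sessid]['relevanceStatus']['G' . $gseq] = $grelevant;

        foreach (explode('|', $qinfo['sgqa']) as $sq) {
            $sqrelevant = true;
            if (isset($LEM->subQrelInfo[$qid][$sq]['rowdivid'])) {
                $rowdivid = $LEM->subQrelInfo[$qid][$sq]['rowdivid'];
                if ($rowdivid != '' && isset($_POST['relevance' . $rowdivid])) {
                    $sqrelevant = $_POST['relevance' . $rowdivid] == 1;
                    $_SESSION[$LEM->sessid]['relevanceStatus'][$rowdivid] = $sqrelevant;
                }
            }
            $type = $qinfo['info']['type'];

            if (($relevant && $grelevant && $sqrelevant) || !$LEM->surveyOptions['deletenonvalues']) {
                if ($qinfo['info']['hidden'] && !isset($_POST[$sq])) {
                    $value = isset($_SESSION[$LEM->sessid][$sq]) ? $_SESSION[$LEM->sessid][$sq] : ''; // if always hidden, use the default value, if any
                } else {
                    $value = isset($_POST[$sq]) ? $_POST[$sq] : '';
                }

                // Check for and adjust ',' and '.' in numbers
                $isOnlyNum = isset($LEM->knownVars[$sq]['onlynum']) && $LEM->knownVars[$sq]['onlynum'] == '1';
                if ($radixchange && $isOnlyNum) {
                    // Convert from comma back to decimal
                    // Also make sure to be able to convert numbers like 1.100,10
                    $value = preg_replace('|\\.|', '', $value);
                    $value = preg_replace('|\\,|', '.', $value);
                } elseif (!$radixchange && $isOnlyNum) {
                    // Still have to remove all ',' introduced by the thousand separator
                    $value = preg_replace('|\\,|', '', $value);
                }

                switch ($type) {
                    case 'D': // DATE
                        $value = trim($value);
                        if ($value != "" && $value != "INVALID") {
                            $aAttributes = $LEM->getQuestionAttributesForEM($LEM->sid, $qid, $_SESSION['LEMlang']);
                            if (!isset($aAttributes[$qid])) {
                                $aAttributes[$qid] = array();
                            }
                            $aDateFormatData = getDateFormatDataForQID($aAttributes[$qid], $LEM->surveyOptions);
                            // We don't really validate date here : if date is invalid : return 1999-12-01 00:00
                            $oDateTimeConverter = new Date_Time_Converter(trim($value), $aDateFormatData['phpdate']);
                            $newValue = $oDateTimeConverter->convert("Y-m-d H:i");
                            // Round-trip check: only accept the value if converting back
                            // yields exactly what was posted.
                            $oDateTimeConverter = new Date_Time_Converter($newValue, "Y-m-d H:i");
                            if ($value == $oDateTimeConverter->convert($aDateFormatData['phpdate'])) {
                                $value = $newValue;
                            } else {
                                $value = ""; // Or $value="INVALID" ? : dropdown is OK with this not default.
                            }
                        }
                        break;

                    case '|': // File Upload
                        if (!preg_match('/_filecount$/', $sq)) {
                            $json = $value;
                            $phparray = json_decode(stripslashes($json));
                            // if the files have not been saved already,
                            // move the files from tmp to the files folder
                            $tmp = $LEM->surveyOptions['tempdir'] . 'upload' . DIRECTORY_SEPARATOR;
                            // json_decode() may yield a scalar or an object for malformed input;
                            // only a JSON array of entries can be iterated below.
                            if (is_array($phparray) && count($phparray) > 0) {
                                // Move the (unmoved, temp) files from temp to files directory.
                                // Check all possible file uploads
                                for ($i = 0; $i < count($phparray); $i++) {
                                    if (!is_object($phparray[$i]) || !isset($phparray[$i]->filename)) {
                                        continue;
                                    }
                                    $sTempName = $phparray[$i]->filename;
                                    // The entry comes from client-supplied JSON. Only a bare file
                                    // name inside the upload temp directory may be moved; anything
                                    // with a directory component (or '.', '..', NUL) is treated as
                                    // a non-existent file and left untouched.
                                    $isBareName = is_string($sTempName)
                                        && $sTempName !== ''
                                        && $sTempName !== '.'
                                        && $sTempName !== '..'
                                        && strpos($sTempName, "\0") === false
                                        && basename($sTempName) === $sTempName;
                                    if (!$isBareName) {
                                        continue;
                                    }
                                    if (file_exists($tmp . $sTempName)) {
                                        $sDestinationFileName = 'fu_' . randomChars(15);
                                        if (!is_dir($LEM->surveyOptions['target'])) {
                                            // NOTE(review): 0777 is world-writable; the effective mode
                                            // depends on the umask — a tighter mode is preferable if
                                            // deployments allow it.
                                            mkdir($LEM->surveyOptions['target'], 0777, true);
                                        }
                                        if (!rename($tmp . $sTempName, $LEM->surveyOptions['target'] . $sDestinationFileName)) {
                                            echo "Error moving file to target destination";
                                        }
                                        $phparray[$i]->filename = $sDestinationFileName;
                                    }
                                }
                                $value = ls_json_encode($phparray); // so that EM doesn't try to parse it.
                            }
                        }
                        break;
                }

                $_SESSION[$LEM->sessid][$sq] = $value;
                $_update = array('type' => $type, 'value' => $value);
                $updatedValues[$sq] = $_update;
                $LEM->updatedValues[$sq] = $_update;
            } else {
                // irrelevant, so database will be NULLed separately
                // Must unset the value, rather than setting to '', so that EM can re-use the default value as needed.
                unset($_SESSION[$LEM->sessid][$sq]);
                $_update = array('type' => $type, 'value' => NULL);
                $updatedValues[$sq] = $_update;
                $LEM->updatedValues[$sq] = $_update;
            }
        }
    }

    if (isset($_POST['timerquestion'])) {
        // NOTE(review): the session key is taken verbatim from the request; confirm
        // upstream that 'timerquestion' is restricted to a known sgqa of this page.
        $_SESSION[$LEM->sessid][$_POST['timerquestion']] = sanitize_float($_POST[$_POST['timerquestion']]);
    }

    return $updatedValues;
}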
function sanitize($input, $type, $default = null, $more = null)
{
    // Coerces or validates $input according to $type:
    //   'isset'              -> bool, whether $input is set ($default is ignored)
    //   'str' / 'str_multi'  -> sanitize_string(), multi-line allowed for 'str_multi'
    //   'int32' / 'int64' / 'float' -> the matching sanitize_* helper
    //   'html'               -> not implemented; stops the script
    //   'bool'               -> truthiness of $input
    //   'rx'                 -> $input when it matches the regex in $more, else $default
    //   'in'                 -> $input when strictly equal to an element of $more, else $default
    // A null/unset $input yields $default for every type except 'isset'.
    // An unknown $type stops the script.

    $wantsExistenceOnly = ($type == 'isset');
    if ($wantsExistenceOnly) {
        return isset($input);
    }

    // Nothing to sanitize: hand back the caller's fallback.
    if (!isset($input)) {
        return $default;
    }

    switch ($type) {
        case 'str':
            return sanitize_string($input, false);

        case 'str_multi':
            return sanitize_string($input, true);

        case 'int32':
            return sanitize_int32($input);

        case 'int64':
            return sanitize_int64($input);

        case 'float':
            return sanitize_float($input);

        case 'html':
            // this needs to do class_exists('lib_filter')
            die("not implemented");

        case 'bool':
            return (bool) $input;

        case 'rx':
            return preg_match($more, $input) ? $input : $default;

        case 'in':
            $accepted = $default;
            foreach ($more as $candidate) {
                if ($candidate === $input) {
                    $accepted = $input;
                    break;
                }
            }
            return $accepted;
    }

    die("Unknown data conversion type: {$type}");
}
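/**
 * Cleanse the $_POSTed data and update $_SESSION variables accordingly.
 *
 * Walks every question of the current page ($LEM->currentQset), records the
 * posted relevance flags in the session, normalises each relevant answer by
 * question type (comma-to-dot radix fix-up for numeric-only fields, date
 * re-formatting, float sanitising, file-upload bookkeeping) and stores it
 * under $_SESSION[$LEM->sessid][$sq]. Answers of irrelevant questions are
 * unset so EM can fall back to defaults.
 *
 * @return array map of sgqa => array('type' => question type, 'value' => stored value or NULL);
 *               empty when there is no current question set
 */
static function ProcessCurrentResponses()
{
    $LEM =& LimeExpressionManager::singleton();
    if (!isset($LEM->currentQset)) {
        return array();
    }
    $updatedValues = array();
    $radixchange = $LEM->surveyOptions['radix'] == ',' ? true : false;

    foreach ($LEM->currentQset as $qinfo) {
        $relevant = false;
        $qid = $qinfo['info']['qid'];
        $gseq = $qinfo['info']['gseq'];
        // Relevance flags are posted by the page as relevance<qid> / relevanceG<gseq>.
        $relevant = isset($_POST['relevance' . $qid]) ? $_POST['relevance' . $qid] == 1 : false;
        $grelevant = isset($_POST['relevanceG' . $gseq]) ? $_POST['relevanceG' . $gseq] == 1 : false;
        $_SESSION[$LEM->sessid]['relevanceStatus'][$qid] = $relevant;
        $_SESSION[$LEM->sessid]['relevanceStatus']['G' . $gseq] = $grelevant;

        foreach (explode('|', $qinfo['sgqa']) as $sq) {
            $sqrelevant = true;
            if (isset($LEM->subQrelInfo[$qid][$sq]['rowdivid'])) {
                $rowdivid = $LEM->subQrelInfo[$qid][$sq]['rowdivid'];
                if ($rowdivid != '' && isset($_POST['relevance' . $rowdivid])) {
                    $sqrelevant = $_POST['relevance' . $rowdivid] == 1;
                    $_SESSION[$LEM->sessid]['relevanceStatus'][$rowdivid] = $sqrelevant;
                }
            }
            $type = $qinfo['info']['type'];

            if ($relevant && $grelevant && $sqrelevant) {
                if ($qinfo['info']['hidden'] && !isset($_POST[$sq])) {
                    $value = isset($_SESSION[$LEM->sessid][$sq]) ? $_SESSION[$LEM->sessid][$sq] : ''; // if always hidden, use the default value, if any
                } else {
                    $value = isset($_POST[$sq]) ? $_POST[$sq] : '';
                }

                if ($radixchange && isset($LEM->knownVars[$sq]['onlynum']) && $LEM->knownVars[$sq]['onlynum'] == '1') {
                    // convert from comma back to decimal
                    $value = implode('.', explode(',', $value));
                }

                switch ($type) {
                    case 'D': // DATE
                        if (trim($value) == "") {
                            $value = "";
                        } else {
                            $dateformatdatat = getDateFormatData($LEM->surveyOptions['surveyls_dateformat']);
                            $datetimeobj = new Date_Time_Converter($value, $dateformatdatat['phpdate']);
                            $value = $datetimeobj->convert("Y-m-d");
                        }
                        break;

                    case 'N': // NUMERICAL QUESTION TYPE
                    case 'K': // MULTIPLE NUMERICAL QUESTION
                        if (trim($value) == "") {
                            $value = "";
                        } else {
                            $value = sanitize_float($value);
                        }
                        break;

                    case '|': // File Upload
                        if (!preg_match('/_filecount$/', $sq)) {
                            $json = $value;
                            $phparray = json_decode(stripslashes($json));
                            // if the files have not been saved already,
                            // move the files from tmp to the files folder
                            $tmp = $LEM->surveyOptions['tempdir'] . 'upload' . DIRECTORY_SEPARATOR;
                            // json_decode() may yield a scalar or an object for malformed input;
                            // only a JSON array of entries can be iterated below.
                            if (is_array($phparray) && count($phparray) > 0) {
                                // Move the (unmoved, temp) files from temp to files directory.
                                // Check all possible file uploads
                                for ($i = 0; $i < count($phparray); $i++) {
                                    if (!is_object($phparray[$i]) || !isset($phparray[$i]->filename)) {
                                        continue;
                                    }
                                    $sTempName = $phparray[$i]->filename;
                                    // The entry comes from client-supplied JSON. Only a bare file
                                    // name inside the upload temp directory may be moved; anything
                                    // with a directory component (or '.', '..', NUL) is treated as
                                    // a non-existent file and left untouched.
                                    $isBareName = is_string($sTempName)
                                        && $sTempName !== ''
                                        && $sTempName !== '.'
                                        && $sTempName !== '..'
                                        && strpos($sTempName, "\0") === false
                                        && basename($sTempName) === $sTempName;
                                    if (!$isBareName) {
                                        continue;
                                    }
                                    if (file_exists($tmp . $sTempName)) {
                                        $sDestinationFileName = 'fu_' . randomChars(15);
                                        if (!is_dir($LEM->surveyOptions['target'])) {
                                            // NOTE(review): 0777 is world-writable; the effective mode
                                            // depends on the umask — a tighter mode is preferable if
                                            // deployments allow it.
                                            mkdir($LEM->surveyOptions['target'], 0777, true);
                                        }
                                        if (!rename($tmp . $sTempName, $LEM->surveyOptions['target'] . $sDestinationFileName)) {
                                            echo "Error moving file to target destination";
                                        }
                                        $phparray[$i]->filename = $sDestinationFileName;
                                    }
                                }
                                $value = ls_json_encode($phparray); // so that EM doesn't try to parse it.
                            }
                        }
                        break;
                }

                $_SESSION[$LEM->sessid][$sq] = $value;
                $_update = array('type' => $type, 'value' => $value);
                $updatedValues[$sq] = $_update;
                $LEM->updatedValues[$sq] = $_update;
            } else {
                // irrelevant, so database will be NULLed separately
                // Must unset the value, rather than setting to '', so that EM can re-use the default value as needed.
                unset($_SESSION[$LEM->sessid][$sq]);
                $_update = array('type' => $type, 'value' => NULL);
                $updatedValues[$sq] = $_update;
                $LEM->updatedValues[$sq] = $_update;
            }
        }
    }

    if (isset($_POST['timerquestion'])) {
        // NOTE(review): the session key is taken verbatim from the request; confirm
        // upstream that 'timerquestion' is restricted to a known sgqa of this page.
        $_SESSION[$LEM->sessid][$_POST['timerquestion']] = sanitize_float($_POST[$_POST['timerquestion']]);
    }

    return $updatedValues;
}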
function sanitize($input, $flags, $min = '', $max = '')
{
    // Applies every sanitizer selected in $flags to $input and returns the
    // cleaned value. The steps run in the fixed order below (UTF8 decoding
    // first, SYSTEM last); $min and $max are forwarded to each sanitizer
    // unchanged.
    $pipeline = array(
        array(UTF8, function ($v) {
            return my_utf8_decode($v);
        }),
        array(PARANOID, function ($v) use ($min, $max) {
            return sanitize_paranoid_string($v, $min, $max);
        }),
        array(INT, function ($v) use ($min, $max) {
            return sanitize_int($v, $min, $max);
        }),
        array(FLOAT, function ($v) use ($min, $max) {
            return sanitize_float($v, $min, $max);
        }),
        array(HTML, function ($v) use ($min, $max) {
            return sanitize_html_string($v, $min, $max);
        }),
        array(SQL, function ($v) use ($min, $max) {
            return sanitize_sql_string($v, $min, $max);
        }),
        array(LDAP, function ($v) use ($min, $max) {
            return sanitize_ldap_string($v, $min, $max);
        }),
        array(SYSTEM, function ($v) use ($min, $max) {
            return sanitize_system_string($v, $min, $max);
        }),
    );

    $cleaned = $input;
    foreach ($pipeline as $step) {
        list($flag, $sanitizer) = $step;
        if ($flags & $flag) {
            $cleaned = $sanitizer($cleaned);
        }
    }

    return $cleaned;
}