function check($input, $flags, $min = '', $max = '')
{
    $oldput = $input;
    if ($flags & UTF8) {
        $input = my_utf8_decode($input);
    }
    if ($flags & PARANOID) {
        $input = sanitize_paranoid_string($input, $min, $max);
    }
    if ($flags & INT) {
        $input = sanitize_int($input, $min, $max);
    }
    if ($flags & FLOAT) {
        $input = sanitize_float($input, $min, $max);
    }
    if ($flags & HTML) {
        $input = sanitize_html_string($input, $min, $max);
    }
    if ($flags & LDAP) {
        $input = sanitize_ldap_string($input, $min, $max);
    }
    if ($flags & SYSTEM) {
        $input = sanitize_system_string($input, $min, $max, TRUE);
    }
    if ($input != $oldput) {
        return FALSE;
    }
    return TRUE;
}
Beispiel #2
0
function createinsertquery()
{
    global $thissurvey, $timeadjust, $move, $thisstep;
    global $deletenonvalues, $thistpl;
    global $surveyid, $connect, $clang, $postedfieldnames, $bFinalizeThisAnswer;
    require_once "classes/inputfilter/class.inputfilter_clean.php";
    $myFilter = new InputFilter('', '', 1, 1, 1);
    $fieldmap = createFieldMap($surveyid);
    //Creates a list of the legitimate questions for this survey
    if (isset($_SESSION['insertarray']) && is_array($_SESSION['insertarray'])) {
        $inserts = array_unique($_SESSION['insertarray']);
        $colnames_hidden = array();
        foreach ($inserts as $value) {
            //Work out if the field actually exists in this survey
            $fieldexists = '';
            if (isset($fieldmap[$value])) {
                $fieldexists = $fieldmap[$value];
            }
            //Iterate through possible responses
            if (isset($_SESSION[$value]) && !empty($fieldexists)) {
                //Only create column name and data entry if there is actually data!
                $colnames[] = $value;
                //If deletenonvalues is ON, delete any values that shouldn't exist
                if ($deletenonvalues == 1 && !checkconfield($value)) {
                    $values[] = 'NULL';
                    $colnames_hidden[] = $value;
                } elseif ($_SESSION[$value] == '' && $fieldexists['type'] == 'D' || $_SESSION[$value] == '' && $fieldexists['type'] == 'K' || $_SESSION[$value] == '' && $fieldexists['type'] == 'N') {
                    // most databases do not allow to insert an empty value into a datefield,
                    // therefore if no date was chosen in a date question the insert value has to be NULL
                    $values[] = 'NULL';
                } else {
                    // Empty the 'Other' field if a value other than '-oth-' was set for the main field (prevent invalid other values being saved - for example if Javascript fails to hide the 'Other' input field)
                    if ($fieldexists['type'] == '!' && $fieldmap[$value]['aid'] == 'other' && isset($_POST[substr($value, 0, strlen($value) - 5)]) && $_POST[substr($value, 0, strlen($value) - 5)] != '-oth-') {
                        $_SESSION[$value] = '';
                    } elseif ($fieldexists['type'] == 'N') {
                        $_SESSION[$value] = sanitize_float($_SESSION[$value]);
                    } elseif ($fieldexists['type'] == 'D' && is_array($postedfieldnames) && in_array($value, $postedfieldnames)) {
                        // convert the date to the right DB Format but only if it was posted
                        $dateformatdatat = getDateFormatData($thissurvey['surveyls_dateformat']);
                        $datetimeobj = new Date_Time_Converter($_SESSION[$value], $dateformatdatat['phpdate']);
                        $_SESSION[$value] = $datetimeobj->convert("Y-m-d");
                        $_SESSION[$value] = $connect->BindDate($_SESSION[$value]);
                    }
                    $values[] = $connect->qstr($_SESSION[$value], get_magic_quotes_gpc());
                }
            }
        }
        if ($thissurvey['datestamp'] == "Y") {
            $_SESSION['datestamp'] = date_shift(date("Y-m-d H:i:s"), "Y-m-d H:i:s", $timeadjust);
        }
        // First compute the submitdate
        if ($thissurvey['private'] == "Y" && $thissurvey['datestamp'] == "N") {
            // In case of anonymous answers survey with no datestamp
            // then the the answer submutdate gets a conventional timestamp
            // 1st Jan 1980
            $mysubmitdate = date("Y-m-d H:i:s", mktime(0, 0, 0, 1, 1, 1980));
        } else {
            $mysubmitdate = date_shift(date("Y-m-d H:i:s"), "Y-m-d H:i:s", $timeadjust);
        }
        // CHECK TO SEE IF ROW ALREADY EXISTS
        // srid (=Survey Record ID ) is set when the there were already answers saved for that survey
        if (!isset($_SESSION['srid'])) {
            //Prepare row insertion
            if (!isset($colnames) || !is_array($colnames)) {
                echo submitfailed();
                exit;
            }
            // INSERT NEW ROW
            $query = "INSERT INTO " . db_quote_id($thissurvey['tablename']) . "\n" . "(" . implode(', ', array_map('db_quote_id', $colnames));
            $query .= "," . db_quote_id('lastpage');
            if ($thissurvey['datestamp'] == "Y") {
                $query .= "," . db_quote_id('datestamp');
                $query .= "," . db_quote_id('startdate');
            }
            if ($thissurvey['ipaddr'] == "Y") {
                $query .= "," . db_quote_id('ipaddr');
            }
            $query .= "," . db_quote_id('startlanguage');
            if ($thissurvey['refurl'] == "Y") {
                $query .= "," . db_quote_id('refurl');
            }
            if ($bFinalizeThisAnswer === true && $thissurvey['format'] != "A") {
                $query .= "," . db_quote_id('submitdate');
            }
            $query .= ") ";
            $query .= "VALUES (" . implode(", ", $values);
            $query .= "," . ($thisstep + 1);
            if ($thissurvey['datestamp'] == "Y") {
                $query .= ", '" . $_SESSION['datestamp'] . "'";
                $query .= ", '" . $_SESSION['datestamp'] . "'";
            }
            if ($thissurvey['ipaddr'] == "Y") {
                $query .= ", '" . $_SERVER['REMOTE_ADDR'] . "'";
            }
            $query .= ", '" . $_SESSION['s_lang'] . "'";
            if ($thissurvey['refurl'] == "Y") {
                $query .= ", '" . $_SESSION['refurl'] . "'";
            }
            if ($bFinalizeThisAnswer === true && $thissurvey['format'] != "A") {
                // is if a ALL-IN-ONE survey, we don't set the submit date before the data is validated
                $query .= ", " . $connect->DBDate($mysubmitdate);
            }
            $query .= ")";
        } else {
            // UPDATE EXISTING ROW
            // Updates only the MODIFIED fields posted on current page.
            if (isset($postedfieldnames) && $postedfieldnames) {
                $query = "UPDATE {$thissurvey['tablename']} SET ";
                $query .= " lastpage = '" . $thisstep . "',";
                if ($thissurvey['datestamp'] == "Y") {
                    $query .= " datestamp = '" . $_SESSION['datestamp'] . "',";
                }
                if ($thissurvey['ipaddr'] == "Y") {
                    $query .= " ipaddr = '" . $_SERVER['REMOTE_ADDR'] . "',";
                }
                // is if a ALL-IN-ONE survey, we don't set the submit date before the data is validated
                if ($bFinalizeThisAnswer === true && $thissurvey['format'] != "A") {
                    $query .= " submitdate = " . $connect->DBDate($mysubmitdate) . ", ";
                }
                // Resets fields hidden due to conditions
                if ($deletenonvalues == 1) {
                    $hiddenfields = array_unique(array_values($colnames_hidden));
                    foreach ($hiddenfields as $hiddenfield) {
                        //$fieldinfo = arraySearchByKey($hiddenfield, $fieldmap, "fieldname", 1);
                        //if ($fieldinfo['type']=='D' || $fieldinfo['type']=='N' || $fieldinfo['type']=='K')
                        //{
                        $query .= db_quote_id($hiddenfield) . " = NULL,";
                        //}
                        //else
                        //{
                        //	$query .= db_quote_id($hiddenfield)." = '',";
                        //}
                    }
                } else {
                    $hiddenfields = array();
                }
                $fields = $postedfieldnames;
                $fields = array_unique($fields);
                $fields = array_diff($fields, $hiddenfields);
                // Do not take fields that are hidden
                foreach ($fields as $field) {
                    if (!empty($field)) {
                        $fieldinfo = $fieldmap[$field];
                        if (!isset($_POST[$field])) {
                            $_POST[$field] = '';
                        }
                        //fixed numerical question fields. They have to be NULL instead of '' to avoid database errors
                        if ($_POST[$field] == '' && $fieldinfo['type'] == 'D' || $_POST[$field] == '' && $fieldinfo['type'] == 'N' || $_POST[$field] == '' && $fieldinfo['type'] == 'K') {
                            $query .= db_quote_id($field) . " = NULL,";
                        } else {
                            // Empty the 'Other' field if a value other than '-oth-' was set for the main field (prevent invalid other values being saved - for example if Javascript fails to hide the 'Other' input field)
                            if ($fieldinfo['type'] == '!' && $fieldmap[$field]['aid'] == 'other' && $_POST[substr($field, 0, strlen($field) - 5)] != '-oth-') {
                                $qfield = "''";
                            } elseif ($fieldinfo['type'] == 'N') {
                                $qfield = db_quoteall(sanitize_float($_POST[$field]));
                            } elseif ($fieldinfo['type'] == 'D') {
                                $dateformatdatat = getDateFormatData($thissurvey['surveyls_dateformat']);
                                $datetimeobj = new Date_Time_Converter($_POST[$field], $dateformatdatat['phpdate']);
                                $qfield = db_quoteall($connect->BindDate($datetimeobj->convert("Y-m-d")));
                            } else {
                                $qfield = db_quoteall($_POST[$field], true);
                            }
                            $query .= db_quote_id($field) . " = " . $qfield . ",";
                        }
                    }
                }
                $query .= "WHERE id=" . $_SESSION['srid'];
                $query = str_replace(",WHERE", " WHERE", $query);
                // remove comma before WHERE clause
            } else {
                $query = "";
                if ($bFinalizeThisAnswer === true) {
                    $query = "UPDATE {$thissurvey['tablename']} SET ";
                    $query .= " submitdate = " . $connect->DBDate($mysubmitdate);
                    $query .= " WHERE id=" . $_SESSION['srid'];
                }
            }
        }
        //DEBUG START
        //echo $query;
        //DEBUG END
        return $query;
    } else {
        sendcacheheaders();
        doHeader();
        foreach (file("{$thistpl}/startpage.pstpl") as $op) {
            echo templatereplace($op);
        }
        echo "<br /><center><font face='verdana' size='2'><font color='red'><strong>" . $clang->gT("Error") . "</strong></font><br /><br />\n";
        echo $clang->gT("Cannot submit results - there are none to submit.") . "<br /><br />\n";
        echo "<font size='1'>" . $clang->gT("This error can occur if you have already submitted your responses and pressed 'refresh' on your browser. In this case, your responses have already been saved.") . "<br /><br />" . $clang->gT("If you receive this message in the middle of completing a survey, you should choose '<- BACK' on your browser and then refresh/reload the previous page. While you will lose answers from the last page all your others will still exist. This problem can occur if the webserver is suffering from overload or excessive use. We apologise for this problem.") . "<br />\n";
        echo "</font></center><br /><br />";
        exit;
    }
}
 /**
  * Cleanse the $_POSTed data and update $_SESSION variables accordingly
  */
 static function ProcessCurrentResponses()
 {
     $LEM =& LimeExpressionManager::singleton();
     if (!isset($LEM->currentQset)) {
         return array();
     }
     $updatedValues = array();
     $radixchange = $LEM->surveyOptions['radix'] == ',' ? true : false;
     foreach ($LEM->currentQset as $qinfo) {
         $relevant = false;
         $qid = $qinfo['info']['qid'];
         $gseq = $qinfo['info']['gseq'];
         $relevant = isset($_POST['relevance' . $qid]) ? $_POST['relevance' . $qid] == 1 : false;
         $grelevant = isset($_POST['relevanceG' . $gseq]) ? $_POST['relevanceG' . $gseq] == 1 : false;
         $_SESSION[$LEM->sessid]['relevanceStatus'][$qid] = $relevant;
         $_SESSION[$LEM->sessid]['relevanceStatus']['G' . $gseq] = $grelevant;
         foreach (explode('|', $qinfo['sgqa']) as $sq) {
             $sqrelevant = true;
             if (isset($LEM->subQrelInfo[$qid][$sq]['rowdivid'])) {
                 $rowdivid = $LEM->subQrelInfo[$qid][$sq]['rowdivid'];
                 if ($rowdivid != '' && isset($_POST['relevance' . $rowdivid])) {
                     $sqrelevant = $_POST['relevance' . $rowdivid] == 1;
                     $_SESSION[$LEM->sessid]['relevanceStatus'][$rowdivid] = $sqrelevant;
                 }
             }
             $type = $qinfo['info']['type'];
             if ($relevant && $grelevant && $sqrelevant || !$LEM->surveyOptions['deletenonvalues']) {
                 if ($qinfo['info']['hidden'] && !isset($_POST[$sq])) {
                     $value = isset($_SESSION[$LEM->sessid][$sq]) ? $_SESSION[$LEM->sessid][$sq] : '';
                     // if always hidden, use the default value, if any
                 } else {
                     $value = isset($_POST[$sq]) ? $_POST[$sq] : '';
                 }
                 // Check for and adjust ',' and '.' in numbers
                 $isOnlyNum = isset($LEM->knownVars[$sq]['onlynum']) && $LEM->knownVars[$sq]['onlynum'] == '1';
                 if ($radixchange && $isOnlyNum) {
                     // Convert from comma back to decimal
                     // Also make sure to be able to convert numbers like 1.100,10
                     $value = preg_replace('|\\.|', '', $value);
                     $value = preg_replace('|\\,|', '.', $value);
                 } elseif (!$radixchange && $isOnlyNum) {
                     // Still have to remove all ',' introduced by the thousand separator
                     $value = preg_replace('|\\,|', '', $value);
                 }
                 switch ($type) {
                     case 'D':
                         //DATE
                         $value = trim($value);
                         if ($value != "" && $value != "INVALID") {
                             $aAttributes = $LEM->getQuestionAttributesForEM($LEM->sid, $qid, $_SESSION['LEMlang']);
                             if (!isset($aAttributes[$qid])) {
                                 $aAttributes[$qid] = array();
                             }
                             $aDateFormatData = getDateFormatDataForQID($aAttributes[$qid], $LEM->surveyOptions);
                             // We don't really validate date here : if date is invalid : return 1999-12-01 00:00
                             $oDateTimeConverter = new Date_Time_Converter(trim($value), $aDateFormatData['phpdate']);
                             $newValue = $oDateTimeConverter->convert("Y-m-d H:i");
                             $oDateTimeConverter = new Date_Time_Converter($newValue, "Y-m-d H:i");
                             if ($value == $oDateTimeConverter->convert($aDateFormatData['phpdate'])) {
                                 $value = $newValue;
                             } else {
                                 $value = "";
                                 // Or $value="INVALID" ? : dropdown is OK with this not default.
                             }
                         }
                         break;
                         #                            case 'N': //NUMERICAL QUESTION TYPE
                         #                            case 'K': //MULTIPLE NUMERICAL QUESTION
                         #                                if (trim($value)=="") {
                         #                                    $value = "";
                         #                                }
                         #                                else {
                         #                                    $value = sanitize_float($value);
                         #                                }
                         break;
                     case '|':
                         //File Upload
                         if (!preg_match('/_filecount$/', $sq)) {
                             $json = $value;
                             $phparray = json_decode(stripslashes($json));
                             // if the files have not been saved already,
                             // move the files from tmp to the files folder
                             $tmp = $LEM->surveyOptions['tempdir'] . 'upload' . DIRECTORY_SEPARATOR;
                             if (!is_null($phparray) && count($phparray) > 0) {
                                 // Move the (unmoved, temp) files from temp to files directory.
                                 // Check all possible file uploads
                                 for ($i = 0; $i < count($phparray); $i++) {
                                     if (file_exists($tmp . $phparray[$i]->filename)) {
                                         $sDestinationFileName = 'fu_' . randomChars(15);
                                         if (!is_dir($LEM->surveyOptions['target'])) {
                                             mkdir($LEM->surveyOptions['target'], 0777, true);
                                         }
                                         if (!rename($tmp . $phparray[$i]->filename, $LEM->surveyOptions['target'] . $sDestinationFileName)) {
                                             echo "Error moving file to target destination";
                                         }
                                         $phparray[$i]->filename = $sDestinationFileName;
                                     }
                                 }
                                 $value = ls_json_encode($phparray);
                                 // so that EM doesn't try to parse it.
                             }
                         }
                         break;
                 }
                 $_SESSION[$LEM->sessid][$sq] = $value;
                 $_update = array('type' => $type, 'value' => $value);
                 $updatedValues[$sq] = $_update;
                 $LEM->updatedValues[$sq] = $_update;
             } else {
                 // irrelevant, so database will be NULLed separately
                 // Must unset the value, rather than setting to '', so that EM can re-use the default value as needed.
                 unset($_SESSION[$LEM->sessid][$sq]);
                 $_update = array('type' => $type, 'value' => NULL);
                 $updatedValues[$sq] = $_update;
                 $LEM->updatedValues[$sq] = $_update;
             }
         }
     }
     if (isset($_POST['timerquestion'])) {
         $_SESSION[$LEM->sessid][$_POST['timerquestion']] = sanitize_float($_POST[$_POST['timerquestion']]);
     }
     return $updatedValues;
 }
Beispiel #4
0
function sanitize($input, $type, $default = null, $more = null)
{
    #
    # if we get a null in, always return a null
    #
    if ($type == 'isset') {
        return isset($input);
    }
    if (!isset($input)) {
        return $default;
    }
    switch ($type) {
        case 'str':
            return sanitize_string($input, false);
        case 'str_multi':
            return sanitize_string($input, true);
        case 'int32':
            return sanitize_int32($input);
        case 'int64':
            return sanitize_int64($input);
        case 'float':
            return sanitize_float($input);
        case 'html':
            # this needs to do class_exists('lib_filter')
            die("not implemented");
        case 'bool':
            return $input ? true : false;
        case 'rx':
            if (preg_match($more, $input)) {
                return $input;
            }
            return $default;
        case 'in':
            foreach ($more as $match) {
                if ($input === $match) {
                    return $input;
                }
            }
            return $default;
    }
    die("Unknown data conversion type: {$type}");
}
 /**
  * Cleanse the $_POSTed data and update $_SESSION variables accordingly
  */
 static function ProcessCurrentResponses()
 {
     $LEM =& LimeExpressionManager::singleton();
     if (!isset($LEM->currentQset)) {
         return array();
     }
     $updatedValues = array();
     $radixchange = $LEM->surveyOptions['radix'] == ',' ? true : false;
     foreach ($LEM->currentQset as $qinfo) {
         $relevant = false;
         $qid = $qinfo['info']['qid'];
         $gseq = $qinfo['info']['gseq'];
         $relevant = isset($_POST['relevance' . $qid]) ? $_POST['relevance' . $qid] == 1 : false;
         $grelevant = isset($_POST['relevanceG' . $gseq]) ? $_POST['relevanceG' . $gseq] == 1 : false;
         $_SESSION[$LEM->sessid]['relevanceStatus'][$qid] = $relevant;
         $_SESSION[$LEM->sessid]['relevanceStatus']['G' . $gseq] = $grelevant;
         foreach (explode('|', $qinfo['sgqa']) as $sq) {
             $sqrelevant = true;
             if (isset($LEM->subQrelInfo[$qid][$sq]['rowdivid'])) {
                 $rowdivid = $LEM->subQrelInfo[$qid][$sq]['rowdivid'];
                 if ($rowdivid != '' && isset($_POST['relevance' . $rowdivid])) {
                     $sqrelevant = $_POST['relevance' . $rowdivid] == 1;
                     $_SESSION[$LEM->sessid]['relevanceStatus'][$rowdivid] = $sqrelevant;
                 }
             }
             $type = $qinfo['info']['type'];
             if ($relevant && $grelevant && $sqrelevant) {
                 if ($qinfo['info']['hidden'] && !isset($_POST[$sq])) {
                     $value = isset($_SESSION[$LEM->sessid][$sq]) ? $_SESSION[$LEM->sessid][$sq] : '';
                     // if always hidden, use the default value, if any
                 } else {
                     $value = isset($_POST[$sq]) ? $_POST[$sq] : '';
                 }
                 if ($radixchange && isset($LEM->knownVars[$sq]['onlynum']) && $LEM->knownVars[$sq]['onlynum'] == '1') {
                     // convert from comma back to decimal
                     $value = implode('.', explode(',', $value));
                 }
                 switch ($type) {
                     case 'D':
                         //DATE
                         if (trim($value) == "") {
                             $value = "";
                         } else {
                             $dateformatdatat = getDateFormatData($LEM->surveyOptions['surveyls_dateformat']);
                             $datetimeobj = new Date_Time_Converter($value, $dateformatdatat['phpdate']);
                             $value = $datetimeobj->convert("Y-m-d");
                         }
                         break;
                     case 'N':
                         //NUMERICAL QUESTION TYPE
                     //NUMERICAL QUESTION TYPE
                     case 'K':
                         //MULTIPLE NUMERICAL QUESTION
                         if (trim($value) == "") {
                             $value = "";
                         } else {
                             $value = sanitize_float($value);
                         }
                         break;
                     case '|':
                         //File Upload
                         if (!preg_match('/_filecount$/', $sq)) {
                             $json = $value;
                             $phparray = json_decode(stripslashes($json));
                             // if the files have not been saved already,
                             // move the files from tmp to the files folder
                             $tmp = $LEM->surveyOptions['tempdir'] . 'upload' . DIRECTORY_SEPARATOR;
                             if (!is_null($phparray) && count($phparray) > 0) {
                                 // Move the (unmoved, temp) files from temp to files directory.
                                 // Check all possible file uploads
                                 for ($i = 0; $i < count($phparray); $i++) {
                                     if (file_exists($tmp . $phparray[$i]->filename)) {
                                         $sDestinationFileName = 'fu_' . randomChars(15);
                                         if (!is_dir($LEM->surveyOptions['target'])) {
                                             mkdir($LEM->surveyOptions['target'], 0777, true);
                                         }
                                         if (!rename($tmp . $phparray[$i]->filename, $LEM->surveyOptions['target'] . $sDestinationFileName)) {
                                             echo "Error moving file to target destination";
                                         }
                                         $phparray[$i]->filename = $sDestinationFileName;
                                     }
                                 }
                                 $value = ls_json_encode($phparray);
                                 // so that EM doesn't try to parse it.
                             }
                         }
                         break;
                 }
                 $_SESSION[$LEM->sessid][$sq] = $value;
                 $_update = array('type' => $type, 'value' => $value);
                 $updatedValues[$sq] = $_update;
                 $LEM->updatedValues[$sq] = $_update;
             } else {
                 // irrelevant, so database will be NULLed separately
                 // Must unset the value, rather than setting to '', so that EM can re-use the default value as needed.
                 unset($_SESSION[$LEM->sessid][$sq]);
                 $_update = array('type' => $type, 'value' => NULL);
                 $updatedValues[$sq] = $_update;
                 $LEM->updatedValues[$sq] = $_update;
             }
         }
     }
     if (isset($_POST['timerquestion'])) {
         $_SESSION[$LEM->sessid][$_POST['timerquestion']] = sanitize_float($_POST[$_POST['timerquestion']]);
     }
     return $updatedValues;
 }
Beispiel #6
0
function sanitize($input, $flags, $min = '', $max = '')
{
    if ($flags & UTF8) {
        $input = my_utf8_decode($input);
    }
    if ($flags & PARANOID) {
        $input = sanitize_paranoid_string($input, $min, $max);
    }
    if ($flags & INT) {
        $input = sanitize_int($input, $min, $max);
    }
    if ($flags & FLOAT) {
        $input = sanitize_float($input, $min, $max);
    }
    if ($flags & HTML) {
        $input = sanitize_html_string($input, $min, $max);
    }
    if ($flags & SQL) {
        $input = sanitize_sql_string($input, $min, $max);
    }
    if ($flags & LDAP) {
        $input = sanitize_ldap_string($input, $min, $max);
    }
    if ($flags & SYSTEM) {
        $input = sanitize_system_string($input, $min, $max);
    }
    return $input;
}