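/**
  * cleanup values that are passed by GET, POST or COOKIE
  *
  * the php "feature" magic_quotes automatically escapes values passed from the
  * user to write them into the database. unfortunately it uses the wrong function
  * ({@link addslashes() addslashes()} instead of
  * {@link mysql_real_escape_string() mysql_real_escape_string()}) and often one
  * does not write these infos to the database at all. this function checks,
  * whether magic_quotes is turned on or not and strips the slashes if
  * necessary. arrays are cleaned recursively (string keys get the same slash
  * treatment as values). it should be called on every string passed by GET,
  * POST or COOKIE that is used.
  *
  * magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() itself no
  * longer exists in PHP 8, so the check is guarded with function_exists(); on
  * current PHP the value is passed through unchanged (slashes in keys are no
  * longer stripped unconditionally either).
  *
  * NOTE(security): with $htmlAllowed = true the raw user value is returned.
  * this is NOT an injection defence: callers still have to escape for the
  * context the value ends up in (SQL via $db->escape(), HTML output via
  * htmlspecialchars(), ...). with $htmlAllowed = false the value is entity
  * encoded for HTML and must not be reused for anything else (comparisons,
  * SQL), because e.g. "<" has become "&lt;".
  * @static
  * @param string|array $val string/array to clean up
  * @param boolean $htmlAllowed is html allowed in the strings?
  * @return string|array cleaned string (or array with cleaned keys and values)
  */
 function cleanGPC($val, $htmlAllowed = true)
 {
     // stripslashes() is only correct when the (legacy) magic_quotes_gpc
     // feature added the backslashes in the first place
     $magicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
     if (is_array($val)) {
         $cleaned = array();
         foreach ($val as $key => $value) {
             // numeric keys are left alone; string keys are unslashed like values
             $cleanKey = (is_numeric($key) || !$magicQuotes) ? $key : stripslashes($key);
             $cleaned[$cleanKey] = StringHelper::cleanGPC($value, $htmlAllowed);
         }
         return $cleaned;
     }
     if ($magicQuotes) {
         $val = stripslashes($val);
     }
     if ($htmlAllowed) {
         return $val;
     }
     // HTML context only: encodes <, >, &, " and '
     return htmlentities((string) $val, ENT_QUOTES, 'UTF-8');
 }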
 /**
  * Stores the contact data of a submitted form.
  *
  * $post is taken by reference: the uploaded picture path is written into it
  * under 'URLtoMugshot' before the GPC-cleaned copy is handed to
  * saveContactFromArray(), so the caller's array sees that key afterwards.
  * The contact is kept on the instance in $this->contact (by reference).
  *
  * @param object $contact contact to save into (presumably a Contact; it must
  *                        provide saveContactFromArray())
  * @param array $post raw form data ($_POST), modified in place
  * @param string|null $pictureFile path of the uploaded mugshot, if any
  * @param boolean $adminsave passed through to saveContactFromArray()
  * @return boolean true on success, false on errors (contact NOT saved -> check errorHandler then)
  */
 function saveContactFromPost(&$contact, &$post, $pictureFile = null, $adminsave = false)
 {
     $this->contact =& $contact;
     // force by reference
     $post['URLtoMugshot'] = $pictureFile;
     $cleanPost = StringHelper::cleanGPC($post);
     $saved = $this->contact->saveContactFromArray($cleanPost, $adminsave);
     return $saved;
 }
 *  Map PLUGIN for THE ADDRESS BOOK
 *************************************************************
* @package plugins
* @author Thomas Katzlberger
*/
chdir('../../');
require_once 'lib/init.php';
require_once 'Contact.class.php';
require_once 'DB.class.php';
require_once 'StringHelper.class.php';
require_once 'ErrorHandler.class.php';
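// both parameters are required: the contact (cid) and which of its addresses
// (id) to map. cid is forced to int; id is only compared and echoed, so it is
// restricted to a plain scalar.
$address_id = isset($_GET['id']) && is_scalar($_GET['id']) ? StringHelper::cleanGPC($_GET['id']) : null;
$contact = null;
if (isset($_GET['cid'])) {
    $contact = Contact::newContact(intval(StringHelper::cleanGPC($_GET['cid'])));
}
if ($contact === null || $address_id === null) {
    // previously this ended in a fatal "call to a member function on null"
    $errorHandler->error('argVal', 'Missing parameter: cid and id are required');
    exit;
}
// use for the google-bubble?
// search correct address in value group ... not very efficient
$adds = $contact->getValueGroup('addresses');
$add = null;
foreach ($adds as $a) {
    // compared as strings: refid comes from the DB, id from the URL
    if (isset($a['refid']) && (string) $a['refid'] === (string) $address_id) {
        $add = $a;
        break;
    }
}
if ($add === null) {
    // the id is user controlled: encode it before putting it into the message
    // (NOTE(review): assumes $errorHandler does not HTML-encode again)
    $errorHandler->error('argVal', 'The address with id=' . htmlspecialchars($address_id, ENT_QUOTES, 'UTF-8') . ' does not exist');
}
$errorMessage = 'Unable to map this address. The address may not be included in any geocoder currently available here, or it is simply misspelled. Sorry!';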
// Cache Geocode ... currently not available, needs API key
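 /**
  * saves the table (has not to be called by user, called by {@link TableEditor} itself)
  *
  * this function checks for each row and field, if it may be saved by the user, and
  * if the value passed by the user is a legal value (for enum types).
  *
  * Rows come from $_POST[$this->tableName][0..n]; each row must carry the
  * primary key. When $this->sql is set, the query that produced the displayed
  * rows is run again and only rows whose primary key was part of that result
  * are updated - ids that were not sent out can not be smuggled in through the
  * form. Fields marked 'visible' are never written; enum fields (array spec)
  * only accept one of their listed keys, or the literal string 'NULL' which
  * writes SQL NULL. Column and table names come from popFields() and
  * $this->tableName, not from the request; values go through
  * $this->db->escape().
  *
  * Non-scalar (nested array) rows and values are ignored: an array would reach
  * isset($v[$array]) (TypeError since PHP 8) and $this->db->escape().
  *
  * Every POSTed row is counted in $this->processed, every issued UPDATE in
  * $this->saved.
  */
 function save()
 {
     $fields = array();
     $header = null;
     $this->popFields($fields, $header, TRUE);
     // allow-list of primary keys that were displayed; null = no restriction
     $allowedIDs = null;
     if ($this->sql !== null) {
         // same query as display again before save to verify the primKeys that we sent out
         $allowedIDs = array();
         $this->db->query($this->sql);
         while ($r = $this->db->next()) {
             // compared as strings: POST values are strings, DB values may not be
             $allowedIDs[] = (string) $r[$this->primKey];
         }
     }
     for ($i = 0; isset($_POST[$this->tableName][$i]); $i++) {
         $cur = StringHelper::cleanGPC($_POST[$this->tableName][$i]);
         $this->processed++;
         if (!is_array($cur) || !isset($cur[$this->primKey]) || !is_scalar($cur[$this->primKey])) {
             continue;
         }
         $id = (string) $cur[$this->primKey];
         if ($allowedIDs !== null && !in_array($id, $allowedIDs, true)) {
             continue;
         }
         $assignments = array();
         foreach ($fields as $k => $v) {
             // read-only column, not submitted, or not a plain value
             if ($v === 'visible' || !isset($cur[$k]) || !is_scalar($cur[$k])) {
                 continue;
             }
             $value = $cur[$k];
             if (is_array($v)) {
                 // enum column: $v lists the legal values as keys
                 if (!isset($v[$value])) {
                     continue;
                 }
                 if ($value === 'NULL') {
                     $assignments[] = $k . ' = NULL';
                     continue;
                 }
             }
             $assignments[] = $k . ' = ' . $this->db->escape($value);
         }
         if (!$assignments) {
             continue;
         }
         $sql = 'UPDATE ' . $this->tableName . ' SET ' . implode(', ', $assignments)
             . ' WHERE ' . $this->primKey . ' = ' . $this->db->escape($id);
         $this->db->query($sql);
         $this->saved++;
     }
 }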
 *
 *************************************************************/
chdir("..");
require_once 'lib/init.php';
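// Only logged-in users (at least 'guest') may use the autocompleter;
// everybody else gets an empty response.
if (!isset($_SESSION['user']) || !$_SESSION['user']->isAtLeast('guest')) {
    exit;
}
require_once 'DB.class.php';
require_once 'StringHelper.class.php';
// search type from the cookie; the switch below only reacts to known values
$type = isset($_COOKIE["searchtype"]) ? StringHelper::cleanGPC($_COOKIE["searchtype"]) : "name";
// admins may also match hidden contacts (used as "hidden = 0 OR $admin")
$admin = intval($_SESSION['user']->isAtLeast('admin'));
// the prefix typed so far; a missing or non-scalar value counts as empty
$goTo = isset($_POST['goTo']) && is_scalar($_POST['goTo']) ? StringHelper::cleanGPC($_POST['goTo']) : '';
// $db->escape() returns a quoted SQL literal; the quotes are stripped because
// the value is embedded in its own LIKE '...%' literal below
$p = $db->escape($goTo);
if (is_string($p) && $p !== '' && $p[0] == "'") {
    $p = mb_substr($p, 1, -1);
}
// LIKE treats % and _ as wildcards: escape them so the typed text is matched
// literally (MySQL keeps \% and \_ inside string literals for exactly this)
$p = addcslashes($p, '%_');
// forced to int because it is interpolated into LIMIT
$limit = intval($options->getOption('autocompleteLimit'));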
switch ($type) {
    case 'name':
        $sel_lname = "SELECT CONCAT(lastname,', ',firstname) AS fullname, '' AS value FROM " . TABLE_CONTACT . " AS contact WHERE ";
        $sel_fname = "SELECT CONCAT(firstname,' ',lastname) AS fullname, '' AS value FROM " . TABLE_CONTACT . " AS contact WHERE ";
        $sel_nname = "SELECT CONCAT(lastname,', ',firstname) AS fullname, nickname AS value FROM " . TABLE_CONTACT . " AS contact WHERE ";
        $where_lname = "(lastname LIKE '{$p}%') AND (hidden = 0 OR {$admin})";
        $where_fname = "(firstname LIKE '{$p}%') AND (hidden = 0 OR {$admin})";
        $where_nname = "(nickname LIKE '{$p}%') AND (hidden = 0 OR {$admin})";
        $sql = "({$sel_lname} {$where_lname}) UNION ({$sel_fname} {$where_fname}) UNION ({$sel_nname} {$where_nname}) ORDER BY fullname ASC LIMIT {$limit}";
        break;
    case 'email':
}
// Without a password there is nothing to check: report it, show the login
// screen again and stop.
$password = isset($_POST['user_password']) ? $_POST['user_password'] : null;
if (!$password) {
    $errorHandler->error('login', 'Please enter a password');
    // NOTE(review): 'redirect' is taken from the query string unvalidated and
    // handed to PageLoginScreen; that class has to make sure it is a local
    // path, otherwise this is an open redirect.
    $redirect = isset($_GET['redirect']) ? $_GET['redirect'] : '';
    $loginPage = new PageLoginScreen($redirect);
    print $loginPage->create();
    exit;
}
// look the user up by the submitted e-mail address
$user = new User(StringHelper::cleanGPC($_POST['user_email']));
// was the email correct?
if ($user->id !== null) {
    // was the password correct?
    if ($user->login(StringHelper::cleanGPC($_POST['user_password']))) {
        $_SESSION['user'] =& $user;
        $options = new Options($user);
        if ($user->getType() == 'register') {
            if ($user->isConfirmed()) {
                // New User -> Attach Contact
                if ($user->attachContact()) {
                    $flag = 'found';
                } else {
                    $flag = 'created';
                }
                $page = new PageRegister('confirm', $flag, isset($_GET['redirect']) ? $_GET['redirect'] : '');
                echo $page->create();
                exit;
            } else {
                // User#136 has set an error message; redisplay login page
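 /**
  * Handles a posted e-mail change for $eUser.
  *
  * When 'email' was posted it is stored via $eUser->setEmail(). If the error
  * handler then reports an error in the 'register' or 'mail' category the
  * function returns without further action. If the changed user is the one
  * currently logged in, the session user is cleared and the browser is sent
  * to the main page (presumably because the new address has to be confirmed
  * first - verify against setEmail()).
  *
  * Fix: the early exit used `break`, which is a compile error outside a loop
  * or switch ("'break' not in the 'loop' or 'switch' context"); it is `return`
  * now. NOTE(review): header('Location: ...') is not followed by exit, so the
  * caller keeps running with $_SESSION['user'] = null and must stop rendering
  * itself.
  *
  * @param object $eUser user whose e-mail address is changed (provides setEmail() and ->id)
  * @global object $errorHandler
  * @return void
  */
 function postEmail($eUser)
 {
     global $errorHandler;
     if (!isset($_POST['email'])) {
         return;
     }
     $eUser->setEmail(StringHelper::cleanGPC($_POST['email']));
     if ($errorHandler->getLastError('register') || $errorHandler->getLastError('mail')) {
         return;
     }
     // the logged-in user changed his own address: drop his session
     if (isset($_SESSION['user']) && (string) $eUser->id === (string) $_SESSION['user']->id) {
         $_SESSION['user'] = null;
         header('Location:' . Navigation::mainPageUrl());
     }
 }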
require_once 'ErrorHandler.class.php';
require_once 'StringHelper.class.php';
require_once 'PageSearchResult.class.php';
require_once 'PageContact.class.php';
// Access requires at least a 'guest' session; otherwise hand over to the
// standard NOT_LOGGED_IN error. NOTE(review): the search code below does not
// re-check, so standardError() is relied on to stop the script.
$loggedIn = isset($_SESSION['user']) && $_SESSION['user']->isAtLeast('guest');
if (!$loggedIn) {
    $errorHandler->standardError('NOT_LOGGED_IN', basename($_SERVER['SCRIPT_NAME']));
}
// Do we have something from the text field??
if (isset($_POST['goTo'])) {
    if ($_POST['goTo'] == 'whoami' && isset($_SESSION['user']->contact['id'])) {
        header("Location: " . $CONFIG_TAB_ROOT . 'contact/contact.php?id=' . $_SESSION['user']->contact['id']);
        exit;
    }
    // Remove single quotes which come from $db->escape
    $goTo = mb_substr($db->escape(StringHelper::cleanGPC($_POST['goTo'])), 1, -1);
    // Search the database
    $cList = new ContactList('SELECT *
        FROM ' . TABLE_CONTACT . ' AS contact
        WHERE 
        (
            CONCAT(firstname,\' \', lastname) LIKE \'%' . $goTo . '%\' OR
            CONCAT(firstname,\' \', middlename,\' \', lastname) LIKE \'%' . $goTo . '%\' OR
            nickname LIKE \'%' . $goTo . '%\' OR
            CONCAT(lastname,\', \',firstname) LIKE \'%' . $goTo . '%\'
        )
        AND (hidden = 0 OR ' . $db->escape($_SESSION['user']->isAtLeast('admin')) . ')
        ORDER BY lastname ASC, firstname ASC');
    // if theres only one contact, show it
    if (count($cList->getContacts()) == 1) {
        // redirect to the page to have a valid URL in the window
 *  contact/searchlist.php
 *  Lists address book entries from a query in the same format as the main list.
 *  Has a mailing-list function.
 *
 *************************************************************/
chdir('..');
require_once 'lib/init.php';
require_once 'PageSearchList.class.php';
require_once 'StringHelper.class.php';
require_once 'HTMLBeautifier.class.php';
require_once 'ErrorHandler.class.php';
// Access requires at least a 'guest' session. NOTE(review): standardError()
// is relied on to stop the script; nothing below re-checks.
$loggedIn = isset($_SESSION['user']) && $_SESSION['user']->isAtLeast('guest');
if (!$loggedIn) {
    $errorHandler->standardError('NOT_LOGGED_IN', basename($_SERVER['SCRIPT_NAME']));
}
// the 'hidden' group is reserved for admins (the normalised value is not used
// by this script itself, it is only kept in $_GET for included code)
if (!isset($_GET['group']) || ($_GET['group'] == 'hidden' && !$_SESSION['user']->isAtLeast('admin'))) {
    $_GET['group'] = '';
}
// defaults for the optional parameters
foreach (array('search' => '', 'type' => '', 'expand' => 0) as $param => $default) {
    if (!isset($_GET[$param])) {
        $_GET[$param] = $default;
    }
}
// contact/searchlist.php?search=string&type=[name|www|chat|...]
$search = StringHelper::cleanGPC($_GET['search']);
$type = StringHelper::cleanGPC($_GET['type']);
$expand = StringHelper::cleanGPC($_GET['expand']);
$page = Page::newPage('PageSearchList', $search, $type, $expand);
print $page->create();
exit;
                                             AND certState != ' . $db->escape('revoked'));
     $revokeContacts = new ContactList('SELECT * 
                                             FROM ' . TABLE_CONTACT . ' AS contact
                                             WHERE TO_DAYS(certModifiedAt) = TO_DAYS(' . $date . ')
                                             AND certState = ' . $db->escape('revoked'));
     break;
 case 'expired-list':
     // Generate a page that list passwords by group/company
     $page = new PageExpiredList();
     echo $page->create();
     exit;
 case 'utrack':
     if (!isset($_POST['mails'])) {
         break;
     }
     $lines = explode("\n", StringHelper::cleanGPC($_POST['mails']));
     $undone = '';
     foreach ($lines as $l) {
         $l = trim($l);
         if (!$l) {
             continue;
         }
         $sql = 'UPDATE ' . TABLE_CONTACT . ' AS contact, ' . TABLE_PROPERTIES . ' AS properties
                 SET certLastUsed = NOW(), certState = "used" 
                 WHERE contact.id = properties.id 
                 AND properties.type = "email" 
                 AND properties.value = ' . $db->escape($l) . '
                 AND ' . VALID_CERT;
         $db->query($sql);
         if ($db->rowsAffected() <= 0) {
             $undone .= $l . ',<br>';
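 /**
  * Create search query
  *
  * Builds the SQL for the project / opportunity / candidate search forms from
  * the POSTed filter fields. The first form that has at least one filled-in
  * field wins, in this order: project (p-*), opportunity (o-*), candidate
  * (c-*). With no filter at all a query that matches nothing (id=-1) is
  * returned. Takes no parameters; reads $_POST and $_SESSION['user'].
  *
  * Only non-empty scalar POST values count as filters: an array value (e.g.
  * "p-role[]=x") would otherwise reach $db->escape() and the LIKE patterns.
  * Values are escaped with $db->escape(); for LIKE patterns the quotes added
  * by escape() are stripped with substr() because the pattern is built inside
  * its own quoted literal. NOTE(security): LIKE wildcards (% and _) inside the
  * user value are not escaped, so a user can widen a LIKE match; the
  * hidden/visibility restrictions of the queries still apply.
  *
  * @global DB used for database access (via DB::getSingleton())
  * @return string SQL query
  */
 function createQuery()
 {
     // create an empty default result - any better way to do this
     $sql = "SELECT * FROM " . TABLE_CONTACT . " AS contact WHERE id=-1";
     $db = DB::getSingleton();
     // without a session user nobody is admin
     $admin = isset($_SESSION['user']) ? intval($_SESSION['user']->isAtLeast('admin')) : 0;
     $post = StringHelper::cleanGPC($_POST);
     // a filter field counts as given when it is non-empty AND a plain scalar
     $given = function ($key) use ($post) {
         return !empty($post[$key]) && is_scalar($post[$key]);
     };
     // value for a LIKE pattern: escaped, with the surrounding quotes removed
     $likeValue = function ($key) use ($db, $post) {
         return substr($db->escape($post[$key]), 1, -1);
     };
     // projects
     $props = array();
     $tbls = array();
     if ($given('p-category')) {
         $tbls[] = TABLE_PROPERTIES . ' AS p1';
         $props[] = 'c.id=p1.id AND p1.type="other" AND (p1.visibility = "visible" AND p1.label="Project Category" AND p1.value LIKE BINARY "%' . $likeValue('p-category') . '%" )';
     }
     if ($given('p-role')) {
         $tbls[] = TABLE_PROPERTIES . ' AS p2';
         $props[] = 'c.id=p2.id AND p2.type="other" AND (p2.visibility = "visible" AND p2.label="Contract Role" AND    p2.value=' . $db->escape($post['p-role']) . ')';
     }
     if ($given('p-company')) {
         $tbls[] = TABLE_PROPERTIES . ' AS p3';
         $props[] = 'c.id=p3.id AND p3.type="other" AND (p3.visibility = "visible" AND p3.label="Applicant" AND        p3.value LIKE "%' . $likeValue('p-company') . '%" )';
     }
     if ($given('p-value')) {
         $tbls[] = TABLE_PROPERTIES . ' AS p4';
         $props[] = 'c.id=p4.id AND p4.type="other" AND (p4.visibility = "visible" AND p4.label="SWARCO Value" AND     p4.value > ' . $db->escape($post['p-value']) . ')';
     }
     if ($given('p-after')) {
         $tbls[] = TABLE_DATES . ' AS d';
         $props[] = 'c.id=d.id AND (d.label="Completed" AND         d.value1 > ' . $db->escape($post['p-after']) . ')';
     }
     if ($props) {
         $tables = implode(', ', $tbls);
         $sel = "SELECT DISTINCT c.* FROM " . TABLE_CONTACT . " AS c, {$tables} WHERE ";
         $where = "c.xsltDisplayType='project' AND c.hidden=0 AND " . implode(' AND ', $props) . " ORDER BY lastname";
         return "{$sel} {$where}";
     }
     // project opportunity
     $props = array();
     $tbls = array();
     if ($given('o-category')) {
         $tbls[] = TABLE_PROPERTIES . ' AS p1';
         $props[] = 'c.id=p1.id AND p1.type="other" AND (p1.label="Project Category" AND p1.value LIKE BINARY "%' . $likeValue('o-category') . '%" )';
     }
     if ($given('o-role')) {
         $tbls[] = TABLE_PROPERTIES . ' AS p2';
         $props[] = 'c.id=p2.id AND p2.type="other" AND (p2.label="Contract Role" AND    p2.value=' . $db->escape($post['o-role']) . ')';
     }
     if ($given('o-company')) {
         $tbls[] = TABLE_PROPERTIES . ' AS p3';
         $props[] = 'c.id=p3.id AND p3.type="other" AND (p3.label="Applicant" AND        p3.value LIKE "%' . $likeValue('o-company') . '%" )';
     }
     if ($given('o-value')) {
         $tbls[] = TABLE_PROPERTIES . ' AS p4';
         $props[] = 'c.id=p4.id AND p4.type="other" AND (p4.label="SWARCO Value" AND     p4.value > ' . $db->escape($post['o-value']) . ')';
     }
     if ($props) {
         $tables = implode(', ', $tbls);
         $sel = "SELECT DISTINCT c.* FROM " . TABLE_CONTACT . " AS c, {$tables} WHERE ";
         $where = "c.xsltDisplayType='opportunity' AND c.hidden=0 AND " . implode(' AND ', $props) . " ORDER BY lastname";
         return "{$sel} {$where}";
     }
     // project candidate - the only search that honours $admin for hidden /
     // invisible entries
     $props = array();
     if ($given('c-position')) {
         $props[] = 'd1.label=' . $db->escape($post['c-position']);
     }
     if ($given('c-experience')) {
         $props[] = 'd1.value1 < ' . $db->escape($post['c-experience']);
     }
     if ($props) {
         $propsel = implode(' AND ', $props);
         $sel = "SELECT DISTINCT c.* FROM " . TABLE_CONTACT . " AS c, " . TABLE_DATES . " AS d1 WHERE ";
         $where = "c.id=d1.id AND ({$propsel}) AND (d1.visibility = 'visible' OR {$admin}) AND (c.hidden = 0 OR {$admin}) AND c.xsltDisplayType='expertise' ORDER BY lastname";
         return "{$sel} {$where}";
     }
     return $sql;
 }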
            $classname = StringHelper::cleanGPC($_GET['plugin']);
            $plugin = new $classname();
            $plugin->installPlugin();
            $db->query('UPDATE ' . TABLE_PLUGINS . ' SET state = ' . $db->escape('activated') . '
                WHERE name = ' . $db->escape(StringHelper::cleanGPC($_GET['plugin'])));
        }
        break;
    case 'upgrade':
        if (isset($_GET['plugin'])) {
            $classname = StringHelper::cleanGPC($_GET['plugin']);
            $db->query('SELECT version FROM ' . TABLE_PLUGINS . ' WHERE name="' . $classname . '"');
            // retrieve old version
            $r = $db->next();
            $plugin = new $classname();
            $plugin->upgradePlugin($r['version']);
        }
        break;
    case 'uninstall':
        if (isset($_GET['plugin'])) {
            $classname = StringHelper::cleanGPC($_GET['plugin']);
            $plugin = new $classname();
            $plugin->uninstallPlugin();
            $db->query('UPDATE ' . TABLE_PLUGINS . ' SET state = ' . $db->escape('not installed') . '
                WHERE name = ' . $db->escape(StringHelper::cleanGPC($_GET['plugin'])));
        }
        break;
}
// Whatever action ran above, finish by rendering the admin panel and stop.
$adminPanel = new PageAdminPanel();
print $adminPanel->create();
exit;
        $user->setType('user');
        if (!$user->attachContact() || !$user->contact['id'] == StringHelper::cleanGPC($_GET['id'])) {
            $errorHandler->error('register', 'This e-mail doesn\'t belong to this contact');
            $user->delete();
            $flag = 'error';
            break;
        }
        $flag = 'ok';
        break;
    case 'resend':
        if (!isset($_GET['email'])) {
            break;
        }
        $user = new User(StringHelper::cleanGPC($_GET['email']));
        if ($user->id === null) {
            $errorHandler->error('register', 'A user with this e-mail does not exist');
            $flag = 'error';
            break;
        }
        if ($user->isConfirmed()) {
            $errorHandler->error('register', 'This user does not need to be confirmed');
            $flag = 'error';
            break;
        }
        $user->setEmail(StringHelper::cleanGPC($_GET['email']));
        $flag = 'ok';
        break;
}
// Render the registration page for the requested mode with the outcome flag
// set by the switch above. NOTE(review): 'redirect' is passed through
// unvalidated; PageRegister has to restrict it to a local path, otherwise
// this is an open redirect.
$mode = StringHelper::cleanGPC($_GET['mode']);
$redirect = isset($_GET['redirect']) ? $_GET['redirect'] : '';
$registerPage = new PageRegister($mode, $flag, $redirect);
print $registerPage->create();
exit;
 *  Lists address book entries. This is the main page that is displayed by default after login.
 *
 */
chdir('..');
require_once 'lib/init.php';
require_once 'PageList.class.php';
require_once 'StringHelper.class.php';
require_once 'HTMLBeautifier.class.php';
require_once 'ErrorHandler.class.php';
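// Access check: the rights manager decides whether the current user may view
// the list. NOTE(review): standardError() is relied on to stop the script,
// the code below does not re-check.
$rightsManager = RightsManager::getSingleton();
// Allowed to view list
if (!$rightsManager->currentUserIsAllowedTo('view-list')) {
    $errorHandler->standardError('PERMISSION_DENIED', basename($_SERVER['SCRIPT_NAME']));
}
// the 'hidden' group is reserved for admins; without a session user there is
// no admin either, so fall back to the default group instead of calling a
// method on null
if (!isset($_GET['group']) || ($_GET['group'] == 'hidden' && (!isset($_SESSION['user']) || !$_SESSION['user']->isAtLeast('admin')))) {
    $_GET['group'] = '';
}
// defaults for the optional parameters
foreach (array('begin' => '', 'page' => 0, 'expand' => 0) as $param => $default) {
    if (!isset($_GET[$param])) {
        $_GET[$param] = $default;
    }
}
// every request parameter goes through cleanGPC (as in searchlist.php;
// 'expand' was previously passed raw); 'page' is additionally forced to int
$page = Page::newPage(
    'PageList',
    StringHelper::cleanGPC($_GET['group']),
    StringHelper::cleanGPC($_GET['expand']),
    StringHelper::cleanGPC($_GET['begin']),
    intval(StringHelper::cleanGPC($_GET['page']))
);
//echo HTMLBeautifier::beautify($page->create());
echo $page->create();
exit;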
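 /**
  * Returns true on success false on errors (contact NOT saved -> check errorHandler then)
  *
  * Variant for the widgEditor form: the editor posts the notes as
  * 'contactNotes', which is copied into $post['contact']['notes'] before
  * saving (an absent 'contactNotes' now yields null instead of an
  * undefined-index warning plus null). $post is modified in place (by
  * reference) and additionally gets the picture path under 'URLtoMugshot';
  * the whole array is GPC-cleaned and handed to saveContactFromArray().
  *
  * @param object $contact contact to save into (kept in $this->contact; must
  *                        provide saveContactFromArray())
  * @param array $post raw form data ($_POST), modified in place
  * @param string|null $pictureFile path of the uploaded mugshot, if any
  * @param boolean $adminsave passed through to saveContactFromArray()
  * @return boolean true on success, false on errors
  */
 function saveContactFromPost(&$contact, &$post, $pictureFile = null, $adminsave = false)
 {
     // interaction PHP/widgEditor: the notes arrive in a separate field
     $post['contact']['notes'] = isset($post['contactNotes']) ? $post['contactNotes'] : null;
     $this->contact =& $contact;
     // force by reference
     $post['URLtoMugshot'] = $pictureFile;
     $p = StringHelper::cleanGPC($post);
     return $this->contact->saveContactFromArray($p, $adminsave);
 }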
// Front page: title block, then switch to the main font and start a fresh,
// page-numbered page for the address list.
$pdf->frontpage_title($frontpage_title, $your_domain, 50, $pdf->y - 100, 80, 80, 200);
$pdf->selectFont($mainFont);
$pdf->ezNewPage();
$pdf->ezStartPageNumbers(560, 25, 10, '', '', 1);
// layout state (kept under these names for the code further down)
$size = 10;
$height = $pdf->getFontHeight($size);
$textOptions = array('justification' => 'left');
$collecting = 0;
$code = '';
$counter = 0;
//used to count 8 to a page
// group filter from the URL; empty selects the default group
if (!isset($_GET['group'])) {
    $_GET['group'] = '';
}
$list = new GroupContactList(StringHelper::cleanGPC($_GET['group']));
$conts = $list->getContacts();
// one address block per contact, with the contact's picture
foreach ($conts as $c) {
    $lines = createLinesFromContact($c);
    $image = new ContactImage($c);
    $pdf->renderAddress($CONFIG_PDFBOOK_LINE_HEIGHT, $CONFIG_PDFBOOK_FONT_SIZE, $lines, $image);
}
$pdf->ezStopPageNumbers(1, 1);
// Debug section...............................................................................................
// adding ?d=1 to the url calling this will cause the pdf code itself to ve echoed to the
// browser, this is quite useful for debugging purposes.
if (!empty($_GET['d'])) {
    $pdfcode = $pdf->ezOutput(1);
    $pdfcode = str_replace("\n", "\n<br>", htmlspecialchars($pdfcode));
    echo '<html><body>';
    echo trim($pdfcode);
    echo '</body></html>';
} else {
     }
     // delete labels of empty entries to make mandatory entries optional
     foreach ($_POST['date'] as &$x) {
         if (empty($x['value1']) && empty($x['value2'])) {
             $x['label'] = '';
         }
     }
     if (!empty($_POST['contact']['notes'])) {
         $_POST['contact']['notes'] = XSLTUtility::arrayToXMLraw($_POST['contact']['notes'], $h = false);
     }
     $_POST['URLtoMugshot'] = isset($_FILES['contact']['tmp_name']['pictureData']['file']) ? $_FILES['contact']['tmp_name']['pictureData']['file'] : null;
     // pic upload error!!
     if (!empty($_FILES['contact']['name']['pictureData']['file']) && empty($_FILES['contact']['tmp_name']['pictureData']['file'])) {
         $errorHandler->warning('File upload failed! Error code (6 means tmp directory not writeable): ' . $_FILES['contact']['error']['pictureData']['file'], basename($_SERVER['SCRIPT_NAME']));
     }
     $save = $contact->saveContactFromArray(StringHelper::cleanGPC($_POST));
     break;
 case 'contact_NoMandatoryEntries':
     if ($_POST['duplicateContact'] == 1) {
         unset($contact->contact['id']);
         foreach ($_POST['address'] as &$x) {
             unset($x['refid']);
         }
     }
     // delete labels of empty entries to make mandatory entries optional
     if (isset($_POST['www'])) {
         foreach ($_POST['www'] as &$x) {
             if (empty($x['value'])) {
                 $x['label'] = '';
             }
         }