/**
 * Logs the rejected request (with its URI) as a WARNING and hands off to
 * $this->error() with the generic "disallowed" message.
 *
 * @return void
 */
function disallow()
{
    $requestUri = serverVar('REQUEST_URI');
    ACTIONLOG::add(WARNING, _ACTIONLOG_DISALLOWED . $requestUri);
    $this->error(_ERROR_DISALLOWED);
}
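/**
 * InitSkinParse hook: serves feed requests addressed through PATH_INFO
 * (rss1.xml, index.rdf, rss2.xml or atom.xml as the last path segment)
 * by rendering the matching "feeds/*" skin itself, then ends the request.
 *
 * Fixes against the previous version: the Generator header read
 * $nucleus['version'] without declaring $nucleus global; the ETag test
 * used loose comparison; SKIN::createFromName() was assigned by reference.
 *
 * @param array $data  event data; reads $data['skin'] and $data['type']
 * @return void  returns early for non-feed requests, otherwise exits
 */
function event_InitSkinParse($data)
{
    global $blogid, $CONF, $manager, $nucleus;

    // Feed file name (last PATH_INFO segment) => skin that renders it.
    $feedSkins = array(
        'rss1.xml'  => 'feeds/rss10',
        'index.rdf' => 'feeds/rss10',
        'rss2.xml'  => 'feeds/rss20',
        'atom.xml'  => 'feeds/atom',
    );

    $segments = explode('/', serverVar('PATH_INFO'));
    $requested = end($segments);
    if (!isset($feedSkins[$requested])) {
        return; // not a feed request: normal skin parsing continues
    }
    $skinName = $feedSkins[$requested];

    if (!SKIN::exists($skinName)) {
        exit; // a missing feed skin ends the request with no output (unchanged behaviour)
    }

    $skin = SKIN::createFromName($skinName);
    $data['skin']->SKIN($skin->getID()); // presumably re-initialises the skin object with the feed skin — PHP4-style constructor call
    $skinData =& $data['skin'];
    $pageType = $data['type'];

    if ($CONF['DisableSite']) {
        // Site disabled: emit a minimal empty RSS 2.0 document instead of the feed.
        echo '<' . '?xml version="1.0" encoding="ISO-8859-1"?' . '>';
?>
<rss version="2.0">
<channel>
<title><?php echo $this->hsc($CONF['SiteName'], ENT_QUOTES); ?></title>
<link><?php echo $this->hsc($CONF['IndexURL'], ENT_QUOTES); ?></link>
<description></description>
<docs>http://backend.userland.com/rss</docs>
</channel>
</rss>
<?php
        exit;
    }

    // Render the feed skin into a buffer so it can be hashed for the ETag.
    ob_start();
    $skinID = $skinData->id;
    $contents = $this->getSkinContent($pageType, $skinID);
    $actions = SKIN::getAllowedActionsForType($pageType);

    $dataArray = array('skin' => &$skinData, 'type' => $pageType, 'contents' => &$contents);
    $manager->notify('PreSkinParse', $dataArray);

    PARSER::setProperty('IncludeMode', SKIN::getIncludeMode());
    PARSER::setProperty('IncludePrefix', SKIN::getIncludePrefix());
    $handler = new ACTIONS($pageType, $skinData);
    $parser = new PARSER($actions, $handler);
    $handler->setParser($parser);
    $handler->setSkin($skinData);
    $parser->parse($contents);

    $dataArray = array('skin' => &$skinData, 'type' => $pageType);
    $manager->notify('PostSkinParse', $dataArray);

    $feed = ob_get_contents();
    ob_end_clean();

    // Conditional GET: the client sends the quoted hash back in If-None-Match.
    $eTag = '"' . md5($feed) . '"';
    header('Etag: ' . $eTag);
    if ($eTag === serverVar('HTTP_IF_NONE_MATCH')) {
        header('HTTP/1.0 304 Not Modified');
        header('Content-Length: 0');
    } else {
        if (extension_loaded('mbstring')) {
            $feed = mb_convert_encoding($feed, 'UTF-8', _CHARSET);
            $charset = 'UTF-8';
        } else {
            $charset = _CHARSET;
        }
        $version = isset($nucleus['version']) ? $nucleus['version'] : '';
        header('Content-Type: application/xml; charset=' . $charset);
        header('Generator: Nucleus CMS ' . $version);
        // dump feed
        echo $feed;
    }
    exit;
}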
/**
 * Logs the rejected request URI as a WARNING, then reports the failure
 * through $this->error() with a four-element payload.
 *
 * NOTE(review): the payload slots (0, _CURL_ERROR_DISALLOWED, '***',
 * _DISALLOWED_MSG) are whatever $this->error() expects in this class —
 * confirm their meaning against that method before changing them.
 *
 * @return void
 */
function disallow()
{
    $uri = serverVar('REQUEST_URI');
    ACTIONLOG::add(WARNING, _ACTIONLOG_DISALLOWED . $uri);

    $payload = array(
        0,
        _CURL_ERROR_DISALLOWED,
        '***',
        _DISALLOWED_MSG,
    );
    $this->error($payload);
}
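* @version $Id: atom.php 1131 2011-02-01 06:19:31Z sakamocchi $
 * $NucleusJP: atom.php,v 1.6 2006/07/12 07:11:45 kimitake Exp $
 */

// Atom feed front controller: renders the 'feeds/atom' skin, answers
// conditional GETs with 304 via an ETag (md5 of the body), and sends the
// body as UTF-8 when the site charset differs.
header('Pragma: no-cache');

$CONF = array();
$CONF['Self'] = 'atom.php';

include './config.php';

if (!$CONF['DisableSite']) {
    // get feed into $feed
    ob_start();
    selectSkin('feeds/atom');
    selector();
    $feed = ob_get_contents();
    ob_end_clean();

    // create ETAG (hash of feed)
    // (HTTP_IF_NONE_MATCH has quotes around it)
    $eTag = '"' . md5($feed) . '"';
    header('Etag: ' . $eTag);

    // compare Etag to what we got (strict: both sides are strings)
    if ($eTag === serverVar('HTTP_IF_NONE_MATCH')) {
        header('HTTP/1.0 304 Not Modified');
        header('Content-Length: 0');
    } else {
        // Transcode only when needed and when mbstring is available
        // (the previous version called mb_convert_encoding unconditionally).
        $charset = _CHARSET;
        if (strtolower(_CHARSET) != 'utf-8' && function_exists('mb_convert_encoding')) {
            $feed = mb_convert_encoding($feed, "UTF-8", _CHARSET);
            $charset = 'UTF-8';
        }
        // Declare the charset actually sent, matching the skin-parse handler.
        header("Content-Type: application/xml; charset=" . $charset);
        // dump feed
        echo $feed;
    }
}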
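/**
 * Adds a new comment to the database.
 *
 * Validates the blog's comment settings and the commenter's data, runs the
 * plugin spam check, optionally mails the blog's notification address, and
 * inserts the row (exact duplicates are rejected).
 *
 * Fixes against the previous version: each()/list() iteration (removed in
 * PHP 8) replaced by foreach; "=& new" (a parse error since PHP 7) and
 * by-reference assignment of method results dropped; the item and blog ids
 * are cast to int before being placed in SQL text; the parse_url() result
 * is checked before reading its 'scheme' key.
 *
 * @param int|string $timestamp  unix timestamp of the comment (passed to date())
 * @param array      $comment    keys read: user, userid, email, body, itemid
 * @return mixed  TRUE on success, otherwise an _ERROR_* message string
 *                (or whatever isValidComment() returned when it was not 1)
 */
function addComment($timestamp, $comment)
{
    global $CONF, $member, $manager;

    $blogid = getBlogIDFromItemID($this->itemid);
    $settings = $manager->getBlog($blogid);
    $settings->readSettings();

    $loggedIn = $member->isLoggedIn();

    if (!$settings->commentsEnabled()) {
        return _ERROR_COMMENTS_DISABLED;
    }
    if (!$settings->isPublic() && !$loggedIn) {
        return _ERROR_COMMENTS_NONPUBLIC;
    }
    if ($CONF['ProtectMemNames'] && !$loggedIn && MEMBER::isNameProtected($comment['user'])) {
        return _ERROR_COMMENTS_MEMBERNICK;
    }
    // email required, but missing (doesn't apply to members)
    if ($settings->emailRequired() && strlen($comment['email']) == 0 && !$loggedIn) {
        return _ERROR_EMAIL_REQUIRED;
    }

    // Length limits are in characters (mb_strlen), not bytes.
    if (mb_strlen($comment['user']) > 40) {
        return _ERROR_USER_TOO_LONG;
    }
    if (mb_strlen($comment['email']) > 100) {
        return _ERROR_EMAIL_TOO_LONG;
    }
    if (mb_strlen($comment['userid']) > 100) {
        return _ERROR_URL_TOO_LONG;
    }

    $comment['timestamp'] = $timestamp;
    $comment['host'] = gethostbyaddr(serverVar('REMOTE_ADDR'));
    $comment['ip'] = serverVar('REMOTE_ADDR');

    if ($loggedIn) {
        // Member comments carry the member id only; the free-form fields are blanked.
        $comment['memberid'] = $member->getID();
        $comment['user'] = '';
        $comment['userid'] = '';
        $comment['email'] = '';
    } else {
        $comment['memberid'] = 0;
    }

    // Spam check. $continue becomes TRUE when any plugin subscribed to the
    // three comment events handles spam itself; a positive SpamCheck result
    // then does not reject the comment here.
    $plugins = array();
    foreach (array('ValidateForm', 'PreAddComment', 'PostAddComment') as $event) {
        if (isset($manager->subscriptions[$event])) {
            $plugins = array_merge($plugins, $manager->subscriptions[$event]);
        }
    }
    $plugins = array_unique($plugins);

    $continue = FALSE;
    foreach ($plugins as $plugin) {
        $p = $manager->getPlugin($plugin);
        $continue = $continue || $p->supportsFeature('handleSpam');
    }

    $spamcheck = array(
        'type'   => 'comment',
        'body'   => $comment['body'],
        'id'     => $comment['itemid'],
        'live'   => TRUE,
        'return' => $continue,
    );
    if ($loggedIn) {
        $spamcheck['author'] = $member->displayname;
        $spamcheck['email'] = $member->email;
    } else {
        $spamcheck['author'] = $comment['user'];
        $spamcheck['email'] = $comment['email'];
        $spamcheck['url'] = $comment['userid'];
    }
    $manager->notify('SpamCheck', array('spamcheck' => &$spamcheck));
    if (!$continue && isset($spamcheck['result']) && $spamcheck['result'] == TRUE) {
        return _ERROR_COMMENTS_SPAM;
    }

    // isValidComment returns either "1" or an error message
    $isvalid = $this->isValidComment($comment, $spamcheck);
    if ($isvalid != 1) {
        return $isvalid;
    }

    // send email to notification address
    if ($settings->getNotifyAddress() && $settings->notifyOnComment()) {
        $mailto_msg = _NOTIFY_NC_MSG . ' ' . $this->itemid . "\n";
        $temp = parse_url($CONF['Self']);
        if (is_array($temp) && !empty($temp['scheme'])) {
            $mailto_msg .= createItemLink($this->itemid) . "\n\n";
        } else {
            $tempurl = $settings->getURL();
            if (substr($tempurl, -1) == '/' || substr($tempurl, -4) == '.php') {
                $mailto_msg .= $tempurl . '?itemid=' . $this->itemid . "\n\n";
            } else {
                $mailto_msg .= $tempurl . '/?itemid=' . $this->itemid . "\n\n";
            }
        }
        if ($comment['memberid'] == 0) {
            $mailto_msg .= _NOTIFY_USER . ' ' . $comment['user'] . "\n";
            $mailto_msg .= _NOTIFY_USERID . ' ' . $comment['userid'] . "\n";
        } else {
            $mailto_msg .= _NOTIFY_MEMBER . ' ' . $member->getDisplayName() . ' (ID=' . $member->getID() . ")\n";
        }
        $mailto_msg .= _NOTIFY_HOST . ' ' . $comment['host'] . "\n";
        $mailto_msg .= _NOTIFY_COMMENT . "\n " . $comment['body'] . "\n";
        $mailto_msg .= getMailFooter();

        $item = $manager->getItem($this->itemid, 0, 0);
        $mailto_title = _NOTIFY_NC_TITLE . ' ' . strip_tags($item['title']) . ' (' . $this->itemid . ')';
        $frommail = $member->getNotifyFromMailAddress($comment['email']);

        $notify = new NOTIFICATION($settings->getNotifyAddress());
        $notify->notify($mailto_title, $mailto_msg, $frommail);
    }

    $comment = COMMENT::prepare($comment);
    $manager->notify('PreAddComment', array('comment' => &$comment, 'spamcheck' => &$spamcheck));

    // Every string placed in SQL text is escaped; ids are cast to int.
    $name      = sql_real_escape_string($comment['user']);
    $url       = sql_real_escape_string($comment['userid']);
    $email     = sql_real_escape_string($comment['email']);
    $body      = sql_real_escape_string($comment['body']);
    $host      = sql_real_escape_string($comment['host']);
    $ip        = sql_real_escape_string($comment['ip']);
    $memberid  = intval($comment['memberid']);
    $timestamp = date('Y-m-d H:i:s', $comment['timestamp']);
    $itemid    = intval($this->itemid);
    $blogid    = intval($blogid);

    // Reject an exact duplicate (same url, member, body, item and blog).
    $qSql = 'SELECT COUNT(*) AS result '
          . 'FROM ' . sql_table('comment') . ' WHERE '
          . 'cmail = "' . $url . '"'
          . ' AND cmember = "' . $memberid . '"'
          . ' AND cbody = "' . $body . '"'
          . ' AND citem = "' . $itemid . '"'
          . ' AND cblog = "' . $blogid . '"';
    $result = (int) quickQuery($qSql);
    if ($result > 0) {
        return _ERROR_BADACTION;
    }

    $query = 'INSERT INTO ' . sql_table('comment')
           . ' (CUSER, CMAIL, CEMAIL, CMEMBER, CBODY, CITEM, CTIME, CHOST, CIP, CBLOG) '
           . "VALUES ('{$name}', '{$url}', '{$email}', {$memberid}, '{$body}', {$itemid}, '{$timestamp}', '{$host}', '{$ip}', '{$blogid}')";
    sql_query($query);

    // post add comment
    $commentid = sql_insert_id();
    $manager->notify('PostAddComment', array('comment' => &$comment, 'commentid' => &$commentid, 'spamcheck' => &$spamcheck));

    // succeeded !
    return TRUE;
}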
/**
 * Returns the raw (still URL-encoded) value of query parameter $q, reduced
 * to the character set [a-z0-9-~+_.#;,:@%] (case-insensitive).
 *
 * In 'pathinfo' URL mode the value is taken from REQUEST_URI as the segment
 * following "$q/" (or "$q_" when $this->maURL is set); otherwise from the
 * matching "name=value" pair of QUERY_STRING.
 *
 * @param string $q  parameter name to look up
 * @return string|false  the filtered value, or FALSE when not present
 */
function getNoDecodeQuery($q)
{
    global $CONF, $manager;

    $allowedChars = '|[^a-z0-9-~+_.#;,:@%]|i';

    if ($CONF['URLMode'] == 'pathinfo') {
        // FancyURL: "<q>/<value>/..." or, with magical URLs, "<q>_<value>_..."
        $glue = $this->maURL ? '_' : '/';
        $split = explode($q . $glue, serverVar('REQUEST_URI'), 2);
        if (!empty($split[1])) {
            $pieces = explode($glue, $split[1]);
            return preg_replace($allowedChars, '', $pieces[0]);
        }
        return FALSE;
    }

    // NormalURL: scan the raw query string pair by pair
    $rawQuery = str_replace('?', '', serverVar('QUERY_STRING'));
    foreach (explode('&', $rawQuery) as $pair) {
        $kv = explode('=', $pair);
        if ($kv[0] == $q) {
            return preg_replace($allowedChars, '', $kv[1]);
        }
    }

    return FALSE;
}
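/**
 * Renders the installer form: environment check (PHP / MySQL versions),
 * charset, database credentials, site paths and URLs, first member and
 * first blog. Output is written directly.
 *
 * Fixes against the previous version: implode() was called with the
 * legacy (array, glue) argument order, which PHP 8 rejects; the PHP
 * version gate used a plain string comparison instead of version_compare();
 * the preg_match() result for the mysql client fallback was read without a
 * check; and the request-derived $url (built from the Host header, which
 * the client controls) and $basePath are now HTML-escaped where echoed into
 * attribute values.
 *
 * @return void  exits early (after closing the page) when PHP is older than 5.0.0
 */
function showInstallForm()
{
    // 0. pre check if all necessary files exist
    doCheckFiles();

    // Site base URL, derived from the request. HTTP_HOST is client-supplied,
    // so every echo of $url below goes through htmlspecialchars().
    $url = 'http://' . serverVar('HTTP_HOST') . serverVar('PHP_SELF');
    $url = str_replace('install/index.php', '', $url);
    $url = replaceDoubleBackslash($url);
    // add slash at end if necessary
    if (!endsWithSlash($url)) {
        $url .= '/';
    }

    // Filesystem base: this script's directory with "install" removed.
    // NOTE(review): str_replace strips every "install" in the path, not only
    // the last directory — kept as in the original.
    $basePath = str_replace('install', '', dirname(__FILE__));
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" />
<title><?php echo _TITLE; ?></title>
<style type="text/css"><!--
@import url('../nucleus/documentation/styles/manual.css');
--></style>
<script type="text/javascript"><!--
var submitcount = 0;
// function to make sure the submit button only gets pressed once
function checkSubmit() {
    if (submitcount == 0) {
        submitcount++;
        return true;
    } else {
        return false;
    }
}
--></script>
</head>
<body>
<div style="text-align:center"><img src="../nucleus/styles/logo.gif" alt="<?php echo _ALT_NUCLEUS_CMS_LOGO; ?>" /></div> <!-- Nucleus logo -->
<form method="post" action="index.php">
<h1><?php echo _HEADER1; ?></h1>
<?php echo _TEXT1; ?>
<h1><?php echo _HEADER1_2; ?></h1>
<?php echo _TEXT1_2; ?>
<fieldset>
<legend><?php echo _TEXT1_2_TAB_HEAD; ?></legend>
<table>
<tr>
<td><?php echo _TEXT1_2_TAB_FIELD1; ?></td>
<td>
<select name="charset" tabindex="10000">
<option value="utf8" selected="selected">UTF-8</option>
<option value="ujis" >EUC-JP</option>
</select>
</td>
</tr>
</table>
</fieldset>
<h1><?php echo _HEADER2; ?></h1>
<?php echo _TEXT2; ?>
<ul>
<li>PHP: <?php echo phpversion(); ?></li>
<li>MySQL: <?php
    // Turn on output buffer
    // Needed to repress the output of the sql function that are
    // not part of php (in this case the @ operator doesn't work)
    ob_start();

    // note: this piece of code is taken from phpMyAdmin
    $conn = sql_connect_args('localhost', '', '');
    $result = @sql_query('SELECT VERSION() AS version', $conn);
    if ($result != FALSE && sql_num_rows($result) > 0) {
        $row = sql_fetch_array($result);
        $match = explode('.', $row['version']);
    } else {
        $result = @sql_query('SHOW VARIABLES LIKE \'version\'', $conn);
        if ($result != FALSE && @sql_num_rows($result) > 0) {
            $row = sql_fetch_row($result);
            $match = explode('.', $row[1]);
        } else {
            // Last resort: ask the mysql client binary (fixed command, no user input).
            $output = function_exists('shell_exec') ? @shell_exec('mysql -V') : '0.0.0';
            $version = array();
            preg_match('#[0-9]+\\.[0-9]+\\.[0-9]+#', (string) $output, $version);
            $match = isset($version[0]) ? explode('.', $version[0]) : array('');
            if ($match[0] == '') {
                $match = array('0', '0', '0');
            }
        }
    }
    @sql_disconnect($conn);

    //End and clean output buffer
    ob_end_clean();

    // glue first: implode(array, glue) was removed in PHP 8
    $mySqlVersion = implode('.', $match);
    $minVersion = '3.23';

    if (version_compare($mySqlVersion, '0.0.0', '==')) {
        echo _NOTIFICATION1;
    } else {
        echo $mySqlVersion;
    }
    if (version_compare($mySqlVersion, $minVersion, '<')) {
        echo ' <span class="warning" style="display:block">' . sprintf(_TEXT2_WARN1, $minVersion) . '</span>';
    }
?></li>
</ul>
<?php
    if (version_compare(PHP_VERSION, '5.0.0', '<')) {
        echo ' <p class="deprecated">' . _TEXT2_WARN2 . '</p>';
?>
</form>
</body>
</html>
<?php
        exit;
    }

    // tell people how they can have their config file filled out automatically
    if (@file_exists('../config.php') && @(!is_writable('../config.php'))) {
?>
<h1><?php echo _HEADER3; ?></h1>
<?php
        echo _TEXT3;
    }
?>
<h1><?php echo _HEADER4; ?></h1>
<?php echo _TEXT4; ?>
<fieldset>
<legend><?php echo _TEXT4_TAB_HEAD; ?></legend>
<table>
<tr>
<td><label for="if_mySQL_host"><?php echo _TEXT4_TAB_FIELD1; ?>:</label></td>
<td><input id="if_mySQL_host" name="mySQL_host" value="DUMMY_DB_HOST" tabindex="10010" /></td>
</tr>
<tr>
<td><label for="if_mySQL_user"><?php echo _TEXT4_TAB_FIELD2; ?>:</label></td>
<td><input id="if_mySQL_user" name="mySQL_user" value="DUMMY_PROJECT_NAME" tabindex="10020" /></td>
</tr>
<tr>
<td><label for="if_mySQL_password"><?php echo _TEXT4_TAB_FIELD3; ?>:</label></td>
<td><input id="if_mySQL_password" name="mySQL_password" value="DUMMY_DB_PASSWORD" type="password" tabindex="10030" /></td>
</tr>
<tr>
<td><label for="if_mySQL_database"><?php echo _TEXT4_TAB_FIELD4; ?>:</label></td>
<td><input id="if_mySQL_database" name="mySQL_database" value="DUMMY_PROJECT_NAME" tabindex="10040" /> (<input name="mySQL_create" value="1" type="checkbox" id="mySQL_create" tabindex="10050" /><label for="mySQL_create"><?php echo _TEXT4_TAB_FIELD4_ADD; ?></label>)</td>
</tr>
</table>
</fieldset>
<fieldset>
<legend><?php echo _TEXT4_TAB2_HEAD; ?></legend>
<table>
<tr>
<td><input name="mySQL_usePrefix" value="1" type="checkbox" id="mySQL_usePrefix" tabindex="10060" /><label for="mySQL_usePrefix"><?php echo _TEXT4_TAB2_FIELD; ?>:</label></td>
<td><input name="mySQL_tablePrefix" value="" tabindex="10070" /></td>
</tr>
</table>
<?php echo _TEXT4_TAB2_ADD; ?>
</fieldset>
<h1><?php echo _HEADER5; ?></h1>
<?php echo _TEXT5; ?>
<fieldset>
<legend><?php echo _TEXT5_TAB_HEAD; ?></legend>
<table>
<tr>
<td><label for="if_IndexURL"><?php echo _TEXT5_TAB_FIELD1; ?>:</label></td>
<td><input id="if_IndexURL" name="IndexURL" size="60" value="<?php echo htmlspecialchars($url, ENT_QUOTES); ?>" tabindex="10080" /></td>
</tr>
<tr>
<td><label for="if_AdminURL"><?php echo _TEXT5_TAB_FIELD2; ?>:</label></td>
<td><input id="if_AdminURL" name="AdminURL" size="60" value="<?php echo htmlspecialchars($url . 'nucleus/', ENT_QUOTES); ?>" tabindex="10090" /></td>
</tr>
<tr>
<td><label for="if_AdminPath"><?php echo _TEXT5_TAB_FIELD3; ?>:</label></td>
<td><input id="if_AdminPath" name="AdminPath" size="60" value="<?php if ($basePath) { echo htmlspecialchars($basePath . 'nucleus/', ENT_QUOTES); } ?>" tabindex="10100" /></td>
</tr>
<tr>
<td><label for="if_MediaURL"><?php echo _TEXT5_TAB_FIELD4; ?>:</label></td>
<td><input id="if_MediaURL" name="MediaURL" size="60" value="<?php echo htmlspecialchars($url . 'media/', ENT_QUOTES); ?>" tabindex="10110" /></td>
</tr>
<tr>
<td><label for="if_MediaPath"><?php echo _TEXT5_TAB_FIELD5; ?>:</label></td>
<td><input id="if_MediaPath" name="MediaPath" size="60" value="<?php if ($basePath) { echo htmlspecialchars($basePath . 'media/', ENT_QUOTES); } ?>" tabindex="10120" /></td>
</tr>
<tr>
<td><label for="if_SkinsURL"><?php echo _TEXT5_TAB_FIELD6; ?>:</label></td>
<td><input id="if_SkinsURL" name="SkinsURL" size="60" value="<?php echo htmlspecialchars($url . 'skins/', ENT_QUOTES); ?>" tabindex="10130" /> <br />(<?php echo _TEXT5_TAB_FIELD7_2; ?>) </td>
</tr>
<tr>
<td><label for="if_SkinsPath"><?php echo _TEXT5_TAB_FIELD7; ?>:</label></td>
<td><input id="if_SkinsPath" name="SkinsPath" size="60" value="<?php if ($basePath) { echo htmlspecialchars($basePath . 'skins/', ENT_QUOTES); } ?>" tabindex="10140" /> <br />(<?php echo _TEXT5_TAB_FIELD7_2; ?>) </td>
</tr>
<tr>
<td><label for="if_PluginURL"><?php echo _TEXT5_TAB_FIELD8; ?>:</label></td>
<td><input id="if_PluginURL" name="PluginURL" size="60" value="<?php echo htmlspecialchars($url . 'nucleus/plugins/', ENT_QUOTES); ?>" tabindex="10150" /></td>
</tr>
<tr>
<td><label for="if_ActionURL"><?php echo _TEXT5_TAB_FIELD9; ?>:</label></td>
<td><input id="if_ActionURL" name="ActionURL" size="60" value="<?php echo htmlspecialchars($url . 'action.php', ENT_QUOTES); ?>" tabindex="10160" /> <br />(<?php echo _TEXT5_TAB_FIELD9_2; ?>) </td>
</tr>
</table>
</fieldset>
<?php echo _TEXT5_2; ?>
<h1><?php echo _HEADER6; ?></h1>
<?php echo _TEXT6; ?>
<fieldset>
<legend><?php echo _TEXT6_TAB_HEAD; ?></legend>
<table>
<tr>
<td><label for="if_User_name"><?php echo _TEXT6_TAB_FIELD1; ?>:</label></td>
<td><input id="if_User_name" name="User_name" value="" tabindex="10170" /> <small>(<?php echo _TEXT6_TAB_FIELD1_2; ?>)</small></td>
</tr>
<tr>
<td><label for="if_User_realname"><?php echo _TEXT6_TAB_FIELD2; ?>:</label></td>
<td><input id="if_User_realname" name="User_realname" value="" tabindex="10180" /></td>
</tr>
<tr>
<td><label for="if_User_password"><?php echo _TEXT6_TAB_FIELD3; ?>:</label></td>
<td><input id="if_User_password" name="User_password" type="password" value="" tabindex="10190" /></td>
</tr>
<tr>
<td><label for="if_User_password2"><?php echo _TEXT6_TAB_FIELD4; ?>:</label></td>
<td><input id="if_User_password2" name="User_password2" type="password" value="" tabindex="10200" /></td>
</tr>
<tr>
<td><label for="if_User_email"><?php echo _TEXT6_TAB_FIELD5; ?>:</label></td>
<td><input id="if_User_email" name="User_email" value="" tabindex="10210" /> <small>(<?php echo _TEXT6_TAB_FIELD5_2; ?>)</small></td>
</tr>
</table>
</fieldset>
<h1><?php echo _HEADER7; ?></h1>
<?php echo _TEXT7; ?>
<fieldset>
<legend><?php echo _TEXT7_TAB_HEAD; ?></legend>
<table>
<tr>
<td><label for="if_Blog_name"><?php echo _TEXT7_TAB_FIELD1; ?>:</label></td>
<td><input id="if_Blog_name" name="Blog_name" size="60" value="My Nucleus CMS" tabindex="10220" /></td>
</tr>
<tr>
<td><label for="if_Blog_shortname"><?php echo _TEXT7_TAB_FIELD2; ?>:</label></td>
<td><input id="if_Blog_shortname" name="Blog_shortname" value="mynucleuscms" tabindex="10230" /> <small>(<?php echo _TEXT7_TAB_FIELD2_2; ?>)</small></td>
</tr>
</table>
</fieldset>
<h1><?php echo _HEADER8; ?></h1>
<fieldset>
<legend><?php echo _TEXT8_TAB_HEADER; ?></legend>
<table>
<tr>
<td><input name="Weblog_ping" value="1" type="checkbox" id="Weblog_ping" tabindex="10240" /><label for="Weblog_ping"><?php echo _TEXT8_TAB_FIELD1; ?></label></td>
</tr>
</table>
</fieldset>
<h1><?php echo _HEADER9; ?></h1>
<?php echo _TEXT9; ?>
<p>
<input name="action" value="go" type="hidden" />
<input type="submit" value="<?php echo _BUTTON1; ?>" onclick="return checkSubmit();" tabindex="10250" />
</p>
</form>
</body>
</html>
<?php
}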
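/**
 * Records the current visitor's IP address against this item in the karma
 * table. The item id is cast to int and the address is escaped before
 * either reaches the SQL text (the previous version concatenated the raw
 * item id).
 *
 * @return void
 */
function saveIP()
{
    $itemid = intval($this->itemid);
    $ip = sql_real_escape_string(serverVar('REMOTE_ADDR'));

    $query = 'INSERT INTO ' . sql_table('karma')
           . ' (itemid, ip) VALUES (' . $itemid . ",'" . $ip . "')";
    sql_query($query);
}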
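/**
 * Template variable: counts a view of $item and prints the running total.
 *
 * A view from the same IP only counts again after 'timespan' hours; log rows
 * older than that are purged on every call. Passing 'skipcount' as $input
 * prints the current count without recording a view.
 *
 * Fixes against the previous version: the item id is cast to int and the
 * remote address is escaped before being interpolated into SQL; a missing
 * views row no longer dereferences a false result; the timespan option is
 * coerced numerically before the multiplication.
 *
 * @param object $item   item being rendered; $item->itemid is used
 * @param string $input  'skipcount' to read only, anything else to count
 * @return void  echoes the count unless the 'silent' option is not 'no'
 */
function doTemplateVar(&$item, $input)
{
    $itemid = intval($item->itemid);
    $remote_ip = serverVar('REMOTE_ADDR');
    $safe_ip = sql_real_escape_string($remote_ip);
    $timespan = (float) $this->getOption('timespan') * 3600;
    $now = $_SERVER['REQUEST_TIME'];

    // get the current Views count
    $result = sql_query(sprintf('SELECT views FROM %s WHERE id=%d', sql_table('plugin_views'), $itemid));
    $total = sql_num_rows($result);
    $row = sql_fetch_object($result);
    $views = $row ? intval($row->views) : 0;

    // Only do count updates if "skipcount" is not set
    if ($input != 'skipcount') {
        // This takes care of previous items
        if ($total == 0) {
            sql_query(sprintf("INSERT INTO %s (id, views) VALUES('%d', '1')", sql_table('plugin_views'), $itemid));
        }

        // Check the views_log table to see if this IP has a viewtime for this item
        $result = sql_query(sprintf("SELECT viewtime FROM %s WHERE ip='%s' AND itemid=%d", sql_table('plugin_views_log'), $safe_ip, $itemid));

        if (sql_num_rows($result) == 0) {
            // No views from this IP in the past X hours, so update the Views count
            $views++;
            $this->_updateViewsCount($itemid, $views);
            $this->_addViewsLog($itemid, $remote_ip, $now);
        } else {
            $viewtime = sql_result($result, 0, 'viewtime');
            // It's been longer than X hours, so recount
            if ($now - $timespan > $viewtime) {
                $views++;
                $this->_updateViewsCount($itemid, $views);
                $this->_updateViewsLog($itemid, $remote_ip, $now);
            }
        }
    }

    // Clear logs that are more than X hours old
    $time = $now - $timespan;
    sql_query(sprintf('DELETE FROM %s WHERE (viewtime < %d)', sql_table('plugin_views_log'), $time));

    if ($this->getOption('silent') == 'no') {
        echo $views;
    }
}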
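/**
 * Skin variable entry point for the tags plugin.
 *
 * $type selects the output:
 *  - 'tagsearch': lists the items whose tags contain the requested tag,
 *    taken from REQUEST_URI (pathinfo mode, segment after "tags") or the
 *    'tag' request variable;
 *  - 'cloud', 'dcloud', 'localcloud': renders a four-level tag cloud linking
 *    to Technorati, del.icio.us or the local tag search respectively.
 *
 * Fixes against the previous version: the request-supplied tag was placed
 * unescaped into the LIKE clause and the page; the blog id from the URI was
 * used after is_numeric() only; the cloud/dcloud format strings had five
 * placeholders for six arguments, so the "[count]" suffix was never shown;
 * array_search() misses were dereferenced as index 0.
 *
 * @param string     $skinType  unused here
 * @param string     $type      output mode, see above
 * @param string     $sort      'alp' sorts the cloud alphabetically, otherwise by count
 * @param int        $maxtags   cap on the number of cloud tags; <= 0 means no cap
 * @param string|int $blogid    "current", a numeric id, or anything else for all blogs
 * @return void  output is echoed
 */
function doSkinVar($skinType, $type = 'cloud', $sort = 'alp', $maxtags = -1, $blogid = "current")
{
    global $blog, $manager, $CONF;

    if (!$blog) {
        echo "<!-- TechnoratiTags fatal error: no blog object?? -->";
    }

    if ($type == 'tagsearch') {
        // 1. Resolve the requested tag (and, in pathinfo mode, an optional blog id).
        if ($CONF['URLMode'] == 'pathinfo') {
            $segments = explode('/', serverVar('REQUEST_URI'));
            $pos = array_search('tags', $segments, true);
            $raw = ($pos !== false && isset($segments[$pos + 1])) ? $segments[$pos + 1] : '';
            if (function_exists('mb_convert_encoding')) {
                $tag = rawurldecode(mb_convert_encoding($raw, _CHARSET, _CHARSET));
            } else {
                // This will not work for UTF-8 tag..... not something
                // we can fix unless we bundle mb_convert_encoding()
                $tag = urlencode($raw);
            }
            if ($blog->getId() != 1) {
                $pos = array_search('blogid', $segments, true);
                if ($pos !== false && isset($segments[$pos + 1])) {
                    $blogid = $segments[$pos + 1];
                }
            }
        } else {
            $raw = str_replace(' ', '+', RequestVar('tag'));
            if (function_exists('mb_convert_encoding')) {
                $tag = rawurldecode(mb_convert_encoding($raw, _CHARSET, _CHARSET));
            } else {
                // This will not work for UTF-8 tag..... not something
                // we can fix unless we bundle mb_convert_encoding()
                $tag = urlencode($raw);
            }
        }
        if ($tag == '') {
            return;
        }

        $displayed_tag = ($this->getOption('PlusSwitch') == 'yes') ? str_replace('+', ' ', $tag) : $tag;
        echo "<div class=\"contenttitle\"><h2>" . $this->getOption('SearchTitleText') . " "
           . htmlspecialchars($displayed_tag, ENT_QUOTES) . "</h2></div>";

        // 2. Query matching items. The tag is request-controlled, so it is escaped
        //    for the SQL string; LIKE wildcards inside the tag are still honoured
        //    (the original "%%" caveat stands).
        $blogFilter = is_numeric($blogid) ? intval($blogid) : $blog->getID();
        $query = "select t.itemid, i.ititle from " . $this->tablename . " as t, " . sql_table('item')
               . " as i where tags like \"%" . sql_real_escape_string($tag) . "%\""
               . " and t.itemid = i.inumber and i.idraft != 1 "
               . " and i.iblog = " . $blogFilter
               . " order by i.itime desc";

        $res = sql_query($query);
        echo "<br /><br /><ul>";
        while ($row = sql_fetch_object($res)) {
            $link = createItemLink($row->itemid);
            // NOTE(review): ititle is emitted as stored, like the original — confirm it is escaped on write.
            echo "<li><a href=\"" . $link . "\">" . $row->ititle . "</a></li>";
        }
        echo "</ul>";
        return;
    }

    if ($type != 'cloud' && $type != 'dcloud' && $type != 'localcloud') {
        return; // unknown type: nothing is rendered
    }

    // Blog scope for the cloud: current blog, a numeric id, or 0 (all blogs).
    if ($blogid == "current") {
        $blogid = $blog->getID();
    } elseif (!is_numeric($blogid)) {
        $blogid = 0;
    }

    // get all tags and counts, most-used first, optionally capped
    $tags = $this->getAllTags($blogid);
    arsort($tags);
    if ($maxtags > 0) {
        $tags = array_slice($tags, 0, $maxtags, true);
    }

    // Spread the tags over four size levels (3 = largest) by rank quartile.
    $total = sizeof($tags);
    $quarter = $total / 4;
    $levels = array();
    $rank = 0;
    foreach ($tags as $curtag => $curtagcount) {
        if ($rank < $quarter) {
            $levels[$curtag] = 3;
        } elseif ($rank < 2 * $quarter) {
            $levels[$curtag] = 2;
        } elseif ($rank < 3 * $quarter) {
            $levels[$curtag] = 1;
        } else {
            $levels[$curtag] = 0;
        }
        $rank++;
    }
    if ($sort == 'alp') {
        ksort($levels);
    }

    // per-level counters, emitted as a trailing HTML comment for debugging
    $tc = 0;
    $sc = 0;
    $mc = 0;
    $lc = 0;

    $style = 'background: none;padding: 0px; margin: 0px; text-decoration: none;';
    $plusSwitch = ($this->getOption('PlusSwitch') == 'yes');
    $showCount = ($this->getOption('ShowCount') == "yes");

    foreach ($levels as $curtag => $level) {
        if ($level == 3) {
            echo "<span class=\"largeT\">";
            $lc++;
        } elseif ($level == 2) {
            echo "<span class=\"mediumT\">";
            $mc++;
        } elseif ($level == 1) {
            echo "<span class=\"smallT\">";
            $sc++;
        } else {
            echo "<span class=\"tinyT\">";
            $tc++;
        }

        $count = $showCount ? " [" . $tags[$curtag] . "]" : "";
        $displayed_tag = $plusSwitch ? str_replace('+', ' ', $curtag) : $curtag;
        $safeTag = htmlspecialchars($curtag, ENT_QUOTES);
        $safeLabel = htmlspecialchars($displayed_tag, ENT_QUOTES);

        if ($type == 'cloud') {
            // six %s: the old format had five, so $count was silently dropped
            printf('<a href="%s/%s" title="Find tag %s on Technorati" style="%s">%s%s</a>',
                $this->technoratiurl, $safeTag, $safeTag, $style, $safeLabel, $count);
        } elseif 

 ($type == 'dcloud') {
            printf('<a href="%s/%s" title="Find tag %s on del.icio.us" style="%s">%s%s</a>',
                $this->deliciousurl, $safeTag, $safeTag, $style, $safeLabel, $count);
        } else {
            if ($CONF['URLMode'] == 'pathinfo') {
                $link = $blog->getURL() . '/tags/' . $curtag;
            } else {
                $self = rtrim(str_replace('index.php', '', $CONF['Self']), '/') . '/';
                if ($self === '/') {
                    $self = './';
                }
                $link = "{$self}tags.php?tag={$curtag}";
                if ($blog->getId() != 1) {
                    $link .= "&blogid=" . $blog->getId();
                }
            }
            echo "<a href=\"" . htmlspecialchars($link, ENT_QUOTES) . "\" style=\"{$style}\">" . $safeLabel . $count . "</a>";
        }
        echo "</span>\n"; // finish it off
    }
    echo '<!-- ' . $tc . '-' . $sc . '-' . $mc . '-' . $lc . ' -->';
}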
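/**
 * Rebuilds $_SERVER['REQUEST_URI'] from SCRIPT_NAME plus the $_GET
 * parameters, keeping of each name and value only the part before the
 * first backslash — which, after addslashes(), means the first quote,
 * backslash or NUL byte.
 *
 * Fixes against the previous version: parameters are joined as
 * "?a=b&c=d" (every parameter used to be prefixed with "?"); the parameter
 * name gets the same treatment as its value; array-valued parameters are
 * skipped instead of being passed to addslashes(); get_magic_quotes_gpc()
 * is only consulted where it still exists (removed in PHP 8).
 *
 * @return void  side effect only: overwrites $_SERVER['REQUEST_URI']
 */
function sanitizeRequestUri()
{
    $request_uri = serverVar('SCRIPT_NAME');

    // when magic quotes are on the slashes are already there
    $magicQuotes = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();

    $separator = '?';
    foreach ($_GET as $name => $val) {
        if (is_array($val)) {
            continue;
        }
        $name = (string) $name;
        $val = (string) $val;
        if (!$magicQuotes) {
            $name = addslashes($name);
            $val = addslashes($val);
        }
        $nameParts = explode('\\', $name);
        $valParts = explode('\\', $val);
        $request_uri .= sprintf('%s%s=%s', $separator, $nameParts[0], $valParts[0]);
        $separator = '&';
    }

    $_SERVER['REQUEST_URI'] = $request_uri;
}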
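/**
 * Check ticket when not checked in plugin's admin page
 * to avoid CSRF.
 * Also avoid the access to plugin/index.php by guest user.
 *
 * Flow: resolve the executing script to a plugin below $DIR_PLUGINS; return
 * for anything other than that plugin's "/" or "/index.php"; require a
 * logged-in member; return when the script itself already calls
 * $manager->checkTicket(); for a request that carries a query string or is a
 * POST without a valid ticket, show a confirmation form that re-submits the
 * same input together with a ticket, then exit. Otherwise publish a fresh
 * ticket in $ticketforplugin['ticket'].
 *
 * Fixes against the previous version: the plugin lookup read
 * $plugins[$path] without isset() and used a non-strict in_array(); the
 * URI/query split used list() on an explode() that may yield one element and
 * split on every "?" rather than the first.
 *
 * @return void  may exit (404, not-logged-in message, or confirmation form)
 */
function ticketForPlugin()
{
    global $CONF, $DIR_PLUGINS, $member, $ticketforplugin;

    /* initialize */
    $ticketforplugin = array();
    $ticketforplugin['ticket'] = FALSE;

    /* Check if using plugin's php file. */
    $p_translated = serverVar('PATH_TRANSLATED');
    if ($p_translated && !file_exists($p_translated)) {
        $p_translated = '';
    }
    if (!$p_translated) {
        $p_translated = serverVar('SCRIPT_FILENAME');
        if (!file_exists($p_translated)) {
            header("HTTP/1.0 404 Not Found");
            exit('');
        }
    }
    $p_translated = str_replace('\\', '/', $p_translated);
    $d_plugins = str_replace('\\', '/', $DIR_PLUGINS);
    // Prefix test only. NOTE(review): a sibling directory whose name starts
    // with $DIR_PLUGINS would also pass — kept as in the original.
    if (strpos($p_translated, $d_plugins) !== 0) {
        return; // This isn't plugin php file.
    }

    /* Solve the plugin php file or admin directory */
    $phppath = substr($p_translated, strlen($d_plugins));
    $phppath = preg_replace('#^/#', '', $phppath); // Remove the first "/" if exists.
    $path = preg_replace('#^NP_(.*)\\.php$#', '$1', $phppath); // Remove the first "NP_" and the last ".php" if exists.
    $path = preg_replace('#^([^/]*)/(.*)$#', '$1', $path); // Remove the "/" and beyond.

    /* Solve the plugin name: lowercased name => name as stored (without "NP_"). */
    $plugins = array();
    $query = 'SELECT `pfile` FROM ' . sql_table('plugin');
    $res = sql_query($query);
    while ($row = sql_fetch_row($res)) {
        $name = substr($row[0], 3);
        $plugins[strtolower($name)] = $name;
    }
    sql_free_result($res);

    if (isset($plugins[$path]) && $plugins[$path]) {
        $plugin_name = $plugins[$path];
    } elseif (in_array($path, $plugins, true)) {
        $plugin_name = $path;
    } else {
        header("HTTP/1.0 404 Not Found");
        exit('');
    }

    /* Return if not index.php */
    if ($phppath != strtolower($plugin_name) . '/' && $phppath != strtolower($plugin_name) . '/index.php') {
        return;
    }

    /* Exit if not logged in. */
    if (!$member->isLoggedIn()) {
        exit(_GFUNCTIONS_YOU_AERNT_LOGGEDIN);
    }

    global $manager, $DIR_LIBS, $DIR_LANG, $HTTP_GET_VARS, $HTTP_POST_VARS;

    /* Check if this feature is needed (ie, if "$manager->checkTicket()" is not included in the script). */
    if (!($p_translated = serverVar('PATH_TRANSLATED'))) {
        $p_translated = serverVar('SCRIPT_FILENAME');
    }
    if ($file = @file($p_translated)) {
        $prevline = '';
        foreach ($file as $line) {
            // consecutive lines are joined so a call split across a line break is still found
            if (preg_match('/[\\$]manager([\\s]*)[\\-]>([\\s]*)checkTicket([\\s]*)[\\(]/i', $prevline . $line)) {
                return;
            }
            $prevline = $line;
        }
    }

    /* Show a form if not valid ticket */
    $carriesInput = strstr(serverVar('REQUEST_URI'), '?')
        || serverVar('QUERY_STRING')
        || strtoupper(serverVar('REQUEST_METHOD')) == 'POST';
    if ($carriesInput && !$manager->checkTicket()) {
        if (!class_exists('PluginAdmin')) {
            $language = getLanguageName();
            # replaced ereg_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0
            # original ereg_replace: ereg_replace( '[\\|/]', '', $language) . '.php')
            # important note that '\' must be matched with '\\\\' in preg* expressions
            include $DIR_LANG . preg_replace('#[\\\\|/]#', '', $language) . '.php';
            include $DIR_LIBS . 'PLUGINADMIN.php';
        }
        $oPluginAdmin = new PluginAdmin($plugin_name);
        $oPluginAdmin->start();
        echo '<p>' . _ERROR_BADTICKET . "</p>\n";

        /* Show the form to confirm action */
        // PHP 4.0.x support
        $get = isset($_GET) ? $_GET : $HTTP_GET_VARS;
        $post = isset($_POST) ? $_POST : $HTTP_POST_VARS;

        // Resolve URI and QUERY_STRING (split on the first "?" only)
        $qstring = '';
        if ($uri = serverVar('REQUEST_URI')) {
            $uriParts = explode('?', $uri, 2);
            $uri = $uriParts[0];
            if (isset($uriParts[1])) {
                $qstring = $uriParts[1];
            }
        } else {
            if (!($uri = serverVar('PHP_SELF'))) {
                $uri = serverVar('SCRIPT_NAME');
            }
            $qstring = serverVar('QUERY_STRING');
        }
        if ($qstring) {
            $qstring = '?' . $qstring;
        }

        echo '<p>' . _SETTINGS_UPDATE . ' : ' . _QMENU_PLUGINS . ' <span style="color:red;">' . htmlspecialchars($plugin_name) . "</span> ?</p>\n";
        switch (strtoupper(serverVar('REQUEST_METHOD'))) {
            case 'POST':
                echo '<form method="POST" action="' . htmlspecialchars($uri . $qstring) . '">';
                $manager->addTicketHidden();
                _addInputTags($post);
                break;
            case 'GET':
                echo '<form method="GET" action="' . htmlspecialchars($uri) . '">';
                $manager->addTicketHidden();
                _addInputTags($get);
                break;
            default:
                break;
        }
        echo '<input type="submit" value="' . _YES . '" /> ';
        echo '<input type="button" value="' . _NO . '" onclick="history.back(); return false;" />';
        echo "</form>\n";
        $oPluginAdmin->end();
        exit;
    }

    /* Create new ticket */
    $ticket = $manager->addTicketToUrl('');
    $ticketforplugin['ticket'] = substr($ticket, strpos($ticket, 'ticket=') + 7);
}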
/**
 * Parse skinvar referer: prints the HTTP Referer header, HTML-escaped
 * (quotes included) since it is client-supplied.
 *
 * @return void
 */
function parse_referer()
{
    $referer = serverVar('HTTP_REFERER');
    echo htmlspecialchars($referer, ENT_QUOTES);
}
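/**
 * Streams a skin file to the browser as an attachment and exits.
 *
 * The 'file' request variable is split into a directory (expanded with
 * sfExpandDirectory() and accepted only when sfValidPath() agrees) and a
 * basename; only an existing, readable regular file is served.
 *
 * Fixes against the previous version: the file is opened in binary mode;
 * quotes, backslashes and control characters are removed from the
 * Content-Disposition filename so the header value stays well-formed; the
 * one-second sleep before streaming (no functional purpose, held a worker
 * per download) is gone.
 *
 * @return void  always exits
 */
function _skinfiles_download()
{
    $requested = trim(requestVar('file'));
    $file = _skinfiles_basename($requested);
    $directory = sfExpandDirectory(dirname($requested));
    $fullPath = $directory . $file;

    if (!sfValidPath($directory) || !file_exists($fullPath) || !is_file($fullPath) || !is_readable($fullPath)) {
        echo _SKINFILES_ERR_DOWNLOAD_FILE2;
        exit;
    }

    // Old MSIE mishandles names with several dots: encode all but the last one.
    if (strstr(serverVar('HTTP_USER_AGENT'), "MSIE")) {
        $name = preg_replace('/\\./', '%2e', $file, substr_count($file, '.') - 1);
    } else {
        $name = $file;
    }
    // Keep the quoted header parameter well-formed.
    $name = preg_replace('/[\\x00-\\x1f\\x7f"\\\\]/', '', $name);

    $fp = @fopen($fullPath, 'rb');
    if (!$fp) {
        echo _SKINFILES_ERR_DOWNLOAD_FILE1;
        exit;
    }

    header("Cache-Control: "); // leave blank to avoid IE errors
    header("Pragma: "); // leave blank to avoid IE errors
    header("Content-type: application/octet-stream");
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header("Content-length: " . (string) filesize($fullPath));
    fpassthru($fp);
    fclose($fp);
    exit;
}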
/**
 * Checks if an IP or IP range is banned.
 *
 * Asks BAN::isBanned() about the remote address for $blogid; when a ban
 * object comes back, its iprange and message are wrapped in the
 * _ERROR_BANNED* texts and handed to doError().
 *
 * @param int $blogid  blog the ban lookup is scoped to
 * @return void
 */
function checkban($blogid)
{
    $remoteAddr = serverVar('REMOTE_ADDR');
    $ban = BAN::isBanned($blogid, $remoteAddr);
    if ($ban == 0) {
        return; // not banned
    }
    $message = _ERROR_BANNED1 . $ban->iprange . _ERROR_BANNED2 . $ban->message . _ERROR_BANNED3;
    doError($message);
}
// create the admin area page $oPluginAdmin = new PluginAdmin('BadBehavior'); $oPluginAdmin->start($newhead); if ($member->isLoggedIn() && $member->canLogin()) { $admin = 1; } else { echo 'You are not logged in.'; $oPluginAdmin->end(); exit; } global $CONF, $manager; // $manager->checkTicket(); $action_url = $CONF['ActionURL']; $thispage = $CONF['PluginURL'] . "badbehavior/index.php"; $adminpage = $CONF['AdminURL']; $thisquerystring = serverVar('QUERY_STRING'); $toplink = '<p class="center"><a href="' . $thispage . '?' . $thisquerystring . '#sitop" alt="Return to Top of Page">-top-</a></p>' . "\n"; $showlist = strtolower(trim(requestVar('showlist'))); if (!in_array($showlist, array('stats', 'admin', 'logs'))) { $showlist = 'stats'; } $tname = stringStripTags(trim(requestVar('tname'))); $fname = stringStripTags(trim(requestVar('fname'))); $oname = stringStripTags(trim(requestVar('oname'))); $iname = stringStripTags(trim(requestVar('iname'))); $iname = preg_replace('|[^a-z0-9.,_/-]|i', '_', $iname); // make sure bad behavior is loaded if (!defined('BB2_CORE')) { //echo "loading necessary bad behavior libraries..."; global $DIR_PLUGINS; $homepath = $DIR_PLUGINS . '/badbehavior/';