Example #1
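/**
 * Fetch product rows by id, or every product when $productID equals ALL_PRODUCTS.
 *
 * @param mixed $productID  product id from the caller; compared loosely with ALL_PRODUCTS as before
 * @param PDO   $db_handle  open PDO connection
 * @return array  rows from fetchAll(); empty when the query failed (the error is reported via addError())
 */
function getProduct($productID, $db_handle)
{
    $rows = array();
    try {
        // Parameterised statement: $productID never becomes part of the SQL text.
        $statement_handle = $db_handle->prepare("SELECT * FROM products WHERE productID=(:productID)");
        // bindParam() takes its argument by reference, so a constant cannot be passed
        // to it; bindValue() binds the value itself and works for both branches.
        $statement_handle->bindValue(':productID', ALL_PRODUCTS == $productID ? ALL_PRODUCTS : $productID);
        $statement_handle->execute();
        $rows = $statement_handle->fetchAll();
    } catch (PDOException $e) {
        // $statement_handle is undefined here when prepare() itself threw, which is
        // why fetchAll() is kept inside the try block. PDO messages can contain
        // driver/SQL details, so addError() output should not reach end users verbatim.
        clearAndInitErrors();
        addError($e->getMessage());
        // Previously placed after the return statement and therefore never executed.
        displayErrors();
    }
    // Only drops this function's copy of the handle; the caller's connection stays open.
    $db_handle = null;
    return $rows;
}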
Example #2
 /**
  * Handle the banner upload form: on POST, store the uploaded image under a
  * per-site name (replacing any previous banner), then render the form view.
  */
 public function add()
 {
     if ($_POST) {
         // One banner per site: the file name is derived from the site base URL.
         $siteName = substr(BASEURL2, 0, -1);
         $fileName = 'topBanner' . $siteName;
         // The extension allow-list and size limit are enforced by the upload library.
         $uploadConfig = array(
             'upload_path' => './uploads/',
             'allowed_types' => 'gif|jpg|png|jpeg',
             'max_size' => '1024',
             'max_width' => '0',
             'max_height' => '0',
             'file_name' => $fileName,
             'overwrite' => TRUE,
         );
         $this->load->library('upload', $uploadConfig);
         if ($this->upload->do_upload('banner')) {
             $uploaded = $this->upload->data();
             // Remove banners stored earlier under a different extension.
             $this->deleteOthers($fileName, $uploaded['file_ext']);
             addSuccess(getTxt('SiteSuccessfullyEdited'));
         } else {
             addError(getTxt('FailMoveFile') . $this->upload->display_errors());
         }
     }
     $this->load->view('banner/add', $this->StyleData);
 }
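 /**
  * Run every rule registered in self::$data against the given input.
  *
  * @param array|null $input  fields to validate; when falsy, $_REQUEST is used instead
  * @return bool  true when every rule passed; false when a rule failed or there was no input
  */
 public static function run($input)
 {
     if (!$input) {
         // NOTE(review): $_REQUEST merges GET, POST and COOKIE, so a cookie can
         // satisfy or fail a rule meant for a form field — callers should pass
         // the intended source explicitly rather than rely on this fallback.
         $input = $_REQUEST;
     }
     if (!count($input)) {
         return false;
     }
     self::$input = $input;
     $passed = true;
     foreach (self::$data as $fieldName => &$field) {
         foreach ($field['rules'] as &$rule) {
             $func = $rule['rule'];
             if (method_exists(__CLASS__, $func)) {
                 // Built-in rule: receives the field name plus optional extra vars.
                 $args = isset($rule['vars']) ? array($fieldName, $rule['vars']) : array($fieldName);
                 $rule['passed'] = (int) call_user_func_array(array('MG_Validation', $func), $args);
             } else {
                 // Arbitrary callable named by the rule. Rule names must come from
                 // trusted configuration (self::$data), never from the request.
                 $rule['passed'] = (int) call_user_func($func, self::$input[$fieldName]);
             }
             if (!$rule['passed']) {
                 addError(str_replace("%", $field['friendlyName'], MG_Lang::translate('validation_' . $rule['rule'])));
                 // Was assigned 0 here while initialised to true; keep the type consistent.
                 $passed = false;
                 $field['passed'] = 0;
             }
         }
         // Drop the by-reference binding so the last rule is not aliased afterwards.
         unset($rule);
     }
     unset($field);
     return $passed;
 }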
Example #4
/**
 * Abort the request when an MDB2 call returned an error object.
 *
 * Registers $msg plus the MDB2 message via addError(), adds the driver user info
 * when EC_DEBUG is set, prints the errors and terminates. Does nothing otherwise.
 *
 * @param mixed  $MDB2Object  result of an MDB2 call
 * @param string $msg         caller-supplied prefix for the error text
 */
function MDB2Error($MDB2Object, $msg = "")
{
    if (!PEAR::isError($MDB2Object)) {
        return;
    }
    $text = $msg . "<br>" . $MDB2Object->getMessage();
    addError($text);
    // Driver-level details are only surfaced in debug builds.
    if (EC_DEBUG) {
        addError($MDB2Object->getUserinfo());
    }
    show_errors();
    die;
}
Example #5
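 /**
  * Delete every row of the `problems` table, report the outcome and re-render the index.
  *
  * The outcome is registered through addSuccess()/addError(); their return values
  * were previously stored in an unused local $data and are not needed.
  */
 function deleteall()
 {
     // Kept for its possible side effects; the returned request data is not used here.
     Core::Request();
     $problemModel = $this->loadmodel('SearchModel');
     // Static statement, no request data reaches the SQL text.
     if ($problemModel->query("DELETE FROM `problems`")) {
         addSuccess(lang('history has been deleted.'));
     } else {
         addError(lang('Unsuccess delete this history.'));
     }
     $this->index();
 }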
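 /**
  * Store a rating for $objId, either for the logged-in user or anonymously (keyed
  * by the page auth key), then refresh the object's instant rating.
  *
  * @param mixed $objId       id of the rated object
  * @param mixed $rating      numeric rating; must lie within [minValue, maxValue]
  * @param array $remoteData  rating data from another node (not implemented yet)
  */
 function setRating($objId, $rating, $remoteData = array())
 {
     global $page, $user;
     // is_numeric() accepts numeric strings as well, so $rating may still be a string here.
     if (!is_numeric($rating) || $rating < $this->minValue || $rating > $this->maxValue) {
         addError("invalid or empty rating");
         return;
     }
     if (!empty($remoteData)) {
         // this rating comes from another node...
         // TODO: not implemented; falls through to updateInstant() without storing anything
     } elseif ($page->loggedIn()) {
         // local rating from registered user
         $this->find($objId, $user->id);
         $this->_storeRating($objId, $rating, array('user_id' => $user->id, 'user_node_id' => 0));
     } else {
         // anonymous rating
         // TODO: if there was a rating request from the same host within x minutes, then reject
         $key = $page->getAuthKey();
         if (!$key) {
             addError($page->getlocalized("cannot_rate_no_authkey"));
             // or $this->set('problem', 'no_auth_key');
             return;
         }
         $this->findAnon($objId, $key);
         $this->_storeRating($objId, $rating, array('auth_key' => $key));
     }
     $this->updateInstant($objId);
 }

 /**
  * Write the rating fields onto the currently loaded record and persist it.
  *
  * Assumes find()/findAnon() already ran so exists() reflects the right record.
  * $newRecordFields are only set when a new record is created.
  *
  * @param mixed $objId
  * @param mixed $rating
  * @param array $newRecordFields  column => value pairs specific to a new record
  */
 function _storeRating($objId, $rating, $newRecordFields)
 {
     $this->set('rate', $rating);
     $this->set('host', getHostName());
     $this->set('entered', $this->db->getTimestampTz());
     if ($this->exists()) {
         // change existing rating
         $this->update();
         return;
     }
     // new rating
     $this->set('prog_id', $objId);
     foreach ($newRecordFields as $column => $value) {
         $this->set($column, $value);
     }
     $this->create();
 }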
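 /**
  * Return the most-rated topics that sit below a super-topic, highest total first.
  *
  * @param int $maxHits  maximum number of rows to return
  * @return array  list of counter rows, each with a 'name' entry added; empty on error or when there are no hits
  */
 function getTopTopics($maxHits)
 {
     // Previously left undefined (null returned) when the query yielded no rows.
     $list = array();
     // $maxHits is passed to limitQuery() as the limit argument, not concatenated into the SQL.
     $res = $this->db->limitQuery("SELECT tc.* FROM sotf_topics_counter tc, sotf_topic_tree_defs td WHERE tc.topic_id=td.id AND td.supertopic != 0 AND total > 0 ORDER BY total DESC", 0, $maxHits);
     if (DB::isError($res)) {
         addError($res);
         return $list;
     }
     while (DB_OK === $res->fetchInto($item)) {
         $item['name'] = $this->getTopicName($item['topic_id']);
         $list[] = $item;
     }
     return $list;
 }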
Example #8
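 /**
  * Delete one office, then re-render the index with a status message and the
  * remaining office list.
  *
  * @param array $post  request payload; $post['params'] is the id of the office to delete
  */
 function delete($post)
 {
     $office = $this->loadmodel('OfficeModel');
     // The id comes straight from the request; Delete() is relied on to scope the
     // statement to this id (no ownership/permission check is visible here).
     $office->id = $post['params'];
     if ($office->Delete()) {
         $data['msg'] = addSuccess(lang('1 office has been deleted.'));
     } else {
         $data['msg'] = addError(lang('Unsuccess delete this office.'));
     }
     $data['title'] = lang('Management office');
     $data['header'] = lang('Management office');
     // Load the remaining offices before handing $data over: previously these two
     // lines ran after index(), so the list never reached $this->data.
     $office->All();
     $data['office'] = $office->variables;
     $this->data = $data;
     $this->index();
 }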
Example #9
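 /**
  * Delete one kinerja record, then re-render the index with a status message
  * and the remaining records.
  *
  * @param array $post  request payload; $post['params'] is the id of the record to delete
  */
 function delete($post)
 {
     $kinerja = $this->loadmodel('KinerjaModel');
     // The id comes straight from the request; Delete() is relied on to scope the
     // statement to this id (no ownership/permission check is visible here).
     $kinerja->id = $post['params'];
     if ($kinerja->Delete()) {
         $data['msg'] = addSuccess(lang('1 kinerja has been deleted.'));
     } else {
         $data['msg'] = addError(lang('Unsuccess delete this kinerja.'));
     }
     $data['title'] = lang('Management kinerja');
     $data['header'] = lang('Management kinerja');
     // Load the remaining records before handing $data over: previously these two
     // lines ran after index(), so the list never reached $this->data.
     $kinerja->All();
     $data['kinerja'] = $kinerja->variables;
     $this->data = $data;
     $this->index();
 }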
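 /**
  * Send an XML-RPC request and return the decoded response value.
  *
  * @param string $url     endpoint URL
  * @param string $method  remote method name
  * @param array  $params  positional parameters; anything that is not an xmlrpcval object is encoded first
  * @return mixed  decoded response value, or NULL when there was no response or a fault was returned
  */
 function call($url, $method, $params)
 {
     // xmlrpc encode parameters. get_class() is only valid on objects (a TypeError
     // on PHP 8), so test for an object before asking for its class.
     $paramCount = count($params);
     for ($i = 0; $i < $paramCount; $i++) {
         if (!is_object($params[$i]) || get_class($params[$i]) != 'xmlrpcval') {
             $params[$i] = xmlrpc_encoder($params[$i]);
         }
     }
     // send request
     $message = new xmlrpcmsg($method, $params);
     if ($this->debug) {
         // Escaped for display, but this dumps the full request (including any
         // credentials it carries) onto the page; keep debug off in production.
         print "<PRE>" . htmlentities($message->serialize()) . "</PRE>\n";
     }
     // parse_url() returns false for a malformed URL and omits 'port' when the
     // URL has none; guard both so no undefined-index notice is raised.
     $addr = parse_url($url);
     $host = isset($addr['host']) ? $addr['host'] : null;
     $port = isset($addr['port']) ? $addr['port'] : null;
     $client = new xmlrpc_client($url, $host, $port, $this->connTimeout, $this->recvTimeout);
     if ($this->debug) {
         $client->setDebug(1);
     }
     debug("XML-RPC", "call to " . $url);
     $response = $client->send($message);
     // Previously serialize() was called on $response before checking it, which
     // is a fatal error when send() returned nothing.
     if ($this->debug && $response) {
         print "<PRE>" . htmlentities($response->serialize()) . "</PRE>\n";
     }
     // process response
     if (!$response) {
         addError("No response: probably host is unreachable");
         return NULL;
     }
     if ($response->faultCode() > 0) {
         // there was an error
         addError("Error response: " . $response->faultCode() . "  " . $response->faultString());
         return NULL;
     }
     $retval = $response->value();
     if ($retval) {
         $retval = xmlrpc_decoder($retval);
     }
     return $retval;
 }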
Example #11
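 /**
  * Check the posted username together with $password against the users table.
  *
  * On success the first matching row populates the session and TRUE is returned;
  * otherwise an error is registered and false is returned.
  *
  * @param string $password  password as submitted (field validation already ran)
  * @return bool
  */
 function check_database($password)
 {
     //Field validation succeeded.  Validate against database
     $username = $this->input->post('username');
     //query the database
     $result = $this->users->login($username, $password);
     if (!$result) {
         addError(getTxt('Incorrect'));
         return false;
     }
     foreach ($result as $row) {
         //Set the SESSION from the first row only: iterating every row used to
         //re-assign the session and repeat the success message once per row.
         fetch_session();
         // NOTE(review): confirm fetch_session() rotates the session id here — a
         // login is a privilege change and should not keep the pre-login id.
         $_SESSION['username'] = $username;
         $_SESSION['user_auth'] = $row->authority;
         addSuccess(getTxt('LogInSuccess'));
         break;
     }
     return TRUE;
 }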
Example #12
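/**
 * Dispatch one API action name to its handler.
 *
 * Only the actions in the allow-list below may be called without a logged-in
 * user; any other action from an anonymous caller is answered with an error
 * JSON document. Unknown action names are ignored, as before.
 *
 * @param string $action  action name as received from the client
 */
function doAction($action)
{
    // Actions that do not require authentication.
    $publicActions = array("login", "register", "getTags");
    // Fixed name => handler table; $action is only used as a lookup key and never
    // becomes part of a function name itself.
    $handlers = array(
        "login" => 'login',
        "logout" => 'logout',
        "isLoggedIn" => 'isLoggedIn',
        "register" => 'register',
        "addquestion" => 'addQuestion',
        "getTags" => 'getTags',
        "getquestions" => 'getQuestions',
    );
    $loggedin = isUserLoggedIn();
    if (!$loggedin && !in_array($action, $publicActions, true)) {
        addError("fatal", "user.unathorized");
        outputJSON("error");
        return;
    }
    if (isset($handlers[$action])) {
        $handlers[$action]();
    }
}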
Example #13
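/**
 * Validate an array
 *
 * Checks that $array is an array and, when limits are given, that its element
 * count lies within [$lowerLimit, $upperLimit]. On failure the optional $message
 * is registered via addError().
 *
 * @param	array	$array
 * @param	string $message	registered with addError() on failure; skipped when null/empty
 * @param	integer/null $lowerLimit	minimum element count; null means no lower bound
 * @param	integer/null $upperLimit	maximum element count; null means no upper bound (0 is a real limit)
 * @return	boolean
 *
 * @author	Liviu
 * @since	May 07, 2009
 */
function validateArray($array, $message = null, $lowerLimit = null, $upperLimit = null)
{
    $valid = is_array($array);
    // Limits are compared with !== so that a limit of 0 is honoured; the old
    // loose `!= null` test silently ignored 0 (an upper limit of 0 never fired).
    if ($valid && $lowerLimit !== null && count($array) < $lowerLimit) {
        $valid = false;
    }
    if ($valid && $upperLimit !== null && count($array) > $upperLimit) {
        $valid = false;
    }
    if (!$valid && $message != null) {
        addError($message);
    }
    return $valid;
}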
Example #14
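// Login form handling: validate the posted credentials, or remember where the
// visitor came from so the login view can send them back afterwards.
if (isset($_POST['flubber_submit'])) {
    $username = isset($_POST['flubber_username']) ? $_POST['flubber_username'] : "";
    $password = isset($_POST['flubber_password']) ? $_POST['flubber_password'] : "";
    if ($username == "") {
        addError("login.username.missing");
    }
    if ($password == "") {
        addError("login.password.missing");
    }
    if (getErrorCount() > 0) {
        // Forward-slash form as in the else branch below; the backslash variant
        // only resolves on Windows.
        $forwardpage = "views/index.php";
    } elseif (validate($username, $password) == true) {
        // A successful login is a privilege change: issue a fresh session id so a
        // session id fixed before authentication does not carry over.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['username'] = $username;
        if (isset($_SESSION['current_url'])) {
            // Return to the page that was requested before the login redirect.
            $curl = $_SESSION['current_url'];
            unset($_SESSION['current_url']);
            doAction("redirect", $curl);
        } else {
            doAction("home");
        }
        $forward = false;
    } else {
        addError("login.account.invalid");
        $forwardpage = "views/index.php";
    }
} else {
    // current_url is produced server-side by currentURL(), not taken from the request.
    $_SESSION['current_url'] = currentURL();
    $forwardpage = "views/index.php";
}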
Example #15
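 /**
  * Delete one jurnal record together with its stored files, then re-render the
  * index with a status message and the remaining records.
  *
  * @param array $post  request payload; $post['params'] is the id of the record to delete
  */
 function delete($post)
 {
     $jurnal = $this->loadmodel('JurnalModel');
     // The id comes straight from the request; Find()/Delete() are relied on to
     // scope their statements to this id (no ownership check is visible here).
     $jurnal->id_jurnal = $post['params'];
     $jurnal->Find();
     $filepath = $jurnal->variables['filepath'];
     $filetext = $jurnal->variables['filetext'];
     if ($jurnal->Delete()) {
         // NOTE(review): both paths are read from the stored record, not from the
         // request; confirm they are constrained when written so unlink() cannot
         // reach outside FILE_PATH / FILE_DIR. unlink() results are deliberately
         // not inspected (best effort, as before).
         if (!empty($filepath) && file_exists(FILE_PATH . $filepath)) {
             unlink(FILE_PATH . $filepath);
         }
         if (!empty($filetext) && file_exists(FILE_DIR . 'xml' . DS . $filetext)) {
             unlink(FILE_DIR . 'xml' . DS . $filetext);
         }
         $data['msg'] = addSuccess(lang('1 jurnal has been deleted.'));
     } else {
         $data['msg'] = addError(lang('Unsuccess delete this jurnal.'));
     }
     $data['title'] = lang('Management jurnal');
     $data['header'] = lang('Management jurnal');
     $data['layout'] = 'adminhtml';
     // Load the remaining records before handing $data over: previously these two
     // lines ran after index(), so the list never reached $this->data.
     $jurnal->All();
     $data['jurnal'] = $jurnal->variables;
     $this->data = $data;
     $this->index();
 }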
Example #16
 function parse()
 {
     // scan all tokens
     for ($i = 0, $tokencount = count($this->tokens); $i < $tokencount; $i++, $this->tif++) {
         if (is_array($this->tokens[$i])) {
             $token_name = $this->tokens[$i][0];
             $token_value = $this->tokens[$i][1];
             $line_nr = $this->tokens[$i][2];
             // add preloader info for big files
             if ($line_nr % PRELOAD_SHOW_LINE == 0) {
                 echo $GLOBALS['fit'] . '|' . $GLOBALS['file_amount'] . '|' . $this->file_pointer . ' (line ' . $line_nr . ')|' . $GLOBALS['timeleft'] . '|' . "\n";
                 @ob_flush();
                 flush();
             }
             # debug
             #echo "file:".$file_name.",line:".$line_nr.",token:".token_name($token_name).",";
             #echo "value:".htmlentities($token_value).",";
             #echo "in_function:".$in_function.",in_class:".$in_class."<br>";
             /*************************
             					T_VARIABLE			
             			*************************/
             if ($token_name === T_VARIABLE) {
                 // $var()
                 if ($this->tokens[$i + 1][0] === '(') {
                     $this->variable_scan($i, 0, 'eval', 'Userinput is used as dynamic function name. Arbitrary functions may be called.');
                 } else {
                     if (($this->tokens[$i - 1] === '$' || $this->tokens[$i - 1] === '{' && $this->tokens[$i - 2] === '$') && ($this->tokens[$i + 1] === '=' || in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT))) {
                         $this->variable_scan($i, $this->tokens[$i - 1] === '{' ? 2 : 1, 'extract', 'Userinput is used to build the variable name. Arbitrary variables may be overwritten/initialized which may lead to further vulnerabilities.');
                     } else {
                         if ($this->tokens[$i - 1][0] === T_AS || $this->tokens[$i - 1][0] === T_DOUBLE_ARROW && $this->tokens[$i - 2][0] === T_VARIABLE && $this->tokens[$i - 3][0] === T_AS) {
                             $c = 3;
                             while ($this->tokens[$i - $c][0] !== T_FOREACH) {
                                 $c++;
                                 if ($i - $c < 0 || $this->tokens[$i - $c] === ';') {
                                     addError('Could not find FOREACH token before AS token', array_slice($this->tokens, $i - 5, 10), $this->tokens[$i - 1][2], $this->file_pointer);
                                     break;
                                 }
                             }
                             $this->variable_add($token_value, array_slice($this->tokens, $i - $c, $c + Analyzer::getBraceEnd($this->tokens, $i)), '', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
                         } else {
                             if ($this->tokens[$i - 2][0] === T_FOR && ($this->tokens[$i + 1] === '=' || in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT))) {
                                 $c = 1;
                                 $newbraceopen = 1;
                                 $firstsemi = 0;
                                 // do not use getBraceEnd() here, because we dont want to stop at ';' in for(;;)
                                 while ($newbraceopen !== 0) {
                                     // watch function calls in function call
                                     if ($this->tokens[$i + $c] === '(') {
                                         $newbraceopen++;
                                     } else {
                                         if ($this->tokens[$i + $c] === ')') {
                                             $newbraceopen--;
                                         } else {
                                             if ($this->tokens[$i + $c] === ';' && $firstsemi < 1) {
                                                 $firstsemi = $c;
                                             }
                                         }
                                     }
                                     $c++;
                                     if (!isset($this->tokens[$i + $c])) {
                                         addError('Could not find closing parenthesis of for-statement.', array_slice($this->tokens, $i - 2, 10), $this->tokens[$i - 2][2], $this->file_pointer);
                                         break;
                                     }
                                 }
                                 // overwrite value of first var because it is looped
                                 // this is an assumption, other vars could be declared for($var1=1;$var2=2;...)
                                 $this->tokens[$i + 2][0] = T_ENCAPSED_AND_WHITESPACE;
                                 $this->tokens[$i + 2][1] = '*';
                                 $this->variable_add($token_value, array_slice($this->tokens, $i - 2, $c + 2), '', 1, 2 + $firstsemi, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
                             } else {
                                 if ($this->tokens[$i + 1] === '=' || in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT)) {
                                     $vardeclare = array();
                                     // $var = array(1,2,3,4);
                                     if ($this->tokens[$i + 2][0] === T_ARRAY && $this->tokens[$i + 3] === '(' && $this->tokens[$i + 4] !== ')') {
                                         $d = 4;
                                         $keyindex = 0;
                                         $newbraceopen = 1;
                                         $keytokens = array();
                                         $valuetokens = array();
                                         while (!($newbraceopen === 0 || $this->tokens[$i + $d] === ';') && $keyindex < MAX_ARRAY_ELEMENTS) {
                                             // count parameters
                                             if ($newbraceopen === 1 && ($this->tokens[$i + $d] === ',' || $this->tokens[$i + $d] === ')')) {
                                                 $newindexvar = $this->tokens[$i];
                                                 $newindexvar[3][] = empty($keytokens) ? $keyindex : $keytokens;
                                                 $this->variable_add($token_value, array_merge(array($newindexvar, $this->tokens[$i + 1]), $valuetokens), ' array() ', in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT) ? 0 : 1, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array(), empty($keytokens) ? $keyindex : $keytokens);
                                                 $keyindex++;
                                                 $keytokens = array();
                                                 $valuetokens = array();
                                             } else {
                                                 if ($this->tokens[$i + $d] === '(') {
                                                     $newbraceopen++;
                                                 } else {
                                                     if ($this->tokens[$i + $d] === ')') {
                                                         $newbraceopen--;
                                                     } else {
                                                         if ($this->tokens[$i + $d][0] === T_DOUBLE_ARROW) {
                                                             $keytokens = $valuetokens;
                                                             $valuetokens = array();
                                                         } else {
                                                             $valuetokens[] = $this->tokens[$i + $d];
                                                         }
                                                     }
                                                 }
                                             }
                                             $d++;
                                             if (!isset($this->tokens[$i + $d])) {
                                                 addError('Could not find closing parenthesis of array()-declaration.', array_slice($this->tokens, $i, 10), $this->tokens[$i + 2][2], $this->file_pointer);
                                                 break;
                                             }
                                         }
                                         $vardeclare['end'] = Analyzer::getBraceEnd($this->tokens, $i) + 1;
                                         // $var = anything;
                                     } else {
                                         $this->variable_add($token_value, array_slice($this->tokens, $i, $vardeclare['end'] = Analyzer::getBraceEnd($this->tokens, $i) + 1), '', in_array($this->tokens[$i + 1][0], Tokens::$T_ASSIGNMENT) ? 0 : 1, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
                                     }
                                     // save var and var declare scope for data leak scan
                                     $vardeclare['start'] = $i;
                                     $vardeclare['name'] = $token_value;
                                     $vardeclare['linenr'] = $line_nr;
                                     $vardeclare['end'] += $i - 1;
                                 }
                             }
                         }
                     }
                 }
                 // $class->var
                 //else if ($token_name === T_STRING && $tokens[$i-1][0] === T_OBJECT_OPERATOR && $tokens[$i-2][0] === T_VARIABLE)
                 // add user input variables to global finding list
                 if (in_array($token_value, Sources::$V_USERINPUT)) {
                     if (isset($this->tokens[$i][3])) {
                         if (!is_array($this->tokens[$i][3][0])) {
                             $GLOBALS['user_input'][$token_value . '[' . $this->tokens[$i][3][0] . ']'][$this->file_pointer][] = $line_nr;
                         } else {
                             $GLOBALS['user_input'][$token_value . '[' . Analyzer::get_tokens_value($this->file_pointer, $this->tokens[$i][3][0], $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i) . ']'][$this->file_pointer][] = $line_nr;
                         }
                     } else {
                         $GLOBALS['user_input'][$token_value][$this->file_pointer][] = $line_nr;
                     }
                     // count found userinput in function for graphs
                     if ($this->in_function) {
                         $GLOBALS['user_functions_offset'][$this->function_obj->name][5]++;
                     } else {
                         $GLOBALS['user_functions_offset']['__main__'][5]++;
                     }
                 }
             } else {
                 if (in_array($token_name, Tokens::$T_FUNCTIONS) || in_array($token_name, Tokens::$T_XSS) && ($_POST['vector'] == 'client' || $_POST['vector'] == 'xss' || $_POST['vector'] == 'all')) {
                     $class = '';
                     /*************************
                     					T_STRING			
                     			*************************/
                     if ($token_name === T_STRING && $this->tokens[$i + 1] === '(') {
                         // define("FOO", $_GET['asd']);
                         if ($token_value === 'define') {
                             $c = 1;
                             while ($this->tokens[$i + $c] !== ',') {
                                 $c++;
                                 if ($this->tokens[$i + $c] === ';' || !isset($this->tokens[$i + $c])) {
                                     addError('Second parameter of define() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer);
                                     break;
                                 }
                             }
                             $this->variable_add(str_replace(array('"', "'"), '', $this->tokens[$i + 2][1]), array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i) + 1), ' define() ', $c, 0, $line_nr, $i);
                         } else {
                             if ($token_value === 'ini_set') {
                                 $setting = str_replace(array("'", '"'), '', $this->tokens[$i + 2][1]);
                                 // ini_set('include_path', 'foo/bar')
                                 if ($setting === 'include_path') {
                                     $path = Analyzer::get_tokens_value($this->file_pointer, array_slice($this->tokens, $i + 4, Analyzer::getBraceEnd($this->tokens, $i + 4) + 1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i);
                                     $this->include_paths = array_unique(array_merge($this->include_paths, Analyzer::get_ini_paths($path)));
                                 }
                             } else {
                                 if ($token_value === 'set_include_path') {
                                     $path = Analyzer::get_tokens_value($this->file_pointer, array_slice($this->tokens, $i + 1, Analyzer::getBraceEnd($this->tokens, $i + 1) + 1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i);
                                     $this->include_paths = array_unique(array_merge($this->include_paths, Analyzer::get_ini_paths($path)));
                                 } else {
                                     if ($token_value === 'set_error_handler') {
                                         $token_value = str_replace(array('"', "'"), '', $this->tokens[$i + 2][1]);
                                     } else {
                                         if ($token_value === 'compact' && $this->tokens[$i - 2][0] === T_VARIABLE) {
                                             $f = 2;
                                             while ($this->tokens[$i + $f] !== ')') {
                                                 // for all array keys save new variable declarations
                                                 if ($this->tokens[$i + $f][0] === T_CONSTANT_ENCAPSED_STRING) {
                                                     $this->variable_add($this->tokens[$i - 2][1], array(array(T_VARIABLE, $this->tokens[$i - 2][1], $line_nr, array(str_replace(array('"', "'"), '', $this->tokens[$i + $f][1]))), '=', array(T_VARIABLE, '$' . str_replace(array('"', "'"), '', $this->tokens[$i + $f][1]), $line_nr), ';'), ' compact() ', 2, 0, $line_nr, $i, $tokens[$i - 2][3], str_replace(array('"', "'"), '', $this->tokens[$i + $f][1]));
                                                 }
                                                 $f++;
                                                 if ($this->tokens[$i + $f] === ';' || !isset($this->tokens[$i + $f])) {
                                                     addError('Closing parenthesis of compact() is missing.', array_slice($this->tokens, $i, $f), $this->tokens[$i][2], $this->file_pointer);
                                                     break;
                                                 }
                                             }
                                         } else {
                                             if ($token_value === 'preg_match' || $token_value === 'preg_match_all') {
                                                 $c = 2;
                                                 $parameter = 1;
                                                 $newbraceopen = 1;
                                                 while ($newbraceopen !== 0) {
                                                     if (is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE && $parameter == 3) {
                                                         // add variable declaration to beginning of varlist
                                                         // fake assignment parameter so it will not get traced
                                                         $this->variable_add($this->tokens[$i + $c][1], array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i + 2) + 3), ' preg_match() ', 0, $c - 1, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i + $c][3]) ? $this->tokens[$i + $c][3] : array());
                                                     } else {
                                                         if ($newbraceopen === 1 && $this->tokens[$i + $c] === ',') {
                                                             $parameter++;
                                                         } else {
                                                             if ($this->tokens[$i + $c] === '(') {
                                                                 $newbraceopen++;
                                                             } else {
                                                                 if ($this->tokens[$i + $c] === ')') {
                                                                     $newbraceopen--;
                                                                 } else {
                                                                     if ($this->tokens[$i + $c] === ';' || !isset($this->tokens[$i + $c])) {
                                                                         addError('Closing parenthesis of ' . $token_value . '() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer);
                                                                         break;
                                                                     }
                                                                 }
                                                             }
                                                         }
                                                     }
                                                     $c++;
                                                 }
                                             } else {
                                                 if ($token_value === 'import_request_variables') {
                                                     // add register_globals implementation
                                                     $this->variable_add('register_globals', array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i + 1) + 1), 'register_globals implementation', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
                                                 } else {
                                                     if ($token_value === 'parse_str') {
                                                         $c = 2;
                                                         $parameter = 1;
                                                         $newbraceopen = 1;
                                                         while ($newbraceopen !== 0) {
                                                             if (is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE && $parameter == 2) {
                                                                 // add variable declaration to beginning of varlist
                                                                 // fake assignment parameter so it will not get traced
                                                                 $this->variable_add($this->tokens[$i + $c][1], array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i + 2) + 3), ' parse_str() ', 0, $c - 1, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i + $c][3]) ? $this->tokens[$i + $c][3] : array());
                                                             } else {
                                                                 if ($newbraceopen === 1 && $this->tokens[$i + $c] === ',') {
                                                                     $parameter++;
                                                                 } else {
                                                                     if ($this->tokens[$i + $c] === '(') {
                                                                         $newbraceopen++;
                                                                     } else {
                                                                         if ($this->tokens[$i + $c] === ')') {
                                                                             $newbraceopen--;
                                                                         } else {
                                                                             if ($this->tokens[$i + $c] === ';' || !isset($this->tokens[$i + $c])) {
                                                                                 addError('Closing parenthesis of ' . $token_value . '() is missing.', array_slice($this->tokens, $i, $c), $this->tokens[$i][2], $this->file_pointer);
                                                                                 break;
                                                                             }
                                                                         }
                                                                     }
                                                                 }
                                                             }
                                                             $c++;
                                                         }
                                                     }
                                                 }
                                             }
                                         }
                                     }
                                 }
                             }
                         }
                         //add interesting function calls to info gathering
                         if (isset($this->info_functions[$token_value])) {
                             $GLOBALS['info'][] = $this->info_functions[$token_value];
                         } else {
                             if ($this->tokens[$i - 1][0] !== T_NEW && isset($this->vuln_classes[$token_value])) {
                                 $this->class_vars[$this->tokens[$i - 2][1]] = $token_value;
                             } else {
                                 // $classvar->bla()
                                 if ($this->tokens[$i - 1][0] === T_OBJECT_OPERATOR) {
                                     $classvar = $this->tokens[$i - 2][1];
                                     if ($classvar[0] !== '$') {
                                         $classvar = '$' . $classvar;
                                     }
                                     $class = $classvar === '$this' || $classvar === '$self' ? $this->class_name : $this->class_vars[$classvar];
                                 } else {
                                     if ($this->tokens[$i - 1][0] === T_DOUBLE_COLON) {
                                         $class = $this->tokens[$i - 2][1];
                                     }
                                 }
                                 // save function call for graph
                                 if (isset($GLOBALS['user_functions_offset'][($class ? $class . '::' : '') . $token_value])) {
                                     $GLOBALS['user_functions_offset'][($class ? $class . '::' : '') . $token_value][3][] = array($this->file_pointer, $line_nr);
                                     if ($this->in_function) {
                                         $GLOBALS['user_functions_offset'][$this->function_obj->name][4][] = $token_value;
                                     } else {
                                         $GLOBALS['user_functions_offset']['__main__'][4][] = $token_value;
                                     }
                                 }
                                 // check if token is function call that affects variable scope (global)
                                 if (isset($this->globals_from_function[$token_value])) {
                                     // put all previously saved global var assignments to global scope
                                     foreach ($this->globals_from_function[$token_value] as $var_name => $new_vars) {
                                         foreach ($new_vars as $new_var) {
                                             $new_var->comment = $new_var->comment . " by {$token_value}()";
                                             if (!isset($this->var_declares_global[$var_name])) {
                                                 $this->var_declares_global[$var_name] = array($new_var);
                                             } else {
                                                 array_unshift($this->var_declares_global[$var_name], $new_var);
                                             }
                                         }
                                     }
                                 }
                             }
                         }
                     } else {
                         if (in_array($token_name, Tokens::$T_INCLUDES) && !$this->in_function) {
                             $GLOBALS['count_inc']++;
                             // include('xxx')
                             if ($this->tokens[$i + 1] === '(' && $this->tokens[$i + 2][0] === T_CONSTANT_ENCAPSED_STRING && $this->tokens[$i + 3] === ')' || is_array($this->tokens[$i + 1]) && $this->tokens[$i + 1][0] === T_CONSTANT_ENCAPSED_STRING && $this->tokens[$i + 2] === ';') {
                                 // include('file')
                                 if ($this->tokens[$i + 1] === '(') {
                                     $inc_file = substr($this->tokens[$i + 2][1], 1, -1);
                                     $skip = 5;
                                 } else {
                                     $inc_file = substr($this->tokens[$i + 1][1], 1, -1);
                                     $skip = 3;
                                 }
                             } else {
                                 $inc_file = Analyzer::get_tokens_value($this->file_pointer, array_slice($this->tokens, $i + 1, $c = Analyzer::getBraceEnd($this->tokens, $i + 1) + 1), $this->in_function ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i);
                                 // in case the get_var_value added several php files, take the first
                                 $several = explode('.php', $inc_file);
                                 if (count($several) > 1) {
                                     $try_file = $several[0] . '.php';
                                 }
                                 $skip = $c + 1;
                                 // important to save $c+1 here
                             }
                             $try_file = $inc_file;
                             // try absolute include path
                             foreach ($this->include_paths as $include_path) {
                                 if (is_file("{$include_path}/{$try_file}")) {
                                     $try_file = "{$include_path}/{$try_file}";
                                     break;
                                 }
                             }
                             // if dirname(__FILE__) appeared it was an absolute path
                             if (!is_file($try_file)) {
                                 // check relativ path
                                 $try_file = dirname($this->file_name) . '/' . $inc_file;
                                 if (!is_file($try_file)) {
                                     $other_try_file = dirname($this->file_pointer) . '/' . $inc_file;
                                     // if file can not be found check include_path if set
                                     if (!is_file($other_try_file)) {
                                         if (isset($this->include_paths[0])) {
                                             foreach ($this->include_paths as $include_path) {
                                                 if (is_file(dirname($this->file_name) . '/' . $include_path . '/' . $inc_file)) {
                                                     $try_file = dirname($this->file_name) . '/' . $include_path . '/' . $inc_file;
                                                     break;
                                                 } else {
                                                     if (is_file(dirname($this->file_pointer) . '/' . $include_path . '/' . $inc_file)) {
                                                         $try_file = dirname($this->file_pointer) . '/' . $include_path . '/' . $inc_file;
                                                         break;
                                                     }
                                                 }
                                             }
                                         }
                                         // if still not a valid file, look a directory above
                                         if (!is_file($try_file)) {
                                             $try_file = str_replace('\\', '/', $try_file);
                                             $pos = strlen($try_file);
                                             // replace each found / with /../, start from the end of file name
                                             for ($c = 1; $c < substr_count($try_file, '/'); $c++) {
                                                 $pos = strripos(substr($try_file, 1, $pos), '/');
                                                 if (is_file(substr_replace($try_file, '/../', $pos + 1, 1))) {
                                                     $try_file = substr_replace($try_file, '/../', $pos + 1, 1);
                                                     break;
                                                 }
                                             }
                                             if (!is_file($try_file)) {
                                                 $try_file = str_replace('\\', '/', $other_try_file);
                                                 $pos = strlen($try_file);
                                                 // replace each found / with /../, start from the end of file name
                                                 for ($c = 1; $c < substr_count($try_file, '/'); $c++) {
                                                     $pos = strripos(substr($try_file, 1, $pos), '/');
                                                     if (is_file(substr_replace($try_file, '/../', $pos + 1, 1))) {
                                                         $try_file = substr_replace($try_file, '/../', $pos + 1, 1);
                                                         break;
                                                     }
                                                 }
                                                 // if still not a valid file, guess it
                                                 if (!is_file($try_file)) {
                                                     $searchfile = basename($try_file);
                                                     if (!strstr($searchfile, '$_USERINPUT')) {
                                                         foreach ($GLOBALS['files'] as $cfile) {
                                                             if (basename($cfile) == $searchfile) {
                                                                 $try_file = $cfile;
                                                                 break;
                                                             }
                                                         }
                                                     }
                                                 }
                                             }
                                         }
                                     } else {
                                         $try_file = $other_try_file;
                                     }
                                 }
                             }
                             $try_file_unreal = $try_file;
                             $try_file = realpath($try_file);
                             // file is valid
                             if (!empty($try_file_unreal) && !empty($try_file) && ($inc_lines = @file($try_file_unreal))) {
                                 // file name has not been included
                                 if (!in_array($try_file, $this->inc_map)) {
                                     // Tokens
                                     $tokenizer = new Tokenizer($try_file);
                                     $inc_tokens = $tokenizer->tokenize(implode('', $inc_lines));
                                     unset($tokenizer);
                                     // if(include('file')) { - include tokens after { and not into the condition :S
                                     if ($this->in_condition) {
                                         $this->tokens = array_merge(array_slice($this->tokens, 0, $this->in_condition + 1), $inc_tokens, array(array(T_INCLUDE_END, 0, 1)), array_slice($this->tokens, $this->in_condition + 1));
                                     } else {
                                         // insert included tokens in current tokenlist and mark end
                                         $this->tokens = array_merge(array_slice($this->tokens, 0, $i + $skip), $inc_tokens, array(array(T_INCLUDE_END, 0, 1)), array_slice($this->tokens, $i + $skip));
                                     }
                                     $tokencount = count($this->tokens);
                                     // set lines pointer to included lines, save last pointer
                                     // (the following tokens will be the included ones)
                                     $this->lines_stack[] = $inc_lines;
                                     $this->lines_pointer = end($this->lines_stack);
                                     // tokennr in file
                                     $this->tif_stack[] = $this->tif;
                                     $this->tif = -$skip;
                                     // set the current file pointer
                                     $this->file_pointer = $try_file;
                                     if (!isset($GLOBALS['file_sinks_count'][$this->file_pointer])) {
                                         $GLOBALS['file_sinks_count'][$this->file_pointer] = 0;
                                     }
                                     echo $GLOBALS['fit'] . '|' . $GLOBALS['file_amount'] . '|' . $this->file_pointer . '|' . $GLOBALS['timeleft'] . '|' . "\n";
                                     @ob_flush();
                                     flush();
                                     $this->comment = basename($inc_file);
                                     $this->inc_file_stack[] = $try_file;
                                     // build include map for file list
                                     $this->inc_map[] = $try_file;
                                     // all basic includes
                                 }
                             } else {
                                 $GLOBALS['count_inc_fail']++;
                                 // add information about include error in debug mode
                                 if ($GLOBALS['verbosity'] == 5) {
                                     // add include command to output
                                     $found_value = highlightline(array_slice($this->tokens, $i, $skip), $this->comment, $line_nr, $token_value);
                                     $new_find = new InfoTreeNode($found_value);
                                     $new_find->lines[] = $line_nr;
                                     $new_find->filename = $this->file_pointer;
                                     $new_find->title = "Include error: tried to include: " . $try_file_unreal;
                                     if (isset($GLOBALS['output'][$this->file_name]['inc'])) {
                                         $GLOBALS['output'][$this->file_name]['inc']->treenodes[] = $new_find;
                                     } else {
                                         $new_block = new VulnBlock($this->tif . '_' . $this->tokens[$i][2] . '_' . basename($this->file_pointer), 'Debug');
                                         $new_block->treenodes[] = $new_find;
                                         $new_block->vuln = true;
                                         $GLOBALS['output'][$this->file_name]['inc'] = $new_block;
                                     }
                                 }
                             }
                         }
                     }
                     /*************************
                     				TAINT ANALYSIS			
                     			*************************/
                     if (isset($this->scan_functions[$token_value]) && $GLOBALS['verbosity'] != 5 && (empty($class) || ($this->in_function && is_array($function_obj->parameters) && in_array($classvar, $function_obj->parameters) || @in_array($token_value, $this->vuln_classes[$class])))) {
                         if (!$this->already_scanned($i)) {
                             // build new find
                             $new_find = new VulnTreeNode();
                             $new_find->name = $token_value;
                             $new_find->lines[] = $line_nr;
                             // add dependencies (already here, because checked during var trace
                             foreach ($this->dependencies as $deplinenr => $dependency) {
                                 if (!empty($dependency)) {
                                     $new_find->dependencies[$deplinenr] = $dependency;
                                 }
                             }
                             // count sinks
                             $GLOBALS['file_sinks_count'][$this->file_pointer]++;
                             if ($this->in_function) {
                                 $GLOBALS['user_functions_offset'][$this->function_obj->name][6]++;
                             } else {
                                 $GLOBALS['user_functions_offset']['__main__'][6]++;
                             }
                             $parameter = 1;
                             $var_counter = 0;
                             $vulnparams = array(0);
                             $has_vuln_parameters = false;
                             $parameter_has_userinput = false;
                             $parameter_func_depend = false;
                             $secured_by_start = false;
                             // function calls without quotes (require $inc;) --> no brace count
                             $parentheses_open = $this->tokens[$i + 1] === '(' ? 1 : -2;
                             // -2: detection of braces doesnt matter
                             $parentheses_save = -1;
                             $in_securing = false;
                             $ignore_securing = false;
                             $c = $this->tokens[$i + 1] === '(' ? 2 : 1;
                             // important
                             $tainted_vars = array();
                             $reconstructstr = '';
                             $addtitle = '';
                             $this->securedby = array();
                             // get all variables in parameter list between (...)
                             // not only until ';' because: system(get($a),$b,strstr($c));
                             while ($parentheses_open !== 0 && $this->tokens[$i + $c] !== ';') {
                                 $this_one_is_secure = false;
                                 if (is_array($this->tokens[$i + $c])) {
                                     // scan variables and constants
                                     if ($this->tokens[$i + $c][0] === T_VARIABLE && $this->tokens[$i + $c + 1][0] !== T_OBJECT_OPERATOR || $this->tokens[$i + $c][0] === T_STRING && $this->tokens[$i + $c + 1] !== '(') {
                                         $var_counter++;
                                         // scan only potential vulnerable parameters of function call
                                         if (in_array($parameter, $this->scan_functions[$token_value][0]) || isset($this->scan_functions[$token_value][0][0]) && $this->scan_functions[$token_value][0][0] === 0) {
                                             $has_vuln_parameters = true;
                                             if (is_array($this->tokens[$i + $c - 1]) && in_array($this->tokens[$i + $c - 1][0], Tokens::$T_CASTS) || is_array($this->tokens[$i + $c + 1]) && in_array($this->tokens[$i + $c + 1][0], Tokens::$T_ARITHMETIC) || $in_securing) {
                                                 $secured_by_start = true;
                                                 $this_one_is_secure = true;
                                             }
                                             if ($in_securing && !$ignore_securing) {
                                                 $this->securedby[] = $securing_function;
                                             }
                                             // trace back parameters and look for userinput, trace constants globally
                                             $userinput = $this->scan_parameter($new_find, $new_find, $this->tokens[$i + $c], $this->tokens[$i + $c][3], $i + $c, $this->in_function && $this->tokens[$i + $c][1][0] === '$' ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, false, $this->scan_functions[$token_value][1], false, $ignore_securing, $this_one_is_secure || $in_securing);
                                             $reconstructstr .= Analyzer::get_var_value($this->file_pointer, $this->tokens[$i + $c], $this->in_function && $this->tokens[$i + $c][1][0] === '$' ? $this->var_declares_local : $this->var_declares_global, $this->var_declares_global, $i + $c, $this->source_functions);
                                             if ($userinput) {
                                                 $vulnparams[] = $parameter;
                                                 if ($userinput == 1) {
                                                     $parameter_has_userinput = true;
                                                 } else {
                                                     if ($userinput == 2) {
                                                         $parameter_func_depend = true;
                                                     }
                                                 }
                                                 $tainted_vars[] = $var_counter;
                                             }
                                         }
                                         // mark userinput for quote analysis
                                         if (in_array($this->tokens[$i + $c][1], Sources::$V_USERINPUT)) {
                                             $reconstructstr .= '$_USERINPUT';
                                         }
                                     } else {
                                         if ($this->tokens[$i + $c][0] === T_STRING && in_array($this->tokens[$i + $c][1], $this->source_functions) && (in_array($parameter, $this->scan_functions[$token_value][0]) || isset($this->scan_functions[$token_value][0][0]) && $this->scan_functions[$token_value][0][0] === 0)) {
                                             $has_vuln_parameters = true;
                                             $parameter_has_userinput = true;
                                             $new_find->marker = 1;
                                             $reconstructstr .= '$_USERINPUT';
                                             $new_find->title = 'Userinput returned by function <i>' . $this->tokens[$i + $c][1] . '</i> reaches sensitive sink';
                                             $this->addtriggerfunction($new_find);
                                         } else {
                                             if ($this->tokens[$i + $c][0] === T_STRING && isset($this->tokens[$i + $c][1]) && in_array($this->tokens[$i + $c][1], $GLOBALS['F_INSECURING_STRING']) && $parentheses_save == -1) {
                                                 $parentheses_save = $parentheses_open;
                                                 $ignore_securing = true;
                                             } else {
                                                 if (!$ignore_securing && ($this->tokens[$i + $c][0] === T_STRING && (is_array($this->scan_functions[$token_value][1]) && in_array($this->tokens[$i + $c][1], $this->scan_functions[$token_value][1]) || in_array($this->tokens[$i + $c][1], $GLOBALS['F_SECURING_STRING']))) || in_array($this->tokens[$i + $c][0], Tokens::$T_CASTS) && $this->tokens[$i + $c + 1] === '(') {
                                                     $securing_function = $this->tokens[$i + $c][1];
                                                     $parentheses_save = $parentheses_open;
                                                     $in_securing = true;
                                                     $secured_by_start = true;
                                                 } else {
                                                     if ($this->tokens[$i + $c][0] === T_CONSTANT_ENCAPSED_STRING) {
                                                         $reconstructstr .= substr($this->tokens[$i + $c][1], 1, -1);
                                                     } else {
                                                         if ($this->tokens[$i + $c][0] === T_ENCAPSED_AND_WHITESPACE) {
                                                             $reconstructstr .= $this->tokens[$i + $c][1];
                                                         }
                                                     }
                                                 }
                                             }
                                         }
                                     }
                                 } else {
                                     if ($parentheses_open === 1 && $this->tokens[$i + $c] === ',') {
                                         $parameter++;
                                     } else {
                                         if ($this->tokens[$i + $c] === '(') {
                                             $parentheses_open++;
                                         } else {
                                             if ($this->tokens[$i + $c] === ')') {
                                                 $parentheses_open--;
                                                 if ($parentheses_open === $parentheses_save) {
                                                     $parentheses_save = -1;
                                                     $in_securing = false;
                                                     $securing_function = '';
                                                     $ignore_securing = false;
                                                 }
                                             } else {
                                                 if (!isset($this->tokens[$i + $c])) {
                                                     addError('Closing parenthesis of ' . $token_value . '() is missing.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
                                                     break;
                                                 }
                                             }
                                         }
                                     }
                                 }
                                 $c++;
                             }
                             // quote analysis for securing functions F_QUOTE_ANALYSIS
                             // they only protect when return value is embedded into quotes
                             if ($this->quote_analysis_needed() && substr_count($reconstructstr, '$_USERINPUT') > 0) {
                                 // idea: explode on $_USERINPUT and count quotes in SQL query before
                                 // if not even, then the $_USERINPUT is in an open quote
                                 $parts = explode('$_USERINPUT', $reconstructstr);
                                 foreach ($this->securedby as $var => $securefunction) {
                                     if (in_array($securefunction, $GLOBALS['F_QUOTE_ANALYSIS'])) {
                                         // extract the string before the userinput
                                         $checkstring = '';
                                         $d = 1;
                                         foreach ($parts as $part) {
                                             $checkstring .= $part;
                                             if ($d >= $var) {
                                                 break;
                                             }
                                             $d++;
                                         }
                                         // even amount of quotes (or none) in string
                                         // --> no quotes around userinput
                                         // --> securing function is	useless
                                         if (substr_count($checkstring, "'") % 2 === 0 && substr_count($checkstring, '"') % 2 === 0) {
                                             $has_vuln_parameters = true;
                                             $parameter_has_userinput = true;
                                             $new_find->title .= "Userinput reaches sensitive sink due to insecure usage of {$securefunction}() without quotes";
                                         }
                                     }
                                 }
                             }
                             // add find to output if function call has variable parameters (With userinput)
                             if ($has_vuln_parameters && ($parameter_has_userinput || $parameter_func_depend) || $GLOBALS['verbosity'] == 4 || isset($this->scan_functions[$token_value][3])) {
                                 $vulnstart = $i;
                                 $vulnadd = 1;
                                 // prepend $var assignment
                                 if (isset($vardeclare)) {
                                     $vulnstart = $vardeclare['start'];
                                     $vulnadd = $vardeclare['end'] - $vardeclare['start'] - $c + 1;
                                     //3;
                                 } else {
                                     if (isset($GLOBALS['F_XSS'][$this->tokens[$i - 1][1]])) {
                                         $vulnstart = $i - 1;
                                         $vulnadd = 2;
                                     } else {
                                         if ($this->tokens[$i - 1][0] === T_DOUBLE_COLON || $this->tokens[$i - 1][0] === T_OBJECT_OPERATOR) {
                                             $vulnstart = $i - 2;
                                             $vulnadd = 2;
                                         }
                                     }
                                 }
                                 if (isset($GLOBALS['user_functions'][$this->file_name][$token_value])) {
                                     $found_line = '<A NAME="' . $token_value . '_call" class="jumplink"></A>';
                                     $found_line .= highlightline(array_slice($this->tokens, $vulnstart, $c + $vulnadd), $this->comment, $line_nr, false, $token_value);
                                 } else {
                                     $found_line = highlightline(array_slice($this->tokens, $vulnstart, $c + $vulnadd), $this->comment, $line_nr, $token_value, false, $tainted_vars);
                                 }
                                 $new_find->value = $found_line;
                                 $new_find->filename = $this->file_pointer;
                                 if ($secured_by_start) {
                                     $new_find->marker = 2;
                                 }
                                 // only show vuln user defined functions
                                 // if call with userinput has been found
                                 if (isset($GLOBALS['user_functions'][$this->file_name][$token_value])) {
                                     $GLOBALS['user_functions'][$this->file_name][$token_value]['called'] = true;
                                 }
                                 if ($this->in_function) {
                                     $this->ignore_securing_function = true;
                                     // mark function in class as vuln
                                     if ($this->in_class) {
                                         $this->vuln_classes[$this->class_name][] = $this->function_obj->name;
                                     }
                                 }
                                 // putenv with userinput --> getenv is treated as userinput
                                 if ($token_value === 'putenv') {
                                     $this->source_functions[] = 'getenv';
                                     $GLOBALS['source_functions'][] = 'getenv';
                                     $new_find->title = 'User can set PHP enviroment variables. Adding getenv() to tainting functions';
                                 } else {
                                     if ($token_value === 'apache_setenv') {
                                         $this->source_functions[] = 'apache_getenv';
                                         $GLOBALS['source_functions'][] = 'apache_getenv';
                                         $new_find->title = 'User can set Apache enviroment variables. Adding apache_getenv() to tainting functions';
                                     } else {
                                         if ($token_value === 'extract' || $token_value === 'parse_str' || $token_value === 'mb_parse_str') {
                                             // add register_globals implementation
                                             $this->variable_add('register_globals', array_slice($this->tokens, $vulnstart, $c + $vulnadd), 'register_globals implementation', 0, 0, $line_nr, $i, isset($this->tokens[$i][3]) ? $this->tokens[$i][3] : array());
                                         }
                                     }
                                 }
                                 // add to output
                                 if (isset($GLOBALS['user_functions'][$this->file_name][$token_value])) {
                                     if (!empty($GLOBALS['output'][$this->file_name])) {
                                         foreach ($GLOBALS['output'][$this->file_name] as $block) {
                                             $calleesadded = array();
                                             foreach ($block->treenodes as $tree) {
                                                 if ($tree->funcdepend === $token_value && (array_intersect($tree->funcparamdepend, $vulnparams) || isset($this->scan_functions[$token_value][3]))) {
                                                     // if funcdependend already found and added, just add foundcallee=true and continue
                                                     // dont add tree again, it is already added to the vulnblock
                                                     if (in_array($tree->funcdepend, $calleesadded)) {
                                                         $tree->foundcallee = true;
                                                         continue;
                                                     }
                                                     if (isset($this->scan_functions[$token_value][3])) {
                                                         $new_find->title = 'Call triggers vulnerability in function <i>' . $token_value . '()</i>';
                                                     } else {
                                                         if (empty($new_find->title)) {
                                                             $new_find->title = 'Userinput is passed through function parameters.';
                                                         }
                                                     }
                                                     $block->treenodes[] = $new_find;
                                                     if (!$block->vuln && ($parameter_has_userinput || isset($this->scan_functions[$token_value][3]) || $GLOBALS['verbosity'] == 4)) {
                                                         $block->vuln = true;
                                                         increaseVulnCounter($block->sink);
                                                     }
                                                     $tree->foundcallee = true;
                                                     $calleesadded[] = $token_value;
                                                 }
                                             }
                                         }
                                         // else: dont use the result
                                     }
                                 } else {
                                     if (empty($new_find->title)) {
                                         $new_find->title = 'Userinput reaches sensitive sink. For more information, press the help icon on the left side.';
                                     }
                                     $block = new VulnBlock($this->tif . '_' . $this->tokens[$i][2] . '_' . basename($this->file_pointer), getVulnNodeTitle($token_value), $token_value);
                                     $block->treenodes[] = $new_find;
                                     if ($parameter_has_userinput || $GLOBALS['verbosity'] == 4) {
                                         $block->vuln = true;
                                         increaseVulnCounter($token_value);
                                     }
                                     // if sink in var declare, offer a data leak scan - save infos for that
                                     if (isset($vardeclare)) {
                                         $block->dataleakvar = array($vardeclare['linenr'], $vardeclare['name']);
                                     }
                                     $GLOBALS['output'][$this->file_name][] = $block;
                                 }
                             }
                             // if classvar depends on function parameter, add this parameter to list
                             if (isset($this->classvar) && $this->in_function && in_array($this->classvar, $this->function_obj->parameters)) {
                                 $param = array_search($this->classvar, $this->function_obj->parameters);
                                 $GLOBALS['user_functions'][$this->file_name][$this->function_obj->name][0][$param] = $param + 1;
                             }
                         }
                     }
                     // taint analysis
                 } else {
                     if (in_array($token_name, Tokens::$T_LOOP_CONTROL)) {
                         // ignore in requirements output: while, for, foreach
                         // DO..WHILE was rewritten to WHILE in tokenizer
                         $this->ignore_requirement = true;
                         $c = 1;
                         // get variables in loop condition
                         while ($this->tokens[$i + $c] !== '{') {
                             if ($this->tokens[$i + $c][0] === T_VARIABLE) {
                                 $this->tokens[$i + $c][3][] = '*';
                             } else {
                                 if (!isset($this->tokens[$i + $c])) {
                                     addError('Could not find opening brace after ' . $token_value . '-statement.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
                                     break;
                                 }
                             }
                             $c++;
                         }
                     } else {
                         if (in_array($token_name, Tokens::$T_FLOW_CONTROL)) {
                             $c = 1;
                             while ($this->tokens[$i + $c] !== '{') {
                                 $c++;
                                 if (!isset($this->tokens[$i + $c])) {
                                     addError('Could not find opening brace after ' . $token_value . '-statement.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
                                     break;
                                 }
                             }
                             $this->in_condition = $i + $c;
                             $this->dependencytokens = array_slice($this->tokens, $i, $c);
                         } else {
                             if ($token_name === T_FUNCTION) {
                                 if ($this->in_function) {
                                     #addError('New function declaration in function declaration of '.$this->function_obj->name.'() found. This is valid PHP syntax but not supported by RIPS now.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
                                 } else {
                                     $this->in_function++;
                                     // the next token is the "function name()"
                                     $i++;
                                     $function_name = isset($this->tokens[$i][1]) ? $this->tokens[$i][1] : $this->tokens[$i + 1][1];
                                     $ref_name = ($this->in_class ? $this->class_name . '::' : '') . $function_name;
                                     // add POP gadgets to info
                                     if (isset($this->info_functions[$function_name])) {
                                         $GLOBALS['info'][] = $ref_name;
                                         // add gadget to output
                                         $found_line = highlightline(array_slice($this->tokens, $i - 1, 4), $this->comment, $line_nr, $function_name, false, $function_name);
                                         $new_find = new InfoTreeNode($found_line);
                                         $new_find->title = "POP gadget {$ref_name}";
                                         $new_find->lines[] = $line_nr;
                                         $new_find->filename = $this->file_pointer;
                                         if (isset($GLOBALS['output'][$this->file_name]['gadgets'])) {
                                             $GLOBALS['output'][$this->file_name]['gadgets']->treenodes[] = $new_find;
                                         } else {
                                             $block = new VulnBlock($this->tif . '_' . $this->tokens[$i][2] . '_' . basename($this->file_pointer), 'POP gadgets');
                                             $block->vuln = true;
                                             $block->treenodes[] = $new_find;
                                             $GLOBALS['output'][$this->file_name]['gadgets'] = $block;
                                         }
                                     }
                                     $c = 3;
                                     while ($this->tokens[$i + $c] !== '{' && $this->tokens[$i + $c] !== ';') {
                                         $c++;
                                     }
                                     // abstract functions ended
                                     if ($this->tokens[$i + $c] === ';') {
                                         $this->in_function--;
                                     }
                                     // write to user_functions offset list for referencing in output
                                     $GLOBALS['user_functions_offset'][$ref_name][0] = $this->file_pointer;
                                     $GLOBALS['user_functions_offset'][$ref_name][1] = $line_nr - 1;
                                     // save function as object
                                     $this->function_obj = new FunctionDeclare($this->dependencytokens = array_slice($this->tokens, $i - 1, $c + 1));
                                     $this->function_obj->lines[] = $line_nr;
                                     $this->function_obj->name = $function_name;
                                     // save all function parameters
                                     $this->function_obj->parameters = array();
                                     $e = 1;
                                     // until function test(...) {
                                     //  OR
                                     // interface test { public function test(...); }
                                     while ($this->tokens[$i + $e] !== '{' && $this->tokens[$i + $e] !== ';') {
                                         if (is_array($this->tokens[$i + $e]) && $this->tokens[$i + $e][0] === T_VARIABLE) {
                                             $this->function_obj->parameters[] = $this->tokens[$i + $e][1];
                                         }
                                         $e++;
                                     }
                                     // now skip the params from rest of scan,
                                     // or function test($a=false, $b=false) will be detected as var declaration
                                     $i += $e - 1;
                                     // -1, because '{' must be evaluated again
                                 }
                             } else {
                                 if ($token_name === T_GLOBAL && $this->in_function) {
                                     $this->globals_from_function[$this->function_obj->name] = array();
                                     // get all globaled variables
                                     $b = 1;
                                     while ($this->tokens[$i + $b] !== ';') {
                                         if ($this->tokens[$i + $b][0] === T_VARIABLE) {
                                             // mark variable as global scope affecting
                                             $this->put_in_global_scope[] = $this->tokens[$i + $b][1];
                                             // add variable declaration to beginning of varlist
                                             $new_var = new VarDeclare(array(array(T_GLOBAL, 'global', $line_nr), array(T_VARIABLE, $this->tokens[$i + $b][1], $line_nr), ';'), $this->comment);
                                             $new_var->line = $line_nr;
                                             $new_var->id = $i;
                                             // overwrite old local vars
                                             $this->var_declares_local[$this->tokens[$i + $b][1]] = array($new_var);
                                         }
                                         $b++;
                                     }
                                 } else {
                                     if ($token_name === T_RETURN && $this->in_function == 1) {
                                         $GLOBALS['userfunction_taints'] = false;
                                         $GLOBALS['userfunction_secures'] = false;
                                         $c = 1;
                                         // get all variables in parameter list
                                         while ($this->tokens[$i + $c] !== ';') {
                                             if (is_array($this->tokens[$i + $c])) {
                                                 if ($this->tokens[$i + $c][0] === T_VARIABLE) {
                                                     // check if returned var is secured --> securing function
                                                     $new_find = new VulnTreeNode();
                                                     $userinput = $this->scan_parameter($new_find, $new_find, $this->tokens[$i + $c], $this->tokens[$i + $c][3], $i + $c, $this->var_declares_local, $this->var_declares_global, false, $GLOBALS['F_SECURES_ALL'], TRUE);
                                                     // add function to securing functions
                                                     // if it returns no userinput/function param
                                                     if ((!$userinput || $GLOBALS['userfunction_secures']) && !$this->ignore_securing_function) {
                                                         $GLOBALS['F_SECURING_STRING'][] = $this->function_obj->name;
                                                     }
                                                     // add function to userinput functions if userinput
                                                     // is fetched in the function and then returned (userinput == 1)
                                                     if ($userinput == 1 || $GLOBALS['userfunction_taints']) {
                                                         $this->source_functions[] = $this->function_obj->name;
                                                     }
                                                 } else {
                                                     if (in_array($this->tokens[$i + $c][1], $GLOBALS['F_SECURES_ALL']) || in_array($this->tokens[$i + $c][0], Tokens::$T_CASTS)) {
                                                         $GLOBALS['F_SECURING_STRING'][] = $this->function_obj->name;
                                                         break;
                                                     }
                                                 }
                                             }
                                             $c++;
                                         }
                                     } else {
                                         if ($token_name === T_CLASS) {
                                             $i++;
                                             $this->class_name = $this->tokens[$i][1];
                                             $this->vuln_classes[$this->class_name] = array();
                                             $this->in_class = true;
                                             $GLOBALS['info'][] = '<font color="red">Code is object-oriented. This is not supported yet and can lead to false negatives.</font>';
                                         } else {
                                             if ($token_name === T_NEW && $this->tokens[$i - 2][0] === T_VARIABLE) {
                                                 $this->class_vars[$this->tokens[$i - 2][1]] = $this->tokens[$i + 1][1];
                                             } else {
                                                 if ($token_name === T_EXTENDS && $this->in_class) {
                                                     $this->vuln_classes[$this->class_name] = $this->vuln_classes[$this->tokens[$i + 1][1]];
                                                 } else {
                                                     if ($token_name === T_LIST) {
                                                         $d = 2;
                                                         while ($this->tokens[$i + $d] !== ')' && $this->tokens[$i + $d] !== ';') {
                                                             $d++;
                                                             if ($this->tokens[$i + $d] === ';' || !isset($this->tokens[$i + $d])) {
                                                                 addError('Closing parenthesis of list() is missing.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->file_pointer);
                                                                 break;
                                                             }
                                                         }
                                                         $tokenscanstart = 0;
                                                         if ($this->tokens[$i + $d + 1] === '=' || in_array($this->tokens[$i + $d + 1][0], Tokens::$T_ASSIGNMENT)) {
                                                             $tokenscanstart = $d + 1;
                                                         }
                                                         $c = 2;
                                                         for ($c = 2; $c < $d; $c++) {
                                                             if (is_array($this->tokens[$i + $c]) && $this->tokens[$i + $c][0] === T_VARIABLE) {
                                                                 $this->variable_add($this->tokens[$i + $c][1], array_slice($this->tokens, $i, Analyzer::getBraceEnd($this->tokens, $i) + 1), ' list() ', $tokenscanstart, 0, $this->tokens[$i + $c][2], $i, isset($this->tokens[$i + $c][3]) ? $this->tokens[$i + $c][3] : array());
                                                             }
                                                         }
                                                         $i = $i + $c + 2;
                                                     } else {
                                                         if ($token_name === T_INCLUDE_END) {
                                                             array_pop($this->lines_stack);
                                                             $this->lines_pointer = end($this->lines_stack);
                                                             array_pop($this->inc_file_stack);
                                                             $this->file_pointer = end($this->inc_file_stack);
                                                             $this->comment = basename($this->file_pointer) == basename($this->file_name) ? '' : basename($this->file_pointer);
                                                             $this->tif = array_pop($this->tif_stack);
                                                         }
                                                     }
                                                 }
                                             }
                                         }
                                     }
                                 }
                             }
                         }
                     }
                 }
             }
         } else {
             /*************************
             					BRACES		
             			*************************/
             // keep track of { program blocks }
             // get current dependencies in program flow
             if ($this->tokens[$i] === '{' && ($this->tokens[$i - 1] === ')' || $this->tokens[$i - 1] === ':' || $this->tokens[$i - 1] === ';' || is_array($this->tokens[$i - 1]) && ($this->tokens[$i - 1][0] === T_DO || $this->tokens[$i - 1][0] === T_ELSE || $this->tokens[$i - 1][0] === T_STRING || $this->tokens[$i - 1][0] === T_TRY || $this->tokens[$i - 1][0] === T_CATCH))) {
                 // save brace amount at start of function
                 if ($this->in_function && $this->brace_save_func < 0) {
                     $this->brace_save_func = $this->braces_open;
                 }
                 // save brace amount at start of class
                 if ($this->in_class && $this->brace_save_class < 0) {
                     $this->brace_save_class = $this->braces_open;
                 }
                 $this->in_condition = 0;
                 if (empty($e)) {
                     if (!$this->ignore_requirement) {
                         if (!empty($this->dependencytokens) && $this->dependencytokens[0][0] === T_ELSE && $this->dependencytokens[1][0] !== T_IF) {
                             $this->dependencytokens = $this->last_dependency;
                             $this->dependencytokens[] = array(T_ELSE, 'else', $this->dependencytokens[0][2]);
                         }
                     } else {
                         $this->ignore_requirement = false;
                     }
                     // add dependency (even push empty dependency on stack, it will get poped again)
                     $this->dependencies[$line_nr] = $this->dependencytokens;
                     $this->dependencytokens = array();
                 } else {
                     unset($e);
                 }
                 $this->braces_open++;
             } else {
                 if ($this->tokens[$i] === '}' && ($this->tokens[$i - 1] === ';' || $this->tokens[$i - 1] === '}' || $this->tokens[$i - 1] === '{')) {
                     $this->braces_open--;
                     // delete current dependency
                     $this->last_dependency = array_pop($this->dependencies);
                     $this->dependencytokens = array();
                     // end of function found if brace amount = amount before function start
                     if ($this->in_function && $this->brace_save_func === $this->braces_open) {
                         $ref_name = ($this->in_class ? $this->class_name . '::' : '') . $this->function_obj->name;
                         // write ending to user_function list for referencing functions in output
                         $GLOBALS['user_functions_offset'][$ref_name][2] = $line_nr;
                         // reset vars for next function declaration
                         $this->brace_save_func = -1;
                         $this->ignore_securing_function = false;
                         $this->in_function--;
                         $this->function_obj = null;
                         $this->var_declares_local = array();
                         $this->put_in_global_scope = array();
                         // load new found vulnerable user functions to current scanlist
                         if (isset($GLOBALS['user_functions'][$this->file_name])) {
                             $this->scan_functions = array_merge($this->scan_functions, $GLOBALS['user_functions'][$this->file_name]);
                         }
                     }
                     // end of class found
                     if ($this->in_class && $this->brace_save_class === $this->braces_open) {
                         $this->brace_save_class = -1;
                         $this->in_class = false;
                     }
                 }
             }
         }
         // token scanned
         // detect if still in a vardeclare, otherwise delete saved infos
         if (isset($vardeclare) && $vardeclare['end'] === $i) {
             unset($vardeclare);
         }
     }
     // all tokens scanned.
     return $this->inc_map;
 }
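 /**
  * Deletes a jingle file from this object's metadata directory.
  *
  * @param string $file  File name of the jingle; must start with "jingle"
  * @param string $index Jingle index, only used in the error message
  * @return bool true if the file was removed, false otherwise
  */
 function deleteJingle($file, $index = '')
 {
     // Only names starting with "jingle" may be removed. Whether raiseError()
     // halts execution is not visible here, so return explicitly as well: a
     // rejected name must never reach unlink().
     if (!preg_match("/^jingle/", $file)) {
         raiseError("Invalid filename");
         return false;
     }
     // NOTE(review): resolving $file inside the metadata dir is delegated to
     // getFileInDir(); confirm it rejects path separators and ".." segments.
     $file = sotf_Utils::getFileInDir($this->getMetaDir(), $file);
     debug("delete file", $file);
     if (!unlink($file)) {
         addError("Could not delete jingle {$index}!");
         return false;
     }
     // TODO: delete from SQL???
     return true;
 }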
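 /**
  * Dumps this object's metadata as XML into <metadir>/metadump.xml, then
  * writes the XBMF metadata.xml (when the directory is writable) and calls
  * update() so the record's modify_date changes.
  *
  * The dump contains the 'data' fields plus roles, permissions, links,
  * rights and topics, wrapped in a root element named after the class
  * (without the "sotf_" prefix).
  *
  * @return bool false if the metadata directory does not exist; true otherwise.
  *              A failed dump is only logged, it does not fail the call.
  */
 function saveMetadataFile()
 {
     global $permissions;
     $metaDir = $this->getMetaDir();
     if (!is_dir($metaDir)) {
         addError("Programme dir not found", $metaDir);
         return false;
     }
     // root element: class name without the "sotf_" prefix
     $name = str_replace("sotf_", "", get_class($this));
     // NOTE(review): field values are handed to writeXML() unescaped here;
     // assumes writeXML() does the XML escaping itself - confirm.
     $xml = "<{$name}>";
     $xml .= sotf_Utils::writeXML('data', $this->data, 1);
     $xml .= sotf_Utils::writeXML('role', $this->getRoles(), 1);
     // relies on the global $permissions service being initialised
     $xml .= sotf_Utils::writeXML('permission', $permissions->listUsersAndPermissions($this->id), 1);
     $xml .= sotf_Utils::writeXML('link', $this->getAssociatedObjects('sotf_links', 'caption'), 1);
     $xml .= sotf_Utils::writeXML('right', $this->getAssociatedObjects('sotf_rights', 'start_time'), 1);
     $xml .= sotf_Utils::writeXML('topic', $this->getTopics(), 1);
     $xml .= "\n</{$name}>\n";
     // TODO: save more data from other tables as well !!!!!
     $file = $metaDir . '/metadump.xml';
     debug("dumping metadata xml in", $file);
     // file_put_contents() replaces the unchecked fopen()/fwrite() pair: a
     // failed or short write is now reported instead of silently leaving a
     // truncated dump behind; LOCK_EX serialises concurrent writers.
     if (file_put_contents($file, $xml, LOCK_EX) !== strlen($xml)) {
         logError("Could not dump metadata into {$file}");
         // TODO: in this case the prg has been deleted in the meantime??
     }
     // save XBMF
     if (is_writable($metaDir)) {
         $meta = new sotf_Metadata($this);
         $file = $metaDir . '/metadata.xml';
         sotf_Utils::save($file, $meta->getXBMFMetadata());
     }
     // to change modify_date
     $this->update();
     return true;
 }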
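 /**
  * Creates the db record for this object with all fields from 'data'.
  *
  * Every key of $this->data becomes a column; NULL values are written as SQL
  * NULL, fields listed in $this->binaryFields are escaped with addslashes(),
  * everything else with sotf_Utils::magicQuotes(). If the object already has
  * an id that is not part of 'data', the id column is appended.
  *
  * @return bool true on success; false on a DB error (details in $this->error)
  */
 function create()
 {
     global $db;
     // both lists must exist even for an empty 'data' array, otherwise the
     // in_array()/implode() calls below work on undefined variables
     $keys = array();
     $values = array();
     // foreach replaces the old list()/each() loop: each() was removed in PHP 8
     foreach ($this->data as $key => $val) {
         $keys[] = $key;
         if ($val === NULL) {
             $values[] = "NULL";
         } elseif (in_array($key, $this->binaryFields)) {
             $values[] = "'" . addslashes($val) . "'";
         } else {
             $values[] = "'" . sotf_Utils::magicQuotes($val) . "'";
         }
     }
     // truthiness check on purpose: '' == 0 in PHP, so an empty id is skipped
     if ($this->id) {
         if (!$keys || !in_array($this->idKey, $keys)) {
             $keys[] = $this->idKey;
             $values[] = "'" . sotf_Utils::magicQuotes($this->id) . "'";
         }
     }
     // NOTE(review): the statement is assembled by string concatenation.
     // Column names are the keys of $this->data and are interpolated unquoted,
     // so 'data' keys must never be taken from request input; the values rely
     // on addslashes()/magicQuotes() instead of driver-aware quoting or
     // placeholders - confirm $db offers neither before keeping it this way.
     $sql = "INSERT INTO " . $this->tablename . "(" . implode(",", $keys) . ") VALUES(" . implode(",", $values) . ")";
     $res = $db->query($sql);
     // on a failed query: report, remember the error and stop
     if (DB::isError($res)) {
         addError($res);
         $this->error = $res->message . '(' . $res->code . ')';
         return false;
     }
     $this->exists = true;
     $this->changed = false;
     // mark if this change requires a refresh in the metadata.xml file
     $this->markParentToUpdate();
     return true;
 }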
}


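// Category deletion: refused while products still reference the category.
if (isset($_GET['action']) && $_GET['action'] == 'deletecategory') {
	// categories_id is compared unquoted in SQL, so it has to be an integer.
	// The cast is the only escaping applied to the request value before it is
	// concatenated into the query (dbQuery() is used without placeholders here).
	$categoryId = isset($_GET['id']) ? (int) $_GET['id'] : 0;

	if ($categoryId <= 0) {
		// missing or non-numeric id: nothing to delete
		addError("Invalid category id");
	} else {
		//check if category has products
		$results = dbQuery('SELECT * FROM store_products WHERE categories_id = ' . $categoryId);
		if (dbNumRows($results)) {
			addError("Whoops, your must delete the products within the category before you can delete it");
		} else {
			dbQuery('DELETE FROM store_categories WHERE categories_id = ' . $categoryId);
			addMessage("Deleted category successfully");
		}
	}

	redirect(PAGE_STORE."?section=categories");

}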

if($_POST['action'] == 'addspecial' || $_POST['action'] == 'editspecial') {
	/*
	Array ( [action] => addspecial [id] => [products_specials_title] => St. Patricks Day [products_specials_discount] => 20 [products_specials_discount_type] => percentage [
	products_specials_shipping] => 1 [products_specials_description] => gdfgdfgdf [products_calendar_date_start] => 05/28/2009 [products_calendar_date_end] => 31/12/1969 
	[button] => Add Special ) 
	*/
	$row['products_specials_title'] = $_POST['products_specials_title'];
	$row['products_specials_discount'] = $_POST['products_specials_discount'];
	$row['products_specials_discount_type'] = $_POST['products_specials_discount_type'];
// Page-level state for the sub-module being rendered; no heading by default.
$PAGE_SUBMODULE_HEADING = null;
// $lerror is set by earlier (not visible) code and decides below whether the
// page controller/view run or only the error is reported.
global $lerror;
// GET PAGE CONTENT: everything the controller and view print from here on is
// captured in an output buffer (the buffer is consumed further down).
// NOTE(review): the dispatcher that follows builds require paths from
// $_REQUEST['modsubpage'] guarded only by file_exists(), which does not reject
// ".." segments; the value should be validated (e.g. basename() or a fixed
// list of page names) before it is used - confirm against the full file.
ob_start();
if (!$lerror) {
    //CONTROLLER
    if (!$IS_CLIENTAREA && isset($_REQUEST['modsubpage']) && file_exists(ADDON_DIR . DS . 'pages' . DS . $PAGE . DS . $_REQUEST['modsubpage'] . '.php')) {
        require ADDON_DIR . DS . 'pages' . DS . $PAGE . DS . $_REQUEST['modsubpage'] . '.php';
    } elseif ($IS_CLIENTAREA && isset($_REQUEST['modsubpage']) && file_exists(ADDON_DIR . DS . 'pages_client' . DS . $PAGE . DS . $_REQUEST['modsubpage'] . '.php')) {
        require ADDON_DIR . DS . 'pages_client' . DS . $PAGE . DS . $_REQUEST['modsubpage'] . '.php';
    } elseif (!$IS_CLIENTAREA && file_exists(ADDON_DIR . DS . 'pages' . DS . $PAGE . DS . $PAGE . '.php')) {
        require ADDON_DIR . DS . 'pages' . DS . $PAGE . DS . $PAGE . '.php';
    } elseif ($IS_CLIENTAREA && file_exists(ADDON_DIR . DS . 'pages_client' . DS . $PAGE . DS . $PAGE . '.php')) {
        require ADDON_DIR . DS . 'pages_client' . DS . $PAGE . DS . $PAGE . '.php';
    } else {
        die('Page does not exists!');
    }
    //LOCATE VIEW FILE AND LOAD IT
    if (!$IS_CLIENTAREA && isset($_REQUEST['modsubpage']) && file_exists(ADDON_DIR . DS . 'views' . DS . $PAGE . DS . $_REQUEST['modsubpage'] . '.php')) {
        require ADDON_DIR . DS . 'views' . DS . $PAGE . DS . $_REQUEST['modsubpage'] . '.php';
    } elseif ($IS_CLIENTAREA && isset($_REQUEST['modsubpage']) && file_exists(ADDON_DIR . DS . 'pages_views' . DS . $PAGE . DS . $_REQUEST['modsubpage'] . '.php')) {
        require ADDON_DIR . DS . 'views_client' . DS . $PAGE . DS . $_REQUEST['modsubpage'] . '.php';
    } elseif (!$IS_CLIENTAREA && file_exists(ADDON_DIR . DS . 'views' . DS . $PAGE . DS . $PAGE . '.php')) {
        require ADDON_DIR . DS . 'views' . DS . $PAGE . DS . $PAGE . '.php';
    } elseif ($IS_CLIENTAREA && file_exists(ADDON_DIR . DS . 'views_client' . DS . $PAGE . DS . $PAGE . '.php')) {
        require ADDON_DIR . DS . 'views_client' . DS . $PAGE . DS . $PAGE . '.php';
    }
} else {
    addError($lerror);
}
$CONTENT = ob_get_clean();
Example #22
<?php

// The requested action may arrive via the query string or the form body; a
// POSTed value takes precedence over a GET one.
$action = "";
foreach (array($_GET, $_POST) as $source) {
    if (isset($source['action'])) {
        $action = $source['action'];
    }
}
try {
    if (initializeDB()) {
        doAction($action);
    }
} catch (Exception $e) {
    // A missing-table failure is treated as recoverable: the install script is
    // included (it is expected to set $forwardaction) and that action is run.
    // Any other failure is reported and the installer action is run instead.
    if ($e->getMessage() === "table.initialization.error") {
        $forwardaction = "";
        include 'installscript.php';
        doAction($forwardaction);
    } else {
        addError($e->getMessage());
        doAction("install");
    }
}
 /**
  * Builds an RSDF container for one data model: every link URL is encrypted with
  * the class-level RSDF key/IV (Rijndael-128, CFB, one continuous stream), each
  * ciphertext is base64-encoded onto its own CRLF-terminated line, and the whole
  * text is hex-encoded via base16Encode().
  *
  * NOTE(review): the first guard calls the global addError() while the second
  * calls $this->addError() - confirm which one is intended. The mcrypt extension
  * used here was removed from PHP core in 7.2.
  *
  * @param int|string $intModelId key into $this->arrModel
  * @return string hex-encoded RSDF text, or whatever addError() returns on failure
  */
 function createRSDF($intModelId)
 {
     if (!self::rsdf_key || !self::rsdf_iv) {
         return addError('(createRSDF) RSDF Keyfile is not defined');
     }
     if (!isset($this->arrModel[$intModelId])) {
         return $this->addError('(createRSDF) Data model with Id ' . $intModelId . ' not exists');
     }
     $binKey = $this->base16Decode(self::rsdf_key);
     $binIv = $this->base16Decode(self::rsdf_iv);
     # Build RSDF stream - the cipher state carries over from one link to the next.
     $cipher = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CFB, '');
     mcrypt_generic_init($cipher, $binKey, $binIv);
     $packages = $this->arrModel[$intModelId]['packages'];
     $lines = '';
     $packageCount = count($packages);
     for ($p = 0; $p < $packageCount; $p++) {
         $links = $packages[$p]['links'];
         $linkCount = count($links);
         for ($l = 0; $l < $linkCount; $l++) {
             $lines .= base64_encode(mcrypt_generic($cipher, $links[$l]['url'])) . "\r\n";
         }
     }
     mcrypt_generic_deinit($cipher);
     mcrypt_module_close($cipher);
     unset($cipher);
     return $this->base16Encode($lines);
 }
Example #24
    exit;
}
// Request flags that select what the submitted form should do; the branches
// below act on whichever of them is set.
$finishpublish = sotf_Utils::getParameter('finishpublish');
$finish = sotf_Utils::getParameter('finish');
$save = sotf_Utils::getParameter('save');
if ($save || $finish || $finishpublish) {
    $params = array('title' => 'text', 'alternative_title' => 'text', 'episode_title' => 'text', 'episode_sequence' => 'number', 'keywords' => 'text', 'abstract' => 'text', 'language' => 'text', 'genre_id' => 'number', 'spatial_coverage' => 'text', 'temporal_coverage' => 'date', 'production_date' => 'date', 'broadcast_date' => 'date', 'expiry_date' => 'date');
    foreach ($params as $param => $type) {
        $value = sotf_Utils::getParameter($param);
        if ($type == 'text') {
            $value = strip_tags($value);
        } elseif ($type == 'number') {
            if (empty($value)) {
                $value = '';
            } elseif (!is_numeric($value)) {
                addError($page->getlocalized('not_a_number') . ": {$value}");
                continue;
            }
        } elseif ($type == 'date') {
            if (sotf_Utils::getParameter($param . '_radio1') != "unselected") {
                $value = sotf_Utils::getParameter($param . 'Year') . '-' . sotf_Utils::getParameter($param . 'Month') . '-' . sotf_Utils::getParameter($param . 'Day');
            }
        }
        $prg->set($param, $value);
    }
    if ($finishpublish) {
        $prg->publish();
        $page->redirect("editor.php");
    } elseif ($finish) {
        $prg->update();
        $page->redirect("editor.php");
Example #25
    //UTF-Module for PHP REQUIRED!!!
    $file = $userDir . $newname . "." . $extension;
    moveUploadedFile('userfile', $file);
    $page->redirect("manageFiles.php");
    exit;
}
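//---------
// delete files
// Each checked file arrives as a POST field named sel_<...> whose value is the
// file name to remove from the user's directory.
$del = sotf_Utils::getParameter('del');
if ($del) {
    // foreach replaces the removed each()/list() idiom with identical iteration.
    foreach ($_POST as $k => $fname) {
        debug("P", $k);
        if (substr($k, 0, 4) !== 'sel_') {
            continue;
        }
        // The file name is user-supplied and was previously joined to the user
        // directory as-is, so a value containing "../" could remove files outside
        // it. Keep only the final path component and refuse empty/dot names.
        $safeName = is_string($fname) ? basename($fname) : '';
        $target = $user->getUserDir() . '/' . $safeName;
        if ($safeName === '' || $safeName === '.' || $safeName === '..'
            || !is_file($target) || !unlink($target)) {
            addError("Could not delete: {$fname}");
        }
    }
    $page->redirect("manageFiles.php");
    exit;
}
// close
$close = sotf_Utils::getParameter('close');
if ($close) {
    $page->redirect("closeAndRefresh.php");
    exit;
}
// generate output
$smarty->assign('USERFILES', $user->getUserFiles());
$smarty->assign("USERFTPURL", $user->getUrlForUserFTP());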
Example #26
 /**
  * Saves the sub-criteria row described by the current request and re-renders
  * the index with a success or error message. Does nothing for an empty request.
  */
 function update()
 {
     $request = Core::Request();
     if (empty($request)) {
         return;
     }
     $subcriteria = $this->loadmodel('SubcriteriaModel');
     $subcriteria->id = $request['params'];
     $subcriteria->sub_criteria = $request['sub_criteria'];
     $subcriteria->parent_id = $request['parent_id'];
     $subcriteria->kode = $request['kode'];
     $subcriteria->persentase = $request['persentase'];
     // 'value' is derived from the percentage through grade(), not taken from the request.
     $subcriteria->value = $this->grade($request['persentase']);
     $subcriteria->factor = $request['factor'];
     $saved = $subcriteria->Save();
     $this->data['msg'] = $saved
         ? addSuccess(lang('This sub aspek has been updated.'))
         : addError(lang('This sub aspek unsuccess update.'));
     $this->index();
 }
Example #27
    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
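$page = 'mydiagrams';
require_once dirname(__FILE__) . '/common/delegate.php';
if (!isset($_SESSION)) {
    session_start();
}
require_once dirname(__FILE__) . '/common/rememberme.php';
// Only a logged-in user (numeric userId in the session) may list diagrams.
if (!isset($_SESSION['userId']) || !is_numeric($_SESSION['userId'])) {
    addError("Access denied");
    redirect('./editor.php');
    // Do not depend on redirect() terminating the script: without this exit the
    // delegate calls below would still run for an unauthenticated request.
    exit;
}
$delegate = new Delegate();
$loggedUser = $delegate->userGetById($_SESSION['userId']);
$allDiagrams = $delegate->diagramGetAll();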
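/**
 * Extracts the local part (text before '@') of an email address.
 * Without an '@' the first five characters are returned instead.
 *
 * @param string $email
 * @return string
 */
function firstName($email)
{
    $at = strpos($email, '@');
    // strpos() returns false when absent; compare strictly so an '@' at offset 0
    // is not mistaken for "not found" (the previous truthiness test did that).
    if ($at === false) {
        return substr($email, 0, 5);
    }
    return substr($email, 0, $at);
}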
Example #28
/**
 * Runs the installer's environment checks, recording each problem through
 * addError()/addWarning(), and reports whether no error was recorded.
 *
 * @return bool true when the global $errors list is empty afterwards
 */
function doSystemChecks()
{
    $minPhp = '5.2.1';
    $currentPhp = phpversion();
    if (version_compare($currentPhp, $minPhp, "<")) {
        addError(kPHPVersion, sprintf(_('This version of PHPDevShell only supports PHP version %s and later. You are currently running version %s.'), $minPhp, $currentPhp));
    }
    // A non-Apache server is only a warning: unsupported, not blocking.
    if (!check_apache()) {
        addWarning(kApache, _('You are not running Apache as your web server. This version of PHPDevShell does not officially support non-Apache driven webservers.'));
    }
    if (!check_mysql()) {
        addError(kMYSQL, _('The MySQL extension for PHP is missing. The installation script will be unable to continue'));
    }
    if (!check_gettext()) {
        addError(kGETTEXT, _('The gettext extension for PHP is missing. The installation script will be unable to continue'));
    }
    // The collectors above appear to append to this global - confirm in error.php.
    global $errors;
    return count($errors) == 0;
}
Example #29
<?php

include_once './utility/error.php';
include_once './utility/user.php';
clearAndInitErrors();
// A login is only attempted when both credential fields were posted; a missing
// field is not a login attempt and records no error. login() is presumably
// provided by utility/user.php - confirm.
if (isset($_POST['username'], $_POST['password'])
    && !login($_POST['username'], $_POST['password'])) {
    addError('Incorrect username/password combination');
}
?>
<p>login</p>
Example #30
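 /**
  * Import form handler. On POST: upload the file, parse it into a dataset and
  * store the points, reporting the outcome through addSuccess()/addError().
  * In every case the import form is then rendered with the current source and
  * variable options.
  */
 public function importfile()
 {
     if ($_POST) {
         $uploaded = $this->fileUploadHandler();
         if ($uploaded) {
             $dataset = $this->processFiles($uploaded);
             // A false/empty dataset is ignored here; processFiles() is assumed to
             // report its own errors - confirm.
             if ($dataset) {
                 if ($this->datapoints->addPoints($dataset)) {
                     addSuccess(getTxt('Success'));
                     $this->updateSC();
                 } else {
                     addError(getTxt('ProcessingError') . "Error in data input");
                 }
             }
         }
     }
     //GetSources
     $sources = $this->sources->getAll();
     $sourceOptions = optionsSource($sources);
     //Get Variables
     $variables = $this->variables->getAll();
     $varOptions = optionsVariable($variables);
     //List of CSS to pass to this view
     $data = $this->StyleData;
     $data['sourcesOptions'] = $sourceOptions;
     $data['variableOptions'] = $varOptions;
     $this->load->view('datapoint/importfile', $data);
 }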