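/**
 * Fetch one column of the non-deleted user row identified by $uid.
 *
 * @param mixed  $uid   user id; interpolated into the WHERE clause, so it is
 *                      passed through core_query_sanitize() first
 * @param string $field column name; also sanitized, because it is spliced
 *                      into the SELECT list as-is
 * @return mixed the column value, or null when either argument is empty after
 *               sanitizing or no row matches (the original left $ret undefined,
 *               which also evaluated to null but raised a notice)
 */
function user_getfieldbyuid($uid, $field)
{
    $ret = null;
    $field = core_query_sanitize($field);
    // $uid was previously interpolated unsanitized; no parameterized dba_* API
    // is visible here, so sanitizing is the available defence against injection
    // through the uid argument.
    $uid = core_query_sanitize($uid);
    if ($uid && $field) {
        $db_query = "SELECT {$field} FROM " . _DB_PREF_ . "_tblUser WHERE flag_deleted='0' AND uid='{$uid}'";
        $db_result = dba_query($db_query);
        if ($db_row = dba_fetch_array($db_result)) {
            // the sanitized column name is the key dba_fetch_array() returns
            $ret = $db_row[$field];
        }
    }
    return $ret;
}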
}
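// Sanitize every query-string value in place; $_POST is not touched in this span.
foreach ($_GET as $key => $val) {
    $_GET[$key] = core_sanitize_inputs($val);
}
// too many codes using $_REQUEST, until we revise them all we use this as a workaround
// $_REQUEST is rebuilt from GET and POST only (POST wins on duplicate keys);
// cookies are deliberately left out. The former `empty($_REQUEST);` line was a
// no-op (empty() only tests a value, it never clears it) and is dropped because
// this assignment replaces the array wholesale anyway.
$_REQUEST = array_merge($_GET, $_POST);
// global defines
// Missing request keys fall back to '' instead of raising an undefined-index
// notice (core_query_sanitize() previously received null for them).
define('_APP_', core_query_sanitize($_REQUEST['app'] ?? ''));
define('_INC_', core_query_sanitize($_REQUEST['inc'] ?? ''));
define('_OP_', core_query_sanitize($_REQUEST['op'] ?? ''));
define('_ROUTE_', core_query_sanitize($_REQUEST['route'] ?? ''));
define('_PAGE_', core_query_sanitize($_REQUEST['page'] ?? ''));
define('_NAV_', core_query_sanitize($_REQUEST['nav'] ?? ''));
define('_CAT_', core_query_sanitize($_REQUEST['cat'] ?? ''));
define('_PLUGIN_', core_query_sanitize($_REQUEST['plugin'] ?? ''));
// save last $_POST in $_SESSION
// !empty() keeps the original truthiness test but no longer notices when the
// token field is absent.
if (!empty($_POST['X-CSRF-Token'])) {
    // NOTE(review): _INC_ appears twice in this key and _OP_ not at all; whatever
    // reads $_SESSION['tmp']['last_post'] must build the identical key, so confirm
    // against that reader before changing the formula.
    $_SESSION['tmp']['last_post'][md5(trim(_APP_ . _INC_ . _ROUTE_ . _INC_))] = $_POST;
}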
// enable anti-CSRF for anything but webservices
if (!(_APP_ == 'ws' || _APP_ == 'webservices' || $core_config['init']['ignore_csrf'])) {
    // print_r($_POST); print_r($_SESSION);
    if ($_POST) {
        if (!core_csrf_validate()) {
            logger_print('WARNING: possible CSRF attack. sid:' . $_SESSION['sid'] . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'init');
            auth_block();
        }
    }
    $csrf = core_csrf_set();
    define('_CSRF_TOKEN_', $csrf['value']);