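/**
 * Confirms a pending email-address change for the logged-in user.
 *
 * The change is applied only when the `token` query parameter matches the
 * token derived from the user's pending `new_email_address` and no other
 * account already uses that address; otherwise an error list is shown.
 *
 * NOTE(review): the token is sha1() of the new address itself, so anyone who
 * knows the pending address (the logged-in user does) can compute it without
 * ever receiving the confirmation email, i.e. ownership of the new address is
 * not actually proven. A random, stored, single-use token would fix that, but
 * it has to be issued by the sender side (not visible here), so only the
 * comparison and the missing guards are hardened in this function.
 *
 * @return mixed whatever must_log_in() returns when nobody is logged in; void otherwise
 */
function content()
{
    if (!user_logged_in()) {
        return must_log_in();
    }

    $user = fetch_one_or_none('users', 'id', user_logged_in());
    // Was never initialised; count() on an undefined variable is a warning/TypeError.
    $errors = array();

    // A missing pending address must not verify: sha1('') is a well-known constant,
    // and the old code would then have set email_address to NULL.
    $pendingAddress = $user ? (string) $user->new_email_address : '';
    $token = isset($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : '';

    // Type-strict, constant-time comparison: `!=` treats two numeric-looking
    // strings (e.g. "0e123…" against a hash starting with "0e") as equal.
    if ($pendingAddress === '' || $token === '' || !hash_equals(sha1($pendingAddress), $token)) {
        $errors[] = 'Invalid reset token';
    }

    # This can happen if two accounts try to change address at similar times.
    if (count($errors) == 0 && count(fetch_all('users', 'email_address', $pendingAddress))) {
        $errors[] = "A user with this email address already exists";
    }

    if (count($errors) == 0) {
        update_all('users', array('email_address' => $pendingAddress, 'new_email_address' => null), 'id', user_logged_in());
        ?> <h2>Address changed</h2> <p>Your email address has been changed to <tt><?php esc($pendingAddress); ?> </tt>.</p> <?php
        return;
    }

    page_header('Address verification failed');
    show_error_list($errors);
}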
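/**
 * Performs simple auto-escaping of data for security reasons.
 * Might consider making this more complex at a later date.
 *
 * If $data is a string, then it simply escapes and returns it.
 * If $data is an array, then it loops over it, escaping each
 * 'value' of the key/value pairs (recursively, so nested arrays are
 * escaped too). Any other type is returned untouched.
 *
 * Valid context values: html, js, css, url, attr, raw, null
 *
 * Fixes: the recursive call dropped $encoding, and the by-reference
 * foreach left a dangling reference on the last array element.
 *
 * @param string|array $data
 * @param string       $context
 * @param string|null  $encoding handed to the escaper (and to nested calls)
 *
 * @return string|array
 *
 * @throws \InvalidArgumentException on an unknown context
 */
function esc($data, $context = 'html', $encoding = null)
{
    if (is_array($data)) {
        // Build a fresh array rather than iterating by reference.
        $escaped = [];
        foreach ($data as $key => $value) {
            $escaped[$key] = esc($value, $context, $encoding);
        }
        return $escaped;
    }

    if (!is_string($data)) {
        return $data;
    }

    $context = strtolower((string) $context);

    // Provide a way to NOT escape data since
    // this could be called automatically by
    // the View library.
    if (empty($context) || $context === 'raw') {
        return $data;
    }

    if (!in_array($context, ['html', 'js', 'css', 'url', 'attr'], true)) {
        throw new \InvalidArgumentException('Invalid escape context provided.');
    }

    $method = $context === 'attr' ? 'escapeHtmlAttr' : 'escape' . ucfirst($context);

    $escaper = new \Zend\Escaper\Escaper($encoding);

    return $escaper->{$method}($data);
}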
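/**
 * Builds the HTML label shown for a node in the navigation tree: a badge icon
 * (with the node-type name as tooltip) followed by the node title.
 *
 * Fix: the icon class, which comes from node data like the node-type name,
 * was interpolated raw into the class attribute; it is now escaped with the
 * same helper used for the title attribute next to it.
 *
 * @param object $node record exposing has()/get()/getNodetype()/getTitle()
 * @return string HTML fragment
 */
private function navLabel($node)
{
    $nodetype = $node->has('nodetype_name')
        ? $node->get('nodetype_name')
        : $node->getNodetype()->displayField();
    $icon = $node->has('nodetype_icon')
        ? $node->get('nodetype_icon')
        : $node->getNodetype()->getIcon();

    $badge = '<span class="badge-icon" title="' . esc($nodetype) . '">'
        . '<i class="' . esc($icon) . '"></i></span>';

    // clean() is the title filter used elsewhere in this class; kept as-is.
    return $badge . ' <span class="title">' . clean($node->getTitle()) . '</span>';
}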
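/**
 * esc() must entity-encode the quote characters in its default (html)
 * context and leave plain text alone.
 *
 * NOTE(review): the listing showed the expected values with the entities
 * already decoded (`"Stri"ngs"`), which is not valid PHP; they are restored
 * here as the entity forms an htmlspecialchars-style HTML escaper emits.
 */
public function testEsc()
{
    $expectations = [
        ['Strings', 'Strings'],
        ['Stri"ngs', 'Stri&quot;ngs'],
        ["Stri'ngs", 'Stri&#039;ngs'],
    ];

    foreach ($expectations as [$input, $expected]) {
        $this->assertEquals($expected, esc($input));
    }
}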
/**
 * Lists every account that is both verified and approved, ordered by name,
 * as a table with one link per user (link target is the user id).
 */
function content()
{
    $accounts = fetch_wol(
        '*',
        'users',
        'date_verified IS NOT NULL AND date_approved IS NOT NULL',
        'name ASC'
    );
    ?> <h2>Accounts</h2> <table> <?php
    foreach ($accounts as $account) {
        ?> <tr> <td class="name"><a href="<?php esc($account->id); ?> "><?php esc($account->name); ?> </a></td> </tr> <?php
    }
    ?> </table> <?php
}
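/**
 * Renders one text input per site language for a multilingual text field.
 *
 * Fix: the closing quote (and trailing space) of the name attribute sat
 * inside the escAttr() call, so it was emitted as `&quot;` and the name
 * attribute swallowed the markup that followed it. The class list is now
 * escaped as well.
 *
 * @param string $doctype     passed through to the attribute builders
 * @param mixed  $environment unused here; kept for the field interface
 * @return string HTML
 */
public function render($doctype, $environment)
{
    $languages = ipContent()->getLanguages();
    $fieldValue = $this->getValue();
    $classes = implode(' ', $this->getClasses());
    $answer = '';

    foreach ($languages as $language) {
        $code = $language->getCode();

        $langValue = '';
        if (is_array($fieldValue) && !empty($fieldValue[$code])) {
            $langValue = $fieldValue[$code];
        }
        if (!is_string($langValue)) {
            //just in case we have an array or something else incompatible with below code in the database
            $langValue = '';
        }

        $answer .= '
            <div class="input-group">
                <span class="input-group-addon">' . esc($language->getAbbreviation()) . '</span>
                <input ' . $this->getAttributesStr($doctype) . ' class="form-control ' . escAttr($classes) . '" name="' . escAttr($this->getName() . '[' . $code . ']') . '" ' . $this->getValidationAttributesStr($doctype) . ' type="text" value="' . escAttr($langValue) . '" />
            </div>
        ';
    }

    return $answer;
}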
/**
 * @ignore
 * Resolves the directory (relative to the configured base dir, with a
 * trailing "/") of the file that called us $callLevel frames up the stack.
 * Entries of the `fileOverrides` config (relative path => full path) are
 * consulted first so an overridden file reports its original location.
 *
 * @param int $callLevel
 * @return string
 * @throws \Ip\Exception when the caller cannot be found or lies outside baseDir
 */
public static function ipRelativeDir($callLevel = 0)
{
    $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, $callLevel + 1);
    if (!isset($frames[$callLevel]['file'])) {
        throw new \Ip\Exception("Can't find caller");
    }

    $onWindows = DIRECTORY_SEPARATOR == '\\';

    $callerFile = $frames[$callLevel]['file'];
    if ($onWindows) {
        // Replace windows paths
        $callerFile = str_replace('\\', '/', $callerFile);
    }

    $overrides = ipConfig()->get('fileOverrides');
    if ($overrides) {
        foreach ($overrides as $relativePath => $fullPath) {
            if ($onWindows) {
                // Replace windows paths
                $fullPath = str_replace('\\', '/', $fullPath);
            }
            if (strpos($callerFile, $fullPath) !== 0) {
                continue;
            }
            $relative = substr_replace($callerFile, $relativePath, 0, strlen($fullPath));
            return substr($relative, 0, strrpos($relative, '/') + 1);
        }
    }

    $baseDir = str_replace('\\', '/', ipConfig()->get('baseDir'));
    if (strpos($callerFile, $baseDir) !== 0) {
        throw new \Ip\Exception('Cannot find relative path for file ' . esc($callerFile));
    }

    $relative = substr($callerFile, strlen($baseDir) + 1);
    return substr($relative, 0, strrpos($relative, '/') + 1);
}
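/**
 * Saves a document in the database
 *
 * Fix: $order_id was interpolated raw into the COMMENTS value; it is now
 * escaped like the other string columns (the DOCUMENT_ID already went
 * through sprintf's %d, which coerces it to an integer).
 *
 * @param string $order_id the id of the order
 * @param string $location the current location of the file
 * @return void
 */
function document_save($order_id, $location)
{
    // Per-process counter so several documents of one order get distinct ids.
    static $count = 0;

    $document_id = sprintf('DOC_%d_%d', $order_id, $count);

    $query = "INSERT INTO document (DOCUMENT_ID, DOCUMENT_TYPE_ID, DATE_CREATED, COMMENTS, DOCUMENT_LOCATION, CREATED_STAMP, CREATED_TX_STAMP)\n\t\t\t VALUES ('" . esc($document_id) . "', '" . DOC_REQUISION . "', NOW(), 'Document for order " . esc($order_id) . "', '" . esc($location) . "', '" . now() . "', NOW())";
    db_query($query);

    $count++;
}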
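/**
 * Returns true when at least one row of $this->table has $field = $value.
 *
 * Fix: $field is an identifier and was spliced into the backticks unescaped;
 * doubling any backtick keeps it inside its quotes (esc() is a value escaper
 * and does not apply to identifiers).
 *
 * @param mixed       $value
 * @param string|null $field column to match; defaults to the primary key
 * @return bool
 */
public function check_true($value, $field = null)
{
    if ($field === null) {
        $field = $this->primary_key;
    }
    $column = str_replace('`', '``', $field);

    $sql = "SELECT * FROM `{$this->table}` WHERE `{$column}` = '" . esc($value) . "' LIMIT 1";
    $rows = db_get_all($sql);

    return isset($rows[0]);
}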
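/**
 * Loads the rows of $this->table whose $field equals $value, joined with the
 * matching posts row (by post_id) to pick up its Title.
 *
 * Fix: the escaped value was spliced in without quotes, so a string value was
 * still live SQL; it is quoted now, consistent with check_true(). The column
 * identifier is backtick-escaped as well.
 *
 * @param mixed       $value
 * @param string|null $field column to match; defaults to the primary key
 * @return array|false rows, or false when the helper returned null
 */
public function getBy($value, $field = null)
{
    if ($field === null) {
        $field = $this->primary_key;
    }
    $column = str_replace('`', '``', $field);

    $sql = "SELECT `{$this->table}`.*,`posts`.`Title` FROM `{$this->table}`,`posts` WHERE `{$this->table}`.`{$column}` = '" . esc($value) . "' and `{$this->table}`.`{$column}`= `posts`.`post_id`";
    $rows = db_get_all($sql);

    // Same contract as before: only a null result becomes false.
    return $rows ?? false;
}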
/**
 * Emits the page heading for $title (HTML-escaped on output).
 *
 * @param string $title
 */
function page_header($title) { ?> <h2><?php esc($title); ?> </h2> <?php }
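/**
 * Loads the hit counters for the current request URI into $this->PageHits
 * under the keys 'all', 'today', 'month' and 'hits' (the last one is the
 * year total; the key name is kept for compatibility).
 *
 * Fix: MySQL's DATE_FORMAT takes (date, format), so the old
 * DATE_FORMAT('Y-m-d', NOW()) evaluated to NULL and the three period
 * queries never matched a row. The period start is now formatted from NOW()
 * as a full date (first of month / first of year) so it compares cleanly
 * against `added`.
 */
public function loadHits()
{
    $db = Framework::getDb();
    $page = esc($_SERVER['REQUEST_URI']);

    $sumSince = function ($condition) use ($db, $page) {
        $row = $db->getFirstRow("SELECT SUM(hits) AS hits FROM page_hits WHERE page = '" . $page . "'" . $condition);
        return $row ? $row['hits'] : 0;
    };

    $this->PageHits = array(
        'all'   => $sumSince(''),
        'today' => $sumSince(" AND added >= DATE_FORMAT(NOW(), '%Y-%m-%d')"),
        'month' => $sumSince(" AND added >= DATE_FORMAT(NOW(), '%Y-%m-01')"),
        'hits'  => $sumSince(" AND added >= DATE_FORMAT(NOW(), '%Y-01-01')"),
    );
}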
/**
 * "Change email address" page. On a POST carrying the `change` button it
 * validates the submitted address, rejects one already used by another
 * account, stores it as the pending `new_email_address` and mails a
 * confirmation request; otherwise (or on error) it renders the form.
 *
 * @return mixed whatever must_log_in() returns when nobody is logged in; void otherwise
 */
function content()
{
    if (!user_logged_in()) {
        return must_log_in();
    }

    $userId = user_logged_in();
    $user = fetch_one_or_none('users', 'id', $userId);
    $errors = array();

    if (array_key_exists('change', $_POST)) {
        $submitted = isset($_POST['email']) ? $_POST['email'] : null;

        if (!$submitted) {
            $errors[] = "Please enter an email address";
        } elseif (!validate_email_address($submitted)) {
            $errors[] = "Invalid email address";
        } elseif (count(fetch_all('users', 'email_address', $submitted))) {
            $errors[] = "A user with this email address already exists";
        } else {
            update_all('users', array('new_email_address' => $submitted), 'id', $userId);
            send_email_change_email($submitted, $user->name);
            ?> <p>We have sent an email to your new address requesting that you confirm that change of address.</p> <?php
            return;
        }
    }

    $fields = array();
    page_header('Change email address');
    show_error_list($errors);
    ?> <form method="post" action="" accept-charset="UTF-8"> <div class="fieldrow"> <div class="field"> <label>Current address:</label> <div><tt><?php esc($user->email_address); ?> </tt></div> </div> </div> <div class="fieldrow"> <?php text_field($fields, 'email', 'New address'); ?> </div> <div class="fieldrow"> <input type="submit" name="change" value="Change"/> </div> </form> <?php
}
/**
 * Front-page body: a one-line welcome using the configured site title
 * (read from the global $config array, HTML-escaped on output).
 */
function content() { global $config; ?> <p>Welcome to <?php esc($config['title']); ?> .</p> <?php }
/**
 * Generate field value preview for table view. HTML is allowed
 *
 * A configured previewMethod wins; otherwise the escaped raw field value
 * is returned, or null when the record has no such field.
 *
 * @param $recordData
 * @internal param array $data current record data
 * @return string|null
 */
public function preview($recordData)
{
    if ($this->previewMethod) {
        return call_user_func($this->previewMethod, $recordData);
    }

    if (!isset($recordData[$this->field])) {
        return null;
    }

    return esc($recordData[$this->field]);
}
/**
 * Exposes data entry $field on this object as a Field named $key, with the
 * value escaped. For the 'url' key a value that fails the URL check is
 * replaced by null.
 *
 * @param string      $key
 * @param string|null $field source key in $this->data; defaults to $key
 */
public function field($key, $field = null)
{
    $sourceKey = $field === null ? $key : $field;
    $value = a::get($this->data, $sourceKey);

    if ($key == 'url' && !v::url($value)) {
        $value = null;
    }

    $this->{$key} = new Field($this->page, $key, esc($value));
}
/**
 * Table-view preview for an option field: maps the stored value to its label
 * via $this->values (entries shaped [value, label]) and escapes the result.
 * A value with no matching option is shown as stored.
 *
 * @param array $recordData current record
 * @return string
 */
public function preview($recordData)
{
    $stored = $recordData[$this->field];
    $display = $stored;

    foreach ($this->values as $option) {
        if (!is_array($option) || !isset($option[1])) {
            continue;
        }
        // Loose == kept from the original so differently typed option
        // values (e.g. int vs. string) still match.
        if ($option[0] == $stored) {
            $display = $option[1];
            break;
        }
    }

    return esc($display);
}
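/**
 * Renders a 100x100 thumbnail of a repository file that links to the file.
 *
 * Fix: the href and src URLs derive from the stored file name but were
 * emitted unescaped; they are now escaped like the alt text already was.
 * NOTE(review): whether ipFileUrl()/ipReflection() reject a file name with
 * path segments ("../") is not visible here — confirm at the storage layer.
 *
 * @param string     $value      file name inside file/repository
 * @param array|null $recordData unused; kept for the preview-callback signature
 * @return string|false HTML, or false when there is no file
 */
public static function showImage($value, $recordData = null)
{
    if (!$value) {
        return false;
    }

    $transform = array('type' => 'fit', 'width' => 100, 'height' => 100);
    $thumbnailUrl = ipReflection($value, $transform, 'preview.jpg');
    $fileUrl = ipFileUrl('file/repository/' . $value);

    return '<a href="' . esc($fileUrl) . '" target="blank">'
        . '<img src="' . esc($thumbnailUrl) . '" alt="' . esc($value) . '"></a>';
}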
/**
 * Preview for a file field: with a single-file limit the stored name is shown
 * as-is; otherwise the stored JSON list of files is shown comma-separated.
 * The output is escaped either way.
 *
 * @param array $recordData current record
 * @return string
 */
public function preview($recordData)
{
    $stored = $recordData[$this->field];

    if ($this->fileLimit == 1) {
        return esc($stored);
    }

    $files = json_decode($stored);
    $text = is_array($files) ? implode(', ', $files) : $files;

    return esc($text);
}
/**
 * Body of the 404 page: echoes the requested URI back (HTML-escaped, so a
 * crafted path cannot inject markup here).
 */
function error_404_content() { ?> <h2>Error: 404 Not Found</h2> <p>The requested URL <tt><?php esc($_SERVER['REQUEST_URI']); ?> </tt> was not found on this server.</p> <?php }
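/**
 * Builds the preview HTML of a log record: `{key}` placeholders in the
 * message are replaced by the escaped, emphasised scalar values of the
 * record's JSON context. The message itself is escaped first.
 *
 * Fix: json_decode() returns null (or a scalar) for empty/invalid context;
 * iterating that raised a warning. Such a context now simply yields no
 * replacements.
 *
 * @param mixed $value      unused; kept for the preview-callback signature
 * @param array $recordData row with 'context' (JSON object) and 'message'
 * @return string HTML
 */
public static function previewMessage($value, $recordData)
{
    $context = json_decode($recordData['context'], true);
    $replace = array();

    if (is_array($context)) {
        foreach ($context as $key => $val) {
            if (is_string($val) || is_numeric($val)) {
                $replace['{' . $key . '}'] = '<em>' . esc($val) . '</em>';
            }
        }
    }

    $message = esc($recordData['message']);

    return $replace ? strtr($message, $replace) : $message;
}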
/**
 * Returns the translated validator messages for a translation domain.
 * Only the 'Ip' and 'Ip-admin' domains are known; the domain is passed on
 * to __() as a variable, so string-extraction tooling that scans for a
 * literal domain argument will not see these calls.
 *
 * @param string $namespace translation domain
 * @return array validator key => message
 * @throws \Ip\Exception for any other domain
 */
protected static function validatorLocalizationData($namespace)
{
    // TODO do this localization on client side
    if (!($namespace == 'Ip' || $namespace == 'Ip-admin')) {
        throw new \Ip\Exception('Unknown translation domain: ' . esc($namespace));
    }

    return array(
        '*'          => __('Please correct this value', $namespace),
        ':email'     => __('Please enter a valid email address', $namespace),
        ':number'    => __('Please enter a valid numeric value', $namespace),
        ':url'       => __('Please enter a valid URL', $namespace),
        '[max]'      => __('Please enter a value no larger than $1', $namespace),
        '[min]'      => __('Please enter a value of at least $1', $namespace),
        '[required]' => __('Please complete this mandatory field', $namespace),
    );
}
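/**
 * Adds new party to the database
 *
 * Fix: $id was the only value spliced into the INSERT unescaped; it now goes
 * through esc() like the other columns.
 *
 * @param str $id             - id of the new party (must not exist yet)
 * @param str $type           - type of the party
 * @param str $user_login_id  - login of the person who created the party
 * @param str $data_source_id - data source the party originates from
 *
 * @return str - the id of the new party
 * @throws RuntimeException when a party with $id already exists
 */
function party_add($id, $type, $user_login_id, $data_source_id)
{
    if (party_exists($id)) {
        throw new RuntimeException('A client witht his ID already exists');
    }

    $query = "INSERT INTO party (PARTY_ID, PARTY_TYPE_ID, CREATED_DATE, CREATED_BY_USER_LOGIN, DATA_SOURCE_ID, CREATED_STAMP, CREATED_TX_STAMP)\n\t\t\t\t VALUES ('" . esc($id) . "', '" . esc($type) . "', NOW(), '" . esc($user_login_id) . "', '" . esc($data_source_id) . "', '" . now() . "', NOW())";
    db_query($query);

    return $id;
}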
/**
 * Returns the link text: the URL object's label when a URL is set, else the
 * plain text, optionally HTML-escaped.
 *
 * @param bool $_escape escape the result with esc()
 * @return string
 */
function get_text($_escape = FALSE)
{
    $text = $this->url ? $this->url->get_label() : $this->text;

    return $_escape ? esc($text) : $text;
}
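/**
 * Account activation page. Looks the user up by the `token` query parameter,
 * clears the token and stamps date_verified. The very first account (no
 * verified+approved admin exists yet) is auto-approved; every later account
 * triggers an approval request to the admins.
 *
 * Fix: the old code read $_GET['token'] and queried the users table even
 * when the token was missing (undefined-index notice, lookup by NULL); it
 * now stops before touching the database.
 */
function content()
{
    $token = isset($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : '';

    $user = $token === '' ? null : fetch_one_or_none('users', 'activation_token', $token);
    if (!$user) {
        page_header('Activation failed');
        show_error_list(array('Invalid activation token'));
        return;
    }

    $admins = fetch_wol('*', 'users', 'date_verified IS NOT NULL AND date_approved IS NOT NULL', 'id ASC');

    $sets = array('activation_token' => null, 'date_verified' => date('Y-m-d H:i:s'));
    # Auto-approve user 1.
    if (count($admins) == 0) {
        $sets['date_approved'] = $sets['date_verified'];
        $sets['approved_by'] = 1;
    }
    update_all('users', $sets, 'id', $user->id);

    page_header('Account activated');

    if (count($admins)) {
        send_approval_request($user, $admins);
        ?> <p>Thank you for activating your account. Your request for an account has been forwarded to a site administrator for approval. You will be notified by email when it is approved.</p> <?php
    } else {
        register_user_rdf($user);
        # Don't set login cookie now. This is to prevent someone hijacking
        # a login token, using it, and benefiting from a pre-logged-in session.
        # This way, they still need a password.
        global $config;
        ?> <p>Thank you for activating your account. You shouldn't need to do that again. You may now want to <a href="<?php esc($config['http_path']); ?> account/login">log in</a>.</p> <?php
    }
}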
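/**
 * Folds this listing's unit price into the running average for its item
 * hash: adds to price_sum/count on an existing row, or inserts the first
 * sample.
 *
 * Fix: in the UPDATE the escaped price was concatenated without quotes, so a
 * non-numeric value would have been live SQL. It is quoted now (MySQL coerces
 * the string in the addition), matching how the INSERT already passes it.
 */
private function updateAvg()
{
    $db = Framework::getDb();
    $hash = esc($this->getHash());

    // Check if the item exists (item_id, refine, slots)
    $row = $db->getFirstRow("SELECT * FROM " . self::TABLE_PRICE . " WHERE item_hash = '" . $hash . "'");

    if ($row != null) {
        // Found, update price sum (single price)
        $query = "UPDATE " . self::TABLE_PRICE . " SET price_sum = price_sum + '" . esc($this->price_one) . "', `count` = `count` + 1 WHERE item_hash = '" . $hash . "'";
    } else {
        // Add new
        $query = "\n\t\t\t\t\t\tINSERT INTO `" . self::TABLE_PRICE . "` \n\t\t\t\t\t\t\t(`item_hash`, `item_id`, `price_sum`, `count`, `last_update`) \n\t\t\t\t\t\tVALUES \n\t\t\t\t\t\t\t('" . $hash . "', '" . esc($this->id) . "', '" . esc($this->price_one) . "', '1', NOW())";
    }

    $db->query($query);
}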
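/**
 * Stores a chat message from $userId to $toUserId (0 = everyone, also used
 * when the recipient does not exist).
 *
 * Fixes: the length limits were measured on the escaped text, so escape
 * sequences inflated the count; they now use the raw message. The sender and
 * recipient ids were interpolated into the INSERT unescaped; they are now
 * escaped for the same mysqli link the query runs on.
 *
 * @param mysqli $link
 * @param string $chatMessage
 * @param mixed  $userId
 * @param mixed  $toUserId
 * @return string status code: message_empty | not_min_message | message_send
 */
function sendChatMessage($link, $chatMessage, $userId, $toUserId = 0)
{
    $length = mb_strlen($chatMessage);
    if ($length < 1) {
        return 'message_empty';
    }
    if ($length < 3) {
        return 'not_min_message';
    }

    if (!getUserLogin($link, $toUserId)) {
        $toUserId = 0;
    }

    $fromId = mysqli_real_escape_string($link, (string) $userId);
    $toId = mysqli_real_escape_string($link, (string) $toUserId);
    // esc() is the project's message escaper; kept so the stored text is unchanged.
    $message = esc($chatMessage);

    mysqli_query($link, "INSERT INTO `chat`(`chat_from_id`, `chat_to_id`,`chat_message`) VALUES ('{$fromId}','{$toId}','{$message}')");

    return 'message_send';
}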
/**
 * Persists this vender: an existing row (by char_id) is refreshed with the
 * current name/shop/position and marked online; otherwise a new row is
 * inserted. Every value goes through esc() before being spliced into SQL.
 */
public function save()
{
    $db = Framework::getDb();
    $charId = esc($this->id);

    // Add vender to the database or set to online
    $existing = $db->getFirstRow("SELECT char_id FROM " . self::TABLE . " WHERE char_id = '" . $charId . "'");

    if ($existing != null) {
        // Vender found, update it
        // Note: update name incase of name-change
        $sql = "\n\t\t\t\t\tUPDATE " . self::TABLE . " SET \n\t\t\t\t\t\tname = '" . esc($this->name) . "', \n\t\t\t\t\t\tshopname = '" . esc($this->shopname) . "',\n\t\t\t\t\t\tposX = '" . esc($this->posX) . "', \n\t\t\t\t\t\tposY = '" . esc($this->posY) . "', \n\t\t\t\t\t\tposMap = '" . esc($this->posMap) . "', \n\t\t\t\t\t\tonline = 1,\n\t\t\t\t\t\tseen = NOW()\n\t\t\t\t\tWHERE char_id = '" . $charId . "'\n\t\t\t\t";
    } else {
        // New entry
        $sql = "\n\t\t\t\t\tINSERT INTO " . self::TABLE . "\n\t\t\t\t\t\t(char_id, name, shopname, posX, posY, posMap, seen, online)\n\t\t\t\t\tVALUES\n\t\t\t\t\t\t('" . $charId . "', '" . esc($this->name) . "', '" . esc($this->shopname) . "', '" . esc($this->posX) . "', '" . esc($this->posY) . "', '" . esc($this->posMap) . "', NOW(), '1')\n\t\t\t\t";
    }

    $db->query($sql);
}
/**
 * A closure route registered for `pages/(:segment)` must be executed by
 * run() for the CLI path `pages/about`, with the segment passed through.
 */
public function testRunClosureRoute()
{
    $_SERVER['argv'] = ['index.php', 'pages/about'];
    $_SERVER['argc'] = 2;

    // Inject mock router.
    $routeCollection = Services::routes();
    $routeCollection->add('pages/(:segment)', function ($segment) {
        echo 'You want to see "' . esc($segment) . '" page.';
    });
    Services::injectMock('router', Services::router($routeCollection));

    ob_start();
    $this->codeigniter->run();
    $rendered = ob_get_clean();

    $this->assertContains('You want to see "about" page.', $rendered);
}
/**
 * Creates a widget instance, filling in the widget's default data and its
 * first skin when none are given, and returns the new widget id.
 *
 * @param string      $widgetName
 * @param mixed|null  $data       null => widget's defaultData()
 * @param string|null $skin       null => first entry of getSkins()
 * @param int         $revisionId
 * @param int         $languageId
 * @param string      $blockName
 * @param int         $position
 * @param bool        $visible
 * @return int widget id
 * @throws \Ip\Exception when no widget object exists for $widgetName
 */
public static function createWidget($widgetName, $data, $skin, $revisionId, $languageId, $blockName, $position, $visible = true)
{
    $widget = Model::getWidgetObject($widgetName);
    if (!$widget) {
        throw new \Ip\Exception("Widget '" . esc($widgetName) . "' doesn't exist");
    }

    if ($data === null) {
        $data = $widget->defaultData();
    }

    if ($skin === null) {
        $availableSkins = $widget->getSkins();
        $skin = $availableSkins[0]['name'];
    }

    return Model::createWidget($widgetName, $data, $skin, $revisionId, $languageId, $blockName, $position, $visible);
}