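/**
 * Confirms a pending email-address change for the logged-in user.
 *
 * Expects the verification token in $_GET['token']; on success the pending
 * new_email_address becomes the account's email_address and a confirmation
 * fragment is emitted, otherwise the error list is shown. Output is echoed
 * directly; the function returns nothing meaningful.
 */
function content()
{
    if (!user_logged_in()) {
        return must_log_in();
    }
    $user = fetch_one_or_none('users', 'id', user_logged_in());
    // Always start from an empty list: count($errors) below read an undefined
    // variable when the token was valid.
    $errors = array();
    if (!$user || !$user->new_email_address) {
        // Nothing is pending. Without this guard a token matching sha1('')
        // would have replaced the account's address with null.
        $errors[] = 'Invalid reset token';
    }
    if (count($errors) == 0) {
        // The token is sha1 of the pending address; compare in constant time.
        // NOTE(review): a token derivable from the address alone does not show
        // the user can read mail at that address — confirm how it is issued.
        $expected = sha1($user->new_email_address);
        if (!array_key_exists('token', $_GET) || !$_GET['token'] || !hash_equals($expected, (string) $_GET['token'])) {
            $errors[] = 'Invalid reset token';
        }
    }
    # This can happen if two accounts try to change address at similar times.
    if (count($errors) == 0 && count(fetch_all('users', 'email_address', $user->new_email_address))) {
        $errors[] = "A user with this email address already exists";
    }
    if (count($errors) == 0) {
        update_all('users', array('email_address' => $user->new_email_address, 'new_email_address' => null), 'id', user_logged_in());
        ?>
    <h2>Address changed</h2>
    <p>Your email address has been changed to
      <tt><?php 
        esc($user->new_email_address);
        ?>
</tt>.</p>
    <?php 
        return;
    }
    page_header('Address verification failed');
    show_error_list($errors);
}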
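 /**
  * Performs simple auto-escaping of data for security reasons.
  * Might consider making this more complex at a later date.
  *
  * If $data is a string, then it simply escapes and returns it.
  * If $data is an array, then it loops over it, escaping each
  * 'value' of the key/value pairs (recursively, with the same
  * context and encoding). Any other type is returned untouched.
  *
  * Valid context values: html, js, css, url, attr, raw, null
  *
  * @param string|array $data
  * @param string       $context  escape context; empty or 'raw' returns $data unchanged
  * @param string       $encoding character set handed to the escaper (null = escaper default)
  *
  * @return string|array the escaped data, same shape as the input
  * @throws \InvalidArgumentException when $context is not one of the valid values
  */
 function esc($data, $context = 'html', $encoding = null)
 {
     if (is_array($data)) {
         foreach ($data as $key => &$value) {
             // Forward $encoding as well; the original dropped it on recursion.
             $value = esc($value, $context, $encoding);
         }
         unset($value); // release the reference left behind by foreach-by-ref
     }
     if (is_string($data)) {
         $context = strtolower($context);
         // Provide a way to NOT escape data since
         // this could be called automatically by
         // the View library.
         if (empty($context) || $context === 'raw') {
             return $data;
         }
         if (!in_array($context, ['html', 'js', 'css', 'url', 'attr'], true)) {
             throw new \InvalidArgumentException('Invalid escape context provided.');
         }
         // 'attr' maps to escapeHtmlAttr; every other context maps to escape<Context>.
         $method = $context === 'attr' ? 'escapeHtmlAttr' : 'escape' . ucfirst($context);
         // One escaper per encoding: building a new one on every call is wasted work.
         static $escapers = [];
         $cacheKey = (string) $encoding;
         if (!isset($escapers[$cacheKey])) {
             $escapers[$cacheKey] = new \Zend\Escaper\Escaper($encoding);
         }
         $data = $escapers[$cacheKey]->{$method}($data);
     }
     return $data;
 }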
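 /**
  * Builds the navigation label for a node: a nodetype badge followed by the title.
  *
  * @param mixed $node node exposing has()/get()/getNodetype()/getTitle()
  * @return string HTML fragment
  */
 private function navLabel($node)
 {
     // Prefer pre-fetched nodetype data on the node; fall back to the nodetype object.
     $nodetype = $node->has('nodetype_name') ? $node->get('nodetype_name') : $node->getNodetype()->displayField();
     $icon = $node->has('nodetype_icon') ? $node->get('nodetype_icon') : $node->getNodetype()->getIcon();
     // Both attribute values are escaped; the original spliced $icon into the class attribute raw.
     $label = '<span class="badge-icon" title="' . esc($nodetype) . '"><i class="' . esc($icon) . '"></i></span>';
     return $label . ' <span class="title">' . clean($node->getTitle()) . '</span>';
 }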
 /**
  * esc() must HTML-encode double and single quotes and leave plain text alone.
  */
 public function testEsc()
 {
     // input => expected output
     $cases = [
         'Strings'  => 'Strings',
         'Stri"ngs' => 'Stri&quot;ngs',
         "Stri'ngs" => 'Stri&#039;ngs',
     ];
     foreach ($cases as $input => $expected) {
         $this->assertEquals($expected, esc($input));
     }
 }
/**
 * Renders the "Accounts" page: a table with one row per verified and
 * approved user, each name linking to the user's id.
 *
 * Output is echoed directly (mixed PHP/HTML); nothing is returned.
 */
function content()
{
    // Only accounts that are both verified and approved are listed, ordered by name.
    $users = fetch_wol('*', 'users', 'date_verified IS NOT NULL AND date_approved IS NOT NULL', 'name ASC');
    ?>
  <h2>Accounts</h2>

  <table>
    <?php 
    foreach ($users as $u) {
        // NOTE(review): esc() is used as a statement here, so in this code base it
        // presumably echoes its (escaped) argument — confirm against its definition.
        ?>
    <tr>
      <td class="name"><a href="<?php 
        esc($u->id);
        ?>
"><?php 
        esc($u->name);
        ?>
</a></td>
    </tr>
    <?php 
    }
    ?>
  </table>
<?php 
}
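    /**
     * Renders one text input per site language, named "<field>[<langCode>]".
     *
     * @param string $doctype     document type passed on to the attribute helpers
     * @param mixed  $environment unused here; part of the field interface
     * @return string HTML for all language inputs
     */
    public function render($doctype, $environment)
    {
        $languages = ipContent()->getLanguages();
        // The stored value is the same for every language, so fetch it once.
        $fieldValue = $this->getValue();
        $answer = '';
        foreach ($languages as $language) {
            $code = $language->getCode();
            $langValue = '';
            if (is_array($fieldValue) && !empty($fieldValue[$code])) {
                $langValue = $fieldValue[$code];
            }
            if (!is_string($langValue)) {
                //just in case we have an array or something else incompatible with below code in the database
                $langValue = '';
            }
            // The closing quote of the name attribute must stay outside escAttr():
            // the original escaped it, which broke the attribute markup.
            $answer .= '
<div class="input-group">
  <span class="input-group-addon">' . esc($language->getAbbreviation()) . '</span>
  <input ' . $this->getAttributesStr($doctype) . ' class="form-control ' . implode(' ', $this->getClasses()) . '" name="' . escAttr($this->getName() . '[' . $code . ']') . '" ' . $this->getValidationAttributesStr($doctype) . ' type="text" value="' . escAttr($langValue) . '" />
</div>
            ';
        }
        return $answer;
    }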
 /**
  * Returns the directory of the calling file, relative to the configured base
  * directory (or to the matching 'fileOverrides' entry), with forward slashes
  * and a trailing slash.
  *
  * @ignore
  * @param int $callLevel how many frames up the stack the caller of interest is
  * @return string relative directory, e.g. "Plugin/Foo/" (empty for the base dir itself)
  * @throws \Ip\Exception when the caller cannot be determined or lies outside baseDir
  */
 public static function ipRelativeDir($callLevel = 0)
 {
     // Only $callLevel + 1 frames are captured; arguments are skipped to keep it cheap.
     $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, $callLevel + 1);
     if (!isset($backtrace[$callLevel]['file'])) {
         throw new \Ip\Exception("Can't find caller");
     }
     $absoluteFile = $backtrace[$callLevel]['file'];
     if (DIRECTORY_SEPARATOR == '\\') {
         // Replace windows paths
         $absoluteFile = str_replace('\\', '/', $absoluteFile);
     }
     // Overrides map a relative path to the full path it is served from; a file
     // under such a full path reports the overridden relative location instead.
     $overrides = ipConfig()->get('fileOverrides');
     if ($overrides) {
         foreach ($overrides as $relativePath => $fullPath) {
             if (DIRECTORY_SEPARATOR == '\\') {
                 // Replace windows paths
                 $fullPath = str_replace('\\', '/', $fullPath);
             }
             // Plain prefix match: NOTE(review) a prefix without a trailing slash
             // also matches sibling directories sharing that prefix.
             if (strpos($absoluteFile, $fullPath) === 0) {
                 $relativeFile = substr_replace($absoluteFile, $relativePath, 0, strlen($fullPath));
                 return substr($relativeFile, 0, strrpos($relativeFile, '/') + 1);
             }
         }
     }
     $baseDir = ipConfig()->get('baseDir');
     $baseDir = str_replace('\\', '/', $baseDir);
     if (strpos($absoluteFile, $baseDir) !== 0) {
         throw new \Ip\Exception('Cannot find relative path for file ' . esc($absoluteFile));
     }
     // +1 skips the separator after baseDir (assumes baseDir has no trailing slash).
     $relativeFile = substr($absoluteFile, strlen($baseDir) + 1);
     return substr($relativeFile, 0, strrpos($relativeFile, '/') + 1);
 }
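/**
 * Saves a document in the database
 *
 * @param string $order_id the id of the order
 * @param string $location the current location of the file
 * @return void
 */
function document_save($order_id, $location)
{
    // Per-process counter: it restarts at 0 on every request, so DOCUMENT_ID is
    // only unique within one run unless the schema enforces uniqueness.
    static $count = 0;
    $document_id = sprintf('DOC_%d_%d', $order_id, $count);
    // Every interpolated value now goes through esc(); the original spliced
    // $order_id into COMMENTS raw. NOTE(review): this relies on esc() being an
    // SQL-literal escaper in this code base — confirm; a prepared statement
    // would remove the dependency.
    $query = "INSERT INTO document (DOCUMENT_ID, DOCUMENT_TYPE_ID, DATE_CREATED, COMMENTS, DOCUMENT_LOCATION, CREATED_STAMP, CREATED_TX_STAMP)\n\t\t\t  VALUES ('{$document_id}', '" . DOC_REQUISION . "', NOW(), 'Document for order " . esc($order_id) . "', '" . esc($location) . "', '" . now() . "', NOW())";
    db_query($query);
    $count++;
}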
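 /**
  * Tells whether a row exists where $field equals $value.
  *
  * @param mixed       $value value to look for
  * @param string|null $field column name; defaults to the primary key
  * @return bool
  */
 public function check_true($value, $field = null)
 {
     if ($field === null) {
         $field = $this->primary_key;
     }
     // $field is spliced in as an identifier and is NOT covered by esc(): it must
     // only ever come from trusted code, never from request data.
     $sql = "SELECT * FROM `{$this->table}` WHERE `{$field}` = '" . esc($value) . "' LIMIT 1";
     $rows = db_get_all($sql);
     return isset($rows[0]);
 }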
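 /**
  * Fetches rows of $this->table joined to posts on $field = posts.post_id.
  *
  * @param mixed       $value value to match in $field
  * @param string|null $field column name; defaults to the primary key
  * @return array|false the rows, or false when the query yields null
  */
 public function getBy($value, $field = null)
 {
     if ($field === null) {
         $field = $this->primary_key;
     }
     // The value is quoted like in check_true(): escaping only protects a value
     // inside a quoted literal, and the original spliced it in bare.
     // $field is an identifier and is not escaped; it must come from trusted code.
     $sql = "SELECT `{$this->table}`.*,`posts`.`Title` FROM `{$this->table}`,`posts` WHERE `{$this->table}`.`{$field}` = '" . esc($value) . "' and `{$this->table}`.`{$field}`= `posts`.`post_id`";
     $rows = db_get_all($sql);
     return $rows === null ? false : $rows;
 }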
/**
 * Emits the page heading as an <h2>.
 *
 * @param string $title heading text; passed through esc() before output
 */
function page_header($title)
{
    ?>
  <h2><?php 
    esc($title);
    ?>
</h2>
<?php 
}
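 /**
  * Loads hit counters for the current request URI into $this->PageHits
  * (keys: all, today, month, hits — the last one holds the year total).
  */
 public function loadHits()
 {
     // REQUEST_URI is attacker-controlled; it is only ever used inside a quoted
     // literal after esc(). NOTE(review): assumes esc() is the DB escaper in this
     // code base — confirm; a parameterised query would remove the doubt.
     $page = esc($_SERVER['REQUEST_URI']);
     $db = Framework::getDb();
     $base = "SELECT COALESCE(SUM(hits), 0) AS hits FROM page_hits WHERE page = '" . $page . "'";
     // MySQL DATE_FORMAT takes (date, format) with %-style specifiers; the original
     // passed ('Y-m-d', NOW()), so the ranged filters did not work as intended.
     $rowAll = $db->getFirstRow($base);
     $rowToday = $db->getFirstRow($base . " AND added >= CURDATE()");
     $rowMonth = $db->getFirstRow($base . " AND added >= DATE_FORMAT(NOW(), '%Y-%m-01')");
     $rowYear = $db->getFirstRow($base . " AND added >= DATE_FORMAT(NOW(), '%Y-01-01')");
     $this->PageHits = array(
         'all' => $rowAll ? $rowAll['hits'] : 0,
         'today' => $rowToday ? $rowToday['hits'] : 0,
         'month' => $rowMonth ? $rowMonth['hits'] : 0,
         // Key kept as 'hits' for existing readers, although it is the year total.
         'hits' => $rowYear ? $rowYear['hits'] : 0,
     );
 }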
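/**
 * "Change email address" page for the logged-in user.
 *
 * On POST with a valid, unused address the new value is stored as
 * new_email_address and a confirmation mail is sent; otherwise the form
 * (and any errors) is rendered. Output is echoed directly.
 */
function content()
{
    if (!user_logged_in()) {
        return must_log_in();
    }
    $user = fetch_one_or_none('users', 'id', user_logged_in());
    $errors = array();
    // NOTE(review): the form below carries no anti-CSRF token and the change
    // is not re-authenticated with the password — confirm whether the
    // framework adds protection elsewhere.
    if (array_key_exists('change', $_POST)) {
        if (!isset($_POST['email']) || !$_POST['email']) {
            $errors[] = "Please enter an email address";
        } else {
            $email = $_POST['email'];
            // $email is known to be non-empty here.
            if (!validate_email_address($email)) {
                $errors[] = "Invalid email address";
            }
            if (count($errors) == 0 && count(fetch_all('users', 'email_address', $email))) {
                $errors[] = "A user with this email address already exists";
            }
            if (count($errors) == 0) {
                // The address only becomes live once the emailed token is confirmed.
                update_all('users', array('new_email_address' => $email), 'id', user_logged_in());
                send_email_change_email($email, $user->name);
                ?>
        <p>We have sent an email to your new address requesting that you
          confirm that change of address.</p>
        <?php 
                return;
            }
        }
    }
    $fields = array();
    page_header('Change email address');
    show_error_list($errors);
    ?>
 
    <form method="post" action="" accept-charset="UTF-8">
      <div class="fieldrow">
        <div class="field">
          <label>Current address:</label>
          <div><tt><?php 
    esc($user->email_address);
    ?>
</tt></div>
        </div>
      </div>

      <div class="fieldrow">
        <?php 
    text_field($fields, 'email', 'New address');
    ?>
      </div>

      <div class="fieldrow">
        <input type="submit" name="change" value="Change"/>
      </div>
    </form>
  <?php 
}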
/**
 * Front-page content: a welcome line naming the site from $config['title'].
 *
 * Output is echoed directly; nothing is returned.
 */
function content()
{
    // Site-wide configuration array populated elsewhere.
    global $config;
    ?>
  <p>Welcome to <?php 
    esc($config['title']);
    ?>
.</p>
<?php 
}
 /**
  * Generate field value preview for table view. HTML is allowed
  * @param $recordData
  * @internal param array $data current record data
  * @return string|null null when there is no preview callback and the column is absent
  */
 public function preview($recordData)
 {
     // A configured preview callback wins; its output is returned as-is (trusted HTML).
     if ($this->previewMethod) {
         return call_user_func($this->previewMethod, $recordData);
     }
     // Otherwise show the escaped column value, or nothing if the column is missing.
     return isset($recordData[$this->field]) ? esc($recordData[$this->field]) : null;
 }
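 /**
  * Exposes one data entry as a Field object on $this->{$key}.
  *
  * @param string      $key   property name to create
  * @param string|null $field data key to read; defaults to $key
  */
 public function field($key, $field = null)
 {
     if ($field === null) {
         $field = $key;
     }
     $value = a::get($this->data, $field);
     // The url field only accepts a syntactically valid URL; anything else is dropped.
     if ($key === 'url' && !v::url($value)) {
         $value = null;
     }
     // The value is escaped once here and stored escaped.
     $this->{$key} = new Field($this->page, $key, esc($value));
 }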
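 /**
  * Previews the stored value, replaced by its label when $this->values maps it.
  *
  * @param array $recordData current record data
  * @return string escaped preview text
  */
 public function preview($recordData)
 {
     // Tolerate a missing column (the original raised an undefined-index notice).
     $previewValue = array_key_exists($this->field, $recordData) ? $recordData[$this->field] : null;
     foreach ($this->values as $value) {
         // Loose == is deliberate: stored values arrive as strings while the
         // configured option keys may be ints. Only [value, label] pairs are mapped.
         if (is_array($value) && isset($value[1]) && $value[0] == $previewValue) {
             $previewValue = $value[1];
             break;
         }
     }
     return esc($previewValue);
 }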
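 /**
  * Renders a 100x100 thumbnail linking to the repository file.
  *
  * @param string $value      repository file name
  * @param mixed  $recordData unused; kept for the preview-callback signature
  * @return string|false HTML, or false when there is no file
  */
 public static function showImage($value, $recordData = null)
 {
     if (!$value) {
         return false;
     }
     $transform = array('type' => 'fit', 'width' => 100, 'height' => 100);
     $thumbnailUrl = ipReflection($value, $transform, 'preview.jpg');
     // Every attribute value is escaped (the original escaped only alt).
     // target="_blank" replaces the typo "blank"; rel stops the opened page
     // from reaching back to this window.
     return '<a href="' . esc(ipFileUrl('file/repository/' . $value)) . '" target="_blank" rel="noopener noreferrer"><img src="' . esc($thumbnailUrl) . '" alt="' . esc($value) . '"></a>';
 }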
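 /**
  * Previews a file field: the single file name, or the JSON list joined by ", ".
  *
  * @param array $recordData current record data
  * @return string escaped preview text
  */
 public function preview($recordData)
 {
     // Tolerate a missing column instead of raising an undefined-index notice.
     $stored = isset($recordData[$this->field]) ? $recordData[$this->field] : '';
     if ($this->fileLimit == 1) {
         return esc($stored);
     }
     $data = json_decode($stored);
     if (is_array($data)) {
         $data = implode(', ', $data);
     } elseif (!is_scalar($data)) {
         // Malformed JSON (null) or a JSON object: show the stored text rather
         // than handing a non-string to esc().
         $data = $stored;
     }
     return esc($data);
 }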
/**
 * Renders the 404 page body, reflecting the requested URI.
 *
 * REQUEST_URI is attacker-controlled; it is only output through esc(),
 * which in this code base is used as an echoing escaper — confirm that
 * it HTML-encodes in its default context.
 */
function error_404_content()
{
    ?>
  <h2>Error: 404 Not Found</h2>

  <p>The requested URL <tt><?php 
    esc($_SERVER['REQUEST_URI']);
    ?>
</tt> 
    was not found on this server.</p>
<?php 
}
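 /**
  * Renders a log message, substituting {key} placeholders from the JSON context.
  *
  * @param mixed $value      unused; kept for the preview-callback signature
  * @param array $recordData record with 'message' and JSON 'context' columns
  * @return string HTML: escaped message with <em>-wrapped, escaped context values
  */
 public static function previewMessage($value, $recordData)
 {
     $context = isset($recordData['context']) ? json_decode($recordData['context'], true) : null;
     if (!is_array($context)) {
         // Missing or malformed context: nothing to substitute (the original
         // would foreach over null).
         $context = array();
     }
     $replace = array();
     foreach ($context as $key => $val) {
         // Only scalar text is substituted; nested structures are ignored.
         if (is_string($val) || is_numeric($val)) {
             $replace['{' . $key . '}'] = '<em>' . esc($val) . '</em>';
         }
     }
     // Escape the template first, then splice in already-escaped values, so the
     // <em> wrapper is the only markup that survives.
     $message = esc(isset($recordData['message']) ? $recordData['message'] : '');
     return strtr($message, $replace);
 }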
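 /**
  * Client-side validator messages, translated in the given domain.
  *
  * @param string $namespace translation domain: 'Ip' or 'Ip-admin'
  * @return array validator rule => translated message
  * @throws \Ip\Exception for any other domain
  */
 protected static function validatorLocalizationData($namespace)
 {
     // TODO do this localization on client side
     if (!in_array($namespace, array('Ip', 'Ip-admin'), true)) {
         throw new \Ip\Exception('Unknown translation domain: ' . esc($namespace));
     }
     // Both domains use the same message set; only the translation domain differs.
     return array(
         '*' => __('Please correct this value', $namespace),
         ':email' => __('Please enter a valid email address', $namespace),
         ':number' => __('Please enter a valid numeric value', $namespace),
         ':url' => __('Please enter a valid URL', $namespace),
         '[max]' => __('Please enter a value no larger than $1', $namespace),
         '[min]' => __('Please enter a value of at least $1', $namespace),
         '[required]' => __('Please complete this mandatory field', $namespace),
     );
 }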
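/**
 * Adds a new party to the database.
 *
 * @param string $id             id of the new party
 * @param string $type           type of the party
 * @param string $user_login_id  login of the person who created the party
 * @param string $data_source_id data source the party originates from
 *
 * @return string the id of the new party
 * @throws RuntimeException when a party with this id already exists
 */
function party_add($id, $type, $user_login_id, $data_source_id)
{
    if (party_exists($id)) {
        throw new RuntimeException('A client with this ID already exists');
    }
    // Every value goes through esc(); the original interpolated $id raw.
    // NOTE(review): relies on esc() being an SQL-literal escaper in this code
    // base — confirm; a prepared statement would be preferable.
    $query = "INSERT INTO party (PARTY_ID, PARTY_TYPE_ID, CREATED_DATE, CREATED_BY_USER_LOGIN, DATA_SOURCE_ID, CREATED_STAMP, CREATED_TX_STAMP)\n\t\t\t\t  VALUES ('" . esc($id) . "', '" . esc($type) . "', NOW(), '" . esc($user_login_id) . "', '" . esc($data_source_id) . "',  '" . now() . "', NOW())";
    db_query($query);
    return $id;
}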
 /**
  * Returns the item's text: the linked url's label when a url is set, else $this->text.
  *
  * @param bool $_escape when true the text is passed through esc()
  * @return string
  */
 function get_text($_escape = FALSE)
 {
     $text = $this->url ? $this->url->get_label() : $this->text;
     return $_escape ? esc($text) : $text;
 }
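/**
 * Account-activation page: consumes $_GET['token'], marks the user verified,
 * auto-approves the very first account, and otherwise asks an admin to approve.
 *
 * Output is echoed directly; nothing is returned.
 */
function content()
{
    $errors = array();
    $token = array_key_exists('token', $_GET) ? $_GET['token'] : null;
    $user = null;
    if (!$token) {
        $errors[] = 'Invalid activation token';
    } else {
        // Only look the token up when one was supplied; the original queried
        // with an undefined/empty value and could report the error twice.
        $user = fetch_one_or_none('users', 'activation_token', $token);
        if (!$user) {
            $errors[] = 'Invalid activation token';
        }
    }
    if (count($errors)) {
        page_header('Activation failed');
        show_error_list($errors);
        return;
    }
    $admins = fetch_wol('*', 'users', 'date_verified IS NOT NULL AND date_approved IS NOT NULL', 'id ASC');
    // Clearing the token makes it single-use.
    $sets = array('activation_token' => null, 'date_verified' => date('Y-m-d H:i:s'));
    # Auto-approve user 1.
    if (count($admins) == 0) {
        $sets['date_approved'] = $sets['date_verified'];
        $sets['approved_by'] = 1;
    }
    update_all('users', $sets, 'id', $user->id);
    page_header('Account activated');
    if (count($admins)) {
        send_approval_request($user, $admins);
        ?>

    <p>Thank you for activating your account.
      Your request for an account has been forwarded to a site administrator
      for approval.  You will be notified by email when it is approved.</p>

  <?php 
    } else {
        register_user_rdf($user);
        # Don't set login cookie now.  This is to prevent someone hijacking
        # a login token, using it, and benefiting from a pre-logged-in session.
        # This way, they still need a password.
        global $config;
        ?>

    <p>Thank you for activating your account.
      You shouldn't need to do that again.  You may now want to 
      <a href="<?php 
        esc($config['http_path']);
        ?>
account/login">log in</a>.</p>

  <?php 
    }
}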
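 /**
  * Folds this item's single price into the running average row keyed by item hash,
  * creating the row on first sight.
  */
 private function updateAvg()
 {
     // Check if the item exists (item_id, refine, slots)
     $hash = esc($this->getHash());
     $query = "SELECT * FROM " . self::TABLE_PRICE . " WHERE item_hash = '" . $hash . "'";
     $row = Framework::getDb()->getFirstRow($query);
     if ($row) {
         // Found, update price sum (single price).
         // price_one is quoted as in the INSERT below: the original spliced it
         // in bare, where escaping alone does not protect the statement.
         $query = "UPDATE " . self::TABLE_PRICE . " SET price_sum = price_sum + '" . esc($this->price_one) . "', `count` = `count` + 1 WHERE item_hash = '" . $hash . "'";
         Framework::getDb()->query($query);
     } else {
         // Add new
         $query = "\n\t\t\t\t\t\tINSERT INTO `" . self::TABLE_PRICE . "` \n\t\t\t\t\t\t\t(`item_hash`, `item_id`, `price_sum`, `count`, `last_update`) \n\t\t\t\t\t\tVALUES \n\t\t\t\t\t\t\t('" . $hash . "',  '" . esc($this->id) . "', '" . esc($this->price_one) . "', '1', NOW())";
         Framework::getDb()->query($query);
     }
 }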
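/**
 * Stores a chat message from $userId to $toUserId (0 = everyone).
 *
 * @param mysqli $link        open database connection
 * @param string $chatMessage message text; stored HTML-escaped
 * @param mixed  $userId      sender id
 * @param mixed  $toUserId    recipient id; reset to 0 when the user is unknown
 * @return string 'message_empty', 'not_min_message' or 'message_send'
 */
function sendChatMessage($link, $chatMessage, $userId, $toUserId = 0)
{
    // Kept from the original: the message is stored already escaped. Note the
    // length checks below therefore count entity characters (e.g. "&lt;"), not
    // what the user typed.
    $chatMessage = esc($chatMessage);
    if (mb_strlen($chatMessage) < 1) {
        return 'message_empty';
    }
    if (mb_strlen($chatMessage) < 3) {
        return 'not_min_message';
    }
    if (!getUserLogin($link, $toUserId)) {
        $toUserId = 0;
    }
    // Parameterised insert: the original interpolated $userId/$toUserId raw and
    // relied on esc() (apparently an HTML escaper) to protect the message.
    // The query result is still not checked, matching the original best-effort behaviour.
    $stmt = mysqli_prepare($link, 'INSERT INTO `chat`(`chat_from_id`, `chat_to_id`,`chat_message`) VALUES (?, ?, ?)');
    if ($stmt !== false) {
        mysqli_stmt_bind_param($stmt, 'sss', $userId, $toUserId, $chatMessage);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
    return 'message_send';
}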
 /**
  * Upserts this vender row keyed by char_id: updates name/shop/position and
  * marks it online, or inserts a fresh online row.
  */
 public function save()
 {
     // Escape each field once; every value is spliced into a quoted literal.
     $id = esc($this->id);
     $name = esc($this->name);
     $shopname = esc($this->shopname);
     $posX = esc($this->posX);
     $posY = esc($this->posY);
     $posMap = esc($this->posMap);
     // Add vender to the database or set to online
     $existing = Framework::getDb()->getFirstRow("SELECT char_id FROM " . self::TABLE . " WHERE char_id = '" . $id . "'");
     if ($existing != null) {
         // Vender found, update it
         // Note: update name incase of name-change
         $query = "\n\t\t\t\t\tUPDATE " . self::TABLE . " SET \n\t\t\t\t\t\tname = '" . $name . "', \n\t\t\t\t\t\tshopname = '" . $shopname . "',\n\t\t\t\t\t\tposX = '" . $posX . "', \n\t\t\t\t\t\tposY = '" . $posY . "', \n\t\t\t\t\t\tposMap = '" . $posMap . "', \n\t\t\t\t\t\tonline = 1,\n\t\t\t\t\t\tseen = NOW()\n\t\t\t\t\tWHERE char_id = '" . $id . "'\n\t\t\t\t";
     } else {
         // New entry
         $query = "\n\t\t\t\t\tINSERT INTO " . self::TABLE . "\n\t\t\t\t\t\t(char_id, name, shopname, posX, posY, posMap, seen, online)\n\t\t\t\t\tVALUES\n\t\t\t\t\t\t('" . $id . "', '" . $name . "', '" . $shopname . "', '" . $posX . "', '" . $posY . "', '" . $posMap . "', NOW(), '1')\n\t\t\t\t";
     }
     Framework::getDb()->query($query);
 }
 /**
  * A closure route registered for "pages/(:segment)" must run and echo the segment.
  */
 public function testRunClosureRoute()
 {
     // Simulate a CLI request for pages/about.
     $_SERVER['argv'] = ['index.php', 'pages/about'];
     $_SERVER['argc'] = 2;
     // Inject mock router.
     $routeCollection = Services::routes();
     $routeCollection->add('pages/(:segment)', static function ($segment) {
         echo 'You want to see "' . esc($segment) . '" page.';
     });
     Services::injectMock('router', Services::router($routeCollection));
     ob_start();
     $this->codeigniter->run();
     $output = ob_get_clean();
     $this->assertContains('You want to see "about" page.', $output);
 }
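 /**
  * Creates a widget instance, filling in default data and the first skin when omitted.
  *
  * @param string      $widgetName
  * @param mixed|null  $data       widget data; null selects the widget's defaultData()
  * @param string|null $skin       skin name; null selects the widget's first skin
  * @param int         $revisionId
  * @param int         $languageId
  * @param string      $blockName
  * @param int         $position
  * @param bool        $visible
  * @return mixed the new widget id as returned by Model::createWidget()
  * @throws \Ip\Exception when the widget does not exist or has no skin to default to
  */
 public static function createWidget($widgetName, $data, $skin, $revisionId, $languageId, $blockName, $position, $visible = true)
 {
     $widgetObject = Model::getWidgetObject($widgetName);
     if (!$widgetObject) {
         throw new \Ip\Exception("Widget '" . esc($widgetName) . "' doesn't exist");
     }
     if ($data === null) {
         $data = $widgetObject->defaultData();
     }
     if ($skin === null) {
         $skins = $widgetObject->getSkins();
         if (!isset($skins[0]['name'])) {
             // The original indexed $skins[0] blindly and passed a null skin on.
             throw new \Ip\Exception("Widget '" . esc($widgetName) . "' has no skins");
         }
         $skin = $skins[0]['name'];
     }
     return Model::createWidget($widgetName, $data, $skin, $revisionId, $languageId, $blockName, $position, $visible);
 }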