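/**
 * Insert one row into $tableName from a column => value map and return the new auto-increment id.
 *
 * @param string $tableName                   full table name (the prefix is NOT applied here — a
 *                                            getTableNameWithPrefix() call was left commented out)
 * @param array  $colsToValues                column => value pairs, rendered by mysql_getMysqlSetValues()
 * @param bool   $tempDisableMysqlStrictMode  when true, strict SQL mode is switched off around the
 *                                            INSERT and switched back on afterwards
 * @return int|string  value of mysql_insert_id() for the inserted row
 *
 * On a failed INSERT the function does not return: dieAsCaller() is invoked with the raw
 * mysql_error() text (which therefore reaches whoever sees the output).
 */
function mysql_insert($tableName, $colsToValues, $tempDisableMysqlStrictMode = false) {
    // $tableName is an identifier, not a value, so mysql_real_escape_string() cannot protect it.
    // Doubling backticks is MySQL's identifier escape; a name without backticks is unchanged.
    $escapedTableName = str_replace('`', '``', $tableName);
    $setClause        = mysql_getMysqlSetValues($colsToValues);
    $insertSql        = "INSERT INTO `{$escapedTableName}` SET {$setClause}";

    if ($tempDisableMysqlStrictMode) { mysqlStrictMode(false); }

    mysql_query($insertSql) or dieAsCaller("MySQL Error: " . mysql_error() . "\n");
    $recordNum = mysql_insert_id(); // must be read immediately after the INSERT on this connection

    // Strict mode is only restored on the success path; dieAsCaller() above terminates the request.
    if ($tempDisableMysqlStrictMode) { mysqlStrictMode(true); }

    return $recordNum;
}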
//set error messages
// NOTE(review): $_REQUEST merges GET, POST and COOKIE, so this form also accepts a plain GET
// submission; no CSRF or anti-automation token is checked anywhere in the visible code.
if (!@$_REQUEST['name'])    { $errorsAndAlerts .= "<li>Please enter your name.</li>"; }
if (!@$_REQUEST['email'])   { $errorsAndAlerts .= "<li>Please enter your email address.</li>"; }
elseif (!isValidEmail(@$_REQUEST['email'])) { $errorsAndAlerts .= "<li>Please enter a valid email address.</li>"; }
if (!@$_REQUEST['comment']) { $errorsAndAlerts .= "<li>Please enter your comment.</li>"; }

// IF NO ERRORS, SUBMIT FORM
if (!@$errorsAndAlerts) {

  // turn off strict mysql error checking for: STRICT_ALL_TABLES
  mysqlStrictMode(false); // disable Mysql strict errors for when a field isn't defined below (can be caused when fields are added later)

  // add record
  // Each value is single-quoted and passed through mysql_real_escape_string(); that is only
  // reliable when the connection's client charset has been set (connectToMySQL() does this via
  // mysql_set_charset). A failed INSERT terminates the request and shows the raw MySQL error
  // text (HTML-escaped) to the visitor.
  mysql_query("INSERT INTO `{$TABLE_PREFIX}contact_form_submissions` SET\n\t name = '" . mysql_real_escape_string($_REQUEST['name']) . "',\n\t email_address = '" . mysql_real_escape_string($_REQUEST['email']) . "',\n\t comment = '" . mysql_real_escape_string($_REQUEST['comment']) . "',\n\n\t createdDate = NOW(),\n\t updatedDate = NOW(),\n\t createdByUserNum = '0',\n\t updatedByUserNum = '0'") or die("MySQL Error Creating Record:<br/>\n" . htmlspecialchars(mysql_error()) . "\n");
  $recordNum = mysql_insert_id();

  // email everyone who wants to know
  // NOTE(review): disabled code. If it is re-enabled, the three user.* placeholders carry raw
  // visitor input into the email template — confirm the template layer escapes/encodes them.
  // $emailHeaders = emailTemplate_loadFromDB(array(
  //   'template_id'  => 'CMS-CONTACT-US',
  //   'placeholders' => array(
  //     'user.name'    => $_REQUEST['name'],
  //     'user.email'   => $_REQUEST['email'],
  //     'user.comment' => $_REQUEST['comment'],
  //     'yyyy-mm-dd'   => date("Y-m-d"),
  //     'time'         => date("H:i"),
  //   ),
  // ));
  // (the enclosing if-block continues beyond this excerpt)
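/**
 * First-run installer; does nothing once isInstalled() reports true.
 *
 * Validates the license, MySQL and admin-account fields posted from lib/menus/install.php,
 * copies them into $SETTINGS, connects to MySQL, creates the schema, then either creates the
 * first admin account or restores a backup from DATA_DIR/backups, saves the settings and
 * redirects to ?menu=home. Any alert() re-displays the form. Returns nothing: every path
 * either returns early or exits after rendering/redirecting.
 *
 * SECURITY (review): this code runs unauthenticated until the install completes, so every
 * $_REQUEST value here is untrusted, and no CSRF token is checked in this function. An
 * un-installed instance reachable from the network can be claimed by whoever submits the form
 * first — keep installs off public networks or restrict access until done.
 */
function installIfNeeded() {
    global $SETTINGS, $APP, $TABLE_PREFIX;
    if (isInstalled()) { return; } // skip if already installed

    // rename default files
    renameOrRemoveDefaultFiles();

    // error checking
    if ($SETTINGS['uploadDir'] && !is_dir($SETTINGS['uploadDir'])) {
        print "Upload directory doesn't exist, please update 'uploadDir' in /data/" . SETTINGS_FILENAME . "<br/>\n";
        print "Current uploadDir value: " . htmlencode($SETTINGS['uploadDir']) . "<br/>\n";
        print "Suggested uploadDir value: uploads/ or ../uploads/<br/>\n";
        exit;
    }

    // error checking
    checkFilePermissions();

    // display license
    if (@$_REQUEST['menu'] == 'license') { showInterface('license.php'); }

    // save
    if (@$_REQUEST['save']) {

        // error checking
        if (!$_REQUEST['licenseCompanyName']) { alert("Please enter your 'Company Name'<br/>\n"); }
        if (!$_REQUEST['licenseDomainName'])  { alert("Please enter your 'Domain Name'<br/>\n"); }
        if (!$_REQUEST['licenseProductId'])   { alert("Please enter your 'Product Id'<br/>\n"); }
        else {
            if (!isValidProductId($_REQUEST['licenseProductId'])) { alert("Invalid Product Id!<br/>\n"); }
        }
        if (!$_REQUEST['agreeToOneInstall'])     { alert("Please check 'I agree not to use this 'Product Id' for multiple installs'<br/>\n"); }
        if (!$_REQUEST['understandTermination']) { alert("Please check 'I understand doing so may cause be to lose my right to use this software'<br/>\n"); }
        if (!$_REQUEST['agreeToLicense'])        { alert("Please check 'I accept the terms of the License Agreement'<br/>\n"); }

        if (!$_REQUEST['mysqlHostname']) { alert("Please enter your 'MySQL Hostname'<br/>\n"); }
        if (!$_REQUEST['mysqlDatabase']) { alert("Please enter your 'MySQL Database'<br/>\n"); }
        if (!$_REQUEST['mysqlUsername']) { alert("Please enter your 'MySQL Username'<br/>\n"); }
        if     (!$_REQUEST['mysqlTablePrefix'])                              { alert("Please enter your 'MySQL Table Prefix'<br/>\n"); }
        elseif (preg_match("/[A-Z]/", $_REQUEST['mysqlTablePrefix']))        { alert("Value for 'MySQL Table Prefix' must be lowercase.<br/>\n"); }
        elseif (!preg_match("/^[a-z]/i", $_REQUEST['mysqlTablePrefix']))     { alert("Value for 'MySQL Table Prefix' must start with a letter.<br/>\n"); }
        elseif (!preg_match("/_\$/", $_REQUEST['mysqlTablePrefix']))         { alert("Value for 'MySQL Table Prefix' must end in underscore.<br/>\n"); }
        // The prefix is interpolated into backtick-quoted identifiers below (`{$TABLE_PREFIX}accounts`)
        // without identifier escaping, and the three checks above leave its middle characters
        // unconstrained — so restrict it to a plain identifier.
        elseif (!preg_match("/^[a-z][a-z0-9_]*_\$/", $_REQUEST['mysqlTablePrefix'])) { alert("Value for 'MySQL Table Prefix' may only contain lowercase letters, digits and underscores.<br/>\n"); }

        // New Installation
        if (!@$_REQUEST['restoreFromBackup']) {
            if (!$_REQUEST['adminFullname']) { alert("Please enter 'Admin Full Name'<br/>\n"); }
            if (!$_REQUEST['adminEmail'])    { alert("Please enter 'Admin Email'<br/>\n"); }
            elseif (!isValidEmail($_REQUEST['adminEmail'])) { alert("Please enter a valid email for 'Admin Email' (Example: user@example.com)<br/>\n"); }
            if (!$_REQUEST['adminUsername']) { alert("Please enter 'Admin Username'<br/>\n"); }
            $passwordErrors = getNewPasswordErrors($_REQUEST['adminPassword1'], $_REQUEST['adminPassword2'], $_REQUEST['adminUsername']); // v2.52
            if ($passwordErrors) { alert(nl2br(htmlencode($passwordErrors))); }
        }

        // Restore from Backup
        if (@$_REQUEST['restoreFromBackup']) {
            if (!$_REQUEST['restore']) { alert("Please select a backup file to restore<br/>\n"); }
            // The value is appended to DATA_DIR/backups/ below; anything other than a bare filename
            // (e.g. "../") would let the installer read a file outside the backups directory.
            elseif ($_REQUEST['restore'] != basename($_REQUEST['restore'])) { alert("Invalid backup filename<br/>\n"); }
        }

        // Advanced - v2.53
        if (!@$_REQUEST['useCustomSettingsFile']) {
            if (is_file(SETTINGS_DEV_FILEPATH)) {
                alert(t("You must select 'Use Custom Settings File' since a custom settings file for this domain already exists!") . "<br/>\n");
            } elseif (isDevServer()) {
                alert("This is a development server, you must select 'Use Custom Settings File'." . "<br/>\n");
            }
        }
        if (@$_REQUEST['webPrefixUrl'] != '') {
            if (!preg_match("|^(\\w+:/)?/|", $_REQUEST['webPrefixUrl'])) { alert(t("Website Prefix URL must start with /") . "<br/>\n"); }
            if (preg_match("|/\$|", $_REQUEST['webPrefixUrl']))          { alert(t("Website Prefix URL cannot end with /") . "<br/>\n"); }
        }

        // update settings (not saved unless there are no errors)
        // mt_rand() is not a CSPRNG; the prefix only namespaces cookie names and does not appear to
        // be used as a secret anywhere visible here, so that is acceptable.
        $SETTINGS['cookiePrefix']         = substr(md5(mt_rand()), 0, 5) . '_'; //v2.51 shortened prefix so it's easy to see full cookie names in browser cookie list
        $SETTINGS['adminEmail']           = @$SETTINGS['adminEmail'] ? $SETTINGS['adminEmail'] : $_REQUEST['adminEmail'];
        $SETTINGS['licenseCompanyName']   = $_REQUEST['licenseCompanyName'];
        $SETTINGS['licenseDomainName']    = $_REQUEST['licenseDomainName'];
        $SETTINGS['licenseProductId']     = $_REQUEST['licenseProductId'];
        $SETTINGS['webRootDir']           = @$SETTINGS['webRootDir'] ? $SETTINGS['webRootDir'] : @$_SERVER['DOCUMENT_ROOT'];
        $SETTINGS['mysql']['hostname']    = $_REQUEST['mysqlHostname'];
        $SETTINGS['mysql']['database']    = $_REQUEST['mysqlDatabase'];
        $SETTINGS['mysql']['username']    = $_REQUEST['mysqlUsername'];
        $SETTINGS['mysql']['password']    = $_REQUEST['mysqlPassword'];
        $SETTINGS['mysql']['tablePrefix'] = $_REQUEST['mysqlTablePrefix'];
        $TABLE_PREFIX                     = $_REQUEST['mysqlTablePrefix']; // update TABLE_PREFIX global as well.
        $SETTINGS['webPrefixUrl']         = $_REQUEST['webPrefixUrl'];

        // display errors
        if (alert()) {
            require "lib/menus/install.php";
            exit;
        }

        // connect to mysql (first pass returns errors so the form can be re-shown; second pass dies on failure)
        $errors = connectToMySQL('returnErrors');
        if ($errors) {
            alert($errors);
            require "lib/menus/install.php";
            exit;
        } else {
            connectToMySQL();
        }

        // create schema tables
        createMissingSchemaTablesAndFields();
        clearAlertsAndNotices(); // don't show "created table/field" alerts

        // New Installation: check if admin user already exists
        if (!@$_REQUEST['restoreFromBackup']) {
            $passwordHash = getPasswordDigest($_REQUEST['adminPassword1']);
            // NOTE(review): this lookup only matches when getPasswordDigest() is deterministic for a
            // given password (no per-user salt); with a salted digest it is effectively always false.
            // Confirm against getPasswordDigest() — if salted, re-running the install with the same
            // credentials always reaches the "already exists" alert below.
            $identicalUserExists = mysql_count('accounts', array('username' => $_REQUEST['adminUsername'], 'password' => $passwordHash, 'isAdmin' => '1'));
            if (!$identicalUserExists) { // if the don't exist, check if a user with the same username exists and show an error if they do
                $count = mysql_count('accounts', array('username' => $_REQUEST['adminUsername']));
                if (!$identicalUserExists && $count > 0) { alert("Admin username already exists, please choose another.<br/>\n"); }
            }

            // create admin user
            if (!$identicalUserExists && !alert()) {
                mysqlStrictMode(false); // disable Mysql strict errors for when a field isn't defined below (can be caused when fields are added later)
                // NOTE(review): the username/password fragments of this statement were redacted in the
                // reviewed listing; they are reconstructed from the fullname/email pattern on the same
                // line and from $passwordHash computed above — verify against the real source.
                mysql_query("INSERT INTO `{$TABLE_PREFIX}accounts` SET\n createdDate = NOW(),\n createdByUserNum = '0',\n updatedDate = NOW(),\n updatedByUserNum = '0',\n fullname = '" . mysql_escape($_REQUEST['adminFullname']) . "', email = '" . mysql_escape($_REQUEST['adminEmail']) . "',\n username = '" . mysql_escape($_REQUEST['adminUsername']) . "', password = '" . mysql_escape($passwordHash) . "',\n disabled = '0',\n isAdmin = '1',\n expiresDate = '0000-00-00 00:00:00',\n neverExpires = '1'") or alert("MySQL Error Creating Admin User:<br/>\n" . htmlencode(mysql_error()) . "\n");

                // create accesslist entry
                mysql_query("INSERT INTO `{$TABLE_PREFIX}_accesslist` (userNum, tableName, accessLevel, maxRecords, randomSaveId)\n VALUES (LAST_INSERT_ID(), 'all', '9', NULL, '1234567890')") or alert("MySQL Error Creating Admin Access List:<br/>\n" . htmlencode(mysql_error()) . "\n");
            }
        }

        // Restore from Backup: Restore backup file
        if (@$_REQUEST['restoreFromBackup']) {
            $userCount = mysql_count('accounts');
            if ($userCount) {
                $userTable     = $TABLE_PREFIX . 'accounts';
                $errorMessage  = sprintf("Can't restore from backup because it would overwrite the %s existing user accounts in the specified database location.<br/>\n", $userCount);
                $errorMessage .= sprintf("Try changing the MySQL Database or Table Prefix to restore to a different location, or remove existing users from '%s'.<br/>\n", $userTable);
                alert($errorMessage);
            } else {
                // restore database
                // basename() keeps the restore confined to DATA_DIR/backups even if the form check above
                // is bypassed; the name is HTML-encoded before display since alert()/notice() callers
                // elsewhere in this function encode their own input.
                $filename = basename(@$_REQUEST['restore']);
                mysqlStrictMode(false); // disable Mysql strict errors
                restoreDatabase(DATA_DIR . '/backups/' . $filename);
                notice("Restored backup file /data/backups/" . htmlencode($filename));
                makeAllUploadRecordsRelative();
            }
        }

        // save settings
        if (!alert()) {
            saveSettings(@$_REQUEST['useCustomSettingsFile']);
            isInstalled(true); // save installed status
            redirectBrowserToURL('?menu=home', true); // refresh page
            exit; // was `exitl;` (undefined constant) in the reviewed listing, which let execution fall through to the form below
        }
    }

    // set defaults
    if (!array_key_exists('licenseDomainName', $_REQUEST)) { $_REQUEST['licenseDomainName'] = $_SERVER['HTTP_HOST']; }
    if (!array_key_exists('mysqlHostname', $_REQUEST))     { $_REQUEST['mysqlHostname']     = $SETTINGS['mysql']['hostname']; }
    if (!array_key_exists('mysqlDatabase', $_REQUEST))     { $_REQUEST['mysqlDatabase']     = $SETTINGS['mysql']['database']; }
    if (!array_key_exists('mysqlUsername', $_REQUEST))     { $_REQUEST['mysqlUsername']     = $SETTINGS['mysql']['username']; }
    if (!array_key_exists('mysqlTablePrefix', $_REQUEST))  { $_REQUEST['mysqlTablePrefix']  = $SETTINGS['mysql']['tablePrefix']; }

    // show form
    require "lib/menus/install.php";
    exit;
}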
}
if ($isMyAccountMenu && $isNewRecord) { die("Record doesn't exist! My Account menu can't create new records."); }

doAction('record_save_errorchecking', $tableName, $recordExists, $oldRecord);
doAction('record_save_posterrorchecking', $tableName, $recordExists, $oldRecord);

### insert blank record if needed
if ($isNewRecord) {
  // insert blank record
  mysqlStrictMode(false); // disable strict mode so we don't get errors for not specifying field values
  // NOTE(review): the INSERT's result is not checked (the die() is commented out). If it fails,
  // mysql_insert_id() returns 0 and the UPDATE further down targets num = '0'.
  mysql_query("INSERT INTO `{$escapedTableName}` () VALUES()"); # or die("MySQL Error: ". htmlencode(mysql_error()) . "\n");
  $last_insert_id = mysql_insert_id(); // NOTE: This must come RIGHT after query or it won't work
  mysqlStrictMode(true);

  // get record number (later code reads the new id back out of $_REQUEST['num'])
  $_REQUEST['num'] = $last_insert_id;

  // adopt uploads (read without isset(); emits a notice when the field is absent)
  if ($_REQUEST['preSaveTempId']) { adoptUploads($tableName, $_REQUEST['preSaveTempId'], $last_insert_id); }
}

### update record
// $escapedTableName is already identifier-escaped by the caller (name suggests so — confirm);
// the record number is value-escaped with mysql_escape() before being quoted.
$updateColumnValues = _getColsToValuesForSQLSet($mySqlColsAndTypes, $newRecordValues, $isNewRecord);
if ($updateColumnValues) {
  $updateQuery = "UPDATE `{$escapedTableName}` SET {$updateColumnValues} WHERE num = '" . mysql_escape($_REQUEST['num']) . "'";
  $result = @mysql_query($updateQuery);

  // if error
  if (!$result) {
    $error = "MySQL Error: " . mysql_error() . "\n";
    // (the block continues beyond this excerpt)
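/**
 * Open the global MySQL connection ($DBH) from $SETTINGS, select (or create) the database,
 * enforce REQUIRED_MYSQL_VERSION, set the utf8 client charset, strict SQL mode and timezone.
 *
 * Connection details come from $SETTINGS['mysql'], optionally overridden by a per-host block
 * $SETTINGS["mysql:<HTTP_HOST>"]. The Host header is attacker-controlled, but it is only used as
 * an array key, so an unknown Host simply falls back to the default block.
 *
 * @param bool|string $returnErrors  truthy: return errors as an HTML string instead of terminating
 *                                   (the installer passes 'returnErrors' so it can re-show its form)
 * @return string  '' on success; an error message when $returnErrors is set and a step failed.
 *                 Without $returnErrors every failure ends the request (die/exit).
 */
function connectToMySQL($returnErrors = false) {
    global $SETTINGS, $DBH;

    ### Get connection details
    $hostKey        = "mysql:" . @$_SERVER['HTTP_HOST'];
    $hostname       = getFirstDefinedValue(@$SETTINGS[$hostKey]['hostname'], $SETTINGS['mysql']['hostname']);
    $username       = getFirstDefinedValue(@$SETTINGS[$hostKey]['username'], $SETTINGS['mysql']['username']);
    $password       = getFirstDefinedValue(@$SETTINGS[$hostKey]['password'], $SETTINGS['mysql']['password']);
    $database       = getFirstDefinedValue(@$SETTINGS[$hostKey]['database'], $SETTINGS['mysql']['database']);
    $textOnlyErrors = coalesce(inCLI(), @$SETTINGS[$hostKey]['textOnlyErrors'], $SETTINGS['mysql']['textOnlyErrors']);

    ## SLOW REMOTE CONNECTION
    ## If you are connecting to a remote database that is intolerably slow, try
    ## updating the mysql configuration file (often "/etc/my.cfg") by adding the
    ## following option to the [mysqld] section:
    ##
    ##   skip-name-resolve
    ##
    ## MySQL documentation for this option (--skip-name-resolve): do not resolve host
    ## names when checking client connections; use only IP addresses. If you use this
    ## option, all Host column values in the grant tables must be IP addresses or localhost.

    ### Connect to database
    $DBH = @mysql_connect($hostname, $username, $password);
    if (!$DBH) {
        $connectionError = mysql_error(); // includes the driver's text (may name the host/user)
        if ($returnErrors) {
            return "Error connecting to MySQL:<br/>\n{$connectionError}";
        } elseif ($textOnlyErrors) {
            die("Error connecting to MySQL: {$connectionError}");
        } else {
            $libDir = pathinfo(__FILE__, PATHINFO_DIRNAME); // viewers may be in different dirs
            include "{$libDir}/menus/dbConnectionError.php";
        }
        exit;
    }

    // select db (create it on first use)
    $isDbSelected = mysql_select_db($database);
    if (!$isDbSelected) {
        // The database name is an identifier, not a value: double any backtick so it cannot break
        // out of the quoted identifier. During install this name comes straight from the form.
        $escapedDatabase = str_replace('`', '``', $database);
        if (!mysql_query("CREATE DATABASE `{$escapedDatabase}`")) {
            $error = "MySQL Error: " . mysql_error() . "\n";
            if ($returnErrors) { return $error; } // honour $returnErrors like the version check below
            die($error);
        }
        if (!mysql_select_db($database)) {
            $error = "MySQL Error: " . mysql_error() . "\n";
            if ($returnErrors) { return $error; }
            die($error);
        }
    }

    ### check for required mysql version
    $currentVersion = preg_replace("/[^0-9\\.]/", '', mysql_get_server_info());
    if (version_compare(REQUIRED_MYSQL_VERSION, $currentVersion, '>')) {
        $error  = "This program requires MySQL v" . REQUIRED_MYSQL_VERSION . " or newer. This server has v{$currentVersion} installed.<br/>\n";
        $error .= "Please ask your server administrator to install MySQL v" . REQUIRED_MYSQL_VERSION . " or newer.<br/>\n";
        if ($returnErrors) { return $error; }
        die($error);
    }

    ### Set Character Set
    # note: set through PHP 'set_charset' function so mysql_real_escape string() knows what charset to use. setting the charset
    # ... through mysql queries with 'set names' didn't cause mysql_client_encoding() to return a different value
    # (this is what makes the mysql_real_escape_string() calls elsewhere in the app charset-safe)
    if (!mysql_set_charset("utf8")) {
        $error = "Error loading character set utf8: " . mysql_error() . '';
        if ($returnErrors) { return $error; }
        die($error);
    }

    # set MySQL strict mode - http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html
    mysqlStrictMode(true);

    # set MySQL timezone offset
    setMySqlTimezone();

    // empty string signals success to callers that check the return value
    return '';
}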