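/**
 * Strip angle-bracket tags from a user's name and persist the cleaned value.
 *
 * Does nothing when the name is already tag-free. Otherwise prints a
 * before/after record (id, name, stripped name, email) for the operator,
 * updates the user row and echoes the executed query.
 *
 * @param object $user user row with id, name and email_addr properties
 * @return void
 */
function clean_user($user) {
    $stripped = sanitize_tags($user->name);
    // Cast so a null name compares equal to the empty string the sanitizer returns.
    if ((string) $user->name === $stripped) {
        return;
    }

    echo "ID: {$user->id}\nname: {$user->name}\nstripped name: {$stripped}\nemail: {$user->email_addr}\n-----\n";

    // Trim first, then escape: escaping has to be the last step before the
    // value is placed in SQL, otherwise trim() operates on escaped bytes.
    $stripped = boinc_real_escape_string(trim($stripped));
    // The id comes from the user row, but cast anyway so the interpolated
    // value can only ever be an integer.
    $id = (int) $user->id;
    $query = "update user set name='{$stripped}' where id={$id}";

    // mysql_query() belongs to the legacy mysql extension (removed in PHP 7).
    // Report a failed update instead of dropping the result silently.
    if (mysql_query($query) === false) {
        echo "update failed: " . mysql_error() . "\n";
    }
    echo $query;
}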
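/**
 * Record a feature marked by the user on the current image, then redirect.
 *
 * Reads the click position (pic_x, pic_y), the feature type and an optional
 * comment from the request, appends the feature to the instance's opaque data
 * and redirects back to the example page for this instance.
 *
 * @param object $job  the job; not used by this handler
 * @param object $inst the job instance; its opaque data is read, extended and written back
 * @return void
 */
function handle_add($job, $inst) {
    // Build an explicit object: assigning properties to a null variable relies
    // on auto-vivification, which warns on PHP 7 and throws an Error on PHP 8.
    $feature = new stdClass();
    $feature->x = get_int('pic_x');
    $feature->y = get_int('pic_y');
    $feature->type = sanitize_tags(get_str('type'));

    // The comment is optional; a comment still containing the "(optional)"
    // hint text (presumably the form's default) is treated as empty.
    $comment = sanitize_tags(get_str('comment', true));
    if ($comment !== null && strpos($comment, "(optional)") !== false) {
        $comment = "";
    }
    $feature->comment = $comment;

    $output = $inst->get_opaque_data();
    // NOTE(review): assumes get_opaque_data() returns an object; appending to
    // features[] would fail on a null return — TODO confirm.
    $output->features[] = $feature;
    $inst->set_opaque_data($output);

    header("location: bossa_example4.php?bji={$inst->id}");
}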
// either version 3 of the License, or (at your option) any later version. // // BOINC is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. // See the GNU Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public License // along with BOINC. If not, see <http://www.gnu.org/licenses/>. include_once "../inc/db.inc"; include_once "../inc/util.inc"; include_once "../inc/prefs.inc"; $user = get_logged_in_user(); $action = sanitize_tags(get_str("action", true)); $subset = sanitize_tags(get_str("subset")); $venue = sanitize_tags(get_str("venue", true)); $columns = get_str("cols", true); $c = $columns ? "&cols={$columns}" : ""; check_subset($subset); if ($action) { check_tokens($user->authenticator); if ($subset == "global") { $main_prefs = prefs_parse_global($user->global_prefs); if ($venue) { $prefs = $main_prefs->{$venue}; } else { $prefs = $main_prefs; } $error = prefs_global_parse_form($prefs); if ($error != false) { $title = tra("Edit %1 preferences", subset_name($subset));
exit; } page_head(tra("Profiles")); echo "\n <p>" . tra("%1Profiles%2 let individuals share backgrounds and opinions with the %3 community.", "<b>", "</b>", PROJECT) . " " . tra("Explore the diversity of your fellow volunteers, and contribute your own views for others to enjoy.") . "\n <p>" . tra("If you haven't already, you can %1create your own user profile%2 for others to see!", "<a href=\"create_profile.php\">", "</a>"); start_table_noborder(); $today = getdate(time()); $UOTD_heading = tra("User of the Day") . " -- " . $today['month'] . " " . $today['mday'] . ", " . $today['year']; row1($UOTD_heading); echo "<tr><td>"; $profile = get_current_uotd(); if ($profile) { $user = BoincUser::lookup_id($profile->userid); echo uotd_thumbnail($profile, $user); echo user_links($user) . "<br>"; $resp = output_transform($profile->response1); $resp = sanitize_tags($resp); echo sub_sentence($resp, ' ', 150, true); } echo "</td></tr>"; row1(tra("User Profile Explorer")); echo "<tr><td>\n <ul>\n <li>" . tra("View the %1User Picture Gallery%2.", "<a href=\"" . URL_BASE . "user_profile/user_gallery_1.html\">", "</a>") . "</li>\n <li>" . tra("Browse profiles %1by country%2.", "<a href=\"" . URL_BASE . "user_profile/profile_country.html\">", "</a>") . "</li>\n <li>" . tra("Browse profiles %1at random%2, %3at random with pictures%2, or %4at random without pictures%2.", "<a href=\"?cmd=rand&pic=-1\">", "</a>", "<a href=\"?cmd=rand&pic=1\">", "<a href=\"?cmd=rand&pic=0\">") . "</li>\n"; if (file_exists(PROFILE_PATH . "profile_alpha.html")) { echo "<li>" . tra("Alphabetical profile listings:") . "<br>"; include PROFILE_PATH . "profile_alpha.html"; } echo "</ul></td></tr>"; row1(tra("Search profile text")); rowify("\n <form action=\"profile_search_action.php\" method=\"GET\">\n <input type=\"text\" name=\"search_string\">\n <input type=\"submit\" value=\"" . tra("Search") . "\">\n </form>\n"); end_table(); page_tail(); function select_profile($cmd)
// // BOINC is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. // See the GNU Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public License // along with BOINC. If not, see <http://www.gnu.org/licenses/>. require_once "../inc/util.inc"; require_once "../inc/prefs.inc"; require_once "../inc/prefs_project.inc"; $user = get_logged_in_user(); check_tokens($user->authenticator); $action = sanitize_tags(get_str("action", true)); $subset = sanitize_tags(get_str("subset")); $venue = sanitize_tags(get_str("venue")); $columns = get_int("cols", true); $c = $columns ? "&cols={$columns}" : ""; check_venue($venue); check_subset($subset); if ($action) { if ($subset == "global") { $prefs = prefs_parse_global($user->global_prefs); $prefs->{$venue} = $prefs; $error = prefs_global_parse_form($new_prefs); if ($error != false) { $title = tra("Edit %1 preferences", subset_name($subset)); if ($venue) { $title = "{$title} for {$venue}"; } page_head($title);
$delete_problem .= "Cannot delete user: User has " . $c->count . " forum posts.<br/>"; } if ($delete_problem) { return false; } $q = "DELETE FROM user WHERE id=" . $user->id; $result = mysql_query($q); $delete_problem .= "User " . $user->id . " deleted."; unset($user); } $delete_problem = ""; // Process user search form $matches = ""; if (isset($_POST['search_submit'])) { $search_name = post_str('search_text'); $search_name = BoincDb::escape_string(sanitize_tags($search_name)); if (!empty($search_name)) { $result = mysql_query("SELECT * FROM user WHERE name='{$search_name}'"); if (mysql_num_rows($result) == 1) { $user = mysql_fetch_object($result); mysql_free_result($result); } else { $q = "SELECT * FROM user WHERE name LIKE '%" . $search_name . "%'"; $result = mysql_query($q); if (mysql_num_rows($result) == 1) { $user = mysql_fetch_object($result); mysql_free_result($result); } if (mysql_num_rows($result) > 1) { while ($row = mysql_fetch_object($result)) { if (!empty($matches)) {
xml_header(); $retval = db_init_xml(); if ($retval) { xml_error($retval); } $auth = get_str("account_key"); $user = BoincUser::lookup_auth($auth); if (!$user) { xml_error(ERR_DB_NOT_FOUND); } $name = $_GET["name"]; if (strlen($name) == 0) { xml_error(-1, "must set team name"); } $url = sanitize_tags(get_str("url")); $type_name = sanitize_tags(get_str("type")); // textual $type = team_type_num($type_name); $name_html = get_str("name_html"); $description = get_str("description"); $country = get_str("country"); if ($country == "") { $country = "International"; } // the following DB-escapes its args // $new_team = make_team($user->id, $name, $url, $type, $name_html, $description, $country); if ($new_team) { user_join_team($new_team, $user); echo "<create_team_reply>\n <success/>\n <team_id>{$new_team->id}</team_id>\n</create_team_reply>\n"; } else {
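//
// You should have received a copy of the GNU Lesser General Public License
// along with BOINC. If not, see <http://www.gnu.org/licenses/>.

require_once "../inc/boinc_db.inc";
require_once "../inc/util.inc";

if (DISABLE_PROFILES) {
    error_page("Profiles are disabled");
}

check_get_args(array("search_string", "offset"));

/**
 * Emit one table row for a profile search hit.
 *
 * @param object $profile profile row; only userid is read
 * @param int    $n       row number; accepted from the caller but not displayed
 * @return void
 */
function show_profile_link2($profile, $n) {
    $user = BoincUser::lookup_id($profile->userid);
    echo "<tr><td>" . user_links($user) . "</td><td>" . date_str($user->create_time) . "</td><td>{$user->country}</td><td>" . (int) $user->total_credit . "</td><td>" . (int) $user->expavg_credit . "</td></tr>\n";
}

// Two copies of the search term: the tag-sanitised one is what gets echoed
// into the page; the DB-escaped one is what goes into the MATCH ... AGAINST
// clause. Using the escaped copy for display would leak escape backslashes
// into the page title.
$display_string = sanitize_tags(get_str('search_string'));
$search_string = BoincDb::escape_string($display_string);

// Page through hits $count at a time. An absent or negative offset starts at
// 0: a negative LIMIT offset is a SQL syntax error.
$offset = get_int('offset', true);
$offset = $offset ? max(0, (int) $offset) : 0;
$count = 10;

page_head(tra("Profiles containing '%1'", $display_string));

$profiles = BoincProfile::enum("match(response1, response2) against ('{$search_string}') limit {$offset},{$count}");

start_table();
echo "\n <tr><th>" . tra("User name") . "</th>\n <th>" . tra("Joined project") . "</th>\n <th>" . tra("Country") . "</th>\n <th>" . tra("Total credit") . "</th>\n <th>" . tra("Recent credit") . "</th></tr>\n";
$n = 0;
foreach ($profiles as $profile) {
    show_profile_link2($profile, $n + $offset + 1);
    $n += 1;
}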
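/**
 * Send a private message to one or more recipients, or redisplay the form.
 *
 * Recipients come from the "to" field as a comma-separated list; each entry
 * is either a numeric user id or a user name. A preview request, a missing
 * field, a spam verdict from Akismet, a failed lookup or a recipient that
 * ignores the sender goes back to pm_form() with a message. Otherwise one
 * message is sent per distinct recipient and the browser is redirected to
 * the inbox.
 *
 * @param object $logged_in_user the sender
 * @return void
 */
function do_send($logged_in_user) {
    global $replyto, $userid;

    check_banished($logged_in_user);
    check_tokens($logged_in_user->authenticator);

    $to = sanitize_tags(post_str("to", true));
    $subject = post_str("subject", true);
    $content = post_str("content", true);

    if (post_str("preview", true) == tra("Preview")) {
        pm_form($replyto, $userid);
    }

    // Loose comparison on purpose: a missing field (null) and an empty
    // string both count as "not filled in".
    if ($to == null || $subject == null || $content == null) {
        pm_form($replyto, $userid, tra("You need to fill all fields to send a private message"));
        return;
    }

    if (!akismet_check($logged_in_user, $content)) {
        pm_form($replyto, $userid, tra("Your message was flagged as spam\n by the Akismet anti-spam system.\n Please modify your text and try again."));
    }

    // Normalise "a, b" to "a,b" before splitting on the separator.
    $recipients = explode(",", str_replace(", ", ",", $to));
    $userlist = array();
    $seen = array(); // user id => true; a recipient listed twice gets one message
    foreach ($recipients as $username) {
        $parts = explode(" ", $username);
        if (is_numeric($parts[0])) {
            // Numeric entry: a user id. This overwrites the global $userid that
            // later pm_form() calls receive — TODO confirm that is intended.
            $userid = $parts[0];
            $user = BoincUser::lookup_id($userid);
            if (!$user) {
                pm_form($replyto, $userid, tra("Could not find user with id %1", $userid));
            }
        } else {
            $user = BoincUser::lookup_name($username);
            if (!$user) {
                pm_form($replyto, $userid, tra("Could not find user with username %1", $username));
            } elseif (!is_object($user) && $user == -1) {
                // -1 signals an ambiguous name; keep the comparison scalar-only
                // so a user object is never compared to an int.
                pm_form($replyto, $userid, tra("%1 is not a unique username; you will have to use user ID", $username));
            }
        }
        BoincForumPrefs::lookup($user);
        if (is_ignoring($user, $logged_in_user)) {
            pm_form($replyto, $userid, tra("User %1 (ID: %2) is not accepting private messages from you.", $user->name, $user->id));
        }
        if (!isset($seen[$user->id])) {
            $userlist[] = $user;
            $seen[$user->id] = true;
        }
    }

    foreach ($userlist as $user) {
        // Moderators are exempt from the per-sender message count check.
        if (!is_moderator($logged_in_user, null)) {
            check_pm_count($logged_in_user->id);
        }
        pm_send_msg($logged_in_user, $user, $subject, $content, true);
    }

    // Keep the Location value on a single line: header() refuses a value
    // that contains a newline.
    header("Location: pm.php?action=inbox&sent=1");
}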
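require_once "../inc/sanitize_html.inc";
require_once "../inc/boinc_db.inc";

check_get_args(array());

// Only a team admin may edit team settings.
$user = get_logged_in_user();
$teamid = post_int("teamid");
$team = BoincTeam::lookup_id($teamid);
if (!$team) {
    error_page(tra("no such team"));
}
require_admin($user, $team);

// Plain-text fields are tag-sanitised and then DB-escaped; the escaped
// values are only used inside SQL below.
$team_url = BoincDb::escape_string(sanitize_tags(post_str("url", true)));
// Store the URL without its scheme. Use a prefix test: strstr() matches
// "http://" anywhere in the string, after which substr(7) would cut the
// wrong bytes.
if (strncmp($team_url, "http://", 7) === 0) {
    $team_url = substr($team_url, 7);
}
$team_name = BoincDb::escape_string(sanitize_tags(post_str("name")));
$team_name_lc = strtolower($team_name); // kept: may be read by code after this excerpt
// name_html may contain markup, so it goes through sanitize_html() rather
// than sanitize_tags().
$tnh = post_str("name_html", true);
$team_name_html = BoincDb::escape_string(sanitize_html($tnh));
// NOTE(review): description, type and country are DB-escaped but not
// tag-sanitised here; presumably filtered on output or validated elsewhere —
// confirm before relying on it.
$team_description = BoincDb::escape_string(post_str("description", true));
$type = BoincDb::escape_string(post_str("type", true));
$country = BoincDb::escape_string(post_str("country", true));
if ($country == "") {
    $country = "International";
}
if (!is_valid_country($country)) {
    error_page(tra("bad country"));
}
$joinable = post_str('joinable', true) ? 1 : 0;
$t = BoincTeam::lookup("name='{$team_name}'");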
require_once "../inc/util.inc"; require_once "../inc/email.inc"; $auth = post_str("auth"); $name = post_str("name"); if (strlen($name) == 0) { error_page(tra("You must supply a name for your account")); } if ($name != sanitize_tags($name)) { error_page(tra("HTML tags not allowed in name")); } $country = post_str("country"); if (!is_valid_country($country)) { error_page("invalid country"); } $country = BoincDb::escape_string($country); $postal_code = BoincDb::escape_string(sanitize_tags(post_str("postal_code", true))); $auth = BoincDb::escape_string($auth); $name = BoincDb::escape_string($name); $postal_code = BoincDb::escape_string($postal_code); $user = BoincUser::lookup("authenticator='{$auth}'"); if (!$user) { error_page("no such user"); } $retval = $user->update("name='{$name}', country='{$country}', postal_code='{$postal_code}'"); if (!$retval) { error_page("database error"); } // team may have already been joined in create_account RPC. // if so, skip team-finder // if ($user->teamid) {
/**
 * Accept a pending friend request from the user named by the userid parameter.
 *
 * Marks the request as reciprocated, stores the reverse friendship row,
 * notifies the requester (and emails them if their prefs ask for it), drops
 * the now-answered request notification and shows a confirmation page.
 *
 * @param object $user the logged-in user accepting the request
 * @return void
 */
function handle_accept($user) {
    $requester_id = get_int('userid');
    $requester = BoincUser::lookup_id($requester_id);
    if (!$requester) {
        error_page("No such user");
    }

    $request = BoincFriend::lookup($requester_id, $user->id);
    if (!$request) {
        error_page("No request");
    }
    $request->update("reciprocated=1");

    // An "accept message" is not offered by the form yet; the field is
    // optional and, when present, DB-escaped before the tags are neutralised.
    $message = post_str('message', true);
    if ($message) {
        $message = sanitize_tags(BoincDb::escape_string($message));
    }

    $timestamp = time();
    $stored = BoincFriend::replace("user_src={$user->id}, user_dest={$requester_id}, message='{$message}', create_time={$timestamp}, reciprocated=1");
    if (!$stored) {
        error_page(tra("Database error"));
    }

    $notify_type = NOTIFY_FRIEND_ACCEPT;
    BoincNotify::replace("userid={$requester_id}, create_time={$timestamp}, type={$notify_type}, opaque={$user->id}");

    BoincForumPrefs::lookup($requester);
    if ($requester->prefs->pm_notification == 1) {
        send_friend_accept_email($user, $requester, $message);
    }

    // The original request notification is no longer actionable.
    $pending = BoincNotify::lookup($user->id, NOTIFY_FRIEND_REQ, $requester_id);
    if ($pending) {
        $pending->delete();
    }

    page_head(tra("Friendship confirmed"));
    // NOTE(review): the requester's name is emitted as-is; this relies on
    // names being rejected or sanitised when stored — confirm before changing.
    echo tra("Your friendship with %1 has been confirmed.", "<b>{$requester->name}</b>");
    page_tail();
}
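/**
 * Sanitize tags.
 *
 * Neutralizes HTML tags by replacing the angle brackets '<' and '>' with the
 * entities '&lt;' and '&gt;'. Arrays are processed recursively, keys
 * preserved. Only those two characters are touched: '&' and quotes pass
 * through unchanged, so this is not a complete HTML or attribute escape.
 *
 * @param mixed $data string to sanitize, or an (optionally nested) array of them
 * @return mixed sanitized copy of $data with the same shape
 */
function sanitize_tags($data) {
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = sanitize_tags($v);
        }
        return $data;
    }
    // Replace with entities: replacing a bracket with itself (an identity) would
    // leave every tag intact.
    return str_replace(array('<', '>'), array('&lt;', '&gt;'), $data);
}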
select_profile($option); exit; } page_head(tra("Profiles")); echo "\n <p>" . tra("%1Profiles%2 let individuals share backgrounds and opinions with the %3 community.", "<b>", "</b>", PROJECT) . " " . tra("Explore the diversity of your fellow volunteers, and contribute your own views for others to enjoy.") . "\n <p>" . tra("If you haven't already, you can %1create your own user profile%2 for others to see!", "<a href=\"create_profile.php\">", "</a>"); start_table_noborder(); $today = getdate(time()); $UOTD_heading = tra("User of the Day") . " -- " . $today['month'] . " " . $today['mday'] . ", " . $today['year']; row1($UOTD_heading); echo "<tr><td>"; $profile = get_current_uotd(); if ($profile) { $user = lookup_user_id($profile->userid); echo uotd_thumbnail($profile, $user); echo user_links($user) . "<br>"; echo sub_sentence(output_transform(sanitize_tags($profile->response1)), ' ', 150, true); } echo "</td></tr>"; row1(tra("User Profile Explorer")); echo "<tr><td>\n <ul>\n <li>" . tra("View the %1User Picture Gallery%2.", "<a href=\"" . URL_BASE . "user_profile/user_gallery_1.html\">", "</a>") . "</li>\n <li>" . tra("Browse profiles %1by country%2.", "<a href=\"" . URL_BASE . "user_profile/profile_country.html\">", "</a>") . "</li>\n <li>" . tra("Browse profiles %1at random%2, %3at random with pictures%2, or %4at random without pictures%2.", "<a href=\"?cmd=rand&pic=-1\">", "</a>", "<a href=\"?cmd=rand&pic=1\">", "<a href=\"?cmd=rand&pic=0\">") . "</li>\n"; if (file_exists(PROFILE_PATH . "profile_alpha.html")) { echo "<li>" . tra("Alphabetical profile listings:") . "<br>"; include PROFILE_PATH . "profile_alpha.html"; } echo "</ul></td></tr>"; row1(tra("Search profile text")); rowify("\n <form action=\"profile_search_action.php\" method=\"GET\">\n <input type=\"text\" name=\"search_string\">\n <input type=\"submit\" value=\"" . tra("Search") . "\">\n </form>\n"); end_table(); page_tail(); function select_profile($cmd) {
$can_edit_title = $post->parent_post == 0 && $thread_owner->id == $logged_in_user->id && !is_banished($logged_in_user); $content = post_str("content", true); $title = post_str("title", true); $preview = post_str("preview", true); if (post_str('submit', true) && !$preview) { check_tokens($logged_in_user->authenticator); $add_signature = post_str('add_signature', true) == "1" ? 1 : 0; $content = substr($content, 0, 64000); $content = trim($content); if (strlen($content)) { $content = BoincDb::escape_string($content); $now = time(); $post->update("signature={$add_signature}, content='{$content}', modified={$now}"); if ($can_edit_title) { $title = trim($title); $title = sanitize_tags($title); $title = BoincDb::escape_string($title); $thread->update("title='{$title}'"); } header("Location: forum_thread.php?id={$thread->id}&postid={$postid}"); } else { delete_post($post, $thread, $forum); header("Location: forum_forum.php?id={$forum->id}"); } } page_head(tra("Forum"), '', '', '', $bbcode_js); show_forum_header($logged_in_user); switch ($forum->parent_type) { case 0: $category = BoincCategory::lookup_id($forum->category); show_forum_title($category, $forum, $thread);
Header("Location: bolt.php"); break; case 'review': // user chose to do review then repeat an exercise set // $view = finalize_view($view_id, BOLT_ACTION_REVIEW); debug_show_state(unserialize($view->state), "Initial"); $iter = new BoltIter($course_doc); $iter->decode_state($view->state); $iter->at(); if (!$iter->xset) { echo "NO XSET"; exit; } $xset = $iter->xset; $unit_name = sanitize_tags(get_str('unit_name')); $found = $xset->start_review($iter, $unit_name); if (!$found) { echo "REVIEW UNIT MISSING"; exit; } $iter->at(); $mode = default_mode($iter->item); $view_id = create_view($iter, $mode, $view->id); show_item($iter, $view_id, $view->id, $mode); break; case 'repeat': // user chose to repeat an exercise set // $view = finalize_view($view_id, BOLT_ACTION_REPEAT); debug_show_state(unserialize($view->state), "Initial");
} if (!is_ascii($passwd)) { show_error(tra("Passwords may only include ASCII characters.")); } if (strlen($passwd) < $min_passwd_length) { show_error(tra("New password is too short: minimum password length is %1 characters.", $min_passwd_length)); } $passwd_hash = md5($passwd . $new_email_addr); $country = post_str("country"); if ($country == "") { $country = "International"; } if (!is_valid_country($country)) { error_page("bad country"); } $postal_code = sanitize_tags(post_str("postal_code", true)); $user = make_user($new_email_addr, $new_name, $passwd_hash, $country, $postal_code, $project_prefs, $teamid); if (!$user) { show_error(tra("Couldn't create account")); } if (defined('INVITE_CODES')) { error_log("Account '{$new_email_addr}' created using invitation code '{$invite_code}'"); } // In success case, redirect to a fixed page so that user can // return to it without getting "Repost form data" stuff $next_url = post_str('next_url', true); $next_url = sanitize_local_url($next_url); if ($next_url) { Header("Location: " . url_base() . "{$next_url}"); } else { Header("Location: " . url_base() . "home.php");
// Where to send the browser after a successful login: the caller-supplied
// URL passed through sanitize_local_url() (presumably restricts the target
// to a local path — TODO confirm), falling back to the home page.
$next_url = sanitize_local_url(urldecode($next_url));
if (strlen($next_url) == 0) {
    $next_url = "home.php";
}

// "Stay logged in" flag, handed to the login helpers exactly as submitted.
// NOTE(review): assumes the helpers treat it as a boolean — TODO confirm.
$perm = isset($_POST['stay_logged_in']) ? $_POST['stay_logged_in'] : false;

// Account-key login: the key may arrive in the URL or, failing that, in POST data.
$authenticator = get_str("key", true) ?: post_str("authenticator", true);
if ($authenticator) {
    login_with_auth($authenticator, $next_url, $perm);
    exit;
}

// Otherwise an email/password login; LDAP is used when configured and the
// identifier is not an email address.
$email_addr = strtolower(sanitize_tags(post_str("email_addr", true)));
$passwd = post_str("passwd", true);
if ($email_addr && $passwd) {
    if (LDAP_HOST && !is_valid_email_addr($email_addr)) {
        login_with_ldap($email_addr, $passwd, $next_url, $perm);
    } else {
        login_with_email($email_addr, $passwd, $next_url, $perm);
    }
    exit;
}
error_page("You must supply an email address and password");
/**
 * Apply the submitted message-board settings to $forum.
 *
 * Title and description are tag-sanitised and DB-escaped; the three posting
 * thresholds are read as integers. A confirmation page is shown on success,
 * an error page otherwise.
 *
 * @param object $forum the team forum being edited; must provide update()
 * @return void
 */
function edit_action($forum) {
    $title = BoincDb::escape_string(sanitize_tags(post_str('title')));
    $description = BoincDb::escape_string(sanitize_tags(post_str('description')));
    // Read in this order so any rejection by post_int() happens in the same order.
    $min_interval = post_int('post_min_interval');
    $min_total_credit = post_int('post_min_total_credit');
    $min_expavg_credit = post_int('post_min_expavg_credit');

    $assignments = implode(", ", array(
        "title='{$title}'",
        "description='{$description}'",
        "post_min_interval={$min_interval}",
        "post_min_total_credit={$min_total_credit}",
        "post_min_expavg_credit={$min_expavg_credit}",
    ));
    if ($forum->update($assignments)) {
        page_head(tra("Team Message Board Updated"));
        echo tra("Update successful");
        page_tail();
    } else {
        error_page(tra("Update failed"));
    }
}
// Machine-readable output: at most 100 teams as XML, then stop.
if ($format == 'xml') {
    echo "<teams>\n";
    $emitted = 0;
    foreach ($teams as $team) {
        show_team_xml($team);
        $emitted++;
        if ($emitted == 100) {
            break;
        }
    }
    echo "</teams>\n";
    exit;
}

page_head(tra("Search Results"));
if (count($teams) > 0) {
    // The search term is tag-sanitised before being echoed into the heading.
    echo "<h2>" . tra("Search results for '%1'", sanitize_tags($team_name)) . "</h2>";
    echo "<p>";
    echo tra("You may view these teams' members, statistics, and information.");
    echo "<ul>";
    foreach ($teams as $team) {
        // NOTE(review): $team->name is emitted as-is; this relies on names
        // being sanitised when stored — confirm before changing.
        echo "<li><a href=team_display.php?teamid={$team->id}>{$team->name}</a></li>";
    }
    echo "</ul>";
    // Exactly 100 hits is taken to mean the result set was capped upstream.
    if (count($teams) == 100) {
        echo tra("More than 100 teams match your search. The first 100 are shown.") . "<br>\n ";
    }
}
echo tra("End of results. %1 If you cannot find the team you are looking for, you may %2create a team%3 yourself.", "<br>", "<a href=team_create_form.php>", "</a>");
page_tail();
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. // See the GNU Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public License // along with BOINC. If not, see <http://www.gnu.org/licenses/>. require_once "../inc/util.inc"; require_once "../inc/translation.inc"; check_get_args(array("set_lang")); $languages = get_supported_languages(); if (!is_array($languages)) { error_page("Language selection not enabled. Project admins must run the update_translations.php script."); } $prefs = ""; if (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])) { $prefs = $_SERVER["HTTP_ACCEPT_LANGUAGE"]; $prefs = sanitize_tags($prefs); } $set_lang = get_str("set_lang", true); if ($set_lang) { if (!in_array($set_lang, $languages) && $set_lang != "auto") { error_page("Language not supported"); } else { send_cookie('lang', $set_lang, true); header("Location: index.php"); exit; } } page_head(tra("Language selection")); function language_name($code) { if ($code == 'en') {