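/**
 * Reads the request URI and decides how to serve it.
 *
 * If the URI names a real file inside the document root (other than the
 * front controller itself), that file is required and the script exits.
 * Otherwise the URI path is split into segments for the router; segment 0
 * falls back to the default page when the path is empty.
 *
 * @return array URI segments with the leading empty segment removed
 */
public static function read_url()
{
    // Document root, always with a trailing slash
    $root = rtrim(dirname($_SERVER['SCRIPT_FILENAME']), '/') . '/';

    // Sub-folder the front controller lives in ("/" when it is at the root)
    $sublevels = dirname($_SERVER['SCRIPT_NAME']);

    $address_bar_uri = $_SERVER['REQUEST_URI'];

    // Strip the sub-folder prefix only; a str_replace() would also remove
    // the folder name wherever else it happened to appear in the URI
    if ($sublevels !== '/' && strpos($address_bar_uri, $sublevels) === 0) {
        $to_parse = substr($address_bar_uri, strlen($sublevels));
    } else {
        $to_parse = $address_bar_uri;
    }

    // Only the path part is routed; the query string is left to $_GET
    $parts = explode('?', $to_parse, 2);
    $request = $parts[0];

    // Collapse the doubled slash produced by joining root and request
    $absolute_file_path = str_replace('//', '/', $root . $request);

    // Resolve ".." and symlinks before deciding whether to include the file,
    // so a crafted URI cannot name something outside the document root
    $real_root = realpath($root);
    $real_path = realpath($absolute_file_path);
    $inside_root = $real_root !== false
        && $real_path !== false
        && strpos($real_path, rtrim($real_root, '/') . '/') === 0;

    // SCRIPT_NAME is a URL path, so comparing it with a filesystem path can
    // never match; compare resolved filenames to skip the front controller
    $is_front_controller = $real_path !== false
        && $real_path === realpath($_SERVER['SCRIPT_FILENAME']);

    if ($inside_root && !$is_front_controller && $request !== '/') {
        // A directory request is served by its index.php; the name must be
        // appended to the path that is actually included, not to $request
        if (is_dir($real_path)) {
            $real_path = rtrim($real_path, '/') . '/index.php';
        }
        if (is_file($real_path)) {
            FB::log($real_path, "Requested File");
            require_once $real_path;
            exit;
        }
    }

    // Not a file: hand the cleaned path segments to the router
    $url = SIV::clean_output($request, false, false);
    $url_array = explode('/', $url);
    array_shift($url_array);

    if (!isset($url_array[0]) || strlen($url_array[0]) < 1) {
        $url_array[0] = DB_Actions::get_default_page();
    }

    return $url_array;
}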
/**
 * Copies the posted form into the session's temp store after cleaning it.
 *
 * Password fields are deliberately left out so they never reach the session.
 */
private function _store_post_data()
{
    $skipped = array('password', 'verify-password');

    foreach ($_POST as $field => $value) {
        if (in_array($field, $skipped, true)) {
            continue;
        }

        $this->_sdata->temp->{$field} = SIV::clean_output($value, false, false);
    }
}
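/**
 * Writes an entry to the database, inserting a new row or updating the
 * existing one (ON DUPLICATE KEY on the entry ID).
 *
 * Known fields are read from $_POST by name; any other posted key, and any
 * uploaded file, is collected into the serialized `extra` column. The author
 * comes from the session and the timestamp from time().
 *
 * @return bool true on success, false when the statement reports an error or
 *              an exception is thrown (both are logged)
 */
public function save_entry()
{
    // Keys that belong to the form machinery, not to the entry
    $control_keys = array('page', 'action', 'token', 'form-submit');

    // Known fields, read by name so that a crafted POST key cannot create or
    // overwrite arbitrary locals in this method (the loop used ${$key} before)
    $fields = array(
        'entry_id' => '',
        'page_id'  => '',
        'title'    => null,
        'entry'    => null,
        'excerpt'  => null,
        'slug'     => '',
        'tags'     => null,
        'author'   => null,
        'created'  => null,
    );
    $page = null;
    $extra = array();

    foreach ($_POST as $key => $val) {
        if ($key === 'page') {
            // Slug of the parent page; resolved to a page_id in the query
            $page = htmlentities($val, ENT_QUOTES, 'UTF-8', false);
        } elseif (in_array($key, $control_keys, true)) {
            continue;
        } elseif (array_key_exists($key, $fields)) {
            // Entry and excerpt keep their markup; everything else is escaped
            $fields[$key] = ($key === 'entry' || $key === 'excerpt')
                ? $val
                : htmlentities($val, ENT_QUOTES, 'UTF-8', false);
        } else {
            // Unknown fields are kept as posted (unescaped) in the extra column
            $extra[$key] = $val;
        }
    }

    foreach ($_FILES as $key => $file) {
        if (is_array($file) && $file['error'] === UPLOAD_ERR_OK) {
            // Images get special handling; any other upload is stored as-is
            $stored = ImageControl::check_image($file);
            if (!$stored) {
                $stored = Utilities::store_uploaded_file($file);
            }
            $extra[$key] = $stored;
        } elseif (!empty($_POST[$key . '-value'])) {
            // Nothing new uploaded: keep the value the form sent back
            $extra[$key] = SIV::clean_output($_POST[$key . '-value'], false, false);
        }
    }

    $entry_id = $fields['entry_id'];
    $title    = $fields['title'];
    $entry    = $fields['entry'];
    $tags     = $fields['tags'];

    // Fall back to a URL version of the title when no slug was given
    $slug = empty($fields['slug']) ? Utilities::make_url($title) : $fields['slug'];

    // NOTE(review): previously a never-assigned local $order was tested here,
    // so the column was always written as 0; the form's "order" field (which
    // also lands in $extra) is now used.
    $order = !empty($_POST['order']) ? (int) $_POST['order'] : 0;

    // Without an excerpt, build a plain-text preview of the entry
    $excerpt = empty($fields['excerpt'])
        ? strip_tags(Utilities::text_preview($entry))
        : $fields['excerpt'];

    // Author and timestamp always come from the server, never from the form
    // (assumes a logged-in user is present in the session)
    $author  = $_SESSION['user']['name'];
    $created = time();

    $entries_table = '`' . DB_NAME . '`.`' . DB_PREFIX . 'entries`';
    $pages_table   = '`' . DB_NAME . '`.`' . DB_PREFIX . 'pages`';

    // Named placeholders are reused in the UPDATE part, which relies on
    // emulated prepares
    $sql = "INSERT INTO $entries_table
                (" . self::ENTRY_FIELDS . ")
            VALUES
                (
                    :entry_id,
                    (
                        SELECT `page_id`
                        FROM $pages_table
                        WHERE `page_slug`=:page_slug
                        LIMIT 1
                    ),
                    :title, :entry, :excerpt, :slug, :tags,
                    :order, :extra, :author, :created
                )
            ON DUPLICATE KEY UPDATE
                `title`=:title,
                `entry`=:entry,
                `excerpt`=:excerpt,
                `slug`=:slug,
                `tags`=:tags,
                `order`=:order,
                `extra`=:extra;";

    try {
        $stmt = $this->db->prepare($sql);

        // bindValue() rather than bindParam(): the latter needs a variable
        // reference, which the serialize() call result below is not
        $stmt->bindValue(':entry_id', $entry_id, PDO::PARAM_INT);
        // page_slug is a string; declare it as one (PARAM_INT may coerce it,
        // depending on the driver's prepare mode)
        $stmt->bindValue(':page_slug', $page, PDO::PARAM_STR);
        $stmt->bindValue(':title', $title, PDO::PARAM_STR);
        $stmt->bindValue(':entry', $entry, PDO::PARAM_STR);
        $stmt->bindValue(':excerpt', $excerpt, PDO::PARAM_STR);
        $stmt->bindValue(':slug', $slug, PDO::PARAM_STR);
        $stmt->bindValue(':order', $order, PDO::PARAM_INT);
        $stmt->bindValue(':tags', $tags, PDO::PARAM_STR);
        $stmt->bindValue(':extra', serialize($extra), PDO::PARAM_STR);
        $stmt->bindValue(':author', $author, PDO::PARAM_STR);
        $stmt->bindValue(':created', $created, PDO::PARAM_STR);
        $stmt->execute();

        if ($stmt->errorCode() !== '00000') {
            $err = $stmt->errorInfo();
            ECMS_Error::log_exception(new Exception($err[2]));
            $stmt->closeCursor();
            // A logged statement error is a failure, as the contract says
            return false;
        }

        $stmt->closeCursor();

        return true;
    } catch (Exception $e) {
        $this->_log_exception($e);

        return false;
    }
}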
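/**
 * Inserts or updates a page/menu row from the posted form fields.
 *
 * Each expected field is read from $_POST by name and run through
 * SIV::clean_output(); a field missing from the form is bound as null.
 *
 * @return bool true when the statement reports no error, false otherwise
 *              (a thrown exception is logged and yields false)
 */
public function update_menu()
{
    // Reading known names from $_POST, rather than creating a local for every
    // posted key, keeps unexpected form fields from overwriting variables here
    $int_fields = array('page_id', 'menu_order', 'show_full', 'hide_in_menu', 'parent_id');
    $str_fields = array('page_name', 'page_slug', 'type', 'extra');

    // TODO: validate page_slug with SIV::validate($val, SIV::SLUG) and send
    // the form back with an error instead of storing an invalid slug
    $values = array();
    foreach (array_merge($int_fields, $str_fields) as $name) {
        $values[$name] = isset($_POST[$name])
            ? SIV::clean_output($_POST[$name], false, false)
            : null;
    }

    $sql = 'INSERT INTO `' . DB_NAME . '`.`' . DB_PREFIX . 'pages`
            (
                `page_id`, `page_name`, `page_slug`, `type`, `menu_order`,
                `show_full`, `hide_in_menu`, `parent_id`, `extra`
            )
            VALUES
            (
                :page_id, :page_name, :page_slug, :type, :menu_order,
                :show_full, :hide_in_menu, :parent_id, :extra
            )
            ON DUPLICATE KEY UPDATE
                `page_name`=:page_name,
                `page_slug`=:page_slug,
                `type`=:type,
                `menu_order`=:menu_order,
                `show_full`=:show_full,
                `hide_in_menu`=:hide_in_menu,
                `parent_id`=:parent_id,
                `extra`=:extra';

    try {
        $stmt = $this->db->prepare($sql);

        foreach ($int_fields as $name) {
            $stmt->bindValue(':' . $name, $values[$name], PDO::PARAM_INT);
        }
        foreach ($str_fields as $name) {
            $stmt->bindValue(':' . $name, $values[$name], PDO::PARAM_STR);
        }
        $stmt->execute();

        $result = $stmt->errorCode() === '00000';
        $stmt->closeCursor();

        return $result;
    } catch (Exception $e) {
        ECMS_Error::log_exception($e);

        return false;
    }
}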
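/**
 * Builds a sanitized comment object from the posted form, stashes it in the
 * session, and remembers the commenter's name/email/url in cookies.
 *
 * @return stdClass the sanitized comment
 */
private function _store_comment_data()
{
    // Missing fields default to 0 / '' instead of raising undefined-index notices
    $posted = array();
    foreach (array('comment_id', 'entry_id', 'subscribe', 'thread_id') as $name) {
        $posted[$name] = isset($_POST[$name]) ? (int) $_POST[$name] : 0;
    }
    foreach (array('name', 'email', 'url', 'comment') as $name) {
        $posted[$name] = isset($_POST[$name]) ? $_POST[$name] : '';
    }

    $comment = new stdClass();
    $comment->comment_id = $posted['comment_id'];
    $comment->entry_id   = $posted['entry_id'];
    $comment->name  = SIV::clean_output($posted['name'], false, false);
    $comment->email = SIV::clean_output($posted['email'], false, false);
    $comment->url   = SIV::clean_output($posted['url'], false, false);
    // The comment body is cleaned with the default third argument, unlike the rest
    $comment->comment = SIV::clean_output($posted['comment'], false);
    $comment->subscribed = $posted['subscribe'];
    $comment->thread_id  = $posted['thread_id'];
    // NOTE(review): REMOTE_ADDR is the direct peer; behind a reverse proxy
    // this records the proxy, not the visitor
    $comment->remote_address = $_SERVER['REMOTE_ADDR'];
    $comment->created = time();

    // Park the comment in the session until it is written out
    $this->_sdata->temp = $comment;

    // Remember who is commenting for 30 days so the form can be prefilled.
    // NOTE(review): if nothing client-side reads these cookies, they could
    // also be set httponly
    $expires = time() + 2592000;
    foreach (array('name', 'email', 'url') as $field) {
        setcookie('ecms-comment:' . $field, $comment->{$field}, $expires, '/');
    }

    return $comment;
}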
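/**
 * Redirects a posted search to its GET-style URL (/search/<term>) and exits.
 *
 * The term is cleaned and URL-encoded, so it can only ever form a single
 * path segment of the fixed redirect target.
 */
public function handle_search()
{
    // A missing field redirects to an empty search instead of raising a notice
    $raw = isset($_POST['search_string']) ? $_POST['search_string'] : '';
    $search_string = urlencode(SIV::clean_output($raw, false, false));

    header('Location: /search/' . $search_string);
    exit;
}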