Esempio n. 1
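/**
 * Normalises a username/password pair and rejects anything that is not a
 * plain ASCII alphanumeric string.
 *
 * NOTE(review): this is an input filter, not SQL-injection protection.
 * Removing keywords from a value is no substitute for parameterised queries;
 * whatever builds the SQL from the returned array must still bind the values
 * instead of interpolating them.
 *
 * @param mixed $user raw username (non-strings are rejected)
 * @param mixed $pass raw password (non-strings are rejected)
 * @param mixed $ip   client address; accepted for signature compatibility,
 *                    not used by this function
 * @return array|null array('user' => ..., 'pass' => ...) holding the
 *                    lower-cased, trimmed values with the ban-listed fragments
 *                    removed, or null when either input is rejected or is
 *                    emptied by the filtering
 */
function anti_injection($user, $pass, $ip)
{
    // Fragments removed from otherwise-valid input. Kept for compatibility
    // with stored values filtered the same way; note it also mangles
    // legitimate names ("victoria" -> "victia" because of "or").
    $banlist = array("'", "--", "select", "union", "insert", "update", "like", "delete", "distinct", "having", "truncate", "replace", "handler", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc", "1=1", "or", "#", "//", "' or '1'='1'", "'1'='1'");

    $filter = function ($value) use ($banlist) {
        // Whole-string ASCII alphanumerics only. The original pattern was
        // unanchored, so any value containing a single letter or digit passed
        // and the "devoid of special characters" promise never held.
        if (!is_string($value) || !preg_match('/\A[a-zA-Z0-9]+\z/', $value)) {
            return null;
        }
        $clean = trim(str_replace($banlist, '', strtolower($value)));
        // A value emptied by the ban list counted as NULL before (loose
        // in_array comparison), so keep treating it as rejected.
        return $clean === '' ? null : $clean;
    };

    $user = $filter($user);
    $pass = $filter($pass);
    if ($user === null || $pass === null) {
        return null;
    }
    return array('user' => $user, 'pass' => $pass);
}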
Esempio n. 2
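/**
 * Renders the task menu of one module as an HTML table.
 *
 * Every entry of $items is turned into a task key (lower-cased, spaces to
 * underscores) and shown as a link to index.php?module=...&task=... when
 * CheckAccess() grants the current role that task; entries without access
 * are skipped. The non-mobile layout adds the module's icon for the task and
 * highlights the task named by the "task" query parameter.
 *
 * @param mixed  $module_id   module identifier handed to CheckAccess();
 *                            $GLOBALS['module_id'] takes precedence when set
 *                            (the original always used the global)
 * @param string $module_name module name used in the link URL and icon path
 * @param array  $items       human-readable task names
 * @return string HTML markup of the menu table
 */
function ModuleMenuDynamic($module_id, $module_name, $items)
{
    $dr = $GLOBALS['dr']; // filesystem base the icon lookup is made under
    $wb = $GLOBALS['wb']; // web base of the shared nuvola icon set
    // The original overwrote the parameter unconditionally; keep the global's
    // precedence but no longer discard the argument when the global is absent.
    if (isset($GLOBALS['module_id'])) {
        $module_id = $GLOBALS['module_id'];
    }
    // Values derived from $items / $module_name end up inside HTML text and
    // attributes and inside a query string, so escape per context instead of
    // concatenating raw strings.
    $esc = function ($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    };
    // Only a scalar "task" parameter can select an entry; arrays never match.
    $currentTask = isset($_GET['task']) && is_string($_GET['task']) ? $_GET['task'] : null;
    $isMobile = defined('_VALID_MVH_MOBILE_');

    $c = "<table class='plain' width='150'>\n";
    $c .= "<tr>\n";
    $c .= "<td colspan='3' class='bold'>" . $esc(InitCap($module_name)) . " Menu</td>\n";
    $c .= "</tr>\n";
    foreach ((array) $items as $item) {
        // Task key doubles as the icon file name.
        $task_img_desc = str_replace(' ', '_', strtolower($item));
        if (!CheckAccess($GLOBALS['wui']->RoleID(), $module_id, $task_img_desc)) {
            continue;
        }
        $friendly = $esc(InitCap($item));
        // rawurlencode output contains none of & ' < >, so the href needs no
        // further attribute escaping.
        $href = 'index.php?module=' . rawurlencode($module_name) . '&task=' . rawurlencode($task_img_desc);
        if ($isMobile) {
            $c .= "<tr><td colspan='2'>+<a href='" . $href . "'>" . $friendly . "</a></td></tr>";
            continue;
        }
        // Module-specific icon when present on disk, otherwise a generic one.
        $icon_http = 'modules/' . $module_name . '/images/default/' . $task_img_desc . '.png';
        $icon_src = file_exists($dr . $icon_http)
            ? $icon_http
            : $wb . 'images/nuvola/16x16/actions/view_remove.png';
        if ($currentTask === $task_img_desc) {
            $arrow = "<img src='images/nuvola/16x16/actions/player_play.png'>";
            $bgcolor = '#dedede';
        } else {
            $arrow = '';
            $bgcolor = '#ffffff';
        }
        $c .= "<tr>\n";
        $c .= "<td width='16'>" . $arrow . "</td>\n";
        $c .= "<td width='16'><img src='" . $esc($icon_src) . "'></td>\n";
        $c .= "<td bgcolor='" . $bgcolor . "' width='134'><a href='" . $href . "'>" . $friendly . "</a></td>\n";
        $c .= "</tr>\n";
    }
    $c .= "</table>\n";
    return $c;
}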
Esempio n. 3
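/**
 * Normalises a username/password pair and rejects anything that is not a
 * plain ASCII alphanumeric string.
 *
 * NOTE(review): this is an input filter, not SQL-injection protection.
 * Removing keywords from a value is no substitute for parameterised queries;
 * whatever builds the SQL from the returned array must still bind the values
 * instead of interpolating them. The rejection branch still carries the
 * original, commented-out IP-block code untouched.
 *
 * @param mixed $user raw username (non-strings are rejected)
 * @param mixed $pass raw password (non-strings are rejected)
 * @param mixed $ip   client address; only referenced by the commented-out code
 * @return array|null array('user' => ..., 'pass' => ...) holding the
 *                    lower-cased, trimmed values with the ban-listed fragments
 *                    removed, or null when either input is rejected or is
 *                    emptied by the filtering
 */
function anti_injection($user, $pass, $ip)
{
    // Fragments removed from otherwise-valid input. Kept for compatibility
    // with stored values filtered the same way; note it also mangles
    // legitimate names ("victoria" -> "victia" because of "or").
    $banlist = array("'", "--", "select", "union", "insert", "update", "like", "delete", "distinct", "having", "truncate", "replace", "handler", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc", "1=1", "or", "#", "//", "' or '1'='1'", "'1'='1'");

    $fields = array('user' => $user, 'pass' => $pass);
    foreach ($fields as $key => $value) {
        // Whole-string ASCII alphanumerics only. The original pattern was
        // unanchored, so any value containing a single letter or digit passed
        // and the "devoid of special characters" promise never held.
        if (!is_string($value) || !preg_match('/\A[a-zA-Z0-9]+\z/', $value)) {
            $fields[$key] = null;
            continue;
        }
        $clean = trim(str_replace($banlist, '', strtolower($value)));
        // A value emptied by the ban list counted as NULL before (loose
        // in_array comparison), so keep treating it as rejected.
        $fields[$key] = $clean === '' ? null : $clean;
    }

    if (in_array(null, $fields, true)) {
        /*
        		$db->connectdb(DB_NAME,DB_USERNAME,DB_PASSWORD);
        		$db->add_db(TB_IPBLOCK,array(
        			"ip"=>"".$ip."",
        			"post_date"=>"".time().""
        		));
        		$db->closedb ();
        ?>
        <BR><BR>
        <CENTER><A HREF="?name=index"><IMG SRC="images/dangerous.png" BORDER="0"></A><BR><BR>
        <FONT COLOR="#336600"><B><?=_ADMIN_IPBLOCK_MESSAGE_HACK;?> <?=WEB_EMAIL;?></B></FONT><BR><BR>
        <A HREF="?name=index"><B><?=_ADMIN_IPBLOCK_MESSAGE_HACK1;?></B></A>
        </CENTER>
        <?php echo "<meta http-equiv='refresh' content='10; url=?name=index'>" ; ?>
        <BR><BR>
        <?php */
        return null;
    }
    return $fields;
}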
Esempio n. 4
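<?php

require "../../frame/engine.php";
ENGINE::START("HASH");

// Login handler: checks the posted credentials against core_users, records
// the login, stores a session key and hands it to the client as cookies.
// Replies are short status codes the front end keys on: e1437 missing input,
// e1435 unknown user, e1436 wrong password, s1434 success.
//
// NOTE(review): answering e1435 for an unknown user and e1436 for a wrong
// password lets a client tell the two apart (account enumeration); the codes
// are kept because the front end consumes them, but merging them is worth
// considering.

$Hash = new PasswordHash(8, true);
// Only scalar form fields are usable; a missing field reads as empty instead
// of raising an undefined-index notice.
$USER = isset($_POST['usr']) && is_string($_POST['usr']) ? $_POST['usr'] : '';
$PASS = isset($_POST['pas']) && is_string($_POST['pas']) ? $_POST['pas'] : '';
$USER_CLEAN = strtolower($USER);

// Both fields are required. The original tested `empty($USER) && empty($PASS)`,
// which let a request with just one field through to the database lookup.
if ($USER === '' || $PASS === '') {
    die('e1437');
}

$R = MYSQL::QUERY("SELECT * FROM core_users WHERE username_clean = ? LIMIT 1", array($USER_CLEAN));
if (empty($R)) {
    die('e1435');
}
if (!$Hash->CheckPassword($PASS, $R['password'])) {
    die('e1436');
}

// The store's timezone, when the store row and column exist; the original
// dereferenced $S['s_timezone'] unconditionally.
$S = MYSQL::QUERY('SELECT * FROM core_stores WHERE s_id = ? LIMIT 1', array($R['store']));
if (!empty($S['s_timezone'])) {
    date_default_timezone_set($S['s_timezone']);
}
USER::LOG("Logged In", $R['user_id']);

$SES_EXP = time() + 43200; // 12 hours
$SES_GEN = FORMAT::SES(50);
$params = array($SES_GEN, $R['user_id'], $SES_EXP, $SES_GEN, $SES_EXP);
MYSQL::QUERY('INSERT INTO core_users_sessions (session_key,session_user,session_experation) VALUES (?,?,?) ON DUPLICATE KEY UPDATE session_key=?,session_experation=?', $params);

// httponly keeps the session key out of script-accessible document.cookie;
// the secure flag is set when this request itself arrived over TLS so the
// cookie is not replayed in clear afterwards.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
setcookie("core_u", (string) $params[1], $SES_EXP, '/', '', $secure, true);
setcookie("core_k", (string) $params[0], $SES_EXP, '/', '', $secure, true);
echo 's1434';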
Esempio n. 5
 /**
  * Drops every space and ASCII digit from $S, lower-cases what is left and
  * capitalises its first character.
  *
  * @param string $S input text
  * @return string filtered text, e.g. "hello World 12" -> "Helloworld"
  */
 public static function TEXT($S)
 {
     // All removals are single characters, so one pattern pass is the same
     // as the sequential replacement of each one.
     $stripped = preg_replace('/[ 0-9]/', '', $S);
     return ucfirst(strtolower($stripped));
 }
Esempio n. 6
            <td nowrap align="right"><span class="label"><?php 
print $lang['lang_front']; // row label, read from the $lang array defined outside this fragment
?>
</span><br>
            <span class="info"><?php 
print $lang['lang_front_note']; // help text under the label, from the same $lang array
?>
</span></td>
            <td><select name="lang_front" size="1" style="width: 70px;">
                   <?php 
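// Emits one <option> per "<code>.php" file in ../lang; $langfront (set outside
// this fragment) names the pre-selected entry.
$dp = opendir('../lang/');
if ($dp !== false) { // the original assumed the directory always opens
    while (false !== ($file = readdir($dp))) {
        // Accept exactly "<code>.php". The original split on '.' and tested
        // the second piece, so "en.php.bak" passed and dot-less names raised
        // an undefined-index notice; "." and ".." need no separate check here.
        if (!preg_match('/\A([^.]+)\.php\z/', $file, $m)) {
            continue;
        }
        $code = $m[1];
        $name = strtoupper($code);
        $value = strtolower($code);
        $selected = isset($langfront) && $code === (string) $langfront ? 'selected' : '';
        // File names come from the server's own directory, but they still land
        // inside an attribute and element text, so escape them for HTML.
        echo '<option value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" ' . $selected . '>- ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ' -</option>';
    }
    closedir($dp);
}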
?>
             </select><br><br>
             </td>
             </tr>
              <tr valign="top">
            <td align="right" valign="top" nowrap><span class="label"><?php 
print $lang['wysiwyg']; // label for the editor row, from the $lang array defined outside this fragment
?>
</span><br>
             </td>