function _getInputValidationErrors($mySqlColsAndTypes, $newRecordValues) { global $schema, $tableName, $escapedTableName, $CURRENT_USER, $isMyAccountMenu; $errors = ''; $recordNum = @$_REQUEST['num']; // load schema columns foreach ($schema as $fieldname => $fieldSchema) { if (!is_array($fieldSchema)) { continue; } // fields are stored as arrays, other entries are table metadata if (!userHasFieldAccess($fieldSchema)) { continue; } // skip fields that the user has no access to if ($tableName == 'accounts' && $fieldname == 'isAdmin' && !$CURRENT_USER['isAdmin']) { continue; } // skip admin only fields if ($isMyAccountMenu && @(!$fieldSchema['myAccountField'])) { continue; } // skip validation on fields that aren't displayed $isMyAccountPasswordField = $isMyAccountMenu && $fieldname == 'password'; $value = @$newRecordValues[$fieldname]; $labelOrName = @$fieldSchema['label'] != '' ? $fieldSchema['label'] : $fieldname; // date fields - check if required suffixes are missing $missingDateSubfields = 0; $partialDateEntered = false; if (@$fieldSchema['type'] == 'date') { $requiredDateSuffixes = array('mon', 'day', 'year'); if ($fieldSchema['showTime']) { if ($fieldSchema['use24HourFormat']) { array_push($requiredDateSuffixes, 'hour24', 'min'); } else { array_push($requiredDateSuffixes, 'hour12', 'min', 'isPM'); } if ($fieldSchema['showSeconds']) { array_push($requiredDateSuffixes, 'sec'); } } $subFieldCount = 0; foreach ($requiredDateSuffixes as $suffix) { if (@$_REQUEST["{$fieldname}:{$suffix}"] == '') { $missingDateSubfields++; } } $partialDateEntered = $missingDateSubfields && count($requiredDateSuffixes) > $missingDateSubfields; // if some but not all date subfields entered then require all of them } // check required fields $checkRequired = @$fieldSchema['isRequired'] && !$isMyAccountPasswordField || $partialDateEntered; if ($checkRequired) { if ($fieldSchema['type'] == 'upload') { if (!getUploadCount($tableName, $fieldname, @$_REQUEST['num'], @$_REQUEST['preSaveTempId'])) { $errors .= sprintf(t("'%s' is required! You must upload a file!"), $labelOrName) . "\n"; } } elseif ($fieldSchema['type'] == 'date') { if ($partialDateEntered) { $errors .= sprintf(t("Please fill out all '%s' fields!"), $labelOrName) . "\n"; } elseif ($missingDateSubfields) { $errors .= sprintf(t("'%s' is required!"), $labelOrName) . "\n"; } } elseif ($value == '') { $errors .= sprintf(t("'%s' is required!"), $labelOrName) . "\n"; } } // check for unique fields if (@$fieldSchema['isUnique'] && $value != '') { // unique allows blank fields (use required to require value) $errors .= __getUniqueFieldErrors($labelOrName, $fieldname, $value, $recordNum); } // get length of content if (@$fieldSchema['type'] == 'wysiwyg') { $textOnlyValue = strip_tags($value); $textOnlyValue = preg_replace('/\\s+/', ' ', $textOnlyValue); $textLength = mb_strlen($textOnlyValue); } elseif (@$fieldSchema['type'] == 'textbox' && @$fieldSchema['autoFormat']) { $textOnlyValue = str_replace("<br/>\n", "\n", $value); $textLength = mb_strlen($textOnlyValue); } else { $textLength = mb_strlen($value); } // check min/max length of content if ($value != '' && @$fieldSchema['minLength'] && $textLength < $fieldSchema['minLength']) { $errors .= sprintf(t('\'%1$s\' must be at least %2$s characters! (currently %3$s characters)'), $labelOrName, $fieldSchema['minLength'], $textLength) . "\n"; } if ($value != '' && @$fieldSchema['maxLength'] && $textLength > $fieldSchema['maxLength']) { $errors .= sprintf(t('\'%1$s\' cannot be longer than %2$s characters! (currently %3$s characters)'), $labelOrName, $fieldSchema['maxLength'], $textLength) . "\n"; } // check allowed/disallowed characters (skip if $fieldSchema['charset'] is blank to avoid: "Warning: preg_match(): Compilation failed: missing terminating ]") if (strlen(@$fieldSchema['charset']) > 0) { $allowRegexp = '/[^' . preg_quote(@$fieldSchema['charset'], '/') . ']/'; $disallowRegexp = '/[' . preg_quote(@$fieldSchema['charset'], '/') . ']/'; if (@$fieldSchema['charsetRule'] == 'allow' && preg_match($allowRegexp, $value)) { $errors .= sprintf(t('\'%1$s\' only allows the following characters (%2$s)'), $labelOrName, $fieldSchema['charset']) . "\n"; } if (@$fieldSchema['charsetRule'] == 'disallow' && preg_match($disallowRegexp, $value)) { $errors .= sprintf(t('\'%1$s\' doesn\'t allow the following characters (%2$s)'), $labelOrName, $fieldSchema['charset']) . "\n"; } } // custom field error checking if (@$schema['menuType'] == 'category' && $fieldname == 'parentNum') { // load parent category $escapedNum = mysql_escape($value); $query = "SELECT num, name, lineage FROM `{$escapedTableName}` WHERE num = '{$escapedNum}' LIMIT 1"; $result = mysql_query($query) or die("MySQL Error: " . mysql_error() . "\n"); $parentCategory = mysql_fetch_assoc($result); if (is_resource($result)) { mysql_free_result($result); } // error checking if (preg_match("/:{$recordNum}:/", $parentCategory['lineage'])) { $errors .= sprintf(t('\'%s\' can\'t select the current category or any categories under the current category!'), $labelOrName) . "\n"; } } // my account - password changing $newPasswordEntered = @$_REQUEST['password:old'] || @$_REQUEST['password'] || @$_REQUEST['password:again']; if ($isMyAccountPasswordField && $newPasswordEntered && !$errors) { $_REQUEST['password:old'] = preg_replace("/^\\s+|\\s+\$/s", '', @$_REQUEST['password:old']); // v2.52 remove leading and trailing whitespace $oldPasswordHash = getPasswordDigest(@$_REQUEST['password:old']); if (!@$_REQUEST['password:old']) { $errors .= t("Please specify your current password!") . "\n"; } else { if ($oldPasswordHash != getPasswordDigest($CURRENT_USER['password'])) { $errors .= t("Current password is not correct!") . "\n"; } } // v2.51 works when comparing hashed and unhashed passwords the same $errors .= getNewPasswordErrors(@$_REQUEST['password'], @$_REQUEST['password:again'], $CURRENT_USER['username']); // v2.52 } // accounts - password changing (usually done by admin) v2.52 if (!$isMyAccountMenu && $tableName == 'accounts' && $fieldname == 'password' && !$errors) { $errors .= getNewPasswordErrors(@$_REQUEST['password'], null, @$newRecordValues['username']); // v2.52 } // user accounts - don't allow disabling of own account if ($tableName == 'accounts' && $fieldname == 'disabled') { if ($recordNum == $CURRENT_USER['num'] && !empty($_REQUEST['disabled'])) { $errors .= t("You cannot disable your own account!") . "\n"; } } } // return $errors; }
function getUploadLimits($tablename, $fieldname, $num, $preSaveTempId) { $schema = loadSchema($tablename); $fieldSchema = $schema[$fieldname]; $isUploadLimit = @$fieldSchema['checkMaxUploads']; $maxUploads = (int) $fieldSchema['maxUploads']; $uploadCount = getUploadCount($tablename, $fieldname, $num, $preSaveTempId); $remainingUploads = max($maxUploads - $uploadCount, 0); return array($isUploadLimit, $maxUploads, $remainingUploads); }