lovd_showInfoTable('Can\'t uninstall LOVD - Uninstall lock in place.', 'warning'); $_T->printFooter(); exit; } if (!empty($_POST)) { lovd_errorClean(); if (!isset($_GET['confirm'])) { // Check password. if (!lovd_verifyPassword($_POST['password'], $_AUTH['password'])) { lovd_errorAdd('password', 'Please enter your correct password for authorization.'); } } if (!lovd_error()) { if (isset($_GET['confirm'])) { // Check password. if (!lovd_verifyPassword($_POST['password'], $_AUTH['password'])) { lovd_errorAdd('password', 'Please enter your correct password for authorization.'); } if (!lovd_error()) { // OK, uninstall the lot. print ' <B>Uninstalling LOVD...</B><BR>' . "\n" . ' <BR>' . "\n\n"; require ROOT_PATH . 'class/progress_bar.php'; // This already puts the progress bar on the screen. $_BAR = new ProgressBar('', 'Initiating removal of LOVD...'); $_T->printFooter(false); // The false prevents the footer to actually close the <BODY> and <HTML> tags. // Now we're still in the <BODY> so the progress bar can add <SCRIPT> tags as much as it wants. flush(); // The reason to invert the tables is to handle all foreign key constraints nicely. $aTables = array_reverse($_TABLES); $nTables = count($aTables);
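/**
 * Validate submitted field data against this object's form definition and its
 * database column types, registering every problem through lovd_errorAdd().
 *
 * Side effects visible below: when not importing, scalar values are trim()med
 * in the matching superglobal ($GLOBALS['_POST'] / $GLOBALS['_GET']) as well
 * as in $aData, empty multi-selects and unsent checkboxes are filled in there,
 * and 'password' is added to $this->aCheckMandatory.
 *
 * @param array $aData  Field name => submitted value (string, or array for multi-selects).
 * @param mixed $zData  Current database record; kept for subclasses, not read here.
 * @return array        $aData with trimmed scalars and the defaults for missing
 *                      multi-selects / checkboxes applied.
 */
function checkFields($aData, $zData = false)
{
    // Checks fields before submission of data.
    global $_AUTH, $_SETT;

    // The project file does not change during a request; decide once.
    $bImporting = (lovd_getProjectFile() == '/import.php');

    $aForm = $this->getForm();
    $aFormInfo = array();
    if ($aForm) {
        $aFormInfo = $aForm[0];
        if (!in_array($aFormInfo[0], array('GET', 'POST'), true)) {
            // We're not working on a full form array, possibly an incomplete VOT form.
            $aFormInfo = array('POST');
        } else {
            unset($aForm[0]);
        }
    } else {
        // No form information available.
        $aForm = array();
    }

    if (!$bImporting && !in_array('password', $this->aCheckMandatory, true)) {
        // Always mandatory... unless importing. Guarded so repeated calls don't
        // keep appending the same entry.
        $this->aCheckMandatory[] = 'password';
    }

    // Name of the superglobal we mirror trims/defaults into ('_POST' or '_GET').
    $sGlobal = '_' . $aFormInfo[0];

    $aHeaders = array();
    // Validate form by looking at the form itself, and check what's needed.
    foreach ($aForm as $aField) {
        if (!is_array($aField)) {
            // 'skip', 'hr', etc...
            continue;
        }
        // Field rows may have fewer than four entries; the @ keeps the notice
        // for missing elements quiet and leaves the missing variables null.
        @(list($sHeader, $sHelp, $sType, $sName) = $aField);
        if ($bImporting) {
            // During import, we don't mention the field names how they appear on screen, but using their IDs which are used in the file.
            $sHeader = $sName;
        }
        $aHeaders[$sName] = $sHeader;

        // Trim() all fields. We don't want those spaces in the database anyway.
        if (!$bImporting && isset($aData[$sName]) && !is_array($aData[$sName])) {
            $GLOBALS[$sGlobal][$sName] = trim($GLOBALS[$sGlobal][$sName]);
            $aData[$sName] = trim($aData[$sName]);
        }

        // Mandatory fields, as defined by child object.
        if (in_array($sName, $this->aCheckMandatory, true) && (!isset($aData[$sName]) || $aData[$sName] === '')) {
            lovd_errorAdd($sName, 'Please fill in the \'' . $sHeader . '\' field.');
        }

        if ($sType == 'select') {
            if (!empty($aField[7])) {
                // The browser fails to send value if selection list w/ multiple selection options is left empty.
                // This is causing notices in the code.
                if (!isset($aData[$sName])) {
                    $GLOBALS[$sGlobal][$sName] = array();
                    $aData[$sName] = array();
                }
            }

            // Simple check on non-custom columns (custom columns have their own function for this) to see if the given value is actually allowed.
            // 0 is a valid entry for the check for mandatory fields, so we should also check if 0 is a valid entry in the selection list!
            if (strpos($sName, '/') === false && isset($aData[$sName]) && $aData[$sName] !== '') {
                $Val = $aData[$sName];
                $aOptions = array_keys($aField[5]);
                if ($bImporting && !is_array($Val)) {
                    $Val = explode(';', $Val); // Normally the form sends an array, but from the import I need to create an array.
                } elseif (!is_array($Val)) {
                    $Val = array($Val);
                }
                // Compare option keys and submitted values as strings, strictly.
                // array_keys() turns numeric keys into ints, and a loose
                // in_array() then accepted any non-numeric string when an option
                // key was 0 (PHP < 8) and let '01' or '1e0' match key 1.
                $aOptionStrings = array_map('strval', $aOptions);
                foreach ($Val as $sValue) {
                    $sValue = trim($sValue); // Trim whitespace from $sValue to ensure match independent of whitespace.
                    if (!in_array((string) $sValue, $aOptionStrings, true)) {
                        if ($bImporting) {
                            lovd_errorAdd($sName, 'Please select a valid entry from the \'' . $sHeader . '\' selection box, \'' . strip_tags($sValue) . '\' is not a valid value. Please choose from these options: \'' . implode('\', \'', $aOptions) . '\'.');
                        } else {
                            lovd_errorAdd($sName, 'Please select a valid entry from the \'' . $sHeader . '\' selection box, \'' . strip_tags($sValue) . '\' is not a valid value.');
                        }
                    }
                }
            }

        } elseif ($sType == 'checkbox') {
            // The browser fails to send value if checkbox is left empty.
            // This is causing problems sometimes with MySQL, since INT
            // columns can't receive an empty string if STRICT is on.
            if (!isset($aData[$sName])) {
                $GLOBALS[$sGlobal][$sName] = 0;
                $aData[$sName] = 0;
            } elseif (!is_scalar($aData[$sName]) || !in_array((string) $aData[$sName], array('0', '1'), true)) {
                // Strict string comparison: only '0'/'1' (or int 0/1) are
                // acceptable, not any numeric string that loosely equals them.
                lovd_errorAdd($sName, 'The field \'' . $sHeader . '\' must contain either a \'0\' or a \'1\'.');
            }
        }

        if ($sName == 'password') {
            // Password is in the form, it must be checked. Assuming here that it is also considered mandatory.
            // An empty password is reported by the mandatory-field check above.
            if (!empty($aData['password']) && !lovd_verifyPassword($aData['password'], $_AUTH['password'])) {
                lovd_errorAdd('password', 'Please enter your correct password for authorization.');
            }
        }
    }

    // Check all fields that we receive for data type and maximum length.
    // No longer to this through $aForm, because when importing,
    // we do have data to check but no $aForm entry linked to it.
    $sTable = constant($this->sTable);
    foreach ($aData as $sFieldname => $sFieldvalue) {
        if (!is_string($sFieldvalue)) {
            // Checks below currently do not handle non-string values.
            continue;
        }
        // Remove prefix (transcriptid) that LOVD_TranscriptVariants puts there.
        $sNameClean = preg_replace('/^\\d{' . $_SETT['objectid_length']['transcripts'] . '}_/', '', $sFieldname);
        $sHeader = (isset($aHeaders[$sFieldname])? $aHeaders[$sFieldname] : $sFieldname);

        // Checking free text fields for max length, data types, etc.
        $sMySQLType = lovd_getColumnType($sTable, $sNameClean);
        if (!$sMySQLType) {
            // Not a column of this object's table; nothing to check against.
            continue;
        }
        // FIXME; we're assuming here, that $sName equals the database name. Which is true in probably most/every case, but even so...
        // FIXME; select fields might also benefit from having this check (especially for import).
        $nMaxLength = lovd_getColumnLength($sTable, $sNameClean);
        $bUnsigned = (substr($sMySQLType, -8) == 'UNSIGNED');

        // Note: empty() also skips '0', so a bare zero is neither length- nor type-checked.
        if (!empty($sFieldvalue)) {
            // Check max length. For numerical columns, maxlength works differently!
            if (in_array($sMySQLType, array('DECIMAL', 'DECIMAL_UNSIGNED', 'FLOAT', 'FLOAT_UNSIGNED', 'INT', 'INT_UNSIGNED'), true)) {
                $sNines = str_repeat('9', $nMaxLength);
                // SIGNED cols: negative values.
                if (in_array($sMySQLType, array('DECIMAL', 'INT'), true) && (int) $sFieldvalue < (int) ('-' . $sNines)) {
                    lovd_errorAdd($sFieldname, 'The \'' . $sHeader . '\' field is limited to numbers no lower than -' . $sNines . '.');
                }
                // ALL numerical cols (except floats): positive values.
                if (substr($sMySQLType, 0, 5) != 'FLOAT' && (int) $sFieldvalue > (int) $sNines) {
                    lovd_errorAdd($sFieldname, 'The \'' . $sHeader . '\' field is limited to numbers no higher than ' . $sNines . '.');
                }
            } elseif (strlen($sFieldvalue) > $nMaxLength) {
                // strlen() counts bytes, so multibyte text is judged conservatively here.
                lovd_errorAdd($sFieldname, 'The \'' . $sHeader . '\' field is limited to ' . $nMaxLength . ' characters, you entered ' . strlen($sFieldvalue) . '.');
            }

            // Check data type.
            switch ($sMySQLType) {
                case 'DATE':
                    if (!lovd_matchDate($sFieldvalue)) {
                        lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a date in the format YYYY-MM-DD, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                    }
                    break;
                case 'DATETIME':
                    if (!preg_match('/^[0-9]{4}[.\\/-][0-9]{2}[.\\/-][0-9]{2}( [0-9]{2}\\:[0-9]{2}\\:[0-9]{2})?$/', $sFieldvalue)) {
                        lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a date, possibly including a time, in the format YYYY-MM-DD HH:MM:SS, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                    }
                    break;
                case 'DECIMAL':
                case 'DECIMAL_UNSIGNED':
                case 'FLOAT':
                case 'FLOAT_UNSIGNED':
                    if (!is_numeric($sFieldvalue) || ($bUnsigned && $sFieldvalue < 0)) {
                        lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a' . (!$bUnsigned? '' : ' positive') . ' number, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                    }
                    break;
                case 'INT':
                case 'INT_UNSIGNED':
                    // Only signed INT may carry a leading minus.
                    if (!preg_match('/^' . ($sMySQLType != 'INT' ? '' : '\\-?') . '[0-9]*$/', $sFieldvalue)) {
                        lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a' . ($sMySQLType == 'INT' ? 'n' : ' positive') . ' integer, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                    }
                    break;
            }
        }
    }

    return $aData;
}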
$_SESSION['password_force_change'] = true; } // Check if referer is given, check it, then forward the user. if (!empty($_POST['referer'])) { // Location is within this LOVD installation. $sLocation = $_POST['referer']; } else { // Redirect to proper location will be done somewhere else in this code. $sLocation = lovd_getInstallURL() . 'login'; } header('Location: ' . $sLocation); exit; } } // The bad logins end up here! if (!$zUser || !lovd_error() && !lovd_verifyPassword($_POST['password'], $zUser['password'])) { lovd_writeLog('Auth', 'AuthError', $_SERVER['REMOTE_ADDR'] . ' (' . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ') tried logging in using ' . $_POST['username'] . '/' . str_repeat('*', strlen($_POST['password']))); lovd_errorAdd('', 'Invalid Username/Password combination.'); // This may not actually update (user misspelled his username) but we can call the query anyway. if ($_CONF['lock_users']) { $_DB->query('UPDATE ' . TABLE_USERS . ' SET login_attempts = login_attempts + 1 WHERE username = ? AND level < ' . LEVEL_ADMIN, array($_POST['username']), false); } // Check if the user is locked, now. if ($zUser && $zUser['login_attempts'] >= 3 - 1) { lovd_errorAdd('password', 'Your account is now locked, since this is the third time a wrong password was provided.'); } // The "Forgot my password" option. if ($_CONF['allow_unlock_accounts']) { lovd_errorAdd('', 'Did you <A href="reset_password">forget your password</A>?'); } }
// Of the selected persons, at least one should be shown AND able to edit! $bCurator = false; foreach ($_POST['curators'] as $nUserID) { if (in_array($nUserID, $_POST['allow_edit']) && in_array($nUserID, $_POST['shown'])) { $bCurator = true; break; } } if (!$bCurator) { lovd_errorAdd('', 'Please select at least one curator that is allowed to edit <I>and</I> is shown on the gene home page!'); } } // Mandatory fields. if (empty($_POST['password'])) { lovd_errorAdd('password', 'Please fill in the \'Enter your password for authorization\' field.'); } elseif ($_POST['password'] && !lovd_verifyPassword($_POST['password'], $_AUTH['password'])) { // User had to enter his/her password for authorization. lovd_errorAdd('password', 'Please enter your correct password for authorization.'); } } else { // MUST select at least one visible curator! if (empty($_POST['curators']) || empty($_POST['shown'])) { lovd_errorAdd('', 'Please select at least one curator to be shown on the gene home page!'); } } if (!lovd_error()) { // What's by far the most efficient code-wise is just insert/update all we've got and delete everything else. // Prepare log for changes. // (depends on current database status, so we create the log message before // the changes are committed, but log the actual message afterwards). $sLogMessage = lovd_prepareCuratorLogMessage($sID, $_POST['curators'], $_POST['allow_edit'], $_POST['shown']);
} } if (FORMAT == 'text/plain' && !defined('FORMAT_ALLOW_TEXTPLAIN')) { die(AJAX_NO_AUTH); } $sFile = ROOT_PATH . 'class/object_' . strtolower($sObject) . 's.php'; if (!file_exists($sFile)) { header('HTTP/1.0 404 Not Found'); exit; } require $sFile; $sObjectClassname = 'LOVD_' . str_replace('_', '', $sObject); $_DATA = new $sObjectClassname($sObjectID, $nID); if (POST && ACTION == 'applyFR') { // Apply find & replace. if ($_AUTH['level'] < LEVEL_CURATOR || !isset($_POST['password']) || !lovd_verifyPassword($_POST['password'], $_AUTH['password'])) { // Not authorized for find & replace. die(AJAX_NO_AUTH); } $aFROptions['sFRMatchType'] = isset($_POST['FRMatchType_' . $sViewListID]) ? $_POST['FRMatchType_' . $sViewListID] : null; $aFROptions['bFRReplaceAll'] = isset($_POST['FRReplaceAll_' . $sViewListID]) ? $_POST['FRReplaceAll_' . $sViewListID] : null; if (!isset($_POST['FRFieldname_' . $sViewListID]) || !isset($_POST['FRSearch_' . $sViewListID]) || !isset($_POST['FRReplace_' . $sViewListID])) { die(AJAX_DATA_ERROR); } // Setup search filters before applying find & replace. list($WHERE, $HAVING, $aArguments, $aBadSyntaxColumns, $aColTypes) = $_DATA->processViewListSearchArgs($_POST); // Update where/having clauses based on search filters (needed for LOVD_Object->buildSQL()). if ($WHERE) { $_DATA->aSQLViewList['WHERE'] .= ($_DATA->aSQLViewList['WHERE'] ? ' AND ' : '') . $WHERE; } if ($HAVING) {