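function save_themename()
{
    # Rename the theme (collection) currently called $themename to the submitted "rename"
    # value, then redirect back to the page named by $link.
    #
    # Reads globals: $baseurl, $link (redirect target page), $themename (current name),
    # $collection_column (column holding the theme name).
    # Side effects: one update on the collection table, a Location header, request termination.
    global $baseurl, $link, $themename, $collection_column;

    # Both interpolated values are escaped for the query: the new name via getvalescaped(),
    # the current one via escape_check(). $collection_column is used as an identifier and is
    # expected to be configuration, not request data.
    $sql = "update collection set " . $collection_column . "='" . getvalescaped("rename", "") . "' where " . $collection_column . "='" . escape_check($themename) . "'";
    sql_query($sql);

    # NOTE(review): $link is trusted as a page path here — confirm it is not request-derived.
    header("location:" . $baseurl . "/pages/" . $link);
    # Stop here: previously execution continued (and the calling page kept rendering) after the
    # redirect header had been sent.
    exit;
}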
function tile_select($tile_type, $tile_style, $tile, $tile_id, $tile_width, $tile_height)
{
    /*
     * Dispatch a tile to the renderer matching its type/style. Every renderer below emits the
     * tile and terminates the request, so nothing after a matched entry runs. A type/style pair
     * that matches nothing falls through and the function simply returns.
     *
     * Comparisons are deliberately loose (==), mirroring the original switch statements.
     */

    /* Preconfigured and legacy tiles driven by config. */
    if ($tile_type == "conf") {
        if ($tile_style == "thmsl") {
            global $usertile;
            tile_config_themeselector($tile, $tile_id, $usertile, $tile_width, $tile_height);
            exit;
        }
        $conf_renderers = array(
            "theme" => 'tile_config_theme',
            "mycol" => 'tile_config_mycollection',
            "advsr" => 'tile_config_advancedsearch',
            "mycnt" => 'tile_config_mycontributions',
            "hlpad" => 'tile_config_helpandadvice',
            "custm" => 'tile_config_custom',
            "pend"  => 'tile_config_pending',
        );
        foreach ($conf_renderers as $style => $renderer) {
            if ($tile_style == $style) {
                $renderer($tile, $tile_id, $tile_width, $tile_height);
                exit;
            }
        }
    }

    /* Free text tile. */
    if ($tile_type == "ftxt") {
        tile_freetext($tile, $tile_id, $tile_width, $tile_height);
        exit;
    }

    /* Search-type tiles. */
    if ($tile_type == "srch") {
        if ($tile_style == "thmbs") {
            $promoted_image = getvalescaped("promimg", false);
            tile_search_thumbs($tile, $tile_id, $tile_width, $tile_height, $promoted_image);
            exit;
        }
        $search_renderers = array(
            "multi" => 'tile_search_multi',
            "blank" => 'tile_search_blank',
        );
        foreach ($search_renderers as $style => $renderer) {
            if ($tile_style == $style) {
                $renderer($tile, $tile_id, $tile_width, $tile_height);
                exit;
            }
        }
    }
}
function HookNewsHomeHomebeforepanels()
{
    # When the home page is being fetched via AJAX, ask the client to reload its search bar.
    if (!getvalescaped("ajax", false)) {
        return;
    }
    echo '<script>ReloadSearchBar();</script>';
}
function save_themename()
{
    # Persist the submitted "rename" value as the new name of the theme currently called
    # $themename, fire the after_save_themename hook, then redirect to pages/$link.
    global $baseurl, $link, $themename, $collection_column;

    $new_name = getvalescaped("rename", "");
    $old_name = escape_check($themename);
    $query = sprintf(
        "update collection set\t%s='%s' where %s='%s'",
        $collection_column,
        $new_name,
        $collection_column,
        $old_name
    );
    sql_query($query);

    hook("after_save_themename");
    redirect("pages/" . $link);
}
function HookFilterboxSearchSearchstringprocessing()
{
    # Append the submitted refine keywords (if any) to the current search string, then
    # normalise the whole string through refine_searchstring().
    global $search;

    $refine_keywords = trim(getvalescaped("refine_keywords", ""));
    if ($refine_keywords !== "") {
        $search = $search . "," . $refine_keywords;
    }
    $search = refine_searchstring($search);
}
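/**
 * Validate the given field and, if it validates, store it in the provided configuration
 * module and key.
 *
 * The value is read from the request with getvalescaped(). When validation fails, the
 * matching $lang message is recorded in $errorfields[$fieldname] and nothing is stored.
 *
 * @param string $fieldname  Name of field (provided to the render functions)
 * @param string $modulename Module name to store the field in.
 * @param string $modulekey  Module key
 * @param string $type       Validation pattern: one of bool, safe, float, int, email, regex.
 *                           Any other type is stored without validation.
 * @param bool   $required   Optional required flag. Defaults to true.
 * @param string $pattern    If $type is 'regex' the PCRE pattern to use.
 * @return bool Returns true if the field was stored in the config database, false otherwise.
 */
function validate_field($fieldname, $modulename, $modulekey, $type, $required = true, $pattern = '')
{
    global $errorfields, $lang;

    $value = getvalescaped($fieldname, '');

    if ($value == '') {
        if ($required) {
            $errorfields[$fieldname] = $lang['cfg-err-fieldrequired'];
            return false;
        }
        # Optional and empty: store the empty value. This path previously stored the value but
        # returned nothing, so callers saw a falsy result for a successful save.
        set_module_config_key($modulename, $modulekey, $value);
        return true;
    }

    # Key into $lang of the error to report; '' means the value passed validation.
    $error_key = '';
    switch ($type) {
        case 'safe':
            # Only rejects an empty value (or one that is just a line break); despite the
            # name this is not a sanitiser.
            if (!preg_match('/^.+$/', $value)) {
                $error_key = 'cfg-err-fieldsafe';
            }
            break;
        case 'float':
            # Unsigned decimal: digits with an optional fractional part.
            if (!preg_match('/^[\\d]+(\\.[\\d]*)?$/', $value)) {
                $error_key = 'cfg-err-fieldnumeric';
            }
            break;
        case 'int':
            if (!preg_match('/^[\\d]+$/', $value)) {
                $error_key = 'cfg-err-fieldnumeric';
            }
            break;
        case 'email':
            # The TLD length is no longer capped at 4 characters so longer TLDs are accepted.
            if (!preg_match('/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,}$/i', $value)) {
                $error_key = 'cfg-err-fieldemail';
            }
            break;
        case 'regex':
            if (!preg_match($pattern, $value)) {
                $error_key = 'cfg-err-fieldsafe';
            }
            break;
        case 'bool':
            # Stored as a real boolean rather than the submitted string.
            $lowered = strtolower($value);
            if ($lowered == 'true') {
                $value = true;
            } elseif ($lowered == 'false') {
                $value = false;
            } else {
                $error_key = 'cfg-err-fieldsafe';
            }
            break;
    }

    if ($error_key !== '') {
        $errorfields[$fieldname] = $lang[$error_key];
        return false;
    }

    set_module_config_key($modulename, $modulekey, $value);
    return true;
}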
function HookDiscount_codePurchase_callbackPayment_complete()
{
    # Record that the purchasing user has consumed the discount code attached to the
    # collection named in the PayPal "custom" field.
    $collection = getvalescaped("custom", "");

    # Discount code stored against the collection at checkout time.
    $code = sql_value("select discount_code value from collection_resource where collection='" . $collection . "' limit 1", "");

    # The purchasing user. This runs as a PayPal callback with no login session, so $userref
    # is unavailable and the user is resolved from their current collection instead.
    $user = sql_value("select ref value from user where current_collection='" . $collection . "'", 0);

    sql_query("insert into discount_code_used (code,user) values ('" . escape_check($code) . "','{$user}')");
}
function HookFilterboxSearchSearchaftersearchcookie()
{
    # Remember the submitted filter keywords, cursor position and the search string they apply
    # to in session cookies, and flag that filtering should be performed.
    global $filter_keywords, $perform_filter, $filter_pos, $search;

    $filter_keywords = getvalescaped("filter_keywords", "");
    $filter_pos = getvalescaped("cursorpos", "");

    $cookies = array(
        'filter' => $filter_keywords,
        'filter_pos' => $filter_pos,
        'original_search' => $search,
    );
    foreach ($cookies as $cookie_name => $cookie_value) {
        # Session cookie (expiry 0), default path and domain, Secure flag off, HttpOnly on.
        setcookie($cookie_name, $cookie_value, 0, '', '', false, true);
    }

    $perform_filter = true;
}
function HookFormat_chooserCollection_downloadReplacedownloadextension($resource, $extension)
{
    # Decide the download extension for a resource in a collection download. Returns the
    # lower-cased requested output format when the resource's input format is supported and
    # the requested format is one of the configured output formats; otherwise false, meaning
    # the extension is left alone. $extension is accepted for hook compatibility and unused.
    global $format_chooser_output_formats;

    $input_format = $resource['file_extension'];
    if (!supportsInputFormat($input_format)) {
        return false;
    }

    $requested = strtoupper(getvalescaped('ext', getDefaultOutputFormat($input_format)));
    # Loose in_array match, as before.
    $is_allowed = in_array($requested, $format_chooser_output_formats);
    return $is_allowed ? strtolower($requested) : false;
}
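function HookFormat_chooserAllGetdownloadurl($ref, $size, $ext, $page = 1, $alternative = -1)
{
    # Build the format_chooser conversion URL for a download, or return false when the
    # conversion page is not needed.
    #
    # @param int    $ref         Resource id
    # @param string $size        Size code
    # @param string $ext         Requested extension
    # @param int    $page        Page number (default 1)
    # @param int    $alternative Alternative file id, -1 for the primary file
    # @return string|false The convert.php URL, or false when no profile was requested and the
    #                      file already exists on disk for the requested size/extension.
    global $baseurl_short;

    $profile = getvalescaped('profile', null);
    if (!empty($profile)) {
        # The profile comes straight from the request and is placed in a query string, so it is
        # URL-encoded here; getvalescaped() only applies SQL escaping. A profile of "0" is
        # treated as absent by empty(), as before.
        $profile_param = '&profile=' . urlencode($profile);
    } else {
        $profile_param = '';
        $path = get_resource_path($ref, true, $size, false, $ext, -1, $page, $size == "scr" && checkperm("w") && $alternative == -1, '', $alternative);
        if (file_exists($path)) {
            return false;
        }
    }

    # The remaining components are passed through as supplied by the caller.
    return $baseurl_short . 'plugins/format_chooser/pages/convert.php?ref=' . $ref . '&size=' . $size . '&ext=' . $ext . $profile_param . '&page=' . $page . '&alt=' . $alternative;
}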
function HookRefineresultsSearchSearchstringprocessing()
{
    # Merge the submitted refine keywords into the current search string and normalise it.
    global $search, $k;

    $refine_keywords = trim(getvalescaped("refine_keywords", ""));
    if ($refine_keywords !== "") {
        if ($k != "") {
            # External share (access key present): there is no search bar, so the submitted
            # string replaces everything but the first term of the existing search.
            $terms = explode(" ", $search);
            $search = $terms[0] . " " . $refine_keywords;
        } else {
            $search .= ", " . $refine_keywords;
        }
    }
    $search = refine_searchstring($search);
}
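function get_annotate_file_path($ref, $getfilepath, $extension)
{
    # Return the location of the annotation file for a resource inside the annotate temp
    # directory, as "<uniqid>-annotations.<extension>".
    #
    # @param int    $ref         Resource id (not used in the returned path)
    # @param bool   $getfilepath True for a filesystem path; false is passed (inverted) to get_temp_dir
    # @param string $extension   File extension without the dot
    # @return string
    global $storageurl;
    global $storagedir;
    global $scramble_key;

    if (!file_exists($storagedir . "/annotate")) {
        # NOTE(review): created world-writable (0777) as before — tighten if the web server is the only writer.
        mkdir($storagedir . "/annotate", 0777);
    }

    global $uniqid;
    # $uniqid may be preset by the caller (manual create_annotated_pdf) or arrive with the request.
    $uniqid = getvalescaped("uniqid", $uniqid);

    # The value is used as a directory and file name component, so it must be a plain token:
    # letters, digits, dot, underscore, dash, and not made of dots alone. getvalescaped() only
    # applies SQL escaping, so anything else is treated as if no uniqid had been supplied.
    if ($uniqid != "" && !preg_match('/^(?!\.+$)[A-Za-z0-9._-]+$/', $uniqid)) {
        $uniqid = "";
    }

    $uniqfolder = ($uniqid != "") ? "/" . $uniqid : "";
    $tmpfolder = get_temp_dir(!$getfilepath, "annotate{$uniqfolder}");
    return $tmpfolder . "/{$uniqid}-annotations." . $extension;
}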
function HookDiscount_codePurchaseAdjust_item_price($origprice, $resource, $size)
{
    # Apply the submitted discount code to an item price. Returns the discounted price, the
    # unchanged price when no code was supplied, or false (with $discount_error set) when the
    # code is unknown or has already been used by this user.
    global $discount_error, $discount_applied, $lang;

    # Discount pipeline support: several hooks may adjust the same price in turn, so start from
    # the price a previous hook left for this resource/size when there is one.
    global $purchase_pipeline_price;
    if (isset($purchase_pipeline_price[$resource][$size])) {
        $origprice = $purchase_pipeline_price[$resource][$size];
    }

    $discount_code = trim(strtoupper(getvalescaped("discount_code", "")));
    if ($discount_code == "") {
        # No code specified
        return $origprice;
    }

    # Look the code up case-insensitively.
    $matches = sql_query("select * from discount_code where upper(code)='{$discount_code}'");
    if (count($matches) == 0) {
        $discount_error = $lang["error-invalid-discount-code"];
        return false;
    }
    $discount_info = $matches[0];

    # A code may be used once per user.
    # NOTE(review): the user value in this query is shown redacted (******) in this listing;
    # confirm it binds $userref in the repository.
    global $userref;
    $used = sql_value("select count(*) value from discount_code_used where user='******' and upper(code)='{$discount_code}'", 0);
    if ($used > 0) {
        $discount_error = $lang["error-discount-code-already-used"];
        return false;
    }

    $discount_applied = $discount_info["percent"];

    # Store the code against the collection so it can be retrieved when the PayPal callback
    # arrives and a discount_code_used row is inserted.
    global $usercollection;
    sql_query("update collection_resource set discount_code='" . $discount_code . "' where collection='" . $usercollection . "'");

    $discounted = round((100 - $discount_info["percent"]) / 100 * $origprice, 2);
    # Hand the new price to any later hook in the pipeline.
    $purchase_pipeline_price[$resource][$size] = $discounted;
    return $discounted;
}
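function HookUser_preferencesuser_preferencesSaveadditionaluserpreferences()
{
    # Save the optional username / email / full name changes from the user preferences form.
    # Each change is applied only when the matching $user_preferences_change_* switch is on and
    # the value differs from the current one; username and email uniqueness is checked first.
    # The globals are updated in place because header.php is included next.
    #
    # @return bool False when a uniqueness check fails (with $GLOBALS['errorUsername'] or
    #              $GLOBALS['errorEmail'] set). Otherwise true when no current password was
    #              submitted, or when both new password fields are empty; false only when a
    #              current password was submitted together with a new password field.
    global $user_preferences_change_username, $user_preferences_change_email, $user_preferences_change_name, $userref, $useremail, $username, $userfullname, $lang;

    $newUsername = trim(safe_file_name(getvalescaped('username', $username)));
    # Default to the current email. This previously defaulted to the full name, so a form
    # without an email field overwrote the address with the user's name.
    $newEmail = getvalescaped('email', $useremail);
    $newFullname = getvalescaped('fullname', $userfullname);

    $change_username = $user_preferences_change_username && $username != $newUsername;
    $change_email = $user_preferences_change_email && $useremail != $newEmail;
    $change_name = $user_preferences_change_name && $userfullname != $newFullname;

    # Check if a user with that username already exists
    if ($change_username) {
        $existing = sql_query('select ref from user where username=\'' . escape_check($newUsername) . '\'');
        if (!empty($existing)) {
            $GLOBALS['errorUsername'] = $lang['useralreadyexists'];
            return false;
        }
    }

    # Check if a user with that email already exists
    if ($change_email) {
        $existing = sql_query('select ref from user where email=\'' . escape_check($newEmail) . '\'');
        if (!empty($existing)) {
            $GLOBALS['errorEmail'] = $lang['useremailalreadyexists'];
            return false;
        }
    }

    # Store changed values in DB, and update the global variables as header.php is included next
    if ($change_username) {
        # NOTE(review): the username value in this statement is shown redacted (******) in this
        # listing; confirm against the repository that it binds escape_check($newUsername).
        sql_query("update user set username='******' where ref='" . $userref . "'");
        $username = $newUsername;
    }
    if ($change_email) {
        sql_query("update user set email='" . escape_check($newEmail) . "' where ref='" . $userref . "'");
        $useremail = $newEmail;
    }
    if ($change_name) {
        sql_query("update user set fullname='" . escape_check($newFullname) . "' where ref='" . $userref . "'");
        $userfullname = $newFullname;
    }

    # Password fields: parentheses make the original && / || precedence explicit.
    $current_password = getvalescaped('currentpassword', '');
    $new_password = getvalescaped('password', '');
    $new_password_repeat = getvalescaped('password2', '');
    return $current_password == '' || ($new_password == '' && $new_password_repeat == '');
}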
<?php include "../include/db.php"; include "../include/general.php"; include "../include/authenticate.php"; include_once "../include/collections_functions.php"; $offset=getvalescaped("offset",0); $ref=getvalescaped("ref","",true); # Check access if (!collection_readable($ref)) {exit($lang["no_access_to_collection"]);} # pager $per_page=getvalescaped("per_page_list_log",15);setcookie("per_page_list_log",$per_page, 0, '', '', false, true); include "../include/header.php"; $log=get_collection_log($ref, $offset+$per_page); $results=count($log); $totalpages=ceil($results/$per_page); $curpage=floor($offset/$per_page)+1; $url=$baseurl . "/pages/collection_log.php?ref=" . $ref; $jumpcount=1; ?> <?php # Fetch and translate collection name $colinfo = get_collection($ref); $colname = i18n_get_collection_name($colinfo); if (!checkperm("b"))
include '../../../include/db.php'; //include '../../../include/authenticate.php'; if ( ! checkperm('u')) exit('Permission denied.'); include '../../../include/general.php'; // Stupid function to provide default values function val($val, $default = NULL) { return empty($val) ? $default : $val; } // Get posted values $referrer = base64_decode(getvalescaped('referrer', base64_encode('../../../index.php'))); $ref = (int) getvalescaped('ref', -999); $time = time(); $status = getvalescaped('status', 'approved'); $name = getvalescaped('name', NULL); $signature = getvalescaped('signature', NULL); $comment = getvalescaped('comment', NULL); // Validate $valid = TRUE; if (empty($name) or empty($signature) or !in_array($status, array('approved', 'minor', 'major'))) { $valid = FALSE; } // If no $_POST or this resource doesn't exist then redirect back to resource if (empty($_POST) or !$valid or $ref === -999 or (int) sql_value("SELECT COUNT(*) AS value FROM resource WHERE ref = {$ref}", 0) < 1) { redirect($referrer); } // Insert a new history item sql_query("INSERT INTO approval (ref, posted, comment, name, signature, status) VALUES ({$ref}, NOW(), '{$comment}', '{$name}', '{$signature}', '{$status}')"); // Update resource approval field sql_query("UPDATE resource SET approval_status = '{$status}' WHERE ref = {$ref}"); // Get approval plugin settings $settings = get_plugin_config('approval');
<?php include "../../../include/db.php"; include "../../../include/general.php"; include "../../../include/authenticate.php"; if (!checkperm("u")) { exit("Permission denied."); } if (!isset($magictouch_account_id)) { $magictouch_account_id = ""; } if (!isset($magictouch_secure)) { $magictouch_secure = "http"; } if (getval("submit", "") != "") { $resourcetype = getvalescaped("resourcetype", ""); $f = fopen("../config/config.php", "w"); fwrite($f, "<?php \$embedvideo_resourcetype='{$resourcetype}'; ?>"); fclose($f); redirect("pages/team/team_home.php"); } $resource_types = get_resource_types(); include "../../../include/header.php"; ?> <div class="BasicsBox"> <h2> </h2> <h1><?php echo $lang["embed_video_configuration"]; ?> </h1>
<?php include "../../include/db.php"; include "../../include/authenticate.php"; include "../../include/general.php"; if (!in_array("api_core", $plugins)) { die("no access"); } include "../../include/header.php"; ?> <div class="BasicsBox"> <p><a onClick="return CentralSpaceLoad(this,true);" href="<?php if (getvalescaped("back", "") != "") { echo $baseurl_short . getvalescaped("back", ""); } else { echo $baseurl_short . "pages/change_password.php"; } ?> ">< <?php echo $lang["back"]; ?> </a></p><h1><?php echo $lang["apiaccess"]; ?> </h1> </div> <?php if (!$enable_remote_apis || $api_scramble_key == "abcdef123") { echo $lang["remoteapisnotavailable"]; exit;
function perform_login()
{
    # Authenticate the $username / $password globals (set by the caller) and return a result array.
    #
    # Reads globals: $api (true for API requests), $scramble_key, $lang, the max_login_attempts_* limits,
    # $username, $password; writes $password_hash.
    # Returns an array with 'valid' (bool); on success also 'session_hash', 'password_hash' and 'ref';
    # on failure 'error' (a $lang message, or the error returned by the externalauth hook).
    # Side effects: may migrate stored password hashes, updates the user row plus daily_stat() and
    # resource_log on success, and increments the per-IP and per-username lockout counters on failure.
    # NOTE(review): $enable_remote_apis and $global_cookies are declared global but not read below.
    global $api, $scramble_key, $enable_remote_apis, $lang, $max_login_attempts_wait_minutes, $max_login_attempts_per_ip, $max_login_attempts_per_username, $global_cookies, $username, $password, $password_hash;

    # Prevent a stored hash (32-char MD5 / 64-char SHA256) being entered directly as the password, while still
    # supporting direct entry of plain-text passwords for systems set up before hashing was added. The exception
    # is the 'log in as this user' feature: it sends "userkey" = md5(username . scramble_key), which allows a
    # login using the stored hash as the password.
    # NOTE(review): the key is compared with != rather than a constant-time comparison such as hash_equals().
    if (!$api && (strlen($password) == 32 || strlen($password) == 64) && getval("userkey", "") != md5($username . $scramble_key)) {
        exit("Invalid password.");
    }

    if (strlen($password) != 64) {
        # Provided password is not a hash, so generate one: SHA256 over the legacy md5("RS" . username . password).
        $password_hash = hash('sha256', md5("RS" . $username . $password));
    } else {
        $password_hash = $password;
    }

    // ------- Automatic migration of md5 hashed or plain text passwords to SHA256 hashed passwords ------------
    // Older systems being upgraded may still store passwords as md5 hashes or even in plain text. Every user row
    // whose password is not 64 characters long is rehashed here on each login attempt.
    // password_reset_hash is selected to force dbstruct to widen the password column to varchar(100) if needed.
    $accountstoupdate = sql_query("select username, password, password_reset_hash from user where length(password)<>64");
    foreach ($accountstoupdate as $account) {
        $oldpassword = $account["password"];
        if (strlen($oldpassword) != 32) {
            // Not an md5 hash, so treat it as plain text (really old, or manually reset in the database).
            $oldpassword = md5("RS" . $account["username"] . $oldpassword);
        }
        $new_password_hash = hash('sha256', $oldpassword);
        // NOTE(review): the bound values are shown redacted (******) in this listing; confirm in the repository
        // that they are the escaped $new_password_hash and $account["username"].
        sql_query("update user set password='******' where username='******'");
    }

    $ip = get_ip();

    # Attempt external authentication if configured. The hook may change $username, $password and $password_hash.
    $externalresult = hook("externalauth", "", array($username, $password));

    # Generate a new session hash.
    $session_hash = generate_session_hash($password_hash);

    # Check the provided credentials (bound values shown redacted in this listing).
    $valid = sql_query("select ref,usergroup,account_expires from user where username='******' and password='******'");

    # Prepare result array
    $result = array();
    $result['valid'] = false;

    if (count($valid) >= 1) {
        # Account expiry: a non-empty, non-zero expiry date in the past rejects the login.
        $userref = $valid[0]["ref"];
        $usergroup = $valid[0]["usergroup"];
        $expires = $valid[0]["account_expires"];
        if ($expires != "" && $expires != "0000-00-00 00:00:00" && strtotime($expires) <= time()) {
            $result['error'] = $lang["accountexpired"];
            return $result;
        }

        $result['valid'] = true;
        $result['session_hash'] = $session_hash;
        $result['password_hash'] = $password_hash;
        $result['ref'] = $userref;

        # Update the user record.
        # The session hash is not updated for API calls: API usage must not log users out, and there is no
        # session to remember in that case.
        if ($api) {
            $session_hash_sql = "";
        } else {
            $session_hash_sql = "session='" . escape_check($session_hash) . "',";
        }
        sql_query("update user set {$session_hash_sql} last_active=now(),login_tries=0,lang='" . getvalescaped("language", "") . "' where ref='{$userref}'");

        # Log this
        daily_stat("User session", $userref);
        if (!$api) {
            sql_query("insert into resource_log(date,user,resource,type) values (now()," . ($userref != "" ? "'{$userref}'" : "null") . ",0,'l')");
        }

        # Blank the IP address lockout counter for this IP
        sql_query("delete from ip_lockout where ip='" . escape_check($ip) . "'");
        return $result;
    }

    # Invalid login
    if (isset($externalresult["error"])) {
        $result['error'] = $externalresult["error"];
    } else {
        $result['error'] = $lang["loginincorrect"];
    }
    hook("loginincorrect");

    # Add / increment a lockout value for this IP
    $lockouts = sql_value("select count(*) value from ip_lockout where ip='" . escape_check($ip) . "' and tries<'" . $max_login_attempts_per_ip . "'", "");
    if ($lockouts > 0) {
        # Existing row with room to move
        $tries = sql_value("select tries value from ip_lockout where ip='" . escape_check($ip) . "'", 0);
        $tries++;
        if ($tries == $max_login_attempts_per_ip) {
            # Show locked out message.
            $result['error'] = str_replace("?", $max_login_attempts_wait_minutes, $lang["max_login_attempts_exceeded"]);
        }
        # Increment
        sql_query("update ip_lockout set last_try=now(),tries=tries+1 where ip='" . escape_check($ip) . "'");
    } else {
        # New row: any existing row for this IP (one already at the limit) is replaced.
        sql_query("delete from ip_lockout where ip='" . escape_check($ip) . "'");
        sql_query("insert into ip_lockout (ip,tries,last_try) values ('" . escape_check($ip) . "',1,now())");
    }

    # Increment a lockout value for any matching username (bound value shown redacted in this listing).
    $ulocks = sql_query("select ref,login_tries,login_last_try from user where username='******'");
    if (count($ulocks) > 0) {
        $tries = $ulocks[0]["login_tries"];
        if ($tries == "") {
            $tries = 1;
        } else {
            $tries++;
        }
        # The counter wraps back to 1 once it passes the limit.
        if ($tries > $max_login_attempts_per_username) {
            $tries = 1;
        }
        if ($tries == $max_login_attempts_per_username) {
            # Show locked out message.
            $result['error'] = str_replace("?", $max_login_attempts_wait_minutes, $lang["max_login_attempts_exceeded"]);
        }
        sql_query("update user set login_tries='{$tries}',login_last_try=now() where username='******'");
    }
    return $result;
}
* @package ResourceSpace * @subpackage Pages_Team */ include dirname(__FILE__) . "/../../../include/db.php"; include dirname(__FILE__) . "/../../../include/general.php"; include dirname(__FILE__) . "/../../../include/authenticate.php"; if (!checkperm("o")) { exit("Permission denied."); } include_once dirname(__FILE__) . "/../inc/news_functions.php"; $ref = getvalescaped("ref", "", true); $offset = getvalescaped("offset", 0); $findtext = getvalescaped("findtext", ""); $date = getval("date", date("Y-m-d H:i:s")); $title = getvalescaped("title", 0); $body = getvalescaped("body", 0); # get ref value from database, unless it is set to new if (getval("ref", "") == "new") { $createnews = true; } else { $news = get_news($ref, "", ""); $createnews = false; } if (getval("save", "") != "") { # Save news if ($createnews) { add_news($date, $title, $body); } else { update_news($ref, $date, $title, $body); } redirect("plugins/news/pages/news_edit.php?findtext=" . $findtext . "&offset=" . $offset);
# External access support (authenticate only if no key provided, or if invalid access key provided) $k = getvalescaped("k", ""); if ($k == "" || !check_access_key(getvalescaped("ref", "", true), $k)) { include "../include/authenticate.php"; } } $ref = getvalescaped("ref", "", true); $size = getvalescaped("size", ""); $ext = getvalescaped("ext", ""); if (!preg_match('/^[a-zA-Z0-9]+$/', $ext)) { $ext = "jpg"; } $alternative = getvalescaped("alternative", -1); $page = getvalescaped("page", 1); $usage = getvalescaped("usage", "-1"); $usagecomment = getvalescaped("usagecomment", ""); $resource_data = get_resource_data($ref); if ($direct_download_noauth && $direct) { # if this is a direct download and direct downloads w/o authentication are enabled, allow regardless of permissions $allowed = true; } else { # Permissions check $allowed = resource_download_allowed($ref, $size, $resource_data["resource_type"], $alternative); } if (!$allowed) { # This download is not allowed. How did the user get here? exit("Permission denied"); } # additional access check, as the resource download may be allowed, but access restriction should force watermark. $access = get_resource_access($ref); $use_watermark = check_use_watermark($ref);
<?php for ($n = 1; $n <= 150; $n++) { $date = time() + 60 * 60 * 24 * $n; ?> <option <?php $d = date("D", $date); if ($d == "Sun" || $d == "Sat") { ?> style="background-color:#cccccc"<?php } ?> value="<?php echo date("Y-m-d", $date); ?> " <?php if (substr(getvalescaped("editexpiration", ""), 0, 10) == date("Y-m-d", $date)) { echo "selected"; } ?> ><?php echo nicedate(date("Y-m-d", $date), false, true); ?> </option> <?php } ?> </select> <div class="clearerleft"> </div> </div> <div class="QuestionSubmit" style="padding-top:0;margin-top:0;">
$permission = trim($permission); if ($permission == "") { continue; } if (isset($sql_permision_filter)) { $sql_permision_filter .= " and "; } else { $sql_permision_filter = "("; } $permission = preg_replace('(\\W+)', '\\\\\\\\$0', $permission); // we need to pass two "\" before the escaped char for regex to take it literally (doubled here as sql_query() will convert most of them) $sql_permision_filter .= "usergroup.permissions regexp binary '^{$permission}|,{$permission},|,{$permission}\$|^{$permission}\$'"; } $sql_permision_filter .= ")"; } $offset = getvalescaped("offset", 0); $order_by = getval("orderby", "name"); $groups = sql_query("\n\tselect \n\t\tusergroup.ref as ref,\n\t\tusergroup.name as name,\n\t\tcount(user.ref) as users,\n\t\tparentusergroup.ref as pref,\n\t\tif (usergroup.parent is not null and usergroup.parent<>'' and usergroup.parent<>'0' and (parentusergroup.name is null or parentusergroup.name=''),usergroup.ref,parentusergroup.ref) as pref,\n\t\tif (usergroup.parent is not null and usergroup.parent<>'' and usergroup.parent<>'0' and (parentusergroup.name is null or parentusergroup.name=''),'orphaned',parentusergroup.name) as pname,\n\t\t(usergroup.parent is not null and usergroup.parent<>'' and usergroup.parent<>'0' and (parentusergroup.name is null or parentusergroup.name='')) as orphaned\n\tfrom\n\t\tusergroup \n\tleft outer join usergroup parentusergroup\n\ton \t\n\t\tusergroup.parent=parentusergroup.ref\n\tleft outer join user\n\ton\n\t\tusergroup.ref=user.usergroup where true" . ($find == "" ? "" : " and (usergroup.ref like '%{$find}%' or usergroup.name like '%{$find}%' or parentusergroup.name like '%{$find}%')") . ($filter_by_parent == "" ? "" : " and parentusergroup.ref={$filter_by_parent}") . ($filter_by_permissions == "" ? "" : " and {$sql_permision_filter}") . 
" group by\n\t\tusergroup.ref\n\torder by {$order_by}"); # pager $per_page = 15; $results = count($groups); $totalpages = ceil($results / $per_page); $curpage = floor($offset / $per_page) + 1; $url = "admin_group_management.php?" . ($order_by ? "orderby={$order_by}" : ""); function addColumnHeader($orderName, $labelKey) { global $baseurl, $order_by, $filter_by_parent, $filter_by_permissions, $find, $lang; if ($order_by == $orderName) { $image = '<span class="ASC"></span>'; } else { if ($order_by == $orderName . ' desc') {
/**
 * Saves the submitted site text changes to the database.
 *
 * The action taken depends on which form field was submitted (read via getval()):
 * "deletecustom", "deleteme", "copyme", "newhelp", or - when none of these is set - a plain
 * insert/update of the "text" field for the given language/group, followed by a clean-up of
 * translations that merely duplicate the default-language text.
 *
 * NOTE(review): $page, $name, $language, $group and the global $newhelp are interpolated into
 * the SQL as-is, whereas the "text" field goes through getvalescaped(). Whether the caller has
 * already escaped those values cannot be seen from here - confirm at the call sites before
 * relying on this for untrusted input.
 *
 * @param string $page      Page the text belongs to.
 * @param string $name      Name of the text entry.
 * @param string $language  Language code of the text being saved.
 * @param string $group     User group the text is specific to; "" means not group specific.
 * @return bool|null  true when $newcustom is set and a row for this page/name already exists
 *                    (nothing is saved in that case); otherwise no value is returned.
 */
function save_site_text($page, $name, $language, $group) {
    # Build the "specific_to_group" predicate: "is null" for shared text, "= '<group>'" otherwise.
    if ($group == "") {
        $g = "null";
        $gc = "is";
    } else {
        $g = "'" . $group . "'";
        $gc = "=";
    }
    global $custom, $newcustom, $defaultlanguage;
    if ($newcustom) {
        # Creating a new custom entry: refuse to overwrite an existing page/name pair.
        $test = sql_query("select * from site_text where page='{$page}' and name='{$name}'");
        if (count($test) > 0) {
            return true;
        }
    }
    if ($custom == "") {
        $custom = 0;
    }
    if (getval("deletecustom", "") != "") {
        # Remove the entry for every language and group.
        sql_query("delete from site_text where page='{$page}' and name='{$name}'");
    } elseif (getval("deleteme", "") != "") {
        # Remove only this group's variant (all languages).
        sql_query("delete from site_text where page='{$page}' and name='{$name}' and specific_to_group {$gc} {$g}");
    } elseif (getval("copyme", "") != "") {
        # Copy the submitted text into a new row for this language/group.
        sql_query("insert into site_text(page,name,text,language,specific_to_group,custom) values ('{$page}','{$name}','" . getvalescaped("text", "") . "','{$language}',{$g},'{$custom}')");
    } elseif (getval("newhelp", "") != "") {
        global $newhelp;
        # NOTE(review): the existence check is against page 'help' but the insert below uses $page - confirm this is intended.
        $check = sql_query("select * from site_text where page = 'help' and name='{$newhelp}'");
        if (!isset($check[0])) {
            sql_query("insert into site_text(page,name,text,language,specific_to_group) values ('{$page}','{$newhelp}','','{$language}',{$g})");
        }
    } else {
        $text = sql_query("select * from site_text where page='{$page}' and name='{$name}' and language='{$language}' and specific_to_group {$gc} {$g}");
        if (count($text) == 0) {
            # Insert a new row for this language/group.
            sql_query("insert into site_text(page,name,language,specific_to_group,text,custom) values ('{$page}','{$name}','{$language}',{$g},'" . getvalescaped("text", "") . "','{$custom}')");
        } else {
            # Update existing row
            sql_query("update site_text set text='" . getvalescaped("text", "") . "' where page='{$page}' and name='{$name}' and language='{$language}' and specific_to_group {$gc} {$g}");
        }
        # Language clean up - remove all entries that are exactly the same as the default text.
        # The delete is not restricted by group: it matches every non-default-language row for
        # this page/name whose trimmed text equals this group's default-language text.
        $defaulttext = sql_value("select text value from site_text where page='{$page}' and name='{$name}' and language='{$defaultlanguage}' and specific_to_group {$gc} {$g}", "");
        sql_query("delete from site_text where page='{$page}' and name='{$name}' and language!='{$defaultlanguage}' and trim(text)='" . trim(escape_check($defaulttext)) . "'");
    }
}
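# Fetch collection data
$cinfo = get_collection($collection);
if ($cinfo === false) {
    exit("Collection not found.");
}

# Check access before reading anything resource-specific: the original order looked up the
# comment/rating for $ref first and only then refused unreadable collections.
if (!collection_readable($collection)) {
    exit("Access denied.");
}

# Existing comment and rating for this resource within the collection (pre-fills the form).
$commentdata = get_collection_resource_comment($ref, $collection);
$comment = $commentdata["comment"];
$rating = $commentdata["rating"];

if (getval("submitted", "") != "") {
    # Save comment
    $comment = trim(getvalescaped("comment", ""));
    $rating = trim(getvalescaped("rating", ""));
    save_collection_resource_comment($ref, $collection, $comment, $rating);
    if ($k == "") {
        # Internal users go back to the search page, which reloads the collection frame.
        redirect($baseurl_short . "pages/search.php?refreshcollectionframe=true&search=!collection" . $collection);
    } else {
        # Stay on this page for external access users (no access to search)
        refresh_collection_frame();
    }
}

include "../include/header.php";
?>
<div class="BasicsBox">
<h1><?php echo $lang["collectioncomments"]; ?> </h1>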
# Save license data # Construct expiry date $expires = getvalescaped("expires_year", "") . "-" . getvalescaped("expires_month", "") . "-" . getvalescaped("expires_day", ""); # Construct usage $license_usage = ""; if (isset($_POST["license_usage"])) { $license_usage = escape_check(join(", ", $_POST["license_usage"])); } if ($ref == "new") { # New record sql_query("insert into resource_license (resource,outbound,holder,license_usage,description,expires) values ('" . getvalescaped("resource", "") . "', '" . getvalescaped("outbound", "") . "', '" . getvalescaped("holder", "") . "', '{$license_usage}', '" . getvalescaped("description", "") . "', '{$expires}')"); $ref = sql_insert_id(); resource_log($resource, "", "", $lang["new_license"] . " " . $ref); } else { # Existing record sql_query("update resource_license set outbound='" . getvalescaped("outbound", "") . "',holder='" . getvalescaped("holder", "") . "', license_usage='{$license_usage}',description='" . getvalescaped("description", "") . "',expires='{$expires}' where ref='{$ref}' and resource='{$resource}'"); resource_log($resource, "", "", $lang["edit_license"] . " " . $ref); } redirect("pages/view.php?ref=" . $resource); } # Fetch license data if ($ref == "new") { # Set default values for the creation of a new record. $license = array("resource" => $resource, "outbound" => 1, "holder" => "", "license_usage" => "", "description" => "", "expires" => date("Y-m-d")); } else { $license = sql_query("select * from resource_license where ref='{$ref}'"); if (count($license) == 0) { exit("License not found."); } $license = $license[0]; $resource = $license["resource"];
/**
 * Performs the login using the global $username, and $password. Since the "externalauth" hook
 * is allowed to change the credentials later on, the $password_hash needs to be global as well.
 *
 * Flow: derive $password_hash (legacy MD5 scheme, see below), run the "externalauth" hook, look the
 * user up by username and password, and then either mark the login valid (updating the user row and
 * clearing this IP's lockout counter) or record the failure against both the IP and the username.
 *
 * NOTE(review): several SQL literals in this listing read '******'; they look like redactions of the
 * password/username predicates rather than real code - compare against the actual source file.
 *
 * @return array Containing the login details ('valid' determines whether or not the login succeeded;
 *               on success 'session_hash' and 'password_hash' are also set, on failure 'error' holds
 *               a language string).
 */
function perform_login() {
    global $api, $scramble_key, $enable_remote_apis, $lang, $max_login_attempts_wait_minutes, $max_login_attempts_per_ip, $max_login_attempts_per_username, $global_cookies, $username, $password, $password_hash;
    # Prevent MD5s being entered directly while still supporting direct entry of plain text passwords
    # (for systems that were set up prior to MD5 password encryption was added). If a special key is
    # sent, which is the md5 hash of the username and the secret scramble key, then allow a login
    # using the MD5 password hash as the password. This is for the 'log in as this user' feature.
    # NOTE(review): the key is compared with "!=" rather than hash_equals(), and the check is skipped
    # entirely when $api is set.
    if (!$api && strlen($password) == 32 && getval("userkey", "") != md5($username . $scramble_key)) {
        exit("Invalid password.");
    }
    if (strlen($password) != 32) {
        # Provided password is not a hash, so generate a hash.
        # Legacy scheme: MD5 over a fixed prefix, the username and the password - no per-user random salt.
        $password_hash = md5("RS" . $username . $password);
    } else {
        $password_hash = $password;
    }
    $ip = get_ip();
    # This may change the $username, $password, and $password_hash
    hook("externalauth", "", array($username, $password)); #Attempt external auth if configured
    # The session hash is bound to the current date, so it rotates daily; with $enable_remote_apis
    # the plain-text password is left out of it.
    $session_hash = md5($password_hash . $username . $password . date("Y-m-d"));
    if ($enable_remote_apis) {
        $session_hash = md5($password_hash . $username . date("Y-m-d"));
    } // no longer necessary to omit password in this hash for api support
    $valid = sql_query("select ref,usergroup from user where lower(username)='" . escape_check($username) . "' and (password='******' or password='******')");
    # Prepare result array
    $result = array();
    $result['valid'] = false;
    if (count($valid) >= 1) {
        # Account expiry: a matching account whose expiry date has passed is rejected here.
        $expires = sql_value("select account_expires value from user where username='******' and password='******'", "");
        if ($expires != "" && $expires != "0000-00-00 00:00:00" && strtotime($expires) <= time()) {
            $result['error'] = $lang["accountexpired"];
            return $result;
        }
        $result['valid'] = true;
        $result['session_hash'] = $session_hash;
        $result['password_hash'] = $password_hash;
        # Update the user record. Set the password hash again in case a plain text password was provided.
        # Also stores the session hash, resets the failed-login counter and records the requested UI language.
        sql_query("update user set password='******',session='" . escape_check($session_hash) . "',last_active=now(),login_tries=0,lang='" . getvalescaped("language", "") . "' where lower(username)='" . escape_check($username) . "' and (password='******' or password='******')");
        # Log this
        $userref = $valid[0]["ref"];
        $usergroup = $valid[0]["usergroup"]; # assigned but not read again in this function
        daily_stat("User session", $userref);
        sql_query("insert into resource_log(date,user,resource,type) values (now()," . ($userref != "" ? "'{$userref}'" : "null") . ",0,'l')");
        # Blank the IP address lockout counter for this IP
        sql_query("delete from ip_lockout where ip='" . escape_check($ip) . "'");
        return $result;
    }
    # Invalid login
    $result['error'] = $lang["loginincorrect"];
    hook("loginincorrect");
    # Add / increment a lockout value for this IP. Only the counters are maintained here; nothing in
    # this function reads them to refuse an attempt.
    $lockouts = sql_value("select count(*) value from ip_lockout where ip='" . escape_check($ip) . "' and tries<'" . $max_login_attempts_per_ip . "'", "");
    if ($lockouts > 0) {
        # Existing row with room to move
        $tries = sql_value("select tries value from ip_lockout where ip='" . escape_check($ip) . "'", 0);
        $tries++;
        if ($tries == $max_login_attempts_per_ip) {
            # Show locked out message.
            $result['error'] = str_replace("?", $max_login_attempts_wait_minutes, $lang["max_login_attempts_exceeded"]);
        }
        # Increment
        sql_query("update ip_lockout set last_try=now(),tries=tries+1 where ip='" . escape_check($ip) . "'");
    } else {
        # New row - this also replaces any row whose counter already reached the limit (excluded by the count above).
        sql_query("delete from ip_lockout where ip='" . escape_check($ip) . "'");
        sql_query("insert into ip_lockout (ip,tries,last_try) values ('" . escape_check($ip) . "',1,now())");
    }
    # Increment a lockout value for any matching username.
    $ulocks = sql_query("select ref,login_tries,login_last_try from user where username='******'");
    if (count($ulocks) > 0) {
        $tries = $ulocks[0]["login_tries"];
        if ($tries == "") {
            $tries = 1;
        } else {
            $tries++;
        }
        # The counter wraps back to 1 once the per-username limit has been exceeded.
        if ($tries > $max_login_attempts_per_username) {
            $tries = 1;
        }
        if ($tries == $max_login_attempts_per_username) {
            # Show locked out message.
            $result['error'] = str_replace("?", $max_login_attempts_wait_minutes, $lang["max_login_attempts_exceeded"]);
        }
        sql_query("update user set login_tries='{$tries}',login_last_try=now() where username='******'");
    }
    return $result;
}
$origsizes = getimagesize($originalpath); $cropwidth = $cropsizes[0]; $cropheight = $cropsizes[1]; $origwidth = $origsizes[0]; $origheight = $origsizes[1]; // if we've been told to do something if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'docrop') { $width = getvalescaped('width', '', true); $height = getvalescaped('height', '', true); $xcoord = getvalescaped('xcoord', '', true); $ycoord = getvalescaped('ycoord', '', true); $description = getvalescaped('description', ''); $cropsize = getvalescaped('cropsize', '', true); $new_width = getvalescaped('new_width', '', true); $new_height = getvalescaped('new_height', '', true); $alt_type = getvalescaped('alt_type', ''); if (isset($_REQUEST['flip']) && $_REQUEST['flip'] == 1 && !$cropperestricted) { $flip = true; } else { $flip = false; } if (isset($_REQUEST['rotation']) && is_numeric($_REQUEST['rotation']) && $_REQUEST['rotation'] > 0 && $_REQUEST['rotation'] < 360 && !$cropperestricted) { $rotation = $_REQUEST['rotation']; } else { $rotation = 0; } if (isset($_REQUEST['filename']) && $cropper_custom_filename) { $filename = $_REQUEST['filename']; } else { $filename = ''; }
# Look up the collection; bail out when it does not exist.
$cinfo = get_collection($collection);
if (false === $cinfo) {
    exit("Collection not found.");
}

# Check access: only collections that request feedback can be commented on.
if (!$cinfo["request_feedback"]) {
    exit("Access denied.");
}

# Check that comments have been added (resource selection may stand in for them).
$comments = get_collection_comments($collection);
if (0 == count($comments) && false == $feedback_resource_select) {
    $errors = $lang["feedbacknocomments"];
}

# Save comment when the form was submitted.
if ("" != getval("save", "")) {
    $comment = trim(getvalescaped("comment", ""));
    send_collection_feedback($collection, $comment);
    # Stay on this page for external access users (no access to search)
    refresh_collection_frame();
    $done = true;
}

# Lightbox assets; $headerinsert is emitted by header.php.
$headerinsert .= '<script src="../lib/lightbox/js/jquery.lightbox-0.5.min.js" type="text/javascript"></script>';
$headerinsert .= '<link type="text/css" href="../lib/lightbox/css/jquery.lightbox-0.5.css?css_reload_key=' . $css_reload_key . '" rel="stylesheet">';

include "../include/header.php";
?>
<script type="text/javascript">
jQuery(document).ready(function(){ jQuery('.lightbox').lightBox(); });
if ($deleted_usercoll && count($c) > 0) { # Select the first collection in the dropdown box. $usercollection = $c[0]["ref"]; set_user_collection($userref, $usercollection); } # User has deleted their last collection? add a new one. if (count($c) == 0) { # No collections to select. Create them a new collection. $name = get_mycollection_name($userref); $usercollection = create_collection($userref, $name); set_user_collection($userref, $usercollection); } refresh_collection_frame($usercollection); } hook('customcollectionmanage'); $removeall = getvalescaped("removeall", ""); if ($removeall != "") { remove_all_resources_from_collection($removeall); refresh_collection_frame($usercollection); } include "../include/header.php"; ?> <div class="BasicsBox"> <h2> </h2> <h1><?php echo $lang["managemycollections"]; ?> </h1> <p class="tight"><?php echo text("introtext"); ?>