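function saveUploadDetails()
{
    // Saves the info1..info5 caption fields for every upload listed in uploadNums[].
    // Uploads are scoped either to a saved record (num) or to a record that hasn't been
    // saved yet (preSaveTempId). On success emits JS that reloads the parent upload list
    // iframe and closes the thickbox; any die() output is shown to the user by the caller.
    global $TABLE_PREFIX;
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();

    // fieldName is reflected into inline JavaScript below, so restrict it to the characters a
    // schema fieldname may contain (a-z, A-Z, 0-9, - and _) before it goes anywhere near output.
    $fieldName = is_scalar(@$_REQUEST['fieldName']) ? (string) $_REQUEST['fieldName'] : '';
    if (!preg_match('/^[a-zA-Z0-9_\-]*$/', $fieldName)) {
        die(__FUNCTION__ . ": Invalid 'fieldName' specified!");
    }

    // update uploads
    if (is_array(@$_REQUEST['uploadNums'])) {
        foreach ($_REQUEST['uploadNums'] as $uploadNum) {
            if (!$uploadNum) {
                die(__FUNCTION__ . ": No upload num specified!");
            }
            // upload nums are integer row ids and are also used to build the request keys below
            if (!is_scalar($uploadNum) || !preg_match('/^\d+$/', (string) $uploadNum)) {
                die(__FUNCTION__ . ": Invalid upload num specified!");
            }

            $setClauses = array();
            for ($i = 1; $i <= 5; $i++) {
                $setClauses[] = "info{$i} = '" . mysql_escape(@$_REQUEST["{$uploadNum}_info{$i}"]) . "'";
            }
            $query  = "UPDATE `{$TABLE_PREFIX}uploads`\n";
            $query .= "   SET " . implode(",\n       ", $setClauses) . "\n";
            $query .= " WHERE num = '" . mysql_escape($uploadNum) . "' AND ";
            // the upload must belong to the record being edited (saved or not yet saved)
            if (@$_REQUEST['num']) {
                $query .= "recordNum     = '" . mysql_escape($_REQUEST['num']) . "'";
            } elseif (@$_REQUEST['preSaveTempId']) {
                $query .= "preSaveTempId = '" . mysql_escape($_REQUEST['preSaveTempId']) . "'";
            } else {
                die("No value specified for 'num' or 'preSaveTempId'!");
            }
            mysql_query($query) or die("MySQL Error: " . htmlencode(mysql_error()) . "\n");
        }
    }

    // reload uploadlist in the parent window, then close thickbox
    print "<script type='text/javascript'>self.parent.reloadIframe('{$fieldName}_iframe')</script>";
    print "<script type='text/javascript'>self.parent.tb_remove();</script>\n";
    exit;
}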
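function resetPassword()
{
    // Handles the "reset password" link from the forgot-password email. The userNum /
    // resetCode pair must validate before anything else happens; on form submit the new
    // password digest is stored and the user is sent to the login screen.
    global $CURRENT_USER, $SETTINGS;
    $GLOBALS['sentEmail'] = false;

    // error checking
    if (!@$_REQUEST['userNum']) {
        die("No 'userNum' value specified!");
    }
    if (!@$_REQUEST['resetCode']) {
        die("No 'resetCode' value specified!");
    }
    if (!_isValidPasswordResetCode(@$_REQUEST['userNum'], @$_REQUEST['resetCode'])) {
        alert(t("Password reset code has expired or is not valid. Try resetting your password again."));
        showInterface('forgotPassword.php', false);
        // Must stop here. The other showInterface() calls in this function are followed by an
        // explicit exit; without one the password update below would still run for an
        // invalid or expired reset code.
        exit;
    }

    // load user
    global $user;
    $user = mysql_get(accountsTable(), (int) @$_REQUEST['userNum']);
    if (!$user) {
        die("No user found for 'userNum'!");
    }

    // save new password on form submit
    if (@$_REQUEST['submitForm']) {
        security_dieUnlessPostForm();
        security_dieOnInvalidCsrfToken();
        disableInDemoMode('', 'resetPassword.php');

        // error checking - v2.52
        $textErrors = getNewPasswordErrors(@$_REQUEST['password'], @$_REQUEST['password:again'], $user['username']);
        if ($textErrors) {
            alert(nl2br(htmlencode($textErrors)));
            showInterface('resetPassword.php');
            exit;
        }

        // update password
        $newPassword = getPasswordDigest($_REQUEST['password']);
        mysql_update(accountsTable(), $user['num'], null, array('password' => $newPassword));
        // NOTE(review): nothing visible here invalidates the reset code after use; unless
        // _isValidPasswordResetCode() does that itself, the emailed link stays reusable
        // until it expires - confirm.

        // show login
        alert(t('Password updated!'));
        $_REQUEST = array();
        showInterface('login.php', false);
        exit;
    }

    showInterface('resetPassword.php');
    exit;
}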
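function categoryMoveDrag()
{
    // Drag-and-drop move of one category row (sourceNum) relative to another (targetNum),
    // as directed by position ('child', 'above' or 'below'). Rewrites parentNum and the
    // siblingOrder of the destination branch, then lets updateCategoryMetadataDrag()
    // recompute globalOrder etc. Always ends with a redirect back to the menu.
    global $tableName, $escapedTableName, $isMyAccountMenu;
    if ($isMyAccountMenu) {
        die("Access not permitted for My Account menu!");
    }
    foreach (array('sourceNum', 'targetNum', 'position') as $requiredField) {
        if (!isset($_REQUEST[$requiredField])) {
            die("{$requiredField} not set.");
        }
    }
    $sourceNum = $_REQUEST['sourceNum'];
    $targetNum = $_REQUEST['targetNum'];
    $position  = $_REQUEST['position'];
    if (!is_numeric($sourceNum) || !is_numeric($targetNum)) {
        redirectBrowserToURL("?menu={$tableName}", true);
        exit;
    }
    // is_numeric() also accepts floats, exponents and leading whitespace, and sourceNum is
    // interpolated unescaped into SQL below (WHERE num = '...'), so pin both to plain integers.
    $sourceNum = (int) $sourceNum;
    $targetNum = (int) $targetNum;
    // A row can't be moved relative to itself ('child' would make it its own parent), and
    // position is only ever compared against these three values.
    if ($sourceNum === $targetNum || !in_array($position, array('child', 'above', 'below'), true)) {
        redirectBrowserToURL("?menu={$tableName}", true);
        exit;
    }
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();

    // load categoriesByNum
    $categoriesByNum = array();
    $query  = "SELECT * FROM `{$escapedTableName}` ORDER BY globalOrder";
    $result = mysql_query($query) or die("MySQL Error: " . htmlencode(mysql_error()) . "\n");
    while ($row = mysql_fetch_assoc($result)) {
        $row['oldSiblingOrder']       = $row['siblingOrder'];
        $categoriesByNum[$row['num']] = $row;
    }
    if (is_resource($result)) {
        mysql_free_result($result);
    }
    // both rows must exist; otherwise the lookups below would operate on undefined entries
    if (!isset($categoriesByNum[$sourceNum]) || !isset($categoriesByNum[$targetNum])) {
        redirectBrowserToURL("?menu={$tableName}", true);
        exit;
    }

    // update order
    $parentNum = $position == 'child' ? $targetNum : $categoriesByNum[$targetNum]['parentNum'];

    // Source cannot be made a child of its descendant: walk up from the target to the root.
    $currParentNum = $categoriesByNum[$targetNum]['parentNum'];
    while ($currParentNum) {
        if ($currParentNum == $sourceNum) {
            redirectBrowserToURL("?menu={$tableName}", true);
            exit;
        }
        $currParentNum = isset($categoriesByNum[$currParentNum]) ? $categoriesByNum[$currParentNum]['parentNum'] : 0;
    }
    $categoriesByNum[$sourceNum]['parentNum'] = $parentNum;

    // Double-space the sibling orders on the destination branch so the moved row can be
    // slotted in at target+/-1 without colliding with an existing sibling. Indexing by key
    // (instead of a foreach reference) avoids leaving a dangling reference into the array,
    // which the original's later by-value foreach would have written through.
    foreach (array_keys($categoriesByNum) as $num) {
        if ($categoriesByNum[$num]['parentNum'] != $parentNum) {
            continue;  // only modify siblings on branch
        }
        $categoriesByNum[$num]['siblingOrder'] = 2 + $categoriesByNum[$num]['siblingOrder'] * 2;
    }

    if ($position == 'child') {
        $categoriesByNum[$sourceNum]['siblingOrder'] = 1;  // if adding as child, default to first sibling
    } elseif ($position == 'above') {
        $categoriesByNum[$sourceNum]['siblingOrder'] = $categoriesByNum[$targetNum]['siblingOrder'] - 1;
    } else {  // 'below'
        $categoriesByNum[$sourceNum]['siblingOrder'] = $categoriesByNum[$targetNum]['siblingOrder'] + 1;
    }

    // save new sibling order (skip rows whose order didn't change)
    foreach ($categoriesByNum as $category) {
        if ($category['oldSiblingOrder'] == $category['siblingOrder']) {
            continue;
        }
        $query  = "UPDATE `{$escapedTableName}` SET ";
        $query .= "`siblingOrder` = '" . mysql_escape($category['siblingOrder']) . "' ";
        $query .= "WHERE num = '" . mysql_escape($category['num']) . "'";
        mysql_query($query) or die("There was an error updating the category metadata:\n\n" . htmlencode(mysql_error()) . "\n");
    }

    // save new parent
    $query  = "UPDATE `{$escapedTableName}` SET ";
    $query .= "`parentNum` = '" . mysql_escape($parentNum) . "' ";
    $query .= "WHERE num = '{$sourceNum}'";  // int-cast above
    mysql_query($query) or die("There was an error updating the category metadata:\n\n" . htmlencode(mysql_error()) . "\n");

    // update global order, etc
    updateCategoryMetadataDrag();

    // refresh page
    redirectBrowserToURL("?menu={$tableName}", true);
    exit;
}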
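function submitFormViaAjax()
{
    // Ajax handler for the schema editor's add/edit-field form. Validates the requested
    // field definition, prints any errors (the JS caller alerts non-empty output), then
    // applies the change to MySQL first (to surface MySQL errors) and to the schema second.
    global $schema;

    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    disableInDemoMode('', 'ajax');

    $type         = @$_REQUEST['type'];
    $oldFieldname = @$_REQUEST['fieldname'];

    // auto-assign separator and relatedRecords fieldnames
    if ($type == 'separator' || $type == 'relatedRecords') {
        if ($oldFieldname == '') {
            // new field: take the first unused __type001__, __type002__, ... name
            $newFieldname = '';
            $count        = '001';
            while (!$newFieldname || array_key_exists($newFieldname, $schema)) {
                $newFieldname = "__{$type}{$count}__";
                $count        = str_pad(++$count, 3, '0', STR_PAD_LEFT);
            }
            $_REQUEST['newFieldname'] = $newFieldname;
        } else {
            $_REQUEST['newFieldname'] = $oldFieldname;
        }
    }

    // support MySQL Column Type dropdown supplying a value
    if (@$_REQUEST['customColumnType-select'] !== '_customColumnType_') {
        $_REQUEST['customColumnType'] = @$_REQUEST['customColumnType-select'];
    }

    // Separator - Use label for header
    if ($type == 'separator' && @$_REQUEST['label'] != '') {
        $_REQUEST['separatorType']   = 'header bar';
        $_REQUEST['separatorHeader'] = $_REQUEST['label'];
        $_REQUEST['label']           = '';  // blank out label so we don't save it
    }

    $newFieldname = @$_REQUEST['newFieldname'];

    // Note: 'order' is a MySQL keyword that causes errors if not escaped, that's why it's reserved
    $reservedFieldnames = array('menu', 'menuName', 'menuType', 'menuOrder', 'menuHidden', 'tableHidden',
                                'listPageFields', 'listPageOrder', 'listPageSearchFields', 'length', 'order',
                                'action', 'page');
    $fieldnameChanged = $oldFieldname && $oldFieldname != $newFieldname;
    // Case-insensitive exact match against the list. The previous "\b\Q...\E\b" regex
    // interpolated the user-supplied name into the pattern, so a name containing "\E" could
    // terminate the quoted section and make preg_match() error out instead of flagging it.
    $isFieldnameReserved = is_string($newFieldname)
        && in_array(strtolower($newFieldname), array_map('strtolower', $reservedFieldnames), true);

    // built-in fields whose type is fixed
    $typeNoneFields     = array('num', 'createdDate', 'createdByUserNum', 'updatedDate', 'updatedByUserNum', 'dragSortOrder');
    $typeDateFields     = array('publishDate', 'removeDate');
    $typeCheckboxFields = array('neverRemove', 'hidden');

    // error checking
    $errors = '';
    if (@$_REQUEST['tableName'] == '') {
        $errors .= "no 'tableName' specified!\n";
    }
    if ($type == '') {
        $errors .= "no field 'type' specified!\n";
    }
    if (!$type) {
        $errors .= "You must enter a value for 'Field Type'\n";
    }
    if (!$newFieldname) {
        $errors .= "You must enter a value for 'Field Name'\n";
    } elseif (preg_match('/[^a-z0-9\\_\\-]/i', $newFieldname)) {
        $errors .= "'Field Name' can only contain the following characters (a-z, A-Z, 0-9, - and _)\n";
    } elseif (preg_match('/^_/i', $newFieldname) && $type != 'separator' && $type != 'relatedRecords') {
        $errors .= "'Field Name' cannot start with an underscore\n";  // _fields aren't allowed by default
    } elseif ($isFieldnameReserved) {
        $errors .= "Selected fieldname is reserved, please choose another.\n";
    } elseif ($fieldnameChanged && @$schema[$newFieldname]) {
        $errors .= "Selected fieldname is already in use, please choose another.\n";
    }
    // useCustomUploadDir: the trailing-slash checks on customUploadDir/customUploadUrl are disabled
    if (in_array($newFieldname, $typeNoneFields) && $type != 'none') {
        $errors .= "Field '{$newFieldname}' must be set to type 'none'\n";
    }
    if (in_array($newFieldname, $typeDateFields) && $type != 'date') {
        $errors .= "Field '{$newFieldname}' must be set to type 'date'\n";
    }
    if (in_array($newFieldname, $typeCheckboxFields) && $type != 'checkbox') {
        $errors .= "Field '{$newFieldname}' must be set to type 'checkbox'\n";
    }
    if ($type == 'textfield' && @$_REQUEST['charsetRule'] && preg_match("/\\-./", @$_REQUEST['charset'])) {
        $errors .= "Allowed Content: If character list contains a dash it must be the last character!\n";
    }
    if ($type == 'upload' || $type == 'wysiwyg') {
        // (label, height field, width field) triples that all share the same numeric rules
        $sizeChecks = array();
        if (@$_REQUEST['resizeOversizedImages']) {
            $sizeChecks[] = array('Resize images', 'maxImageHeight', 'maxImageWidth');
        }
        foreach (array('', 2, 3, 4) as $num) {
            if (@$_REQUEST["createThumbnails{$num}"]) {
                $fieldLabel   = "Create thumbnail" . ($num ? "({$num})" : '');
                $sizeChecks[] = array($fieldLabel, "maxThumbnailHeight{$num}", "maxThumbnailWidth{$num}");
            }
        }
        foreach ($sizeChecks as $check) {
            list($fieldLabel, $heightField, $widthField) = $check;
            if (@$_REQUEST[$heightField] == '') {
                $errors .= "{$fieldLabel}: Please specify a value for Max Image Height!\n";
            }
            if (preg_match('/[^0-9\\_]/i', @$_REQUEST[$heightField])) {
                $errors .= "{$fieldLabel}: Max Image Height must be a numeric value!\n";
            }
            if (@$_REQUEST[$widthField] == '') {
                $errors .= "{$fieldLabel}: Please specify a value for Max Image Width!\n";
            }
            if (preg_match('/[^0-9\\_]/i', @$_REQUEST[$widthField])) {
                $errors .= "{$fieldLabel}: Max Image Width must be a numeric value!\n";
            }
        }
    }
    if ($errors) {
        print $errors;
        exit;
    }

    // update mysql first to get any MySQL errors before updating schema
    _updateMySQL();
    _updateSchema($schema);
}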
<?php

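global $tableName, $schema, $escapedTableName, $isMyAccountMenu;

### Security Checks
# Run before the request is read, the record is loaded or the record_presave hook fires, so a
# forged request (non-POST, external referer, bad CSRF token) is rejected without touching
# the database or running plugin code.
security_dieUnlessPostForm();
security_dieUnlessInternalReferer();
security_dieOnInvalidCsrfToken();

// Check if old record exists and load it
$query        = mysql_escapef("SELECT * FROM `{$escapedTableName}` WHERE num = ? LIMIT 1", @$_REQUEST['num']);
$oldRecord    = mysql_get_query($query);
$recordExists = $oldRecord;
$isNewRecord  = !$oldRecord;

doAction('record_presave', $tableName, $isNewRecord, $oldRecord);

$mySqlColsAndTypes = getMySqlColsAndType($escapedTableName);
$newRecordValues   = _getRecordValuesFromFormInput();

### error checking
$inputErrors    = '';
$maxRecordError = $recordExists ? '' : showMaxRecordsError('returnText');
if ($maxRecordError) {
    $inputErrors = $maxRecordError;
} elseif (@$schema['_disableAdd'] && !$recordExists) {
    $inputErrors = t('Adding records has been disabled for this section!') . "\n";
} elseif (@$schema['_disableModify'] && $recordExists) {
    $inputErrors = t('Modifying records has been disabled for this section!') . "\n";
} else {
    $inputErrors = _getInputValidationErrors($mySqlColsAndTypes, $newRecordValues);
}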
if ($inputErrors) {
    die($inputErrors);
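function adminLoginMenu()
{
    // Login/logout controller for the admin UI: processes loginSubmit, loads $CURRENT_USER
    // from the login cookie, shows the login screen when nobody is logged in, and after a
    // valid login refreshes the cookie and optionally sends the user back to redirectUrl.
    global $CURRENT_USER;

    // login menu actions
    $action = @$_REQUEST['action'];
    if ($action == 'logoff') {
        user_logoff();
        exit;
    }
    if ($action == 'loginSubmit') {
        security_dieUnlessPostForm();
        security_dieUnlessInternalReferer();
        security_dieOnInvalidCsrfToken();
        foreach (array('username', 'password') as $field) {
            // v2.52 remove leading and trailing whitespace (for usability, users accidentally add whitespace)
            $_REQUEST[$field] = preg_replace("/^\\s+|\\s+\$/s", '', @$_REQUEST[$field]);
        }
        loginCookie_set(@$_REQUEST['username'], getPasswordDigest(@$_REQUEST['password']));
    }

    // load current user
    $CURRENT_USER = getCurrentUser($loginExpired);

    // report any errors
    $errors = '';
    if ($loginExpired) {
        $errors .= t("You've been logged out due to inactivity, please login again to continue.");
    } elseif (!$CURRENT_USER && $action == 'loginSubmit') {
        $errors .= t("Invalid username or password");
    } elseif (@$CURRENT_USER['disabled']) {
        $errors .= t("Your account has been disabled.");
    } elseif (@$CURRENT_USER['isExpired']) {
        $errors .= t("Your account has expired.");
    }
    if ($errors) {
        alert($errors);
        loginCookie_remove();   // cookie data is invalid, remove it so we don't keep re-checking it
        $CURRENT_USER = false;  // login is invalid, clear user variable
        // sleep 1-3 seconds to slow brute forcing; the random length means a slow response
        // doesn't by itself reveal a failed password
        usleep(mt_rand(1000000, 3000000));
    }

    // if no logged in user
    if (!$CURRENT_USER) {
        // perform login screen maintenance actions - useful place to run common operations
        if (!$action) {
            createMissingSchemaTablesAndFields();  // create/update missing schemas, etc
            if (!mysql_count('accounts')) {
                alert(t("There are no user accounts in the database."));
            }
        }
        // show login screen if user not logged in
        showInterface('login.php', false);
        exit;
    }

    // user is logged in: reset login cookie (to update lastAccess time used to track session expiry)
    loginCookie_set(@$CURRENT_USER['username'], getPasswordDigest(@$CURRENT_USER['password']));

    // redirect to last url - on valid login. Only follow local paths: an absolute
    // (scheme:) or protocol-relative (// or /\) redirectUrl would turn a crafted login
    // link into an open redirect, and control characters could smuggle extra headers.
    $redirectUrl = @$_REQUEST['redirectUrl'];
    if (is_string($redirectUrl) && $redirectUrl !== ''
        && !preg_match('/[\x00-\x1f\x7f]/', $redirectUrl)
        && !preg_match('#^[a-z][a-z0-9+.\-]*:#i', $redirectUrl)
        && !preg_match('#^[/\\\\]{2}#', $redirectUrl)) {
        redirectBrowserToURL($redirectUrl, true);
        exit;
    }
}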
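function addTable()
{
    // Ajax handler that creates a new section (menu): builds the schema either by copying an
    // existing one or from a preset file, creates the MySQL table, then saves the schema.
    // Printing nothing means success; any output is shown as an error by addTable_functions.js.
    global $TABLE_PREFIX, $APP;
    $menuType     = @$_REQUEST['menuType'];
    $advancedType = @$_REQUEST['advancedType'];
    $tableName    = @$_REQUEST['tableName'];
    $presetName   = @$_REQUEST['preset'];

    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    disableInDemoMode('', 'ajax');

    // error checking
    $errors = '';
    if (!$menuType) {
        $errors .= "No menu type selected!\n";
    }
    if (!@$_REQUEST['menuName']) {
        $errors .= "No menu name specified!\n";
    }
    $errors .= getTablenameErrors($tableName);
    // The table name is spliced between backticks in the CREATE TABLE below and mysql_escape()
    // doesn't escape backticks, so independently of getTablenameErrors() insist on a plain
    // identifier (an empty name is left for getTablenameErrors() to report).
    if (!is_string($tableName) || !preg_match('/^[a-zA-Z0-9_]*$/', $tableName)) {
        $errors .= "Table name can only contain letters, numbers and underscores!\n";
    }

    $newSchema = null;
    if ($menuType == 'copy') {
        if ($errors) {
            die($errors);
        }
        $sourceSchemaName = @$_REQUEST['copy'];
        if (!in_array($sourceSchemaName, getSchemaTables(), true)) {
            die("Couldn't load source schema");
        }
        $newSchema = loadSchema($sourceSchemaName) or die("Couldn't load source schema");
    } else {
        if ($menuType == 'preset') {
            if (!is_string($presetName) || !$presetName) {
                $errors .= "You must select a preset from the pulldown!\n";
            } elseif (!array_key_exists($presetName, getSchemaPresets())) {
                // report the preset that was actually looked up (the old message showed the
                // unrelated 'presetName' request field)
                $errors .= "No schema preset file found for '" . htmlencode($presetName) . "'\n";
            }
        }
        if ($errors) {
            die($errors);
        }
        // create new schema data
        if ($menuType == 'single') {
            $presetTableName = "customSingle";
        } elseif ($menuType == 'multi') {
            $presetTableName = "customMulti";
        } elseif ($menuType == 'preset') {
            $presetTableName = $presetName;
        } elseif ($menuType == 'advanced' && $advancedType == 'category') {
            $presetTableName = "customCategory";
        } elseif ($menuType == 'advanced' && $advancedType == 'textlink') {
            $presetTableName = "customTextLink";
        } elseif ($menuType == 'advanced' && $advancedType == 'menugroup') {
            $presetTableName = "customMenuGroup";
        } else {
            die("Unable to determine preset table name to load!");
        }
        $schemaPresetDir = DATA_DIR . "/schemaPresets/";
        $newSchema = loadSchema($presetTableName, $schemaPresetDir) or die("Couldn't load preset schema");
    }
    $newSchema['menuName']  = @$_REQUEST['menuName'];  // change menu name
    $newSchema['menuOrder'] = time();                   // use time to sort to bottom

    // create mysql table (not strictly required - createMissingSchemaTablesAndFields() creates
    // it if this doesn't - but done here so MySQL errors creating the table are caught)
    $tableNameWithPrefix = $TABLE_PREFIX . $tableName;
    $result = mysql_query("CREATE TABLE `" . mysql_escape($tableNameWithPrefix) . "` (\n                                          num int(10) unsigned NOT NULL auto_increment,\n                                          PRIMARY KEY (num)\n                                        ) ENGINE=MyISAM DEFAULT CHARSET=utf8;");
    if (!$result) {
        print "Error creating MySQL table.\n\nMySQL error was: " . htmlencode(mysql_error()) . "\n";
        exit;
    }

    // save new schema, then create its table/fields in MySQL
    saveSchema($tableName, $newSchema);
    createMissingSchemaTablesAndFields();
    clearAlertsAndNotices();  // don't display alerts about adding new fields
    exit;  // called via ajax: returning nothing means success - see: addTable_functions.js - initSubmitFormWithAjax
}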
function eraseUpload()
{
    // Ajax handler that deletes a single upload row via removeUploads(). The row must match
    // the upload num, this table, the given fieldName, and either the owning recordNum or the
    // preSaveTempId of a record that hasn't been saved yet. Output nothing on success:
    // anything printed is shown as an error alert by the caller.
    global $tableName, $escapedTableName;
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    disableInDemoMode('', 'ajax');

    // error checking
    foreach (array('fieldName', 'uploadNum') as $required) {
        if (!array_key_exists($required, $_REQUEST)) {
            die("no '{$required}' value specified!");
        }
    }

    // owner clause: a saved record (num) takes precedence over a pre-save temp id
    if ($_REQUEST['num']) {
        $ownerClause = "recordNum     = '" . mysql_escape($_REQUEST['num']) . "'";
    } elseif ($_REQUEST['preSaveTempId']) {
        $ownerClause = "preSaveTempId = '" . mysql_escape($_REQUEST['preSaveTempId']) . "'";
    } else {
        die("No value specified for 'num' or 'preSaveTempId'!");
    }

    $conditions = array(
        $ownerClause,
        "num       = '" . mysql_escape($_REQUEST['uploadNum']) . "'",
        "tableName = '" . mysql_escape($tableName) . "'",
        "fieldName = '" . mysql_escape($_REQUEST['fieldName']) . "'",
    );
    $where = implode(' AND ', $conditions);

    if (removeUploads($where) == 0) {
        die("Upload not found!");
    }
    exit;
}
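function admin_saveSettings($savePagePath)
{
    // Saves the admin "general settings" form. Every validation problem is queued with
    // alert(); if any were raised the form is re-shown without saving. Otherwise each
    // top-level $SETTINGS key (and each key of the 'advanced' and 'wysiwyg' subsections)
    // that appears in the request is overwritten from it and the settings file is written.
    //
    // $savePagePath - interface page to return to after saving (also passed to the demo-mode check)
    global $SETTINGS, $APP;

    clearAlertsAndNotices();  // so previous alerts won't prevent saving of admin options

    // security checks
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    disableInDemoMode('settings', $savePagePath);

    # license error checking
    if (array_key_exists('licenseProductId', $_REQUEST)) {
        if (!isValidProductId($_REQUEST['licenseProductId'])) {
            alert("Invalid Product License ID!");
        } elseif ($SETTINGS['licenseProductId'] != $_REQUEST['licenseProductId']) {
            // product id changed: update the license fields and re-register (register()
            // validates the product id and saves the new settings itself)
            $SETTINGS['licenseCompanyName'] = @$_REQUEST['licenseCompanyName'];
            $SETTINGS['licenseDomainName']  = @$_REQUEST['licenseDomainName'];
            $SETTINGS['licenseProductId']   = $_REQUEST['licenseProductId'];
            $isValid = register();
            if (!$isValid) {
                redirectBrowserToURL('?menu=admin', true);
                exit;
            }
        }
    }

    # program url / adminUrl
    if (array_key_exists('adminUrl', $_REQUEST)) {
        // the message promises a scheme, so require one: the old /^http/ test also accepted
        // values such as "httpfoo" that aren't URLs at all
        if (!preg_match('#^https?://#i', $_REQUEST['adminUrl'])) {
            alert("Program URL must start with http:// or https://<br/>\n");
        }
        if (preg_match('/\\?/i', $_REQUEST['adminUrl'])) {
            alert("Program URL can not contain a ?<br/>\n");
        }
    }

    # webPrefixUrl - v2.53
    if (@$_REQUEST['webPrefixUrl'] != '') {
        if (!preg_match("|^(\\w+:/)?/|", $_REQUEST['webPrefixUrl'])) {
            alert(t("Website Prefix URL must start with /") . "<br/>\n");
        }
        if (preg_match("|/\$|", $_REQUEST['webPrefixUrl'])) {
            alert(t("Website Prefix URL cannot end with /") . "<br/>\n");
        }
    }

    # upload url/dir
    // (the former leading/trailing-slash checks on uploadDir and uploadUrl are disabled)
    if (array_key_exists('uploadUrl', $_REQUEST)) {
        $_REQUEST['uploadUrl'] = chop($_REQUEST['uploadUrl'], '\\\\/');  // remove trailing slashes
    }

    # admin email
    if (array_key_exists('adminEmail', $_REQUEST) && !isValidEmail($_REQUEST['adminEmail'])) {
        alert("Admin Email must be a valid email (example: user@example.com)<br/>\n");
    }

    // error checking - require HTTPS (don't let an admin lock themselves out by enabling it over plain HTTP)
    if (@$_REQUEST['requireHTTPS'] && !isHTTPS()) {
        alert("Require HTTPS: You must be logged in with a secure HTTPS url to set this option!<br/>\n");
    }

    // error checking - restrict by IP (same lock-out guard for the IP allow-list)
    if (@$_REQUEST['restrictByIP'] && !isIpAllowed(true, @$_REQUEST['restrictByIP_allowed'])) {
        alert(t("Restrict IP Access: You current IP address must be in the allowed IP list!") . "<br/>\n");
    }

    // error checking - session values
    $sessionErrors = getCustomSessionErrors(@$_REQUEST['session_cookie_domain'], @$_REQUEST['session_save_path']);
    if ($sessionErrors) {
        alert($sessionErrors);
    }

    # show errors
    if (alert()) {
        showInterface('admin/general.php');
        exit;
    }

    ### update global settings
    // Any top-level $SETTINGS key present in the request is overwritten from it, so the set of
    // writable keys is whatever the settings file already holds - not just the fields on this
    // form. This relies on the page being admin-only and on the CSRF check above.
    foreach (array_keys($SETTINGS) as $key) {
        if (array_key_exists($key, $_REQUEST)) {
            $SETTINGS[$key] = $_REQUEST[$key];
        }
    }

    # update subsection settings
    foreach (array('advanced', 'wysiwyg') as $subsection) {
        foreach (array_keys((array) @$SETTINGS[$subsection]) as $key) {
            if (array_key_exists($key, $_REQUEST)) {
                $SETTINGS[$subsection][$key] = $_REQUEST[$key];
            }
        }
    }

    # save to file
    saveSettings();

    # return to admin home
    notice('Settings have been saved.');
    showInterface($savePagePath);
}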
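function eraseField()
{
    // Ajax handler that removes a field: drops it from the schema, drops the MySQL column if
    // one exists, and orphans its uploads (fieldName = '') so they get erased on the next
    // upload form submit. Output nothing on success; any output is shown as an error alert.
    global $TABLE_PREFIX, $schema;

    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    disableInDemoMode('', 'ajax');

    $tableName = @$_REQUEST['tableName'];
    $fieldname = @$_REQUEST['fieldname'];
    if (!$tableName) {
        die("no tableName specified!\n");
    }
    if (!$fieldname) {
        die("no fieldname specified!\n");  // was mis-reported as "no tableName specified!"
    }
    // Both names are spliced between backticks in the ALTER TABLE below and mysql_escape()
    // doesn't escape backticks, so restrict them to the characters the schema editor allows
    // (fieldnames: a-z, A-Z, 0-9, - and _).
    if (!is_string($tableName) || !preg_match('/^[a-zA-Z0-9_]+$/', $tableName)) {
        die("invalid tableName specified!\n");
    }
    if (!is_string($fieldname) || !preg_match('/^[a-zA-Z0-9_\-]+$/', $fieldname)) {
        die("invalid fieldname specified!\n");
    }

    // erase from schema
    unset($schema[$fieldname]);
    saveSchema($tableName, $schema);

    // erase from mySQL (only if a column of that name actually exists)
    if (getMysqlColumnType($tableName, $fieldname) != '') {
        mysql_query("ALTER TABLE `" . mysql_escape($tableName) . "`\n                              DROP COLUMN `" . mysql_escape($fieldname) . "`")
            or die("There was an error removing the MySQL Column, the error was:\n\n" . htmlencode(mysql_error()) . "\n");
    }

    // expire uploads (mark files for erasing by blanking out fieldname - they get erased when upload form is submitted)
    $tableNameWithoutPrefix = getTableNameWithoutPrefix($tableName);
    $query  = "UPDATE `{$TABLE_PREFIX}uploads`";
    $query .= "   SET fieldName = ''";
    $query .= " WHERE fieldName = '" . mysql_escape($fieldname) . "' AND";
    $query .= "       tableName = '" . mysql_escape($tableNameWithoutPrefix) . "'";
    mysql_query($query) or die("There was an error erasing old uploads:\n\n" . htmlencode(mysql_error()) . "\n");

    exit;
}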