/**
 * Read a "WHMCS"-prefixed cookie.
 *
 * The value comes straight from the client and is untrusted. With
 * $decodearray set, it is treated as base64-encoded JSON: the decoded array
 * is passed through htmlspecialchars_array(), and anything that does not
 * decode to an array yields an empty array instead.
 *
 * @param string $name        Cookie name without the "WHMCS" prefix.
 * @param bool   $decodearray Decode the value as a base64/JSON array.
 * @return mixed The raw cookie value ("" when the cookie is absent), or the
 *               escaped array when $decodearray is true.
 */
public static function get($name, $decodearray = false) {
    $cookieKey = "WHMCS" . $name;
    $value = "";
    if (array_key_exists($cookieKey, $_COOKIE)) {
        $value = $_COOKIE[$cookieKey];
    }
    if (!$decodearray) {
        return $value;
    }
    $decoded = json_decode(base64_decode($value), true);
    if (!is_array($decoded)) {
        return array();
    }
    return htmlspecialchars_array($decoded);
}
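/**
 * Classic PHP htmlspecialchars calling recursively on the array.
 *
 * Every leaf is escaped with an explicit ENT_QUOTES | ENT_SUBSTITUTE so
 * single quotes are encoded (attribute context) regardless of the PHP
 * version's default flags, and invalid UTF-8 is replaced with U+FFFD rather
 * than collapsing the whole value to "". Keys are left as they are; nested
 * arrays are walked recursively. Scalars are cast to string before escaping,
 * which is what htmlspecialchars() did implicitly and avoids the PHP 8.1
 * null deprecation.
 *
 * @param mixed $array Usually an array such as $_GET/$_POST. A non-array is
 *                     returned unchanged instead of being iterated.
 * @return mixed The escaped array, or the input when it is not an array.
 */
function htmlspecialchars_array($array = array()) {
    if (!is_array($array) || !$array) {
        return $array;
    }
    foreach ($array as $k => $v) {
        if (is_array($v)) {
            $array[$k] = htmlspecialchars_array($v);
        } else {
            $array[$k] = htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
    return $array;
}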
</p><div> <pre><?php echo '$_GET = ' . print_r(htmlspecialchars_array($_GET), 1); ?> </pre> <pre><?php echo '$_POST = ' . print_r(htmlspecialchars_array($_POST), 1); ?> </pre> <?php $post_data = $_COOKIE; unset($post_data['username']); unset($post_data['password']); ?> <pre><?php echo '$_COOKIE = ' . print_r(htmlspecialchars_array($post_data), 1); ?> </pre> </div></div> <div><p><?php echo $GLOBALS['lang']['msg']['include_file']; ?> </p><div> <table style='width:100%'> <tbody> <?php foreach (get_included_files() as $iInt => $sData) { ?> <tr><td style='width:30px'><?php echo $iInt; ?>
/**
 * Import one piped e-mail into the support ticket system.
 *
 * Flow, in order:
 *   1. decode subject + message through pipeDecodeString(),
 *   2. apply the tblticketspamfilters sender/subject/phrase rules,
 *   3. resolve the department from the recipient address(es), falling back
 *      to the first non-hidden department,
 *   4. identify the sender as admin, client or contact by e-mail address,
 *   5. enforce the "10 tickets per 15 minutes" limit,
 *   6. add a reply (when the subject carries "[Ticket ID: ...]") or open a
 *      new ticket,
 *   7. write the outcome to tblticketmaillog.
 * Each rejection only sets $mailstatus; the log insert at the end always
 * runs. Nothing is returned.
 *
 * All of $to/$name/$email/$subject/$message come from an inbound mail and
 * are untrusted; every identity decision below is made on the sender
 * address alone.
 *
 * @param string $to         Recipient address(es), comma separated.
 * @param string $name       Sender display name.
 * @param string $email      Sender address.
 * @param string $subject    Raw subject.
 * @param string $message    Raw body.
 * @param string $attachment "|"-separated list of already stored attachment
 *                           file names (deleted again when the mail is
 *                           rejected by a spam filter).
 * @return void
 */
function processPipedTicket($to, $name, $email, $subject, $message, $attachment) {
    global $whmcs;   // declared but not read in this function
    global $CONFIG;  // declared but not read in this function
    global $supportticketpipe;
    global $pipenonregisteredreplyonly;
    // Request-wide flag; consumed elsewhere to tell that piping is running.
    $supportticketpipe = true;
    // Subject and body are decoded in one pipeDecodeString() call by joining
    // them with a separator that is not expected to occur in a mail.
    $decodestring = $subject . "##||-MESSAGESPLIT-||##" . $message;
    $decodestring = pipeDecodeString($decodestring);
    $decodestring = explode("##||-MESSAGESPLIT-||##", $decodestring);
    $subject = $decodestring[0];
    $message = $decodestring[1];
    $raw_message = $message; // assigned but never read below
    // Spam filter rules. $mailstatus is never initialised, so the first read
    // in "if (!$mailstatus)" below raises an undefined-variable notice when
    // no rule matched.
    $result = select_query("tblticketspamfilters", "", "");
    while ($data = mysql_fetch_array($result)) {
        $id = $data['id']; // unused
        $type = $data['type'];
        $content = $data['content'];
        if ($type == "sender") {
            if (strtolower($content) == strtolower($email)) {
                $mailstatus = "Blocked Sender";
            }
        }
        // The "x" prefix shifts every match by one so a hit at offset 0 is
        // not mistaken for "not found" by the truthiness test on strpos().
        if ($type == "subject") {
            if (strpos("x" . strtolower($subject), strtolower($content))) {
                $mailstatus = "Blocked Subject";
            }
        }
        if ($type == "phrase") {
            if (strpos("x" . strtolower($message), strtolower($content))) {
                $mailstatus = "Blocked Phrase";
            }
        }
    }
    run_hook("TicketPiping", array());
    if (!$mailstatus) {
        // "[Ticket ID: xxx]" in the subject selects an existing ticket; 12 is
        // strlen("[Ticket ID: "). $tid stays undefined when there is none.
        $pos = strpos($subject, "[Ticket ID: ");
        if ($pos === false) {
        } else {
            $tid = substr($subject, $pos + 12);
            $tid = substr($tid, 0, strpos($tid, "]"));
            $result = select_query("tbltickets", "", array("tid" => $tid));
            $data = mysql_fetch_array($result);
            $tid = $data['id']; // public tid -> internal id (null when not found)
        }
        // Department: the first recipient address that matches a department
        // wins, and $to is replaced by that department's own address.
        $to = trim($to);
        $toemails = explode(",", $to);
        $deptid = "";
        foreach ($toemails as $toemail) {
            if (!$deptid) {
                $result = select_query("tblticketdepartments", "", array("email" => trim(strtolower($toemail))));
                $data = mysql_fetch_array($result);
                $deptid = $data['id'];
                $to = $data['email'];
                $deptclientsonly = $data['clientsonly'];
                $deptpiperepliesonly = $data['piperepliesonly'];
                continue;
            }
        }
        // Fallback: the first non-hidden department.
        if (!$deptid) {
            $result = select_query("tblticketdepartments", "", array("hidden" => ""), "order", "ASC", "1");
            $data = mysql_fetch_array($result);
            $deptid = $data['id'];
            $to = $data['email'];
            $deptclientsonly = $data['clientsonly'];
            $deptpiperepliesonly = $data['piperepliesonly'];
        }
        if (!$deptid) {
            $mailstatus = "Department Not Found";
        } else {
            // A department mailing itself would bounce back and forth forever.
            if ($to == $email) {
                $mailstatus = "Blocked Potential Email Loop";
            } else {
                // Cut quoted history at the first configured break line. A
                // break line found at offset 0 is ignored (strpos() returns
                // 0, which is falsy); an emptied message is restored.
                $messagebackup = $message;
                $result = select_query("tblticketbreaklines", "", "", "id", "ASC");
                while ($data = mysql_fetch_array($result)) {
                    $breakpos = strpos($message, $data['breakline']);
                    if ($breakpos) {
                        $message = substr($message, 0, $breakpos);
                    }
                }
                if (!$message) {
                    $message = $messagebackup;
                }
                $message = trim($message);
                // Sender identity is decided purely by the sender address.
                // NOTE(review): unless the mail path verifies the sender
                // upstream, a spoofed From address that matches an admin
                // account is enough to post a reply as that admin below.
                $result = select_query("tbladmins", "id", array("email" => $email));
                $data = mysql_fetch_array($result);
                $adminid = $data['id'];
                if ($adminid) {
                    if ($tid) {
                        // Presumably AddReply() reads the acting admin from
                        // the session; it is set only for the duration of
                        // the call and cleared right after.
                        $_SESSION['adminid'] = $adminid;
                        AddReply($tid, "", "", $message, true, $attachment);
                        $_SESSION['adminid'] = "";
                        $mailstatus = "Ticket Reply Imported Successfully";
                    } else {
                        $mailstatus = "Ticket ID Not Found";
                    }
                } else {
                    // Client by address first, then contact by address (a
                    // contact row carries the owning client's userid and the
                    // contact address is kept as CC).
                    $result = select_query("tblclients", "id", array("email" => $email));
                    $data = mysql_fetch_array($result);
                    $userid = $data['id'];
                    if (!$userid) {
                        $result = select_query("tblcontacts", "id,userid", array("email" => $email));
                        $data = mysql_fetch_array($result);
                        $userid = $data['userid'];
                        $contactid = $data['id'];
                        if ($userid) {
                            $ccemail = $email;
                        }
                    }
                    if ($deptclientsonly == "on" && !$userid) {
                        // Unknown sender into a clients-only department:
                        // reject, and bounce unless autoresponses are off.
                        $mailstatus = "Unregistered Email Address";
                        $result = select_query("tblticketdepartments", "", array("id" => $deptid));
                        $data = mysql_fetch_array($result);
                        $noautoresponder = $data['noautoresponder'];
                        if (!$noautoresponder) {
                            sendMessage("Bounce Message", "", array($name, $email));
                        }
                    } else {
                        // $from is only populated for unregistered senders;
                        // for a known client it stays undefined and null is
                        // passed on (presumably "use the client record").
                        if ($userid == "") {
                            $from['name'] = $name;
                            $from['email'] = $email;
                        }
                        // Flood limit: tickets from this address (or userid)
                        // within the last 15 minutes. The SQL is string-built:
                        // the address goes through mysql_real_escape_string()
                        // and the userid is cast to int. Note the mysql_*
                        // extension was removed in PHP 7.
                        $filterdate = date("YmdHis", mktime(date("H"), date("i") - 15, date("s"), date("m"), date("d"), date("Y")));
                        $query = "SELECT count(*) FROM tbltickets WHERE date>'" . $filterdate . "' AND (email='" . mysql_real_escape_string($email) . "'";
                        if ($userid) {
                            $query .= " OR userid=" . (int) $userid;
                        }
                        $query .= ")";
                        $result = full_query($query);
                        $data = mysql_fetch_array($result);
                        $numtickets = $data[0];
                        // "10 <" means the 11th ticket in the window is refused.
                        if (10 < $numtickets) {
                            $mailstatus = "Exceeded Limit of 10 Tickets within 15 Minutes";
                        } else {
                            // The hook's return value is not used here.
                            run_hook("TransliterateTicketText", array("subject" => $subject, "message" => $message));
                            if ($tid) {
                                AddReply($tid, $userid, $contactid, htmlspecialchars_array($message), "", $attachment, htmlspecialchars_array($from));
                                $mailstatus = "Ticket Reply Imported Successfully";
                            } else {
                                if ($pipenonregisteredreplyonly && !$userid) {
                                    $mailstatus = "Blocked Ticket Opening from Unregistered User";
                                } else {
                                    if ($deptpiperepliesonly) {
                                        $mailstatus = "Only Replies Allowed by Email";
                                    } else {
                                        // htmlspecialchars_array() is handed
                                        // scalars here, so this codebase's
                                        // version must accept non-arrays.
                                        openNewTicket(htmlspecialchars_array($userid), htmlspecialchars_array($contactid), htmlspecialchars_array($deptid), htmlspecialchars_array($subject), htmlspecialchars_array($message), "Medium", $attachment, htmlspecialchars_array($from), "", htmlspecialchars_array($ccemail));
                                        $mailstatus = "Ticket Imported Successfully";
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    } else {
        // Rejected by a spam filter: remove the attachments that were
        // already stored for this mail.
        if ($attachment) {
            global $attachments_dir;
            $attachment = explode("|", $attachment);
            foreach ($attachment as $file) {
                deleteFile($attachments_dir, $file);
            }
        }
    }
    if ($mailstatus == "") {
        $mailstatus = "Ticket Import Failed";
    }
    // Always log the outcome. "now()" is presumably expanded by insert_query()
    // into the SQL function rather than stored literally.
    $table = "tblticketmaillog";
    $array = "";
    $array = array("date" => "now()", "to" => $to, "name" => $name, "email" => $email, "subject" => $subject, "message" => $message, "status" => $mailstatus);
    insert_query($table, htmlspecialchars_array($array));
}
}

/**
 * Lazily open the shared PDO connection to the SQLite file DATABASE_FILE.
 *
 * The connection is created on first use and cached in self::$instance.
 * A connection failure is handed to the global error() helper (defined
 * elsewhere); unless that helper terminates the request, self::$instance
 * is still null at that point and null is what gets returned.
 *
 * @return PDO|null
 */
public static function instance() {
    if (self::$instance == NULL) {
        try {
            self::$instance = new PDO('sqlite:' . DATABASE_FILE);
        } catch (Exception $e) {
            error($e);
        }
    }
    return self::$instance;
}
}

// Request bootstrap: HTML-escape all request input up front. $_SERVER is
// escaped as well, so any later use of its values (paths, headers) sees the
// escaped form.
$_POST = htmlspecialchars_array($_POST);
$_GET = htmlspecialchars_array($_GET);
$_SERVER = htmlspecialchars_array($_SERVER);
$_ERRORS = array();
if (!isset($_GET['action'])) {
    $_GET['action'] = '';
}
// Guard for the id used in queries. is_numeric() also accepts floats,
// exponent notation and leading whitespace, so this is not a strict integer
// check; queries using the id should still bind it as a parameter.
if (isset($_GET['id']) && !is_numeric($_GET['id'])) {
    exit('Possible SQL Injection attack. Exiting.');
}
// First run: create the schema inside a transaction (the statement continues
// beyond this excerpt).
if (false === file_exists(DATABASE_FILE)) {
    try {
        DB::instance()->beginTransaction();
        DB::instance()->exec(' CREATE TABLE streams( id INTEGER PRIMARY KEY, name TEXT, priority INTEGER
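/**
 * Apply htmlspecialchars() to every string inside an array, recursively.
 *
 * Only string leaves are escaped; ints, bools, null and other non-string
 * values are left untouched, and keys are not modified.
 *
 * @param array $array Values to filter (typically request input).
 * @return array The same structure with every string HTML-escaped.
 * @since 1.4
 */
function htmlspecialchars_array($array) {
    foreach ($array as $key => &$value) {
        if (is_array($value)) {
            $value = htmlspecialchars_array($value);
        } else {
            if (is_string($value)) {
                $value = htmlspecialchars($value);
            }
        }
    }
    // Drop the reference left behind by the by-reference foreach; otherwise
    // the last element of the returned array is still a reference slot and
    // any later assignment to $value would write into it.
    unset($value);
    return $array;
}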
/**
 * Recursively HTML-escape a value.
 *
 * A scalar is escaped with ENT_QUOTES so both quote characters are encoded;
 * an array is walked element by element with its keys preserved.
 *
 * @param mixed $array A scalar or a (possibly nested) array.
 * @return mixed The escaped scalar, or the array with every leaf escaped.
 */
function htmlspecialchars_array($array) {
    if (is_array($array)) {
        // array_map() keeps the keys when it is given a single array.
        return array_map('htmlspecialchars_array', $array);
    }
    return htmlspecialchars($array, ENT_QUOTES);
}
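/**
 * HTML-escape every string in an array, recursively, in place.
 *
 * The each()/list() walk was deprecated in PHP 7.2 and removed in PHP 8.0;
 * a foreach does the same job and needs no reset(). The array is taken by
 * reference and modified in place; it is also returned for convenience.
 * Only string leaves are escaped; other scalar types are left as they are.
 *
 * @param array $array Array to escape (modified in place).
 * @return array The escaped array.
 */
function htmlspecialchars_array(&$array) {
    foreach ($array as $key => $val) {
        if (is_array($val)) {
            $array[$key] = htmlspecialchars_array($val);
        } elseif (is_string($val)) {
            $array[$key] = htmlspecialchars($val);
        }
    }
    return $array;
}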
/**
 * Validate the submitted blog-entry form and store it.
 *
 * Builds the QuickForm from the mask returned by _getFormMask(), and only
 * proceeds when both the form validates and SecurityToken::isValid() holds
 * (the CSRF check; the && short-circuits so the token is not checked on an
 * invalid form). Every submitted BlogEntry field is HTML-escaped except those
 * listed in self::$m_html_allowed_fields, which are stored as submitted
 * (presumably the rich-text fields). With an f_entry_id the existing entry
 * is updated, otherwise a new one is created via create().
 *
 * @param bool     $p_admin   Whether the caller is an administrator; gates
 *                            the admin_status override.
 * @param int|null $p_user_id Owner id passed to create() for new entries.
 * @return bool True when the entry was stored, false otherwise.
 */
function store($p_admin, $p_user_id=null) {
    require_once 'HTML/QuickForm.php';
    $mask = $this->_getFormMask($p_admin);
    $form = new html_QuickForm('blog_entry', 'post', '', null, null, true);
    FormProcessor::parseArr2Form($form, $mask);
    if ($form->validate() && SecurityToken::isValid()){
        $data = $form->getSubmitValues(true);
        foreach ($data['BlogEntry'] as $k => $v) {
            // clean user input
            // (non-strict in_array; the allow-list is matched by field name)
            if (!in_array($k, self::$m_html_allowed_fields)) {
                $data['BlogEntry'][$k] = htmlspecialchars_array($v);
            }
        }
        if ($data['f_entry_id']) {
            foreach ($data['BlogEntry'] as $k => $v) {
                // Array-valued fields (e.g. multi-selects) are stored as
                // "key1, key2" of the truthy entries; substr(..., 0, -2)
                // drops the trailing ", ". $string is never initialised, so
                // the first .= raises an undefined-variable notice.
                if (is_array($v)) {
                    foreach($v as $key => $value) {
                        if ($value) {
                            $string .= "$key, ";
                        }
                    }
                    $v = substr($string, 0, -2);
                    unset ($string);
                }
                $this->setProperty($k, $v);
            }
            if ($data['BlogEntry_Image_remove']) {
                BlogImageHelper::RemoveImageDerivates('entry', $data['f_entry_id']);
            }
            if ($data['BlogEntry_Image']) {
                BlogImageHelper::StoreImageDerivates('entry', $data['f_entry_id'], $data['BlogEntry_Image']);
            }
            Blog::TriggerCounters(self::GetBlogId($data['f_entry_id']));
            return true;
        } elseif ($this->create( $data['f_blog_id'], $p_user_id, $data['BlogEntry']['title'], $data['BlogEntry']['content'], $data['f_mood_id'])) {
            // admin and owner can override status setting
            // (only admin_status is gated by $p_admin; status is not)
            if ($data['BlogEntry']['status']) {
                $this->setProperty('status', $data['BlogEntry']['status']);
            }
            if ($p_admin && $data['BlogEntry']['admin_status']) {
                $this->setProperty('admin_status', $data['BlogEntry']['admin_status']);
            }
            if ($data['BlogEntry_Image']) {
                BlogImageHelper::StoreImageDerivates('entry', $this->getProperty('entry_id'), $data['BlogEntry_Image']);
            }
            Blog::TriggerCounters($this->getProperty('fk_blog_id'));
            return true;
        }
    }
    return false;
}
/**
 * Applies htmlspecialchars to an array of data
 *
 * Walks the array recursively and escapes every non-array leaf with the
 * default htmlspecialchars() flags. Keys are preserved. A value that is not
 * an array is handed back exactly as received, unescaped.
 *
 * @deprec sanitize_tags
 * @param mixed $data
 * @return mixed The escaped array, or $data itself when it is not an array.
 */
function htmlspecialchars_array($data) {
    if (!is_array($data)) {
        return $data;
    }
    $escaped = array();
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $escaped[$key] = htmlspecialchars_array($value);
        } else {
            $escaped[$key] = htmlspecialchars($value);
        }
    }
    return $escaped;
}
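/**
 * Validate the submitted blog form and store it.
 *
 * Builds the QuickForm from getFormMask() and only proceeds when both the
 * form validates and SecurityToken::isValid() holds (the CSRF check; the &&
 * short-circuits so the token is not checked on an invalid form). Every
 * submitted Blog field is HTML-escaped except those listed in
 * self::$m_html_allowed_fields, which are stored as submitted (presumably
 * the rich-text fields). With an f_blog_id the existing blog is updated,
 * otherwise a new one is created via create().
 *
 * Fix: the image stored for a newly created blog was taken from
 * $data['BlogEntry_Image'] although the guard tests $data['Blog_Image'] and
 * the update branch above stores $data['Blog_Image']; the create branch now
 * uses the same field.
 *
 * @param bool     $p_admin   Whether the caller is an administrator; gates
 *                            the admin_status / admin_remark overrides.
 * @param int|null $p_user_id Owner id for a new blog. When null, the owner
 *                            is taken from the submitted fk_user_id field,
 *                            so callers handling non-admin requests should
 *                            pass it explicitly.
 * @return bool True when the blog was stored, false otherwise.
 */
function store($p_admin, $p_user_id=null) {
    require_once 'HTML/QuickForm.php';
    $mask = $this->getFormMask($p_admin);
    $form = new html_QuickForm('blog', 'post', '', null, null, true);
    FormProcessor::parseArr2Form($form, $mask);
    if ($form->validate() && SecurityToken::isValid()){
        $data = $form->getSubmitValues(true);
        foreach ($data['Blog'] as $k => $v) {
            // clean user input
            // (non-strict in_array; the allow-list is matched by field name)
            if (!in_array($k, self::$m_html_allowed_fields)) {
                $data['Blog'][$k] = htmlspecialchars_array($v);
            }
        }
        if ($data['f_blog_id']) {
            foreach ($data['Blog'] as $k => $v) {
                $this->setProperty($k, $v);
            }
            if ($data['Blog_Image_remove']) {
                BlogImageHelper::RemoveImageDerivates('blog', $data['f_blog_id']);
            }
            if ($data['Blog_Image']) {
                BlogImageHelper::StoreImageDerivates('blog', $data['f_blog_id'], $data['Blog_Image']);
            }
            return true;
        } elseif ($this->create( isset($p_user_id) ? $p_user_id : $data['Blog']['fk_user_id'], $data['Blog']['fk_language_id'], $data['Blog']['title'], $data['Blog']['info'], $data['Blog']['request_text'], $data['Blog']['feature'])) {
            // status may be set by anyone; the admin_* fields only by admins
            if ($data['Blog']['status']) {
                $this->setProperty('status', $data['Blog']['status']);
            }
            if ($p_admin && $data['Blog']['admin_status']) {
                $this->setProperty('admin_status', $data['Blog']['admin_status']);
            }
            if ($p_admin && $data['Blog']['admin_remark']) {
                $this->setProperty('admin_remark', $data['Blog']['admin_remark']);
            }
            if ($data['Blog_Image']) {
                // Same field as the guard and as the update branch above.
                BlogImageHelper::StoreImageDerivates('blog', $this->getProperty('blog_id'), $data['Blog_Image']);
            }
            return true;
        }
    }
    return false;
}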