echo $return; ?> " name="return" /> <br/> <input type="submit" value="<?php echo $VM_LANG->_('BUTTON_LOGIN'); ?> " class="button" name="Login" /> <?php if (vmIsJoomla(1.5)) { $validate = JUtility::getToken(); } elseif (function_exists('josspoofvalue')) { $validate = josSpoofValue(1); } else { // used for spoof hardening $validate = vmSpoofValue(1); } ?> <input type="hidden" name="<?php echo $validate; ?> " value="1" /> </form> </td> </tr> <tr> <td colspan="2"> <a href="<?php echo $reset; ?> ">
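// Renders the "move products to another category" confirmation form.
// Read from the enclosing scope: $products / $count (the selected product ids),
// $category_id (the category the products currently live in), $option, and the
// $db, $sess, $VM_LANG and $ps_product_category services.
echo '<form action="' . htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8') . '" method="post" name="adminForm">';

// Only integer ids are ever echoed back or placed into the IN(...) list below.
$clean_products = array();
for ($i = 0; $i < $count; $i++) {
    $clean_products[$i] = isset($products[$i]) ? intval($products[$i]) : 0;
    echo '<input type="hidden" name="product_id[]" value="' . $clean_products[$i] . '" />';
}
$products = $clean_products;

// Collect the names first. With an empty selection the former "IN()" was a SQL
// syntax error; now the query is skipped and an empty list is rendered instead.
$product_names = array();
if (count($products) > 0) {
    $db->query('SELECT `product_name` FROM `#__{vm}_product` WHERE `product_id` IN(' . implode(',', $products) . ') ORDER BY `product_name`');
    while ($db->next_record()) {
        $product_names[] = $db->f('product_name');
    }
}

echo "\n<h1 class=\"header\">" . $VM_LANG->_('VM_PRODUCTS_MOVE_LBL') . "</h1>\n";
echo '<table class="adminform"><tr>';
echo '<th>' . $VM_LANG->_('VM_PRODUCTS_MOVE_TO_CATEGORY') . "</th>\n";
echo '<th>' . sprintf($VM_LANG->_('VM_PRODUCTS_MOVE_LIST'), $count) . "</th>\n";
echo '</tr><tr>';
echo '<td valign="top">';
// Category picker; the current category is passed as the pre-selected entry.
$ps_product_category->list_all('category_id', 0, array(), 10, false, false, array($category_id));
echo "</td>\n";
echo "<td>\n";
echo '<ul style="text-align:left;height:250px;max-height:300px;overflow:auto;">';
foreach ($product_names as $product_name) {
    // NOTE(review): product_name is printed as stored; whether it is HTML-escaped
    // on write is not visible here — verify before relying on it.
    echo '<li>' . $product_name . "</li>\n";
}
echo "</ul>\n";
echo '</td></tr></table>';

// $option and $category_id originate outside this page; escaping is a no-op for
// the expected component name / numeric id but keeps the attributes well-formed.
echo '<input type="hidden" name="page" value="product.product_list" /> '
    . '<input type="hidden" name="func" value="moveProduct" /> '
    // anti-CSRF token, derived from the session id by vmSpoofValue()
    . '<input type="hidden" name="vmtoken" value="' . vmSpoofValue($sess->getSessionId()) . '" /> '
    . '<input type="hidden" name="task" value="" /> '
    . '<input type="hidden" name="pshop_mode" value="admin" /> '
    . '<input type="hidden" name="option" value="' . htmlspecialchars((string) $option, ENT_QUOTES, 'UTF-8') . '" /> '
    . '<input type="hidden" name="old_category_id" value="' . htmlspecialchars((string) $category_id, ENT_QUOTES, 'UTF-8') . '" /> '
    . '</form>';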
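/**
 * Equivalent to Joomla's josSpoofCheck function: verifies the anti-CSRF token
 * of the current request and, optionally, rejects POST values that look like
 * injected e-mail headers.
 *
 * Two token forms are accepted: a "vmtoken" GET/POST parameter carrying the
 * token, or (legacy) a request field whose *name* is the token.
 * GET requests are deliberately accepted; only the token is checked.
 *
 * @author Joomla core team
 *
 * @param boolean $header when true, additionally scan every POST value for mail-header strings
 * @param mixed   $alt    passed through to vmSpoofValue() to derive the expected token
 * @return boolean true when the request is accepted; false after a 403 header and an error alert
 */
function vmSpoofCheck($header = NULL, $alt = NULL)
{
    global $vm_mainframe;

    if (!empty($_GET['vmtoken']) || !empty($_POST['vmtoken'])) {
        $validate_hash = vmGet($_REQUEST, 'vmtoken', null);
        $expected = (string) vmSpoofValue($alt);
        // Compare strictly and as strings: the former loose "==" treated two
        // numeric-looking strings (e.g. "0e..." digests) as equal, and a non-string
        // (array) value must never match. hash_equals() also avoids a timing
        // side channel where it is available.
        if (!is_string($validate_hash)) {
            $validate = false;
        } elseif (function_exists('hash_equals')) {
            $validate = hash_equals($expected, $validate_hash);
        } else {
            $validate = ($expected === $validate_hash);
        }
    } else {
        // Legacy form: the hidden field is *named* with the token and carries value 1
        $validate = vmGet($_REQUEST, vmSpoofValue($alt), 0);
    }

    // probably a spoofing attack
    if (!$validate) {
        header('HTTP/1.0 403 Forbidden');
        $vm_mainframe->errorAlert('Sorry, but we could not verify your Security Token.\\nGo back and try again please.');
        return false;
    }

    // First, make sure the form was posted from a browser.
    // For basic web-forms, we don't care about anything
    // other than requests from a browser:
    if (!isset($_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 403 Forbidden');
        $vm_mainframe->errorAlert('Sorry, but we could not identify your web browser.\\nBut this is necessary for using this web page.');
        return false;
    }

    if ($header) {
        // Attempt to defend against header injections:
        $badStrings = array('Content-Type:', 'MIME-Version:', 'Content-Transfer-Encoding:', 'bcc:', 'cc:');
        // Walk every POST value, descending into nested arrays (e.g. "product_id[]"),
        // which the former plain strpos() call could not handle. Header names are
        // case-insensitive, so the comparison is done on lower-cased strings.
        $pending = array_values($_POST);
        while (count($pending) > 0) {
            $value = array_shift($pending);
            if (is_array($value)) {
                foreach ($value as $inner) {
                    $pending[] = $inner;
                }
                continue;
            }
            $value = strtolower((string) $value);
            foreach ($badStrings as $badString) {
                if (strpos($value, strtolower($badString)) !== false) {
                    header("HTTP/1.0 403 Forbidden");
                    $vm_mainframe->errorAlert('We are sorry, but using E-Mail Headers in Fields is not allowed.');
                    return false;
                }
            }
        }
    }

    return true;
}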
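/**
 * Writes the hidden input fields every VirtueMart form needs
 * (anti-CSRF token, func/page routing, layout flags) and closes the form.
 *
 * @param string $func the handler name written to the hidden "func" field
 * @param string $page the page name written to the hidden "page" field
 * @return void echoes the markup directly
 */
function finishForm($func, $page = '')
{
    // vmRequest::getInt is taken to return an integer (its body is not visible here)
    $no_menu = vmRequest::getInt('no_menu');

    // no_toolbar / only_page are raw request values reflected into attribute
    // values; escape them so a crafted parameter cannot break out of the attribute.
    // A non-scalar (array) value is reduced to the default "0".
    $no_toolbar = vmGet($_REQUEST, 'no_toolbar', 0);
    $only_page = vmGet($_REQUEST, 'only_page', 0);
    $no_toolbar = htmlspecialchars(is_scalar($no_toolbar) ? (string) $no_toolbar : '0', ENT_QUOTES, 'UTF-8');
    $only_page = htmlspecialchars(is_scalar($only_page) ? (string) $only_page : '0', ENT_QUOTES, 'UTF-8');

    $html = ' <input type="hidden" name="vmtoken" value="' . vmSpoofValue($GLOBALS['sess']->getSessionId()) . '" />'
        . ' <input type="hidden" name="func" value="' . htmlspecialchars((string) $func, ENT_QUOTES, 'UTF-8') . '" />'
        . ' <input type="hidden" name="page" value="' . htmlspecialchars((string) $page, ENT_QUOTES, 'UTF-8') . '" />'
        . ' <input type="hidden" name="task" value="" />'
        . ' <input type="hidden" name="option" value="' . VM_COMPONENT_NAME . '" />';
    // A page requested without the menu is treated as an AJAX request.
    $html .= '<input type="hidden" name="ajax_request" value="' . ($no_menu ? '1' : '0') . '" />';
    $html .= '<input type="hidden" name="no_menu" value="' . $no_menu . '" />';
    $html .= '<input type="hidden" name="no_toolbar" value="' . $no_toolbar . '" />';
    $html .= '<input type="hidden" name="only_page" value="' . $only_page . '" />';
    // Backend pages, or frontend pages explicitly in admin mode, also carry the admin marker.
    $is_admin_request = isset($_REQUEST['pshop_mode']) && $_REQUEST['pshop_mode'] === "admin";
    if (defined("_VM_IS_BACKEND") || $is_admin_request) {
        $html .= '<input type="hidden" name="pshop_admin" value="admin" />';
    }
    $html .= ' </form> ';
    echo $html;
}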
<form action="<?php echo $_SERVER['PHP_SELF']; ?> " method="post"> <?php echo "<strong>" . $VM_LANG->_('PHPSHOP_ORDER_PRINT_PO_STATUS') . ": </strong>"; $ps_order_status->list_order_status($dbt->f("order_status")); ?> <input type="submit" class="button" name="Submit" value="<?php echo $VM_LANG->_('PHPSHOP_UPDATE'); ?> " /> <input type="hidden" name="page" value="order.order_print" /> <input type="hidden" name="func" value="orderStatusSet" /> <input type="hidden" name="vmtoken" value="<?php echo vmSpoofValue($sess->getSessionId()); ?> " /> <input type="hidden" name="option" value="com_virtuemart" /> <input type="hidden" name="current_order_status" value="<?php $dbt->p("order_status"); ?> " /> <input type="hidden" name="order_id" value="<?php echo $order_id; ?> " /> <input type="hidden" name="order_item_id" value="<?php $dbt->p("order_item_id"); ?> " />
require_once CLASSPATH . "htmlTools.class.php";

// "missing" is sent back by the registration handler when required fields were left empty.
$missing = vmGet($_REQUEST, "missing", "");
if (!empty($missing)) {
    // NOTE(review): the language string is written straight into a JS alert; the
    // second argument (false) presumably switches off escaping in VM_LANG::_() —
    // verify what it does before relying on this.
    echo "<script type=\"text/javascript\">alert('" . $VM_LANG->_('CONTACT_FORM_NC', false) . "'); </script>\n";
}
// If not using NO_REGISTRATION, redirect with a warning when Joomla doesn't allow user registration
// (loose "== "0"" comparison kept: the config value may arrive as string or int).
if ($mosConfig_allowUserRegistration == "0" && VM_REGISTRATION_TYPE != 'NO_REGISTRATION') {
    $msg = 'User registration is disabled, it must be enabled in order to proceed.';
    vmRedirect($sess->url('index.php?page=' . HOMEPAGE, true, false), $msg);
    return;
}
// Anti-CSRF token for the registration form, chosen per platform:
// Joomla 1.5 supplies its own, Joomla 1.0 its josSpoofValue, otherwise VirtueMart's vmSpoofValue.
if (vmIsJoomla('1.5')) {
    // Set the validation value
    $validate = JUtility::getToken();
} else {
    $validate = function_exists('josspoofvalue') ? josSpoofValue(1) : vmSpoofValue(1);
}
$fields = ps_userfield::getUserFields('registration', false, '', false);
// Read-only fields on registration don't make sense.
// (assumes each $field is an object so the assignment sticks — confirm in ps_userfield)
foreach ($fields as $field) {
    $field->readonly = 0;
}
$skip_fields = array();
// Precedence: "||" binds weaker than "&&", so a logged-in user ($my->id > 0) alone
// is enough to hide the account fields; the remaining clause only applies to guests.
if ($my->id > 0 || VM_REGISTRATION_TYPE != 'NORMAL_REGISTRATION' && VM_REGISTRATION_TYPE != 'OPTIONAL_REGISTRATION' && ($page == 'checkout.index' || $page == 'shop.registration')) {
    // A listing of fields that are NOT shown
    $skip_fields = array('username', 'password', 'password2');
    if ($my->id) {
        $skip_fields[] = 'email';
    }
}
// This is the part that prints out ALL registration fields!
" /> <?php } else { ?> <input type="hidden" name="func" value="userAddressAdd" /> <?php } if ($vmLayout == 'extended') { ?> <input type="hidden" name="ajax_request" value="1" /> <?php } ?> <input type="hidden" name="vmtoken" value="<?php echo vmSpoofValue($GLOBALS['sess']->getSessionId()); ?> " /> <input type="hidden" name="address_type" value="ST"> <input type="hidden" name="page" value="<?php echo $modulename; ?> .user_form" /> <input type="hidden" name="cache" value="0" /> <input type="hidden" name="task" value="" /> <input type="hidden" name="user_id" value="<?php echo $user_id; ?> " /> <input type="hidden" name="cid[0]" value="<?php echo $user_id;
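/**
 * This creates a header above the list table, containing a search box.
 * The header opens the "adminForm" form that the list rows are posted with;
 * the caller is responsible for closing it.
 *
 * @param string $title      The label for the list (will be used as list heading!)
 * @param string $image      Optional background image URL shown beside the heading
 * @param string $modulename The core module name (e.g. "product")
 * @param string $pagename   The page name (e.g. "product_list")
 * @return void echoes the markup directly
 */
function writeSearchHeader($title, $image = "", $modulename, $pagename)
{
    // Signature kept as-is for existing callers: the optional $image before the
    // required parameters is reported as deprecated by PHP 8 but still works.
    global $sess, $keyword, $VM_LANG;

    if (!empty($keyword)) {
        $keyword = urldecode($keyword);
    } else {
        $keyword = "";
    }

    // Both values come straight from the request and are reflected into
    // attribute values below; reduce non-scalars (arrays) to an empty string.
    $search_date = JRequest::getVar('search_date', null);
    $show = JRequest::getVar('show', '');
    $search_date = is_scalar($search_date) ? (string) $search_date : '';
    $show = is_scalar($show) ? (string) $show : '';

    $header = '<a name="listheader"></a>';
    // PHP_SELF can carry client-supplied path info, so it is escaped before
    // being written into the action attribute.
    $header .= '<form name="adminForm" action="' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '" method="post">'
        . ' <input type="hidden" name="option" value="' . VM_COMPONENT_NAME . '" />'
        . ' <input type="hidden" name="page" value="' . $modulename . '.' . $pagename . '" />'
        . ' <input type="hidden" name="task" value="" />'
        . ' <input type="hidden" name="func" value="" />'
        // anti-CSRF token, derived from the session id by vmSpoofValue()
        . ' <input type="hidden" name="vmtoken" value="' . vmSpoofValue($sess->getSessionId()) . '" />'
        . ' <input type="hidden" name="no_menu" value="' . vmRequest::getInt('no_menu') . '" />'
        . ' <input type="hidden" name="no_toolbar" value="' . vmRequest::getInt('no_toolbar') . '" />'
        . ' <input type="hidden" name="only_page" value="' . vmRequest::getInt('only_page') . '" />'
        . ' <input type="hidden" name="boxchecked" />';
    $is_admin_request = isset($_REQUEST['pshop_mode']) && $_REQUEST['pshop_mode'] === "admin";
    if (defined("_VM_IS_BACKEND") || $is_admin_request) {
        $header .= "<input type=\"hidden\" name=\"pshop_mode\" value=\"admin\" />\n";
    }

    if ($title != "" || !empty($pagename)) {
        $header .= '<table><tr>';
        if ($title != "") {
            // NOTE(review): $title and $image are caller-supplied and written unescaped
            // into markup / a style attribute — verify callers never pass request data.
            $style = $image != '' ? 'style="background:url(' . $image . ') no-repeat;text-indent: 30px;line-height: 50px;"' : '';
            $header .= '<td><div class="header" ' . $style . '><h2 style="margin: 0px;">' . $title . '</h2></div></td>' . "\n";
            $GLOBALS['vm_mainframe']->setPageTitle($title);
        }
        if (!empty($pagename)) {
            // $keyword is escaped by shopMakeHtmlSafe before being echoed back
            $header .= '<td width="20%"> <input class="inputbox" type="text" size="25" name="keyword" value="' . shopMakeHtmlSafe($keyword) . '" /> <input class="button" type="submit" name="search" value="' . $VM_LANG->_('PHPSHOP_SEARCH_TITLE') . '" /> </td>';
        }
        $header .= "\n</tr></table><br style=\"clear:both;\" />\n";
    }

    if (!empty($search_date)) {
        // Changed search by date
        $header .= '<input type="hidden" name="search_date" value="' . htmlspecialchars($search_date, ENT_QUOTES, 'UTF-8') . '" />';
    }
    if (!empty($show)) {
        $header .= '<input type="hidden" name="show" value="' . htmlspecialchars($show, ENT_QUOTES, 'UTF-8') . '" />' . "\n";
    }
    echo $header;
}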
/**
 * This reformats an URL, appends "option=com_virtuemart" and "Itemid=XX"
 * where XX is the Id of an entry in the table mos_menu with "link: option=com_virtuemart"
 * It also calls sefRelToAbs to apply SEF formatting
 *
 * In admin mode a "vmtoken" parameter (the anti-CSRF token) is appended to any
 * URL containing the substring "func".
 *
 * @param string $text THE URL
 * @param boolean $createAbsoluteURI False: Create a URI like /joomla/index.php?....; True: Create a URI like http://www.domain.com/index.php?....
 * @param boolean $encodeAmpersands  True: run the result through vmAmpReplace()
 * @param boolean $ignoreSEF         True: skip JRoute / sefRelToAbs rewriting
 * @return string The reformatted URL
 */
function url($text, $createAbsoluteURI = false, $encodeAmpersands = true, $ignoreSEF = false) {
    global $mm_action_url, $page, $mainframe;
    // The backend never carries an Itemid; the frontend uses the shop's menu item.
    if (!defined('_VM_IS_BACKEND')) {
        $Itemid = "&Itemid=" . $this->getShopItemid();
    } else {
        $Itemid = '';
    }
    // switch compares loosely: a bare base URL is expanded to "<base><script>?<component>[&Itemid=XX]"
    switch ($text) {
        case SECUREURL:
            $text = SECUREURL . basename($_SERVER['SCRIPT_NAME']) . "?" . $this->component_name . $Itemid;
            break;
        case URL:
            $text = URL . basename($_SERVER['SCRIPT_NAME']) . "?" . $this->component_name . $Itemid;
            break;
        default:
            $limiter = strpos($text, '?');
            // A bare query string (no "?" and no script name) is prefixed with "?".
            // $limiter stays false afterwards; substr() below then treats it as 0.
            if (!stristr($text, $_SERVER['SCRIPT_NAME']) && $limiter === false) {
                $text = '?' . $text;
            }
            $appendix = "";
            // now append "&option=com_virtuemart&Itemid=XX"
            if (!strstr($text, "option=")) {
                $appendix .= "&" . $this->component_name;
            }
            $appendix .= $Itemid;
            // Script name taken from the part before "?", falling back to the current script.
            $script = basename(substr($text, 0, $limiter));
            if ($script == '') {
                $script = basename($_SERVER['SCRIPT_NAME']);
            }
            if (!defined('_VM_IS_BACKEND')) {
                if ($script == 'index3.php') {
                    $script = 'index2.php'; // index3.php is not available in the frontend!
                }
                $appendix = $script . substr($text, $limiter, strlen($text)) . $appendix;
                // SEF rewriting: Joomla 1.5 JRoute first, else the legacy sefRelToAbs.
                if (class_exists('JRoute') && !$ignoreSEF && $mainframe->getCfg('sef')) {
                    $appendix = JRoute::_(str_replace($script . '&', $script . '?', $appendix));
                } else {
                    if (function_exists('sefRelToAbs') && !$ignoreSEF && !defined('_JLEGACY')) {
                        $appendix = sefRelToAbs(str_replace($script . '&', $script . '?', $appendix));
                    }
                }
                // Only prefix the site URL when SEF did not already produce an absolute one.
                if ($createAbsoluteURI && substr($appendix, 0, 4) != 'http' && ($ignoreSEF || !$mainframe->getCfg('sef'))) {
                    $appendix = URL . $appendix;
                }
            } elseif ($_SERVER['SERVER_PORT'] == 443) {
                //$script = strstr($_SERVER['PHP_SELF'], 'index2.php') ? 'index2.php' : 'index3.php';
                // NOTE(review): the "strlen($text) - 1" length drops the last character
                // when $limiter is 0 (no "?" in $text) — confirm this is intended.
                $appendix = SECUREURL . "administrator/{$script}" . substr($text, $limiter, strlen($text) - 1) . $appendix;
            } else {
                //$script = strstr($_SERVER['PHP_SELF'], 'index2.php') ? 'index2.php' : 'index3.php';
                $appendix = URL . "administrator/{$script}" . substr($text, $limiter, strlen($text) - 1) . $appendix;
            }
            // Anti-CSRF token for admin actions. Note: strstr() matches "func"
            // anywhere in the URL (not only a "func=" parameter), and the token then
            // travels in a GET URL (referer headers, logs).
            if (vmIsAdminMode() && strstr($text, 'func') !== false) {
                $appendix .= '&vmtoken=' . vmSpoofValue($this->getSessionId());
            }
            // Keep the scheme the caller asked for.
            if (stristr($text, SECUREURL)) {
                $appendix = str_replace(URL, SECUREURL, $appendix);
            } elseif (stristr($text, URL) && $createAbsoluteURI) {
                $appendix = str_replace(SECUREURL, URL, $appendix);
            }
            $text = $appendix;
            break;
    }
    if ($encodeAmpersands) {
        $text = vmAmpReplace($text);
    } else {
        // NOTE(review): as shown this replaces '&' with itself (a no-op); the
        // repository source presumably decodes the "&amp;" entity here and the
        // entity was unescaped in extraction — verify against the original file.
        $text = str_replace('&', '&', $text);
    }
    return $text;
}
/**
 * This reformats an URL, appends "option=com_virtuemart" and "Itemid=XX"
 * where XX is the Id of an entry in the table mos_menu with "link: option=com_virtuemart"
 * It also calls sefRelToAbs to apply SEF formatting
 *
 * On the frontend the Itemid is looked up from the #__menu table in priority
 * order product_id, category_id, flypage, page; the shop's default Itemid is
 * used when none matches. In admin mode a "vmtoken" parameter (the anti-CSRF
 * token) is appended to any URL containing the substring "func".
 *
 * @param string $text THE URL
 * @param boolean $createAbsoluteURI False: Create a URI like /joomla/index.php?....; True: Create a URI like http://www.domain.com/index.php?....
 * @param boolean $encodeAmpersands  True: run the result through vmAmpReplace()
 * @param boolean $ignoreSEF         True: skip JRoute / sefRelToAbs rewriting
 * @return string The reformatted URL
 */
function url($text, $createAbsoluteURI = false, $encodeAmpersands = true, $ignoreSEF = false) {
    global $mm_action_url, $page, $mainframe;
    if (!defined('_VM_IS_BACKEND')) {
        // Strip the parameters from the $text variable and parse to a temporary array
        // (with no "?" strpos() is false and substr() starts at 0, i.e. the whole string is parsed)
        $tmp_text = str_replace('amp;', '', substr($text, strpos($text, '?')));
        if (substr($tmp_text, 0, 1) == '?') {
            $tmp_text = substr($tmp_text, 1);
        }
        // Second argument keeps the parsed values out of the local scope.
        parse_str($tmp_text, $ii_arr);
        // Init the temp. Itemid
        $tmp_Itemid = '';
        $db = new ps_DB();
        // Check if there is a menuitem for a product_id (highest priority)
        // intval() is what keeps the id safe inside the SQL string.
        if (!empty($ii_arr['product_id'])) {
            if ($ii_product_id = intval($ii_arr['product_id'])) {
                $db->query("SELECT id FROM #__menu WHERE link='index.php?option=com_virtuemart' AND params like '%product_id={$ii_product_id}%' AND published=1");
                if ($db->next_record()) {
                    $tmp_Itemid = $db->f("id");
                }
            }
        }
        // Check if there is a menuitem for a category_id
        // This only checks for the exact category ID, it might be good to check for parents also.
        // But at the moment, this would produce a lot of queries
        if (!empty($ii_arr['category_id'])) {
            $ii_cat_id = intval($ii_arr['category_id']);
            if ($ii_cat_id && $tmp_Itemid == '') {
                $db->query("SELECT id FROM #__menu WHERE link='index.php?option=com_virtuemart' AND params like '%category_id={$ii_cat_id}%' AND published=1");
                if ($db->next_record()) {
                    $tmp_Itemid = $db->f("id");
                }
            }
        }
        // Check if there is a menuitem for a flypage
        // getEscaped() handles the quoting; LIKE wildcards ("%", "_") in the value are
        // not escaped, which at most widens which published menu item is picked.
        if (!empty($ii_arr['flypage'])) {
            $ii_flypage = $db->getEscaped(vmget($ii_arr, 'flypage'));
            if ($ii_flypage && $tmp_Itemid == '') {
                $db->query("SELECT id FROM #__menu WHERE link='index.php?option=com_virtuemart' AND params like '%flypage={$ii_flypage}%' AND published=1");
                if ($db->next_record()) {
                    $tmp_Itemid = $db->f("id");
                }
            }
        }
        // Check if there is a menuitem for a page
        if (!empty($ii_arr['page'])) {
            $ii_page = $db->getEscaped(vmget($ii_arr, 'page'));
            if ($ii_page && $tmp_Itemid == '') {
                $db->query("SELECT id FROM #__menu WHERE link='index.php?option=com_virtuemart' AND params like '%page={$ii_page}%' AND published=1");
                if ($db->next_record()) {
                    $tmp_Itemid = $db->f("id");
                }
            }
        }
        // If we haven't found an Itemid, use the standard VM-Itemid
        $Itemid = "&Itemid=" . ($tmp_Itemid ? $tmp_Itemid : $this->getShopItemid());
    } else {
        $Itemid = NULL;
    }
    // split url into base ? path
    $limiter = strpos($text, '?');
    if ($limiter === false) {
        if (!strstr($text, "=")) {
            // $text recognized to be parameter-list (bug?)
            $base = NULL;
            $params = $text;
        } else {
            // text recognized to be url without parameters
            $base = $mm_action_url;
            $params = $text;
        }
    } else {
        // base?params
        $base = substr($text, 0, $limiter);
        $params = substr($text, $limiter + 1);
    }
    // normalize base (cut off multislashes)
    $base = str_replace("//", "/", $base);
    $base = str_replace(":/", "://", $base);
    // add script name to naked base url
    // TODO: Improve
    if ($base == URL || $base == SECUREURL) {
        $base .= basename($_SERVER['SCRIPT_NAME']);
    }
    if (!basename($base)) {
        $base .= basename($_SERVER['SCRIPT_NAME']);
    }
    // append "&option=com_virtuemart&Itemid=XX"
    $params .= !strstr($params, $this->component_name) ? ($params ? "&" : NULL) . $this->component_name : NULL;
    $params .= $Itemid;
    // Anti-CSRF token for admin actions. strstr() matches "func" anywhere in the
    // URL, not only a "func=" parameter, and the token then travels in a GET URL.
    if (vmIsAdminMode() && strstr($text, 'func') !== false) {
        $params .= ($params ? "&" : NULL) . 'vmtoken=' . vmSpoofValue($this->getSessionId());
    }
    if (!defined('_VM_IS_BACKEND')) {
        // index3.php is not available in the frontend!
        $base = str_replace("index3.php", "index2.php", $base);
        $url = basename($base) . "?" . $params;
        // make url absolute
        // NOTE(review): "!substr(...) != 'http'" negates the substring before the
        // comparison, so this reduces to "$createAbsoluteURI && $url !== ''"; the
        // intended "substr($url, 0, 4) != 'http'" is what the other url() variant uses.
        // Harmless here because $url always starts with a script name.
        if ($createAbsoluteURI && !substr($url, 0, 4) != "http") {
            $url = (stristr($text, SECUREURL) ? SECUREURL : URL) . substr($url, $url[0] == '/' ? 1 : 0);
        }
        // SEF rewriting: Joomla 1.5 JRoute first, else the legacy sefRelToAbs.
        if (class_exists('JRoute') && !$ignoreSEF && $mainframe->getCfg('sef')) {
            $url = JRoute::_($url);
        } else {
            if (function_exists('sefRelToAbs') && !$ignoreSEF && !defined('_JLEGACY')) {
                $url = sefRelToAbs($url);
            }
        }
    } else {
        // backend
        $url = ($_SERVER['SERVER_PORT'] == 443 ? SECUREURL : URL) . "administrator/" . basename($base) . "?" . $params;
    }
    // NOTE(review): the str_replace('&', '&', ...) branch is a no-op as shown; the
    // repository source presumably decodes "&amp;" here and the entity was lost in
    // extraction — verify against the original file.
    $url = $encodeAmpersands ? vmAmpReplace($url) : str_replace('&', '&', $url);
    return $url;
}