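/**
 * Clean up values that are passed by GET, POST or COOKIE.
 *
 * The old PHP "feature" magic_quotes automatically escaped values passed from
 * the user with addslashes() (the wrong function for database escaping, and
 * unwanted when the value is not written to the database at all). This function
 * strips those slashes again when magic_quotes is turned on, recursively for
 * arrays (string keys are unslashed too, numeric keys are left alone). It
 * should be called on every string passed by GET, POST or COOKIE that is used.
 *
 * get_magic_quotes_gpc() was removed in PHP 8.0, so it is only consulted when
 * it still exists; on newer PHP magic quotes can never be on and nothing is
 * stripped.
 *
 * With $htmlAllowed = true the value is returned exactly as received, so this
 * is NOT an escaping step for SQL or HTML; callers still escape for the
 * context they use the value in (e.g. $db->escape() for SQL).
 *
 * @static
 * @param string|array $val string/array to clean up
 * @param boolean $htmlAllowed is html allowed in the strings? if false the
 *                             result is entity-encoded (ENT_QUOTES, UTF-8)
 * @return string|array cleaned string, or array of cleaned values
 */
function cleanGPC($val, $htmlAllowed = true)
{
    if (is_array($val)) {
        $tmp = array();
        foreach ($val as $k => $v) {
            // string keys came from the request as well, so they are unslashed too
            $tmp[is_numeric($k) ? $k : stripslashes($k)] = StringHelper::cleanGPC($v, $htmlAllowed);
        }
        return $tmp;
    }
    // The probe function itself no longer exists on PHP >= 8.0; without the
    // function_exists() guard every call to cleanGPC() is a fatal error there.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $val = stripslashes($val);
    }
    if ($htmlAllowed) {
        return $val;
    }
    return htmlentities($val, ENT_QUOTES, 'UTF-8');
}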
/**
 * Save the contact from the POSTed form values.
 *
 * Returns true on success, false on errors (contact NOT saved -> check
 * errorHandler then). The caller's contact object is kept by reference as
 * $this->contact, the picture path is added to the form data as
 * $post['URLtoMugshot'], and the whole array is run through
 * StringHelper::cleanGPC() before it is handed to saveContactFromArray().
 *
 * @param object $contact contact to save (taken by reference)
 * @param array $post POSTed form values (taken by reference; gets URLtoMugshot added)
 * @param string|null $pictureFile path of the uploaded picture, if any
 * @param boolean $adminsave passed through to saveContactFromArray()
 * @return boolean
 */
function saveContactFromPost(&$contact, &$post, $pictureFile = null, $adminsave = false)
{
    // the uploaded picture travels with the rest of the form data
    $post['URLtoMugshot'] = $pictureFile;
    // keep the caller's object, not a copy
    $this->contact =& $contact;
    $cleaned = StringHelper::cleanGPC($post);
    $saved = $this->contact->saveContactFromArray($cleaned, $adminsave);
    return $saved;
}
* Map PLUGIN for THE ADDRESS BOOK ************************************************************* * @package plugins * @author Thomas Katzlberger */ chdir('../../'); require_once 'lib/init.php'; require_once 'Contact.class.php'; require_once 'DB.class.php'; require_once 'StringHelper.class.php'; require_once 'ErrorHandler.class.php'; if (isset($_GET['id'])) { $address_id = StringHelper::cleanGPC($_GET['id']); } if (isset($_GET['cid'])) { $contact = Contact::newContact(intval(StringHelper::cleanGPC($_GET['cid']))); } // use for the google-bubble? // search correct address in value group ... not very efficient $adds = $contact->getValueGroup('addresses'); foreach ($adds as $a) { if ($a['refid'] == $address_id) { $add =& $a; break; } } if (!isset($add)) { $errorHandler->error('argVal', 'The address with id=' . $address_id . ' does not exist'); } $errorMessage = 'Unable to map this address. The address may not be included in any geocoder currently available here, or it is simply misspelled. Sorry!'; // Cache Geocode ... currently not available, needs API key
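/**
 * Saves the table (has not to be called by user, called by {@link TableEditor} itself).
 *
 * For each POSTed row this checks whether the row may be saved by the user
 * (its primary key must be one the display query handed out, when there is a
 * display query) and, for enum-like fields, whether the posted value is one of
 * the allowed values. Values are passed through StringHelper::cleanGPC() and
 * $this->db->escape() before they are put into the UPDATE statement; field
 * names come from popFields(), not from the request.
 *
 * Side effects: increments $this->processed per POSTed row and $this->saved
 * per row actually written.
 *
 * @return void
 */
function save()
{
    $fields = array();
    $header = null;
    $this->popFields($fields, $header, TRUE);

    // Allow-list of primary keys: run the display query again so a user can
    // only update rows that were actually shown to them. null = no restriction.
    $allowedIDs = null;
    if ($this->sql !== null) {
        $allowedIDs = array();
        $this->db->query($this->sql);
        while ($r = $this->db->next()) {
            // compared as exact strings below, so normalise here
            $allowedIDs[] = (string) $r[$this->primKey];
        }
    }

    for ($i = 0; isset($_POST[$this->tableName][$i]); $i++) {
        $cur = StringHelper::cleanGPC($_POST[$this->tableName][$i]);
        $this->processed++;
        // a row is an array that carries a scalar primary key; anything else
        // (a bare string, or name[] nesting) is ignored
        if (!is_array($cur) || !isset($cur[$this->primKey]) || is_array($cur[$this->primKey])) {
            continue;
        }
        // strict match against the allow-list: a loose in_array() would also
        // accept numerically-equal spellings such as "1e1" for 10
        $id = (string) $cur[$this->primKey];
        if ($allowedIDs !== null && !in_array($id, $allowedIDs, true)) {
            continue;
        }

        $assignments = array();
        foreach ($fields as $k => $v) {
            // 'visible' marks a display-only field (comparison kept loose as in
            // the original; $v may be a string or an array of allowed values)
            if ($v == 'visible' || !isset($cur[$k]) || is_array($cur[$k])) {
                continue;
            }
            $value = $cur[$k];
            if (is_array($v)) {
                // enum-like field: only values from the declared set are accepted
                if (!isset($v[$value])) {
                    continue;
                }
                if ($value === 'NULL') {
                    $assignments[] = $k . ' = NULL';
                    continue;
                }
            }
            $assignments[] = $k . ' = ' . $this->db->escape($value);
        }
        if (!$assignments) {
            continue;
        }

        $sql = 'UPDATE ' . $this->tableName . ' SET ' . implode(', ', $assignments)
            . ' WHERE ' . $this->primKey . ' = ' . $this->db->escape($cur[$this->primKey]);
        $this->db->query($sql);
        $this->saved++;
    }
}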
* *************************************************************/ chdir(".."); require_once 'lib/init.php'; if (!isset($_SESSION['user']) || !$_SESSION['user']->isAtLeast('guest')) { exit; } require_once 'DB.class.php'; require_once 'StringHelper.class.php'; if (isset($_COOKIE["searchtype"])) { $type = StringHelper::cleanGPC($_COOKIE["searchtype"]); } else { $type = "name"; } $admin = intval($_SESSION['user']->isAtLeast('admin')); $p = $db->escape(StringHelper::cleanGPC($_POST['goTo'])); if ($p[0] == "'") { $p = mb_substr($p, 1, -1); } $limit = $options->getOption('autocompleteLimit'); switch ($type) { case 'name': $sel_lname = "SELECT CONCAT(lastname,', ',firstname) AS fullname, '' AS value FROM " . TABLE_CONTACT . " AS contact WHERE "; $sel_fname = "SELECT CONCAT(firstname,' ',lastname) AS fullname, '' AS value FROM " . TABLE_CONTACT . " AS contact WHERE "; $sel_nname = "SELECT CONCAT(lastname,', ',firstname) AS fullname, nickname AS value FROM " . TABLE_CONTACT . " AS contact WHERE "; $where_lname = "(lastname LIKE '{$p}%') AND (hidden = 0 OR {$admin})"; $where_fname = "(firstname LIKE '{$p}%') AND (hidden = 0 OR {$admin})"; $where_nname = "(nickname LIKE '{$p}%') AND (hidden = 0 OR {$admin})"; $sql = "({$sel_lname} {$where_lname}) UNION ({$sel_fname} {$where_fname}) UNION ({$sel_nname} {$where_nname}) ORDER BY fullname ASC LIMIT {$limit}"; break; case 'email':
} // do we have a password? if (!isset($_POST['user_password']) || !$_POST['user_password']) { $errorHandler->error('login', 'Please enter a password'); // fatal // redisplay login page $page = new PageLoginScreen(isset($_GET['redirect']) ? $_GET['redirect'] : ''); echo $page->create(); exit; } // create user class with email $user = new User(StringHelper::cleanGPC($_POST['user_email'])); // was the email correct? if ($user->id !== null) { // was the password correct? if ($user->login(StringHelper::cleanGPC($_POST['user_password']))) { $_SESSION['user'] =& $user; $options = new Options($user); if ($user->getType() == 'register') { if ($user->isConfirmed()) { // New User -> Attach Contact if ($user->attachContact()) { $flag = 'found'; } else { $flag = 'created'; } $page = new PageRegister('confirm', $flag, isset($_GET['redirect']) ? $_GET['redirect'] : ''); echo $page->create(); exit; } else { // User#136 has set an error message; redisplay login page
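/**
 * Handle the e-mail field of the POSTed user form.
 *
 * When an 'email' value was posted it is cleaned and set on $eUser. setEmail()
 * reports problems through the global error handler, so the function stops if
 * a 'register' or 'mail' error is pending afterwards. If the edited user is the
 * logged-in user, the session user is dropped and the browser is redirected to
 * the main page.
 *
 * The original used `break` here, which is a compile-time fatal error outside
 * a loop or switch; `return` is what was meant.
 *
 * @param User $eUser user being edited (modified in place)
 * @global ErrorHandler $errorHandler
 * @return void
 */
function postEmail($eUser)
{
    global $errorHandler;
    if (!isset($_POST['email'])) {
        return;
    }
    $eUser->setEmail(StringHelper::cleanGPC($_POST['email']));
    // setEmail() signals failure via the error handler, not a return value
    if ($errorHandler->getLastError('register') || $errorHandler->getLastError('mail')) {
        return;
    }
    if ($eUser->id == $_SESSION['user']->id) {
        // the logged-in user changed their own address: end their session
        $_SESSION['user'] = null;
        header('Location:' . Navigation::mainPageUrl());
        // NOTE(review): execution continues after the redirect header; the
        // caller is expected to stop output after this - confirm.
    }
}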
require_once 'ErrorHandler.class.php'; require_once 'StringHelper.class.php'; require_once 'PageSearchResult.class.php'; require_once 'PageContact.class.php'; // Is a user logged in? if (!isset($_SESSION['user']) || !$_SESSION['user']->isAtLeast('guest')) { $errorHandler->standardError('NOT_LOGGED_IN', basename($_SERVER['SCRIPT_NAME'])); } // Do we have something from the text field?? if (isset($_POST['goTo'])) { if ($_POST['goTo'] == 'whoami' && isset($_SESSION['user']->contact['id'])) { header("Location: " . $CONFIG_TAB_ROOT . 'contact/contact.php?id=' . $_SESSION['user']->contact['id']); exit; } // Remove single quotes which come from $db->escape $goTo = mb_substr($db->escape(StringHelper::cleanGPC($_POST['goTo'])), 1, -1); // Search the database $cList = new ContactList('SELECT * FROM ' . TABLE_CONTACT . ' AS contact WHERE ( CONCAT(firstname,\' \', lastname) LIKE \'%' . $goTo . '%\' OR CONCAT(firstname,\' \', middlename,\' \', lastname) LIKE \'%' . $goTo . '%\' OR nickname LIKE \'%' . $goTo . '%\' OR CONCAT(lastname,\', \',firstname) LIKE \'%' . $goTo . '%\' ) AND (hidden = 0 OR ' . $db->escape($_SESSION['user']->isAtLeast('admin')) . ') ORDER BY lastname ASC, firstname ASC'); // if theres only one contact, show it if (count($cList->getContacts()) == 1) { // redirect to the page to have a valid URL in the window
* contact/searchlist.php * Lists address book entries from a query in the same format as the main list. * Has a mailing-list function. * *************************************************************/ chdir('..'); require_once 'lib/init.php'; require_once 'PageSearchList.class.php'; require_once 'StringHelper.class.php'; require_once 'HTMLBeautifier.class.php'; require_once 'ErrorHandler.class.php'; // Is someone logged in? Terminate if not if (!isset($_SESSION['user']) || !$_SESSION['user']->isAtLeast('guest')) { $errorHandler->standardError('NOT_LOGGED_IN', basename($_SERVER['SCRIPT_NAME'])); } if (!isset($_GET['group']) || $_GET['group'] == 'hidden' && !$_SESSION['user']->isAtLeast('admin')) { $_GET['group'] = ''; } if (!isset($_GET['search'])) { $_GET['search'] = ''; } if (!isset($_GET['type'])) { $_GET['type'] = ''; } if (!isset($_GET['expand'])) { $_GET['expand'] = 0; } // contact/searchlist.php?search=string&type=[name|www|chat|...] $page = Page::newPage('PageSearchList', StringHelper::cleanGPC($_GET['search']), StringHelper::cleanGPC($_GET['type']), StringHelper::cleanGPC($_GET['expand'])); echo $page->create(); exit;
AND certState != ' . $db->escape('revoked')); $revokeContacts = new ContactList('SELECT * FROM ' . TABLE_CONTACT . ' AS contact WHERE TO_DAYS(certModifiedAt) = TO_DAYS(' . $date . ') AND certState = ' . $db->escape('revoked')); break; case 'expired-list': // Generate a page that list passwords by group/company $page = new PageExpiredList(); echo $page->create(); exit; case 'utrack': if (!isset($_POST['mails'])) { break; } $lines = explode("\n", StringHelper::cleanGPC($_POST['mails'])); $undone = ''; foreach ($lines as $l) { $l = trim($l); if (!$l) { continue; } $sql = 'UPDATE ' . TABLE_CONTACT . ' AS contact, ' . TABLE_PROPERTIES . ' AS properties SET certLastUsed = NOW(), certState = "used" WHERE contact.id = properties.id AND properties.type = "email" AND properties.value = ' . $db->escape($l) . ' AND ' . VALID_CERT; $db->query($sql); if ($db->rowsAffected() <= 0) { $undone .= $l . ',<br>';
/**
 * Create the search query for the project / opportunity / candidate forms.
 *
 * Reads the criteria from $_POST (cleaned with StringHelper::cleanGPC()) and
 * returns one SELECT on TABLE_CONTACT. The three form variants are tried in
 * order - project (p-*), opportunity (o-*), candidate (c-*) - and the first
 * one with at least one non-empty criterion produces the query; when none
 * was posted the default query matches nothing (WHERE id=-1).
 *
 * Every user value goes through $db->escape(), which is assumed to return a
 * quoted string: the substr(..., 1, -1) calls strip those quotes so the value
 * can sit inside a LIKE "%...%" pattern. LIKE wildcards (% and _) inside the
 * posted value are not escaped here, so a user can widen such a match; escape
 * them before this point if that matters.
 *
 * @global DB obtained via DB::getSingleton(), used for escaping only
 * @return string SQL query
 */
function createQuery()
{
    // create an empty default result - any better way to do this
    $sql = "SELECT * FROM " . TABLE_CONTACT . " AS contact WHERE id=-1";
    $db = DB::getSingleton();
    // 1 for admins, 0 otherwise; interpolated into the candidate query so admins
    // also see non-visible dates and hidden contacts
    $admin = intval($_SESSION['user']->isAtLeast('admin'));
    $post = StringHelper::cleanGPC($_POST);

    // projects - the raw $_POST key decides whether a criterion is present, the
    // cleaned $post value is what goes into the query. Each property join adds
    // its own table alias (p1..p4, d) and requires visibility = "visible".
    $props = array();
    $tbls = array();
    if (!empty($_POST['p-category'])) {
        $tbls[] = TABLE_PROPERTIES . ' AS p1';
        $props[] = 'c.id=p1.id AND p1.type="other" AND (p1.visibility = "visible" AND p1.label="Project Category" AND p1.value LIKE BINARY "%' . substr($db->escape($post['p-category']), 1, -1) . '%" )';
    }
    if (!empty($_POST['p-role'])) {
        $tbls[] = TABLE_PROPERTIES . ' AS p2';
        $props[] = 'c.id=p2.id AND p2.type="other" AND (p2.visibility = "visible" AND p2.label="Contract Role" AND p2.value=' . $db->escape($post['p-role']) . ')';
    }
    if (!empty($_POST['p-company'])) {
        $tbls[] = TABLE_PROPERTIES . ' AS p3';
        $props[] = 'c.id=p3.id AND p3.type="other" AND (p3.visibility = "visible" AND p3.label="Applicant" AND p3.value LIKE "%' . substr($db->escape($post['p-company']), 1, -1) . '%" )';
    }
    if (!empty($_POST['p-value'])) {
        $tbls[] = TABLE_PROPERTIES . ' AS p4';
        // numeric comparison against a quoted value; the database does the cast
        $props[] = 'c.id=p4.id AND p4.type="other" AND (p4.visibility = "visible" AND p4.label="SWARCO Value" AND p4.value > ' . $db->escape($post['p-value']) . ')';
    }
    if (!empty($_POST['p-after'])) {
        $tbls[] = TABLE_DATES . ' AS d';
        $props[] = 'c.id=d.id AND (d.label="Completed" AND d.value1 > ' . $db->escape($post['p-after']) . ')';
    }
    $propsel = implode(' AND ', $props);
    if (!empty($propsel)) {
        $tables = implode(', ', $tbls);
        $sel = "SELECT DISTINCT c.* FROM " . TABLE_CONTACT . " AS c, {$tables} WHERE ";
        // project search never shows hidden contacts, not even to admins
        $where = "c.xsltDisplayType='project' AND c.hidden=0 AND {$propsel} ORDER BY lastname";
        $sql = "{$sel} {$where}";
        //echo $sql;
        return $sql;
    }

    // project opportunity - same joins as above, but without the visibility
    // condition on the properties and without the "Completed" date criterion
    $props = array();
    $tbls = array();
    if (!empty($_POST['o-category'])) {
        $tbls[] = TABLE_PROPERTIES . ' AS p1';
        $props[] = 'c.id=p1.id AND p1.type="other" AND (p1.label="Project Category" AND p1.value LIKE BINARY "%' . substr($db->escape($post['o-category']), 1, -1) . '%" )';
    }
    if (!empty($_POST['o-role'])) {
        $tbls[] = TABLE_PROPERTIES . ' AS p2';
        $props[] = 'c.id=p2.id AND p2.type="other" AND (p2.label="Contract Role" AND p2.value=' . $db->escape($post['o-role']) . ')';
    }
    if (!empty($_POST['o-company'])) {
        $tbls[] = TABLE_PROPERTIES . ' AS p3';
        $props[] = 'c.id=p3.id AND p3.type="other" AND (p3.label="Applicant" AND p3.value LIKE "%' . substr($db->escape($post['o-company']), 1, -1) . '%" )';
    }
    if (!empty($_POST['o-value'])) {
        $tbls[] = TABLE_PROPERTIES . ' AS p4';
        $props[] = 'c.id=p4.id AND p4.type="other" AND (p4.label="SWARCO Value" AND p4.value > ' . $db->escape($post['o-value']) . ')';
    }
    $propsel = implode(' AND ', $props);
    if (!empty($propsel)) {
        $tables = implode(', ', $tbls);
        $sel = "SELECT DISTINCT c.* FROM " . TABLE_CONTACT . " AS c, {$tables} WHERE ";
        $where = "c.xsltDisplayType='opportunity' AND c.hidden=0 AND {$propsel} ORDER BY lastname";
        $sql = "{$sel} {$where}";
        //echo $sql;
        return $sql;
    }

    // project candidate - matches on the dates table only; this is the one
    // variant where $admin lifts the visibility and hidden filters
    $props = array();
    if (!empty($_POST['c-position'])) {
        $props[] = 'd1.label=' . $db->escape($post['c-position']);
    }
    if (!empty($_POST['c-experience'])) {
        $props[] = 'd1.value1 < ' . $db->escape($post['c-experience']);
    }
    $propsel = implode(' AND ', $props);
    if (!empty($propsel)) {
        $sel = "SELECT DISTINCT c.* FROM " . TABLE_CONTACT . " AS c, " . TABLE_DATES . " AS d1 WHERE ";
        $where = "c.id=d1.id AND ({$propsel}) AND (d1.visibility = 'visible' OR {$admin}) AND (c.hidden = 0 OR {$admin}) AND c.xsltDisplayType='expertise' ORDER BY lastname";
        $sql = "{$sel} {$where}";
        //echo $sql;
        return $sql;
    }
    // no criterion in any form: the empty default result
    return $sql;
}
$classname = StringHelper::cleanGPC($_GET['plugin']); $plugin = new $classname(); $plugin->installPlugin(); $db->query('UPDATE ' . TABLE_PLUGINS . ' SET state = ' . $db->escape('activated') . ' WHERE name = ' . $db->escape(StringHelper::cleanGPC($_GET['plugin']))); } break; case 'upgrade': if (isset($_GET['plugin'])) { $classname = StringHelper::cleanGPC($_GET['plugin']); $db->query('SELECT version FROM ' . TABLE_PLUGINS . ' WHERE name="' . $classname . '"'); // retrieve old version $r = $db->next(); $plugin = new $classname(); $plugin->upgradePlugin($r['version']); } break; case 'uninstall': if (isset($_GET['plugin'])) { $classname = StringHelper::cleanGPC($_GET['plugin']); $plugin = new $classname(); $plugin->uninstallPlugin(); $db->query('UPDATE ' . TABLE_PLUGINS . ' SET state = ' . $db->escape('not installed') . ' WHERE name = ' . $db->escape(StringHelper::cleanGPC($_GET['plugin']))); } break; } // show admin panel $page = new PageAdminPanel(); echo $page->create(); exit;
$user->setType('user'); if (!$user->attachContact() || !$user->contact['id'] == StringHelper::cleanGPC($_GET['id'])) { $errorHandler->error('register', 'This e-mail doesn\'t belong to this contact'); $user->delete(); $flag = 'error'; break; } $flag = 'ok'; break; case 'resend': if (!isset($_GET['email'])) { break; } $user = new User(StringHelper::cleanGPC($_GET['email'])); if ($user->id === null) { $errorHandler->error('register', 'A user with this e-mail does not exist'); $flag = 'error'; break; } if ($user->isConfirmed()) { $errorHandler->error('register', 'This user does not need to be confirmed'); $flag = 'error'; break; } $user->setEmail(StringHelper::cleanGPC($_GET['email'])); $flag = 'ok'; break; } $page = new PageRegister(StringHelper::cleanGPC($_GET['mode']), $flag, isset($_GET['redirect']) ? $_GET['redirect'] : ''); echo $page->create(); exit;
* Lists address book entries. This is the main page that is displazed as default after login. * */ chdir('..'); require_once 'lib/init.php'; require_once 'PageList.class.php'; require_once 'StringHelper.class.php'; require_once 'HTMLBeautifier.class.php'; require_once 'ErrorHandler.class.php'; // Is someone logged in? Terminate if not $rightsManager = RightsManager::getSingleton(); // Allowed to view list if (!$rightsManager->currentUserIsAllowedTo('view-list')) { $errorHandler->standardError('PERMISSION_DENIED', basename($_SERVER['SCRIPT_NAME'])); } if (!isset($_GET['group']) || $_GET['group'] == 'hidden' && !$_SESSION['user']->isAtLeast('admin')) { $_GET['group'] = ''; } if (!isset($_GET['begin'])) { $_GET['begin'] = ''; } if (!isset($_GET['page'])) { $_GET['page'] = 0; } if (!isset($_GET['expand'])) { $_GET['expand'] = 0; } $page = Page::newPage('PageList', StringHelper::cleanGPC($_GET['group']), $_GET['expand'], StringHelper::cleanGPC($_GET['begin']), intval(StringHelper::cleanGPC($_GET['page']))); //echo HTMLBeautifier::beautify($page->create()); echo $page->create(); exit;
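/**
 * Save the contact from the POSTed form values.
 *
 * Returns true on success, false on errors (contact NOT saved -> check
 * errorHandler then). The notes posted by the widgEditor component under
 * 'contactNotes' are moved to $post['contact']['notes'], the picture path is
 * added as $post['URLtoMugshot'], and the whole array is run through
 * StringHelper::cleanGPC() before it is handed to saveContactFromArray().
 *
 * @param object $contact contact to save (taken by reference)
 * @param array $post POSTed form values (taken by reference; modified as described)
 * @param string|null $pictureFile path of the uploaded picture, if any
 * @param boolean $adminsave passed through to saveContactFromArray()
 * @return boolean
 */
function saveContactFromPost(&$contact, &$post, $pictureFile = null, $adminsave = false)
{
    // interaction PHP/widgEditor: the editor posts the notes under its own
    // field name. Guarded so a form without that field does not raise an
    // undefined-index notice; the notes then stay empty (null), as before.
    $post['contact']['notes'] = isset($post['contactNotes']) ? $post['contactNotes'] : null;
    $this->contact =& $contact; // force by reference
    $post['URLtoMugshot'] = $pictureFile;
    $p = StringHelper::cleanGPC($post);
    return $this->contact->saveContactFromArray($p, $adminsave);
}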
//Render the frontpage title $pdf->frontpage_title($frontpage_title, $your_domain, 50, $pdf->y - 100, 80, 80, 200); $pdf->selectFont($mainFont); $pdf->ezNewPage(); $pdf->ezStartPageNumbers(560, 25, 10, '', '', 1); $size = 10; $height = $pdf->getFontHeight($size); $textOptions = array('justification' => 'left'); $collecting = 0; $code = ''; $counter = 0; //used to count 8 to a page if (!isset($_GET['group'])) { $_GET['group'] = ''; } $list = new GroupContactList(StringHelper::cleanGPC($_GET['group'])); $conts = $list->getContacts(); foreach ($conts as $c) { $pdf->renderAddress($CONFIG_PDFBOOK_LINE_HEIGHT, $CONFIG_PDFBOOK_FONT_SIZE, createLinesFromContact($c), new ContactImage($c)); } $pdf->ezStopPageNumbers(1, 1); // Debug section............................................................................................... // adding ?d=1 to the url calling this will cause the pdf code itself to ve echoed to the // browser, this is quite useful for debugging purposes. if (!empty($_GET['d'])) { $pdfcode = $pdf->ezOutput(1); $pdfcode = str_replace("\n", "\n<br>", htmlspecialchars($pdfcode)); echo '<html><body>'; echo trim($pdfcode); echo '</body></html>'; } else {
} // delete labels of empty entries to make mandatory entries optional foreach ($_POST['date'] as &$x) { if (empty($x['value1']) && empty($x['value2'])) { $x['label'] = ''; } } if (!empty($_POST['contact']['notes'])) { $_POST['contact']['notes'] = XSLTUtility::arrayToXMLraw($_POST['contact']['notes'], $h = false); } $_POST['URLtoMugshot'] = isset($_FILES['contact']['tmp_name']['pictureData']['file']) ? $_FILES['contact']['tmp_name']['pictureData']['file'] : null; // pic upload error!! if (!empty($_FILES['contact']['name']['pictureData']['file']) && empty($_FILES['contact']['tmp_name']['pictureData']['file'])) { $errorHandler->warning('File upload failed! Error code (6 means tmp directory not writeable): ' . $_FILES['contact']['error']['pictureData']['file'], basename($_SERVER['SCRIPT_NAME'])); } $save = $contact->saveContactFromArray(StringHelper::cleanGPC($_POST)); break; case 'contact_NoMandatoryEntries': if ($_POST['duplicateContact'] == 1) { unset($contact->contact['id']); foreach ($_POST['address'] as &$x) { unset($x['refid']); } } // delete labels of empty entries to make mandatory entries optional if (isset($_POST['www'])) { foreach ($_POST['www'] as &$x) { if (empty($x['value'])) { $x['label'] = ''; } }