 function checkFields($aData, $zData = false)
 {
     // Validates the submitted form data before it is stored.
     // The owner of the entry is the only field that is always required here.
     $this->aCheckMandatory = array('owned_by');
     parent::checkFields($aData);

     // Cap the number of selected genes; an empty selection means a genome-wide analysis.
     $aGenes = (empty($aData['genes']) ? array() : $aData['genes']);
     if (is_array($aGenes) && count($aGenes) > 15) {
         lovd_errorAdd('genes', 'Please select no more than 15 genes. For genome-wide analysis, <B>no</B> genes should be selected.');
     }

     // Deny HTML in the submitted values (called without an explicit data array here,
     // unlike the column forms which pass a filtered copy of $aData).
     lovd_checkXSS();
 }
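 function checkFields($aData, $zData = false)
 {
     // Validates the system settings form before the values are stored.
     // Besides format checks this actively probes the configured proxy server and the custom
     // logo file, so several checks below touch the network and the file system.
     global $_SETT;

     // Mandatory fields.
     $this->aCheckMandatory = array('system_title', 'email_address', 'refseq_build');
     parent::checkFields($aData);

     // Database URL is mandatory, if the option "Include in the global LOVD listing" is selected.
     if (!empty($aData['include_in_listing']) && empty($aData['location_url'])) {
         lovd_errorAdd('location_url', 'Please fill in an URL in the \'Database URL\' field, if you want this LOVD installation to be included in the global LOVD listing; otherwise disable the \'Include in the global LOVD listing\' setting below.');
     }
     // Database URL should be an URL.
     if (!empty($aData['location_url']) && !lovd_matchURL($aData['location_url'])) {
         lovd_errorAdd('location_url', 'Please fill in a correct URL in the \'Database URL\' field.');
     }
     // Email address.
     if (!empty($aData['email_address']) && !lovd_matchEmail($aData['email_address'])) {
         lovd_errorAdd('email_address', 'Please fill in a correct email address.');
     }
     // Refseq build should match the available builds.
     if (!empty($aData['refseq_build']) && !array_key_exists($aData['refseq_build'], $_SETT['human_builds'])) {
         lovd_errorAdd('refseq_build', 'Please select one of the available Human Builds.');
     }

     // Proxy server checks (valid hostname, valid port number, try connecting).
     // NOTE(review): this opens a TCP connection to an operator-supplied host:port. It assumes the
     // settings form is only reachable by administrators — confirm against the calling page.
     if (!empty($aData['proxy_host'])) {
         // Pattern taken from lovd_matchURL().
         $bValidHost = (bool) preg_match('/^([0-9]{1,3}(\\.[0-9]{1,3}){3}|(([0-9a-z][-0-9a-z]*[0-9a-z]|[0-9a-z])\\.?)+[a-z]{2,6})$/i', $aData['proxy_host']);
         // The port must be an integer in the TCP range. Previously only "non-empty" was checked,
         // so values like "80abc" or "99999" were handed straight to fsockopen().
         $bValidPort = (!empty($aData['proxy_port']) && ctype_digit((string) $aData['proxy_port'])
             && (int) $aData['proxy_port'] >= 1 && (int) $aData['proxy_port'] <= 65535);
         if (!$bValidHost) {
             lovd_errorAdd('proxy_host', 'Please fill in a correct host name of the proxy server, if you wish to use one.');
         } elseif (!$bValidPort) {
             lovd_errorAdd('proxy_port', 'Please fill in a correct, numeric, port number of the proxy server, if you wish to use a proxy server.');
         } else {
             // Alright, let's try and connect.
             // First: normal connect, direct, no outside connection requested.
             $f = @fsockopen($aData['proxy_host'], (int) $aData['proxy_port'], $nError, $sError, 5);
             if ($f === false) {
                 lovd_errorAdd('proxy_host', 'Could not connect to given proxy server. Please check if the fields are correctly filled in.');
                 lovd_errorAdd('proxy_port', '');
             } else {
                 // Send a minimal HTTP/1.0 request through the proxy. Credentials, if given, go along as
                 // Basic auth — an HTTP proxy receives those in the clear, which is inherent to the protocol.
                 // They are read from $_POST (not $aData), as the original code did.
                 $sAuth = '';
                 if (!empty($_POST['proxy_username']) && !empty($_POST['proxy_password'])) {
                     $sAuth = 'Proxy-Authorization: Basic ' . base64_encode($_POST['proxy_username'] . ':' . $_POST['proxy_password']) . "\r\n";
                 }
                 $sRequest = 'GET ' . $_SETT['check_location_URL'] . ' HTTP/1.0' . "\r\n" .
                     'User-Agent: LOVDv.' . $_SETT['system']['version'] . " Proxy Check\r\n" .
                     $sAuth .
                     'Connection: Close' . "\r\n\r\n";
                 fputs($f, $sRequest);
                 // Only the status line is needed; fgets() returns false if the proxy hangs up without answering.
                 $s = rtrim((string) fgets($f));
                 fclose($f); // The socket was previously never closed.
                 if (!preg_match('/^HTTP\\/1\\.. [23]/', $s, $aRegs)) {
                     // Allowing HTTP 2XX and 3XX.
                     if (preg_match('/^HTTP\\/1\\.. 407/', $s, $aRegs)) {
                         // Proxy needs username and password.
                         if (!empty($_POST['proxy_username']) && !empty($_POST['proxy_password'])) {
                             lovd_errorAdd('proxy_username', 'Invalid username/password combination for this proxy server. Please try again.');
                             lovd_errorAdd('proxy_password', '');
                         } else {
                             lovd_errorAdd('proxy_username', 'This proxy server requires a valid username and password. Please make sure you provide them both.');
                             lovd_errorAdd('proxy_password', '');
                         }
                     } else {
                         // The status line is controlled by whoever answers on that host:port; escape it
                         // before it is rendered inside the error message.
                         lovd_errorAdd('proxy_host', 'Unexpected answer from proxy when trying to connect upstream: ' . htmlspecialchars($s));
                     }
                 }
             }
         }
     } elseif (!empty($aData['proxy_port'])) {
         // We have a port number, but no host name.
         lovd_errorAdd('proxy_host', 'Please also fill in a correct host name of the proxy server, if you wish to use one.');
     }

     // Custom logo must exist.
     if (!empty($aData['logo_uri'])) {
         // The URI is resolved relative to ROOT_PATH; refuse ".." segments (and NUL bytes) so the
         // readability/image probe cannot be pointed at files outside the installation directory.
         $aSegments = preg_split('#[/\\\\]+#', $aData['logo_uri']);
         if (in_array('..', $aSegments, true) || strpos($aData['logo_uri'], "\0") !== false) {
             lovd_errorAdd('logo_uri', 'The custom logo path must be relative to the LOVD installation directory and may not contain \'..\'.');
         } elseif (!is_readable(ROOT_PATH . $aData['logo_uri'])) {
             lovd_errorAdd('logo_uri', 'Cannot read the custom logo file. Please make sure the path is correct and that the file can be read.');
         } else {
             // Determine if the file is an image or not.
             $a = @getimagesize(ROOT_PATH . $aData['logo_uri']);
             if (!is_array($a)) {
                 lovd_errorAdd('logo_uri', 'The custom logo file that you selected does not seem to be a picture.');
             }
         }
     } else {
         // FIXME; this is probably not the best way of doing this...
         $_POST['logo_uri'] = 'gfx/LOVD3_logo145x50.jpg';
     }
     // FIXME; Like above, not the best solution, but gets the job done for now.
     if (empty($aData['mutalyzer_soap_url'])) {
         $_POST['mutalyzer_soap_url'] = 'https://mutalyzer.nl/services';
     }

     // SSL check.
     if (!empty($aData['use_ssl']) && !SSL) {
         // Build the https:// equivalent of the current URL. HTTP_HOST, PHP_SELF and QUERY_STRING are
         // request-controlled, so the result is escaped before being placed in the href attribute.
         $sQuery = (empty($_SERVER['QUERY_STRING']) ? '' : '?' . str_replace('&sent=true', '', $_SERVER['QUERY_STRING']));
         $sHttpsURL = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . $sQuery;
         lovd_errorAdd('use_ssl', 'You\'ve selected to force the use of SSL, but SSL is not currently activated for this session. To force SSL, I must be sure it\'s possible to approach LOVD through an SSL connection (use <A href="' . htmlspecialchars($sHttpsURL) . '" target="_blank">https://</A> instead of http://).');
     }
     $_POST['api_feed_history'] = 0;
     $_POST['allow_count_hidden_entries'] = 0;
     $_POST['use_versioning'] = 0;
     // XSS attack prevention. Deny input of HTML.
     lovd_checkXSS();
 }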
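 function checkFields($aData, $zData = false)
 {
     // Validates a custom column definition (ID, MySQL type, form type, width, ...) before it is stored.
     global $_DB;

     $sMySQLType = (isset($aData['mysql_type']) ? (string) $aData['mysql_type'] : '');

     // Mandatory fields.
     $this->aCheckMandatory = array('category', 'colid', 'head_column', 'description_legend_short', 'description_legend_full', 'mysql_type', 'form_type', 'width');
     if (ACTION == 'edit') {
         // The column ID is fixed when editing. aCheckMandatory is a plain list, so the previous
         // unset($this->aCheckMandatory['colid']) matched no key and silently kept colid mandatory.
         $this->aCheckMandatory = array_values(array_diff($this->aCheckMandatory, array('colid')));
     } elseif (!empty($aData['active_links']) && !preg_match('/^(TEXT|VARCHAR)/', $sMySQLType)) {
         // Grouped alternation: '/^TEXT|VARCHAR/' anchored only the TEXT branch.
         lovd_errorAdd('active_links', 'Only VARCHAR or TEXT columns can have custom links activated for it!');
     }
     parent::checkFields($aData);

     // Category; not chosen on this form, but we want to make sure it's correct anyways.
     $aCategories = array('Individual', 'Phenotype', 'Screening', 'VariantOnGenome', 'VariantOnTranscript');
     if (!empty($aData['category']) && !in_array($aData['category'], $aCategories, true)) {
         lovd_errorAdd('category', 'The category is not correct. Please choose one of the following: Individual, Phenotype, Screening, VariantOnGenome or VariantOnTranscript.');
     }
     // ColID format.
     if (!empty($aData['colid']) && !preg_match('/^[A-Za-z0-9_]+(\\/[A-Za-z0-9_]+)*$/', $aData['colid'])) {
         lovd_errorAdd('colid', 'The column ID is not of the correct format. It can contain only letters, numbers and underscores. Subcategories must be divided by a slash (/).');
     }
     // During an import ColID that exist in the database do not give a hard error. Error is handled in import.php
     if (lovd_getProjectFile() != '/import.php' && !empty($aData['category']) && !empty($aData['colid'])) {
         // ColID must not exist in the database.
         if ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_COLS . ' WHERE id = ?', array($aData['category'] . '/' . $aData['colid']))->fetchColumn()) {
             // The category is echoed back. It is validated above, but this error is added regardless
             // of that outcome, so escape it.
             lovd_errorAdd('colid', 'There is already a ' . htmlspecialchars($aData['category']) . ' column with this column ID. Please verify that you\'re not trying to create a column that already exists!');
         }
     }

     // Width can not be less than 20 or more than 500.
     // These numbers are also defined in object_shared_columns.php and inc-js-columns.php.
     if (isset($aData['width']) && strlen($aData['width']) > 0) {
         if (!ctype_digit((string) $aData['width'])) {
             // Non-integer input (e.g. "30abc") slipped through the loose numeric comparisons before.
             lovd_errorAdd('width', 'The width must be a whole number of pixels!');
         } elseif ($aData['width'] > 500) {
             lovd_errorAdd('width', 'The width can not be more than 500 pixels!');
         } elseif ($aData['width'] < 20) {
             lovd_errorAdd('width', 'The width can not be less than 20 pixels!');
         }
     }

     // MySQL type format.
     // This string is presumably used verbatim in DDL later on (not visible here), so it must be fully
     // constrained. A quoted DEFAULT may not contain a backslash either: MySQL treats \" as an escaped
     // quote, which would let the literal run past its closing quote.
     if ($sMySQLType !== '' && !preg_match('/^(TEXT|VARCHAR\\([0-9]{1,3}\\)|DATE(TIME)?|((TINY|SMALL|MEDIUM|BIG)?INT\\([0-9]{1,2}\\)|DECIMAL\\([0-9]{1,2}\\,[0-9]{1,2}\\)|FLOAT)( UNSIGNED)?)( DEFAULT ([0-9]+|"[^"\\\\]+"))?$/i', $sMySQLType)) {
         lovd_errorAdd('mysql_type', 'The MySQL data type is not recognized. Please use the data type wizard to generate a proper MySQL data type.');
     }
     // Form type.
     if (!empty($aData['form_type']) && !preg_match('/^[^|]+\\|[^|]*\\|(checkbox|text\\|[0-9]+|textarea\\|[0-9]+\\|[0-9]+|select\\|[0-9]+\\|[^|]*\\|(false|true)\\|(false|true))$/i', $aData['form_type'])) {
         lovd_errorAdd('form_type', 'The form type is not recognized. Please use the data type wizard to generate a proper form type.');
     }

     // XSS attack prevention. Deny input of HTML.
     // Ignore some fields that are allowed to contain HTML, or that might cause false positives.
     unset($aData['description_form'], $aData['preg_pattern'], $aData['description_legend_short'], $aData['description_legend_full']);
     lovd_checkXSS($aData);
 }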
         }
         if (!$bCurator) {
             lovd_errorAdd('', 'Please select at least one curator that is allowed to edit <I>and</I> is shown on the gene home page!');
         }
     }
     // Mandatory fields.
     if (empty($_POST['password'])) {
         lovd_errorAdd('password', 'Please fill in the \'Enter your password for authorization\' field.');
     } elseif ($_POST['password'] && !lovd_verifyPassword($_POST['password'], $_AUTH['password'])) {
         // User had to enter his/her password for authorization.
         lovd_errorAdd('password', 'Please enter your correct password for authorization.');
     }
 } else {
     // MUST select at least one visible curator!
     if (empty($_POST['curators']) || empty($_POST['shown'])) {
         lovd_errorAdd('', 'Please select at least one curator to be shown on the gene home page!');
     }
 }
 if (!lovd_error()) {
     // What's by far the most efficient code-wise is just insert/update all we've got and delete everything else.
     // Prepare log for changes.
     // (depends on current database status, so we create the log message before
     // the changes are committed, but log the actual message afterwards).
     $sLogMessage = lovd_prepareCuratorLogMessage($sID, $_POST['curators'], $_POST['allow_edit'], $_POST['shown']);
     $_DB->beginTransaction();
     foreach ($_POST['curators'] as $nOrder => $nUserID) {
         $nOrder++;
         // Since 0 is the first key in the array.
         // FIXME; Managers are authorized to add other managers or higher as curators, but should not be able to restrict other manager's editing rights, or hide these users as curators.
         //   Implementing this check on this level means we need to query the database to get all user levels again, defeating this optimalisation below.
         //   Taking away the editing rights/visibility of managers or the admin by a manager is restricted in the interface, so it's not critical to solve now.
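 function checkFields($aData, $zData = false)
 {
     // Validates a shared column's settings (legend texts, width) before they are stored.
     // Mandatory fields.
     $this->aCheckMandatory = array('description_legend_short', 'description_legend_full', 'width');
     parent::checkFields($aData);

     // Width can not be less than 20 or more than 500.
     // These numbers are also defined in object_columns.php and inc-js-columns.php.
     if (isset($aData['width']) && strlen($aData['width']) > 0) {
         if (!ctype_digit((string) $aData['width'])) {
             // Non-integer input (e.g. "30abc") previously slipped through the loose numeric
             // comparisons and reached the database.
             lovd_errorAdd('width', 'The width must be a whole number of pixels!');
         } elseif ($aData['width'] > 500) {
             lovd_errorAdd('width', 'The width can not be more than 500 pixels!');
         } elseif ($aData['width'] < 20) {
             lovd_errorAdd('width', 'The width can not be less than 20 pixels!');
         }
     }

     // XSS attack prevention. Deny input of HTML.
     // Ignore some fields that are allowed to contain HTML, or that might cause false positives.
     unset($aData['description_form'], $aData['description_legend_short'], $aData['description_legend_full']);
     lovd_checkXSS($aData);
 }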
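/**
 * lovd_setEmptyCheckboxFields checks for all fields in the import file if it is a checkbox type
 * and if it has a valid value (0 or 1). When the field has no value ('') it is set to 0.
 * When it has any other value than '0' or '1' an error is set.
 *
 * @param array $aForm Form definition: non-array entries ('skip', 'hr', ...) are ignored; array
 *                     entries are read as array($sHeader, $sHelp, $sType, $sName, ...).
 *                     Reads and modifies the global $aLine (current import line, name => string value).
 **/
function lovd_setEmptyCheckboxFields($aForm)
{
    global $aLine;
    $aValidValues = array('0', '1');
    foreach ($aForm as $aField) {
        if (!is_array($aField)) {
            // 'skip', 'hr', etc...
            continue;
        }
        @(list($sHeader, , $sType, $sName) = $aField);
        if ($sType != 'checkbox') {
            continue;
        }
        // If a checkbox field is left empty in the import file, it is filled with 0.
        // If it does not exist in the import file it should not be added here.
        // Because during update we want to ignore fields that are not available, and during insert it will generate an error when mandatory.
        if (!isset($aLine[$sName])) {
            continue;
        }
        if ($aLine[$sName] === '') {
            // All data in $aLine is handled as a string, therefor we set the checkbox variable as string.
            $aLine[$sName] = '0';
        }
        // Strict comparison: the loose in_array() used before accepted numeric look-alikes such as
        // '1.0', '01' or ' 1', contradicting the "0 or 1" contract documented above.
        if (!in_array($aLine[$sName], $aValidValues, true)) {
            lovd_errorAdd($sName, 'The field \'' . $sHeader . '\' must contain either a \'0\' or a \'1\'.');
        }
    }
}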
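 function checkFields($aData, $zData = false)
 {
     // Validates a custom link definition (name, pattern text, replacement text, active columns).
     global $_DB;

     // Mandatory fields.
     $this->aCheckMandatory = array('name', 'pattern_text', 'replace_text', 'description');
     parent::checkFields($aData);

     // Link name must be unique.
     if (!empty($aData['name'])) {
         // Enforced in the table, but we want to handle this gracefully.
         $sSQL = 'SELECT COUNT(*) FROM ' . TABLE_LINKS . ' WHERE name = ?';
         $aSQL = array($aData['name']);
         if (ACTION == 'edit') {
             $sSQL .= ' AND id != ?';
             $aSQL[] = $zData['id'];
         }
         if ($_DB->query($sSQL, $aSQL)->fetchColumn()) {
             lovd_errorAdd('name', 'There is already a custom link with this link name. Please choose another one.');
         }
     }

     if (!isset($aData['active_columns'])) {
         $_POST['active_columns'] = array();
     } elseif (!empty($aData['active_columns'])) {
         // Check if columns are text columns, since others cannot even hold the custom link's pattern text.
         $aColumns = $_DB->query('SELECT id FROM ' . TABLE_COLS . ' WHERE mysql_type LIKE \'VARCHAR%\' OR mysql_type LIKE \'TEXT%\'')->fetchAllColumn();
         foreach ($aData['active_columns'] as $sCol) {
             // Columns without slashes are the category headers, that could be selected.
             if (substr_count($sCol, '/') && !in_array($sCol, $aColumns, true)) {
                 lovd_errorAdd('active_columns', 'Please select a valid custom column from the \'Active for columns\' selection box.');
             }
         }
     }

     // On the pattern text.
     if (!empty($aData['pattern_text'])) {
         // Pattern text must be unique.
         // Enforced in the table, but we want to handle this gracefully.
         $sSQL = 'SELECT COUNT(*) FROM ' . TABLE_LINKS . ' WHERE pattern_text = ?';
         $aSQL = array($aData['pattern_text']);
         if (ACTION == 'edit') {
             $sSQL .= ' AND id != ?';
             $aSQL[] = $zData['id'];
         }
         if ($_DB->query($sSQL, $aSQL)->fetchColumn()) {
             lovd_errorAdd('pattern_text', 'There is already a custom link with this pattern. Please choose another one.');
         } else {
             // Check the pattern of the pattern text.
             // The message promises 3-25 characters; the regex alone never enforced the upper bound.
             if (!preg_match('/^\\{([A-Z0-9 :;,_-]|\\[[0-9]\\])+\\}$/i', $aData['pattern_text']) || strlen($aData['pattern_text']) > 25) {
                 lovd_errorAdd('pattern_text', 'The link pattern is found to be incorrect. It must start with \'{\', end with \'}\' and can contain letters, numbers, spaces, some special characters (:;,_-) and references ([1] to [9]) and must be 3-25 characters long.');
             }
             // References shouldn't follow each other directly, because LOVD wouldn't know the separation character.
             if (preg_match('/(\\[[0-9]\\]){2,}/', $aData['pattern_text'])) {
                 lovd_errorAdd('pattern_text', 'The link pattern is found to be incorrect. Two or more references directly after each other must be separated by at least one character to keep the two apart.');
             }
         }

         // Check references in the pattern and replacement texts.
         if (!empty($aData['replace_text'])) {
             // Collects the reference numbers ("[n]") used in a text, in order of appearance.
             // What is collected is whatever stood between the last '[' and the next ']', so the
             // values are user-controlled and must be escaped before being echoed back.
             $fCollectRefs = function ($sText) {
                 $aRefs = array();
                 foreach (explode(']', $sText) as $sPart) {
                     if (substr_count($sPart, '[')) {
                         $aRefs[] = substr(strrchr($sPart, '['), 1);
                     }
                 }
                 return $aRefs;
             };
             $aPatternRefs = $fCollectRefs($aData['pattern_text']);
             $aReplaceRefs = $fCollectRefs($aData['replace_text']);

             // Check for reference order and/or references missing from the replacement text.
             // (each() was removed in PHP 8; iterating the list with its index is equivalent.)
             foreach (array_values($aPatternRefs) as $nIndex => $nRef) {
                 $nExpected = $nIndex + 1;
                 if ($nRef != $nExpected) {
                     lovd_errorAdd('pattern_text', 'The link pattern is found to be incorrect. Expected reference [' . $nExpected . '] ' . ($nExpected == 1 ? 'first' : 'after [' . ($nExpected - 1) . ']') . ', got [' . htmlspecialchars($nRef) . '].');
                 }
             }
             foreach ($aReplaceRefs as $nRef) {
                 if (!in_array($nRef, $aPatternRefs, true)) {
                     lovd_errorAdd('replace_text', 'The link replacement text is found to be incorrect. Could not find used reference [' . htmlspecialchars($nRef) . '] in link pattern.');
                 }
             }
             foreach ($aPatternRefs as $nPatternRef) {
                 if (!in_array($nPatternRef, $aReplaceRefs, true)) {
                     lovd_errorAdd('replace_text', 'The link replacement text is found to be incorrect. Expected reference [' . htmlspecialchars($nPatternRef) . '] not found in replacement text.');
                 }
             }
         }
     }
     // NO XSS attack prevention, because the replacement NEEDS HTML.
     // NOTE(review): replace_text is therefore stored as raw HTML and presumably rendered as such wherever
     // the link is applied; anyone allowed to create custom links can inject markup site-wide. Confirm this
     // form is restricted to trusted roles.
     // lovd_checkXSS();
 }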
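function lovd_getGeneInfoFromHgncOld($sHgncId, $aCols, $bRecursion = false)
{
    // Downloads gene information from the HGNC website. The specified columns will be retrieved.
    // The first argument can be an HGNC accession number, an HGNC approved gene symbol, or boolean true to retrieve ALL genes.
    // The results will be returned as an associative array; in case all genes have been loaded an array of arrays is returned with gene symbols as keys.
    // If $bRecursion == true, this function automatically handles deprecated HGNC entries.
    // On error, this function calls lovd_errorAdd if inc-lib-form.php was included. It always returns false on failure.
    //
    // Security notes:
    // - A gene symbol is spliced into a quoted literal of the remote "where" clause (and into a LIKE
    //   pattern in the alias fallback), so symbols containing characters that could break out of that
    //   literal are rejected up front instead of being sent along.
    // - The request goes over plain HTTP, so the response is not tamper-proof; values taken from the
    //   response are HTML-escaped before they are echoed in error messages.

    // Process columns.
    // $aColumns will be extended with more information, whereas $aCols is used for the return value and as such should not be changed.
    $aColumns = $aCols;
    $sColumns = '';
    foreach ($aCols as $sColumn) {
        $sColumns .= 'col=' . rawurlencode($sColumn) . '&';
    }

    // Make sure we request the right data.
    if ($sHgncId === true) {
        // Boolean true; return bulk data.
        $sWhere = '';
        // Using approved symbols as array keys, so we need to get them from the HGNC.
        if (!in_array('gd_app_sym', $aCols, true)) {
            $sColumns .= 'col=gd_app_sym&';
            $aColumns[] = 'gd_app_sym';
        }
    } else {
        if (ctype_digit((string) $sHgncId)) {
            // HGNC database ID.
            $sWhere = 'gd_hgnc_id%3D' . $sHgncId;
        } else {
            // Gene symbol; also match SYMBOL~withdrawn to be able to use a deprecated symbol as search key.
            // Reject anything that could terminate the quoted literal (quote, backslash), act as a LIKE
            // wildcard or alias separator in the fallback search (%, comma), or contain whitespace; none
            // of these occur in HGNC symbols. Underscore is left alone, as it is not certain no symbol uses it.
            if (!is_string($sHgncId) || $sHgncId === '' || preg_match('/["\\\\\s%,]/', $sHgncId)) {
                if (function_exists('lovd_errorAdd')) {
                    lovd_errorAdd('hgnc_id', 'Please enter a valid HGNC accession number or gene symbol.');
                }
                return false;
            }
            $sWhere = rawurlencode('gd_app_sym IN ("' . $sHgncId . '", "' . $sHgncId . '~withdrawn")');
        }
        // We also surely need gd_app_name to check for and handle withdrawn or deprecated entries.
        if (!in_array('gd_app_name', $aCols, true)) {
            $sColumns .= 'col=gd_app_name&';
            $aColumns[] = 'gd_app_name';
        }
    }

    // The URL is assembled the same way for the main query and the alias fallback; only the where clause differs.
    // NOTE(review): the endpoint is plain http://; if this code path is still in use, consider https://.
    $sURLPrefix = 'http://www.genenames.org/cgi-bin/download?' . $sColumns . 'status_opt=2&where=';
    $sURLSuffix = '&order_by=gd_app_sym_sort&limit=&format=text&submit=submit';

    // Turns one tab-separated response line into column => value, or false when the field count does
    // not match (e.g. a trailing empty line); array_combine() would otherwise return false (PHP < 8) or throw.
    $fParseLine = function ($sLine) use ($aColumns) {
        $aFields = explode("\t", $sLine);
        if (count($aFields) != count($aColumns)) {
            return false;
        }
        return array_combine($aColumns, $aFields);
    };

    $aHgncFile = lovd_php_file($sURLPrefix . $sWhere . $sURLSuffix);
    // If the HGNC is having database problems, we get an HTML page.
    if (empty($aHgncFile) || stripos(implode($aHgncFile), '<html') !== false) {
        if (function_exists('lovd_errorAdd')) {
            lovd_errorAdd('', 'Couldn\'t get gene information, probably because the HGNC is having database problems.');
        }
        return false;
    }

    if ($sHgncId === true) {
        // Got bulk data.
        $aHGNCgenes = array();
        array_shift($aHgncFile); // Header line.
        foreach ($aHgncFile as $sGene) {
            $aGene = $fParseLine($sGene);
            if ($aGene === false) {
                continue;
            }
            $sSymbol = str_replace('~withdrawn', '', $aGene['gd_app_sym']);
            if (!empty($aHGNCgenes[$sSymbol]) && $sSymbol != $aGene['gd_app_sym']) {
                // Symbol has been deprecated and then reassigned to another gene, don't overwrite that one.
                continue;
            }
            $aHGNCgenes[$sSymbol] = $aGene;
            foreach (array_diff($aColumns, $aCols) as $sUnwantedColumn) {
                // Don't return columns the caller hasn't asked for.
                unset($aHGNCgenes[$sSymbol][$sUnwantedColumn]);
            }
        }
        return $aHGNCgenes;
    }

    // Requested single entry.
    $aGene = (isset($aHgncFile[1]) ? $fParseLine($aHgncFile[1]) : false);
    if ($aGene !== false) {
        // Looks like we've got valid data here.
        // We might encorporate one or more of these locus types excludes later, so that we can throw an error without first calling mutalyzer a number of times.
        //$aBadLocusTypes = array('RNA, cluster', 'RNA, transfer', 'RNA, ribosomal', 'transposable element', 'virus integration site', 'phenotype only', 'unknown', 'region', 'complex locus constituent', 'endogenous retrovirus', 'fragile site', 'T cell receptor gene', 'T cell receptor pseudogene');
        $aBadLocusTypes = array('phenotype only');
        $sHgncIdEscaped = htmlspecialchars($sHgncId);
        if ($aGene['gd_app_name'] == 'entry withdrawn') {
            if (function_exists('lovd_errorAdd')) {
                lovd_errorAdd('hgnc_id', 'Entry ' . $sHgncIdEscaped . ' no longer exists in the HGNC database.');
            }
            return false;
        } elseif (preg_match('/^symbol withdrawn, see (.+)$/', $aGene['gd_app_name'], $aRegs)) {
            if ($bRecursion) {
                // The replacement symbol comes from the response; the recursive call validates it like any other input.
                return lovd_getGeneInfoFromHgncOld($aRegs[1], $aCols);
            } elseif (function_exists('lovd_errorAdd')) {
                lovd_errorAdd('hgnc_id', 'Entry ' . $sHgncIdEscaped . ' is deprecated according to the HGNC, please use ' . htmlspecialchars($aRegs[1]) . '.');
            }
            return false;
        } elseif (in_array('gd_pub_chrom_map', $aCols, true) && $aGene['gd_pub_chrom_map'] == 'reserved') {
            if (function_exists('lovd_errorAdd')) {
                lovd_errorAdd('hgnc_id', 'Entry ' . $sHgncIdEscaped . ' does not yet have a public association with a chromosomal location');
            }
            return false;
        } elseif (in_array('gd_locus_type', $aCols, true) && in_array($aGene['gd_locus_type'], $aBadLocusTypes, true)) {
            if (function_exists('lovd_errorAdd')) {
                lovd_errorAdd('hgnc_id', 'LOVD cannot process this type of gene entry ' . $sHgncIdEscaped . ' (Locus Type: ' . htmlspecialchars($aGene['gd_locus_type']) . ').');
            }
            return false;
        }
        foreach (array_diff($aColumns, $aCols) as $sUnwantedColumn) {
            // Don't return columns the caller hasn't asked for.
            unset($aGene[$sUnwantedColumn]);
        }
        // 2016-09-14; 3.0-17; HGNC can return multiple OMIM IDs.
        if (isset($aGene['md_mim_id']) && preg_match('/^(\\d+), /', $aGene['md_mim_id'], $aRegs)) {
            // Just trim the other(s) off.
            $aGene['md_mim_id'] = $aRegs[1];
        }
        return $aGene;
    } elseif (function_exists('lovd_errorAdd')) {
        // No match found, start looking for alias. We could have included an OR in the original search, but I am not
        // sure if that would maybe have other genes pop up while the official gene is then ignored.
        // We only do this search, if we can report it of course (hence the check for lovd_errorAdd()).
        // Replace WHERE.
        $sWhere = rawurlencode('CONCAT(" ", gd_aliases, ",") LIKE "% ' . $sHgncId . ',%"');
        $aHgncFile = lovd_php_file($sURLPrefix . $sWhere . $sURLSuffix);
        // Just quick check if we have a match now...
        if (!empty($aHgncFile) && stripos(implode($aHgncFile), '<html') === false) {
            unset($aHgncFile[0]);
            $aSymbols = array();
            foreach ($aHgncFile as $sLine) {
                $aAlias = $fParseLine($sLine);
                // gd_app_sym is only in the response if the caller asked for it; without it nothing can be suggested.
                if ($aAlias !== false && !empty($aAlias['gd_app_sym'])) {
                    $aSymbols[] = $aAlias['gd_app_sym'];
                }
            }
            if ($aSymbols) {
                // "Prettify" the output by replacing the last , by an "or".
                $sSymbolList = preg_replace('/, ([^ ]+)$/', " or \$1", implode(', ', $aSymbols));
                lovd_errorAdd('hgnc_id', 'Entry ' . htmlspecialchars($sHgncId) . ' was not found, perhaps you are referring to ' . htmlspecialchars($sSymbolList) . '?');
            } else {
                lovd_errorAdd('hgnc_id', 'Entry ' . htmlspecialchars($sHgncId) . ' was not found in the HGNC database.');
            }
        }
    }
    return false;
}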
 function checkFields($aData, $zData = false)
 {
     // Validates a genomic variant (VOG) entry before it is stored. Besides the generic checks
     // in the parent, this predicts or validates the DBID and checks the effect and chromosome
     // values against the configured lists.
     global $_AUTH, $_CONF, $_SETT;

     $bIsCurator = ($_AUTH['level'] >= LEVEL_CURATOR);

     // Mandatory fields.
     $aMandatory = array('chromosome', 'effect_reported', 'owned_by', 'statusid');
     if ($bIsCurator) {
         // Curators and up must also record the concluded effect.
         $aMandatory[] = 'effect_concluded';
     } elseif (isset($aData['effect_reported']) && $aData['effect_reported'] === '0') {
         // Submitters must fill in the variant effect field; '0' is not allowed for them, so it is
         // dropped here and caught by the mandatory-field check in the parent.
         unset($aData['effect_reported']);
     }
     $this->aCheckMandatory = $aMandatory;

     // DBID handling happens before parent::checkFields(), so a predicted DBID can be filled in in time.
     $sDBIDField = 'VariantOnGenome/DBID';
     $bDBIDEditable = (isset($this->aColumns[$sDBIDField]) && ($this->aColumns[$sDBIDField]['public_add'] || $bIsCurator));
     if (!empty($aData['VariantOnGenome/DNA']) && $bDBIDEditable) {
         // A VOG that has transcripts but still carries a chromosome-based ("chr*_") DBID would fail
         // the DBID check; clear it so the transcript-based value can be predicted instead.
         if (!empty($aData['aTranscripts']) && !empty($aData[$sDBIDField])
             && strpos($aData[$sDBIDField], 'chr' . $aData['chromosome'] . '_') !== false) {
             $aData[$sDBIDField] = '';
         }
         if (empty($aData[$sDBIDField])) {
             // Only predict a DBID if it is actually going to be used (which doesn't happen when importing).
             if (lovd_getProjectFile() != '/import.php') {
                 $aData[$sDBIDField] = $_POST[$sDBIDField] = lovd_fetchDBID($aData);
             }
         } elseif (!lovd_checkDBID($aData)) {
             $sFieldName = (lovd_getProjectFile() == '/import.php' ? 'VariantOnGenome/DBID' : '\'ID\'');
             lovd_errorAdd($sDBIDField, 'Please enter a valid ID in the ' . $sFieldName . ' field or leave it blank and LOVD will predict it. Incorrect ID: "' . htmlspecialchars($aData[$sDBIDField]) . '".');
         }
     }
     parent::checkFields($aData);

     // Both effect fields must be keys of the configured effect list.
     foreach (array('effect_reported' => 'reported', 'effect_concluded' => 'concluded') as $sField => $sLabel) {
         if (isset($aData[$sField]) && !isset($_SETT['var_effect'][$aData[$sField]])) {
             lovd_errorAdd($sField, 'Please select a proper functional effect from the \'Affects function (' . $sLabel . ')\' selection box.');
         }
     }
     // The chromosome must exist in the active reference build.
     if (!empty($aData['chromosome']) && !isset($_SETT['human_builds'][$_CONF['refseq_build']]['ncbi_sequences'][$aData['chromosome']])) {
         lovd_errorAdd('chromosome', 'Please select a proper chromosome from the \'Chromosome\' selection box.');
     }
     // XSS attack prevention. Deny input of HTML.
     lovd_checkXSS();
 }
 function checkFields($aData, $zData = false)
 {
     // Checks the submitted individual data before it is stored.
     // $aData: the submitted form (or import) data; $zData: the existing entry when editing, false otherwise.
     // Problems are reported through lovd_errorAdd(); nothing is returned.
     global $_DB;
     // During import panelid, fatherid and motherid are checked in import.php.
     $bImport = lovd_getProjectFile() == '/import.php';
     // Mandatory fields.
     $this->aCheckMandatory = array('panel_size', 'owned_by', 'statusid');
     // Checks fields before submission of data.
     // The parent's return value is discarded here, so whatever the parent does to its own copy of the data is not seen below.
     parent::checkFields($aData);
     foreach (array('fatherid', 'motherid') as $sParentalField) {
         // This is not yet implemented correctly. These checks are implemented correctly in import.php in section "Individuals".
         // Only all-digit values are looked up (ctype_digit); any other value passes this block untouched.
         if (isset($aData[$sParentalField]) && ctype_digit($aData[$sParentalField]) && !$bImport) {
             // FIXME: Also check gender!!! Check if field is available, download value (or '' if not available), then check possible conflicts.
             // Partially, the code is already written below.
             // The ID is passed as a bound parameter, not interpolated into the SQL.
             $nParentID = $_DB->query('SELECT id FROM ' . TABLE_INDIVIDUALS . ' WHERE id = ?', array($aData[$sParentalField]))->fetchColumn();
             if (empty($nParentID)) {
                 // FIXME: Once we have this on the form, replace with form description.
                 lovd_errorAdd($sParentalField, 'No individual found with this \'' . $sParentalField . '\'.');
             } elseif ($sParentalField == 'fatherid' && false) {
                 // Never taken ('&& false'): placeholder for the gender check mentioned in the FIXME above.
                 lovd_errorAdd($sParentalField, 'The \'' . $sParentalField . '\' you entered does not refer to a male individual.');
             } elseif ($sParentalField == 'motherid' && false) {
                 // Never taken ('&& false'): placeholder for the gender check mentioned in the FIXME above.
                 lovd_errorAdd($sParentalField, 'The \'' . $sParentalField . '\' you entered does not refer to a female individual.');
             } elseif ($aData[$sParentalField] == $this->nID) {
                 // Loose comparison: the submitted ID is a string, $this->nID presumably numeric.
                 lovd_errorAdd($sParentalField, 'The \'' . $sParentalField . '\' can not link to itself; this field is used to indicate which individual in the database is the parent of the given individual.');
             }
         }
     }
     // Changes in these checks should also be implemented in import.php in section "Individuals"
     if (isset($aData['panelid']) && ctype_digit($aData['panelid']) && !$bImport) {
         // Bound parameter again; the referenced entry's own panel_size tells whether it really is a panel.
         $nPanel = $_DB->query('SELECT panel_size FROM ' . TABLE_INDIVIDUALS . ' WHERE id = ?', array($aData['panelid']))->fetchColumn();
         if (empty($nPanel)) {
             lovd_errorAdd('panelid', 'No Panel found with this \'Panel ID\'.');
         } elseif ($nPanel == 1) {
             lovd_errorAdd('panelid', 'The \'Panel ID\' you entered refers to an individual, not a panel (group of individuals). If you want to configure that individual as a panel, set its \'Panel size\' field to a value higher than 1.');
         } elseif ($nPanel <= $aData['panel_size']) {
             // NOTE(review): this size check runs before the self-link check below, so a panel referring to itself
             // would most likely be reported as a size problem rather than as a self-reference.
             lovd_errorAdd('panel_size', 'The entered \'Panel size\' must be lower than the \'Panel size\' of the panel you refer to with the entered \'Panel ID\'.');
         } elseif ($aData['panelid'] == $this->nID) {
             lovd_errorAdd('panel_size', 'The \'Panel ID\' can not link to itself; this field is used to indicate which group of individuals (\'panel\') this entry belongs to.');
         }
     }
     // Keys of the 'active_diseases' selection list from the form definition; index 5 presumably holds the options.
     $aDiseases = array_keys($this->aFormData['aDiseases'][5]);
     if (!empty($aData['active_diseases'])) {
         // '00000' is the "Healthy/Control" entry; it is mutually exclusive with any real disease.
         if (count($aData['active_diseases']) > 1 && in_array('00000', $aData['active_diseases'])) {
             lovd_errorAdd('active_diseases', 'You cannot select both "Healthy/Control" and a disease for the same individual entry.');
         } else {
             foreach ($aData['active_diseases'] as $nDisease) {
                 // Falsy values are skipped; everything else must be a configured option (loose in_array()).
                 // The submitted value is HTML-escaped before it is echoed back in the error message.
                 if ($nDisease && !in_array($nDisease, $aDiseases)) {
                     lovd_errorAdd('active_diseases', htmlspecialchars($nDisease) . ' is not a valid disease.');
                 }
             }
         }
     }
     // XSS attack prevention. Deny input of HTML.
     lovd_checkXSS();
 }
 function checkFields($aData, $zData = false)
 {
     // Checks the submitted disease data before it is stored.
     // $aData: the submitted form (or import) data; $zData: the existing entry when editing, false otherwise.
     // Errors are reported through lovd_errorAdd(); nothing is returned. Side effect: $_POST['genes'] is
     // rebuilt to hold only the gene links that survive the authorization checks below.
     global $_AUTH, $_DB;
     $bImport = lovd_getProjectFile() == '/import.php';
     // '&&' binds tighter than '||': creating through the form, or importing an entry that does not exist yet.
     $bCreate = ACTION && ACTION == 'create' || $bImport && !$zData;
     // Mandatory fields.
     $this->aCheckMandatory = array('symbol', 'name');
     // The parent returns the (possibly trimmed) data, which is what is checked from here on.
     $aData = parent::checkFields($aData);
     // OMIM IDs are six digits and must not start with a zero.
     if (!empty($aData['id_omim']) && !preg_match('/^[1-9]\\d{5}$/', $aData['id_omim'])) {
         lovd_errorAdd('id_omim', 'The OMIM ID has to be six digits long and cannot start with a \'0\'.');
     }
     // Two diseases with the same OMIM ID are not allowed.
     // Only checked when creating or when the OMIM ID actually changed; the value is a bound query parameter.
     if (!empty($aData['id_omim']) && ($bCreate || $aData['id_omim'] != $zData['id_omim'])) {
         $bExists = $_DB->query('SELECT id FROM ' . TABLE_DISEASES . ' WHERE id_omim = ?', array($aData['id_omim']))->fetchColumn();
         if ($bExists) {
             // IMPORTANT: when you change this message, also change the array_search argument in import.php in the Disease section.
             lovd_errorAdd('id_omim', 'Another disease already exists with this OMIM ID!');
         }
     }
     // We don't like two diseases with the exact same name, either.
     if (!empty($aData['name']) && ($bCreate || $aData['name'] != $zData['name'])) {
         $bExists = $_DB->query('SELECT id FROM ' . TABLE_DISEASES . ' WHERE name = ?', array($aData['name']))->fetchColumn();
         // $bExists holds the matching ID (or false); on edit, a hit on the entry itself is not a conflict.
         if ($bExists && ($bCreate || $zData['id'] != $bExists)) {
             // IMPORTANT: when you change this message, also change the array_search argument in import.php in the Disease section.
             lovd_errorAdd('name', 'Another disease already exists with the same name!');
         }
     }
     // Below manager level a disease must be linked to at least one gene; not enforced during import.
     if (!$bImport && $_AUTH['level'] < LEVEL_MANAGER && empty($aData['genes'])) {
         lovd_errorAdd('genes', 'You should at least select one of the genes you are curator of.');
     }
     // Rebuild $_POST['genes'] from the submitted list.
     $_POST['genes'] = array();
     if (is_array($aData['genes'])) {
         foreach ($aData['genes'] as $sGene) {
             // NOTE(review): the gene authorization check is only applied when creating; on edit every submitted gene
             // is accepted here. Confirm that editing a disease is restricted elsewhere before relying on this.
             if (!lovd_isAuthorized('gene', $sGene, false) && $bCreate) {
                 // The gene symbol comes from the request and is HTML-escaped before being echoed in the message.
                 lovd_errorAdd('genes', 'You are not authorized to add this disease to gene ' . htmlspecialchars($sGene) . '.');
             } else {
                 $_POST['genes'][] = $sGene;
             }
         }
     }
     if (!$bCreate) {
         // On edit: genes linked before but missing from the submission are being unlinked, which needs authorization on that gene.
         if (is_array($aData['genes']) && isset($zData['genes']) && is_array($zData['genes'])) {
             foreach ($zData['genes'] as $sGene) {
                 if ($sGene && !in_array($sGene, $aData['genes']) && !lovd_isAuthorized('gene', $sGene, false)) {
                     lovd_errorAdd('genes', 'You are not authorized to remove this disease from gene ' . htmlspecialchars($sGene) . '.');
                     // The existing link is put back into $_POST['genes'].
                     $_POST['genes'][] = $sGene;
                 }
             }
         }
     }
     // XSS attack prevention. Deny input of HTML.
     lovd_checkXSS();
 }
             foreach ($aTranscripts as $sTranscript) {
                 fputs($fIndex, '  <LI><A href="' . $_POST['symbol'] . '_' . $sTranscript . '_codingDNA.html">' . $sTranscript . ' coding reference sequence</A></LI>' . "\n");
             }
             $sOut .= ($sOut ? "\n" : '') . 'Successfully wrote index file (<A href="refseq/' . $_POST['symbol'] . '_codingDNA.html" target="_blank">' . $_POST['symbol'] . ' reference sequences</A>)' . "\n";
             fputs($fIndex, '</UL>' . "\n" . '<HR>' . "\n" . '<P align="center" style="font-size : 11px;">' . "\n" . '  Powered by <A href="' . $_SETT['upstream_URL'] . $_STAT['tree'] . '/" target="_blank">LOVD v.' . $_STAT['tree'] . '</A> Build ' . $_STAT['build'] . '<BR>' . "\n" . '  &copy;2004-' . date('Y') . ' <A href="http://www.lumc.nl/" target="_blank">Leiden University Medical Center</A>' . "\n" . '</P>' . "\n" . '<HR>' . "\n\n" . '</BODY>' . "\n" . '</HTML>');
             fclose($fIndex);
             // When the reference sequence has been created, put the URL in the database.
             if ($_CONF['location_url']) {
                 $sURL = $_CONF['location_url'] . 'refseq/' . $_POST['symbol'] . '_codingDNA.html';
             } else {
                 $sURL = lovd_getInstallURL() . 'refseq/' . $_POST['symbol'] . '_codingDNA.html';
             }
             $_DB->query('UPDATE ' . TABLE_GENES . ' SET refseq = ?, refseq_url = ? WHERE id = ? AND refseq = "" AND refseq_url= ""', array($_POST['link'] && $bStep2 ? 'g' : 'c', $sURL, $_POST['symbol']));
         } else {
             // This really shouldn't happen, as we have checked this already...
             lovd_errorAdd('file', 'Couldn\'t open file to write to for index of reference sequences');
         }
         if (!lovd_error()) {
             print '<SPAN class="S15"><B>Step 3 - Create coding DNA reference sequence</B></SPAN><BR><BR>' . "\n\n";
             print 'Output for this step :<BR>' . "\n" . str_replace("\n", '<BR>' . "\n", $sOut) . '<BR><BR>' . "\n\n" . '<BUTTON onclick="self.close();">Close</BUTTON>' . "\n\n";
             $_T->printFooter();
             exit;
         }
     }
 } else {
     // Standard settings.
     if (empty($_POST['exists'])) {
         $_POST['exists'] = 'overwrite';
     }
     $_POST['note'] = '<p>This file was created to facilitate the description of sequence variants' . (empty($_POST['symbol']) ? '' : (empty($_POST['transcript_id']) ? '' : ' on transcript ' . $_POST['transcript_id']) . ' in the ' . $_POST['symbol'] . ' gene') . ' based on a coding DNA reference sequence following <a href="http://www.HGVS.org/mutnomen/">the HGVS recommendations</a>.</p>';
     $_POST['legend'] = 1;
 function checkFields($aData, $zData = false)
 {
     // Checks the submitted gene data before it is stored.
     // $aData: the submitted form (or import) data; $zData: gene data gathered earlier (per the comment below, kept in $_SESSION).
     // Errors are reported through lovd_errorAdd(); nothing is returned.
     global $_DB;
     // No mandatory fields, since all the gene data is in $_SESSION.
     if (isset($aData['workID'])) {
         unset($aData['workID']);
     }
     // The parent's return value is not used here; the local $aData is checked as it was passed in.
     parent::checkFields($aData);
     if (ACTION == 'create') {
         // Uniqueness of the symbol and the HGNC ID is checked on the values from $zData, using bound parameters.
         if ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_GENES . ' WHERE id = ?', array($zData['id']))->fetchColumn()) {
             lovd_errorAdd('', 'Unable to add gene. This gene symbol already exists in the database!');
         } elseif ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_GENES . ' WHERE id_hgnc = ?', array($zData['id_hgnc']))->fetchColumn()) {
             lovd_errorAdd('', 'Unable to add gene. A gene with this HGNC ID already exists in the database!');
         }
     }
     // Outside import, the chosen genomic reference must be one of the accessions offered for this gene.
     if (lovd_getProjectFile() != '/import.php' && !in_array($aData['refseq_genomic'], $zData['genomic_references'])) {
         lovd_errorAdd('refseq_genomic', 'Please select a proper NG, NC, or LRG accession number in the \'NCBI accession number for the genomic reference sequence\' selection box.');
     }
     if (!empty($aData['refseq']) && empty($aData['refseq_url'])) {
         lovd_errorAdd('refseq', 'You have selected that there is a human-readable reference sequence. Please fill in the "Human-readable reference sequence location" field. Otherwise, select \'No\' for the "This gene has a human-readable reference sequence" field.');
     }
     // Disclaimer option 2 means "own disclaimer"; loose comparison, the form value is a string.
     if ($aData['disclaimer'] == 2 && empty($aData['disclaimer_text'])) {
         lovd_errorAdd('disclaimer_text', 'If you wish to use an own disclaimer, please fill in the "Text for own disclaimer" field. Otherwise, select \'No\' for the "Include disclaimer" field.');
     }
     // Numeric values
     $aCheck = array('header_align' => 'Header aligned to', 'footer_align' => 'Footer aligned to');
     foreach ($aCheck as $key => $val) {
         if ($aData[$key] && !is_numeric($aData[$key])) {
             lovd_errorAdd($key, 'The \'' . $val . '\' field has to contain a numeric value.');
         }
     }
     // URL values
     if ($aData['url_homepage'] && !lovd_matchURL($aData['url_homepage'])) {
         lovd_errorAdd('url_homepage', 'The \'Homepage URL\' field does not seem to contain a correct URL.');
     }
     // The second argument to lovd_matchURL() is passed as true only for this field; its meaning is not visible here.
     if ($aData['refseq_url'] && !lovd_matchURL($aData['refseq_url'], true)) {
         lovd_errorAdd('refseq_url', 'The \'Human-readable reference sequence location\' field does not seem to contain a correct URL.');
     }
     // List of external links.
     // One link per line, either a bare URL or 'Description <URL>'; the description may not contain '<' or '>'.
     if ($aData['url_external']) {
         $aExternalLinks = explode("\r\n", $aData['url_external']);
         foreach ($aExternalLinks as $n => $sLink) {
             if (!lovd_matchURL($sLink) && (!preg_match('/^[^<>]+ <([^< >]+)>$/', $sLink, $aRegs) || !lovd_matchURL($aRegs[1]))) {
                 // The offending line is HTML-escaped before it is echoed back in the error message.
                 lovd_errorAdd('url_external', 'External link #' . ($n + 1) . ' (' . htmlspecialchars($sLink) . ') not understood.');
             }
         }
     }
     // XSS attack prevention. Deny input of HTML.
     // Ignore the 'External links' field.
     // NOTE(review): the fields unset here are exempt from the HTML check; confirm they are handled safely where they are output.
     unset($aData['url_external'], $aData['disclaimer_text'], $aData['header'], $aData['footer'], $aData['note_index'], $aData['note_listing']);
     lovd_checkXSS($aData);
 }
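function lovd_matchIPRange($s, $sField = '')
{
    // Matches a string containing one or more IPv4 address ranges, separated by ';' or ','.
    // Accepted per entry: '*', or dotted notation in which every octet after the first may be a
    // number, an 'n-m' range, or '*' (a '*' ends the entry), e.g. '10.0.*', '10.0.1-5.*', '10.0.1.2'.
    // Every number must be a valid octet (0-255); this check used to be missing (old FIXME).
    // Entries are not trimmed, so a space after a separator makes that entry invalid.
    // Returns true when every entry is understood, false at the first entry that is not.
    // When $sField is given, that first offending entry is reported through lovd_errorAdd() on that field;
    // the entry is HTML-escaped first, as the error messages elsewhere in this file do with user input.
    $aRanges = preg_split('/[;,]/', $s);
    foreach ($aRanges as $sRange) {
        $bValid = (bool) preg_match('/^(\\*|[0-9]{1,3}\\.(\\*|[0-9]{1,3}(\\-[0-9]{1,3})?\\.(\\*|[0-9]{1,3}(\\-[0-9]{1,3})?\\.(\\*|[0-9]{1,3}(\\-[0-9]{1,3})?))))$/', $sRange);
        if ($bValid) {
            // The pattern only limits numbers to three digits; reject anything above 255.
            foreach (preg_split('/[^0-9]+/', $sRange, -1, PREG_SPLIT_NO_EMPTY) as $sNumber) {
                if ((int) $sNumber > 255) {
                    $bValid = false;
                    break;
                }
            }
        }
        if (!$bValid) {
            if ($sField) {
                lovd_errorAdd($sField, 'Value "' . htmlspecialchars($sRange) . '" not understood as a given IP range.');
            }
            return false;
        }
    }
    return true;
}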
 function checkFields($aData, $zData = false)
 {
     // Checks fields before submission of data.
     // Generic validation driven by the form definition returned by $this->getForm(): mandatory fields,
     // selection-list and checkbox values, the authorization password, and per-column length/type limits
     // taken from the database table named by $this->sTable.
     // $aData: the submitted data (form or import); $zData is accepted for the child classes but not used here.
     // Side effects: trimmed and defaulted values are written back into the request superglobal named by the
     // form ('POST' or 'GET'), 'password' is appended to $this->aCheckMandatory unless importing, and
     // errors are reported through lovd_errorAdd(). Returns $aData with the same trimming/defaults applied.
     global $_AUTH, $_SETT;
     $aForm = $this->getForm();
     $aFormInfo = array();
     if ($aForm) {
         // The first entry is expected to describe the form itself; its first element is the HTTP method.
         $aFormInfo = $aForm[0];
         if (!in_array($aFormInfo[0], array('GET', 'POST'))) {
             // We're not working on a full form array, possibly an incomplete VOT form.
             $aFormInfo = array('POST');
         } else {
             unset($aForm[0]);
         }
     } else {
         // No form information available.
         $aForm = array();
     }
     if (lovd_getProjectFile() != '/import.php') {
         // Always mandatory... unless importing.
         $this->aCheckMandatory[] = 'password';
     }
     $aHeaders = array();
     // Validate form by looking at the form itself, and check what's needed.
     foreach ($aForm as $aField) {
         if (!is_array($aField)) {
             // 'skip', 'hr', etc...
             continue;
         }
         // '@' silences the notice for field definitions with fewer than four elements.
         @(list($sHeader, $sHelp, $sType, $sName) = $aField);
         if (lovd_getProjectFile() == '/import.php') {
             // During import, we don't mention the field names how they appear on screen, but using their IDs which are used in the file.
             $sHeader = $sName;
         }
         $aHeaders[$sName] = $sHeader;
         // Trim() all fields. We don't want those spaces in the database anyway.
         // Both the local copy and the superglobal ($_POST or $_GET) are trimmed; arrays (multi-selects) are left alone.
         if (lovd_getProjectFile() != '/import.php' && isset($aData[$sName]) && !is_array($aData[$sName])) {
             $GLOBALS['_' . $aFormInfo[0]][$sName] = trim($GLOBALS['_' . $aFormInfo[0]][$sName]);
             $aData[$sName] = trim($aData[$sName]);
         }
         // Mandatory fields, as defined by child object.
         // Missing or empty-string only; '0' is deliberately accepted (see the select check below).
         if (in_array($sName, $this->aCheckMandatory) && (!isset($aData[$sName]) || $aData[$sName] === '')) {
             lovd_errorAdd($sName, 'Please fill in the \'' . $sHeader . '\' field.');
         }
         if ($sType == 'select') {
             if (!empty($aField[7])) {
                 // The browser fails to send value if selection list w/ multiple selection options is left empty.
                 // This is causing notices in the code.
                 if (!isset($aData[$sName])) {
                     $GLOBALS['_' . $aFormInfo[0]][$sName] = array();
                     $aData[$sName] = array();
                 }
             }
             // Simple check on non-custom columns (custom columns have their own function for this) to see if the given value is actually allowed.
             // 0 is a valid entry for the check for mandatory fields, so we should also check if 0 is a valid entry in the selection list!
             // Custom columns are recognised by the '/' in their name; the allowed values are the keys of the options array at index 5.
             if (strpos($sName, '/') === false && isset($aData[$sName]) && $aData[$sName] !== '') {
                 $Val = $aData[$sName];
                 $aOptions = array_keys($aField[5]);
                 if (lovd_getProjectFile() == '/import.php' && !is_array($Val)) {
                     $Val = explode(';', $Val);
                     // Normally the form sends an array, but from the import I need to create an array.
                 } elseif (!is_array($Val)) {
                     $Val = array($Val);
                 }
                 foreach ($Val as $sValue) {
                     $sValue = trim($sValue);
                     // Trim whitespace from $sValue to ensure match independent of whitespace.
                     // Loose in_array(); the rejected value is passed through strip_tags() before it is echoed back.
                     if (!in_array($sValue, $aOptions)) {
                         if (lovd_getProjectFile() == '/import.php') {
                             lovd_errorAdd($sName, 'Please select a valid entry from the \'' . $sHeader . '\' selection box, \'' . strip_tags($sValue) . '\' is not a valid value. Please choose from these options: \'' . implode('\', \'', $aOptions) . '\'.');
                         } else {
                             lovd_errorAdd($sName, 'Please select a valid entry from the \'' . $sHeader . '\' selection box, \'' . strip_tags($sValue) . '\' is not a valid value.');
                         }
                     }
                 }
             }
         } elseif ($sType == 'checkbox') {
             // The browser fails to send value if checkbox is left empty.
             // This is causing problems sometimes with MySQL, since INT
             // columns can't receive an empty string if STRICT is on.
             if (!isset($aData[$sName])) {
                 $GLOBALS['_' . $aFormInfo[0]][$sName] = 0;
                 $aData[$sName] = 0;
             } elseif (!in_array($aData[$sName], array('0', '1'))) {
                 lovd_errorAdd($sName, 'The field \'' . $sHeader . '\' must contain either a \'0\' or a \'1\'.');
             }
         }
         if ($sName == 'password') {
             // Password is in the form, it must be checked. Assuming here that it is also considered mandatory.
             // An empty password is left to the mandatory check above; a non-empty one is verified against the logged-in user's stored hash.
             if (!empty($aData['password']) && !lovd_verifyPassword($aData['password'], $_AUTH['password'])) {
                 lovd_errorAdd('password', 'Please enter your correct password for authorization.');
             }
         }
     }
     // Check all fields that we receive for data type and maximum length.
     // No longer to this through $aForm, because when importing,
     //  we do have data to check but no $aForm entry linked to it.
     foreach ($aData as $sFieldname => $sFieldvalue) {
         if (!is_string($sFieldvalue)) {
             // Checks below currently do not handle non-string values.
             continue;
         }
         $sNameClean = preg_replace('/^\\d{' . $_SETT['objectid_length']['transcripts'] . '}_/', '', $sFieldname);
         // Remove prefix (transcriptid) that LOVD_TranscriptVariants puts there.
         // Use the on-screen header when we have one, else fall back to the raw field name.
         if (isset($aHeaders[$sFieldname])) {
             $sHeader = $aHeaders[$sFieldname];
         } else {
             $sHeader = $sFieldname;
         }
         // Checking free text fields for max length, data types, etc.
         // Fields without a matching column in the object's table are skipped entirely.
         if ($sMySQLType = lovd_getColumnType(constant($this->sTable), $sNameClean)) {
             // FIXME; we're assuming here, that $sName equals the database name. Which is true in probably most/every case, but even so...
             // FIXME; select fields might also benefit from having this check (especially for import).
             // Check max length.
             $nMaxLength = lovd_getColumnLength(constant($this->sTable), $sNameClean);
             if (!empty($sFieldvalue)) {
                 // For numerical columns, maxlength works differently!
                 // $nMaxLength is read as a number of digits: the bound is +/- '9' repeated that many times.
                 if (in_array($sMySQLType, array('DECIMAL', 'DECIMAL_UNSIGNED', 'FLOAT', 'FLOAT_UNSIGNED', 'INT', 'INT_UNSIGNED'))) {
                     // SIGNED cols: negative values.
                     // The (int) cast drops any fractional part of a DECIMAL before comparing.
                     if (in_array($sMySQLType, array('DECIMAL', 'INT')) && (int) $sFieldvalue < (int) ('-' . str_repeat('9', $nMaxLength))) {
                         lovd_errorAdd($sFieldname, 'The \'' . $sHeader . '\' field is limited to numbers no lower than -' . str_repeat('9', $nMaxLength) . '.');
                     }
                     // ALL numerical cols (except floats): positive values.
                     if (substr($sMySQLType, 0, 5) != 'FLOAT' && (int) $sFieldvalue > (int) str_repeat('9', $nMaxLength)) {
                         lovd_errorAdd($sFieldname, 'The \'' . $sHeader . '\' field is limited to numbers no higher than ' . str_repeat('9', $nMaxLength) . '.');
                     }
                 } elseif (strlen($sFieldvalue) > $nMaxLength) {
                     // NOTE(review): strlen() counts bytes, so multibyte text is limited more tightly than a character-based column length — confirm intended.
                     lovd_errorAdd($sFieldname, 'The \'' . $sHeader . '\' field is limited to ' . $nMaxLength . ' characters, you entered ' . strlen($sFieldvalue) . '.');
                 }
             }
             // Check data type.
             if (!empty($sFieldvalue)) {
                 switch ($sMySQLType) {
                     case 'DATE':
                         if (!lovd_matchDate($sFieldvalue)) {
                             lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a date in the format YYYY-MM-DD, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                         }
                         break;
                     case 'DATETIME':
                         // Date part with '.', '/' or '-' separators, optional ' HH:MM:SS' time part; digit ranges are not validated here.
                         if (!preg_match('/^[0-9]{4}[.\\/-][0-9]{2}[.\\/-][0-9]{2}( [0-9]{2}\\:[0-9]{2}\\:[0-9]{2})?$/', $sFieldvalue)) {
                             lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a date, possibly including a time, in the format YYYY-MM-DD HH:MM:SS, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                         }
                         break;
                     case 'DECIMAL':
                     case 'DECIMAL_UNSIGNED':
                     case 'FLOAT':
                     case 'FLOAT_UNSIGNED':
                         // Unsigned types additionally reject negative values; '&&' binds tighter than '||' here.
                         if (!is_numeric($sFieldvalue) || substr($sMySQLType, -8) == 'UNSIGNED' && $sFieldvalue < 0) {
                             lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a' . (substr($sMySQLType, -8) != 'UNSIGNED' ? '' : ' positive') . ' number, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                         }
                         break;
                     case 'INT':
                     case 'INT_UNSIGNED':
                         // Optional leading '-' for signed INT only. The digit class is '*', so a lone '-' also passes this pattern.
                         if (!preg_match('/^' . ($sMySQLType != 'INT' ? '' : '\\-?') . '[0-9]*$/', $sFieldvalue)) {
                             lovd_errorAdd($sFieldname, 'The field \'' . $sHeader . '\' must contain a' . ($sMySQLType == 'INT' ? 'n' : ' positive') . ' integer, "' . htmlspecialchars($sFieldvalue) . '" does not match.');
                         }
                         break;
                 }
             }
         }
     }
     return $aData;
 }
            }
            // The bad logins end up here!
            if (!$zUser || !lovd_error() && !lovd_verifyPassword($_POST['password'], $zUser['password'])) {
                lovd_writeLog('Auth', 'AuthError', $_SERVER['REMOTE_ADDR'] . ' (' . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ') tried logging in using ' . $_POST['username'] . '/' . str_repeat('*', strlen($_POST['password'])));
                lovd_errorAdd('', 'Invalid Username/Password combination.');
                // This may not actually update (user misspelled his username) but we can call the query anyway.
                if ($_CONF['lock_users']) {
                    $_DB->query('UPDATE ' . TABLE_USERS . ' SET login_attempts = login_attempts + 1 WHERE username = ? AND level < ' . LEVEL_ADMIN, array($_POST['username']), false);
                }
                // Check if the user is locked, now.
                if ($zUser && $zUser['login_attempts'] >= 3 - 1) {
                    lovd_errorAdd('password', 'Your account is now locked, since this is the third time a wrong password was provided.');
                }
                // The "Forgot my password" option.
                if ($_CONF['allow_unlock_accounts']) {
                    lovd_errorAdd('', 'Did you <A href="reset_password">forget your password</A>?');
                }
            }
        }
    }
}
if (!$_AUTH) {
    define('PAGE_TITLE', 'Log in');
    $_T->printHeader();
    $_T->printTitle();
    // Security check will be performed when actually logging in.
    if (empty($_POST['referer'])) {
        // Don't redirect a user to the logout!
        if (!empty($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != lovd_getInstallURL() . 'logout') {
            $_POST['referer'] = $_SERVER['HTTP_REFERER'];
        } else {
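 function checkFields($aData, $zData = false)
 {
     // Checks the submitted user account data before it is stored (install, create, register, edit, change_password).
     // $aData: the submitted form data; $zData: the existing entry when editing, false otherwise.
     // Errors are reported through lovd_errorAdd(); nothing is returned. Side effect: when no IP range is
     // given, $_POST['allowed_ip'] is set to '*'.
     // Changes versus the previous revision: the two password fields are compared strictly (!==), so numeric
     // strings such as '1e3' and '1000' no longer count as equal; and the HackAttempt log line no longer
     // assumes the submitted level is a configured level (that raised a notice and ended in a stray ')').
     global $_AUTH, $_DB, $_PE, $_SETT;
     // Mandatory fields.
     $this->aCheckMandatory = array('name', 'institute', 'address', 'city', 'countryid', 'email', 'username');
     // These password fields are only not mandatory when we're editing.
     if (ACTION != 'edit') {
         $this->aCheckMandatory[] = 'password_1';
         $this->aCheckMandatory[] = 'password_2';
     }
     // The parent's return value is not used here; the local $aData is checked as it was passed in.
     parent::checkFields($aData);
     // Email address.
     // One address per line; each is validated separately and echoed back HTML-escaped when rejected.
     if (!empty($aData['email'])) {
         $aEmail = explode("\r\n", $aData['email']);
         foreach ($aEmail as $sEmail) {
             if (!lovd_matchEmail($sEmail)) {
                 lovd_errorAdd('email', 'Email "' . htmlspecialchars($sEmail) . '" is not a correct email address' . ($sEmail && $sEmail == trim($sEmail) ? '' : '. Make sure there are no spaces or empty lines left in the email field') . '.');
             }
         }
     }
     if (lovd_getProjectFile() == '/install/index.php' || ACTION == 'create') {
         // Check username format.
         if ($aData['username'] && !lovd_matchUsername($aData['username'])) {
             lovd_errorAdd('username', 'Please fill in a correct username; 4 to 20 characters and starting with a letter followed by letters, numbers, dots, underscores and dashes only.');
         }
     }
     if (in_array(ACTION, array('create', 'register'))) {
         // Does the username exist already?
         // Bound parameter; the username is never interpolated into the SQL.
         if ($aData['username']) {
             if ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_USERS . ' WHERE username = ?', array($aData['username']))->fetchColumn()) {
                 lovd_errorAdd('username', 'There is already a user with this username. Please choose another one.');
             }
         }
     }
     // One of two password fields entered... check 'em.
     if ($aData['password_1'] || $aData['password_2']) {
         if ($aData['password_1'] && $aData['password_2']) {
             // Both entered.
             // Strict comparison: a loose '!=' treats numeric strings by value ('1e3' == '1000').
             if ($aData['password_1'] !== $aData['password_2']) {
                 lovd_errorAdd('password_2', 'The \'' . (in_array(ACTION, array('edit', 'change_password')) ? 'New p' : 'P') . 'assword\' fields are not equal. Please try again.');
             } else {
                 // Password quality.
                 if (!lovd_matchPassword($aData['password_1'])) {
                     lovd_errorAdd('password_1', 'Your password is found too weak. Please fill in a proper password; at least 4 characters long and containing at least one number or special character.');
                 }
             }
         } else {
             if (in_array(ACTION, array('edit', 'change_password'))) {
                 lovd_errorAdd('password_2', 'If you want to change the current password, please fill in both \'New password\' fields.');
             } else {
                 lovd_errorAdd('password_2', 'Please fill in both \'Password\' fields.');
             }
         }
     }
     // Check given security IP range.
     if (!empty($aData['allowed_ip'])) {
         // This function will throw an error itself (second argument).
         $bIP = lovd_matchIPRange($aData['allowed_ip'], 'allowed_ip');
         // Only when restricting one's own account (or during install) do we verify the current address still fits,
         // so the user cannot lock themselves out.
         if (lovd_getProjectFile() == '/install/index.php' || ACTION == 'edit' && $_PE[1] == $_AUTH['id']) {
             // Check given security IP range.
             if ($bIP && !lovd_validateIP($aData['allowed_ip'], $_SERVER['REMOTE_ADDR'])) {
                 // This IP range is not allowing the current IP to connect. This ain't right.
                 // If IP address is actually IPv6, then complain that we can't restrict at all.
                 // Otherwise, be clear the current setting just doesn't match.
                 if (strpos($_SERVER['REMOTE_ADDR'], ':') !== false) {
                     // IPv6...
                     lovd_errorAdd('allowed_ip', 'Your current IP address is IPv6 (' . $_SERVER['REMOTE_ADDR'] . '), which is not supported by LOVD to restrict access to your account.');
                 } else {
                     lovd_errorAdd('allowed_ip', 'Your current IP address is not matched by the given IP range. This would mean you would not be able to get access to LOVD with this IP range.');
                 }
             }
         }
     } else {
         // We're not sure if $aData == $_POST. But we'll just do this. It can't harm I guess.
         $_POST['allowed_ip'] = '*';
     }
     // Level can't be higher or equal than the current user.
     if (!empty($aData['level']) && $aData['level'] >= $_AUTH['level']) {
         // Look the level's name up only if it is a configured level; otherwise log the numeric value,
         // which also keeps arbitrary request text out of the log line.
         $sLevel = (isset($_SETT['user_levels'][$aData['level']])? $_SETT['user_levels'][$aData['level']] : (int) $aData['level']);
         lovd_writeLog('Error', 'HackAttempt', 'Tried to upgrade user ID ' . $_PE[1] . ' to level ' . $sLevel . '.');
         lovd_errorAdd('level', 'User level is not permitted. Hack attempt.');
     }
     // XSS attack prevention. Deny input of HTML.
     lovd_checkXSS();
 }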
    $_T->printFooter();
    exit;
}
if (!empty($_POST)) {
    lovd_errorClean();
    if (!isset($_GET['confirm'])) {
        // Check password.
        if (!lovd_verifyPassword($_POST['password'], $_AUTH['password'])) {
            lovd_errorAdd('password', 'Please enter your correct password for authorization.');
        }
    }
    if (!lovd_error()) {
        if (isset($_GET['confirm'])) {
            // Check password.
            if (!lovd_verifyPassword($_POST['password'], $_AUTH['password'])) {
                lovd_errorAdd('password', 'Please enter your correct password for authorization.');
            }
            if (!lovd_error()) {
                // OK, uninstall the lot.
                print '      <B>Uninstalling LOVD...</B><BR>' . "\n" . '      <BR>' . "\n\n";
                require ROOT_PATH . 'class/progress_bar.php';
                // This already puts the progress bar on the screen.
                $_BAR = new ProgressBar('', 'Initiating removal of LOVD...');
                $_T->printFooter(false);
                // The false prevents the footer to actually close the <BODY> and <HTML> tags.
                // Now we're still in the <BODY> so the progress bar can add <SCRIPT> tags as much as it wants.
                flush();
                // The reason to invert the tables is to handle all foreign key constraints nicely.
                $aTables = array_reverse($_TABLES);
                $nTables = count($aTables);
                $_BAR->setMessage('Removing data tables...');
 function checkSelectedInput($sCol, $Val)
 {
     // Verifies that every value submitted for a selection-list column is one of that column's configured options.
     // $sCol may carry the transcript ID prefix added by LOVD_TranscriptVariants; it is stripped for the column
     // lookup, while the original name is used when reporting the error. Columns that are not a selection list
     // (form_type[2] != 'select' or form_type[3] < 1) and empty values are not checked.
     // $Val is a scalar or an array from the form, or a ';'-separated string during import.
     // At most one error is reported, through lovd_errorAdd(); nothing is returned.
     global $_SETT;
     $sColClean = preg_replace('/^\\d{' . $_SETT['objectid_length']['transcripts'] . '}_/', '', $sCol);
     $aColumn = $this->aColumns[$sColClean];
     $bSelectList = ($aColumn['form_type'][2] == 'select' && $aColumn['form_type'][3] >= 1);
     if (!$bSelectList || empty($Val)) {
         return;
     }
     // Options may carry a ' = description' suffix and trailing spaces; keep the bare values only.
     $aOptions = preg_replace('/ *(=.*)?$/', '', $aColumn['select_options']);
     $bImport = (lovd_getProjectFile() == '/import.php');
     if ($bImport) {
         // The import file holds one string; split it into the array the form would have sent.
         $aValues = explode(';', $Val);
     } elseif (!is_array($Val)) {
         $aValues = array($Val);
     } elseif (GET && $Val === array('') && !in_array('', $aOptions)) {
         // 2013-10-15; 3.0-08; Not importing, $Val is already an array, and we're here using GET.
         // When directly publishing an entry, an untouched selection list arrives as array('');
         // if '' is not an option that would wrongly trigger an error, so treat it as "nothing selected".
         $aValues = array();
     } else {
         $aValues = $Val;
     }
     foreach ($aValues as $sValue) {
         // Compare independent of surrounding whitespace.
         $sValue = trim($sValue);
         if (in_array($sValue, $aOptions)) {
             continue;
         }
         // The rejected value is passed through strip_tags() before it is echoed back.
         if ($bImport) {
             lovd_errorAdd($sCol, 'Please select a valid entry from the \'' . $sColClean . '\' selection box, \'' . strip_tags($sValue) . '\' is not a valid value. Please choose from these options: \'' . implode('\', \'', $aOptions) . '\'.');
         } else {
             lovd_errorAdd($sCol, 'Please select a valid entry from the \'' . $aColumn['form_type'][0] . '\' selection box, \'' . strip_tags($sValue) . '\' is not a valid value.');
         }
         break;
     }
 }