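/**
 * Handle the upload form submission: save every file in $_FILES for the
 * current field, then either leave the errors to be displayed, redirect to
 * the "modify upload details" page, or reload the parent upload list.
 *
 * Reads $_REQUEST['wysiwygForm'], ['fieldName'], ['num'], ['preSaveTempId']
 * and the globals $tableName / $menu.  Sets the global $errors; on success
 * prints a small <script> block for the parent frame and exits.
 *
 * Request values are untrusted, so anything echoed into the JavaScript or
 * the redirect URL is encoded for its context (JSON string literal / URL
 * query component) instead of being concatenated raw.
 */
function submitUploadForm()
{
    global $errors, $menu;
    $isWysiwyg     = isset($_REQUEST['wysiwygForm'])   ? $_REQUEST['wysiwygForm']   : null;
    $fieldName     = isset($_REQUEST['fieldName'])     ? $_REQUEST['fieldName']     : null;
    $recordNum     = isset($_REQUEST['num'])           ? $_REQUEST['num']           : null;
    $preSaveTempId = isset($_REQUEST['preSaveTempId']) ? $_REQUEST['preSaveTempId'] : null;

    // the demo-mode check is keyed on the page that submitted the form
    disableInDemoMode('', $isWysiwyg ? 'default/wysiwygUploads.php' : 'default/uploadForm.php', false);

    // remove uploads without record numbers that are older than 1 day
    removeExpiredUploads();

    ### process uploads
    $errors        = '';
    $newUploadNums = array();
    foreach (array_values($_FILES) as $uploadInfo) {
        $errors .= saveUpload($GLOBALS['tableName'], $fieldName, $recordNum, $preSaveTempId, $uploadInfo, $newUploadNums);
    }

    ### Error checking
    if (!$newUploadNums && !$errors) {
        $errors = t("Please select a file to upload.") . "\n";
    }

    ### display errors - errors will automatically be displayed when page is refreshed
    if ($errors) {
        return;
    }

    ### On Successful Save
    // JSON-encode every value placed inside <script> so quotes, </script> or
    // newlines in request input can't break out of the JS string literal.
    $jsFlags              = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $iframeIdJs           = json_encode((string) $fieldName . '_iframe', $jsFlags);
    $reloadParentIframeJs = "<script type='text/javascript'>self.parent.reloadIframe({$iframeIdJs})</script>";

    $isDetailFields = getUploadInfoFields($fieldName);
    if ($isWysiwyg) {
        // the wysiwyg upload dialog displays this text instead of redirecting
        $errors = "File Uploaded";
    } elseif ($isDetailFields) {
        // redirect to modify upload details page
        $modifyUrl = "?menu=" . urlencode((string) $menu)
                   . "&action=uploadModify"
                   . "&fieldName=" . urlencode((string) $fieldName)
                   . "&num=" . urlencode((string) $recordNum)
                   . "&preSaveTempId=" . urlencode((string) $preSaveTempId)
                   . "&uploadNums=" . implode(',', $newUploadNums);
        $modifyUrlJs = json_encode($modifyUrl, $jsFlags);
        print $reloadParentIframeJs;                                                       // reload uploadlist
        print "<script type='text/javascript'>window.location={$modifyUrlJs}</script>";   // go to modify page
        exit;
    } else {
        // reload parent iframe (with upload list), then close the thickbox dialog
        print $reloadParentIframeJs;
        print "<script type='text/javascript'>self.parent.tb_remove();</script>\n";
        exit;
    }
}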
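/**
 * Handle the "reset password" page: validate the userNum/resetCode pair from
 * the request, then either show the new-password form or, on submit, check
 * and store the new password and send the user to the login page.
 *
 * The invalid-code branch exits explicitly so that, whether or not
 * showInterface() terminates the request itself, execution can never fall
 * through to the password update with a code that failed validation.
 */
function resetPassword()
{
    global $CURRENT_USER, $SETTINGS;
    $GLOBALS['sentEmail'] = false;

    $userNum   = isset($_REQUEST['userNum'])   ? $_REQUEST['userNum']   : null;
    $resetCode = isset($_REQUEST['resetCode']) ? $_REQUEST['resetCode'] : null;

    // error checking
    if (!$userNum) {
        die("No 'userNum' value specified!");
    }
    if (!$resetCode) {
        die("No 'resetCode' value specified!");
    }
    if (!_isValidPasswordResetCode($userNum, $resetCode)) {
        alert(t("Password reset code has expired or is not valid. Try resetting your password again."));
        showInterface('forgotPassword.php', false);
        exit; // fail closed - see docblock
    }

    // load user
    global $user;
    $user = mysql_get(accountsTable(), (int) $userNum);
    if (!$user) {
        die("User not found!");
    }

    // save new password
    if (!empty($_REQUEST['submitForm'])) {
        security_dieUnlessPostForm();
        security_dieOnInvalidCsrfToken();
        disableInDemoMode('', 'resetPassword.php');

        // error checking - v2.52
        $password      = isset($_REQUEST['password'])       ? $_REQUEST['password']       : null;
        $passwordAgain = isset($_REQUEST['password:again']) ? $_REQUEST['password:again'] : null;
        $textErrors    = getNewPasswordErrors($password, $passwordAgain, $user['username']);
        if ($textErrors) {
            alert(nl2br(htmlencode($textErrors)));
            showInterface('resetPassword.php');
            exit;
        }

        // update password (stored as a digest, never in clear)
        mysql_update(accountsTable(), $user['num'], null, array('password' => getPasswordDigest($password)));

        // show login
        alert(t('Password updated!'));
        $_REQUEST = array();
        showInterface('login.php', false);
        exit;
    }

    // first visit: show the new-password form
    showInterface('resetPassword.php');
    exit;
}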
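/**
 * AJAX handler: store the new display order of a field's uploads.
 *
 * Expects $_REQUEST keys 'num' (record number) or 'preSaveTempId' (for
 * records not yet saved), 'fieldName', and 'uploadNums' - a comma separated
 * list of upload numbers in their new order.  Each listed upload gets its
 * `order` column set to its 1-based position in that list.
 *
 * Called via AJAX: any output is treated as an error message, so validation
 * failures die() with the message and nothing is printed on success.  The
 * 'uploadNums' format check is enforced (die) before any query is built,
 * since the individual numbers are interpolated into the UPDATE statements.
 */
function uploadListReOrder()
{
    global $TABLE_PREFIX, $tableName;
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    //
    disableInDemoMode('', 'ajax');

    # error checking
    if (!array_key_exists('num', $_REQUEST)) {
        die(__FUNCTION__ . ": no record 'num' specified!");
    }
    if (!array_key_exists('preSaveTempId', $_REQUEST)) {
        die(__FUNCTION__ . ": no record 'preSaveTempId' specified!");
    }
    if (empty($_REQUEST['fieldName'])) {
        die(__FUNCTION__ . ": no 'fieldName' specified!");
    }

    $uploadNums = isset($_REQUEST['uploadNums']) ? $_REQUEST['uploadNums'] : '';
    $errors     = '';
    if (!$uploadNums) {
        $errors .= "No 'uploadNums' specified!\n";
    }
    if (preg_match("/[^\\d\\,]/", $uploadNums)) {
        $errors .= "'uploadNums' contains invalid chars! ('" . htmlencode($uploadNums) . "')\n";
    }
    // stop here so unvalidated input never reaches the queries below
    if ($errors) {
        die($errors);
    }

    // the uploads belong either to a saved record or to a pre-save temp id
    if ($_REQUEST['num']) {
        $ownerWhere = "recordNum     = '" . mysql_escape($_REQUEST['num']) . "'";
    } elseif ($_REQUEST['preSaveTempId']) {
        $ownerWhere = "preSaveTempId = '" . mysql_escape($_REQUEST['preSaveTempId']) . "'";
    } else {
        die("No value specified for 'num' or 'preSaveTempId'!");
    }

    # re-order uploads - position in the submitted list becomes the new `order` value
    $orderedUploadNums = preg_split("/\\,/", $uploadNums);
    $newOrder          = 0;
    foreach ($orderedUploadNums as $uploadNumber) {
        $query  = "UPDATE `{$TABLE_PREFIX}uploads`\n";
        $query .= "   SET `order`='" . mysql_escape(++$newOrder) . "'\n";
        $query .= " WHERE num       = '" . mysql_escape($uploadNumber) . "' AND\n";
        $query .= "       tableName = '" . mysql_escape($tableName) . "' AND\n";
        $query .= "       fieldName = '" . mysql_escape($_REQUEST['fieldName']) . "' AND\n";
        $query .= "       {$ownerWhere}";
        mysql_query($query) or die("MySQL Error: " . htmlencode(mysql_error()) . "\n");
    }
}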
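/**
 * AJAX handler for the "add/modify field" form of the table editor.
 *
 * Validates the submitted field definition in $_REQUEST (tableName, type,
 * fieldname/newFieldname, resize and thumbnail sizes, ...), then applies it:
 * _updateMySQL() first so database errors surface before the schema file is
 * touched, then _updateSchema().  Any output is shown by the caller as an
 * error (see addTable_functions.js - initSubmitFormWithAjax), so validation
 * failures print the messages and exit, and success prints nothing.
 */
function submitFormViaAjax()
{
    global $schema;
    //
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    //
    disableInDemoMode('', 'ajax');

    $type      = isset($_REQUEST['type'])      ? $_REQUEST['type']      : '';
    $fieldname = isset($_REQUEST['fieldname']) ? $_REQUEST['fieldname'] : '';

    // auto-assign separator and relatedRecords fieldnames
    if ($type == 'separator' || $type == 'relatedRecords') {
        if ($fieldname == '') {
            // new field: take the first unused "__<type>NNN__" name
            $newFieldname = '';
            $count        = '001';
            while (!$newFieldname || array_key_exists($newFieldname, $schema)) {
                $newFieldname = "__{$type}{$count}__";
                $count        = str_pad(++$count, 3, '0', STR_PAD_LEFT);
            }
            $_REQUEST['newFieldname'] = $newFieldname;
        } else {
            $_REQUEST['newFieldname'] = $fieldname;
        }
    }
    $newFieldname = isset($_REQUEST['newFieldname']) ? $_REQUEST['newFieldname'] : '';

    // support MySQL Column Type dropdown supplying a value
    $columnTypeSelect = isset($_REQUEST['customColumnType-select']) ? $_REQUEST['customColumnType-select'] : null;
    if ($columnTypeSelect !== '_customColumnType_') {
        $_REQUEST['customColumnType'] = $columnTypeSelect;
    }

    // Separator - Use label for header
    if ($type == 'separator' && isset($_REQUEST['label']) && $_REQUEST['label'] != '') {
        $_REQUEST['separatorType']   = 'header bar';
        $_REQUEST['separatorHeader'] = $_REQUEST['label'];
        $_REQUEST['label']           = ''; // blank out label so we don't save it
    }

    // Note: 'order' is a MySQL keyword that causes errors if not escaped, that's why it's reserved
    $reservedFieldnames = "menu menuName menuType menuOrder menuHidden tableHidden listPageFields listPageOrder listPageSearchFields length order action page";
    $fieldnameChanged   = $fieldname && $fieldname != $newFieldname;
    // preg_quote() so regex metacharacters (or a literal \E) in the submitted name can't alter the pattern
    $isFieldnameReserved = preg_match("/\\b" . preg_quote($newFieldname, '/') . "\\b/i", $reservedFieldnames);
    $typeNoneFields     = array('num', 'createdDate', 'createdByUserNum', 'updatedDate', 'updatedByUserNum', 'dragSortOrder');
    $typeDateFields     = array('publishDate', 'removeDate');
    $typeCheckboxFields = array('neverRemove', 'hidden');

    // error checking
    $errors = '';
    if (!isset($_REQUEST['tableName']) || $_REQUEST['tableName'] == '') {
        $errors .= "no 'tableName' specified!\n";
    }
    if ($type == '') {
        $errors .= "no field 'type' specified!\n";
    }
    if (!$type) {
        $errors .= "You must enter a value for 'Field Type'\n";
    }
    if (!$newFieldname) {
        $errors .= "You must enter a value for 'Field Name'\n";
    } elseif (preg_match('/[^a-z0-9\\_\\-]/i', $newFieldname)) {
        $errors .= "'Field Name' can only contain the following characters (a-z, A-Z, 0-9, - and _)\n";
    } elseif (preg_match('/^_/i', $newFieldname) && $type != 'separator' && $type != 'relatedRecords') {
        // _fields aren't allowed by default, only the auto-named separator/relatedRecords ones
        $errors .= "'Field Name' cannot start with an underscore\n";
    } elseif ($isFieldnameReserved) {
        $errors .= "Selected fieldname is reserved, please choose another.\n";
    } elseif ($fieldnameChanged && !empty($schema[$newFieldname])) {
        $errors .= "Selected fieldname is already in use, please choose another.\n";
    }
    // note: customUploadDir / customUploadUrl (useCustomUploadDir) are not validated here
    if (in_array($newFieldname, $typeNoneFields, true) && $type != 'none') {
        $errors .= "Field '{$newFieldname}' must be set to type 'none'\n";
    }
    if (in_array($newFieldname, $typeDateFields, true) && $type != 'date') {
        $errors .= "Field '{$newFieldname}' must be set to type 'date'\n";
    }
    if (in_array($newFieldname, $typeCheckboxFields, true) && $type != 'checkbox') {
        $errors .= "Field '{$newFieldname}' must be set to type 'checkbox'\n";
    }
    $charset = isset($_REQUEST['charset']) ? $_REQUEST['charset'] : '';
    if ($type == 'textfield' && !empty($_REQUEST['charsetRule']) && preg_match("/\\-./", $charset)) {
        $errors .= "Allowed Content: If character list contains a dash it must be the last character!\n";
    }
    if ($type == 'upload' || $type == 'wysiwyg') {
        if (!empty($_REQUEST['resizeOversizedImages'])) {
            $errors .= _getImageSizeErrors(
                'Resize images',
                isset($_REQUEST['maxImageHeight']) ? $_REQUEST['maxImageHeight'] : '',
                isset($_REQUEST['maxImageWidth'])  ? $_REQUEST['maxImageWidth']  : ''
            );
        }
        // first thumbnail set has no suffix, the others are numbered 2-4
        foreach (array('', 2, 3, 4) as $num) {
            if (!empty($_REQUEST["createThumbnails{$num}"])) {
                $fieldLabel = "Create thumbnail" . ($num ? "({$num})" : '');
                $errors    .= _getImageSizeErrors(
                    $fieldLabel,
                    isset($_REQUEST["maxThumbnailHeight{$num}"]) ? $_REQUEST["maxThumbnailHeight{$num}"] : '',
                    isset($_REQUEST["maxThumbnailWidth{$num}"])  ? $_REQUEST["maxThumbnailWidth{$num}"]  : ''
                );
            }
        }
    }
    if ($errors) {
        print $errors;
        exit;
    }

    // update mysql first to get any MySQL errors before updating schema
    _updateMySQL();
    //
    _updateSchema($schema);
}

/**
 * Return validation errors for a max-height / max-width pair, one message per
 * line, each prefixed with $fieldLabel (e.g. "Resize images" or
 * "Create thumbnail(2)").  Both values must be non-empty and contain only
 * digits (the pattern also tolerates underscores).  Returns '' when both are
 * acceptable.
 */
function _getImageSizeErrors($fieldLabel, $height, $width)
{
    $errors = '';
    if ($height == '') {
        $errors .= "{$fieldLabel}: Please specify a value for Max Image Height!\n";
    }
    if (preg_match('/[^0-9\\_]/i', $height)) {
        $errors .= "{$fieldLabel}: Max Image Height must be a numeric value!\n";
    }
    if ($width == '') {
        $errors .= "{$fieldLabel}: Please specify a value for Max Image Width!\n";
    }
    if (preg_match('/[^0-9\\_]/i', $width)) {
        $errors .= "{$fieldLabel}: Max Image Width must be a numeric value!\n";
    }
    return $errors;
}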
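/**
 * AJAX handler: echo a preview of the "default date" option of a date field.
 *
 * $_REQUEST['defaultDate'] selects the mode: empty = now, 'none' = blank,
 * 'custom' = the date parsed from $_REQUEST['defaultDateString'] (strtotime
 * syntax).  Output is the formatted date, or an error message the caller
 * shows as-is; the function always exits.
 */
function previewDefaultDate()
{
    disableInDemoMode('', 'ajax');
    $defaultDate       = isset($_REQUEST['defaultDate'])       ? $_REQUEST['defaultDate']       : '';
    $defaultDateString = isset($_REQUEST['defaultDateString']) ? $_REQUEST['defaultDateString'] : '';
    $format            = "D, M j, Y - g:i:s A";

    // show date preview
    if (!$defaultDate) {
        echo date($format);
    } elseif ($defaultDate === 'none') {
        echo '';
    } elseif ($defaultDate === 'custom') {
        if (!$defaultDateString) {
            echo '';
        } else {
            // strtotime() returns false for unparseable input; report that instead of
            // formatting the epoch (and instead of relying on the removed $php_errormsg)
            $timestamp = strtotime($defaultDateString);
            if ($timestamp === false) {
                print "Can't parse date: " . htmlencode($defaultDateString);
            } else {
                print date($format, $timestamp);
            }
        }
    } else {
        die("Can't create date preview!");
    }
    exit; // called with ajax so returning nothing means success - see: addTable_functions.js - initSubmitFormWithAjax
}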
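/**
 * AJAX handler: delete one upload record via removeUploads().
 *
 * Expects $_REQUEST 'fieldName', 'uploadNum' and either 'num' (saved record)
 * or 'preSaveTempId' (unsaved record); the upload must also belong to the
 * current global $tableName.  Any output is shown as an error by the caller,
 * so problems die() with a message and success prints nothing.
 */
function eraseUpload()
{
    global $tableName;
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    //
    disableInDemoMode('', 'ajax');

    // error checking
    if (!array_key_exists('fieldName', $_REQUEST)) {
        die("no 'fieldName' value specified!");
    }
    if (!array_key_exists('uploadNum', $_REQUEST)) {
        die("no 'uploadNum' value specified!");
    }

    // the upload belongs either to a saved record or to a pre-save temp id
    if (!empty($_REQUEST['num'])) {
        $ownerWhere = "recordNum     = '" . mysql_escape($_REQUEST['num']) . "'";
    } elseif (!empty($_REQUEST['preSaveTempId'])) {
        $ownerWhere = "preSaveTempId = '" . mysql_escape($_REQUEST['preSaveTempId']) . "'";
    } else {
        die("No value specified for 'num' or 'preSaveTempId'!");
    }

    // all four conditions are required so only the named upload of this record/field/table matches
    $where  = $ownerWhere . " AND ";
    $where .= "num       = '" . mysql_escape($_REQUEST['uploadNum']) . "' AND ";
    $where .= "tableName = '" . mysql_escape($tableName) . "' AND ";
    $where .= "fieldName = '" . mysql_escape($_REQUEST['fieldName']) . "'";
    $count  = removeUploads($where);
    if ($count == 0) {
        die("Upload not found!");
    }

    // called via ajax: any output is returned as an error in a javascript alert, so print nothing on success
    exit;
}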
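/**
 * Save the admin "General Settings" form.
 *
 * Validates the submitted values (license, program URL, website prefix URL,
 * upload URL, admin email, HTTPS / IP restriction, session settings) with
 * alert() for each problem, re-shows the form if anything was flagged, then
 * copies every submitted key that already exists in $SETTINGS (and in the
 * 'advanced' / 'wysiwyg' subsections) and writes the settings file.
 *
 * @param string $savePagePath interface file to show again after saving
 */
function admin_saveSettings($savePagePath)
{
    global $SETTINGS, $APP;
    clearAlertsAndNotices(); // so previous alerts won't prevent saving of admin options

    // security checks
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    //
    disableInDemoMode('settings', $savePagePath);

    # license error checking
    if (array_key_exists('licenseProductId', $_REQUEST)) {
        if (!isValidProductId($_REQUEST['licenseProductId'])) {
            alert("Invalid Product License ID!");
        } elseif ($SETTINGS['licenseProductId'] != $_REQUEST['licenseProductId']) {
            // update settings, then validate productId (register() also saves the new settings)
            $SETTINGS['licenseCompanyName'] = isset($_REQUEST['licenseCompanyName']) ? $_REQUEST['licenseCompanyName'] : null;
            $SETTINGS['licenseDomainName']  = isset($_REQUEST['licenseDomainName'])  ? $_REQUEST['licenseDomainName']  : null;
            $SETTINGS['licenseProductId']   = $_REQUEST['licenseProductId'];
            if (!register()) {
                redirectBrowserToURL('?menu=admin', true);
                exit;
            }
        }
    }

    # program url / adminUrl
    if (array_key_exists('adminUrl', $_REQUEST)) {
        if (!preg_match('/^http/i', $_REQUEST['adminUrl'])) {
            alert("Program URL must start with http:// or https://<br/>\n");
        }
        if (preg_match('/\\?/i', $_REQUEST['adminUrl'])) {
            alert("Program URL can not contain a ?<br/>\n");
        }
    }

    # webPrefixUrl - v2.53
    if (isset($_REQUEST['webPrefixUrl']) && $_REQUEST['webPrefixUrl'] != '') {
        if (!preg_match("|^(\\w+:/)?/|", $_REQUEST['webPrefixUrl'])) {
            alert(t("Website Prefix URL must start with /") . "<br/>\n");
        }
        if (preg_match("|/\$|", $_REQUEST['webPrefixUrl'])) {
            alert(t("Website Prefix URL cannot end with /") . "<br/>\n");
        }
    }

    # upload url/dir - uploadDir is not validated here; uploadUrl only has trailing slashes removed
    if (array_key_exists('uploadUrl', $_REQUEST)) {
        $_REQUEST['uploadUrl'] = rtrim($_REQUEST['uploadUrl'], '\\\\/');
    }

    # admin email
    if (array_key_exists('adminEmail', $_REQUEST) && !isValidEmail($_REQUEST['adminEmail'])) {
        alert("Admin Email must be a valid email (example: user@example.com)<br/>\n");
    }

    // error checking - require HTTPS
    if (!empty($_REQUEST['requireHTTPS']) && !isHTTPS()) {
        alert("Require HTTPS: You must be logged in with a secure HTTPS url to set this option!<br/>\n");
    }

    // error checking - restrict by IP (the current address must stay allowed so the admin isn't locked out)
    $allowedIps = isset($_REQUEST['restrictByIP_allowed']) ? $_REQUEST['restrictByIP_allowed'] : null;
    if (!empty($_REQUEST['restrictByIP']) && !isIpAllowed(true, $allowedIps)) {
        alert(t("Restrict IP Access: You current IP address must be in the allowed IP list!") . "<br/>\n");
    }

    // error checking - session values
    $sessionErrors = getCustomSessionErrors(
        isset($_REQUEST['session_cookie_domain']) ? $_REQUEST['session_cookie_domain'] : null,
        isset($_REQUEST['session_save_path'])     ? $_REQUEST['session_save_path']     : null
    );
    if ($sessionErrors) {
        alert($sessionErrors);
    }

    # show errors
    if (alert()) {
        showInterface('admin/general.php');
        exit;
    }

    ### update global settings - only keys that already exist in $SETTINGS can be set from the form.
    ### An array-valued setting (e.g. a subsection) is not replaced by a scalar request value.
    foreach (array_keys($SETTINGS) as $key) {
        if (!array_key_exists($key, $_REQUEST)) {
            continue;
        }
        if (is_array($SETTINGS[$key]) && !is_array($_REQUEST[$key])) {
            continue;
        }
        $SETTINGS[$key] = $_REQUEST[$key];
    }

    # update subsection settings
    foreach (array('advanced', 'wysiwyg') as $subsection) {
        if (!isset($SETTINGS[$subsection]) || !is_array($SETTINGS[$subsection])) {
            continue;
        }
        foreach (array_keys($SETTINGS[$subsection]) as $key) {
            if (array_key_exists($key, $_REQUEST)) {
                $SETTINGS[$subsection][$key] = $_REQUEST[$key];
            }
        }
    }

    # save to file
    saveSettings();

    # return to admin home
    notice('Settings have been saved.');
    showInterface($savePagePath);
}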
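/**
 * AJAX handler: remove a field from a table - from the schema file, from the
 * MySQL table (DROP COLUMN, if the column exists) and from the uploads table
 * (uploads are marked for erasing by blanking their fieldName; they get
 * erased when the upload form is next submitted).
 *
 * Called via ajax: output is shown as an error by the caller, so failures
 * die() with a message and nothing is printed on success.
 */
function eraseField()
{
    global $TABLE_PREFIX, $schema;
    //
    security_dieUnlessPostForm();
    security_dieUnlessInternalReferer();
    security_dieOnInvalidCsrfToken();
    //
    disableInDemoMode('', 'ajax');

    $tableName = isset($_REQUEST['tableName']) ? $_REQUEST['tableName'] : '';
    $fieldname = isset($_REQUEST['fieldname']) ? $_REQUEST['fieldname'] : '';
    if (!$tableName) {
        die("no tableName specified!\n");
    }
    if (!$fieldname) {
        die("no fieldname specified!\n");
    }
    // both names end up as SQL identifiers inside backticks below, where mysql_escape() does not
    // protect the identifier, so only allow the characters the field editor accepts for names
    if (preg_match('/[^a-z0-9\\_\\-]/i', $tableName) || preg_match('/[^a-z0-9\\_\\-]/i', $fieldname)) {
        die("tableName and fieldname can only contain the following characters (a-z, A-Z, 0-9, - and _)\n");
    }

    // erase from schema
    unset($schema[$fieldname]);
    saveSchema($tableName, $schema);

    // erase from mySQL (only if the column actually exists)
    $columnType = getMysqlColumnType($tableName, $fieldname);
    if ($columnType != '') {
        $query  = "ALTER TABLE `" . mysql_escape($tableName) . "`\n";
        $query .= "  DROP COLUMN `" . mysql_escape($fieldname) . "`";
        mysql_query($query) or die("There was an error removing the MySQL Column, the error was:\n\n" . htmlencode(mysql_error()) . "\n");
    }

    // expire uploads (mark files for erasing by blanking out fieldname - they get erased when upload form is submitted)
    $tableNameWithoutPrefix = getTableNameWithoutPrefix($tableName);
    $query  = "UPDATE `{$TABLE_PREFIX}uploads`";
    $query .= "   SET fieldName = ''";
    $query .= " WHERE fieldName = '" . mysql_escape($fieldname) . "' AND";
    $query .= "       tableName = '" . mysql_escape($tableNameWithoutPrefix) . "'";
    mysql_query($query) or die("There was an error erasing old uploads:\n\n" . htmlencode(mysql_error()) . "\n");

    // this function is called via ajax. Output is returned as errors via javascript alert. Output nothing on success.
    exit;
}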