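/**
 * For use by programmers to finalize a submission (i.e. make it appear in the client's user
 * interface).
 *
 * Both IDs are interpolated into raw SQL, so they are pinned to integers once the form is known to
 * exist; a non-numeric submission ID can therefore never reach the UPDATE statement. The
 * "on_submission" emails are only sent when the UPDATE actually succeeded, which is what the
 * documented return contract already promised.
 *
 * @param integer $form_id The unique form ID.
 * @param integer $submission_id A unique submission ID.
 * @return boolean $success True on success, false otherwise (unknown form, non-positive
 *                          submission ID, or a failed UPDATE).
 */
function ft_finalize_submission($form_id, $submission_id)
{
  global $g_table_prefix;

  // check the form_id is valid
  if (!ft_check_form_exists($form_id)) {
    return false;
  }

  // an integer cannot carry anything but digits into the query below
  $form_id       = (int) $form_id;
  $submission_id = (int) $submission_id;
  if ($submission_id <= 0) {
    return false;
  }

  $query = "
    UPDATE {$g_table_prefix}form_{$form_id}
    SET    is_finalized = 'yes'
    WHERE  submission_id = {$submission_id}
  ";
  $result = mysql_query($query);

  // previously the result was ignored and emails went out even for a failed UPDATE
  if (!$result) {
    return false;
  }

  ft_send_emails("on_submission", $form_id, $submission_id);

  return true;
}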
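/**
 * Called by test form submission during form setup procedure. This stores a complete form submission
 * in the database for examination and pruning by the administrator. Error / notification messages are
 * displayed in the language of the currently logged in administrator.
 *
 * It works with both submissions sent through process.php and the API.
 *
 * Field NAMES are taken from the submission itself (the keys of $form_data and of $_FILES) and are
 * escaped here before being written to form_fields; field VALUES are expected to arrive already
 * escaped from ft_sanitize(). The form ID is pinned to an integer once the form is known to exist.
 *
 * Error codes 100-105 are the ones error.tpl understands; on any error the function displays the
 * error page and exits rather than returning.
 *
 * @param array $form_data a hash of the COMPLETE form data (i.e. all fields)
 */
function ft_initialize_form($form_data)
{
  global $g_table_prefix, $g_multi_val_delimiter, $LANG, $g_default_datetime_format;

  $textbox_field_type_id = ft_get_field_type_id_by_identifier("textbox");
  $date_field_type_id    = ft_get_field_type_id_by_identifier("date");
  $date_field_type_datetime_setting_id = ft_get_field_type_setting_id_by_identifier($date_field_type_id, "display_format");
  $date_field_type_timezone_setting_id = ft_get_field_type_setting_id_by_identifier($date_field_type_id, "apply_timezone_offset");

  // a control flag for this function, not a field: read it before the data is escaped and pruned
  $display_notification_page = true;
  if (isset($form_data["form_tools_display_notification_page"])) {
    $display_notification_page = $form_data["form_tools_display_notification_page"];
  }

  // escape the incoming values
  $form_data = ft_sanitize($form_data);
  $form_id   = isset($form_data["form_tools_form_id"]) ? $form_data["form_tools_form_id"] : "";

  // check the form ID is valid
  if (!ft_check_form_exists($form_id, true)) {
    ft_display_page("error.tpl", array("message_type" => "error", "error_code" => 100));
    exit;
  }

  // every query below interpolates the form ID; an integer cannot carry anything else into the SQL
  $form_id   = (int) $form_id;
  $form_info = ft_get_form($form_id, true);

  // if this form has already been completed, exit with an error message
  if ($form_info["is_complete"] == "yes") {
    ft_display_page("error.tpl", array("message_type" => "error", "error_code" => 101));
    exit;
  }

  // since this form is still incomplete, remove any old records from form_fields concerning this form
  // (left unchecked, as before: a failure here only leaves stale rows next to the ones inserted below)
  mysql_query("DELETE FROM {$g_table_prefix}form_fields WHERE form_id = {$form_id}");

  // remove irrelevant key-values
  unset(
    $form_data["form_tools_initialize_form"],
    $form_data["form_tools_submission_id"],
    $form_data["form_tools_form_id"],
    $form_data["form_tools_display_notification_page"]
  );

  $order = 1;

  // add the submission ID system field ("ID" can be changed by the user via the interface)
  $result = mysql_query("
    INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_test_value, field_type_id, is_system_field,
      data_type, field_title, col_name, list_order, is_new_sort_group)
    VALUES ({$form_id}, 'core__submission_id', '', {$textbox_field_type_id}, 'yes', 'number', '{$LANG["word_id"]}',
      'submission_id', '{$order}', 'yes')
  ");
  if (!$result) {
    _ft_initialize_form_query_failed(102);
  }
  $order++;

  // one row per submitted field. The field names are the request's own parameter names, so they are
  // escaped here; ft_sanitize() is only documented to escape the values
  foreach ($form_data as $field_name => $value) {
    // if the value is an array, it's either a checkbox field or a multi-select field. Just comma-separate them
    if (is_array($value)) {
      $value = join("{$g_multi_val_delimiter}", $value);
    }
    $field_name = mysql_real_escape_string($field_name);
    $result = mysql_query("
      INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_type_id, is_system_field,
        field_test_value, data_type, list_order, is_new_sort_group)
      VALUES ({$form_id}, '{$field_name}', 1, 'no', '{$value}', 'string', '{$order}', 'yes')
    ");
    if (!$result) {
      _ft_initialize_form_query_failed(103);
    }
    $order++;
  }

  // now see if any files were uploaded, too. ** don't actually upload the file, just allocate a
  // spot for the filename string in the database. The user will have to configure the field settings
  // later. $_FILES never passed through ft_sanitize(), so its keys are escaped here as well
  foreach (array_keys($_FILES) as $field_name) {
    $field_name = mysql_real_escape_string($field_name);
    $result = mysql_query("
      INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_type_id, is_system_field,
        field_test_value, data_type, list_order)
      VALUES ({$form_id}, '{$field_name}', 8, 'no', '{$LANG["word_file_b_uc"]}', 'string', '{$order}')
    ");
    if (!$result) {
      _ft_initialize_form_query_failed(104);
    }
    $order++;
  }

  // add the Submission Date, Last Modified Date and IP Address system fields. For the date fields, we also
  // add in a custom formatting to display the full datetime. This is because the default date formatting is
  // date only - a datetime is probably more useful as a default - hence the extra work here
  $date_fields = array(
    array("core__submission_date", $LANG["word_date"],            "submission_date",    $order),
    array("core__last_modified",   $LANG["phrase_last_modified"], "last_modified_date", $order + 1),
  );
  foreach ($date_fields as $date_field) {
    list($field_name, $field_title, $col_name, $list_order) = $date_field;
    $result = mysql_query("
      INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_test_value, field_type_id, is_system_field,
        field_title, data_type, col_name, list_order)
      VALUES ({$form_id}, '{$field_name}', '', {$date_field_type_id}, 'yes', '{$field_title}',
        'date', '{$col_name}', '{$list_order}')
    ");
    // these inserts were never checked; at least don't attach settings to field_id 0 when one fails.
    // NOTE(review): no dedicated error code exists for this case - worth adding one
    if (!$result) {
      continue;
    }
    $field_id = mysql_insert_id();
    mysql_query("
      INSERT INTO {$g_table_prefix}field_settings (field_id, setting_id, setting_value)
      VALUES ({$field_id}, {$date_field_type_datetime_setting_id}, '{$g_default_datetime_format}')
    ");
    mysql_query("
      INSERT INTO {$g_table_prefix}field_settings (field_id, setting_id, setting_value)
      VALUES ({$field_id}, {$date_field_type_timezone_setting_id}, 'yes')
    ");
  }

  // ip address
  $list_order = $order + 2;
  $result = mysql_query("
    INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_test_value, field_type_id, is_system_field,
      field_title, data_type, col_name, list_order)
    VALUES ({$form_id}, 'core__ip_address', '', {$textbox_field_type_id}, 'yes', '{$LANG["phrase_ip_address"]}',
      'number', 'ip_address', '{$list_order}')
  ");
  if (!$result) {
    _ft_initialize_form_query_failed(105);
  }

  // finally, set this form's "is_initialized" value to "yes", so the administrator can proceed to
  // the next step of the Add Form process.
  mysql_query("UPDATE {$g_table_prefix}forms SET is_initialized = 'yes' WHERE form_id = {$form_id}");

  // alert a "test submission complete" message. The only time this wouldn't be outputted would be
  // if this function is being called programmatically, like with the blank_form module
  if ($display_notification_page) {
    $page_vars = array(
      "message"      => $LANG["processing_init_complete"],
      "message_type" => "notify",
      "title"        => $LANG["phrase_test_submission_received"],
    );
    ft_display_page("error.tpl", $page_vars);
    exit;
  }
}


/**
 * Displays the system-error page for a failed ft_initialize_form() query and halts. The debugging
 * text keeps the "<b>function, file</b>, failed query: ..." format used by the rest of this file.
 *
 * @param integer $error_code the numeric code understood by error.tpl (102-105)
 */
function _ft_initialize_form_query_failed($error_code)
{
  $page_vars = array(
    "message_type" => "error",
    "error_code"   => $error_code,
    "error_type"   => "system",
    "debugging"    => "<b>ft_initialize_form, " . __FILE__ . "</b>, failed query: " . mysql_error(),
  );
  ft_display_page("error.tpl", $page_vars);
  exit;
}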
<?php require "../../global/session_start.php"; ft_check_permission("admin"); $request = array_merge($_POST, $_GET); $form_id = ft_load_field("form_id", "form_id", ""); if (!ft_check_form_exists($form_id)) { header("location: index.php"); exit; } // store the current selected tab in memory - except for pages which require additional // query string info. For those, use the parent page if (isset($request["page"]) && !empty($request["page"])) { $remember_page = $request["page"]; switch ($remember_page) { case "field_options": case "files": $remember_page = "fields"; break; case "edit_email": $remember_page = "emails"; break; } $_SESSION["ft"]["form_{$form_id}_tab"] = $remember_page; $page = $request["page"]; } else { $page = ft_load_field("page", "form_{$form_id}_tab", "edit_form_main"); } if (isset($request['edit_email_user_settings'])) { header("Location: edit.php?page=email_settings"); exit;
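/**
 * Returns all information about a submission. N.B. Would have been nice to have made this just a
 * wrapper for ft_get_submission_info, but that function contains hooks. Need to revise all core
 * code to allow external calls to optionally avoid any hook calls.
 *
 * The submission ID is only accepted when is_numeric() passes, which guarantees the interpolated
 * value is a bare numeric literal; the form ID is pinned to an integer once the form is known to
 * exist, so neither value can alter the SELECT.
 *
 * @param integer $form_id
 * @param integer $submission_id
 * @return mixed the submission row as an associative array, or false when no row matched or the
 *               query failed. For an unknown form / non-numeric submission ID the API's usual
 *               array(false, error_code) pair is returned (405 / 406), unless $g_api_debug is on,
 *               in which case the error page is displayed and the script exits.
 */
function ft_api_get_submission($form_id, $submission_id)
{
  global $g_table_prefix, $g_api_debug;

  // confirm the form is valid
  if (!ft_check_form_exists($form_id)) {
    if ($g_api_debug) {
      ft_display_page("error.tpl", array("message_type" => "error", "error_code" => 405, "error_type" => "user"));
      exit;
    }
    return array(false, 405);
  }

  // is_numeric() is what keeps $submission_id safe to interpolate below
  if (!is_numeric($submission_id)) {
    if ($g_api_debug) {
      ft_display_page("error.tpl", array("message_type" => "error", "error_code" => 406, "error_type" => "user"));
      exit;
    }
    return array(false, 406);
  }

  // get the form submission info
  $form_table = $g_table_prefix . "form_" . (int) $form_id;
  $result = mysql_query("
    SELECT *
    FROM   {$form_table}
    WHERE  submission_id = {$submission_id}
  ");

  // previously a failed query was handed straight to mysql_fetch_assoc(), which only produced a warning
  if (!$result) {
    return false;
  }

  return mysql_fetch_assoc($result);
}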
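/**
 * This function processes the form submissions, after the form has been set up in the database.
 *
 * In order: sanitize the incoming data, confirm the form exists / is complete / is active, run the
 * "start" hook, verify a reCAPTCHA answer if one was submitted through the API, map the submitted
 * values onto the form's custom (non-system) columns, INSERT the submission (unless
 * form_tools_ignore_submission is set), run the "end" and "manage_files" hooks, send the
 * "on_submission" emails and finally redirect the user. Every failure path displays error.tpl and exits.
 *
 * Notes for maintainers:
 *  - column VALUES are quoted strings already escaped by ft_sanitize(); column NAMES come from the
 *    form_fields table, never from the request; the form ID is cast to int where it forms the table name;
 *  - form_tools_redirect_url, form_tools_inactive_form_redirect_url, form_tools_form_url and the HTTP
 *    Referer are used verbatim as Location targets, i.e. the submitter chooses where they are sent.
 *    PHP's header() refuses values containing CR/LF, but an allow-list of permitted hosts is the usual
 *    mitigation if open redirects matter for the deployment.
 *
 * @param array $form_data the raw POST/GET submission (all fields)
 */
function ft_process_form($form_data)
{
  global $g_table_prefix, $LANG, $g_api_version, $g_api_recaptcha_private_key;

  // ensure the incoming values are escaped
  $form_data = ft_sanitize($form_data);
  $form_id   = isset($form_data["form_tools_form_id"]) ? $form_data["form_tools_form_id"] : "";

  // do we have a form for this id? (checked BEFORE ft_get_form(), and only once)
  if (!ft_check_form_exists($form_id)) {
    _ft_process_form_fail($LANG["processing_invalid_form_id"]);
  }
  $form_info = ft_get_form($form_id);

  extract(ft_process_hook_calls("start", compact("form_info", "form_id", "form_data"), array("form_data")), EXTR_OVERWRITE);

  // check to see if this form has been completely set up
  if ($form_info["is_complete"] == "no") {
    _ft_process_form_fail($LANG["processing_form_incomplete"]);
  }

  // check to see if this form has been disabled
  if ($form_info["is_active"] == "no") {
    if (isset($form_data["form_tools_inactive_form_redirect_url"])) {
      header("location: {$form_data["form_tools_inactive_form_redirect_url"]}");
      exit;
    }
    _ft_process_form_fail($LANG["processing_form_disabled"]);
  }

  // was there a reCAPTCHA response? If so, a recaptcha was just submitted. This generally implies the
  // form page included the API, so check it was entered correctly. If not, return the user to the webpage
  if (isset($g_api_version) && isset($form_data["recaptcha_response_field"])) {
    $recaptcha_challenge_field = isset($form_data["recaptcha_challenge_field"]) ? $form_data["recaptcha_challenge_field"] : "";
    $recaptcha_response_field  = $form_data["recaptcha_response_field"];

    require_once dirname(__FILE__) . "/global/api/recaptchalib.php";
    $resp = recaptcha_check_answer($g_api_recaptcha_private_key, $_SERVER["REMOTE_ADDR"],
      $recaptcha_challenge_field, $recaptcha_response_field);

    if (!$resp->is_valid) {
      // since we need to pass all the info back to the form page we do it by storing the data in sessions. Enable 'em.
      @ft_api_start_sessions();
      $_SESSION["form_tools_form_data"] = $form_data;
      $_SESSION["form_tools_form_data"]["api_recaptcha_error"] = $resp->error;

      // if there's a form_tools_form_url specified, redirect to that; otherwise fall back to the referer
      if (isset($form_data["form_tools_form_url"])) {
        header("location: {$form_data["form_tools_form_url"]}");
        exit;
      }
      if (isset($_SERVER["HTTP_REFERER"])) {
        header("location: {$_SERVER["HTTP_REFERER"]}");
        exit;
      }
      _ft_process_form_fail($LANG["processing_no_form_url_for_recaptcha"]);
    }
  }

  // get a list of the custom form fields (i.e. non-system) for this form
  $form_fields        = ft_get_form_fields($form_id, array("include_field_type_info" => true));
  $custom_form_fields = array();
  $file_fields        = array();
  foreach ($form_fields as $field_info) {
    // ignore system fields
    if ($field_info["is_system_field"] == "yes") {
      continue;
    }
    if ($field_info["is_file_field"] == "no") {
      $custom_form_fields[$field_info["field_name"]] = array(
        "field_id"            => $field_info["field_id"],
        "col_name"            => $field_info["col_name"],
        "field_title"         => $field_info["field_title"],
        "include_on_redirect" => $field_info["include_on_redirect"],
        "field_type_id"       => $field_info["field_type_id"],
        "is_date_field"       => $field_info["is_date_field"],
      );
    } else {
      $file_fields[] = array("field_id" => $field_info["field_id"], "field_info" => $field_info);
    }
  }

  // now examine the contents of the POST/GET submission and get a list of those fields
  // which we're going to update. Only known custom fields are accepted; everything else is dropped
  $strip_tags        = ($form_info["submission_strip_tags"] == "yes");
  $valid_form_fields = array();
  foreach ($form_data as $form_field => $value) {
    if (!array_key_exists($form_field, $custom_form_fields)) {
      continue;
    }
    $col_name = $custom_form_fields[$form_field]["col_name"];
    $valid_form_fields[$col_name] = "'" . _ft_process_form_clean_value($value, $strip_tags) . "'";
  }

  $now        = ft_get_current_datetime();
  $ip_address = $_SERVER["REMOTE_ADDR"];

  // build our query: custom columns first, then the four system columns
  $form_table = $g_table_prefix . "form_" . (int) $form_id;
  $col_names  = array_merge(array_keys($valid_form_fields),
    array("submission_date", "last_modified_date", "ip_address", "is_finalized"));
  $col_values = array_merge(array_values($valid_form_fields),
    array("'{$now}'", "'{$now}'", "'{$ip_address}'", "'yes'"));
  $query = "INSERT INTO {$form_table} (" . join(", ", $col_names) . ")\r\n"
         . "VALUES (" . join(", ", $col_values) . ")";

  // add the submission to the database (if form_tools_ignore_submission key isn't set by either the form or a module)
  $submission_id = "";
  if (!isset($form_data["form_tools_ignore_submission"])) {
    $result = mysql_query($query);
    if (!$result) {
      $page_vars = array(
        "message_type" => "error",
        "error_code"   => 304,
        "error_type"   => "system",
        // mysql_error() used to be a stray positional element of this array; it belongs in the debugging text
        "debugging"    => "Failed query in <b>" . __FUNCTION__ . ", " . __FILE__ . "</b>, line " . __LINE__
                        . ": <i>" . nl2br($query) . "</i> " . mysql_error(),
      );
      ft_display_page("error.tpl", $page_vars);
      exit;
    }
    $submission_id = mysql_insert_id();

    extract(ft_process_hook_calls("end", compact("form_id", "submission_id"), array()), EXTR_OVERWRITE);
  }

  // build the redirect query parameter array
  $redirect_query_params = _ft_process_form_build_redirect_params($form_fields, $form_data, $submission_id, $now, $ip_address);

  // only upload files & send emails if we're not ignoring the submission
  if (!isset($form_data["form_tools_ignore_submission"])) {
    // now process any file fields. This is placed after the redirect query param code block above to allow whatever file upload
    // module to append the filename to the query string, if needed
    extract(ft_process_hook_calls("manage_files", compact("form_id", "submission_id", "file_fields", "redirect_query_params"),
      array("success", "message", "redirect_query_params")), EXTR_OVERWRITE);

    // send any emails
    ft_send_emails("on_submission", $form_id, $submission_id);
  }

  // if the redirect URL has been specified either in the database or as part of the form
  // submission, redirect the user [form submission form_tools_redirect_url value overrides
  // database value]
  $redirect_url = "";
  if (!empty($form_data["form_tools_redirect_url"])) {
    $redirect_url = $form_data["form_tools_redirect_url"];
  } else if (!empty($form_info["redirect_url"])) {
    $redirect_url = $form_info["redirect_url"];
  }

  // the user should never get here! This means that no redirect URL has been specified
  if ($redirect_url === "") {
    _ft_process_form_fail($LANG["processing_no_redirect_url"]);
  }

  $query_str = join("&", $redirect_query_params);
  if ($query_str !== "") {
    // only include the ? if it's not already there (strpos() may legitimately return 0, hence !== false)
    $redirect_url .= (strpos($redirect_url, "?") !== false ? "&" : "?") . $query_str;
  }

  header("Location: " . $redirect_url);
  exit;
}


/**
 * Displays error.tpl with a plain error message and halts. Shared by every early-exit path of
 * ft_process_form().
 *
 * @param string $message the already-localized message to show
 */
function _ft_process_form_fail($message)
{
  ft_display_page("error.tpl", array("message_type" => "error", "message" => $message));
  exit;
}


/**
 * Normalizes one submitted value for storage: optionally strips tags, and joins multi-value
 * (checkbox / multi-select) arrays with $g_multi_val_delimiter. Tags are stripped from every
 * element regardless of the array's keys (the old code only visited numeric indexes 0..n-1).
 *
 * @param mixed $value the sanitized submitted value (string or array of strings)
 * @param boolean $strip_tags whether the form has submission_strip_tags enabled
 * @return string the value ready to be quoted into the INSERT
 */
function _ft_process_form_clean_value($value, $strip_tags)
{
  global $g_multi_val_delimiter;

  if (is_array($value)) {
    if ($strip_tags) {
      foreach ($value as $key => $item) {
        $value[$key] = strip_tags($item);
      }
    }
    return implode("{$g_multi_val_delimiter}", $value);
  }

  return $strip_tags ? strip_tags($value) : $value;
}


/**
 * Builds the "name=value" pairs appended to the redirect URL for every field flagged
 * include_on_redirect (file fields excluded). System columns are rendered from the values just
 * stored; custom fields echo the submitted value, rawurlencode()d, with multi-values joined by
 * $g_query_str_multi_val_separator. The formatted date is computed at most once.
 *
 * @param array $form_fields rows from ft_get_form_fields()
 * @param array $form_data the sanitized submission
 * @param mixed $submission_id the new submission ID, or "" when the submission was ignored
 * @param string $now the datetime written to submission_date / last_modified_date
 * @param string $ip_address the submitter's REMOTE_ADDR
 * @return array list of "name=value" strings (not yet joined with "&")
 */
function _ft_process_form_build_redirect_params($form_fields, $form_data, $submission_id, $now, $ip_address)
{
  global $g_query_str_multi_val_separator;

  $params        = array();
  $formatted_now = null;

  foreach ($form_fields as $field_info) {
    if ($field_info["include_on_redirect"] == "no" || $field_info["is_file_field"] == "yes") {
      continue;
    }

    switch ($field_info["col_name"]) {
      case "submission_id":
        $params[] = "submission_id={$submission_id}";
        break;

      case "submission_date":
      case "last_modified_date":
        if ($formatted_now === null) {
          $settings      = ft_get_settings();
          $formatted_now = ft_get_date($settings["default_timezone_offset"], $now, $settings["default_date_format"]);
        }
        $params[] = $field_info["col_name"] . "=" . rawurlencode($formatted_now);
        break;

      case "ip_address":
        $params[] = "ip_address={$ip_address}";
        break;

      default:
        $field_name = $field_info["field_name"];
        if (!isset($form_data[$field_name])) {
          break;
        }
        // if the value is an array, convert it to a string, separated by $g_query_str_multi_val_separator
        $value = $form_data[$field_name];
        if (is_array($value)) {
          $value = join($g_query_str_multi_val_separator, $value);
        }
        $params[] = "{$field_name}=" . rawurlencode($value);
        break;
    }
  }

  return $params;
}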