Пример #1
0
/**
 * For use by programmers to finalize a submission (i.e. make it appear in the client's user
 * interface).
 *
 * @param integer $form_id The unique form ID.
 * @param integer $submission_id A unique submission ID.
 * @return boolean $success True on success, false otherwise.
 */
function ft_finalize_submission($form_id, $submission_id)
{
    global $g_table_prefix;
    // check the form_id is valid
    if (!ft_check_form_exists($form_id)) {
        return false;
    }
    $query = "\n    UPDATE {$g_table_prefix}form_{$form_id}\n    SET    is_finalized = 'yes'\n    WHERE  submission_id = {$submission_id}\n           ";
    $result = mysql_query($query);
    ft_send_emails("on_submission", $form_id, $submission_id);
    return true;
}
Пример #2
0
/**
 * Called by test form submission during form setup procedure. This stores a complete form submission
 * in the database for examination and pruning by the administrator. Error / notification messages are
 * displayed in the language of the currently logged in administrator.
 *
 * It works with both submissions sent through process.php and the API.
 *
 * @param array $form_data a hash of the COMPLETE form data (i.e. all fields)
 */
function ft_initialize_form($form_data)
{
    global $g_table_prefix, $g_root_dir, $g_multi_val_delimiter, $LANG, $g_default_datetime_format;
    $textbox_field_type_id = ft_get_field_type_id_by_identifier("textbox");
    $date_field_type_id = ft_get_field_type_id_by_identifier("date");
    $date_field_type_datetime_setting_id = ft_get_field_type_setting_id_by_identifier($date_field_type_id, "display_format");
    $date_field_type_timezone_setting_id = ft_get_field_type_setting_id_by_identifier($date_field_type_id, "apply_timezone_offset");
    $display_notification_page = isset($form_data["form_tools_display_notification_page"]) ? $form_data["form_tools_display_notification_page"] : true;
    // escape the incoming values
    $form_data = ft_sanitize($form_data);
    $form_id = $form_data["form_tools_form_id"];
    // check the form ID is valid
    if (!ft_check_form_exists($form_id, true)) {
        $page_vars = array("message_type" => "error", "error_code" => 100);
        ft_display_page("error.tpl", $page_vars);
        exit;
    }
    $form_info = ft_get_form($form_id, true);
    // if this form has already been completed, exit with an error message
    if ($form_info["is_complete"] == "yes") {
        $page_vars = array("message_type" => "error", "error_code" => 101);
        ft_display_page("error.tpl", $page_vars);
        exit;
    }
    // since this form is still incomplete, remove any old records from form_fields concerning this form
    $query = mysql_query("\n    DELETE FROM {$g_table_prefix}form_fields\n    WHERE  form_id = {$form_id}\n          ");
    // remove irrelevant key-values
    unset($form_data["form_tools_initialize_form"]);
    unset($form_data["form_tools_submission_id"]);
    unset($form_data["form_tools_form_id"]);
    unset($form_data["form_tools_display_notification_page"]);
    $order = 1;
    // add the submission ID system field ("ID" can be changed by the user via the interface)
    $query = mysql_query("\n    INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_test_value, field_type_id, is_system_field,\n        data_type, field_title, col_name, list_order, is_new_sort_group)\n    VALUES ({$form_id}, 'core__submission_id', '', {$textbox_field_type_id}, 'yes', 'number', '{$LANG["word_id"]}',\n        'submission_id', '{$order}', 'yes')\n  ");
    if (!$query) {
        $page_vars = array("message_type" => "error", "error_code" => 102, "error_type" => "system", "debugging" => "<b>" . __FUNCTION__ . ", " . __FILE__ . "</b>, failed query: " . mysql_error());
        ft_display_page("error.tpl", $page_vars);
        exit;
    }
    $order++;
    while (list($key, $value) = each($form_data)) {
        // if the value is an array, it's either a checkbox field or a multi-select field. Just
        // comma-separate them
        if (is_array($value)) {
            $value = join("{$g_multi_val_delimiter}", $value);
        }
        $query = mysql_query("\n      INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_type_id, is_system_field,\n        field_test_value, data_type, list_order, is_new_sort_group)\n      VALUES ({$form_id}, '{$key}', 1, 'no', '{$value}', 'string', '{$order}', 'yes')\n                ");
        if (!$query) {
            $page_vars = array("message_type" => "error", "error_code" => 103, "error_type" => "system", "debugging" => "<b>" . __FUNCTION__ . ", " . __FILE__ . "</b>, failed query: " . mysql_error());
            ft_display_page("error.tpl", $page_vars);
            exit;
        }
        $order++;
    }
    // now see if any files were uploaded, too. ** don't actually upload the file, just allocate a
    // spot for the filename string in the database. The user will have to configure the field settings
    // later
    while (list($key, $fileinfo) = each($_FILES)) {
        $query = mysql_query("\n      INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_type_id, is_system_field,\n        field_test_value, data_type, list_order)\n      VALUES ({$form_id}, '{$key}', 8, 'no', '{$LANG["word_file_b_uc"]}', 'string', '{$order}')\n                ");
        if (!$query) {
            $page_vars = array("message_type" => "error", "error_code" => 104, "error_type" => "system", "debugging" => "<b>" . __FUNCTION__ . ", " . __FILE__ . "</b>, failed query: " . mysql_error());
            ft_display_page("error.tpl", $page_vars);
            exit;
        }
        $order++;
    }
    // add the Submission Date, Last Modified Date and IP Address system fields. For the date fields, we also
    // add in a custom formatting to display the full datetime. This is because the default date formatting is date only -
    // I think that's probably going to be more useful as a default than a datetime - hence the extra work here
    // submission date
    $order1 = $order;
    $query = mysql_query("\n    INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_test_value, field_type_id, is_system_field,\n      field_title, data_type, col_name, list_order)\n    VALUES ({$form_id}, 'core__submission_date', '', {$date_field_type_id}, 'yes', '{$LANG["word_date"]}',\n      'date', 'submission_date', '{$order1}')\n      ");
    $submission_date_field_id = mysql_insert_id();
    mysql_query("\n    INSERT INTO {$g_table_prefix}field_settings (field_id, setting_id, setting_value)\n    VALUES ({$submission_date_field_id}, {$date_field_type_datetime_setting_id}, '{$g_default_datetime_format}')\n      ");
    mysql_query("\n    INSERT INTO {$g_table_prefix}field_settings (field_id, setting_id, setting_value)\n    VALUES ({$submission_date_field_id}, {$date_field_type_timezone_setting_id}, 'yes')\n      ");
    // last modified date
    $order2 = $order + 1;
    $query = mysql_query("\n    INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_test_value, field_type_id, is_system_field,\n      field_title, data_type, col_name, list_order)\n    VALUES ({$form_id}, 'core__last_modified', '', {$date_field_type_id}, 'yes', '{$LANG["phrase_last_modified"]}',\n      'date', 'last_modified_date', '{$order2}')\n      ");
    $last_modified_date_field_id = mysql_insert_id();
    mysql_query("\n    INSERT INTO {$g_table_prefix}field_settings (field_id, setting_id, setting_value)\n    VALUES ({$last_modified_date_field_id}, {$date_field_type_datetime_setting_id}, '{$g_default_datetime_format}')\n      ");
    mysql_query("\n    INSERT INTO {$g_table_prefix}field_settings (field_id, setting_id, setting_value)\n    VALUES ({$last_modified_date_field_id}, {$date_field_type_timezone_setting_id}, 'yes')\n      ");
    // ip address
    $order3 = $order + 2;
    $query = mysql_query("\n    INSERT INTO {$g_table_prefix}form_fields (form_id, field_name, field_test_value, field_type_id, is_system_field,\n      field_title, data_type, col_name, list_order)\n    VALUES ({$form_id}, 'core__ip_address', '', {$textbox_field_type_id}, 'yes', '{$LANG["phrase_ip_address"]}',\n      'number', 'ip_address', '{$order3}')\n      ");
    if (!$query) {
        $page_vars = array("message_type" => "error", "error_code" => 105, "error_type" => "system", "debugging" => "<b>" . __FUNCTION__ . ", " . __FILE__ . "</b>, failed query: " . mysql_error());
        ft_display_page("error.tpl", $page_vars);
        exit;
    }
    // finally, set this form's "is_initialized" value to "yes", so the administrator can proceed to
    // the next step of the Add Form process.
    mysql_query("\n    UPDATE  {$g_table_prefix}forms\n    SET     is_initialized = 'yes'\n    WHERE   form_id = {$form_id}\n              ");
    // alert a "test submission complete" message. The only time this wouldn't be outputted would be
    // if this function is being called programmatically, like with the blank_form module
    if ($display_notification_page) {
        $page_vars = array();
        $page_vars["message"] = $LANG["processing_init_complete"];
        $page_vars["message_type"] = "notify";
        $page_vars["title"] = $LANG["phrase_test_submission_received"];
        ft_display_page("error.tpl", $page_vars);
        exit;
    }
}
Пример #3
0
<?php

require "../../global/session_start.php";
ft_check_permission("admin");
$request = array_merge($_POST, $_GET);
$form_id = ft_load_field("form_id", "form_id", "");
if (!ft_check_form_exists($form_id)) {
    header("location: index.php");
    exit;
}
// store the current selected tab in memory - except for pages which require additional
// query string info. For those, use the parent page
if (isset($request["page"]) && !empty($request["page"])) {
    $remember_page = $request["page"];
    switch ($remember_page) {
        case "field_options":
        case "files":
            $remember_page = "fields";
            break;
        case "edit_email":
            $remember_page = "emails";
            break;
    }
    $_SESSION["ft"]["form_{$form_id}_tab"] = $remember_page;
    $page = $request["page"];
} else {
    $page = ft_load_field("page", "form_{$form_id}_tab", "edit_form_main");
}
if (isset($request['edit_email_user_settings'])) {
    header("Location: edit.php?page=email_settings");
    exit;
Пример #4
0
/**
 * Returns all information about a submission. N.B. Would have been nice to have made this just a
 * wrapper for ft_get_submission_info, but that function contains hooks. Need to revise all core
 * code to allow external calls to optionally avoid any hook calls.
 *
 * @param integer $form_id
 * @param integer $submission_id
 */
function ft_api_get_submission($form_id, $submission_id)
{
    global $g_table_prefix, $g_api_debug;
    // confirm the form is valid
    if (!ft_check_form_exists($form_id)) {
        if ($g_api_debug) {
            $page_vars = array("message_type" => "error", "error_code" => 405, "error_type" => "user");
            ft_display_page("error.tpl", $page_vars);
            exit;
        } else {
            return array(false, 405);
        }
    }
    if (!is_numeric($submission_id)) {
        if ($g_api_debug) {
            $page_vars = array("message_type" => "error", "error_code" => 406, "error_type" => "user");
            ft_display_page("error.tpl", $page_vars);
            exit;
        } else {
            return array(false, 406);
        }
    }
    // get the form submission info
    $submission_info = mysql_query("\n     SELECT *\n     FROM   {$g_table_prefix}form_{$form_id}\n     WHERE  submission_id = {$submission_id}\n              ");
    $submission = mysql_fetch_assoc($submission_info);
    return $submission;
}
Пример #5
0
/**
 * This function processes the form submissions, after the form has been set up in the database.
 */
function ft_process_form($form_data)
{
    global $g_table_prefix, $g_multi_val_delimiter, $g_query_str_multi_val_separator, $g_root_dir, $LANG, $g_api_version, $g_api_recaptcha_private_key;
    // ensure the incoming values are escaped
    $form_data = ft_sanitize($form_data);
    $form_id = $form_data["form_tools_form_id"];
    $form_info = ft_get_form($form_id);
    // do we have a form for this id?
    if (!ft_check_form_exists($form_id)) {
        $page_vars = array("message_type" => "error", "message" => $LANG["processing_invalid_form_id"]);
        ft_display_page("error.tpl", $page_vars);
        exit;
    }
    extract(ft_process_hook_calls("start", compact("form_info", "form_id", "form_data"), array("form_data")), EXTR_OVERWRITE);
    // check to see if this form has been completely set up
    if ($form_info["is_complete"] == "no") {
        $page_vars = array("message_type" => "error", "message" => $LANG["processing_form_incomplete"]);
        ft_display_page("error.tpl", $page_vars);
        exit;
    }
    // check to see if this form has been disabled
    if ($form_info["is_active"] == "no") {
        if (isset($form_data["form_tools_inactive_form_redirect_url"])) {
            header("location: {$form_data["form_tools_inactive_form_redirect_url"]}");
            exit;
        }
        $page_vars = array("message_type" => "error", "message" => $LANG["processing_form_disabled"]);
        ft_display_page("error.tpl", $page_vars);
        exit;
    }
    // do we have a form for this id?
    if (!ft_check_form_exists($form_id)) {
        $page_vars = array("message_type" => "error", "message" => $LANG["processing_invalid_form_id"]);
        ft_display_page("error.tpl", $page_vars);
        exit;
    }
    // was there a reCAPTCHA response? If so, a recaptcha was just submitted. This generally implies the
    // form page included the API, so check it was entered correctly. If not, return the user to the webpage
    if (isset($g_api_version) && isset($form_data["recaptcha_response_field"])) {
        $passes_captcha = false;
        $recaptcha_challenge_field = $form_data["recaptcha_challenge_field"];
        $recaptcha_response_field = $form_data["recaptcha_response_field"];
        $folder = dirname(__FILE__);
        require_once "{$folder}/global/api/recaptchalib.php";
        $resp = recaptcha_check_answer($g_api_recaptcha_private_key, $_SERVER["REMOTE_ADDR"], $recaptcha_challenge_field, $recaptcha_response_field);
        if ($resp->is_valid) {
            $passes_captcha = true;
        } else {
            // since we need to pass all the info back to the form page we do it by storing the data in sessions. Enable 'em.
            @ft_api_start_sessions();
            $_SESSION["form_tools_form_data"] = $form_data;
            $_SESSION["form_tools_form_data"]["api_recaptcha_error"] = $resp->error;
            // if there's a form_tools_form_url specified, redirect to that
            if (isset($form_data["form_tools_form_url"])) {
                header("location: {$form_data["form_tools_form_url"]}");
                exit;
            } else {
                if (isset($_SERVER["HTTP_REFERER"])) {
                    header("location: {$_SERVER["HTTP_REFERER"]}");
                    exit;
                } else {
                    $page_vars = array("message_type" => "error", "message" => $LANG["processing_no_form_url_for_recaptcha"]);
                    ft_display_page("error.tpl", $page_vars);
                    exit;
                }
            }
        }
    }
    // get a list of the custom form fields (i.e. non-system) for this form
    $form_fields = ft_get_form_fields($form_id, array("include_field_type_info" => true));
    $custom_form_fields = array();
    $file_fields = array();
    foreach ($form_fields as $field_info) {
        $field_id = $field_info["field_id"];
        $is_system_field = $field_info["is_system_field"];
        $field_name = $field_info["field_name"];
        // ignore system fields
        if ($is_system_field == "yes") {
            continue;
        }
        if ($field_info["is_file_field"] == "no") {
            $custom_form_fields[$field_name] = array("field_id" => $field_id, "col_name" => $field_info["col_name"], "field_title" => $field_info["field_title"], "include_on_redirect" => $field_info["include_on_redirect"], "field_type_id" => $field_info["field_type_id"], "is_date_field" => $field_info["is_date_field"]);
        } else {
            $file_fields[] = array("field_id" => $field_id, "field_info" => $field_info);
        }
    }
    // now examine the contents of the POST/GET submission and get a list of those fields
    // which we're going to update
    $valid_form_fields = array();
    while (list($form_field, $value) = each($form_data)) {
        // if this field is included, store the value for adding to DB
        if (array_key_exists($form_field, $custom_form_fields)) {
            $curr_form_field = $custom_form_fields[$form_field];
            $cleaned_value = $value;
            if (is_array($value)) {
                if ($form_info["submission_strip_tags"] == "yes") {
                    for ($i = 0; $i < count($value); $i++) {
                        $value[$i] = strip_tags($value[$i]);
                    }
                }
                $cleaned_value = implode("{$g_multi_val_delimiter}", $value);
            } else {
                if ($form_info["submission_strip_tags"] == "yes") {
                    $cleaned_value = strip_tags($value);
                }
            }
            $valid_form_fields[$curr_form_field["col_name"]] = "'{$cleaned_value}'";
        }
    }
    $now = ft_get_current_datetime();
    $ip_address = $_SERVER["REMOTE_ADDR"];
    $col_names = array_keys($valid_form_fields);
    $col_names_str = join(", ", $col_names);
    if (!empty($col_names_str)) {
        $col_names_str .= ", ";
    }
    $col_values = array_values($valid_form_fields);
    $col_values_str = join(", ", $col_values);
    if (!empty($col_values_str)) {
        $col_values_str .= ", ";
    }
    // build our query
    $query = "\r\n    INSERT INTO {$g_table_prefix}form_{$form_id} ({$col_names_str} submission_date, last_modified_date, ip_address, is_finalized)\r\n    VALUES ({$col_values_str} '{$now}', '{$now}', '{$ip_address}', 'yes')\r\n           ";
    // add the submission to the database (if form_tools_ignore_submission key isn't set by either the form or a module)
    $submission_id = "";
    if (!isset($form_data["form_tools_ignore_submission"])) {
        $result = mysql_query($query);
        if (!$result) {
            $page_vars = array("message_type" => "error", "error_code" => 304, "error_type" => "system", "debugging" => "Failed query in <b>" . __FUNCTION__ . ", " . __FILE__ . "</b>, line " . __LINE__ . ": <i>" . nl2br($query) . "</i>", mysql_error());
            ft_display_page("error.tpl", $page_vars);
            exit;
        }
        $submission_id = mysql_insert_id();
        extract(ft_process_hook_calls("end", compact("form_id", "submission_id"), array()), EXTR_OVERWRITE);
    }
    $redirect_query_params = array();
    // build the redirect query parameter array
    foreach ($form_fields as $field_info) {
        if ($field_info["include_on_redirect"] == "no" || $field_info["is_file_field"] == "yes") {
            continue;
        }
        switch ($field_info["col_name"]) {
            case "submission_id":
                $redirect_query_params[] = "submission_id={$submission_id}";
                break;
            case "submission_date":
                $settings = ft_get_settings();
                $submission_date_formatted = ft_get_date($settings["default_timezone_offset"], $now, $settings["default_date_format"]);
                $redirect_query_params[] = "submission_date=" . rawurlencode($submission_date_formatted);
                break;
            case "last_modified_date":
                $settings = ft_get_settings();
                $submission_date_formatted = ft_get_date($settings["default_timezone_offset"], $now, $settings["default_date_format"]);
                $redirect_query_params[] = "last_modified_date=" . rawurlencode($submission_date_formatted);
                break;
            case "ip_address":
                $redirect_query_params[] = "ip_address={$ip_address}";
                break;
            default:
                $field_name = $field_info["field_name"];
                // if $value is an array, convert it to a string, separated by $g_query_str_multi_val_separator
                if (isset($form_data[$field_name])) {
                    if (is_array($form_data[$field_name])) {
                        $value_str = join($g_query_str_multi_val_separator, $form_data[$field_name]);
                        $redirect_query_params[] = "{$field_name}=" . rawurlencode($value_str);
                    } else {
                        $redirect_query_params[] = "{$field_name}=" . rawurlencode($form_data[$field_name]);
                    }
                }
                break;
        }
    }
    // only upload files & send emails if we're not ignoring the submission
    if (!isset($form_data["form_tools_ignore_submission"])) {
        // now process any file fields. This is placed after the redirect query param code block above to allow whatever file upload
        // module to append the filename to the query string, if needed
        extract(ft_process_hook_calls("manage_files", compact("form_id", "submission_id", "file_fields", "redirect_query_params"), array("success", "message", "redirect_query_params")), EXTR_OVERWRITE);
        // send any emails
        ft_send_emails("on_submission", $form_id, $submission_id);
    }
    // if the redirect URL has been specified either in the database or as part of the form
    // submission, redirect the user [form submission form_tools_redirect_url value overrides
    // database value]
    if (!empty($form_info["redirect_url"]) || !empty($form_data["form_tools_redirect_url"])) {
        // build redirect query string
        $redirect_url = isset($form_data["form_tools_redirect_url"]) && !empty($form_data["form_tools_redirect_url"]) ? $form_data["form_tools_redirect_url"] : $form_info["redirect_url"];
        $query_str = "";
        if (!empty($redirect_query_params)) {
            $query_str = join("&", $redirect_query_params);
        }
        if (!empty($query_str)) {
            // only include the ? if it's not already there
            if (strpos($redirect_url, "?")) {
                $redirect_url .= "&" . $query_str;
            } else {
                $redirect_url .= "?" . $query_str;
            }
        }
        header("Location: " . $redirect_url);
        exit;
    }
    // the user should never get here! This means that the no redirect URL has been specified
    $page_vars = array("message_type" => "error", "message" => $LANG["processing_no_redirect_url"]);
    ft_display_page("error.tpl", $page_vars);
    exit;
}