if (defined('COT_ADMIN')) { require_once cot_langfile('admin', 'core'); } /* ======== Theme / color scheme ======== */ // Resource control object require_once $cfg['system_dir'] . '/resources.php'; if (empty($cfg['themes_dir'])) { $cfg['themes_dir'] = 'themes'; } $mtheme = "{$cfg['themes_dir']}/{$usr['theme']}/header.tpl"; if (!file_exists($mtheme)) { $out['notices_array'][] = $L['com_themefail']; $usr['theme'] = $cfg['defaulttheme']; $mtheme = "{$cfg['themes_dir']}/{$usr['theme']}/header.tpl"; if (!file_exists($mtheme)) { cot_diefatal($L['com_defthemefail']); } } $usr['def_theme_lang'] = defined('COT_ADMIN') && !empty($cfg['admintheme']) ? "{$cfg['themes_dir']}/admin/{$cfg['admintheme']}/{$cfg['admintheme']}.en.lang.php" : "{$cfg['themes_dir']}/{$usr['theme']}/{$usr['theme']}.en.lang.php"; $usr['theme_lang'] = defined('COT_ADMIN') && !empty($cfg['admintheme']) ? "{$cfg['themes_dir']}/admin/{$cfg['admintheme']}/{$cfg['admintheme']}.{$usr['lang']}.lang.php" : "{$cfg['themes_dir']}/{$usr['theme']}/{$usr['theme']}.{$usr['lang']}.lang.php"; if ($usr['theme_lang'] != $usr['def_theme_lang'] && @file_exists($usr['theme_lang'])) { require_once $usr['theme_lang']; } elseif (@file_exists($usr['def_theme_lang'])) { require_once $usr['def_theme_lang']; } $theme = $usr['theme']; $scheme = $usr['scheme']; // Resource strings require_once $cfg['system_dir'] . '/resources.rc.php'; if (defined('COT_ADMIN')) { require_once cot_incfile('admin', 'module', 'resources');
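/**
 * Imports data from the outer world
 *
 * Fetches a request variable from the given source, validates it with the
 * requested filter and returns the resulting value. When validation fails the
 * failure is logged (for request sources) and either a fatal error is raised
 * ($dieonerror) or the filter's fallback value is returned instead.
 *
 * @param string $name Variable name (the value itself for source D/DIRECT)
 * @param string $source Source type: G/GET, P/POST, C/COOKIE, R/REQUEST, PUT, PATCH, DELETE or D/DIRECT (variable filtering)
 * @param string $filter Filter type: INT, NUM, TXT, ALP, PSW, HTM, ARR, BOL, NOC or a custom key of $cot_import_filters
 * @param int $maxlen Length limit in characters, applied to scalar values only
 * @param bool $dieonerror Die with fatal error on wrong input
 * @param bool $buffer Try to load from input buffer (previously submitted) if current value is empty
 * @return mixed Filtered value; NULL when the variable is absent, the filter's fallback (possibly NULL) when it is rejected
 */
function cot_import($name, $source, $filter, $maxlen = 0, $dieonerror = false, $buffer = false)
{
    global $cot_import_filters, $_PUT, $_PATCH, $_DELETE;

    // PHP does not parse the body of PUT/PATCH/DELETE requests itself; decode it
    // lazily, once, into the matching container.
    if (isset($_SERVER['REQUEST_METHOD'])) {
        $method = $_SERVER['REQUEST_METHOD'];
        if ($method === 'PUT' && $_PUT === null) {
            parse_str((string) file_get_contents('php://input'), $_PUT);
        } elseif ($method === 'PATCH' && $_PATCH === null) {
            parse_str((string) file_get_contents('php://input'), $_PATCH);
        } elseif ($method === 'DELETE' && $_DELETE === null) {
            parse_str((string) file_get_contents('php://input'), $_DELETE);
        }
    }

    // Long source names are aliases of the one-letter codes; normalise once so
    // every later check (container lookup, slash stripping) treats them alike.
    $aliases = array(
        'GET' => 'G',
        'POST' => 'P',
        'COOKIE' => 'C',
        'REQUEST' => 'R',
        'DIRECT' => 'D',
    );
    $src = isset($aliases[$source]) ? $aliases[$source] : $source;

    $v = null;
    // Rejections from request sources are logged; direct values are not
    $log = true;
    switch ($src) {
        case 'G':
            $v = isset($_GET[$name]) ? $_GET[$name] : null;
            break;
        case 'P':
            $v = isset($_POST[$name]) ? $_POST[$name] : null;
            break;
        case 'PUT':
            $v = isset($_PUT[$name]) ? $_PUT[$name] : null;
            break;
        case 'PATCH':
            $v = isset($_PATCH[$name]) ? $_PATCH[$name] : null;
            break;
        case 'DELETE':
            $v = isset($_DELETE[$name]) ? $_DELETE[$name] : null;
            break;
        case 'R':
            $v = isset($_REQUEST[$name]) ? $_REQUEST[$name] : null;
            break;
        case 'C':
            $v = isset($_COOKIE[$name]) ? $_COOKIE[$name] : null;
            break;
        case 'D':
            $v = $name;
            $log = false;
            break;
        default:
            // Caller-supplied values end up in an HTML error page: escape them
            cot_diefatal('Unknown source for a variable : <br />Name = '
                . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8')
                . '<br />Source = ' . htmlspecialchars((string) $source, ENT_QUOTES, 'UTF-8')
                . ' ? (must be G, P, C or D)');
            break;
    }

    // Arrays are only ever accepted through the ARR filter (NOC is promoted to
    // ARR); a scalar requested as ARR yields an empty array.
    if (is_array($v)) {
        if ($filter === 'NOC') {
            $filter = 'ARR';
        }
        if ($filter !== 'ARR') {
            return null;
        }
    } elseif ($filter === 'ARR') {
        return array();
    }

    // Legacy magic_quotes_gpc support: undo the slashes PHP added to GPC data.
    // MQGPC is defined elsewhere in the core; guard against it being absent.
    if (defined('MQGPC') && MQGPC && $filter !== 'ARR' && $v !== null && $v !== ''
        && ($src === 'G' || $src === 'P' || $src === 'C')) {
        $v = stripslashes($v);
    }

    if ($buffer && ($v === '' || $v === null || $filter === 'ARR')) {
        return cot_import_buffered($name, $v, null);
    }
    if ($v === null) {
        return null;
    }

    // The length limit is character based; an ARR value is still an array here
    // and must not be passed to mb_substr().
    if ($maxlen > 0 && !is_array($v)) {
        $v = mb_substr((string) $v, 0, $maxlen);
    }

    // Custom filter support: a chain of callables registered under the filter name
    if (isset($cot_import_filters[$filter]) && is_array($cot_import_filters[$filter])) {
        foreach ($cot_import_filters[$filter] as $func) {
            $v = $func($v, $name);
        }
        return $v;
    }

    $pass = false;
    // Value handed back to the caller when the filter rejects $v (unless dying)
    $defret = null;

    switch ($filter) {
        case 'INT':
            if (is_numeric($v)) {
                $num = (float) $v;
                if (floor($num) == $num) {
                    $pass = true;
                    $v = (int) $v;
                }
            }
            break;
        case 'NUM':
            if (is_numeric($v)) {
                $pass = true;
                $v = (double) $v;
            }
            break;
        case 'TXT':
            $v = trim($v);
            if (mb_strpos($v, '<') === false) {
                $pass = true;
            } else {
                // Fallback is the text with tag openers neutralised
                $defret = str_replace('<', '&lt;', $v);
            }
            break;
        case 'ALP':
            $v = trim($v);
            $stripped = cot_alphaonly($v);
            // Strict comparison: a loose == would let numeric look-alikes
            // such as '1.' pass as equal to '1'
            if ($v === $stripped) {
                $pass = true;
            } else {
                $defret = $stripped;
            }
            break;
        case 'PSW':
            $v = trim($v);
            $stripped = mb_substr(preg_replace('#[\'"&<>]#', '', $v), 0, 32);
            if ($v === $stripped) {
                $pass = true;
            } else {
                $defret = $stripped;
            }
            break;
        case 'HTM':
            $v = trim($v);
            $pass = true;
            break;
        case 'ARR':
        case 'NOC':
            $pass = true;
            break;
        case 'BOL':
            // Accept the usual checkbox/toggle spellings; anything else is
            // rejected with FALSE as the fallback
            $flag = is_bool($v) ? ($v ? '1' : '0') : (string) $v;
            if ($flag === '1' || $flag === 'on') {
                $pass = true;
                $v = true;
            } elseif ($flag === '0' || $flag === 'off') {
                $pass = true;
                $v = false;
            } else {
                $defret = false;
            }
            break;
        default:
            // $v is raw request data rendered into an HTML error page: escape it
            cot_diefatal('Unknown filter for a variable : <br />Var = '
                . htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8')
                . '<br />Filter = "' . htmlspecialchars((string) $filter, ENT_QUOTES, 'UTF-8') . '" ?');
            break;
    }

    // Complete numeric character references left without a trailing ';' so
    // they cannot be reinterpreted later; typed results need no such repair.
    if (!$pass || !in_array($filter, array('INT', 'NUM', 'BOL', 'ARR'), true)) {
        $v = preg_replace('/(&#\\d+)(?![\\d;])/', '$1;', $v);
    }

    if ($pass) {
        return $v;
    }
    if ($log) {
        cot_log_import($source, $filter, $name, $v);
    }
    if ($dieonerror) {
        cot_diefatal('Wrong input.');
    }
    return $defret;
}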
} if ($lct_pg == 'com') { $alname = $db->query("SELECT k.page_alias,k.page_cat FROM {$db_pages} k LEFT JOIN {$db_com} c ON (c.com_id = {$fp} AND c.com_area = 'page') WHERE k.page_id = c.com_code LIMIT 1")->fetch(); $alname = $alname['page_alias'] . ":" . $alname['page_cat'] . ":" . urldecode($mod); } // SQL-injection protection $reason = $db->prep($reason); $ts = time(); $sql = $db->query("INSERT cot_karma VALUES ('', '{$recipient}', '{$usr['id']}', '{$value}', '{$reason}', '{$fp}','{$lct_pg}','{$ts}','{$alname}')"); //Update user_karma $sql_injection = $db->query("UPDATE {$db_users} SET user_karma=user_karma + " . $value . " WHERE user_id={$recipient}"); $popup_body .= karma_error('karma_ms_ok', $L['karma_changed_ok'], $cfg['plugin']['karma']['close_win']); break; case 'moderate': if (!cot_auth('plug', 'karma', 'A')) { cot_diefatal($L['low_level']); } $karma_userid = $db->query("SELECT u.user_id,k.karma_value FROM cot_karma k LEFT JOIN {$db_users} u ON (u.user_id = k.karma_recipient) WHERE k.karma_id = {$fp} LIMIT 1 ")->fetch(); $db->query("DELETE FROM cot_karma WHERE karma_id = {$fp} LIMIT 1"); $db->query("UPDATE {$db_users} SET user_karma = user_karma -{$karma_userid['karma_value']} WHERE user_id = {$karma_userid['user_id']}"); $ku = cot_import('ku', 'G', 'INT'); $popup_body .= karma_error('karma_ms_ok', $L['karma_del_ok'], true); break; case 'show': default: list($pg, $kn) = cot_import_pagenav('kn', $cfg['plugin']['karma']['karma_maxpage']); $tmp = $db->query("SELECT COUNT(*),SUM(karma_value) AS karma FROM cot_karma WHERE karma_recipient = {$fp}")->fetch(); $total_p = $tmp['COUNT(*)']; if (cot_plugin_active('comments')) { $sql = $db->query("SELECT u.*, k.*,c.com_code,c.com_id FROM cot_karma k LEFT JOIN {$db_users} u ON (u.user_id=k.karma_rater) LEFT JOIN {$db_com} c ON (c.com_id=k.karma_fp) WHERE k.karma_recipient = {$fp} ORDER BY k.karma_id DESC LIMIT {$kn}, " . $cfg['plugin']['karma']['karma_maxpage'] . ""); } else {
/** * @package Install * @copyright (c) Cotonti Team * @license https://github.com/Cotonti/Cotonti/blob/master/License.txt */ defined('COT_CODE') or die('Wrong URL'); define('COT_UPDATE', true); cot_sendheaders(); if (!file_exists("./setup/{$branch}")) { cot_diefatal($L['install_dir_not_found']); } // include $file['config']; $mskin = cot_tplfile('install.update'); if (!file_exists($mskin)) { cot_diefatal($L['install_update_template_not_found']); } $t = new XTemplate($mskin); // Check for new config options if (is_writable($file['config']) && file_exists($file['config_sample'])) { list($old_cfg, $old_db) = cot_get_config($file['config']); list($new_cfg, $new_db) = cot_get_config($file['config_sample']); if (count(array_diff($new_cfg, $old_cfg)) > 0 || count(array_diff($new_db, $old_db)) > 0) { // Add new config options $delta = ''; if (count(array_diff($new_cfg, $old_cfg)) > 0) { foreach ($new_cfg as $key => $val) { if (!isset($old_cfg[$key])) { if ($key == 'new_install') { $val = false; } elseif ($key == 'site_id' || $key == 'secret_key') {
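/**
 * Performs SQL UPDATE with simple data array. Array keys must match table keys, optionally you can specify
 * key prefix as fourth parameter. Strings get quoted and escaped automatically.
 * Ints and floats must be typecasted.
 * You can use special values in the array:
 * - PHP NULL => SQL NULL
 * - 'NOW()' => SQL NOW()
 *
 * Column and table names are wrapped in backticks; embedded backticks are doubled.
 *
 * @param string $table_name Table name
 * @param array $data Associative array containing data for update
 * @param string $condition Body of SQL WHERE clause
 * @param array $parameters Array of statement input parameters, see http://www.php.net/manual/en/pdostatement.execute.php
 * @param bool $update_null Nullify cells which have null values in the array. By default they are skipped
 * @return int|false The number of affected records, 0 when nothing was updated, or FALSE on a non-fatal SQL error
 */
public function update($table_name, $data, $condition = '', $parameters = array(), $update_null = false)
{
    if (!is_array($data)) {
        return 0;
    }
    if (!is_array($parameters)) {
        $parameters = array($parameters);
    }

    // A condition of '0' is a real (never matching) WHERE clause; only a
    // genuinely empty condition means "no WHERE", so do not use empty() here,
    // which would turn it into an unconditional update of every row.
    $hasCondition = $condition !== null && $condition !== '';

    // When this wrapper prepares statements itself, placeholders in the
    // condition are substituted now and the parameter list is consumed.
    if ($this->_prepare_itself && $hasCondition && count($parameters) > 0) {
        $condition = $this->_prepare($condition, $parameters);
        $parameters = array();
    }
    $where = $hasCondition ? 'WHERE ' . $condition : '';

    $assignments = array();
    foreach ($data as $key => $val) {
        if ($val === null && !$update_null) {
            continue;
        }
        $column = '`' . str_replace('`', '``', (string) $key) . '`';
        if ($val === null) {
            $assignments[] = $column . '=NULL';
        } elseif ($val === 'NOW()') {
            $assignments[] = $column . '=NOW()';
        } elseif (is_int($val) || is_float($val)) {
            $assignments[] = $column . '=' . $val;
        } else {
            $assignments[] = $column . '=' . $this->quote($val);
        }
    }
    if (count($assignments) === 0) {
        return 0;
    }

    $table = '`' . str_replace('`', '``', (string) $table_name) . '`';
    $query = 'UPDATE ' . $table . ' SET ' . implode(',', $assignments) . ' ' . $where;

    // Start from FALSE so a swallowed (non-fatal) PDOException reports failure
    // instead of leaving the result undefined.
    $res = false;
    $this->_startTimer();
    try {
        if (count($parameters) > 0) {
            $stmt = $this->prepare($query);
            $this->_bindParams($stmt, $parameters);
            $stmt->execute();
            $res = $stmt->rowCount();
        } else {
            $res = $this->exec($query);
        }
    } catch (PDOException $err) {
        // _parseError() decides whether the error is fatal for the request
        if ($this->_parseError($err, $err_code, $err_message)) {
            cot_diefatal('SQL error ' . $err_code . ': ' . $err_message);
        }
    }
    $this->_stopTimer($query);
    return $res;
}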