示例#1
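// Upgrade flags carried in the session. A flag counts as set only when its
// stored value is truthy: empty() already yields true for an unset key, null,
// '', '0', 0 and [], so a trailing loose `!= false` comparison adds nothing
// and only invites PHP's loose-comparison surprises.
$may_upgrade = !empty($_SESSION['variables']['may_upgrade']);
$do_upgrade = !empty($_SESSION['variables']['do_upgrade']);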
/**
 *
 * Per step processing of input
 *
 **/
// Step two
if ($nextstep == '2' && checkAuth()) {
    //
    // Installation actions
    //  - Environmental variables
    //
    $dir = getPOSTparam4FullFilePath('rootdir');
    $rootdir = array('rootdir' => substr($dir, -1) !== '/' ? $dir . '/' : $dir);
    $sitename = array('sitename' => getPOSTparam4HumanName('sitename'));
    $language = array('language' => getPOSTparam4IdOrNumber('language'));
    // Add new data to variable session
    $_SESSION['variables'] = array_merge($_SESSION['variables'], $rootdir, $sitename, $language);
    if ($cfg['IN_DEVELOPMENT_ENVIRONMENT']) {
        echo 'WRITE_CFG_FILES_TO_DISK: ' . 1 * WRITE_CFG_FILES_TO_DISK . '<br>';
        echo 'EXECUTE_QUERIES: ' . 1 * EXECUTE_QUERIES . '<br>';
        echo 'DUMP_QUERIES_N_STUFF_IN_DEVMODE: ' . 1 * DUMP_QUERIES_N_STUFF_IN_DEVMODE . '<br>';
    }
    ?>
	<legend class="installMsg">Step 2 - Setting your preferences</legend>
		<label for="userPass"><span class="ss_sprite_16 ss_lock">&#160;</span>Administrator password
			<br/>
			<a class="ss_has_sprite small" onclick="randomPassword(8); return false;"><span class="ss_sprite_16 ss_arrow_refresh">&#160;</span>Auto generate a safe password</a>
		</label>
		<input type="text" class="alt title" name="userPass" onkeyup="passwordStrength(this.value)" value="" id="userPass" />
        }
    } catch (CcmsAjaxFbException $e) {
        $e->croak();
    }
}
/**
 *
 * Edit user details as posted by an authorized user
 *
 */
if ($do_action == 'edit-user-details' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) {
    FbX::SetFeedbackLocation('user-management.Manage.php');
    try {
        $userID = getPOSTparam4Number('userID');
        $userFirst = getPOSTparam4HumanName('first');
        $userLast = getPOSTparam4HumanName('last');
        $userEmail = getPOSTparam4Email('email');
        // Only if current user has the rights
        if ($perm->is_level_okay('manageUsers', $_SESSION['ccms_userLevel']) || $_SESSION['ccms_userID'] == $userID) {
            // Check length of values
            if (strlen($userFirst) >= 1 && strlen($userLast) >= 1 && strlen($userEmail) > 6) {
                $values = array();
                // [i_a] make sure $values is an empty array to start with here
                $values['userFirst'] = MySQL::SQLValue($userFirst, MySQL::SQLVALUE_TEXT);
                $values['userLast'] = MySQL::SQLValue($userLast, MySQL::SQLVALUE_TEXT);
                $values['userEmail'] = MySQL::SQLValue($userEmail, MySQL::SQLVALUE_TEXT);
                if ($db->UpdateRow($cfg['db_prefix'] . 'users', $values, array("userID" => MySQL::SQLValue($userID, MySQL::SQLVALUE_NUMBER)))) {
                    if ($userID == $_SESSION['ccms_userID']) {
                        $_SESSION['ccms_userFirst'] = $userFirst;
                        // getPOSTparam4HumanName already does the htmlentities() encoding, so we're safe to use & display these values as they are now.
                        $_SESSION['ccms_userLast'] = $userLast;
示例#3
from email spammers (robotic form abusers).

Of course, both anti-spam approaches may be used simultaneously to improve
our chances of rejecting spam.


No matter what, the POSTed values are all filtered before we access them, so
the only remaining 'risk' is that someone pre-fills the form for a user, who
then needs to enter the captcha or at least hit the submit button.

Thanks to the filtering, the POSTed content cannot be used to aid XSS attacks,
whatever else is happening.
*/
// Contact-form input, read through the project's filtering accessors. Each
// accessor is named for the context it filters for (subject line, mail body,
// human name, e-mail address); their exact filtering rules live elsewhere.
$subject = getPOSTparam4EmailSubjectLine('subject');
$message = getPOSTparam4EmailBody('message');
$sender = getPOSTparam4HumanName('name');
// The real address field is deliberately NOT named 'email': when
// USE_HONEYTRAP_AGAINST_SPAM is on, the spam check further down requires the
// POSTed 'email' field to be empty -- presumably the honeypot that catches
// robots filling in every field they see.
$emailaddress = getPOSTparam4Email('abcdef');
// If the action type is equal to send, then continue
if ($action_type == 'send' && $_SERVER['REQUEST_METHOD'] == 'POST') {
    $is_form_post = true;
    // make sure it's a valid action:
    if ((USE_CAPTCHA_AGAINST_SPAM ? POST2str('verification', 'x') == SESSION2str('ccms_captcha', 'y') : true) && (USE_HONEYTRAP_AGAINST_SPAM ? POST2str('email', '') == '' && POST2str('darling_jar', 'x') == SESSION2str('ccms_contactform_honeypot', 'y') : true)) {
        if (empty($emailaddress) || strcspn($emailaddress, '<"\'') != strlen($emailaddress)) {
            // email filter allows quoted prefix before the '<' ; we DO NOT as we have both parts separated here...
            $error = 'You specified an invalid email address';
        } else {
            if (empty($sender) || strpos($sender, '"') !== false) {
                // ... nor do we allow a double-quote inside the 'human name' preceeding part of the address.
                $error = 'You specified an invalid email sender name';
            } else {
                if (!empty($sender) && !empty($emailaddress) && !empty($subject) && !empty($message)) {