// // includes include_once "../include/config.php"; include_once "../include/amberphplib/main.php"; // erase any data - gets rid of stale errors and user sessions. $_SESSION["error"] = array(); $_SESSION["user"] = array(); if (user_online()) { // user is already logged in! $_SESSION["error"]["message"][] = "You are already logged in!"; $_SESSION["error"]["username_amberdms_bs"] = "error"; $_SESSION["error"]["password_amberdms_bs"] = "error"; } else { // check & convert input if ($GLOBALS["config"]["instance"] == "hosted") { $instance = security_form_input("/^[0-9a-z]*\$/", "instance_amberdms_bs", 1, "Please provide a valid customer instance ID."); } else { $instance = NULL; } $username = @security_form_input_predefined("any", "username_amberdms_bs", 1, "Please enter a username."); $password = @security_form_input_predefined("any", "password_amberdms_bs", 4, "Please enter a password."); if ($_SESSION["error"]["message"]) { // errors occured header("Location: ../index.php?page=user/login.php"); exit(0); } // call the user functions to authenticate the user and handle blacklisting $result = user_login($instance, $username, $password); if ($result == 1) { // login succeded // if user has been redirected to login from a previous page, lets take them to that page.
include_once "../include/amberphplib/main.php"; if (user_permissions_get("admin")) { /* Load Data */ $data["ACCOUNTS_AP_INVOICENUM"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "ACCOUNTS_AP_INVOICENUM", 1, ""); $data["ACCOUNTS_AR_INVOICENUM"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "ACCOUNTS_AR_INVOICENUM", 1, ""); $data["ACCOUNTS_GL_TRANSNUM"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "ACCOUNTS_GL_TRANSNUM", 1, ""); $data["ACCOUNTS_QUOTES_NUM"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "ACCOUNTS_QUOTES_NUM", 1, ""); $data["ACCOUNTS_CREDIT_NUM"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "ACCOUNTS_CREDIT_NUM", 1, ""); $data["CODE_ACCOUNT"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "CODE_ACCOUNT", 1, ""); $data["CODE_CUSTOMER"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "CODE_CUSTOMER", 1, ""); $data["CODE_VENDOR"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "CODE_VENDOR", 1, ""); $data["CODE_PRODUCT"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "CODE_PRODUCT", 1, ""); $data["CODE_PROJECT"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "CODE_PROJECT", 1, ""); $data["CODE_STAFF"] = @security_form_input("/^[A-Za-z0-9_\\-]*[0-9]*\$/", "CODE_STAFF", 1, ""); $data["ACCOUNTS_SERVICES_ADVANCEBILLING"] = @security_form_input_predefined("int", "ACCOUNTS_SERVICES_ADVANCEBILLING", 1, ""); $data["ACCOUNTS_SERVICES_DATESHIFT"] = @security_form_input_predefined("int", "ACCOUNTS_SERVICES_DATESHIFT", 1, ""); $data["ACCOUNTS_TERMS_DAYS"] = @security_form_input_predefined("int", "ACCOUNTS_TERMS_DAYS", 0, ""); $data["ACCOUNTS_AUTOPAY"] = @security_form_input_predefined("checkbox", "ACCOUNTS_AUTOPAY", 0, ""); $data["ACCOUNTS_EMAIL_ADDRESS"] = @security_form_input_predefined("email", "ACCOUNTS_EMAIL_ADDRESS", 1, ""); $data["ACCOUNTS_EMAIL_AUTOBCC"] = @security_form_input_predefined("checkbox", "ACCOUNTS_EMAIL_AUTOBCC", 1, ""); $data["ACCOUNTS_INVOICE_AUTOEMAIL"] = 
@security_form_input_predefined("checkbox", "ACCOUNTS_INVOICE_AUTOEMAIL", 0, ""); $data["ACCOUNTS_INVOICE_BATCHREPORT"] = @security_form_input_predefined("checkbox", "ACCOUNTS_INVOICE_BATCHREPORT", 0, ""); $data["SERVICES_USAGEALERTS_ENABLE"] = @security_form_input_predefined("checkbox", "SERVICES_USAGEALERTS_ENABLE", 0, ""); $data["ORDERS_BILL_ONSERVICE"] = @security_form_input_predefined("checkbox", "ORDERS_BILL_ONSERVICE", 0, ""); $data["ORDERS_BILL_ENDOFMONTH"] = @security_form_input_predefined("checkbox", "ORDERS_BILL_ENDOFMONTH", 0, ""); $data["TIMESHEET_BOOKTOFUTURE"] = @security_form_input_predefined("any", "TIMESHEET_BOOKTOFUTURE", 0, ""); $data["ACCOUNTS_INVOICE_LOCK"] = @security_form_input_predefined("int", "ACCOUNTS_INVOICE_LOCK", 0, ""); $data["ACCOUNTS_GL_LOCK"] = @security_form_input_predefined("int", "ACCOUNTS_GL_LOCK", 0, ""); $data["JOURNAL_LOCK"] = @security_form_input_predefined("int", "JOURNAL_LOCK", 0, "");
log_debug("start", "ERASED LOGGING AS PART OF USER SESSION CLEANUP"); log_debug("start", ""); } else { $_SESSION["error"] = array(); $_SESSION["user"] = array(); } if (user_online()) { // user is already logged in! $_SESSION["error"]["message"][] = "You are already logged in!"; $_SESSION["error"]["username_namedmanager"] = "error"; $_SESSION["error"]["password_namedmanager"] = "error"; } else { // check & convert input $instance = NULL; $username = security_form_input("/^[A-Za-z0-9.]*\$/", "username_namedmanager", 1, "Please enter a username."); $password = security_form_input("/^\\S*\$/", "password_namedmanager", 1, "Please enter a password."); if ($_SESSION["error"]["message"]) { // errors occured header("Location: ../index.php?page=user/login.php"); exit(0); } // call the user functions to authenticate the user and handle blacklisting $result = user_login($instance, $username, $password); if ($result == 1) { // login succeded // if user has been redirected to login from a previous page, lets take them to that page. if ($_SESSION["login"]["previouspage"]) { header("Location: ../index.php?" . $_SESSION["login"]["previouspage"] . ""); $_SESSION["login"] = array(); exit(0); } else {
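/**
 * Validate one form field of a predefined type and return the sanitised value.
 *
 * Most types only select a regular expression and hand off to
 * security_form_input() (defined elsewhere), which - judging by the money
 * case below - returns "error" on failure. The date, hourmins, money,
 * multiple_email, ipv6, ipv6_cidr and checkbox types read $_POST themselves,
 * record the outcome in $_SESSION["error"] and return directly.
 *
 * Error recording convention used by the self-contained types:
 *   $_SESSION["error"]["message"][]          human readable message
 *   $_SESSION["error"]["<valuename>-error"]  1 when the field failed
 *   $_SESSION["error"]["<valuename>"]        last value (0 on failure)
 *
 * @param string $type      any|date|hourmins|date_string|int|money|float|email|
 *                          multiple_email|ipv4|ipv4_cidr|ipv6|ipv6_cidr|checkbox
 * @param string $valuename form field name, i.e. the key into $_POST
 * @param int    $numchar   passed through to security_form_input(); the
 *                          self-contained types only use its truthiness
 *                          ("field is required")
 * @param string $errormsg  message recorded on failure; "" means build a
 *                          default from the translated field name
 * @return mixed the validated value; "error" on failure for the string
 *               types, 0/1 for checkbox, seconds for hourmins (0 on failure)
 *               and the assembled YYYY-MM-DD string for date even on failure
 */
function security_form_input_predefined($type, $valuename, $numchar, $errormsg)
{
    $expression = NULL;

    // $_POST is read through this so a missing field yields "" instead of an
    // undefined-index notice.
    $post = function ($key) {
        return isset($_POST[$key]) ? $_POST[$key] : "";
    };

    switch ($type) {
        case "any":
            $expression = "/^[\\S\\s]*\$/";
            break;

        case "date":
            // A date arrives as three inputs (_dd, _mm, _yyyy) which are
            // re-assembled into a single YYYY-MM-DD string.
            if ($errormsg == "") {
                $translation = language_translate_string($_SESSION["user"]["lang"], $valuename);
                $errormsg = "Invalid {$translation} supplied, please correct.";
            }

            $date_dd   = intval($post($valuename . "_dd"));
            $date_mm   = intval($post($valuename . "_mm"));
            $date_yyyy = intval($post($valuename . "_yyyy"));

            // initialised up front - the flag used to be left unset on the
            // success path
            $date_invalid = false;

            if ($numchar) {
                // required field: every part must be in range
                if ($date_dd < 1 || $date_dd > 31
                    || $date_mm < 1 || $date_mm > 12
                    || $date_yyyy < 1600 || $date_yyyy > 2999) {
                    $date_invalid = true;
                }
            } else {
                // optional field, but whatever was supplied must still be sane
                if ($date_dd > 31 || $date_mm > 12 || $date_yyyy > 2999) {
                    $date_invalid = true;
                }
            }

            // either all three parts are filled in or none of them
            $parts_set = ($date_dd ? 1 : 0) + ($date_mm ? 1 : 0) + ($date_yyyy ? 1 : 0);
            if ($parts_set != 0 && $parts_set != 3) {
                $date_invalid = true;
            }

            // range checks alone accept e.g. 30 February; verify the calendar date
            if ($parts_set == 3 && !checkdate($date_mm, $date_dd, $date_yyyy)) {
                $date_invalid = true;
            }

            // zero-pad and join
            $date_final = sprintf("%04d-%02d-%02d", $date_yyyy, $date_mm, $date_dd);

            if ($date_invalid) {
                $_SESSION["error"]["message"][] = $errormsg;
                $_SESSION["error"]["" . $valuename . "-error"] = 1;
                $_SESSION["error"][$valuename] = 0;
            } else {
                // keep the value so the form can be re-populated after other errors
                $_SESSION["error"][$valuename] = $date_final;
            }

            return $date_final;

        case "hourmins":
            // hours and minutes are submitted as two fields and combined
            // into a number of seconds
            if ($errormsg == "") {
                $translation = language_translate_string($_SESSION["user"]["lang"], $valuename);
                $errormsg = "Invalid {$translation} supplied, please correct.";
            }

            $time_hh = intval($post($valuename . "_hh"));
            $time_mm = intval($post($valuename . "_mm"));

            $timestamp = $time_hh * 60 * 60 + $time_mm * 60;

            if ($numchar && $timestamp == 0) {
                // required but nothing (or 0:00) supplied
                $_SESSION["error"]["message"][] = $errormsg;
                $_SESSION["error"]["" . $valuename . "-error"] = 1;
                $_SESSION["error"][$valuename] = 0;
            } else {
                $_SESSION["error"][$valuename] = $timestamp;
            }

            return $timestamp;

        case "date_string":
            $expression = "/^[0-9]*-[0-9]*-[0-9]*\$/";
            break;

        case "int":
            $expression = "/^[0-9]*\$/";
            break;

        case "money":
            if ($errormsg == "") {
                $translation = language_translate_string($_SESSION["user"]["lang"], $valuename);
                $errormsg = "Invalid {$translation} supplied, please correct.";
            }

            // strip the configured currency symbol and thousands separator and
            // normalise the decimal separator to "." before validating
            $config_array = array(
                $GLOBALS["config"]["CURRENCY_DEFAULT_SYMBOL"],
                $GLOBALS["config"]["CURRENCY_DEFAULT_THOUSANDS_SEPARATOR"],
                $GLOBALS["config"]["CURRENCY_DEFAULT_DECIMAL_SEPARATOR"],
            );
            $default_array = array("", "", ".");

            // security_form_input() reads the field from $_POST, so write the
            // normalised string back
            $_POST[$valuename] = str_replace($config_array, $default_array, $post($valuename));

            // digits with at most one decimal point; the previous pattern left
            // the "." unescaped, which let one arbitrary character through
            $expression = "/^(?:[0-9]+\\.?[0-9]*|\\.[0-9]*)\$/";

            $value = security_form_input($expression, $valuename, $numchar, $errormsg);

            // pad to two decimal places
            if ($value != "error") {
                $value = sprintf("%0.2f", $value);
            }

            // a required amount of 0.00 is treated as not supplied
            if ($numchar && $value == "0.00") {
                $_SESSION["error"]["message"][] = $errormsg;
                $_SESSION["error"]["" . $valuename . "-error"] = 1;
                $_SESSION["error"][$valuename] = 0;
            }

            return $value;

        case "float":
            // accept either a plain integer or a decimal number
            if (preg_match("/^[0-9]*\$/", $post($valuename))) {
                $expression = "/^[0-9]*\$/";
            } else {
                // "." is escaped - the previous pattern matched any character
                $expression = "/^[0-9]*\\.[0-9]*\$/";
            }
            break;

        case "email":
            $expression = "/^([A-Za-z0-9._-])+\\@(([A-Za-z0-9-])+\\.)+([A-Za-z0-9])+\$/";
            break;

        case "multiple_email":
            // a single address, optionally wrapped in <>
            $email_regex = "/^<?(([A-Za-z0-9._-])+\\@(([A-Za-z0-9-])+\\.)+([A-Za-z0-9])+)>?\$/";

            // the whole comma/space separated list
            $expression = "/^(([A-Za-z0-9._-])+\\@(([A-Za-z0-9-])+\\.)+([A-Za-z0-9])+,?\\s?)+\$/";

            if ($errormsg == "") {
                $translation = language_translate_string($_SESSION["user"]["lang"], $valuename);
                $errormsg = "Invalid {$translation} supplied, please correct.";
            }

            // split at whitespace and commas and keep only the parts that look
            // like an address (anything else is silently dropped, as before)
            $email_addresses = array();
            foreach (preg_split("/[\\s,]+/", $post($valuename)) as $email_address_string_part) {
                // preg_match() leaves $matches empty on no match, so test the
                // return value rather than $matches[1]
                if (preg_match($email_regex, $email_address_string_part, $matches)) {
                    $email_addresses[] = $matches[1];
                }
            }

            $new_email_address_string = implode(", ", $email_addresses);

            if ($new_email_address_string == "" && !$numchar) {
                // optional field left blank
                $_SESSION["error"][$valuename] = "";
                return "";
            }

            // re-validate the rebuilt list as a whole
            if (preg_match($expression, $new_email_address_string, $matches)
                && $matches[0] == $new_email_address_string) {
                $_SESSION["error"][$valuename] = $new_email_address_string;
                return $new_email_address_string;
            }

            // previously "error" was returned without recording anything, so
            // callers that check $_SESSION["error"]["message"] never saw the
            // failure and stored the literal string "error"
            $_SESSION["error"]["message"][] = $errormsg;
            $_SESSION["error"]["" . $valuename . "-error"] = 1;
            $_SESSION["error"][$valuename] = 0;
            return "error";

        case "ipv4":
            $expression = "/^(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)(?:[.](?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)){3}\$/";
            break;

        case "ipv4_cidr":
            // optional "/0".."/32" prefix; the previous "[\/]*[1-9]*" tail
            // rejected /10, /20, /30 and accepted "//" and "/999"
            $expression = "/^(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)(?:[.](?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)){3}(?:\\/(?:[0-9]|[12][0-9]|3[0-2]))?\$/";
            break;

        case "ipv6":
            $address = $post($valuename);

            if (filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
                return $address;
            }

            $_SESSION["error"]["message"][] = "Provided address is not a valid IPv6 address";
            $_SESSION["error"]["" . $valuename . "-error"] = 1;
            $_SESSION["error"][$valuename] = 0;
            return "error";

        case "ipv6_cidr":
            // split() was removed in PHP 7; explode() is the equivalent for a
            // literal separator
            $cidr_parts = explode("/", $post($valuename), 2);
            $network    = $cidr_parts[0];
            $cidr       = isset($cidr_parts[1]) ? $cidr_parts[1] : "";

            // the prefix length used to be returned unchecked; require 0-128
            $cidr_valid = preg_match("/^[0-9]{1,3}\$/", $cidr) && intval($cidr) <= 128;

            if ($cidr_valid && filter_var($network, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
                return "{$network}/{$cidr}";
            }

            if ($cidr_valid) {
                $_SESSION["error"]["message"][] = "Provided address is not a valid IPv6 address";
            } else {
                $_SESSION["error"]["message"][] = "Provided prefix length is not valid for an IPv6 address";
            }
            $_SESSION["error"]["" . $valuename . "-error"] = 1;
            $_SESSION["error"][$valuename] = 0;
            return "error";

        case "checkbox":
            // any truthy submission counts as checked
            $checked = $post($valuename) ? 1 : 0;
            $_SESSION["error"][$valuename] = $checked;
            return $checked;

        default:
            // $type is supplied by calling code, not by the user
            print "Warning: No such security check for type {$type}<br>";
            $expression = "/^[\\S\\s]*\$/";
            break;
    }

    return security_form_input($expression, $valuename, $numchar, $errormsg);
}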
/* Form Input */ $obj_name_server_group = new name_server_group(); $obj_name_server_group->id = security_form_input_predefined("int", "id_name_server_group", 0, ""); // are we editing an existing server group or adding a new one? if ($obj_name_server_group->id) { if (!$obj_name_server_group->verify_id()) { log_write("error", "process", "The name server group you have attempted to edit - " . $obj_name_server_group->id . " - does not exist in this system."); } else { // load existing data $obj_name_server_group->load_data(); } } // basic fields $obj_name_server_group->data["group_name"] = security_form_input("/^\\w*\$/", "group_name", 1, "Group name must be a alpha numeric word with optional underscores - no spaces or other symbols."); $obj_name_server_group->data["group_description"] = security_form_input_predefined("any", "group_description", 0, ""); /* Verify Data */ // ensure the group name is unique if (!$obj_name_server_group->verify_group_name()) { log_write("error", "process", "The requested group name already exists, have you checked that the group you're trying to add doesn't already exist?"); error_flag_field("group_name"); } /* Process Data */ if (error_check()) { if ($obj_name_server_group->id) { $_SESSION["error"]["form"]["name_server_group_edit"] = "failed";
$obj_name_server->data["route53_access_key"] = security_form_input_predefined("any", "route53_access_key", 1, ""); $obj_name_server->data["route53_secret_key"] = security_form_input_predefined("any", "route53_secret_key", 0, ""); // we store both credentials in the single api filed as serialized keys if (empty($obj_name_server->data["route53_secret_key"]) && !empty($obj_name_server->data["api_auth_key"])) { // we have existing credetials, unserize the old secret key and pass it back. $keys = unserialize($obj_name_server->data["api_auth_key"]); $obj_name_server->data["route53_secret_key"] = $keys["route53_secret_key"]; } else { // new credentials,generate an array to serialize $keys = array('route53_access_key' => $obj_name_server->data["route53_access_key"], 'route53_secret_key' => $obj_name_server->data["route53_secret_key"]); } $obj_name_server->data["api_auth_key"] = serialize($keys); break; case "api": default: $obj_name_server->data["server_name"] = security_form_input("/^\\S*\$/", "server_name", 1, "Must be a valid hostname."); $obj_name_server->data["server_primary"] = security_form_input_predefined("checkbox", "server_primary", 0, ""); $obj_name_server->data["server_record"] = security_form_input_predefined("checkbox", "server_record", 0, ""); $obj_name_server->data["api_auth_key"] = security_form_input_predefined("any", "api_auth_key", 1, ""); break; } // Other basic fields $obj_name_server->data["server_description"] = security_form_input_predefined("any", "server_description", 0, ""); $obj_name_server->data["id_group"] = security_form_input_predefined("int", "id_group", 1, ""); /* Verify Data */ // ensure the server name is unique if (!$obj_name_server->verify_server_name()) { log_write("error", "process", "The requested server name already exists, have you checked that the server you're trying to add doesn't already exist?"); error_flag_field("server_name");