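/**
 * Authenticates the posted username/password against the stored salted hash.
 *
 * On success the display name, email and clearance are stored in
 * $_SESSION['user'] and a 30-day 'username' cookie is set.
 *
 * @return bool TRUE when the credentials match and AdminUtilities::check_session()
 *              passes; FALSE for missing/invalid input, an unknown user or a
 *              non-matching password
 */
public function login()
{
    // Validate the username before anything else; the password is only ever fed
    // to the salted-hash routine and is never logged or stored in clear
    if (!isset($_POST['username'], $_POST['password'])
        || SIV::validate($_POST['username'], SIV::USERNAME) !== TRUE) {
        return FALSE;
    }

    $username = $_POST['username'];
    $password = $_POST['password'];
    FB::log($username, "Username");

    // Load user data that matches the supplied username
    $userdata = $this->get_user_data($username);

    // Every field read below must be present.  The original OR-chain let a partial
    // record through and then tripped on undefined indexes; it also logged the
    // whole record (including the password hash) to FirePHP, which is dropped here.
    $required = array('email', 'password', 'username', 'display', 'clearance');
    foreach ($required as $field) {
        if (!is_array($userdata) || !array_key_exists($field, $userdata)) {
            return FALSE;
        }
    }

    $db_pass = $userdata['password'];
    $derived = $this->createSaltedHash($password, $db_pass);

    // Constant-time comparison; neither hash is written to the log
    $hashes_match = is_string($db_pass) && is_string($derived) && hash_equals($db_pass, $derived);
    FB::log($hashes_match, "Passwords Match");

    if (!$hashes_match || !AdminUtilities::check_session()) {
        return FALSE;
    }

    // Rotate the session id on privilege change so a pre-login id cannot be reused
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(TRUE);
    }

    // Save the user data in a session variable
    $_SESSION['user'] = array(
        'name' => $userdata['display'],
        'email' => $userdata['email'],
        'clearance' => $userdata['clearance'],
    );
    FB::log($_SESSION, "Session");

    // Remember the username (not a credential) for 30 days
    setcookie('username', $username, time() + 2592000, '/');

    return TRUE;
}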
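/**
 * Resolves the requested URI either to a real file under the document root
 * (which is then included and execution stops) or to an array of URI segments
 * for the front controller to dispatch.
 *
 * @return array URI segments; element 0 falls back to DB_Actions::get_default_page()
 */
public static function read_url()
{
    // Document root, normalised to a trailing slash
    $root = dirname($_SERVER['SCRIPT_FILENAME']);
    if (substr($root, -1) !== '/') {
        $root .= '/';
    }

    // Subfolder the front controller lives in, or '/' at the top level
    $sublevels = dirname($_SERVER['SCRIPT_NAME']);

    // Load the URI
    $address_bar_uri = $_SERVER['REQUEST_URI'];

    // Strip the subfolder prefix only.  The original str_replace() removed the
    // substring wherever it occurred and passed NULL as the replacement, which is
    // deprecated since PHP 8.1.
    if ($sublevels !== '/' && strpos($address_bar_uri, $sublevels) === 0) {
        $to_parse = substr($address_bar_uri, strlen($sublevels));
    } else {
        $to_parse = $address_bar_uri;
    }

    // Separate URI variables from the query string
    $script_vars = explode('?', $to_parse);
    $request = $script_vars[0];

    // Collapse doubled slashes
    $absolute_file_path = str_replace('//', '/', $root . $request);

    // Only serve a file that resolves INSIDE the document root; realpath() collapses
    // any '..' segments so a traversal attempt cannot escape $root
    $root_real = realpath($root);
    $resolved = realpath($absolute_file_path);
    $inside_root = $root_real !== FALSE && $resolved !== FALSE
        && strpos($resolved . '/', rtrim($root_real, '/') . '/') === 0;

    if ($inside_root && $request !== "/") {
        // A directory request means its index.php.  The original appended the name
        // to $request only and then tried to require the directory itself.
        if (is_dir($resolved)) {
            $resolved = rtrim($resolved, '/') . '/index.php';
        }

        // Never re-include the front controller that is already running.  The
        // original compared against SCRIPT_NAME (a URL path), which can never equal
        // a filesystem path -- presumably SCRIPT_FILENAME was meant.
        if (is_file($resolved) && $resolved !== realpath($_SERVER['SCRIPT_FILENAME'])) {
            FB::log($resolved, "Requested File");
            require_once $resolved;
            exit;
        }
    }

    // Otherwise treat the path as URI variables
    $url = SIV::clean_output($request, FALSE, FALSE);
    $url_array = explode("/", $url);
    array_shift($url_array);

    if (!isset($url_array[0]) || strlen($url_array[0]) < 1) {
        $url_array[0] = DB_Actions::get_default_page();
    }

    return $url_array;
}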
/**
 * Lists the entries (id and title) whose comment notifications the given
 * address is subscribed to.
 *
 * @param string $email address to look up; must pass SIV::EMAIL validation
 * @return array|null   rows as stdClass objects with entry_id and title; NULL when
 *                      the address fails validation or PDO throws (both are logged
 *                      through ECMS_Error::log_exception)
 */
protected function get_comment_subscriptions_by_email($email)
{
    $comments = DB_PREFIX . 'comments';
    $entries_table = DB_PREFIX . 'entries';

    $sql = "SELECT\n `{$comments}`.`entry_id`,\n `{$entries_table}`.`title`\n FROM `" . DB_NAME . "`.`{$comments}`\n LEFT JOIN `" . DB_NAME . "`.`{$entries_table}`\n USING( `entry_id` )\n WHERE `{$comments}`.`email`=:email\n AND `subscribed`=1\n ORDER BY `title`";

    try {
        // Refuse anything that is not a well-formed address before it reaches the DB
        if (!SIV::validate($email, SIV::EMAIL)) {
            ECMS_Error::log_exception(new Exception('Invalid email!'));
            return NULL;
        }

        $stmt = $this->db->prepare($sql);
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();

        $rows = $stmt->fetchAll(PDO::FETCH_OBJ);
        $stmt->closeCursor();

        return $rows;
    } catch (Exception $e) {
        ECMS_Error::log_exception($e);
    }
}
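/**
 * Inserts or updates a menu page row from the posted form fields.
 *
 * Only the columns listed in $columns are read from $_POST.  The original
 * assigned every posted key to a variable-variable (${$key}), which let a client
 * define or clobber arbitrary locals in this method.
 *
 * @return bool|null TRUE when the statement reported SQLSTATE 00000, FALSE otherwise;
 *                   NULL when PDO threw (the exception is logged)
 */
public function update_menu()
{
    // column => PDO type; anything else in $_POST is ignored
    $columns = array(
        'page_id' => PDO::PARAM_INT,
        'page_name' => PDO::PARAM_STR,
        'page_slug' => PDO::PARAM_STR,
        'type' => PDO::PARAM_STR,
        'menu_order' => PDO::PARAM_INT,
        'show_full' => PDO::PARAM_INT,
        'hide_in_menu' => PDO::PARAM_INT,
        'parent_id' => PDO::PARAM_INT,
        'extra' => PDO::PARAM_STR,
    );

    // Clean each expected field; a missing field binds as NULL (the original read
    // an undefined variable there, which also yielded NULL plus a notice)
    $values = array();
    foreach ($columns as $column => $type) {
        $values[$column] = array_key_exists($column, $_POST)
            ? SIV::clean_output($_POST[$column], FALSE, FALSE)
            : NULL;
    }

    $sql = 'INSERT INTO `' . DB_NAME . '`.`' . DB_PREFIX . 'pages` ( `page_id`, `page_name`, `page_slug`, `type`, `menu_order`, `show_full`, `hide_in_menu`, `parent_id`, `extra` ) VALUES ( :page_id, :page_name, :page_slug, :type, :menu_order, :show_full, :hide_in_menu, :parent_id, :extra ) ON DUPLICATE KEY UPDATE `page_name`=:page_name, `page_slug`=:page_slug, `type`=:type, `menu_order`=:menu_order, `show_full`=:show_full, `hide_in_menu`=:hide_in_menu, `parent_id`=:parent_id, `extra`=:extra';

    try {
        $stmt = $this->db->prepare($sql);
        foreach ($columns as $column => $type) {
            $stmt->bindValue(':' . $column, $values[$column], $type);
        }
        $stmt->execute();

        $result = $stmt->errorCode() === '00000';
        $stmt->closeCursor();

        return $result;
    } catch (Exception $e) {
        ECMS_Error::log_exception($e);
    }
}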
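/**
 * Instantiates the controller class for the page slug in $_REQUEST['page'].
 *
 * 'admin', 'menu' and 'comments' map to fixed classes; any other slug is looked
 * up with DB_Actions::get_page_data_by_slug() and its `type` column names the
 * class.  Failures go to ECMS_Error::log_exception(), which the original comments
 * describe as throwing and dying; this code relies on that not returning.
 *
 * @return object new instance of the resolved class, constructed with array($page)
 */
private static function _create_class()
{
    // Start from an empty slug so the error messages below never interpolate an
    // undefined variable (the original referenced $page before assigning it)
    $page = '';
    $page_data = NULL;
    $class = NULL;

    // Make sure the page conforms to the slug format
    if (isset($_REQUEST['page']) && SIV::validate($_REQUEST['page'], SIV::SLUG)) {
        $page = strtolower($_REQUEST['page']);
        $page_data = DB_Actions::get_page_data_by_slug($page);
    } else {
        // Throw an exception and die
        ECMS_Error::log_exception(new Exception("Page \"{$page}\" isn't valid."));
    }

    if ($page === 'admin') {
        // The Admin class is a special case, and needs to be loaded manually
        require_once CMS_PATH . 'core/helper/class.admin.inc.php';
        $class = 'Admin';
    } elseif ($page === 'menu') {
        $class = 'Menu';
    } elseif ($page === 'comments') {
        require_once CMS_PATH . 'core/helper/class.comments.inc.php';
        $class = 'Comments';
    } elseif (is_object($page_data)) {
        // Class name comes from the page record's `type` column
        $class = $page_data->type;
        if (empty($class)) {
            // Throw an exception and die
            ECMS_Error::log_exception(new Exception("Page \"{$page}\" doesn't actually exist."));
        }
    } else {
        // Throw an exception and die
        ECMS_Error::log_exception(new Exception("Unsupported page type \"{$page}\" supplied."));
    }

    // Create a new instance of the appropriate class
    return new $class(array($page));
}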
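/**
 * Unsubscribes an email address from comment notifications on every entry the
 * user did NOT leave ticked in the form.  Cancelling (no submit key) redirects
 * to SITE_URL instead.
 *
 * @return bool|null TRUE after the update ran; FALSE when no valid email was posted;
 *                   NULL when PDO threw (the exception is logged)
 */
public function update_notification_settings()
{
    // Cancel button: nothing to change
    if (!array_key_exists('comment-notification-submit', $_POST)) {
        header('Location: ' . SITE_URL);
        exit;
    }

    // Entries the user still wants are excluded from the update; with none ticked
    // every subscription goes.  The original left $where_clause unset for an empty
    // 'entries' array, producing 'AND (  )' and a SQL syntax error.
    $keep = array();
    if (array_key_exists('entries', $_POST) && is_array($_POST['entries'])) {
        foreach ($_POST['entries'] as $entry_id) {
            // The integer cast is what makes interpolating this value into SQL safe
            $keep[] = ' `entry_id`<>' . (int) $entry_id;
        }
    }
    $where_clause = count($keep) > 0 ? implode(' OR', $keep) : 1;

    // Extract the email and validate it; without a valid address the UPDATE would
    // silently match nothing, so stop here instead
    $email = NULL;
    if (array_key_exists('email', $_POST)) {
        $decoded_email = Utilities::hextostr($_POST['email']);
        if (SIV::validate($decoded_email, SIV::EMAIL)) {
            $email = $decoded_email;
        }
    }
    if ($email === NULL) {
        ECMS_Error::log_exception(new Exception("Invalid email!"));
        return FALSE;
    }

    // Build the SQL query
    $sql = "UPDATE `" . DB_NAME . "`.`" . DB_PREFIX . "comments`\n SET `subscribed`=0\n WHERE email = :email\n AND ( {$where_clause} )";

    try {
        $stmt = $this->db->prepare($sql);
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        $stmt->closeCursor();

        return TRUE;
    } catch (Exception $e) {
        ECMS_Error::log_exception($e);
    }
}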
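/**
 * Redirects to the pretty search URL for the posted search string.
 *
 * @return void never returns normally: sends a Location header and exits
 */
public function handle_search()
{
    // A missing field searches for the empty string instead of raising a notice
    $raw = isset($_POST['search_string']) ? $_POST['search_string'] : '';

    // clean_output strips unsafe content and urlencode leaves no CR/LF in the
    // value, which is what keeps the Location header a single line
    $search_string = urlencode(SIV::clean_output($raw, FALSE, FALSE));

    header('Location: /search/' . $search_string);
    exit;
}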