X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=mod%2Fdfrn_request.php;h=16a2da55607cca309f96959d8134ceefa1658e29;hb=d7d685ad6b06c398873e4e530f3d99b988319e5b;hp=fdb1a42ee292ac1810ba2b215b0ac7b91b86d86c;hpb=8a46c786f37550160d81e7b7ecbcacb4c9fff493;p=friendica.git diff --git a/mod/dfrn_request.php b/mod/dfrn_request.php index fdb1a42ee2..16a2da5560 100644 --- a/mod/dfrn_request.php +++ b/mod/dfrn_request.php @@ -28,6 +28,7 @@ use Friendica\Module\Login; use Friendica\Network\Probe; use Friendica\Util\DateTimeFormat; use Friendica\Util\Network; +use Friendica\Util\Strings; require_once 'include/enotify.php'; @@ -63,7 +64,7 @@ function dfrn_request_post(App $a) return; } - if (x($_POST, 'cancel')) { + if (!empty($_POST['cancel'])) { $a->internalRedirect(); } @@ -72,22 +73,22 @@ function dfrn_request_post(App $a) * to confirm the request, and then we've clicked submit (perhaps after logging in). * That brings us here: */ - if ((x($_POST, 'localconfirm')) && ($_POST['localconfirm'] == 1)) { + if (!empty($_POST['localconfirm']) && ($_POST['localconfirm'] == 1)) { // Ensure this is a valid request - if (local_user() && ($a->user['nickname'] == $a->argv[1]) && (x($_POST, 'dfrn_url'))) { - $dfrn_url = notags(trim($_POST['dfrn_url'])); - $aes_allow = (((x($_POST, 'aes_allow')) && ($_POST['aes_allow'] == 1)) ? 1 : 0); - $confirm_key = ((x($_POST, 'confirm_key')) ? $_POST['confirm_key'] : ""); - $hidden = ((x($_POST, 'hidden-contact')) ? intval($_POST['hidden-contact']) : 0); + if (local_user() && ($a->user['nickname'] == $a->argv[1]) && !empty($_POST['dfrn_url'])) { + $dfrn_url = Strings::escapeTags(trim($_POST['dfrn_url'])); + $aes_allow = !empty($_POST['aes_allow']); + $confirm_key = defaults($_POST, 'confirm_key', ""); + $hidden = (!empty($_POST['hidden-contact']) ? intval($_POST['hidden-contact']) : 0); $contact_record = null; - $blocked = 1; - $pending = 1; + $blocked = 1; + $pending = 1; - if (x($dfrn_url)) { + if (!empty($dfrn_url)) { // Lookup the contact based on their URL (which is the only unique thing we have at the moment) $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `nurl` = '%s' AND NOT `self` LIMIT 1", intval(local_user()), - DBA::escape(normalise_link($dfrn_url)) + DBA::escape(Strings::normaliseLink($dfrn_url)) ); if (DBA::isResult($r)) { @@ -114,10 +115,10 @@ function dfrn_request_post(App $a) notice(L10n::t('Profile location is not valid or does not contain profile information.') . EOL); return; } else { - if (!x($parms, 'fn')) { + if (empty($parms['fn'])) { notice(L10n::t('Warning: profile location has no identifiable owner name.') . EOL); } - if (!x($parms, 'photo')) { + if (empty($parms['photo'])) { notice(L10n::t('Warning: profile location has no profile photo.') . EOL); } $invalid = Probe::validDfrn($parms); @@ -141,7 +142,7 @@ function dfrn_request_post(App $a) intval(local_user()), DateTimeFormat::utcNow(), DBA::escape($dfrn_url), - DBA::escape(normalise_link($dfrn_url)), + DBA::escape(Strings::normaliseLink($dfrn_url)), $parms['addr'], $parms['fn'], $parms['nick'], @@ -237,7 +238,7 @@ function dfrn_request_post(App $a) $blocked = 1; $pending = 1; - if (x($_POST, 'dfrn_url')) { + if (!empty($_POST['dfrn_url'])) { // Block friend request spam if ($maxreq) { $r = q("SELECT * FROM `intro` WHERE `datetime` > '%s' AND `uid` = %d", @@ -269,7 +270,7 @@ function dfrn_request_post(App $a) } } - $real_name = x($_POST, 'realname') ? notags(trim($_POST['realname'])) : ''; + $real_name = !empty($_POST['realname']) ? Strings::escapeTags(trim($_POST['realname'])) : ''; $url = trim($_POST['dfrn_url']); if (!strlen($url)) { @@ -320,7 +321,7 @@ function dfrn_request_post(App $a) } } - $issued_id = random_string(); + $issued_id = Strings::getRandomHex(); if (is_array($contact_record)) { // There is a contact record but no issued-id, so this @@ -355,10 +356,10 @@ function dfrn_request_post(App $a) notice(L10n::t('Profile location is not valid or does not contain profile information.') . EOL); $a->internalRedirect($a->cmd); } else { - if (!x($parms, 'fn')) { + if (empty($parms['fn'])) { notice(L10n::t('Warning: profile location has no identifiable owner name.') . EOL); } - if (!x($parms, 'photo')) { + if (empty($parms['photo'])) { notice(L10n::t('Warning: profile location has no profile photo.') . EOL); } $invalid = Probe::validDfrn($parms); @@ -380,7 +381,7 @@ function dfrn_request_post(App $a) intval($uid), DBA::escape(DateTimeFormat::utcNow()), $parms['url'], - DBA::escape(normalise_link($url)), + DBA::escape(Strings::normaliseLink($url)), $parms['addr'], $parms['fn'], $parms['nick'], @@ -415,15 +416,15 @@ function dfrn_request_post(App $a) return; } - $hash = random_string() . (string) time(); // Generate a confirm_key + $hash = Strings::getRandomHex() . (string) time(); // Generate a confirm_key if (is_array($contact_record)) { $ret = q("INSERT INTO `intro` ( `uid`, `contact-id`, `blocked`, `knowyou`, `note`, `hash`, `datetime`) VALUES ( %d, %d, 1, %d, '%s', '%s', '%s' )", intval($uid), intval($contact_record['id']), - ((x($_POST,'knowyou') && ($_POST['knowyou'] == 1)) ? 1 : 0), - DBA::escape(notags(trim(defaults($_POST, 'dfrn-request-message', '')))), + intval(!empty($_POST['knowyou'])), + DBA::escape(Strings::escapeTags(trim(defaults($_POST, 'dfrn-request-message', '')))), DBA::escape($hash), DBA::escape(DateTimeFormat::utcNow()) ); @@ -483,7 +484,7 @@ function dfrn_request_content(App $a) // "Homecoming". Make sure we're logged in to this site as the correct user. Then offer a confirm button // to send us to the post section to record the introduction. - if (x($_GET, 'dfrn_url')) { + if (!empty($_GET['dfrn_url'])) { if (!local_user()) { info(L10n::t("Please login to confirm introduction.") . EOL); /* setup the return URL to come back to this page if they use openid */ @@ -497,12 +498,12 @@ function dfrn_request_content(App $a) return Login::form(); } - $dfrn_url = notags(trim(hex2bin($_GET['dfrn_url']))); - $aes_allow = x($_GET, 'aes_allow') && $_GET['aes_allow'] == 1 ? 1 : 0; - $confirm_key = x($_GET, 'confirm_key') ? $_GET['confirm_key'] : ""; + $dfrn_url = Strings::escapeTags(trim(hex2bin($_GET['dfrn_url']))); + $aes_allow = !empty($_GET['aes_allow']); + $confirm_key = defaults($_GET, 'confirm_key', ""); // Checking fastlane for validity - if (x($_SESSION, "fastlane") && (normalise_link($_SESSION["fastlane"]) == normalise_link($dfrn_url))) { + if (!empty($_SESSION['fastlane']) && (Strings::normaliseLink($_SESSION["fastlane"]) == Strings::normaliseLink($dfrn_url))) { $_POST["dfrn_url"] = $dfrn_url; $_POST["confirm_key"] = $confirm_key; $_POST["localconfirm"] = 1; @@ -530,7 +531,7 @@ function dfrn_request_content(App $a) 'dfrn_rawurl' => $_GET['dfrn_url'] ]); return $o; - } elseif ((x($_GET, 'confirm_key')) && strlen($_GET['confirm_key'])) { + } elseif (!empty($_GET['confirm_key'])) { // we are the requestee and it is now safe to send our user their introduction, // We could just unblock it, but first we have to jump through a few hoops to // send an email, or even to find out if we need to send an email. @@ -606,9 +607,9 @@ function dfrn_request_content(App $a) // Try to auto-fill the profile address // At first look if an address was provided // Otherwise take the local address - if (x($_GET, 'addr') && ($_GET['addr'] != "")) { + if (!empty($_GET['addr'])) { $myaddr = hex2bin($_GET['addr']); - } elseif (x($_GET, 'address') && ($_GET['address'] != "")) { + } elseif (!empty($_GET['address'])) { $myaddr = $_GET['address']; } elseif (local_user()) { if (strlen($a->getURLPath())) {