From 0e899620c7a065952d6787c236fb2b33ae337d6a Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Fri, 22 Feb 2008 23:00:19 +0000 Subject: [PATCH] reading and checking for session variables rewritten --- inc/doubler_send.php | 2 +- inc/extensions.php | 2 +- inc/extensions/ext-admins.php | 2 +- inc/functions.php | 77 +++++++++++---------- inc/gen_sql_patches.php | 4 +- inc/libs/admins_functions.php | 20 +++--- inc/libs/output_functions.php | 4 +- inc/libs/security_functions.php | 14 ++-- inc/libs/task_functions.php | 6 +- inc/load_extensions.php | 11 +-- inc/modules/admin.php | 16 ++--- inc/modules/admin/admin-inc.php | 10 +-- inc/modules/admin/overview-inc.php | 16 ++--- inc/modules/admin/what-add_rallye.php | 2 +- inc/modules/admin/what-extensions.php | 2 +- inc/modules/admin/what-list_task.php | 10 +-- inc/modules/admin/what-theme_edit.php | 7 +- inc/modules/chk_login.php | 4 +- inc/modules/guest/what-confirm.php | 2 - inc/modules/guest/what-login.php | 96 ++++++++------------------- inc/modules/member/what-logout.php | 4 +- inc/modules/member/what-mydata.php | 60 ++++++++--------- inc/modules/member/what-themes.php | 3 +- inc/mysql-connect.php | 5 +- inc/mysql-manager.php | 66 ++++++++---------- inc/session.php | 6 +- inc/theme-manager.php | 12 ++-- index.php | 4 +- lead-confirm.php | 6 +- 29 files changed, 207 insertions(+), 266 deletions(-) diff --git a/inc/doubler_send.php b/inc/doubler_send.php index fd72454f9a..e7ad280fcb 100644 --- a/inc/doubler_send.php +++ b/inc/doubler_send.php @@ -52,7 +52,7 @@ if ($DOUBLER_POINTS == 0) // If not currently doubled set it to zero unset($_GET['DOUBLER_UID']); unset($_POST['DOUBLER_UID']); -unset($_SESSION['DOUBLER_UID']); +set_session('DOUBLER_UID', ""); if (empty($DOUBLER_UID)) $DOUBLER_UID = "0"; // Check for doubles which we can pay out diff --git a/inc/extensions.php b/inc/extensions.php index 3e301719a8..ddb3cb813e 100644 --- a/inc/extensions.php +++ b/inc/extensions.php 
@@ -433,7 +433,7 @@ function EXTENSION_UPDATE($file, $ext, $EXT_VER, $dry_run=false) { // Task not created so it's a brand-new extension which we need to register and create a task for! $result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (assigned_admin, userid, status, task_type, subject, text, task_created) VALUES ('%s', '0', 'NEW', 'EXTENSION_UPDATE', '%s', '%s', UNIX_TIMESTAMP())", - array(GET_ADMIN_ID(SQL_ESCAPE($_SESSION['admin_login'])), $ext_subj, addslashes($NOTES)), __FILE__, __LINE__); + array(GET_ADMIN_ID(SQL_ESCAPE(get_session('admin_login'))), $ext_subj, addslashes($NOTES)), __FILE__, __LINE__); } // Free memory diff --git a/inc/extensions/ext-admins.php b/inc/extensions/ext-admins.php index ba5b7225b2..3588605375 100644 --- a/inc/extensions/ext-admins.php +++ b/inc/extensions/ext-admins.php @@ -96,7 +96,7 @@ case "update": // Update an extension $SQLs[] = "ALTER TABLE "._MYSQL_PREFIX."_admins ADD default_acl enum('deny', 'allow') not null default 'deny'"; // But allow current admin everything (THIS SHALL BE YOU!) - $SQLs[] = "UPDATE "._MYSQL_PREFIX."_admins SET default_acl='allow' WHERE login='".$_SESSION['admin_login']."' LIMIT 1"; + $SQLs[] = "UPDATE "._MYSQL_PREFIX."_admins SET default_acl='allow' WHERE login='".get_session('admin_login')."' LIMIT 1"; $SQLs[] = "DROP TABLE IF EXISTS "._MYSQL_PREFIX."_admins_acls"; $SQLs[] = "CREATE TABLE "._MYSQL_PREFIX."_admins_acls ( id bigint(20) not null auto_increment, diff --git a/inc/functions.php b/inc/functions.php index 30106b2973..f6fbbb1cc6 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -638,15 +638,11 @@ function TRANSLATE_STATUS($status) return $ret; } // -function GET_LANGUAGE() -{ - if (!empty($_GET['mx_lang'])) - { +function GET_LANGUAGE() { + if (!empty($_GET['mx_lang'])) { // Accept only first 2 chars $lang = substr($_GET['mx_lang'], 0, 2); - } - else - { + } else { // Do nothing $lang = ""; } 
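Review bot: `SQL_ESCAPE(get_session('admin_login'))` escapes the login twice, since the new `get_session()` (functions.php hunk at `@@ -2120`) already returns `SQL_ESCAPE($_SESSION[$var])`, and `SQL_QUERY_ESC` presumably escapes the `'%s'` argument once more. For plain alphanumeric logins this is a no-op, but a login containing a quote or backslash is looked up under a different string than the one stored, so the task ends up assigned to nobody. The same double call appears in functions.php `LOAD_EMAIL_TEMPLATE`, admin.php (`CHECK_ADMIN_COOKIES(...)` and the `set_session("admin_md5"/"admin_login", SQL_ESCAPE(...))` chain) and admin-inc.php `ADMIN_DO_ACTION`. At this site the argument should be `GET_ADMIN_ID(get_session('admin_login'))`, with escaping left to the query layer.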
@@ -655,25 +651,20 @@ function GET_LANGUAGE() $ret = DEFAULT_LANG; // Check GET variable and cookie - if (!empty($lang)) - { + if (!empty($lang)) { // Check if main language file does exist - if (file_exists(PATH."inc/language/".$lang.".php")) - { + if (file_exists(PATH."inc/language/".$lang.".php")) { // Okay found, so let's update cookies SET_LANGUAGE($lang); } - } - elseif (!empty($_SESSION['mx_lang'])) - { + } elseif (!isSessionVariableSet('mx_lang')) { // Return stored value from cookie - $ret = $_SESSION['mx_lang']; + $ret = get_session('mx_lang'); } return $ret; } // -function SET_LANGUAGE($lang) -{ +function SET_LANGUAGE($lang) { global $_CONFIG; // Accept only first 2 chars! @@ -681,9 +672,6 @@ function SET_LANGUAGE($lang) // Set cookie set_session("mx_lang", $lang); - - // Set array - $_SESSION['mx_lang'] = $lang; } // function LOAD_EMAIL_TEMPLATE($template, $content="", $UID="0") @@ -699,11 +687,10 @@ function LOAD_EMAIL_TEMPLATE($template, $content="", $UID="0") $HTTP_USER_AGENT = getenv('HTTP_USER_AGENT'); $ADMIN = MAIN_TITLE; - if (!empty($_SESSION['admin_login'])) - { + if (isSessionVariableSet('admin_login')) { // Load Admin data $result = SQL_QUERY_ESC("SELECT email FROM "._MYSQL_PREFIX."_admins WHERE login='%s' LIMIT 1", - array(SQL_ESCAPE($_SESSION['admin_login'])), __FILE__, __LINE__); + array(SQL_ESCAPE(get_session('admin_login'))), __FILE__, __LINE__); list($ADMIN) = SQL_FETCHROW($result); SQL_FREERESULT($result); } 
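Review bot: The rewritten branch `} elseif (!isSessionVariableSet('mx_lang')) {` inverts the original `!empty($_SESSION['mx_lang'])` test: it is taken exactly when no stored language exists, returns `get_session('mx_lang')`, which is `null` in that case, and a user who does have `mx_lang` in the session falls through to `DEFAULT_LANG`. The `!` has to go: `} elseif (isSessionVariableSet('mx_lang')) {`. Callers concatenate the result into include paths (`cache_".GET_LANGUAGE().".php"` in the load_extensions.php hunk), so the `null` return yields `cache_.php` today, and for the same reason the stored value should be re-bounded on the way out, e.g. `$ret = substr(get_session('mx_lang'), 0, 2);`, matching the two-character rule `SET_LANGUAGE()` applies on the way in, rather than trusting whatever ends up in the session.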
@@ -1221,12 +1208,12 @@ function GEN_RANDOM_CODE($length, $code, $uid, $DATA="") $data = $code.":".$uid.":".$DATA; // Add more additional data - if (isset($_SESSION['u_hash'])) $data .= ":".$_SESSION['u_hash']; - if (isset($GLOBALS['userid'])) $data .= ":".$GLOBALS['userid']; - if (isset($_SESSION['lifetime'])) $data .= ":".$_SESSION['lifetime']; - if (isset($_SESSION['mxchange_theme'])) $data .= ":".$_SESSION['mxchange_theme']; - if (isset($_SESSION['mx_lang'])) $data .= ":".$_SESSION['mx_lang']; - if (isset($GLOBALS['refid'])) $data .= ":".$GLOBALS['refid']; + if (isSessionVariableSet('u_hash')) $data .= ":".get_session('u_hash'); + if (isset($GLOBALS['userid'])) $data .= ":".$GLOBALS['userid']; + if (isSessionVariableSet('lifetime')) $data .= ":".get_session('lifetime'); + if (isSessionVariableSet('mxchange_theme')) $data .= ":".get_session('mxchange_theme'); + if (isSessionVariableSet('mx_lang')) $data .= ":".GET_LANGUAGE(); + if (isset($GLOBALS['refid'])) $data .= ":".$GLOBALS['refid']; // Calculate number for generating the code $a = $code + _ADD - 1; @@ -2036,8 +2023,8 @@ function FIX_DELETED_COOKIES ($cookies) { // Then check all cookies if they are marked as deleted! foreach ($cookies as $cookieName) { // Is the cookie set to "deleted"? - if ((isset($_SESSION[$cookieName])) && ($_SESSION[$cookieName] == "deleted")) { - unset($_SESSION[$cookieName]); + if (get_session($cookieName) == "deleted") { + set_session($cookieName, ""); } } } @@ -2095,12 +2082,12 @@ function set_session ($var, $value) { $var = trim(SQL_ESCAPE($var)); $value = trim($value); // Is the session variable set? - if (("".$value."" == "") && (isset($_SESSION[$var]))) { + if (("".$value."" == "") && (isSessionVariableSet($var))) { // Remove the session - //* DEBUG: */ echo "UNSET:".$var."=".$_SESSION[$var]."
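Review bot: On the `mx_lang` line, `GET_LANGUAGE()` is not a substitute for the old `$_SESSION['mx_lang']`: it prefers `$_GET['mx_lang']` over the session, calls `SET_LANGUAGE()` as a side effect, and falls back to `DEFAULT_LANG`, so the string fed into the code now varies with the request instead of with the stored session state, and it is also affected by the inverted condition in `GET_LANGUAGE()` itself. The neighbouring lines read the session directly; this one should too: `if (isSessionVariableSet('mx_lang')) $data .= ":".get_session('mx_lang');`. Since `get_session()` returns an SQL-escaped copy, the `u_hash`, `lifetime` and `mxchange_theme` contributions are only byte-identical to the pre-commit values while those variables contain no escapable characters; a comment stating that assumption (`// values are hex/numeric, so SQL_ESCAPE in get_session() is a no-op here -- verify if that changes`) would save the next reader a check. `GEN_RANDOM_CODE` starts outside the hunk.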
\n"; + //* DEBUG: */ echo "UNSET:".$var."=".get_session($var)."
\n"; unset($_SESSION[$var]); return session_unregister($var); - } elseif (("".$value."" != "") && (!isset($_SESSION[$var]))) { + } elseif (("".$value."" != "") && (!isSessionVariableSet($var))) { // Set session //* DEBUG: */ echo "SET:".$var."=".$value."
\n";
 $_SESSION[$var] = $value;
@@ -2120,6 +2107,28 @@ function isBooleanConstantAndTrue($constname) { // : Boolean
 return($res);
 }
+// Check wether a session variable is set
+function isSessionVariableSet($var) {
+ return (isset($_SESSION[$var]));
+}
+
+// Returns wether the value of the session variable or NULL if not set
+function get_session($var) {
+ if (!isset($_SESSION)) session_start();
+
+ // Default is not found! ;-)
+ $value = null;
+
+ // Is the variable there?
+ if (isSessionVariableSet($var)) {
+ // Then get it secured!
+ $value = SQL_ESCAPE($_SESSION[$var]);
+ }
+
+ // Return the value
+ return $value;
+}
+
 //
 //////////////////////////////////////////////
 //
 //
diff --git a/inc/gen_sql_patches.php b/inc/gen_sql_patches.php
index dd6aace8f9..1e402e0fa2 100644
--- a/inc/gen_sql_patches.php
+++ b/inc/gen_sql_patches.php
@@ -96,9 +96,9 @@ if (empty($_CONFIG['file_hash']))
 @chmod($file, 0644);
 //* DEBUG: */ unlink($file);
- //* DEBUG: */ $test = hexdec($_SESSION['u_hash']) / hexdec($secretKey);
+ //* DEBUG: */ $test = hexdec(get_session('u_hash')) / hexdec($secretKey);
 //* DEBUG: */ $test = generateHash(str_replace('.', '', $test));
- //* DEBUG: */ die("Secret-Key: ".$secretKey."
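Review bot: `return session_unregister($var);` after `unset($_SESSION[$var]);` makes the function's success signal on the unset path depend on a call that, per the PHP manual, operates on register_globals-style session variables rather than on `$_SESSION`, so the value admin.php chains with `&&` to decide whether logout succeeded is unrelated to the entry just removed; `return true;` after the `unset()` is sufficient and honest. Also visible in the hunk, `$var = trim(SQL_ESCAPE($var));` escapes the key before it is used as the `$_SESSION` index, while `get_session()` and `isSessionVariableSet()` use the key as given, so a name containing a quote would be stored under one key and read under another; the fixed names in this commit are unaffected, but either both sides should normalise the key or neither. `set_session()` continues outside the hunk.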
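Review bot: `get_session()` applies `SQL_ESCAPE()` to every value it returns, which puts SQL escaping at the read site instead of the query boundary: callers that escape again (`SQL_ESCAPE(get_session('admin_login'))` in extensions.php, admin.php, admin-inc.php) double-escape, the admin.php lines that write the result back via `set_session()` accumulate escaping across requests, and non-SQL consumers (`bigintval(...)`, the `$cacheArray[...][get_session('admin_login')]` index, the `!=` comparisons in admins_functions.php) receive a transformed value. Returning the raw value, `$value = $_SESSION[$var];`, and escaping in `SQL_QUERY_ESC` or at the call site is the safer contract, and the header comment should state it: `// Returns the raw session value for $var, or null if unset; escape at the SQL boundary, not here.` Two smaller points: `isSessionVariableSet()` reads `$_SESSION` without the `session_start()` guard that `get_session()` has, so a presence check made before any read can see an unstarted session and report "not set"; and starting a session from inside a getter will warn if output has already begun, so that guard belongs in the session bootstrap rather than here. The existing comment `Returns wether the value of the session variable or NULL if not set` should read `Returns the value of the session variable, or NULL if not set`.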
Cookie: ".$_SESSION['u_hash']."
Test: ".$test); + //* DEBUG: */ die("Secret-Key: ".$secretKey."
Cookie: ".get_session('u_hash')."
Test: ".$test); // Write $file_hash to database $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET file_hash='%s' WHERE config=0 LIMIT 1", diff --git a/inc/libs/admins_functions.php b/inc/libs/admins_functions.php index d4ced65b01..b10cd3757c 100644 --- a/inc/libs/admins_functions.php +++ b/inc/libs/admins_functions.php @@ -49,22 +49,22 @@ function ADMINS_CHECK_ACL($act, $wht) { $ret = false; // Get admin's defult access right - if (!empty($cacheArray['admins']['def_acl'][$_SESSION['admin_login']])) { + if (!empty($cacheArray['admins']['def_acl'][get_session('admin_login')])) { // Load from cache - $default = $cacheArray['admins']['def_acl'][$_SESSION['admin_login']]; + $default = $cacheArray['admins']['def_acl'][get_session('admin_login')]; // Count cache hits $_CONFIG['cache_hits']++; } elseif (!is_object($cacheInstance)) { // Load from database $result = SQL_QUERY_ESC("SELECT default_acl FROM "._MYSQL_PREFIX."_admins WHERE login='%s' LIMIT 1", - array($_SESSION['admin_login']), __FILE__, __LINE__); + array(get_session('admin_login')), __FILE__, __LINE__); list($default) = SQL_FETCHROW($result); SQL_FREERESULT($result); } // Get admin's ID - $aid = GET_ADMIN_ID($_SESSION['admin_login']); + $aid = GET_ADMIN_ID(get_session('admin_login')); if (!empty($wht)) { // Check for parent menu: 
@@ -195,21 +195,21 @@ function ADMINS_CHANGE_ADMIN_ACCOUNT($POST) { if (!empty($POST['pass1'][$id])) $ADD = sprintf(", password='%s'", SQL_ESCAPE($hash)); // Get admin's ID - $salt = substr(GET_ADMIN_HASH($_SESSION['admin_login']), 0, -40); - $aid = GET_ADMIN_ID($_SESSION['admin_login']); + $salt = substr(GET_ADMIN_HASH(get_session('admin_login')), 0, -40); + $aid = GET_ADMIN_ID(get_session('admin_login')); // Rewrite cookie when it's own account if ($aid == $id) { // Set timeout cookie set_session("admin_last", time()); - if ($login != $_SESSION['admin_login']) { + if ($login != get_session('admin_login')) { // Update login cookie set_session("admin_login", $login); // Update password cookie as well? if (!empty($ADD)) set_session("admin_md5", $hash); - } elseif (generateHash($POST['pass1'][$id], $salt) != $_SESSION['admin_md5']) { + } elseif (generateHash($POST['pass1'][$id], $salt) != get_session('admin_md5')) { // Update password cookie set_session("admin_md5", $hash); } @@ -218,7 +218,7 @@ function ADMINS_CHANGE_ADMIN_ACCOUNT($POST) { // Get default ACL from admin to check if we can allow him to change the default ACL $result = SQL_QUERY_ESC("SELECT default_acl FROM "._MYSQL_PREFIX."_admins WHERE login='%s' LIMIT 1", - array($_SESSION['admin_login']), __FILE__, __LINE__); + array(get_session('admin_login')), __FILE__, __LINE__); list($default) = SQL_FETCHROW($result); // Free result @@ -368,7 +368,7 @@ function ADMINS_REMOVE_ADMIN_ACCOUNTS ($POST) { $id = bigintval($id); // Delete only when it's not your own account! - if (($del == 1) && (GET_ADMIN_ID($_SESSION['admin_login']) != $id)) { + if (($del == 1) && (GET_ADMIN_ID(get_session('admin_login')) != $id)) { // Rewrite his tasks to all admins $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_task_system SET assigned_admin='0' WHERE assigned_admin='%s'", array($id), __FILE__, __LINE__); diff --git a/inc/libs/output_functions.php b/inc/libs/output_functions.php index 8d64e7023e..0609279667 100644 
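Review bot: `generateHash($POST['pass1'][$id], $salt) != get_session('admin_md5')` compares two digests with loose `!=`, under which numeric-looking strings (for example two digests beginning with `0e`) compare equal as numbers; use `!==` here, and likewise `$login != get_session('admin_login')` should be `!==`. Because `get_session()` returns an SQL-escaped copy, the comparison against `$login` is only reliable while logins contain no escapable characters, which is one more reason for the getter to return the raw value. `ADMINS_CHANGE_ADMIN_ACCOUNT` starts and ends outside the hunk.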
--- a/inc/libs/output_functions.php +++ b/inc/libs/output_functions.php @@ -77,12 +77,12 @@ function get_template ($template, $return=false, $content="") { // Add more variables which you want to use in your template files global $DATA, $ACTION, $WHAT; - $REFID = bigintval($_SESSION['refid']); + $REFID = bigintval(get_session('refid')); if ($template == "member_support_form") { // Support request of a member - $ID = bigintval($_SESSION['userid']); + $ID = bigintval($GLOBALS['userid']); $result = SQL_QUERY_ESC("SELECT sex, surname, family FROM "._MYSQL_PREFIX."_user_data WHERE userid='%s' LIMIT 1", array($ID), __FILE__, __LINE__); list($sex, $surname, $family) = SQL_FETCHROW($result); SQL_FREERESULT($result); diff --git a/inc/libs/security_functions.php b/inc/libs/security_functions.php index 8c032b722a..b46309ee92 100644 --- a/inc/libs/security_functions.php +++ b/inc/libs/security_functions.php @@ -76,10 +76,10 @@ if (!isset($_POST)) global $_POST; $_POST = $GLOBALS['_POST']; } -if (!isset($_SESSION)) +if (!isset($_COOKIE)) { - global $_SESSION; - $_SESSION = $GLOBALS['_COOKIE']; + global $_COOKIE; + $_COOKIE = $GLOBALS['_COOKIE']; } // Include IP-Filter here @@ -166,12 +166,12 @@ if (basename($_SERVER['PHP_SELF']) != "install.php") } // ... and finally cookies - foreach ($_SESSION as $seckey=>$secvalue) + foreach ($_COOKIE as $seckey=>$secvalue) { if (is_array($secvalue)) { // Throw arrays away... - unset($_SESSION[$seckey]); + unset($_COOKIE[$seckey]); } else { @@ -179,11 +179,11 @@ if (basename($_SERVER['PHP_SELF']) != "install.php") foreach ($SEC_CHARS['from'] as $key=>$char) { // Pass all through - $_SESSION[$seckey] = str_replace($char , $SEC_CHARS['to'][$key], $_SESSION[$seckey]); + $_COOKIE[$seckey] = str_replace($char , $SEC_CHARS['to'][$key], $_COOKIE[$seckey]); } // Strip all other out - $_SESSION[$seckey] = strip_tags($_SESSION[$seckey]); + $_COOKIE[$seckey] = strip_tags($_COOKIE[$seckey]); } } } 
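Review bot: The removed `$_SESSION = $GLOBALS['_COOKIE']` alias means that, whenever no session had been started, every `$_SESSION[...]` read in the project was actually a client-supplied cookie; after this commit `get_session()` reads PHP's server-side session, which is the right direction, but any code that still reads `$_COOKIE['admin_login']`, `$_COOKIE['u_hash']` or similar directly (not visible here) will now diverge from what `set_session()` stores, so a grep for remaining `$_COOKIE[` uses of session keys is worth doing before merging. The retained loop replaces characters and `strip_tags()`-strips every cookie value in place, which alters rather than rejects unexpected input; a comment such as `// Cookies are mangled, not validated: every consumer must still check the value it expects (int, hex, enum)` would keep the next reader from treating this as input validation.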
diff --git a/inc/libs/task_functions.php b/inc/libs/task_functions.php index 53f8feb9a8..ce4b5f6039 100644 --- a/inc/libs/task_functions.php +++ b/inc/libs/task_functions.php @@ -57,7 +57,7 @@ function OUTPUT_ADVANCED_OVERVIEW (&$result_main) if (!$JOBS_DONE) { // New extensions or updates found $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_task_system WHERE assigned_admin='%s' AND status='NEW' AND task_type='EXTENSION_UPDATE'", - array(GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); $value = SQL_NUMROWS($result); SQL_FREERESULT($result); @@ -150,7 +150,7 @@ function OUTPUT_ADVANCED_OVERVIEW (&$result_main) // Solved tasks // $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_task_system WHERE status = 'SOLVED' AND assigned_admin='%s'", - array(GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); $value = SQL_NUMROWS($result); SQL_FREERESULT($result); @@ -164,7 +164,7 @@ function OUTPUT_ADVANCED_OVERVIEW (&$result_main) // Your tasks // $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_task_system WHERE assigned_admin='%s' AND status = 'NEW' AND task_type != 'EXTENSION_UPDATE'", - array(GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); $value = SQL_NUMROWS($result); SQL_FREERESULT($result); diff --git a/inc/load_extensions.php b/inc/load_extensions.php index b7499dae51..e2f44a0fab 100644 --- a/inc/load_extensions.php +++ b/inc/load_extensions.php 
@@ -46,15 +46,12 @@ $ADD = ""; if ((!isBooleanConstantAndTrue('mxchange_installed')) || (isBooleanConstantAndTrue('mxchange_installing'))) return; // Load default sql_patches extension if present -if (file_exists(PATH."inc/extensions/ext-sql_patches.php") && is_readable(PATH."inc/extensions/ext-sql_patches.php")) -{ +if (file_exists(PATH."inc/extensions/ext-sql_patches.php") && is_readable(PATH."inc/extensions/ext-sql_patches.php")) { // Load it... $EXT_LOAD_MODE = ""; require_once(PATH."inc/extensions/ext-sql_patches.php"); $cacheArray['active_extensions'] = array('sql_patches' => 'Y'); // KEEP THIS ALWAYS ACTIVE! -} - else -{ +} else { // Initialize array for "always keep active extensions" $cacheArray['active_extensions'] = array(); } @@ -79,9 +76,7 @@ if (EXT_IS_ACTIVE("cache")) // Load language if ($cacheMode == "load") include(PATH."inc/language/cache_".GET_LANGUAGE().".php"); -} - else -{ +} else { $cacheMode = "no"; } diff --git a/inc/modules/admin.php b/inc/modules/admin.php index 083009f303..e7aabd542d 100644 --- a/inc/modules/admin.php +++ b/inc/modules/admin.php 
@@ -137,9 +137,9 @@ if (!isBooleanConstantAndTrue('admin_registered')) { // Load register template LOAD_TEMPLATE("admin_reg_form"); } -} elseif ((empty($_SESSION['admin_login'])) || (empty($_SESSION['admin_md5'])) || (empty($_SESSION['admin_last'])) || (empty($_SESSION['admin_to'])) || (($_SESSION['admin_last'] + bigintval($_SESSION['admin_to']) * 3600 * 24) < time())) { +} elseif ((!isSessionVariableSet('admin_login')) || (!isSessionVariableSet('admin_md5')) || (!isSessionVariableSet('admin_last')) || (!isSessionVariableSet('admin_to')) || ((get_session('admin_last') + bigintval(get_session('admin_to')) * 3600 * 24) < time())) { // At leat one administrator account was created - if ((!empty($_SESSION['admin_login'])) && (!empty($_SESSION['admin_md5'])) && (!empty($_SESSION['admin_last'])) && (!empty($_SESSION['admin_to']))) { + if ((isSessionVariableSet('admin_login')) && (isSessionVariableSet('admin_md5')) && (isSessionVariableSet('admin_last')) && (isSessionVariableSet('admin_to'))) { // Timeout for last login, we have to logout first! $URL = URL."/modules.php?module=admin&action=login&logout=1"; LOAD_URL($URL); @@ -257,10 +257,10 @@ if (!isBooleanConstantAndTrue('admin_registered')) { // Only try to remove cookies if (set_session("admin_login", "") && set_session("admin_md5", "") && set_session("admin_last", "") && set_session("admin_to", "")) { // Also remove array elements - unset($_SESSION['admin_login']); - unset($_SESSION['admin_md5']); - unset($_SESSION['admin_last']); - unset($_SESSION['admin_to']); + set_session('admin_login' , ""); + set_session('admin_md5' , ""); + set_session('admin_last' , ""); + set_session('admin_to' , ""); // Destroy session @session_destroy(); 
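Review bot: The four `set_session('admin_*', "")` calls inside the `if` repeat exactly what its condition already executed, so on entry the variables are already gone and, per the `set_session()` hunk in functions.php, neither of the two visible branches applies to a second call with an empty value; they can be deleted, leaving `@session_destroy()` to finish the logout. The `@` on `session_destroy()` hides the one failure that matters here (destroying a session that was never started), so checking or logging its return value would be preferable to suppressing it. The enclosing block continues outside the hunk.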
@@ -276,11 +276,11 @@ if (!isBooleanConstantAndTrue('admin_registered')) { } } else { // Maybe an Admin want's to login? - $ret = CHECK_ADMIN_COOKIES(SQL_ESCAPE($_SESSION['admin_login']), SQL_ESCAPE($_SESSION['admin_md5'])); + $ret = CHECK_ADMIN_COOKIES(SQL_ESCAPE(get_session('admin_login')), SQL_ESCAPE(get_session('admin_md5'))); switch ($ret) { case "done": // Cookie-Data accepted - if ((set_session("admin_md5", SQL_ESCAPE($_SESSION['admin_md5']))) && (set_session("admin_login", SQL_ESCAPE($_SESSION['admin_login']))) && (set_session("admin_last", time())) && (set_session("admin_to", bigintval($_SESSION['admin_to'])))) { + if ((set_session("admin_md5", SQL_ESCAPE(get_session('admin_md5')))) && (set_session("admin_login", SQL_ESCAPE(get_session('admin_login')))) && (set_session("admin_last", time())) && (set_session("admin_to", bigintval(get_session('admin_to'))))) { // Ok, Cookie-Update done if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2")) { // Check if action GET variable was set diff --git a/inc/modules/admin/admin-inc.php b/inc/modules/admin/admin-inc.php index 3d31335d5f..385f7375d9 100644 --- a/inc/modules/admin/admin-inc.php +++ b/inc/modules/admin/admin-inc.php @@ -245,8 +245,8 @@ function ADMIN_DO_ACTION($wht) $act = GET_ACTION($GLOBALS['module'], $wht); // Define admin login name and ID number - define('__ADMIN_LOGIN', SQL_ESCAPE($_SESSION['admin_login'])); - define('__ADMIN_ID' , GET_ADMIN_ID($_SESSION['admin_login'])); + define('__ADMIN_LOGIN', SQL_ESCAPE(get_session('admin_login'))); + define('__ADMIN_ID' , GET_ADMIN_ID(get_session('admin_login'))); // Preload templates if (EXT_IS_ACTIVE("admins")) { 
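Review bot: `set_session("admin_md5", SQL_ESCAPE(get_session('admin_md5')))` and `set_session("admin_login", SQL_ESCAPE(get_session('admin_login')))` write an escaped copy of the session value back into the session on every accepted request, and `get_session()` escapes again on the next read, so any escapable character in the login gains a backslash per request until `CHECK_ADMIN_COOKIES` no longer matches and the admin is logged out. The md5 hash is hex and unaffected, which hides the problem in ordinary testing. Since both values already come from the session, the refresh only needs `set_session("admin_last", time())`; rewriting `admin_md5` and `admin_login` with their own value appears to be a leftover from when these were cookies with a lifetime to renew, and if it is kept the `SQL_ESCAPE()` wrappers should at least go.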
@@ -680,17 +680,17 @@ function ADMIN_CHECK_MENU_MODE() $MODE = $_CONFIG['admin_menu']; $ADMIN = $MODE; // Check individual settings of current admin - if (isset($cacheArray['admins']['la_mode'][$_SESSION['admin_login']])) + if (isset($cacheArray['admins']['la_mode'][get_session('admin_login')])) { // Load from cache - $ADMIN = $cacheArray['admins']['la_mode'][$_SESSION['admin_login']]; + $ADMIN = $cacheArray['admins']['la_mode'][get_session('admin_login')]; $_CONFIG['cache_hits']++; } elseif (GET_EXT_VERSION("admins") >= "0.6.7") { // Load from database when version of "admins" is enough $result = SQL_QUERY_ESC("SELECT la_mode FROM "._MYSQL_PREFIX."_admins WHERE login='%s' LIMIT 1", - array($_SESSION['admin_login']), __FILE__, __LINE__); + array(get_session('admin_login')), __FILE__, __LINE__); if (SQL_NUMROWS($result) == 1) { // Load data diff --git a/inc/modules/admin/overview-inc.php b/inc/modules/admin/overview-inc.php index f9314a45c5..4ba25cae16 100644 --- a/inc/modules/admin/overview-inc.php +++ b/inc/modules/admin/overview-inc.php @@ -44,7 +44,7 @@ function OUTPUT_STANDARD_OVERVIEW(&$result_tasks) // First check for solved and not assigned tasks and assign them to current admin $result_task = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_task_system SET assigned_admin='%s' WHERE assigned_admin < 1 AND status != 'NEW'", - array(GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); // We currently don't want to install an extension so let's find out if we need... $EXT_LOAD_MODE = "register"; $JOBS_DONE = true; 
@@ -111,7 +111,7 @@ function OUTPUT_STANDARD_OVERVIEW(&$result_tasks) $result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (assigned_admin, userid, status, task_type, subject, text, task_created) VALUES ('%s', '0', 'NEW', 'EXTENSION', '%s', '%s', UNIX_TIMESTAMP())", array( - GET_ADMIN_ID($_SESSION['admin_login']), + GET_ADMIN_ID(get_session('admin_login')), $ext_subj, addslashes($MSG), ), __FILE__, __LINE__, true, false); @@ -158,7 +158,7 @@ VALUES ('%s', '0', 'NEW', 'EXTENSION', '%s', '%s', UNIX_TIMESTAMP())", FROM "._MYSQL_PREFIX."_task_system WHERE assigned_admin='%s' OR (assigned_admin='0' AND status='NEW') ORDER BY userid DESC, task_type DESC, subject, task_created DESC", - array(GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); if (SQL_NUMROWS($result_tasks) > 0) { // New jobs found! @@ -178,7 +178,7 @@ function OUTPUT_SELECTED_TASKS($_POST, $result_tasks) foreach ($_POST['task'] as $id=>$sel) { $result_task = SQL_QUERY_ESC("SELECT id, userid, task_type, subject, text, task_created, status, assigned_admin FROM "._MYSQL_PREFIX."_task_system WHERE id=%d AND (assigned_admin='%s' OR (assigned_admin='0' AND status='NEW')) LIMIT 1", - array(bigintval($id), GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(bigintval($id), GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); if (SQL_NUMROWS($result_task) == 1) { // Task is valid... @@ -188,7 +188,7 @@ function OUTPUT_SELECTED_TASKS($_POST, $result_tasks) { // Assgin current admin to unassgigned task $result_assign = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_task_system SET assigned_admin='%s' WHERE id=%d LIMIT 1", - array(GET_ADMIN_ID($_SESSION['admin_login']), bigintval($tid)), __FILE__, __LINE__); + array(GET_ADMIN_ID(get_session('admin_login')), bigintval($tid)), __FILE__, __LINE__); } $ADD = ""; if ($type == "SUPPORT_MEMBER") 
@@ -449,7 +449,7 @@ function OUTPUT_SELECTED_TASKS($_POST, $result_tasks) foreach ($_POST['task'] as $id=>$sel) { $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_task_system SET assigned_admin='0' WHERE id=%d AND assigned_admin='%s' LIMIT 1", - array(bigintval($id), GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(bigintval($id), GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); } } elseif (isset($_POST['del'])) @@ -458,13 +458,13 @@ function OUTPUT_SELECTED_TASKS($_POST, $result_tasks) foreach ($_POST['task'] as $id=>$sel) { $result = SQL_QUERY_ESC("DELETE LOW_PRIORITY FROM "._MYSQL_PREFIX."_task_system WHERE id=%d AND (assigned_admin='%s' OR assigned_admin='0') LIMIT 1", - array(bigintval($id), GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(bigintval($id), GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); } } // Update query $result_tasks = SQL_QUERY_ESC("SELECT id, assigned_admin, userid, task_type, subject, text, task_created FROM "._MYSQL_PREFIX."_task_system WHERE assigned_admin='%s' OR (assigned_admin='0' AND status='NEW') ORDER BY task_created DESC", - array(GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); } // There are uncompleted jobs! diff --git a/inc/modules/admin/what-add_rallye.php b/inc/modules/admin/what-add_rallye.php index a3b5f799c1..d2ee8c934d 100644 --- a/inc/modules/admin/what-add_rallye.php +++ b/inc/modules/admin/what-add_rallye.php @@ -56,7 +56,7 @@ if (isset($_POST['ok'])) $result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_rallye_data (admin_id, title, descr, template, start_time, end_time, auto_add_new_user, is_active, send_notify) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')", array( - GET_ADMIN_ID($_SESSION['admin_login']), + GET_ADMIN_ID(get_session('admin_login')), $_POST['title'], $_POST['descr'], $_POST['template'], 
diff --git a/inc/modules/admin/what-extensions.php b/inc/modules/admin/what-extensions.php index 4bb2f5481b..fb0f2f2c26 100644 --- a/inc/modules/admin/what-extensions.php +++ b/inc/modules/admin/what-extensions.php @@ -282,7 +282,7 @@ case "overview": // List all registered extensions case "register": // Register new extension $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_task_system WHERE assigned_admin='%s' AND task_type='EXTENSION' LIMIT 1", - array(bigintval(GET_ADMIN_ID($_SESSION['admin_login']))), __FILE__, __LINE__); + array(bigintval(GET_ADMIN_ID(get_session('admin_login')))), __FILE__, __LINE__); $task_found = SQL_NUMROWS($result); // Free result diff --git a/inc/modules/admin/what-list_task.php b/inc/modules/admin/what-list_task.php index eeb86ea837..7587438b11 100644 --- a/inc/modules/admin/what-list_task.php +++ b/inc/modules/admin/what-list_task.php @@ -46,15 +46,15 @@ if (empty($_GET['type'])) $_GET['type'] = "your"; switch ($_GET['type']) { case "your": // List only your own open (new) tasks - $whereStatement = "assigned_admin='".GET_ADMIN_ID($_SESSION['admin_login'])."' AND status='NEW' AND task_type != 'EXTENSION_UPDATE'"; + $whereStatement = "assigned_admin='".GET_ADMIN_ID(get_session('admin_login'))."' AND status='NEW' AND task_type != 'EXTENSION_UPDATE'"; break; case "updates": // List only updates assigned to you - $whereStatement = "assigned_admin='".GET_ADMIN_ID($_SESSION['admin_login'])."' AND status='NEW' AND task_type = 'EXTENSION_UPDATE'"; + $whereStatement = "assigned_admin='".GET_ADMIN_ID(get_session('admin_login'))."' AND status='NEW' AND task_type = 'EXTENSION_UPDATE'"; break; case "solved": // List only solved tasks assigned to you - $whereStatement = "assigned_admin='".GET_ADMIN_ID($_SESSION['admin_login'])."' AND status='SOLVED'"; + $whereStatement = "assigned_admin='".GET_ADMIN_ID(get_session('admin_login'))."' AND status='SOLVED'"; break; case "unassigned": // List unassigned (but not deleted) tasks 
@@ -66,7 +66,7 @@ case "deleted": // List all deleted break; case "closed": // List all closed - $whereStatement = "assigned_admin='".GET_ADMIN_ID($_SESSION['admin_login'])."' AND status='CLOSED'"; + $whereStatement = "assigned_admin='".GET_ADMIN_ID(get_session('admin_login'))."' AND status='CLOSED'"; break; default: // Unknown type @@ -101,7 +101,7 @@ ORDER BY userid DESC, task_type DESC, subject, task_created DESC", __FILE__, __L foreach ($_POST['task'] as $id=>$sel) { $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_task_system SET assigned_admin='0' WHERE id=%d AND assigned_admin='%s' LIMIT 1", - array(bigintval($id), GET_ADMIN_ID($_SESSION['admin_login'])), __FILE__, __LINE__); + array(bigintval($id), GET_ADMIN_ID(get_session('admin_login'))), __FILE__, __LINE__); } } elseif (isset($_POST['del'])) diff --git a/inc/modules/admin/what-theme_edit.php b/inc/modules/admin/what-theme_edit.php index cf103df5d2..15418d191c 100644 --- a/inc/modules/admin/what-theme_edit.php +++ b/inc/modules/admin/what-theme_edit.php @@ -78,13 +78,10 @@ if ($SEL > 0) // Output generated? if (empty($OUT)) ADMIN_THEME_NO_OUTPUT; -} - elseif (!empty($_GET['default_theme'])) -{ +} elseif (!empty($_GET['default_theme'])) { // Save theme - $POST['default_theme'] = $_GET['default_theme']; + $POST['default_theme'] = SQL_ESCAPE($_GET['default_theme']); set_session("mxchange_theme", $POST['default_theme'], (time() + 60*60*24*365), COOKIE_PATH); - $_SESSION['mxchange_theme'] = $POST['default_theme']; ADMIN_SAVE_SETTINGS($POST); } diff --git a/inc/modules/chk_login.php b/inc/modules/chk_login.php index e64ac5ab9e..745fc31efd 100644 --- a/inc/modules/chk_login.php +++ b/inc/modules/chk_login.php @@ -42,8 +42,7 @@ OPEN_TABLE("500", "guest_login_header dashed", "center"); OUTPUT_HTML("
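Review bot: `set_session("mxchange_theme", $POST['default_theme'], (time() + 60*60*24*365), COOKIE_PATH)` passes four arguments to a function declared as `set_session ($var, $value)` (functions.php hunk at `@@ -2095`); PHP ignores the extra two, so the one-year lifetime and the cookie path are never applied, and the removed `$_SESSION['mxchange_theme'] = ...` line was the only effect this call visibly had before. The same four-argument call is in chk_login.php (`mxchange_theme`) and twice in what-confirm.php (`lead_uid`, with `LEAD_EXPIRY_TIME`), where the lost expiry matters more because the lead marker was evidently meant to time out. Either extend `set_session()` to accept and apply a lifetime, or drop the dead arguments so readers do not assume an expiry exists. Separately, `SQL_ESCAPE($_GET['default_theme'])` only makes the value safe for the query; if the theme name is later used as a path component (theme-manager.php is in this commit but not shown), it should be checked against the list of installed themes before being stored.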
".VALIDATING_LOGIN."
"); -if (!empty($GLOBALS['userid']) && !empty($_SESSION['u_hash']) && !empty($_SESSION['lifetime'])) -{ +if (!empty($GLOBALS['userid']) && (isSessionVariableSet('u_hash')) && (isSessionVariableSet('lifetime'))) { // Get theme from profile $result = SQL_QUERY_ESC("SELECT curr_theme FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d LIMIT 1", array($GLOBALS['userid']), __FILE__, __LINE__); @@ -52,7 +51,6 @@ if (!empty($GLOBALS['userid']) && !empty($_SESSION['u_hash']) && !empty($_SESSIO // Change to new theme set_session("mxchange_theme", $NewTheme, (time() + 60*60*24*365), COOKIE_PATH); - $_SESSION['mxchange_theme'] = $NewTheme; $bonus = false; if ((GET_EXT_VERSION("sql_patches") >= "0.2.8") && (GET_EXT_VERSION("bonus") >= "0.2.1") && ($_CONFIG['bonus_login_yn'] == 'N') && ($_CONFIG['bonus_login_yn'] == 'Y')) { diff --git a/inc/modules/guest/what-confirm.php b/inc/modules/guest/what-confirm.php index 3b34f5197a..40a1c513d5 100644 --- a/inc/modules/guest/what-confirm.php +++ b/inc/modules/guest/what-confirm.php @@ -116,7 +116,6 @@ if (!empty($_GET['hash'])) if (defined('LEAD_CODE_ENABLED') && defined('LEAD_EXPIRY_TIME')) { // Set special lead cookie set_session("lead_uid", bigintval($uid), (time() + LEAD_EXPIRY_TIME), COOKIE_PATH); - $_SESSION['lead_uid'] = bigintval($uid); // Lead-Code mode enabled LOAD_URL("lead-confirm.php"); @@ -128,7 +127,6 @@ if (!empty($_GET['hash'])) } elseif (defined('LEAD_CODE_ENABLED') && defined('LEAD_EXPIRY_TIME')) { // Set special lead cookie set_session("lead_uid", bigintval($uid), (time() + LEAD_EXPIRY_TIME), COOKIE_PATH); - $_SESSION['lead_uid'] = bigintval($uid); // Lead-Code mode enabled LOAD_URL("lead-confirm.php"); diff --git a/inc/modules/guest/what-login.php b/inc/modules/guest/what-login.php index 93fc1bd2cf..9aea8f972b 100644 --- a/inc/modules/guest/what-login.php +++ b/inc/modules/guest/what-login.php 
@@ -49,34 +49,26 @@ global $DATA, $FATAL; $probe_nickname = false; $UID = false; $hash = ""; unset($login); unset($online); -if ((!empty($GLOBALS['userid'])) && (!empty($_SESSION['u_hash']))) +if ((!empty($GLOBALS['userid'])) && (isSessionVariableSet('u_hash'))) { // Already logged in? $UID = $GLOBALS['userid']; -} - elseif ((!empty($_POST['id'])) && (!empty($_POST['password'])) && (isset($_POST['ok']))) -{ +} elseif ((!empty($_POST['id'])) && (!empty($_POST['password'])) && (isset($_POST['ok']))) { // Set userid and crypt password when login data was submitted $probe_nickname = ((EXT_IS_ACTIVE("nickname")) && (("".round($_POST['id'])."") != $_POST['id'])); if ($probe_nickname) { // Nickname entered $UID = SQL_ESCAPE($_POST['id']); - } - else - { + } else { // Direct userid entered $UID = bigintval($_POST['id']); } -} - elseif (!empty($_POST['new_pass'])) -{ +} elseif (!empty($_POST['new_pass'])) { // New password requested $UID = "0"; if (!empty($_POST['id'])) $UID = $_POST['id']; -} - else -{ +} else { // Not logged in $UID = "0"; $hash = ""; } 
@@ -86,59 +78,46 @@ $URL = ""; $ADD = ""; if (empty($_POST['new_pass'])) $_POST['new_pass'] = ""; if (empty($_GET['login'])) $_GET['login'] = ""; -if (IS_LOGGED_IN()) -{ +if (IS_LOGGED_IN()) { // Login immidiately... $URL = URL."/modules.php?module=login"; -} - elseif (isset($_POST['ok'])) -{ +} elseif (isset($_POST['ok'])) { // Add last_login if available $LAST = ""; - if (GET_EXT_VERSION("sql_patches") >= "0.2.8") - { + if (GET_EXT_VERSION("sql_patches") >= "0.2.8") { $LAST = ", last_login"; } // Check login data $password = ""; - if ($probe_nickname) - { + if ($probe_nickname) { // Nickname entered $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' AND status='CONFIRMED' LIMIT 1", array($UID), __FILE__, __LINE__); list($UID2, $password, $online, $login) = SQL_FETCHROW($result); if (!empty($UID2)) $UID = $UID2; - } - else - { + } else { // Direct userid entered $result = SQL_QUERY_ESC("SELECT userid, password, last_online".$LAST." FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d AND status='CONFIRMED' LIMIT 1", array(bigintval($UID), $hash), __FILE__, __LINE__); list($dmy, $password, $online, $login) = SQL_FETCHROW($result); } - if (SQL_NUMROWS($result) == 1) - { + if (SQL_NUMROWS($result) == 1) { // Valid data found so let's load the last login data - if (isset($_POST['ok'])) - { + if (isset($_POST['ok'])) { // By default the hash is empty $hash = ""; // Check for old MD5 passwords - if ((strlen($password) == 32) && (md5($_POST['password']) == $password)) - { + if ((strlen($password) == 32) && (md5($_POST['password']) == $password)) { // Just set the hash to the password from DB... :) $hash = $password; - } - else - { + } else { // Encrypt hash for comparsion $hash = generateHash($_POST['password'], substr($password, 0, -40)); } - if ($hash == $password) - { + if ($hash == $password) { // New hashed password found so let's generate a new one $hash = generateHash($_POST['password']); 
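Review bot: The credential checks on the new side still compare digests with loose `==` — `md5($_POST['password']) == $password` and `$hash == $password` — and PHP's numeric-string comparison treats any two strings of the form `0e<digits>` as equal, so a stored hash with that shape would be matched by an unrelated password whose digest also starts with `0e`. Use strict comparison: `if ((strlen($password) == 32) && (md5($_POST['password']) === $password)) {` and `if ($hash === $password) {`. The direct-userid query in the same hunk passes `array(bigintval($UID), $hash)` for a single `%d` placeholder; the extra `$hash` argument appears unused and should be dropped to avoid suggesting the hash is part of the lookup. The enclosing `elseif (isset($_POST['ok']))` block continues past the hunk.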
@@ -152,8 +131,7 @@ if (IS_LOGGED_IN()) // Probe for last online timemark $probe = time() - $online; if (!empty($login)) $probe = time() - $login; - if ((GET_EXT_VERSION("bonus") >= "0.2.2") && ($probe >= $_CONFIG['login_timeout'])) - { + if ((GET_EXT_VERSION("bonus") >= "0.2.2") && ($probe >= $_CONFIG['login_timeout'])) { // Add login bonus to user's account $ADD = ", login_bonus=login_bonus+'".$_CONFIG['login_bonus']."'"; $BONUS = true; @@ -166,8 +144,7 @@ if (IS_LOGGED_IN()) // Secure lifetime from input form $l = bigintval($_POST['lifetime']); $life = "-1"; - if ($l > 0) - { + if ($l > 0) { // Calculate lifetime of cookies $life = time() + $l; 
@@ -181,60 +158,41 @@ if (IS_LOGGED_IN()) // Update global array $GLOBALS['userid'] = $UID; - $_SESSION['u_hash'] = $hash; - $_SESSION['lifetime'] = $l; - } - else - { + } else { // Check for login data $login = IS_LOGGED_IN(); } - if ($login) - { + if ($login) { // Update database records $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET total_logins=total_logins+1".$ADD." WHERE userid=%d LIMIT 1", array(bigintval($UID)), __FILE__, __LINE__); - if (SQL_AFFECTEDROWS($link) == 1) - { + if (SQL_AFFECTEDROWS($link) == 1) { // Procedure to checking for login data - if (($BONUS) && (EXT_IS_ACTIVE("bonus"))) - { + if (($BONUS) && (EXT_IS_ACTIVE("bonus"))) { // Bonus added (just displaying!) $URL = URL."/modules.php?module=chk_login&mode=bonus"; - } - else - { + } else { // Bonus not added $URL = URL."/modules.php?module=chk_login&mode=login"; } - } - else - { + } else { // Cannot update counter! $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".CODE_CNTR_FAILED; } - } - else - { + } else { // Cookies not setable! $URL = URL."/modules.php?module=".$GLOBALS['module']."&what=login&login=".CODE_NO_COOKIES; } - } - else - { + } else { // Wrong password! $ERROR = CODE_WRONG_PASS; } - } - else - { + } else { // Fatal error! $ERROR = CODE_LOGIN_FAILED; } - } - else - { + } else { // Other account status? $result = SQL_QUERY_ESC("SELECT status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d LIMIT 1", array(bigintval($UID)), __FILE__, __LINE__); diff --git a/inc/modules/member/what-logout.php b/inc/modules/member/what-logout.php index 797f8e262d..6c7926ac2a 100644 --- a/inc/modules/member/what-logout.php +++ b/inc/modules/member/what-logout.php 
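Review bot: The successful-login branch (`$GLOBALS['userid'] = $UID;`, with the `$_SESSION['u_hash']`/`$_SESSION['lifetime']` writes removed) is where a visitor becomes an authenticated member, yet nothing in the hunk rotates the PHP session ID, so if `set_session()` now stores `u_hash` server-side a session ID fixed by an attacker beforehand would carry the victim's login. Add `session_regenerate_id(true);` immediately before the cookies for the new login are issued, i.e. ahead of `$GLOBALS['userid'] = $UID;`. This assumes the removed `$_SESSION` assignments are now covered by the `set_session()` calls above the hunk — worth confirming, because otherwise `get_session('u_hash')` in `IS_LOGGED_IN()` only ever sees what the cookie carries.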
@@ -50,10 +50,10 @@ $URL = URL."/modules.php?module=index"; // NEW: Fixed the Set of Cookies, you mus add right TimeSet, if you changed it in What_login.php! (eg. time()- cookieTime -if (set_session("userid", "", time() - 3600, COOKIE_PATH) && set_session("u_hash", "", time() - 3600, COOKIE_PATH) && set_session("lifetime", "", time() - 3600, COOKIE_PATH)) +if (set_session("userid", "") && set_session("u_hash", "") && set_session("lifetime", "")) { // Remove theme cookie as well - set_session("mxchange_theme", "", time() - 3600, COOKIE_PATH); + set_session("mxchange_theme", ""); // Logout completed $URL .= "&msg=".CODE_LOGOUT_DONE; diff --git a/inc/modules/member/what-mydata.php b/inc/modules/member/what-mydata.php index 2a13fa112e..ee8c3d9715 100644 --- a/inc/modules/member/what-mydata.php +++ b/inc/modules/member/what-mydata.php @@ -261,21 +261,21 @@ last_update=UNIX_TIMESTAMP()".$AND.", notified='N', last_profile_sent=UNIX_TIMESTAMP() WHERE userid=%d AND password='%s' LIMIT 1", - array( - $_POST['sex'], - $_POST['surname'], - $_POST['family_name'], - $_POST['street_nr'], - bigintval($_POST['country_code']), - bigintval($_POST['zip']), - $_POST['city'], - $_POST['addy'], - bigintval($_POST['day']), - bigintval($_POST['month']), - bigintval($_POST['year']), - bigintval($_POST['max_mails']), - UID_VALUE, - $_SESSION['u_hash'] +array( + $_POST['sex'], + $_POST['surname'], + $_POST['family_name'], + $_POST['street_nr'], + bigintval($_POST['country_code']), + bigintval($_POST['zip']), + $_POST['city'], + $_POST['addy'], + bigintval($_POST['day']), + bigintval($_POST['month']), + bigintval($_POST['year']), + bigintval($_POST['max_mails']), + UID_VALUE, + get_session('u_hash') ), __FILE__, __LINE__); } else 
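Review bot: Logout now blanks `userid`, `u_hash`, `lifetime` and `mxchange_theme` with `set_session($name, "")` instead of the previous `time() - 3600` expiry, so whether the browser actually drops the cookies and whether any server-side `$_SESSION` copy is removed now depends entirely on how the new `set_session()` default treats an empty value, and that function is not in this hunk. Because the checks elsewhere in this commit moved from `!empty()` to `isSessionVariableSet()`, an empty-but-present value is exactly the state most likely to be misread as "set". State the contract on the `if`, e.g. `// set_session() with "" must both unset $_SESSION[$name] and expire the cookie`, and follow the clears with `session_regenerate_id(true);` so the old session ID cannot be reused after logout.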
@@ -292,21 +292,21 @@ last_update=UNIX_TIMESTAMP()".$AND.", notified='N', last_profile_sent=UNIX_TIMESTAMP() WHERE userid=%d AND password='%s' LIMIT 1", - array( - $_POST['sex'], - $_POST['surname'], - $_POST['family_name'], - $_POST['street_nr'], - $_POST['cntry'], - bigintval($_POST['zip']), - $_POST['city'], - $_POST['addy'], - bigintval($_POST['day']), - bigintval($_POST['month']), - bigintval($_POST['year']), - bigintval($_POST['max_mails']), - UID_VALUE, - $_SESSION['u_hash'] +array( + $_POST['sex'], + $_POST['surname'], + $_POST['family_name'], + $_POST['street_nr'], + $_POST['cntry'], + bigintval($_POST['zip']), + $_POST['city'], + $_POST['addy'], + bigintval($_POST['day']), + bigintval($_POST['month']), + bigintval($_POST['year']), + bigintval($_POST['max_mails']), + UID_VALUE, + get_session('u_hash') ), __FILE__, __LINE__); } diff --git a/inc/modules/member/what-themes.php b/inc/modules/member/what-themes.php index 0e25541d34..8778538010 100644 --- a/inc/modules/member/what-themes.php +++ b/inc/modules/member/what-themes.php @@ -56,7 +56,6 @@ if (!empty($_POST['member_theme'])) // Change to new theme set_session("mxchange_theme", $NewTheme, (time() + 60*60*24*365), COOKIE_PATH); - $_SESSION['mxchange_theme'] = $NewTheme; // Theme saved! LOAD_TEMPLATE("admin_settings_saved", false, MEMBER_THEME_SAVED); @@ -110,7 +109,7 @@ $OUT = ""; $SW = 2; foreach ($THEMES['theme_unix'] as $key=>$unix) { $default = ""; - if ($_SESSION['mxchange_theme'] == $unix) $default = " checked selected"; + if (get_session('mxchange_theme') == $unix) $default = " checked selected"; // Add row $OUT .= " diff --git a/inc/mysql-connect.php b/inc/mysql-connect.php index c4aca483a4..e01516610f 100644 --- a/inc/mysql-connect.php +++ b/inc/mysql-connect.php 
@@ -161,11 +161,8 @@ LIMIT 1", __FILE__, __LINE__); // Secure and validate user ID from cookie UPDATE_LOGIN_DATA(); - // Get session ID - if (empty($_SESSION['PHPSESSID'])) $_SESSION['PHPSESSID'] = session_id(); - // Update online list - UPDATE_ONLINE_LIST($_SESSION['PHPSESSID'], $GLOBALS['module'], $GLOBALS['action'], $GLOBALS['what']); + UPDATE_ONLINE_LIST(get_session('PHPSESSID'), $GLOBALS['module'], $GLOBALS['action'], $GLOBALS['what']); // Load theme name $CurrTheme = GET_CURR_THEME(); diff --git a/inc/mysql-manager.php b/inc/mysql-manager.php index f8b4da5cde..46154a4108 100644 --- a/inc/mysql-manager.php +++ b/inc/mysql-manager.php @@ -388,8 +388,8 @@ function IS_ADMIN($admin="") //* DEBUG: */ echo __LINE__."ADMIN:".$admin."
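Review bot: Dropping `if (empty($_SESSION['PHPSESSID'])) $_SESSION['PHPSESSID'] = session_id();` leaves nothing in this hunk that populates `PHPSESSID`, so `get_session('PHPSESSID')` either returns an empty value for every visitor (collapsing the online list onto one key) or, if `get_session()` falls back to `$_COOKIE`, hands the raw client-supplied session cookie to `UPDATE_ONLINE_LIST()`. Pass the server-side ID directly instead: `UPDATE_ONLINE_LIST(session_id(), $GLOBALS['module'], $GLOBALS['action'], $GLOBALS['what']);`. If `UPDATE_ONLINE_LIST()` interpolates its first argument into SQL without escaping, the cookie fallback would also be an injection vector; its body is outside this hunk, so that needs checking at the callee.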
"; // If admin login is not given take current from cookies... - if ((empty($admin)) && (!empty($_SESSION['admin_login'])) && (!empty($_SESSION['admin_md5']))) { - $admin = SQL_ESCAPE($_SESSION['admin_login']); $passCookie = $_SESSION['admin_md5']; + if ((empty($admin)) && (isSessionVariableSet('admin_login')) && (isSessionVariableSet('admin_md5'))) { + $admin = SQL_ESCAPE(get_session('admin_login')); $passCookie = get_session('admin_md5'); } //* DEBUG: */ echo __LINE__."ADMIN:".$admin."/".$passCookie."
"; @@ -534,7 +534,7 @@ function IS_LOGGED_IN() FIX_DELETED_COOKIES(array('userid', 'u_hash', 'lifetime')); // Are cookies set? - if ((!empty($GLOBALS['userid'])) && (!empty($_SESSION['u_hash'])) && (!empty($_SESSION['lifetime'])) && (defined('COOKIE_PATH'))) + if ((!empty($GLOBALS['userid'])) && (isSessionVariableSet('u_hash')) && (isSessionVariableSet('lifetime')) && (defined('COOKIE_PATH'))) { // Cookies are set with values, but are they valid? $result = SQL_QUERY_ESC("SELECT password, status, last_module, last_online FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d LIMIT 1", @@ -551,31 +551,26 @@ function IS_LOGGED_IN() if ((!empty($mod)) && (empty($LAST['module']))) { $LAST['module'] = $mod; $LAST['online'] = $onl; } // So did we now have valid data and an unlocked user? - //* DEBUG: */ echo $valPass."
".$_SESSION['u_hash']."
"; - if (($status == "CONFIRMED") && ($valPass == $_SESSION['u_hash'])) - { + //* DEBUG: */ echo $valPass."
".get_session('u_hash')."
"; + if (($status == "CONFIRMED") && ($valPass == get_session('u_hash'))) { // Account is confirmed and all cookie data is valid so he is definely logged in! :-) $ret = true; - } - else - { + } else { // Maybe got locked etc. //* DEBUG: */ echo __LINE__."!!!
"; - set_session("userid", "", time() - 3600, COOKIE_PATH); - set_session("u_hash", "", time() - 3600, COOKIE_PATH); - set_session("lifetime", "", time() - 3600, COOKIE_PATH); + set_session("userid", ""); + set_session("u_hash", ""); + set_session("lifetime", ""); // Remove array elements to prevent errors unset($GLOBALS['userid']); } - } - else - { + } else { // Cookie data is invalid! //* DEBUG: */ echo __LINE__."***
"; - set_session("userid", "", time() - 3600, COOKIE_PATH); - set_session("u_hash", "", time() - 3600, COOKIE_PATH); - set_session("lifetime", "", time() - 3600, COOKIE_PATH); + set_session("userid", ""); + set_session("u_hash", ""); + set_session("lifetime", ""); // Remove array elements to prevent errors unset($GLOBALS['userid']); @@ -588,9 +583,9 @@ function IS_LOGGED_IN() { // Cookie data is invalid! //* DEBUG: */ echo __LINE__."///
"; - set_session("userid", "", time() - 3600, COOKIE_PATH); - set_session("u_hash", "", time() - 3600, COOKIE_PATH); - set_session("lifetime", "", time() - 3600, COOKIE_PATH); + set_session("userid", ""); + set_session("u_hash", ""); + set_session("lifetime", ""); // Remove array elements to prevent errors unset($GLOBALS['userid']); @@ -603,16 +598,16 @@ function UPDATE_LOGIN_DATA ($UPDATE=true) { if (!is_array($LAST)) $LAST = array(); // Are the required cookies set? - if ((!isset($GLOBALS['userid'])) || (!isset($_SESSION['u_hash'])) || (!isset($_SESSION['lifetime']))) { + if ((!isset($GLOBALS['userid'])) || (!isSessionVariableSet('u_hash')) || (!isSessionVariableSet('lifetime'))) { // Nope, then return here to caller function return false; } else { // Secure user ID - $GLOBALS['userid'] = bigintval($_SESSION['userid']); + $GLOBALS['userid'] = bigintval(get_session('userid')); } // Extract last online time (life) and how long is auto-login valid (time) - $newl = time() + bigintval($_SESSION['lifetime']); + $newl = time() + bigintval(get_session('lifetime')); // Recheck if logged in if (!IS_LOGGED_IN()) return false; @@ -627,7 +622,7 @@ function UPDATE_LOGIN_DATA ($UPDATE=true) { // Maybe first login time? if (empty($mod)) $mod = "login"; - if (set_session("userid", $GLOBALS['userid'], $newl, COOKIE_PATH) && set_session("u_hash", SQL_ESCAPE($_SESSION['u_hash']), $newl, COOKIE_PATH) && set_session("lifetime", bigintval($_SESSION['lifetime']), $newl, COOKIE_PATH)) { + if (set_session("userid", $GLOBALS['userid'], $newl, COOKIE_PATH) && set_session("u_hash", SQL_ESCAPE(get_session('u_hash')), $newl, COOKIE_PATH) && set_session("lifetime", bigintval(get_session('lifetime')), $newl, COOKIE_PATH)) { // This will be displayed on welcome page! :-) if (empty($LAST['module'])) { $LAST['module'] = $mod; $LAST['online'] = $onl; 
@@ -640,13 +635,11 @@ function UPDATE_LOGIN_DATA ($UPDATE=true) { $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_user_data SET last_module='%s', last_online=UNIX_TIMESTAMP() WHERE userid=%d LIMIT 1", array($GLOBALS['what'], $GLOBALS['userid']), __FILE__, __LINE__); } - } - else - { + } else { // Destroy session, we cannot update! - set_session("userid", "", time() - 3600, COOKIE_PATH); - set_session("u_hash", "", time() - 3600, COOKIE_PATH); - set_session("lifetime", "", time() - 3600, COOKIE_PATH); + set_session("userid", ""); + set_session("u_hash", ""); + set_session("lifetime", ""); } } // @@ -724,11 +717,11 @@ function SEND_MODE_MAILS($mod, $modes) list($hashDB) = SQL_FETCHROW($result_main); // Extract salt from cookie - $salt = substr($_SESSION['u_hash'], 0, -40); + $salt = substr(get_session('u_hash'), 0, -40); // Now let's compare passwords $hash = generatePassString($hashDB); - if (($hash == $_SESSION['u_hash']) || ($_POST['pass1'] == $_POST['pass2'])) { + if (($hash == get_session('u_hash')) || ($_POST['pass1'] == $_POST['pass2'])) { // Load user's data $result = SQL_QUERY_ESC("SELECT sex, surname, family, street_nr, country, zip, city, email FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d AND password='%s' LIMIT 1", array($GLOBALS['userid'], $hashDB), __FILE__, __LINE__); @@ -1178,10 +1171,9 @@ function UPDATE_ONLINE_LIST($SID, $mod, $act, $wht) // Is administrator $ADMIN = 'Y'; } - if (!empty($_SESSION['refid'])) - { + if (isSessionVariableSet('refid')) { // Check cookie - if ($_SESSION['refid'] > 0) $rid = $GLOBALS['refid']; + if (get_session('refid') > 0) $rid = $GLOBALS['refid']; } // Now Read data @@ -1496,7 +1488,7 @@ function SUB_JACKPOT($points) } // function IS_DEMO() { - return ((EXT_IS_ACTIVE("demo")) && ($_SESSION['admin_login'] == "demo")); + return ((EXT_IS_ACTIVE("demo")) && (get_session('admin_login') == "demo")); } // function LOAD_CONFIG($no="0") diff --git a/inc/session.php b/inc/session.php index b0420aa12d..306fd1cbf7 100644 
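Review bot: In `UPDATE_ONLINE_LIST()` the new condition tests the cookie value, `get_session('refid') > 0`, but then assigns `$rid = $GLOBALS['refid']`, and `inc/session.php` in this same commit derives `$GLOBALS['refid']` from `$_GET['ref']` with only `strip_tags()` and `SQL_ESCAPE()`, not `bigintval()`, so `$rid` is not guaranteed to be numeric even though the cookie was. Tighten it to `if (get_session('refid') > 0) $rid = bigintval($GLOBALS['refid']);`, or use the validated cookie value itself. How `$rid` reaches the subsequent query is outside the hunk, so whether this is reachable as an injection depends on that code.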
--- a/inc/session.php +++ b/inc/session.php @@ -67,9 +67,9 @@ if (!empty($_POST['refid'])) { } elseif (!empty($_GET['ref'])) { // Set refid=ref (the referral link uses such variable) $GLOBALS['refid'] = SQL_ESCAPE(strip_tags($_GET['ref'])); -} elseif (!empty($_SESSION['refid'])) { +} elseif (isSessionVariableSet('refid')) { // Set session refid als global - $GLOBALS['refid'] = bigintval($_SESSION['refid']); + $GLOBALS['refid'] = bigintval(get_session('refid')); } elseif (GET_EXT_VERSION("sql_patches") != "") { // Set default refid as refid in URL $GLOBALS['refid'] = bigintval($_CONFIG['def_refid']); @@ -79,7 +79,7 @@ if (!empty($_POST['refid'])) { } // Set cookie when default refid > 0 -if (empty($_SESSION['refid']) || (!empty($GLOBALS['refid'])) || (($_SESSION['refid'] == "0") && ($_CONFIG['def_refid'] > 0))) { +if (!isSessionVariableSet('refid') || (!empty($GLOBALS['refid'])) || ((get_session('refid') == "0") && ($_CONFIG['def_refid'] > 0))) { // Set cookie set_session("refid", $GLOBALS['refid']); } diff --git a/inc/theme-manager.php b/inc/theme-manager.php index d591bbbfcd..f463d23233 100644 --- a/inc/theme-manager.php +++ b/inc/theme-manager.php 
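Review bot: The rewritten condition writes `$GLOBALS['refid']` into the `refid` cookie via `set_session("refid", $GLOBALS['refid'])` whenever it is non-empty, and in the `$_GET['ref']` branch above that value is only passed through `strip_tags()` and `SQL_ESCAPE()`, so an arbitrary string from the URL is persisted client-side while the `$_SESSION` and `$_CONFIG` branches are normalised with `bigintval()`. Normalise the URL branch the same way, `$GLOBALS['refid'] = bigintval($_GET['ref']);`, or apply it at the write: `set_session("refid", bigintval($GLOBALS['refid']));`. A comment on the `if` saying which of the three sources wins and why would also help, since the precedence is not obvious from the condition.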
@@ -48,15 +48,15 @@ function GET_CURR_THEME() { // Load default theme if not empty from configuration if (!empty($_CONFIG['default_theme'])) $ret = $_CONFIG['default_theme']; - if (empty($_SESSION['mxchange_theme'])) { + if (!isSessionVariableSet('mxchange_theme')) { // Set default theme set_session("mxchange_theme", $ret, (time() + 60*60*24*365), COOKIE_PATH); - } elseif ((!empty($_SESSION['mxchange_theme'])) && (GET_EXT_VERSION("sql_patches") >= "0.1.4")) { + } elseif ((isSessionVariableSet('mxchange_theme')) && (GET_EXT_VERSION("sql_patches") >= "0.1.4")) { // Get theme from cookie - $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_themes WHERE theme_path='%s' LIMIT 1", array($_SESSION['mxchange_theme']), __FILE__, __LINE__); + $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_themes WHERE theme_path='%s' LIMIT 1", array(get_session('mxchange_theme')), __FILE__, __LINE__); if (SQL_NUMROWS($result) == 1) { // Design is valid! - $ret = $_SESSION['mxchange_theme']; + $ret = get_session('mxchange_theme'); } // Free memory @@ -69,15 +69,13 @@ function GET_CURR_THEME() { if ((!empty($_GET['theme'])) && (file_exists($theme)) && (is_readable($theme))) { // Set cookie from URL data set_session("mxchange_theme", $_GET['theme'], (time() + 60*60*24*365), COOKIE_PATH); - $_SESSION['mxchange_theme'] = $_GET['theme']; } elseif (file_exists(PATH."theme/".$_POST['theme']."/theme.php")) { // Set cookie from posted data set_session("mxchange_theme", $_POST['theme'], (time() + 60*60*24*365), COOKIE_PATH); - $_SESSION['mxchange_theme'] = $_POST['theme']; } // Set return value - $ret = $_SESSION['mxchange_theme']; + $ret = get_session('mxchange_theme'); } else { // Invalid design, reset cookie set_session("mxchange_theme", $ret, (time() + 60*60*24*365), COOKIE_PATH); diff --git a/index.php b/index.php index 0eb9d8dcc6..7f9ea32350 100644 --- a/index.php +++ b/index.php 
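Review bot: In the second hunk both cookie writes store the request value unchanged — `set_session("mxchange_theme", $_GET['theme'], …)` and `set_session("mxchange_theme", $_POST['theme'], …)` — and the `$_POST` guard, `file_exists(PATH."theme/".$_POST['theme']."/theme.php")`, is satisfied by traversal strings such as `../../dir` as long as a `theme.php` exists there, after which `$ret = get_session('mxchange_theme')` returns that string as the current theme. Restrict the name before it is persisted, e.g. `$theme_name = basename($_POST['theme']);` (likewise for `$_GET['theme']`) together with a character whitelist such as `preg_match('/^[a-zA-Z0-9_-]+$/', $theme_name)`, or reuse the `_themes` table lookup from the first hunk. Whether `$ret` is later used to build an include path is outside this hunk, so the severity depends on the caller.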
@@ -55,12 +55,12 @@ if (defined('mxchange_installed') && (isBooleanConstantAndTrue('mxchange_install if (!isset($_CONFIG['index_cookie'])) $_CONFIG['index_cookie'] = 0; // Check for cookies - if ((empty($_SESSION['visited'])) || ($_CONFIG['index_delay'] == 0) || ($_CONFIG['index_cookie'] == 0)) { + if ((isSessionVariableSet('visited')) || ($_CONFIG['index_delay'] == 0) || ($_CONFIG['index_cookie'] == 0)) { // Is the index page configured for redirect pr not? if ($_CONFIG['index_cookie'] > 0) { // Set cookie and remeber it for specified time set_session("visited", "true", (time() + $_CONFIG['index_cookie']), COOKIE_PATH); - } elseif (!empty($_SESSION['visited'])) { + } elseif (isSessionVariableSet('visited')) { // Remove cookie when admin set 0 in setup set_session("visited", ""); } diff --git a/lead-confirm.php b/lead-confirm.php index 382b4070e4..bb4112b0f9 100644 --- a/lead-confirm.php +++ b/lead-confirm.php @@ -57,13 +57,13 @@ if (defined('mxchange_installed') && (isBooleanConstantAndTrue('mxchange_install ); // Is the cookie set? - if (isset($_SESSION['lead_uid'])) { + if (isSessionVariableSet('lead_uid')) { // Is the user-account unlocked and valid? $result = SQL_QUERY_ESC("SELECT email FROM "._MYSQL_PREFIX."_user_data WHERE userid=%d AND status='CONFIRMED' LIMIT 1", - array(bigintval($_SESSION['lead_uid'])), __FILE__, __LINE__); + array(bigintval(get_session('lead_uid'))), __FILE__, __LINE__); if (SQL_NUMROWS($result) == 1) { // Secure the ID number - $content['lead_uid'] = bigintval($_SESSION['lead_uid']); + $content['lead_uid'] = bigintval(get_session('lead_uid')); // Load the email address list($content['lead_email']) = COMPILE_CODE(SQL_FETCHROW($result)); -- 2.39.5
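Review bot: The outer condition in `index.php` is inverted on the new side: the old test was `empty($_SESSION['visited'])` (true when the visitor has no cookie) but the replacement is `isSessionVariableSet('visited')` without negation, so the `set_session("visited", "true", …)` branch now runs only for visitors who already have the cookie and first-time visitors skip it, the opposite of the old behaviour. The other `empty()` replacements visible in this diff use `!isSessionVariableSet()`, so this should read `if ((!isSessionVariableSet('visited')) || ($_CONFIG['index_delay'] == 0) || ($_CONFIG['index_cookie'] == 0)) {`. The inner `elseif (isSessionVariableSet('visited'))` correctly mirrors the old `!empty()`.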