From 7989ec603971c0dc8dc35d8be4e72f8098b83baa Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Mon, 23 Feb 2009 22:15:43 +0000 Subject: [PATCH] Functions imported, some dev-scripts added --- inc/db/lib-mysql3.php | 41 ++-- inc/extensions.php | 6 +- inc/functions.php | 254 +++++++++++++++----- inc/header.php | 2 +- inc/libs/wernis_functions.php | 4 +- inc/libs/yoomedia_functions.php | 2 +- inc/loader/load_cache-config.php | 2 +- inc/modules/admin/admin-inc.php | 22 +- inc/modules/admin/overview-inc.php | 11 +- inc/modules/admin/what-list_payouts.php | 2 +- inc/modules/admin/what-list_unconfirmed.php | 2 +- inc/modules/admin/what-usage.php | 2 +- inc/modules/frametester.php | 2 +- inc/modules/loader.php | 2 +- 14 files changed, 243 insertions(+), 111 deletions(-) diff --git a/inc/db/lib-mysql3.php b/inc/db/lib-mysql3.php index b1850f4efa..f90a8f6f9a 100644 --- a/inc/db/lib-mysql3.php +++ b/inc/db/lib-mysql3.php @@ -47,12 +47,12 @@ function SQL_QUERY ($sql_string, $F, $L) { // Remove \t, \n and \r from queries they may confuse some MySQL version I have heard $sql_string = str_replace("\t", " ", str_replace("\n", " ", str_replace("\r", " ", $sql_string))); - // Starting time - $querytimeBefore = array_sum(explode(' ', microtime())); - // Replace {!_MYSQL_PREFIX!} with constant, closes #84. Thanks to profi-concept $sql_string = str_replace("{!_MYSQL_PREFIX!}", constant('_MYSQL_PREFIX'), $sql_string); + // Starting time + $querytimeBefore = array_sum(explode(' ', microtime())); + // Run SQL command //* DEBUG: */ echo $sql_string."
\n"; $result = mysql_query($sql_string, $link) @@ -164,8 +164,8 @@ function SQL_FETCHARRAY($res, $nr=0, $remove_numerical=true) { for ($idx = 0; $idx < ($max / 2); $idx++) { // Remove entry unset($row[$idx]); - } - } + } // END - for + } // END - if // Return row return $row; @@ -180,11 +180,13 @@ function SQL_RESULT ($res, $row, $field) { $result = mysql_result($res, $row, $field); return $result; } + // SQL connect function SQL_CONNECT ($host, $login, $password, $F, $L) { $connect = mysql_connect($host, $login, $password) or addFatalMessage($F." (".$L."):".mysql_error()); return $connect; } + // SQL select database function SQL_SELECT_DB ($dbName, $link, $F, $L) { // Is there still a valid link? If not, skip it. @@ -192,6 +194,7 @@ function SQL_SELECT_DB ($dbName, $link, $F, $L) { return mysql_select_db($dbName, $link) or addFatalMessage($F." (".$L."):".mysql_error()); } + // SQL close link function SQL_CLOSE (&$link, $F, $L) { global $cacheInstance, $cacheArray; @@ -251,7 +254,7 @@ function SQL_QUERY_ESC ($qstring, $data, $file, $line, $run=true, $strip=true) { } else { $eval .= ", ''"; } - } + } // END - foreach $eval .= ");"; // // Debugging @@ -266,16 +269,10 @@ function SQL_QUERY_ESC ($qstring, $data, $file, $line, $run=true, $strip=true) { // Was the eval() command fine? if ($query == "failed") { // Something went wrong? - printf("eval=%s\n
%s
", - htmlentities($eval), - debug_get_printable_backtrace() - ); - - // Abort further code executions - exit; + debug_report_bug("eval={$eval}"); } // END - if - if ($run) { + if ($run === true) { // Run SQL query (default) return SQL_QUERY($query, $file, $line); } else { @@ -302,11 +299,9 @@ function SQL_ESCAPE ($str, $secureString=true,$strip=true) { } // END - if if (!is_resource($link)) { - // Fall-back to addslashes() when there is no link - return addslashes($str); - } // END - if - - if (function_exists('mysql_real_escape_string')) { + // Fall-back to smartAddSlashes() when there is no link + return smartAddSlashes($str); + } elseif (function_exists('mysql_real_escape_string')) { // The new and improved version //* DEBUG: */ print __FUNCTION__."(".__LINE__."):str={$str}
\n"; return mysql_real_escape_string($str, $link); @@ -314,8 +309,8 @@ function SQL_ESCAPE ($str, $secureString=true,$strip=true) { // The obsolete function return mysql_escape_string($str, $link); } else { - // If nothing else works - return addslashes($str); + // If nothing else works, fall back to smartAddSlashes() + return smartAddSlashes($str); } } @@ -345,7 +340,8 @@ function SQL_ALTER_TABLE ($sql, $F, $L) { $result = false; // Determine index/fulltext/unique word - $noIndex = ((eregi("INDEX", $sql) == false) && (eregi("FULLTEXT", $sql) == false) && (eregi("UNIQUE", $sql) == false); + // 12 3 3 2 2 3 3 2 2 3 3 21 + $noIndex = ((eregi("INDEX", $sql) == false) && (eregi("FULLTEXT", $sql) == false) && (eregi("UNIQUE", $sql) == false)); // Shall we add/drop? if (((eregi("ADD", $sql) > 0) || (eregi("DROP", $sql) > 0)) && ($noIndex)) { @@ -374,5 +370,6 @@ function SQL_ALTER_TABLE ($sql, $F, $L) { // Return result return $result; } + // ?> diff --git a/inc/extensions.php b/inc/extensions.php index 8de47c2d42..608cb3234f 100644 --- a/inc/extensions.php +++ b/inc/extensions.php @@ -479,7 +479,7 @@ function EXTENSION_UPDATE ($ext_name, $ext_ver, $dry_run = false) { if (!$dry_run) { // Create task - CREATE_EXTENSION_UPDATE_TASK(GET_CURRENT_ADMIN_ID(), $ext_name, $cacheArray['update_ver'][$ext_name], addslashes($NOTES)); + CREATE_EXTENSION_UPDATE_TASK(GET_CURRENT_ADMIN_ID(), $ext_name, $cacheArray['update_ver'][$ext_name], SQL_ESCAPE($NOTES)); // Update extension's version SQL_QUERY_ESC("UPDATE `{!_MYSQL_PREFIX!}_extensions` SET ext_version='%s' WHERE ext_name='%s' LIMIT 1", @@ -700,7 +700,7 @@ VALUES (%s,0,'NEW','EXTENSION','%s','%s',UNIX_TIMESTAMP())", array( $admin_id, $subject, - addslashes($msg), + SQL_ESCAPE($msg), ), __FILE__, __LINE__, true, false ); } // END - if @@ -718,7 +718,7 @@ function CREATE_EXTENSION_DEACTIVATION_TASK ($ext) { VALUES (0,0,'NEW','EXTENSION_DEACTIVATION','%s','%s',UNIX_TIMESTAMP())", array( $subject, - addslashes(LOAD_TEMPLATE("task_ext_deactivated", true, $ext)), + SQL_ESCAPE(LOAD_TEMPLATE("task_ext_deactivated", true, $ext)), ), __FILE__, __LINE__, true, false ); } // END - if diff --git a/inc/functions.php b/inc/functions.php index c5db673515..ef6cbde532 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -139,7 +139,7 @@ function OUTPUT_HTML ($HTML, $newLine = true) { while (strpos($OUTPUT, '{!') > 0) { // Prepare the content and eval() it... $newContent = ""; - $eval = "\$newContent = \"".COMPILE_CODE(addslashes($OUTPUT))."\";"; + $eval = "\$newContent = \"".COMPILE_CODE(SQL_ESCAPE($OUTPUT))."\";"; @eval($eval); // Was that eval okay? @@ -160,7 +160,7 @@ function OUTPUT_HTML ($HTML, $newLine = true) { // Compile and run finished rendered HTML code while (strpos($OUTPUT, '{!') > 0) { - $eval = "\$OUTPUT = \"".COMPILE_CODE(addslashes($OUTPUT))."\";"; + $eval = "\$OUTPUT = \"".COMPILE_CODE(SQL_ESCAPE($OUTPUT))."\";"; eval($eval); } // END - while @@ -251,7 +251,9 @@ function LOAD_TEMPLATE ($template, $return=false, $content=array()) { // Translate gender $content['gender'] = TRANSLATE_GENDER($content['gender']); } else { - // DEPRECATED: Load data in direct variables + // @DEPRECATED + // @TODO Fine all templates which are using these direct variables and rewrite them. + // @TODO After this step is done, this else-block is history list($gender, $surname, $family, $email) = SQL_FETCHROW($result); // Translate gender @@ -337,7 +339,7 @@ function LOAD_TEMPLATE ($template, $return=false, $content=array()) { $ret = ""; if ((strpos($tmpl_file, "\$") !== false) || (strpos($tmpl_file, '{--') !== false) || (strpos($tmpl_file, '--}') > 0)) { // Okay, compile it! - $tmpl_file = "\$ret=\"".COMPILE_CODE(addslashes($tmpl_file))."\";"; + $tmpl_file = "\$ret=\"".COMPILE_CODE(SQL_ESCAPE($tmpl_file))."\";"; eval($tmpl_file); } else { // Simply return loaded code @@ -383,7 +385,7 @@ function SEND_EMAIL($TO, $SUBJECT, $MSG, $HTML = "N", $FROM = "") { //* DEBUG: */ print __FUNCTION__."(".__LINE__."):TO={$TO},SUBJECT={$SUBJECT}
\n"; // Compile subject line (for POINTS constant etc.) - $eval = "\$SUBJECT = html_entity_decode(\"".COMPILE_CODE(addslashes($SUBJECT))."\");"; + $eval = "\$SUBJECT = decodeEntities(\"".COMPILE_CODE(SQL_ESCAPE($SUBJECT))."\");"; eval($eval); // Set from header @@ -436,11 +438,11 @@ function SEND_EMAIL($TO, $SUBJECT, $MSG, $HTML = "N", $FROM = "") { } // Compile "TO" - $eval = "\$TO = \"".COMPILE_CODE(addslashes($TO))."\";"; + $eval = "\$TO = \"".COMPILE_CODE(SQL_ESCAPE($TO))."\";"; eval($eval); // Compile "MSG" - $eval = "\$MSG = \"".COMPILE_CODE(addslashes($MSG))."\";"; + $eval = "\$MSG = \"".COMPILE_CODE(SQL_ESCAPE($MSG))."\";"; eval($eval); // Fix HTML parameter (default is no!) @@ -504,7 +506,7 @@ function SEND_RAW_EMAIL ($to, $subject, $msg, $from) { $mail->WordWrap = 70; $mail->IsHTML(true); } else { - $mail->Body = html_entity_decode($msg); + $mail->Body = decodeEntities($msg); } $mail->AddAddress($to, ""); $mail->AddReplyTo(constant('WEBMASTER'), constant('MAIN_TITLE')); @@ -513,7 +515,7 @@ function SEND_RAW_EMAIL ($to, $subject, $msg, $from) { $mail->Send(); } else { // Use legacy mail() command - @mail($to, $subject, html_entity_decode($msg), $from); + @mail($to, $subject, decodeEntities($msg), $from); } } // @@ -624,35 +626,45 @@ function DEREFERER ($URL) { // Don't de-refer our own links! if (substr($URL, 0, strlen(URL)) != URL) { // De-refer this link - $URL = "modules.php?module=loader&url=".urlencode(base64_encode(gzcompress($URL))); + $URL = "modules.php?module=loader&url=".encodeString(compileUriCode($URL)); } // END - if // Return link return $URL; } -// +// Translate Uni*-like gender to human-readable function TRANSLATE_GENDER ($gender) { - switch ($gender) - { - case "M": $ret = GENDER_M; break; - case "F": $ret = GENDER_F; break; - case "C": $ret = GENDER_C; break; - default : $ret = $gender; break; + // Default + $ret = "!{$gender}!"; + + // Male/female or company? + switch ($gender) { + case "M": $ret = getMessage('GENDER_M'); break; + case "F": $ret = getMessage('GENDER_F'); break; + case "C": $ret = getMessage('GENDER_C'); break; + default: + // Log unknown gender + DEBUG_LOG(__FUNCTION__, __LINE__, sprintf("Unknown gender %s detected.", $gender)); + break; } + + // Return translated gender return $ret; } + // -function FRAMETESTER($URL) { +function FRAMETESTER ($URL) { // Prepare frametester URL $frametesterUrl = sprintf("%s/modules.php?module=frametester&url=%s", URL, - urlencode(base64_encode(gzcompress(COMPILE_CODE($URL)))) + encodeString(compileUriCode($URL)) ); return $frametesterUrl; } + // -function SELECTION_COUNT($array) { +function SELECTION_COUNT ($array) { $ret = 0; if (is_array($array)) { foreach ($array as $key => $sel) { @@ -666,31 +678,27 @@ function IMG_CODE ($code, $type, $DATA, $uid) { return "\"Code\""; } // -function TRANSLATE_STATUS($status) { +function TRANSLATE_STATUS ($status) { switch ($status) { case "UNCONFIRMED": - $ret = ACCOUNT_UNCONFIRMED; - break; - case "CONFIRMED": - $ret = ACCOUNT_CONFIRMED; - break; - case "LOCKED": - $ret = ACCOUNT_LOCKED; + $ret = getMessage(sprintf("ACCOUNT_%s", $status)); break; case "": case null: - $ret = ACCOUNT_DELETED; + $ret = getMessage('ACCOUNT_DELETED'); break; default: DEBUG_LOG(__FUNCTION__, __LINE__, sprintf("Unknown status %s detected.", $status)); - $ret = UNKNOWN_STATUS_1.$status.UNKNOWN_STATUS_2; + $ret = sprintf(getMessage('UNKNOWN_STATUS"'), $status); break; } + + // Return it return $ret; } // @@ -770,7 +778,7 @@ function LOAD_EMAIL_TEMPLATE($template, $content=array(), $UID="0") { // Expiration in a nice output format if (getConfig('auto_purge') == 0) { // Will never expire! - $EXPIRATION = MAIL_WILL_NEVER_EXPIRE; + $EXPIRATION = getMessage('MAIL_WILL_NEVER_EXPIRE'); } else { // Create nice date string $EXPIRATION = CREATE_FANCY_TIME(getConfig('auto_purge')); @@ -852,10 +860,10 @@ function LOAD_EMAIL_TEMPLATE($template, $content=array(), $UID="0") { if (FILE_READABLE($file)) { // The local file does exists so we load it. :) $tmpl_file = READ_FILE($file); - $tmpl_file = addslashes($tmpl_file); + $tmpl_file = SQL_ESCAPE($tmpl_file); // Run code - $tmpl_file = "\$newContent = html_entity_decode(\"".COMPILE_CODE($tmpl_file)."\");"; + $tmpl_file = "\$newContent = decodeEntities(\"".COMPILE_CODE($tmpl_file)."\");"; @eval($tmpl_file); } elseif (!empty($template)) { // Template file not found! @@ -903,7 +911,7 @@ function LOAD_URL($URL, $addUrlData=true) { global $CSS, $footer; // Compile out URI codes - $URL = COMPILE_CODE($URL); + $URL = compileUriCode($URL); // Check if http(s):// is there if ((substr($URL, 0, 7) != "http://") && (substr($URL, 0, 8) != "https://")) { @@ -1210,19 +1218,25 @@ function ADD_SELECTION($type, $DEFAULT, $prefix="", $id="0") { // function TRANSLATE_YESNO($yn) { - switch ($yn) - { - case "Y": $yn = YES; break; - case "N": $yn = NO; break; - default : $yn = "??? (".$yn.")"; break; + // Default + $yn = "??? (".$yn.")"; + switch ($yn) { + case "Y": $yn = getMessage('YES'); break; + case "N": $yn = getMessage('NO'); break; + default: + // Log unknown value + DEBUG_LOG(__FUNCTION__, __LINE__, sprintf("Unknown value %s. Expected Y/N!", $yn)); + break; } + + // Return it return $yn; } // // Deprecated : $length // Optional : $DATA // -function GEN_RANDOM_CODE($length, $code, $uid, $DATA="") { +function GEN_RANDOM_CODE ($length, $code, $uid, $DATA="") { // Fix missing _MAX constant if (!defined('_MAX')) define('_MAX', 15235); @@ -1230,7 +1244,7 @@ function GEN_RANDOM_CODE($length, $code, $uid, $DATA="") { $server = $_SERVER['PHP_SELF'].":".GET_USER_AGENT().":".getenv('SERVER_SOFTWARE').":".GET_REMOTE_ADDR().":".":".filemtime(constant('PATH')."inc/databases.php"); // Build key string - $keys = SITE_KEY.":".DATE_KEY; + $keys = constant('SITE_KEY').":".constant('DATE_KEY'); if (getConfig('secret_key') != null) $keys .= ":".getConfig('secret_key'); if (getConfig('file_hash') != null) $keys .= ":".getConfig('file_hash'); $keys .= ":".date("d-m-Y (l-F-T)", bigintval(getConfig('patch_ctime'))); @@ -1254,13 +1268,13 @@ function GEN_RANDOM_CODE($length, $code, $uid, $DATA="") { $saltedHash = generateHash(($a % constant('_PRIME')).":".$server.":".$keys.":".$data.":".date("d-m-Y (l-F-T)", time()).":".$a, getConfig('master_salt')); // Create number from hash - $rcode = hexdec(substr($saltedHash, strlen(getConfig('master_salt')), 9)) / abs(_MAX - $a + sqrt(_ADD)) / pi(); + $rcode = hexdec(substr($saltedHash, strlen(getConfig('master_salt')), 9)) / abs(constant('_MAX') - $a + sqrt(constant('_ADD'))) / pi(); } else { // Generate hash with "hash of site key" from modula of number with the prime number and other data $saltedHash = generateHash(($a % constant('_PRIME')).":".$server.":".$keys.":".$data.":".date("d-m-Y (l-F-T)", time()).":".$a, substr(sha1(SITE_KEY), 0, 8)); // Create number from hash - $rcode = hexdec(substr($saltedHash, 8, 9)) / abs(_MAX - $a + sqrt(_ADD)) / pi(); + $rcode = hexdec(substr($saltedHash, 8, 9)) / abs(constant('_MAX') - $a + sqrt(constant('_ADD'))) / pi(); } // At least 10 numbers shall be secure enought! @@ -1274,6 +1288,7 @@ function GEN_RANDOM_CODE($length, $code, $uid, $DATA="") { // Done building code return $return; } + // Does only allow numbers function bigintval($num, $castValue = true) { // Filter all numbers out @@ -1286,20 +1301,21 @@ function bigintval($num, $castValue = true) { // @TODO Remove this if() block if all is working fine if ("".$ret."" != "".$num."") { // Log the values - debug_report_bug(); + debug_report_bug("{$ret}<>{$num}"); } // END - if // Return result return $ret; } + // Insert the code in $img_code into jpeg or PNG image -function GENERATE_IMAGE($img_code, $header=true) { +function GENERATE_IMAGE ($img_code, $header=true) { if ((strlen($img_code) > 6) || (empty($img_code)) || (getConfig('code_length') == 0)) { // Stop execution of function here because of over-sized code length return; } elseif (!$header) { // Return in an HTML code code - return "\n"; + return "\"Image\"\n"; } // Load image @@ -1320,6 +1336,7 @@ function GENERATE_IMAGE($img_code, $header=true) { } } else { // Exit function here + DEBUG_LOG(__FUNCTION__, __LINE__, sprintf("File for image type %s not found.", getConfig('img_type'))); return; } @@ -1635,7 +1652,7 @@ function CREATE_FANCY_TIME ($stamp) { foreach($data as $k => $v) { if ($v > 0) { // Value is greater than 0 "eval" data to return string - $eval = "\$ret .= \", \".\$v.\" \"._".strtoupper($k).";"; + $eval = "\$ret .= \", \".\$v.\" {--_".strtoupper($k)."--}\";"; eval($eval); break; } // END - if @@ -1647,7 +1664,7 @@ function CREATE_FANCY_TIME ($stamp) { $ret = substr($ret, 2); } else { // Zero seconds - $ret = "0 "._SECONDS; + $ret = "0 {--_SECONDS--}"; } // Return fancy time string @@ -1713,7 +1730,7 @@ function ADD_EMAIL_NAV($PAGES, $offset, $show_form, $colspan, $return=false) { // Extract host from script name function EXTRACT_HOST (&$script) { // Use default SERVER_URL by default... ;) So? - $url = SERVER_URL; + $url = constant('SERVER_URL'); // Is this URL valid? if (substr($script, 0, 7) == "http://") { @@ -1756,8 +1773,8 @@ function GET_URL ($script) { // Generate GET request header $request = "GET /" . trim($script) . " HTTP/1.1\r\n"; $request .= "Host: " . $host . "\r\n"; - $request .= "Referer: " . URL . "/admin.php\r\n"; - $request .= "User-Agent: " . TITLE . "/" . FULL_VERSION . "\r\n"; + $request .= "Referer: " . constant('URL') . "/admin.php\r\n"; + $request .= "User-Agent: " . constant('TITLE') . "/" . constant('FULL_VERSION') . "\r\n"; $request .= "Content-Type: text/plain\r\n"; $request .= "Cache-Control: no-cache\r\n"; $request .= "Connection: Close\r\n\r\n"; @@ -1790,8 +1807,8 @@ function POST_URL ($script, $postData) { // Generate POST request header $request = "POST /" . trim($script) . " HTTP/1.1\r\n"; $request .= "Host: " . $host . "\r\n"; - $request .= "Referer: " . URL . "/admin.php\r\n"; - $request .= "User-Agent: " . TITLE . "/" . FULL_VERSION . "\r\n"; + $request .= "Referer: " . constant('URL') . "/admin.php\r\n"; + $request .= "User-Agent: " . constant('TITLE') . "/" . constant('FULL_VERSION') . "\r\n"; $request .= "Content-type: application/x-www-form-urlencoded\r\n"; $request .= "Content-length: " . strlen($data) . "\r\n"; $request .= "Cache-Control: no-cache\r\n"; @@ -1930,6 +1947,7 @@ function VALIDATE_EMAIL($email) { // Return check result return eregi($regex, $email); } + // Function taken from user comments on www.php.net / function eregi() function VALIDATE_URL ($URL, $compile=true) { // Trim URL a little @@ -1937,7 +1955,7 @@ function VALIDATE_URL ($URL, $compile=true) { //* DEBUG: */ echo $URL."
"; // Compile some chars out... - if ($compile) $URL = COMPILE_CODE($URL, false, false, false); + if ($compile) $URL = compileUriCode($URL, false, false, false); //* DEBUG: */ echo $URL."
"; // Check for the extension filter @@ -1948,8 +1966,9 @@ function VALIDATE_URL ($URL, $compile=true) { // If not installed, perform a simple test. Just make it sure there is always a http:// or // https:// in front of the URLs - return (((substr($URL, 0, 7) == "http://") || (substr($URL, 0, 8) == "https://")) && (strlen($URL) >= 12)); + return isUrlValid($URL); } + // function MEMBER_ACTION_LINKS ($uid, $status = "") { // Define all main targets @@ -1986,11 +2005,14 @@ function MEMBER_ACTION_LINKS ($uid, $status = "") { // Return string return $OUT; } + // Function for backward-compatiblity -function ADD_CATEGORY_table ($MODE, $return=false) { +// @TODO Can this function be deprecated? +function ADD_CATEGORY_TABLE ($MODE, $return=false) { // Load it from the register extension - return REGISTER_ADD_CATEGORY_table ($MODE, $return); + return REGISTER_ADD_CATEGORY_TABLE ($MODE, $return); } + // Generate an email link function CREATE_EMAIL_LINK ($email, $table = "admins") { // Default email link (INSECURE! Spammer can read this by harvester programs) @@ -3295,6 +3317,124 @@ function INCLUDE_READABLE ($INC) { return FILE_READABLE($FQFN); } +// Encode strings +// @TODO Implement $compress +function encodeString ($str, $compress=true) { + $str = urlencode(base64_encode(compileUriCode($str))); + return $str; +} + +// Decode strings encoded with encodeString() +// @TODO Implement $decompress +function decodeString ($str, $decompress=true) { + $str = compileUriCode(base64_decode(urldecode(compileUriCode($str)))); + return $str; +} + +// Compile characters which are allowed in URLs +function compileUriCode ($code, $simple=true) { + // Compile constants + if (!$simple) $code = str_replace("{--", '".', str_replace("--}", '."', $code)); + + // Compile QUOT and other non-HTML codes + $code = str_replace("{DOT}", ".", + str_replace("{SLASH}", "/", + str_replace("{QUOT}", "'", + str_replace("{DOLLAR}", "$", + str_replace("{OPEN_ANCHOR}", "(", + str_replace("{CLOSE_ANCHOR}", ")", + str_replace("{OPEN_SQR}", "[", + str_replace("{CLOSE_SQR}", "]", + str_replace("{PER}", "%", + $code + ))))))))); + + // Return compiled code + return $code; +} + +// Function taken from user comments on www.php.net / function eregi() +function isUrlValid ($url) { + // Prepare URL + $url = strip_tags(str_replace("\\", "", compileUriCode(urldecode($url)))); + + // Allows http and https + $http = "(http|https)+(:\/\/)"; + // Test domain + $domain1 = "([[:alnum:]]([-[:alnum:]])*\.)?([[:alnum:]][-[:alnum:]\.]*[[:alnum:]])(\.[[:alpha:]]{2,5})?"; + // Test double-domains (e.g. .de.vu) + $domain2 = "([-[:alnum:]])?(\.[[:alnum:]][-[:alnum:]\.]*[[:alnum:]])(\.[[:alpha:]]{2,5})(\.[[:alpha:]]{2,5})?"; + // Test IP number + $ip = "([[:digit:]]{1,3})\.([[:digit:]]{1,3})\.([[:digit:]]{1,3})\.([[:digit:]]{1,3})"; + // ... directory + $dir = "((/)+([-_\.[:alnum:]])+)*"; + // ... page + $page = "/([-_[:alnum:]][-\._[:alnum:]]*\.[[:alnum:]]{2,5})?"; + // ... and the string after and including question character + $getstring1 = "([\?/]([[:alnum:]][-\._%[:alnum:]]*(=)?([-\@\._:%[:alnum:]])+)(&([[:alnum:]]([-_%[:alnum:]])*(=)?([-\@\[\._:%[:alnum:]])+(\])*))*)?"; + // Pattern for URLs like http://url/dir/doc.html?var=value + $pattern['d1dpg1'] = $http.$domain1.$dir.$page.$getstring1; + $pattern['d2dpg1'] = $http.$domain2.$dir.$page.$getstring1; + $pattern['ipdpg1'] = $http.$ip.$dir.$page.$getstring1; + // Pattern for URLs like http://url/dir/?var=value + $pattern['d1dg1'] = $http.$domain1.$dir."/".$getstring1; + $pattern['d2dg1'] = $http.$domain2.$dir."/".$getstring1; + $pattern['ipdg1'] = $http.$ip.$dir."/".$getstring1; + // Pattern for URLs like http://url/dir/page.ext + $pattern['d1dp'] = $http.$domain1.$dir.$page; + $pattern['d1dp'] = $http.$domain2.$dir.$page; + $pattern['ipdp'] = $http.$ip.$dir.$page; + // Pattern for URLs like http://url/dir + $pattern['d1d'] = $http.$domain1.$dir; + $pattern['d2d'] = $http.$domain2.$dir; + $pattern['ipd'] = $http.$ip.$dir; + // Pattern for URLs like http://url/?var=value + $pattern['d1g1'] = $http.$domain1."/".$getstring1; + $pattern['d2g1'] = $http.$domain2."/".$getstring1; + $pattern['ipg1'] = $http.$ip."/".$getstring1; + // Pattern for URLs like http://url?var=value + $pattern['d1g12'] = $http.$domain1.$getstring1; + $pattern['d2g12'] = $http.$domain2.$getstring1; + $pattern['ipg12'] = $http.$ip.$getstring1; + // Test all patterns + $reg = false; + foreach ($pattern as $key=>$pat) { + // Debug regex? + if (defined('DEBUG_REGEX')) { + $pat = str_replace("[:alnum:]", "0-9a-zA-Z", $pat); + $pat = str_replace("[:alpha:]", "a-zA-Z", $pat); + $pat = str_replace("[:digit:]", "0-9", $pat); + $pat = str_replace(".", "\.", $pat); + $pat = str_replace("@", "\@", $pat); + echo $key."= ".$pat."
"; + } + + // Check if expression matches + $reg = ($reg || preg_match(("^".$pat."^"), $url)); + + // Does it match? + if ($reg === true) break; + } + + // Return true/false + return $reg; +} + +// Smartly adds slashes +function smartAddSlashes ($unquoted) { + $unquoted = str_replace("\\", "", $unquoted); + return addslashes($unquoted); +} + +// Decode entities in a nicer way +function decodeEntities ($str) { + // @TODO We may want to switch over to UTF-8 here! + $decodedString = html_entity_decode($str, ENT_NOQUOTES, "ISO-8859-15"); + + // Return decoded string + return $decodedString; +} + ////////////////////////////////////////////////// // AUTOMATICALLY RE-GENERATED MISSING FUNCTIONS // ////////////////////////////////////////////////// diff --git a/inc/header.php b/inc/header.php index 5d32484a7a..56cafa67ce 100644 --- a/inc/header.php +++ b/inc/header.php @@ -77,7 +77,7 @@ if (($header != "1") && ($header != "2")) { if ((getConfig('enable_title_deco') == "Y") && (getConfig('title_right') != "")) $TITLE .= " ".trim(getConfig('title_right')); // Remember title in constant for the template - define('__PAGE_TITLE', html_entity_decode($TITLE)); + define('__PAGE_TITLE', $TITLE); } elseif ((!isBooleanConstantAndTrue('mxchange_installed')) || (!isBooleanConstantAndTrue('admin_registered'))) { // Load language file because it was missing in installation finalizer step... *sigh* $FQFN = sprintf("inc/language/install_%s.php", diff --git a/inc/libs/wernis_functions.php b/inc/libs/wernis_functions.php index 89adec715d..0cb27530e0 100644 --- a/inc/libs/wernis_functions.php +++ b/inc/libs/wernis_functions.php @@ -234,7 +234,7 @@ function WERNIS_EXECUTE_WITHDRAW ($wdsId, $userMd5, $amount) { 't_md5' => $userMd5, 'r_uid' => getConfig('wernis_refid'), 'amount' => bigintval($amount), - 'purpose' => urlencode(base64_encode($purpose)) + 'purpose' => encodeString($purpose, false) ); // Return the result from the lower functions @@ -275,7 +275,7 @@ function WERNIS_EXECUTE_PAYOUT ($wdsId, $amount) { 't_md5' => getConfig('wernis_pass_md5'), 'r_uid' => bigintval($wdsId), 'amount' => bigintval($amount), - 'purpose' => urlencode(base64_encode($purpose)) + 'purpose' => encodeString($purpose, false) ); // Return the result from the lower functions diff --git a/inc/libs/yoomedia_functions.php b/inc/libs/yoomedia_functions.php index 9307272432..e167b07b95 100644 --- a/inc/libs/yoomedia_functions.php +++ b/inc/libs/yoomedia_functions.php @@ -57,7 +57,7 @@ function YOOMEDIA_TEST_CONFIG ($data) { // Query the API with a test request without couting it // If zero reply comes back the data is invalid! - $response = YOOMEDIA_QUERY_API("out_textmail.php", true); // TODO Ask Yoo!Media for test script + $response = YOOMEDIA_QUERY_API("out_textmail.php", true); // @TODO Ask Yoo!Media for test script // Log the response if failed if (count($response) == 0) { diff --git a/inc/loader/load_cache-config.php b/inc/loader/load_cache-config.php index 72853a24f6..39b032af95 100644 --- a/inc/loader/load_cache-config.php +++ b/inc/loader/load_cache-config.php @@ -46,7 +46,7 @@ if (($cacheInstance->loadCacheFile("config", true)) && ($cacheInstance->extensio global $cacheArray; $cacheArray['config'] = $cacheInstance->getArrayFromCache(); - // TODO: Do we really need to cache the config??? + // @TODO: Do we really need to cache the config??? } elseif ((getConfig('cache_config') == "Y") && ($CSS != "1") && ($CSS != "-1")) { // Create cache file here $cacheInstance->init("CONFIG"); diff --git a/inc/modules/admin/admin-inc.php b/inc/modules/admin/admin-inc.php index c7ed2575c9..7ab5e1283a 100644 --- a/inc/modules/admin/admin-inc.php +++ b/inc/modules/admin/admin-inc.php @@ -412,25 +412,19 @@ function ADD_ADMIN_MENU($act, $wht, $return=false) { // Build main menu $result_main = SQL_QUERY("SELECT action, title, descr FROM `{!_MYSQL_PREFIX!}_admin_menu` WHERE (what='' OR `what` IS NULL) ORDER BY `sort`, id DESC", __FILE__, __LINE__); - if (SQL_NUMROWS($result_main) > 0) - { + if (SQL_NUMROWS($result_main) > 0) { $OUT = "\n"; - while (list($menu, $title, $descr) = SQL_FETCHROW($result_main)) - { - if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2")) - { + while (list($menu, $title, $descr) = SQL_FETCHROW($result_main)) { + if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2")) { $ACL = ADMINS_CHECK_ACL($menu, ""); - } - else - { + } else { // ACL is "allow"... hmmm $ACL = true; } - if ($ACL) - { - if (!$SUB) - { + + if ($ACL === true) { + if (!$SUB) { // Insert compiled menu title and description $menuTitle[$menu] = $title; $menuDesription[$menu] = $descr; @@ -537,7 +531,7 @@ function ADD_ADMIN_MENU($act, $wht, $return=false) { // Compile and run the code here. This inserts all constants into the // HTML output. Costs me some time to figure this out... *sigh* Quix0r - $eval = "\$OUT = \"".COMPILE_CODE(addslashes($OUT))."\";"; + $eval = "\$OUT = \"".COMPILE_CODE(SQL_ESCAPE($OUT))."\";"; eval($eval); // Is there a cache instance again? diff --git a/inc/modules/admin/overview-inc.php b/inc/modules/admin/overview-inc.php index 85d37c9740..a9a81337c8 100644 --- a/inc/modules/admin/overview-inc.php +++ b/inc/modules/admin/overview-inc.php @@ -155,14 +155,14 @@ function OUTPUT_SELECTED_TASKS ($POST, $result_tasks) { } // END - if // Decode entities of the text - $text = html_entity_decode($text); + $text = decodeEntities($text); // Compile and insert text from task into table template $text = LOAD_TEMPLATE("admin_extensions_text", true, $text); // Initialize variables (no title for SQL commands by default) $ext_name = ""; - $title = TASK_NO_TITLE; + $title = getMessage('TASK_NO_TITLE'); // Shall I list SQL commands assigned to an extension installation or update task? if (((GET_EXT_VERSION("sql_patches") != '') && (getConfig('verbose_sql') == "Y")) || (!EXT_IS_ACTIVE("sql_patches"))) { @@ -175,7 +175,7 @@ function OUTPUT_SELECTED_TASKS ($POST, $result_tasks) { $text .= $NOTES; // Set title - $title = ADMIN_SQLS_EXECUTED_ON_REGISTER; + $title = getMessage('ADMIN_SQLS_EXECUTED_ON_REGISTER'); } elseif ($type == "EXTENSION_UPDATE") { // Prepare extension name and version $ext_name = substr($ext_name, 7); @@ -191,7 +191,7 @@ function OUTPUT_SELECTED_TASKS ($POST, $result_tasks) { $text .= $NOTES; // Set title - $title = ADMIN_SQLS_EXECUTED_ON_UPDATE; + $title = getMessage('ADMIN_SQLS_EXECUTED_ON_UPDATE'); } else { // Remove extension's name $ext_name = ""; @@ -230,7 +230,7 @@ function OUTPUT_SELECTED_TASKS ($POST, $result_tasks) { case "EXTENSION": // Install new extensions $ext_name = substr($subj, 1, strpos($subj, ":") - 1); $result_lines = SQL_QUERY_ESC("SELECT id FROM `{!_MYSQL_PREFIX!}_extensions` WHERE ext_name='%s' LIMIT 1", - array($ext_name), __FILE__, __LINE__); + array($ext_name), __FILE__, __LINE__); $lines = SQL_NUMROWS($result_lines); SQL_FREERESULT($result_lines); if ($lines == "0") { @@ -263,6 +263,7 @@ function OUTPUT_SELECTED_TASKS ($POST, $result_tasks) { break; case "SUPPORT_MEMBER": // Assign on member's support request + // @TODO This may also be rewritten to include files switch ($mode) { default: // @TODO Unknown support mode diff --git a/inc/modules/admin/what-list_payouts.php b/inc/modules/admin/what-list_payouts.php index d248df10f1..35e3bb7215 100644 --- a/inc/modules/admin/what-list_payouts.php +++ b/inc/modules/admin/what-list_payouts.php @@ -107,7 +107,7 @@ if (!empty($_GET['pid'])) { // Transfer variables... $eval = "\$URL = \"".$eurl."\";"; - $reason = urlencode(base64_encode(PAYOUT_REASON_PAYOUT)); + $reason = encodeString(getMessage('PAYOUT_REASON_PAYOUT'), false); // Run code... eval($eval); diff --git a/inc/modules/admin/what-list_unconfirmed.php b/inc/modules/admin/what-list_unconfirmed.php index 0c46cbe3fc..4fbe78833c 100644 --- a/inc/modules/admin/what-list_unconfirmed.php +++ b/inc/modules/admin/what-list_unconfirmed.php @@ -93,7 +93,7 @@ if ($listed === true) { define('__LIST_UNCON_SENDER' , $sender); define('__LIST_UNCON_SUBJECT', COMPILE_CODE($subj)); define('__LIST_UNCON_TEXT' , COMPILE_CODE($text)); - define('__LIST_UNCON_URL' , urlencode(base64_encode($url))); + define('__LIST_UNCON_URL' , encodeString($url)); define('__LIST_UNCON_STAMP' , MAKE_DATETIME($stamp, "2")); // Load unconfirmed mail links. Hmmm, this select query is pretty cool diff --git a/inc/modules/admin/what-usage.php b/inc/modules/admin/what-usage.php index 1e40c5de2f..09da0a61ee 100644 --- a/inc/modules/admin/what-usage.php +++ b/inc/modules/admin/what-usage.php @@ -82,7 +82,7 @@ if (!empty($_GET['image'])) { if ((!empty($FQFN)) && (FILE_READABLE($FQFN))) { // @TODO This code is double, see LOAD_TEMPLATE and LOAD_EMAIL_TEMPLATE in functions.php $tmpl_file = READ_FILE($FQFN); - $tmpl_file = addslashes($tmpl_file); + $tmpl_file = SQL_ESCAPE($tmpl_file); $tmpl_file = "\$content=\"".$tmpl_file."\";"; eval($tmpl_file); // Until here... diff --git a/inc/modules/frametester.php b/inc/modules/frametester.php index 01dbc053d1..aae2439303 100644 --- a/inc/modules/frametester.php +++ b/inc/modules/frametester.php @@ -74,7 +74,7 @@ if ((!empty($_POST['url'])) || (!empty($_GET['url'])) || (!empty($_GET['frame']) $url = constant('URL'); // Decode URL if set in GET parameters - if (!empty($_GET['url'])) $url = gzuncompress(base64_decode(str_replace(" ", "+", COMPILE_CODE(urldecode($_GET['url']))))); + if (!empty($_GET['url'])) $url = decodeString(str_replace(" ", "+", compileUriCode(urldecode($_GET['url'])))); // Use URL from POST data if set if (!empty($_POST['url'])) $url = $_POST['url']; diff --git a/inc/modules/loader.php b/inc/modules/loader.php index ab8533a79b..4b6a8d1d85 100644 --- a/inc/modules/loader.php +++ b/inc/modules/loader.php @@ -39,7 +39,7 @@ if (!defined('__SECURITY')) { if (!empty($_GET['url'])) { // Decode URL - $url = gzuncompress(base64_decode(str_replace(" ", "+", COMPILE_CODE(urldecode($_GET['url']))))); + $url = decodeString(str_replace(" ", "+", compileUriCode(urldecode($_GET['url'])))); // Validate the URL if (VALIDATE_URL($url)) { -- 2.39.5