Revision 1368
Added by Luisehahne almost 15 years ago
| branches/2.8.x/CHANGELOG | ||
|---|---|---|
| 11 | 11 |
! = Update/Change |
| 12 | 12 |
|
| 13 | 13 |
------------------------------------- 2.8.2 ------------------------------------- |
| 14 |
31 Dec-2010 Build 1368 Dietmar Woellbrink (Luisehahne) |
|
| 15 |
- delete class.secureform.php |
|
| 16 |
+ add newest SecureForm |
|
| 17 |
# fixed Call to a member function read() on a non-object in function register_frontend_modfiles |
|
| 14 | 18 |
29 Dec-2010 Build 1367 Dietmar Woellbrink (Luisehahne) |
| 15 | 19 |
# securtiy fix in class.login |
| 16 | 20 |
# see http://www.websitebaker2.org/forum/index.php/topic,20347.msg137554.html#msg137554 |
| branches/2.8.x/wb/admin/interface/version.php | ||
|---|---|---|
| 52 | 52 |
|
| 53 | 53 |
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) |
| 54 | 54 |
if(!defined('VERSION')) define('VERSION', '2.8.2.RC3');
|
| 55 |
if(!defined('REVISION')) define('REVISION', '1367');
|
|
| 55 |
if(!defined('REVISION')) define('REVISION', '1368');
|
|
| 56 | 56 |
|
| 57 | 57 |
?> |
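--- a/branches/2.8.x/wb/framework/class.secureform.php
+++ b/branches/2.8.x/wb/framework/class.secureform.php
@@ -1,184 +0,0 @@
-<?php
-/**
-*
-* @category security
-* @package framework
-* @author ISTeam easy-Project
-* @copyright 2009-2011, Independend-Software-Team
-* @link http://easy.isteam.de/
-* @license http://creativecommons.org/licenses/by-nc-nd/3.0/de/
-* @platform WebsiteBaker 2.8.x
-* @requirements PHP 5.2.2 and higher
-* @version $Id$
-* @filesource $HeadURL$
-* @lastmodified $Date$
-*
-* SecureForm
-* Version 0.1
-*
-* creates Formular transactionnumbers for unique use
-*/
-
-class SecureForm {
-
-/* insert global vars here... */
-
-var $_FTAN = '';
-var $_IDKEYs = '';
-var $_salt = '';
-
-function SecureForm()
-{
-// $this->__construct();
-$this->_FTAN = '';
-$this->_salt = $this->_generate_salt();
-if(isset($_SESSION['IDKEYS']))
-{
-$this->_IDKEYs = $_SESSION['IDKEYS'];
-}else {
-$this->_IDKEYs = array();
-}
-}
-// function __construct()
-// {
-// var $_FTAN = '';
-// if(isset($_SESSION['FTAN'])) { unset($_SESSION['FTAN']); }
-// }
-
-
-function _generate_salt()
-{
-// server depending values
-$salt = ( isset($_SERVER['SERVER_SIGNATURE']) ) ? $_SERVER['SERVER_SIGNATURE'] : '2';
-$salt .= ( isset($_SERVER['SERVER_SOFTWARE']) ) ? $_SERVER['SERVER_SOFTWARE'] : '3';
-$salt .= ( isset($_SERVER['SERVER_NAME']) ) ? $_SERVER['SERVER_NAME'] : '5';
-$salt .= ( isset($_SERVER['SERVER_ADDR']) ) ? $_SERVER['SERVER_ADDR'] : '7';
-$salt .= ( isset($_SERVER['SERVER_PORT']) ) ? $_SERVER['SERVER_PORT'] : '11';
-$salt .= ( isset($_SERVER['SERVER_ADMIN']) ) ? $_SERVER['SERVER_ADMIN'] : '13';
-$salt .= PHP_VERSION;
-// client depending values
-$salt .= ( isset($_SERVER['HTTP_ACCEPT']) ) ? $_SERVER['HTTP_ACCEPT'] : '17';
-$salt .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : '19';
-$salt .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '23';
-$salt .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '29';
-$salt .= ( isset($_SERVER['HTTP_CONNECTION']) ) ? $_SERVER['HTTP_CONNECTION'] : '31';
-$salt .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '37';
-return $salt;
-}
-/*
-* creates Formular transactionnumbers for unique use
-* @access public
-* @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default)
-* false returns an array including FTAN0 and FTAN1
-* @return mixed: array or string
-*
-* requirements: an active session must be available
-*/
-function getFTAN( $as_tag = true)
-{
-if( $this->_FTAN == '')
-{
-if(function_exists('microtime'))
-{
-list($usec, $sec) = explode(" ", microtime());
-$time = (string)((float)$usec + (float)$sec);
-}else{
-$time = (string)time();
-}
-$this->_FTAN = md5($time.$this->_salt);
-$_SESSION['FTAN'] = $this->_FTAN;
-
-}
-$ftan0 = 'a'.substr($this->_FTAN, -(10 + hexdec(substr($this->_FTAN, 1))), 10);
-$ftan1 = 'a'.substr($this->_FTAN, hexdec(substr($this->_FTAN, -1)), 10);
-if($as_tag == true)
-{
-return '<input type="hidden" name="'.$ftan0.'" value="'.$ftan1.'" title="" />';
-}else{
-return array('FTAN0' => $ftan0, 'FTAN1' => $ftan1);
-}
-}
-
-/*
-* checks received form-transactionnumbers against session-stored one
-* @access public
-* @param string $mode: requestmethode POST(default) or GET
-* @return bool: true if numbers matches against stored ones
-*
-* requirements: an active session must be available
-* this check will prevent from multiple sending a form. history.back() also will never work
-*/
-function checkFTAN( $mode = 'POST')
-{
-$retval = false;
-if(isset($_SESSION['FTAN']) && strlen($_SESSION['FTAN']) == strlen(md5('dummy')))
-{
-$ftan = $_SESSION['FTAN'];
-$ftan0 = 'a'.substr($ftan, -(10 + hexdec(substr($ftan, 1))), 10);
-$ftan1 = 'a'.substr($ftan, hexdec(substr($ftan, -1)), 10);
-unset($_SESSION['FTAN']);
-if(strtoupper($mode) == 'POST')
-{
-$retval = (isset($_POST[$ftan0]) && $_POST[$ftan0] == ($ftan1));
-$_POST[$ftan0] = '';
-}else{
-$retval = (isset($_GET[$ftan0]) && $_GET[$ftan0] == ($ftan1));
-$_GET[$ftan0] = '';
-}
-}
-return $retval;
-}
-
-/*
-* save values in session and returns a ID-key
-* @access public
-* @param mixed $value: the value for witch a key shall generated and memorized
-* @return string: a MD5-Key to use instead of the real value
-*
-* requirements: an active session must be available
-*/
-function getIDKEY($value)
-{
-$isarray = is_array($value);
-if( $isarray ) { $value = serialize($value); }
-$key = md5($this->_salt.(string)$value);
-if( $isarray ) { $key[5] = 'h'; }
-$added = false;
-while(!$added)
-{
-if( !array_key_exists($key, $this->_IDKEYs) )
-{
-$this->_IDKEYs[$key] = $value;
-$added = true;
-}else {
-// if key already exist, increment the last four digits until the key is unique
-$key = substr($key, -4).dechex(('0x'.substr($key0, -4)) + 1);
-}
-}
-$_SESSION['IDKEYS'] = $this->_IDKEYs;
-return $key;
-}
-
-/*
-* search for key in session and returns the original value
-* @access public
-* @param string $key: the alias-key from the original value
-* @return mixed: the original value (string, numeric, array) or NULL if request fails
-*
-* requirements: an active session must be available
-*/
-function checkIDKEY( $key )
-{
-$value = null;
-if( array_key_exists($key, $this->_IDKEYs))
-{
-$value = $this->_IDKEYs[$key];
-unset($this->_IDKEYs[$key]);
-$_SESSION['IDKEYS'] = $this->_IDKEYs;
-if($value[5] == 'h') { $value = unserialize($value); }
-}
-return $value;
-}
-//put your code here
-}
-?>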
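--- a/branches/2.8.x/wb/framework/SecureForm.php
+++ b/branches/2.8.x/wb/framework/SecureForm.php
@@ -0,0 +1,237 @@
+<?php
+/**
+*
+* @category framework
+* @package SecureForm
+* @author Independend-Software-Team
+* @author WebsiteBaker Project
+* @copyright 2004-2009, Ryan Djurovich
+* @copyright 2009-2010, Website Baker Org. e.V.
+* @link http://www.websitebaker2.org/
+* @license http://www.gnu.org/licenses/gpl.html
+* @platform WebsiteBaker 2.8.x
+* @requirements PHP 4.3.4 and higher
+* @version $Id$
+* @filesource $HeadURL$
+* @lastmodified $Date$
+* @description definition of all core constants.
+*/
+
+/**
+* Description of class
+*
+* @author wkl
+*/
+class SecureForm {
+
+private $_FTAN = '';
+private $_IDKEYs = array('0'=>'0');
+private $_ftan_name = '';
+private $_idkey_name = '';
+private $_salt = '';
+private $_fingerprint = '';
+
+/* Construtor */
+protected function __construct()
+{
+$this->_FTAN = '';
+$this->_salt = $this->_generate_salt();
+$this->_fingerprint = $this->_generate_fingerprint();
+// generate names for session variables
+$this->_ftan_name = substr($this->_fingerprint, -(16 + hexdec($this->_fingerprint[0])), 16);
+// make sure there is a alpha-letter at first position
+$this->_ftan_name[0] = dechex(10 + (hexdec($this->_ftan_name[0]) % 5));
+$this->_idkey_name = substr($this->_fingerprint, hexdec($this->_fingerprint[strlen($this->_fingerprint)-1]), 16);
+// make sure there is a alpha-letter at first position
+$this->_idkey_name[0] = dechex(10 + (hexdec($this->_idkey_name[0]) % 5));
+// takeover id_keys from session if available
+if(isset($_SESSION[$this->_idkey_name]) && is_array($_SESSION[$this->_idkey_name]))
+{
+$this->_IDKEYs = $_SESSION[$this->_idkey_name];
+}else{
+$this->_IDKEYs = array('0'=>'0');
+$_SESSION[$this->_idkey_name] = $this->_IDKEYs;
+}
+}
+
+private function _generate_salt()
+{
+if(function_exists('microtime'))
+{
+list($usec, $sec) = explode(" ", microtime());
+$salt = (string)((float)$usec + (float)$sec);
+}else{
+$salt = (string)time();
+}
+$salt = (string)rand(10000, 99999) . $salt . (string)rand(10000, 99999);
+return md5($salt);
+}
+
+private function _generate_fingerprint()
+{
+// server depending values
+$fingerprint = ( isset($_SERVER['SERVER_SIGNATURE']) ) ? $_SERVER['SERVER_SIGNATURE'] : '2';
+$fingerprint .= ( isset($_SERVER['SERVER_SOFTWARE']) ) ? $_SERVER['SERVER_SOFTWARE'] : '3';
+$fingerprint .= ( isset($_SERVER['SERVER_NAME']) ) ? $_SERVER['SERVER_NAME'] : '5';
+$fingerprint .= ( isset($_SERVER['SERVER_ADDR']) ) ? $_SERVER['SERVER_ADDR'] : '7';
+$fingerprint .= ( isset($_SERVER['SERVER_PORT']) ) ? $_SERVER['SERVER_PORT'] : '11';
+$fingerprint .= ( isset($_SERVER['SERVER_ADMIN']) ) ? $_SERVER['SERVER_ADMIN'] : '13';
+$fingerprint .= PHP_VERSION;
+// client depending values
+$fingerprint .= ( isset($_SERVER['HTTP_ACCEPT']) ) ? $_SERVER['HTTP_ACCEPT'] : '17';
+$fingerprint .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : '19';
+$fingerprint .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '23';
+$fingerprint .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '29';
+$fingerprint .= ( isset($_SERVER['HTTP_CONNECTION']) ) ? $_SERVER['HTTP_CONNECTION'] : '31';
+$fingerprint .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '37';
+$fingerprint .= ( isset($_SERVER['REMOTE_ADDR']) ) ? $_SERVER['REMOTE_ADDR'] : '41';
+return md5($fingerprint);
+}
+
+private function _calcFtan($tanPart)
+{
+$ftan = md5($tanPart . $this->_fingerprint);
+$name = substr($ftan, -(16 + hexdec($ftan[0])), 16);
+$name[0] = dechex(10 + (hexdec($name[0]) % 5));
+$value = substr($ftan, hexdec($ftan[strlen($ftan)-1]), 16);
+return array( $name, $value);
+}
+/*
+* creates Formular transactionnumbers for unique use
+* @access public
+* @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default)
+* false returns an array including FTAN0 and FTAN1
+* @return mixed: array or string
+*
+* requirements: an active session must be available
+*/
+final public function getFTAN( $as_tag = true)
+{
+if( $this->_FTAN == '')
+{ // if no FTAN exists, create new one from time and salt
+$this->_FTAN = md5($this->_fingerprint.$this->_salt);
+$_SESSION[$this->_ftan_name] = $this->_FTAN; // store FTAN into session
+}
+$ftan = $this->_calcFtan($this->_FTAN);
+if($as_tag == true)
+{ // by default return a complete, hidden <input>-tag
+return '<input type="hidden" name="'.$ftan[0].'" value="'.$ftan[1].'" title="" alt="" />';
+}else{ // return an array with raw FTAN0 and FTAN1
+return array('FTAN0' => $ftan[0], 'FTAN1'=>$ftan[1]);
+}
+}
+
+/*
+* checks received form-transactionnumbers against session-stored one
+* @access public
+* @param string $mode: requestmethode POST(default) or GET
+* @return bool: true if numbers matches against stored ones
+*
+* requirements: an active session must be available
+* this check will prevent from multiple sending a form. history.back() also will never work
+*/
+final public function checkFTAN( $mode = 'POST')
+{
+$retval = false;
+if(isset($_SESSION[$this->_ftan_name]) &&
+(strlen($_SESSION[$this->_ftan_name]) == strlen(md5('dummy'))))
+{
+$ftan = $this->_calcFtan($_SESSION[$this->_ftan_name]);
+unset($_SESSION[$this->_ftan_name]);
+$mode = (strtoupper($mode) != 'POST' ? '_GET' : '_POST');
+if( isset($GLOBALS[$mode][$ftan[0]]))
+{
+$retval = ($GLOBALS[$mode][$ftan[0]] == $ftan[1]);
+unset($GLOBALS[$mode][$ftan[0]]);
+}
+}
+return $retval;
+}
+
+/*
+* save values in session and returns a ID-key
+* @access public
+* @param mixed $value: the value for witch a key shall be generated and memorized
+* @return string: a MD5-Key to use instead of the real value
+*
+* @requirements: an active session must be available
+* @description: IDKEY can handle string/numeric/array - vars. Each key is a
+*/
+final public function getIDKEY($value)
+{
+if( is_array($value) == true )
+{ // serialize value, if it's an array
+$value = serialize($value);
+}
+// crypt value with salt into md5-hash
+// and return a 16-digit block from random start position
+$key = substr( md5($this->_salt.(string)$value), rand(0,15), 16);
+do{ // loop while key/value isn't added
+if( !array_key_exists($key, $this->_IDKEYs) )
+{ // the key is unique, so store it in list
+$this->_IDKEYs[$key] = $value;
+break;
+}else {
+// if key already exist, increment the last five digits until the key is unique
+$key = substr($key, 0, -5).dechex(('0x'.substr($key, -5)) + 1);
+}
+}while(0);
+// store key/value-pairs into session
+$_SESSION[$this->_idkey_name] = $this->_IDKEYs;
+return $key;
+}
+
+/*
+* search for key in session and returns the original value
+* @access public
+* @param string $fieldname: name of the POST/GET-Field containing the key or hex-key itself
+* @param mixed $default: returnvalue if key not exist (default 0)
+* @param string $request: requestmethode can be POST or GET or '' (default POST)
+* @return mixed: the original value (string, numeric, array) or DEFAULT if request fails
+*
+* @requirements: an active session must be available
+* @description: each IDKEY can be checked only once. Unused Keys stay in list until the
+* session is destroyed.
+*/
+final public function checkIDKEY( $fieldname, $default = 0, $request = 'POST' )
+{
+$return_value = $default; // set returnvalue to default
+switch( strtoupper($request) )
+{
+case 'POST':
+$key = isset($_POST[$fieldname]) ? $_POST[$fieldname] : $fieldname;
+break;
+case 'GET':
+$key = isset($_GET[$fieldname]) ? $_GET[$fieldname] : $fieldname;
+break;
+default:
+$key = $fieldname;
+}
+if( preg_match('/[0-9a-f]{16}$/', $key) )
+{ // key must be a 16-digit hexvalue
+if( array_key_exists($key, $this->_IDKEYs))
+{ // check if key is stored in IDKEYs-list
+$return_value = $this->_IDKEYs[$key]; // get stored value
+unset($this->_IDKEYs[$key]); // remove from list to prevent multiuse
+$_SESSION[$this->_idkey_name] = $this->_IDKEYs; // save modified list into session again
+if( preg_match('/.*(?<!\{).*(\d:\{.*;\}).*(?!\}).*/', $return_value) )
+{ // if value is a serialized array, then deserialize it
+$return_value = unserialize($return_value);
+}
+}
+}
+return $return_value;
+}
+
+/* @access public
+* @return void
+*
+* @requirements: an active session must be available
+* @description: remove all entries from IDKEY-Array
+*
+*/
+final public function clearIDKEY()
+{
+$this->_IDKEYs = array('0'=>'0');
+}
+}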
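Review bot: The collision loop in getIDKEY (`do{ … }while(0);`, new lines 169–178) runs exactly once, so when the computed key already exists the incremented key is returned but never stored in `$this->_IDKEYs`, and a later checkIDKEY on it returns `$default`. The increment on line 176 also depends on `'0x'.substr($key, -5)` being read as a hex number, which PHP 7 and later no longer do, and `dechex()` emits no leading zeros, so the result can be shorter than the 16 hex digits that checkIDKEY's `preg_match('/[0-9a-f]{16}$/', …)` requires; `}while(true);` together with `$key = substr($key, 0, -5).sprintf('%05x', (hexdec(substr($key, -5)) + 1) % 0x100000);` keeps both the loop and the key width correct. In checkFTAN the token is compared with `==` on line 144; `$retval = ($GLOBALS[$mode][$ftan[0]] === $ftan[1]);` avoids PHP's numeric-string coercion between two hex strings, which is the comparison a one-time token needs. `_generate_salt` (line 66) draws its randomness from `rand()`, which is not a cryptographic source; on the PHP versions this file targets `mt_rand()` or `openssl_random_pseudo_bytes()` would be the stronger choice, and worth a comment either way.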
| branches/2.8.x/wb/framework/class.wb.php | ||
|---|---|---|
| 24 | 24 |
// Include new wbmailer class (subclass of PHPmailer) |
| 25 | 25 |
require_once(WB_PATH."/framework/class.wbmailer.php"); |
| 26 | 26 |
|
| 27 |
require_once(WB_PATH."/framework/class.secureform.php");
|
|
| 27 |
require_once(WB_PATH."/framework/SecureForm.php");
|
|
| 28 | 28 |
|
| 29 | 29 |
class wb extends SecureForm |
| 30 | 30 |
{
|
| ... | ... | |
| 331 | 331 |
/* |
| 332 | 332 |
// Validate supplied email address |
| 333 | 333 |
function validate_email($email) {
|
| 334 |
if(function_exists('idn_to_ascii')){ // use pear if available
|
|
| 334 |
if(function_exists('idn_to_ascii')){ // use pear if available
|
|
| 335 | 335 |
$email = idn_to_ascii($email); |
| 336 | 336 |
}else {
|
| 337 | 337 |
require_once(WB_PATH.'/include/idna_convert/idna_convert.class.php'); |
| branches/2.8.x/wb/framework/frontend.functions.php | ||
|---|---|---|
| 474 | 474 |
|
| 475 | 475 |
// gather information for all models embedded on actual page |
| 476 | 476 |
$page_id = $wb->page_id; |
| 477 |
$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections
|
|
| 478 |
WHERE page_id=$page_id AND module<>'wysiwyg'"); |
|
| 477 |
$sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` '; |
|
| 478 |
$sql .= 'WHERE `page_id` = '.(int)$page_id.' AND `module` <> \'wysiwyg\''; |
|
| 479 |
if( ($query_modules = $database->query($sql)) ) |
|
| 480 |
{
|
|
| 481 |
while($row = $query_modules->fetchRow()) |
|
| 482 |
{
|
|
| 483 |
// check if page module directory contains a frontend_body.js file |
|
| 484 |
if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file")) |
|
| 485 |
{
|
|
| 486 |
// create link with frontend_body.js source for the current module |
|
| 487 |
$tmp_link = str_replace("{MODULE_DIRECTORY}", $row['module'], $base_link);
|
|
| 479 | 488 |
|
| 480 |
while($row = $query_modules->fetchRow()) |
|
| 481 |
{
|
|
| 482 |
// check if page module directory contains a frontend_body.js file |
|
| 483 |
if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file")) |
|
| 484 |
{
|
|
| 485 |
// create link with frontend_body.js source for the current module |
|
| 486 |
$tmp_link = str_replace("{MODULE_DIRECTORY}", $row['module'], $base_link);
|
|
| 489 |
// define constant indicating that the register_frontent_files_body was invoked |
|
| 490 |
if(!defined('MOD_FRONTEND_BODY_JAVASCRIPT_REGISTERED')) { define('MOD_FRONTEND_BODY_JAVASCRIPT_REGISTERED', true);}
|
|
| 487 | 491 |
|
| 488 |
// define constant indicating that the register_frontent_files_body was invoked |
|
| 489 |
if(!defined('MOD_FRONTEND_BODY_JAVASCRIPT_REGISTERED')) { define('MOD_FRONTEND_BODY_JAVASCRIPT_REGISTERED', true);}
|
|
| 490 |
|
|
| 491 |
// ensure that frontend_body.js is only added once per module type |
|
| 492 |
if(strpos($body_links, $tmp_link) === false) |
|
| 493 |
{
|
|
| 494 |
$body_links .= $tmp_link; |
|
| 495 |
} |
|
| 496 |
} |
|
| 497 |
} |
|
| 492 |
// ensure that frontend_body.js is only added once per module type |
|
| 493 |
if(strpos($body_links, $tmp_link) === false) |
|
| 494 |
{
|
|
| 495 |
$body_links .= $tmp_link; |
|
| 496 |
} |
|
| 497 |
} |
|
| 498 |
} |
|
| 499 |
} |
|
| 498 | 500 |
} |
| 499 | 501 |
|
| 500 | 502 |
print $body_links."\n"; ; |
| ... | ... | |
| 550 | 552 |
{
|
| 551 | 553 |
// gather information for all models embedded on actual page |
| 552 | 554 |
$page_id = $wb->page_id; |
| 553 |
$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections
|
|
| 554 |
WHERE page_id=$page_id AND module<>'wysiwyg'"); |
|
| 555 |
$sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` '; |
|
| 556 |
$sql .= 'WHERE `page_id` = '.(int)$page_id.' AND `module` <> \'wysiwyg\''; |
|
| 557 |
if( ($query_modules = $database->query($sql)) ) |
|
| 558 |
{
|
|
| 559 |
while($row = $query_modules->fetchRow()) |
|
| 560 |
{
|
|
| 561 |
// check if page module directory contains a frontend.js or frontend.css file |
|
| 562 |
if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file")) |
|
| 563 |
{
|
|
| 564 |
// create link with frontend.js or frontend.css source for the current module |
|
| 565 |
$tmp_link = str_replace("{MODULE_DIRECTORY}", $row['module'], $base_link);
|
|
| 555 | 566 |
|
| 556 |
while($row = $query_modules->fetchRow()) |
|
| 557 |
{
|
|
| 558 |
// check if page module directory contains a frontend.js or frontend.css file |
|
| 559 |
if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file")) |
|
| 560 |
{
|
|
| 561 |
// create link with frontend.js or frontend.css source for the current module |
|
| 562 |
$tmp_link = str_replace("{MODULE_DIRECTORY}", $row['module'], $base_link);
|
|
| 563 |
|
|
| 564 |
// define constant indicating that the register_frontent_files was invoked |
|
| 565 |
if($file_id == 'css') |
|
| 566 |
{
|
|
| 567 |
if(!defined('MOD_FRONTEND_CSS_REGISTERED')) define('MOD_FRONTEND_CSS_REGISTERED', true);
|
|
| 568 |
} else |
|
| 569 |
{
|
|
| 570 |
if(!defined('MOD_FRONTEND_JAVASCRIPT_REGISTERED')) define('MOD_FRONTEND_JAVASCRIPT_REGISTERED', true);
|
|
| 571 |
} |
|
| 572 |
// ensure that frontend.js or frontend.css is only added once per module type |
|
| 573 |
if(strpos($head_links, $tmp_link) === false) |
|
| 574 |
{
|
|
| 575 |
$head_links .= $tmp_link."\n"; |
|
| 576 |
} |
|
| 577 |
}; |
|
| 578 |
} |
|
| 579 |
// include the Javascript email protection function |
|
| 580 |
if( $file_id != 'css' && file_exists(WB_PATH .'/modules/droplets/js/mdcr.js')) |
|
| 581 |
{
|
|
| 582 |
$head_links .= '<script src="'.WB_URL.'/modules/droplets/js/mdcr.js" type="text/javascript"></script>'."\n"; |
|
| 583 |
} |
|
| 584 |
elseif( $file_id != 'css' && file_exists(WB_PATH .'/modules/output_filter/js/mdcr.js')) |
|
| 585 |
{
|
|
| 586 |
$head_links .= '<script src="'.WB_URL.'/modules/output_filter/js/mdcr.js" type="text/javascript"></script>'."\n"; |
|
| 587 |
} |
|
| 567 |
// define constant indicating that the register_frontent_files was invoked |
|
| 568 |
if($file_id == 'css') |
|
| 569 |
{
|
|
| 570 |
if(!defined('MOD_FRONTEND_CSS_REGISTERED')) define('MOD_FRONTEND_CSS_REGISTERED', true);
|
|
| 571 |
} else |
|
| 572 |
{
|
|
| 573 |
if(!defined('MOD_FRONTEND_JAVASCRIPT_REGISTERED')) define('MOD_FRONTEND_JAVASCRIPT_REGISTERED', true);
|
|
| 574 |
} |
|
| 575 |
// ensure that frontend.js or frontend.css is only added once per module type |
|
| 576 |
if(strpos($head_links, $tmp_link) === false) |
|
| 577 |
{
|
|
| 578 |
$head_links .= $tmp_link."\n"; |
|
| 579 |
} |
|
| 580 |
}; |
|
| 581 |
} |
|
| 582 |
} |
|
| 583 |
// include the Javascript email protection function |
|
| 584 |
if( $file_id != 'css' && file_exists(WB_PATH .'/modules/droplets/js/mdcr.js')) |
|
| 585 |
{
|
|
| 586 |
$head_links .= '<script src="'.WB_URL.'/modules/droplets/js/mdcr.js" type="text/javascript"></script>'."\n"; |
|
| 587 |
} |
|
| 588 |
elseif( $file_id != 'css' && file_exists(WB_PATH .'/modules/output_filter/js/mdcr.js')) |
|
| 589 |
{
|
|
| 590 |
$head_links .= '<script src="'.WB_URL.'/modules/output_filter/js/mdcr.js" type="text/javascript"></script>'."\n"; |
|
| 591 |
} |
|
| 588 | 592 |
} |
| 589 | 593 |
print $head_links; |
| 590 | 594 |
} |
delete class.secureform.php
add newest SecureForm
fixed Call to a member function read() on a non-object in function register_frontend_modfiles