
Revision 1777

Added by Dietmar about 12 years ago

+ add method StripCodeFromText in class.wb to clean injection
! rebranding the admin/settings and security fixes
! a few new styling changes in backend wb_theme
! beginning a lot of account changes like correction of $_SESSION indexes, security fixes
+ add head.load.min.js and head.min.js to /include/jquery/ to style HTML5 templates


save_signup.php
16 16
 */
17 17

  
18 18
/* -------------------------------------------------------- */
19
if(defined('WB_PATH') == false)
20
{
21
	// Stop this file being access directly
22
		die('<h2 style="color:red;margin:3em auto;text-align:center;">Cannot access this file directly</h2>');
19
// Must include code to stop this file being accessed directly
20
if(!defined('WB_PATH')) {
21
	require_once(dirname(dirname(__FILE__)).'/framework/globalExceptionHandler.php');
22
	throw new IllegalFileException();
23 23
}
24 24
/* -------------------------------------------------------- */
25 25
$bDebugSignup = false;
......
36 36
if (!function_exists('emailAdmin')) {
37 37
	function emailAdmin() {
38 38
		global $database,$admin;
39
        $retval = $admin->get_email();
40
        if($admin->get_user_id()!='1') {
41
			$sql  = 'SELECT `email` FROM `'.TABLE_PREFIX.'users` ';
42
			$sql .= 'WHERE `user_id`=\'1\' ';
43
	        $retval = $database->get_one($sql);
39
        $retval = false;
40
		$sql  = 'SELECT `email` FROM `'.TABLE_PREFIX.'users` ';
41
		$sql .= 'WHERE `user_id`=\'1\' ';
42
        if(!($retval = $database->get_one($sql))){
43
            $retval = false;
44 44
        }
45 45
		return $retval;
46 46
	}
......
67 67
	}
68 68
}
69 69

  
70
//$_SESSION['username'] = '';
71
//$_SESSION['DISPLAY_NAME'] = '';
72
//$_SESSION['email'] = '';
73
//$_SESSION['display_form'] = true;
74

  
75
if(isset($_POST['action']) && $_POST['action']=='send')
70
//if(isset($_POST['action']) && $_POST['action']=='send')
71
if($wb->StripCodeFromText($wb->get_post('action'))=='send')
76 72
{
77 73
	$database = WbDatabase::getInstance();
78 74

  
......
96 92
		msgQueue::add($database->get_error());
97 93
	}
98 94

  
99
	$_SESSION['username'] = strtolower(strip_tags($wb->get_post_escaped('login_name')));
100
	$_SESSION['DISPLAY_NAME'] = strip_tags($wb->get_post_escaped('display_name'));
101
	$_SESSION['email'] = $wb->get_post('email');
102
	$_SESSION['language'] = $wb->get_post('language');
103

  
95
	$_SESSION['USERNAME'] = strtolower($wb->StripCodeFromText($wb->get_post('login_name')));
96
	$_SESSION['DISPLAY_NAME'] = strip_tags($wb->StripCodeFromText($wb->get_post('display_name')));
97
	$_SESSION['EMAIL'] = strip_tags($wb->StripCodeFromText($wb->get_post('email')));
98
	$_SESSION['LANGUAGE'] = strip_tags($wb->StripCodeFromText($wb->get_post('language')));
104 99
//	$aErrorMsg = array();
105 100

  
106
	if($_SESSION['username'] != "")
107
	{
101
	if($wb->get_session('USERNAME') != "") {
108 102
		// Check if username already exists
109
		$sql = 'SELECT `user_id` FROM `'.TABLE_PREFIX.'users` WHERE `username` = \''.$_SESSION['username'].'\'';
103
		$sql = 'SELECT `user_id` FROM `'.TABLE_PREFIX.'users` WHERE `username` = \''.$_SESSION['USERNAME'].'\'';
110 104
		if($database->get_one($sql)){
111 105
//			$aErrorMsg[] = $MESSAGE['USERS_USERNAME_TAKEN'];
112 106
			msgQueue::add($MESSAGE['USERS_USERNAME_TAKEN']);
113
			$_SESSION['username'] = '';
107
			$_SESSION['USERNAME'] = '';
114 108
		} else {
115
			if(preg_match('/^[a-z]{1}[a-z0-9_-]{3,}$/i', $_SESSION['username'])==false) {
109
			if(preg_match('/^[a-z]{1}[a-z0-9_-]{3,}$/i', $_SESSION['USERNAME'])==false) {
116 110
//				$aErrorMsg[] = $MESSAGE['USERS_NAME_INVALID_CHARS'];
117 111
				msgQueue::add($MESSAGE['USERS_NAME_INVALID_CHARS']);
118
				$_SESSION['username'] = '';
112
				$_SESSION['USERNAME'] = '';
119 113
		 	}
120 114
		}
121 115
	} else {
......
123 117
		msgQueue::add($MESSAGE['LOGIN_USERNAME_BLANK']);
124 118
	}
125 119

  
126
	if($_SESSION['DISPLAY_NAME'] == "") {
120
	if($wb->get_session('DISPLAY_NAME') != "") {
127 121
//		$aErrorMsg[] = $MESSAGE['GENERIC_FILL_IN_ALL'];
128 122
		msgQueue::add($MESSAGE['GENERIC_FILL_IN_ALL']);
129 123
	}
130 124

  
131
	if($_SESSION['email'] != "") {
125
	if($wb->get_session('EMAIL') != "") {
132 126
		// Check if the email already exists
133
		$sql = 'SELECT `user_id` FROM `'.TABLE_PREFIX.'users` WHERE `email` = \''.mysql_escape_string($_SESSION['email']).'\'';
127
		$sql = 'SELECT `user_id` FROM `'.TABLE_PREFIX.'users` WHERE `email` = \''.$_SESSION['EMAIL'].'\'';
134 128
		if($database->get_one($sql)){
135
//			$aErrorMsg[] = $MESSAGE['USERS_EMAIL_TAKEN'];
136 129
			msgQueue::add($MESSAGE['USERS_EMAIL_TAKEN']);
137
			$_SESSION['email'] = '';
130
			$_SESSION['EMAIL'] = '';
138 131
		} else {
139
			if(!$wb->validate_email($_SESSION['email'])){
140
//				$aErrorMsg[] = $MESSAGE['USERS_INVALID_EMAIL'];
132
			if(!$wb->validate_email($_SESSION['EMAIL'])){
141 133
				msgQueue::add($MESSAGE['USERS_INVALID_EMAIL']);
142
				$_SESSION['email'] = '';
134
				$_SESSION['EMAIL'] = '';
143 135
			}
144 136
		}
145 137
	} else {
146
//		$aErrorMsg[] = $MESSAGE['SIGNUP_NO_EMAIL'];
147 138
		msgQueue::add($MESSAGE['SIGNUP_NO_EMAIL']);
148 139
	}
149 140

  
150 141
	if(CONFIRMED_REGISTRATION) {
151 142
		$iMinPassLength = 6;
152 143
// receive password vars and calculate needed action
153
		$sNewPassword = $wb->get_post('new_password_1');
144
//		$sNewPassword = $wb->get_post('new_password_1');
145
    	$sNewPassword = ($wb->StripCodeFromText($wb->get_post('new_password_1')));
154 146
		$sNewPassword = (is_null($sNewPassword) ? '' : $sNewPassword);
155
		$sNewPasswordRetyped = $wb->get_post('new_password_2');
147
//		$sNewPasswordRetyped = $wb->get_post('new_password_2');
148
    	$sNewPasswordRetyped = ($wb->StripCodeFromText($wb->get_post('new_password_2')));
156 149
		$sNewPasswordRetyped= (is_null($sNewPasswordRetyped) ? '' : $sNewPasswordRetyped);
157 150
// validate new password
158 151
		$sPwHashNew = false;
159 152
		if($sNewPassword != '') {
160 153
			if(strlen($sNewPassword) < $iMinPassLength) {
161
//				$err_msg[] = $MESSAGE['USERS_PASSWORD_TOO_SHORT'];
162 154
				msgQueue::add($MESSAGE['USERS_PASSWORD_TOO_SHORT']);
163 155
			} else {
164 156
				if($sNewPassword != $sNewPasswordRetyped) {
165
//					$err_msg[] = $MESSAGE['USERS_PASSWORD_MISMATCH'];
166 157
					msgQueue::add($MESSAGE['USERS_PASSWORD_MISMATCH']);
167 158
				} else {
168 159
					$pattern = '/[^'.$admin->password_chars.']/';
169 160
					if (preg_match($pattern, $sNewPassword)) {
170
//						$err_msg[] = $MESSAGE['PREFERENCES_INVALID_CHARS'];
171 161
						msgQueue::add($MESSAGE['PREFERENCES_INVALID_CHARS']);
172 162
					}else {
173 163
						$sPwHashNew = md5($sNewPassword);
......
181 171
	} else {
182 172
		// Captcha
183 173
		if(ENABLED_CAPTCHA) {
184
			if(isset($_POST['captcha']) AND $_POST['captcha'] != '')
174
//			if(isset($_POST['captcha']) AND $_POST['captcha'] != '')
175
			if($wb->StripCodeFromText($wb->get_post('captcha')) != '')
185 176
			{
186 177
				// Check for a mismatch get email user_id
187 178
				if(!isset($_POST['captcha']) OR !isset($_SESSION['captcha']) OR $_POST['captcha'] != $_SESSION['captcha']) {
188
					$replace = array('SERVER_EMAIL' => emailAdmin() );
179
					$replace = array('webmaster_email' => emailAdmin() );
189 180
	//				$aErrorMsg[] = replace_vars($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA'], $replace);
190 181
					msgQueue::add(replace_vars($MESSAGE['INCORRECT_CAPTCHA'], $replace));
191 182
				}
192 183
			} else {
193
				$replace = array('SERVER_EMAIL'=>emailAdmin() );
184
				$replace = array('webmaster_email'=> emailAdmin() );
194 185
	//			$aErrorMsg[] = replace_vars($MESSAGE['MOD_FORM_INCORRECT_CAPTCHA'],$replace );
195 186
				msgQueue::add(replace_vars($MESSAGE['INCORRECT_CAPTCHA'],$replace ));
196 187
			}
......
215 206
	} else {
216 207
		$get_ip = ObfuscateIp();
217 208
		$get_ts = time();
218
		$sLoginName = $_SESSION['username'];
209
		$sLoginName = $_SESSION['USERNAME'];
219 210
//		$sDisplayName = $_SESSION['DISPLAY_NAME'];
220 211
		$sDisplayName = $wb->add_slashes($_SESSION['DISPLAY_NAME']);
221 212
		$groups_id = FRONTEND_SIGNUP;
......
248 239
		$sql .= '`confirm_timeout` = \''.$sTimeOut.'\', ';
249 240
		$sql .= '`display_name` = \''.$sDisplayName.'\', ';
250 241
		$sql .= '`email` = \''.$email_to.'\', ';
251
		$sql .= '`language` = \''.$_SESSION['language'].'\', ';
242
		$sql .= '`language` = \''.$_SESSION['LANGUAGE'].'\', ';
252 243
		$sql .= '`login_when` = \''.$get_ts.'\', ';
253 244
		$sql .= '`login_ip` = \''.$get_ip.'\' ';
254 245

  
......
257 248
// cancel and break script
258 249
			$bSaveRegistration = false;
259 250
			$_SESSION['display_form'] = false;
260
			unset($_SESSION['username']);
251
			unset($_SESSION['USERNAME']);
261 252
			unset($_SESSION['DISPLAY_NAME']);
262
			unset($_SESSION['email']);
253
			unset($_SESSION['EMAIL']);
254
			unset($_SESSION['TIMEZONE']);
255
			unset($_SESSION['LANGUAGE']);
263 256
			unset($_POST);
264 257
			if($database->set_error()){
265 258
				msgQueue::add($database->get_error());
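Review bot: New line 127 concatenates `$_SESSION['EMAIL']` straight into the email lookup and drops the `mysql_escape_string()` that old line 133 applied, and new line 103 does the same with `$_SESSION['USERNAME']` after the username source switched from `get_post_escaped` to `get_post`; `StripCodeFromText()` is not shown on this page and, judging by its name, removes markup rather than quoting SQL, so these queries now run with unescaped input before the format checks at lines 109 and 132 have rejected anything. Give both values the treatment the file already gives the display name at new line 211, i.e. `$wb->add_slashes($_SESSION['EMAIL'])` at line 127 and `$wb->add_slashes($_SESSION['USERNAME'])` at line 103, or a parameterised query if WbDatabase provides one. Separately, new line 120 inverts the old check: `if($wb->get_session('DISPLAY_NAME') != "")` now queues `GENERIC_FILL_IN_ALL` when a display name was supplied and lets an empty one pass, so it should read `if($wb->get_session('DISPLAY_NAME') == "") {`. The enclosing `if(...=='send')` block starts at new line 72 and ends outside the shown hunks.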
