claunia/qemudb
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-05-24. You can view files and clone it, but cannot push or open issues or pull requests.
Files
ac5b4b0a95382a3cc19c81089a4e9ca5ff291704
qemudb/include/incl.php
Chris Morgan ac5b4b0a95 Warn if magic quotes is enabled and explain a bit about why we require that magic quotes 
be disabled.  Also remove all of the conditional code that was working around cases where
we had magic quotes enabled.  We were only working around a small portion of cases where magic
quotes was affecting the appdb.
2006-06-26 00:44:44 +00:00

276 lines
7.2 KiB
PHP
Raw Blame History

<?php
/*************************************************/
/* Main Include Library for Application Database */
/*************************************************/
// get modules
ini_set("memory_limit","64M");
require(BASE."include/config.php");
require(BASE."include/util.php");
require(BASE."include/user.php");
require(BASE."include/session.php");
require(BASE."include/menu.php");
require(BASE."include/html.php");
require(BASE."include/db.php");
/* if magic quotes are enabled make sure the user disables them */
/* otherwise they will see all kinds of odd effects that are difficult */
/* to track down */
if(get_magic_quotes_gpc())
{
echo "<b>Please disable the magic quotes GPC PHP setting. See <a href=\"http://us2.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc\"> this page</a> for more information</b><br/><br/>";
echo "AppDB php code assumes magic quotes are disabled.<br/><br/>";
echo "Magic quotes are a bad idea for a few reasons.<br/><br/>";
echo "First is that php calls <b>addslashes()</b> on all \$_POST, \$_REQUEST and cookie variables ";
echo "if magic quotes is enabled. ";
echo "Ooooooh you say.<br/>";
echo "<i>\"Aren't magic quotes a convienent way to protect my php code from sql injection attacks?\"</i><br/><br/>";
echo "No! <b>addslashes()</b> isn't adequate. You should use <b>mysql_real_escape_string()</b> or some other function";
echo " that will handle multi-byte characters. See <a href=\"http://shiflett.org/archive/184\">this article</a>";
echo " for a way to exploit <b>addslash()</b>ed parameters.<br/><br/>";
echo "A second reason is that with magic quotes enabled, due to the use of <b>mysql_real_escape_string()</b> to";
echo " protect from sql injection attacks we'll end up with variables that have been addslash()ed and";
echo " <b>mysql_real_escape_string()</b>ed. So you end up having to call stripslashes() on EVERY variable. ";
exit;
}
// create arrays
$sidebar_func_list = array();
$help_list = array();
function apidb_help_add($desc, $id)
{
global $help_list;
$help_list[] = array($desc, $id);
}
// return url with docroot prepended
function apidb_url($path)
{
return BASE.$path;
}
// return FULL url with docroot prepended
function apidb_fullurl($path = "")
{
return BASE.$path;
}
function appdb_fullpath($path)
{
/* IE: we know this file is in /yyy/xxx/include, we want to get the /yyy/xxx
/* so we call dirname on this file path twice */
$fullpath = dirname(dirname(__FILE__))."//".$path;
/* get rid of potential double slashes due to string concat */
return str_replace("//", "/", $fullpath);
}
/*
* output the common apidb header
*/
function apidb_header($title = 0)
{
$realname = $_SESSION['current']->sRealname;
// Set Page Title
$page_title = $title;
if ($title)
$title = " - $title";
// Display Header
include(BASE."include/header.php");
// Display Sidebar
echo "<table width='100%' border=0 cellspacing=0 cellpadding=0>\n";
echo "<tr valign='top'>\n";
echo "<td width=150>\n";
apidb_sidebar();
echo "</td>\n";
echo "<td width='100%'>\n";
echo html_frame_start($page_title, '100%');
// Display Status Messages
dumpmsgbuffer();
}
/*
* output the common apidb footer
*/
function apidb_footer()
{
echo html_frame_end();
//Close Sidebar and Content Well
echo "<br></td></tr></table>\n";
// Display Footer
if(!isset($header_disabled))
include(BASE."include/"."footer.php");
}
/*
* output the sidebar, calls all functions registered with apidb_sidebar_add
*/
function apidb_sidebar()
{
global $sidebar_func_list;
//TURN on GLOBAL ADMIN MENU
if ($_SESSION['current']->hasPriv("admin"))
{
include(BASE."include/sidebar_admin.php");
apidb_sidebar_add("global_admin_menu");
} else if($_SESSION['current']->isMaintainer()) /* if the user maintains anything, add their menus */
{
include(BASE."include/sidebar_maintainer_admin.php");
apidb_sidebar_add("global_maintainer_admin_menu");
}
// Login Menu
include(BASE."include/sidebar_login.php");
apidb_sidebar_add("global_sidebar_login");
// Main Menu
include(BASE."include/sidebar.php");
apidb_sidebar_add("global_sidebar_menu");
//LOOP and display menus
for($i = 0; $i < sizeof($sidebar_func_list); $i++)
{
$func = $sidebar_func_list[$i];
$func();
}
}
/**
* register a sidebar menu function
* the supplied function is called when the sidebar is built
*/
function apidb_sidebar_add($funcname)
{
global $sidebar_func_list;
array_unshift($sidebar_func_list, $funcname);
}
function apidb_image($name)
{
return BASE."images/$name";
}
/**
* display an error page
*/
function errorpage($text = null, $message = null)
{
if (!$text) {
$text = "You must be logged in to perform that operation.";
}
header("HTTP/1.0 404 Object not found or user is not logged in");
apidb_header("Oops");
echo "<div align=center><font color=red><b>$text</b></font></div>\n";
echo "<p>$message</p>\n";
apidb_footer();
}
/**
* redirect to $url
*/
function redirect($url)
{
header("Location: ".$url);
exit;
}
/**
* redirect back to referrer, or else to the main page
*/
function redirectref($url = null)
{
if(!$url)
$url = $_SERVER['HTTP_REFERER'];
if(!$url)
$url = apidb_fullurl();
redirect($url);
}
/**
* format a date as required for HTTP by RFC 2068 sec 3.3.1
*/
function fHttpDate($iDate) {
return gmdate("D, d M Y H:i:s",$iDate)." GMT";
}
/**
* parse all the date formats required by HTTP 1.1 into PHP time values
*/
function pHttpDate($sDate) {
$iDate = strtotime($sDate);
if ($iDate != -1) return $iDate;
/* the RFC also requires asctime() format... */
$aTs = strptime($sDate,"%a %b %e %H:%M:%S %Y");
$iDate = gmmktime($aTs[2],$aTs[1],$aTs[0],$aTs[4],$aTs[3],$aTs[5],0);
return $iDate;
}
/**
* msgs will be displayed on the Next page view of the same user
*/
function addmsg($text, $color = "black")
{
global $hAppdbLink;
if($color)
$text = "<font color='$color'> $text </font>\n";
$text = addslashes($text);
$sQuery = "INSERT INTO sessionMessages VALUES (null, null, '".session_id()."', '$text')";
if (!mysql_query($sQuery,$hAppdbLink))
{
echo "An error has occurred in addmsg(): ".mysql_error($hAppdbLink);
echo $text;
}
}
/**
* output msg_buffer and clear it.
*/
function dumpmsgbuffer()
{
$hResult = query_appdb("SELECT * FROM sessionMessages WHERE sessionId = '".session_id()."'");
if(!$hResult)
return;
while($oRow = mysql_fetch_object($hResult))
{
echo html_frame_start("","300","",5);
echo "<div align=center> $oRow->message </div>";
echo html_frame_end("&nbsp;");
echo "<br>\n";
}
query_appdb("DELETE FROM sessionMessages WHERE sessionId = '".session_id()."'");
}
/**
* Init Session (stores user info in session)
*/
$session = new session("whq_appdb");
$session->register("current");
if(!isset($_SESSION['current'])) $_SESSION['current'] = new User();
// if we are debugging we need to see all errors
if($_SESSION['current']->showDebuggingInfos()) error_reporting(E_ALL ^ E_NOTICE);
?>
Reference in New Issue View Git Blame Copy Permalink