Context Navigation

source: branches/2.1/include/section_init.inc.php @ 6905

Last change on this file since 6905 was 6905, checked in by plg, 14 years ago
bug 1849 fixed: protect $_GET keys against SQL injections before parsing URL.
Property svn:eol-style set to `LF`
File size: 18.5 KB

Line
1	<?php
2	// +-----------------------------------------------------------------------+
3	// \| Piwigo - a PHP based picture gallery \|
4	// +-----------------------------------------------------------------------+
5	// \| Copyright(C) 2008-2010 Piwigo Team http://piwigo.org \|
6	// \| Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net \|
7	// \| Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick \|
8	// +-----------------------------------------------------------------------+
9	// \| This program is free software; you can redistribute it and/or modify \|
10	// \| it under the terms of the GNU General Public License as published by \|
11	// \| the Free Software Foundation \|
12	// \| \|
13	// \| This program is distributed in the hope that it will be useful, but \|
14	// \| WITHOUT ANY WARRANTY; without even the implied warranty of \|
15	// \| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU \|
16	// \| General Public License for more details. \|
17	// \| \|
18	// \| You should have received a copy of the GNU General Public License \|
19	// \| along with this program; if not, write to the Free Software \|
20	// \| Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, \|
21	// \| USA. \|
22	// +-----------------------------------------------------------------------+
23
24	/**
25	* This included page checks section related parameter and provides
26	* following informations:
27	*
28	* - $page['title']
29	*
30	* - $page['items']: ordered list of items to display
31	*
32	*/
33
34	// "index.php?/category/12-foo/start-24" or
35	// "index.php/category/12-foo/start-24"
36	// must return :
37	//
38	// array(
39	// 'section' => 'categories',
40	// 'category' => array('id'=>12, ...),
41	// 'start' => 24
42	// );
43
44	$page['items'] = array();
45
46	// some ISPs set PATH_INFO to empty string or to SCRIPT_FILENAME while in the
47	// default apache implementation it is not set
48	if ( $conf['question_mark_in_urls']==false and
49	isset($_SERVER["PATH_INFO"]) and !empty($_SERVER["PATH_INFO"]) )
50	{
51	$rewritten = $_SERVER["PATH_INFO"];
52	$rewritten = str_replace('//', '/', $rewritten);
53	$path_count = count( explode('/', $rewritten) );
54	$page['root_path'] = PHPWG_ROOT_PATH.str_repeat('../', $path_count-1);
55	}
56	else
57	{
58	$rewritten = '';
59	foreach (array_keys($_GET) as $keynum => $key)
60	{
61	$rewritten = $key;
62	break;
63	}
64
65	// the $_GET keys are not protected in include/common.inc.php, only the values
66	$rewritten = pwg_db_real_escape_string($rewritten);
67
68	$page['root_path'] = PHPWG_ROOT_PATH;
69	}
70
71	// deleting first "/" if displayed
72	$tokens = explode('/', ltrim($rewritten, '/') );
73	// $tokens = array(
74	// 0 => category,
75	// 1 => 12-foo,
76	// 2 => start-24
77	// );
78
79	$next_token = 0;
80	if (script_basename() == 'picture') // basename without file extention
81	{ // the first token must be the identifier for the picture
82	if ( isset($_GET['image_id'])
83	and isset($_GET['cat']) and is_numeric($_GET['cat']) )
84	{// url compatibility with versions below 1.6
85	$url = make_picture_url( array(
86	'section' => 'categories',
87	'category' => get_cat_info($_GET['cat']),
88	'image_id' => $_GET['image_id']
89	) );
90	redirect($url);
91	}
92	$token = $tokens[$next_token];
93	$next_token++;
94	if ( is_numeric($token) )
95	{
96	$page['image_id'] = $token;
97	if ($page['image_id']==0)
98	{
99	bad_request('invalid picture identifier');
100	}
101	}
102	else
103	{
104	preg_match('/^(\d+-)?(.*)?$/', $token, $matches);
105	if (isset($matches[1]) and is_numeric($matches[1]=rtrim($matches[1],'-')) )
106	{
107	$page['image_id'] = $matches[1];
108	if ( !empty($matches[2]) )
109	{
110	$page['image_file'] = $matches[2];
111	}
112	}
113	else
114	{
115	$page['image_id'] = 0; // more work in picture.php
116	if ( !empty($matches[2]) )
117	{
118	$page['image_file'] = $matches[2];
119	}
120	else
121	{
122	bad_request('picture identifier is missing');
123	}
124	}
125	}
126	}
127
128	$page = array_merge( $page, parse_section_url( $tokens, $next_token) );
129
130	if ( !isset($page['section']) )
131	{
132	$page['section'] = 'categories';
133
134	switch (script_basename())
135	{
136	case 'picture':
137	break;
138	case 'index':
139	{
140	// No section defined, go to selected url
141	if (!empty($conf['random_index_redirect']) and empty($tokens[$next_token]) )
142	{
143	$random_index_redirect = array();
144	foreach ($conf['random_index_redirect'] as $random_url => $random_url_condition)
145	{
146	if (empty($random_url_condition) or eval($random_url_condition))
147	{
148	$random_index_redirect[] = $random_url;
149	}
150	}
151	if (!empty($random_index_redirect))
152	{
153	redirect($random_index_redirect[mt_rand(0, count($random_index_redirect)-1)]);
154	}
155	}
156	break;
157	}
158	default:
159	trigger_error('script_basename "'.script_basename().'" unknown',
160	E_USER_WARNING);
161	}
162	}
163
164	$page = array_merge( $page, parse_well_known_params_url( $tokens, $next_token) );
165	if ( script_basename()=='picture' and 'categories'==$page['section'] and
166	!isset($page['category']) and !isset($page['chronology_field']) )
167	{ //access a picture only by id, file or id-file without given section
168	$page['flat']=true;
169	}
170
171	// $page['nb_image_page'] is the number of picture to display on this page
172	// By default, it is the same as the $user['nb_image_page']
173	$page['nb_image_page'] = $user['nb_image_page'];
174
175	// if flat mode is active, we must consider the image set as a standard set
176	// and not as a category set because we can't use the #image_category.rank :
177	// displayed images are not directly linked to the displayed category
178	if ('categories' == $page['section'] and !isset($page['flat']))
179	{
180	$conf['order_by'] = $conf['order_by_inside_category'];
181	}
182
183	if (pwg_get_session_var('image_order',0) > 0)
184	{
185	$image_order_id = pwg_get_session_var('image_order');
186
187	$orders = get_category_preferred_image_orders();
188
189	// the current session stored image_order might be not compatible with
190	// current image set, for example if the current image_order is the rank
191	// and that we are displaying images related to a tag.
192	//
193	// In case of incompatibility, the session stored image_order is removed.
194	if ($orders[$image_order_id][2])
195	{
196	$conf['order_by'] = str_replace(
197	'ORDER BY ',
198	'ORDER BY '.$orders[$image_order_id][1].',',
199	$conf['order_by']
200	);
201	$page['super_order_by'] = true;
202
203	}
204	else
205	{
206	pwg_unset_session_var('image_order');
207	$page['super_order_by'] = false;
208	}
209	}
210
211	$forbidden = get_sql_condition_FandF(
212	array
213	(
214	'forbidden_categories' => 'category_id',
215	'visible_categories' => 'category_id',
216	'visible_images' => 'id'
217	),
218	'AND'
219	);
220
221	// +-----------------------------------------------------------------------+
222	// \| category \|
223	// +-----------------------------------------------------------------------+
224	if ('categories' == $page['section'])
225	{
226	if (isset($page['category']))
227	{
228	$page = array_merge(
229	$page,
230	array(
231	'comment' =>
232	trigger_event(
233	'render_category_description',
234	$page['category']['comment'],
235	'main_page_category_description'
236	),
237	'title' => get_cat_display_name($page['category']['upper_names'], '', false),
238	)
239	);
240	}
241	else
242	$page['title'] = ''; // will be set later
243
244	if
245	(
246	(!isset($page['chronology_field'])) and
247	(
248	(isset($page['category'])) or
249	(isset($page['flat']))
250	)
251	)
252	{
253	if ( !empty($page['category']['image_order']) and !isset($page['super_order_by']) )
254	{
255	$conf[ 'order_by' ] = ' ORDER BY '.$page['category']['image_order'];
256	}
257
258	if (isset($page['flat']))
259	{// flat categories mode
260	if ( isset($page['category']) )
261	{ // get all allowed sub-categories
262	$query = '
263	SELECT id
264	FROM '.CATEGORIES_TABLE.'
265	WHERE
266	uppercats LIKE \''.$page['category']['uppercats'].',%\' '
267	.get_sql_condition_FandF(
268	array
269	(
270	'forbidden_categories' => 'id',
271	'visible_categories' => 'id',
272	),
273	"\n AND"
274	);
275	$subcat_ids = array_from_query($query, 'id');
276	$subcat_ids[] = $page['category']['id'];
277	$where_sql = 'category_id IN ('.implode(',',$subcat_ids).')';
278	// remove categories from forbidden because just checked above
279	$forbidden = get_sql_condition_FandF(
280	array( 'visible_images' => 'id' ),
281	'AND'
282	);
283	}
284	else
285	{
286	$where_sql = '1=1';
287	}
288	}
289	else
290	{// Normal mode
291	$where_sql = 'category_id = '.$page['category']['id'];
292	}
293
294	// Main query
295	$query = '
296	SELECT DISTINCT(image_id)
297	FROM '.IMAGE_CATEGORY_TABLE.'
298	INNER JOIN '.IMAGES_TABLE.' ON id = image_id
299	WHERE
300	'.$where_sql.'
301	'.$forbidden.'
302	'.$conf['order_by'].'
303	;';
304
305	$page['items'] = array_from_query($query, 'image_id');
306	} //otherwise the calendar will requery all subitems
307	}
308	// special sections
309	else
310	{
311	// +-----------------------------------------------------------------------+
312	// \| tags section \|
313	// +-----------------------------------------------------------------------+
314	if ($page['section'] == 'tags')
315	{
316	$page['tag_ids'] = array();
317	foreach ($page['tags'] as $tag)
318	{
319	array_push($page['tag_ids'], $tag['id']);
320	}
321
322	$items = get_image_ids_for_tags($page['tag_ids']);
323
324	// permissions depends on category, so to only keep images that are
325	// reachable to the connected user, we need to check category
326	// associations
327	if (!empty($items) )
328	{
329	$query = '
330	SELECT DISTINCT image_id
331	FROM '.IMAGE_CATEGORY_TABLE.' INNER JOIN '.IMAGES_TABLE.' ON image_id=id
332	WHERE image_id IN ('.implode(',', $items).')
333	'.$forbidden.
334	$conf['order_by'].'
335	;';
336	$items = array_from_query($query, 'image_id');
337	}
338
339	$page = array_merge(
340	$page,
341	array(
342	'title' => get_tags_content_title(),
343	'items' => $items,
344	)
345	);
346	}
347	// +-----------------------------------------------------------------------+
348	// \| search section \|
349	// +-----------------------------------------------------------------------+
350	if ($page['section'] == 'search')
351	{
352	include_once( PHPWG_ROOT_PATH .'include/functions_search.inc.php' );
353
354	$search_result = get_search_results($page['search'], @$page['super_order_by'] );
355	if ( isset($search_result['qs']) )
356	{//save the details of the query search
357	$page['qsearch_details'] = $search_result['qs'];
358	}
359
360	$page = array_merge(
361	$page,
362	array(
363	'items' => $search_result['items'],
364	'title' => '<a href="'.duplicate_index_url(array('start'=>0)).'">'
365	.l10n('Search results').'</a>',
366	)
367	);
368	}
369	// +-----------------------------------------------------------------------+
370	// \| favorite section \|
371	// +-----------------------------------------------------------------------+
372	else if ($page['section'] == 'favorites')
373	{
374	check_user_favorites();
375
376	$page = array_merge(
377	$page,
378	array(
379	'title' => l10n('Favorites')
380	)
381	);
382
383	if (!empty($_GET['action']) && ($_GET['action'] == 'remove_all_from_favorites'))
384	{
385	$query = '
386	DELETE FROM '.FAVORITES_TABLE.'
387	WHERE user_id = '.$user['id'].'
388	;';
389	pwg_query($query);
390	redirect(make_index_url( array('section'=>'favorites') ));
391	}
392	else
393	{
394	$query = '
395	SELECT image_id
396	FROM '.FAVORITES_TABLE.'
397	INNER JOIN '.IMAGES_TABLE.' ON image_id = id
398	WHERE user_id = '.$user['id'].'
399	'.get_sql_condition_FandF
400	(
401	array
402	(
403	'visible_images' => 'id'
404	),
405	'AND'
406	).'
407	'.$conf['order_by'].'
408	;';
409	$page = array_merge(
410	$page,
411	array(
412	'items' => array_from_query($query, 'image_id'),
413	)
414	);
415
416	if (count($page['items'])>0)
417	{
418	$template->assign(
419	'favorite',
420	array(
421	'FAVORITE_IMG' =>
422	get_root_url().get_themeconf('icon_dir').'/del_all_favorites.png',
423	'U_FAVORITE' => add_url_params(
424	make_index_url( array('section'=>'favorites') ),
425	array('action'=>'remove_all_from_favorites')
426	),
427	)
428	);
429	}
430	}
431	}
432	// +-----------------------------------------------------------------------+
433	// \| recent pictures section \|
434	// +-----------------------------------------------------------------------+
435	else if ($page['section'] == 'recent_pics')
436	{
437	if ( !isset($page['super_order_by']) )
438	{
439	$conf['order_by'] = str_replace(
440	'ORDER BY ',
441	'ORDER BY date_available DESC,',
442	$conf['order_by']
443	);
444	}
445
446	$query = '
447	SELECT DISTINCT(id)
448	FROM '.IMAGES_TABLE.'
449	INNER JOIN '.IMAGE_CATEGORY_TABLE.' AS ic ON id = ic.image_id
450	WHERE
451	date_available >= '.pwg_db_get_recent_period_expression($user['recent_period']).'
452	'.$forbidden.'
453	'.$conf['order_by'].'
454	;';
455
456	$page = array_merge(
457	$page,
458	array(
459	'title' => '<a href="'.duplicate_index_url(array('start'=>0)).'">'
460	.l10n('Recent pictures').'</a>',
461	'items' => array_from_query($query, 'id'),
462	)
463	);
464	}
465	// +-----------------------------------------------------------------------+
466	// \| recently updated categories section \|
467	// +-----------------------------------------------------------------------+
468	else if ($page['section'] == 'recent_cats')
469	{
470	$page = array_merge(
471	$page,
472	array(
473	'title' => l10n('Recent categories'),
474	)
475	);
476	}
477	// +-----------------------------------------------------------------------+
478	// \| most visited section \|
479	// +-----------------------------------------------------------------------+
480	else if ($page['section'] == 'most_visited')
481	{
482	$page['super_order_by'] = true;
483	$conf['order_by'] = ' ORDER BY hit DESC, file ASC';
484	$query = '
485	SELECT DISTINCT(id), hit, file
486	FROM '.IMAGES_TABLE.'
487	INNER JOIN '.IMAGE_CATEGORY_TABLE.' AS ic ON id = ic.image_id
488	WHERE hit > 0
489	'.$forbidden.'
490	'.$conf['order_by'].'
491	LIMIT '.$conf['top_number'].'
492	;';
493
494	$page = array_merge(
495	$page,
496	array(
497	'title' => '<a href="'.duplicate_index_url(array('start'=>0)).'">'
498	.$conf['top_number'].' '.l10n('Most visited').'</a>',
499	'items' => array_from_query($query, 'id'),
500	)
501	);
502	}
503	// +-----------------------------------------------------------------------+
504	// \| best rated section \|
505	// +-----------------------------------------------------------------------+
506	else if ($page['section'] == 'best_rated')
507	{
508	$page['super_order_by'] = true;
509	$conf['order_by'] = ' ORDER BY average_rate DESC, id ASC';
510
511	$query ='
512	SELECT DISTINCT(id), average_rate
513	FROM '.IMAGES_TABLE.'
514	INNER JOIN '.IMAGE_CATEGORY_TABLE.' AS ic ON id = ic.image_id
515	WHERE average_rate IS NOT NULL
516	'.$forbidden.'
517	'.$conf['order_by'].'
518	LIMIT '.$conf['top_number'].'
519	;';
520	$page = array_merge(
521	$page,
522	array(
523	'title' => '<a href="'.duplicate_index_url(array('start'=>0)).'">'
524	.$conf['top_number'].' '.l10n('Best rated').'</a>',
525	'items' => array_from_query($query, 'id'),
526	)
527	);
528	}
529	// +-----------------------------------------------------------------------+
530	// \| list section \|
531	// +-----------------------------------------------------------------------+
532	else if ($page['section'] == 'list')
533	{
534	$query ='
535	SELECT DISTINCT(id)
536	FROM '.IMAGES_TABLE.'
537	INNER JOIN '.IMAGE_CATEGORY_TABLE.' AS ic ON id = ic.image_id
538	WHERE image_id IN ('.implode(',', $page['list']).')
539	'.$forbidden.'
540	'.$conf['order_by'].'
541	;';
542
543	$page = array_merge(
544	$page,
545	array(
546	'title' => '<a href="'.duplicate_index_url(array('start'=>0)).'">'
547	.l10n('Random pictures').'</a>',
548	'items' => array_from_query($query, 'id'),
549	)
550	);
551	}
552	}
553
554	// +-----------------------------------------------------------------------+
555	// \| chronology \|
556	// +-----------------------------------------------------------------------+
557
558	if (isset($page['chronology_field']))
559	{
560	include_once( PHPWG_ROOT_PATH.'include/functions_calendar.inc.php' );
561	initialize_calendar();
562	}
563
564	// title update
565	if (isset($page['title']))
566	{
567	if (!empty($page['title']))
568	{
569	$page['title'] = $conf['level_separator'].$page['title'];
570	}
571	$page['title'] = '<a href="'.get_gallery_home_url().'">'.l10n('Home').'</a>'.$page['title'];
572	}
573
574	// add meta robots noindex, nofollow to avoid unnecesary robot crawls
575	$page['meta_robots']=array();
576	if ( isset($page['chronology_field'])
577	or ( isset($page['flat']) and isset($page['category']) )
578	or 'list'==$page['section'] or 'recent_pics'==$page['section'] )
579	{
580	$page['meta_robots']=array('noindex'=>1, 'nofollow'=>1);
581	}
582	elseif ('tags' == $page['section'])
583	{
584	if ( count($page['tag_ids'])>1 )
585	{
586	$page['meta_robots']=array('noindex'=>1, 'nofollow'=>1);
587	}
588	}
589	elseif ('recent_cats'==$page['section'])
590	{
591	$page['meta_robots']['noindex']=1;
592	}
593	elseif ('search'==$page['section'])
594	{
595	$page['meta_robots']['nofollow']=1;
596	}
597	if ( $filter['enabled'] )
598	{
599	$page['meta_robots']['noindex']=1;
600	}
601
602	// see if we need a redirect because of a permalink
603	if ( 'categories'==$page['section'] and isset($page['category']) )
604	{
605	$need_redirect=false;
606	if ( empty($page['category']['permalink']) )
607	{
608	if ( $conf['category_url_style'] == 'id-name' and
609	@$page['hit_by']['cat_url_name'] !== str2url($page['category']['name']) )
610	{
611	$need_redirect=true;
612	}
613	}
614	else
615	{
616	if ( $page['category']['permalink'] !== @$page['hit_by']['cat_permalink'] )
617	{
618	$need_redirect=true;
619	}
620	}
621
622	if ($need_redirect)
623	{
624	$redirect_url = ( script_basename()=='picture'
625	? duplicate_picture_url()
626	: duplicate_index_url()
627	);
628	if (!headers_sent())
629	{ // this is a permanent redirection
630	set_status_header(301);
631	redirect_http( $redirect_url );
632	}
633	redirect( $redirect_url );
634	}
635	unset( $need_redirect, $page['hit_by'] );
636	}
637
638	trigger_action('loc_end_section_init');
639	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: