source: branches/1.7/include/common.inc.php @ 7528

Last change on this file since 7528 was 2483, checked in by rvelices, 16 years ago
  • security fix : when confquestion_mark_in_urls=true , $_SERVERPATH_INFO was not sanitized against sql injection
  • mysql errors are now dumped using trigger_error instead of echo and die -> allow admins to see later on if someone tries funny stuff
  • Property svn:eol-style set to LF
  • Property svn:keywords set to Author Date Id Revision
File size: 7.5 KB
Line 
1<?php
2// +-----------------------------------------------------------------------+
3// | PhpWebGallery - a PHP based picture gallery                           |
4// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
5// | Copyright (C) 2003-2008 PhpWebGallery Team - http://phpwebgallery.net |
6// +-----------------------------------------------------------------------+
7// | branch        : BSF (Best So Far)
8// | file          : $Id: common.inc.php 2483 2008-08-23 01:15:33Z rvelices $
9// | last update   : $Date: 2008-08-23 01:15:33 +0000 (Sat, 23 Aug 2008) $
10// | last modifier : $Author: rvelices $
11// | revision      : $Revision: 2483 $
12// +-----------------------------------------------------------------------+
13// | This program is free software; you can redistribute it and/or modify  |
14// | it under the terms of the GNU General Public License as published by  |
15// | the Free Software Foundation                                          |
16// |                                                                       |
17// | This program is distributed in the hope that it will be useful, but   |
18// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
19// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
20// | General Public License for more details.                              |
21// |                                                                       |
22// | You should have received a copy of the GNU General Public License     |
23// | along with this program; if not, write to the Free Software           |
24// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
25// | USA.                                                                  |
26// +-----------------------------------------------------------------------+
27
28if (!defined('PHPWG_ROOT_PATH'))
29{
30  die('Hacking attempt!');
31}
32// determine the initial instant to indicate the generation time of this page
33$t1 = explode( ' ', microtime() );
34$t2 = explode( '.', $t1[0] );
35$t2 = $t1[1].'.'.$t2[1];
36
37set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
38
39//
40// addslashes to vars if magic_quotes_gpc is off this is a security
41// precaution to prevent someone trying to break out of a SQL statement.
42//
43if( !get_magic_quotes_gpc() )
44{
45  if( is_array( $_GET ) )
46  {
47    while( list($k, $v) = each($_GET) )
48    {
49      if( is_array($_GET[$k]) )
50      {
51        while( list($k2, $v2) = each($_GET[$k]) )
52        {
53          $_GET[$k][$k2] = addslashes($v2);
54        }
55        @reset($_GET[$k]);
56      }
57      else
58      {
59        $_GET[$k] = addslashes($v);
60      }
61    }
62    @reset($_GET);
63  }
64
65  if( is_array($_POST) )
66  {
67    while( list($k, $v) = each($_POST) )
68    {
69      if( is_array($_POST[$k]) )
70      {
71        while( list($k2, $v2) = each($_POST[$k]) )
72        {
73          $_POST[$k][$k2] = addslashes($v2);
74        }
75        @reset($_POST[$k]);
76      }
77      else
78      {
79        $_POST[$k] = addslashes($v);
80      }
81    }
82    @reset($_POST);
83  }
84
85  if( is_array($_COOKIE) )
86  {
87    while( list($k, $v) = each($_COOKIE) )
88    {
89      if( is_array($_COOKIE[$k]) )
90      {
91        while( list($k2, $v2) = each($_COOKIE[$k]) )
92        {
93          $_COOKIE[$k][$k2] = addslashes($v2);
94        }
95        @reset($_COOKIE[$k]);
96      }
97      else
98      {
99        $_COOKIE[$k] = addslashes($v);
100      }
101    }
102    @reset($_COOKIE);
103  }
104}
105if ( !empty($_SERVER["PATH_INFO"]) )
106{
107  $_SERVER["PATH_INFO"] = addslashes($_SERVER["PATH_INFO"]);
108}
109
110//
111// Define some basic configuration arrays this also prevents malicious
112// rewriting of language and otherarray values via URI params
113//
114$conf = array();
115$page = array();
116$user = array();
117$lang = array();
118$header_msgs = array();
119$header_notes = array();
120$filter = array();
121
122@include(PHPWG_ROOT_PATH .'include/mysql.inc.php');
123if (!defined('PHPWG_INSTALLED'))
124{
125  header('Location: install.php');
126  exit;
127}
128
129foreach( array(
130  'array_intersect_key', //PHP 5 >= 5.1.0RC1
131  'hash_hmac', //(hash) - enabled by default as of PHP 5.1.2
132  'preg_last_error', // PHP 5 >= 5.2.0
133  ) as $func)
134{
135  if (!function_exists($func))
136  {
137    include_once(PHPWG_ROOT_PATH . 'include/php_compat/'.$func.'.php');
138  }
139}
140
141include(PHPWG_ROOT_PATH . 'include/config_default.inc.php');
142@include(PHPWG_ROOT_PATH. 'include/config_local.inc.php');
143include(PHPWG_ROOT_PATH . 'include/constants.php');
144include(PHPWG_ROOT_PATH . 'include/functions.inc.php');
145include(PHPWG_ROOT_PATH . 'include/template.php');
146
147// Database connection
148@mysql_connect( $cfgHote, $cfgUser, $cfgPassword ) or my_error( 'mysql_connect', true );
149@mysql_select_db( $cfgBase ) or my_error( 'mysql_select_db', true );
150
151//
152// Setup gallery wide options, if this fails then we output a CRITICAL_ERROR
153// since basic gallery information is not available
154//
155load_conf_from_db();
156load_plugins();
157
158include(PHPWG_ROOT_PATH.'include/user.inc.php');
159
160
161// language files
162include_once(get_language_filepath('common.lang.php'));
163if (defined('IN_ADMIN') and IN_ADMIN)
164{
165  include_once(get_language_filepath('admin.lang.php'));
166}
167trigger_action('loading_lang');
168@include_once(get_language_filepath('local.lang.php'));
169
170// only now we can set the localized username of the guest user (and not in
171// include/user.inc.php)
172if ($user['is_the_guest'])
173{
174  $user['username'] = l10n('guest');
175}
176
177// template instance
178if
179  (
180      defined('IN_ADMIN') and IN_ADMIN and
181      isset($user['admin_template']) and
182      isset($user['admin_theme'])
183  )
184{
185  // Admin template
186  $template = new Template(PHPWG_ROOT_PATH.'template/'.$user['admin_template'], $user['admin_theme'] );
187}
188else
189{
190  // Classic template
191  $template = new Template(PHPWG_ROOT_PATH.'template/'.$user['template'], $user['theme'] );
192}
193
194if (isset($user['internal_status']['guest_must_be_guest'])
195    and
196    $user['internal_status']['guest_must_be_guest'] === true)
197{
198  $header_msgs[] = l10n('guest_must_be_guest');
199}
200
201if ($conf['gallery_locked'])
202{
203  $header_msgs[] = l10n('gallery_locked_message');
204
205  if ( script_basename() != 'identification' and !is_admin() )
206  {
207    echo l10n('gallery_locked_message')
208      .'<a href="'.get_absolute_root_url(false).'identification.php">.</a>';
209    exit();
210  }
211}
212
213if ($conf['check_upgrade_feed']
214    and defined('PHPWG_IN_UPGRADE')
215    and PHPWG_IN_UPGRADE)
216{
217
218  // retrieve already applied upgrades
219  $query = '
220SELECT id
221  FROM '.UPGRADE_TABLE.'
222;';
223  $applied = array_from_query($query, 'id');
224
225  // retrieve existing upgrades
226  $existing = get_available_upgrade_ids();
227
228  // which upgrades need to be applied?
229  if (count(array_diff($existing, $applied)) > 0)
230  {
231    $header_msgs[] = 'Some database upgrades are missing, '
232      .'<a href="'.get_absolute_root_url(false).'upgrade_feed.php">upgrade now</a>';
233  }
234}
235
236if (is_adviser())
237{
238  $header_msgs[] = l10n('adviser_mode_enabled');
239}
240
241if (count($header_msgs) > 0)
242{
243  $template->assign_block_vars('header_msgs',array());
244  foreach ($header_msgs as $header_msg)
245  {
246    $template->assign_block_vars('header_msgs.header_msg',
247                                 array('HEADER_MSG'=>$header_msg));
248  }
249}
250
251if (!empty($conf['filter_pages']) and get_filter_page_value('used'))
252{
253  include(PHPWG_ROOT_PATH.'include/functions_filter.inc.php');
254  include(PHPWG_ROOT_PATH.'include/filter.inc.php');
255}
256else
257{
258  $filter['enabled'] = false;
259}
260
261if (isset($conf['header_notes']))
262{
263  $header_notes = array_merge($header_notes, $conf['header_notes']);
264}
265
266// default event handlers
267add_event_handler('render_category_literal_description', 'render_category_literal_description');
268add_event_handler('render_category_description', 'render_category_description');
269add_event_handler('render_comment_content', 'htmlspecialchars');
270add_event_handler('render_comment_content', 'parse_comment_content');
271add_event_handler('render_comment_author', 'strip_tags');
272trigger_action('init');
273?>
Note: See TracBrowser for help on using the repository browser.