00001 <?php 00002 00003 /* 00004 * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/) 00005 * Copyright (C) 2002-2007 The Nucleus Group 00006 * 00007 * This program is free software; you can redistribute it and/or 00008 * modify it under the terms of the GNU General Public License 00009 * as published by the Free Software Foundation; either version 2 00010 * of the License, or (at your option) any later version. 00011 * (see nucleus/documentation/index.html#license for more info) 00012 */ 00020 // needed if we include globalfunctions from install.php 00021 global $nucleus, $CONF, $DIR_LIBS, $DIR_LANG, $manager, $member; 00022 00023 $nucleus['version'] = 'v3.31SP1'; 00024 $nucleus['codename'] = ''; 00025 00026 checkVars(array('nucleus', 'CONF', 'DIR_LIBS', 'MYSQL_HOST', 'MYSQL_USER', 'MYSQL_PASSWORD', 'MYSQL_DATABASE', 'DIR_LANG', 'DIR_PLUGINS', 'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS', 'HTTP_SESSION_VARS', 'HTTP_POST_FILES', 'HTTP_SERVER_VARS', 'GLOBALS', 'argv', 'argc', '_GET', '_POST', '_COOKIE', '_ENV', '_SESSION', '_SERVER', '_FILES')); 00027 00028 $CONF['debug'] = 0; 00029 if ($CONF['debug']) { 00030 error_reporting(E_ALL); // report all errors! 00031 } else { 00032 error_reporting(E_ERROR | E_WARNING | E_PARSE); 00033 } 00034 00035 // Avoid notices 00036 if (!isset($CONF['Self'])) { 00037 $CONF['Self'] = htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES); 00038 } 00039 00040 /* 00041 Indicates when Nucleus should display startup errors. Set to 1 if you want 00042 the error enabled (default), false otherwise 00043 00044 alertOnHeadersSent 00045 Displays an error when visiting a public Nucleus page and headers have 00046 been sent out to early. This usually indicates an error in either a 00047 configuration file or a language file, and could cause Nucleus to 00048 malfunction 00049 alertOnSecurityRisk 00050 Displays an error only when visiting the admin area, and when one or 00051 more of the installation files (install.php, install.sql, upgrades/ 00052 directory) are still on the server. 00053 */ 00054 $CONF['alertOnHeadersSent'] = 1; 00055 $CONF['alertOnSecurityRisk'] = 1; 00056 $CONF['ItemURL'] = $CONF['Self']; 00057 $CONF['ArchiveURL'] = $CONF['Self']; 00058 $CONF['ArchiveListURL'] = $CONF['Self']; 00059 $CONF['MemberURL'] = $CONF['Self']; 00060 $CONF['SearchURL'] = $CONF['Self']; 00061 $CONF['BlogURL'] = $CONF['Self']; 00062 $CONF['CategoryURL'] = $CONF['Self']; 00063 00064 // switch URLMode back to normal when $CONF['Self'] ends in .php 00065 // this avoids urls like index.php/item/13/index.php/item/15 00066 if (!isset($CONF['URLMode']) || (($CONF['URLMode'] == 'pathinfo') && (substr($CONF['Self'], strlen($CONF['Self']) - 4) == '.php'))) { 00067 $CONF['URLMode'] = 'normal'; 00068 } 00069 00070 if (getNucleusPatchLevel() > 0) { 00071 $nucleus['version'] .= '/' . getNucleusPatchLevel(); 00072 } 00073 00074 // Avoid notices 00075 if (!isset($CONF['installscript'])) { 00076 $CONF['installscript'] = 0; 00077 } 00078 00079 // we will use postVar, getVar, ... methods instead of HTTP_GET_VARS or _GET 00080 if ($CONF['installscript'] != 1) { // vars were already included in install.php 00081 if (phpversion() >= '4.1.0') { 00082 include_once($DIR_LIBS . 'vars4.1.0.php'); 00083 } else { 00084 include_once($DIR_LIBS . 'vars4.0.6.php'); 00085 } 00086 } 00087 00088 // sanitize option 00089 $bLoggingSanitizedResult=0; 00090 $bSanitizeAndContinue=0; 00091 00092 $orgRequestURI = serverVar('REQUEST_URI'); 00093 sanitizeParams(); 00094 00095 // get all variables that can come from the request and put them in the global scope 00096 $blogid = requestVar('blogid'); 00097 $itemid = intRequestVar('itemid'); 00098 $catid = intRequestVar('catid'); 00099 $skinid = requestVar('skinid'); 00100 $memberid = requestVar('memberid'); 00101 $archivelist = requestVar('archivelist'); 00102 $imagepopup = requestVar('imagepopup'); 00103 $archive = requestVar('archive'); 00104 $query = requestVar('query'); 00105 $highlight = requestVar('highlight'); 00106 $amount = requestVar('amount'); 00107 $action = requestVar('action'); 00108 $nextaction = requestVar('nextaction'); 00109 $maxresults = requestVar('maxresults'); 00110 $startpos = intRequestVar('startpos'); 00111 $errormessage = ''; 00112 $error = ''; 00113 $virtualpath = ((getVar('virtualpath') != null) ? getVar('virtualpath') : serverVar('PATH_INFO')); 00114 00115 if (!headers_sent() ) { 00116 header('Generator: Nucleus CMS ' . $nucleus['version']); 00117 } 00118 00119 // include core classes that are needed for login & plugin handling 00120 include($DIR_LIBS . 'mysql.php'); 00121 include($DIR_LIBS . 'MEMBER.php'); 00122 include($DIR_LIBS . 'ACTIONLOG.php'); 00123 include($DIR_LIBS . 'MANAGER.php'); 00124 include($DIR_LIBS . 'PLUGIN.php'); 00125 00126 $manager =& MANAGER::instance(); 00127 00128 // make sure there's no unnecessary escaping: 00129 set_magic_quotes_runtime(0); 00130 00131 // Avoid notices 00132 if (!isset($CONF['UsingAdminArea'])) { 00133 $CONF['UsingAdminArea'] = 0; 00134 } 00135 00136 // only needed when updating logs 00137 if ($CONF['UsingAdminArea']) { 00138 include($DIR_LIBS . 'xmlrpc.inc.php'); // XML-RPC client classes 00139 include_once($DIR_LIBS . 'ADMIN.php'); 00140 } 00141 00142 // connect to database 00143 sql_connect(); 00144 $SQLCount = 0; 00145 00146 // logs sanitized result if need 00147 if ($orgRequestURI!==serverVar('REQUEST_URI')) { 00148 $msg = "Sanitized [" . serverVar('REMOTE_ADDR') . "] "; 00149 $msg .= $orgRequestURI . " -> " . serverVar('REQUEST_URI'); 00150 if ($bLoggingSanitizedResult) { 00151 addToLog(WARNING, $msg); 00152 } 00153 if (!$bSanitizeAndContinue) { 00154 die(""); 00155 } 00156 } 00157 00158 // makes sure database connection gets closed on script termination 00159 register_shutdown_function('sql_disconnect'); 00160 00161 // read config 00162 getConfig(); 00163 00164 // automatically use simpler toolbar for mozilla 00165 if (($CONF['DisableJsTools'] == 0) && strstr(serverVar('HTTP_USER_AGENT'), 'Mozilla/5.0') && strstr(serverVar('HTTP_USER_AGENT'), 'Gecko') ) { 00166 $CONF['DisableJsTools'] = 2; 00167 } 00168 00169 // login if cookies set 00170 $member = new MEMBER(); 00171 00172 // secure cookie key settings (either 'none', 0, 8, 16, 24, or 32) 00173 if (!isset($CONF['secureCookieKey'])) $CONF['secureCookieKey']=24; 00174 switch($CONF['secureCookieKey']){ 00175 case 8: 00176 $CONF['secureCookieKeyIP']=preg_replace('/\.[0-9]+\.[0-9]+\.[0-9]+$/','',serverVar('REMOTE_ADDR')); 00177 break; 00178 case 16: 00179 $CONF['secureCookieKeyIP']=preg_replace('/\.[0-9]+\.[0-9]+$/','',serverVar('REMOTE_ADDR')); 00180 break; 00181 case 24: 00182 $CONF['secureCookieKeyIP']=preg_replace('/\.[0-9]+$/','',serverVar('REMOTE_ADDR')); 00183 break; 00184 case 32: 00185 $CONF['secureCookieKeyIP']=serverVar('REMOTE_ADDR'); 00186 break; 00187 default: 00188 $CONF['secureCookieKeyIP']=''; 00189 } 00190 00191 // login/logout when required or renew cookies 00192 if ($action == 'login') { 00193 // Form Authentication 00194 $login = postVar('login'); 00195 $pw = postVar('password'); 00196 $shared = intPostVar('shared'); // shared computer or not 00197 00198 $pw=substr($pw,0,40); // avoid md5 collision by using a long key 00199 00200 if ($member->login($login, $pw) ) { 00201 00202 $member->newCookieKey(); 00203 $member->setCookies($shared); 00204 00205 if ($CONF['secureCookieKey']!=='none') { 00206 // secure cookie key 00207 $member->setCookieKey(md5($member->getCookieKey().$CONF['secureCookieKeyIP'])); 00208 $member->write(); 00209 } 00210 00211 // allows direct access to parts of the admin area after logging in 00212 if ($nextaction) { 00213 $action = $nextaction; 00214 } 00215 00216 $manager->notify('LoginSuccess', array('member' => &$member) ); 00217 $errormessage = ''; 00218 ACTIONLOG::add(INFO, "Login successful for $login (sharedpc=$shared)"); 00219 } else { 00220 // errormessage for [%errordiv%] 00221 $errormessage = 'Login failed for ' . $login; 00222 00223 $manager->notify('LoginFailed', array('username' => $login) ); 00224 ACTIONLOG::add(INFO, $errormessage); 00225 } 00226 /* 00227 00228 Backed out for now: See http://forum.nucleuscms.org/viewtopic.php?t=3684 for details 00229 00230 } elseif (serverVar('PHP_AUTH_USER') && serverVar('PHP_AUTH_PW')) { 00231 // HTTP Authentication 00232 $login = serverVar('PHP_AUTH_USER'); 00233 $pw = serverVar('PHP_AUTH_PW'); 00234 00235 if ($member->login($login, $pw) ) { 00236 $manager->notify('LoginSuccess',array('member' => &$member)); 00237 ACTIONLOG::add(INFO, "HTTP authentication successful for $login"); 00238 } else { 00239 $manager->notify('LoginFailed',array('username' => $login)); 00240 ACTIONLOG::add(INFO, 'HTTP authentication failed for ' . $login); 00241 00242 //Since bad credentials, generate an apropriate error page 00243 header("WWW-Authenticate: Basic realm=\"Nucleus CMS {$nucleus['version']}\""); 00244 header('HTTP/1.0 401 Unauthorized'); 00245 echo 'Invalid username or password'; 00246 exit; 00247 } 00248 */ 00249 00250 } elseif (($action == 'logout') && (!headers_sent() ) && cookieVar($CONF['CookiePrefix'] . 'user') ) { 00251 // remove cookies on logout 00252 setcookie($CONF['CookiePrefix'] . 'user', '', (time() - 2592000), $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']); 00253 setcookie($CONF['CookiePrefix'] . 'loginkey', '', (time() - 2592000), $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']); 00254 $manager->notify('Logout', array('username' => cookieVar($CONF['CookiePrefix'] . 'user') ) ); 00255 } elseif (cookieVar($CONF['CookiePrefix'] . 'user') ) { 00256 // Cookie Authentication 00257 $ck=cookieVar($CONF['CookiePrefix'] . 'loginkey'); 00258 // secure cookie key 00259 $ck=substr($ck,0,32); // avoid md5 collision by using a long key 00260 if ($CONF['secureCookieKey']!=='none') $ck=md5($ck.$CONF['secureCookieKeyIP']); 00261 $res = $member->cookielogin(cookieVar($CONF['CookiePrefix'] . 'user'), $ck ); 00262 unset($ck); 00263 00264 // renew cookies when not on a shared computer 00265 if ($res && (cookieVar($CONF['CookiePrefix'] . 'sharedpc') != 1) && (!headers_sent() ) ) { 00266 $member->setCookieKey(cookieVar($CONF['CookiePrefix'] . 'loginkey')); 00267 $member->setCookies(); 00268 } 00269 } 00270 00271 // login completed 00272 $manager->notify('PostAuthentication', array('loggedIn' => $member->isLoggedIn() ) ); 00273 ticketForPlugin(); 00274 00275 // first, let's see if the site is disabled or not. always allow admin area access. 00276 if ($CONF['DisableSite'] && !$member->isAdmin() && !$CONF['UsingAdminArea']) { 00277 redirect($CONF['DisableSiteURL']); 00278 exit; 00279 } 00280 00281 // load other classes 00282 include($DIR_LIBS . 'PARSER.php'); 00283 include($DIR_LIBS . 'SKIN.php'); 00284 include($DIR_LIBS . 'TEMPLATE.php'); 00285 include($DIR_LIBS . 'BLOG.php'); 00286 include($DIR_LIBS . 'BODYACTIONS.php'); 00287 include($DIR_LIBS . 'COMMENTS.php'); 00288 include($DIR_LIBS . 'COMMENT.php'); 00289 //include($DIR_LIBS . 'ITEM.php'); 00290 include($DIR_LIBS . 'NOTIFICATION.php'); 00291 include($DIR_LIBS . 'BAN.php'); 00292 include($DIR_LIBS . 'PAGEFACTORY.php'); 00293 include($DIR_LIBS . 'SEARCH.php'); 00294 include($DIR_LIBS . 'entity.php'); 00295 00296 00297 // set lastVisit cookie (if allowed) 00298 if (!headers_sent() ) { 00299 if ($CONF['LastVisit']) { 00300 setcookie($CONF['CookiePrefix'] . 'lastVisit', time(), time() + 2592000, $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']); 00301 } else { 00302 setcookie($CONF['CookiePrefix'] . 'lastVisit', '', (time() - 2592000), $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']); 00303 } 00304 } 00305 00306 // read language file, only after user has been initialized 00307 $language = getLanguageName(); 00308 include($DIR_LANG . ereg_replace( '[\\|/]', '', $language) . '.php'); 00309 00310 /* 00311 Backed out for now: See http://forum.nucleuscms.org/viewtopic.php?t=3684 for details 00312 00313 // To remove after v2.5 is released and language files have been updated. 00314 // Including this makes sure that language files for v2.5beta can still be used for v2.5final 00315 // without having weird _SETTINGS_EXTAUTH string showing up in the admin area. 00316 if (!defined('_MEMBERS_BYPASS')) 00317 { 00318 define('_SETTINGS_EXTAUTH', 'Enable External Authentication'); 00319 define('_WARNING_EXTAUTH', 'Warning: Enable only if needed.'); 00320 define('_MEMBERS_BYPASS', 'Use External Authentication'); 00321 } 00322 00323 */ 00324 00325 // make sure the archivetype skinvar keeps working when _ARCHIVETYPE_XXX not defined 00326 if (!defined('_ARCHIVETYPE_MONTH') ) { 00327 define('_ARCHIVETYPE_DAY', 'day'); 00328 define('_ARCHIVETYPE_MONTH', 'month'); 00329 } 00330 00331 // decode path_info 00332 if ($CONF['URLMode'] == 'pathinfo') { 00333 // initialize keywords if this hasn't been done before 00334 if ($CONF['ItemKey'] == '') { 00335 $CONF['ItemKey'] = 'item'; 00336 } 00337 00338 if ($CONF['ArchiveKey'] == '') { 00339 $CONF['ArchiveKey'] = 'archive'; 00340 } 00341 00342 if ($CONF['ArchivesKey'] == '') { 00343 $CONF['ArchivesKey'] = 'archives'; 00344 } 00345 00346 if ($CONF['MemberKey'] == '') { 00347 $CONF['MemberKey'] = 'member'; 00348 } 00349 00350 if ($CONF['BlogKey'] == '') { 00351 $CONF['BlogKey'] = 'blog'; 00352 } 00353 00354 if ($CONF['CategoryKey'] == '') { 00355 $CONF['CategoryKey'] = 'category'; 00356 } 00357 00358 if ($CONF['SpecialskinKey'] == '') { 00359 $CONF['SpecialskinKey'] = 'special'; 00360 } 00361 00362 $parsed = false; 00363 $manager->notify( 00364 'ParseURL', 00365 array( 00366 'type' => basename(serverVar('SCRIPT_NAME') ), // e.g. item, blog, ... 00367 'info' => $virtualpath, 00368 'complete' => &$parsed 00369 ) 00370 ); 00371 00372 if (!$parsed) { 00373 // default implementation 00374 $data = explode("/", $virtualpath ); 00375 for ($i = 0; $i < sizeof($data); $i++) { 00376 switch ($data[$i]) { 00377 case $CONF['ItemKey']: // item/1 (blogid) 00378 $i++; 00379 00380 if ($i < sizeof($data) ) { 00381 $itemid = intval($data[$i]); 00382 } 00383 break; 00384 00385 case $CONF['ArchivesKey']: // archives/1 (blogid) 00386 $i++; 00387 00388 if ($i < sizeof($data) ) { 00389 $archivelist = intval($data[$i]); 00390 } 00391 break; 00392 00393 case $CONF['ArchiveKey']: // two possibilities: archive/yyyy-mm or archive/1/yyyy-mm (with blogid) 00394 if ((($i + 1) < sizeof($data) ) && (!strstr($data[$i + 1], '-') ) ) { 00395 $blogid = intval($data[++$i]); 00396 } 00397 00398 $i++; 00399 00400 if ($i < sizeof($data) ) { 00401 $archive = $data[$i]; 00402 } 00403 break; 00404 00405 case 'blogid': // blogid/1 00406 case $CONF['BlogKey']: // blog/1 00407 $i++; 00408 00409 if ($i < sizeof($data) ) { 00410 $blogid = intval($data[$i]); 00411 } 00412 break; 00413 00414 case $CONF['CategoryKey']: // category/1 (catid) 00415 case 'catid': 00416 $i++; 00417 00418 if ($i < sizeof($data) ) { 00419 $catid = intval($data[$i]); 00420 } 00421 break; 00422 00423 case $CONF['MemberKey']: 00424 $i++; 00425 00426 if ($i < sizeof($data) ) { 00427 $memberid = intval($data[$i]); 00428 } 00429 break; 00430 00431 case $CONF['SpecialskinKey']: 00432 $i++; 00433 00434 if ($i < sizeof($data) ) { 00435 $_REQUEST['special'] = $data[$i]; 00436 } 00437 break; 00438 00439 default: 00440 // skip... 00441 } 00442 } 00443 } 00444 } 00445 00446 function intPostVar($name) { 00447 return intval(postVar($name) ); 00448 } 00449 00450 function intGetVar($name) { 00451 return intval(getVar($name) ); 00452 } 00453 00454 function intRequestVar($name) { 00455 return intval(requestVar($name) ); 00456 } 00457 00458 function intCookieVar($name) { 00459 return intval(cookieVar($name) ); 00460 } 00461 00465 function getNucleusVersion() { 00466 return 331; 00467 } 00468 00474 function getNucleusPatchLevel() { 00475 return 0; 00476 } 00477 00481 function sql_connect() { 00482 global $MYSQL_HOST, $MYSQL_USER, $MYSQL_PASSWORD, $MYSQL_DATABASE, $MYSQL_CONN; 00483 00484 $MYSQL_CONN = @mysql_connect($MYSQL_HOST, $MYSQL_USER, $MYSQL_PASSWORD) or startUpError('<p>Could not connect to MySQL database.</p>', 'Connect Error'); 00485 mysql_select_db($MYSQL_DATABASE) or startUpError('<p>Could not select database: ' . mysql_error() . '</p>', 'Connect Error'); 00486 00487 return $MYSQL_CONN; 00488 } 00489 00493 function sql_table($name) { 00494 global $MYSQL_PREFIX; 00495 00496 if ($MYSQL_PREFIX) { 00497 return $MYSQL_PREFIX . 'nucleus_' . $name; 00498 } else { 00499 return 'nucleus_' . $name; 00500 } 00501 } 00502 00503 function sendContentType($contenttype, $pagetype = '', $charset = _CHARSET) { 00504 global $manager, $CONF; 00505 00506 if (!headers_sent() ) { 00507 // if content type is application/xhtml+xml, only send it to browsers 00508 // that can handle it (IE6 cannot). Otherwise, send text/html 00509 00510 // v2.5: For admin area pages, keep sending text/html (unless it's a debug version) 00511 // application/xhtml+xml still causes too much problems with the javascript implementations 00512 00513 // v3.3: ($CONF['UsingAdminArea'] && !$CONF['debug']) gets removed, 00514 // application/xhtml+xml seems to be working, so we're going to use it if we can. 00515 // 00516 // Note: reverted the following function in JP version 00517 // 00518 /* 00519 // v3.3 code 00520 if ( 00521 ($contenttype == 'application/xhtml+xml') 00522 && (!stristr(serverVar('HTTP_ACCEPT'), 'application/xhtml+xml') ) 00523 ) { 00524 $contenttype = 'text/html'; 00525 } 00526 */ 00527 // v3.2x code 00528 if ( 00529 ($contenttype == 'application/xhtml+xml') 00530 && (($CONF['UsingAdminArea'] && !$CONF['debug']) || !stristr(serverVar('HTTP_ACCEPT'),'application/xhtml+xml')) 00531 ) 00532 { 00533 $contenttype = 'text/html'; 00534 } 00535 00536 $manager->notify( 00537 'PreSendContentType', 00538 array( 00539 'contentType' => &$contenttype, 00540 'charset' => &$charset, 00541 'pageType' => $pagetype 00542 ) 00543 ); 00544 00545 // strip strange characters 00546 $contenttype = preg_replace('|[^a-z0-9-+./]|i', '', $contenttype); 00547 $charset = preg_replace('|[^a-z0-9-_]|i', '', $charset); 00548 00549 if ($charset != '') { 00550 header('Content-Type: ' . $contenttype . '; charset=' . $charset); 00551 } else { 00552 header('Content-Type: ' . $contenttype); 00553 } 00554 } 00555 } 00556 00560 function startUpError($msg, $title) { 00561 ?> 00562 <html xmlns="http://www.w3.org/1999/xhtml"> 00563 <head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 00564 <title><?php echo htmlspecialchars($title)?></title></head> 00565 <body> 00566 <h1><?php echo htmlspecialchars($title)?></h1> 00567 <?php echo $msg?> 00568 </body> 00569 </html> 00570 <?php exit; 00571 } 00572 00576 function sql_disconnect() { 00577 @mysql_close(); 00578 } 00579 00583 function sql_query($query) { 00584 global $SQLCount; 00585 $SQLCount++; 00586 $res = mysql_query($query) or print("mySQL error with query $query: " . mysql_error() . '<p />'); 00587 return $res; 00588 } 00589 00590 00602 function highlight($text, $expression, $highlight) { 00603 if (!$highlight || !$expression) { 00604 return $text; 00605 } 00606 00607 if (is_array($expression) && (count($expression) == 0) ) { 00608 return $text; 00609 } 00610 00611 // add a tag in front (is needed for preg_match_all to work correct) 00612 $text = '<!--h-->' . $text; 00613 00614 // split the HTML up so we have HTML tags 00615 // $matches[0][i] = HTML + text 00616 // $matches[1][i] = HTML 00617 // $matches[2][i] = text 00618 preg_match_all('/(<[^>]+>)([^<>]*)/', $text, $matches); 00619 00620 // throw it all together again while applying the highlight to the text pieces 00621 $result = ''; 00622 for ($i = 0; $i < sizeof($matches[2]); $i++) { 00623 if ($i != 0) { 00624 $result .= $matches[1][$i]; 00625 } 00626 00627 if (is_array($expression) ) { 00628 foreach ($expression as $regex) { 00629 if ($regex) { 00630 $matches[2][$i] = @eregi_replace($regex, $highlight, $matches[2][$i]); 00631 } 00632 } 00633 00634 $result .= $matches[2][$i]; 00635 } else { 00636 $result .= @eregi_replace($expression, $highlight, $matches[2][$i]); 00637 } 00638 } 00639 00640 return $result; 00641 } 00642 00646 function parseHighlight($query) { 00647 // TODO: add more intelligent splitting logic 00648 00649 // get rid of quotes 00650 $query = preg_replace('/\'|"/', '', $query); 00651 00652 if (!query) { 00653 return array(); 00654 } 00655 00656 $aHighlight = explode(' ', $query); 00657 00658 for ($i = 0; $i < count($aHighlight); $i++) { 00659 $aHighlight[$i] = trim($aHighlight[$i]); 00660 00661 if (strlen($aHighlight[$i]) < 3) { 00662 unset($aHighlight[$i]); 00663 } 00664 } 00665 00666 if (count($aHighlight) == 1) { 00667 return $aHighlight[0]; 00668 } else { 00669 return $aHighlight; 00670 } 00671 } 00672 00676 function isValidMailAddress($address) { 00677 if (preg_match('/^[a-zA-Z+0-9\._-]+@[a-zA-Z0-9\._-]+\.[A-Za-z]{2,5}$/', $address)) { 00678 return 1; 00679 } else { 00680 return 0; 00681 } 00682 } 00683 00684 00685 // some helper functions 00686 function getBlogIDFromName($name) { 00687 return quickQuery('SELECT bnumber as result FROM ' . sql_table('blog') . ' WHERE bshortname="' . addslashes($name) . '"'); 00688 } 00689 00690 function getBlogNameFromID($id) { 00691 return quickQuery('SELECT bname as result FROM ' . sql_table('blog') . ' WHERE bnumber=' . intval($id) ); 00692 } 00693 00694 function getBlogIDFromItemID($itemid) { 00695 return quickQuery('SELECT iblog as result FROM ' . sql_table('item') . ' WHERE inumber=' . intval($itemid) ); 00696 } 00697 00698 function getBlogIDFromCommentID($commentid) { 00699 return quickQuery('SELECT cblog as result FROM ' . sql_table('comment') . ' WHERE cnumber=' . intval($commentid) ); 00700 } 00701 00702 function getBlogIDFromCatID($catid) { 00703 return quickQuery('SELECT cblog as result FROM ' . sql_table('category') . ' WHERE catid=' . intval($catid) ); 00704 } 00705 00706 function getCatIDFromName($name) { 00707 return quickQuery('SELECT catid as result FROM ' . sql_table('category') . ' WHERE cname="' . addslashes($name) . '"'); 00708 } 00709 00710 function quickQuery($q) { 00711 $res = sql_query($q); 00712 $obj = mysql_fetch_object($res); 00713 return $obj->result; 00714 } 00715 00716 function getPluginNameFromPid($pid) { 00717 $res = sql_query('SELECT pfile FROM ' . sql_table('plugin') . ' WHERE pid=' . intval($pid) ); 00718 $obj = mysql_fetch_object($res); 00719 return $obj->pfile; 00720 } 00721 00722 function selector() { 00723 global $itemid, $blogid, $memberid, $query, $amount, $archivelist, $maxresults; 00724 global $archive, $skinid, $blog, $memberinfo, $CONF, $member; 00725 global $imagepopup, $catid; 00726 global $manager; 00727 00728 $actionNames = array('addcomment', 'sendmessage', 'createaccount', 'forgotpassword', 'votepositive', 'votenegative', 'plugin'); 00729 $action = requestVar('action'); 00730 00731 if (in_array($action, $actionNames) ) { 00732 global $DIR_LIBS, $errormessage; 00733 include_once($DIR_LIBS . 'ACTION.php'); 00734 $a = new ACTION(); 00735 $errorInfo = $a->doAction($action); 00736 00737 if ($errorInfo) { 00738 $errormessage = $errorInfo['message']; 00739 } 00740 } 00741 00742 // show error when headers already sent out 00743 if (headers_sent() && $CONF['alertOnHeadersSent']) { 00744 00745 // try to get line number/filename (extra headers_sent params only exists in PHP 4.3+) 00746 if (function_exists('version_compare') && version_compare('4.3.0', phpversion(), '<=') ) { 00747 headers_sent($hsFile, $hsLine); 00748 $extraInfo = ' in <code>' . $hsFile . '</code> line <code>' . $hsLine . '</code>'; 00749 } else { 00750 $extraInfo = ''; 00751 } 00752 00753 startUpError( 00754 '<p>The page headers have already been sent out' . $extraInfo . '. This could cause Nucleus not to work in the expected way.</p><p>Usually, this is caused by spaces or newlines at the end of the <code>config.php</code> file, at the end of the language file or at the end of a plugin file. Please check this and try again.</p><p>If you don\'t want to see this error message again, without solving the problem, set <code>$CONF[\'alertOnHeadersSent\']</code> in <code>globalfunctions.php</code> to <code>0</code></p>', 00755 'Page headers already sent' 00756 ); 00757 exit; 00758 } 00759 00760 // make is so ?archivelist without blogname or blogid shows the archivelist 00761 // for the default weblog 00762 if (serverVar('QUERY_STRING') == 'archivelist') { 00763 $archivelist = $CONF['DefaultBlog']; 00764 } 00765 00766 // now decide which type of skin we need 00767 if ($itemid) { 00768 // itemid given -> only show that item 00769 $type = 'item'; 00770 00771 if (!$manager->existsItem($itemid,0,0) ) { 00772 doError(_ERROR_NOSUCHITEM); 00773 } 00774 00775 global $itemidprev, $itemidnext, $catid, $itemtitlenext, $itemtitleprev; 00776 00777 // 1. get timestamp, blogid and catid for item 00778 $query = 'SELECT itime, iblog, icat FROM ' . sql_table('item') . ' WHERE inumber=' . intval($itemid); 00779 $res = sql_query($query); 00780 $obj = mysql_fetch_object($res); 00781 00782 // if a different blog id has been set through the request or selectBlog(), 00783 // deny access 00784 // if ($blogid && (intval($blogid) != $obj->iblog) ) { 00785 // doError(_ERROR_NOSUCHITEM); 00786 // } 00787 if ($blogid && (intval($blogid) != $obj->iblog) ) { 00788 if (!headers_sent()) { 00789 $b =& $manager->getBlog($obj->iblog); 00790 $CONF['ItemURL'] = $b->getURL(); 00791 if ($CONF['URLMode'] == 'pathinfo' and substr($CONF['ItemURL'],-1) == '/') 00792 $CONF['ItemURL'] = substr($CONF['ItemURL'], 0, -1); 00793 $correctURL = createItemLink($itemid, ''); 00794 redirect($correctURL); 00795 exit; 00796 } else { 00797 doError(_ERROR_NOSUCHITEM); 00798 } 00799 } 00800 00801 // if a category has been selected which doesn't match the item, ignore the 00802 // category. #85 00803 if (($catid != 0) && ($catid != $obj->icat) ) { 00804 $catid = 0; 00805 } 00806 00807 $blogid = $obj->iblog; 00808 $timestamp = strtotime($obj->itime); 00809 00810 $b =& $manager->getBlog($blogid); 00811 00812 if ($b->isValidCategory($catid) ) { 00813 $catextra = ' and icat=' . $catid; 00814 } 00815 00816 // get previous itemid and title 00817 $query = 'SELECT inumber, ititle FROM ' . sql_table('item') . ' WHERE itime<' . mysqldate($timestamp) . ' and idraft=0 and iblog=' . $blogid . $catextra . ' ORDER BY itime DESC LIMIT 1'; 00818 $res = sql_query($query); 00819 00820 $obj = mysql_fetch_object($res); 00821 00822 if ($obj) { 00823 $itemidprev = $obj->inumber; 00824 $itemtitleprev = $obj->ititle; 00825 } 00826 00827 // get next itemid and title 00828 $query = 'SELECT inumber, ititle FROM ' . sql_table('item') . ' WHERE itime>' . mysqldate($timestamp) . ' and itime <= ' . mysqldate($b->getCorrectTime()) . ' and idraft=0 and iblog=' . $blogid . $catextra . ' ORDER BY itime ASC LIMIT 1'; 00829 $res = sql_query($query); 00830 00831 $obj = mysql_fetch_object($res); 00832 00833 if ($obj) { 00834 $itemidnext = $obj->inumber; 00835 $itemtitlenext = $obj->ititle; 00836 } 00837 00838 } elseif ($archive) { 00839 // show archive 00840 $type = 'archive'; 00841 00842 // get next and prev month links ... 00843 global $archivenext, $archiveprev, $archivetype, $archivenextexists, $archiveprevexists; 00844 00845 // sql queries for the timestamp of the first and the last published item 00846 $query = "SELECT UNIX_TIMESTAMP(itime) as result FROM ".sql_table('item')." WHERE idraft=0 AND iblog=".(int)($blogid ? $blogid : $CONF['DefaultBlog'])." ORDER BY itime ASC"; 00847 $first_timestamp=quickQuery ($query); 00848 $query = "SELECT UNIX_TIMESTAMP(itime) as result FROM ".sql_table('item')." WHERE idraft=0 AND iblog=".(int)($blogid ? $blogid : $CONF['DefaultBlog'])." ORDER BY itime DESC"; 00849 $last_timestamp=quickQuery ($query); 00850 00851 sscanf($archive, '%d-%d-%d', $y, $m, $d); 00852 00853 if ($d != 0) { 00854 $archivetype = _ARCHIVETYPE_DAY; 00855 $t = mktime(0, 0, 0, $m, $d, $y); 00856 // one day has 24 * 60 * 60 = 86400 seconds 00857 $archiveprev = strftime('%Y-%m-%d', $t - 86400 ); 00858 // check for published items 00859 if ($t > $first_timestamp) { 00860 $archiveprevexists = true; 00861 } 00862 else { 00863 $archiveprevexists = false; 00864 } 00865 00866 // one day later 00867 $t += 86400; 00868 $archivenext = strftime('%Y-%m-%d', $t); 00869 if ($t < $last_timestamp) { 00870 $archivenextexists = true; 00871 } 00872 else { 00873 $archivenextexists = false; 00874 } 00875 00876 } else { 00877 $archivetype = _ARCHIVETYPE_MONTH; 00878 $t = mktime(0, 0, 0, $m, 1, $y); 00879 // one day before is in the previous month 00880 $archiveprev = strftime('%Y-%m', $t - 86400); 00881 if ($t > $first_timestamp) { 00882 $archiveprevexists = true; 00883 } 00884 else { 00885 $archiveprevexists = false; 00886 } 00887 00888 // timestamp for the next month 00889 $t = mktime(0, 0, 0, $m+1, 1, $y); 00890 $archivenext = strftime('%Y-%m', $t); 00891 if ($t < $last_timestamp) { 00892 $archivenextexists = true; 00893 } 00894 else { 00895 $archivenextexists = false; 00896 } 00897 } 00898 00899 } elseif ($archivelist) { 00900 $type = 'archivelist'; 00901 00902 if (is_numeric($archivelist)) { 00903 $blogid = intVal($archivelist); 00904 } else { 00905 $blogid = getBlogIDFromName($archivelist); 00906 } 00907 00908 if (!$blogid) { 00909 doError(_ERROR_NOSUCHBLOG); 00910 } 00911 00912 } elseif ($query) { 00913 global $startpos; 00914 $type = 'search'; 00915 $query = stripslashes($query); 00916 if(preg_match("/^(\xA1{2}|\xe3\x80{2}|\x20)+$/",$query)){ 00917 $type = 'index'; 00918 } 00919 $order = (_CHARSET == 'EUC-JP') ? 'EUC-JP, UTF-8,' : 'UTF-8, EUC-JP,'; 00920 $query = mb_convert_encoding($query, _CHARSET, $order.' JIS, SJIS, ASCII'); 00921 if (is_numeric($blogid)) { 00922 $blogid = intVal($blogid); 00923 } else { 00924 $blogid = getBlogIDFromName($blogid); 00925 } 00926 00927 if (!$blogid) { 00928 doError(_ERROR_NOSUCHBLOG); 00929 } 00930 00931 } elseif ($memberid) { 00932 $type = 'member'; 00933 00934 if (!MEMBER::existsID($memberid) ) { 00935 doError(_ERROR_NOSUCHMEMBER); 00936 } 00937 00938 $memberinfo = $manager->getMember($memberid); 00939 00940 } elseif ($imagepopup) { 00941 // media object (images etc.) 00942 $type = 'imagepopup'; 00943 00944 // TODO: check if media-object exists 00945 // TODO: set some vars? 00946 } else { 00947 // show regular index page 00948 global $startpos; 00949 $type = 'index'; 00950 } 00951 00952 // decide which blog should be displayed 00953 if (!$blogid) { 00954 $blogid = $CONF['DefaultBlog']; 00955 } 00956 00957 $b =& $manager->getBlog($blogid); 00958 $blog = $b; // references can't be placed in global variables? 00959 00960 if (!$blog->isValid) { 00961 doError(_ERROR_NOSUCHBLOG); 00962 } 00963 00964 // set catid if necessary 00965 if ($catid) { 00966 $blog->setSelectedCategory($catid); 00967 } 00968 00969 // decide which skin should be used 00970 if ($skinid != '' && ($skinid == 0) ) { 00971 selectSkin($skinid); 00972 } 00973 00974 if (!$skinid) { 00975 $skinid = $blog->getDefaultSkin(); 00976 } 00977 00978 $special = requestVar('special'); 00979 if (!empty($special) && isValidShortName($special)) { 00980 $type = strtolower($special); 00981 } 00982 00983 $skin = new SKIN($skinid); 00984 00985 if (!$skin->isValid) { 00986 doError(_ERROR_NOSUCHSKIN); 00987 } 00988 00989 // parse the skin 00990 $skin->parse($type); 00991 00992 // check to see we should throw JustPosted event 00993 $blog->checkJustPosted(); 00994 } 00995 00999 function doError($msg, $skin = '') { 01000 global $errormessage, $CONF, $skinid, $blogid, $manager; 01001 01002 if ($skin == '') { 01003 01004 if (SKIN::existsID($skinid) ) { 01005 $skin = new SKIN($skinid); 01006 } elseif ($manager->existsBlogID($blogid) ) { 01007 $blog =& $manager->getBlog($blogid); 01008 $skin = new SKIN($blog->getDefaultSkin() ); 01009 } elseif ($CONF['DefaultBlog']) { 01010 $blog =& $manager->getBlog($CONF['DefaultBlog']); 01011 $skin = new SKIN($blog->getDefaultSkin() ); 01012 } else { 01013 // this statement should actually never be executed 01014 $skin = new SKIN($CONF['BaseSkin']); 01015 } 01016 01017 } 01018 01019 $errormessage = $msg; 01020 $skin->parse('error'); 01021 exit; 01022 } 01023 01024 function getConfig() { 01025 global $CONF; 01026 01027 $query = 'SELECT * FROM ' . sql_table('config'); 01028 $res = sql_query($query); 01029 01030 while ($obj = mysql_fetch_object($res) ) { 01031 $CONF[$obj->name] = $obj->value; 01032 } 01033 } 01034 01035 // some checks for names of blogs, categories, templates, members, ... 01036 function isValidShortName($name) { 01037 return eregi('^[a-z0-9]+$', $name); 01038 } 01039 01040 function isValidDisplayName($name) { 01041 return eregi('^[a-z0-9]+[a-z0-9 ]*[a-z0-9]+$', $name); 01042 } 01043 01044 function isValidCategoryName($name) { 01045 return 1; 01046 } 01047 01048 function isValidTemplateName($name) { 01049 return eregi('^[a-z0-9/]+$', $name); 01050 } 01051 01052 function isValidSkinName($name) { 01053 return eregi('^[a-z0-9/]+$', $name); 01054 } 01055 01056 // add and remove linebreaks 01057 function addBreaks($var) { 01058 return nl2br($var); 01059 } 01060 01061 function removeBreaks($var) { 01062 return preg_replace("/<br \/>([\r\n])/", "$1", $var); 01063 } 01064 01065 // shortens a text string to maxlength ($toadd) is what needs to be added 01066 // at the end (end length is <= $maxlength) 01067 function shorten($text, $maxlength, $toadd) { 01068 // 1. remove entities... 01069 // $trans = get_html_translation_table(HTML_ENTITIES); 01070 $trans = get_html_translation_table(HTML_SPECIALCHARS); // for Japanese 01071 $trans = array_flip($trans); 01072 $text = strtr($text, $trans); 01073 01074 // 2. the actual shortening 01075 if (strlen($text) > $maxlength) 01076 $text = mb_strimwidth($text, 0, $maxlength, $toadd, _CHARSET); 01077 return $text; 01078 } 01079 01084 function mysqldate($timestamp) { 01085 return '"' . date('Y-m-d H:i:s', $timestamp) . '"'; 01086 } 01087 01091 function selectBlog($shortname) { 01092 global $blogid, $archivelist; 01093 $blogid = getBlogIDFromName($shortname); 01094 01095 // also force archivelist variable, if it is set 01096 if ($archivelist) { 01097 $archivelist = $blogid; 01098 } 01099 } 01100 01101 function selectSkin($skinname) { 01102 global $skinid; 01103 $skinid = SKIN::getIdFromName($skinname); 01104 } 01105 01110 function selectCategory($cat) { 01111 global $catid; 01112 if (is_numeric($cat) ) { 01113 $catid = intval($cat); 01114 } else { 01115 $catid = getCatIDFromName($cat); 01116 } 01117 } 01118 01119 function selectItem($id) { 01120 global $itemid; 01121 $itemid = intval($id); 01122 } 01123 01124 // force the use of a language file (warning: can cause warnings) 01125 function selectLanguage($language) { 01126 global $DIR_LANG; 01127 include($DIR_LANG . ereg_replace( '[\\|/]', '', $language) . '.php'); 01128 } 01129 01130 function parseFile($filename, $includeMode = 'normal', $includePrefix = '') { 01131 $handler = new ACTIONS('fileparser'); 01132 $parser = new PARSER(SKIN::getAllowedActionsForType('fileparser'), $handler); 01133 $handler->parser =& $parser; 01134 01135 // set IncludeMode properties of parser 01136 PARSER::setProperty('IncludeMode', $includeMode); 01137 PARSER::setProperty('IncludePrefix', $includePrefix); 01138 01139 if (!file_exists($filename) ) { 01140 doError('A file is missing'); 01141 } 01142 01143 $fsize = filesize($filename); 01144 01145 if ($fsize <= 0) { 01146 return; 01147 } 01148 01149 // read file 01150 $fd = fopen ($filename, 'r'); 01151 $contents = fread ($fd, $fsize); 01152 fclose ($fd); 01153 01154 // parse file contents 01155 $parser->parse($contents); 01156 } 01157 01161 function debug($msg) { 01162 echo '<p><b>' . $msg . "</b></p>\n"; 01163 } 01164 01165 // shortcut 01166 function addToLog($level, $msg) { 01167 ACTIONLOG::add($level, $msg); 01168 } 01169 01170 // shows a link to help file 01171 function help($id) { 01172 echo helpHtml($id); 01173 } 01174 01175 function helpHtml($id) { 01176 return helplink($id) . '<img src="documentation/icon-help.gif" width="15" height="15" alt="' . _HELP_TT . '" /></a>'; 01177 } 01178 01179 function helplink($id) { 01180 return '<a href="documentation/help.html#'. $id . '" onclick="if (event && event.preventDefault) event.preventDefault(); return help(this.href);">'; 01181 } 01182 01183 function getMailFooter() { 01184 $message = "\n\n-----------------------------"; 01185 $message .= "\n Powered by Nucleus CMS"; 01186 $message .= "\n(http://www.nucleuscms.org/)"; 01187 return $message; 01188 } 01189 01197 function getLanguageName() { 01198 global $CONF, $member; 01199 01200 if ($member && $member->isLoggedIn() ) { 01201 // try to use members language 01202 $memlang = $member->getLanguage(); 01203 01204 if (($memlang != '') && (checkLanguage($memlang) ) ) { 01205 return $memlang; 01206 } 01207 } 01208 01209 // use default language 01210 if (checkLanguage($CONF['Language']) ) { 01211 return $CONF['Language']; 01212 } else { 01213 return 'english'; 01214 } 01215 } 01216 01220 function includephp($filename) { 01221 // make predefined variables global, so most simple scripts can be used here 01222 01223 // apache (names taken from PHP doc) 01224 global $GATEWAY_INTERFACE, $SERVER_NAME, $SERVER_SOFTWARE, $SERVER_PROTOCOL; 01225 global $REQUEST_METHOD, $QUERY_STRING, $DOCUMENT_ROOT, $HTTP_ACCEPT; 01226 global $HTTP_ACCEPT_CHARSET, $HTTP_ACCEPT_ENCODING, $HTTP_ACCEPT_LANGUAGE; 01227 global $HTTP_CONNECTION, $HTTP_HOST, $HTTP_REFERER, $HTTP_USER_AGENT; 01228 global $REMOTE_ADDR, $REMOTE_PORT, $SCRIPT_FILENAME, $SERVER_ADMIN; 01229 global $SERVER_PORT, $SERVER_SIGNATURE, $PATH_TRANSLATED, $SCRIPT_NAME; 01230 global $REQUEST_URI; 01231 01232 // php (taken from PHP doc) 01233 global $argv, $argc, $PHP_SELF, $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS; 01234 global $HTTP_POST_FILES, $HTTP_ENV_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS; 01235 01236 // other 01237 global $PATH_INFO, $HTTPS, $HTTP_RAW_POST_DATA, $HTTP_X_FORWARDED_FOR; 01238 01239 if (@file_exists($filename) ) { 01240 include($filename); 01241 } 01242 } 01243 01247 function checkLanguage($lang) { 01248 global $DIR_LANG ; 01249 return file_exists($DIR_LANG . ereg_replace( '[\\|/]', '', $lang) . '.php'); 01250 } 01251 01252 function checkPlugin($plug) { 01253 global $DIR_PLUGINS; 01254 return file_exists($DIR_PLUGINS . ereg_replace( '[\\|/]', '', $plug) . '.php'); 01255 } 01256 01260 function createItemLink($itemid, $extra = '') { 01261 return createLink('item', array('itemid' => $itemid, 'extra' => $extra) ); 01262 } 01263 01264 function createMemberLink($memberid, $extra = '') { 01265 return createLink('member', array('memberid' => $memberid, 'extra' => $extra) ); 01266 } 01267 01268 function createCategoryLink($catid, $extra = '') { 01269 return createLink('category', array('catid' => $catid, 'extra' => $extra) ); 01270 } 01271 01272 function createArchiveListLink($blogid = '', $extra = '') { 01273 return createLink('archivelist', array('blogid' => $blogid, 'extra' => $extra) ); 01274 } 01275 01276 function createArchiveLink($blogid, $archive, $extra = '') { 01277 return createLink('archive', array('blogid' => $blogid, 'archive' => $archive, 'extra' => $extra) ); 01278 } 01279 01280 function createBlogidLink($blogid, $params = '') { 01281 return createLink('blog', array('blogid' => $blogid, 'extra' => $params) ); 01282 } 01283 01284 function createLink($type, $params) { 01285 global $manager, $CONF; 01286 01287 $generatedURL = ''; 01288 $usePathInfo = ($CONF['URLMode'] == 'pathinfo'); 01289 01290 // ask plugins first 01291 $created = false; 01292 01293 if ($usePathInfo) { 01294 $manager->notify( 01295 'GenerateURL', 01296 array( 01297 'type' => $type, 01298 'params' => $params, 01299 'completed' => &$created, 01300 'url' => &$url 01301 ) 01302 ); 01303 } 01304 01305 // if a plugin created the URL, return it 01306 if ($created) { 01307 return $url; 01308 } 01309 01310 // default implementation 01311 switch ($type) { 01312 case 'item': 01313 if ($usePathInfo) { 01314 $url = $CONF['ItemURL'] . '/' . $CONF['ItemKey'] . '/' . $params['itemid']; 01315 } else { 01316 $url = $CONF['ItemURL'] . '?itemid=' . $params['itemid']; 01317 } 01318 break; 01319 01320 case 'member': 01321 if ($usePathInfo) { 01322 $url = $CONF['MemberURL'] . '/' . $CONF['MemberKey'] . '/' . $params['memberid']; 01323 } else { 01324 $url = $CONF['MemberURL'] . '?memberid=' . $params['memberid']; 01325 } 01326 break; 01327 01328 case 'category': 01329 if ($usePathInfo) { 01330 $url = $CONF['CategoryURL'] . '/' . $CONF['CategoryKey'] . '/' . $params['catid']; 01331 } else { 01332 $url = $CONF['CategoryURL'] . '?catid=' . $params['catid']; 01333 } 01334 break; 01335 01336 case 'archivelist': 01337 if (!$params['blogid']) { 01338 $params['blogid'] = $CONF['DefaultBlog']; 01339 } 01340 01341 if ($usePathInfo) { 01342 $url = $CONF['ArchiveListURL'] . '/' . $CONF['ArchivesKey'] . '/' . $params['blogid']; 01343 } else { 01344 $url = $CONF['ArchiveListURL'] . '?archivelist=' . $params['blogid']; 01345 } 01346 break; 01347 01348 case 'archive': 01349 if ($usePathInfo) { 01350 $url = $CONF['ArchiveURL'] . '/' . $CONF['ArchiveKey'] . '/'.$params['blogid'].'/' . $params['archive']; 01351 } else { 01352 $url = $CONF['ArchiveURL'] . '?blogid='.$params['blogid'].'&archive=' . $params['archive']; 01353 } 01354 break; 01355 01356 case 'blog': 01357 if ($usePathInfo) { 01358 $url = $CONF['BlogURL'] . '/' . $CONF['BlogKey'] . '/' . $params['blogid']; 01359 } else { 01360 $url = $CONF['BlogURL'] . '?blogid=' . $params['blogid']; 01361 } 01362 break; 01363 } 01364 01365 return addLinkParams($url, (isset($params['extra'])? $params['extra'] : null)); 01366 } 01367 01368 function createBlogLink($url, $params) { 01369 global $CONF; 01370 if ($CONF['URLMode'] == 'normal') { 01371 if (strpos($url, '?') === FALSE && is_array($params)) { 01372 $fParam = reset($params); 01373 $fKey = key($params); 01374 array_shift($params); 01375 $url .= '?' . $fKey . '=' . $fParam; 01376 } 01377 } elseif ($CONF['URLMode'] == 'pathinfo' && substr($url, -1) == '/') { 01378 $url = substr($url, 0, -1); 01379 } 01380 return addLinkParams($url, $params); 01381 } 01382 01383 function addLinkParams($link, $params) { 01384 global $CONF; 01385 01386 if (is_array($params) ) { 01387 01388 if ($CONF['URLMode'] == 'pathinfo') { 01389 01390 foreach ($params as $param => $value) { 01391 $link .= '/' . $param . '/' . urlencode($value); 01392 } 01393 01394 } else { 01395 01396 foreach ($params as $param => $value) { 01397 $link .= '&' . $param . '=' . urlencode($value); 01398 } 01399 01400 } 01401 } 01402 01403 return $link; 01404 } 01405 01416 function alterQueryStr($querystr, $param, $value) { 01417 $vars = explode('&', $querystr); 01418 $set = false; 01419 01420 for ($i = 0; $i < count($vars); $i++) { 01421 $v = explode('=', $vars[$i]); 01422 01423 if ($v[0] == $param) { 01424 $v[1] = $value; 01425 $vars[$i] = implode('=', $v); 01426 $set = true; 01427 break; 01428 } 01429 } 01430 01431 if (!$set) { 01432 $vars[] = $param . '=' . $value; 01433 } 01434 01435 return ltrim(implode('&', $vars), '&'); 01436 } 01437 01438 // passes one variable as hidden input field (multiple fields for arrays) 01439 // @see passRequestVars in varsx.x.x.php 01440 function passVar($key, $value) { 01441 // array ? 01442 if (is_array($value) ) { 01443 for ($i = 0; $i < sizeof($value); $i++) { 01444 passVar($key . '[' . $i . ']', $value[$i]); 01445 } 01446 01447 return; 01448 } 01449 01450 // other values: do stripslashes if needed 01451 ?><input type="hidden" name="<?php echo htmlspecialchars($key)?>" value="<?php echo htmlspecialchars(undoMagic($value) )?>" /><?php 01452 } 01453 01454 /* 01455 Date format functions (to be used from [%date(..)%] skinvars 01456 */ 01457 function formatDate($format, $timestamp, $defaultFormat, &$blog) { 01458 // apply blog offset (#42) 01459 $boffset = $blog ? $blog->getTimeOffset() * 3600 : 0; 01460 $offset = date('Z', $timestamp) + $boffset; 01461 01462 switch ($format) { 01463 case 'rfc822': 01464 if ($offset >= 0) { 01465 $tz = '+'; 01466 } else { 01467 $tz = '-'; 01468 $offset = -$offset; 01469 } 01470 01471 $tz .= sprintf("%02d%02d", floor($offset / 3600), round(($offset % 3600) / 60) ); 01472 return date('D, j M Y H:i:s ', $timestamp) . $tz; 01473 01474 case 'rfc822GMT': 01475 $timestamp -= $offset; 01476 return date('D, j M Y H:i:s ', $timestamp) . 'GMT'; 01477 01478 case 'utc': 01479 $timestamp -= $offset; 01480 return date('Y-m-d\TH:i:s\Z', $timestamp); 01481 01482 case 'iso8601': 01483 if ($offset >= 0) { 01484 $tz = '+'; 01485 } else { 01486 $tz = '-'; 01487 $offset = -$offset; 01488 } 01489 01490 $tz .= sprintf("%02d:%02d", floor($offset / 3600), round(($offset % 3600) / 60) ); 01491 return date('Y-m-d\TH:i:s', $timestamp) . $tz; 01492 01493 default : 01494 return strftime($format ? $format : $defaultFormat, $timestamp); 01495 } 01496 } 01497 01498 function checkVars($aVars) { 01499 global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS; 01500 01501 foreach ($aVars as $varName) { 01502 01503 if (phpversion() >= '4.1.0') { 01504 01505 if ( isset($_GET[$varName]) 01506 || isset($_POST[$varName]) 01507 || isset($_COOKIE[$varName]) 01508 || isset($_ENV[$varName]) 01509 || isset($_SESSION[$varName]) 01510 || isset($_FILES[$varName]) 01511 ) { 01512 die('Sorry. An error occurred.'); 01513 } 01514 01515 } else { 01516 01517 if ( isset($HTTP_GET_VARS[$varName]) 01518 || isset($HTTP_POST_VARS[$varName]) 01519 || isset($HTTP_COOKIE_VARS[$varName]) 01520 || isset($HTTP_ENV_VARS[$varName]) 01521 || isset($HTTP_SESSION_VARS[$varName]) 01522 || isset($HTTP_POST_FILES[$varName]) 01523 ) { 01524 die('Sorry. An error occurred.'); 01525 } 01526 01527 } 01528 } 01529 } 01530 01531 01536 function sanitizeParams() 01537 { 01538 global $HTTP_SERVER_VARS; 01539 01540 $array = array(); 01541 $str = ''; 01542 $frontParam = ''; 01543 01544 // REQUEST_URI of $HTTP_SERVER_VARS 01545 $str =& $HTTP_SERVER_VARS["REQUEST_URI"]; 01546 serverStringToArray($str, $array, $frontParam); 01547 sanitizeArray($array); 01548 arrayToServerString($array, $frontParam, $str); 01549 01550 // QUERY_STRING of $HTTP_SERVER_VARS 01551 $str =& $HTTP_SERVER_VARS["QUERY_STRING"]; 01552 serverStringToArray($str, $array, $frontParam); 01553 sanitizeArray($array); 01554 arrayToServerString($array, $frontParam, $str); 01555 01556 if (phpversion() >= '4.1.0') { 01557 // REQUEST_URI of $_SERVER 01558 $str =& $_SERVER["REQUEST_URI"]; 01559 serverStringToArray($str, $array, $frontParam); 01560 sanitizeArray($array); 01561 arrayToServerString($array, $frontParam, $str); 01562 01563 // QUERY_STRING of $_SERVER 01564 $str =& $_SERVER["QUERY_STRING"]; 01565 serverStringToArray($str, $array, $frontParam); 01566 sanitizeArray($array); 01567 arrayToServerString($array, $frontParam, $str); 01568 } 01569 01570 // $_GET 01571 convArrayForSanitizing($_GET, $array); 01572 sanitizeArray($array); 01573 revertArrayForSanitizing($array, $_GET); 01574 01575 // $_REQUEST (only GET param) 01576 convArrayForSanitizing($_REQUEST, $array); 01577 sanitizeArray($array); 01578 revertArrayForSanitizing($array, $_REQUEST); 01579 } 01580 01586 function ticketForPlugin(){ 01587 global $CONF,$DIR_PLUGINS,$member,$ticketforplugin; 01588 01589 /* initialize */ 01590 $ticketforplugin=array(); 01591 $ticketforplugin['ticket']=false; 01592 01593 /* Check if using plugin's php file. */ 01594 if ($p_translated=serverVar('PATH_TRANSLATED')) { 01595 if (!file_exists($p_translated)) $p_translated=''; 01596 } 01597 if (!$p_translated) { 01598 $p_translated=serverVar('SCRIPT_FILENAME'); 01599 if (!file_exists($p_translated)) { 01600 header("HTTP/1.0 404 Not Found"); 01601 exit(''); 01602 } 01603 } 01604 $p_translated=str_replace('\\','/',$p_translated); 01605 $d_plugins=str_replace('\\','/',$DIR_PLUGINS); 01606 if (strpos($p_translated,$d_plugins)!==0) return;// This isn't plugin php file. 01607 01608 /* Solve the plugin php file or admin directory */ 01609 $phppath=substr($p_translated,strlen($d_plugins)); 01610 $phppath=preg_replace('!^/!','',$phppath);// Remove the first "/" if exists. 01611 $path=preg_replace('/^NP_(.*)\.php$/','$1',$phppath); // Remove the first "NP_" and the last ".php" if exists. 01612 $path=preg_replace('!^([^/]*)/(.*)$!','$1',$path); // Remove the "/" and beyond. 01613 01614 /* Solve the plugin name. */ 01615 $plugins=array(); 01616 $query='SELECT pfile FROM '.sql_table('plugin'); 01617 $res=sql_query($query); 01618 while($row=mysql_fetch_row($res)) { 01619 $name=substr($row[0],3); 01620 $plugins[strtolower($name)]=$name; 01621 } 01622 mysql_free_result($res); 01623 if ($plugins[$path]) $plugin_name=$plugins[$path]; 01624 else if (in_array($path,$plugins)) $plugin_name=$path; 01625 else { 01626 header("HTTP/1.0 404 Not Found"); 01627 exit(''); 01628 } 01629 01630 /* Return if not index.php */ 01631 if ( $phppath!=strtolower($plugin_name).'/' 01632 && $phppath!=strtolower($plugin_name).'/index.php' ) return; 01633 01634 /* Exit if not logged in. */ 01635 if ( !$member->isLoggedIn() ) exit("You aren't logged in."); 01636 01637 global $manager,$DIR_LIBS,$DIR_LANG,$HTTP_GET_VARS,$HTTP_POST_VARS; 01638 01639 /* Check if this feature is needed (ie, if "$manager->checkTicket()" is not included in the script). */ 01640 if (!($p_translated=serverVar('PATH_TRANSLATED'))) $p_translated=serverVar('SCRIPT_FILENAME'); 01641 if ($file=@file($p_translated)) { 01642 $prevline=''; 01643 foreach($file as $line) { 01644 if (preg_match('/[\$]manager([\s]*)[\-]>([\s]*)checkTicket([\s]*)[\(]/i',$prevline.$line)) return; 01645 $prevline=$line; 01646 } 01647 } 01648 01649 /* Show a form if not valid ticket */ 01650 if ( ( strstr(serverVar('REQUEST_URI'),'?') || serverVar('QUERY_STRING') 01651 || strtoupper(serverVar('REQUEST_METHOD'))=='POST' ) 01652 && (!$manager->checkTicket()) ){ 01653 01654 if (!class_exists('PluginAdmin')) { 01655 $language = getLanguageName(); 01656 include($DIR_LANG . ereg_replace( '[\\|/]', '', $language) . '.php'); 01657 include($DIR_LIBS . 'PLUGINADMIN.php'); 01658 } 01659 if (!(function_exists('mb_strimwidth') || extension_loaded('mbstring'))) { 01660 if (file_exists($DIR_LIBS.'mb_emulator/mb-emulator.php')) { 01661 global $mbemu_internals; 01662 include_once($DIR_LIBS.'mb_emulator/mb-emulator.php'); 01663 } 01664 } 01665 $oPluginAdmin = new PluginAdmin($plugin_name); 01666 $oPluginAdmin->start(); 01667 echo '<p>' . _ERROR_BADTICKET . "</p>\n"; 01668 01669 /* Show the form to confirm action */ 01670 // PHP 4.0.x support 01671 $get= (isset($_GET)) ? $_GET : $HTTP_GET_VARS; 01672 $post= (isset($_POST)) ? $_POST : $HTTP_POST_VARS; 01673 // Resolve URI and QUERY_STRING 01674 if ($uri=serverVar('REQUEST_URI')) { 01675 list($uri,$qstring)=explode('?',$uri); 01676 } else { 01677 if ( !($uri=serverVar('PHP_SELF')) ) $uri=serverVar('SCRIPT_NAME'); 01678 $qstring=serverVar('QUERY_STRING'); 01679 } 01680 if ($qstring) $qstring='?'.$qstring; 01681 echo '<p>'._SETTINGS_UPDATE.' : '._QMENU_PLUGINS.' <span style="color:red;">'. 01682 htmlspecialchars($plugin_name)."</span> ?</p>\n"; 01683 switch(strtoupper(serverVar('REQUEST_METHOD'))){ 01684 case 'POST': 01685 echo '<form method="POST" action="'.htmlspecialchars($uri.$qstring).'">'; 01686 $manager->addTicketHidden(); 01687 _addInputTags($post); 01688 break; 01689 case 'GET': 01690 echo '<form method="GET" action="'.htmlspecialchars($uri).'">'; 01691 $manager->addTicketHidden(); 01692 _addInputTags($get); 01693 default: 01694 break; 01695 } 01696 echo '<input type="submit" value="'._YES.'" /> '; 01697 echo '<input type="button" value="'._NO.'" onclick="history.back(); return false;" />'; 01698 echo "</form>\n"; 01699 01700 $oPluginAdmin->end(); 01701 exit; 01702 } 01703 01704 /* Create new ticket */ 01705 $ticket=$manager->addTicketToUrl(''); 01706 $ticketforplugin['ticket']=substr($ticket,strpos($ticket,'ticket=')+7); 01707 } 01708 function _addInputTags(&$keys,$prefix=''){ 01709 foreach($keys as $key=>$value){ 01710 if ($prefix) $key=$prefix.'['.$key.']'; 01711 if (is_array($value)) _addInputTags($value,$key); 01712 else { 01713 if (get_magic_quotes_gpc()) $value=stripslashes($value); 01714 if ($key=='ticket') continue; 01715 echo '<input type="hidden" name="'.htmlspecialchars($key). 01716 '" value="'.htmlspecialchars($value).'" />'."\n"; 01717 } 01718 } 01719 } 01720 01725 function serverStringToArray($str, &$array, &$frontParam) 01726 { 01727 // init param 01728 $array = array(); 01729 $fronParam = ""; 01730 01731 // split front param, e.g. /index.php, and others, e.g. blogid=1&page=2 01732 if (strstr($str, "?")){ 01733 list($frontParam, $args) = preg_split("/\?/", $str, 2); 01734 } 01735 else { 01736 $args = $str; 01737 $frontParam = ""; 01738 } 01739 01740 // If there is no args like blogid=1&page=2, return 01741 if (!strstr($str, "=") && !strlen($frontParam)) { 01742 $frontParam = $str; 01743 return; 01744 } 01745 01746 $array = explode("&", $args); 01747 } 01748 01753 function arrayToServerString($array, $frontParam, &$str) 01754 { 01755 if (strstr($str, "?")) { 01756 $str = $frontParam . "?"; 01757 } else { 01758 $str = $frontParam; 01759 } 01760 if (count($array)) { 01761 $str .= implode("&", $array); 01762 } 01763 } 01764 01771 function sanitizeArray(&$array) 01772 { 01773 $excludeListForSanitization = array('query'); 01774 // $excludeListForSanitization = array(); 01775 01776 foreach ($array as $k => $v) { 01777 01778 // split to key and value 01779 list($key, $val) = preg_split("/=/", $v, 2); 01780 if (!isset($val)) { 01781 continue; 01782 } 01783 01784 // when magic quotes is on, need to use stripslashes, 01785 // and then addslashes 01786 if (get_magic_quotes_gpc()) { 01787 $val = stripslashes($val); 01788 } 01789 $val = addslashes($val); 01790 01791 // if $key is included in exclude list, skip this param 01792 if (!in_array($key, $excludeListForSanitization)) { 01793 01794 // check value 01795 @list($val, $tmp) = explode('\\', $val); 01796 01797 // remove control code etc. 01798 $val = strtr($val, "\0\r\n<>'\"", " "); 01799 01800 // check key 01801 if (preg_match('/\"/i', $key)) { 01802 unset($array[$k]); 01803 continue; 01804 } 01805 01806 // set sanitized info 01807 $array[$k] = sprintf("%s=%s", $key, $val); 01808 } 01809 } 01810 } 01811 01815 function convArrayForSanitizing($src, &$array) 01816 { 01817 $array = array(); 01818 foreach ($src as $key => $val) { 01819 if (key_exists($key, $_GET)) { 01820 array_push($array, sprintf("%s=%s", $key, $val)); 01821 } 01822 } 01823 } 01824 01828 function revertArrayForSanitizing($array, &$dst) 01829 { 01830 foreach ($array as $v) { 01831 list($key, $val) = preg_split("/=/", $v, 2); 01832 $dst[$key] = $val; 01833 } 01834 } 01835 01841 function redirect($url) { 01842 $url = preg_replace('|[^a-z0-9-~+_.?#=&;,/:@%]|i', '', $url); 01843 header('Location: ' . $url); 01844 exit; 01845 } 01846 01853 function stringStripTags ($string) { 01854 $string = preg_replace("/<del[^>]*>.+<\/del[^>]*>/isU", '', $string); 01855 $string = preg_replace("/<script[^>]*>.+<\/script[^>]*>/isU", '', $string); 01856 $string = preg_replace("/<style[^>]*>.+<\/style[^>]*>/isU", '', $string); 01857 $string = str_replace('>', '> ', $string); 01858 $string = str_replace('<', ' <', $string); 01859 $string = strip_tags($string); 01860 $string = preg_replace("/\s+/", " ", $string); 01861 $string = trim($string); 01862 return $string; 01863 } 01864 01869 function stringToAttribute ($string) { 01870 $string = stringStripTags($string); 01871 $string = entity::named_to_numeric($string); 01872 $string = entity::normalize_numeric($string); 01873 01874 if (_CHARSET == 'UTF-8') { 01875 $string = entity::numeric_to_utf8($string); 01876 } 01877 01878 $string = entity::specialchars($string, 'html'); 01879 $string = entity::numeric_to_named($string); 01880 return $string; 01881 } 01882 01888 function stringToXML ($string) { 01889 $string = stringStripTags($string); 01890 $string = entity::named_to_numeric($string); 01891 $string = entity::normalize_numeric($string); 01892 01893 if (_CHARSET == 'UTF-8') { 01894 $string = entity::numeric_to_utf8($string); 01895 } 01896 01897 $string = entity::specialchars($string, 'xml'); 01898 return $string; 01899 } 01900 01901 // START: functions from the end of file BLOG.php 01902 // used for mail notification (html -> text) 01903 function toAscii($html) { 01904 // strip off most tags 01905 $html = strip_tags($html,'<a>'); 01906 $to_replace = "/<a[^>]*href=[\"\']([^\"^']*)[\"\'][^>]*>([^<]*)<\/a>/i"; 01907 _links_init(); 01908 $ascii = preg_replace_callback ($to_replace, '_links_add', $html); 01909 $ascii .= "\n\n" . _links_list(); 01910 return strip_tags($ascii); 01911 } 01912 01913 function _links_init() { 01914 global $tmp_links; 01915 $tmp_links = array(); 01916 } 01917 01918 function _links_add($match) { 01919 global $tmp_links; 01920 array_push($tmp_links, $match[1]); 01921 return $match[2] . ' [' . sizeof($tmp_links) .']'; 01922 } 01923 01924 function _links_list() { 01925 global $tmp_links; 01926 $output = ''; 01927 $i = 1; 01928 foreach ($tmp_links as $current) { 01929 $output .= "[$i] $current\n"; 01930 $i++; 01931 } 01932 return $output; 01933 } 01934 // END: functions from the end of file BLOG.php 01935 01936 // START: functions from the end of file ADMIN.php 01940 function encode_desc(&$data) 01941 { //_$to_entities = get_html_translation_table(HTML_ENTITIES); 01942 $to_entities = get_html_translation_table(HTML_SPECIALCHARS); 01943 $from_entities = array_flip($to_entities); 01944 $data = str_replace('<br />','\n',$data); //hack 01945 $data = strtr($data,$from_entities); 01946 $data = strtr($data,$to_entities); 01947 $data = str_replace('\n','<br />',$data); //hack 01948 return $data; 01949 } 01950 01956 function getBookmarklet($blogid) { 01957 global $CONF; 01958 01959 // normal 01960 $document = 'document'; 01961 $bookmarkletline = "javascript:Q='';x=".$document.";y=window;if(x.selection){Q=x.selection.createRange().text;}else if(y.getSelection){Q=y.getSelection();}else if(x.getSelection){Q=x.getSelection();}wingm=window.open('"; 01962 $bookmarkletline .= $CONF['AdminURL'] . "bookmarklet.php?blogid=$blogid"; 01963 $bookmarkletline .="&logtext='+escape(Q)+'&loglink='+escape(x.location.href)+'&loglinktitle='+escape(x.title),'nucleusbm','scrollbars=yes,width=600,height=550,left=10,top=10,status=yes,resizable=yes');wingm.focus();"; 01964 01965 return $bookmarkletline; 01966 } 01967 // END: functions from the end of file ADMIN.php 01968 01975 function ifset(&$var) { 01976 if (isset($var)) { 01977 return $var; 01978 } 01979 01980 return null; 01981 } 01982 01989 function numberOfEventSubscriber($event) { 01990 $query = 'SELECT COUNT(*) as count FROM ' . sql_table('plugin_event') . ' WHERE event=\'' . $event . '\''; 01991 $res = sql_query($query); 01992 $obj = mysql_fetch_object($res); 01993 return $obj->count; 01994 } 01995 01996 ?>
1.5.5