0 )
{
$nucleus['version'] .= '/' . getNucleusPatchLevel();
}
/* Avoid notices */
if ( !isset($CONF['installscript']) )
{
$CONF['installscript'] = 0;
}
/* we will use postVar, getVar, ... methods instead of $_GET, $_POST ...*/
if ( $CONF['installscript'] != 1 )
{
/* vars were already included in install.php */
include_once($DIR_LIBS . 'vars4.1.0.php');
}
/* sanitize option */
$bLoggingSanitizedResult=0;
$bSanitizeAndContinue=0;
$orgRequestURI = serverVar('REQUEST_URI');
sanitizeParams();
/* get all variables that can come from the request and put them in the global scope */
$blogid = requestVar('blogid');
$itemid = intRequestVar('itemid');
$catid = intRequestVar('catid');
$skinid = requestVar('skinid');
$memberid = requestVar('memberid');
$archivelist = requestVar('archivelist');
$imagepopup = requestVar('imagepopup');
$archive = requestVar('archive');
$query = requestVar('query');
$highlight = requestVar('highlight');
$amount = requestVar('amount');
$action = requestVar('action');
$nextaction = requestVar('nextaction');
$maxresults = requestVar('maxresults');
$startpos = intRequestVar('startpos');
$errormessage = '';
$error = '';
$special = requestVar('special');
$virtualpath = ((getVar('virtualpath') != null) ? getVar('virtualpath') : serverVar('PATH_INFO'));
if ( !headers_sent() )
{
header('Generator: Nucleus CMS ' . $nucleus['version']);
}
/*
* NOTE: Since 4.0 release, Entity class becomes to be important class
* with some wrapper functions for htmlspechalchars/htmlentity PHP's built-in function
*/
include($DIR_LIBS . 'ENTITY.php');
/* include core classes that are needed for login & plugin handling */
include_once($DIR_LIBS . 'mysql.php');
/* added for 3.5 sql_* wrapper */
global $MYSQL_HANDLER;
if ( !isset($MYSQL_HANDLER) )
{
$MYSQL_HANDLER = array('mysql','');
}
if ( $MYSQL_HANDLER[0] == '' )
{
$MYSQL_HANDLER[0] = 'mysql';
}
include_once($DIR_LIBS . 'sql/'.$MYSQL_HANDLER[0].'.php');
/* end new for 3.5 sql_* wrapper */
include($DIR_LIBS . 'MEMBER.php');
include($DIR_LIBS . 'ACTIONLOG.php');
include($DIR_LIBS . 'MANAGER.php');
include($DIR_LIBS . 'PLUGIN.php');
$manager =& Manager::instance();
/*
* make sure there's no unnecessary escaping:
* set_magic_quotes_runtime(0);
*/
if ( version_compare(PHP_VERSION, '5.3.0', '<') )
{
ini_set('magic_quotes_runtime', '0');
}
/* Avoid notices */
if ( !array_key_exists('UsingAdminArea', $CONF) )
{
$CONF['UsingAdminArea'] = 0;
}
/* only needed when updating logs */
if ( $CONF['UsingAdminArea'] )
{
/* XML-RPC client classes */
include($DIR_LIBS . 'xmlrpc.inc.php');
include_once($DIR_LIBS . 'ADMIN.php');
}
/* connect to database */
sql_connect();
$SQLCount = 0;
/* logs sanitized result if need */
if ( $orgRequestURI!==serverVar('REQUEST_URI') )
{
$msg = "Sanitized [" . serverVar('REMOTE_ADDR') . "] ";
$msg .= $orgRequestURI . " -> " . serverVar('REQUEST_URI');
if ( $bLoggingSanitizedResult )
{
addToLog(WARNING, $msg);
}
if ( !$bSanitizeAndContinue )
{
die("");
}
}
/* makes sure database connection gets closed on script termination */
register_shutdown_function('sql_disconnect');
/* read config */
getConfig();
/*
* FIXME: This is for backward compatibility, should be obsoleted near future.
*/
if ( !preg_match('#^(.+)_(.+)_(.+)$#', $CONF['Locale'])
&& ($CONF['Locale'] = i18n::convert_old_language_file_name_to_locale($CONF['Locale'])) === FALSE )
{
$CONF['Locale'] = 'en_Latn_US';
}
if ( !array_key_exists('Language', $CONF) )
{
$CONF['Language'] = i18n::convert_locale_to_old_language_file_name($CONF['Locale']);
}
$locale = $CONF['Locale'];
/* Properly set $CONF['Self'] and others if it's not set...
* usually when we are access from admin menu
*/
if ( !array_key_exists('Self', $CONF) )
{
$CONF['Self'] = $CONF['IndexURL'];
/* strip trailing */
if ( $CONF['Self'][i18n::strlen($CONF['Self']) -1] == "/" )
{
$CONF['Self'] = i18n::substr($CONF['Self'], 0, i18n::strlen($CONF['Self']) -1);
}
}
$CONF['ItemURL'] = $CONF['Self'];
$CONF['ArchiveURL'] = $CONF['Self'];
$CONF['ArchiveListURL'] = $CONF['Self'];
$CONF['MemberURL'] = $CONF['Self'];
$CONF['SearchURL'] = $CONF['Self'];
$CONF['BlogURL'] = $CONF['Self'];
$CONF['CategoryURL'] = $CONF['Self'];
/*
*switch URLMode back to normal when $CONF['Self'] ends in .php
* this avoids urls like index.php/item/13/index.php/item/15
*/
if ( !array_key_exists('URLMode', $CONF)
|| (($CONF['URLMode'] == 'pathinfo')
&& (i18n::substr($CONF['Self'], i18n::strlen($CONF['Self']) - 4) == '.php')) )
{
$CONF['URLMode'] = 'normal';
}
/* automatically use simpler toolbar for mozilla */
if ( ($CONF['DisableJsTools'] == 0)
&& strstr(serverVar('HTTP_USER_AGENT'), 'Mozilla/5.0')
&& strstr(serverVar('HTTP_USER_AGENT'), 'Gecko') )
{
$CONF['DisableJsTools'] = 2;
}
$member = new Member();
if ( $action == 'login' )
{
$login = postVar('login');
$password = postVar('password');
$shared = intPostVar('shared');
$member->login($login, $password, $shared);
}
elseif ( ($action == 'logout') )
{
$member->logout();
}
else
{
$member->cookielogin();
}
/* NOTE: include translation file and set locale */
if ( $member->isLoggedIn() && $member->getLocale())
{
$locale = $member->getLocale();
}
include_translation($locale);
i18n::set_current_locale($locale);
/* login completed */
$manager->notify('PostAuthentication', array('loggedIn' => $member->isLoggedIn() ) );
/* next action */
if ( $member->isLoggedIn() && $nextaction )
{
$action = $nextaction;
}
/*
* Release ticket for plugin
*/
ticketForPlugin();
/* first, let's see if the site is disabled or not. always allow admin area access. */
if ( $CONF['DisableSite'] && !$member->isAdmin() && !$CONF['UsingAdminArea'] )
{
redirect($CONF['DisableSiteURL']);
exit;
}
/* load other classes */
include($DIR_LIBS . 'PARSER.php');
include($DIR_LIBS . 'SKIN.php');
include($DIR_LIBS . 'TEMPLATE.php');
include($DIR_LIBS . 'BLOG.php');
include($DIR_LIBS . 'BODYACTIONS.php');
include($DIR_LIBS . 'COMMENTS.php');
include($DIR_LIBS . 'COMMENT.php');
/* include($DIR_LIBS . 'ITEM.php'); */
include($DIR_LIBS . 'NOTIFICATION.php');
include($DIR_LIBS . 'BAN.php');
include($DIR_LIBS . 'PAGEFACTORY.php');
include($DIR_LIBS . 'SEARCH.php');
include($DIR_LIBS . 'LINK.php');
/* set lastVisit cookie (if allowed) */
if ( !headers_sent() )
{
if ( $CONF['LastVisit'] )
{
setcookie($CONF['CookiePrefix'] . 'lastVisit', time(), time() + 2592000, $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']);
}
else
{
setcookie($CONF['CookiePrefix'] . 'lastVisit', '', (time() - 2592000), $CONF['CookiePath'], $CONF['CookieDomain'], $CONF['CookieSecure']);
}
}
if ( !defined('_ARCHIVETYPE_MONTH') )
{
define('_ARCHIVETYPE_DAY', 'day');
define('_ARCHIVETYPE_MONTH', 'month');
define('_ARCHIVETYPE_YEAR', 'year');
}
/* decode path_info */
if ( $CONF['URLMode'] == 'pathinfo' )
{
/* initialize keywords if this hasn't been done before */
if ( !isset($CONF['ItemKey']) || $CONF['ItemKey'] == '' )
{
$CONF['ItemKey'] = 'item';
}
if ( !isset($CONF['ArchiveKey']) || $CONF['ArchiveKey'] == '' )
{
$CONF['ArchiveKey'] = 'archive';
}
if ( !isset($CONF['ArchivesKey']) || $CONF['ArchivesKey'] == '' )
{
$CONF['ArchivesKey'] = 'archives';
}
if ( !isset($CONF['MemberKey']) || $CONF['MemberKey'] == '' )
{
$CONF['MemberKey'] = 'member';
}
if ( !isset($CONF['BlogKey']) || $CONF['BlogKey'] == '' )
{
$CONF['BlogKey'] = 'blog';
}
if ( !isset($CONF['CategoryKey']) || $CONF['CategoryKey'] == '' )
{
$CONF['CategoryKey'] = 'category';
}
if ( !isset($CONF['SpecialskinKey']) || $CONF['SpecialskinKey'] == '' )
{
$CONF['SpecialskinKey'] = 'special';
}
$parsed = false;
$manager->notify(
'ParseURL',
array(
/* e.g. item, blog, ... */
'type' => basename(serverVar('SCRIPT_NAME') ),
'info' => $virtualpath,
'complete' => &$parsed
)
);
if ( !$parsed )
{
/* default implementation */
$data = preg_split("#/#", $virtualpath );
for ( $i = 0; $i < sizeof($data); $i++ )
{
switch ( $data[$i] )
{
/* item/1 (blogid) */
case $CONF['ItemKey']:
$i++;
if ( $i < sizeof($data) )
{
$itemid = intval($data[$i]);
}
break;
/* archives/1 (blogid) */
case $CONF['ArchivesKey']:
$i++;
if ( $i < sizeof($data) )
{
$archivelist = intval($data[$i]);
}
break;
/* two possibilities: archive/yyyy-mm or archive/1/yyyy-mm (with blogid) */
case $CONF['ArchiveKey']:
if ( (($i + 1) < sizeof($data) ) && (!strstr($data[$i + 1], '-') ) )
{
$blogid = intval($data[++$i]);
}
$i++;
if ( $i < sizeof($data) )
{
$archive = $data[$i];
}
break;
/* blogid/1 */
case 'blogid':
/* blog/1 */
case $CONF['BlogKey']:
$i++;
if ( $i < sizeof($data) )
{
$blogid = intval($data[$i]);
}
break;
/* category/1 (catid) */
case $CONF['CategoryKey']:
case 'catid':
$i++;
if ( $i < sizeof($data) )
{
$catid = intval($data[$i]);
}
break;
case $CONF['MemberKey']:
$i++;
if ( $i < sizeof($data) )
{
$memberid = intval($data[$i]);
}
break;
case $CONF['SpecialskinKey']:
$i++;
if ( $i < sizeof($data) )
{
$special = $data[$i];
$_REQUEST['special'] = $special;
}
break;
default:
// skip...
}
}
}
}
/*
* PostParseURL is a place to cleanup any of the path-related global variables before the selector function is run.
* It has 2 values in the data in case the original virtualpath is needed, but most the use will be in tweaking
* global variables to clean up (scrub out catid or add catid) or to set someother global variable based on
* the values of something like catid or itemid
* New in 3.60
*/
$manager->notify(
'PostParseURL',
array(
/* e.g. item, blog, ... */
'type' => basename(serverVar('SCRIPT_NAME') ),
'info' => $virtualpath
)
);
/*
* NOTE: Here is the end of initialization
*/
/**
* This function includes or requires the specified library file
* @param string $file
* @param bool $once use the _once() version
* @param bool $require use require() instead of include()
*/
function include_libs($file, $once = TRUE, $require = TRUE)
{
global $DIR_LIBS;
// begin if: $DIR_LIBS isn't a directory
if ( !is_dir($DIR_LIBS) )
{
exit;
} // end if
$lib_path = $DIR_LIBS . $file;
// begin if:
if ( $once && $require )
{
require_once($lib_path);
}
else if ( $once && !$require )
{
include_once($lib_path);
}
else if ( $require )
{
require($lib_path);
}
else
{
include($lib_path);
} // end if
}
/**
* This function includes or requires the specified plugin file
* @param string $file
* @param bool $once use the _once() version
* @param bool $require use require() instead of include()
*/
function include_plugins($file, $once = TRUE, $require = TRUE)
{
global $DIR_PLUGINS;
// begin if: $DIR_LIBS isn't a directory
if ( !is_dir($DIR_PLUGINS) )
{
exit;
} // end if
$plugin_path = $DIR_PLUGINS . $file;
// begin if:
if ( $once && $require )
{
require_once($plugin_path);
}
else if ( $once && !$require )
{
include_once($plugin_path);
}
elseif ( $require )
{
require($plugin_path);
}
else
{
include($plugin_path);
}
}
/**
* This function decide which locale is used and include translation
* @param string $locale locale name referring to 'language tags' defined in RFC 5646
* @return Void
*/
function include_translation($locale)
{
global $DIR_LOCALES;
$translation_file = $DIR_LOCALES . $locale . '.' . i18n::get_current_charset() . '.php';
if ( !file_exists($translation_file) )
{
$locale = 'en_Latn_US';
$translation_file = $DIR_LOCALES . 'en_Latn_US.ISO-8859-1.php';
}
include($translation_file);
return;
}
/**
* This function returns the integer value of $_POST for the variable $name
* @param string $name field to get the integer value of
* @return int
*/
function intPostVar($name)
{
return intval(postVar($name));
}
/**
* This function returns the integer value of $_GET for the variable $name
* @param string $name field to get the integer value of
* @return int
*/
function intGetVar($name)
{
return intval(getVar($name));
}
/**
* This function returns the integer value of $_REQUEST for the variable $name. Also checks $_GET and $_POST if not found in $_REQUEST
* @param string $name field to get the integer value of
* @return int
*/
function intRequestVar($name)
{
return intval(requestVar($name));
}
/**
* This function returns the integer value of $_COOKIE for the variable $name
* @param string $name field to get the integer value of
* @return int
*/
function intCookieVar($name)
{
return intval(cookieVar($name));
}
/**
* This function returns the current Nucleus version (100 = 1.00, 101 = 1.01, etc...)
* @return int
*/
function getNucleusVersion()
{
return 400;
}
/**
* TODO: Better description of this function.
*
* Power users can install patches in between nucleus releases. These patches
* usually add new functionality in the plugin API and allow those to
* be tested without having to install CVS.
*
* @return int
*/
function getNucleusPatchLevel()
{
return 0;
}
/**
* This function returns the latest Nucleus version available for download from nucleuscms.org or FALSE if unable to attain data
* Format will be major.minor/patachlevel e.g. 3.41 or 3.41/02
* @return string|bool
*/
function getLatestVersion()
{
// begin if: cURL is not available in this PHP installation
if ( !function_exists('curl_init') )
{
return FALSE;
} // end if
$curl = curl_init();
$timeout = 5;
curl_setopt ($curl, CURLOPT_URL, 'http://nucleuscms.org/version_check.php');
curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($curl, CURLOPT_CONNECTTIMEOUT, $timeout);
$return = curl_exec($curl);
curl_close($curl);
return $return;
}
/**
* This function returns a Nucleus table name with the appropriate prefix
* @param string $name
* @return string
*/
function sql_table($name)
{
global $MYSQL_PREFIX;
// begin if: no MySQL prefix
if ( empty($MYSQL_PREFIX) )
{
return 'nucleus_' . $name;
}
// else: use MySQL prefix
else
{
return $MYSQL_PREFIX . 'nucleus_' . $name;
} // end if
}
/**
* TODO: This function should be changed to send_content_type() per the Coding Guidelines. Ensure this change is compatible with rest of core.
*
* This function sends the Content-Type header if headers have not already been sent
* It also determines if the browser can accept application/xhtml+xml and sends it only to those that can.
* @param string $content_type
* @param string $page_type
* @param string $charset Deprecated. This has no meaning.
*/
function sendContentType($content_type, $page_type = '', $charset = _CHARSET)
{
global $manager, $CONF;
if ( !headers_sent() )
{
// if content type is application/xhtml+xml, only send it to browsers
// that can handle it (IE6 cannot). Otherwise, send text/html
// v2.5: For admin area pages, keep sending text/html (unless it's a debug version)
// application/xhtml+xml still causes too much problems with the javascript implementations
// v3.3: ($CONF['UsingAdminArea'] && !$CONF['debug']) gets removed,
// application/xhtml+xml seems to be working, so we're going to use it if we can.
if ( ($content_type == 'application/xhtml+xml')
&& (!stristr(serverVar('HTTP_ACCEPT'), 'application/xhtml+xml') ) )
{
$content_type = 'text/html';
} // end if
$manager->notify(
'PreSendContentType',
array(
'contentType' => &$content_type,
'charset' => i18n::get_current_charset(),
'pageType' => $page_type
)
);
// strip strange characters
$content_type = preg_replace('|[^a-z0-9-+./]|i', '', $content_type);
header('Content-Type: ' . $content_type . '; charset=' . i18n::get_current_charset());
} // end if
}
/**
* This function parses a query into an array of expressions that can be passed on to the highlight method
* @param string $query
*/
function parseHighlight($query)
{
// TODO: add more intelligent splitting logic
// get rid of quotes
$query = preg_replace('/\'|"/', '', $query);
if ( !$query )
{
return array();
}
$aHighlight = preg_split('# #', $query);
for ( $i = 0; $i < count($aHighlight); $i++ )
{
$aHighlight[$i] = trim($aHighlight[$i]);
if ( i18n::strlen($aHighlight[$i]) < 3 )
{
unset($aHighlight[$i]);
}
}
if ( count($aHighlight) == 1 )
{
return $aHighlight[0];
}
else
{
return $aHighlight;
}
}
/**
* This function gets the blog ID from the blog name
* @param string $name
* @return
*/
function getBlogIDFromName($name)
{
return quickQuery('SELECT bnumber AS result FROM ' . sql_table('blog') . ' WHERE bshortname = "' . sql_real_escape_string($name) . '"');
}
/**
* This function gets the blog name from the blog ID
* @param int $id
* @return object
*/
function getBlogNameFromID($id)
{
return quickQuery('SELECT bname AS result FROM ' . sql_table('blog') . ' WHERE bnumber = ' . intval($id));
}
/**
* This function gets the blog ID from the item ID
* @param int $item_id
* @return object
*/
function getBlogIDFromItemID($item_id)
{
return quickQuery('SELECT iblog AS result FROM ' . sql_table('item') . ' WHERE inumber = ' . intval($item_id));
}
/**
* This function gets the blog ID from the comment ID
* @param int $comment_id
* @return object
*/
function getBlogIDFromCommentID($comment_id)
{
return quickQuery('SELECT cblog AS result FROM ' . sql_table('comment') . ' WHERE cnumber = ' . intval($comment_id));
}
/**
* This function gets the blog ID from the category ID
* @param int $category_id
* @return object
*/
function getBlogIDFromCatID($category_id)
{
return quickQuery('SELECT cblog AS result FROM ' . sql_table('category') . ' WHERE catid = ' . intval($category_id));
}
/**
* This function gets the category ID from the category name
* @param int $name
* @return object
*/
function getCatIDFromName($name)
{
return quickQuery('SELECT catid AS result FROM ' . sql_table('category') . ' WHERE cname = "' . sql_real_escape_string($name) . '"');
}
/**
* This function performs a quick SQL query
* @param string $query
* @return object
*/
function quickQuery($query)
{
$res = sql_query($query);
$obj = sql_fetch_object($res);
return $obj->result;
}
function getPluginNameFromPid($pid) {
$res = sql_query('SELECT pfile FROM ' . sql_table('plugin') . ' WHERE pid=' . intval($pid) );
$obj = sql_fetch_object($res);
return $obj->pfile;
// return isset($obj->pfile) ? $obj->pfile : false;
}
function selector()
{
global $itemid, $blogid, $memberid, $query, $amount, $archivelist, $maxresults;
global $archive, $skinid, $blog, $memberinfo, $CONF, $member;
global $imagepopup, $catid, $special;
global $manager;
$actionNames = array('addcomment', 'sendmessage', 'createaccount', 'forgotpassword', 'votepositive', 'votenegative', 'plugin');
$action = requestVar('action');
if ( in_array($action, $actionNames) )
{
global $DIR_LIBS, $errormessage;
include_once($DIR_LIBS . 'ACTION.php');
$a = new Action();
$errorInfo = $a->doAction($action);
if ( $errorInfo )
{
$errormessage = $errorInfo['message'];
}
}
// show error when headers already sent out
if ( headers_sent() && $CONF['alertOnHeadersSent'] )
{
// try to get line number/filename (extra headers_sent params only exists in PHP 4.3+)
if ( function_exists('version_compare') && version_compare('4.3.0', phpversion(), '<=') )
{
headers_sent($hsFile, $hsLine);
$extraInfo = ' in ' . $hsFile . ' line ' . $hsLine . '';
}
else
{
$extraInfo = '';
}
startUpError(
'
The page headers have already been sent out' . $extraInfo . '. This could cause Nucleus not to work in the expected way.
Usually, this is caused by spaces or newlines at the end of the config.php file, at the end of the translation file or at the end of a plugin file. Please check this and try again.
If you don\'t want to see this error message again, without solving the problem, set $CONF[\'alertOnHeadersSent\'] in globalfunctions.php to 0
',
'Page headers already sent'
);
exit;
}
// make is so ?archivelist without blogname or blogid shows the archivelist
// for the default weblog
if ( serverVar('QUERY_STRING') == 'archivelist' )
{
$archivelist = $CONF['DefaultBlog'];
}
// now decide which type of skin we need
if ( $itemid )
{
// itemid given -> only show that item
$type = 'item';
if ( !$manager->existsItem($itemid,intval($CONF['allowFuture']),intval($CONF['allowDrafts'])) )
{
doError(_ERROR_NOSUCHITEM);
}
global $itemidprev, $itemidnext, $catid, $itemtitlenext, $itemtitleprev;
// 1. get timestamp, blogid and catid for item
$query = 'SELECT itime, iblog, icat FROM %s WHERE inumber=%d';
$query = sprintf($query, sql_table('item'), (integer) $itemid);
$res = sql_query($query);
$obj = sql_fetch_object($res);
// if a different blog id has been set through the request or selectBlog(),
// deny access
if ( $blogid && (intval($blogid) != $obj->iblog) )
{
doError(_ERROR_NOSUCHITEM);
}
// if a category has been selected which doesn't match the item, ignore the
// category. #85
if ( ($catid != 0) && ($catid != $obj->icat) )
{
$catid = 0;
}
$blogid = $obj->iblog;
$timestamp = strtotime($obj->itime);
$b =& $manager->getBlog($blogid);
if ( !$b->isValidCategory($catid) )
{
$query = "SELECT inumber, ititle FROM %s WHERE itime<'%s' AND idraft=0 AND iblog=%d ORDER BY itime DESC LIMIT 1";
$query = sprintf($query, sql_table('item'), i18n::formatted_datetime('mysql', $timestamp), $blogid);
}
else
{
$query = "SELECT inumber, ititle FROM %s WHERE itime<'%s' AND idraft=0 AND iblog=%d AND icat=%d ORDER BY itime DESC LIMIT 1";
$query = sprintf($query, sql_table('item'), i18n::formatted_datetime('mysql', $timestamp), $blogid, $catid);
}
$res = sql_query($query);
$obj = sql_fetch_object($res);
if ( $obj )
{
$itemidprev = $obj->inumber;
$itemtitleprev = $obj->ititle;
}
// get next itemid and title
if ( !$b->isValidCategory($catid) )
{
$query = "SELECT inumber, ititle FROM %s WHERE itime>'%s' AND itime<='%s' AND idraft=0 AND iblog=%d ORDER BY itime ASC LIMIT 1";
$query = sprintf($query, sql_table('item'), i18n::formatted_datetime('mysql', $timestamp), i18n::formatted_datetime('mysql', $b->getCorrectTime()), $blogid);
}
else
{
$query = "SELECT inumber, ititle FROM %s WHERE itime>'%s' AND itime<='%s' AND idraft=0 AND iblog=%d AND icat=%d ORDER BY itime ASC LIMIT 1";
$query = sprintf($query, sql_table('item'), i18n::formatted_datetime('mysql', $timestamp), i18n::formatted_datetime('mysql', $b->getCorrectTime()), $blogid, $catid);
}
$res = sql_query($query);
$obj = sql_fetch_object($res);
if ( $obj )
{
$itemidnext = $obj->inumber;
$itemtitlenext = $obj->ititle;
}
}
elseif ( $archive )
{
// show archive
$type = 'archive';
// get next and prev month links ...
global $archivenext, $archiveprev, $archivetype, $archivenextexists, $archiveprevexists;
// sql queries for the timestamp of the first and the last published item
$query = "SELECT UNIX_TIMESTAMP(itime) as result FROM ".sql_table('item')." WHERE idraft=0 ORDER BY itime ASC";
$first_timestamp=quickQuery ($query);
$query = "SELECT UNIX_TIMESTAMP(itime) as result FROM ".sql_table('item')." WHERE idraft=0 ORDER BY itime DESC";
$last_timestamp=quickQuery ($query);
sscanf($archive, '%d-%d-%d', $y, $m, $d);
if ( $d != 0 )
{
$archivetype = _ARCHIVETYPE_DAY;
$t = mktime(0, 0, 0, $m, $d, $y);
// one day has 24 * 60 * 60 = 86400 seconds
$archiveprev = i18n::formatted_datetime('%Y-%m-%d', $t - 86400 );
// check for published items
if ( $t > $first_timestamp )
{
$archiveprevexists = true;
}
else
{
$archiveprevexists = false;
}
// one day later
$t += 86400;
$archivenext = i18n::formatted_datetime('%Y-%m-%d', $t);
if ( $t < $last_timestamp )
{
$archivenextexists = true;
}
else
{
$archivenextexists = false;
}
}
elseif ( $m == 0 )
{
$archivetype = _ARCHIVETYPE_YEAR;
$t = mktime(0, 0, 0, 12, 31, $y - 1);
// one day before is in the previous year
$archiveprev = i18n::formatted_datetime('%Y', $t);
if ( $t > $first_timestamp )
{
$archiveprevexists = true;
}
else
{
$archiveprevexists = false;
}
// timestamp for the next year
$t = mktime(0, 0, 0, 1, 1, $y + 1);
$archivenext = i18n::formatted_datetime('%Y', $t);
if ( $t < $last_timestamp )
{
$archivenextexists = true;
}
else
{
$archivenextexists = false;
}
}
else
{
$archivetype = _ARCHIVETYPE_MONTH;
$t = mktime(0, 0, 0, $m, 1, $y);
// one day before is in the previous month
$archiveprev = i18n::formatted_datetime('%Y-%m', $t - 86400);
if ( $t > $first_timestamp )
{
$archiveprevexists = true;
}
else
{
$archiveprevexists = false;
}
// timestamp for the next month
$t = mktime(0, 0, 0, $m+1, 1, $y);
$archivenext = i18n::formatted_datetime('%Y-%m', $t);
if ( $t < $last_timestamp )
{
$archivenextexists = true;
}
else
{
$archivenextexists = false;
}
}
}
elseif ( $archivelist )
{
$type = 'archivelist';
if ( is_numeric($archivelist) )
{
$blogid = intVal($archivelist);
}
else
{
$blogid = getBlogIDFromName($archivelist);
}
if ( !$blogid )
{
doError(_ERROR_NOSUCHBLOG);
}
}
elseif ( $query )
{
global $startpos;
$type = 'search';
$query = stripslashes($query);
if ( is_numeric($blogid) )
{
$blogid = intVal($blogid);
}
else
{
$blogid = getBlogIDFromName($blogid);
}
if ( !$blogid )
{
doError(_ERROR_NOSUCHBLOG);
}
}
elseif ( $memberid )
{
$type = 'member';
if ( !Member::existsID($memberid) )
{
doError(_ERROR_NOSUCHMEMBER);
}
$memberinfo = $manager->getMember($memberid);
}
elseif ( $imagepopup )
{
// media object (images etc.)
$type = 'imagepopup';
// TODO: check if media-object exists
// TODO: set some vars?
}
else
{
// show regular index page
global $startpos;
$type = 'index';
}
// any type of skin with catid
if ( $catid && !$blogid )
{
$blogid = getBlogIDFromCatID($catid);
}
// decide which blog should be displayed
if ( !$blogid )
{
$blogid = $CONF['DefaultBlog'];
}
$b =& $manager->getBlog($blogid);
$blog = $b; // references can't be placed in global variables?
if ( !$blog->isValid )
{
doError(_ERROR_NOSUCHBLOG);
}
// set catid if necessary
if ( $catid )
{
// check if the category is valid
if ( !$blog->isValidCategory($catid) )
{
doError(_ERROR_NOSUCHCATEGORY);
}
else
{
$blog->setSelectedCategory($catid);
}
}
// decide which skin should be used
if ( $skinid != '' && ($skinid == 0) )
{
selectSkin($skinid);
}
if ( !$skinid )
{
$skinid = $blog->getDefaultSkin();
}
//$special = requestVar('special'); //get at top of file as global
if ( !empty($special) && isValidShortName($special) )
{
$type = strtolower($special);
}
$skin = new SKIN($skinid);
if ( !$skin->isValid() )
{
doError(_ERROR_NOSUCHSKIN);
}
// set global skinpart variable so can determine quickly what is being parsed from any plugin or phpinclude
global $skinpart;
$skinpart = $type;
// parse the skin
$skin->parse($type);
// check to see we should throw JustPosted event
$blog->checkJustPosted();
return;
}
/**
* Show error skin with given message. An optional skin-object to use can be given
*/
function doError($msg, $skin = '')
{
global $errormessage, $CONF, $skinid, $blogid, $manager;
if ( $skin == '' )
{
if ( Skin::existsID($skinid) )
{
$id = $skinid;
}
elseif ( $manager->existsBlogID($blogid) )
{
$blog =& $manager->getBlog($blogid);
$id = $blog->getDefaultSkin();
}
elseif ($CONF['DefaultBlog'] )
{
$blog =& $manager->getBlog($CONF['DefaultBlog']);
$id = $blog->getDefaultSkin();
}
else
{
// this statement should actually never be executed
$id = $CONF['BaseSkin'];
}
$skin = new Skin($id);
}
$skinid = $skin->getID();
$errormessage = $msg;
$skin->parse('error');
exit;
}
function getConfig() {
global $CONF;
$query = 'SELECT * FROM ' . sql_table('config');
$res = sql_query($query);
while ($obj = sql_fetch_object($res) ) {
$CONF[$obj->name] = $obj->value;
}
}
// some checks for names of blogs, categories, templates, members, ...
function isValidShortName($name) {
# replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0
# original eregi: eregi('^[a-z0-9]+$', $name)
return preg_match('#^[a-z0-9]+$#i', $name);
}
function isValidDisplayName($name) {
# replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0
# original eregi: eregi('^[a-z0-9]+[a-z0-9 ]*[a-z0-9]+$', $name)
return preg_match('#^[a-z0-9]+[a-z0-9 ]*[a-z0-9]+$#i', $name);
}
function isValidCategoryName($name) {
return 1;
}
function isValidTemplateName($name) {
# replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0
# original eregi: eregi('^[a-z0-9/]+$', $name)
// added - and _ to valid characters as of 4.00
return preg_match('#^[a-z0-9/_\-]+$#i', $name);
}
function isValidSkinName($name) {
# replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0
# original eregi: eregi('^[a-z0-9/]+$', $name);
// added - and _ to valid characters as of 4.00
return preg_match('#^[a-z0-9/_\-]+$#i', $name);
}
// add and remove linebreaks
function addBreaks($var) {
return nl2br($var);
}
function removeBreaks($var) {
return preg_replace("/ ([\r\n])/", "$1", $var);
}
/**
* functions for use in index.php
*/
function selectBlog($shortname) {
global $blogid, $archivelist;
$blogid = getBlogIDFromName($shortname);
// also force archivelist variable, if it is set
if ($archivelist) {
$archivelist = $blogid;
}
}
function selectSkin($skinname) {
global $skinid;
$skinid = SKIN::getIdFromName($skinname);
}
/**
* Can take either a category ID or a category name (be aware that
* multiple categories can have the same name)
*/
function selectCategory($cat) {
global $catid;
if (is_numeric($cat) ) {
$catid = intval($cat);
} else {
$catid = getCatIDFromName($cat);
}
}
function selectItem($id) {
global $itemid;
$itemid = intval($id);
}
function parseFile($filename, $includeMode = 'normal', $includePrefix = '')
{
global $skinid;
if ( !$skinid || !existsID($skinid) )
{
$skin = new Skin($CONF['BaseSkin']);
}
else
{
$skin = new Skin($skinid);
}
$oldIncludeMode = Parser::getProperty('IncludeMode');
$oldIncludePrefix = Parser::getProperty('IncludePrefix');
$skin->parse('fileparse', $filename);
Parser::setProperty('IncludeMode', $oldIncludeMode);
Parser::setProperty('IncludePrefix', $oldIncludePrefix);
return;
}
/**
* Outputs a debug message
*/
function debug($msg) {
echo '
';
}
function helplink($id) {
global $CONF;
return '';
}
/**
* Includes a PHP file. This method can be called while parsing templates and skins
*/
function includephp($filename) {
// make predefined variables global, so most simple scripts can be used here
// apache (names taken from PHP doc)
global $GATEWAY_INTERFACE, $SERVER_NAME, $SERVER_SOFTWARE, $SERVER_PROTOCOL;
global $REQUEST_METHOD, $QUERY_STRING, $DOCUMENT_ROOT, $HTTP_ACCEPT;
global $HTTP_ACCEPT_CHARSET, $HTTP_ACCEPT_ENCODING, $HTTP_ACCEPT_LANGUAGE;
global $HTTP_CONNECTION, $HTTP_HOST, $HTTP_REFERER, $HTTP_USER_AGENT;
global $REMOTE_ADDR, $REMOTE_PORT, $SCRIPT_FILENAME, $SERVER_ADMIN;
global $SERVER_PORT, $SERVER_SIGNATURE, $PATH_TRANSLATED, $SCRIPT_NAME;
global $REQUEST_URI;
// php (taken from PHP doc)
global $argv, $argc, $PHP_SELF, $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS;
global $HTTP_POST_FILES, $HTTP_ENV_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS;
// other
global $PATH_INFO, $HTTPS, $HTTP_RAW_POST_DATA, $HTTP_X_FORWARDED_FOR;
if (@file_exists($filename) ) {
include($filename);
}
}
/**
* Checks if a certain plugin exists
* @param string $plug
* @return bool
**/
function checkPlugin($plug) {
global $DIR_PLUGINS;
# replaced ereg_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0
# original ereg_replace: ereg_replace( '[\\|/]', '', $plug) . '.php')
# important note that '\' must be matched with '\\\\' in preg* expressions
return file_exists($DIR_PLUGINS . preg_replace('#[\\\\|/]#', '', $plug) . '.php');
}
/**
* alterQueryStr()
*
* @param string $querystr querystring to alter (e.g. foo=1&bar=2&x=y)
* @param string $param name of parameter to change (e.g. 'foo')
* @param string $value New value for that parameter (e.g. 3)
* @result string altered query string (for the examples above: foo=3&bar=2&x=y)
*/
function alterQueryStr($querystr, $param, $value)
{
$vars = preg_split('#&#', $querystr);
$set = FALSE;
for ( $i = 0; $i < count($vars); $i++ )
{
$v = preg_split('#=#', $vars[$i]);
if ( $v[0] == $param )
{
$v[1] = $value;
$vars[$i] = implode('=', $v);
$set = true;
break;
}
}
if ( !$set )
{
$vars[] = "{$param}={$value}";
}
return ltrim(implode('&', $vars), '&');
}
// passes one variable as hidden input field (multiple fields for arrays)
// @see passRequestVars in varsx.x.x.php
function passVar($key, $value) {
// array ?
if (is_array($value) ) {
for ($i = 0; $i < sizeof($value); $i++) {
passVar($key . '[' . $i . ']', $value[$i]);
}
return;
}
// other values: do stripslashes if needed
?>= '4.1.0') {
if ( isset($_GET[$varName])
|| isset($_POST[$varName])
|| isset($_COOKIE[$varName])
|| isset($_ENV[$varName])
|| isset($_SESSION[$varName])
|| isset($_FILES[$varName])
) {
die('Sorry. An error occurred.');
}
} else {
if ( isset($HTTP_GET_VARS[$varName])
|| isset($HTTP_POST_VARS[$varName])
|| isset($HTTP_COOKIE_VARS[$varName])
|| isset($HTTP_ENV_VARS[$varName])
|| isset($HTTP_SESSION_VARS[$varName])
|| isset($HTTP_POST_FILES[$varName])
) {
die('Sorry. An error occurred.');
}
}
}
}
/**
* Sanitize parameters such as $_GET and $_SERVER['REQUEST_URI'] etc.
* to avoid XSS
*/
function sanitizeParams()
{
global $HTTP_SERVER_VARS;
$array = array();
$str = '';
$frontParam = '';
// REQUEST_URI of $HTTP_SERVER_VARS
$str =& $HTTP_SERVER_VARS["REQUEST_URI"];
serverStringToArray($str, $array, $frontParam);
sanitizeArray($array);
arrayToServerString($array, $frontParam, $str);
// QUERY_STRING of $HTTP_SERVER_VARS
$str =& $HTTP_SERVER_VARS["QUERY_STRING"];
serverStringToArray($str, $array, $frontParam);
sanitizeArray($array);
arrayToServerString($array, $frontParam, $str);
if (phpversion() >= '4.1.0') {
// REQUEST_URI of $_SERVER
$str =& $_SERVER["REQUEST_URI"];
serverStringToArray($str, $array, $frontParam);
sanitizeArray($array);
arrayToServerString($array, $frontParam, $str);
// QUERY_STRING of $_SERVER
$str =& $_SERVER["QUERY_STRING"];
serverStringToArray($str, $array, $frontParam);
sanitizeArray($array);
arrayToServerString($array, $frontParam, $str);
}
// $_GET
convArrayForSanitizing($_GET, $array);
sanitizeArray($array);
revertArrayForSanitizing($array, $_GET);
// $_REQUEST (only GET param)
convArrayForSanitizing($_REQUEST, $array);
sanitizeArray($array);
revertArrayForSanitizing($array, $_REQUEST);
}
/**
* ticketForPlugin()
*
* Check ticket when not checked in plugin's admin page
* to avoid CSRF.
* Also avoid the access to plugin/index.php by guest user.
*/
function ticketForPlugin()
{
global $CONF, $DIR_PLUGINS, $member, $ticketforplugin;
/* initialize */
$ticketforplugin = array();
$ticketforplugin['ticket'] = FALSE;
/* $_SERVER['PATH_TRANSLATED']
* http://www.php.net/manual/en/reserved.variables.server.php
* Note: As of PHP 4.3.2, PATH_TRANSLATED is no longer set implicitly
* under the Apache 2 SAPI in contrast to the situation in Apache 1,
* where it's set to the same value as the SCRIPT_FILENAME server variable
* when it's not populated by Apache.
* This change was made to comply with the CGI specification
* that PATH_TRANSLATED should only exist if PATH_INFO is defined.
* Apache 2 users may use AcceptPathInfo = On inside httpd.conf to define PATH_INFO.
*/
/* Check if using plugin's php file. */
$p_translated = serverVar('SCRIPT_FILENAME');
if (!file_exists($p_translated) )
{
header("HTTP/1.0 404 Not Found");
exit('');
}
$p_translated = str_replace('\\', '/', $p_translated);
$d_plugins = str_replace('\\', '/', $DIR_PLUGINS);
// This isn't plugin php file.
if ( i18n::strpos($p_translated, $d_plugins) !== 0 )
{
return;
}
// Solve the plugin php file or admin directory
$phppath = i18n::substr($p_translated, i18n::strlen($d_plugins) );
// Remove the first "/" if exists.
$phppath = preg_replace('#^/#', '', $phppath);
// Remove the first "NP_" and the last ".php" if exists.
$path = preg_replace('#^NP_(.*)\.php$#', '$1', $phppath);
// Remove the "/" and beyond.
$path = preg_replace('#^([^/]*)/(.*)$#', '$1', $path);
// Solve the plugin name.
$plugins = array();
$query = 'SELECT pfile FROM '.sql_table('plugin');
$res = sql_query($query);
while($row = sql_fetch_row($res) )
{
$name = i18n::substr($row[0], 3);
$plugins[strtolower($name)] = $name;
}
sql_free_result($res);
if (array_key_exists($path, $plugins))
{
$plugin_name = $plugins[$path];
}
else if (in_array($path, $plugins))
{
$plugin_name = $path;
}
else
{
header("HTTP/1.0 404 Not Found");
exit('');
}
/* Return if not index.php */
if ( ($phppath != strtolower($plugin_name) . '/') && ($phppath != strtolower($plugin_name) . '/index.php') )
{
return;
}
/* Exit if not logged in. */
if ( !$member->isLoggedIn() )
{
exit('You aren\'t logged in.');
}
global $manager, $DIR_LIBS, $DIR_LOCALES, $HTTP_GET_VARS, $HTTP_POST_VARS;
/* Check if this feature is needed (ie, if "$manager->checkTicket()" is not included in the script). */
if (!($p_translated = serverVar('PATH_TRANSLATED') ) )
{
$p_translated = serverVar('SCRIPT_FILENAME');
}
if ($file = @file($p_translated) )
{
$prevline = '';
foreach($file as $line)
{
if (preg_match('/[\$]manager([\s]*)[\-]>([\s]*)checkTicket([\s]*)[\(]/i', $prevline . $line) )
{
return;
}
$prevline = $line;
}
}
/* Show a form if not valid ticket */
if ( ( strstr(serverVar('REQUEST_URI'), '?') || serverVar('QUERY_STRING')
|| strtoupper(serverVar('REQUEST_METHOD') ) == 'POST')
&& (!$manager->checkTicket() ) )
{
$oPluginAdmin = new PluginAdmin($plugin_name);
$oPluginAdmin->start();
echo '