/frontend/php/include/form.php
PHP | 193 lines | 94 code | 32 blank | 67 comment | 20 complexity | f988500ecf822ae7acec8537d7c9971b MD5 | raw file
Possible License(s): AGPL-3.0
- <?php
- # <one line to give a brief idea of what this does.>
- #
- # Copyright 2004-2006 (c) Mathieu Roy <yeupou--gnu.org>
- #
- # This file is part of Savane.
- #
- # Savane is free software: you can redistribute it and/or modify
- # it under the terms of the GNU Affero General Public License as
- # published by the Free Software Foundation, either version 3 of the
- # License, or (at your option) any later version.
- #
- # Savane is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU Affero General Public License for more details.
- #
- # You should have received a copy of the GNU Affero General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
- require_once(dirname(__FILE__).'/dnsbl.php');
- require_once(dirname(__FILE__).'/spam.php');
- # To use this form that disallow duplicates:
- # - form_header must be used on the form
- # - form_check must be used before any insert in the db after submission
- # - form_clean must be used after succesful item submission
- #
- # Start the form with unique ID, store it in the database
- function form_header ($action, $form_id=false, $method="post", $extra=false)
- {
- if ($extra)
- { $extra = " $extra"; };
-
- # Keep previous form id, in case of form that are recreated on failure
- if (!$form_id)
- {
- mt_srand((double)microtime()*1000000);
- $form_id=md5(mt_rand(0,1000000));
- }
- $result = db_autoexecute('form',
- array('form_id' => $form_id,
- 'timestamp' => time(),
- 'user_id' => user_getid()),
- DB_AUTOQUERY_INSERT);
- if (db_affected_rows($result) != 1)
- { fb(_("System error while creating the form, report it to admins"), 1); }
-
- return '
- <form action="'.$action.'" method="'.$method.'"'.$extra.'>'.form_input("hidden","form_id",$form_id);
- }
- # Usual input
- function form_input ($type, $name, $value="", $extra=false)
- {
- if ($value != "")
- { $value = 'value="'.$value.'"'; }
- if ($extra)
- { $extra = " $extra"; };
-
- return '
- <input type="'.$type.'" id="'.$name.'" name="'.$name.'" '.$value.$extra.' />';
- }
- # Special input: textarea
- function form_textarea ($name, $value="", $extra=false)
- {
- if ($extra)
- { $extra = " $extra"; };
-
- return '
- <textarea name="'.$name.'"'.$extra.'>'.$value.'</textarea>';
- }
- # Add submit button
- function form_submit($text=false, $submit_name="update", $extra=false)
- {
- if (!$text)
- { $text = _("Submit"); }
- # Add a trap for spammers: a text input that will have to be kept empty.
- # This wont prevent tailored bots to spam, but that should prevent
- # the rest of them, which is good enough (task #4151).
- # Sure, some bots will someday implement CSS support, but the ones that does
- # not will not disappear as soon as this happen.
- $trap = '';
- if (empty($GLOBALS['int_trapisset']) && !user_isloggedin())
- {
- $trap = " ".form_input("text", "website", "http://");
- $GLOBALS['int_trapisset'] = true;
- }
-
-
- return form_input("submit", $submit_name, $text, $extra).$trap;
- }
- # Close the form, with submit button
- function form_footer ($text=false, $submit_name="update")
- {
- return '
- <div class="center">
- '.form_submit($text, $submit_name).'
- </div>
- </form>';
- }
- # Check whether this is a duplicate or not: return true if the form
- # is ok.
- # Exit if we found sql wildcards: forged form, probably.
- # We do need this extra check for anynomous users. Logged in users can forge
- # their id and remove all the form id of their user, if they wish. Its their
- # problem.
- #
- # form_check is also used as a cross-side request forgery (CSRF) protection.
- function form_check ($form_id)
- {
- if (!empty($GLOBALS['sys_debug_noformcheck']))
- return 1;
- # First, check for spambots
- # (will kill the session if necessary)
- form_check_nobot();
- if (user_getid() == 0 &&
- (!preg_match('/^[a-z0-9]*$/', $form_id)))
- {
- fb(_("Unrecognized unique form_id"), 1);
- return 0;
- }
- # See bug #6983
- # We must clean the form id right now. This is not how the form id mechanism
- # was designed.
- #
- # Originally, form id was supposed to be deleted only when we are sure
- # that the form was posted.
- # However, since apache & all are multithreaded, you can end up with the
- # case that the delay between the initial check and the end of the form
- # is long enough to make possible a duplicate.
- #
- # Now, the check will remove the id. If the remove fail, it means that
- # the form id no longer exists and then we exit. We will have only one
- # SQL request, reducing as much as possible delays.
- $success = db_affected_rows(db_execute("DELETE FROM form WHERE user_id=? AND form_id=?",
- array(user_getid(), $form_id)));
- if (!$success)
- {
- fb(_("Duplicate Post: this form was already submitted."),1);
- return 0;
- }
- # Always do a dnsbl check when such form is sent
- # (it will kill the submission if necessary)
- dnsbl_check();
-
- # Also does a check against savane own blacklist
- # (will never forbid post to logged-in users)
- spam_bancheck();
- return 1;
- }
- # Remove form_id from database: the item was posted
- function form_clean ($form_id)
- {
- # Form_id are now directly removed by form_check
- return 1;
- }
- # Check whether the trap field has been filled. If so, refuse the post.
- # This test should probably be made before remove form id, to be
- # dumbuser-compliant
- function form_check_nobot ()
- {
- extract(sane_import('request', array('website')));
- if ($website != "" && $website != "http://")
- {
- # Not much explanation on the reject, since we are hunting spammers
- exit_log("filled the spam trap special field");
- exit_missing_param();
- }
- return 1;
- }