/components/com_virtuemart/virtuemart_parser.php
PHP | 310 lines | 205 code | 43 blank | 62 comment | 71 complexity | e04923ccfe024d95c85dd5f5a4788b0d MD5 | raw file
Possible License(s): BSD-3-Clause, LGPL-2.1, Apache-2.0
- <?php
- if( !defined( '_VALID_MOS' ) && !defined( '_JEXEC' ) ) die( 'Direct Access to '.basename(__FILE__).' is not allowed.' );
- /**
- * This file prepares the VirtueMart framework
- * It should be included whenever a VirtueMart function is needed
- *
- * @version $Id: virtuemart_parser.php 3105 2011-04-30 13:35:30Z zanardi $
- * @package VirtueMart
- * @subpackage core
- * @copyright Copyright (C) 2004-2008 soeren - All rights reserved.
- * @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see LICENSE.php
- * VirtueMart is free software. This version may have been modified pursuant
- * to the GNU General Public License, and as distributed it includes or
- * is derivative of works licensed under the GNU General Public License or
- * other free or open source software licenses.
- * See /administrator/components/com_virtuemart/COPYRIGHT.php for copyright notices and details.
- *
- * http://virtuemart.net
- */
- global $my, $db, $perm, $ps_function, $ps_module, $ps_html, $ps_vendor_id, $vendor_image,$vendor_image_url, $keyword,
- $ps_payment_method,$ps_zone,$sess, $page, $func, $pagename, $modulename, $vars, $default, $VM_LANG, $cmd, $ok, $mosConfig_lang,
- $auth, $ps_checkout,$error, $error_type, $func_perms, $func_list, $func_class, $func_method, $func_list, $dir_list, $pagePermissionsOK,
- $vendor_currency_display_style, $vendor_freeshipping, $mm_action_url, $limit, $limitstart, $mainframe, $ps_product, $database;
- include_once( dirname(__FILE__).'/../../administrator/components/com_virtuemart/compat.joomla1.5.php' );
- if( !defined( '_VM_PARSER_LOADED' )) {
- global $my;
-
- // Clean the var PHP_SELF from chars like " or '
- $_SERVER['PHP_SELF'] = htmlspecialchars( $_SERVER['PHP_SELF'], ENT_QUOTES );
-
- if( !empty($_SERVER['QUERY_STRING'])) {
- // Make sure, that the Query String only contains urlencoded values
- $vars = explode( '&', $_SERVER['QUERY_STRING']);
- $new_query_string = array();
- foreach( $vars as $val) {
- $keyvarpair = explode('=', $val);
- if( sizeof( $keyvarpair ) == 1 ) {
- $keyvarpair[1] = 0;
- }
- $new_query_string[] = $keyvarpair[0].'='.urlencode(urldecode($keyvarpair[1]));
-
- }
- $_SERVER['QUERY_STRING'] = implode('&', $new_query_string );
- }
-
- if( !empty($my->id) || !empty($user->id) ) {
- // This is necessary to get the real GID
- if( class_exists( 'jconfig' ) ) {
- $tmpuser = & JFactory::getUser();
- if( !defined( '_JLEGACY' ) ) {
- $GLOBALS['my']->load( $tmpuser->get('id'));
- $GLOBALS['my']->set('gid', $tmpuser->get('gid'));
- } else {
- $GLOBALS['my']->gid = $tmpuser->get('gid');
- }
- } else {
- $my->load( $my->id );
- }
- $vmuser = $my;
- }
- if( !file_exists( $mosConfig_absolute_path. "/administrator/components/com_virtuemart/virtuemart.cfg.php" )) {
- die( "<h3>The configuration file for VirtueMart is missing!</h3>It should be here: <strong>"
- . $mosConfig_absolute_path. "/administrator/components/com_virtuemart/virtuemart.cfg.php</strong>" );
- }
- // the configuration file for the Shop
- require_once( $mosConfig_absolute_path. "/administrator/components/com_virtuemart/virtuemart.cfg.php" );
-
- $GLOBALS['mosConfig_live_site'] = $mosConfig_live_site = substr( URL, 0, strlen(URL)-1);
-
- // the global file for VirtueMart
- require_once( ADMINPATH . 'global.php' );
- if( !vmIsAdminMode() && !is_a($mainframe, 'JAdministrator') && !isset( $_REQUEST['page']) ) {
- // Get the menu parameters, if any
- if( vmIsJoomla( '1.5' ) ) {
- $menuparams = $mainframe->getParams();
- } else {
- $Itemid = (int) vmRequest::getInt( 'Itemid', '' );
- $query = "SELECT params FROM #__menu WHERE id='".$Itemid."'";
- $database->setQuery( $query );
- $itemparams = $database->loadResult();
- $menuparams = new mosParameters( $itemparams );
- }
-
- $tmp_product_id = $menuparams->get( 'product_id' );
- $tmp_category_id = $menuparams->get( 'category_id' );
- $tmp_flypage = $menuparams->get( 'flypage' );
- $tmp_page = $menuparams->get( 'page' );
- if( !empty( $tmp_product_id ) ) {
- vmRequest::setVar( 'product_id', $tmp_product_id );
- vmRequest::setVar( 'page', 'shop.product_details' );
- } elseif( !empty( $tmp_category_id ) ) {
- vmRequest::setVar( 'category_id', $tmp_category_id );
- vmRequest::setVar( 'page', 'shop.browse' );
- }
-
- if( ( !empty( $tmp_product_id ) || !empty( $tmp_category_id ) ) && !empty( $tmp_flypage ) ) {
- vmRequest::setVar( 'flypage', $tmp_flypage );
- }
-
- if( !empty( $tmp_page ) ) {
- vmRequest::setVar( 'page', $tmp_page );
- }
- // Set the default page
- $defaultpage = HOMEPAGE;
- } else {
- $defaultpage = vmget($_SESSION,'last_page');
- }
- $page = vmRequest::getVar('page', $defaultpage );
- $func = vmRequest::getVar('func');
- $ajax_request = strtolower(vmGet($_SERVER,'HTTP_X_REQUESTED_WITH')) == 'xmlhttprequest' || vmGet($_REQUEST,'ajax_request') == '1';
- $option = vmRequest::getVar('option');
- // This makes it possible to use Shared SSL
- $sess->prepare_SSL_Session();
-
- if( $option == "com_virtuemart" ) {
- // Get sure that we have float values with a decimal point!
- @setlocale( LC_NUMERIC, 'en_US', 'en' );
- @setlocale( LC_TIME, $mosConfig_locale );
- $mosConfig_list_limit = isset( $mosConfig_list_limit ) ? $mosConfig_list_limit : SEARCH_ROWS;
- unset( $_REQUEST["error"] );
-
- // Cast all the following fields to INT
- $parseToIntFields = array('user_id','product_id','category_id','manufacturer_id','id','cid','vendor_id','country_id','currency_id', 'limitstart', 'tax_rate_id',
- 'order_id','module_id','function_id','payment_method_id','coupon_id','product_type_id', 'product_price_id', 'shopper_group_id') ;
- foreach( $parseToIntFields as $intField ) {
- if( !empty($_REQUEST[$intField]) && is_array($_REQUEST[$intField]) ) {
- vmArrayToInts( $_REQUEST[$intField] );
- } elseif ( isset($_REQUEST[$intField]) ) {
- $_REQUEST[$intField] = $$intField = vmRequest::getInt($intField);
- }
- }
- $product_id = vmRequest::getInt('product_id');
- $vm_mainframe->setUserState('product_id', $product_id );
- if( vmIsAdminMode() ) {
- $category_id = (int)$vm_mainframe->getUserStateFromRequest( 'category_id', 'category_id' );
- } else {
- $category_id = vmRequest::getInt('category_id');
- }
- $manufacturer_id = vmRequest::getInt('manufacturer_id');
-
- $user_info_id = vmRequest::getVar('user_info_id');
- $myInsecureArray = array(
- 'user_info_id' => $user_info_id,
- 'page' => $page,
- 'func' => $func
- );
- /**
- * This InputFiler Object will help us filter malicious variable contents
- * @global vmInputFiler vmInputFiler
- */
- $GLOBALS['vmInputFilter'] = $vmInputFilter = vmInputFilter::getInstance();
- // prevent SQL injection
- if( $perm->check('admin,storeadmin') ) {
- $myInsecureArray = $vmInputFilter->safeSQL( $myInsecureArray );
- $myInsecureArray = $vmInputFilter->process( $myInsecureArray );
- // Re-insert the escaped strings into $_REQUEST
- foreach( $myInsecureArray as $requestvar => $requestval) {
- $_REQUEST[$requestvar] = $requestval;
- }
- } else {
- // Strip all tags from all input values
- $_REQUEST = $vmInputFilter->process( $_REQUEST );
- $_REQUEST = $vmInputFilter->safeSQL( $_REQUEST );
- }
-
- // Limit the keyword (=search string) length to 50
- $keyword = substr( urldecode( vmGet( $_REQUEST, 'keyword' )), 0, 50 );
-
- $vars = vmRequest::get('', VMREQUEST_ALLOWRAW );
- }
- // The Page will change with every different parameter / argument, so provide this for identification
- // "call" will call the function load_that_shop_page when it is not yet cached with exactly THESE parameters
- // or the caching time range has expired
- $GLOBALS['cache_id'] = vmTemplate::getCacheId();
-
- if( $option == "com_virtuemart" ) {
-
- // Check if we have to run a Shop Function
- // and if the user is allowed to execute it
- $funcParams = $ps_function->getFuncPermissions( $func );
- /**********************************************
- ** Get Page/Directory Permissions
- ** Displays error if directory is not registered,
- ** user has no permission to view it , or file doesn't exist
- ************************************************/
- if (empty($page)) {// default page
- if (defined('_VM_IS_BACKEND')) {
- $page = "store.index";
- }
- else {
- $page = HOMEPAGE;
- }
- }
- // Let's check if the user is allowed to view the page
- // if not, $page is set to ERROR_PAGE
- $pagePermissionsOK = $ps_module->checkModulePermissions( $page );
- $ok = true;
- if ( !empty( $funcParams["method"] ) && vmGet($_REQUEST, 'task') != 'cancel' ) {
- // Protection against Cross-Site Request Forgery
- if( vmIsAdminMode() && !vmSpoofCheck(null, $sess->getSessionId() ) ) {
- return;
- }
- // Get the function parameters: function name and class name
- $q = "SELECT #__{vm}_module.module_name,#__{vm}_function.function_class";
- $q .= " FROM #__{vm}_module,#__{vm}_function WHERE ";
- $q .= "#__{vm}_module.module_id=#__{vm}_function.module_id AND ";
- $q .= "#__{vm}_function.function_method='".$funcParams["method"]."' AND ";
- $q .= "#__{vm}_function.function_class='".$funcParams["class"]."'";
-
- $db->query($q);
- $db->next_record();
- $class = $db->f('function_class');
- if( file_exists( CLASSPATH."$class.php" ) ) {
- if( $ajax_request ) {
- require_once( CLASSPATH . 'connectionTools.class.php' );
- vmConnector::sendHeaderAndContent( 200 );
- }
- // Load class definition file
- require_once( CLASSPATH."$class.php" );
- $classname = str_replace( '.class', '', $funcParams["class"]);
- if( !class_exists(strtolower($classname))) {
- $classname = 'vm'.$classname;
- }
- if( class_exists( $classname )) {
- // create an object
- $$classname = new $classname();
-
- // RUN THE FUNCTION
- // $ok = $class->function( $vars );
- $ok = $$classname->$funcParams["method"]($vars);
- }
- if ($ok == false) {
- $no_last = 1;
- $last_page = vmGet( $_SESSION, 'last_page' );
- if( $last_page != HOMEPAGE && !empty( $last_page ) && empty($_REQUEST['ignore_last_page']) ) {
- $page = $last_page;
- }
- $my_page= explode ( '.', $page );
- $modulename = $my_page[0];
- $pagename = $my_page[1];
- $_REQUEST['keyword']= vmGet($_SESSION['session_userstate'], 'keyword' );
- $_REQUEST['category_id']= vmGet( $_SESSION['session_userstate'], 'category_id' );
- $_REQUEST['product_id']=$product_id = $_SESSION['session_userstate']['product_id'];
- }
- }
- else {
- $vmLogger->debug( "Could not include the class file $class" );
- }
-
- if (!empty($vars["error"])) {
- $error = vmGet( $vars, 'error' );
- }
- if (!empty($error)) {
- echo vmCommonHTML::getErrorField($error);
- }
-
- }
- else {
- $no_last = 0;
- //$error="";
- }
-
- // If this is an asynchronous page load,
- // we clear the output buffer and just send the log messages.
- // the variable named 'ajax_request' has to be set to 1.
- if( $func && $ajax_request) {
- // Send an indicator wether the function call return true or false
- vmCommonHTML::getSuccessIndicator( $ok, $vmDisplayLogger );
- $vm_mainframe->close(true);//die
- }
-
- if ($ok == true && empty($error) && !defined('_DONT_VIEW_PAGE') && !strstr($page, 'ajax') && !$ajax_request && !@$_REQUEST['only_page']) {
- $_SESSION['last_page'] = $page;
- }
- }
- // I don't get it, why Joomla uses masked gid values!
- if( !defined( '_VM_IS_BACKEND' )&& !class_exists('jfactory')) {
- $my = $mainframe->getUser();
- }
-
- if( empty($_REQUEST['only_page']) ) {
- // the Log object holds all error messages
- // here we flush the buffer and print out all messages
- $vmLogger->flush();
-
- // Now we can switch to implicit flushing
- $vmDisplayLogger->_buffering = false;
- }
-
- define( '_VM_PARSER_LOADED', 1 );
- }
- ?>