/phpshop1/index.php

http://phpshop.googlecode.com/
  1. <?php
  2. // Copyright (C) 1996-2004 Edikon Corporation. All rights reserved.
  3. //
  4. // This source file is part of phpShop(R).
  5. //
  6. // This file may be distributed and/or modified under the terms of the
  7. // "GNU General Public License" version 2 as published by the Free
  8. // Software Foundation and appearing in the file LICENSE.GPL included in
  9. // the packaging of this file.
  10. //
  11. // This file is provided AS IS with NO WARRANTY OF ANY KIND, INCLUDING
  12. // THE WARRANTY OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  13. // PURPOSE.
  14. //
  15. // The "GNU General Public License" (GPL) is available at
  16. // http://www.gnu.org/copyleft/gpl.html.
  17. //
  18. // Contact license@edikon.com if any conditions of this licencing isn't clear to
  19. // you.
  20. // $Id: index.php,v 1.1.1.1 2004/07/27 14:58:07 pablo Exp $
  21. // EDIT
  22. define('PS_BASE', './WEB-INF/');
  23. // DO NOT EDIT FROM HERE ON
  24. //**************************************************
  25. // Set error reporting level
  26. error_reporting(E_ALL ^ E_NOTICE);
  27. // force register_globals off
  28. ini_set("register_globals", 0);
  29. // check if magic quotes is enabled, die if not
  30. /*
  31. if (!get_magic_quotes_gpc()) {
  32. die("You must enable magic_quotes_gpc in php.ini in order to run phpShop. Read <a href=\"http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc\"> the docs</a>.");
  33. }
  34. */
  35. // Set global path
  36. ini_set("include_path", ".".PATH_SEPARATOR.PS_BASE.PATH_SEPARATOR.PS_BASE."modules");
  37. // define webroot so that image uploads work
  38. define("WEBROOT",dirname($_SERVER['SCRIPT_FILENAME']));
  39. // left for backwards compatibility
  40. define("MODROOT",PS_BASE."modules/");
// Compatibility shim: this file (and the modules) still expect PHP 4
// register_globals semantics, i.e. every request parameter available as a
// global ($page, $func, $lang, $print, $product_id, ... are read below).
// With register_globals off, import_request_variables() recreates that:
// every Cookie, GET and POST key becomes a global (later sources in "CGP"
// win, so POST overrides GET overrides Cookie). SECURITY: this also means
// the client can pre-set ANY global this script relies on ($auth, $cart,
// $last_page, $run_dir, $run_func, ...). $run_dir/$run_func are reset below;
// NOTE(review): whether ps_session overwrites a request-supplied $auth/$cart
// before they are used cannot be told from this file — verify.
// (The "XSS fixes" the original comment referred to are harden_parse()
// further down, not anything in this block.)
if (function_exists ("import_request_variables") &&
False == ini_get('register_globals')) {
import_request_variables ("CGP",""); // php >=4.1; removed again in PHP 5.4
// Long-form names for code written against PHP < 4.1.
$HTTP_GET_VARS = $_GET;
$HTTP_POST_VARS = $_POST;
$HTTP_COOKIE_VARS = $_COOKIE;
$PHP_SELF = $_SERVER["PHP_SELF"];
$SERVER_NAME = $_SERVER["SERVER_NAME"];
$REMOTE_ADDR = $_SERVER["REMOTE_ADDR"];
// Both are client-supplied request headers; do not treat them as the
// client's address for access control or logging.
$HTTP_X_FORWARDED_FOR = $_SERVER["HTTP_X_FORWARDED_FOR"];
$HTTP_VIA = $_SERVER["HTTP_VIA"];
// Uploads: recreate $<field>, $<field>_name and $<field>_size. The field
// name is chosen by the client, so this too writes arbitrary globals.
foreach($_FILES as $k=>$v) {
$$k = $v['tmp_name'];
$k_name = $k . "_name";
$$k_name = $v['name'];
$k_size = $k . "_size";
$$k_size = $v['size'];
}
} else {
// Fallback for PHP < 4.1 (no import_request_variables()); see
// http://de.php.net/manual/de/function.import-request-variables.php
// NOTE(review): on PHP >= 5.4 import_request_variables() and $HTTP_*_VARS no
// longer exist, so this is the branch that runs there, and it imports
// nothing — $page, $func, $lang etc. stay unset. Also, EXTR_PREFIX_ALL with
// an empty prefix presumably yields names like $_page rather than $page.
extract($HTTP_GET_VARS, EXTR_PREFIX_ALL, "");
extract($HTTP_POST_VARS, EXTR_PREFIX_ALL, "");
}
// Load Required Files
// config.php presumably supplies the constants used below (DEBUG, LANGUAGE,
// HOMEPAGE, ERRORPAGE, LOGINPAGE, DEBUGPAGE) and db_mysql.inc the ps_DB
// class. The bare "admin/lib/..." paths resolve through the include_path set
// above, whose last entry is the modules tree; ps_main.inc / ps_include.inc
// presumably provide utime(), load_module(), load_labels(), $ps_module,
// $ps_function and the session/permission classes instantiated below.
// Presumably order-dependent: config.php first so its constants exist.
require(PS_BASE. "etc/config.php");
require(PS_BASE . "db/db_mysql.inc");
require("admin/lib/ps_main.inc");
require("admin/lib/ps_include.inc");
// Timer Start (paired with the DEBUG block at the end of the file)
if (DEBUG) {
$start = utime();
}
  77. // some input validation for offset
  78. if (!empty($_REQUEST['offset'])) {
  79. if (is_string($_REQUEST['offset']) and $_REQUEST['offset'] == (string)(int) $_REQUEST['offset']) {
  80. }
  81. else die('Please provide an permitted value for offset');
  82. }
  83. // basic SQL inject detection
  84. $my_insecure_array = array('keyword' => $_REQUEST['keyword'],
  85. 'category_id' => $_REQUEST['category_id'],
  86. 'product_id' => $_REQUEST['product_id'],
  87. 'user_id' => $_REQUEST['user_id'],
  88. 'user_info_id' => $_REQUEST['user_info_id'],
  89. 'page' => $_REQUEST['page'],
  90. 'func' => $_REQUEST['func']);
  91. while(list($key,$value)=each($my_insecure_array)) {
  92. if (stristr($value,'FROM ') ||
  93. stristr($value,'UPDATE ') ||
  94. stristr($value,'WHERE ') ||
  95. stristr($value,'ALTER ') ||
  96. stristr($value,'SELECT ') ||
  97. stristr($value,'SHUTDOWN ') ||
  98. stristr($value,'CREATE ') ||
  99. stristr($value,'DROP ') ||
  100. stristr($value,'DELETE FROM') ||
  101. stristr($value,'script') ||
  102. stristr($value,'<>') ||
  103. stristr($value,'=') ||
  104. stristr($value,'SET '))
  105. die('Please provide a permitted value for '.$key);
  106. }
// Load module definitions
// Replaced by the load_module()/load_labels() results once the module is
// resolved below; $module is keyed by module name (see the header/footer
// lookup at the end of the file).
$module = array();
$label = array();
// Instantiate db and session class
// NOTE(review): ps_session presumably restores the session-registered
// globals ($lang, $last_page, $cart, $auth) here; cannot be confirmed from
// this file.
$db = new ps_DB;
$sess = new ps_session;
$perm = new ps_perm;
$vars = array();
// In case someone tries to be sneaky
// The request shim above can seed any global from the request, so reset the
// two gate flags; only the permission checks below may turn $run_func on
// ($run_dir is never assigned again in this file).
$run_dir=0;
$run_func=0;
// Set default language as specified in phpshop.cfg
// NOTE(review): because of the shim, $lang (and $cart/$auth below) already
// counts as set whenever the request carries a parameter of that name, so
// these !isset() defaults are skipped and the request value is what gets
// registered — unless ps_session has already overwritten it. Verify against
// ps_session before treating these as session-only state.
if (!isset($lang)) {
$lang = LANGUAGE;
$sess->register("lang");
}
// Save current page call (raw request value at this point; validated below)
$this_page=$page;
// Register previous page
if (!isset($last_page)) {
$sess->register("last_page");
}
// Register the cart
if (!isset($cart)) {
$cart = array();
$cart["idx"] = 0;
$sess->register("cart");
}
// Register the auth array ($auth["perms"] decides below whether request
// values are run through harden_parse())
if (!isset($auth)) {
$auth = array();
$sess->register("auth");
}
// This is what we work with.
// Copy of all request parameters (GET/POST, plus cookies depending on the
// request_order setting); it is what the module functions receive, after
// harden_parse() for non-admin users.
$vars = $_REQUEST;
  142. /* start fixing security hole */
  143. function harden_parse($vars){
  144. $vars2=trim($vars);
  145. $vars2=strip_tags($vars2);
  146. $vars2=str_replace("#","&#35;",$vars2);
  147. $vars2=str_replace("(","&#40;",$vars2);
  148. $vars2=str_replace(")","&#41;",$vars2);
  149. $vars2=str_replace("[","&#91;",$vars2);
  150. $vars2=str_replace("]","&#93;",$vars2);
  151. $vars2=str_replace("%","&#37;",$vars2);
  152. return $vars2;
  153. }
  154. if (count($vars) && $auth["perms"]!="admin" && $auth["perms"]!="storeadmin"){
  155. while (list($key, $value) = each ($vars)) {
  156. if (is_array($value)){
  157. while (list($keyA, $valueA) = each ($value)) {
  158. $varsA[$keyA]=harden_parse($valueA);
  159. } $vars2[$key] = $varsA; unset ($varsA);
  160. }
  161. else { $vars2[$key]=harden_parse($value); }
  162. if ($HTTP_POST_VARS[$key]){ $HTTP_POST_VARS[$key]=$vars2[$key]; }
  163. if ($HTTP_GET_VARS[$key]){ $HTTP_GET_VARS[$key]=$vars2[$key]; }
  164. $$key = harden_parse($vars2[$key]);
  165. }
  166. $vars = $vars2;
  167. $QUERY_STRING = harden_parse($QUERY_STRING);
  168. }
  169. if ($page=="shop/flypage" and !$product_id){ $page="shop/browse"; }
  170. unset($vars2);
  171. /* end fixing security hole */
  172. // Get Function Permissions
  173. // Sets $run_func if func is registered and have permission
  174. // Displays error if function is not registered
  175. if ($func) {
  176. $func_list = $ps_function->get_function($func);
  177. if ($func_list) {
  178. if ($perm->check($func_list["perms"])) {
  179. $run_func = 1;
  180. $func_perms = $func_list["perms"];
  181. $func_class = $func_list["class"];
  182. $func_method = $func_list["method"];
  183. }
  184. else {
  185. $error_type = "Insufficient Access Rights";
  186. $error = "You do not have permission to execute $func.";
  187. $page = ERRORPAGE;
  188. $run_func = 0;
  189. }
  190. }
  191. else {
  192. $error_type = "Function Not Registered";
  193. $error = "$func is not a valid phpShop function.";
  194. $page = ERRORPAGE;
  195. $run_func = 0;
  196. }
  197. }
// Get Page/Directory Permissions
// Resolves $page ("module/pagename") to a registered module and checks the
// caller may see it. Outcomes:
//   - module registered, permitted, file present  -> page loads
//   - module registered, permitted, file missing  -> ERRORPAGE
//   - module registered, not permitted            -> back to $last_page with
//                                                    $vars["login"] set
//                                                    (unless logging in)
//   - module not registered                       -> ERRORPAGE
// (The original comment mentioned $run_dir; nothing in this block assigns it.)
if (!$page) {
$page = HOMEPAGE;
}
// $page is client-supplied. The registry lookup below is the control that
// keeps require("$modulename/lib/ps_include.inc") from loading arbitrary
// paths: only names get_dir() knows get that far, so "../x" never becomes a
// module as long as get_dir() rejects unknown names.
$modulename = dirname("$page");
$pagename = basename("$page");
// NOTE(review): dirname() of a bare page name is ".", not "", so this
// fallback presumably triggers only for unusual values — verify.
if (empty($modulename)) {
$modulename=dirname(HOMEPAGE);
$pagename = basename(HOMEPAGE);
}
$dir_list = $ps_module->get_dir($modulename);
if ($dir_list) {
if ($perm->check($dir_list["perms"])) {
if (!file_exists(PS_BASE."modules/$modulename/html/$pagename.ihtml")) {
$error_type = "Page Does Not Exist";
// Echoes the requested path on ERRORPAGE; tags were stripped by
// harden_parse() only for non-admin users.
$error = "Given filename does not exist. Cannot find file:<BR>";
$error .= $modulename."/html/".$pagename.".ihtml";
$page = ERRORPAGE;
}
}
else {
// Not permitted: send the user back and flag a login, except while the
// login function itself is running.
if ($func != "userLogin") {
unset($error);
$page = $last_page;
$vars["login"]=1;
}
}
// Load MODULE
// Runs for the not-permitted case as well: the module's include file and
// labels are loaded regardless of the permission outcome.
$module = load_module($modulename);
require("$modulename/lib/ps_include.inc");
$label = load_labels($modulename);
}
else {
$error_type = "Module Not Registered";
$error = "$modulename is not a valid phpShop module.";
$page = ERRORPAGE;
}
// Run the function if we have permission
// $run_func/$func_class/$func_method were set from the function registry
// above, so the values interpolated into this query come from the registry
// row, not straight from the request. NOTE(review): they are still unescaped
// string concatenation; if the registry is ever editable (e.g. from the admin
// UI) this is second-order SQL injection — escape/parameterize in ps_DB.
if ($run_func) {
$q = "SELECT module.module_name FROM module,function WHERE ";
$q .= "module.module_id=function.module_id AND ";
$q .= "function.function_method='$func_method' AND ";
$q .= "function.function_class='$func_class'";
$db->query($q);
$db->next_record();
// Load class definition file and run function
// Path and class name come from the same registry rows; the method receives
// the request array (hardened for non-admin users).
require_once($db->f("module_name")."/lib/$func_class.inc");
$$func_class = new $func_class;
$ok = $$func_class->{$func_method}($vars);
// for debug
$cmd = $func_class.'->'.$func_method.'()';
// Failure: stay on the login page when a login is in progress, otherwise go
// back to $last_page. $vars["error"] is presumably filled in by the method
// (which would have to take $vars by reference — cannot confirm here).
// NOTE(review): $vars is the request array, so a client-sent login=1 takes
// the first branch just like the flag set by this file.
if (!$ok) {
if ($vars["login"] == "1") {
$error = $vars["error"];
$vars["login"]=1;
}
else {
$no_last=1;
$page = $last_page;
$error = $vars["error"];
}
}
// Success: the method decides the next page via $vars["page"]; that page is
// not re-checked against the module registry before it is included below.
else {
$no_last = 0;
unset($error);
$page = $vars["page"];
}
}
// LOAD PAGE
// If this is a login, then load the appropriate module information based on
// where the login page is.
// Three triggers: the login flag (set above on a permission failure, or sent
// by the client, since $vars is the request array), an explicit LOGINPAGE
// request, or a failed permission check. NOTE(review): $dir_list still
// describes the module resolved from the ORIGINAL $page; if the function that
// ran changed $page to another module, that module's perms are neither
// checked here nor looked up before the include at the end — verify against
// what the registered functions put in $vars["page"].
if ($vars["login"] == "1" || $page==LOGINPAGE || !$perm->check($dir_list["perms"])) {
$last_page = $this_page;
$page = LOGINPAGE;
$modulename = dirname($page);
$module = load_module($modulename);
require("$modulename/lib/ps_include.inc");
$label = load_labels($modulename);
}
// Remember the page that was requested, unless a failed function already
// sent us back to the previous one.
if (!$no_last) {
$last_page = $this_page;
}
if (!$page) {
$page = HOMEPAGE;
}
  286. // Show the page!
  287. $modulename = dirname($page);
  288. $pagename = basename($page) . ".ihtml";
  289. // Load global file
  290. require("templates/global.inc");
  291. // Load language file for this module
  292. if (file_exists(MODROOT."$modulename/lib/lang_$lang.inc")) {
  293. include(MODROOT."$modulename/lib/lang_$lang.inc");
  294. }
  295. elseif(file_exists(MODROOT."$modulename/lib/lang_eng.inc")) {
  296. include(MODROOT."$modulename/lib/lang_eng.inc");
  297. }
  298. if (is_file(PS_BASE . "languages/lang_$lang.inc") && file_exists(PS_BASE . "languages/lang_$lang.inc")) {
  299. include(PS_BASE . "languages/lang_$lang.inc");
  300. }
  301. else{
  302. include(PS_BASE . "languages/lang_eng.inc");
  303. }
  304. // Load Header
  305. if ($module[$modulename]["module_header"] && $print!="1") {
  306. include("templates/".$module[$modulename]["module_header"]);
  307. }
  308. // Load PAGE
  309. include("$modulename/html/$pagename");
  310. // Load footer
  311. if ($module[$modulename]["module_footer"] && $print!="1") {
  312. include("templates/".$module[$modulename]["module_footer"]);
  313. }
// Save the session variables for the next run
// Persists the globals registered above ($lang, $last_page, $cart, $auth).
$sess->save();
// Set debug option on/off
// With DEBUG enabled the debug page (timing, and presumably further
// diagnostics) is appended to every response — keep it off in production.
if (DEBUG) {
$end = utime();
$runtime = $end - $start;
$messages = dirname(DEBUGPAGE);
$pagename = basename(DEBUGPAGE) . ".ihtml";
include("$messages/html/$pagename");
}
  324. ?>