PageRenderTime 83ms CodeModel.GetById 15ms RepoModel.GetById 1ms app.codeStats 0ms

/ festos/core/core.php

http://festos.googlecode.com/
PHP | 405 lines | 262 code | 55 blank | 88 comment | 49 complexity | 616a346ef279f64a109140557566500e MD5 | raw file
Possible License(s): LGPL-2.1, BSD-3-Clause 
    

  1. <?php

    2. 

  2. /* **************************************************

    3. 

  3. Copyright (c) 2008, Skypanther(r) Studios, Inc.

    4. 

  4. Skypanther(r) is a registered trademark of Skypanther Studios, Inc. 

    5. 

  5. ************************************************** */

    6. 

  6. 

    7. 

  7. /*

    8. 

  8. *   DON'T CHANGE ANYTHING IN THIS FILE

    9. 

  9. *   ALL CONFIGURATION IS DONE IN config.php AND lang.PHP

    10. 

  10. */

    11. 

  11. require_once(dirname(dirname(__FILE__)).'/core/config.php');

    12. 

  12. define('THEMEDIR',$config["ABSOLUTE_FILE_PATH"].'themes/'.$config["THEME"]);

    13. 

  13. error_reporting($config['ERRORLEVEL']);

    14. 

  14. 

    15. 

  15. $config["ARTISTS_APPTYPID"] = '1';

    16. 

  16. $config["EXHIBITORS_APPTYPID"] = '2';

    17. 

  17. $config["FOODVENDORS_APPTYPID"] = '3';

    18. 

  18. $config["ENTERTAINERS_APPTYPID"] = '4';

    19. 

  19. $config["VOLUNTEERS_APPTYPID"] = '5';

    20. 

  20. 

    21. 

  21. 

    22. 

  22. /* INCLUDE THE CORE FILES OF THE APPLICATION */

    23. 

  23. require_once($config['ABSOLUTE_FILE_PATH'].'cache/dates.php');

    24. 

  24. require_once($config['ABSOLUTE_FILE_PATH'].'cache/roleinfo.php');

    25. 

  25. require_once($config['ABSOLUTE_FILE_PATH']."cache/lang.php");

    26. 

  26. require_once($config['ABSOLUTE_FILE_PATH']."cache/photolang.php");

    27. 

  27. require_once($config['ABSOLUTE_FILE_PATH']."core/output.php");

    28. 

  28. require_once($config['ABSOLUTE_FILE_PATH']."core/FestOS.php");

    29. 

  29. $festos = new FestOS($config);

    30. 

  30. 

    31. 

  31. 

    32. 

  32. //error_reporting($config['ERRORLEVEL']);

    33. 

  33. 

    34. 

  34. 

    35. 

  35. /* APPLICATION CONSTANTS - DON'T CHANGE THESE!!!! */

    36. 

  36. define('ADMINISTRATOR_ROLE_ID',1);

    37. 

  37. define('VENDOR_ROLE_ID',2);

    38. 

  38. define('USER_ROLE_ID',3);

    39. 

  39. 

    40. 

  40. /* INCLUDE THE MAIL HANDLING FUNCTIONS...OKAY, SO NOT EVERY PAGE WILL NEED THEM

    41. 

  41. 	SO THIS IS A RESOURCE WASTE. I'LL PUT THESE WHERE THEY BELONG SOMEDAY */

    42. 

  42. require_once($config['ABSOLUTE_FILE_PATH'].'core/check_email_address.php');

    43. 

  43. require_once($config['ABSOLUTE_FILE_PATH'].'core/class.phpmailer.php');

    44. 

  44. require_once($config['ABSOLUTE_FILE_PATH'].'core/class.smtp.php');

    45. 

  45. 

    46. 

  46. 

    47. 

  47. /* SOME FUNCTIONS THAT WE'LL USE A LOT, SO THEY'RE INCLUDED EVERYWHERE */

    48. 

  48. ## #####################################################

    49. 

  49. ##  despam()

    50. 

  50. ##  Modifies an email address to make it less spam-scraper-friendly

    51. 

  51. ##  despam($email, $linkText)

    52. 

  52. ##  returns a complete mailto link

    53. 

  53. ## #####################################################

    54. 

  54. function despam($email) {

    55. 

  55. 	$partA = substr($email,0, strpos($email,'@'));

    56. 

  56. 	$partB = substr($email,strpos($email,'@'));

    57. 

  57. 	$linkText = (func_num_args() == 2) ? func_get_arg(1) : $email;

    58. 

  58. 	$linkText = str_replace('@', '<span class="nospam">&#64;</span> ', $linkText);

    59. 

  59. 	return '<a href="#" onClick=\'a="'.$partA.'";this.href="mail"+"to:"+a+"'.$partB.'";\'>'.$linkText.'</a>';

    60. 

  60. }

    61. 

  61. 

    62. 

  62. 

    63. 

  63. ## #####################################################

    64. 

  64. ##  sendEmail()

    65. 

  65. ##  sends an email using mailer values in config.php

    66. 

  66. ##  returns nothing on success, phpMailer error string on failure

    67. 

  67. ## #####################################################

    68. 

  68. 

    69. 

  69. function sendEmail($to, $subject, $message) {

    70. 

  70. 	global $festos, $lang, $config;

    71. 

  71. 		// email address is good, process message

    72. 

  72. 		$mail = new PHPMailer();

    73. 

  73. 		$mail->SetLanguage($config['PHPMAILER_LANGUAGE'], $config['ABSOLUTE_FILE_PATH'].'/core/language');

    74. 

  74. 		$mail->IsSMTP(); // telling the class to use SMTP

    75. 

  75. 		$mail->SMTPAuth = $config['SMTP_AUTH']; // telling the class to use SMTP Auth

    76. 

  76. 		$mail->Username = $config['SMTP_USER'];

    77. 

  77. 		$mail->Password = $config['SMTP_USER_PASSWORD'];

    78. 

  78. 		$mail->Host = $config['SMTP_SERVER'];

    79. 

  79. 		

    80. 

  80. 		$mail->From = (isset($festos->email) && $festos->email!='') ? $festos->email : $config['SMTP_SENDER'];

    81. 

  81. 		$mail->FromName = (isset($festos->nickname) && $festos->nickname!='') ? $festos->nickname : '';

    82. 

  82. 

    83. 

  83. 		if(strpos($to, ',')!==FALSE) {

    84. 

  84. 			// if (substr_count($mystring, "Hello") == 0)

    85. 

  85. 			// passed multiple addresses, so, explode it and add them all

    86. 

  86. 			$toArray = explode(',',$to);

    87. 

  87. 			$cnt=count($toArray);

    88. 

  88. 			for($i=0;$i<$cnt;$i++) {

    89. 

  89. 				$mail->AddAddress($toArray[$i]);

    90. 

  90. 			} // end for()

    91. 

  91. 		} else {

    92. 

  92. 			// passed a single address, add it as the to list

    93. 

  93. 			$mail->AddAddress($to);

    94. 

  94. 		} // end if(strpos...

    95. 

  95. 		

    96. 

  96. 		$mail->Subject = $subject;

    97. 

  97. 		$mail->Body = $message;

    98. 

  98. 		$mail->WordWrap = 70;

    99. 

  99. 		

    100. 

  100. 		if(!$mail->Send()) {

    101. 

  101. 			return $lang['phpmailer_error'] . $mail->ErrorInfo;

    102. 

  102. 		}

    103. 

  103. }

    104. 

  104. 

    105. 

  105. ## #####################################################

    106. 

  106. ##  generatePassword()

    107. 

  107. ##  Generates a random password

    108. 

  108. ##  returns string

    109. 

  109. ## #####################################################

    110. 

  110. function generatePassword ($length = 8) {

    111. 

  111. 

    112. 

  112.   // start with a blank password

    113. 

  113.   $password = "";

    114. 

  114. 

    115. 

  115.   // define possible characters

    116. 

  116.   $possible = "0123456789bcdfghjkmnpqrstvwxyz"; 

    117. 

  117.     

    118. 

  118.   // set up a counter

    119. 

  119.   $i = 0; 

    120. 

  120.     

    121. 

  121.   // add random characters to $password until $length is reached

    122. 

  122.   while ($i < $length) { 

    123. 

  123. 

    124. 

  124.     // pick a random character from the possible ones

    125. 

  125.     $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);

    126. 

  126.         

    127. 

  127.     // we don't want this character if it's already in the password

    128. 

  128.     if (!strstr($password, $char)) { 

    129. 

  129.       $password .= $char;

    130. 

  130.       $i++;

    131. 

  131.     }

    132. 

  132. 

    133. 

  133.   }

    134. 

  134. 

    135. 

  135.   // done!

    136. 

  136.   return $password;

    137. 

  137. 

    138. 

  138. }

    139. 

  139. 

    140. 

  140. ## #####################################################

    141. 

  141. ##  passTheQueryString()

    142. 

  142. ##  Given the $_GET array, build a query string that can be

    143. 

  143. ##	appended to a URL for passing to a page, include, or template

    144. 

  144. ##  returns string

    145. 

  145. ## #####################################################

    146. 

  146. function passTheQueryString($q) {

    147. 

  147. 	// TAKES THE $_GET ARRAY AND BUILDS A NEW QUERY STRING

    148. 

  148. 	// FROM IT, FOR PASSING TO INCLUDED PAGES AND TEMPLATES

    149. 

  149. 	$str = '';

    150. 

  150. 	if(count($q)>0) {

    151. 

  151. 		$str = '?';

    152. 

  152. 		foreach($q as $qskey => $qsval) {

    153. 

  153. 			$str .= ($qskey.'='.$qsval.'&');

    154. 

  154. 		}

    155. 

  155. 	}

    156. 

  156. 	return rtrim($str,'&');

    157. 

  157. }

    158. 

  158. 

    159. 

  159. ## #####################################################

    160. 

  160. ##  ParamTester class

    161. 

  161. ##  Object class for checking a querystring parameter, options

    162. 

  162. ##	include testing for required value, integer value, etc.

    163. 

  163. ##	Use example:

    164. 

  164. ##		$pt = new ParamTester($_GET, 'id','integer','login.php');

    165. 

  165. ##		$pt->go();

    166. 

  166. ##	Above would check that the id was an integer, if not, would redirect to the login.php page

    167. 

  167. ## #####################################################

    168. 

  168. class ParamTester {

    169. 

  169. 	var $coll;

    170. 

  170. 	var $vbl; 

    171. 

  171. 	var $varToTest;

    172. 

  172. 	var $type; 

    173. 

  173. 	var $redir;

    174. 

  174. 	

    175. 

  175. 	function ParamTester ($coll, $vbl, $type = 'integer', $redir = 'index.php') {

    176. 

  176. 		$this->coll = &$coll;	// collection ($_GET or $_POST normally)

    177. 

  177. 		$this->vbl = $vbl;		// var within the collection to actually test

    178. 

  178. 		$this->type = $type;	// data type

    179. 

  179. 		$this->redir = $redir;	// redirection URL

    180. 

  180. 	}

    181. 

  181. 	

    182. 

  182. 	function setColl ($theColl) {

    183. 

  183. 		$this->coll = $theColl;

    184. 

  184. 	}

    185. 

  185. 	function setVarToTest ($theVar) {

    186. 

  186. 		$this->vbl = $theVar;

    187. 

  187. 	}

    188. 

  188. 	function setCheckType ($t) {

    189. 

  189. 		$this->type = $t;

    190. 

  190. 	}

    191. 

  191. 	function setRedirURL ($u) {

    192. 

  192. 		$this->redir = $u;

    193. 

  193. 	}

    194. 

  194. 	function go() {

    195. 

  195. 		if(!isset($this->coll) || !isset($this->vbl) || !isset($this->coll[$this->vbl]) ) {

    196. 

  196. 			// first, handle the cases where variables aren't set or the variable isn't in the collection

    197. 

  197. 			header('Location:'.$this->redir);

    198. 

  198. 			die();

    199. 

  199. 		}

    200. 

  200. 		$this->varToTest = $this->coll[$this->vbl];

    201. 

  201. 		switch($this->type) {

    202. 

  202. 		case 'integer':

    203. 

  203. 			if(!isset($this->varToTest) || ctype_digit($this->varToTest)===FALSE) {

    204. 

  204. 				header('Location:'.$this->redir);

    205. 

  205. 				die();

    206. 

  206. 			}

    207. 

  207. 		break;

    208. 

  208. 		case 'required':

    209. 

  209. 			if(!isset($this->varToTest)) {

    210. 

  210. 				header('Location:'.$this->redir);

    211. 

  211. 				die();

    212. 

  212. 			}

    213. 

  213. 		break;

    214. 

  214. 		case 'string':

    215. 

  215. 			if(!isset($this->varToTest) || ctype_alnum($this->varToTest)===FALSE) {

    216. 

  216. 				header('Location:'.$this->redir);

    217. 

  217. 				die();

    218. 

  218. 			}

    219. 

  219. 		break;

    220. 

  220. 		case 'letters':

    221. 

  221. 			if(!isset($this->varToTest) || ctype_alpha($this->varToTest)===FALSE) {

    222. 

  222. 				header('Location:'.$this->redir);

    223. 

  223. 				die();

    224. 

  224. 			}

    225. 

  225. 		break;

    226. 

  226. 		}

    227. 

  227. 	}

    228. 

  228. } // end ParamTester

    229. 

  229. 

    230. 

  230. 

    231. 

  231. ## #####################################################

    232. 

  232. ##  VarTester class

    233. 

  233. ##  Object class for checking a variable (typically a querystring parameter

    234. 

  234. ##	that could be passed as either a GET or POST param)

    235. 

  235. ##	Essentially a copy of the ParamTester class

    236. 

  236. ##	Use example:

    237. 

  237. ##		$vt = new VarTester($vbl,'integer','login.php');

    238. 

  238. ##		$vt->go();

    239. 

  239. ##	Above would check that $vbl is set, is an integer, and if not, would redirect to the login.php page

    240. 

  240. ## #####################################################

    241. 

  241. class VarTester {

    242. 

  242. 	var $vbl; 

    243. 

  243. 	var $type; 

    244. 

  244. 	var $redir;

    245. 

  245. 	

    246. 

  246. 	function VarTester ( $vbl, $type = 'integer', $redir = 'index.php') {

    247. 

  247. 		$this->vbl = $vbl;		// var within the collection to actually test

    248. 

  248. 		$this->type = $type;	// data type

    249. 

  249. 		$this->redir = $redir;	// redirection URL

    250. 

  250. 	}

    251. 

  251. 	

    252. 

  252. 	function setVarToTest ($theVar) {

    253. 

  253. 		$this->vbl = $theVar;

    254. 

  254. 	}

    255. 

  255. 	function setCheckType ($t) {

    256. 

  256. 		$this->type = $t;

    257. 

  257. 	}

    258. 

  258. 	function setRedirURL ($u) {

    259. 

  259. 		$this->redir = $u;

    260. 

  260. 	}

    261. 

  261. 	function go() {

    262. 

  262. 		switch($this->vbl) {

    263. 

  263. 		case 'integer':

    264. 

  264. 			if(!isset($this->vbl) || ctype_digit($this->vbl)===FALSE) {

    265. 

  265. 				header('Location:'.$this->redir);

    266. 

  266. 				die();

    267. 

  267. 			}

    268. 

  268. 		break;

    269. 

  269. 		case 'required':

    270. 

  270. 			if(!isset($this->vbl)) {

    271. 

  271. 				header('Location:'.$this->redir);

    272. 

  272. 				die();

    273. 

  273. 			}

    274. 

  274. 		break;

    275. 

  275. 		case 'string':

    276. 

  276. 			if(!isset($this->vbl) || ctype_alnum($this->vbl)===FALSE) {

    277. 

  277. 				header('Location:'.$this->redir);

    278. 

  278. 				die();

    279. 

  279. 			}

    280. 

  280. 		break;

    281. 

  281. 		case 'letters':

    282. 

  282. 			if(!isset($this->vbl) || ctype_alpha($this->vbl)===FALSE) {

    283. 

  283. 				header('Location:'.$this->redir);

    284. 

  284. 				die();

    285. 

  285. 			}

    286. 

  286. 		break;

    287. 

  287. 		}

    288. 

  288. 	}

    289. 

  289. } // end VarTester

    290. 

  290. 

    291. 

  291. 

    292. 

  292. /* ************************************************************

    293. 

  293. 	Geocoding function from http://www.hostip.info

    294. 

  294.    ************************************************************ */

    295. 

  295. function hostip_geocode($ip_address){

    296. 

  296. 

    297. 

  297.         $url = "http://api.hostip.info/get_html.php?ip=$ip_address&position=true";

    298. 

  298.         $ch = curl_init();    // initialize curl handle

    299. 

  299.         curl_setopt($ch, CURLOPT_URL,$url); // set url to post to

    300. 

  300.         curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); // return into a variable

    301. 

  301.         curl_setopt($ch, CURLOPT_TIMEOUT, 4); // times out after 4s

    302. 

  302.         curl_setopt($ch, CURLOPT_POSTFIELDS, $XPost); // add POST fields

    303. 

  303.         $result = curl_exec($ch); // run the whole process

    304. 

  304. 

    305. 

  305.         //print $result . "<BR>";

    306. 

  306. 

    307. 

  307.         //print "$url<BR>$result<BR>";

    308. 

  308. 

    309. 

  309.         $find_string = "Country:";

    310. 

  310.         $start = strpos($result,$find_string);

    311. 

  311.         if ($start != false){

    312. 

  312.                 $start = strpos($result,$find_string);

    313. 

  313.                 $line_end = strpos($result,"\n",$start) - strlen($find_string) - $start;

    314. 

  314.                 $geocode['country'] = trim(substr($result,$start + strlen($find_string),$line_end));

    315. 

  315.         }

    316. 

  316. 

    317. 

  317.         $find_string = "City:";

    318. 

  318.         $start = strpos($result,$find_string);

    319. 

  319.         if ($start != false){

    320. 

  320.                 $line_end = strpos($result,"\n",$start) - strlen($find_string) - $start;

    321. 

  321.                 $city_state = trim(substr($result,$start + strlen($find_string),$line_end));

    322. 

  322.                 $geocode['city'] = trim(substr($city_state,0,strpos($city_state,",")));

    323. 

  323.                 $geocode['state'] = trim(substr($city_state,strpos($city_state,",")+1));

    324. 

  324.         }

    325. 

  325. 

    326. 

  326.         $find_string = "Latitude:";

    327. 

  327.         $start = strpos($result,$find_string);

    328. 

  328.         if ($start != false){

    329. 

  329.                 $line_end = strpos($result,"\n",$start) - strlen($find_string) - $start;

    330. 

  330.                 $geocode['latitude'] = trim(substr($result,$start + strlen($find_string),$line_end));

    331. 

  331.         }

    332. 

  332. 

    333. 

  333.         $find_string = "Longitude:";

    334. 

  334.         $start = strpos($result,$find_string);

    335. 

  335.         if ($start != false){

    336. 

  336.                 $line_end = strpos($result,"\n",$start) - strlen($find_string) - $start;

    337. 

  337.                 if ($line_end <= 0) $line_end = strlen($result) - $start - strlen($find_string);

    338. 

  338.                 $geocode['longitude'] = trim(substr($result,$start + strlen($find_string),$line_end));

    339. 

  339.         }

    340. 

  340. 

    341. 

  341. 

    342. 

  342.         return $geocode;

    343. 

  343. }

    344. 

  344. 

    345. 

  345. //==== Redirect... Try PHP header redirect, then Java redirect, then try http redirect.:

    346. 

  346. function redirect($url){

    347. 

  347.     if (!headers_sent()){    //If headers not sent yet... then do php redirect

    348. 

  348.         header('Location: '.$url); exit;

    349. 

  349.     }else{                    //If headers are sent... do java redirect... if java disabled, do html redirect.

    350. 

  350.         echo '<script type="text/javascript">';

    351. 

  351.         echo 'window.location.href="'.$url.'";';

    352. 

  352.         echo '</script>';

    353. 

  353.         echo '<noscript>';

    354. 

  354.         echo '<meta http-equiv="refresh" content="0;url='.$url.'" />';

    355. 

  355.         echo '</noscript>'; exit;

    356. 

  356.     }

    357. 

  357. }//==== End -- Redirect

    358. 

  358. 

    359. 

  359. //==== Turn on HTTPS - Detect if HTTPS, if not on, then turn on HTTPS:

    360. 

  360. function SSLon(){

    361. 

  361.     if($_SERVER['HTTPS'] != 'on'){

    362. 

  362.         $url = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

    363. 

  363.         redirect($url);

    364. 

  364.     }

    365. 

  365. }//==== End -- Turn On HTTPS

    366. 

  366. 

    367. 

  367. //==== Turn Off HTTPS -- Detect if HTTPS, if so, then turn off HTTPS:

    368. 

  368. function SSLoff(){

    369. 

  369.     if($_SERVER['HTTPS'] == 'on'){

    370. 

  370.         $url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];

    371. 

  371.         redirect($url);

    372. 

  372.     }

    373. 

  373. }//==== End -- Turn Off HTTPS

    374. 

  374. 

    375. 

  375. /* 2009-12-21 skypanther

    376. 

  376.  Exploit: http://www.exploit-db.com/exploits/10552

    377. 

  377.  Reports that you can append one of the config fields to the URL to execute an RFI attack

    378. 

  378.  Doesn't work for me. But, assuming this file is included, I'll at least try to block such attacks by 

    379. 

  379.  	stripping any $config variables out of the $_GET array.

    380. 

  380. */

    381. 

  381. foreach($config as $cfg => $vlu) {

    382. 

  382. 	if(isset($_GET[$cfg])) unset($_GET[$cfg]);

    383. 

  383. }

    384. 

  384. 

    385. 

  385. /*

    386. 

  386. 	INPUT FILTERING

    387. 

  387. 	Abstraction function so that I can replace with a different library in the

    388. 

  388. 	future if desired

    389. 

  389. */

    390. 

  390. require_once($config['ABSOLUTE_FILE_PATH']."core/htmLawed.php");

    391. 

  391. function filterHTML($htext) {

    392. 

  392. 	global $config;

    393. 

  393. 	if(!isset($config['filtertags']) || $config['filtertags'] == '' || $config['filtertags'] == NULL) {

    394. 

  394. 		$config['filtertags'] = '*-applet-embed-iframe-object-script';

    395. 

  395. 	} 

    396. 

  396. 	if(get_magic_quotes_gpc()) {

    397. 

  397. 		return htmLawed(stripslashes($htext), array('comments'=>0, 'cdata'=>0, 'deny_attribute'=>'on*', 'elements'=>$config['filtertags'], 'scheme'=>'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https' ));

    398. 

  398. 		

    399. 

  399. 	} else {

    400. 

  400. 		return htmLawed($htext, array('comments'=>0, 'cdata'=>0, 'deny_attribute'=>'on*', 'elements'=>$config['filtertags'], 'scheme'=>'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https' ));

    401. 

  401. 	}

    402. 

  402. } // end filterHTML

    403. 

  403. 

    404. 

  404. 

    405. 

  405. ?>
    406.