view msite.inc.php @ 207:e31c42a9b574
Slowly work on input validation.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Sun, 17 Nov 2013 19:26:46 +0200 |
parents | 77d33161f8be |
children | b236b4d8d7a9 |
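<?php
//
// FAPWeb Simple Demoparty System
// Generic and miscellaneous site support code
// (C) Copyright 2012-2013 Tecnic Software productions (TNSP)
//
// NOTE: the file used the short "<?" open tag; with short_open_tag=Off
// (the default since PHP 5.4) the whole file would be emitted as text,
// so the full "<?php" tag is used instead. The closing tag is omitted
// to avoid accidental trailing-whitespace output from an include file.
//
require_once "msitegen.inc.php";

// Define modes of party information display system
define("SMODE_ROTATE", 1);
define("SMODE_COMPO", 2);

// Define sizes of database fields, see createdb.php
// and also the places where input is validated.
define("SET_LEN_USERNAME", 32);
define("SET_LEN_GROUPS", 64);
define("SET_LEN_ONELINER", 64);
define("SET_LEN_EMAIL", 80);
define("SET_LEN_NEWS_TITLE", 128);
define("SET_LEN_NEWS_TEXT", 4096);
define("SET_LEN_NEWS_AUTHOR", 64);
define("SET_LEN_COMPO_NAME", 128);
define("SET_LEN_COMPO_DESC", 4096);
define("SET_LEN_ENTRY_NAME", 64);
define("SET_LEN_ENTRY_AUTHOR", 64);
define("SET_LEN_ENTRY_FILENAME", 256);
define("SET_LEN_ENTRY_INFO", 256);

//
// Different voting modes
//
// VOTE_FREELY - Vote keys are not tied to attendees, and do not need to be activated
define("VOTE_FREELY", 0);
// VOTE_ACTIVATE - Vote keys are not tied to attendees, but require manual activation.
define("VOTE_ACTIVATE", 1);
// VOTE_ASSIGN - Keys are tied to attendees, activated by assigning the key to attendee.
define("VOTE_ASSIGN", 2);


// Load every row of the displayVars table into the global $displayVars
// array (keyed by the row's "key" column), converting the stored value
// according to the row's "vtype". Also resets $displayVarsChanged, the
// array that stSaveDisplayVars() uses to find modified entries.
function stReloadDisplayVars()
{
  global $displayVars, $displayVarsChanged;
  $displayVars = array();
  $displayVarsChanged = array();

  if (($res = stExecSQL("SELECT * FROM displayVars")) !== FALSE)
  {
    foreach ($res as $row)
    {
      switch ($row["vtype"])
      {
        case VT_INT:  $val = intval($row["vint"]); break;
        case VT_BOOL: $val = intval($row["vint"]) ? true : false; break;
        case VT_STR:  $val = $row["vstr"]; break;
        case VT_TEXT: $val = $row["vtext"]; break;
        default:
          // Unknown type: skip the row rather than storing a stale
          // $val left over from the previous iteration.
          continue 2;
      }
      $displayVars[$row["key"]] = $val;
    }
  }
}


// Write back every display variable flagged in $displayVarsChanged,
// using the column matching the row's "vtype". Rows that were not
// changed (or whose type is unknown) are left untouched.
function stSaveDisplayVars()
{
  global $db, $displayVars, $displayVarsChanged;

  if (($res = stExecSQL("SELECT * FROM displayVars")) === FALSE)
    return;

  foreach ($res as $item)
  {
    if (!isset($displayVarsChanged[$item["key"]]))
      continue;

    $val = $displayVars[$item["key"]];
    switch ($item["vtype"])
    {
      case VT_INT:  $vsql = stPrepareSQL("vint=%d", $val); break;
      case VT_BOOL: $vsql = stPrepareSQL("vint=%d", $val ? 1 : 0); break;
      case VT_STR:  $vsql = stPrepareSQL("vstr=%s", $val); break;
      case VT_TEXT: $vsql = stPrepareSQL("vtext=%s", $val); break;
      default:
        // Unknown type: nothing sensible to write; skip instead of
        // issuing an UPDATE with a missing or stale SET clause.
        continue 2;
    }

    // Key is quoted via the driver; the SET clause was built by stPrepareSQL()
    $sql = "UPDATE displayVars SET ".$vsql." WHERE key=".$db->quote($item["key"]);
    stExecSQL($sql);
  }
}


// Return the current value of display variable $name.
// Dies if no such variable was loaded by stReloadDisplayVars().
// (isset() is used, so a variable holding NULL is treated as missing.)
function stGetDisplayVar($name)
{
  global $displayVars;

  if (isset($displayVars[$name]))
    return $displayVars[$name];
  else
    die("No display var for '".$name."'.\n");
}


// Set display variable $name to $value and mark it as changed so that
// stSaveDisplayVars() will persist it. Dies if the variable does not exist;
// new variables can not be created this way.
function stSetDisplayVar($name, $value)
{
  global $displayVars, $displayVarsChanged;

  if (isset($displayVars[$name]))
  {
    $displayVars[$name] = $value;
    $displayVarsChanged[$name] = true;
  }
  else
    die("No display var for '".$name."'.\n");
}


// Output one attendee as a table row (or just its cells when $tr is FALSE).
//  $item   - attendee database row
//  $row    - row index, used for odd/even striping
//  $tr     - wrap the cells in a <tr> element
//  $full   - include e-mail and edit/delete controls (admin view)
//  $edit   - render fields as editable inputs
//  $eclass - extra CSS class appended to the row
function stPrintAttendee($item, $row, $tr, $full, $edit, $eclass = "")
{
  // The id is embedded unescaped in HTML attributes and inline JS below,
  // so force it to an integer even though it comes from the database.
  $id = intval($item["id"]);
  $prefix = "at";

  if ($tr)
  {
    echo
      " <tr class=\"".($row % 2 == 1 ? "rodd" : "reven").$eclass.
      "\" id=\"attendee".$id."\" ".($full ? "onClick=\"activateAttendee(".$id.")\"" : "").">";
  }

  echo
    stGetTDEditTextItem($edit, 20, SET_LEN_USERNAME, "name", $id, $prefix, $item["name"]).
    stGetTDEditTextItem($edit, 20, SET_LEN_GROUPS, "groups", $id, $prefix, $item["groups"]).
    "<td class=\"regtime\">".date("d.m. H:i", $item["regtime"])."</td>".
    stGetTDEditTextItem($edit, 30, SET_LEN_ONELINER, "oneliner", $id, $prefix, $item["oneliner"], "autocomplete=\"off\"");

  if ($full)
  {
    echo stGetTDEditTextItem($edit, 20, SET_LEN_EMAIL, "email", $id, $prefix, $item["email"], "autocomplete=\"off\"");

    if ($edit)
    {
      echo "<td>".
        "<button class=\"button\" id=\"atupd".$id."\" type=\"button\" onclick=\"updateAttendee(".$id.")\"> Upd </button>".
        "<button class=\"button\" id=\"atdel".$id."\" type=\"button\" onclick=\"deleteAttendee(".$id.")\"> Del </button>".
        "</td>";
    }
    else
      echo "<td></td>";
  }

  if ($tr)
    echo "</tr>\n";
}


// Output one news item. Title and author are escaped with chentities(),
// the text with dhentities(). $edit is appended verbatim to the signature
// line, so the caller must supply already-escaped HTML there.
function stPrintNewsItem($item, $edit = "")
{
  echo
    "<div class=\"newsitem\" id=\"news".intval($item["id"])."\">\n".
    " <h2>".chentities($item["title"])."</h2>\n".
    " <div class=\"text\">".dhentities($item["text"])."</div>\n".
    " <div class=\"sig\">-- ".chentities($item["author"])."<br />".
    date("d M Y / H:i", $item["utime"]).
    $edit."</div>\n".
    "</div>\n";
}


// Fetch competitions and their entries into the global $compos array,
// keyed by compo id: array("name" => ..., "showAuthors" => ..., "entries" => array(id => row)).
//  $fvisible - only include compos with visible<>0
//  $fvoting  - only include compos with voting<>0
// Note that $compos is not cleared first; existing keys are overwritten.
function stGetCompoList($fvisible, $fvoting = FALSE)
{
  global $compos;

  // Build the WHERE clause from only the conditions that are enabled.
  // (Previously an empty string was implode()d in when only one flag was
  // set, producing "visible<>0 AND " / " AND voting<>0" and a SQL error.)
  $conds = array();
  if ($fvisible) $conds[] = "visible<>0";
  if ($fvoting)  $conds[] = "voting<>0";

  $sql = "SELECT * FROM compos";
  if (count($conds) > 0)
    $sql .= " WHERE ".implode(" AND ", $conds);

  // Get entries and competitions into an array structure
  foreach (stExecSQL($sql) as $compo)
  {
    $id = $compo["id"];
    $compos[$id] = array(
      "name" => $compo["name"],
      "showAuthors" => $compo["showAuthors"],
      "entries" => array()
    );

    $sql = stPrepareSQL("SELECT * FROM entries WHERE compo_id=%d", $id);
    foreach (stExecSQL($sql) as $entry)
    {
      $compos[$id]["entries"][$entry["id"]] = $entry;
    }
  }
}


// Generate a new vote key of stGetSetting("userKeyLength") characters that
// does not yet exist in the votekeys table. Returns the key string, or
// FALSE if the uniqueness query fails (the error is logged).
function stGenerateUserKey()
{
  global $db;
  // Alphabet of visually unambiguous characters (no 0/O, 1/l/I, etc.)
  $keyChars = "abdefghjkmnpqrstwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789";
  $numChars = strlen($keyChars);
  $keyLen = intval(stGetSetting("userKeyLength"));

  // Vote keys act as credentials, so draw from the CSPRNG where the
  // runtime provides one. rand() is predictable, and "rand() % n" is
  // additionally biased towards the first characters of the alphabet.
  $haveSecureRand = function_exists("random_int");

  while (TRUE)
  {
    // Generate one randomized keycode
    $key = "";
    for ($n = 0; $n < $keyLen; $n++)
    {
      $idx = $haveSecureRand ? random_int(0, $numChars - 1) : mt_rand(0, $numChars - 1);
      $key .= $keyChars[$idx];
    }

    // Check if it already exists, to avoid duplicates
    // We need custom query code here, because stFetchSQLColumn()
    // won't work due to it returning FALSE in error cases.
    $sql = stPrepareSQL("SELECT * FROM votekeys WHERE key=%s", $key);
    if (($res = @$db->query($sql)) !== FALSE)
    {
      // Did we get results?
      if ($res->fetchColumn() === FALSE)
      {
        // Nope, return key
        return $key;
      }
    }
    else
    {
      stLogSQLError($sql);
      return FALSE;
    }
  }
}


// Check whether new registrations are currently accepted: the
// "allowRegister" setting must be on and the hard attendee limit (if any)
// not reached. As a side effect the globals $maxAttendeesHard,
// $maxAttendeesSoft and $numAttendees are refreshed for the caller.
function stCheckRegistrationAvailable()
{
  global $maxAttendeesHard, $maxAttendeesSoft, $numAttendees;

  $maxAttendeesHard = stGetSetting("maxAttendeesHard");
  $maxAttendeesSoft = stGetSetting("maxAttendeesSoft");

  // A failed count is treated as zero attendees
  if (($numAttendees = stFetchSQLColumn("SELECT COUNT(*) FROM attendees")) === FALSE)
    $numAttendees = 0;

  return stChkSetting("allowRegister") &&
    ($maxAttendeesHard <= 0 || $numAttendees < $maxAttendeesHard);
}


// Validate the attendee fields of the current request against the
// database field sizes. Errors are reported via stError() and FALSE
// is returned on the first failure; TRUE if everything checks out.
//  $admin - when TRUE the e-mail address is not required even if the
//           "requireEMail" setting is on.
function stCheckRequestUserData($admin)
{
  $fake = NULL;

  if (!stChkRequestItem("name", $fake,
    array(CHK_ISGT, VT_STR, 0, "Handle / name not given."),
    array(CHK_ISLT, VT_STR, SET_LEN_USERNAME, "Handle / name is too long, should be less than ".SET_LEN_USERNAME." characters.")
    ))
    return FALSE;

  if (!stChkRequestItem("groups", $fake,
    array(CHK_ISLT, VT_STR, SET_LEN_GROUPS, "Groups are too long, should be less than ".SET_LEN_GROUPS." characters.")
    ))
    return FALSE;

  if (!stChkRequestItem("oneliner", $fake,
    array(CHK_ISLT, VT_STR, SET_LEN_ONELINER, "Oneliner is too long, should be less than ".SET_LEN_ONELINER." characters.")
    ))
    return FALSE;

  // Cast so a missing item (FALSE/NULL) behaves like an empty string
  $email = (string) stGetRequestItem("email");

  if (!$admin && stGetSetting("requireEMail") && strlen($email) < 4)
  {
    stError("E-mail address not given, or it is too short.");
    return FALSE;
  }

  // Only a loose sanity check ("@" and "." present), not full RFC validation
  if (strlen($email) > 0 && (strpos($email, "@") === FALSE || strpos($email, ".") === FALSE))
  {
    stError("E-mail address not in proper format.");
    return FALSE;
  }

  // Length limit matches the database column, counted in bytes
  if (strlen($email) > SET_LEN_EMAIL)
  {
    stError("E-mail address too long, max ".SET_LEN_EMAIL." characters.");
    return FALSE;
  }

  return TRUE;
}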