= "4.2.0") { if ( ini_get('register_globals') != 1 ) { $supers = array('_REQUEST', '_ENV', '_SERVER', '_POST', '_GET', '_COOKIE', '_SESSION', '_FILES', '_GLOBALS' ); foreach( $supers as $__s) { if ( (isset($$__s) == true) && (is_array( $$__s ) == true) ) extract( $$__s, EXTR_OVERWRITE ); } unset($supers); } } else { if ( ini_get('register_globals') != 1 ) { $supers = array('HTTP_POST_VARS', 'HTTP_GET_VARS', 'HTTP_COOKIE_VARS', 'GLOBALS', 'HTTP_SESSION_VARS', 'HTTP_SERVER_VARS', 'HTTP_ENV_VARS' ); foreach( $supers as $__s) { if ( (isset($$__s) == true) && (is_array( $$__s ) == true) ) extract( $$__s, EXTR_OVERWRITE ); } unset($supers); } } // function renHTML($strTemp) { $strTemp=nl2br(htmlspecialchars($strTemp)); $strTemp=str_replace ( "xred", "", $strTemp); $strTemp=str_replace ( "xblue", "", $strTemp); $strTemp=str_replace ( "xgreen", "", $strTemp); $strTemp=str_replace ( "xnavy", "", $strTemp); $strTemp=str_replace ( "xorange", "", $strTemp); $strTemp=str_replace ( "xmagenta", "", $strTemp); $strTemp=str_replace ( "x800040", "", $strTemp); $strTemp=str_replace ( "xblack", "", $strTemp); $strTemp=str_replace ( "xfont", "", $strTemp); $strTemp=str_replace ( "xbold", "", $strTemp); $strTemp=str_replace ( "ybold", "", $strTemp); $strTemp=str_replace ( "xitalic", "", $strTemp); $strTemp=str_replace ( "yitalic", "", $strTemp); $strTemp=str_replace ( "xunder", "", $strTemp); $strTemp=str_replace ( "yunder", "", $strTemp); return $strTemp; } function renHTMLx($strTemp) { $strTemp=str_replace ( "xred", "", $strTemp); $strTemp=str_replace ( "xblue", "", $strTemp); $strTemp=str_replace ( "xgreen", "", $strTemp); $strTemp=str_replace ( "xnavy", "", $strTemp); $strTemp=str_replace ( "xorange", "", $strTemp); $strTemp=str_replace ( "xmagenta", "", $strTemp); $strTemp=str_replace ( "x800040", "", $strTemp); $strTemp=str_replace ( "xblack", "", $strTemp); $strTemp=str_replace ( "xfont", "", $strTemp); $strTemp=str_replace ( "xbold", "", $strTemp); $strTemp=str_replace ( 
"ybold", "", $strTemp); $strTemp=str_replace ( "xitalic", "", $strTemp); $strTemp=str_replace ( "yitalic", "", $strTemp); $strTemp=str_replace ( "xunder", "", $strTemp); $strTemp=str_replace ( "yunder", "", $strTemp); return $strTemp; } $thmonth=array("ม.ค.","ก.พ.","มี.ค.","เม.ย.","พ.ค.","มิ.ย.","ก.ค","ส.ค.","ก.ย.","ต.ค.","พ.ย.","ธ.ค."); $thaimonth=array("มกราคม","กุมภาพันธ์","มีนาคม","เมษายน","พฤษภาคม","มิถุนายน","กรกฎาคม","สิงหาคม","กันยายน","ตุลาคม","พฤศจิกายน","ธันวาคม"); $thweek=array("อา","จ","อ","พ","พฤ","ศ","ส"); $thaiweek=array("อาทิตย์","จันทร์","อังคาร","พุธ","พฤหัสบดี","ศุกร์","เสาร์"); function thdate($DCheck,$Chk) { global $thmonth;global $thaimonth;global $thaiweek; if ($Chk==1) { $thdate1=substr(((string) (date("Y",$DCheck)+543)),2,2); $thdate=date("j",$DCheck).$thmonth[date("n",$DCheck)-1].$thdate1; } elseif ($Chk==2) { $thdate=date("j",$DCheck)." ".$thaimonth[date("n",$DCheck)-1]." ".(date("Y",$DCheck)+543); } elseif ($Chk==3) { $thdate="วัน".$thaiweek[date("w",$DCheck)]."ที่ ".date("j",$DCheck)." ".$thaimonth[date("n",$DCheck)-1]." ".(date("Y",$DCheck)+543); } elseif ($Chk==4) { $thdate=$thaimonth[date("n",$DCheck)-1]." ".(date("Y",$DCheck)+543); } return $thdate; } // /** * Initialise *
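* Carries out a number of initialisation tasks to get PostNuke up and
 * running: starts the session, selects the UI language and runs the
 * request-input checks in PPP_SecureInput().
 *
 * @param rootpath unused; kept for existing callers
 * @returns bool
 * @return true (the function die()s when the session cannot be set up)
 */
function PPP_Init($rootpath = "")
{
    // Start session
    if (!PPP_SessionSetup()) {
        die('Session setup failed');
    }
    if (!PPP_SessionInit()) {
        die('Session initialisation failed');
    }

    // A 'newlang' request parameter switches the session language.
    // NOTE(review): the value is stored unvalidated; anything that later builds
    // a file or include path from the session 'lang' must validate it first
    // (e.g. through PPP_VarPrepForOS()).
    $newlang = PPP_VarCleanFromInput('newlang');
    if (!empty($newlang)) {
        $lang = $newlang;
        PPP_SessionSetVar('lang', $newlang);
    } else {
        $lang = PPP_SessionGetVar('lang');
    }

    // Default to Thai when the session holds no language yet
    if (!isset($lang)) {
        PPP_SessionSetVar('lang', "th");
    }

    // PPP_ThemeLoad($pppconfig['theme']);
    // some syntax checking against injected javascript
    PPP_SecureInput();
    return true;
}

/**
 * Loads the driver include named by $pppconfig['dbtype'] and, for MySQL,
 * opens the connection into the global $dbconn.
 *
 * Fix: the connection handle is tested right after mysql_connect(); the
 * original called mysql_select_db() and SET NAMES on a possibly-false handle
 * before checking it. Unused $dbtype/$cs1..$cs3 locals dropped.
 *
 * NOTE(review): the mysql_* extension was removed in PHP 7, so this only runs
 * on PHP 5. The die() message echoes mysql_error() to the client, which leaks
 * server details — log it and show a generic message instead.
 *
 * @returns bool
 * @return true; die()s on an unknown database type or a failed connection
 */
function PPP_DBInit()
{
    global $pppconfig, $rootpath;

    // Database handler: one include per supported driver
    $drivers = array(
        "MySQL"      => 'includes/DB/mysql.inc.php',
        "PostgreSQL" => 'includes/DB/postgresql.inc.php',
        "Oracle"     => 'includes/DB/oracle.inc.php',
        "MSSQL"      => 'includes/DB/mssql.inc.php',
    );
    if (!isset($pppconfig['dbtype']) || !isset($drivers[$pppconfig['dbtype']])) {
        die("Database type not defined.");
    }
    include $rootpath . $drivers[$pppconfig['dbtype']];

    // Get database parameters
    if ($pppconfig['dbtype'] == "MySQL") {
        $dbhost  = $pppconfig['dbhost'] . ":" . $pppconfig['dbport'];
        $dbname  = $pppconfig['dbname'];
        $dbuname = $pppconfig['dbuname'];
        $dbpass  = $pppconfig['dbpass'];

        // Database connection is a global (for now)
        global $dbconn;

        // Start connection; fail before the handle is used for anything else
        $dbconn = mysql_connect($dbhost, $dbuname, $dbpass);
        if (!$dbconn) {
            $dbpass = "";
            die("failed to connect to database : " . mysql_error());
        }
        mysql_select_db($dbname, $dbconn);
        // client, connection and result character sets all become UTF-8
        mysql_query("SET NAMES UTF8");
    }
    return true;
}

/**
 * Returns the database connection handle opened by PPP_DBInit().
 * @returns resource|null
 * @return the global $dbconn (null when PPP_DBInit() has not run)
 */
function PPP_DBGetConn()
{
    global $dbconn;
    return $dbconn;
}

/**
 * clean user input
 *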
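* Gets a global variable, cleaning it up to try to ensure that
 * hack attacks don't work.
 *
 * Each argument is a variable NAME; the value is read from the global scope
 * ($$var). Request data only arrives here because the register_globals shim
 * at the top of this file extract()s the superglobals into globals, so a
 * same-named value from $_GET, $_POST, $_COOKIE or any other global is
 * indistinguishable. The only cleaning performed is undoing magic_quotes
 * slashes — no HTML or script filtering happens in this function (the unused
 * $search/$replace arrays that used to sit here were never applied).
 *
 * Fixes: get_magic_quotes_gpc() does not exist on PHP 8 and is now only
 * called when defined; PPP_Stripslashes() recursed through a non-existent
 * 'pnStripslashes' callback for nested arrays.
 *
 * @param var name of variable to get
 * @param ... further names
 * @returns string/array
 * @return prepared variable if only one variable passed
 *         in, otherwise an array of prepared variables; null for a name that
 *         is not set. An empty name aborts and returns null (as before).
 */
function PPP_VarCleanFromInput()
{
    $resarray = array();
    foreach (func_get_args() as $var) {
        // Get var
        global $$var;
        if (empty($var)) {
            return;
        }
        $ourvar = $$var;
        if (!isset($ourvar)) {
            array_push($resarray, NULL);
            continue;
        }
        if (empty($ourvar)) {
            array_push($resarray, $ourvar);
            continue;
        }
        // Clean var: reverse magic_quotes_gpc (PHP < 5.4 only)
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            PPP_Stripslashes($ourvar);
        }
        // Add to result array
        array_push($resarray, $ourvar);
    }
    // Return vars
    if (func_num_args() == 1) {
        return $resarray[0];
    }
    return $resarray;
}

/**
 * strip slashes
 *
 * stripslashes() applied in place, recursing into nested arrays.
 * Used in conjunction with PPP_VarCleanFromInput.
 * @access private
 * @param value scalar or (nested) array, modified in place
 */
function PPP_Stripslashes(&$value)
{
    if (!is_array($value)) {
        $value = stripslashes($value);
    } else {
        // array_walk passes each element by reference to this function
        array_walk($value, 'PPP_Stripslashes');
    }
}

/**
 * ready user output
 *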
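* Gets a variable, cleaning it up such that the text is
 * shown exactly as expected: HTML special characters are entity-encoded and
 * the byte on either side of every '@' is turned into a numeric entity so
 * e-mail addresses are harder for harvesters to read.
 *
 * Fix: the original used preg_replace() with the /e (eval) modifier, which was
 * removed in PHP 7.0; there the call returns null and the function outputs
 * nothing. The same substitution now runs through preg_replace_callback().
 *
 * @param var variable to prepare
 * @param ... further variables
 * @returns string/array
 * @return prepared variable if only one variable passed
 *         in, otherwise an array of prepared variables
 */
function PPP_VarPrepForDisplay()
{
    $resarray = array();
    foreach (func_get_args() as $ourvar) {
        // Prepare var
        $ourvar = htmlspecialchars($ourvar);
        // 'x@y' -> '&#NNN;@&#NNN;' (protection against email harvesters);
        // /s lets '.' match a newline, as the original pattern did
        $ourvar = preg_replace_callback('/(.)@(.)/s', 'PPP_ObfuscateAtSign', $ourvar);
        // Add to array
        array_push($resarray, $ourvar);
    }
    // Return vars
    if (func_num_args() == 1) {
        return $resarray[0];
    }
    return $resarray;
}

/**
 * preg_replace_callback() helper for PPP_VarPrepForDisplay(): encodes the
 * byte before and after an '@' as three-digit decimal entities.
 * @param matches match array of the '/(.)@(.)/s' pattern
 * @returns string
 */
function PPP_ObfuscateAtSign($matches)
{
    return '&#' . sprintf('%03d', ord($matches[1])) . ';@&#' . sprintf('%03d', ord($matches[2])) . ';';
}

/**
 * ready database output
 *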
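* Gets a variable, cleaning it up such that the text is
 * stored in a database exactly as expected: addslashes() is applied unless
 * magic_quotes_runtime already did so.
 *
 * Fix: get_magic_quotes_runtime() does not exist on PHP 8 (fatal error);
 * it is now only consulted when defined, otherwise slashes are always added.
 *
 * NOTE(review): addslashes() is not a connection-aware SQL escape; with the
 * mysql_* API used elsewhere in this file, mysql_real_escape_string() on the
 * open connection — and ultimately parameterised queries — is the safe form.
 *
 * @param var variable to prepare
 * @param ... further variables
 * @returns string/array
 * @return prepared variable if only one variable passed
 *         in, otherwise an array of prepared variables
 */
function PPP_VarPrepForStore()
{
    $resarray = array();
    foreach (func_get_args() as $ourvar) {
        // Prepare var (magic_quotes_runtime only exists on PHP < 5.4)
        if (!function_exists('get_magic_quotes_runtime') || !get_magic_quotes_runtime()) {
            $ourvar = addslashes($ourvar);
        }
        // Add to array
        array_push($resarray, $ourvar);
    }
    // Return vars
    if (func_num_args() == 1) {
        return $resarray[0];
    }
    return $resarray;
}

/**
 * ready operating system output
 *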
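* Gets a variable, cleaning it up such that any attempts
 * to access files outside of the scope of the PostNuke
 * system is not allowed: "../" and a leading "scheme://" are removed and
 * every remaining '/' or '\' becomes '_', so no path separator survives.
 *
 * NOTE(review): a bare ".." component (no trailing slash) passes through
 * unchanged, so callers that embed the result as a directory name should
 * additionally reject "." and "..".
 *
 * Fix: get_magic_quotes_runtime() does not exist on PHP 8 and is now only
 * consulted when defined.
 *
 * @param var variable to prepare
 * @param ... further variables
 * @returns string/array
 * @return prepared variable if only one variable passed
 *         in, otherwise an array of prepared variables
 */
function PPP_VarPrepForOS()
{
    static $search = array('!\.\./!si',   // .. (directory traversal)
                           '!^.*://!si',  // .*:// (start of URL)
                           '!/!si',       // Forward slash (directory traversal)
                           '!\\\\!si');   // Backslash (directory traversal)
    static $replace = array('', '', '_', '_');
    $resarray = array();
    foreach (func_get_args() as $ourvar) {
        // Parse out bad things (patterns applied in array order)
        $ourvar = preg_replace($search, $replace, $ourvar);
        // Prepare var (magic_quotes_runtime only exists on PHP < 5.4)
        if (!function_exists('get_magic_quotes_runtime') || !get_magic_quotes_runtime()) {
            $ourvar = addslashes($ourvar);
        }
        // Add to array
        array_push($resarray, $ourvar);
    }
    // Return vars
    if (func_num_args() == 1) {
        return $resarray[0];
    }
    return $resarray;
}

/**
 * validate a user variable
 * @access public
 * @author Damien Bonvillain
 * @author Gregor J.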
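* Rothfuss
 * @since 1.23 - 2002/02/01
 * @param var the variable to validate
 * @param type the type of the validation to perform ('email' or 'url')
 * @param args optional array with validation-specific settings (unused)
 * @returns bool
 * @return true if the validation was successful, false otherwise — also for
 *         an unknown $type, which previously fell out of the switch and
 *         returned null
 */
function PPP_VarValidate($var, $type, $args = 0)
{
    switch ($type) {
        case 'email':
            // all characters must be 7 bit ascii
            if (!PPP_IsSevenBitAscii($var)) {
                return false;
            }
            $regexp = '/^(?:[^\s\000-\037\177\(\)<>@,;:\\"\[\]]\.?)+@(?:[^\s\000-\037\177\(\)<>@,;:\\\"\[\]]\.?)+\.[a-z]{2,6}$/Ui';
            return preg_match($regexp, $var) ? true : false;

        case 'url':
            // all characters must be 7 bit ascii
            if (!PPP_IsSevenBitAscii($var)) {
                return false;
            }
            // only URL-safe ASCII (octal ranges) or %xx escapes
            $regexp = '/^([!\$\046-\073=\077-\132_\141-\172~]|(?:%[a-f0-9]{2}))+$/i';
            if (!preg_match($regexp, $var)) {
                return false;
            }
            // parse_url() is false on badly malformed input; a scheme is required
            $url_array = @parse_url($var);
            if (empty($url_array)) {
                return false;
            }
            return !empty($url_array['scheme']);

        default:
            return false;
    }
}

/**
 * True when every byte of $var is below 0x80 (7-bit ASCII); '' passes.
 * @param var string to test
 * @returns bool
 */
function PPP_IsSevenBitAscii($var)
{
    $length = strlen($var);
    for ($idx = 0; $idx < $length; $idx++) {
        if (ord($var[$idx]) > 127) {
            return false;
        }
    }
    return true;
}

/**
 * Includes themes/<theme>/theme.php once per request (static $loaded),
 * preferring the copy under WHERE_IS_PERSO.
 *
 * The theme name is spliced into an include path unescaped, so it must come
 * from configuration (PPP_Init's commented call passes $pppconfig['theme']);
 * a request-derived name must go through PPP_VarPrepForOS() first.
 *
 * Fix: existence was tested with @file(), which reads the whole file into
 * memory; is_file() is used instead.
 * NOTE(review): WHERE_IS_PERSO is not defined anywhere in this chunk.
 *
 * @param thistheme theme directory name
 * @returns bool
 * @return true
 */
function PPP_ThemeLoad($thistheme)
{
    static $loaded = 0;
    if ($loaded) {
        return true;
    }
    // Lots of nasty globals for back-compatability with older themes:
    // theme.php is included in this scope and assigns to these names
    global $bgcolor1; global $bgcolor2; global $bgcolor3; global $bgcolor4; global $bgcolor5;
    global $sepcolor; global $textcolor1; global $textcolor2;
    global $postnuke_theme; global $thename; global $rootpath;
    $__themefile = "themes/$thistheme/theme.php";
    if (is_file(WHERE_IS_PERSO . $rootpath . $__themefile)) {
        include WHERE_IS_PERSO . $rootpath . $__themefile;
    } else {
        include $rootpath . $__themefile;
    }
    $loaded = 1;
    return true;
}

/**
 * get base URI
 * @returns string
 * @return base URI
 */
function PPP_GetBaseURI()
{
    global $HTTP_SERVER_VARS;
    // Get the name of this URI
    // Start of with REQUEST_URI
    if (isset($HTTP_SERVER_VARS['REQUEST_URI'])) {
        $path = $HTTP_SERVER_VARS['REQUEST_URI'];
    } else {
        $path = getenv('REQUEST_URI');
    }
    // body continues on the next source line
    if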
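((empty($path)) || (substr($path, -1, 1) == '/')) {
        // REQUEST_URI was empty or pointed to a path
        // Try looking at PATH_INFO
        $path = getenv('PATH_INFO');
        if (empty($path)) {
            // No luck there either
            // Try SCRIPT_NAME
            if (isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) {
                $path = $HTTP_SERVER_VARS['SCRIPT_NAME'];
            } else {
                $path = getenv('SCRIPT_NAME');
            }
        }
    }
    // drop query string / fragment, keep the directory part
    $path = preg_replace('/[#\?].*/', '', $path);
    $path = dirname($path);
    if (preg_match('!^[/\\\]*$!', $path)) {
        $path = '';
    }
    return $path;
}

/**
 * get base URL
 *
 * Fix: $HTTP_SERVER_VARS was removed in PHP 5.4; there the original fell
 * through to getenv() for the host and never saw HTTPS, so every URL came
 * back as http://. $_SERVER is now consulted after the legacy array.
 *
 * NOTE(review): the host is the client-supplied Host header, so a redirect
 * built from this value follows whatever host the client sent; enforce the
 * canonical host at the web-server level.
 *
 * @returns string
 * @return base URL, "<proto><host><base uri>/"
 */
function PPP_GetBaseURL()
{
    global $HTTP_SERVER_VARS;
    if (!empty($HTTP_SERVER_VARS['HTTP_HOST'])) {
        $server = $HTTP_SERVER_VARS['HTTP_HOST'];
    } elseif (!empty($_SERVER['HTTP_HOST'])) {
        $server = $_SERVER['HTTP_HOST'];
    } else {
        $server = getenv('HTTP_HOST');
    }
    // IIS sets HTTPS=off
    if (isset($HTTP_SERVER_VARS['HTTPS'])) {
        $https = $HTTP_SERVER_VARS['HTTPS'];
    }
    elseif (isset($_SERVER['HTTPS'])) {
        $https = $_SERVER['HTTPS'];
    } else {
        $https = null;
    }
    $proto = ($https !== null && $https != 'off') ? 'https://' : 'http://';
    $path = PPP_GetBaseURI();
    return "$proto$server$path/";
}

/**
 * Carry out a redirect
 *
 * Anything starting with "http" is sent as-is; everything else is made
 * relative to PPP_GetBaseURL(). Callers must not pass unvalidated request
 * input as the absolute form (open redirect).
 *
 * @param redirecturl the URL to redirect to
 * @returns void
 */
function PPP_Redirect($redirecturl)
{
    // Always close session before redirect
    if (function_exists('session_write_close')) {
        session_write_close();
    }
    if (preg_match('!^http!', $redirecturl)) {
        // Absolute URL - simple redirect
        header("Location: $redirecturl");
        return;
    }
    // Removing leading slashes from redirect url
    $redirecturl = preg_replace('!^/*!', '', $redirecturl);
    // Get base URL
    $baseurl = PPP_GetBaseURL();
    header("Location: $baseurl$redirecturl");
}

/**
 * JavaScript redirect.
 * NOTE(review): in this copy the body only echoes a space and exits — the
 * script markup it presumably emitted (with $redirecturl) is missing; restore
 * from the repository before relying on it.
 * @param redirecturl target URL (unused in this copy)
 */
function PPP_JSRedirect($redirecturl)
{
    echo " ";
    exit;
}

/**
 * check to see if this is a local referral
 * @returns bool
 * @return true if locally referred, false if not
 */
function PPP_LocalReferer()
{
    global $HTTP_SERVER_VARS;
    if (empty($HTTP_SERVER_VARS['HTTP_HOST'])) {
        $server = getenv('HTTP_HOST');
    } else {
        $server = $HTTP_SERVER_VARS['HTTP_HOST'];
    }
    if (empty($HTTP_SERVER_VARS['HTTP_REFERER'])) {
        $referer = getenv('HTTP_REFERER');
    } else {
        $referer = $HTTP_SERVER_VARS['HTTP_REFERER'];
    }
    // body continues on the next source line
    if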
(empty($referer) || preg_match("!^http://$server/!", $referer)) {
        // NOTE(review): a missing Referer counts as local, so this check is weak on
        // its own; the pattern accepts only http:// (an https referer from the same
        // host is rejected) and $server — the client-supplied Host header — is
        // interpolated into the regex unescaped (wrap it in preg_quote()).
        // PPP_LocalReferer() starts on the previous source line.
        return true;
    } else {
        return false;
    }
}

/**
 * Redirects to index.php when any top-level GET, POST or COOKIE value matches
 * a denylist of HTML/script/SQL-looking patterns.
 *
 * NOTE(review): eregi() was removed in PHP 7.0, so this is fatal there.
 * Header("Location: ...") is sent without exit, so the request continues
 * with the offending input; a denylist is no substitute for escaping output
 * and parameterising queries. Only top-level values are inspected, and an
 * array-valued parameter is handed to eregi() as an array.
 * The body continues on the next source line.
 */
function PPP_SecureInput() {
    /* Lets validate the current php version and set globals accordingly.
       Do not change this value unless you know what you are doing you have been warned! */
    //require('includes/htmlfilter.inc');
    // NOTE(review): plain string comparison — a two-digit major version would sort below "4.2.0"
    if ( phpversion() >= "4.2.0" ) {
        $HTTP_GET_VARS = $_GET;
        $HTTP_POST_VARS = $_POST;
        $HTTP_COOKIE_VARS = $_COOKIE;
    } else {
        global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
    }
    // Cross-Site Scripting attack defense - Sent by larsneo
    // some syntax checking against injected javascript
    // extended by Neo
    if (count($HTTP_GET_VARS) > 0) {
        /* Lets now sanitize the GET vars */
        foreach ($HTTP_GET_VARS as $secvalue) {
            // the last test rejects any GET value containing a double quote
            if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
                (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) ||
                (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*alert*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*cookie*\"?[^>]*>", $secvalue)) ||
                (eregi("\"", $secvalue))) {
                // pnMailHackAttempt(__FILE__,__LINE__,'pnSecurity Alert','Intrusion detection.');
                Header("Location: index.php");
            }
        }
    }
    /* Lets now sanitize the POST vars */
    if ( count($HTTP_POST_VARS) > 0) {
        foreach ($HTTP_POST_VARS as $secvalue) {
            // condition continues on the next source line
            if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*alert*\"?[^>]*>", $secvalue)) ||
                (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*cookie*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ) { // pnMailHackAttempt(__FILE__,__LINE__,'pnSecurity Alert','Intrusion detection.'); Header("Location: index.php"); } } } /* Lets now sanitize the COOKIE vars */ if ( count($HTTP_COOKIE_VARS) > 0) { foreach ($HTTP_COOKIE_VARS as $secvalue) { if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) || (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*alert*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*cookie*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ) { // pnMailHackAttempt(__FILE__,__LINE__,'pnSecurity Alert','Intrusion detection.'); Header("Location: index.php"); } } } } # End of secure Input /* Function that compares the current php version on the system with the target one */ // Deprecate function reverting to php detecion function function PPP_PhpVersionCheck($vercheck) { $minver = str_replace(".","", $vercheck); $curver = str_replace(".","", phpversion()); if($curver >= $minver){ return true; } else { return false; } } function GetDBName() { Global $pppconfig; return $pppconfig['dbname']; } function GetDBPrefix() { Global $pppconfig; return $pppconfig['dbprefix']; } function encode_JSONjqGrid($in) { return json_encode($in); } function decodeJSONjqGrid($in) { } function encodeXMLjqGrid($in) { } function decodeXMLjqGrid($in) { } function encodeJSON($in) { return json_encode($in); } function decodeJSON($in) { } if (!function_exists('json_encode')) { function json_encode($a=false) { if (is_null($a)) return 'null'; if ($a === false) return 'false'; if 
($a === true) return 'true';
        if (is_scalar($a)) {
            if (is_float($a)) {
                // Always use "." for floats.
                // NOTE(review): returns a float, not a JSON string, so the caller's join() formats it
                return floatval(str_replace(",", ".", strval($a)));
            }
            if (is_string($a)) {
                // NOTE(review): "\b" is not a PHP escape, so that entry matches the two characters
                // backslash-b rather than a backspace — probably unintended; confirm
                static $jsonReplaces = array(array("\\", "/", "\n", "\t", "\r", "\b", "\f", '"'), array('\\\\', '\\/', '\\n', '\\t', '\\r', '\\b', '\\f', '\"'));
                return '"' . str_replace($jsonReplaces[0], $jsonReplaces[1], $a) . '"';
            } else return $a;
        }
        // an array is a JSON list only if its keys are exactly 0..n-1 in order
        $isList = true;
        for ($i = 0, reset($a); $i < count($a); $i++, next($a)) {
            if (key($a) !== $i) { $isList = false; break; }
        }
        $result = array();
        if ($isList) {
            foreach ($a as $v) $result[] = json_encode($v);
            return '[' . join(',', $result) . ']';
        } else {
            foreach ($a as $k => $v) $result[] = json_encode($k).':'.json_encode($v);
            return '{' . join(',', $result) . '}';
        }
    }
}
/* { total: "xxx", page: "yyy", records: "zzz", rows : [ {id:"1", cell:["cell11", "cell12", "cell13"]}, {id:"2", cell:["cell21", "cell22", "cell23"]}, ... ] } */
if ( !function_exists('json_decode') ){
    function json_decode($json) {
        // Author: walidator.info 2009
        $comment = false;
        $out = '$x=';
        // NOTE(review): the text from here to `",">",$in);` is damaged in this copy: the rest
        // of this json_decode() polyfill (it builds PHP source into $out, so it presumably
        // eval()s it — not something to run on untrusted input) and the opening of the next
        // function, apparently the encoder counterpart of decodeChars(), are missing. Treat
        // this span as unreviewable and restore it from the repository.
        for ($i=0; $i",">",$in);
        $in = str_replace('"',""",$in);
        $in = str_replace("'",''',$in);
        $in = str_replace("&","&",$in);
        return $in;
    }

// NOTE(review): the live str_replace() below has "&" as both search and replacement in this
// copy, i.e. it is a no-op; the commented lines show the same entity loss ("<" for "&lt;" etc.)
function decodeChars($in) {
    // return html_entity_decode($in,ENT_QUOTES);
    // $in = str_replace("<","<",$in);
    // $in = str_replace(">",">",$in);
    // $in = str_replace(""",'"',$in);
    // $in = str_replace("'",'"',$in);
    $in = str_replace("&","&",$in);
    return $in;
}

// NOTE(review): same entity loss as decodeChars(); the `"""` arguments do not lex as written
function decodeCharsTinyMCE($in) {
    // return html_entity_decode($in,ENT_QUOTES);
    $in = str_replace("&","&",$in);
    $in = str_replace("<","<",$in);
    $in = str_replace(">",">",$in);
    $in = str_replace(""",'\"',$in);
    $in = str_replace("'","'",$in);
    $in = str_replace("\r\n","\\r\\n",$in);
    return $in;
}

// Dreamweaver-style SQL literal builder; the body continues on the next source line.
// NOTE(review): get_magic_quotes_gpc() no longer exists on PHP 8 (fatal error)
if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") {
        $theValue = get_magic_quotes_gpc() ?
stripslashes($theValue) : $theValue;
        // NOTE(review): without an explicit link mysql_real_escape_string() uses the last
        // opened mysql_* connection; with none open it returns false, which the switch below
        // turns into "NULL". The mysql_* extension itself is gone since PHP 7.
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        // Wrap according to the declared column type; an unknown $theType returns the
        // escaped value unquoted, and "defined" inserts the caller's constants verbatim
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                break;
            case "date":
                // escaped but not validated as a date
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}
?>