Improved reading of POST and GET values
| | |
| | | AddDefaultCharset UTF-8 |
| | | # AddDefaultCharset UTF-8 |
| | | php_flag display_errors On |
| | | php_value upload_max_filesize 2m |
| | | |
| | |
| | | // PEAR::setErrorHandling(PEAR_ERROR_TRIGGER, E_USER_NOTICE); |
| | | |
| | | |
| | | // strip magic quotes from Superglobals... |
| | | if ((bool)get_magic_quotes_gpc()) // by "php Pest" |
| | | { |
| | | // Really EGPCSR - Environment $_ENV, GET $_GET , POST $_POST, Cookie $_COOKIE, Server $_SERVER |
| | | // and their HTTP_*_VARS cousins (separate arrays, not references) and $_REQUEST |
| | | $fnStripMagicQuotes = create_function( |
| | | '&$mData, $fnSelf', |
| | | 'if (is_array($mData)) { foreach ($mData as $mKey=>$mValue) $fnSelf($mData[$mKey], $fnSelf); return; } '. |
| | | '$mData = stripslashes($mData);' |
| | | ); |
| | | |
| | | // do each set of EGPCSR as you find necessary |
| | | $fnStripMagicQuotes($_POST, $fnStripMagicQuotes); |
| | | $fnStripMagicQuotes($_GET, $fnStripMagicQuotes); |
| | | } |
| | | |
| | | |
| | | // catch some url/post parameters |
| | | $_auth = !empty($_POST['_auth']) ? $_POST['_auth'] : $_GET['_auth']; |
| | | $_task = !empty($_POST['_task']) ? $_POST['_task'] : (!empty($_GET['_task']) ? $_GET['_task'] : 'mail'); |
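Review bot: `$_auth` and `$_task` on the two lines above still read `$_POST`/`$_GET` directly even though this hunk deletes the recursive stripslashes pass, so with magic_quotes_gpc on they now arrive with the backslash escaping intact, and `$_GET['_auth']` is dereferenced without isset() and raises a notice whenever neither source carries it (the .htaccess hunk shows display_errors On, so that notice lands in the response). Routing both through the new helper keeps the POST-before-GET precedence: `$_auth = !empty($_POST['_auth']) ? get_input_value('_auth', RCUBE_INPUT_POST, TRUE) : get_input_value('_auth', RCUBE_INPUT_GET, TRUE);` and the same shape for `_task` with its `'mail'` fallback. I pass TRUE for $allow_html because neither value is HTML and strip_tags() would alter anything containing `<`; what `_auth` actually carries is not visible from this hunk.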
| | |
| | | { |
| | | show_message("cookiesdisabled", 'warning'); |
| | | } |
| | | else if (isset($_POST['_user']) && isset($_POST['_pass']) && rcmail_login($_POST['_user'], $_POST['_pass'], $host)) |
| | | else if (isset($_POST['_user']) && isset($_POST['_pass']) && |
| | | rcmail_login(get_input_value('_user', RCUBE_INPUT_POST), |
| | | get_input_value('_pass', RCUBE_INPUT_POST), |
| | | $host)) |
| | | { |
| | | // send redirect |
| | | header("Location: $COMM_PATH"); |
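Review bot: The password on the new rcmail_login() call goes through get_input_value() with $allow_html left at its FALSE default, so strip_tags() runs on it and any password containing `<` followed by text (e.g. `pa<ss>word`) is silently mangled before it reaches the IMAP server, turning valid credentials into failed logins; it is also charset-converted via `$OUTPUT->get_charset()`, which may or may not be what the server expects. Credentials should be passed through untouched apart from the magic-quotes fix: `rcmail_login(get_input_value('_user', RCUBE_INPUT_POST), get_input_value('_pass', RCUBE_INPUT_POST, TRUE), $host)` at least keeps the `<` characters. Whether the charset conversion is wanted for passwords I cannot tell from here, and the if/else chain this belongs to starts before the hunk.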
| | |
| | | require_once('lib/utf8.class.php'); |
| | | |
| | | |
| | | // define constannts for input reading |
| | | define('RCUBE_INPUT_GET', 0x0101); |
| | | define('RCUBE_INPUT_POST', 0x0102); |
| | | define('RCUBE_INPUT_GPC', 0x0103); |
| | | |
| | | |
| | | // register session and connect to server |
| | | function rcmail_startup($task='mail') |
| | | { |
| | |
| | | $imap_ssl = (isset($a_host['scheme']) && in_array($a_host['scheme'], array('ssl','imaps','tls'))) ? TRUE : FALSE; |
| | | $imap_port = isset($a_host['port']) ? $a_host['port'] : ($imap_ssl ? 993 : $CONFIG['default_port']); |
| | | } |
| | | else |
| | | $imap_port = $CONFIG['default_port']; |
| | | |
| | | // query if user already registered |
| | | $sql_result = $DB->query("SELECT user_id, username, language, preferences |
| | |
| | | // no encoding given -> return original string |
| | | return $str; |
| | | } |
| | | |
| | | |
| | | /** |
| | | * Read input value and convert it for internal use |
| | | * Performs stripslashes() and charset conversion if necessary |
| | | * |
| | | * @param string Field name to read |
| | | * @param int Source to get value from (GPC) |
| | | * @param boolean Allow HTML tags in field value |
| | | * @param string Charset to convert into |
| | | * @return string Field value or NULL if not available |
| | | */ |
| | | function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL) |
| | | { |
| | | global $OUTPUT; |
| | | $value = NULL; |
| | | |
| | | if ($source==RCUBE_INPUT_GET && isset($_GET[$fname])) |
| | | $value = $_GET[$fname]; |
| | | else if ($source==RCUBE_INPUT_POST && isset($_POST[$fname])) |
| | | $value = $_POST[$fname]; |
| | | else if ($source==RCUBE_INPUT_GPC) |
| | | { |
| | | if (isset($_GET[$fname])) |
| | | $value = $_GET[$fname]; |
| | | else if (isset($_POST[$fname])) |
| | | $value = $_POST[$fname]; |
| | | else if (isset($_COOKIE[$fname])) |
| | | $value = $_COOKIE[$fname]; |
| | | } |
| | | |
| | | // strip slashes if magic_quotes enabled |
| | | if ((bool)get_magic_quotes_gpc()) |
| | | $value = stripslashes($value); |
| | | |
| | | // remove HTML tags if not allowed |
| | | if (!$allow_html) |
| | | $value = strip_tags($value); |
| | | |
| | | // convert to internal charset |
| | | return rcube_charset_convert($value, $OUTPUT->get_charset(), $charset); |
| | | } |
| | | |
| | | |
| | | |
| | | |
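Review bot: get_input_value() is not safe for array-valued fields: a `foo[]` parameter arrives as an array, and stripslashes()/strip_tags() accept only strings, so the value is lost with a warning — a regression against the recursive stripper this commit deletes, which walked nested arrays. The docblock also promises `NULL if not available`, but with $allow_html FALSE an absent field goes through strip_tags(NULL) and comes back as `''`, so callers cannot tell missing from empty. Worth stating in the docblock as well: strip_tags() only limits what gets stored, it is not output escaping, so values returned here must still be escaped for the HTML/JS/SQL context they are written into (as the `$DB->quote` and rep_specialchars_output call sites in this commit do). A small restructuring handles arrays element-wise and keeps NULL:
```php
function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
  {
  global $OUTPUT;
  $value = NULL;
  // … unchanged: $value lookup from $_GET / $_POST / $_COOKIE …

  // absent field: honour the documented NULL instead of strip_tags(NULL) === ''
  if ($value === NULL)
    return NULL;

  return rcube_clean_input_value($value, $allow_html, $charset, $OUTPUT->get_charset());
  }


// Apply the get_input_value() cleaning to one value; array fields (foo[]) are cleaned element-wise.
// This is storage hygiene only -- callers still escape for the output context.
function rcube_clean_input_value($value, $allow_html, $charset, $from_charset)
  {
  if (is_array($value))
    {
    foreach ($value as $key => $item)
      $value[$key] = rcube_clean_input_value($item, $allow_html, $charset, $from_charset);
    return $value;
    }

  // strip slashes if magic_quotes enabled
  if ((bool)get_magic_quotes_gpc())
    $value = stripslashes($value);

  // remove HTML tags if not allowed
  if (!$allow_html)
    $value = strip_tags($value);

  // convert to internal charset
  return rcube_charset_convert($value, $from_charset, $charset);
  }
```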
| | |
| | | $input_action = new hiddenfield(array('name' => '_action', 'value' => 'login')); |
| | | |
| | | $fields = array(); |
| | | $fields['user'] = $input_user->show($_POST['_user']); |
| | | $fields['user'] = $input_user->show(get_input_value('_user', RCUBE_INPUT_POST)); |
| | | $fields['pass'] = $input_pass->show(); |
| | | $fields['action'] = $input_action->show(); |
| | | |
| | |
| | | |
| | | // set default page title |
| | | if (!strlen($this->title)) |
| | | $this->title = 'RoundCube|Mail'; |
| | | $this->title = 'RoundCube Mail'; |
| | | |
| | | // replace specialchars in content |
| | | $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE); |
| | |
| | | |
| | | // include meta tag with charset |
| | | if (!empty($this->charset)) |
| | | $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";; |
| | | { |
| | | header('Content-Type: text/html; charset='.$this->charset); |
| | | $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n"; |
| | | } |
| | | |
| | | |
| | | // definition of the code to be placed in the document header and footer |
| | |
| | | $hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task'])); |
| | | $hiddenfields->add(array('name' => '_action', 'value' => 'ldappublicsearch')); |
| | | |
| | | if ($_GET['_framed'] || $_POST['_framed']) |
| | | if ($_framed) |
| | | $hiddenfields->add(array('name' => '_framed', 'value' => 1)); |
| | | |
| | | $form_start .= !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : ''; |
| | |
| | | if ((empty($_POST['_name']) || empty($_POST['_email'])) && empty($_GET['_framed'])) |
| | | { |
| | | show_message('formincomplete', 'warning'); |
| | | rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add'); |
| | | rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show'); |
| | | return; |
| | | } |
| | | |
| | |
| | | $contacts_table = get_table_name('contacts'); |
| | | |
| | | // update an existing contact |
| | | if ($_POST['_cid']) |
| | | if (!empty($_POST['_cid'])) |
| | | { |
| | | $a_write_sql = array(); |
| | | |
| | |
| | | |
| | | $a_write_sql[] = sprintf("%s=%s", |
| | | $DB->quoteIdentifier($col), |
| | | $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()))); |
| | | $DB->quote(get_input_value($fname, RCUBE_INPUT_POST))); |
| | | } |
| | | |
| | | if (sizeof($a_write_sql)) |
| | |
| | | $_action = 'show'; |
| | | show_message('successfullysaved', 'confirmation'); |
| | | |
| | | if ($_POST['_framed']) |
| | | if ($_framed) |
| | | { |
| | | // define list of cols to be displayed |
| | | $a_show_cols = array('name', 'email'); |
| | |
| | | if (isset($_GET['_emails']) && isset($_GET['_names'])) |
| | | { |
| | | $sql .= "AND email IN ("; |
| | | $emails = explode(',', $_GET['_emails']); |
| | | $names = explode(',', $_GET['_names']); |
| | | $emails = explode(',', get_input_value('_emails', RCUBE_INPUT_GET)); |
| | | $names = explode(',', get_input_value('_names', RCUBE_INPUT_GET)); |
| | | $count = count($emails); |
| | | $n = 0; |
| | | foreach ($emails as $email) |
| | | { |
| | | $end = (++$n == $count) ? '' : ','; |
| | | $sql .= $DB->quote(strip_tags($email)) . $end; |
| | | $sql .= $DB->quote($email) . $end; |
| | | } |
| | | $sql .= ")"; |
| | | $ldap_form = true; |
| | | } |
| | | else if (isset($_POST['_email'])) |
| | | $sql .= "AND email = " . $DB->quote(strip_tags($_POST['_email'])); |
| | | $sql .= "AND email = " . $DB->quote(get_input_value('_email', RCUBE_INPUT_POST)); |
| | | |
| | | $sql_result = $DB->query($sql); |
| | | |
| | |
| | | foreach ($emails as $email) |
| | | { |
| | | $DB->query("INSERT INTO $contacts_table |
| | | (user_id, name, email) |
| | | VALUES ({$_SESSION['user_id']}," . $DB->quote(strip_tags($names[$n++])) . "," . |
| | | $DB->quote(strip_tags($email)) . ")"); |
| | | (user_id, name, email |
| | | VALUES ({$_SESSION['user_id']}," . $DB->quote($names[$n++]) . "," . |
| | | $DB->quote($email) . ")"); |
| | | $insert_id[] = $DB->insert_id(); |
| | | } |
| | | } |
| | |
| | | continue; |
| | | |
| | | $a_insert_cols[] = $col; |
| | | $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())); |
| | | $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST)); |
| | | } |
| | | |
| | | if (sizeof($a_insert_cols)) |
| | |
| | | $_action = 'show'; |
| | | $_GET['_cid'] = $insert_id; |
| | | |
| | | if ($_POST['_framed']) |
| | | if ($_framed) |
| | | { |
| | | // add contact row or jump to the page where it should appear |
| | | $commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME); |
| | |
| | | |
| | | $REMOTE_REQUEST = TRUE; |
| | | |
| | | if ($_GET['_address']) |
| | | if (!empty($_GET['_address'])) |
| | | { |
| | | $contact_arr = $IMAP->decode_address_list($_GET['_address']); |
| | | $contact_arr = $IMAP->decode_address_list(get_input_value('_address', RCUBE_INPUT_GET)); |
| | | if (sizeof($contact_arr)) |
| | | { |
| | | $contact = $contact_arr[1]; |
| | |
| | | |
| | | |
| | | if ($fname && !empty($_POST[$fname])) |
| | | $fvalue = $_POST[$fname]; |
| | | $fvalue = get_input_value($fname, RCUBE_INPUT_POST); |
| | | else if ($header && is_object($REPLY_MESSAGE['headers'])) |
| | | { |
| | | // get recipent address(es) out of the message headers |
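Review bot: `$fvalue = get_input_value($fname, RCUBE_INPUT_POST);` uses the FALSE default for $allow_html, so if $fname is one of the address fields here (`_to`, `_cc`, `_bcc`), a posted value such as `John <john@example.com>` is re-populated into the form as `John ` because strip_tags() treats `<john@example.com>` as a tag. The sending code in this same commit reads those fields with $allow_html TRUE for exactly that reason, so this line should match: `$fvalue = get_input_value($fname, RCUBE_INPUT_POST, TRUE);`. The function this belongs to starts outside the hunk, so which fields reach it is inferred from the `$header` / `$REPLY_MESSAGE['headers']` handling that follows.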
| | |
| | | |
| | | // use posted message body |
| | | if (!empty($_POST['_message'])) |
| | | $body = stripslashes($_POST['_message']); |
| | | $body = get_input_value('_message', RCUBE_INPUT_POST, TRUE); |
| | | |
| | | // compose reply-body |
| | | else if (is_array($REPLY_MESSAGE['parts'])) |
| | |
| | | |
| | | // use subject from post |
| | | if (isset($_POST['_subject'])) |
| | | $subject = stripslashes($_POST['_subject']); |
| | | $subject = get_input_value('_subject', RCUBE_INPUT_POST); |
| | | |
| | | // create a reply-subject |
| | | else if (isset($REPLY_MESSAGE['subject'])) |
| | |
| | | $mailto_replace = array(', ', ', ', ''); |
| | | |
| | | // repalce new lines and strip ending ', ' |
| | | $mailto = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_to'])); |
| | | $mailto = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_to', RCUBE_INPUT_POST, TRUE, $message_charset)); |
| | | |
| | | // decode address strings |
| | | $to_address_arr = $IMAP->decode_address_list($mailto); |
| | |
| | | 'To' => rcube_charset_convert($mailto, $input_charset, $message_charset)); |
| | | |
| | | // additional recipients |
| | | if ($_POST['_cc']) |
| | | $headers['Cc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_cc'])), $input_charset, $message_charset); |
| | | if (!empty($_POST['_cc'])) |
| | | $headers['Cc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_cc', RCUBE_INPUT_POST, TRUE, $message_charset)); |
| | | |
| | | if ($_POST['_bcc']) |
| | | $headers['Bcc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_bcc'])), $input_charset, $message_charset); |
| | | if (!empty($_POST['_bcc'])) |
| | | $headers['Bcc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_bcc', RCUBE_INPUT_POST, TRUE, $message_charset)); |
| | | |
| | | if (strlen($identity_arr['bcc'])) |
| | | if (!empty($identity_arr['bcc'])) |
| | | $headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc']; |
| | | |
| | | // add subject |
| | | $headers['Subject'] = rcube_charset_convert(trim($_POST['_subject']), $input_charset, $message_charset); |
| | | $headers['Subject'] = trim(get_input_value('_subject', RCUBE_INPUT_POST, FALSE, $message_charset)); |
| | | |
| | | if (strlen($identity_arr['organization'])) |
| | | if (!empty($identity_arr['organization'])) |
| | | $headers['Organization'] = $identity_arr['organization']; |
| | | |
| | | if (strlen($identity_arr['reply-to'])) |
| | | if (!empty($identity_arr['reply-to'])) |
| | | $headers['Reply-To'] = $identity_arr['reply-to']; |
| | | |
| | | if (!empty($_SESSION['compose']['reply_msgid'])) |
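Review bot: The Subject header on the new line `$headers['Subject'] = trim(get_input_value('_subject', RCUBE_INPUT_POST, FALSE, $message_charset));` is the only user-supplied header in this hunk not passed through `$mailto_regexp`, whose replacement table (per the "replace new lines" comment above it) folds newlines out of To/Cc/Bcc; trim() and strip_tags() leave an embedded CR/LF in place, so unless the header builder that consumes `$headers` (not in this hunk) folds or rejects multi-line values, a subject can terminate the header and inject further ones. Normalising it here is cheap: `$headers['Subject'] = trim(preg_replace('/[\r\n]+/', ' ', get_input_value('_subject', RCUBE_INPUT_POST, TRUE, $message_charset)));`. The TRUE also reverts the strip_tags() behaviour the old line did not have, which deletes anything in angle brackets from a plain-text subject (`Re: <ticket-42>` becomes `Re: `).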
| | |
| | | if (!empty($_SESSION['compose']['references'])) |
| | | $headers['References'] = $_SESSION['compose']['references']; |
| | | |
| | | if ($_POST['_priority']) |
| | | if (!empty($_POST['_priority'])) |
| | | { |
| | | $priority = (int)$_POST['_priority']; |
| | | $a_priorities = array(1=>'lowest', 2=>'low', 4=>'high', 5=>'highest'); |
| | |
| | | $headers['Message-ID'] = $message_id; |
| | | $headers['X-Sender'] = $from; |
| | | |
| | | if ($CONFIG['useragent']) |
| | | if (!empty($CONFIG['useragent'])) |
| | | $headers['User-Agent'] = $CONFIG['useragent']; |
| | | |
| | | // fetch message body |
| | | $message_body = rcube_charset_convert($_POST['_message'], $input_charset, $message_charset); |
| | | $message_body = get_input_value('_message', RCUBE_INPUT_POST, TRUE, $message_charset); |
| | | |
| | | // append generic footer to all messages |
| | | if (!empty($CONFIG['generic_message_footer'])) |
| | |
| | | if (strlen($_GET['_mboxes'])) |
| | | $IMAP->subscribe(array($_GET['_mboxes'])); |
| | | |
| | | if ($_GET['_remote']) |
| | | if ($REMOTE_REQUEST) |
| | | rcube_remote_response('// subscribed'); |
| | | } |
| | | |
| | |
| | | if (strlen($_GET['_mboxes'])) |
| | | $IMAP->unsubscribe(array($_GET['_mboxes'])); |
| | | |
| | | if ($_GET['_remote']) |
| | | if ($REMOTE_REQUEST) |
| | | rcube_remote_response('// unsubscribed'); |
| | | } |
| | | |
| | | // create a new mailbox |
| | | else if ($_action=='create-folder') |
| | | { |
| | | if (strlen($_GET['_name'])) |
| | | $create = $IMAP->create_mailbox(rcube_charset_convert(strip_tags(trim($_GET['_name'])), $OUTPUT->get_charset()), TRUE); |
| | | if (!empty($_GET['_name'])) |
| | | $create = $IMAP->create_mailbox(trim(get_input_value('_name', RCUBE_INPUT_GET)), TRUE); |
| | | |
| | | if ($create && $_GET['_remote']) |
| | | if ($create && $REMOTE_REQUEST) |
| | | { |
| | | $commands = sprintf("this.add_folder_row('%s')", rep_specialchars_output($create, 'js')); |
| | | rcube_remote_response($commands); |
| | | } |
| | | else if (!$create && $_GET['_remote']) |
| | | else if (!$create && $REMOTE_REQUEST) |
| | | { |
| | | $commands = show_message('errorsaving', 'error'); |
| | | rcube_remote_response($commands); |
| | |
| | | if (strlen($_GET['_mboxes'])) |
| | | $deleted = $IMAP->delete_mailbox(array($_GET['_mboxes'])); |
| | | |
| | | if ($_GET['_remote'] && $deleted) |
| | | if ($REMOTE_REQUEST && $deleted) |
| | | rcube_remote_response(sprintf("this.remove_folder_row('%s')", rep_specialchars_output($_GET['_mboxes'], 'js'))); |
| | | else if ($_GET['_remote']) |
| | | else if ($REMOTE_REQUEST) |
| | | { |
| | | $commands = show_message('errorsaving', 'error'); |
| | | rcube_remote_response($commands); |
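Review bot: `$_GET['_mboxes']` is still read raw on `if (strlen($_GET['_mboxes']))` / `$deleted = $IMAP->delete_mailbox(array($_GET['_mboxes']));` and again in the rep_specialchars_output call, while this commit removes the global magic-quotes stripping that used to clean it, so with magic_quotes_gpc on a folder name containing `'` or `\` now reaches the IMAP layer backslash-escaped and the wrong mailbox is addressed or the delete fails. The subscribe and unsubscribe hunks above have the same pattern. Reading it once through the new helper, with $allow_html TRUE because folder names are not HTML and strip_tags() would truncate one containing `<`, fixes all uses: `$mboxes = get_input_value('_mboxes', RCUBE_INPUT_GET, TRUE);` then `if (strlen($mboxes)) $deleted = $IMAP->delete_mailbox(array($mboxes));` and `rep_specialchars_output($mboxes, 'js')`.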
| | |
| | | */ |
| | | |
| | | $a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'standard', 'signature'); |
| | | $a_html_cols = array('signature'); |
| | | |
| | | |
| | | // check input |
| | |
| | | |
| | | $a_write_sql[] = sprintf("%s=%s", |
| | | $DB->quoteIdentifier($col), |
| | | $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()))); |
| | | $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols)))); |
| | | } |
| | | |
| | | if (sizeof($a_write_sql)) |
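Review bot: `$a_html_cols = array('signature')` makes the signature the one identity column stored with its markup intact via `get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols))`, whereas the replaced line ran strip_tags() over every column. That is fine for the database, but it moves the XSS defence entirely to the places that render the signature back into a page (settings form, compose screen), none of which are in this hunk, so each of them needs the HTML-context escape (rep_specialchars_output with 'html', or a real sanitizer if the markup is meant to render). A one-line comment next to the array would stop the next maintainer from treating the stored value as safe: `// stored with HTML intact -- must be escaped or sanitised wherever it is displayed`. The function containing this loop starts before the hunk.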
| | |
| | | continue; |
| | | |
| | | $a_insert_cols[] = $DB->quoteIdentifier($col); |
| | | $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())); |
| | | $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols))); |
| | | } |
| | | |
| | | if (sizeof($a_insert_cols)) |