
   1  <?php
   2  // Copyright (C) 1996-2004 Edikon Corporation. All rights reserved.
   3  //
   4  // This source file is part of phpShop(R).
   5  //
   6  // This file may be distributed and/or modified under the terms of the
   7  // "GNU General Public License" version 2 as published by the Free
   8  // Software Foundation and appearing in the file LICENSE.GPL included in
   9  // the packaging of this file.
  10  //
  11  // This file is provided AS IS with NO WARRANTY OF ANY KIND, INCLUDING
  12  // THE WARRANTY OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  13  // PURPOSE.
  14  //
  15  // The "GNU General Public License" (GPL) is available at
  16  // http://www.gnu.org/copyleft/gpl.html.
  17  //
  18  // Contact license@edikon.com if any conditions of this licencing isn't clear to
  19  // you.
  20  
  21  // $Id: index.php,v 1.1.1.1 2004/07/27 14:58:07 pablo Exp $
  22  
  23  // EDIT
// EDIT
// PS_BASE is the absolute path of the phpShop tree (trailing slash included);
// every require/include below is built from it, directly or via include_path.
define('PS_BASE', '/cygwin/home/pablo/htdocs/phpshop/');

// DO NOT EDIT FROM HERE ON
//**************************************************

// Set error reporting level.  Notices are masked because the script reads
// many request-derived globals that are frequently undefined.
error_reporting(E_ALL ^ E_NOTICE);

// force register_globals off
// NOTE(review): register_globals is a PHP_INI_PERDIR setting, so this
// ini_set() is a no-op at runtime; the value has to come from php.ini or
// .htaccess.  The branch below re-creates the same behaviour in userland.
ini_set("register_globals", 0);

// check if magic quotes is enabled, die if not
// magic_quotes_gpc is the only input escaping this front controller relies on
// before request values reach the db layer.  NOTE(review): the setting was
// removed in PHP 5.4; the durable replacement is escaping/parameterisation at
// each query site rather than a global transform of all input.
if (!get_magic_quotes_gpc()) {
    die("You must enable magic_quotes_gpc in php.ini in order to run phpShop. Read <a href=\"http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc\"> the docs</a>.");
}

// Set global path: ".", PS_BASE and PS_BASE/modules.  Every bare require()/
// include() later in this file resolves against this list.
ini_set("include_path", ".".PATH_SEPARATOR.PS_BASE.PATH_SEPARATOR.PS_BASE."modules");

// define webroot so that image uploads work
define("WEBROOT",dirname($_SERVER['SCRIPT_FILENAME']));

// left for backwards compatibility
define("MODROOT",PS_BASE."modules/");

// Compatibility patch to be able to leave Register_globals = off
// &&
// XSS fixes
//
// This branch re-creates register_globals in userland: with an empty prefix,
// import_request_variables("CGP", "") turns every cookie, GET and POST key
// into a plain global (PHP documents the empty prefix as a security hazard
// and raises an E_NOTICE for it, which error_reporting above masks).  The
// rest of this file depends on those globals ($page, $func, $lang, $print...).
if (function_exists ("import_request_variables") &&
  False == ini_get('register_globals')) {
  import_request_variables ("CGP","");  // php >=4.1
  // PHP 4.0-era names for the superglobals; the hardening loop below
  // rewrites these copies.
  $HTTP_GET_VARS = $_GET;
  $HTTP_POST_VARS = $_POST;
  $HTTP_COOKIE_VARS = $_COOKIE;
  $PHP_SELF = $_SERVER["PHP_SELF"];
  $SERVER_NAME = $_SERVER["SERVER_NAME"];
  $REMOTE_ADDR = $_SERVER["REMOTE_ADDR"];
  // Client-supplied request headers: fine for logging, not a trusted client
  // address unless a proxy you control sets them.
  $HTTP_X_FORWARDED_FOR = $_SERVER["HTTP_X_FORWARDED_FOR"];
  $HTTP_VIA = $_SERVER["HTTP_VIA"];
  // Expose each upload as $<field>, $<field>_name and $<field>_size.
  // NOTE(review): $k is the form field name chosen by the client, and the
  // variable-variable assignment can overwrite any global defined so far;
  // an allowlist of expected upload field names would bound this.
  foreach($_FILES as $k=>$v) {
    $$k = $v['tmp_name'];
    $k_name = $k . "_name";
    $$k_name = $v['name'];
    $k_size = $k . "_size";
    $$k_size = $v['size'];
  }
} else {
  //http://de.php.net/manual/de/function.import-request-variables.php
  //if you're stuck using a pre-4.10 version of php
  // NOTE(review): EXTR_PREFIX_ALL with an empty prefix produces names such as
  // $_page rather than $page, and nothing below reads those -- presumably this
  // branch only ever worked with register_globals on; confirm before relying
  // on it.
  extract($HTTP_GET_VARS, EXTR_PREFIX_ALL, "");
  extract($HTTP_POST_VARS, EXTR_PREFIX_ALL, "");
}

// Load Required Files: site config (DEBUG, LANGUAGE, HOMEPAGE... presumably
// live there), the MySQL wrapper, and the core admin library/includes.
// Which of these defines ps_session, ps_perm, utime(), load_module() etc. is
// not visible from this file.
require(PS_BASE. "etc/config.php");
require(PS_BASE . "db/db_mysql.inc");
require("admin/lib/ps_main.inc");
require("admin/lib/ps_include.inc");

// Timer Start (paired with the DEBUG block at the end of the file)
if (DEBUG) {
  $start = utime();
}
  87  
  88  // some input validation for offset
  89  if (!empty($_REQUEST['offset'])) {
  90    if (is_string($_REQUEST['offset']) and $_REQUEST['offset'] == (string)(int) $_REQUEST['offset']) {
  91     }
  92     else die('Please provide an permitted value for offset');
  93  }
  94  
// basic SQL inject detection
//
// A case-insensitive substring blacklist over seven request parameters; the
// first hit ends the request with die().
// NOTE(review): this is a speed bump, not a trust boundary.  Substring
// blacklists are incomplete by construction and also reject legitimate
// input (a keyword such as "description" contains 'script'; any search
// containing '=' dies).  The robust shape is type validation per parameter
// (the *_id values as integers, page/func against the registered module and
// function tables) plus escaping or parameterisation at every query site.
// Portability: each() was removed in PHP 8.0, and stristr() on an absent
// (null) parameter is deprecated from 8.1, so this loop needs a foreach and
// an isset() guard to keep running on current PHP.
$my_insecure_array = array('keyword' => $_REQUEST['keyword'],
               'category_id' => $_REQUEST['category_id'],
               'product_id' => $_REQUEST['product_id'],
               'user_id' => $_REQUEST['user_id'],
               'user_info_id' => $_REQUEST['user_info_id'],
               'page' => $_REQUEST['page'],
               'func' => $_REQUEST['func']);

while(list($key,$value)=each($my_insecure_array)) {
   if (stristr($value,'FROM ') ||
       stristr($value,'UPDATE ') ||
       stristr($value,'WHERE ') ||
       stristr($value,'ALTER ')  ||
       stristr($value,'SELECT ')  ||
       stristr($value,'SHUTDOWN ') ||
       stristr($value,'CREATE ') ||
       stristr($value,'DROP ') ||
       stristr($value,'DELETE FROM') ||
       stristr($value,'script') ||
       stristr($value,'<>') ||
       stristr($value,'=') ||
       stristr($value,'SET '))
           die('Please provide a permitted value for '.$key);
}
 120  
// Load module definitions (populated by load_module()/load_labels() below)
$module = array();
$label = array();

// Instantiate db and session class
// ps_DB, ps_session and ps_perm are provided by the requires above.
// ps_session appears to persist named globals across requests through
// register() here and save() at the end of the file; the storage mechanism
// is not visible in this file.
$db = new ps_DB;
$sess = new ps_session;
$perm = new ps_perm;
$vars = array();

// In case someone tries to be sneaky
// Reset the dispatch flags so a request variable of the same name (which the
// register_globals emulation above would have imported) cannot pre-set them.
// NOTE(review): the $$key loop further down re-imports request keys for
// non-admin sessions, so this reset alone does not settle it.  $run_dir is
// never read anywhere in this file.
$run_dir=0;
$run_func=0;

// Set default language as specified in phpshop.cfg
// $lang later forms part of an include() path (lang_$lang.inc); it is
// session-registered here but can also arrive from the request globals.
if (!isset($lang)) {
  $lang = LANGUAGE;
  $sess->register("lang");
}

// Save current page call ($page is request-supplied via the globals import)
$this_page=$page;

// Register previous page
if (!isset($last_page)) {
  $sess->register("last_page");
}
// Register the cart
if (!isset($cart)) {
  $cart = array();
  $cart["idx"] = 0;
  $sess->register("cart");
}
// Register the auth array
// $auth["perms"] is the value the permission checks below key on.
if (!isset($auth)) {
  $auth = array();
  $sess->register("auth");
}

// This is what we work with.
// $_REQUEST merges cookie, GET and POST per the ini ordering, so a cookie can
// supply any parameter the dispatch below reads.
$vars = $_REQUEST;
 162  
 163  /* start fixing security hole */
 164  function harden_parse($vars){
 165    $vars2=trim($vars);
 166    $vars2=strip_tags($vars2);
 167    $vars2=str_replace("#","&#35;",$vars2);
 168    $vars2=str_replace("(","&#40;",$vars2);
 169    $vars2=str_replace(")","&#41;",$vars2);
 170    $vars2=str_replace("%","&#37;",$vars2);
 171    return $vars2;
 172  }
// Apply harden_parse() to every request value -- but only when the session
// is not an admin/storeadmin one, so admin requests reach the modules
// unsanitised.  For each key the loop rewrites the $HTTP_POST_VARS /
// $HTTP_GET_VARS copies and then re-assigns the global of the same name.
// NOTE(review):
//  * $$key re-imports every request key as a global *after* $auth, $cart,
//    $lang, $last_page and $run_func were initialised above, so a request key
//    carrying one of those names replaces the session-derived value.  An
//    allowlist of request keys this front controller actually uses would
//    close that.
//  * Only one array level is unwrapped; a value nested two levels deep is
//    handed to harden_parse() as an array (trim() on an array).
//  * The truthiness tests on $HTTP_POST_VARS[$key] / $HTTP_GET_VARS[$key]
//    skip values such as "0", leaving those copies unhardened.
//  * $QUERY_STRING is only a global under register_globals; with the
//    emulation above it is presumably undefined here.
//  * each() was removed in PHP 8.0.
if (count($vars) && $auth["perms"]!="admin" && $auth["perms"]!="storeadmin"){
  while (list($key, $value) = each ($vars)) {
    if (is_array($value)){
      while (list($keyA, $valueA) = each ($value)) {
        $varsA[$keyA]=harden_parse($valueA);
      } $vars2[$key] = $varsA; unset ($varsA);
    }
    else { $vars2[$key]=harden_parse($value); }
    if ($HTTP_POST_VARS[$key]){ $HTTP_POST_VARS[$key]=$vars2[$key]; }
    if ($HTTP_GET_VARS[$key]){ $HTTP_GET_VARS[$key]=$vars2[$key]; }
    $$key = $vars2[$key];
  }
  $vars = $vars2;
  $QUERY_STRING = harden_parse($QUERY_STRING);
}
// A product page requested without a product id falls back to browsing.
if ($page=="shop/flypage" and !$product_id){ $page="shop/browse"; }
unset($vars2);
/* end fixing security hole */
 191  
// Get Function Permissions
// Sets $run_func if func is registered and have permission
// Displays error if function is not registered
//
// $func is request-supplied.  $ps_function->get_function() acts as the
// allowlist: only a registered function yields a class/method pair, and
// $run_func is set only after $perm->check() on its declared perms.
// $ps_function itself is presumably created by one of the requires above.
// NOTE(review): $func is interpolated into $error and later rendered; for
// non-admin sessions it has been through harden_parse(), which is not a
// full HTML escape, so the error page should still htmlspecialchars() it.
if ($func) {
  $func_list = $ps_function->get_function($func);
  if ($func_list) {
    if ($perm->check($func_list["perms"])) {
      $run_func = 1;
      $func_perms = $func_list["perms"];
      $func_class = $func_list["class"];
      $func_method = $func_list["method"];
    }
    else {
      $error_type = "Insufficient Access Rights";
      $error = "You do not have permission to execute $func.";
      $page = ERRORPAGE;
      $run_func = 0;
    }
  }
  else {
    $error_type = "Function Not Registered";
    $error = "$func is not a valid phpShop function.";
    $page = ERRORPAGE;
    $run_func = 0;
  }
}
 218  
// Get Page/Directory Permissions
// Sets $run_dir if we can run it
// Displays error if directory is not registered,
// no permission, or file does not exist
//
// $page ("module/page") is request-supplied.  dirname()/basename() split it,
// and $ps_module->get_dir($modulename) is the only check between the request
// and the require() of "$modulename/lib/ps_include.inc" below, so that
// lookup must succeed for registered module directories only.
// NOTE(review): despite the comment above, $run_dir is never set here.
if (!$page) {
  $page = HOMEPAGE;
}

$modulename = dirname("$page");
$pagename = basename("$page");

// NOTE(review): dirname() of a bare file name returns "." rather than "", so
// this fallback looks unreachable and a bare page name reaches get_dir()
// as "." -- confirm against ps_module::get_dir().
if (empty($modulename)) {
  $modulename=dirname(HOMEPAGE);
  $pagename = basename(HOMEPAGE);
}

$dir_list = $ps_module->get_dir($modulename);
if ($dir_list) {
  if ($perm->check($dir_list["perms"])) {
    // Existence check is against PS_BASE/modules; the include at the end of
    // the file resolves via include_path instead.
    if (!file_exists(PS_BASE."modules/$modulename/html/$pagename.ihtml")) {
      $error_type = "Page Does Not Exist";
      $error =  "Given filename does not exist. Cannot find file:<BR>";
      $error .= $modulename."/html/".$pagename.".ihtml";
      $page = ERRORPAGE;
    }
  }
  else {
    // No permission: send the user to login unless this request is the
    // login itself.  $page becomes $last_page, but $modulename (and the
    // module loaded just below) still belong to the page that was requested.
    if ($func != "userLogin") {
      unset($error);
      $page = $last_page;
      $vars["login"]=1;
    }
  }

  // Load MODULE (runs for the no-permission case as well)
  $module = load_module($modulename);
  require("$modulename/lib/ps_include.inc");
  $label = load_labels($modulename);
}
else {
  $error_type = "Module Not Registered";
  $error = "$modulename is not a valid phpShop module.";
  $page = ERRORPAGE;
}
 263  
// Run the function if we have permission
if ($run_func) {

  // Look up the module that owns the class/method.  $func_class and
  // $func_method come from the function table (get_function above), not
  // straight from the request, but the query is still built by string
  // interpolation; escaping them (or a parameterised query, if the db wrapper
  // offers one) would stop correctness depending on the table contents.
  $q = "SELECT module.module_name FROM module,function WHERE ";
  $q .= "module.module_id=function.module_id AND ";
  $q .= "function.function_method='$func_method' AND ";
  $q .= "function.function_class='$func_class'";
  $db->query($q);
  $db->next_record();

  // Load class definition file and run function
  // NOTE(review): the result of next_record() is not checked; with no
  // matching row module_name is empty and the path becomes "/lib/<class>.inc".
  require_once($db->f("module_name")."/lib/$func_class.inc");
  $$func_class = new $func_class;
  $ok = $$func_class->{$func_method}($vars);

  // for debug
  $cmd = $func_class.'->'.$func_method.'()';

  // Failure: stay on the login page for a login attempt, otherwise go back to
  // the previous page and show $vars["error"].
  // NOTE(review): $vars is passed by value, so unless the method declares its
  // parameter by reference (not visible here) $vars["error"] and
  // $vars["page"] read below are the request's own values; the error text
  // therefore needs escaping where it is rendered.
  if (!$ok) {
    if ($vars["login"] == "1") {
      $error = $vars["error"];
      $vars["login"]=1;
    }
    else {
      $no_last=1;
      $page = $last_page;
      $error = $vars["error"];
    }
  }
  else {
    $no_last = 0;
    unset($error);
    // Success reverts $page to the request value even when the
    // file_exists() check above had set ERRORPAGE; the include at the end
    // of the file does not re-run that check.
    $page = $vars["page"];
  }
}
 299  
// LOAD PAGE

// If this is a login, then load the appropriate module information based on
// where the login page is.  Forced when a login was requested, the page is
// already the login page, or the module permission check fails.
// NOTE(review): when $dir_list is false (unregistered module) this calls
// $perm->check(null); whether that denies is up to ps_perm -- not visible here.
if ($vars["login"] == "1" || $page==LOGINPAGE || !$perm->check($dir_list["perms"])) {
  $last_page = $this_page;
  $page = LOGINPAGE;
  $modulename = dirname($page);
  $module = load_module($modulename);
  require("$modulename/lib/ps_include.inc");
  $label = load_labels($modulename);
}

// Remember this page as the previous one unless a failed function call
// already sent us back ($no_last).
if (!$no_last) {
  $last_page = $this_page;
}
if (!$page) {
  $page = HOMEPAGE;
}
// Show the page!
// NOTE(review): by now $page may come from $last_page (session) or
// $vars["page"] (request) rather than the value that passed get_dir() and
// file_exists() above; none of the includes below re-validate it.
$modulename = dirname($page);
$pagename = basename($page) . ".ihtml";

// Load global file
require("templates/global.inc");

// Load language file for this module
// $lang is session-registered but can also be supplied by the request (see
// the $$key loop).  file_exists() only guards against a missing file; an
// allowlist of installed language codes would keep $lang out of the include
// path entirely.  The existence check is against PS_BASE while include()
// resolves via include_path.
if (file_exists(PS_BASE."$modulename/lib/lang_$lang.inc")) {
  include("$modulename/lib/lang_$lang.inc");
}
else {
  //Default to english if not set.
  include("$modulename/lib/lang_eng.inc");
}

// Load Header (skipped for the print view, $print=1 from the request)
if ($module[$modulename]["module_header"] && $print!="1") {
  include("templates/".$module[$modulename]["module_header"]);
}

// Load PAGE
include("$modulename/html/$pagename");

// Load footer
if ($module[$modulename]["module_footer"] && $print!="1") {
  include("templates/".$module[$modulename]["module_footer"]);
}

// Save the session variables for the next run
$sess->save();

// Set debug option on/off ($start comes from the DEBUG timer near the top)
if (DEBUG) {
  $end = utime();
  $runtime = $end - $start;
  $messages = dirname(DEBUGPAGE);
  $pagename = basename(DEBUGPAGE) . ".ihtml";
  include("$messages/html/$pagename");
}
 360  ?>

