inc/base.php (bc2c260) - webinterface.git

base.php

<?php

require_once('inc/db_connect.php');

function maybe_null($value)
{
  if (strlen( (string) $value ) > 0)
    return "'".mysql_real_escape_string($value)."'";
  else
    return 'NULL';
}

function logger($scriptname, $scope, $message)
{
  $user = 'NULL';
  if ($_SESSION['role'] & ROLE_SYSTEMUSER)
    $user = "'{$_SESSION['userinfo']['username']}'";
  elseif ($_SESSION['role'] & ROLE_CUSTOMER)
    $user = "'{$_SESSION['customerinfo']['customerno']}'";
  
  $remote = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

$scriptname = mysql_real_escape_string($scriptname);
  $scope = mysql_real_escape_string($scope);
  $message = mysql_real_escape_string($message);

db_query("INSERT INTO misc.scriptlog (remote, user,scriptname,scope,message) VALUES ('{$remote}', {$user}, '{$scriptname}', '{$scope}', '{$message}');");
}

function output($arg)
{
  global $output;
  $output .= $arg;
}

function random_string($nc, $a='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') {
    $l=strlen($a)-1; $r='';
    while($nc-->0) $r.=$a{mt_rand(0,$l)};
    return $r;
 }

function user_is_sure()
{
  if (isset($_POST['really']))
  {
    if ($_POST['random_token'] == $_SESSION['are_you_sure_token'])
      return true;
    else
      system_failure("Possible Cross-site-request-forgery detected!");
  }
  elseif (isset($_POST['not_really']))
    return false;
  else
    return NULL;
}

function generate_form_token($form_id)
{
  require_once("inc/debug.php");
  $sessid = session_id();
  if ($sessid == "") 
  {
    DEBUG("Uh? Session not running? Wtf?");
    system_failure("Internal error!");
  }
  if (! isset($_SESSION['session_token']))
    $_SESSION['session_token'] = random_string(10);
  $formtoken = hash('sha256', $sessid.$form_id.$_SESSION['session_token']);
  return '<p style="display: none;"><input type="hidden" name="formtoken" value="'.$formtoken.'" /></p>'."\n";
}

function check_form_token($form_id)
{
  $formtoken = $_POST['formtoken'];
  $sessid = session_id();
  if ($sessid == "") 
  {
    DEBUG("Uh? Session not running? Wtf?");
    system_failure("Internal error!");
  }

$correct_formtoken = hash('sha256', $sessid.$form_id.$_SESSION['session_token']);

if (! ($formtoken == $correct_formtoken))
    system_failure("Possible cross-site-request-forgery!");
}

function internal_link($file, $label, $querystring = '')
{
  $debugstr = '';
  global $debugmode;
  if ($debugmode)
    $debugstr = 'debug&amp;';
  $querystring = str_replace('&', '&amp;', $querystring);

return "<a href=\"{$file}?{$debugstr}${querystring}\">{$label}</a>";
}

function html_form($form_id, $scriptname, $querystring, $content)
{
  $debugstr = '';
  global $debugmode;
  if ($debugmode)
    $debugstr = 'debug&amp;';
  $querystring = str_replace('&', '&amp;', $querystring);
  $ret = '';
  $ret .= '<form action="'.$scriptname.'?'.$debugstr.$querystring.'" method="post">'."\n";
  $ret .= generate_form_token($form_id);
  $ret .= $content;
  $ret .= '</form>';
  return $ret;  
}

webinterface.git

Sonst validiert das HTML nicht