1: <?php
  2: 
  3: /**
  4:  * functions common to both the Zenphoto core and setup's basic environment
  5:  *
  6:  * @package core
  7:  */
  8: 
  9: /**
 10:  *
 11:  * Traps errors and insures thy are logged.
 12:  * @param int $errno
 13:  * @param string $errstr
 14:  * @param string $errfile
 15:  * @param string $errline
 16:  * @return void|boolean
 17:  */
 18: function zpErrorHandler($errno, $errstr = '', $errfile = '', $errline = '') {
 19:     // check if function has been called by an exception
 20:     if (func_num_args() == 5) {
 21:         // called by trigger_error()
 22:         list($errno, $errstr, $errfile, $errline) = func_get_args();
 23:     } else {
 24:         // caught exception
 25:         $exc = func_get_arg(0);
 26:         $errno = $exc->getCode();
 27:         $errstr = $exc->getMessage();
 28:         $errfile = $exc->getFile();
 29:         $errline = $exc->getLine();
 30:     }
 31:     // if error has been supressed with an @
 32:     if (error_reporting() == 0 && !in_array($errno, array(E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE))) {
 33:         return;
 34:     }
 35:     $errorType = array(E_ERROR               => gettext('ERROR'),
 36:                     E_WARNING            => gettext('WARNING'),
 37:                     E_NOTICE             => gettext('NOTICE'),
 38:                     E_USER_ERROR     => gettext('USER ERROR'),
 39:                     E_USER_WARNING => gettext('USER WARNING'),
 40:                     E_USER_NOTICE    => gettext('USER NOTICE'),
 41:                     E_STRICT             => gettext('STRICT NOTICE')
 42:     );
 43: 
 44:     // create error message
 45: 
 46:     if (array_key_exists($errno, $errorType)) {
 47:         $err = $errorType[$errno];
 48:     } else {
 49:         $err = gettext("EXCEPTION ($errno)");
 50:         $errno = E_ERROR;
 51:     }
 52:     $msg = sprintf(gettext('%1$s: %2$s in %3$s on line %4$s'), $err, $errstr, $errfile, $errline);
 53:     debugLogBacktrace($msg, 1);
 54:     return false;
 55: }
 56: 
 57: /**
 58:  * Converts a file system filename to UTF-8 for zenphoto internal storage
 59:  *
 60:  * @param string $filename the file name to convert
 61:  * @return string
 62:  */
 63: function filesystemToInternal($filename) {
 64:     global $_zp_UTF8;
 65:     return str_replace('\\', '/', $_zp_UTF8->convert($filename, FILESYSTEM_CHARSET, LOCAL_CHARSET));
 66: }
 67: 
 68: /**
 69:  * Converts a Zenphoto Internal filename string to one compatible with the file system
 70:  *
 71:  * @param string $filename the file name to convert
 72:  * @return string
 73:  */
 74: function internalToFilesystem($filename) {
 75:     global $_zp_UTF8;
 76:     return $_zp_UTF8->convert($filename, LOCAL_CHARSET, FILESYSTEM_CHARSET);
 77: }
 78: 
 79: /**
 80:  * Takes user input meant to be used within a path to a file or folder and
 81:  * removes anything that could be insecure or malicious, or result in duplicate
 82:  * representations for the same physical file.
 83:  *
 84:  * This function is used primarily for album names.
 85:  * NOTE: The initial and trailing slashes are removed!!!
 86:  *
 87:  * Returns the sanitized path
 88:  *
 89:  * @param string $filename is the path text to filter.
 90:  * @return string
 91:  */
 92: function sanitize_path($filename) {
 93:     if (get_magic_quotes_gpc())
 94:         $filename = stripslashes(trim($filename));
 95:     $filename = strip_tags(str_replace('\\', '/', $filename));
 96:     $filename = preg_replace(array('/x00/', '/\/\/+/', '/\/\.\./', '/\/\./', '/:/', '/</', '/>/', '/\?/', '/\*/', '/\"/', '/\|/', '/\/+$/', '/^\/+/'), '', $filename);
 97:     return $filename;
 98: }
 99: 
100: /**
101:  * Checks if the input is numeric, rounds if so, otherwise returns false.
102:  *
103:  * @param mixed $num the number to be sanitized
104:  * @return int
105:  */
106: function sanitize_numeric($num) {
107:     if (is_numeric($num)) {
108:         return round($num);
109:     } else {
110:         return false;
111:     }
112: }
113: 
114: /**
115:  * removes script tags
116:  *
117:  * @param string $text
118:  * @return string
119:  */
120: function sanitize_script($text) {
121:     return preg_replace('!<script.*>.*</script>!ixs', '', $text);
122: }
123: 
124: /** Make strings generally clean.  Takes an input string and cleans out
125:  * null-bytes, slashes (if magic_quotes_gpc is on), and optionally use KSES
126:  * library to prevent XSS attacks and other malicious user input.
127:  * @param string $input_string is a string that needs cleaning.
128:  * @param string $sanitize_level is a number between 0 and 3 that describes the
129:  * type of sanitizing to perform on $input_string.
130:  *   0 - Basic sanitation. Only strips null bytes. Not recommended for submitted form data.
131:  *   1 - User specified. (User defined code is allowed. Used for descriptions and comments.)
132:  *   2 - Text style/formatting. (Text style codes allowed. Used for titles.)
133:  *   3 - Full sanitation. (Default. No code allowed. Used for text only fields)
134:  * @return string the sanitized string.
135:  */
136: function sanitize($input_string, $sanitize_level = 3) {
137:     if (is_array($input_string)) {
138:         $output_string = array();
139:         foreach ($input_string as $output_key => $output_value) {
140:             $output_string[$output_key] = sanitize($output_value, $sanitize_level);
141:         }
142:     } else {
143:         $output_string = sanitize_string($input_string, $sanitize_level);
144:     }
145:     return $output_string;
146: }
147: 
148: /**
149:  * Internal "helper" function to apply the tag removal
150:  *
151:  * @param string $input_string
152:  * @param array $allowed_tags
153:  * @return string
154:  */
155: function ksesProcess($input_string, $allowed_tags) {
156:     if (function_exists('kses')) {
157:         return kses($input_string, $allowed_tags);
158:     } else {
159:         return getBare($input_string);
160:     }
161: }
162: 
163: /**
164:  * Cleans tags and some content.
165:  * @param type $content
166:  * @return type
167:  */
168: function getBare($content) {
169:   $content = preg_replace('~<script.*?/script>~is', '', $content);
170:   $content = preg_replace('~<style.*?/style>~is', '', $content);
171:   $content = preg_replace('~<!--.*?-->~is', '', $content);
172:   $content = strip_tags($content);
173:   $content = str_replace('&nbsp;', ' ', $content);
174:   return $content;
175: }
176: 
177: /** returns a sanitized string for the sanitize function
178:  * @param string $input_string
179:  * @param string $sanitize_level See sanitize()
180:  * @return string the sanitized string.
181:  */
182: function sanitize_string($input, $sanitize_level) {
183:     // Strip slashes if get_magic_quotes_gpc is enabled.
184:     if (is_string($input)) {
185:         if (get_magic_quotes_gpc()) {
186:             $input = stripslashes($input);
187:         }
188:         $input = str_replace(chr(0), " ", $input);
189:         switch ($sanitize_level) {
190:             case 0:
191:                 return $input;
192:             case 2:
193:                 // Strips non-style tags.
194:                 $input = sanitize_script($input);
195:                 return ksesProcess($input, getAllowedTags('style_tags'));
196:             case 3:
197:                 // Full sanitation.  Strips all code.
198:                 return getBare($input);
199:  
200:             case 1:
201:                 // Text formatting sanititation.
202:                 $input = sanitize_script($input);
203:                 return ksesProcess($input, getAllowedTags('allowed_tags'));
204:             case 4:
205:             default:
206:                 // for internal use to eliminate security injections
207:                 return sanitize_script($input);
208:         }
209:     }
210:     return $input;
211: }
212: 
213: ///// database helper functions
214: 
215: /**
216:  * Prefix a table name with a user-defined string to avoid conflicts.
217:  * This MUST be used in all database queries.
218:  * @param string $tablename name of the table
219:  * @return prefixed table name
220:  * @since 0.6
221:  */
222: function prefix($tablename = NULL) {
223:     return '`' . DATABASE_PREFIX . $tablename . '`';
224: }
225: 
226: /**
227:  * Constructs a WHERE clause ("WHERE uniqueid1='uniquevalue1' AND uniqueid2='uniquevalue2' ...")
228:  *  from an array (map) of variables and their values which identifies a unique record
229:  *  in the database table.
230:  * @param string $unique_set what to add to the WHERE clause
231:  * @return contructed WHERE cleause
232:  * @since 0.6
233:  */
234: function getWhereClause($unique_set) {
235:     if (empty($unique_set))
236:         return ' ';
237:     $where = ' WHERE';
238:     foreach ($unique_set as $var => $value) {
239:         $where .= ' `' . $var . '` = ' . db_quote($value) . ' AND';
240:     }
241:     return substr($where, 0, -4);
242: }
243: 
244: /**
245:  * Constructs a SET clause ("SET uniqueid1='uniquevalue1', uniqueid2='uniquevalue2' ...")
246:  *  from an array (map) of variables and their values which identifies a unique record
247:  *  in the database table. Used to 'move' records. Note: does not check anything.
248:  * @param string $new_unique_set what to add to the SET clause
249:  * @return contructed SET cleause
250:  * @since 0.6
251:  */
252: function getSetClause($new_unique_set) {
253:     $i = 0;
254:     $set = ' SET';
255:     foreach ($new_unique_set as $var => $value) {
256:         $set .= ' `' . $var . '`=';
257:         if (is_null($value)) {
258:             $set .= 'NULL';
259:         } else {
260:             $set .= db_quote($value) . ',';
261:         }
262:     }
263:     return substr($set, 0, -1);
264: }
265: 
266: /*
267:  * returns the connected database name
268:  */
269: 
270: function db_name() {
271:     global $_zp_conf_vars;
272:     return $_zp_conf_vars['mysql_database'];
273: }
274: 
275: function db_count($table, $clause = NULL, $field = "*") {
276:     $sql = 'SELECT COUNT(' . $field . ') FROM ' . prefix($table) . ' ' . $clause;
277:     $result = query_single_row($sql);
278:     if ($result) {
279:         return array_shift($result);
280:     } else {
281:         return 0;
282:     }
283: }
284: 
285: /**
286:  * triggers an error
287:  *
288:  * @param string $message
289:  * @param int $type the PHP error type to trigger; default to E_USER_ERROR
290:  */
291: function zp_error($message, $fatal = E_USER_ERROR) {
292:     // Print the error message, to be convenient.
293:     printf(html_encode($message));
294:     trigger_error($message, $fatal);
295: }
296: 
297: function html_decode($string) {
298:     return html_entity_decode($string, ENT_QUOTES, 'UTF-8');
299: }
300: 
301: /**
302:  * encodes a pre-sanitized string to be used in an HTML text-only field (value, alt, title, etc.)
303:  *
304:  * @param string $str
305:  * @return string
306:  */
307: function html_encode($str) {
308:     return htmlspecialchars($str, ENT_FLAGS, LOCAL_CHARSET);
309: }
310: 
311: /**
312:  * HTML encodes the non-metatag part of the string.
313:  *
314:  * @param string $original string to be encoded
315:  * @param bool $allowScript set to false to prevent pass-through of script tags.
316:  * @return string
317:  */
318: function html_encodeTagged($original, $allowScript = true) {
319:     $tags = array();
320:     $str = $original;
321:     //javascript
322:     if ($allowScript) {
323:         preg_match_all('!<script.*>.*</script>!ixs', $str, $matches);
324:         foreach (array_unique($matches[0]) as $key => $tag) {
325:             $tags[2]['%' . $key . '$j'] = $tag;
326:             $str = str_replace($tag, '%' . $key . '$j', $str);
327:         }
328:     } else {
329:         $str = preg_replace('|<a(.*)href(.*)=(.*)javascript|ixs', '%$x', $str);
330:         $tags[2]['%$x'] = '&lt;a href=<strike>javascript</strike>';
331:         $str = preg_replace('|<(.*)onclick|ixs', '%$c', $str);
332:         $tags[2]['%$c'] = '&lt;<strike>onclick</strike>';
333:     }
334:     //strip html comments
335:     $str = preg_replace('~<!--.*?-->~is', '', $str);
336:     // markup
337:     preg_match_all("/<\/?\w+((\s+(\w|\w[\w-]*\w)(\s*=\s*(?:\".*?\"|'.*?'|[^'\">\s]+))?)+\s*|\s*)\/?>/i", $str, $matches);
338:     foreach (array_unique($matches[0]) as $key => $tag) {
339:         $tags[2]['%' . $key . '$s'] = $tag;
340:         $str = str_replace($tag, '%' . $key . '$s', $str);
341:     }
342:     //entities
343:     preg_match_all('/(&[a-z0-9#]+;)/i', $str, $matches);
344:     foreach (array_unique($matches[0]) as $key => $entity) {
345:         $tags[3]['%' . $key . '$e'] = $entity;
346:         $str = str_replace($entity, '%' . $key . '$e', $str);
347:     } 
348:     $str = htmlspecialchars($str, ENT_FLAGS, LOCAL_CHARSET);
349:     foreach (array_reverse($tags, true) as $taglist) {
350:         $str = strtr($str, $taglist);
351:     }
352:     if ($str != $original) {
353:         $str = zpFunctions::tidyHTML($str);
354:     }
355:     return $str;
356: }
357: 
358: /**
359:  * Makes directory recursively, returns TRUE if exists or was created sucessfuly.
360:  * Note: PHP5 includes a recursive parameter to mkdir, but it apparently does not
361:  *              does not traverse symlinks!
362:  * @param string $pathname The directory path to be created.
363:  * @return boolean TRUE if exists or made or FALSE on failure.
364:  */
365: function mkdir_recursive($pathname, $mode) {
366:     if (!is_dir(dirname($pathname))) {
367:         mkdir_recursive(dirname($pathname), $mode);
368:     }
369:     return is_dir($pathname) || @mkdir($pathname, $mode);
370: }
371: 
372: /**
373:  * Logs the calling stack
374:  *
375:  * @param string $message Message to prefix the backtrace
376:  */
377: function debugLogBacktrace($message, $omit = 0) {
378:     $output = trim($message) . "\n";
379:     // Get a backtrace.
380:     $bt = debug_backtrace();
381:     while ($omit >= 0) {
382:         array_shift($bt); // Get rid of debug_backtrace, callers in the backtrace.
383:         $omit--;
384:     }
385:     $prefix = '  ';
386:     $line = '';
387:     $caller = '';
388:     foreach ($bt as $b) {
389:         $caller = (isset($b['class']) ? $b['class'] : '') . (isset($b['type']) ? $b['type'] : '') . $b['function'];
390:         if (!empty($line)) { // skip first output to match up functions with line where they are used.
391:             $prefix .= '  ';
392:             $output .= 'from ' . $caller . ' (' . $line . ")\n" . $prefix;
393:         } else {
394:             $output .= '  ' . $caller . " called ";
395:         }
396:         $date = false;
397:         if (isset($b['file']) && isset($b['line'])) {
398:             $line = basename($b['file']) . ' [' . $b['line'] . "]";
399:         } else {
400:             $line = 'unknown';
401:         }
402:     }
403:     if (!empty($line)) {
404:         $output .= 'from ' . $line;
405:     }
406:     debugLog($output);
407: }
408: 
409: /**
410:  * Records a Var to the debug log
411:  *
412:  * @param string $message message to insert in log [optional]
413:  * @param mixed $var the variable to record
414:  */
415: function debugLogVar($message) {
416:     $args = func_get_args();
417:     if (count($args) == 1) {
418:         $var = $message;
419:         $message = '';
420:     } else {
421:         $message .= ' ';
422:         $var = $args[1];
423:     }
424:     ob_start();
425:     var_dump($var);
426:     $str = ob_get_contents();
427:     ob_end_clean();
428:     debugLog(trim($message) . "\r" . html_decode(getBare($str)));
429: }
430: 
431: /**
432:  * Returns the value of a cookie from either the cookies or from $_SESSION[]
433:  *
434:  * @param string $name the name of the cookie
435:  */
436: function zp_getCookie($name) {
437:   if (isset($_COOKIE[$name])) {
438:     $cookiev = sanitize($_COOKIE[$name]);
439:   } else {
440:     $cookiev = '';
441:   }
442:   if (DEBUG_LOGIN) {
443:     if (isset($_SESSION[$name])) {
444:       $sessionv = sanitize($_SESSION[$name]);
445:     } else {
446:       $sessionv = '';
447:     }
448:     debugLog(zp_getCookie($name) . '=::' . 'album_session=' . GALLERY_SESSION . "; SESSION[" . session_id() . "]=" . sanitize($sessionv) . ", COOKIE=" . sanitize($cookiev));
449:   }
450:   if (!empty($cookiev) && (defined('GALLERY_SESSION') && !GALLERY_SESSION)) {
451:     return zp_cookieEncode($cookiev);
452:   }
453:   if (isset($_SESSION[$name])) {
454:     return sanitize($_SESSION[$name]);
455:   }
456:   return NULL;
457: }
458: 
459: /**
460:  *
461:  * Encodes a cookie value tying it to the user IP
462:  * @param $value
463:  */
464: function zp_cookieEncode($value) {
465:     if (IP_TIED_COOKIES) {
466:         return rc4(getUserIP() . HASH_SEED, $value);
467:     } else {
468:         return $value;
469:     }
470: }
471: 
472: /**
473:  * Sets a cookie both in the browser cookies and in $_SESSION[]
474:  *
475:  * @param string $name The 'cookie' name
476:  * @param string $value The value to be stored
477:  * @param timestamp $time The time delta until the cookie expires
478:  * @param string $path The path on the server in which the cookie will be available on
479:  * @param bool $secure true if secure cookie
480:  */
481: function zp_setCookie($name, $value, $time = NULL, $path = NULL, $secure = false) {
482:   if (empty($value)) {
483:     $cookiev = '';
484:   } else {
485:     $cookiev = zp_cookieEncode(sanitize($value));
486:   }
487:   if (is_null($time)) {
488:     $time = COOKIE_PESISTENCE;
489:   }
490:   if (is_null($path)) {
491:     $path = WEBPATH;
492:   }
493:   if (substr($path, -1, 1) != '/')
494:     $path .= '/';
495:   if (DEBUG_LOGIN) {
496:     debugLog("zp_setCookie($name, $value, $time, $path)::album_session=" . GALLERY_SESSION . "; SESSION=" . session_id());
497:   }
498:   if (($time < 0) || !GALLERY_SESSION) {
499:     setcookie($name, $cookiev, time() + $time, $path, "", $secure);
500:   }
501:   if ($time < 0) {
502:     if (isset($_SESSION))
503:       unset($_SESSION[$name]);
504:     if (isset($_COOKIE))
505:       unset($_COOKIE[$name]);
506:   } else {
507:     $_SESSION[$name] = sanitize($value);
508:     $_COOKIE[$name] = sanitize($cookiev);
509:   }
510: }
511: 
512: /**
513:  *
514:  * Clears a cookie
515:  * @param string $name
516:  * @param string $path
517:  * @param bool $secure true if secure cookie
518:  */
519: function zp_clearCookie($name, $path = NULl, $secure = false) {
520:     zp_setCookie($name, '', -368000, $path, $secure);
521: }
522: 
523: /**
524:  * if $string is an serialzied array it is unserialized otherwise an appropriate array is returned
525:  *
526:  * @param string $string
527:  *
528:  * @return array
529:  */
530: function getSerializedArray($string) {
531:     if (is_array($string)) {
532:         return $string;
533:     }
534:     if (preg_match('/^a:[0-9]+:{/', $string)) {
535:         $r = @unserialize($string);
536:         if ($r) {
537:             return $r;
538:         } else {
539:             return array();
540:         }
541:     } else if (strlen($string) == 0 && !is_bool($string)) {
542:         return array();
543:     } else {
544:         return array($string);
545:     }
546: }
547: 
548: ?>
549: