diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index 001e03b268..91445d8df2 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -14,166 +14,123 @@
//
// User functions
//
-
-function normalise_data(&$data, &$normalise)
+function request_var($var_name, $default)
{
-
- $valid_data = array();
- foreach ($normalise as $var_type => $var_ary)
+ if (!isset($_REQUEST[$var_name]))
{
- foreach ($var_ary as $var_name => $var_limits)
+ return $default;
+ }
+ else
+ {
+ $var = $_REQUEST[$var_name];
+ $type = gettype($default);
+ settype($var, $type);
+
+ // Prevent use of , excess spaces or other html entity forms in profile strings,
+ // not generally applicable elsewhere
+ if ($type == 'string')
{
- $var_name = (is_string($var_name)) ? $var_name : $var_limits;
- $l_prefix = strtoupper($var_name);
+ $var = trim(preg_replace("#\s{2,}#s", ' ', strtr($var, array_flip(get_html_translation_table(HTML_ENTITIES)))));
+ }
- if (isset($data[$var_name]))
+ return $var;
+ }
+}
+
+function validate_data($data, $val_ary)
+{
+ $error = array();
+
+ foreach ($val_ary as $var => $val_seq)
+ {
+ if (!is_array($val_seq[0]))
+ {
+ $val_seq = array($val_seq);
+ }
+
+ foreach ($val_seq as $validate)
+ {
+ $function = array_shift($validate);
+ array_unshift($validate, $data[$var]);
+
+ if ($result = call_user_func_array('validate_' . $function, $validate))
{
- switch ($var_type)
- {
- case 'i':
- $valid_data[$var_name] = (int) $data[$var_name];
- break;
-
- case 'f':
- $valid_data[$var_name] = (double) $data[$var_name];
- break;
-
- case 'b':
- $valid_data[$var_name] = ($data[$var_name] <= 0) ? 0 : 1;
- break;
-
- case 's':
- // Cleanup data, remove excess spaces, convert entity forms
- $valid_data[$var_name] = trim(preg_replace('#\s{2,}#s', ' ', strtr((string) $data[$var_name], array_flip(get_html_translation_table(HTML_ENTITIES)))));
-
- // How should we check this data?
- if (!is_array($var_limits))
- {
- // Is the match a string? If it is, process it further, else we'll
- // assume it's a maximum length
- if (is_string($var_limits))
- {
- if (strstr($var_limits, ','))
- {
- list($min_value, $max_value) = explode(',', $var_limits);
- if (!empty($valid_data[$var_name]) && strlen($valid_data[$var_name]) < $min_value)
- {
- $this->error[] = $l_prefix . '_TOO_SHORT';
- }
-
- if (strlen($valid_data[$var_name]) > $max_value)
- {
- $this->error[] = $l_prefix . '_TOO_LONG';
- }
- }
- }
- else
- {
- if (strlen($valid_data[$var_name]) > $var_limits)
- {
- $this->error[] = $l_prefix . '_TOO_LONG';
- }
- }
- }
- break;
- }
+ $error[] = $result . '_' . strtoupper($var);
}
}
}
- return $valid_data;
+ return $error;
}
-// Validates data subject to supplied requirements, errors appropriately
-function validate_data(&$data, &$validate)
+function validate_string($string, $optional = false, $min = 0, $max = 0)
{
- global $db, $user, $config;
-
- foreach ($validate as $operation => $var_ary)
+ if (empty($string) && $optional)
{
- foreach ($var_ary as $var_name => $compare)
- {
- $l_prefix = strtoupper($var_name);
-
- if (!empty($compare))
- {
- switch ($operation)
- {
- case 'm':
- if (is_array($compare))
- {
- foreach ($compare as $match)
- {
- if (!preg_match($match, $data[$var_name]))
- {
- $this->error[] = $l_prefix . '_WRONG_DATA';
- }
- }
- }
- else if (!preg_match($compare, $data[$var_name]))
- {
- $this->error[] = $l_prefix . '_WRONG_DATA';
- }
- break;
-
- case 'c':
- if (is_array($compare))
- {
- if (!in_array($data[$var_name], $compare))
- {
- $this->error[] = $l_prefix . '_MISMATCH';
- }
- }
- else if ($data[$var_name] != $compare)
- {
- $this->error[] = $l_prefix . '_MISMATCH';
- }
- break;
-
- case 'f':
- if ($result = $compare($data[$var_name]))
- {
- $this->error[] = $result;
- }
-
- break;
-
- case 'r':
- if (!isset($data[$compare]) || (is_string($data[$compare]) && $data[$compare] === ''))
- {
- $this->error[] = strtoupper($compare) . '_MISSING_DATA';
- }
- break;
- }
- }
- }
+ return false;
}
+
+ if ($min && strlen($string) < $min)
+ {
+ return 'TOO_SHORT';
+ }
+ else if ($max && strlen($string) > $max)
+ {
+ return 'TOO_LONG';
+ }
+
+ return false;
}
-// Generates an alphanumeric random string of given length
-function gen_rand_string($num_chars)
+function validate_num($num, $optional = false, $min = 0, $max = 1E99)
{
- $chars = array('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9');
-
- list($usec, $sec) = explode(' ', microtime());
- mt_srand($sec * $usec);
-
- $max_chars = count($chars) - 1;
- $rand_str = '';
- for ($i = 0; $i < $num_chars; $i++)
+ if (empty($num) && $optional)
{
- $rand_str .= $chars[mt_rand(0, $max_chars)];
+ return false;
}
- return $rand_str;
-}
+ if ($num < $min)
+ {
+ return 'TOO_SMALL';
+ }
+ else if ($num > $max)
+ {
+ return 'TOO_LARGE';
+ }
+
+ return false;
+}
+
+function validate_match($string, $optional = false, $match)
+{
+ if (empty($string) && $optional)
+ {
+ return false;
+ }
+
+ if (!preg_match($match, $string))
+ {
+ return 'WRONG_DATA';
+ }
+ return false;
+}
// Check to see if the username has been taken, or if it is disallowed.
// Also checks if it includes the " character, which we don't allow in usernames.
// Used for registering, changing names, and posting anonymously with a username
function validate_username($username)
{
- global $db, $user;
+ global $config, $db, $user;
+
+ if (strtolower($user->data['username']) == strtolower($username))
+ {
+ return false;
+ }
+
+ if (!preg_match('#^' . $config['allow_name_chars'] . '$#i', $username))
+ {
+ return 'INVALID_CHARS';
+ }
$sql = 'SELECT username
FROM ' . USERS_TABLE . "
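Review bot: `request_var` (L11–L38) reads `$_REQUEST`, so the form handlers in this diff that previously passed `$_POST` to `normalise_data` (e.g. L414) now also accept the same field names from the query string and from cookies, and with the default `variables_order` a cookie can even override a posted value; if that widening is not intended, read `$_POST[$var_name]` here or take the source array as a parameter. The entity-decoding and whitespace-collapsing on L33 runs for every string value, including `new_password`, `cur_password` and `confirm_code` in the callers, although the comment on L27–L28 says it is meant for profile strings only, so a password containing `&amp;` or two consecutive spaces is silently altered before it is hashed. `settype($var, 'string')` on an array request value also yields the literal `"Array"`, so a scalar default should reject array input rather than coerce it. Finally, `validate_username` interpolates `$config['allow_name_chars']` into the pattern on L250 without the `u` modifier the removed caller used (L675), which changes matching for multi-byte names.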
@@ -231,39 +188,44 @@ function validate_email($email)
{
global $config, $db, $user;
- if (preg_match('#^[a-z0-9\.\-_\+]+?@(.*?\.)*?[a-z0-9\-_]+?\.[a-z]{2,4}$#i', $email))
+ if (strtolower($user->data['user_email']) == strtolower($email))
{
- $sql = 'SELECT ban_email
- FROM ' . BANLIST_TABLE;
- $result = $db->sql_query($sql);
-
- while ($row = $db->sql_fetchrow($result))
- {
- if (preg_match('#^' . str_replace('*', '.*?', $row['ban_email']) . '$#i', $email))
- {
- return 'EMAIL_BANNED';
- }
- }
- $db->sql_freeresult($result);
-
- if (!$config['allow_emailreuse'])
- {
- $sql = 'SELECT user_email
- FROM ' . USERS_TABLE . "
- WHERE user_email = '" . $db->sql_escape($email) . "'";
- $result = $db->sql_query($sql);
-
- if ($row = $db->sql_fetchrow($result))
- {
- return 'EMAIL_TAKEN';
- }
- $db->sql_freeresult($result);
- }
-
return false;
}
- return 'EMAIL_INVALID';
+ if (!preg_match('#^[a-z0-9\.\-_\+]+?@(.*?\.)*?[a-z0-9\-_]+?\.[a-z]{2,4}$#i', $email))
+ {
+ return 'EMAIL_INVALID';
+ }
+
+ $sql = 'SELECT ban_email
+ FROM ' . BANLIST_TABLE;
+ $result = $db->sql_query($sql);
+
+ while ($row = $db->sql_fetchrow($result))
+ {
+ if (preg_match('#^' . str_replace('*', '.*?', $row['ban_email']) . '$#i', $email))
+ {
+ return 'EMAIL_BANNED';
+ }
+ }
+ $db->sql_freeresult($result);
+
+ if (!$config['allow_emailreuse'])
+ {
+ $sql = 'SELECT user_email
+ FROM ' . USERS_TABLE . "
+ WHERE user_email = '" . $db->sql_escape($email) . "'";
+ $result = $db->sql_query($sql);
+
+ if ($row = $db->sql_fetchrow($result))
+ {
+ return 'EMAIL_TAKEN';
+ }
+ $db->sql_freeresult($result);
+ }
+
+ return false;
}
function update_username($old_name, $new_name)
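Review bot: `return 'EMAIL_BANNED'` on L305 and `return 'EMAIL_TAKEN'` on L319 leave their result sets unfreed, because `$db->sql_freeresult($result)` (L308, L321) is only reached on the fall-through path; free the result before each return, or record the verdict in a variable and return after the free. The ban-list entry on L303 is substituted into the pattern without `preg_quote`, so an entry containing `#` or other metacharacters breaks or broadens the match — quote it first and then replace the `*` wildcard, e.g. `str_replace('\*', '.*?', preg_quote($row['ban_email'], '#'))`. The early `return false` on L260–L290 for the account's current address skips the ban and reuse checks, which is presumably intended, but deserves a comment such as `// Unchanged address: skip syntax, ban and reuse checks`.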
@@ -464,6 +426,25 @@ function avatar_upload(&$data)
return false;
}
+// Generates an alphanumeric random string of given length
+function gen_rand_string($num_chars)
+{
+ $chars = array('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9');
+
+ list($usec, $sec) = explode(' ', microtime());
+ mt_srand($sec * $usec);
+
+ $max_chars = count($chars) - 1;
+ $rand_str = '';
+ for ($i = 0; $i < $num_chars; $i++)
+ {
+ $rand_str .= $chars[mt_rand(0, $max_chars)];
+ }
+
+ return $rand_str;
+}
+
+
//
// Usergroup functions
//
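Review bot: `mt_srand($sec * $usec)` on L336 reseeds the generator from the current microtime on every call, which collapses the seed space of every string this function produces to the moment it was called; if, as the `user_actkey` handling elsewhere in this diff suggests, it supplies activation keys, their unpredictability rests on that seed. Drop the explicit reseed (the runtime seeds `mt_rand` itself), and on PHP 7 and later draw each index with `random_int(0, $max_chars)` instead of `mt_rand`. The function is moved rather than new, so this is pre-existing, but the relocation is a good moment to fix it.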
diff --git a/phpBB/includes/ucp/ucp_activate.php b/phpBB/includes/ucp/ucp_activate.php
index 3c0a3fe698..9198a1c06e 100644
--- a/phpBB/includes/ucp/ucp_activate.php
+++ b/phpBB/includes/ucp/ucp_activate.php
@@ -1,23 +1,15 @@
sql_query($sql);
if ($row = $db->sql_fetchrow($result))
@@ -40,7 +34,7 @@ class ucp_activate extends ucp
else if ($row['user_actkey'] == $_GET['k'])
{
$sql_update_pass = ($row['user_newpasswd'] != '') ? ", user_password = '" . $db->sql_escape($row['user_newpasswd']) . "', user_newpasswd = ''" : '';
-z
+
$sql = "UPDATE " . USERS_TABLE . "
SET user_active = 1, user_actkey = ''" . $sql_update_pass . "
WHERE user_id = " . $row['user_id'];
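Review bot: `$row['user_actkey'] == $_GET['k']` on L360 compares the activation key with loose equality; two strings that both parse as numbers are compared numerically, and keys built from the digit-and-uppercase-letter set in `gen_rand_string` (L333) can take that form. Use `else if (isset($_GET['k']) && $row['user_actkey'] === $_GET['k'])` so the comparison is byte-wise. The if/else chain this line belongs to begins before the hunk.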
@@ -84,7 +78,7 @@ z
}
else
{
- trigger_error($user->lang['No_such_user']);
+ trigger_error($user->lang['NO_USER']);
}
$db->sql_freeresult($result);
}
diff --git a/phpBB/includes/ucp/ucp_confirm.php b/phpBB/includes/ucp/ucp_confirm.php
index fc51555c9b..11939dfb8e 100644
--- a/phpBB/includes/ucp/ucp_confirm.php
+++ b/phpBB/includes/ucp/ucp_confirm.php
@@ -1,23 +1,15 @@
data['session_id'] . "'
- AND confirm_id = '$confirm_id'";
+ $sql = 'SELECT code
+ FROM ' . CONFIRM_TABLE . "
+ WHERE session_id = '" . $db->sql_escape($user->data['session_id']) . "'
+ AND confirm_id = '" . $db->sql_escape($confirm_id) . "'";
$result = $db->sql_query($sql);
// If we have a row then grab data else create a new id
diff --git a/phpBB/includes/ucp/ucp_prefs.php b/phpBB/includes/ucp/ucp_prefs.php
index 78fc12c06e..61ca31a31c 100644
--- a/phpBB/includes/ucp/ucp_prefs.php
+++ b/phpBB/includes/ucp/ucp_prefs.php
@@ -1,23 +1,15 @@
array(
- 'dateformat'=> '3,15',
- 'lang' => '2,5',
- ),
- 'i' => array('dst', 'style'),
- 'f' => array('tz'),
- 'b' => array('viewemail', 'massemail', 'hideonline', 'notifypm', 'popuppm')
+ $var_ary = array(
+ 'dateformat' => (string) $config['default_dateformat'],
+ 'lang' => (string) $config['default_lang'],
+ 'tz' => (float) $config['board_timezone'],
+ 'style' => (int) $config['default_style'],
+ 'dst' => (bool) $config['board_dst'],
+ 'viewemail' => false,
+ 'massemail' => true,
+ 'hideonline' => false,
+ 'notifypm' => true,
+ 'popuppm' => false,
);
- $data = normalise_data($_POST, $normalise);
- $validate = array(
- 'r' => array('lang', 'tz', 'dateformat', 'style'),
- 'm' => array(
- 'lang' => ($data['lang']) ? '#^[a-z_]+$#i' : '',
- ),
+ foreach ($var_ary as $var => $default)
+ {
+ $data[$var] = request_var($var, $default);
+ }
+
+ $var_ary = array(
+ 'dateformat' => array('string', false, 3, 15),
+ 'lang' => array('match', false, '#^[a-z_]{2,}$#i'),
+ 'tz' => array('num', false, -13, 13),
);
- validate_data($data, $validate);
- if (!sizeof($this->error))
+ $error = validate_data($data, $var_ary);
+ extract($data);
+ unset($data);
+
+ if (!sizeof($error))
{
$sql_ary = array(
- 'user_allow_viewemail' => $data['viewemail'],
- 'user_allow_massemail' => $data['massemail'],
- 'user_allow_viewonline' => ($auth->acl_get('u_hideonline')) ? !$data['hideonline'] : $user->data['user_allow_viewonline'],
- 'user_notify_pm' => $data['notifypm'],
- 'user_popup_pm' => $data['popuppm'],
- 'user_dst' => $data['dst'],
- 'user_dateformat' => $data['dateformat'],
- 'user_lang' => $data['lang'],
- 'user_timezone' => $data['tz'],
- 'user_style' => $data['style'],
+ 'user_allow_viewemail' => $viewemail,
+ 'user_allow_massemail' => $massemail,
+ 'user_allow_viewonline' => ($auth->acl_get('u_hideonline')) ? !$hideonline : $user->data['user_allow_viewonline'],
+ 'user_notify_pm' => $notifypm,
+ 'user_popup_pm' => $popuppm,
+
+ 'user_dst' => $dst,
+ 'user_dateformat' => $dateformat,
+ 'user_lang' => $lang,
+ 'user_timezone' => $tz,
+ 'user_style' => $style,
);
$sql = 'UPDATE ' . USERS_TABLE . '
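Review bot: `extract($data); unset($data);` on L433–L434 turns the request-derived array into bare locals, so the save block below reads `$viewemail`, `$tz`, `$style` and so on with nothing in the code marking them as user input; the same pattern recurs at L520–L521, L695–L696, L820–L821 and L1036–L1037, and the 'post' branch reaches the same effect with variable variables (`$$var`, L587). The keys are fixed by `$var_ary`, so this is not an injection vector, but it defeats static analysis and hides any shadowing of earlier locals; referencing `$data['viewemail']` etc. directly in `$sql_ary` keeps the provenance visible at no cost. `$data` is also not initialised before the loop on L420–L423 in this hunk; if it is not set earlier in the method, add `$data = array();` so a stale value cannot leak in.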
@@ -85,10 +88,6 @@ class ucp_prefs extends ucp
$message = $user->lang['PREFERENCES_UPDATED'] . '
' . sprintf($user->lang['RETURN_UCP'], "", '');
trigger_error($message);
}
-
- //
- extract($data);
- unset($data);
}
$viewemail = (isset($viewemail)) ? $viewemail : $user->data['user_allow_viewemail'];
@@ -116,7 +115,7 @@ class ucp_prefs extends ucp
$tz = (isset($tz)) ? $tz : $user->data['user_timezone'];
$template->assign_vars(array(
- 'ERROR' => (sizeof($this->error)) ? implode('
', $this->error) : '',
+ 'ERROR' => (sizeof($error)) ? implode('
', $error) : '',
'VIEW_EMAIL_YES' => $view_email_yes,
'VIEW_EMAIL_NO' => $view_email_no,
@@ -143,32 +142,48 @@ class ucp_prefs extends ucp
case 'view':
- if (isset($_POST['submit']))
+ if ($submit)
{
- $data = array();
- $normalise = array(
- 's' => array(
- 'sk' => '1,1',
- 'sd' => '1,1',
- ),
- 'i' => array('st', 'minkarma'),
- 'b' => array('images', 'flash', 'smilies', 'sigs', 'avatars', 'wordcensor'),
+ $var_ary = array(
+ 'sk' => (string) 't',
+ 'sd' => (string) 'd',
+ 'st' => 0,
+ 'minkarma' => (int) -5,
+ 'images' => true,
+ 'flash' => false,
+ 'smilies' => true,
+ 'sigs' => true,
+ 'avatars' => true,
+ 'wordcensor'=> false,
);
- $data = normalise_data($_POST, $normalise);
- if (!sizeof($this->error))
+ foreach ($var_ary as $var => $default)
+ {
+ $data[$var] = request_var($var, $default);
+ }
+
+ $var_ary = array(
+ 'sk' => array('string', false, 1, 1),
+ 'sd' => array('string', false, 1, 1),
+ );
+
+ $error = validate_data($data, $var_ary);
+ extract($data);
+ unset($data);
+
+ if (!sizeof($error))
{
$sql_ary = array(
- 'user_viewimg' => $data['images'],
- 'user_viewflash' => $data['flash'],
- 'user_viewsmilies' => $data['smilies'],
- 'user_viewsigs' => $data['sigs'],
- 'user_viewavatars' => $data['avatars'],
- 'user_viewcensors' => ($auth->acl_get('u_chgcensors')) ? $data['wordcensor'] : $user->data['user_viewcensors'],
- 'user_sortby_type' => $data['sk'],
- 'user_sortby_dir' => $data['sd'],
- 'user_show_days' => $data['st'],
- 'user_min_karma' => $data['minkarma'],
+ 'user_viewimg' => $images,
+ 'user_viewflash' => $flash,
+ 'user_viewsmilies' => $smilies,
+ 'user_viewsigs' => $sigs,
+ 'user_viewavatars' => $avatars,
+ 'user_viewcensors' => ($auth->acl_get('u_chgcensors')) ? $wordcensor : $user->data['user_viewcensors'],
+ 'user_sortby_type' => $sk,
+ 'user_sortby_dir' => $sd,
+ 'user_show_days' => $st,
+ 'user_min_karma' => $minkarma,
);
$sql = 'UPDATE ' . USERS_TABLE . '
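Review bot: `'sk' => array('string', false, 1, 1)` and the matching `'sd'` rule on L515–L516 only check that the value is exactly one character, not that it is one of the sort keys or directions the board understands, and `$sk`/`$sd` are then persisted as `user_sortby_type`/`user_sortby_dir` (L542–L543) where later sorting code presumably reads them back. Narrow them at this boundary with a second rule, for example `array('match', false, '#^[a-z]$#')`, or better a strict `in_array` against the known values. The removed `normalise_data` rule (`'1,1'`, L490–L491) was the same length-only check, so this is pre-existing rather than a regression.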
@@ -180,10 +195,6 @@ class ucp_prefs extends ucp
$message = $user->lang['PREFERENCES_UPDATED'] . '
' . sprintf($user->lang['RETURN_UCP'], "", '');
trigger_error($message);
}
-
- //
- extract($data);
- unset($data);
}
$sk = (isset($sk)) ? $sk : ((!empty($user->data['user_sortby_type'])) ? $user->data['user_sortby_type'] : 't');
@@ -227,7 +238,7 @@ class ucp_prefs extends ucp
$wordcensor_no = (!$wordcensor) ? ' checked="checked"' : '';
$template->assign_vars(array(
- 'ERROR' => (sizeof($this->error)) ? implode('
', $this->error) : '',
+ 'ERROR' => (sizeof($error)) ? implode('
', $error) : '',
'VIEW_IMAGES_YES' => $images_yes,
'VIEW_IMAGES_NO' => $images_no,
@@ -253,22 +264,29 @@ class ucp_prefs extends ucp
case 'post':
- if (isset($_POST['submit']))
+ if ($submit)
{
- $data = array();
- $normalise = array(
- 'b' => array('bbcode', 'html', 'smilies', 'sig', 'notify'),
+ $var_ary = array(
+ 'bbcode' => true,
+ 'html' => false,
+ 'smilies' => true,
+ 'sig' => true,
+ 'notify' => false,
);
- $data = normalise_data($_POST, $normalise);
- if (!sizeof($this->error))
+ foreach ($var_ary as $var => $default)
+ {
+ $$var = request_var($var, $default);
+ }
+
+ if (!sizeof($error))
{
$sql_ary = array(
- 'user_allowbbcode' => $data['bbcode'],
- 'user_allowhtml' => $data['html'],
- 'user_allowsmile' => $data['smilies'],
- 'user_attachsig' => $data['sig'],
- 'user_notify' => $data['notify'],
+ 'user_allowbbcode' => $bbcode,
+ 'user_allowhtml' => $html,
+ 'user_allowsmile' => $smilies,
+ 'user_attachsig' => $sig,
+ 'user_notify' => $notify,
);
$sql = 'UPDATE ' . USERS_TABLE . '
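Review bot: `if (!sizeof($error))` on L590 tests a variable this branch never assigns — unlike the view and prefs branches there is no `validate_data` call — so it relies on `$error` being initialised earlier in the method, which is outside the hunk; `sizeof(null)` is 0 on old PHP but warns from 7.2, so add `$error = array();` (or a validation table) at the top of the branch. The loop on L585–L588 also fills variable variables (`$$var = request_var($var, $default);`) while the sibling branches fill `$data[$var]` and `extract`; use one form throughout the module so the origin of `$bbcode`, `$html` and friends is consistent.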
@@ -280,10 +298,6 @@ class ucp_prefs extends ucp
$message = $user->lang['PREFERENCES_UPDATED'] . '
' . sprintf($user->lang['RETURN_UCP'], "", '');
trigger_error($message);
}
-
- //
- extract($data);
- unset($data);
}
$bbcode = (isset($bbcode)) ? $bbcode : $user->data['user_allowbbcode'];
@@ -303,7 +317,7 @@ class ucp_prefs extends ucp
$notify_no = (!$notify) ? ' checked="checked"' : '';
$template->assign_vars(array(
- 'ERROR' => (sizeof($this->error)) ? implode('
', $this->error) : '',
+ 'ERROR' => (sizeof($error)) ? implode('
', $error) : '',
'DEFAULT_BBCODE_YES' => $bbcode_yes,
'DEFAULT_BBCODE_NO' => $bbcode_no,
diff --git a/phpBB/includes/ucp/ucp_profile.php b/phpBB/includes/ucp/ucp_profile.php
index 8db52ed593..666fa2ae97 100644
--- a/phpBB/includes/ucp/ucp_profile.php
+++ b/phpBB/includes/ucp/ucp_profile.php
@@ -23,7 +23,8 @@ class ucp_profile extends ucp
$submode = (isset($_GET['mode'])) ? htmlspecialchars($_GET['mode']) : 'reg_details';
$preview = (isset($_POST['preview'])) ? true : false;
$submit = (isset($_POST['submit'])) ? true : false;
- $error = array();
+ $delete = (isset($_POST['delete'])) ? true : false;
+ $error = $data = array();
$submodules['REG_DETAILS'] = "i=$id&mode=reg_details";
$submodules['PROFILE_INFO'] = "i=$id&mode=profile_info";
@@ -39,48 +40,56 @@ class ucp_profile extends ucp
if ($submit)
{
-
-
- $normalise = array(
- 's' => array(
- 'username' => $config['min_name_chars'] . ',' . $config['max_name_chars'],
- 'password_confirm' => $config['min_pass_chars'] . ',' . $config['max_pass_chars'],
- 'new_password' => $config['min_pass_chars'] . ',' . $config['max_pass_chars'],
- 'cur_password' => $config['min_pass_chars'] . ',' . $config['max_pass_chars'],
- 'email' => '7,60',
- 'email_confirm' => '7,60',
- )
+ $var_ary = array(
+ 'username' => $user->data['username'],
+ 'email' => $user->data['user_email'],
+ 'email_confirm' => (string) '',
+ 'new_password' => (string) '',
+ 'cur_password' => (string) '',
+ 'password_confirm' => (string) '',
);
- $data = normalise_data($_POST, $normalise);
- // md5 current password for checking
- $data['cur_password'] = md5($data['cur_password']);
+ foreach ($var_ary as $var => $default)
+ {
+ $data[$var] = request_var($var, $default);
+ }
- $validate = array(
- 'r' => array('username', 'email'),
- 'c' => array(
- 'password_confirm' => ($data['new_password']) ? $data['new_password'] : '',
- 'cur_password' => ($data['new_password'] || $data['email'] != $user->data['user_email'] || $data['username'] != $user->data['username']) ? $user->data['user_password'] : '',
- 'email_confirm' => ($data['email'] != $user->data['user_email']) ? $data['email'] : '',
- ),
- 'm' => array(
- 'username' => ($data['username'] != $user->data['username']) ? '#^' . preg_replace('#/{1}#', '\\', $config['allow_name_chars']) . '$#iu' : '',
- ),
- 'f' => array(
- 'username' => ($data['username'] != $user->data['username']) ? 'validate_username' : '',
- 'email' => ($data['email'] != $user->data['user_email']) ? 'validate_email' : '',
- ),
+ $var_ary = array(
+ 'username' => array(
+ array('string', false, $config['min_name_chars'], $config['max_name_chars']),
+ array('username', $username)),
+ 'password_confirm' => array('string', true, $config['min_pass_chars'], $config['max_pass_chars']),
+ 'new_password' => array('string', true, $config['min_pass_chars'], $config['max_pass_chars']),
+ 'cur_password' => array('string', true, $config['min_pass_chars'], $config['max_pass_chars']),
+ 'email' => array(
+ array('string', false, 6, 60),
+ array('email', $email)),
+ 'email_confirm' => array('string', true, 6, 60),
);
- validate_data($data, $validate);
+ $error = validate_data($data, $var_ary);
+ extract($data);
+ unset($data);
+ if ($auth->acl_get('u_chgpasswd') && $new_password && md5($password_confirm) != $user->data['user_password'])
+ {
+ $error[] = 'NEW_PASSWORD_ERROR';
+ }
+ if ((($auth->acl_get('u_chgemail') && $email != $user->data['user_email']) || ($username != $user->data['username'] && $auth->acl_get('u_chgname') && $config['allow_namechange'])) && md5($cur_password) != $user->data['user_password'])
+ {
+ $error[] = 'CUR_PASSWORD_ERROR';
+ }
+ if ($auth->acl_get('u_chgemail') && $email != $user->data['user_email'] && $email_confirm != $email)
+ {
+ $error[] = 'NEW_EMAIL_ERROR';
+ }
- if (!sizeof($this->error))
+ if (!sizeof($error))
{
$sql_ary = array(
- 'username' => ($auth->acl_get('u_chgname') && $config['allow_namechange']) ? $data['username'] : $user->data['username'],
- 'user_email' => ($auth->acl_get('u_chgemail')) ? $data['email'] : $user->data['user_email'],
- 'user_password' => ($auth->acl_get('u_chgpasswd') && !empty($data['user_password'])) ? md5($data['username']) : $user->data['user_password']
+ 'username' => ($auth->acl_get('u_chgname') && $config['allow_namechange']) ? $username : $user->data['username'],
+ 'user_email' => ($auth->acl_get('u_chgemail')) ? $email : $user->data['user_email'],
+ 'user_password' => ($auth->acl_get('u_chgpasswd')) ? md5($user_password) : $user->data['user_password']
);
$sql = 'UPDATE ' . USERS_TABLE . '
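Review bot: `md5($user_password)` on L718 hashes a variable that is never populated — the collected fields are `new_password`, `cur_password` and `password_confirm` (L652–L659) — so any user with `u_chgpasswd` who saves this form gets their password replaced by the MD5 of an empty value even when the password fields were left blank; it should read `'user_password' => ($auth->acl_get('u_chgpasswd') && $new_password) ? md5($new_password) : $user->data['user_password']`. On L697 the confirmation is checked against the stored hash of the current password instead of against the new one; the intended test is `if ($auth->acl_get('u_chgpasswd') && $new_password && $password_confirm != $new_password)`. L701 compares two hex digests with `!=`, and loose equality compares numeric-looking strings numerically, so use `!==` here and wherever a hash or token is compared. Finally, `$username` on L684 and `$email` on L690 are read before `extract($data)` on L695 has run, so they are undefined there; `validate_username` and `validate_email` take a single argument, so the extra element should be dropped — the same applies to L1021 and L1026 in ucp_register.php.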
@@ -89,25 +98,21 @@ class ucp_profile extends ucp
$db->sql_query($sql);
// Need to update config, forum, topic, posting, messages, etc.
- if ($data['username'] != $user->data['username'] && $auth->acl_get('u_chgname') & $config['allow_namechange'])
+ if ($username != $user->data['username'] && $auth->acl_get('u_chgname') && $config['allow_namechange'])
{
- update_username($user->data['username'], $data['username']);
+ update_username($user->data['username'], $username);
}
meta_refresh(3, "ucp.$phpEx$SID&i=$id&mode=$submode");
$message = $user->lang['PROFILE_UPDATED'] . '
' . sprintf($user->lang['RETURN_UCP'], "", '');
trigger_error($message);
}
-
- //
- extract($data);
- unset($data);
}
$user_char_ary = array('.*' => 'USERNAME_CHARS_ANY', '[\w]+' => 'USERNAME_ALPHA_ONLY', '[\w_\+\. \-\[\]]+' => 'USERNAME_ALPHA_SPACERS');
$template->assign_vars(array(
- 'ERROR' => (sizeof($this->error)) ? implode('
', $this->error) : '',
+ 'ERROR' => (sizeof($error)) ? implode('
', $error) : '',
'USERNAME' => (isset($username)) ? stripslashes($username) : $user->data['username'],
'EMAIL' => (isset($email)) ? stripslashes($email) : $user->data['user_email'],
@@ -122,51 +127,70 @@ class ucp_profile extends ucp
'S_CHANGE_EMAIL' => ($auth->acl_get('u_chgemail')) ? true : false,
'S_CHANGE_PASSWORD' => ($auth->acl_get('u_chgpasswd')) ? true : false)
);
-
break;
case 'profile_info':
- if (isset($_POST['submit']))
+ if ($submit)
{
- $data = array();
- $normalise = array(
- 's' => array(
- 'icq' => '3,15',
- 'aim' => '5,255',
- 'msn' => '5,255',
- 'yim' => '5,255',
- 'jabber' => '5,255',
- 'website' => '12,255',
- 'location' => '2,100',
- 'occupation'=> '2,500',
- 'interests' => '2,500',
- ),
- 'i' => array('bday_day', 'bday_month', 'bday_year')
+ $var_ary = array(
+ 'icq' => (string) '',
+ 'aim' => (string) '',
+ 'msn' => (string) '',
+ 'yim' => (string) '',
+ 'jabber' => (string) '',
+ 'website' => (string) '',
+ 'location' => (string) '',
+ 'occupation' => (string) '',
+ 'interests' => (string) '',
+ 'bday_day' => 0,
+ 'bday_month' => 0,
+ 'bday_year' => 0,
);
- $data = normalise_data($_POST, $normalise);
- $validate = array(
- 'm' => array(
- 'icq' => ($data['icq']) ? '#^[0-9]+$#i' : '',
- 'website' => ($data['website']) ? '#^http[s]?://(.*?\.)*?[a-z0-9\-]+\.[a-z]{2,4}#i' : '',
- ),
+ foreach ($var_ary as $var => $default)
+ {
+ $data[$var] = request_var($var, $default);
+ }
+
+ $var_ary = array(
+ 'icq' => array(
+ array('string', true, 3, 15),
+ array('match', true, '#^[0-9]+$#i')),
+ 'aim' => array('string', true, 5, 255),
+ 'msn' => array('string', true, 5, 255),
+ 'jabber' => array(
+ array('string', true, 5, 255),
+ array('match', true, '#^[a-z0-9\.\-_\+]+?@(.*?\.)*?[a-z0-9\-_]+?\.[a-z]{2,4}(/.*)?$#i')),
+ 'yim' => array('string', true, 5, 255),
+ 'website' => array(
+ array('string', true, 12, 255),
+ array('match', true, '#^http[s]?://(.*?\.)*?[a-z0-9\-]+\.[a-z]{2,4}#i')),
+ 'location' => array('string', true, 2, 255),
+ 'occupation' => array('string', true, 2, 500),
+ 'interests' => array('string', true, 2, 500),
+ 'bday_day' => array('num', true, 1, 31),
+ 'bday_month' => array('num', true, 1, 12),
+ 'bday_year' => array('num', true, 1901, gmdate('Y', time())),
);
- validate_data($data, $validate);
- if (!sizeof($this->error))
+ $error = validate_data($data, $var_ary);
+ extract($data);
+ unset($data);
+
+ if (!sizeof($error))
{
$sql_ary = array(
- 'user_icq' => $data['icq'],
- 'user_aim' => $data['aim'],
- 'user_msnm' => $data['msn'],
- 'user_yim' => $data['yim'],
- 'user_jabber' => $data['jabber'],
- 'user_website' => $data['website'],
- 'user_from' => $data['location'],
- 'user_occ' => $data['occupation'],
- 'user_interests'=> $data['interests'],
- 'user_birthday' => sprintf('%2d-%2d-%4d', $data['bday_day'], $data['bday_month'], $data['bday_year']),
+ 'user_icq' => $icq,
+ 'user_aim' => $aim,
+ 'user_msnm' => $msn,
+ 'user_yim' => $yim,
+ 'user_jabber' => $jabber,
+ 'user_website' => $website,
+ 'user_from' => $location,
+ 'user_occ' => $occupation,
+ 'user_interests'=> $interests,
+ 'user_birthday' => sprintf('%2d-%2d-%4d', $bday_day, $bday_month, $bday_year),
);
$sql = 'UPDATE ' . USERS_TABLE . '
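Review bot: the free-text values stored on L836–L845 (`$location`, `$occupation`, `$interests` and the messenger handles) have already had HTML entity forms decoded by `request_var` (L33 in functions_user.php) before they reach the length checks on L797–L816, so `&lt;` arrives here as a literal `<` and nothing in this path re-encodes it; that is fine if every template output of these columns escapes them, but the render path is not visible in the diff, so confirm it. `$website` is the one field with a scheme rule (`#^http[s]?://…#i`, L809), which is the right boundary check for a value later rendered as a link; the three birthday fields are range-checked individually (L813–L815) but not as a combined date, so `31-2-1990` still passes into the `sprintf` on L845.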
@@ -178,10 +202,6 @@ class ucp_profile extends ucp
$message = $user->lang['PROFILE_UPDATED'] . '
' . sprintf($user->lang['RETURN_UCP'], "", '');
trigger_error($message);
}
-
- //
- extract($data);
- unset($data);
}
if (!isset($bday_day))
@@ -214,7 +234,7 @@ class ucp_profile extends ucp
unset($now);
$template->assign_vars(array(
- 'ERROR' => (sizeof($this->error)) ? implode('
', $this->error) : '',
+ 'ERROR' => (sizeof($error)) ? implode('
', $error) : '',
'ICQ' => (isset($icq)) ? $icq : $user->data['user_icq'],
'YIM' => (isset($yim)) ? $yim : $user->data['user_yim'],
@@ -349,43 +369,50 @@ class ucp_profile extends ucp
// Can we upload?
$can_upload = ($config['allow_avatar_upload'] && file_exists($phpbb_root_path . $config['avatar_path']) && is_writeable($phpbb_root_path . $config['avatar_path']) && $auth->acl_get('u_chgavatar') && (@ini_get('file_uploads') || @ini_get('file_uploads') == 'On')) ? true : false;
- if (isset($_POST['submit']))
+ if ($submit)
{
- $data = array();
- if (!empty($_FILES['uploadfile']['tmp_name']) && $can_upload)
- {
- $this->error = avatar_upload($data);
- }
- else if (!empty($_POST['uploadurl']) && $can_upload)
- {
- $normalise = array(
- 's' => array(
- 'uploadurl' => '1,255',
- )
- );
- $data = normalise_data($_POST, $normalise);
+ $var_ary = array(
+ 'uploadurl' => (string) '',
+ 'remotelink' => (string) '',
+ 'width' => (string) '',
+ 'height' => (string) '',
+ );
- $this->error = avatar_upload($data);
- }
- else if (!empty($_POST['remotelink']) && $auth->acl_get('u_chgavatar') && $config['allow_avatar_remote'])
+ foreach ($var_ary as $var => $default)
{
- $normalise = array(
- 's' => array(
- 'remotelink' => '1,255',
- 'width' => '1,3',
- 'height' => '1,3',
- )
- );
- $data = normalise_data($_POST, $normalise);
-
- $this->error = avatar_remote($data);
- }
- else if (!empty($_POST['delete']) && $auth->acl_get('u_chgavatar'))
- {
- $data['filename'] = $data['width'] = $data['height'] = '';
+ $data[$var] = request_var($var, $default);
}
- if (!$this->error)
+ $var_ary = array(
+ 'uploadurl' => array('string', false, 5, 255),
+ 'remotelink' => array('string', true, 5, 255),
+ 'width' => array('string', true, 1, 3),
+ 'height' => array('string', true, 1, 3),
+ );
+
+ $error = validate_data($data, $var_ary);
+
+ if (!sizeof($error))
+ {
+ if (!empty($_FILES['uploadfile']['tmp_name']) && $can_upload)
+ {
+ $error = avatar_upload($data);
+ }
+ else if ($data['uploadurl'] && $can_upload)
+ {
+ $error = avatar_upload($uploadurl);
+ }
+ else if ($data['remotelink'] && $auth->acl_get('u_chgavatar') && $config['allow_avatar_remote'])
+ {
+ $error = avatar_remote($data);
+ }
+ else if ($delete && $auth->acl_get('u_chgavatar'))
+ {
+ $data['filename'] = $data['width'] = $data['height'] = '';
+ }
+ }
+
+ if (!sizeof($error))
{
// Do we actually have any data to update?
if (sizeof($data))
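Review bot: `avatar_upload($uploadurl)` on L932 passes a variable that does not exist yet — `extract($data)` only runs at L952, after this block — and `avatar_upload` takes its argument by reference (`function avatar_upload(&$data)`, L327), so it receives a freshly created null instead of the URL; it should be `$error = avatar_upload($data);` as in the file branch on L928. The rule `'uploadurl' => array('string', false, 5, 255)` on L916 marks the URL as required, so a user who uploads a file, sets a remote link, or presses delete with the URL field empty gets `TOO_SHORT_UPLOADURL` from `validate_data` (L922) and never reaches the branches on L926–L941; it should be optional, `array('string', true, 5, 255)`, like the others. The enclosing `if ($submit)` block (L872) continues past the hunk.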
@@ -414,12 +441,10 @@ class ucp_profile extends ucp
trigger_error($message);
}
- //
extract($data);
unset($data);
}
-
// Generate users avatar
$avatar_img = '';
if ($user->data['user_avatar'])
@@ -434,13 +459,11 @@ class ucp_profile extends ucp
break;
}
$avatar_img .= $user->data['user_avatar'];
-
$avatar_img = '
';
}
-
$template->assign_vars(array(
- 'ERROR' => ($this->error) ? $this->error : '',
+ 'ERROR' => ($error) ? $error : '',
'AVATAR' => $avatar_img,
'AVATAR_SIZE' => $config['avatar_filesize'],
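Review bot: `'ERROR' => ($error) ? $error : ''` on L970 hands `$error` to the template as-is, but in this submode `$error` is now the array returned by `validate_data` (L922) or whatever `avatar_upload`/`avatar_remote` return (their return type is not visible here), whereas the sibling submodes pass `implode(...)` of the array (L744–L745); a validation failure on this tab would therefore assign an array to the template variable. Mirror the other branches — `'ERROR' => (sizeof($error)) ? implode(<same separator as L744>, $error) : ''` — and, if `avatar_upload` returns a string, wrap it in an array at L928/L932/L936 so `$error` has one shape.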
diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php
index de1d619117..e75ed2a750 100644
--- a/phpBB/includes/ucp/ucp_register.php
+++ b/phpBB/includes/ucp/ucp_register.php
@@ -1,23 +1,15 @@
array(
- 'username' => $config['min_name_chars'] . ',' . $config['max_name_chars'],
- 'password_confirm' => $config['min_pass_chars'] . ',' . $config['max_pass_chars'],
- 'new_password' => $config['min_pass_chars'] . ',' . $config['max_pass_chars'],
- 'lang' => '1,50',
- 'confirm_code' => '6,6',
- 'email' => '7,60',
- 'email_confirm' => '7,60',
- ),
- 'f' => array('tz')
+ $var_ary = array(
+ 'username' => (string) '',
+ 'password_confirm' => (string) '',
+ 'new_password' => (string) '',
+ 'cur_password' => (string) '',
+ 'email' => (string) '',
+ 'email_confirm' => (string) '',
+ 'confirm_code' => (string) '',
+ 'lang' => (string) $config['default_lang'],
+ 'tz' => (float) $config['board_timezone'],
);
- $data = normalise_data($_POST, $normalise);
- $validate = array(
- 'r' => array('username', 'email', 'email_confirm', 'new_password', 'password_confirm', 'lang', 'confirm_code', 'tz'),
- 'c' => array(
- 'password_confirm' => $data['new_password'],
- 'email_confirm' => $data['email'],
- ),
- 'm' => array(
- 'username' => '#^' . preg_replace('#/{1}#', '\\', $config['allow_name_chars']) . '$#iu',
- ),
- 'f' => array(
- 'username' => 'validate_username',
- 'email' => 'validate_email',
- ),
+ foreach ($var_ary as $var => $default)
+ {
+ $data[$var] = request_var($var, $default);
+ }
+
+ $var_ary = array(
+ 'username' => array(
+ array('string', false, $config['min_name_chars'], $config['max_name_chars']),
+ array('username', $username)),
+ 'password_confirm' => array('string', false, $config['min_pass_chars'], $config['max_pass_chars']),
+ 'new_password' => array('string', false, $config['min_pass_chars'], $config['max_pass_chars']),
+ 'email' => array(
+ array('string', false, 6, 60),
+ array('email', $email)),
+ 'email_confirm' => array('string', false, 6, 60),
+ 'confirm_code' => array('string', !$config['enable_confirm'], 6, 6),
+ 'dateformat' => array('string', false, 3, 15),
+ 'tz' => array('num', false, -13, 13),
+ 'lang' => array('match', false, '#^[a-z_]{2,}$#i'),
);
- validate_data($data, $validate);
+
+ $error = validate_data($data, $var_ary);
+ extract($data);
+ unset($data);
// Visual Confirmation handling
if ($config['enable_confirm'])
{
- if (empty($_POST['confirm_id']))
+ if (!$confirm_id)
{
- $this->error[] = $user->lang['CONFIRM_CODE_WRONG'];
+ $error[] = $user->lang['CONFIRM_CODE_WRONG'];
}
else
{
$sql = 'SELECT code
FROM ' . CONFIRM_TABLE . "
- WHERE confirm_id = '" . $_POST['confirm_id'] . "'
- AND session_id = '" . $user->data['session_id'] . "'";
+ WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "'
+ AND session_id = '" . $db->sql_escape($user->data['session_id']) . "'";
$result = $db->sql_query($sql);
if ($row = $db->sql_fetchrow($result))
{
if ($row['code'] != $data['confirm_code'])
{
- $this->error[] = $user->lang['CONFIRM_CODE_WRONG'];
+ $error[] = $user->lang['CONFIRM_CODE_WRONG'];
}
else
{
$sql = 'DELETE FROM ' . CONFIRM_TABLE . "
- WHERE confirm_id = '" . $_POST['confirm_id'] . "'
- AND session_id = '" . $user->data['session_id'] . "'";
+ WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "'
+ AND session_id = '" . $db->sql_escape($user->data['session_id']) . "'";
$db->sql_query($sql);
}
}
else
{
- $this->error[] = $user->lang['CONFIRM_CODE_WRONG'];
+ $error[] = $user->lang['CONFIRM_CODE_WRONG'];
}
$db->sql_freeresult($result);
}
}
- if (!sizeof($this->error))
+ if (!sizeof($error))
{
$server_url = generate_board_url();
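Review bot: `$data['confirm_code']` on L1058 is read after `unset($data)` on L1037, so it is always null and every submitted code is rejected whenever `enable_confirm` is on; it should be `if ($row['code'] !== $confirm_code)` (strict, since both sides are strings and loose equality compares numeric-looking strings numerically). The validation table also lists `'dateformat'` (L1029) although no such field is collected on L988–L998, so `validate_string` runs on an undefined value with `optional = false` and a minimum of 3 and adds `TOO_SHORT_DATEFORMAT` to every registration — drop that row. `$confirm_id` (L1042, L1053, L1068) is not among the collected fields either; it is presumably read earlier in the method, outside the hunk, and should go through the same `request_var` path so it is a string before it is escaped.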
@@ -162,16 +163,16 @@ class ucp_register extends ucp
$db->sql_transaction();
$sql_ary = array(
- 'user_ip' => $user->ip,
- 'user_regdate' => time(),
- 'username' => $data['username'],
- 'user_password' => md5($data['new_password']),
- 'user_email' => $data['email'],
+ 'username' => $username,
+ 'user_password' => md5($new_password),
+ 'user_email' => $email,
+ 'user_timezone' => (float) $tz,
+ 'user_lang' => $lang,
'user_allow_pm' => 1,
- 'user_timezone' => (float) $data['tz'],
- 'user_lang' => $data['lang'],
'user_active' => $user_active,
'user_actkey' => $user_actkey
+ 'user_ip' => $user->ip,
+ 'user_regdate' => time(),
);
$sql = 'INSERT INTO ' . USERS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
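Review bot: The added `'user_ip' => $user->ip,` entry follows the unchanged `'user_actkey' => $user_actkey` with no separating comma, so the `$sql_ary` literal no longer parses; the context line should become `'user_actkey' => $user_actkey,`. Separately, `'user_password' => md5($new_password)` is carried over as the stored credential — an unsalted, fast digest — which a follow-up should replace with a salted, slow password hash plus a rehash-on-login migration. The enclosing method starts and ends outside this hunk.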
@@ -183,7 +184,7 @@ class ucp_register extends ucp
$group_reg = ($coppa) ? 'REGISTERED_COPPA' : 'REGISTERED';
$group_inactive = ($coppa) ? 'INACTIVE_COPPA' : 'INACTIVE';
$group_name = ($config['require_activation'] == USER_ACTIVATION_NONE) ? $group_reg : $group_inactive;
- $sql = "INSERT INTO " . USER_GROUP_TABLE . " (user_id, group_id, user_pending)
+ $sql = 'INSERT INTO ' . USER_GROUP_TABLE . " (user_id, group_id, user_pending)
SELECT $user_id, group_id, 0
FROM " . GROUPS_TABLE . "
WHERE group_name = '$group_name'
@@ -218,15 +219,15 @@ class ucp_register extends ucp
include($phpbb_root_path . 'includes/emailer.'.$phpEx);
$emailer = new emailer();
- $emailer->template($email_template, $user->data['user_lang']);
+ $emailer->template($email_template, $lang);
$emailer->replyto($config['board_contact']);
- $emailer->to($data['email'], $data['username']);
+ $emailer->to($email, $username);
$emailer->assign_vars(array(
'SITENAME' => $config['sitename'],
'WELCOME_MSG' => sprintf($user->lang['Welcome_subject'], $config['sitename']),
- 'USERNAME' => $data['username'],
- 'PASSWORD' => $data['password_confirm'],
+ 'USERNAME' => $username,
+ 'PASSWORD' => $password_confirm,
'EMAIL_SIG' => str_replace('
', "\n", "-- \n" . $config['board_email_sig']),
'U_ACTIVATE' => "$server_url/ucp.$phpEx?mode=activate&k=$user_actkey")
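Review bot: `$emailer->template($email_template, $lang)` now takes a request-derived value in place of the session's `user_lang`; if that argument is presumably used to locate a template on disk, its safety rests entirely on the `'lang' => array('match', false, '#^[a-z_]{2,}$#i')` rule in the validation table earlier in the method and on this branch being reached only when `$error` is empty. That dependency deserves a comment at the call, e.g. `// $lang is request input; validate_data() above restricts it to [a-z_]+ so it cannot form a path`. The `'PASSWORD' => $password_confirm` entry, unchanged by this commit, still mails the plaintext password and is worth revisiting separately. The enclosing method starts and ends outside this hunk.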
@@ -235,16 +236,18 @@ class ucp_register extends ucp
if ($coppa)
{
$emailer->assign_vars(array(
- 'FAX_INFO' => $config['coppa_fax'],
- 'MAIL_INFO' => $config['coppa_mail'],
+ 'FAX_INFO' => $config['coppa_fax'],
+ 'MAIL_INFO' => $config['coppa_mail'],
'EMAIL_ADDRESS' => $email,
- 'SITENAME' => $config['sitename'])
+ 'SITENAME' => $config['sitename'])
);
}
$emailer->send();
$emailer->reset();
+ // TODO
+ // Email admins with user management permissions
if ($config['require_activation'] == USER_ACTIVATION_ADMIN)
{
$emailer->use_template('admin_activate', $config['default_lang']);
@@ -252,10 +255,10 @@ class ucp_register extends ucp
$emailer->to($config['board_contact']);
$emailer->assign_vars(array(
- 'USERNAME' => $data['username'],
- 'EMAIL_SIG' => str_replace('
', "\n", "-- \n" . $config['board_email_sig']),
+ 'USERNAME' => $username,
+ 'EMAIL_SIG' => str_replace('
', "\n", "-- \n" . $config['board_email_sig']),
- 'U_ACTIVATE' => generate_board_url() . "/ucp.$phpEx?mode=activate&k=$user_actkey")
+ 'U_ACTIVATE' => generate_board_url() . "/ucp.$phpEx?mode=activate&k=$user_actkey")
);
$emailer->send();
@@ -266,7 +269,7 @@ class ucp_register extends ucp
if ($config['require_activation'] == USER_ACTIVATION_NONE || !$config['email_enable'])
{
set_config('newest_user_id', $user_id);
- set_config('newest_username', $data['username']);
+ set_config('newest_username', $username);
set_config('num_users', $config['num_users'] + 1, TRUE);
}
unset($data);
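Review bot: `unset($data);` here is now redundant, because the new code already runs `extract($data); unset($data);` immediately after `validate_data()` near the top of the method. More importantly, that earlier unset leaves the unchanged visual-confirmation comparison `if ($row['code'] != $data['confirm_code'])` reading an index of an unset variable, so the submitted code is no longer what is compared and registration with confirmation enabled will most likely always report CONFIRM_CODE_WRONG; that line should read `if ($row['code'] != $confirm_code)`. Both sites are outside this hunk, and the enclosing method continues past its edges.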
@@ -358,7 +361,7 @@ class ucp_register extends ucp
'EMAIL' => $email,
'EMAIL_CONFIRM' => $email_confirm,
'CONFIRM_IMG' => $confirm_image,
- 'ERROR' => (sizeof($this->error)) ? implode('
', $this->error) : '',
+ 'ERROR' => (sizeof($error)) ? implode('
', $error) : '',
'L_CONFIRM_EXPLAIN' => sprintf($user->lang['CONFIRM_EXPLAIN'], '', ''),
'L_ITEMS_REQUIRED' => $l_reg_cond,
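Review bot: `(sizeof($error)) ? implode(...) : ''` replaces the instance property with a local, but `$error` appears to be assigned only by `$error = validate_data($data, $var_ary)` in the submit path some 200 lines earlier; if this template assignment is also reached on a plain display request, `$error` is undefined here and `sizeof()` will warn. Initialise it unconditionally at the top of the method, `$error = array();`, before the submit branch. The enclosing method starts outside this hunk.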
diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php
index 16101a95c3..90cb3a1cbc 100644
--- a/phpBB/includes/ucp/ucp_remind.php
+++ b/phpBB/includes/ucp/ucp_remind.php
@@ -1,23 +1,15 @@
sql_escape($email) . "'
AND username = '" . . $db->sql_escape($username) . "'";
if ($result = $db->sql_query($sql))
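Review bot: The context line `AND username = '" . . $db->sql_escape($username) . "'";` contains a doubled concatenation operator, which is a parse error if it reflects the file as committed; the intended text is `AND username = '" . $db->sql_escape($username) . "'";`. The hunk header announces 23 old and 15 new lines but only three are visible, so this hunk looks truncated in extraction and the defect should be confirmed against the actual file before acting on it. The enclosing statement begins outside the hunk.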
@@ -64,12 +56,12 @@ class ucp_remind extends ucp
$emailer->to($row['user_email']);
$emailer->assign_vars(array(
- 'SITENAME' => $config['sitename'],
- 'USERNAME' => $username,
- 'PASSWORD' => $user_password,
- 'EMAIL_SIG' => str_replace('
', "\n", "-- \n" . $config['board_email_sig']),
+ 'SITENAME' => $config['sitename'],
+ 'USERNAME' => $username,
+ 'PASSWORD' => $user_password,
+ 'EMAIL_SIG' => str_replace('
', "\n", "-- \n" . $config['board_email_sig']),
- 'U_ACTIVATE' => $server_url . "/ucp.$phpEx?mode=activate&k=$user_actkey")
+ 'U_ACTIVATE' => $server_url . "/ucp.$phpEx?mode=activate&k=$user_actkey")
);
$emailer->send();
$emailer->reset();