diff --git a/demo.php b/demo.php index 356924db0e..374f96b5ba 100644 --- a/demo.php +++ b/demo.php @@ -1,6 +1,6 @@ php_library_path . "screen_size_library.php"; require $xerte_toolkits_site->php_library_path . "template_status.php"; @@ -18,7 +18,6 @@ require_once(dirname(__FILE__) . '/modules/xerte/module_functions.php'); /** - * * Function update_access_time * This function updates the time a template was last edited * @param array $row_edit = an array returned from a mysql query @@ -26,11 +25,8 @@ * @version 1.0 * @author Patrick Lockley */ - function update_access_time($row_edit){ - global $xerte_toolkits_site; - return db_query("UPDATE {$xerte_toolkits_site->database_table_prefix}templatedetails SET date_accessed=? WHERE template_id = ?", array(date('Y-m-d'), $row_edit['template_id'])); } diff --git a/example.php b/example.php index 1b9e3cb5a7..e0eab31483 100644 --- a/example.php +++ b/example.php @@ -9,7 +9,7 @@ * @package */ -require_once("config.php"); +require_once(dirname(__FILE__) . "/config.php"); require $xerte_toolkits_site->php_library_path . "screen_size_library.php"; require $xerte_toolkits_site->php_library_path . "template_status.php"; diff --git a/folderproperties.php b/folderproperties.php index ef3399d269..881d6ba9c5 100644 --- a/folderproperties.php +++ b/folderproperties.php @@ -1,7 +1,7 @@ - @@ -44,93 +44,93 @@
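Review bot: The new `require_once(dirname(__FILE__) . "/config.php");` line in example.php uses the pre-PHP-5.3 spelling of `__DIR__`; if the project's minimum PHP version is 5.3 or later, `require_once __DIR__ . '/config.php';` expresses the same path with one fewer function call. The same pattern is introduced by the peer.php, play.php, preview.php, rss.php, rss_proxy.php, session.php and switch.txt hunks, so whichever spelling is chosen should be applied to all of them in one pass. Anchoring the include on the script's own directory rather than the include_path is the right direction; this is only a point of style.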
-
-
-
-
-
-
-
-
-
-
- - - - -
-
- - - -
-
- - - - -
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+ + + + +
+
+ + + +
+
+ + + + +
+
+
+
+
+
+
+
+
+
- \ No newline at end of file + diff --git a/getfile.php b/getfile.php index 91423c2270..ada7786f96 100644 --- a/getfile.php +++ b/getfile.php @@ -1,19 +1,19 @@ php_library_path . "login_library.php"; require $xerte_toolkits_site->php_library_path . "user_library.php"; require $xerte_toolkits_site->php_library_path . "template_library.php"; require $xerte_toolkits_site->php_library_path . "template_status.php"; -$mysql_id=database_connect("Successful database connect for play queries","Failed database connect for play queries"); - /* * Check the template ID is numeric */ -$safe_file_path = mysql_real_escape_string($_GET['file']); +// for security, the file name should only contain alpha numeric chars or - _ . +// We definitely do not want a file path to contain a directory separator like ../ else this could be open to abuse. +$safe_file_path = preg_replace('/[^a-z0-9\-_\.]/i', '', $_GET['file']); $data_from_file_name = explode("-",$safe_file_path); @@ -53,8 +53,4 @@ echo file_get_contents($xerte_toolkits_site->website_code_path . "error_top") . " Sorry this resource does not exist "; die(); - - } - -?> diff --git a/integration.php b/integration.php index ae61740215..f7ca2a5b71 100644 --- a/integration.php +++ b/integration.php @@ -1,6 +1,6 @@ - - - - - <?PHP echo $xerte_toolkits_site->site_title; ?> - - - - - - - - - -
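Review bot: The added `preg_replace` strips disallowed characters and then continues with whatever is left, so a request whose `file` parameter was not clean is served under a silently rewritten name rather than rejected, and an absent `file` parameter reaches `preg_replace` as an undefined index. Since the new comment states the name should only contain those characters, it is safer to enforce that: `$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';` then `$safe_file_path = preg_replace('/[^a-z0-9\-_\.]/i', '', $requested);` and bail out with the existing "Sorry this resource does not exist" response when `$safe_file_path === '' || $safe_file_path !== $requested`. The character class also still admits a name made only of dots, so a check that the name contains at least one alphanumeric character would match the comment's stated intent. The hunk additionally drops the `database_connect` call that set `$mysql_id`; if anything later in getfile.php still reads that variable this needs checking, as the rest of the file is outside this hunk.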
- - -
-
-
-

- welcome_message; ?> -

-
-
-
- -
-
-
-
-
-
-
- -
-
-
-
-
- - - - - - - php_library_path . "login_library.php"; +function mgt_page($xerte_toolkits_site, $extra){ + +?> + + + + + <?PHP echo $xerte_toolkits_site->site_title; ?> + + + + + + + + + +
+ + +
+
+
+

+ welcome_message; ?> +

+
+
+
+ +
+
+
+
+
+
+
+ +
+
+
+
+
+ + + + + + +php_library_path . "login_library.php"; require $xerte_toolkits_site->php_library_path . "login_library.php"; - /* - * As with index.php, check for posts and similar - */ - - - if((!isset($_POST["login"]))&&(!isset($_POST["password"]))){ +/* + * As with index.php, check for posts and similar + */ - mgt_page($xerte_toolkits_site, MANAGEMENT_USERNAME_AND_PASSWORD_EMPTY); + +if((!isset($_POST["login"]))&&(!isset($_POST["password"]))){ + + mgt_page($xerte_toolkits_site, MANAGEMENT_USERNAME_AND_PASSWORD_EMPTY); $buffer .= login_page_format_bottom(file_get_contents($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->website_code_path . "login_bottom")); 
@@ -125,32 +125,32 @@ function mgt_page($xerte_toolkits_site, $extra){ } - if(($_POST["login"]=="")&&($_POST["password"]=="")){ - - mgt_page($xerte_toolkits_site, MANAGEMENT_USERNAME_AND_PASSWORD_EMPTY); - - $buffer = login_page_format_top(file_get_contents($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->website_code_path . "mgt_top")); - - mgt_page($xerte_toolkits_site, MANAGEMENT_USERNAME_EMPTY); - - /* - * Password left empty - */ - - }else if($_POST["password"]==""){ - - mgt_page($xerte_toolkits_site, MANAGEMENT_PASSWORD_EMPTY); - - - /* - * Password and username provided, so try to authenticate - */ - - }else{ - - if(($_POST["login"]==$xerte_toolkits_site->admin_username)&&($_POST["password"]==$xerte_toolkits_site->admin_password)){ - - $_SESSION['toolkits_logon_id'] = "site_administrator"; +if(($_POST["login"]=="")&&($_POST["password"]=="")){ + + mgt_page($xerte_toolkits_site, MANAGEMENT_USERNAME_AND_PASSWORD_EMPTY); + + $buffer = login_page_format_top(file_get_contents($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->website_code_path . "mgt_top")); + + mgt_page($xerte_toolkits_site, MANAGEMENT_USERNAME_EMPTY); + + /* + * Password left empty + */ + +}else if($_POST["password"]==""){ + + mgt_page($xerte_toolkits_site, MANAGEMENT_PASSWORD_EMPTY); + + + /* + * Password and username provided, so try to authenticate + */ + +}else{ + + if(($_POST["login"]==$xerte_toolkits_site->admin_username)&&($_POST["password"]==$xerte_toolkits_site->admin_password)){ + + $_SESSION['toolkits_logon_id'] = "site_administrator"; echo $buffer; 
@@ -159,31 +159,31 @@ function mgt_page($xerte_toolkits_site, $extra){ * Password left empty */ - $mysql_id=database_connect("management.php database connect success","management.php database connect fail"); - - /* - * Check the user is set as an admin in the usertype record in the logindetails table, and display the page - */ - - ?> + $mysql_id=database_connect("management.php database connect success","management.php database connect fail"); - + HTML to use to set up the template management page - - Welcome to Xerte Web Toolkits + Version 1.0 - - - echo " - +?> + + @@ -222,110 +222,110 @@ function mgt_page($xerte_toolkits_site, $extra){ Folder popup is the div that appears when creating a new folder --> -
-
-

-
- -
- - - -
- -
-
- -
- -
-
- - - -
- - - - - - - - - -
-
- -
-
- - - website_code_path . "admin_headers"); - - echo ""; - - echo admin_page_format_top(file_get_contents($xerte_toolkits_site->website_code_path . "admin_top")); - - echo file_get_contents($xerte_toolkits_site->website_code_path . "admin_middle"); - - - }else{ - - /* - * Wrong password message - */ - - $buffer = login_page_format_top(file_get_contents($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->website_code_path . "login_top")); - - $buffer .= "

Sorry that password combination was not correct

"; - - $buffer .= login_page_format_bottom(file_get_contents($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->website_code_path . "login_bottom")); - echo $buffer; - - } +
+
+

+
+ +
+ + + +
+ +
+
+ +
+ +
+
+ + + +
+ + + + + + + + + +
+
+ +
+
+ + +website_code_path . "admin_headers"); + + echo ""; + + echo admin_page_format_top(file_get_contents($xerte_toolkits_site->website_code_path . "admin_top")); + + echo file_get_contents($xerte_toolkits_site->website_code_path . "admin_middle"); + + + }else{ + + /* + * Wrong password message + */ + + $buffer = login_page_format_top(file_get_contents($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->website_code_path . "login_top")); + + $buffer .= "

Sorry that password combination was not correct

"; + + $buffer .= login_page_format_bottom(file_get_contents($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->website_code_path . "login_bottom")); + echo $buffer; } } +} + ?> diff --git a/peer.php b/peer.php index 711bcc61b8..542ddd30ce 100644 --- a/peer.php +++ b/peer.php @@ -9,7 +9,7 @@ * @package */ -require_once("config.php"); +require_once(dirname(__FILE__) . "/config.php"); _load_language_file("/peer.inc"); diff --git a/play.php b/play.php index b355812826..964b95e4d1 100644 --- a/play.php +++ b/play.php @@ -8,6 +8,14 @@ * @copyright Copyright (c) 2008,2009 University of Nottingham * @package */ +require_once(dirname(__FILE__) . "/config.php"); + +_load_language_file("/play.inc"); + +require $xerte_toolkits_site->php_library_path . "login_library.php"; +require $xerte_toolkits_site->php_library_path . "display_library.php"; +require $xerte_toolkits_site->php_library_path . "template_library.php"; + /** * @@ -161,13 +169,6 @@ function check_security_type($security_setting){ } -require_once("config.php"); - -_load_language_file("/play.inc"); - -require $xerte_toolkits_site->php_library_path . "login_library.php"; -require $xerte_toolkits_site->php_library_path . "display_library.php"; -require $xerte_toolkits_site->php_library_path . "template_library.php"; if(!isset($_GET['template_id']) || !is_numeric($_GET['template_id'])) { diff --git a/preview.php b/preview.php index 8ef4317358..69fa7ff399 100644 --- a/preview.php +++ b/preview.php @@ -9,7 +9,7 @@ * @package */ -require_once("config.php"); +require_once(dirname(__FILE__) . "/config.php"); _load_language_file("/preview.inc"); diff --git a/properties.php b/properties.php index a83fa8f3d8..ad313a7c8d 100644 --- a/properties.php +++ b/properties.php @@ -1,8 +1,8 @@ - @@ -65,162 +65,162 @@
-
-
-
-
-
-
-
-
-
-
- - - - -
-
- - - -
-
- - - - -
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+ + + + +
+
+ + + +
+
+ + + + +
+
+
+
+
+
+
+
+
+
- \ No newline at end of file + diff --git a/publishproperties.php b/publishproperties.php index 9458883258..3b0ebbcbaf 100644 --- a/publishproperties.php +++ b/publishproperties.php @@ -1,7 +1,7 @@ - @@ -64,101 +64,101 @@
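Review bot: The line directly above the changed `require_once` in rss_proxy.php, `include 'Snoopy.class.php';`, still uses a bare relative path, so this file remains dependent on the include_path and working directory that the commit is otherwise removing the dependency on. Assuming Snoopy.class.php sits beside rss_proxy.php (the hunk does not show where it lives), `include dirname(__FILE__) . '/Snoopy.class.php';` would make the two includes consistent. The changed line also switches the file's single-quoted string to double quotes; either works, but the surrounding file uses single quotes.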
-
-
-
-
-
-
-
-
-
-
- - - - -
-
- - - -
-
- - - - -
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+ + + + +
+
+ + + +
+
+ + + + +
+
+
+
+
+
+
+
+
+
- \ No newline at end of file + diff --git a/rss.php b/rss.php index 439beb1e95..729103eec9 100644 --- a/rss.php +++ b/rss.php @@ -2,7 +2,7 @@ header("Content-Type: application/xml; charset=ISO-8859-1"); -require_once "config.php"; +require_once(dirname(__FILE__) . "/config.php"); _load_language_file("/rss.inc"); include $xerte_toolkits_site->php_library_path . "url_library.php"; diff --git a/rss_proxy.php b/rss_proxy.php index f7ef7aef0c..02ea60fc3b 100644 --- a/rss_proxy.php +++ b/rss_proxy.php @@ -7,7 +7,7 @@ // Version 1.0 University of Nottingham include 'Snoopy.class.php'; -require_once('config.php'); +require_once(dirname(__FILE__) . "/config.php"); $snoopy = new Snoopy; diff --git a/session.php b/session.php index 4dc51d6faf..89e991fbfe 100644 --- a/session.php +++ b/session.php @@ -9,5 +9,4 @@ * @package */ -require_once("config.php"); - +require_once(dirname(__FILE__) . "/config.php"); diff --git a/switch.txt b/switch.txt index eacc96cb7d..c41be8c806 100644 --- a/switch.txt +++ b/switch.txt @@ -3,7 +3,7 @@ // This file could be used instead of index.php to perform authentication. // The list of usernames/passwords are hard coded below. (search for 'sarah') -require("config.php"); +require_once(dirname(__FILE__) . "/config.php"); /** * diff --git a/syndicate.php b/syndicate.php index ffd1b206ae..a9f6e34c28 100644 --- a/syndicate.php +++ b/syndicate.php @@ -1,7 +1,7 @@