source: trunk/forum/includes/session.php

Last change on this file was 702, checked in by george, 15 years ago
  • Upraveno: Aktualizace fóra.
File size: 73.1 KB
Line 
1<?php
2/**
3*
4* @package phpBB3
5* @version $Id$
6* @copyright (c) 2005 phpBB Group
7* @license http://opensource.org/licenses/gpl-license.php GNU Public License
8*
9*/
10
11/**
12* @ignore
13*/
14if (!defined('IN_PHPBB'))
15{
16 exit;
17}
18
19/**
20* Session class
21* @package phpBB3
22*/
23class session
24{
25 var $cookie_data = array();
26 var $page = array();
27 var $data = array();
28 var $browser = '';
29 var $forwarded_for = '';
30 var $host = '';
31 var $session_id = '';
32 var $ip = '';
33 var $load = 0;
34 var $time_now = 0;
35 var $update_session_page = true;
36
37 /**
38 * Extract current session page
39 *
40 * @param string $root_path current root path (phpbb_root_path)
41 */
42 function extract_current_page($root_path)
43 {
44 $page_array = array();
45
46 // First of all, get the request uri...
47 $script_name = (!empty($_SERVER['PHP_SELF'])) ? $_SERVER['PHP_SELF'] : getenv('PHP_SELF');
48 $args = (!empty($_SERVER['QUERY_STRING'])) ? explode('&', $_SERVER['QUERY_STRING']) : explode('&', getenv('QUERY_STRING'));
49
50 // If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
51 if (!$script_name)
52 {
53 $script_name = (!empty($_SERVER['REQUEST_URI'])) ? $_SERVER['REQUEST_URI'] : getenv('REQUEST_URI');
54 $script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
55 $page_array['failover'] = 1;
56 }
57
58 // Replace backslashes and doubled slashes (could happen on some proxy setups)
59 $script_name = str_replace(array('\\', '//'), '/', $script_name);
60
61 // Now, remove the sid and let us get a clean query string...
62 $use_args = array();
63
64 // Since some browser do not encode correctly we need to do this with some "special" characters...
65 // " -> %22, ' => %27, < -> %3C, > -> %3E
66 $find = array('"', "'", '<', '>');
67 $replace = array('%22', '%27', '%3C', '%3E');
68
69 foreach ($args as $key => $argument)
70 {
71 if (strpos($argument, 'sid=') === 0)
72 {
73 continue;
74 }
75
76 $use_args[] = str_replace($find, $replace, $argument);
77 }
78 unset($args);
79
80 // The following examples given are for an request uri of {path to the phpbb directory}/adm/index.php?i=10&b=2
81
82 // The current query string
83 $query_string = trim(implode('&', $use_args));
84
85 // basenamed page name (for example: index.php)
86 $page_name = basename($script_name);
87 $page_name = urlencode(htmlspecialchars($page_name));
88
89 // current directory within the phpBB root (for example: adm)
90 $root_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($root_path)));
91 $page_dirs = explode('/', str_replace('\\', '/', phpbb_realpath('./')));
92 $intersection = array_intersect_assoc($root_dirs, $page_dirs);
93
94 $root_dirs = array_diff_assoc($root_dirs, $intersection);
95 $page_dirs = array_diff_assoc($page_dirs, $intersection);
96
97 $page_dir = str_repeat('../', sizeof($root_dirs)) . implode('/', $page_dirs);
98
99 if ($page_dir && substr($page_dir, -1, 1) == '/')
100 {
101 $page_dir = substr($page_dir, 0, -1);
102 }
103
104 // Current page from phpBB root (for example: adm/index.php?i=10&b=2)
105 $page = (($page_dir) ? $page_dir . '/' : '') . $page_name . (($query_string) ? "?$query_string" : '');
106
107 // The script path from the webroot to the current directory (for example: /phpBB3/adm/) : always prefixed with / and ends in /
108 $script_path = trim(str_replace('\\', '/', dirname($script_name)));
109
110 // The script path from the webroot to the phpBB root (for example: /phpBB3/)
111 $script_dirs = explode('/', $script_path);
112 array_splice($script_dirs, -sizeof($page_dirs));
113 $root_script_path = implode('/', $script_dirs) . (sizeof($root_dirs) ? '/' . implode('/', $root_dirs) : '');
114
115 // We are on the base level (phpBB root == webroot), lets adjust the variables a bit...
116 if (!$root_script_path)
117 {
118 $root_script_path = ($page_dir) ? str_replace($page_dir, '', $script_path) : $script_path;
119 }
120
121 $script_path .= (substr($script_path, -1, 1) == '/') ? '' : '/';
122 $root_script_path .= (substr($root_script_path, -1, 1) == '/') ? '' : '/';
123
124 $page_array += array(
125 'page_name' => $page_name,
126 'page_dir' => $page_dir,
127
128 'query_string' => $query_string,
129 'script_path' => str_replace(' ', '%20', htmlspecialchars($script_path)),
130 'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path)),
131
132 'page' => $page,
133 'forum' => (isset($_REQUEST['f']) && $_REQUEST['f'] > 0) ? (int) $_REQUEST['f'] : 0,
134 );
135
136 return $page_array;
137 }
138
139 /**
140 * Get valid hostname/port. HTTP_HOST is used, SERVER_NAME if HTTP_HOST not present.
141 */
142 function extract_current_hostname()
143 {
144 global $config;
145
146 // Get hostname
147 $host = (!empty($_SERVER['HTTP_HOST'])) ? $_SERVER['HTTP_HOST'] : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
148
149 // Should be a string and lowered
150 $host = (string) strtolower($host);
151
152 // If host is equal the cookie domain or the server name (if config is set), then we assume it is valid
153 if ((isset($config['cookie_domain']) && $host === $config['cookie_domain']) || (isset($config['server_name']) && $host === $config['server_name']))
154 {
155 return $host;
156 }
157
158 // Is the host actually a IP? If so, we use the IP... (IPv4)
159 if (long2ip(ip2long($host)) === $host)
160 {
161 return $host;
162 }
163
164 // Now return the hostname (this also removes any port definition). The http:// is prepended to construct a valid URL, hosts never have a scheme assigned
165 $host = @parse_url('http://' . $host);
166 $host = (!empty($host['host'])) ? $host['host'] : '';
167
168 // Remove any portions not removed by parse_url (#)
169 $host = str_replace('#', '', $host);
170
171 // If, by any means, the host is now empty, we will use a "best approach" way to guess one
172 if (empty($host))
173 {
174 if (!empty($config['server_name']))
175 {
176 $host = $config['server_name'];
177 }
178 else if (!empty($config['cookie_domain']))
179 {
180 $host = (strpos($config['cookie_domain'], '.') === 0) ? substr($config['cookie_domain'], 1) : $config['cookie_domain'];
181 }
182 else
183 {
184 // Set to OS hostname or localhost
185 $host = (function_exists('php_uname')) ? php_uname('n') : 'localhost';
186 }
187 }
188
189 // It may be still no valid host, but for sure only a hostname (we may further expand on the cookie domain... if set)
190 return $host;
191 }
192
193 /**
194 * Start session management
195 *
196 * This is where all session activity begins. We gather various pieces of
197 * information from the client and server. We test to see if a session already
198 * exists. If it does, fine and dandy. If it doesn't we'll go on to create a
199 * new one ... pretty logical heh? We also examine the system load (if we're
200 * running on a system which makes such information readily available) and
201 * halt if it's above an admin definable limit.
202 *
203 * @param bool $update_session_page if true the session page gets updated.
204 * This can be set to circumvent certain scripts to update the users last visited page.
205 */
206 function session_begin($update_session_page = true)
207 {
208 global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path;
209
210 // Give us some basic information
211 $this->time_now = time();
212 $this->cookie_data = array('u' => 0, 'k' => '');
213 $this->update_session_page = $update_session_page;
214 $this->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
215 $this->referer = (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : '';
216 $this->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? htmlspecialchars((string) $_SERVER['HTTP_X_FORWARDED_FOR']) : '';
217
218 $this->host = $this->extract_current_hostname();
219 $this->page = $this->extract_current_page($phpbb_root_path);
220
221 // if the forwarded for header shall be checked we have to validate its contents
222 if ($config['forwarded_for_check'])
223 {
224 $this->forwarded_for = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->forwarded_for));
225
226 // split the list of IPs
227 $ips = explode(' ', $this->forwarded_for);
228 foreach ($ips as $ip)
229 {
230 // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
231 if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))
232 {
233 // contains invalid data, don't use the forwarded for header
234 $this->forwarded_for = '';
235 break;
236 }
237 }
238 }
239 else
240 {
241 $this->forwarded_for = '';
242 }
243
244 if (isset($_COOKIE[$config['cookie_name'] . '_sid']) || isset($_COOKIE[$config['cookie_name'] . '_u']))
245 {
246 $this->cookie_data['u'] = request_var($config['cookie_name'] . '_u', 0, false, true);
247 $this->cookie_data['k'] = request_var($config['cookie_name'] . '_k', '', false, true);
248 $this->session_id = request_var($config['cookie_name'] . '_sid', '', false, true);
249
250 $SID = (defined('NEED_SID')) ? '?sid=' . $this->session_id : '?sid=';
251 $_SID = (defined('NEED_SID')) ? $this->session_id : '';
252
253 if (empty($this->session_id))
254 {
255 $this->session_id = $_SID = request_var('sid', '');
256 $SID = '?sid=' . $this->session_id;
257 $this->cookie_data = array('u' => 0, 'k' => '');
258 }
259 }
260 else
261 {
262 $this->session_id = $_SID = request_var('sid', '');
263 $SID = '?sid=' . $this->session_id;
264 }
265
266 $_EXTRA_URL = array();
267
268 // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
269 // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
270 $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : '';
271 $this->ip = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->ip));
272
273 // split the list of IPs
274 $ips = explode(' ', $this->ip);
275
276 // Default IP if REMOTE_ADDR is invalid
277 $this->ip = '127.0.0.1';
278
279 foreach ($ips as $ip)
280 {
281 // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
282 if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))
283 {
284 // Just break
285 break;
286 }
287
288 // Use the last in chain
289 $this->ip = $ip;
290 }
291
292 $this->load = false;
293
294 // Load limit check (if applicable)
295 if ($config['limit_load'] || $config['limit_search_load'])
296 {
297 if ((function_exists('sys_getloadavg') && $load = sys_getloadavg()) || ($load = explode(' ', @file_get_contents('/proc/loadavg'))))
298 {
299 $this->load = array_slice($load, 0, 1);
300 $this->load = floatval($this->load[0]);
301 }
302 else
303 {
304 set_config('limit_load', '0');
305 set_config('limit_search_load', '0');
306 }
307 }
308
309 // Is session_id is set or session_id is set and matches the url param if required
310 if (!empty($this->session_id) && (!defined('NEED_SID') || (isset($_GET['sid']) && $this->session_id === $_GET['sid'])))
311 {
312 $sql = 'SELECT u.*, s.*
313 FROM ' . SESSIONS_TABLE . ' s, ' . USERS_TABLE . " u
314 WHERE s.session_id = '" . $db->sql_escape($this->session_id) . "'
315 AND u.user_id = s.session_user_id";
316 $result = $db->sql_query($sql);
317 $this->data = $db->sql_fetchrow($result);
318 $db->sql_freeresult($result);
319
320 // Did the session exist in the DB?
321 if (isset($this->data['user_id']))
322 {
323 // Validate IP length according to admin ... enforces an IP
324 // check on bots if admin requires this
325// $quadcheck = ($config['ip_check_bot'] && $this->data['user_type'] & USER_BOT) ? 4 : $config['ip_check'];
326
327 if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
328 {
329 $s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
330 $u_ip = short_ipv6($this->ip, $config['ip_check']);
331 }
332 else
333 {
334 $s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
335 $u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
336 }
337
338 $s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
339 $u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
340
341 $s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
342 $u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
343
344 // referer checks
345 // The @ before $config['referer_validation'] suppresses notices present while running the updater
346 $check_referer_path = (@$config['referer_validation'] == REFERER_VALIDATE_PATH);
347 $referer_valid = true;
348
349 // we assume HEAD and TRACE to be foul play and thus only whitelist GET
350 if (@$config['referer_validation'] && isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) !== 'get')
351 {
352 $referer_valid = $this->validate_referer($check_referer_path);
353 }
354
355 if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for && $referer_valid)
356 {
357 $session_expired = false;
358
359 // Check whether the session is still valid if we have one
360 $method = basename(trim($config['auth_method']));
361 include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
362
363 $method = 'validate_session_' . $method;
364 if (function_exists($method))
365 {
366 if (!$method($this->data))
367 {
368 $session_expired = true;
369 }
370 }
371
372 if (!$session_expired)
373 {
374 // Check the session length timeframe if autologin is not enabled.
375 // Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide.
376 if (!$this->data['session_autologin'])
377 {
378 if ($this->data['session_time'] < $this->time_now - ($config['session_length'] + 60))
379 {
380 $session_expired = true;
381 }
382 }
383 else if (!$config['allow_autologin'] || ($config['max_autologin_time'] && $this->data['session_time'] < $this->time_now - (86400 * (int) $config['max_autologin_time']) + 60))
384 {
385 $session_expired = true;
386 }
387 }
388
389 if (!$session_expired)
390 {
391 // Only update session DB a minute or so after last update or if page changes
392 if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
393 {
394 $sql_ary = array('session_time' => $this->time_now);
395
396 if ($this->update_session_page)
397 {
398 $sql_ary['session_page'] = substr($this->page['page'], 0, 199);
399 $sql_ary['session_forum_id'] = $this->page['forum'];
400 }
401
402 $db->sql_return_on_error(true);
403
404 $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . "
405 WHERE session_id = '" . $db->sql_escape($this->session_id) . "'";
406 $result = $db->sql_query($sql);
407
408 $db->sql_return_on_error(false);
409
410 // If the database is not yet updated, there will be an error due to the session_forum_id
411 // @todo REMOVE for 3.0.2
412 if ($result === false)
413 {
414 unset($sql_ary['session_forum_id']);
415
416 $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . "
417 WHERE session_id = '" . $db->sql_escape($this->session_id) . "'";
418 $db->sql_query($sql);
419 }
420
421 if ($this->data['user_id'] != ANONYMOUS && !empty($config['new_member_post_limit']) && $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts'])
422 {
423 $this->leave_newly_registered();
424 }
425 }
426
427 $this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
428 $this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
429 $this->data['user_lang'] = basename($this->data['user_lang']);
430
431 return true;
432 }
433 }
434 else
435 {
436 // Added logging temporarly to help debug bugs...
437 if (defined('DEBUG_EXTRA') && $this->data['user_id'] != ANONYMOUS)
438 {
439 if ($referer_valid)
440 {
441 add_log('critical', 'LOG_IP_BROWSER_FORWARDED_CHECK', $u_ip, $s_ip, $u_browser, $s_browser, htmlspecialchars($u_forwarded_for), htmlspecialchars($s_forwarded_for));
442 }
443 else
444 {
445 add_log('critical', 'LOG_REFERER_INVALID', $this->referer);
446 }
447 }
448 }
449 }
450 }
451
452 // If we reach here then no (valid) session exists. So we'll create a new one
453 return $this->session_create();
454 }
455
456 /**
457 * Create a new session
458 *
459 * If upon trying to start a session we discover there is nothing existing we
460 * jump here. Additionally this method is called directly during login to regenerate
461 * the session for the specific user. In this method we carry out a number of tasks;
462 * garbage collection, (search)bot checking, banned user comparison. Basically
463 * though this method will result in a new session for a specific user.
464 */
465 function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)
466 {
467 global $SID, $_SID, $db, $config, $cache, $phpbb_root_path, $phpEx;
468
469 $this->data = array();
470
471 /* Garbage collection ... remove old sessions updating user information
472 // if necessary. It means (potentially) 11 queries but only infrequently
473 if ($this->time_now > $config['session_last_gc'] + $config['session_gc'])
474 {
475 $this->session_gc();
476 }*/
477
478 // Do we allow autologin on this board? No? Then override anything
479 // that may be requested here
480 if (!$config['allow_autologin'])
481 {
482 $this->cookie_data['k'] = $persist_login = false;
483 }
484
485 /**
486 * Here we do a bot check, oh er saucy! No, not that kind of bot
487 * check. We loop through the list of bots defined by the admin and
488 * see if we have any useragent and/or IP matches. If we do, this is a
489 * bot, act accordingly
490 */
491 $bot = false;
492 $active_bots = $cache->obtain_bots();
493
494 foreach ($active_bots as $row)
495 {
496 if ($row['bot_agent'] && preg_match('#' . str_replace('\*', '.*?', preg_quote($row['bot_agent'], '#')) . '#i', $this->browser))
497 {
498 $bot = $row['user_id'];
499 }
500
501 // If ip is supplied, we will make sure the ip is matching too...
502 if ($row['bot_ip'] && ($bot || !$row['bot_agent']))
503 {
504 // Set bot to false, then we only have to set it to true if it is matching
505 $bot = false;
506
507 foreach (explode(',', $row['bot_ip']) as $bot_ip)
508 {
509 $bot_ip = trim($bot_ip);
510
511 if (!$bot_ip)
512 {
513 continue;
514 }
515
516 if (strpos($this->ip, $bot_ip) === 0)
517 {
518 $bot = (int) $row['user_id'];
519 break;
520 }
521 }
522 }
523
524 if ($bot)
525 {
526 break;
527 }
528 }
529
530 $method = basename(trim($config['auth_method']));
531 include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
532
533 $method = 'autologin_' . $method;
534 if (function_exists($method))
535 {
536 $this->data = $method();
537
538 if (sizeof($this->data))
539 {
540 $this->cookie_data['k'] = '';
541 $this->cookie_data['u'] = $this->data['user_id'];
542 }
543 }
544
545 // If we're presented with an autologin key we'll join against it.
546 // Else if we've been passed a user_id we'll grab data based on that
547 if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && !sizeof($this->data))
548 {
549 $sql = 'SELECT u.*
550 FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
551 WHERE u.user_id = ' . (int) $this->cookie_data['u'] . '
552 AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ")
553 AND k.user_id = u.user_id
554 AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
555 $result = $db->sql_query($sql);
556 $this->data = $db->sql_fetchrow($result);
557 $db->sql_freeresult($result);
558 $bot = false;
559 }
560 else if ($user_id !== false && !sizeof($this->data))
561 {
562 $this->cookie_data['k'] = '';
563 $this->cookie_data['u'] = $user_id;
564
565 $sql = 'SELECT *
566 FROM ' . USERS_TABLE . '
567 WHERE user_id = ' . (int) $this->cookie_data['u'] . '
568 AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')';
569 $result = $db->sql_query($sql);
570 $this->data = $db->sql_fetchrow($result);
571 $db->sql_freeresult($result);
572 $bot = false;
573 }
574
575 // If no data was returned one or more of the following occurred:
576 // Key didn't match one in the DB
577 // User does not exist
578 // User is inactive
579 // User is bot
580 if (!sizeof($this->data) || !is_array($this->data))
581 {
582 $this->cookie_data['k'] = '';
583 $this->cookie_data['u'] = ($bot) ? $bot : ANONYMOUS;
584
585 if (!$bot)
586 {
587 $sql = 'SELECT *
588 FROM ' . USERS_TABLE . '
589 WHERE user_id = ' . (int) $this->cookie_data['u'];
590 }
591 else
592 {
593 // We give bots always the same session if it is not yet expired.
594 $sql = 'SELECT u.*, s.*
595 FROM ' . USERS_TABLE . ' u
596 LEFT JOIN ' . SESSIONS_TABLE . ' s ON (s.session_user_id = u.user_id)
597 WHERE u.user_id = ' . (int) $bot;
598 }
599
600 $result = $db->sql_query($sql);
601 $this->data = $db->sql_fetchrow($result);
602 $db->sql_freeresult($result);
603 }
604
605 if ($this->data['user_id'] != ANONYMOUS && !$bot)
606 {
607 $this->data['session_last_visit'] = (isset($this->data['session_time']) && $this->data['session_time']) ? $this->data['session_time'] : (($this->data['user_lastvisit']) ? $this->data['user_lastvisit'] : time());
608 }
609 else
610 {
611 $this->data['session_last_visit'] = $this->time_now;
612 }
613
614 // Force user id to be integer...
615 $this->data['user_id'] = (int) $this->data['user_id'];
616
617 // At this stage we should have a filled data array, defined cookie u and k data.
618 // data array should contain recent session info if we're a real user and a recent
619 // session exists in which case session_id will also be set
620
621 // Is user banned? Are they excluded? Won't return on ban, exists within method
622 if ($this->data['user_type'] != USER_FOUNDER)
623 {
624 if (!$config['forwarded_for_check'])
625 {
626 $this->check_ban($this->data['user_id'], $this->ip);
627 }
628 else
629 {
630 $ips = explode(' ', $this->forwarded_for);
631 $ips[] = $this->ip;
632 $this->check_ban($this->data['user_id'], $ips);
633 }
634 }
635
636 $this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
637 $this->data['is_bot'] = ($bot) ? true : false;
638
639 // If our friend is a bot, we re-assign a previously assigned session
640 if ($this->data['is_bot'] && $bot == $this->data['user_id'] && $this->data['session_id'])
641 {
642 // Only assign the current session if the ip, browser and forwarded_for match...
643 if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
644 {
645 $s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
646 $u_ip = short_ipv6($this->ip, $config['ip_check']);
647 }
648 else
649 {
650 $s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
651 $u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
652 }
653
654 $s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
655 $u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
656
657 $s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
658 $u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
659
660 if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for)
661 {
662 $this->session_id = $this->data['session_id'];
663
664 // Only update session DB a minute or so after last update or if page changes
665 if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
666 {
667 $this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;
668
669 $sql_ary = array('session_time' => $this->time_now, 'session_last_visit' => $this->time_now, 'session_admin' => 0);
670
671 if ($this->update_session_page)
672 {
673 $sql_ary['session_page'] = substr($this->page['page'], 0, 199);
674 $sql_ary['session_forum_id'] = $this->page['forum'];
675 }
676
677 $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . "
678 WHERE session_id = '" . $db->sql_escape($this->session_id) . "'";
679 $db->sql_query($sql);
680
681 // Update the last visit time
682 $sql = 'UPDATE ' . USERS_TABLE . '
683 SET user_lastvisit = ' . (int) $this->data['session_time'] . '
684 WHERE user_id = ' . (int) $this->data['user_id'];
685 $db->sql_query($sql);
686 }
687
688 $SID = '?sid=';
689 $_SID = '';
690 return true;
691 }
692 else
693 {
694 // If the ip and browser does not match make sure we only have one bot assigned to one session
695 $db->sql_query('DELETE FROM ' . SESSIONS_TABLE . ' WHERE session_user_id = ' . $this->data['user_id']);
696 }
697 }
698
699 $session_autologin = (($this->cookie_data['k'] || $persist_login) && $this->data['is_registered']) ? true : false;
700 $set_admin = ($set_admin && $this->data['is_registered']) ? true : false;
701
702 // Create or update the session
703 $sql_ary = array(
704 'session_user_id' => (int) $this->data['user_id'],
705 'session_start' => (int) $this->time_now,
706 'session_last_visit' => (int) $this->data['session_last_visit'],
707 'session_time' => (int) $this->time_now,
708 'session_browser' => (string) trim(substr($this->browser, 0, 149)),
709 'session_forwarded_for' => (string) $this->forwarded_for,
710 'session_ip' => (string) $this->ip,
711 'session_autologin' => ($session_autologin) ? 1 : 0,
712 'session_admin' => ($set_admin) ? 1 : 0,
713 'session_viewonline' => ($viewonline) ? 1 : 0,
714 );
715
716 if ($this->update_session_page)
717 {
718 $sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
719 $sql_ary['session_forum_id'] = $this->page['forum'];
720 }
721
722 $db->sql_return_on_error(true);
723
724 $sql = 'DELETE
725 FROM ' . SESSIONS_TABLE . '
726 WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'
727 AND session_user_id = ' . ANONYMOUS;
728
729 if (!defined('IN_ERROR_HANDLER') && (!$this->session_id || !$db->sql_query($sql) || !$db->sql_affectedrows()))
730 {
731 // Limit new sessions in 1 minute period (if required)
732 if (empty($this->data['session_time']) && $config['active_sessions'])
733 {
734// $db->sql_return_on_error(false);
735
736 $sql = 'SELECT COUNT(session_id) AS sessions
737 FROM ' . SESSIONS_TABLE . '
738 WHERE session_time >= ' . ($this->time_now - 60);
739 $result = $db->sql_query($sql);
740 $row = $db->sql_fetchrow($result);
741 $db->sql_freeresult($result);
742
743 if ((int) $row['sessions'] > (int) $config['active_sessions'])
744 {
745 header('HTTP/1.1 503 Service Unavailable');
746 trigger_error('BOARD_UNAVAILABLE');
747 }
748 }
749 }
750
751 // Since we re-create the session id here, the inserted row must be unique. Therefore, we display potential errors.
752 // Commented out because it will not allow forums to update correctly
753// $db->sql_return_on_error(false);
754
755 // Something quite important: session_page always holds the *last* page visited, except for the *first* visit.
756 // We are not able to simply have an empty session_page btw, therefore we need to tell phpBB how to detect this special case.
757 // If the session id is empty, we have a completely new one and will set an "identifier" here. This identifier is able to be checked later.
758 if (empty($this->data['session_id']))
759 {
760 // This is a temporary variable, only set for the very first visit
761 $this->data['session_created'] = true;
762 }
763
764 $this->session_id = $this->data['session_id'] = md5(unique_id());
765
766 $sql_ary['session_id'] = (string) $this->session_id;
767 $sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
768 $sql_ary['session_forum_id'] = $this->page['forum'];
769
770 $sql = 'INSERT INTO ' . SESSIONS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
771 $db->sql_query($sql);
772
773 $db->sql_return_on_error(false);
774
775 // Regenerate autologin/persistent login key
776 if ($session_autologin)
777 {
778 $this->set_login_key();
779 }
780
781 // refresh data
782 $SID = '?sid=' . $this->session_id;
783 $_SID = $this->session_id;
784 $this->data = array_merge($this->data, $sql_ary);
785
786 if (!$bot)
787 {
788 $cookie_expire = $this->time_now + (($config['max_autologin_time']) ? 86400 * (int) $config['max_autologin_time'] : 31536000);
789
790 $this->set_cookie('u', $this->cookie_data['u'], $cookie_expire);
791 $this->set_cookie('k', $this->cookie_data['k'], $cookie_expire);
792 $this->set_cookie('sid', $this->session_id, $cookie_expire);
793
794 unset($cookie_expire);
795
796 $sql = 'SELECT COUNT(session_id) AS sessions
797 FROM ' . SESSIONS_TABLE . '
798 WHERE session_user_id = ' . (int) $this->data['user_id'] . '
799 AND session_time >= ' . (int) ($this->time_now - (max($config['session_length'], $config['form_token_lifetime'])));
800 $result = $db->sql_query($sql);
801 $row = $db->sql_fetchrow($result);
802 $db->sql_freeresult($result);
803
804 if ((int) $row['sessions'] <= 1 || empty($this->data['user_form_salt']))
805 {
806 $this->data['user_form_salt'] = unique_id();
807 // Update the form key
808 $sql = 'UPDATE ' . USERS_TABLE . '
809 SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\'
810 WHERE user_id = ' . (int) $this->data['user_id'];
811 $db->sql_query($sql);
812 }
813 }
814 else
815 {
816 $this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;
817
818 // Update the last visit time
819 $sql = 'UPDATE ' . USERS_TABLE . '
820 SET user_lastvisit = ' . (int) $this->data['session_time'] . '
821 WHERE user_id = ' . (int) $this->data['user_id'];
822 $db->sql_query($sql);
823
824 $SID = '?sid=';
825 $_SID = '';
826 }
827
828 return true;
829 }
830
831 /**
832 * Kills a session
833 *
834 * This method does what it says on the tin. It will delete a pre-existing session.
835 * It resets cookie information (destroying any autologin key within that cookie data)
836 * and update the users information from the relevant session data. It will then
837 * grab guest user information.
838 */
839 function session_kill($new_session = true)
840 {
841 global $SID, $_SID, $db, $config, $phpbb_root_path, $phpEx;
842
843 $sql = 'DELETE FROM ' . SESSIONS_TABLE . "
844 WHERE session_id = '" . $db->sql_escape($this->session_id) . "'
845 AND session_user_id = " . (int) $this->data['user_id'];
846 $db->sql_query($sql);
847
848 // Allow connecting logout with external auth method logout
849 $method = basename(trim($config['auth_method']));
850 include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
851
852 $method = 'logout_' . $method;
853 if (function_exists($method))
854 {
855 $method($this->data, $new_session);
856 }
857
858 if ($this->data['user_id'] != ANONYMOUS)
859 {
860 // Delete existing session, update last visit info first!
861 if (!isset($this->data['session_time']))
862 {
863 $this->data['session_time'] = time();
864 }
865
866 $sql = 'UPDATE ' . USERS_TABLE . '
867 SET user_lastvisit = ' . (int) $this->data['session_time'] . '
868 WHERE user_id = ' . (int) $this->data['user_id'];
869 $db->sql_query($sql);
870
871 if ($this->cookie_data['k'])
872 {
873 $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
874 WHERE user_id = ' . (int) $this->data['user_id'] . "
875 AND key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
876 $db->sql_query($sql);
877 }
878
879 // Reset the data array
880 $this->data = array();
881
882 $sql = 'SELECT *
883 FROM ' . USERS_TABLE . '
884 WHERE user_id = ' . ANONYMOUS;
885 $result = $db->sql_query($sql);
886 $this->data = $db->sql_fetchrow($result);
887 $db->sql_freeresult($result);
888 }
889
890 $cookie_expire = $this->time_now - 31536000;
891 $this->set_cookie('u', '', $cookie_expire);
892 $this->set_cookie('k', '', $cookie_expire);
893 $this->set_cookie('sid', '', $cookie_expire);
894 unset($cookie_expire);
895
896 $SID = '?sid=';
897 $this->session_id = $_SID = '';
898
899 // To make sure a valid session is created we create one for the anonymous user
900 if ($new_session)
901 {
902 $this->session_create(ANONYMOUS);
903 }
904
905 return true;
906 }
907
908 /**
909 * Session garbage collection
910 *
911 * This looks a lot more complex than it really is. Effectively we are
912 * deleting any sessions older than an admin definable limit. Due to the
913 * way in which we maintain session data we have to ensure we update user
914 * data before those sessions are destroyed. In addition this method
915 * removes autologin key information that is older than an admin defined
916 * limit.
917 */
918 function session_gc()
919 {
920 global $db, $config, $phpbb_root_path, $phpEx;
921
922 $batch_size = 10;
923
924 if (!$this->time_now)
925 {
926 $this->time_now = time();
927 }
928
929 // Firstly, delete guest sessions
930 $sql = 'DELETE FROM ' . SESSIONS_TABLE . '
931 WHERE session_user_id = ' . ANONYMOUS . '
932 AND session_time < ' . (int) ($this->time_now - $config['session_length']);
933 $db->sql_query($sql);
934
935 // Get expired sessions, only most recent for each user
936 $sql = 'SELECT session_user_id, session_page, MAX(session_time) AS recent_time
937 FROM ' . SESSIONS_TABLE . '
938 WHERE session_time < ' . ($this->time_now - $config['session_length']) . '
939 GROUP BY session_user_id, session_page';
940 $result = $db->sql_query_limit($sql, $batch_size);
941
942 $del_user_id = array();
943 $del_sessions = 0;
944
945 while ($row = $db->sql_fetchrow($result))
946 {
947 $sql = 'UPDATE ' . USERS_TABLE . '
948 SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
949 WHERE user_id = " . (int) $row['session_user_id'];
950 $db->sql_query($sql);
951
952 $del_user_id[] = (int) $row['session_user_id'];
953 $del_sessions++;
954 }
955 $db->sql_freeresult($result);
956
957 if (sizeof($del_user_id))
958 {
959 // Delete expired sessions
960 $sql = 'DELETE FROM ' . SESSIONS_TABLE . '
961 WHERE ' . $db->sql_in_set('session_user_id', $del_user_id) . '
962 AND session_time < ' . ($this->time_now - $config['session_length']);
963 $db->sql_query($sql);
964 }
965
966 if ($del_sessions < $batch_size)
967 {
968 // Less than 10 users, update gc timer ... else we want gc
969 // called again to delete other sessions
970 set_config('session_last_gc', $this->time_now, true);
971
972 if ($config['max_autologin_time'])
973 {
974 $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
975 WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time']));
976 $db->sql_query($sql);
977 }
978
979 // only called from CRON; should be a safe workaround until the infrastructure gets going
980 if (!class_exists('captcha_factory'))
981 {
982 include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx);
983 }
984 phpbb_captcha_factory::garbage_collect($config['captcha_plugin']);
985 }
986
987 return;
988 }
989
990 /**
991 * Sets a cookie
992 *
993 * Sets a cookie of the given name with the specified data for the given length of time. If no time is specified, a session cookie will be set.
994 *
995 * @param string $name Name of the cookie, will be automatically prefixed with the phpBB cookie name. track becomes [cookie_name]_track then.
996 * @param string $cookiedata The data to hold within the cookie
997 * @param int $cookietime The expiration time as UNIX timestamp. If 0 is provided, a session cookie is set.
998 */
999 function set_cookie($name, $cookiedata, $cookietime)
1000 {
1001 global $config;
1002
1003 $name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata);
1004 $expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime);
1005 $domain = (!$config['cookie_domain'] || $config['cookie_domain'] == 'localhost' || $config['cookie_domain'] == '127.0.0.1') ? '' : '; domain=' . $config['cookie_domain'];
1006
1007 header('Set-Cookie: ' . $name_data . (($cookietime) ? '; expires=' . $expire : '') . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . '; HttpOnly', false);
1008 }
1009
1010 /**
1011 * Check for banned user
1012 *
1013 * Checks whether the supplied user is banned by id, ip or email. If no parameters
1014 * are passed to the method pre-existing session data is used. If $return is false
1015 * this routine does not return on finding a banned user, it outputs a relevant
1016 * message and stops execution.
1017 *
1018 * @param string|array $user_ips Can contain a string with one IP or an array of multiple IPs
1019 */
1020 function check_ban($user_id = false, $user_ips = false, $user_email = false, $return = false)
1021 {
1022 global $config, $db;
1023
1024 if (defined('IN_CHECK_BAN'))
1025 {
1026 return;
1027 }
1028
1029 $banned = false;
1030 $cache_ttl = 3600;
1031 $where_sql = array();
1032
1033 $sql = 'SELECT ban_ip, ban_userid, ban_email, ban_exclude, ban_give_reason, ban_end
1034 FROM ' . BANLIST_TABLE . '
1035 WHERE ';
1036
1037 // Determine which entries to check, only return those
1038 if ($user_email === false)
1039 {
1040 $where_sql[] = "ban_email = ''";
1041 }
1042
1043 if ($user_ips === false)
1044 {
1045 $where_sql[] = "(ban_ip = '' OR ban_exclude = 1)";
1046 }
1047
1048 if ($user_id === false)
1049 {
1050 $where_sql[] = '(ban_userid = 0 OR ban_exclude = 1)';
1051 }
1052 else
1053 {
1054 $cache_ttl = ($user_id == ANONYMOUS) ? 3600 : 0;
1055 $_sql = '(ban_userid = ' . $user_id;
1056
1057 if ($user_email !== false)
1058 {
1059 $_sql .= " OR ban_email <> ''";
1060 }
1061
1062 if ($user_ips !== false)
1063 {
1064 $_sql .= " OR ban_ip <> ''";
1065 }
1066
1067 $_sql .= ')';
1068
1069 $where_sql[] = $_sql;
1070 }
1071
1072 $sql .= (sizeof($where_sql)) ? implode(' AND ', $where_sql) : '';
1073 $result = $db->sql_query($sql, $cache_ttl);
1074
1075 $ban_triggered_by = 'user';
1076 while ($row = $db->sql_fetchrow($result))
1077 {
1078 if ($row['ban_end'] && $row['ban_end'] < time())
1079 {
1080 continue;
1081 }
1082
1083 $ip_banned = false;
1084 if (!empty($row['ban_ip']))
1085 {
1086 if (!is_array($user_ips))
1087 {
1088 $ip_banned = preg_match('#^' . str_replace('\*', '.*?', preg_quote($row['ban_ip'], '#')) . '$#i', $user_ips);
1089 }
1090 else
1091 {
1092 foreach ($user_ips as $user_ip)
1093 {
1094 if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($row['ban_ip'], '#')) . '$#i', $user_ip))
1095 {
1096 $ip_banned = true;
1097 break;
1098 }
1099 }
1100 }
1101 }
1102
1103 if ((!empty($row['ban_userid']) && intval($row['ban_userid']) == $user_id) ||
1104 $ip_banned ||
1105 (!empty($row['ban_email']) && preg_match('#^' . str_replace('\*', '.*?', preg_quote($row['ban_email'], '#')) . '$#i', $user_email)))
1106 {
1107 if (!empty($row['ban_exclude']))
1108 {
1109 $banned = false;
1110 break;
1111 }
1112 else
1113 {
1114 $banned = true;
1115 $ban_row = $row;
1116
1117 if (!empty($row['ban_userid']) && intval($row['ban_userid']) == $user_id)
1118 {
1119 $ban_triggered_by = 'user';
1120 }
1121 else if ($ip_banned)
1122 {
1123 $ban_triggered_by = 'ip';
1124 }
1125 else
1126 {
1127 $ban_triggered_by = 'email';
1128 }
1129
1130 // Don't break. Check if there is an exclude rule for this user
1131 }
1132 }
1133 }
1134 $db->sql_freeresult($result);
1135
1136 if ($banned && !$return)
1137 {
1138 global $template;
1139
1140 // If the session is empty we need to create a valid one...
1141 if (empty($this->session_id))
1142 {
1143 // This seems to be no longer needed? - #14971
1144// $this->session_create(ANONYMOUS);
1145 }
1146
1147 // Initiate environment ... since it won't be set at this stage
1148 $this->setup();
1149
1150 // Logout the user, banned users are unable to use the normal 'logout' link
1151 if ($this->data['user_id'] != ANONYMOUS)
1152 {
1153 $this->session_kill();
1154 }
1155
1156 // We show a login box here to allow founders accessing the board if banned by IP
1157 if (defined('IN_LOGIN') && $this->data['user_id'] == ANONYMOUS)
1158 {
1159 global $phpEx;
1160
1161 $this->setup('ucp');
1162 $this->data['is_registered'] = $this->data['is_bot'] = false;
1163
1164 // Set as a precaution to allow login_box() handling this case correctly as well as this function not being executed again.
1165 define('IN_CHECK_BAN', 1);
1166
1167 login_box("index.$phpEx");
1168
1169 // The false here is needed, else the user is able to circumvent the ban.
1170 $this->session_kill(false);
1171 }
1172
1173 // Ok, we catch the case of an empty session id for the anonymous user...
1174 // This can happen if the user is logging in, banned by username and the login_box() being called "again".
1175 if (empty($this->session_id) && defined('IN_CHECK_BAN'))
1176 {
1177 $this->session_create(ANONYMOUS);
1178 }
1179
1180
1181 // Determine which message to output
1182 $till_date = ($ban_row['ban_end']) ? $this->format_date($ban_row['ban_end']) : '';
1183 $message = ($ban_row['ban_end']) ? 'BOARD_BAN_TIME' : 'BOARD_BAN_PERM';
1184
1185 $message = sprintf($this->lang[$message], $till_date, '<a href="mailto:' . $config['board_contact'] . '">', '</a>');
1186 $message .= ($ban_row['ban_give_reason']) ? '<br /><br />' . sprintf($this->lang['BOARD_BAN_REASON'], $ban_row['ban_give_reason']) : '';
1187 $message .= '<br /><br /><em>' . $this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . '</em>';
1188
1189 // To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
1190 $this->session_kill(false);
1191
1192 // A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
1193 if (defined('IN_CRON'))
1194 {
1195 garbage_collection();
1196 exit_handler();
1197 exit;
1198 }
1199
1200 trigger_error($message);
1201 }
1202
1203 return ($banned && $ban_row['ban_give_reason']) ? $ban_row['ban_give_reason'] : $banned;
1204 }
1205
1206 /**
1207 * Check if ip is blacklisted
1208 * This should be called only where absolutly necessary
1209 *
1210 * Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)
1211 *
1212 * @author satmd (from the php manual)
1213 * @param string $mode register/post - spamcop for example is ommitted for posting
1214 * @return false if ip is not blacklisted, else an array([checked server], [lookup])
1215 */
1216 function check_dnsbl($mode, $ip = false)
1217 {
1218 if ($ip === false)
1219 {
1220 $ip = $this->ip;
1221 }
1222
1223 $dnsbl_check = array(
1224 'sbl.spamhaus.org' => 'http://www.spamhaus.org/query/bl?ip=',
1225 );
1226
1227 if ($mode == 'register')
1228 {
1229 $dnsbl_check['bl.spamcop.net'] = 'http://spamcop.net/bl.shtml?';
1230 }
1231
1232 if ($ip)
1233 {
1234 $quads = explode('.', $ip);
1235 $reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];
1236
1237 // Need to be listed on all servers...
1238 $listed = true;
1239 $info = array();
1240
1241 foreach ($dnsbl_check as $dnsbl => $lookup)
1242 {
1243 if (phpbb_checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)
1244 {
1245 $info = array($dnsbl, $lookup . $ip);
1246 }
1247 else
1248 {
1249 $listed = false;
1250 }
1251 }
1252
1253 if ($listed)
1254 {
1255 return $info;
1256 }
1257 }
1258
1259 return false;
1260 }
1261
1262 /**
1263 * Check if URI is blacklisted
1264 * This should be called only where absolutly necessary, for example on the submitted website field
1265 * This function is not in use at the moment and is only included for testing purposes, it may not work at all!
1266 * This means it is untested at the moment and therefore commented out
1267 *
1268 * @param string $uri URI to check
1269 * @return true if uri is on blacklist, else false. Only blacklist is checked (~zero FP), no grey lists
1270 function check_uribl($uri)
1271 {
1272 // Normally parse_url() is not intended to parse uris
1273 // We need to get the top-level domain name anyway... change.
1274 $uri = parse_url($uri);
1275
1276 if ($uri === false || empty($uri['host']))
1277 {
1278 return false;
1279 }
1280
1281 $uri = trim($uri['host']);
1282
1283 if ($uri)
1284 {
1285 // One problem here... the return parameter for the "windows" method is different from what
1286 // we expect... this may render this check useless...
1287 if (phpbb_checkdnsrr($uri . '.multi.uribl.com.', 'A') === true)
1288 {
1289 return true;
1290 }
1291 }
1292
1293 return false;
1294 }
1295 */
1296
1297 /**
1298 * Set/Update a persistent login key
1299 *
1300 * This method creates or updates a persistent session key. When a user makes
1301 * use of persistent (formerly auto-) logins a key is generated and stored in the
1302 * DB. When they revisit with the same key it's automatically updated in both the
1303 * DB and cookie. Multiple keys may exist for each user representing different
1304 * browsers or locations. As with _any_ non-secure-socket no passphrase login this
1305 * remains vulnerable to exploit.
1306 */
1307 function set_login_key($user_id = false, $key = false, $user_ip = false)
1308 {
1309 global $config, $db;
1310
1311 $user_id = ($user_id === false) ? $this->data['user_id'] : $user_id;
1312 $user_ip = ($user_ip === false) ? $this->ip : $user_ip;
1313 $key = ($key === false) ? (($this->cookie_data['k']) ? $this->cookie_data['k'] : false) : $key;
1314
1315 $key_id = unique_id(hexdec(substr($this->session_id, 0, 8)));
1316
1317 $sql_ary = array(
1318 'key_id' => (string) md5($key_id),
1319 'last_ip' => (string) $this->ip,
1320 'last_login' => (int) time()
1321 );
1322
1323 if (!$key)
1324 {
1325 $sql_ary += array(
1326 'user_id' => (int) $user_id
1327 );
1328 }
1329
1330 if ($key)
1331 {
1332 $sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . '
1333 SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
1334 WHERE user_id = ' . (int) $user_id . "
1335 AND key_id = '" . $db->sql_escape(md5($key)) . "'";
1336 }
1337 else
1338 {
1339 $sql = 'INSERT INTO ' . SESSIONS_KEYS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
1340 }
1341 $db->sql_query($sql);
1342
1343 $this->cookie_data['k'] = $key_id;
1344
1345 return false;
1346 }
1347
1348 /**
1349 * Reset all login keys for the specified user
1350 *
1351 * This method removes all current login keys for a specified (or the current)
1352 * user. It will be called on password change to render old keys unusable
1353 */
1354 function reset_login_keys($user_id = false)
1355 {
1356 global $config, $db;
1357
1358 $user_id = ($user_id === false) ? (int) $this->data['user_id'] : (int) $user_id;
1359
1360 $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
1361 WHERE user_id = ' . (int) $user_id;
1362 $db->sql_query($sql);
1363
1364 // If the user is logged in, update last visit info first before deleting sessions
1365 $sql = 'SELECT session_time, session_page
1366 FROM ' . SESSIONS_TABLE . '
1367 WHERE session_user_id = ' . (int) $user_id . '
1368 ORDER BY session_time DESC';
1369 $result = $db->sql_query_limit($sql, 1);
1370 $row = $db->sql_fetchrow($result);
1371 $db->sql_freeresult($result);
1372
1373 if ($row)
1374 {
1375 $sql = 'UPDATE ' . USERS_TABLE . '
1376 SET user_lastvisit = ' . (int) $row['session_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
1377 WHERE user_id = " . (int) $user_id;
1378 $db->sql_query($sql);
1379 }
1380
1381 // Let's also clear any current sessions for the specified user_id
1382 // If it's the current user then we'll leave this session intact
1383 $sql_where = 'session_user_id = ' . (int) $user_id;
1384 $sql_where .= ($user_id === (int) $this->data['user_id']) ? " AND session_id <> '" . $db->sql_escape($this->session_id) . "'" : '';
1385
1386 $sql = 'DELETE FROM ' . SESSIONS_TABLE . "
1387 WHERE $sql_where";
1388 $db->sql_query($sql);
1389
1390 // We're changing the password of the current user and they have a key
1391 // Lets regenerate it to be safe
1392 if ($user_id === (int) $this->data['user_id'] && $this->cookie_data['k'])
1393 {
1394 $this->set_login_key($user_id);
1395 }
1396 }
1397
1398
1399 /**
1400 * Check if the request originated from the same page.
1401 * @param bool $check_script_path If true, the path will be checked as well
1402 */
1403 function validate_referer($check_script_path = false)
1404 {
1405 global $config;
1406
1407 // no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason)
1408 if (empty($this->referer) || empty($this->host))
1409 {
1410 return true;
1411 }
1412
1413 $host = htmlspecialchars($this->host);
1414 $ref = substr($this->referer, strpos($this->referer, '://') + 3);
1415
1416 if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] || !(stripos($ref, $config['server_name']) === 0)))
1417 {
1418 return false;
1419 }
1420 else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '')
1421 {
1422 $ref = substr($ref, strlen($host));
1423 $server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT');
1424
1425 if ($server_port !== 80 && $server_port !== 443 && stripos($ref, ":$server_port") === 0)
1426 {
1427 $ref = substr($ref, strlen(":$server_port"));
1428 }
1429
1430 if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0))
1431 {
1432 return false;
1433 }
1434 }
1435
1436 return true;
1437 }
1438
1439
1440 function unset_admin()
1441 {
1442 global $db;
1443 $sql = 'UPDATE ' . SESSIONS_TABLE . '
1444 SET session_admin = 0
1445 WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'';
1446 $db->sql_query($sql);
1447 }
1448}
1449
1450
1451/**
1452* Base user class
1453*
1454* This is the overarching class which contains (through session extend)
1455* all methods utilised for user functionality during a session.
1456*
1457* @package phpBB3
1458*/
1459class user extends session
1460{
1461 var $lang = array();
1462 var $help = array();
1463 var $theme = array();
1464 var $date_format;
1465 var $timezone;
1466 var $dst;
1467
1468 var $lang_name = false;
1469 var $lang_id = false;
1470 var $lang_path;
1471 var $img_lang;
1472 var $img_array = array();
1473
1474 // Able to add new options (up to id 31)
1475 var $keyoptions = array('viewimg' => 0, 'viewflash' => 1, 'viewsmilies' => 2, 'viewsigs' => 3, 'viewavatars' => 4, 'viewcensors' => 5, 'attachsig' => 6, 'bbcode' => 8, 'smilies' => 9, 'popuppm' => 10, 'sig_bbcode' => 15, 'sig_smilies' => 16, 'sig_links' => 17);
1476 var $keyvalues = array();
1477
1478 /**
1479 * Constructor to set the lang path
1480 */
1481 function user()
1482 {
1483 global $phpbb_root_path;
1484
1485 $this->lang_path = $phpbb_root_path . 'language/';
1486 }
1487
1488 /**
1489 * Function to set custom language path (able to use directory outside of phpBB)
1490 *
1491 * @param string $lang_path New language path used.
1492 * @access public
1493 */
1494 function set_custom_lang_path($lang_path)
1495 {
1496 $this->lang_path = $lang_path;
1497
1498 if (substr($this->lang_path, -1) != '/')
1499 {
1500 $this->lang_path .= '/';
1501 }
1502 }
1503
1504 /**
1505 * Setup basic user-specific items (style, language, ...)
1506 */
1507 function setup($lang_set = false, $style = false)
1508 {
1509 global $db, $template, $config, $auth, $phpEx, $phpbb_root_path, $cache;
1510
1511 if ($this->data['user_id'] != ANONYMOUS)
1512 {
1513 $this->lang_name = (file_exists($this->lang_path . $this->data['user_lang'] . "/common.$phpEx")) ? $this->data['user_lang'] : basename($config['default_lang']);
1514
1515 $this->date_format = $this->data['user_dateformat'];
1516 $this->timezone = $this->data['user_timezone'] * 3600;
1517 $this->dst = $this->data['user_dst'] * 3600;
1518 }
1519 else
1520 {
1521 $this->lang_name = basename($config['default_lang']);
1522 $this->date_format = $config['default_dateformat'];
1523 $this->timezone = $config['board_timezone'] * 3600;
1524 $this->dst = $config['board_dst'] * 3600;
1525
1526 /**
1527 * If a guest user is surfing, we try to guess his/her language first by obtaining the browser language
1528 * If re-enabled we need to make sure only those languages installed are checked
1529 * Commented out so we do not loose the code.
1530
1531 if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']))
1532 {
1533 $accept_lang_ary = explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']);
1534
1535 foreach ($accept_lang_ary as $accept_lang)
1536 {
1537 // Set correct format ... guess full xx_YY form
1538 $accept_lang = substr($accept_lang, 0, 2) . '_' . strtoupper(substr($accept_lang, 3, 2));
1539 $accept_lang = basename($accept_lang);
1540
1541 if (file_exists($this->lang_path . $accept_lang . "/common.$phpEx"))
1542 {
1543 $this->lang_name = $config['default_lang'] = $accept_lang;
1544 break;
1545 }
1546 else
1547 {
1548 // No match on xx_YY so try xx
1549 $accept_lang = substr($accept_lang, 0, 2);
1550 $accept_lang = basename($accept_lang);
1551
1552 if (file_exists($this->lang_path . $accept_lang . "/common.$phpEx"))
1553 {
1554 $this->lang_name = $config['default_lang'] = $accept_lang;
1555 break;
1556 }
1557 }
1558 }
1559 }
1560 */
1561 }
1562
1563 // We include common language file here to not load it every time a custom language file is included
1564 $lang = &$this->lang;
1565
1566 // Do not suppress error if in DEBUG_EXTRA mode
1567 $include_result = (defined('DEBUG_EXTRA')) ? (include $this->lang_path . $this->lang_name . "/common.$phpEx") : (@include $this->lang_path . $this->lang_name . "/common.$phpEx");
1568
1569 if ($include_result === false)
1570 {
1571 die('Language file ' . $this->lang_path . $this->lang_name . "/common.$phpEx" . " couldn't be opened.");
1572 }
1573
1574 $this->add_lang($lang_set);
1575 unset($lang_set);
1576
1577 if (!empty($_GET['style']) && $auth->acl_get('a_styles') && !defined('ADMIN_START'))
1578 {
1579 global $SID, $_EXTRA_URL;
1580
1581 $style = request_var('style', 0);
1582 $SID .= '&amp;style=' . $style;
1583 $_EXTRA_URL = array('style=' . $style);
1584 }
1585 else
1586 {
1587 // Set up style
1588 $style = ($style) ? $style : ((!$config['override_user_style']) ? $this->data['user_style'] : $config['default_style']);
1589 }
1590
1591 $sql = 'SELECT s.style_id, t.template_storedb, t.template_path, t.template_id, t.bbcode_bitfield, t.template_inherits_id, t.template_inherit_path, c.theme_path, c.theme_name, c.theme_storedb, c.theme_id, i.imageset_path, i.imageset_id, i.imageset_name
1592 FROM ' . STYLES_TABLE . ' s, ' . STYLES_TEMPLATE_TABLE . ' t, ' . STYLES_THEME_TABLE . ' c, ' . STYLES_IMAGESET_TABLE . " i
1593 WHERE s.style_id = $style
1594 AND t.template_id = s.template_id
1595 AND c.theme_id = s.theme_id
1596 AND i.imageset_id = s.imageset_id";
1597 $result = $db->sql_query($sql, 3600);
1598 $this->theme = $db->sql_fetchrow($result);
1599 $db->sql_freeresult($result);
1600
1601 // User has wrong style
1602 if (!$this->theme && $style == $this->data['user_style'])
1603 {
1604 $style = $this->data['user_style'] = $config['default_style'];
1605
1606 $sql = 'UPDATE ' . USERS_TABLE . "
1607 SET user_style = $style
1608 WHERE user_id = {$this->data['user_id']}";
1609 $db->sql_query($sql);
1610
1611 $sql = 'SELECT s.style_id, t.template_storedb, t.template_path, t.template_id, t.bbcode_bitfield, c.theme_path, c.theme_name, c.theme_storedb, c.theme_id, i.imageset_path, i.imageset_id, i.imageset_name
1612 FROM ' . STYLES_TABLE . ' s, ' . STYLES_TEMPLATE_TABLE . ' t, ' . STYLES_THEME_TABLE . ' c, ' . STYLES_IMAGESET_TABLE . " i
1613 WHERE s.style_id = $style
1614 AND t.template_id = s.template_id
1615 AND c.theme_id = s.theme_id
1616 AND i.imageset_id = s.imageset_id";
1617 $result = $db->sql_query($sql, 3600);
1618 $this->theme = $db->sql_fetchrow($result);
1619 $db->sql_freeresult($result);
1620 }
1621
1622 if (!$this->theme)
1623 {
1624 trigger_error('Could not get style data', E_USER_ERROR);
1625 }
1626
1627 // Now parse the cfg file and cache it
1628 $parsed_items = $cache->obtain_cfg_items($this->theme);
1629
1630 // We are only interested in the theme configuration for now
1631 $parsed_items = $parsed_items['theme'];
1632
1633 $check_for = array(
1634 'parse_css_file' => (int) 0,
1635 'pagination_sep' => (string) ', '
1636 );
1637
1638 foreach ($check_for as $key => $default_value)
1639 {
1640 $this->theme[$key] = (isset($parsed_items[$key])) ? $parsed_items[$key] : $default_value;
1641 settype($this->theme[$key], gettype($default_value));
1642
1643 if (is_string($default_value))
1644 {
1645 $this->theme[$key] = htmlspecialchars($this->theme[$key]);
1646 }
1647 }
1648
1649 // If the style author specified the theme needs to be cached
1650 // (because of the used paths and variables) than make sure it is the case.
1651 // For example, if the theme uses language-specific images it needs to be stored in db.
1652 if (!$this->theme['theme_storedb'] && $this->theme['parse_css_file'])
1653 {
1654 $this->theme['theme_storedb'] = 1;
1655
1656 $stylesheet = file_get_contents("{$phpbb_root_path}styles/{$this->theme['theme_path']}/theme/stylesheet.css");
1657 // Match CSS imports
1658 $matches = array();
1659 preg_match_all('/@import url\(["\'](.*)["\']\);/i', $stylesheet, $matches);
1660
1661 if (sizeof($matches))
1662 {
1663 $content = '';
1664 foreach ($matches[0] as $idx => $match)
1665 {
1666 if ($content = @file_get_contents("{$phpbb_root_path}styles/{$this->theme['theme_path']}/theme/" . $matches[1][$idx]))
1667 {
1668 $content = trim($content);
1669 }
1670 else
1671 {
1672 $content = '';
1673 }
1674 $stylesheet = str_replace($match, $content, $stylesheet);
1675 }
1676 unset($content);
1677 }
1678
1679 $stylesheet = str_replace('./', 'styles/' . $this->theme['theme_path'] . '/theme/', $stylesheet);
1680
1681 $sql_ary = array(
1682 'theme_data' => $stylesheet,
1683 'theme_mtime' => time(),
1684 'theme_storedb' => 1
1685 );
1686
1687 $sql = 'UPDATE ' . STYLES_THEME_TABLE . '
1688 SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
1689 WHERE theme_id = ' . $this->theme['theme_id'];
1690 $db->sql_query($sql);
1691
1692 unset($sql_ary);
1693 }
1694
1695 $template->set_template();
1696
1697 $this->img_lang = (file_exists($phpbb_root_path . 'styles/' . $this->theme['imageset_path'] . '/imageset/' . $this->lang_name)) ? $this->lang_name : $config['default_lang'];
1698
1699 // Same query in style.php
1700 $sql = 'SELECT *
1701 FROM ' . STYLES_IMAGESET_DATA_TABLE . '
1702 WHERE imageset_id = ' . $this->theme['imageset_id'] . "
1703 AND image_filename <> ''
1704 AND image_lang IN ('" . $db->sql_escape($this->img_lang) . "', '')";
1705 $result = $db->sql_query($sql, 3600);
1706
1707 $localised_images = false;
1708 while ($row = $db->sql_fetchrow($result))
1709 {
1710 if ($row['image_lang'])
1711 {
1712 $localised_images = true;
1713 }
1714
1715 $row['image_filename'] = rawurlencode($row['image_filename']);
1716 $this->img_array[$row['image_name']] = $row;
1717 }
1718 $db->sql_freeresult($result);
1719
1720 // there were no localised images, try to refresh the localised imageset for the user's language
1721 if (!$localised_images)
1722 {
1723 // Attention: this code ignores the image definition list from acp_styles and just takes everything
1724 // that the config file contains
1725 $sql_ary = array();
1726
1727 $db->sql_transaction('begin');
1728
1729 $sql = 'DELETE FROM ' . STYLES_IMAGESET_DATA_TABLE . '
1730 WHERE imageset_id = ' . $this->theme['imageset_id'] . '
1731 AND image_lang = \'' . $db->sql_escape($this->img_lang) . '\'';
1732 $result = $db->sql_query($sql);
1733
1734 if (@file_exists("{$phpbb_root_path}styles/{$this->theme['imageset_path']}/imageset/{$this->img_lang}/imageset.cfg"))
1735 {
1736 $cfg_data_imageset_data = parse_cfg_file("{$phpbb_root_path}styles/{$this->theme['imageset_path']}/imageset/{$this->img_lang}/imageset.cfg");
1737 foreach ($cfg_data_imageset_data as $image_name => $value)
1738 {
1739 if (strpos($value, '*') !== false)
1740 {
1741 if (substr($value, -1, 1) === '*')
1742 {
1743 list($image_filename, $image_height) = explode('*', $value);
1744 $image_width = 0;
1745 }
1746 else
1747 {
1748 list($image_filename, $image_height, $image_width) = explode('*', $value);
1749 }
1750 }
1751 else
1752 {
1753 $image_filename = $value;
1754 $image_height = $image_width = 0;
1755 }
1756
1757 if (strpos($image_name, 'img_') === 0 && $image_filename)
1758 {
1759 $image_name = substr($image_name, 4);
1760 $sql_ary[] = array(
1761 'image_name' => (string) $image_name,
1762 'image_filename' => (string) $image_filename,
1763 'image_height' => (int) $image_height,
1764 'image_width' => (int) $image_width,
1765 'imageset_id' => (int) $this->theme['imageset_id'],
1766 'image_lang' => (string) $this->img_lang,
1767 );
1768 }
1769 }
1770 }
1771
1772 if (sizeof($sql_ary))
1773 {
1774 $db->sql_multi_insert(STYLES_IMAGESET_DATA_TABLE, $sql_ary);
1775 $db->sql_transaction('commit');
1776 $cache->destroy('sql', STYLES_IMAGESET_DATA_TABLE);
1777
1778 add_log('admin', 'LOG_IMAGESET_LANG_REFRESHED', $this->theme['imageset_name'], $this->img_lang);
1779 }
1780 else
1781 {
1782 $db->sql_transaction('commit');
1783 add_log('admin', 'LOG_IMAGESET_LANG_MISSING', $this->theme['imageset_name'], $this->img_lang);
1784 }
1785 }
1786
1787 // Call phpbb_user_session_handler() in case external application want to "bend" some variables or replace classes...
1788 // After calling it we continue script execution...
1789 phpbb_user_session_handler();
1790
1791 // If this function got called from the error handler we are finished here.
1792 if (defined('IN_ERROR_HANDLER'))
1793 {
1794 return;
1795 }
1796
1797 // Disable board if the install/ directory is still present
1798 // For the brave development army we do not care about this, else we need to comment out this everytime we develop locally
1799 if (!defined('DEBUG_EXTRA') && !defined('ADMIN_START') && !defined('IN_INSTALL') && !defined('IN_LOGIN') && file_exists($phpbb_root_path . 'install') && !is_file($phpbb_root_path . 'install'))
1800 {
1801 // Adjust the message slightly according to the permissions
1802 if ($auth->acl_gets('a_', 'm_') || $auth->acl_getf_global('m_'))
1803 {
1804 $message = 'REMOVE_INSTALL';
1805 }
1806 else
1807 {
1808 $message = (!empty($config['board_disable_msg'])) ? $config['board_disable_msg'] : 'BOARD_DISABLE';
1809 }
1810 trigger_error($message);
1811 }
1812
1813 // Is board disabled and user not an admin or moderator?
1814 if ($config['board_disable'] && !defined('IN_LOGIN') && !$auth->acl_gets('a_', 'm_') && !$auth->acl_getf_global('m_'))
1815 {
1816 if ($this->data['is_bot'])
1817 {
1818 header('HTTP/1.1 503 Service Unavailable');
1819 }
1820
1821 $message = (!empty($config['board_disable_msg'])) ? $config['board_disable_msg'] : 'BOARD_DISABLE';
1822 trigger_error($message);
1823 }
1824
1825 // Is load exceeded?
1826 if ($config['limit_load'] && $this->load !== false)
1827 {
1828 if ($this->load > floatval($config['limit_load']) && !defined('IN_LOGIN'))
1829 {
1830 // Set board disabled to true to let the admins/mods get the proper notification
1831 $config['board_disable'] = '1';
1832
1833 if (!$auth->acl_gets('a_', 'm_') && !$auth->acl_getf_global('m_'))
1834 {
1835 if ($this->data['is_bot'])
1836 {
1837 header('HTTP/1.1 503 Service Unavailable');
1838 }
1839 trigger_error('BOARD_UNAVAILABLE');
1840 }
1841 }
1842 }
1843
1844 if (isset($this->data['session_viewonline']))
1845 {
1846 // Make sure the user is able to hide his session
1847 if (!$this->data['session_viewonline'])
1848 {
1849 // Reset online status if not allowed to hide the session...
1850 if (!$auth->acl_get('u_hideonline'))
1851 {
1852 $sql = 'UPDATE ' . SESSIONS_TABLE . '
1853 SET session_viewonline = 1
1854 WHERE session_user_id = ' . $this->data['user_id'];
1855 $db->sql_query($sql);
1856 $this->data['session_viewonline'] = 1;
1857 }
1858 }
1859 else if (!$this->data['user_allow_viewonline'])
1860 {
1861 // the user wants to hide and is allowed to -> cloaking device on.
1862 if ($auth->acl_get('u_hideonline'))
1863 {
1864 $sql = 'UPDATE ' . SESSIONS_TABLE . '
1865 SET session_viewonline = 0
1866 WHERE session_user_id = ' . $this->data['user_id'];
1867 $db->sql_query($sql);
1868 $this->data['session_viewonline'] = 0;
1869 }
1870 }
1871 }
1872
1873
1874 // Does the user need to change their password? If so, redirect to the
1875 // ucp profile reg_details page ... of course do not redirect if we're already in the ucp
1876 if (!defined('IN_ADMIN') && !defined('ADMIN_START') && $config['chg_passforce'] && !empty($this->data['is_registered']) && $auth->acl_get('u_chgpasswd') && $this->data['user_passchg'] < time() - ($config['chg_passforce'] * 86400))
1877 {
1878 if (strpos($this->page['query_string'], 'mode=reg_details') === false && $this->page['page_name'] != "ucp.$phpEx")
1879 {
1880 redirect(append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=profile&amp;mode=reg_details'));
1881 }
1882 }
1883
1884 return;
1885 }
1886
1887 /**
1888 * More advanced language substitution
1889 * Function to mimic sprintf() with the possibility of using phpBB's language system to substitute nullar/singular/plural forms.
1890 * Params are the language key and the parameters to be substituted.
1891 * This function/functionality is inspired by SHS` and Ashe.
1892 *
1893 * Example call: <samp>$user->lang('NUM_POSTS_IN_QUEUE', 1);</samp>
1894 */
1895 function lang()
1896 {
1897 $args = func_get_args();
1898 $key = $args[0];
1899
1900 if (is_array($key))
1901 {
1902 $lang = &$this->lang[array_shift($key)];
1903
1904 foreach ($key as $_key)
1905 {
1906 $lang = &$lang[$_key];
1907 }
1908 }
1909 else
1910 {
1911 $lang = &$this->lang[$key];
1912 }
1913
1914 // Return if language string does not exist
1915 if (!isset($lang) || (!is_string($lang) && !is_array($lang)))
1916 {
1917 return $key;
1918 }
1919
1920 // If the language entry is a string, we simply mimic sprintf() behaviour
1921 if (is_string($lang))
1922 {
1923 if (sizeof($args) == 1)
1924 {
1925 return $lang;
1926 }
1927
1928 // Replace key with language entry and simply pass along...
1929 $args[0] = $lang;
1930 return call_user_func_array('sprintf', $args);
1931 }
1932
1933 // It is an array... now handle different nullar/singular/plural forms
1934 $key_found = false;
1935
1936 // We now get the first number passed and will select the key based upon this number
1937 for ($i = 1, $num_args = sizeof($args); $i < $num_args; $i++)
1938 {
1939 if (is_int($args[$i]))
1940 {
1941 $numbers = array_keys($lang);
1942
1943 foreach ($numbers as $num)
1944 {
1945 if ($num > $args[$i])
1946 {
1947 break;
1948 }
1949
1950 $key_found = $num;
1951 }
1952 }
1953 }
1954
1955 // Ok, let's check if the key was found, else use the last entry (because it is mostly the plural form)
1956 if ($key_found === false)
1957 {
1958 $numbers = array_keys($lang);
1959 $key_found = end($numbers);
1960 }
1961
1962 // Use the language string we determined and pass it to sprintf()
1963 $args[0] = $lang[$key_found];
1964 return call_user_func_array('sprintf', $args);
1965 }
1966
1967 /**
1968 * Add Language Items - use_db and use_help are assigned where needed (only use them to force inclusion)
1969 *
1970 * @param mixed $lang_set specifies the language entries to include
1971 * @param bool $use_db internal variable for recursion, do not use
1972 * @param bool $use_help internal variable for recursion, do not use
1973 *
1974 * Examples:
1975 * <code>
1976 * $lang_set = array('posting', 'help' => 'faq');
1977 * $lang_set = array('posting', 'viewtopic', 'help' => array('bbcode', 'faq'))
1978 * $lang_set = array(array('posting', 'viewtopic'), 'help' => array('bbcode', 'faq'))
1979 * $lang_set = 'posting'
1980 * $lang_set = array('help' => 'faq', 'db' => array('help:faq', 'posting'))
1981 * </code>
1982 */
1983 function add_lang($lang_set, $use_db = false, $use_help = false)
1984 {
1985 global $phpEx;
1986
1987 if (is_array($lang_set))
1988 {
1989 foreach ($lang_set as $key => $lang_file)
1990 {
1991 // Please do not delete this line.
1992 // We have to force the type here, else [array] language inclusion will not work
1993 $key = (string) $key;
1994
1995 if ($key == 'db')
1996 {
1997 $this->add_lang($lang_file, true, $use_help);
1998 }
1999 else if ($key == 'help')
2000 {
2001 $this->add_lang($lang_file, $use_db, true);
2002 }
2003 else if (!is_array($lang_file))
2004 {
2005 $this->set_lang($this->lang, $this->help, $lang_file, $use_db, $use_help);
2006 }
2007 else
2008 {
2009 $this->add_lang($lang_file, $use_db, $use_help);
2010 }
2011 }
2012 unset($lang_set);
2013 }
2014 else if ($lang_set)
2015 {
2016 $this->set_lang($this->lang, $this->help, $lang_set, $use_db, $use_help);
2017 }
2018 }
2019
2020 /**
2021 * Set language entry (called by add_lang)
2022 * @access private
2023 */
2024 function set_lang(&$lang, &$help, $lang_file, $use_db = false, $use_help = false)
2025 {
2026 global $phpEx;
2027
2028 // Make sure the language name is set (if the user setup did not happen it is not set)
2029 if (!$this->lang_name)
2030 {
2031 global $config;
2032 $this->lang_name = basename($config['default_lang']);
2033 }
2034
2035 // $lang == $this->lang
2036 // $help == $this->help
2037 // - add appropriate variables here, name them as they are used within the language file...
2038 if (!$use_db)
2039 {
2040 if ($use_help && strpos($lang_file, '/') !== false)
2041 {
2042 $language_filename = $this->lang_path . $this->lang_name . '/' . substr($lang_file, 0, stripos($lang_file, '/') + 1) . 'help_' . substr($lang_file, stripos($lang_file, '/') + 1) . '.' . $phpEx;
2043 }
2044 else
2045 {
2046 $language_filename = $this->lang_path . $this->lang_name . '/' . (($use_help) ? 'help_' : '') . $lang_file . '.' . $phpEx;
2047 }
2048
2049 if (!file_exists($language_filename))
2050 {
2051 global $config;
2052
2053 if ($this->lang_name == 'en')
2054 {
2055 // The user's selected language is missing the file, the board default's language is missing the file, and the file doesn't exist in /en.
2056 $language_filename = str_replace($this->lang_path . 'en', $this->lang_path . $this->data['user_lang'], $language_filename);
2057 trigger_error('Language file ' . $language_filename . ' couldn\'t be opened.', E_USER_ERROR);
2058 }
2059 else if ($this->lang_name == basename($config['default_lang']))
2060 {
2061 // Fall back to the English Language
2062 $this->lang_name = 'en';
2063 $this->set_lang($lang, $help, $lang_file, $use_db, $use_help);
2064 }
2065 else if ($this->lang_name == $this->data['user_lang'])
2066 {
2067 // Fall back to the board default language
2068 $this->lang_name = basename($config['default_lang']);
2069 $this->set_lang($lang, $help, $lang_file, $use_db, $use_help);
2070 }
2071
2072 // Reset the lang name
2073 $this->lang_name = (file_exists($this->lang_path . $this->data['user_lang'] . "/common.$phpEx")) ? $this->data['user_lang'] : basename($config['default_lang']);
2074 return;
2075 }
2076
2077 // Do not suppress error if in DEBUG_EXTRA mode
2078 $include_result = (defined('DEBUG_EXTRA')) ? (include $language_filename) : (@include $language_filename);
2079
2080 if ($include_result === false)
2081 {
2082 trigger_error('Language file ' . $language_filename . ' couldn\'t be opened.', E_USER_ERROR);
2083 }
2084 }
2085 else if ($use_db)
2086 {
2087 // Get Database Language Strings
2088 // Put them into $lang if nothing is prefixed, put them into $help if help: is prefixed
2089 // For example: help:faq, posting
2090 }
2091 }
2092
2093 /**
2094 * Format user date
2095 *
2096 * @param int $gmepoch unix timestamp
2097 * @param string $format date format in date() notation. | used to indicate relative dates, for example |d m Y|, h:i is translated to Today, h:i.
2098 * @param bool $forcedate force non-relative date format.
2099 *
2100 * @return mixed translated date
2101 */
2102 function format_date($gmepoch, $format = false, $forcedate = false)
2103 {
2104 static $midnight;
2105 static $date_cache;
2106
2107 $format = (!$format) ? $this->date_format : $format;
2108 $now = time();
2109 $delta = $now - $gmepoch;
2110
2111 if (!isset($date_cache[$format]))
2112 {
2113 // Is the user requesting a friendly date format (i.e. 'Today 12:42')?
2114 $date_cache[$format] = array(
2115 'is_short' => strpos($format, '|'),
2116 'format_short' => substr($format, 0, strpos($format, '|')) . '||' . substr(strrchr($format, '|'), 1),
2117 'format_long' => str_replace('|', '', $format),
2118 'lang' => $this->lang['datetime'],
2119 );
2120
2121 // Short representation of month in format? Some languages use different terms for the long and short format of May
2122 if ((strpos($format, '\M') === false && strpos($format, 'M') !== false) || (strpos($format, '\r') === false && strpos($format, 'r') !== false))
2123 {
2124 $date_cache[$format]['lang']['May'] = $this->lang['datetime']['May_short'];
2125 }
2126 }
2127
2128 // Zone offset
2129 $zone_offset = $this->timezone + $this->dst;
2130
2131 // Show date <= 1 hour ago as 'xx min ago'
2132 // A small tolerence is given for times in the future but in the same minute are displayed as '< than a minute ago'
2133 if ($delta <= 3600 && ($delta >= -5 || (($now / 60) % 60) == (($gmepoch / 60) % 60)) && $date_cache[$format]['is_short'] !== false && !$forcedate && isset($this->lang['datetime']['AGO']))
2134 {
2135 return $this->lang(array('datetime', 'AGO'), max(0, (int) floor($delta / 60)));
2136 }
2137
2138 if (!$midnight)
2139 {
2140 list($d, $m, $y) = explode(' ', gmdate('j n Y', time() + $zone_offset));
2141 $midnight = gmmktime(0, 0, 0, $m, $d, $y) - $zone_offset;
2142 }
2143
2144 if ($date_cache[$format]['is_short'] !== false && !$forcedate && !($gmepoch < $midnight - 86400 || $gmepoch > $midnight + 172800))
2145 {
2146 $day = false;
2147
2148 if ($gmepoch > $midnight + 86400)
2149 {
2150 $day = 'TOMORROW';
2151 }
2152 else if ($gmepoch > $midnight)
2153 {
2154 $day = 'TODAY';
2155 }
2156 else if ($gmepoch > $midnight - 86400)
2157 {
2158 $day = 'YESTERDAY';
2159 }
2160
2161 if ($day !== false)
2162 {
2163 return str_replace('||', $this->lang['datetime'][$day], strtr(@gmdate($date_cache[$format]['format_short'], $gmepoch + $zone_offset), $date_cache[$format]['lang']));
2164 }
2165 }
2166
2167 return strtr(@gmdate($date_cache[$format]['format_long'], $gmepoch + $zone_offset), $date_cache[$format]['lang']);
2168 }
2169
2170 /**
2171 * Get language id currently used by the user
2172 */
2173 function get_iso_lang_id()
2174 {
2175 global $config, $db;
2176
2177 if (!empty($this->lang_id))
2178 {
2179 return $this->lang_id;
2180 }
2181
2182 if (!$this->lang_name)
2183 {
2184 $this->lang_name = $config['default_lang'];
2185 }
2186
2187 $sql = 'SELECT lang_id
2188 FROM ' . LANG_TABLE . "
2189 WHERE lang_iso = '" . $db->sql_escape($this->lang_name) . "'";
2190 $result = $db->sql_query($sql);
2191 $this->lang_id = (int) $db->sql_fetchfield('lang_id');
2192 $db->sql_freeresult($result);
2193
2194 return $this->lang_id;
2195 }
2196
2197 /**
2198 * Get users profile fields
2199 */
2200 function get_profile_fields($user_id)
2201 {
2202 global $db;
2203
2204 if (isset($this->profile_fields))
2205 {
2206 return;
2207 }
2208
2209 $sql = 'SELECT *
2210 FROM ' . PROFILE_FIELDS_DATA_TABLE . "
2211 WHERE user_id = $user_id";
2212 $result = $db->sql_query_limit($sql, 1);
2213 $this->profile_fields = (!($row = $db->sql_fetchrow($result))) ? array() : $row;
2214 $db->sql_freeresult($result);
2215 }
2216
2217 /**
2218 * Specify/Get image
2219 * $suffix is no longer used - we know it. ;) It is there for backward compatibility.
2220 */
2221 function img($img, $alt = '', $width = false, $suffix = '', $type = 'full_tag')
2222 {
2223 static $imgs;
2224 global $phpbb_root_path;
2225
2226 $img_data = &$imgs[$img];
2227
2228 if (empty($img_data))
2229 {
2230 if (!isset($this->img_array[$img]))
2231 {
2232 // Do not fill the image to let designers decide what to do if the image is empty
2233 $img_data = '';
2234 return $img_data;
2235 }
2236
2237 // Use URL if told so
2238 $root_path = (defined('PHPBB_USE_BOARD_URL_PATH') && PHPBB_USE_BOARD_URL_PATH) ? generate_board_url() . '/' : $phpbb_root_path;
2239
2240 $img_data['src'] = $root_path . 'styles/' . rawurlencode($this->theme['imageset_path']) . '/imageset/' . ($this->img_array[$img]['image_lang'] ? $this->img_array[$img]['image_lang'] .'/' : '') . $this->img_array[$img]['image_filename'];
2241 $img_data['width'] = $this->img_array[$img]['image_width'];
2242 $img_data['height'] = $this->img_array[$img]['image_height'];
2243 }
2244
2245 $alt = (!empty($this->lang[$alt])) ? $this->lang[$alt] : $alt;
2246
2247 switch ($type)
2248 {
2249 case 'src':
2250 return $img_data['src'];
2251 break;
2252
2253 case 'width':
2254 return ($width === false) ? $img_data['width'] : $width;
2255 break;
2256
2257 case 'height':
2258 return $img_data['height'];
2259 break;
2260
2261 default:
2262 $use_width = ($width === false) ? $img_data['width'] : $width;
2263
2264 return '<img src="' . $img_data['src'] . '"' . (($use_width) ? ' width="' . $use_width . '"' : '') . (($img_data['height']) ? ' height="' . $img_data['height'] . '"' : '') . ' alt="' . $alt . '" title="' . $alt . '" />';
2265 break;
2266 }
2267 }
2268
2269 /**
2270 * Get option bit field from user options
2271 */
2272 function optionget($key, $data = false)
2273 {
2274 if (!isset($this->keyvalues[$key]))
2275 {
2276 $var = ($data) ? $data : $this->data['user_options'];
2277 $this->keyvalues[$key] = ($var & 1 << $this->keyoptions[$key]) ? true : false;
2278 }
2279
2280 return $this->keyvalues[$key];
2281 }
2282
2283 /**
2284 * Set option bit field for user options
2285 */
2286 function optionset($key, $value, $data = false)
2287 {
2288 $var = ($data) ? $data : $this->data['user_options'];
2289
2290 if ($value && !($var & 1 << $this->keyoptions[$key]))
2291 {
2292 $var += 1 << $this->keyoptions[$key];
2293 }
2294 else if (!$value && ($var & 1 << $this->keyoptions[$key]))
2295 {
2296 $var -= 1 << $this->keyoptions[$key];
2297 }
2298 else
2299 {
2300 return ($data) ? $var : false;
2301 }
2302
2303 if (!$data)
2304 {
2305 $this->data['user_options'] = $var;
2306 return true;
2307 }
2308 else
2309 {
2310 return $var;
2311 }
2312 }
2313
2314 /**
2315 * Funtion to make the user leave the NEWLY_REGISTERED system group.
2316 * @access public
2317 */
2318 function leave_newly_registered()
2319 {
2320 global $db;
2321
2322 if (empty($this->data['user_new']))
2323 {
2324 return false;
2325 }
2326
2327 if (!function_exists('remove_newly_registered'))
2328 {
2329 global $phpbb_root_path, $phpEx;
2330
2331 include($phpbb_root_path . 'includes/functions_user.' . $phpEx);
2332 }
2333 if ($group = remove_newly_registered($this->data['user_id'], $this->data))
2334 {
2335 $this->data['group_id'] = $group;
2336
2337 }
2338 $this->data['user_permissions'] = '';
2339 $this->data['user_new'] = 0;
2340
2341 return true;
2342 }
2343}
2344
2345?>
Note: See TracBrowser for help on using the repository browser.