search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
(a little test for later merges)
[phpbb.git] / phpBB / includes / session.php
blobbf41fea7dec33769457a82c6ba78227c6c966fc5
1 <?php
2 /**
3 *
4 * @package phpBB3
5 * @version $Id$
6 * @copyright (c) 2005 phpBB Group
7 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
8 *
9 */
10
11 /**
12 * @ignore
13 */
14 if (!defined('IN_PHPBB'))
15 {
16 exit;
17 }
18
19 /**
20 * Session class
21 * @package phpBB3
22 */
23 class session
24 {
25 var $cookie_data = array();
26 var $page = array();
27 var $data = array();
28 var $browser = '';
29 var $forwarded_for = '';
30 var $host = '';
31 var $session_id = '';
32 var $ip = '';
33 var $load = 0;
34 var $time_now = 0;
35 var $update_session_page = true;
36
37 /**
38 * Extract current session page
39 *
40 * @param string $root_path current root path (phpbb_root_path)
41 */
42 function extract_current_page($root_path)
43 {
44 $page_array = array();
45
46 // First of all, get the request uri...
47 $script_name = (!empty($_SERVER['PHP_SELF'])) ? $_SERVER['PHP_SELF'] : getenv('PHP_SELF');
48 $args = (!empty($_SERVER['QUERY_STRING'])) ? explode('&', $_SERVER['QUERY_STRING']) : explode('&', getenv('QUERY_STRING'));
49
50 // If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
51 if (!$script_name)
52 {
53 $script_name = (!empty($_SERVER['REQUEST_URI'])) ? $_SERVER['REQUEST_URI'] : getenv('REQUEST_URI');
54 $script_name = (($pos = strpos($script_name, '?')) !== false) ? substr($script_name, 0, $pos) : $script_name;
55 $page_array['failover'] = 1;
56 }
57
58 // Replace backslashes and doubled slashes (could happen on some proxy setups)
59 $script_name = str_replace(array('\\', '//'), '/', $script_name);
60
61 // Now, remove the sid and let us get a clean query string...
62 $use_args = array();
63
64 // Since some browser do not encode correctly we need to do this with some "special" characters...
65 // " -> %22, ' => %27, < -> %3C, > -> %3E
66 $find = array('"', "'", '<', '>');
67 $replace = array('%22', '%27', '%3C', '%3E');
68
69 foreach ($args as $key => $argument)
70 {
71 if (strpos($argument, 'sid=') === 0)
72 {
73 continue;
74 }
75
76 $use_args[] = str_replace($find, $replace, $argument);
77 }
78 unset($args);
79
80 // The following examples given are for an request uri of {path to the phpbb directory}/adm/index.php?i=10&b=2
81
82 // The current query string
83 $query_string = trim(implode('&', $use_args));
84
85 // basenamed page name (for example: index.php)
86 $page_name = basename($script_name);
87 $page_name = urlencode(htmlspecialchars($page_name));
88
89 // current directory within the phpBB root (for example: adm)
90 $root_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($root_path)));
91 $page_dirs = explode('/', str_replace('\\', '/', phpbb_realpath('./')));
92 $intersection = array_intersect_assoc($root_dirs, $page_dirs);
93
94 $root_dirs = array_diff_assoc($root_dirs, $intersection);
95 $page_dirs = array_diff_assoc($page_dirs, $intersection);
96
97 $page_dir = str_repeat('../', sizeof($root_dirs)) . implode('/', $page_dirs);
98
99 if ($page_dir && substr($page_dir, -1, 1) == '/')
100 {
101 $page_dir = substr($page_dir, 0, -1);
102 }
103
104 // Current page from phpBB root (for example: adm/index.php?i=10&b=2)
105 $page = (($page_dir) ? $page_dir . '/' : '') . $page_name . (($query_string) ? "?$query_string" : '');
106
107 // The script path from the webroot to the current directory (for example: /phpBB3/adm/) : always prefixed with / and ends in /
108 $script_path = trim(str_replace('\\', '/', dirname($script_name)));
109
110 // The script path from the webroot to the phpBB root (for example: /phpBB3/)
111 $script_dirs = explode('/', $script_path);
112 array_splice($script_dirs, -sizeof($page_dirs));
113 $root_script_path = implode('/', $script_dirs) . (sizeof($root_dirs) ? '/' . implode('/', $root_dirs) : '');
114
115 // We are on the base level (phpBB root == webroot), lets adjust the variables a bit...
116 if (!$root_script_path)
117 {
118 $root_script_path = ($page_dir) ? str_replace($page_dir, '', $script_path) : $script_path;
119 }
120
121 $script_path .= (substr($script_path, -1, 1) == '/') ? '' : '/';
122 $root_script_path .= (substr($root_script_path, -1, 1) == '/') ? '' : '/';
123
124 $page_array += array(
125 'page_name' => $page_name,
126 'page_dir' => $page_dir,
127
128 'query_string' => $query_string,
129 'script_path' => str_replace(' ', '%20', htmlspecialchars($script_path)),
130 'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path)),
131
132 'page' => $page,
133 'forum' => (isset($_REQUEST['f']) && $_REQUEST['f'] > 0) ? (int) $_REQUEST['f'] : 0,
134 );
135
136 return $page_array;
137 }
138
139 /**
140 * Get valid hostname/port. HTTP_HOST is used, SERVER_NAME if HTTP_HOST not present.
141 */
142 function extract_current_hostname()
143 {
144 global $config;
145
146 // Get hostname
147 $host = (!empty($_SERVER['HTTP_HOST'])) ? $_SERVER['HTTP_HOST'] : ((!empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : getenv('SERVER_NAME'));
148
149 // Should be a string and lowered
150 $host = (string) strtolower($host);
151
152 // If host is equal the cookie domain or the server name (if config is set), then we assume it is valid
153 if ((isset($config['cookie_domain']) && $host === $config['cookie_domain']) || (isset($config['server_name']) && $host === $config['server_name']))
154 {
155 return $host;
156 }
157
158 // Is the host actually a IP? If so, we use the IP... (IPv4)
159 if (long2ip(ip2long($host)) === $host)
160 {
161 return $host;
162 }
163
164 // Now return the hostname (this also removes any port definition). The http:// is prepended to construct a valid URL, hosts never have a scheme assigned
165 $host = @parse_url('http://' . $host);
166 $host = (!empty($host['host'])) ? $host['host'] : '';
167
168 // Remove any portions not removed by parse_url (#)
169 $host = str_replace('#', '', $host);
170
171 // If, by any means, the host is now empty, we will use a "best approach" way to guess one
172 if (empty($host))
173 {
174 if (!empty($config['server_name']))
175 {
176 $host = $config['server_name'];
177 }
178 else if (!empty($config['cookie_domain']))
179 {
180 $host = (strpos($config['cookie_domain'], '.') === 0) ? substr($config['cookie_domain'], 1) : $config['cookie_domain'];
181 }
182 else
183 {
184 // Set to OS hostname or localhost
185 $host = (function_exists('php_uname')) ? php_uname('n') : 'localhost';
186 }
187 }
188
189 // It may be still no valid host, but for sure only a hostname (we may further expand on the cookie domain... if set)
190 return $host;
191 }
192
193 /**
194 * Start session management
195 *
196 * This is where all session activity begins. We gather various pieces of
197 * information from the client and server. We test to see if a session already
198 * exists. If it does, fine and dandy. If it doesn't we'll go on to create a
199 * new one ... pretty logical heh? We also examine the system load (if we're
200 * running on a system which makes such information readily available) and
201 * halt if it's above an admin definable limit.
202 *
203 * @param bool $update_session_page if true the session page gets updated.
204 * This can be set to circumvent certain scripts to update the users last visited page.
205 */
206 function session_begin($update_session_page = true)
207 {
208 global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path;
209
210 // Give us some basic information
211 $this->time_now = time();
212 $this->cookie_data = array('u' => 0, 'k' => '');
213 $this->update_session_page = $update_session_page;
214 $this->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
215 $this->referer = (!empty($_SERVER['HTTP_REFERER'])) ? htmlspecialchars((string) $_SERVER['HTTP_REFERER']) : '';
216 $this->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? htmlspecialchars((string) $_SERVER['HTTP_X_FORWARDED_FOR']) : '';
217
218 $this->host = $this->extract_current_hostname();
219 $this->page = $this->extract_current_page($phpbb_root_path);
220
221 // if the forwarded for header shall be checked we have to validate its contents
222 if ($config['forwarded_for_check'])
223 {
224 $this->forwarded_for = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->forwarded_for));
225
226 // split the list of IPs
227 $ips = explode(' ', $this->forwarded_for);
228 foreach ($ips as $ip)
229 {
230 // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
231 if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))
232 {
233 // contains invalid data, don't use the forwarded for header
234 $this->forwarded_for = '';
235 break;
236 }
237 }
238 }
239 else
240 {
241 $this->forwarded_for = '';
242 }
243
244 if (isset($_COOKIE[$config['cookie_name'] . '_sid']) || isset($_COOKIE[$config['cookie_name'] . '_u']))
245 {
246 $this->cookie_data['u'] = request_var($config['cookie_name'] . '_u', 0, false, true);
247 $this->cookie_data['k'] = request_var($config['cookie_name'] . '_k', '', false, true);
248 $this->session_id = request_var($config['cookie_name'] . '_sid', '', false, true);
249
250 $SID = (defined('NEED_SID')) ? '?sid=' . $this->session_id : '?sid=';
251 $_SID = (defined('NEED_SID')) ? $this->session_id : '';
252
253 if (empty($this->session_id))
254 {
255 $this->session_id = $_SID = request_var('sid', '');
256 $SID = '?sid=' . $this->session_id;
257 $this->cookie_data = array('u' => 0, 'k' => '');
258 }
259 }
260 else
261 {
262 $this->session_id = $_SID = request_var('sid', '');
263 $SID = '?sid=' . $this->session_id;
264 }
265
266 $_EXTRA_URL = array();
267
268 // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
269 // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
270 $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : '';
271 $this->ip = preg_replace('#[ ]{2,}#', ' ', str_replace(array(',', ' '), ' ', $this->ip));
272
273 // split the list of IPs
274 $ips = explode(' ', $this->ip);
275
276 // Default IP if REMOTE_ADDR is invalid
277 $this->ip = '127.0.0.1';
278
279 foreach ($ips as $ip)
280 {
281 // check IPv4 first, the IPv6 is hopefully only going to be used very seldomly
282 if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))
283 {
284 // Just break
285 break;
286 }
287
288 // Use the last in chain
289 $this->ip = $ip;
290 }
291
292 $this->load = false;
293
294 // Load limit check (if applicable)
295 if ($config['limit_load'] || $config['limit_search_load'])
296 {
297 if ((function_exists('sys_getloadavg') && $load = sys_getloadavg()) || ($load = explode(' ', @file_get_contents('/proc/loadavg'))))
298 {
299 $this->load = array_slice($load, 0, 1);
300 $this->load = floatval($this->load[0]);
301 }
302 else
303 {
304 set_config('limit_load', '0');
305 set_config('limit_search_load', '0');
306 }
307 }
308
309 // Is session_id is set or session_id is set and matches the url param if required
310 if (!empty($this->session_id) && (!defined('NEED_SID') || (isset($_GET['sid']) && $this->session_id === $_GET['sid'])))
311 {
312 $sql = 'SELECT u.*, s.*
313 FROM ' . SESSIONS_TABLE . ' s, ' . USERS_TABLE . " u
314 WHERE s.session_id = '" . $db->sql_escape($this->session_id) . "'
315 AND u.user_id = s.session_user_id";
316 $result = $db->sql_query($sql);
317 $this->data = $db->sql_fetchrow($result);
318 $db->sql_freeresult($result);
319
320 // Did the session exist in the DB?
321 if (isset($this->data['user_id']))
322 {
323 // Validate IP length according to admin ... enforces an IP
324 // check on bots if admin requires this
325 // $quadcheck = ($config['ip_check_bot'] && $this->data['user_type'] & USER_BOT) ? 4 : $config['ip_check'];
326
327 if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
328 {
329 $s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
330 $u_ip = short_ipv6($this->ip, $config['ip_check']);
331 }
332 else
333 {
334 $s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
335 $u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
336 }
337
338 $s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
339 $u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
340
341 $s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
342 $u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
343
344 // referer checks
345 // The @ before $config['referer_validation'] suppresses notices present while running the updater
346 $check_referer_path = (@$config['referer_validation'] == REFERER_VALIDATE_PATH);
347 $referer_valid = true;
348
349 // we assume HEAD and TRACE to be foul play and thus only whitelist GET
350 if (@$config['referer_validation'] && isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) !== 'get')
351 {
352 $referer_valid = $this->validate_referer($check_referer_path);
353 }
354
355 if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for && $referer_valid)
356 {
357 $session_expired = false;
358
359 // Check whether the session is still valid if we have one
360 $method = basename(trim($config['auth_method']));
361 include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
362
363 $method = 'validate_session_' . $method;
364 if (function_exists($method))
365 {
366 if (!$method($this->data))
367 {
368 $session_expired = true;
369 }
370 }
371
372 if (!$session_expired)
373 {
374 // Check the session length timeframe if autologin is not enabled.
375 // Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide.
376 if (!$this->data['session_autologin'])
377 {
378 if ($this->data['session_time'] < $this->time_now - ($config['session_length'] + 60))
379 {
380 $session_expired = true;
381 }
382 }
383 else if (!$config['allow_autologin'] || ($config['max_autologin_time'] && $this->data['session_time'] < $this->time_now - (86400 * (int) $config['max_autologin_time']) + 60))
384 {
385 $session_expired = true;
386 }
387 }
388
389 if (!$session_expired)
390 {
391 // Only update session DB a minute or so after last update or if page changes
392 if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
393 {
394 $sql_ary = array('session_time' => $this->time_now);
395
396 if ($this->update_session_page)
397 {
398 $sql_ary['session_page'] = substr($this->page['page'], 0, 199);
399 $sql_ary['session_forum_id'] = $this->page['forum'];
400 }
401
402 $db->sql_return_on_error(true);
403
404 $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . "
405 WHERE session_id = '" . $db->sql_escape($this->session_id) . "'";
406 $result = $db->sql_query($sql);
407
408 $db->sql_return_on_error(false);
409
410 // If the database is not yet updated, there will be an error due to the session_forum_id
411 // @todo REMOVE for 3.0.2
412 if ($result === false)
413 {
414 unset($sql_ary['session_forum_id']);
415
416 $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . "
417 WHERE session_id = '" . $db->sql_escape($this->session_id) . "'";
418 $db->sql_query($sql);
419 }
420
421 if ($this->data['user_id'] != ANONYMOUS && !empty($config['new_member_post_limit']) && $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts'])
422 {
423 $this->leave_newly_registered();
424 }
425 }
426
427 $this->data['is_registered'] = ($this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
428 $this->data['is_bot'] = (!$this->data['is_registered'] && $this->data['user_id'] != ANONYMOUS) ? true : false;
429 $this->data['user_lang'] = basename($this->data['user_lang']);
430
431 return true;
432 }
433 }
434 else
435 {
436 // Added logging temporarly to help debug bugs...
437 if (defined('DEBUG_EXTRA') && $this->data['user_id'] != ANONYMOUS)
438 {
439 if ($referer_valid)
440 {
441 add_log('critical', 'LOG_IP_BROWSER_FORWARDED_CHECK', $u_ip, $s_ip, $u_browser, $s_browser, htmlspecialchars($u_forwarded_for), htmlspecialchars($s_forwarded_for));
442 }
443 else
444 {
445 add_log('critical', 'LOG_REFERER_INVALID', $this->referer);
446 }
447 }
448 }
449 }
450 }
451
452 // If we reach here then no (valid) session exists. So we'll create a new one
453 return $this->session_create();
454 }
455
456 /**
457 * Create a new session
458 *
459 * If upon trying to start a session we discover there is nothing existing we
460 * jump here. Additionally this method is called directly during login to regenerate
461 * the session for the specific user. In this method we carry out a number of tasks;
462 * garbage collection, (search)bot checking, banned user comparison. Basically
463 * though this method will result in a new session for a specific user.
464 */
465 function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)
466 {
467 global $SID, $_SID, $db, $config, $cache, $phpbb_root_path, $phpEx;
468
469 $this->data = array();
470
471 /* Garbage collection ... remove old sessions updating user information
472 // if necessary. It means (potentially) 11 queries but only infrequently
473 if ($this->time_now > $config['session_last_gc'] + $config['session_gc'])
474 {
475 $this->session_gc();
476 }*/
477
478 // Do we allow autologin on this board? No? Then override anything
479 // that may be requested here
480 if (!$config['allow_autologin'])
481 {
482 $this->cookie_data['k'] = $persist_login = false;
483 }
484
485 /**
486 * Here we do a bot check, oh er saucy! No, not that kind of bot
487 * check. We loop through the list of bots defined by the admin and
488 * see if we have any useragent and/or IP matches. If we do, this is a
489 * bot, act accordingly
490 */
491 $bot = false;
492 $active_bots = $cache->obtain_bots();
493
494 foreach ($active_bots as $row)
495 {
496 if ($row['bot_agent'] && preg_match('#' . str_replace('\*', '.*?', preg_quote($row['bot_agent'], '#')) . '#i', $this->browser))
497 {
498 $bot = $row['user_id'];
499 }
500
501 // If ip is supplied, we will make sure the ip is matching too...
502 if ($row['bot_ip'] && ($bot || !$row['bot_agent']))
503 {
504 // Set bot to false, then we only have to set it to true if it is matching
505 $bot = false;
506
507 foreach (explode(',', $row['bot_ip']) as $bot_ip)
508 {
509 $bot_ip = trim($bot_ip);
510
511 if (!$bot_ip)
512 {
513 continue;
514 }
515
516 if (strpos($this->ip, $bot_ip) === 0)
517 {
518 $bot = (int) $row['user_id'];
519 break;
520 }
521 }
522 }
523
524 if ($bot)
525 {
526 break;
527 }
528 }
529
530 $method = basename(trim($config['auth_method']));
531 include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
532
533 $method = 'autologin_' . $method;
534 if (function_exists($method))
535 {
536 $this->data = $method();
537
538 if (sizeof($this->data))
539 {
540 $this->cookie_data['k'] = '';
541 $this->cookie_data['u'] = $this->data['user_id'];
542 }
543 }
544
545 // If we're presented with an autologin key we'll join against it.
546 // Else if we've been passed a user_id we'll grab data based on that
547 if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && !sizeof($this->data))
548 {
549 $sql = 'SELECT u.*
550 FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
551 WHERE u.user_id = ' . (int) $this->cookie_data['u'] . '
552 AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ")
553 AND k.user_id = u.user_id
554 AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
555 $result = $db->sql_query($sql);
556 $this->data = $db->sql_fetchrow($result);
557 $db->sql_freeresult($result);
558 $bot = false;
559 }
560 else if ($user_id !== false && !sizeof($this->data))
561 {
562 $this->cookie_data['k'] = '';
563 $this->cookie_data['u'] = $user_id;
564
565 $sql = 'SELECT *
566 FROM ' . USERS_TABLE . '
567 WHERE user_id = ' . (int) $this->cookie_data['u'] . '
568 AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')';
569 $result = $db->sql_query($sql);
570 $this->data = $db->sql_fetchrow($result);
571 $db->sql_freeresult($result);
572 $bot = false;
573 }
574
575 // If no data was returned one or more of the following occurred:
576 // Key didn't match one in the DB
577 // User does not exist
578 // User is inactive
579 // User is bot
580 if (!sizeof($this->data) || !is_array($this->data))
581 {
582 $this->cookie_data['k'] = '';
583 $this->cookie_data['u'] = ($bot) ? $bot : ANONYMOUS;
584
585 if (!$bot)
586 {
587 $sql = 'SELECT *
588 FROM ' . USERS_TABLE . '
589 WHERE user_id = ' . (int) $this->cookie_data['u'];
590 }
591 else
592 {
593 // We give bots always the same session if it is not yet expired.
594 $sql = 'SELECT u.*, s.*
595 FROM ' . USERS_TABLE . ' u
596 LEFT JOIN ' . SESSIONS_TABLE . ' s ON (s.session_user_id = u.user_id)
597 WHERE u.user_id = ' . (int) $bot;
598 }
599
600 $result = $db->sql_query($sql);
601 $this->data = $db->sql_fetchrow($result);
602 $db->sql_freeresult($result);
603 }
604
605 if ($this->data['user_id'] != ANONYMOUS && !$bot)
606 {
607 $this->data['session_last_visit'] = (isset($this->data['session_time']) && $this->data['session_time']) ? $this->data['session_time'] : (($this->data['user_lastvisit']) ? $this->data['user_lastvisit'] : time());
608 }
609 else
610 {
611 $this->data['session_last_visit'] = $this->time_now;
612 }
613
614 // Force user id to be integer...
615 $this->data['user_id'] = (int) $this->data['user_id'];
616
617 // At this stage we should have a filled data array, defined cookie u and k data.
618 // data array should contain recent session info if we're a real user and a recent
619 // session exists in which case session_id will also be set
620
621 // Is user banned? Are they excluded? Won't return on ban, exists within method
622 if ($this->data['user_type'] != USER_FOUNDER)
623 {
624 if (!$config['forwarded_for_check'])
625 {
626 $this->check_ban($this->data['user_id'], $this->ip);
627 }
628 else
629 {
630 $ips = explode(' ', $this->forwarded_for);
631 $ips[] = $this->ip;
632 $this->check_ban($this->data['user_id'], $ips);
633 }
634 }
635
636 $this->data['is_registered'] = (!$bot && $this->data['user_id'] != ANONYMOUS && ($this->data['user_type'] == USER_NORMAL || $this->data['user_type'] == USER_FOUNDER)) ? true : false;
637 $this->data['is_bot'] = ($bot) ? true : false;
638
639 // If our friend is a bot, we re-assign a previously assigned session
640 if ($this->data['is_bot'] && $bot == $this->data['user_id'] && $this->data['session_id'])
641 {
642 // Only assign the current session if the ip, browser and forwarded_for match...
643 if (strpos($this->ip, ':') !== false && strpos($this->data['session_ip'], ':') !== false)
644 {
645 $s_ip = short_ipv6($this->data['session_ip'], $config['ip_check']);
646 $u_ip = short_ipv6($this->ip, $config['ip_check']);
647 }
648 else
649 {
650 $s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
651 $u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
652 }
653
654 $s_browser = ($config['browser_check']) ? trim(strtolower(substr($this->data['session_browser'], 0, 149))) : '';
655 $u_browser = ($config['browser_check']) ? trim(strtolower(substr($this->browser, 0, 149))) : '';
656
657 $s_forwarded_for = ($config['forwarded_for_check']) ? substr($this->data['session_forwarded_for'], 0, 254) : '';
658 $u_forwarded_for = ($config['forwarded_for_check']) ? substr($this->forwarded_for, 0, 254) : '';
659
660 if ($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for)
661 {
662 $this->session_id = $this->data['session_id'];
663
664 // Only update session DB a minute or so after last update or if page changes
665 if ($this->time_now - $this->data['session_time'] > 60 || ($this->update_session_page && $this->data['session_page'] != $this->page['page']))
666 {
667 $this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;
668
669 $sql_ary = array('session_time' => $this->time_now, 'session_last_visit' => $this->time_now, 'session_admin' => 0);
670
671 if ($this->update_session_page)
672 {
673 $sql_ary['session_page'] = substr($this->page['page'], 0, 199);
674 $sql_ary['session_forum_id'] = $this->page['forum'];
675 }
676
677 $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . "
678 WHERE session_id = '" . $db->sql_escape($this->session_id) . "'";
679 $db->sql_query($sql);
680
681 // Update the last visit time
682 $sql = 'UPDATE ' . USERS_TABLE . '
683 SET user_lastvisit = ' . (int) $this->data['session_time'] . '
684 WHERE user_id = ' . (int) $this->data['user_id'];
685 $db->sql_query($sql);
686 }
687
688 $SID = '?sid=';
689 $_SID = '';
690 return true;
691 }
692 else
693 {
694 // If the ip and browser does not match make sure we only have one bot assigned to one session
695 $db->sql_query('DELETE FROM ' . SESSIONS_TABLE . ' WHERE session_user_id = ' . $this->data['user_id']);
696 }
697 }
698
699 $session_autologin = (($this->cookie_data['k'] || $persist_login) && $this->data['is_registered']) ? true : false;
700 $set_admin = ($set_admin && $this->data['is_registered']) ? true : false;
701
702 // Create or update the session
703 $sql_ary = array(
704 'session_user_id' => (int) $this->data['user_id'],
705 'session_start' => (int) $this->time_now,
706 'session_last_visit' => (int) $this->data['session_last_visit'],
707 'session_time' => (int) $this->time_now,
708 'session_browser' => (string) trim(substr($this->browser, 0, 149)),
709 'session_forwarded_for' => (string) $this->forwarded_for,
710 'session_ip' => (string) $this->ip,
711 'session_autologin' => ($session_autologin) ? 1 : 0,
712 'session_admin' => ($set_admin) ? 1 : 0,
713 'session_viewonline' => ($viewonline) ? 1 : 0,
714 );
715
716 if ($this->update_session_page)
717 {
718 $sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
719 $sql_ary['session_forum_id'] = $this->page['forum'];
720 }
721
722 $db->sql_return_on_error(true);
723
724 $sql = 'DELETE
725 FROM ' . SESSIONS_TABLE . '
726 WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'
727 AND session_user_id = ' . ANONYMOUS;
728
729 if (!defined('IN_ERROR_HANDLER') && (!$this->session_id || !$db->sql_query($sql) || !$db->sql_affectedrows()))
730 {
731 // Limit new sessions in 1 minute period (if required)
732 if (empty($this->data['session_time']) && $config['active_sessions'])
733 {
734 // $db->sql_return_on_error(false);
735
736 $sql = 'SELECT COUNT(session_id) AS sessions
737 FROM ' . SESSIONS_TABLE . '
738 WHERE session_time >= ' . ($this->time_now - 60);
739 $result = $db->sql_query($sql);
740 $row = $db->sql_fetchrow($result);
741 $db->sql_freeresult($result);
742
743 if ((int) $row['sessions'] > (int) $config['active_sessions'])
744 {
745 header('HTTP/1.1 503 Service Unavailable');
746 trigger_error('BOARD_UNAVAILABLE');
747 }
748 }
749 }
750
751 // Since we re-create the session id here, the inserted row must be unique. Therefore, we display potential errors.
752 // Commented out because it will not allow forums to update correctly
753 // $db->sql_return_on_error(false);
754
755 // Something quite important: session_page always holds the *last* page visited, except for the *first* visit.
756 // We are not able to simply have an empty session_page btw, therefore we need to tell phpBB how to detect this special case.
757 // If the session id is empty, we have a completely new one and will set an "identifier" here. This identifier is able to be checked later.
758 if (empty($this->data['session_id']))
759 {
760 // This is a temporary variable, only set for the very first visit
761 $this->data['session_created'] = true;
762 }
763
764 $this->session_id = $this->data['session_id'] = md5(unique_id());
765
766 $sql_ary['session_id'] = (string) $this->session_id;
767 $sql_ary['session_page'] = (string) substr($this->page['page'], 0, 199);
768 $sql_ary['session_forum_id'] = $this->page['forum'];
769
770 $sql = 'INSERT INTO ' . SESSIONS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
771 $db->sql_query($sql);
772
773 $db->sql_return_on_error(false);
774
775 // Regenerate autologin/persistent login key
776 if ($session_autologin)
777 {
778 $this->set_login_key();
779 }
780
781 // refresh data
782 $SID = '?sid=' . $this->session_id;
783 $_SID = $this->session_id;
784 $this->data = array_merge($this->data, $sql_ary);
785
786 if (!$bot)
787 {
788 $cookie_expire = $this->time_now + (($config['max_autologin_time']) ? 86400 * (int) $config['max_autologin_time'] : 31536000);
789
790 $this->set_cookie('u', $this->cookie_data['u'], $cookie_expire);
791 $this->set_cookie('k', $this->cookie_data['k'], $cookie_expire);
792 $this->set_cookie('sid', $this->session_id, $cookie_expire);
793
794 unset($cookie_expire);
795
796 $sql = 'SELECT COUNT(session_id) AS sessions
797 FROM ' . SESSIONS_TABLE . '
798 WHERE session_user_id = ' . (int) $this->data['user_id'] . '
799 AND session_time >= ' . (int) ($this->time_now - (max($config['session_length'], $config['form_token_lifetime'])));
800 $result = $db->sql_query($sql);
801 $row = $db->sql_fetchrow($result);
802 $db->sql_freeresult($result);
803
804 if ((int) $row['sessions'] <= 1 || empty($this->data['user_form_salt']))
805 {
806 $this->data['user_form_salt'] = unique_id();
807 // Update the form key
808 $sql = 'UPDATE ' . USERS_TABLE . '
809 SET user_form_salt = \'' . $db->sql_escape($this->data['user_form_salt']) . '\'
810 WHERE user_id = ' . (int) $this->data['user_id'];
811 $db->sql_query($sql);
812 }
813 }
814 else
815 {
816 $this->data['session_time'] = $this->data['session_last_visit'] = $this->time_now;
817
818 // Update the last visit time
819 $sql = 'UPDATE ' . USERS_TABLE . '
820 SET user_lastvisit = ' . (int) $this->data['session_time'] . '
821 WHERE user_id = ' . (int) $this->data['user_id'];
822 $db->sql_query($sql);
823
824 $SID = '?sid=';
825 $_SID = '';
826 }
827
828 return true;
829 }
830
831 /**
832 * Kills a session
833 *
834 * This method does what it says on the tin. It will delete a pre-existing session.
835 * It resets cookie information (destroying any autologin key within that cookie data)
836 * and update the users information from the relevant session data. It will then
837 * grab guest user information.
838 */
839 function session_kill($new_session = true)
840 {
841 global $SID, $_SID, $db, $config, $phpbb_root_path, $phpEx;
842
843 $sql = 'DELETE FROM ' . SESSIONS_TABLE . "
844 WHERE session_id = '" . $db->sql_escape($this->session_id) . "'
845 AND session_user_id = " . (int) $this->data['user_id'];
846 $db->sql_query($sql);
847
848 // Allow connecting logout with external auth method logout
849 $method = basename(trim($config['auth_method']));
850 include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
851
852 $method = 'logout_' . $method;
853 if (function_exists($method))
854 {
855 $method($this->data, $new_session);
856 }
857
858 if ($this->data['user_id'] != ANONYMOUS)
859 {
860 // Delete existing session, update last visit info first!
861 if (!isset($this->data['session_time']))
862 {
863 $this->data['session_time'] = time();
864 }
865
866 $sql = 'UPDATE ' . USERS_TABLE . '
867 SET user_lastvisit = ' . (int) $this->data['session_time'] . '
868 WHERE user_id = ' . (int) $this->data['user_id'];
869 $db->sql_query($sql);
870
871 if ($this->cookie_data['k'])
872 {
873 $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
874 WHERE user_id = ' . (int) $this->data['user_id'] . "
875 AND key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
876 $db->sql_query($sql);
877 }
878
879 // Reset the data array
880 $this->data = array();
881
882 $sql = 'SELECT *
883 FROM ' . USERS_TABLE . '
884 WHERE user_id = ' . ANONYMOUS;
885 $result = $db->sql_query($sql);
886 $this->data = $db->sql_fetchrow($result);
887 $db->sql_freeresult($result);
888 }
889
890 $cookie_expire = $this->time_now - 31536000;
891 $this->set_cookie('u', '', $cookie_expire);
892 $this->set_cookie('k', '', $cookie_expire);
893 $this->set_cookie('sid', '', $cookie_expire);
894 unset($cookie_expire);
895
896 $SID = '?sid=';
897 $this->session_id = $_SID = '';
898
899 // To make sure a valid session is created we create one for the anonymous user
900 if ($new_session)
901 {
902 $this->session_create(ANONYMOUS);
903 }
904
905 return true;
906 }
907
908 /**
909 * Session garbage collection
910 *
911 * This looks a lot more complex than it really is. Effectively we are
912 * deleting any sessions older than an admin definable limit. Due to the
913 * way in which we maintain session data we have to ensure we update user
914 * data before those sessions are destroyed. In addition this method
915 * removes autologin key information that is older than an admin defined
916 * limit.
917 */
918 function session_gc()
919 {
920 global $db, $config, $phpbb_root_path, $phpEx;
921
922 $batch_size = 10;
923
924 if (!$this->time_now)
925 {
926 $this->time_now = time();
927 }
928
929 // Firstly, delete guest sessions
930 $sql = 'DELETE FROM ' . SESSIONS_TABLE . '
931 WHERE session_user_id = ' . ANONYMOUS . '
932 AND session_time < ' . (int) ($this->time_now - $config['session_length']);
933 $db->sql_query($sql);
934
935 // Get expired sessions, only most recent for each user
936 $sql = 'SELECT session_user_id, session_page, MAX(session_time) AS recent_time
937 FROM ' . SESSIONS_TABLE . '
938 WHERE session_time < ' . ($this->time_now - $config['session_length']) . '
939 GROUP BY session_user_id, session_page';
940 $result = $db->sql_query_limit($sql, $batch_size);
941
942 $del_user_id = array();
943 $del_sessions = 0;
944
945 while ($row = $db->sql_fetchrow($result))
946 {
947 $sql = 'UPDATE ' . USERS_TABLE . '
948 SET user_lastvisit = ' . (int) $row['recent_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
949 WHERE user_id = " . (int) $row['session_user_id'];
950 $db->sql_query($sql);
951
952 $del_user_id[] = (int) $row['session_user_id'];
953 $del_sessions++;
954 }
955 $db->sql_freeresult($result);
956
957 if (sizeof($del_user_id))
958 {
959 // Delete expired sessions
960 $sql = 'DELETE FROM ' . SESSIONS_TABLE . '
961 WHERE ' . $db->sql_in_set('session_user_id', $del_user_id) . '
962 AND session_time < ' . ($this->time_now - $config['session_length']);
963 $db->sql_query($sql);
964 }
965
966 if ($del_sessions < $batch_size)
967 {
968 // Less than 10 users, update gc timer ... else we want gc
969 // called again to delete other sessions
970 set_config('session_last_gc', $this->time_now, true);
971
972 if ($config['max_autologin_time'])
973 {
974 $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
975 WHERE last_login < ' . (time() - (86400 * (int) $config['max_autologin_time']));
976 $db->sql_query($sql);
977 }
978
979 // only called from CRON; should be a safe workaround until the infrastructure gets going
980 if (!class_exists('captcha_factory'))
981 {
982 include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx);
983 }
984 phpbb_captcha_factory::garbage_collect($config['captcha_plugin']);
985 }
986
987 return;
988 }
989
990 /**
991 * Sets a cookie
992 *
993 * Sets a cookie of the given name with the specified data for the given length of time. If no time is specified, a session cookie will be set.
994 *
995 * @param string $name Name of the cookie, will be automatically prefixed with the phpBB cookie name. track becomes [cookie_name]_track then.
996 * @param string $cookiedata The data to hold within the cookie
997 * @param int $cookietime The expiration time as UNIX timestamp. If 0 is provided, a session cookie is set.
998 */
999 function set_cookie($name, $cookiedata, $cookietime)
1000 {
1001 global $config;
1002
1003 $name_data = rawurlencode($config['cookie_name'] . '_' . $name) . '=' . rawurlencode($cookiedata);
1004 $expire = gmdate('D, d-M-Y H:i:s \\G\\M\\T', $cookietime);
1005 $domain = (!$config['cookie_domain'] || $config['cookie_domain'] == 'localhost' || $config['cookie_domain'] == '127.0.0.1') ? '' : '; domain=' . $config['cookie_domain'];
1006
1007 header('Set-Cookie: ' . $name_data . (($cookietime) ? '; expires=' . $expire : '') . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . '; HttpOnly', false);
1008 }
1009
1010 /**
1011 * Check for banned user
1012 *
1013 * Checks whether the supplied user is banned by id, ip or email. If no parameters
1014 * are passed to the method pre-existing session data is used. If $return is false
1015 * this routine does not return on finding a banned user, it outputs a relevant
1016 * message and stops execution.
1017 *
1018 * @param string|array $user_ips Can contain a string with one IP or an array of multiple IPs
1019 */
1020 function check_ban($user_id = false, $user_ips = false, $user_email = false, $return = false)
1021 {
1022 global $config, $db;
1023
1024 if (defined('IN_CHECK_BAN'))
1025 {
1026 return;
1027 }
1028
1029 $banned = false;
1030 $cache_ttl = 3600;
1031 $where_sql = array();
1032
1033 $sql = 'SELECT ban_ip, ban_userid, ban_email, ban_exclude, ban_give_reason, ban_end
1034 FROM ' . BANLIST_TABLE . '
1035 WHERE ';
1036
1037 // Determine which entries to check, only return those
1038 if ($user_email === false)
1039 {
1040 $where_sql[] = "ban_email = ''";
1041 }
1042
1043 if ($user_ips === false)
1044 {
1045 $where_sql[] = "(ban_ip = '' OR ban_exclude = 1)";
1046 }
1047
1048 if ($user_id === false)
1049 {
1050 $where_sql[] = '(ban_userid = 0 OR ban_exclude = 1)';
1051 }
1052 else
1053 {
1054 $cache_ttl = ($user_id == ANONYMOUS) ? 3600 : 0;
1055 $_sql = '(ban_userid = ' . $user_id;
1056
1057 if ($user_email !== false)
1058 {
1059 $_sql .= " OR ban_email <> ''";
1060 }
1061
1062 if ($user_ips !== false)
1063 {
1064 $_sql .= " OR ban_ip <> ''";
1065 }
1066
1067 $_sql .= ')';
1068
1069 $where_sql[] = $_sql;
1070 }
1071
1072 $sql .= (sizeof($where_sql)) ? implode(' AND ', $where_sql) : '';
1073 $result = $db->sql_query($sql, $cache_ttl);
1074
1075 $ban_triggered_by = 'user';
1076 while ($row = $db->sql_fetchrow($result))
1077 {
1078 if ($row['ban_end'] && $row['ban_end'] < time())
1079 {
1080 continue;
1081 }
1082
1083 $ip_banned = false;
1084 if (!empty($row['ban_ip']))
1085 {
1086 if (!is_array($user_ips))
1087 {
1088 $ip_banned = preg_match('#^' . str_replace('\*', '.*?', preg_quote($row['ban_ip'], '#')) . '$#i', $user_ips);
1089 }
1090 else
1091 {
1092 foreach ($user_ips as $user_ip)
1093 {
1094 if (preg_match('#^' . str_replace('\*', '.*?', preg_quote($row['ban_ip'], '#')) . '$#i', $user_ip))
1095 {
1096 $ip_banned = true;
1097 break;
1098 }
1099 }
1100 }
1101 }
1102
1103 if ((!empty($row['ban_userid']) && intval($row['ban_userid']) == $user_id) ||
1104 $ip_banned ||
1105 (!empty($row['ban_email']) && preg_match('#^' . str_replace('\*', '.*?', preg_quote($row['ban_email'], '#')) . '$#i', $user_email)))
1106 {
1107 if (!empty($row['ban_exclude']))
1108 {
1109 $banned = false;
1110 break;
1111 }
1112 else
1113 {
1114 $banned = true;
1115 $ban_row = $row;
1116
1117 if (!empty($row['ban_userid']) && intval($row['ban_userid']) == $user_id)
1118 {
1119 $ban_triggered_by = 'user';
1120 }
1121 else if ($ip_banned)
1122 {
1123 $ban_triggered_by = 'ip';
1124 }
1125 else
1126 {
1127 $ban_triggered_by = 'email';
1128 }
1129
1130 // Don't break. Check if there is an exclude rule for this user
1131 }
1132 }
1133 }
1134 $db->sql_freeresult($result);
1135
1136 if ($banned && !$return)
1137 {
1138 global $template;
1139
1140 // If the session is empty we need to create a valid one...
1141 if (empty($this->session_id))
1142 {
1143 // This seems to be no longer needed? - #14971
1144 // $this->session_create(ANONYMOUS);
1145 }
1146
1147 // Initiate environment ... since it won't be set at this stage
1148 $this->setup();
1149
1150 // Logout the user, banned users are unable to use the normal 'logout' link
1151 if ($this->data['user_id'] != ANONYMOUS)
1152 {
1153 $this->session_kill();
1154 }
1155
1156 // We show a login box here to allow founders accessing the board if banned by IP
1157 if (defined('IN_LOGIN') && $this->data['user_id'] == ANONYMOUS)
1158 {
1159 global $phpEx;
1160
1161 $this->setup('ucp');
1162 $this->data['is_registered'] = $this->data['is_bot'] = false;
1163
1164 // Set as a precaution to allow login_box() handling this case correctly as well as this function not being executed again.
1165 define('IN_CHECK_BAN', 1);
1166
1167 login_box("index.$phpEx");
1168
1169 // The false here is needed, else the user is able to circumvent the ban.
1170 $this->session_kill(false);
1171 }
1172
1173 // Ok, we catch the case of an empty session id for the anonymous user...
1174 // This can happen if the user is logging in, banned by username and the login_box() being called "again".
1175 if (empty($this->session_id) && defined('IN_CHECK_BAN'))
1176 {
1177 $this->session_create(ANONYMOUS);
1178 }
1179
1180
1181 // Determine which message to output
1182 $till_date = ($ban_row['ban_end']) ? $this->format_date($ban_row['ban_end']) : '';
1183 $message = ($ban_row['ban_end']) ? 'BOARD_BAN_TIME' : 'BOARD_BAN_PERM';
1184
1185 $message = sprintf($this->lang[$message], $till_date, '<a href="mailto:' . $config['board_contact'] . '">', '</a>');
1186 $message .= ($ban_row['ban_give_reason']) ? '<br /><br />' . sprintf($this->lang['BOARD_BAN_REASON'], $ban_row['ban_give_reason']) : '';
1187 $message .= '<br /><br /><em>' . $this->lang['BAN_TRIGGERED_BY_' . strtoupper($ban_triggered_by)] . '</em>';
1188
1189 // To circumvent session_begin returning a valid value and the check_ban() not called on second page view, we kill the session again
1190 $this->session_kill(false);
1191
1192 // A very special case... we are within the cron script which is not supposed to print out the ban message... show blank page
1193 if (defined('IN_CRON'))
1194 {
1195 garbage_collection();
1196 exit_handler();
1197 exit;
1198 }
1199
1200 trigger_error($message);
1201 }
1202
1203 return ($banned && $ban_row['ban_give_reason']) ? $ban_row['ban_give_reason'] : $banned;
1204 }
1205
1206 /**
1207 * Check if ip is blacklisted
1208 * This should be called only where absolutly necessary
1209 *
1210 * Only IPv4 (rbldns does not support AAAA records/IPv6 lookups)
1211 *
1212 * @author satmd (from the php manual)
1213 * @param string $mode register/post - spamcop for example is ommitted for posting
1214 * @return false if ip is not blacklisted, else an array([checked server], [lookup])
1215 */
1216 function check_dnsbl($mode, $ip = false)
1217 {
1218 if ($ip === false)
1219 {
1220 $ip = $this->ip;
1221 }
1222
1223 $dnsbl_check = array(
1224 'sbl.spamhaus.org' => 'http://www.spamhaus.org/query/bl?ip=',
1225 );
1226
1227 if ($mode == 'register')
1228 {
1229 $dnsbl_check['bl.spamcop.net'] = 'http://spamcop.net/bl.shtml?';
1230 }
1231
1232 if ($ip)
1233 {
1234 $quads = explode('.', $ip);
1235 $reverse_ip = $quads[3] . '.' . $quads[2] . '.' . $quads[1] . '.' . $quads[0];
1236
1237 // Need to be listed on all servers...
1238 $listed = true;
1239 $info = array();
1240
1241 foreach ($dnsbl_check as $dnsbl => $lookup)
1242 {
1243 if (phpbb_checkdnsrr($reverse_ip . '.' . $dnsbl . '.', 'A') === true)
1244 {
1245 $info = array($dnsbl, $lookup . $ip);
1246 }
1247 else
1248 {
1249 $listed = false;
1250 }
1251 }
1252
1253 if ($listed)
1254 {
1255 return $info;
1256 }
1257 }
1258
1259 return false;
1260 }
1261
1262 /**
1263 * Check if URI is blacklisted
1264 * This should be called only where absolutly necessary, for example on the submitted website field
1265 * This function is not in use at the moment and is only included for testing purposes, it may not work at all!
1266 * This means it is untested at the moment and therefore commented out
1267 *
1268 * @param string $uri URI to check
1269 * @return true if uri is on blacklist, else false. Only blacklist is checked (~zero FP), no grey lists
1270 function check_uribl($uri)
1271 {
1272 // Normally parse_url() is not intended to parse uris
1273 // We need to get the top-level domain name anyway... change.
1274 $uri = parse_url($uri);
1275
1276 if ($uri === false || empty($uri['host']))
1277 {
1278 return false;
1279 }
1280
1281 $uri = trim($uri['host']);
1282
1283 if ($uri)
1284 {
1285 // One problem here... the return parameter for the "windows" method is different from what
1286 // we expect... this may render this check useless...
1287 if (phpbb_checkdnsrr($uri . '.multi.uribl.com.', 'A') === true)
1288 {
1289 return true;
1290 }
1291 }
1292
1293 return false;
1294 }
1295 */
1296
1297 /**
1298 * Set/Update a persistent login key
1299 *
1300 * This method creates or updates a persistent session key. When a user makes
1301 * use of persistent (formerly auto-) logins a key is generated and stored in the
1302 * DB. When they revisit with the same key it's automatically updated in both the
1303 * DB and cookie. Multiple keys may exist for each user representing different
1304 * browsers or locations. As with _any_ non-secure-socket no passphrase login this
1305 * remains vulnerable to exploit.
1306 */
1307 function set_login_key($user_id = false, $key = false, $user_ip = false)
1308 {
1309 global $config, $db;
1310
1311 $user_id = ($user_id === false) ? $this->data['user_id'] : $user_id;
1312 $user_ip = ($user_ip === false) ? $this->ip : $user_ip;
1313 $key = ($key === false) ? (($this->cookie_data['k']) ? $this->cookie_data['k'] : false) : $key;
1314
1315 $key_id = unique_id(hexdec(substr($this->session_id, 0, 8)));
1316
1317 $sql_ary = array(
1318 'key_id' => (string) md5($key_id),
1319 'last_ip' => (string) $this->ip,
1320 'last_login' => (int) time()
1321 );
1322
1323 if (!$key)
1324 {
1325 $sql_ary += array(
1326 'user_id' => (int) $user_id
1327 );
1328 }
1329
1330 if ($key)
1331 {
1332 $sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . '
1333 SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
1334 WHERE user_id = ' . (int) $user_id . "
1335 AND key_id = '" . $db->sql_escape(md5($key)) . "'";
1336 }
1337 else
1338 {
1339 $sql = 'INSERT INTO ' . SESSIONS_KEYS_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary);
1340 }
1341 $db->sql_query($sql);
1342
1343 $this->cookie_data['k'] = $key_id;
1344
1345 return false;
1346 }
1347
1348 /**
1349 * Reset all login keys for the specified user
1350 *
1351 * This method removes all current login keys for a specified (or the current)
1352 * user. It will be called on password change to render old keys unusable
1353 */
1354 function reset_login_keys($user_id = false)
1355 {
1356 global $config, $db;
1357
1358 $user_id = ($user_id === false) ? $this->data['user_id'] : $user_id;
1359
1360 $sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
1361 WHERE user_id = ' . (int) $user_id;
1362 $db->sql_query($sql);
1363
1364 // Update last visit info first before deleting sessions
1365 $sql = 'SELECT session_time, session_page
1366 FROM ' . SESSIONS_TABLE . '
1367 WHERE session_user_id = ' . (int) $user_id . '
1368 ORDER BY session_time DESC';
1369 $result = $db->sql_query_limit($sql, 1);
1370 $row = $db->sql_fetchrow($result);
1371 $db->sql_freeresult($result);
1372
1373 $sql = 'UPDATE ' . USERS_TABLE . '
1374 SET user_lastvisit = ' . (int) $row['session_time'] . ", user_lastpage = '" . $db->sql_escape($row['session_page']) . "'
1375 WHERE user_id = " . (int) $user_id;
1376 $db->sql_query($sql);
1377
1378 // Let's also clear any current sessions for the specified user_id
1379 // If it's the current user then we'll leave this session intact
1380 $sql_where = 'session_user_id = ' . (int) $user_id;
1381 $sql_where .= ($user_id === $this->data['user_id']) ? " AND session_id <> '" . $db->sql_escape($this->session_id) . "'" : '';
1382
1383 $sql = 'DELETE FROM ' . SESSIONS_TABLE . "
1384 WHERE $sql_where";
1385 $db->sql_query($sql);
1386
1387 // We're changing the password of the current user and they have a key
1388 // Lets regenerate it to be safe
1389 if ($user_id === $this->data['user_id'] && $this->cookie_data['k'])
1390 {
1391 $this->set_login_key($user_id);
1392 }
1393 }
1394
1395
1396 /**
1397 * Check if the request originated from the same page.
1398 * @param bool $check_script_path If true, the path will be checked as well
1399 */
1400 function validate_referer($check_script_path = false)
1401 {
1402 global $config;
1403
1404 // no referer - nothing to validate, user's fault for turning it off (we only check on POST; so meta can't be the reason)
1405 if (empty($this->referer) || empty($this->host))
1406 {
1407 return true;
1408 }
1409
1410 $host = htmlspecialchars($this->host);
1411 $ref = substr($this->referer, strpos($this->referer, '://') + 3);
1412
1413 if (!(stripos($ref, $host) === 0) && (!$config['force_server_vars'] || !(stripos($ref, $config['server_name']) === 0)))
1414 {
1415 return false;
1416 }
1417 else if ($check_script_path && rtrim($this->page['root_script_path'], '/') !== '')
1418 {
1419 $ref = substr($ref, strlen($host));
1420 $server_port = (!empty($_SERVER['SERVER_PORT'])) ? (int) $_SERVER['SERVER_PORT'] : (int) getenv('SERVER_PORT');
1421
1422 if ($server_port !== 80 && $server_port !== 443 && stripos($ref, ":$server_port") === 0)
1423 {
1424 $ref = substr($ref, strlen(":$server_port"));
1425 }
1426
1427 if (!(stripos(rtrim($ref, '/'), rtrim($this->page['root_script_path'], '/')) === 0))
1428 {
1429 return false;
1430 }
1431 }
1432
1433 return true;
1434 }
1435
1436
1437 function unset_admin()
1438 {
1439 global $db;
1440 $sql = 'UPDATE ' . SESSIONS_TABLE . '
1441 SET session_admin = 0
1442 WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\'';
1443 $db->sql_query($sql);
1444 }
1445 }
1446
1447
1448 /**
1449 * Base user class
1450 *
1451 * This is the overarching class which contains (through session extend)
1452 * all methods utilised for user functionality during a session.
1453 *
1454 * @package phpBB3
1455 */
1456 class user extends session
1457 {
1458 var $lang = array();
1459 var $help = array();
1460 var $theme = array();
1461 var $date_format;
1462 var $timezone;
1463 var $dst;
1464
1465 var $lang_name = false;
1466 var $lang_id = false;
1467 var $lang_path;
1468 var $img_lang;
1469 var $img_array = array();
1470
1471 // Able to add new options (up to id 31)
1472 var $keyoptions = array('viewimg' => 0, 'viewflash' => 1, 'viewsmilies' => 2, 'viewsigs' => 3, 'viewavatars' => 4, 'viewcensors' => 5, 'attachsig' => 6, 'bbcode' => 8, 'smilies' => 9, 'popuppm' => 10, 'sig_bbcode' => 15, 'sig_smilies' => 16, 'sig_links' => 17);
1473 var $keyvalues = array();
1474
1475 /**
1476 * Constructor to set the lang path
1477 */
1478 function user()
1479 {
1480 global $phpbb_root_path;
1481
1482 $this->lang_path = $phpbb_root_path . 'language/';
1483 }
1484
1485 /**
1486 * Function to set custom language path (able to use directory outside of phpBB)
1487 *
1488 * @param string $lang_path New language path used.
1489 * @access public
1490 */
1491 function set_custom_lang_path($lang_path)
1492 {
1493 $this->lang_path = $lang_path;
1494
1495 if (substr($this->lang_path, -1) != '/')
1496 {
1497 $this->lang_path .= '/';
1498 }
1499 }
1500
1501 /**
1502 * Setup basic user-specific items (style, language, ...)
1503 */
1504 function setup($lang_set = false, $style = false)
1505 {
1506 global $db, $template, $config, $auth, $phpEx, $phpbb_root_path, $cache;
1507
1508 if ($this->data['user_id'] != ANONYMOUS)
1509 {
1510 $this->lang_name = (file_exists($this->lang_path . $this->data['user_lang'] . "/common.$phpEx")) ? $this->data['user_lang'] : basename($config['default_lang']);
1511
1512 $this->date_format = $this->data['user_dateformat'];
1513 $this->timezone = $this->data['user_timezone'] * 3600;
1514 $this->dst = $this->data['user_dst'] * 3600;
1515 }
1516 else
1517 {
1518 $this->lang_name = basename($config['default_lang']);
1519 $this->date_format = $config['default_dateformat'];
1520 $this->timezone = $config['board_timezone'] * 3600;
1521 $this->dst = $config['board_dst'] * 3600;
1522
1523 /**
1524 * If a guest user is surfing, we try to guess his/her language first by obtaining the browser language
1525 * If re-enabled we need to make sure only those languages installed are checked
1526 * Commented out so we do not loose the code.
1527
1528 if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']))
1529 {
1530 $accept_lang_ary = explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']);
1531
1532 foreach ($accept_lang_ary as $accept_lang)
1533 {
1534 // Set correct format ... guess full xx_YY form
1535 $accept_lang = substr($accept_lang, 0, 2) . '_' . strtoupper(substr($accept_lang, 3, 2));
1536 $accept_lang = basename($accept_lang);
1537
1538 if (file_exists($this->lang_path . $accept_lang . "/common.$phpEx"))
1539 {
1540 $this->lang_name = $config['default_lang'] = $accept_lang;
1541 break;
1542 }
1543 else
1544 {
1545 // No match on xx_YY so try xx
1546 $accept_lang = substr($accept_lang, 0, 2);
1547 $accept_lang = basename($accept_lang);
1548
1549 if (file_exists($this->lang_path . $accept_lang . "/common.$phpEx"))
1550 {
1551 $this->lang_name = $config['default_lang'] = $accept_lang;
1552 break;
1553 }
1554 }
1555 }
1556 }
1557 */
1558 }
1559
1560 // We include common language file here to not load it every time a custom language file is included
1561 $lang = &$this->lang;
1562
1563 // Do not suppress error if in DEBUG_EXTRA mode
1564 $include_result = (defined('DEBUG_EXTRA')) ? (include $this->lang_path . $this->lang_name . "/common.$phpEx") : (@include $this->lang_path . $this->lang_name . "/common.$phpEx");
1565
1566 if ($include_result === false)
1567 {
1568 die('Language file ' . $this->lang_path . $this->lang_name . "/common.$phpEx" . " couldn't be opened.");
1569 }
1570
1571 $this->add_lang($lang_set);
1572 unset($lang_set);
1573
1574 if (!empty($_GET['style']) && $auth->acl_get('a_styles') && !defined('ADMIN_START'))
1575 {
1576 global $SID, $_EXTRA_URL;
1577
1578 $style = request_var('style', 0);
1579 $SID .= '&amp;style=' . $style;
1580 $_EXTRA_URL = array('style=' . $style);
1581 }
1582 else
1583 {
1584 // Set up style
1585 $style = ($style) ? $style : ((!$config['override_user_style']) ? $this->data['user_style'] : $config['default_style']);
1586 }
1587
1588 $sql = 'SELECT s.style_id, t.template_storedb, t.template_path, t.template_id, t.bbcode_bitfield, t.template_inherits_id, t.template_inherit_path, c.theme_path, c.theme_name, c.theme_storedb, c.theme_id, i.imageset_path, i.imageset_id, i.imageset_name
1589 FROM ' . STYLES_TABLE . ' s, ' . STYLES_TEMPLATE_TABLE . ' t, ' . STYLES_THEME_TABLE . ' c, ' . STYLES_IMAGESET_TABLE . " i
1590 WHERE s.style_id = $style
1591 AND t.template_id = s.template_id
1592 AND c.theme_id = s.theme_id
1593 AND i.imageset_id = s.imageset_id";
1594 $result = $db->sql_query($sql, 3600);
1595 $this->theme = $db->sql_fetchrow($result);
1596 $db->sql_freeresult($result);
1597
1598 // User has wrong style
1599 if (!$this->theme && $style == $this->data['user_style'])
1600 {
1601 $style = $this->data['user_style'] = $config['default_style'];
1602
1603 $sql = 'UPDATE ' . USERS_TABLE . "
1604 SET user_style = $style
1605 WHERE user_id = {$this->data['user_id']}";
1606 $db->sql_query($sql);
1607
1608 $sql = 'SELECT s.style_id, t.template_storedb, t.template_path, t.template_id, t.bbcode_bitfield, c.theme_path, c.theme_name, c.theme_storedb, c.theme_id, i.imageset_path, i.imageset_id, i.imageset_name
1609 FROM ' . STYLES_TABLE . ' s, ' . STYLES_TEMPLATE_TABLE . ' t, ' . STYLES_THEME_TABLE . ' c, ' . STYLES_IMAGESET_TABLE . " i
1610 WHERE s.style_id = $style
1611 AND t.template_id = s.template_id
1612 AND c.theme_id = s.theme_id
1613 AND i.imageset_id = s.imageset_id";
1614 $result = $db->sql_query($sql, 3600);
1615 $this->theme = $db->sql_fetchrow($result);
1616 $db->sql_freeresult($result);
1617 }
1618
1619 if (!$this->theme)
1620 {
1621 trigger_error('Could not get style data', E_USER_ERROR);
1622 }
1623
1624 // Now parse the cfg file and cache it
1625 $parsed_items = $cache->obtain_cfg_items($this->theme);
1626
1627 // We are only interested in the theme configuration for now
1628 $parsed_items = $parsed_items['theme'];
1629
1630 $check_for = array(
1631 'parse_css_file' => (int) 0,
1632 'pagination_sep' => (string) ', '
1633 );
1634
1635 foreach ($check_for as $key => $default_value)
1636 {
1637 $this->theme[$key] = (isset($parsed_items[$key])) ? $parsed_items[$key] : $default_value;
1638 settype($this->theme[$key], gettype($default_value));
1639
1640 if (is_string($default_value))
1641 {
1642 $this->theme[$key] = htmlspecialchars($this->theme[$key]);
1643 }
1644 }
1645
1646 // If the style author specified the theme needs to be cached
1647 // (because of the used paths and variables) than make sure it is the case.
1648 // For example, if the theme uses language-specific images it needs to be stored in db.
1649 if (!$this->theme['theme_storedb'] && $this->theme['parse_css_file'])
1650 {
1651 $this->theme['theme_storedb'] = 1;
1652
1653 $stylesheet = file_get_contents("{$phpbb_root_path}styles/{$this->theme['theme_path']}/theme/stylesheet.css");
1654 // Match CSS imports
1655 $matches = array();
1656 preg_match_all('/@import url\(["\'](.*)["\']\);/i', $stylesheet, $matches);
1657
1658 if (sizeof($matches))
1659 {
1660 $content = '';
1661 foreach ($matches[0] as $idx => $match)
1662 {
1663 if ($content = @file_get_contents("{$phpbb_root_path}styles/{$this->theme['theme_path']}/theme/" . $matches[1][$idx]))
1664 {
1665 $content = trim($content);
1666 }
1667 else
1668 {
1669 $content = '';
1670 }
1671 $stylesheet = str_replace($match, $content, $stylesheet);
1672 }
1673 unset($content);
1674 }
1675
1676 $stylesheet = str_replace('./', 'styles/' . $this->theme['theme_path'] . '/theme/', $stylesheet);
1677
1678 $sql_ary = array(
1679 'theme_data' => $stylesheet,
1680 'theme_mtime' => time(),
1681 'theme_storedb' => 1
1682 );
1683
1684 $sql = 'UPDATE ' . STYLES_THEME_TABLE . '
1685 SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
1686 WHERE theme_id = ' . $this->theme['theme_id'];
1687 $db->sql_query($sql);
1688
1689 unset($sql_ary);
1690 }
1691
1692 $template->set_template();
1693
1694 $this->img_lang = (file_exists($phpbb_root_path . 'styles/' . $this->theme['imageset_path'] . '/imageset/' . $this->lang_name)) ? $this->lang_name : $config['default_lang'];
1695
1696 // Same query in style.php
1697 $sql = 'SELECT *
1698 FROM ' . STYLES_IMAGESET_DATA_TABLE . '
1699 WHERE imageset_id = ' . $this->theme['imageset_id'] . "
1700 AND image_filename <> ''
1701 AND image_lang IN ('" . $db->sql_escape($this->img_lang) . "', '')";
1702 $result = $db->sql_query($sql, 3600);
1703
1704 $localised_images = false;
1705 while ($row = $db->sql_fetchrow($result))
1706 {
1707 if ($row['image_lang'])
1708 {
1709 $localised_images = true;
1710 }
1711
1712 $row['image_filename'] = rawurlencode($row['image_filename']);
1713 $this->img_array[$row['image_name']] = $row;
1714 }
1715 $db->sql_freeresult($result);
1716
1717 // there were no localised images, try to refresh the localised imageset for the user's language
1718 if (!$localised_images)
1719 {
1720 // Attention: this code ignores the image definition list from acp_styles and just takes everything
1721 // that the config file contains
1722 $sql_ary = array();
1723
1724 $db->sql_transaction('begin');
1725
1726 $sql = 'DELETE FROM ' . STYLES_IMAGESET_DATA_TABLE . '
1727 WHERE imageset_id = ' . $this->theme['imageset_id'] . '
1728 AND image_lang = \'' . $db->sql_escape($this->img_lang) . '\'';
1729 $result = $db->sql_query($sql);
1730
1731 if (@file_exists("{$phpbb_root_path}styles/{$this->theme['imageset_path']}/imageset/{$this->img_lang}/imageset.cfg"))
1732 {
1733 $cfg_data_imageset_data = parse_cfg_file("{$phpbb_root_path}styles/{$this->theme['imageset_path']}/imageset/{$this->img_lang}/imageset.cfg");
1734 foreach ($cfg_data_imageset_data as $image_name => $value)
1735 {
1736 if (strpos($value, '*') !== false)
1737 {
1738 if (substr($value, -1, 1) === '*')
1739 {
1740 list($image_filename, $image_height) = explode('*', $value);
1741 $image_width = 0;
1742 }
1743 else
1744 {
1745 list($image_filename, $image_height, $image_width) = explode('*', $value);
1746 }
1747 }
1748 else
1749 {
1750 $image_filename = $value;
1751 $image_height = $image_width = 0;
1752 }
1753
1754 if (strpos($image_name, 'img_') === 0 && $image_filename)
1755 {
1756 $image_name = substr($image_name, 4);
1757 $sql_ary[] = array(
1758 'image_name' => (string) $image_name,
1759 'image_filename' => (string) $image_filename,
1760 'image_height' => (int) $image_height,
1761 'image_width' => (int) $image_width,
1762 'imageset_id' => (int) $this->theme['imageset_id'],
1763 'image_lang' => (string) $this->img_lang,
1764 );
1765 }
1766 }
1767 }
1768
1769 if (sizeof($sql_ary))
1770 {
1771 $db->sql_multi_insert(STYLES_IMAGESET_DATA_TABLE, $sql_ary);
1772 $db->sql_transaction('commit');
1773 $cache->destroy('sql', STYLES_IMAGESET_DATA_TABLE);
1774
1775 add_log('admin', 'LOG_IMAGESET_LANG_REFRESHED', $this->theme['imageset_name'], $this->img_lang);
1776 }
1777 else
1778 {
1779 $db->sql_transaction('commit');
1780 add_log('admin', 'LOG_IMAGESET_LANG_MISSING', $this->theme['imageset_name'], $this->img_lang);
1781 }
1782 }
1783
1784 // Call phpbb_user_session_handler() in case external application want to "bend" some variables or replace classes...
1785 // After calling it we continue script execution...
1786 phpbb_user_session_handler();
1787
1788 // If this function got called from the error handler we are finished here.
1789 if (defined('IN_ERROR_HANDLER'))
1790 {
1791 return;
1792 }
1793
1794 // Disable board if the install/ directory is still present
1795 // For the brave development army we do not care about this, else we need to comment out this everytime we develop locally
1796 if (!defined('DEBUG_EXTRA') && !defined('ADMIN_START') && !defined('IN_INSTALL') && !defined('IN_LOGIN') && file_exists($phpbb_root_path . 'install') && !is_file($phpbb_root_path . 'install'))
1797 {
1798 // Adjust the message slightly according to the permissions
1799 if ($auth->acl_gets('a_', 'm_') || $auth->acl_getf_global('m_'))
1800 {
1801 $message = 'REMOVE_INSTALL';
1802 }
1803 else
1804 {
1805 $message = (!empty($config['board_disable_msg'])) ? $config['board_disable_msg'] : 'BOARD_DISABLE';
1806 }
1807 trigger_error($message);
1808 }
1809
1810 // Is board disabled and user not an admin or moderator?
1811 if ($config['board_disable'] && !defined('IN_LOGIN') && !$auth->acl_gets('a_', 'm_') && !$auth->acl_getf_global('m_'))
1812 {
1813 if ($this->data['is_bot'])
1814 {
1815 header('HTTP/1.1 503 Service Unavailable');
1816 }
1817
1818 $message = (!empty($config['board_disable_msg'])) ? $config['board_disable_msg'] : 'BOARD_DISABLE';
1819 trigger_error($message);
1820 }
1821
1822 // Is load exceeded?
1823 if ($config['limit_load'] && $this->load !== false)
1824 {
1825 if ($this->load > floatval($config['limit_load']) && !defined('IN_LOGIN'))
1826 {
1827 // Set board disabled to true to let the admins/mods get the proper notification
1828 $config['board_disable'] = '1';
1829
1830 if (!$auth->acl_gets('a_', 'm_') && !$auth->acl_getf_global('m_'))
1831 {
1832 if ($this->data['is_bot'])
1833 {
1834 header('HTTP/1.1 503 Service Unavailable');
1835 }
1836 trigger_error('BOARD_UNAVAILABLE');
1837 }
1838 }
1839 }
1840
1841 if (isset($this->data['session_viewonline']))
1842 {
1843 // Make sure the user is able to hide his session
1844 if (!$this->data['session_viewonline'])
1845 {
1846 // Reset online status if not allowed to hide the session...
1847 if (!$auth->acl_get('u_hideonline'))
1848 {
1849 $sql = 'UPDATE ' . SESSIONS_TABLE . '
1850 SET session_viewonline = 1
1851 WHERE session_user_id = ' . $this->data['user_id'];
1852 $db->sql_query($sql);
1853 $this->data['session_viewonline'] = 1;
1854 }
1855 }
1856 else if (!$this->data['user_allow_viewonline'])
1857 {
1858 // the user wants to hide and is allowed to -> cloaking device on.
1859 if ($auth->acl_get('u_hideonline'))
1860 {
1861 $sql = 'UPDATE ' . SESSIONS_TABLE . '
1862 SET session_viewonline = 0
1863 WHERE session_user_id = ' . $this->data['user_id'];
1864 $db->sql_query($sql);
1865 $this->data['session_viewonline'] = 0;
1866 }
1867 }
1868 }
1869
1870
1871 // Does the user need to change their password? If so, redirect to the
1872 // ucp profile reg_details page ... of course do not redirect if we're already in the ucp
1873 if (!defined('IN_ADMIN') && !defined('ADMIN_START') && $config['chg_passforce'] && !empty($this->data['is_registered']) && $auth->acl_get('u_chgpasswd') && $this->data['user_passchg'] < time() - ($config['chg_passforce'] * 86400))
1874 {
1875 if (strpos($this->page['query_string'], 'mode=reg_details') === false && $this->page['page_name'] != "ucp.$phpEx")
1876 {
1877 redirect(append_sid("{$phpbb_root_path}ucp.$phpEx", 'i=profile&amp;mode=reg_details'));
1878 }
1879 }
1880
1881 return;
1882 }
1883
1884 /**
1885 * More advanced language substitution
1886 * Function to mimic sprintf() with the possibility of using phpBB's language system to substitute nullar/singular/plural forms.
1887 * Params are the language key and the parameters to be substituted.
1888 * This function/functionality is inspired by SHS` and Ashe.
1889 *
1890 * Example call: <samp>$user->lang('NUM_POSTS_IN_QUEUE', 1);</samp>
1891 */
1892 function lang()
1893 {
1894 $args = func_get_args();
1895 $key = $args[0];
1896
1897 if (is_array($key))
1898 {
1899 $lang = &$this->lang[array_shift($key)];
1900
1901 foreach ($key as $_key)
1902 {
1903 $lang = &$lang[$_key];
1904 }
1905 }
1906 else
1907 {
1908 $lang = &$this->lang[$key];
1909 }
1910
1911 // Return if language string does not exist
1912 if (!isset($lang) || (!is_string($lang) && !is_array($lang)))
1913 {
1914 return $key;
1915 }
1916
1917 // If the language entry is a string, we simply mimic sprintf() behaviour
1918 if (is_string($lang))
1919 {
1920 if (sizeof($args) == 1)
1921 {
1922 return $lang;
1923 }
1924
1925 // Replace key with language entry and simply pass along...
1926 $args[0] = $lang;
1927 return call_user_func_array('sprintf', $args);
1928 }
1929
1930 // It is an array... now handle different nullar/singular/plural forms
1931 $key_found = false;
1932
1933 // We now get the first number passed and will select the key based upon this number
1934 for ($i = 1, $num_args = sizeof($args); $i < $num_args; $i++)
1935 {
1936 if (is_int($args[$i]))
1937 {
1938 $numbers = array_keys($lang);
1939
1940 foreach ($numbers as $num)
1941 {
1942 if ($num > $args[$i])
1943 {
1944 break;
1945 }
1946
1947 $key_found = $num;
1948 }
1949 }
1950 }
1951
1952 // Ok, let's check if the key was found, else use the last entry (because it is mostly the plural form)
1953 if ($key_found === false)
1954 {
1955 $numbers = array_keys($lang);
1956 $key_found = end($numbers);
1957 }
1958
1959 // Use the language string we determined and pass it to sprintf()
1960 $args[0] = $lang[$key_found];
1961 return call_user_func_array('sprintf', $args);
1962 }
1963
1964 /**
1965 * Add Language Items - use_db and use_help are assigned where needed (only use them to force inclusion)
1966 *
1967 * @param mixed $lang_set specifies the language entries to include
1968 * @param bool $use_db internal variable for recursion, do not use
1969 * @param bool $use_help internal variable for recursion, do not use
1970 *
1971 * Examples:
1972 * <code>
1973 * $lang_set = array('posting', 'help' => 'faq');
1974 * $lang_set = array('posting', 'viewtopic', 'help' => array('bbcode', 'faq'))
1975 * $lang_set = array(array('posting', 'viewtopic'), 'help' => array('bbcode', 'faq'))
1976 * $lang_set = 'posting'
1977 * $lang_set = array('help' => 'faq', 'db' => array('help:faq', 'posting'))
1978 * </code>
1979 */
1980 function add_lang($lang_set, $use_db = false, $use_help = false)
1981 {
1982 global $phpEx;
1983
1984 if (is_array($lang_set))
1985 {
1986 foreach ($lang_set as $key => $lang_file)
1987 {
1988 // Please do not delete this line.
1989 // We have to force the type here, else [array] language inclusion will not work
1990 $key = (string) $key;
1991
1992 if ($key == 'db')
1993 {
1994 $this->add_lang($lang_file, true, $use_help);
1995 }
1996 else if ($key == 'help')
1997 {
1998 $this->add_lang($lang_file, $use_db, true);
1999 }
2000 else if (!is_array($lang_file))
2001 {
2002 $this->set_lang($this->lang, $this->help, $lang_file, $use_db, $use_help);
2003 }
2004 else
2005 {
2006 $this->add_lang($lang_file, $use_db, $use_help);
2007 }
2008 }
2009 unset($lang_set);
2010 }
2011 else if ($lang_set)
2012 {
2013 $this->set_lang($this->lang, $this->help, $lang_set, $use_db, $use_help);
2014 }
2015 }
2016
2017 /**
2018 * Set language entry (called by add_lang)
2019 * @access private
2020 */
2021 function set_lang(&$lang, &$help, $lang_file, $use_db = false, $use_help = false)
2022 {
2023 global $phpEx;
2024
2025 // Make sure the language name is set (if the user setup did not happen it is not set)
2026 if (!$this->lang_name)
2027 {
2028 global $config;
2029 $this->lang_name = basename($config['default_lang']);
2030 }
2031
2032 // $lang == $this->lang
2033 // $help == $this->help
2034 // - add appropriate variables here, name them as they are used within the language file...
2035 if (!$use_db)
2036 {
2037 if ($use_help && strpos($lang_file, '/') !== false)
2038 {
2039 $language_filename = $this->lang_path . $this->lang_name . '/' . substr($lang_file, 0, stripos($lang_file, '/') + 1) . 'help_' . substr($lang_file, stripos($lang_file, '/') + 1) . '.' . $phpEx;
2040 }
2041 else
2042 {
2043 $language_filename = $this->lang_path . $this->lang_name . '/' . (($use_help) ? 'help_' : '') . $lang_file . '.' . $phpEx;
2044 }
2045
2046 if (!file_exists($language_filename))
2047 {
2048 global $config;
2049
2050 if ($this->lang_name == 'en')
2051 {
2052 // The user's selected language is missing the file, the board default's language is missing the file, and the file doesn't exist in /en.
2053 $language_filename = str_replace($this->lang_path . 'en', $this->lang_path . $this->data['user_lang'], $language_filename);
2054 trigger_error('Language file ' . $language_filename . ' couldn\'t be opened.', E_USER_ERROR);
2055 }
2056 else if ($this->lang_name == basename($config['default_lang']))
2057 {
2058 // Fall back to the English Language
2059 $this->lang_name = 'en';
2060 $this->set_lang($lang, $help, $lang_file, $use_db, $use_help);
2061 }
2062 else if ($this->lang_name == $this->data['user_lang'])
2063 {
2064 // Fall back to the board default language
2065 $this->lang_name = basename($config['default_lang']);
2066 $this->set_lang($lang, $help, $lang_file, $use_db, $use_help);
2067 }
2068
2069 // Reset the lang name
2070 $this->lang_name = (file_exists($this->lang_path . $this->data['user_lang'] . "/common.$phpEx")) ? $this->data['user_lang'] : basename($config['default_lang']);
2071 return;
2072 }
2073
2074 // Do not suppress error if in DEBUG_EXTRA mode
2075 $include_result = (defined('DEBUG_EXTRA')) ? (include $language_filename) : (@include $language_filename);
2076
2077 if ($include_result === false)
2078 {
2079 trigger_error('Language file ' . $language_filename . ' couldn\'t be opened.', E_USER_ERROR);
2080 }
2081 }
2082 else if ($use_db)
2083 {
2084 // Get Database Language Strings
2085 // Put them into $lang if nothing is prefixed, put them into $help if help: is prefixed
2086 // For example: help:faq, posting
2087 }
2088 }
2089
2090 /**
2091 * Format user date
2092 *
2093 * @param int $gmepoch unix timestamp
2094 * @param string $format date format in date() notation. | used to indicate relative dates, for example |d m Y|, h:i is translated to Today, h:i.
2095 * @param bool $forcedate force non-relative date format.
2096 *
2097 * @return mixed translated date
2098 */
2099 function format_date($gmepoch, $format = false, $forcedate = false)
2100 {
2101 static $midnight;
2102 static $date_cache;
2103
2104 $format = (!$format) ? $this->date_format : $format;
2105 $now = time();
2106 $delta = $now - $gmepoch;
2107
2108 if (!isset($date_cache[$format]))
2109 {
2110 // Is the user requesting a friendly date format (i.e. 'Today 12:42')?
2111 $date_cache[$format] = array(
2112 'is_short' => strpos($format, '|'),
2113 'format_short' => substr($format, 0, strpos($format, '|')) . '||' . substr(strrchr($format, '|'), 1),
2114 'format_long' => str_replace('|', '', $format),
2115 'lang' => $this->lang['datetime'],
2116 );
2117
2118 // Short representation of month in format? Some languages use different terms for the long and short format of May
2119 if ((strpos($format, '\M') === false && strpos($format, 'M') !== false) || (strpos($format, '\r') === false && strpos($format, 'r') !== false))
2120 {
2121 $date_cache[$format]['lang']['May'] = $this->lang['datetime']['May_short'];
2122 }
2123 }
2124
2125 // Zone offset
2126 $zone_offset = $this->timezone + $this->dst;
2127
2128 // Show date <= 1 hour ago as 'xx min ago'
2129 // A small tolerence is given for times in the future but in the same minute are displayed as '< than a minute ago'
2130 if ($delta <= 3600 && ($delta >= -5 || (($now / 60) % 60) == (($gmepoch / 60) % 60)) && $date_cache[$format]['is_short'] !== false && !$forcedate && isset($this->lang['datetime']['AGO']))
2131 {
2132 return $this->lang(array('datetime', 'AGO'), max(0, (int) floor($delta / 60)));
2133 }
2134
2135 if (!$midnight)
2136 {
2137 list($d, $m, $y) = explode(' ', gmdate('j n Y', time() + $zone_offset));
2138 $midnight = gmmktime(0, 0, 0, $m, $d, $y) - $zone_offset;
2139 }
2140
2141 if ($date_cache[$format]['is_short'] !== false && !$forcedate && !($gmepoch < $midnight - 86400 || $gmepoch > $midnight + 172800))
2142 {
2143 $day = false;
2144
2145 if ($gmepoch > $midnight + 86400)
2146 {
2147 $day = 'TOMORROW';
2148 }
2149 else if ($gmepoch > $midnight)
2150 {
2151 $day = 'TODAY';
2152 }
2153 else if ($gmepoch > $midnight - 86400)
2154 {
2155 $day = 'YESTERDAY';
2156 }
2157
2158 if ($day !== false)
2159 {
2160 return str_replace('||', $this->lang['datetime'][$day], strtr(@gmdate($date_cache[$format]['format_short'], $gmepoch + $zone_offset), $date_cache[$format]['lang']));
2161 }
2162 }
2163
2164 return strtr(@gmdate($date_cache[$format]['format_long'], $gmepoch + $zone_offset), $date_cache[$format]['lang']);
2165 }
2166
2167 /**
2168 * Get language id currently used by the user
2169 */
2170 function get_iso_lang_id()
2171 {
2172 global $config, $db;
2173
2174 if (!empty($this->lang_id))
2175 {
2176 return $this->lang_id;
2177 }
2178
2179 if (!$this->lang_name)
2180 {
2181 $this->lang_name = $config['default_lang'];
2182 }
2183
2184 $sql = 'SELECT lang_id
2185 FROM ' . LANG_TABLE . "
2186 WHERE lang_iso = '" . $db->sql_escape($this->lang_name) . "'";
2187 $result = $db->sql_query($sql);
2188 $this->lang_id = (int) $db->sql_fetchfield('lang_id');
2189 $db->sql_freeresult($result);
2190
2191 return $this->lang_id;
2192 }
2193
2194 /**
2195 * Get users profile fields
2196 */
2197 function get_profile_fields($user_id)
2198 {
2199 global $db;
2200
2201 if (isset($this->profile_fields))
2202 {
2203 return;
2204 }
2205
2206 $sql = 'SELECT *
2207 FROM ' . PROFILE_FIELDS_DATA_TABLE . "
2208 WHERE user_id = $user_id";
2209 $result = $db->sql_query_limit($sql, 1);
2210 $this->profile_fields = (!($row = $db->sql_fetchrow($result))) ? array() : $row;
2211 $db->sql_freeresult($result);
2212 }
2213
2214 /**
2215 * Specify/Get image
2216 * $suffix is no longer used - we know it. ;) It is there for backward compatibility.
2217 */
2218 function img($img, $alt = '', $width = false, $suffix = '', $type = 'full_tag')
2219 {
2220 static $imgs;
2221 global $phpbb_root_path;
2222
2223 $img_data = &$imgs[$img];
2224
2225 if (empty($img_data))
2226 {
2227 if (!isset($this->img_array[$img]))
2228 {
2229 // Do not fill the image to let designers decide what to do if the image is empty
2230 $img_data = '';
2231 return $img_data;
2232 }
2233
2234 // Use URL if told so
2235 $root_path = (defined('PHPBB_USE_BOARD_URL_PATH') && PHPBB_USE_BOARD_URL_PATH) ? generate_board_url() . '/' : $phpbb_root_path;
2236
2237 $img_data['src'] = $root_path . 'styles/' . rawurlencode($this->theme['imageset_path']) . '/imageset/' . ($this->img_array[$img]['image_lang'] ? $this->img_array[$img]['image_lang'] .'/' : '') . $this->img_array[$img]['image_filename'];
2238 $img_data['width'] = $this->img_array[$img]['image_width'];
2239 $img_data['height'] = $this->img_array[$img]['image_height'];
2240 }
2241
2242 $alt = (!empty($this->lang[$alt])) ? $this->lang[$alt] : $alt;
2243
2244 switch ($type)
2245 {
2246 case 'src':
2247 return $img_data['src'];
2248 break;
2249
2250 case 'width':
2251 return ($width === false) ? $img_data['width'] : $width;
2252 break;
2253
2254 case 'height':
2255 return $img_data['height'];
2256 break;
2257
2258 default:
2259 $use_width = ($width === false) ? $img_data['width'] : $width;
2260
2261 return '<img src="' . $img_data['src'] . '"' . (($use_width) ? ' width="' . $use_width . '"' : '') . (($img_data['height']) ? ' height="' . $img_data['height'] . '"' : '') . ' alt="' . $alt . '" title="' . $alt . '" />';
2262 break;
2263 }
2264 }
2265
2266 /**
2267 * Get option bit field from user options
2268 */
2269 function optionget($key, $data = false)
2270 {
2271 if (!isset($this->keyvalues[$key]))
2272 {
2273 $var = ($data) ? $data : $this->data['user_options'];
2274 $this->keyvalues[$key] = ($var & 1 << $this->keyoptions[$key]) ? true : false;
2275 }
2276
2277 return $this->keyvalues[$key];
2278 }
2279
2280 /**
2281 * Set option bit field for user options
2282 */
2283 function optionset($key, $value, $data = false)
2284 {
2285 $var = ($data) ? $data : $this->data['user_options'];
2286
2287 if ($value && !($var & 1 << $this->keyoptions[$key]))
2288 {
2289 $var += 1 << $this->keyoptions[$key];
2290 }
2291 else if (!$value && ($var & 1 << $this->keyoptions[$key]))
2292 {
2293 $var -= 1 << $this->keyoptions[$key];
2294 }
2295 else
2296 {
2297 return ($data) ? $var : false;
2298 }
2299
2300 if (!$data)
2301 {
2302 $this->data['user_options'] = $var;
2303 return true;
2304 }
2305 else
2306 {
2307 return $var;
2308 }
2309 }
2310
2311 /**
2312 * Funtion to make the user leave the NEWLY_REGISTERED system group.
2313 * @access public
2314 */
2315 function leave_newly_registered()
2316 {
2317 global $db;
2318
2319 if (empty($this->data['user_new']))
2320 {
2321 return false;
2322 }
2323
2324 if (!function_exists('remove_newly_registered'))
2325 {
2326 global $phpbb_root_path, $phpEx;
2327
2328 include($phpbb_root_path . 'includes/functions_user.' . $phpEx);
2329 }
2330 if ($group = remove_newly_registered($this->data['user_id'], $this->data))
2331 {
2332 $this->data['group_id'] = $group;
2333
2334 }
2335 $this->data['user_permissions'] = '';
2336 $this->data['user_new'] = 0;
2337
2338 return true;
2339 }
2340 }
2341
2342 ?>
phpbb is a php-based BBS (buletin board system)