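<?php
/***************************************************************************
 *                                common.php
 *                            -------------------
 *   begin                : Saturday, Feb 23, 2001
 *   copyright            : (C) 2001 The phpBB Group
 *   email                : support@phpbb.com
 *
 *   $Id: common.php 5970 2006-05-26 17:46:59Z grahamje $
 *
 ***************************************************************************/

/***************************************************************************
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 ***************************************************************************/

// common.php is an include, never an entry point. The scripts that pull it
// in define IN_PHPBB first; a direct HTTP request for this file (or for any
// include that itself relies on it) stops here before touching config or
// the database.
if (!defined('IN_PHPBB'))
{
    die("Hacking attempt");
}

// E_NOTICE is deliberately excluded: the code base reads variables before
// they are initialised and would otherwise flood the output with notices.
error_reporting(E_ERROR | E_WARNING | E_PARSE);

// Disable magic_quotes_runtime (auto-slashing of data read back from the
// database and from files); phpBB escapes request input itself further down,
// and presumably does not want values slashed twice.
// The function was removed in PHP 7, where an unguarded call is a fatal
// error, so only call it where it exists.
if (function_exists('set_magic_quotes_runtime'))
{
    set_magic_quotes_runtime(0);
}

// The following code (unsetting globals)
// Thanks to Matt Kavanagh and Stefan Esser for providing feedback as well as patch files

// PHP5 with register_long_arrays off?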
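// With register_long_arrays off, PHP 5 never populates the legacy
// $HTTP_*_VARS arrays that the rest of phpBB reads, so copy them from the
// superglobals. version_compare() replaces the original string comparison
// (@phpversion() >= '5.0.0'), which orders e.g. "10.0.0" below "5.0.0".
if (version_compare(PHP_VERSION, '5.0.0', '>=') && (!@ini_get('register_long_arrays') || @ini_get('register_long_arrays') == '0' || strtolower(@ini_get('register_long_arrays')) == 'off'))
{
    $HTTP_POST_VARS = $_POST;
    $HTTP_GET_VARS = $_GET;
    $HTTP_SERVER_VARS = $_SERVER;
    $HTTP_COOKIE_VARS = $_COOKIE;
    $HTTP_ENV_VARS = $_ENV;
    $HTTP_POST_FILES = $_FILES;

    // _SESSION is the only superglobal which is conditionally set
    if (isset($_SESSION))
    {
        $HTTP_SESSION_VARS = $_SESSION;
    }
}

// Protect against GLOBALS tricks: under register_globals a request
// parameter literally named GLOBALS is the classic way to clobber the
// global symbol table, so refuse any request that carries one.
if (isset($HTTP_POST_VARS['GLOBALS']) || isset($HTTP_POST_FILES['GLOBALS']) || isset($HTTP_GET_VARS['GLOBALS']) || isset($HTTP_COOKIE_VARS['GLOBALS']))
{
    die("Hacking attempt");
}

// Protect against HTTP_SESSION_VARS tricks: if it exists it must be the
// array PHP built, not a scalar a request injected.
if (isset($HTTP_SESSION_VARS) && !is_array($HTTP_SESSION_VARS))
{
    die("Hacking attempt");
}

if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
{
    // PHP4+ path: register_globals is on, so every request key has already
    // been turned into a global variable. Purge them all, except the names
    // below, which must survive; a request that tries to supply one of those
    // names is treated as an attack.
    $not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

    // Not only will array_merge give a warning if a parameter
    // is not an array, it will actually fail. So we check if
    // HTTP_SESSION_VARS has been initialised.
    if (!isset($HTTP_SESSION_VARS) || !is_array($HTTP_SESSION_VARS))
    {
        $HTTP_SESSION_VARS = array();
    }

    // Merge all into one extremely huge array; unset this later.
    // The two locals used by this loop must not be purged from under it.
    $input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES);
    unset($input['input'], $input['not_unset']);

    foreach (array_keys($input) as $var)
    {
        // Strict comparison is essential here. array_merge() renumbers
        // integer keys from 0, and with the original loose in_array() the
        // integer 0 compares equal to every string in $not_unset on PHP < 8,
        // so any request carrying a numeric parameter name (e.g. "?0=x")
        // was rejected as a "Hacking attempt".
        if (in_array($var, $not_unset, true))
        {
            die('Hacking attempt!');
        }
        unset($$var);
    }

    unset($input, $var);
}

if (!function_exists('phpbb_addslashes_deep'))
{
    /**
     * Apply addslashes() to a scalar, or recursively to every leaf of an
     * array, preserving keys and nesting.
     *
     * The original code only descended two levels and passed any deeper
     * array straight to addslashes(), which yields NULL plus a warning on
     * PHP 5/7 and a TypeError on PHP 8.
     *
     * @param mixed $value  scalar or (nested) array of request values
     * @return mixed        same shape as $value with every leaf slashed
     */
    function phpbb_addslashes_deep($value)
    {
        if (is_array($value))
        {
            foreach ($value as $key => $item)
            {
                $value[$key] = phpbb_addslashes_deep($item);
            }
            return $value;
        }
        return addslashes($value);
    }
}

//
// addslashes to vars if magic_quotes_gpc is off
// this is a security precaution to prevent someone
// trying to break out of a SQL statement.
//
// NOTE(review): addslashes() is a coarse, charset-unaware escape and must
// not be the only defence; the DB layer's own escaping is still required
// for every value that reaches SQL, and every consumer that does NOT send a
// value to SQL has to stripslashes() it again.
//
// get_magic_quotes_gpc() was deprecated in 7.4 and removed in PHP 8; where
// it no longer exists magic quotes are necessarily off, so escape.
//
if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc())
{
    if (is_array($HTTP_GET_VARS))
    {
        $HTTP_GET_VARS = phpbb_addslashes_deep($HTTP_GET_VARS);
    }

    if (is_array($HTTP_POST_VARS))
    {
        $HTTP_POST_VARS = phpbb_addslashes_deep($HTTP_POST_VARS);
    }

    if (is_array($HTTP_COOKIE_VARS))
    {
        $HTTP_COOKIE_VARS = phpbb_addslashes_deep($HTTP_COOKIE_VARS);
    }
}
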
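//
// Define some basic configuration arrays. Initialising them here, after the
// register_globals purge above, also prevents malicious rewriting of
// language and other array values via URI params: whatever a request
// registered under these names is overwritten unconditionally.
//
$board_config = array();
$userdata = array();
$theme = array();
$images = array();
$lang = array();
$nav_links = array();
$dss_seeded = false;
$gen_simple_header = FALSE;

// config.php is expected to define PHPBB_INSTALLED and the db* settings.
include($phpbb_root_path . 'config.'.$phpEx);

if( !defined("PHPBB_INSTALLED") )
{
    header('Location: ' . $phpbb_root_path . 'install/install.' . $phpEx);
    exit;
}

include($phpbb_root_path . 'includes/constants.'.$phpEx);
include($phpbb_root_path . 'includes/template.'.$phpEx);
include($phpbb_root_path . 'includes/sessions.'.$phpEx);
include($phpbb_root_path . 'includes/auth.'.$phpEx);
include($phpbb_root_path . 'includes/functions.'.$phpEx);
include($phpbb_root_path . 'includes/db.'.$phpEx);

// We do not need this any longer, unset for safety purposes: db.php has had
// its chance to use the password, and nothing later (including any debug
// dump of globals) should be able to reach it.
unset($dbpasswd);

//
// Obtain and encode users IP
//
// Only REMOTE_ADDR is used, never HTTP_X_FORWARDED_FOR: that header is
// supplied by the client and trivially spoofable, so honouring it would let
// a visitor choose the address recorded for them. The price is that users
// behind a proxy are seen as the proxy's (possibly private) address.
//
$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );
$user_ip = encode_ip($client_ip);

//
// Setup forum wide options, if this fails
// then we output a CRITICAL_ERROR since
// basic forum information is not available
//
$sql = "SELECT *
    FROM " . CONFIG_TABLE;
if( !($result = $db->sql_query($sql)) )
{
    message_die(CRITICAL_ERROR, "Could not query config information", "", __LINE__, __FILE__, $sql);
}

while ( $row = $db->sql_fetchrow($result) )
{
    $board_config[$row['config_name']] = $row['config_value'];
}

// Refuse to run while the install/ or contrib/ directories still exist.
// They are resolved against $phpbb_root_path rather than the current
// working directory: the original bare file_exists('install') looked
// relative to the executing script, so a script in a subdirectory
// (presumably with $phpbb_root_path pointing back to the board root)
// never found the directory and silently skipped the check.
if (file_exists($phpbb_root_path . 'install') || file_exists($phpbb_root_path . 'contrib'))
{
    message_die(GENERAL_MESSAGE, 'Please_remove_install_contrib');
}

//
// Show 'Board is disabled' message if needed.
//
if( $board_config['board_disable'] && !defined("IN_ADMIN") && !defined("IN_LOGIN") )
{
    message_die(GENERAL_MESSAGE, 'Board_disable', 'Information');
}

// No closing PHP tag: stray whitespace after it would be sent as output and
// break the header() redirect performed by scripts that include this file.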