1<?php
2/***************************************************************************
3 *                                common.php
4 *                            -------------------
5 *   begin                : Saturday, Feb 23, 2001
6 *   copyright            : (C) 2001 The phpBB Group
7 *   email                : support@phpbb.com
8 *
9 *   $Id: common.php 5970 2006-05-26 17:46:59Z grahamje $
10 *
11 ***************************************************************************/
12
13/***************************************************************************
14 *
15 *   This program is free software; you can redistribute it and/or modify
16 *   it under the terms of the GNU General Public License as published by
17 *   the Free Software Foundation; either version 2 of the License, or
18 *   (at your option) any later version.
19 *
20 ***************************************************************************/
21
22if ( !defined('IN_PHPBB') )
23{
24	die("Hacking attempt");
25}
26
27//
28error_reporting  (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
29set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
30
31// The following code (unsetting globals)
32// Thanks to Matt Kavanagh and Stefan Esser for providing feedback as well as patch files
33
34// PHP5 with register_long_arrays off?
35if (@phpversion() >= '5.0.0' && (!@ini_get('register_long_arrays') || @ini_get('register_long_arrays') == '0' || strtolower(@ini_get('register_long_arrays')) == 'off'))
36{
37	$HTTP_POST_VARS = $_POST;
38	$HTTP_GET_VARS = $_GET;
39	$HTTP_SERVER_VARS = $_SERVER;
40	$HTTP_COOKIE_VARS = $_COOKIE;
41	$HTTP_ENV_VARS = $_ENV;
42	$HTTP_POST_FILES = $_FILES;
43
44	// _SESSION is the only superglobal which is conditionally set
45	if (isset($_SESSION))
46	{
47		$HTTP_SESSION_VARS = $_SESSION;
48	}
49}
50
51// Protect against GLOBALS tricks
52if (isset($HTTP_POST_VARS['GLOBALS']) || isset($HTTP_POST_FILES['GLOBALS']) || isset($HTTP_GET_VARS['GLOBALS']) || isset($HTTP_COOKIE_VARS['GLOBALS']))
53{
54	die("Hacking attempt");
55}
56
57// Protect against HTTP_SESSION_VARS tricks
58if (isset($HTTP_SESSION_VARS) && !is_array($HTTP_SESSION_VARS))
59{
60	die("Hacking attempt");
61}
62
63if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
64{
65	// PHP4+ path
66	$not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');
67
68	// Not only will array_merge give a warning if a parameter
69	// is not an array, it will actually fail. So we check if
70	// HTTP_SESSION_VARS has been initialised.
71	if (!isset($HTTP_SESSION_VARS) || !is_array($HTTP_SESSION_VARS))
72	{
73		$HTTP_SESSION_VARS = array();
74	}
75
76	// Merge all into one extremely huge array; unset
77	// this later
78	$input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES);
79
80	unset($input['input']);
81	unset($input['not_unset']);
82
83	while (list($var,) = @each($input))
84	{
85		if (in_array($var, $not_unset))
86		{
87			die('Hacking attempt!');
88		}
89		unset($$var);
90	}
91
92	unset($input);
93}
94
95//
96// addslashes to vars if magic_quotes_gpc is off
97// this is a security precaution to prevent someone
98// trying to break out of a SQL statement.
99//
100if( !get_magic_quotes_gpc() )
101{
102	if( is_array($HTTP_GET_VARS) )
103	{
104		while( list($k, $v) = each($HTTP_GET_VARS) )
105		{
106			if( is_array($HTTP_GET_VARS[$k]) )
107			{
108				while( list($k2, $v2) = each($HTTP_GET_VARS[$k]) )
109				{
110					$HTTP_GET_VARS[$k][$k2] = addslashes($v2);
111				}
112				@reset($HTTP_GET_VARS[$k]);
113			}
114			else
115			{
116				$HTTP_GET_VARS[$k] = addslashes($v);
117			}
118		}
119		@reset($HTTP_GET_VARS);
120	}
121
122	if( is_array($HTTP_POST_VARS) )
123	{
124		while( list($k, $v) = each($HTTP_POST_VARS) )
125		{
126			if( is_array($HTTP_POST_VARS[$k]) )
127			{
128				while( list($k2, $v2) = each($HTTP_POST_VARS[$k]) )
129				{
130					$HTTP_POST_VARS[$k][$k2] = addslashes($v2);
131				}
132				@reset($HTTP_POST_VARS[$k]);
133			}
134			else
135			{
136				$HTTP_POST_VARS[$k] = addslashes($v);
137			}
138		}
139		@reset($HTTP_POST_VARS);
140	}
141
142	if( is_array($HTTP_COOKIE_VARS) )
143	{
144		while( list($k, $v) = each($HTTP_COOKIE_VARS) )
145		{
146			if( is_array($HTTP_COOKIE_VARS[$k]) )
147			{
148				while( list($k2, $v2) = each($HTTP_COOKIE_VARS[$k]) )
149				{
150					$HTTP_COOKIE_VARS[$k][$k2] = addslashes($v2);
151				}
152				@reset($HTTP_COOKIE_VARS[$k]);
153			}
154			else
155			{
156				$HTTP_COOKIE_VARS[$k] = addslashes($v);
157			}
158		}
159		@reset($HTTP_COOKIE_VARS);
160	}
161}
162
163//
164// Define some basic configuration arrays this also prevents
165// malicious rewriting of language and otherarray values via
166// URI params
167//
168$board_config = array();
169$userdata = array();
170$theme = array();
171$images = array();
172$lang = array();
173$nav_links = array();
174$dss_seeded = false;
175$gen_simple_header = FALSE;
176
177include($phpbb_root_path . 'config.'.$phpEx);
178
179if( !defined("PHPBB_INSTALLED") )
180{
181	header('Location: ' . $phpbb_root_path . 'install/install.' . $phpEx);
182	exit;
183}
184
185include($phpbb_root_path . 'includes/constants.'.$phpEx);
186include($phpbb_root_path . 'includes/template.'.$phpEx);
187include($phpbb_root_path . 'includes/sessions.'.$phpEx);
188include($phpbb_root_path . 'includes/auth.'.$phpEx);
189include($phpbb_root_path . 'includes/functions.'.$phpEx);
190include($phpbb_root_path . 'includes/db.'.$phpEx);
191
192// We do not need this any longer, unset for safety purposes
193unset($dbpasswd);
194
195//
196// Obtain and encode users IP
197//
198// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as
199// private range IP's appearing instead of the guilty routable IP, tough, don't
200// even bother complaining ... go scream and shout at the idiots out there who feel
201// "clever" is doing harm rather than good ... karma is a great thing ... :)
202//
203$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );
204$user_ip = encode_ip($client_ip);
205
206//
207// Setup forum wide options, if this fails
208// then we output a CRITICAL_ERROR since
209// basic forum information is not available
210//
211$sql = "SELECT *
212	FROM " . CONFIG_TABLE;
213if( !($result = $db->sql_query($sql)) )
214{
215	message_die(CRITICAL_ERROR, "Could not query config information", "", __LINE__, __FILE__, $sql);
216}
217
218while ( $row = $db->sql_fetchrow($result) )
219{
220	$board_config[$row['config_name']] = $row['config_value'];
221}
222
223if (file_exists('install') || file_exists('contrib'))
224{
225	message_die(GENERAL_MESSAGE, 'Please_remove_install_contrib');
226}
227
228//
229// Show 'Board is disabled' message if needed.
230//
231if( $board_config['board_disable'] && !defined("IN_ADMIN") && !defined("IN_LOGIN") )
232{
233	message_die(GENERAL_MESSAGE, 'Board_disable', 'Information');
234}
235
236?>