<?php
//$Header: /hl/cvsroots/gpl01/gpl01/webprojs/fboprime/sw/phplib/par.inc,v 1.9 2006/08/01 21:51:46 dashley Exp $
//********************************************************************************
//par.inc--FboPrime Parameter and Cookie Processing
//Copyright (C) 2006 David T. Ashley
//
//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation; either version 2
//of the License, or (at your option) any later version.
//
//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
//GNU General Public License for more details.
//
//You should have received a copy of the GNU General Public License
//along with this program; if not, write to the Free Software
//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//********************************************************************************
//This file contains functions that carefully control GET/POST input parameters
//and cookies and bring them into the global variable space.
//
//The most conservative approach is to restrict such parameters to a language,
//i.e. to confine the form they may have.
//--------------------------------------------------------------------------------
//Pull in strfunc.inc, which supplies STRFUNC_force_into_subset(); the
//PAR_get_*() functions below rely on it to strip every character that is
//outside a parameter's allowed alphabet.
require_once 'strfunc.inc';
//
//--------------------------------------------------------------------------------
//FULL LIST OF COOKIE PARAMETERS
//------------------------------
//Only one cookie is issued by this software, named "fbopsid". This is a session
//identifier as described in the documentation. The cookie is issued on a
//successful login and revoked when a session times out or there is an
//authentication failure.
//
//--------------------------------------------------------------------------------
//FULL LIST OF GET/POST PARAMETERS
//--------------------------------
//This is the list of get/post parameters. They are named uniquely to avoid
//confusion or mistakes. In general, a script will try to import only those
//parameters that it is interested in--others are ignored.
//
//GET and POST parameters are usually treated identically--there is no
//differentiation made. This means in some cases it is possible to modify page
//behavior (for example, page appearance) by adding a string to the URL (i.e. to
//use a URL not directly generated by the software). This allows power-users
//to sometimes work more effectively.
//
//GET parameters are preferentially used, as they allow URLs to be bookmarked
//and e-mailed.
//
//index.php -- Main scheduler day view.
//-------------------------------------
// authuserid
// The login name of the user. For example, "jsmith". Login names
// must begin with a letter, must be 20 characters or less, and may
// contain only letters and numbers. Login names are converted to
// all lower-case, and they are treated as case-insensitive.
//
// Any supplied parameter has blanks and invalid characters removed
// before being assigned to the global variable. In some cases,
// a login name consisting of exclusively blanks or invalid characters
// may be assigned to the global variable as the empty string.
//
// If the login name is not supplied, the corresponding global
// variable is set to FALSE.
//
// authuserpasswd
// The password supplied by the user to authenticate. Passwords
// may contain only certain characters, no spaces at the ends, etc.
//
// Any supplied parameter has blanks and invalid characters removed
// before being assigned to the global variable. In some cases,
// password consisting of exclusively blanks or invalid characters
// may be assigned to the global variable as the empty string.
//
// If the password is not supplied, the corresponding global
// variable is set to FALSE.
//
// logout
// If the main scheduling page is invoked with a get or post
// parameter of "logout" defined to _any_ value, this is a cue
// to log out the user. The traditional value is logout=1.
//
// A user is logged out by linking to the main scheduling page
// with the "logout" parameter set.
//
// sddt
// The date whose scheduling information will be displayed.
//
// If no date is supplied, the default is usually the current
// calendar day.
//
// The date is in the format YYYYMMDD, for example,
//
// "20060408".
//
// Any supplied parameter has blanks and invalid characters removed
// before being assigned to the global variable. In some cases,
// a date consisting of exclusively blanks or invalid characters
// may be assigned to the global variable as the empty string.
//
// If the date is not supplied, the corresponding global
// variable is set to FALSE.
//
// sdtim
// The time of day for which scheduling information should be
// displayed.
//
// If no time of day is supplied, the default is usually
// the default panel for scheduling views.
//
// The time is in the format "HHMMSS", for example,
//
// "1519".
//
// The time should range from "0000" through "2359". "2400" is
// illegal, as it would actually correspond to midnight of the
// following day.
//
// Any supplied parameter has blanks and invalid characters removed
// before being assigned to the global variable. In some cases,
// a time consisting of exclusively blanks or invalid characters
// may be assigned to the global variable as the empty string.
//
// If the time is not supplied, the corresponding global
// variable is set to FALSE.
//
// todaynow
// If set to any value (i.e. if it exists), the global variable is
// set to TRUE, otherwise, it is set to FALSE. Signals that current
// server time should be used (all get/post parameters and session
// state should be ignored).
//
// menulvladjst
// If present, indicates to adjust the current menu level (stored in
// the session record of the database) up or down. Parameter values
// allowed:
// "D" (or "d") : Decrement the current menu level (corresponding
// to fewer options displayed).
// "U" (or "u") : Increment the current menu level (corresponding
// to more options displayed).
//
// acklevel
// Used for acknowledgement screens in various contexts, to trigger
// an acknowledgement screen rather than the main action. This should
// be an integer in the range of [0,100] with semantics defined by
// the using page. If the parameter is missing or invalid, $PAR_acklevel
// is assigned FALSE.
//
//--------------------------------------------------------------------------------
//Obtains the FBOPSID cookie parameter and assigns it to a global variable.
//FALSE is assigned if the parameter is not passed. Invalid characters are
//removed, possibly leading to the empty string if the passed entity is empty or
//contains only invalid characters.
//
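/**
 * Import the "fbopsid" cookie into the global $PAR_fbopsid.
 *
 * $PAR_fbopsid is set to FALSE when the cookie is absent or is not a plain
 * string (PHP decodes a cookie named "fbopsid[]" into an array).  Otherwise
 * the value is reduced to the characters allowed for a session identifier
 * and truncated to 66 characters, which may leave the empty string.
 *
 * @global string|false $PAR_fbopsid
 * @return void
 */
function PAR_get_fbopsid()
{
    global $PAR_fbopsid;

    //Only a plain string may proceed to the filtering below; anything else is
    //treated exactly as if no cookie had been supplied.
    if ((! isset($_COOKIE["fbopsid"])) || (! is_string($_COOKIE["fbopsid"])))
    {
        $PAR_fbopsid = FALSE;
        return;
    }

    //Trim the string down to the characters allowed for a session identifier.
    $PAR_fbopsid = STRFUNC_force_into_subset($_COOKIE["fbopsid"], "SGIABCDEF0123456789");

    //The total string may be no longer than 66 characters long.
    if (strlen($PAR_fbopsid) > 66)
    {
        $PAR_fbopsid = substr($PAR_fbopsid, 0, 66);
    }
}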
//
//
//--------------------------------------------------------------------------------
//Obtains the AUTHUSERID and assigns it into a global variable. FALSE is
//assigned if the parameter is not passed. Invalid characters are removed,
//possibly leading to the empty string if the passed entity is empty or
//contains only invalid characters.
//
//Unit-tested on 20060408.
//
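/**
 * Import the "authuserid" GET/POST parameter into the global $PAR_authuserid.
 *
 * POST is preferred over GET when both are present.  The value is reduced to
 * ASCII letters and digits and lower-cased.  $PAR_authuserid is set to FALSE
 * when the parameter is absent, is not a plain string (a "authuserid[]="
 * submission arrives as an array), or is empty after filtering.  The length
 * and leading-letter rules described in the file header are not enforced
 * here.
 *
 * @global string|false $PAR_authuserid
 * @return void
 */
function PAR_get_authuserid()
{
    global $PAR_authuserid;

    //POST takes precedence over GET when both are supplied.
    if (isset($_POST["authuserid"]))
    {
        $starting_point = $_POST["authuserid"];
    }
    else if (isset($_GET["authuserid"]))
    {
        $starting_point = $_GET["authuserid"];
    }
    else
    {
        $PAR_authuserid = FALSE;
        return;
    }

    //Never hand an array (or anything else non-string) to the string
    //functions below; treat it as an absent parameter instead.
    if (! is_string($starting_point))
    {
        $PAR_authuserid = FALSE;
        return;
    }

    //Trim all disallowed characters.
    $starting_point
        = STRFUNC_force_into_subset($starting_point,
                                    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");

    //Login names are case-insensitive, so normalize to lower case.
    $starting_point = strtolower($starting_point);

    //If nothing survived the filtering, treat the parameter as not existing.
    if (strlen($starting_point) == 0)
    {
        $PAR_authuserid = FALSE;
        return;
    }

    //And assign to the global, which we may be just newly creating.
    $PAR_authuserid = $starting_point;
}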
//
//
//--------------------------------------------------------------------------------
//Obtains the AUTHUSERPASSWD and assigns it into a global variable. FALSE is
//assigned if the parameter is not passed. Invalid characters are removed,
//possibly leading to the empty string if the passed entity is empty or
//contains only invalid characters.
//
//Passwords are not trimmed here. The password is never displayed (so HTML
//encoded scripting attacks, etc. shouldn't be possible), and it is better
//if downstream software can parse it and potentially display error
//messages.
//
//Passwords will only be accepted as a POST parameter (they should not be
//on the command line).
//
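/**
 * Import the "authuserpasswd" POST parameter into the global
 * $PAR_authuserpasswd.
 *
 * Only POST is consulted, so the password never appears in a URL.  The value
 * is deliberately not filtered here (see the comment above).  FALSE is
 * assigned when the parameter is absent or is not a plain string; a value
 * submitted as "authuserpasswd[]=" arrives as an array and is rejected so
 * that downstream string handling always receives a string.
 *
 * @global string|false $PAR_authuserpasswd
 * @return void
 */
function PAR_get_authuserpasswd()
{
    global $PAR_authuserpasswd;

    if ((! isset($_POST["authuserpasswd"])) || (! is_string($_POST["authuserpasswd"])))
    {
        $PAR_authuserpasswd = FALSE;
        return;
    }

    //Passed through unmodified; see the note above on why no trimming is done.
    $PAR_authuserpasswd = $_POST["authuserpasswd"];
}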
//
//
//--------------------------------------------------------------------------------
//Obtains the SDDT and assigns it into a global variable. FALSE is
//assigned if the parameter is not passed. Invalid characters are removed,
//possibly leading to the empty string if the passed entity is empty or
//contains only invalid characters.
//
//Unit-tested on 20060408.
//
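/**
 * Import the "sddt" (schedule date) GET/POST parameter into the global
 * $PAR_sddt.
 *
 * POST is preferred over GET when both are present.  The value is reduced to
 * its decimal digits and may therefore end up as the empty string.  FALSE is
 * assigned when the parameter is absent or is not a plain string ("sddt[]="
 * arrives as an array).  No check is made here that the result is a
 * well-formed YYYYMMDD date.
 *
 * @global string|false $PAR_sddt
 * @return void
 */
function PAR_get_sddt()
{
    global $PAR_sddt;

    //POST takes precedence over GET when both are supplied.
    if (isset($_POST["sddt"]))
    {
        $starting_point = $_POST["sddt"];
    }
    else if (isset($_GET["sddt"]))
    {
        $starting_point = $_GET["sddt"];
    }
    else
    {
        $PAR_sddt = FALSE;
        return;
    }

    //Never hand an array to the string functions below; treat it as absent.
    if (! is_string($starting_point))
    {
        $PAR_sddt = FALSE;
        return;
    }

    //Trim all disallowed characters.
    $starting_point = STRFUNC_force_into_subset($starting_point, "0123456789");

    //And assign to the global, which we may be just newly creating.
    $PAR_sddt = $starting_point;
}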
//
//
//--------------------------------------------------------------------------------
//Obtains the SDTIM and assigns it into a global variable. FALSE is
//assigned if the parameter is not passed. Invalid characters are removed,
//possibly leading to the empty string if the passed entity is empty or
//contains only invalid characters.
//
//Unit-tested on 20060408.
//
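/**
 * Import the "sdtim" (schedule time of day) GET/POST parameter into the
 * global $PAR_sdtim.
 *
 * POST is preferred over GET when both are present.  The value is reduced to
 * its decimal digits and may therefore end up as the empty string.  FALSE is
 * assigned when the parameter is absent or is not a plain string ("sdtim[]="
 * arrives as an array).  No check is made here that the digits form a valid
 * time of day.
 *
 * @global string|false $PAR_sdtim
 * @return void
 */
function PAR_get_sdtim()
{
    global $PAR_sdtim;

    //POST takes precedence over GET when both are supplied.
    if (isset($_POST["sdtim"]))
    {
        $starting_point = $_POST["sdtim"];
    }
    else if (isset($_GET["sdtim"]))
    {
        $starting_point = $_GET["sdtim"];
    }
    else
    {
        $PAR_sdtim = FALSE;
        return;
    }

    //Never hand an array to the string functions below; treat it as absent.
    if (! is_string($starting_point))
    {
        $PAR_sdtim = FALSE;
        return;
    }

    //Trim all disallowed characters.
    $starting_point = STRFUNC_force_into_subset($starting_point, "0123456789");

    //And assign to the global, which we may be just newly creating.
    $PAR_sdtim = $starting_point;
}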
//
//
//--------------------------------------------------------------------------------
//Obtains the TODAYNOW and assigns it into a global variable. TRUE is assigned
//if ANY value is present for the variable, or FALSE otherwise.
//
/**
 * Set the global $PAR_todaynow to TRUE when a "todaynow" GET or POST
 * parameter exists with any value at all, and to FALSE otherwise.  The
 * parameter's value is never examined.
 *
 * @global bool $PAR_todaynow
 * @return void
 */
function PAR_get_todaynow()
{
    global $PAR_todaynow;

    //Presence is the only thing that matters here.
    $PAR_todaynow = isset($_GET["todaynow"]) || isset($_POST["todaynow"]);
}
//
//
//--------------------------------------------------------------------------------
//Obtains the MENULVLADJST and assigns it into a global variable as either:
// FALSE if the parameter is not passed.
// -1 if the menu level is to be decremented.
// 1 if the menu level is to be incremented.
//
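/**
 * Import the "menulvladjst" GET/POST parameter into the global
 * $PAR_menulvladjst as -1 (decrement, "d"/"D"), 1 (increment, "u"/"U") or
 * FALSE (parameter absent, not a plain string, or not exactly one of those
 * letters after filtering).
 *
 * @global int|false $PAR_menulvladjst
 * @return void
 */
function PAR_get_menulvladjst()
{
    global $PAR_menulvladjst;

    //POST takes precedence over GET when both are supplied.
    if (isset($_POST["menulvladjst"]))
    {
        $starting_point = $_POST["menulvladjst"];
    }
    else if (isset($_GET["menulvladjst"]))
    {
        $starting_point = $_GET["menulvladjst"];
    }
    else
    {
        $PAR_menulvladjst = FALSE;
        return;
    }

    //A "menulvladjst[]=" submission arrives as an array; treat it as absent
    //rather than handing it to the string functions below.
    if (! is_string($starting_point))
    {
        $PAR_menulvladjst = FALSE;
        return;
    }

    //Trim all disallowed characters, then fold case so one comparison per
    //direction suffices.
    $starting_point = strtolower(STRFUNC_force_into_subset($starting_point, "uUdD"));

    //Exactly one direction letter is meaningful; the empty string or several
    //letters fall through to FALSE.
    if ($starting_point === "d")
    {
        $PAR_menulvladjst = -1;
    }
    else if ($starting_point === "u")
    {
        $PAR_menulvladjst = 1;
    }
    else
    {
        $PAR_menulvladjst = FALSE;
    }
}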
//
//
//--------------------------------------------------------------------------------
//Obtains the LOGOUT parameter. If this parameter is set to ANY value,
//it is a cue to log out the user.
//
/**
 * Set the global $PAR_logout to TRUE when a "logout" GET or POST parameter
 * exists with any value, and to FALSE otherwise.  The value itself is
 * ignored.
 *
 * @global bool $PAR_logout
 * @return void
 */
function PAR_get_logout()
{
    global $PAR_logout;

    //Only existence of the parameter is significant.
    $PAR_logout = isset($_GET["logout"]) || isset($_POST["logout"]);
}
//
//
//--------------------------------------------------------------------------------
//Obtains the ACKLEVEL and assigns it into a global variable as an integer.
//FALSE is assigned if the parameter is not passed or if it is passed but is
//invalid.
//
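/**
 * Import the "acklevel" GET/POST parameter into the global $PAR_acklevel as
 * an integer in [0,100].
 *
 * POST is preferred over GET when both are present.  The value is reduced to
 * decimal digits, leading zeros are dropped, and the result must be in
 * [0,100].  FALSE is assigned when the parameter is absent, is not a plain
 * string ("acklevel[]=" arrives as an array), is empty after filtering, or
 * is out of range.  The upper bound "100" (three digits) is accepted, as the
 * file header specifies.
 *
 * @global int|false $PAR_acklevel
 * @return void
 */
function PAR_get_acklevel()
{
    global $PAR_acklevel;

    //POST takes precedence over GET when both are supplied.
    if (isset($_POST["acklevel"]))
    {
        $starting_point = $_POST["acklevel"];
    }
    else if (isset($_GET["acklevel"]))
    {
        $starting_point = $_GET["acklevel"];
    }
    else
    {
        $PAR_acklevel = FALSE;
        return;
    }

    //Never hand an array to the string functions below; treat it as absent.
    if (! is_string($starting_point))
    {
        $PAR_acklevel = FALSE;
        return;
    }

    //Trim all disallowed characters.
    $starting_point = STRFUNC_force_into_subset($starting_point, "0123456789");

    //Remove leading zeros ("007" -> "7"); a string of only zeros becomes "0".
    if (strlen($starting_point) > 0)
    {
        $starting_point = ltrim($starting_point, "0");
        if ($starting_point === "")
        {
            $starting_point = "0";
        }
    }

    //At this point, the value can't help but syntactically be an integer or the
    //empty string.
    if (strlen($starting_point) == 0)
    {
        $PAR_acklevel = FALSE; //Empty string.
    }
    else if (strlen($starting_point) > 3)
    {
        //More than three digits cannot be within [0,100]; rejecting on length
        //also keeps the (int) cast below away from overflow-sized strings.
        //Three digits must be allowed so that "100" itself is accepted.
        $PAR_acklevel = FALSE; //Too big as an integer.
    }
    else
    {
        $starting_point = (int)$starting_point;
        if (($starting_point >= 0) && ($starting_point <= 100))
        {
            $PAR_acklevel = $starting_point;
        }
        else
        {
            $PAR_acklevel = FALSE; //Out of range as an integer.
        }
    }
}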
//
//
//--------------------------------------------------------------------------------
//End of $RCSfile: par.inc,v $.
//--------------------------------------------------------------------------------
?>