diff options
Diffstat (limited to 'phpBB/includes/session.php')
| -rw-r--r-- | phpBB/includes/session.php | 65 |
1 files changed, 47 insertions, 18 deletions
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 7ef6e02a8d..9e1aefa309 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -39,7 +39,7 @@ class session * * @param string $root_path current root path (phpbb_root_path) */ - function extract_current_page($root_path) + static function extract_current_page($root_path) { $page_array = array(); @@ -130,7 +130,7 @@ class session 'root_script_path' => str_replace(' ', '%20', htmlspecialchars($root_script_path)), 'page' => $page, - 'forum' => (isset($_REQUEST['f']) && $_REQUEST['f'] > 0) ? (int) $_REQUEST['f'] : 0, + 'forum' => request_var('f', 0), ); return $page_array; @@ -206,6 +206,7 @@ class session function session_begin($update_session_page = true) { global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path; + global $request; // Give us some basic information $this->time_now = time(); @@ -241,7 +242,7 @@ class session $this->forwarded_for = ''; } - if (isset($_COOKIE[$config['cookie_name'] . '_sid']) || isset($_COOKIE[$config['cookie_name'] . '_u'])) + if ($request->is_set($config['cookie_name'] . '_sid', phpbb_request_interface::COOKIE) || $request->is_set($config['cookie_name'] . '_u', phpbb_request_interface::COOKIE)) { $this->cookie_data['u'] = request_var($config['cookie_name'] . '_u', 0, false, true); $this->cookie_data['k'] = request_var($config['cookie_name'] . '_k', '', false, true); @@ -278,6 +279,24 @@ class session foreach ($ips as $ip) { + if (function_exists('phpbb_ip_normalise')) + { + // Normalise IP address + $ip = phpbb_ip_normalise($ip); + + if (empty($ip)) + { + // IP address is invalid. + break; + } + + // IP address is valid. + $this->ip = $ip; + + // Skip legacy code. + continue; + } + if (preg_match(get_preg_expression('ipv4'), $ip)) { $this->ip = $ip; @@ -323,7 +342,7 @@ class session } // Is session_id is set or session_id is set and matches the url param if required - if (!empty($this->session_id) && (!defined('NEED_SID') || (isset($_GET['sid']) && $this->session_id === $_GET['sid']))) + if (!empty($this->session_id) && (!defined('NEED_SID') || (isset($_GET['sid']) && $this->session_id === request_var('sid', '')))) { $sql = 'SELECT u.*, s.* FROM ' . SESSIONS_TABLE . ' s, ' . USERS_TABLE . " u @@ -417,9 +436,7 @@ class session $db->sql_return_on_error(true); - $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . " - WHERE session_id = '" . $db->sql_escape($this->session_id) . "'"; - $result = $db->sql_query($sql); + $this->update_session($sql_ary); $db->sql_return_on_error(false); @@ -429,9 +446,7 @@ class session { unset($sql_ary['session_forum_id']); - $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . " - WHERE session_id = '" . $db->sql_escape($this->session_id) . "'"; - $db->sql_query($sql); + $this->update_session($sql_ary); } if ($this->data['user_id'] != ANONYMOUS && !empty($config['new_member_post_limit']) && $this->data['user_new'] && $config['new_member_post_limit'] <= $this->data['user_posts']) @@ -698,9 +713,7 @@ class session $sql_ary['session_forum_id'] = $this->page['forum']; } - $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . " - WHERE session_id = '" . $db->sql_escape($this->session_id) . "'"; - $db->sql_query($sql); + $this->update_session($sql_ary); // Update the last visit time $sql = 'UPDATE ' . USERS_TABLE . ' @@ -1001,7 +1014,7 @@ class session } // only called from CRON; should be a safe workaround until the infrastructure gets going - if (!class_exists('phpbb_captcha_factory')) + if (!class_exists('phpbb_captcha_factory', false)) { include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx); } @@ -1479,6 +1492,23 @@ class session WHERE session_id = \'' . $db->sql_escape($this->session_id) . '\''; $db->sql_query($sql); } + + /** + * Update the session data + * + * @param array $session_data associative array of session keys to be updated + * @param string $session_id optional session_id, defaults to current user's session_id + */ + public function update_session($session_data, $session_id = null) + { + global $db; + + $session_id = ($session_id) ? $session_id : $this->session_id; + + $sql = 'UPDATE ' . SESSIONS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $session_data) . " + WHERE session_id = '" . $db->sql_escape($session_id) . "'"; + $db->sql_query($sql); + } } @@ -1608,11 +1638,12 @@ class user extends session $this->add_lang($lang_set); unset($lang_set); - if (!empty($_GET['style']) && $auth->acl_get('a_styles') && !defined('ADMIN_START')) + $style_request = request_var('style', 0); + if ($style_request && $auth->acl_get('a_styles') && !defined('ADMIN_START')) { global $SID, $_EXTRA_URL; - $style = request_var('style', 0); + $style = $style_request; $SID .= '&style=' . $style; $_EXTRA_URL = array('style=' . $style); } @@ -2376,5 +2407,3 @@ class user extends session return true; } } - -?>
\ No newline at end of file |