Diffstat (limited to 'phpBB/includes/ucp')
-rw-r--r-- | phpBB/includes/ucp/ucp_groups.php | 6 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_main.php | 130 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_pm_compose.php | 5 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_pm_options.php | 227 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_prefs.php | 47 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_profile.php | 43 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_register.php | 11 | ||||
-rw-r--r-- | phpBB/includes/ucp/ucp_resend.php | 7 |
8 files changed, 301 insertions, 175 deletions
diff --git a/phpBB/includes/ucp/ucp_groups.php b/phpBB/includes/ucp/ucp_groups.php index 6e93f64acb..d8d4a285d4 100644 --- a/phpBB/includes/ucp/ucp_groups.php +++ b/phpBB/includes/ucp/ucp_groups.php @@ -393,6 +393,7 @@ class ucp_groups $this->page_title = 'UCP_USERGROUPS_MANAGE'; $action = (isset($_POST['addusers'])) ? 'addusers' : request_var('action', ''); $group_id = request_var('g', 0); + add_form_key('ucp_groups'); if ($group_id) { @@ -552,6 +553,11 @@ class ucp_groups } } + if (!check_form_key('ucp_groups')) + { + $error[] = $user->lang['FORM_INVALID']; + } + if (!sizeof($error)) { // Only set the rank, colour, etc. if it's changed or if we're adding a new diff --git a/phpBB/includes/ucp/ucp_main.php b/phpBB/includes/ucp/ucp_main.php index ba40397a55..6f0db86bf6 100644 --- a/phpBB/includes/ucp/ucp_main.php +++ b/phpBB/includes/ucp/ucp_main.php 
@@ -194,41 +194,51 @@ class ucp_main $user->add_lang('viewforum'); + add_form_key('ucp_front_subscribed'); + $unwatch = (isset($_POST['unwatch'])) ? true : false; if ($unwatch) { - $forums = array_keys(request_var('f', array(0 => 0))); - $topics = array_keys(request_var('t', array(0 => 0))); - - if (sizeof($forums) || sizeof($topics)) + if(check_form_key('ucp_front_subscribed')) { - $l_unwatch = ''; - if (sizeof($forums)) - { - $sql = 'DELETE FROM ' . FORUMS_WATCH_TABLE . ' - WHERE ' . $db->sql_in_set('forum_id', $forums) . ' - AND user_id = ' . $user->data['user_id']; - $db->sql_query($sql); + $forums = array_keys(request_var('f', array(0 => 0))); + $topics = array_keys(request_var('t', array(0 => 0))); + $msg = ''; - $l_unwatch .= '_FORUMS'; - } - - if (sizeof($topics)) + if (sizeof($forums) || sizeof($topics)) { - $sql = 'DELETE FROM ' . TOPICS_WATCH_TABLE . ' - WHERE ' . $db->sql_in_set('topic_id', $topics) . ' - AND user_id = ' . $user->data['user_id']; - $db->sql_query($sql); + $l_unwatch = ''; + if (sizeof($forums)) + { + $sql = 'DELETE FROM ' . FORUMS_WATCH_TABLE . ' + WHERE ' . $db->sql_in_set('forum_id', $forums) . ' + AND user_id = ' . $user->data['user_id']; + $db->sql_query($sql); + + $l_unwatch .= '_FORUMS'; + } + + if (sizeof($topics)) + { + $sql = 'DELETE FROM ' . TOPICS_WATCH_TABLE . ' + WHERE ' . $db->sql_in_set('topic_id', $topics) . ' + AND user_id = ' . $user->data['user_id']; + $db->sql_query($sql); + + $l_unwatch .= '_TOPICS'; + } + $msg = $user->lang['UNWATCHED' . $l_unwatch]; - $l_unwatch .= '_TOPICS'; } - - $message = $user->lang['UNWATCHED' . $l_unwatch] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . append_sid("{$phpbb_root_path}ucp.$phpEx", "i=$id&mode=subscribed") . '">', '</a>'); - - meta_refresh(3, append_sid("{$phpbb_root_path}ucp.$phpEx", "i=$id&mode=subscribed")); - trigger_error($message); } + else + { + $msg = $user->lang['FORM_INVALID']; + } + $message = $msg . '<br /><br />' . 
sprintf($user->lang['RETURN_UCP'], '<a href="' . append_sid("{$phpbb_root_path}ucp.$phpEx", "i=$id&mode=subscribed") . '">', '</a>'); + meta_refresh(3, append_sid("{$phpbb_root_path}ucp.$phpEx", "i=$id&mode=subscribed")); + trigger_error($message); } $forbidden_forums = array(); 
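Review bot: With a valid token but nothing ticked, the subscribed handler now falls through to `trigger_error($message)` with `$msg` still `''`, so the user is shown only `<br /><br />` and the return link; the old code produced a message only when `$forums` or `$topics` was non-empty. Either keep the `sizeof($forums) || sizeof($topics)` guard around the `meta_refresh`/`trigger_error` pair or give the empty selection its own text (a dedicated lang string, placeholder `NO_SELECTION_KEY`), and the same unconditional fall-through with an empty `$msg` is in the addfolder branch of the ucp_pm_options hunk when `$folder_name` is empty. As a point of style, `if(check_form_key('ucp_front_subscribed'))` lacks the space after `if` used everywhere else in these files; the add_rule hunk in ucp_pm_options has the same `if(check_form_key(...))`. The enclosing method body continues outside the hunk.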
@@ -418,53 +428,65 @@ class ucp_main $s_hidden_fields = ($edit) ? '<input type="hidden" name="edit" value="' . $draft_id . '" />' : ''; $draft_subject = $draft_message = ''; + add_form_key('ucp_draft'); if ($delete) { - $drafts = array_keys(request_var('d', array(0 => 0))); - - if (sizeof($drafts)) + if (check_form_key('ucp_draft')) { - $sql = 'DELETE FROM ' . DRAFTS_TABLE . ' - WHERE ' . $db->sql_in_set('draft_id', $drafts) . ' - AND user_id = ' . $user->data['user_id']; - $db->sql_query($sql); + $drafts = array_keys(request_var('d', array(0 => 0))); - $message = $user->lang['DRAFTS_DELETED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>'); - - meta_refresh(3, $this->u_action); - trigger_error($message); + if (sizeof($drafts)) + { + $sql = 'DELETE FROM ' . DRAFTS_TABLE . ' + WHERE ' . $db->sql_in_set('draft_id', $drafts) . ' + AND user_id = ' . $user->data['user_id']; + $db->sql_query($sql); + } + $msg = $user->lang['DRAFTS_DELETED']; + unset($drafts); } - - unset($drafts); + else + { + $msg = $user->lang['FORM_INVALID']; + } + $message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>'); + meta_refresh(3, $this->u_action); + trigger_error($message); } if ($submit && $edit) { $draft_subject = utf8_normalize_nfc(request_var('subject', '', true)); $draft_message = utf8_normalize_nfc(request_var('message', '', true)); - - if ($draft_message && $draft_subject) + if (check_form_key('ucp_draft')) { - $draft_row = array( - 'draft_subject' => $draft_subject, - 'draft_message' => $draft_message - ); - - $sql = 'UPDATE ' . DRAFTS_TABLE . ' - SET ' . $db->sql_build_array('UPDATE', $draft_row) . " - WHERE draft_id = $draft_id - AND user_id = " . $user->data['user_id']; - $db->sql_query($sql); + if ($draft_message && $draft_subject) + { + $draft_row = array( + 'draft_subject' => $draft_subject, + 'draft_message' => $draft_message + ); + + $sql = 'UPDATE ' . DRAFTS_TABLE . 
' + SET ' . $db->sql_build_array('UPDATE', $draft_row) . " + WHERE draft_id = $draft_id + AND user_id = " . $user->data['user_id']; + $db->sql_query($sql); - $message = $user->lang['DRAFT_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>'); + $message = $user->lang['DRAFT_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>'); - meta_refresh(3, $this->u_action); - trigger_error($message); + meta_refresh(3, $this->u_action); + trigger_error($message); + } + else + { + $template->assign_var('ERROR', ($draft_message == '') ? $user->lang['EMPTY_DRAFT'] : (($draft_subject == '') ? $user->lang['EMPTY_DRAFT_TITLE'] : '')); + } } else { - $template->assign_var('ERROR', ($draft_message == '') ? $user->lang['EMPTY_DRAFT'] : (($draft_subject == '') ? $user->lang['EMPTY_DRAFT_TITLE'] : '')); + $template->assign_var('ERROR', $user->lang['FORM_INVALID']); } } diff --git a/phpBB/includes/ucp/ucp_pm_compose.php b/phpBB/includes/ucp/ucp_pm_compose.php index ae2e367795..a22fc57761 100644 --- a/phpBB/includes/ucp/ucp_pm_compose.php +++ b/phpBB/includes/ucp/ucp_pm_compose.php @@ -25,6 +25,7 @@ function compose_pm($id, $mode, $action) { $action = 'post'; } + add_form_key('ucp_pm_compose'); // Grab only parameters needed here $to_user_id = request_var('u', 0); @@ -532,6 +533,10 @@ function compose_pm($id, $mode, $action) if ($submit || $preview || $refresh) { + if (!check_form_key('ucp_pm_compose')) + { + $error[] = $user->lang['FORM_INVALID']; + } $subject = utf8_normalize_nfc(request_var('subject', '', true)); $message_parser->message = utf8_normalize_nfc(request_var('message', '', true)); diff --git a/phpBB/includes/ucp/ucp_pm_options.php b/phpBB/includes/ucp/ucp_pm_options.php index e4d067115d..429c9e0caa 100644 --- a/phpBB/includes/ucp/ucp_pm_options.php +++ b/phpBB/includes/ucp/ucp_pm_options.php 
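Review bot: `$msg = $user->lang['DRAFTS_DELETED'];` is now assigned even when `sizeof($drafts)` is 0, so a delete submit with no draft ticked reports that drafts were deleted and redirects, whereas the old code only reached the message after the DELETE actually ran. Moving the assignment inside the `if (sizeof($drafts))` block and giving the empty selection its own outcome (a separate lang string, or simply redisplaying the form) restores an accurate message. The `unset($drafts)` that was previously unconditional is now only reached on the success path, which is harmless but worth noting. The enclosing method body continues outside the hunk.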
@@ -17,9 +17,11 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit $redirect_url = append_sid("{$phpbb_root_path}ucp.$phpEx", "i=pm&mode=options"); + add_form_key('ucp_pm_options'); // Change "full folder" setting - what to do if folder is full if (isset($_POST['fullfolder'])) { + check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url); $full_action = request_var('full_action', 0); $set_folder_id = 0; 
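Review bot: The result of `check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url);` in the fullfolder branch is discarded and the fourth (trigger) argument is left at its default, so an invalid or missing token does not stop `$full_action` from being read and applied — this branch stays unprotected while every other branch in this file tests the return value. Judging from the five-argument call in the ucp_register hunk, the third argument appears to be only text appended to a triggered error rather than a redirect, so passing `$redirect_url` there does nothing on its own. Use the form already used in ucp_resend: `if (!check_form_key('ucp_pm_options')) { trigger_error('FORM_INVALID'); }`. The remainder of the fullfolder handling is outside the hunk.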
@@ -60,79 +62,94 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit // Add Folder if (isset($_POST['addfolder'])) { - $folder_name = utf8_normalize_nfc(request_var('foldername', '', true)); - - if ($folder_name) + if (check_form_key('ucp_pm_options')) { - $sql = 'SELECT folder_name - FROM ' . PRIVMSGS_FOLDER_TABLE . " - WHERE folder_name = '" . $db->sql_escape($folder_name) . "' - AND user_id = " . $user->data['user_id']; - $result = $db->sql_query_limit($sql, 1); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + $folder_name = utf8_normalize_nfc(request_var('foldername', '', true)); + $msg = ''; - if ($row) + if ($folder_name) { - trigger_error(sprintf($user->lang['FOLDER_NAME_EXIST'], $folder_name)); - } + $sql = 'SELECT folder_name + FROM ' . PRIVMSGS_FOLDER_TABLE . " + WHERE folder_name = '" . $db->sql_escape($folder_name) . "' + AND user_id = " . $user->data['user_id']; + $result = $db->sql_query_limit($sql, 1); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); - $sql = 'SELECT COUNT(folder_id) as num_folder - FROM ' . PRIVMSGS_FOLDER_TABLE . ' - WHERE user_id = ' . $user->data['user_id']; - $result = $db->sql_query($sql); - $num_folder = (int) $db->sql_fetchfield('num_folder'); - $db->sql_freeresult($result); + if ($row) + { + trigger_error(sprintf($user->lang['FOLDER_NAME_EXIST'], $folder_name)); + } - if ($num_folder >= $config['pm_max_boxes']) - { - trigger_error('MAX_FOLDER_REACHED'); - } + $sql = 'SELECT COUNT(folder_id) as num_folder + FROM ' . PRIVMSGS_FOLDER_TABLE . ' + WHERE user_id = ' . $user->data['user_id']; + $result = $db->sql_query($sql); + $num_folder = (int) $db->sql_fetchfield('num_folder'); + $db->sql_freeresult($result); - $sql = 'INSERT INTO ' . PRIVMSGS_FOLDER_TABLE . ' ' . 
$db->sql_build_array('INSERT', array( - 'user_id' => (int) $user->data['user_id'], - 'folder_name' => $folder_name) - ); - $db->sql_query($sql); + if ($num_folder >= $config['pm_max_boxes']) + { + trigger_error('MAX_FOLDER_REACHED'); + } - $message = $user->lang['FOLDER_ADDED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>'); - meta_refresh(3, $redirect_url); - trigger_error($message); + $sql = 'INSERT INTO ' . PRIVMSGS_FOLDER_TABLE . ' ' . $db->sql_build_array('INSERT', array( + 'user_id' => (int) $user->data['user_id'], + 'folder_name' => $folder_name) + ); + $db->sql_query($sql); + $msg = $user->lang['FOLDER_ADDED']; + } + } + else + { + $msg = $user->lang['FORM_INVALID']; } + $message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>'); + meta_refresh(3, $redirect_url); + trigger_error($message); } // Rename folder if (isset($_POST['rename_folder'])) { - $new_folder_name = utf8_normalize_nfc(request_var('new_folder_name', '', true)); - $rename_folder_id= request_var('rename_folder_id', 0); - - if (!$new_folder_name) + if (check_form_key('ucp_pm_options')) { - trigger_error('NO_NEW_FOLDER_NAME'); - } + $new_folder_name = utf8_normalize_nfc(request_var('new_folder_name', '', true)); + $rename_folder_id= request_var('rename_folder_id', 0); - // Select custom folder - $sql = 'SELECT folder_name, pm_count - FROM ' . PRIVMSGS_FOLDER_TABLE . " - WHERE user_id = {$user->data['user_id']} - AND folder_id = $rename_folder_id"; - $result = $db->sql_query_limit($sql, 1); - $folder_row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + if (!$new_folder_name) + { + trigger_error('NO_NEW_FOLDER_NAME'); + } - if (!$folder_row) - { - trigger_error('CANNOT_RENAME_FOLDER'); - } + // Select custom folder + $sql = 'SELECT folder_name, pm_count + FROM ' . PRIVMSGS_FOLDER_TABLE . 
" + WHERE user_id = {$user->data['user_id']} + AND folder_id = $rename_folder_id"; + $result = $db->sql_query_limit($sql, 1); + $folder_row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); - $sql = 'UPDATE ' . PRIVMSGS_FOLDER_TABLE . " - SET folder_name = '" . $db->sql_escape($new_folder_name) . "' - WHERE folder_id = $rename_folder_id - AND user_id = {$user->data['user_id']}"; - $db->sql_query($sql); + if (!$folder_row) + { + trigger_error('CANNOT_RENAME_FOLDER'); + } - $message = $user->lang['FOLDER_RENAMED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>'); + $sql = 'UPDATE ' . PRIVMSGS_FOLDER_TABLE . " + SET folder_name = '" . $db->sql_escape($new_folder_name) . "' + WHERE folder_id = $rename_folder_id + AND user_id = {$user->data['user_id']}"; + $db->sql_query($sql); + $msg = $user->lang['FOLDER_RENAMED']; + } + else + { + $msg = $user->lang['FORM_INVALID']; + } + $message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>'); meta_refresh(3, $redirect_url); trigger_error($message); } 
@@ -251,60 +268,68 @@ function message_options($id, $mode, $global_privmsgs_rules, $global_rule_condit // Add Rule if (isset($_POST['add_rule'])) { - $check_option = request_var('check_option', 0); - $rule_option = request_var('rule_option', 0); - $cond_option = request_var('cond_option', ''); - $action_option = explode('|', request_var('action_option', '')); - $rule_string = ($cond_option != 'none') ? utf8_normalize_nfc(request_var('rule_string', '', true)) : ''; - $rule_user_id = ($cond_option != 'none') ? request_var('rule_user_id', 0) : 0; - $rule_group_id = ($cond_option != 'none') ? request_var('rule_group_id', 0) : 0; - - $action = (int) $action_option[0]; - $folder_id = (int) $action_option[1]; - - if (!$action || !$check_option || !$rule_option || !$cond_option || ($cond_option != 'none' && !$rule_string)) + if(check_form_key('ucp_pm_options')) { - trigger_error('RULE_NOT_DEFINED'); - } + $check_option = request_var('check_option', 0); + $rule_option = request_var('rule_option', 0); + $cond_option = request_var('cond_option', ''); + $action_option = explode('|', request_var('action_option', '')); + $rule_string = ($cond_option != 'none') ? utf8_normalize_nfc(request_var('rule_string', '', true)) : ''; + $rule_user_id = ($cond_option != 'none') ? request_var('rule_user_id', 0) : 0; + $rule_group_id = ($cond_option != 'none') ? 
request_var('rule_group_id', 0) : 0; + + $action = (int) $action_option[0]; + $folder_id = (int) $action_option[1]; + + if (!$action || !$check_option || !$rule_option || !$cond_option || ($cond_option != 'none' && !$rule_string)) + { + trigger_error('RULE_NOT_DEFINED'); + } - if (($cond_option == 'user' && !$rule_user_id) || ($cond_option == 'group' && !$rule_group_id)) - { - trigger_error('RULE_NOT_DEFINED'); - } + if (($cond_option == 'user' && !$rule_user_id) || ($cond_option == 'group' && !$rule_group_id)) + { + trigger_error('RULE_NOT_DEFINED'); + } - $rule_ary = array( - 'user_id' => $user->data['user_id'], - 'rule_check' => $check_option, - 'rule_connection' => $rule_option, - 'rule_string' => $rule_string, - 'rule_user_id' => $rule_user_id, - 'rule_group_id' => $rule_group_id, - 'rule_action' => $action, - 'rule_folder_id' => $folder_id - ); + $rule_ary = array( + 'user_id' => $user->data['user_id'], + 'rule_check' => $check_option, + 'rule_connection' => $rule_option, + 'rule_string' => $rule_string, + 'rule_user_id' => $rule_user_id, + 'rule_group_id' => $rule_group_id, + 'rule_action' => $action, + 'rule_folder_id' => $folder_id + ); - $sql = 'SELECT rule_id - FROM ' . PRIVMSGS_RULES_TABLE . ' - WHERE ' . $db->sql_build_array('SELECT', $rule_ary); - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + $sql = 'SELECT rule_id + FROM ' . PRIVMSGS_RULES_TABLE . ' + WHERE ' . $db->sql_build_array('SELECT', $rule_ary); + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); - if ($row) - { - trigger_error('RULE_ALREADY_DEFINED'); - } + if ($row) + { + trigger_error('RULE_ALREADY_DEFINED'); + } - $sql = 'INSERT INTO ' . PRIVMSGS_RULES_TABLE . ' ' . $db->sql_build_array('INSERT', $rule_ary); - $db->sql_query($sql); + $sql = 'INSERT INTO ' . PRIVMSGS_RULES_TABLE . ' ' . 
$db->sql_build_array('INSERT', $rule_ary); + $db->sql_query($sql); - // Update users message rules - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_message_rules = 1 - WHERE user_id = ' . $user->data['user_id']; - $db->sql_query($sql); + // Update users message rules + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_message_rules = 1 + WHERE user_id = ' . $user->data['user_id']; + $db->sql_query($sql); - $message = $user->lang['RULE_ADDED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>'); + $msg = $user->lang['RULE_ADDED']; + } + else + { + $msg = $user->lang['FORM_INVALID']; + } + $message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $redirect_url . '">', '</a>'); meta_refresh(3, $redirect_url); trigger_error($message); } diff --git a/phpBB/includes/ucp/ucp_prefs.php b/phpBB/includes/ucp/ucp_prefs.php index b0e8f098c2..445000b4dc 100644 --- a/phpBB/includes/ucp/ucp_prefs.php +++ b/phpBB/includes/ucp/ucp_prefs.php @@ -28,7 +28,7 @@ class ucp_prefs switch ($mode) { case 'personal': - + add_form_key('ucp_prefs_personal'); $data = array( 'notifymethod' => request_var('notifymethod', $user->data['user_notify_type']), 'dateformat' => request_var('dateformat', $user->data['user_dateformat'], true), @@ -55,6 +55,11 @@ class ucp_prefs 'tz' => array('num', false, -14, 14), )); + if (!check_form_key('ucp_prefs_personal')) + { + $error[] = 'FORM_INVALID'; + } + if (!sizeof($error)) { $user->optionset('popuppm', $data['popuppm']); @@ -140,6 +145,8 @@ class ucp_prefs case 'view': + add_form_key('ucp_prefs_view'); + $data = array( 'topic_sk' => request_var('topic_sk', (!empty($user->data['user_topic_sortby_type'])) ? $user->data['user_topic_sortby_type'] : 't'), 'topic_sd' => request_var('topic_sd', (!empty($user->data['user_topic_sortby_dir'])) ? $user->data['user_topic_sortby_dir'] : 'd'), 
@@ -166,6 +173,11 @@ class ucp_prefs 'post_sd' => array('string', false, 1, 1), )); + if (!check_form_key('ucp_prefs_view')) + { + $error[] = 'FORM_INVALID'; + } + if (!sizeof($error)) { $user->optionset('viewimg', $data['images']); @@ -276,25 +288,34 @@ class ucp_prefs 'sig' => request_var('sig', $user->optionget('attachsig')), 'notify' => request_var('notify', $user->data['user_notify']), ); + add_form_key('ucp_prefs_post'); if ($submit) { - $user->optionset('bbcode', $data['bbcode']); - $user->optionset('smilies', $data['smilies']); - $user->optionset('attachsig', $data['sig']); + if (check_form_key('ucp_prefs_post')) + { + $user->optionset('bbcode', $data['bbcode']); + $user->optionset('smilies', $data['smilies']); + $user->optionset('attachsig', $data['sig']); - $sql_ary = array( - 'user_options' => $user->data['user_options'], - 'user_notify' => $data['notify'], - ); + $sql_ary = array( + 'user_options' => $user->data['user_options'], + 'user_notify' => $data['notify'], + ); - $sql = 'UPDATE ' . USERS_TABLE . ' - SET ' . $db->sql_build_array('UPDATE', $sql_ary) . ' - WHERE user_id = ' . $user->data['user_id']; - $db->sql_query($sql); + $sql = 'UPDATE ' . USERS_TABLE . ' + SET ' . $db->sql_build_array('UPDATE', $sql_ary) . ' + WHERE user_id = ' . $user->data['user_id']; + $db->sql_query($sql); + $msg = $user->lang['PREFERENCES_UPDATED']; + } + else + { + $msg = $user->lang['FORM_INVALID']; + } meta_refresh(3, $this->u_action); - $message = $user->lang['PREFERENCES_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>'); + $message = $msg . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>'); trigger_error($message); } diff --git a/phpBB/includes/ucp/ucp_profile.php b/phpBB/includes/ucp/ucp_profile.php index 269c3aad44..45461a56d0 100644 --- a/phpBB/includes/ucp/ucp_profile.php +++ b/phpBB/includes/ucp/ucp_profile.php 
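Review bot: In the `case 'post'` hunk a token failure ends in `meta_refresh(3, $this->u_action)` plus `trigger_error($message)`, discarding what the user submitted, whereas the `personal` and `view` hunks in the same file append `'FORM_INVALID'` to `$error` and redisplay the form with a fresh token. Using `$error[] = 'FORM_INVALID';` here as well (assuming `$error` is in scope in this case, which is outside the hunk) would make the three cases behave alike and let the user resubmit without re-entering the settings. Note also that `personal`/`view` push the bare lang key while `post` uses `$user->lang['FORM_INVALID']`; whether the bare key is localised later for those cases cannot be seen from these hunks. The enclosing switch continues outside the hunk.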
@@ -44,6 +44,8 @@ class ucp_profile 'password_confirm' => request_var('password_confirm', '', true), ); + add_form_key('ucp_reg_details'); + if ($submit) { // Do not check cur_password, it is the old one. @@ -89,6 +91,11 @@ class ucp_profile $error[] = 'NEW_EMAIL_ERROR'; } + if (!check_form_key('ucp_reg_details')) + { + $error[] = 'FORM_INVALID'; + } + if (!sizeof($error)) { $sql_ary = array( @@ -224,7 +231,7 @@ class ucp_profile trigger_error($message); } - + // Replace "error" strings with their real, localised form $error = preg_replace('#^([A-Z_]+)$#e', "(!empty(\$user->lang['\\1'])) ? \$user->lang['\\1'] : '\\1'", $error); } @@ -282,6 +289,8 @@ class ucp_profile $data['bday_year'] = request_var('bday_year', $data['bday_year']); } + add_form_key('ucp_profile_info'); + if ($submit) { $validate_array = array( @@ -321,6 +330,11 @@ class ucp_profile $error = array_merge($error, $cp_error); } + if (!check_form_key('ucp_profile_info')) + { + $error[] = 'FORM_INVALID'; + } + if (!sizeof($error)) { $sql_ary = array( @@ -446,6 +460,8 @@ class ucp_profile $signature = utf8_normalize_nfc(request_var('signature', (string) $user->data['user_sig'], true)); + add_form_key('ucp_sig'); + if ($submit || $preview) { include($phpbb_root_path . 'includes/message_parser.' . $phpEx); @@ -462,6 +478,11 @@ class ucp_profile $error[] = implode('<br />', $message_parser->warn_msg); } + if (!check_form_key('ucp_sig')) + { + $error[] = 'FORM_INVALID'; + } + if (!sizeof($error) && $submit) { $sql_ary = array( @@ -517,7 +538,7 @@ class ucp_profile 'S_BBCODE_FLASH' => ($config['allow_sig_flash']) ? true : false, 'S_LINKS_ALLOWED' => ($config['allow_sig_links']) ? true : false) ); - + // Build custom bbcodes array display_custom_bbcodes(); 
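Review bot: In the reg_details hunk the `check_form_key('ucp_reg_details')` test is appended after the other validation steps, so a request with a forged or missing token still runs every preceding check (the email validation that sets `NEW_EMAIL_ERROR` is visible just above it) before being rejected; the `ucp_profile_info` and `ucp_sig` hunks use the same ordering. Since the token decides whether the request should be processed at all, placing `if (!check_form_key('ucp_reg_details')) { $error[] = 'FORM_INVALID'; }` at the top of the `if ($submit)` block (assuming `$error` is initialised before it, which is outside the hunk) rejects such requests before any lookups run. The outcome is otherwise unchanged because `if (!sizeof($error))` already gates the write. The enclosing method bodies continue outside these hunks.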
@@ -533,15 +554,23 @@ class ucp_profile $can_upload = ($config['allow_avatar_upload'] && file_exists($phpbb_root_path . $config['avatar_path']) && @is_writable($phpbb_root_path . $config['avatar_path']) && $auth->acl_get('u_chgavatar') && (@ini_get('file_uploads') || strtolower(@ini_get('file_uploads')) == 'on')) ? true : false; + add_form_key('ucp_avatar'); + if ($submit) { - if (avatar_process_user($error)) + if (check_form_key('ucp_avatar')) { - meta_refresh(3, $this->u_action); - $message = $user->lang['PROFILE_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>'); - trigger_error($message); + if (avatar_process_user($error)) + { + meta_refresh(3, $this->u_action); + $message = $user->lang['PROFILE_UPDATED'] . '<br /><br />' . sprintf($user->lang['RETURN_UCP'], '<a href="' . $this->u_action . '">', '</a>'); + trigger_error($message); + } + } + else + { + $error[] = 'FORM_INVALID'; } - // Replace "error" strings with their real, localised form $error = preg_replace('#^([A-Z_]+)$#e', "(!empty(\$user->lang['\\1'])) ? \$user->lang['\\1'] : '\\1'", $error); } diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php index 6f133a9ed4..f321eb5b25 100644 --- a/phpBB/includes/ucp/ucp_register.php +++ b/phpBB/includes/ucp/ucp_register.php @@ -36,6 +36,16 @@ class ucp_register $change_lang = request_var('change_lang', ''); $user_lang = request_var('lang', $user->lang_name); + add_form_key('ucp_register'); + + // not so fast, buddy + if (($submit && !check_form_key('ucp_register', false, '', false, 5)) + || (!$submit && !check_form_key('ucp_register', false, '', false, 1))) + { + $agreed = false; + } + + if ($change_lang || $user_lang != $config['default_lang']) { $use_lang = ($change_lang) ? basename($change_lang) : basename($user_lang); 
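Review bot: In the ucp_register hunk a failed `check_form_key` only sets `$agreed = false`, which returns the visitor to the agreement screen with no indication of why — a legitimate user whose token expired, or who submitted faster than the minimum allowed, sees the same page again without any `FORM_INVALID` message. The hard-coded `5` and `1` passed as the fifth argument are documented only by `// not so fast, buddy`; if that argument is the minimum age of the form in seconds, as the comment suggests, a comment such as `// Reject posts made less than 5 s (submit) / 1 s (other) after the form was rendered by treating them as not agreed` would record the intent. Consider surfacing the failure to the user (e.g. through `$error[]`, if that array is in scope here) rather than silently resetting `$agreed`. The enclosing method continues outside the hunk.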
@@ -122,6 +132,7 @@ class ucp_register return; } + // Try to manually determine the timezone and adjust the dst if the server date/time complies with the default setting +/- 1 $timezone = date('Z') / 3600; $is_dst = date('I'); diff --git a/phpBB/includes/ucp/ucp_resend.php b/phpBB/includes/ucp/ucp_resend.php index 1e424fb7cc..edd372333e 100644 --- a/phpBB/includes/ucp/ucp_resend.php +++ b/phpBB/includes/ucp/ucp_resend.php @@ -26,8 +26,15 @@ class ucp_resend $email = strtolower(request_var('email', '')); $submit = (isset($_POST['submit'])) ? true : false; + add_form_key('ucp_resend'); + if ($submit) { + if (!check_form_key('ucp_resend')) + { + trigger_error('FORM_INVALID'); + } + $sql = 'SELECT user_id, group_id, username, user_email, user_type, user_lang, user_actkey, user_inactive_reason FROM ' . USERS_TABLE . " WHERE user_email = '" . $db->sql_escape($email) . "' |