Changeset 253 for trunk/client
- Timestamp:
- Mar 12, 2018, 8:53:21 PM (7 years ago)
- Location:
- trunk/client
- Files:
-
- 1 added
- 9 edited
trunk/client/inc/csrf-magic/csrf-magic.php
r153 r253 54 54 */ 55 55 $GLOBALS['csrf']['secret'] = ''; 56 // nota bene: library code should use csrf_get_secret() and not access 57 // this global directly 56 58 57 59 /** … … 130 132 131 133 // Don't edit this! 132 $GLOBALS['csrf']['version'] = '1.0. 1';134 $GLOBALS['csrf']['version'] = '1.0.4'; 133 135 134 136 /** … … 152 154 $name = $GLOBALS['csrf']['input-name']; 153 155 $endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : ''; 154 $input = " \n<div><input type='hidden' name='$name' value=\"$tokens\"$endslash></div>";156 $input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>"; 155 157 $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer); 156 158 if ($GLOBALS['csrf']['frame-breaker']) { … … 216 218 if (!$has_cookies && $secret) { 217 219 // :TODO: Harden this against proxy-spoofing attacks 218 $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']); 220 $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']); 221 $ip = ';ip:' . csrf_hash($IP_ADDRESS); 219 222 } else { 220 223 $ip = ''; … … 241 244 } 242 245 246 function csrf_flattenpost($data) { 247 $ret = array(); 248 foreach($data as $n => $v) { 249 $ret = array_merge($ret, csrf_flattenpost2(1, $n, $v)); 250 } 251 return $ret; 252 } 253 function csrf_flattenpost2($level, $key, $data) { 254 if(!is_array($data)) return array($key => $data); 255 $ret = array(); 256 foreach($data as $n => $v) { 257 $nk = $level >= 1 ? $key."[$n]" : "[$n]"; 258 $ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v)); 259 } 260 return $ret; 261 } 262 243 263 /** 244 264 * @param $tokens is safe for HTML consumption 245 265 */ 246 266 function csrf_callback($tokens) { 267 // (yes, $tokens is safe to echo without escaping) 247 268 header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden'); 248 echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed. 
Please enable cookies.<br />Debug: ".$tokens."</body></html> 269 $data = ''; 270 foreach (csrf_flattenpost($_POST) as $key => $value) { 271 if ($key == $GLOBALS['csrf']['input-name']) continue; 272 $data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />'; 273 } 274 echo "<html><head><title>CSRF check failed</title></head> 275 <body> 276 <p>CSRF check failed. Your form session may have expired, or you may not have 277 cookies enabled.</p> 278 <form method='post' action=''>$data<input type='submit' value='Try again' /></form> 279 <p>Debug: $tokens</p></body></html> 249 280 "; 250 281 } … … 298 329 if (!empty($_COOKIE)) return false; 299 330 if (!$GLOBALS['csrf']['allow-ip']) return false; 300 return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time); 331 $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']); 332 return $value === csrf_hash($IP_ADDRESS, $time); 301 333 } 302 334 return false; … … 328 360 function csrf_get_secret() { 329 361 if ($GLOBALS['csrf']['secret']) return $GLOBALS['csrf']['secret']; 330 // secret by db l.apolito331 global $prefix,$dbi;332 # crea campo secret nella tabella _config se non esiste333 $campo= mysql_query("SHOW COLUMNS FROM ".$prefix."_config LIKE 'secret' ",$dbi);334 $esiste=mysql_num_rows($campo);335 if ($esiste==0) {336 $result=mysql_query("ALTER TABLE ".$prefix."_config ADD secret VARCHAR(30);",$dbi);337 }338 339 $res_secret = mysql_query("SELECT * FROM ".$prefix."_config" , $dbi);340 $row = mysql_fetch_array($res_secret);341 $secret = $row['secret'];342 if (isset($secret)){ return $secret;343 344 }else{345 $secret = csrf_generate_secret();346 mysql_query("UPDATE ".$prefix."_config SET secret='$secret'" , $dbi);347 return $secret;348 }349 return '';350 351 352 /* nel caso di registrazione del file353 362 $dir = dirname(__FILE__); 354 363 $file = $dir . 
'/csrf-secret.php'; … … 358 367 return $secret; 359 368 } 360 361 369 if (is_writable($dir)) { 362 370 $secret = csrf_generate_secret(); … … 367 375 } 368 376 return ''; 369 */370 377 } 371 378 … … 375 382 function csrf_generate_secret($len = 32) { 376 383 $r = ''; 377 for ($i = 0; $i < 32; $i++) {384 for ($i = 0; $i < $len; $i++) { 378 385 $r .= chr(mt_rand(0, 255)); 379 386 } … … 388 395 function csrf_hash($value, $time = null) { 389 396 if (!$time) $time = time(); 390 return sha1( $GLOBALS['csrf']['secret']. $value . $time) . ',' . $time;397 return sha1(csrf_get_secret() . $value . $time) . ',' . $time; 391 398 } 392 399 -
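Review bot: The generator loop at csrf-magic.php line 384 now honours `$len`, but each byte still comes from `chr(mt_rand(0, 255))`, which is not a cryptographically secure source, and csrf_get_secret now writes that value to csrf-secret.php where it becomes the long-lived install secret feeding every `csrf_hash()`. Replacing the loop body with `$r = random_bytes($len);` (PHP 7+; `openssl_random_pseudo_bytes($len)` on older PHP) keeps the signature and byte length while fixing the entropy source. The `:TODO: Harden this against proxy-spoofing attacks` comment at line 219 still applies to the new `$IP_ADDRESS` fallback at line 220: `REMOTE_ADDR` is the TCP peer, so behind a reverse proxy every client shares one value and the ip-bound token degenerates; the comment should say so. csrf_get_secret and csrf_generate_secret both begin and end outside the visible hunk lines.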
trunk/client/modules.php
r241 r253 99 99 100 100 101 102 101 $dbi = new PDO("mysql:host=$dbhost;charset=latin1", $dbuname, $dbpass, array(PDO::ATTR_EMULATE_PREPARES => false, 102 PDO::ATTR_ERRMODE=>PDO::ERRMODE_EXCEPTION)); 103 $sql = "use $dbname"; 104 $dbi->exec($sql); 105 106 /* 103 107 104 108 if(!$dbi = mysql_connect($dbhost, $dbuname, $dbpass)){ … … 110 114 } 111 115 mysql_query("SET NAMES 'utf8'", $dbi); 112 116 */ 113 117 # protezione csrf ottobre 2012 - by l.apolito 114 118 if (file_exists("inc/csrf-magic/csrf-magic.php")) { … … 122 126 123 127 # carica i parametri di default sulla tabella 124 $res = mysql_query("SELECT * FROM ".$prefix."_config" , $dbi); 125 $row = mysql_fetch_array($res); 128 $sql = $dbi->prepare("SELECT * FROM ".$prefix."_config"); 129 $sql->execute(); 130 while($riga = $sql->fetchAll(PDO::FETCH_ASSOC)){$row=$riga[0]; 126 131 $sitename = stripslashes($row['sitename']); 127 132 $siteurl = $row['siteurl']; … … 146 151 $ed_user = $row['ed_user']; 147 152 #tema mobile 148 153 } 149 154 150 155 151 156 152 157 # altre config 153 $res = mysql_query("SELECT * FROM ".$prefix."_ele_comuni where id_comune='$siteistat' ", $dbi); 154 $row = mysql_fetch_array($res); 158 $sql = $dbi->prepare("SELECT * FROM ".$prefix."_ele_comuni where id_comune='$siteistat' "); 159 $sql->execute(); 160 $riga = $sql->fetchAll(PDO::FETCH_ASSOC); 161 $row=$riga[0]; 155 162 $id_cons_pred = intval($row['id_cons']); 156 163 if($id_cons_pred=='0')$id_cons_pred=''; 157 164 if(!isset($id_cons_gen)) $id_cons_gen=$id_cons_pred; 158 165 # carica il metodo d'hontd 159 $res = mysql_query("SELECT * FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_gen' ", $dbi); 160 $row = mysql_fetch_array($res); 161 162 163 166 ##$sql = $dbi->prepare("SELECT * FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_gen' "); 167 ##$sql->execute(); 164 168 165 169 $param=strip_tags(strtolower($_SERVER['REQUEST_METHOD'])) == 'get' ? 
$_GET : $_POST; … … 170 174 $id_cons_bak=intval($param['id_cons_gen']); 171 175 if (isset($param['id_comune'])) $id_combak=intval($param['id_comune']); else $id_combak=$_SESSION['id_comune']; 172 $res = mysql_query("SELECT id_cons,id_conf FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_bak' and id_comune='$id_combak'" , $dbi); 173 list($id_cons,$hondt) = mysql_fetch_row($res); 176 $sql = $dbi->prepare("SELECT id_cons,id_conf FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_bak' and id_comune='$id_combak'"); 177 $sql->execute(); 178 $row = $sql->fetchAll(PDO::FETCH_ASSOC); 179 $id_cons=$row[1];$hondt=$row[2]; 174 180 175 181 // incluso in consiglieri.php, ma io carico le vecchie variabili per compatibilit'a all'indietro 176 182 if($hondt>=1){ 177 183 # proiezione consiglio 178 $r es = mysql_query("SELECT * FROM ".$prefix."_ele_conf where id_conf='$hondt'", $dbi);179 $row = mysql_fetch_array($res);184 $row = $dbi->exec("SELECT * FROM ".$prefix."_ele_conf where id_conf='$hondt'"); 185 180 186 $descrizione_consiglio = $row['descrizione']; 181 187 $LIMITE = intval($row['limite']); -
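Review bot: `$row = $sql->fetchAll(PDO::FETCH_ASSOC); $id_cons=$row[1];$hondt=$row[2];` at modules.php lines 178-179 indexes result rows, not columns: fetchAll returns a list of associative rows, so `$row[1]` is the second row (normally absent) and both variables end up null, making the `if($hondt>=1)` branch dead. Line 184 has the same class of mistake, since `PDO::exec` returns an affected-row count and `$row['descrizione']` at line 186 then reads an integer. Both sites should use prepare/execute with bound placeholders and `fetch(PDO::FETCH_ASSOC)`, which also restores the point of `ATTR_EMULATE_PREPARES => false` that the string-interpolated queries at lines 128, 158 and 176 currently bypass. The `while($riga = $sql->fetchAll(...))` loop at line 130 only terminates because the second fetchAll call returns an empty array; a single `fetch()` says what is meant. The bootstrap continues outside the hunk.
```php
$sql = $dbi->prepare("SELECT id_cons,id_conf FROM ".$prefix."_ele_cons_comune where id_cons_gen=? and id_comune=?");
$sql->execute(array($id_cons_bak, $id_combak));
$row = $sql->fetch(PDO::FETCH_ASSOC);
$id_cons = $row ? $row['id_cons'] : null;
$hondt = $row ? $row['id_conf'] : null;
// … unchanged: backward-compatibility comment …
if($hondt>=1){
    # proiezione consiglio
    $sql = $dbi->prepare("SELECT * FROM ".$prefix."_ele_conf where id_conf=?");
    $sql->execute(array($hondt));
    $row = $sql->fetch(PDO::FETCH_ASSOC);
    // … unchanged: $descrizione_consiglio / $LIMITE assignments …
```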
trunk/client/modules/Elezioni/grafici.php
r229 r253 11 11 die ("You can't access this file directly..."); 12 12 } 13 14 include "pdoquery.php"; 15 $res=tipocons(); 16 $descr_cons=$res[1];$tipo_cons=$res[2];$genere=$res[3];$votog=$res[4];$votol=$res[5];$votoc=$res[6];$circo=$res[7]; 17 die("SELECT t1.descrizione, t1.tipo_cons,t2.genere, t2.voto_g, t2.voto_l, t2.voto_c, t2.circo ($descr_cons,$tipo_cons,$genere,$votog,$votol,$votoc,$circo)"); 13 18 14 19 … … 657 662 658 663 function graf_candidato(){ 659 global $ bgcolor1, $bgcolor5,$bgcolor5, $prefix, $dbi, $offset, $min,$descr_cons, $id_cons,$tipo_cons,$copy,$id_comune,$id_istat,$genere,$votog,$votol,$votoc,$circo,$siteistat;664 global $descr_com, $bgcolor1, $bgcolor5,$bgcolor5, $prefix, $dbi, $offset, $min,$descr_cons, $id_cons,$tipo_cons,$copy,$id_comune,$id_istat,$genere,$votog,$votol,$votoc,$circo,$siteistat; 660 665 661 666 $logo=verificasimbolo(); // carica_logo da funzioni.php … … 700 705 while (list($id_lista,$id_cand,$nome,$cognome,$voti) = mysql_fetch_row($res)){ 701 706 $candidato[$i]=$cognome; 702 $pro[$i]=number_format($voti*100/$tot,2);707 if ($tot) $pro[$i]=number_format($voti*100/$tot,2); else $pro[$i]=0; 703 708 // sviluppo tabella dati 704 709 $e=$i+1; -
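Review bot: The `die("SELECT t1.descrizione, ... ($descr_cons,$tipo_cons,...)")` at grafici.php line 17 is a leftover debug trap: it terminates every request that includes this file right after `tipocons()` returns and prints the consultation parameters to the client, so no chart can ever be rendered after this commit. Remove the line rather than gating it. The positional unpacking `$descr_cons=$res[1];$tipo_cons=$res[2];…` at line 16 presumably relies on `tipocons()` in pdoquery.php returning a 1-based list in the column order the die string lists, which is not visible here; a comment such as `// tipocons(): [1=>descrizione, 2=>tipo_cons, 3=>genere, 4=>voto_g, 5=>voto_l, 6=>voto_c, 7=>circo]` would make that contract explicit. The division guard at line 707 is fine; the duplicated `$bgcolor5` in the `global` list at line 664 is harmless but worth dropping. graf_candidato starts inside the hunk and ends outside it.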
trunk/client/modules/Elezioni/gruppo.php
r225 r253 638 638 $voticompl=$sevaltot+$senultot+$sebiatot+$secontot+$sevnutot; 639 639 $resvt = mysql_query("SELECT voti from ".$prefix."_ele_voti_$tab15 where id_cons='$id_cons'",$dbi); 640 list($votlt)=mysql_fetch_row($resvt);640 if($resvt) list($votlt)=mysql_fetch_row($resvt); else $votlt=0; 641 641 $temp3=arrayperc($tempar,$sevaltot); 642 642 while (list($key,$voti)= each($temp)) { … … 680 680 }else{ 681 681 $res_lis = mysql_query("SELECT id_gruppo, descrizione,num_gruppo from ".$prefix."_ele_gruppo where id_cons=$id_cons order by num_gruppo",$dbi); 682 $numliste=mysql_num_rows($res_lis);682 if($res_lis) $numliste=mysql_num_rows($res_lis); else $numliste=0; 683 683 684 684 if (!isset($offset)) $offset=10; … … 695 695 echo "<input type=\"hidden\" name=\"id_comune\" value=\"$id_comune\"></input>"; 696 696 echo ""._SCELTA." "._CONSULTAZIONE.": <select name=\"id_gruppo\">"; 697 while(list($id_rif,$descrizione,$num_lis) = mysql_fetch_row($res_lis)) { 697 if($res_lis) 698 while(list($id_rif,$descrizione,$num_lis) = mysql_fetch_row($res_lis)) { 698 699 if (!$id_gruppo) $id_gruppo=$id_rif; 699 700 $sel = ($id_rif == $id_gruppo) ? 
"selected=\"selected\"" : ""; … … 701 702 for ($j=strlen($num_lis);$j<2;$j++) { echo " ";} 702 703 echo $num_lis.") ".strip_tags(substr($descrizione,0,50))."</option>"; 703 }704 } 704 705 echo "</select>"; 705 706 echo "<br />"._VIS_PERC.": <input type=\"checkbox\" name=\"perc\" value=\"true\""; … … 724 725 order by $tab3, t1.num_gruppo 725 726 ", $dbi); 726 $num_sez=mysql_num_rows($res);727 list($num_gruppo,$descr)= mysql_fetch_row($res_ref);727 if($res) $num_sez=mysql_num_rows($res); else $num_sez=0; 728 if($res_ref) list($num_gruppo,$descr)= mysql_fetch_row($res_ref); else {$num_gruppo=0;$descr='';} 728 729 729 730 if (!$csv){ … … 811 812 $ar[0][5]=_BIANCHI; 812 813 $ar[0][6]=_CONTESTATI; 813 814 while (list($num_gruppo,$desc_ref) = mysql_fetch_row($res_ref)){814 if($res_ref) 815 while (list($num_gruppo,$desc_ref) = mysql_fetch_row($res_ref)){ 815 816 $ar[0][$i++]= $num_gruppo.") ".$desc_ref; 816 817 $ar[1][$y++]= "SI"; 817 818 $ar[1][$y++]= "NO"; 818 }819 } 819 820 $num_sez++; 820 821 $tot_si=0; … … 824 825 $tot_bi=0; 825 826 $tot_co=0; 826 while (list($num_circ,$desc_circ,$num_gruppo,$desc_ref,$simbolo,$si,$no,$validi,$nulli,$bianchi, $contestati) = mysql_fetch_row($res)){ 827 if($res) 828 while (list($num_circ,$desc_circ,$num_gruppo,$desc_ref,$simbolo,$si,$no,$validi,$nulli,$bianchi, $contestati) = mysql_fetch_row($res)){ 827 829 $i=1; 828 830 $votanti=$validi+$nulli+$bianchi+$contestati; … … 852 854 $ar[$num_circ][$i++]= $perc=='true' ? $contestati."<br /><span class=\"red\"><i>0.00%</i></span>":$contestati; 853 855 } 854 }856 } 855 857 $i=1; 856 858 $tot_vo=$tot_va+$tot_nu+$tot_bi+$tot_co; -
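Review bot: `if($resvt) list($votlt)=mysql_fetch_row($resvt); else $votlt=0;` at gruppo.php line 640 only covers a failed query; when the query succeeds with zero rows `mysql_fetch_row` returns false and `list()` leaves `$votlt` null, so the `0` fallback does not apply in the case it was presumably added for (same shape at lines 727-728). A false result here also means an SQL error that the guard now hides; logging `mysql_error($dbi)` in the else branch would keep the failure visible. The queries behind these guards still interpolate `$id_cons` unescaped (line 681, context), so at minimum `intval($id_cons)` belongs there. The brace-less `if($res_lis) while(...)` at lines 697-698 and 814-815 is easy to misread; wrapping the loop in braces makes the guard's scope clear. The enclosing functions begin before and end after the visible hunks.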
trunk/client/modules/Elezioni/index.php
r241 r253 15 15 $_GET : $_POST; 16 16 17 17 include("pdoquery.php"); 18 18 if (isset($param['rss'])) $rss=intval($param['rss']); else $rss='0'; 19 19 if (isset($param['xls'])) $xls=intval($param['xls']); else $xls='0'; … … 24 24 if (isset($param['id_cons_gen'])) $id_cons_gen=intval($param['id_cons_gen']); else 25 25 { 26 $res = mysql_query("SELECT id_cons FROM ".$prefix."_ele_comuni where id_comune='$id_comune' ", $dbi); 27 list($id_cons_pred)=mysql_fetch_row($res); 28 $res = mysql_query("SELECT id_cons_gen FROM ".$prefix."_ele_cons_comune where id_cons='$id_cons_pred' ", $dbi); 29 list($id_cons_gen)=mysql_fetch_row($res); 26 $id_cons_gen=dbpredefinita(); 27 30 28 } 31 29 if (isset($param['op'])) $op=$param['op']; else $op=''; … … 62 60 $ordine=htmlentities($ordine); 63 61 64 $ res = mysql_query("SELECT id_conf FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_gen' and id_comune='$id_comune'" , $dbi);65 list($hondt) = mysql_fetch_row($res); 66 67 $sql = "SELECT t3.genere,t1.tipo_cons,t1.descrizione,t2.id_cons_gen FROM ".$prefix."_ele_consultazione as t1, ".$prefix."_ele_cons_comune as t2, ".$prefix."_ele_tipo as t3 where t1.tipo_cons=t3.tipo_cons and t2.id_comune=$id_comune and t1.id_cons_gen=t2.id_cons_gen and t2.id_cons_gen='$id_cons_gen' and t2.chiusa!='2' "; 68 $ res = mysql_query("$sql",$dbi);69 $t ot=mysql_num_rows($res);70 if ($tot>0 and $id_cons_gen>0) { 71 $sql = "SELECT t3.genere,t1.tipo_cons,t1.descrizione,t2.id_cons_gen FROM ".$prefix."_ele_consultazione as t1, ".$prefix."_ele_cons_comune as t2, ".$prefix."_ele_tipo as t3 where t1.tipo_cons=t3.tipo_cons and t2.id_comune=$id_comune and t1.id_cons_gen=t2.id_cons_gen and t2.id_cons_gen='$id_cons_gen' and t2.chiusa!='2'";72 }else{ 73 $sql = "SELECT t3.genere,t1.tipo_cons,t1.descrizione,t2.id_cons_gen FROM ".$prefix."_ele_consultazione as t1, ".$prefix."_ele_cons_comune as t2, ".$prefix."_ele_tipo as t3 where t1.tipo_cons=t3.tipo_cons and t2.id_comune=$id_comune and t1.id_cons_gen=t2.id_cons_gen 
and t2.chiusa!='2' order by t1.data_fine desc limit 0,1 "; 74 } 75 $res = mysql_query("$sql",$dbi); 76 if ($res) list($genere,$tipo_cons,$descr_cons,$id_cons_gen) = mysql_fetch_row($res); 62 $hondt = dbvalorehondt(); 63 64 $res=dbselectcons(); 65 66 $genere=$res['genere']; 67 $tipo_cons=$res['tipo_cons']; 68 $descr_cons=$res['descrizione']; 69 $id_cons_gen=$res['id_cons_gen']; 70 echo "descr:$descr_cons"; 71 72 73 74 ########## 77 75 78 76 if ($tipo_cons!=3) $limite=0; -
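Review bot: `echo "descr:$descr_cons";` at index.php line 70 is leftover debug output emitted before any of the module's real response, including the `$rss`/`$xls` variants selected at lines 18-19, and `$descr_cons` is printed straight from the database without escaping; remove the line. The values of `dbpredefinita()`, `dbvalorehondt()` and `dbselectcons()` (defined in pdoquery.php, not visible here) are used unchecked, whereas the replaced code had `if ($res) list(...)`; if `dbselectcons()` returns false or an empty array, lines 66-69 raise notices and leave `$tipo_cons` null, so a guard like `if (!$res) { /* no open consultation */ }` should come back. `##########` at line 74 reads as a placeholder; a sentence saying the query now lives in pdoquery.php would be more useful.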
trunk/client/modules/Elezioni/language/lang-it.php
r230 r253 272 272 //global $tipo_cons; 273 273 switch ($tipo_cons){ 274 case '': 275 define("_CONSULTAZIONE","Consultazione"); 276 break; 274 277 case 1: 275 278 define("_SCELTA_CIR","Scegli la Circoscrizione"); -
trunk/client/temi/Futura2/config.php
r249 r253 6 6 # devisualizz errori 7 7 ini_set('display_errors','0'); 8 8 if(isset($_POST['rss'])) {$rss=intval($_POST['rss']);} 9 9 # verifica cambiamento colore 10 10 # usata variabile rss gia esistente … … 14 14 elseif($rss==4){$colortheme="d";$_SESSION['colortheme']=$colortheme;} 15 15 elseif($rss==5){$colortheme="e";$_SESSION['colortheme']=$colortheme;} 16 elseif($rss==6){$colortheme="f";$_SESSION['colortheme']=$colortheme;} 16 elseif($rss==6) {$colortheme="f";$_SESSION['colortheme']=$colortheme;} 17 18 $defcolortheme='f'; 19 if (isset($_SESSION['colortheme'])) $colortheme=$_SESSION['colortheme']; else $colortheme=$defcolortheme; 20 #elseif($rss==6){$colortheme="f";$_SESSION['colortheme']=$colortheme;} 21 22 #colori 23 #f=arancio;e=azzurro-grigio;d=verde;c=rosso;b=azzurro;a=grigio 17 24 18 25 # verifica se arriva dalle app iphone e android -
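Review bot: Line 20 of config.php, `#elseif($rss==6){...}`, is commented-out code duplicating line 16; delete it rather than keep it. Line 19 now makes `$colortheme` always come from the session with `'f'` as the default, which silently replaces the `"c"` fallback that the theme's index.php used to apply; a comment next to `$defcolortheme='f';`, e.g. `# colour used when the session holds no choice (was "c" in index.php before r253)`, would record that. The colour legend on line 23 is useful; placing it above the `$rss` chain at line 11, where the values are assigned, would help more. The `elseif($rss==N)` chain starts before this hunk.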
trunk/client/temi/Futura2/index.php
r251 r253 12 12 13 13 # colore tema mobile 14 15 14 16 include("temi/$tema/config.php"); 15 $colortheme=$_SESSION['colortheme']; 16 if($colortheme=='')$colortheme="c";17 18 #if($colortheme=='')$colortheme="c"; 17 19 # descrizione comune 18 20 if(!$id_comune or $id_comune=='') $id_comune=$siteistat; -
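Review bot: Line 18 of Futura2/index.php, `#if($colortheme=='')$colortheme="c";`, is commented-out code left behind after the session lookup moved into config.php; delete it, since config.php now supplies both the value and its default. The fallback colour changes from `"c"` to `'f'` with this move, which is a visible behaviour change worth a line in the changeset description.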
trunk/client/versione.php
r252 r253 1 1 <?php 2 2 3 $versione = "2.0 rev 25 2";3 $versione = "2.0 rev 253"; 4 4 $version_number = $versione; 5 $version = "Eleonline $version_number (<i>Data Release: 1 6 aprile 2016</i>)";5 $version = "Eleonline $version_number (<i>Data Release: 15 aprile 2017</i>)"; 6 6 7 7