Changeset 253 for trunk/client

Timestamp:

Mar 12, 2018, 8:53:21 PM (6 years ago)

Author:

roby

Message:

 

Location:

trunk/client

Files:

• inc/csrf-magic/csrf-magic.php (modified) (11 diffs)
• modules.php (modified) (5 diffs)
• modules/Elezioni/grafici.php (modified) (3 diffs)
• modules/Elezioni/gruppo.php (modified) (8 diffs)
• modules/Elezioni/index.php (modified) (3 diffs)
• modules/Elezioni/language/lang-it.php (modified) (1 diff)
• temi/Futura2/config.php (modified) (2 diffs)
• temi/Futura2/index.php (modified) (1 diff)
• temi/Futura2/style.css (added)
• versione.php (modified) (1 diff)

trunk/client/inc/csrf-magic/csrf-magic.php

@@ -54 +54 @@
  */
 $GLOBALS['csrf']['secret'] = '';
+// nota bene: library code should use csrf_get_secret() and not access
+// this global directly
 
 /**
@@ -130 +132 @@
 
 // Don't edit this!
-$GLOBALS['csrf']['version'] = '1.0.1';
+$GLOBALS['csrf']['version'] = '1.0.4';
 
 /**
@@ -152 +154 @@
     $name = $GLOBALS['csrf']['input-name'];
     $endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : '';
-    $input = "\n<div><input type='hidden' name='$name' value=\"$tokens\"$endslash></div>";
+    $input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>";
     $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
     if ($GLOBALS['csrf']['frame-breaker']) {
@@ -216 +218 @@
     if (!$has_cookies && $secret) {
         // :TODO: Harden this against proxy-spoofing attacks
-        $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+        $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+        $ip = ';ip:' . csrf_hash($IP_ADDRESS);
     } else {
         $ip = '';
@@ -241 +244 @@
 }
 
+function csrf_flattenpost($data) {
+    $ret = array();
+    foreach($data as $n => $v) {
+        $ret = array_merge($ret, csrf_flattenpost2(1, $n, $v));
+    }
+    return $ret;
+}
+function csrf_flattenpost2($level, $key, $data) {
+    if(!is_array($data)) return array($key => $data);
+    $ret = array();
+    foreach($data as $n => $v) {
+        $nk = $level >= 1 ? $key."[$n]" : "[$n]";
+        $ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v));
+    }
+    return $ret;
+}
+
 /**
  * @param $tokens is safe for HTML consumption
  */
 function csrf_callback($tokens) {
+    // (yes, $tokens is safe to echo without escaping)
     header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
-    echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed. Please enable cookies.<br />Debug: ".$tokens."</body></html>
+    $data = '';
+    foreach (csrf_flattenpost($_POST) as $key => $value) {
+        if ($key == $GLOBALS['csrf']['input-name']) continue;
+        $data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />';
+    }
+    echo "<html><head><title>CSRF check failed</title></head>
+        <body>
+        <p>CSRF check failed. Your form session may have expired, or you may not have
+        cookies enabled.</p>
+        <form method='post' action=''>$data<input type='submit' value='Try again' /></form>
+        <p>Debug: $tokens</p></body></html>
 ";
 }
@@ -298 +329 @@
             if (!empty($_COOKIE)) return false;
             if (!$GLOBALS['csrf']['allow-ip']) return false;
-            return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
+            $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+            return $value === csrf_hash($IP_ADDRESS, $time);
     }
     return false;
@@ -328 +360 @@
 function csrf_get_secret() {
     if ($GLOBALS['csrf']['secret']) return $GLOBALS['csrf']['secret'];
-    // secret by db l.apolito
-    global $prefix,$dbi;
-    # crea campo secret nella tabella _config se non esiste             
-    $campo= mysql_query("SHOW COLUMNS FROM ".$prefix."_config LIKE 'secret' ",$dbi);
-    $esiste=mysql_num_rows($campo);
-        if ($esiste==0) {
-                $result=mysql_query("ALTER TABLE ".$prefix."_config ADD secret VARCHAR(30);",$dbi);
-        }
-
-    $res_secret =  mysql_query("SELECT * FROM ".$prefix."_config" , $dbi);
-    $row = mysql_fetch_array($res_secret);
-    $secret = $row['secret'];   
-    if (isset($secret)){ return $secret;
-
-    }else{
-        $secret = csrf_generate_secret();
-        mysql_query("UPDATE ".$prefix."_config SET secret='$secret'" , $dbi);
-        return $secret;
-    }
-         return '';
-
-        
-    /* nel caso di registrazione del file                               
     $dir = dirname(__FILE__);
     $file = $dir . '/csrf-secret.php';
@@ -358 +367 @@
         return $secret;
     }
-        
     if (is_writable($dir)) {
         $secret = csrf_generate_secret();
@@ -367 +375 @@
     }
     return '';
-    */  
 }
 
@@ -375 +382 @@
 function csrf_generate_secret($len = 32) {
     $r = '';
-    for ($i = 0; $i < 32; $i++) {
+    for ($i = 0; $i < $len; $i++) {
         $r .= chr(mt_rand(0, 255));
     }
@@ -388 +395 @@
 function csrf_hash($value, $time = null) {
     if (!$time) $time = time();
-    return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
+    return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
 }
 

trunk/client/modules.php

@@ -99 +99 @@
 
 
-
-
+$dbi = new PDO("mysql:host=$dbhost;charset=latin1", $dbuname, $dbpass, array(PDO::ATTR_EMULATE_PREPARES => false, 
+                                                                                                PDO::ATTR_ERRMODE=>PDO::ERRMODE_EXCEPTION));    
+$sql = "use $dbname";
+$dbi->exec($sql);
+
+/*
 
 if(!$dbi = mysql_connect($dbhost, $dbuname, $dbpass)){
@@ -110 +114 @@
 }
 mysql_query("SET NAMES 'utf8'", $dbi);
-
+*/
 # protezione csrf ottobre 2012 - by l.apolito
 if (file_exists("inc/csrf-magic/csrf-magic.php")) {
@@ -122 +126 @@
 
 # carica i parametri di default sulla tabella
-$res = mysql_query("SELECT * FROM ".$prefix."_config" , $dbi);
-$row = mysql_fetch_array($res);
+$sql = $dbi->prepare("SELECT * FROM ".$prefix."_config");
+$sql->execute();
+while($riga = $sql->fetchAll(PDO::FETCH_ASSOC)){$row=$riga[0];
 $sitename = stripslashes($row['sitename']);
 $siteurl = $row['siteurl'];
@@ -146 +151 @@
 $ed_user = $row['ed_user'];
 #tema mobile
-
+}
 
 
 
 # altre config
-$res = mysql_query("SELECT * FROM ".$prefix."_ele_comuni where id_comune='$siteistat' ", $dbi);
-$row = mysql_fetch_array($res);
+$sql = $dbi->prepare("SELECT * FROM ".$prefix."_ele_comuni where id_comune='$siteistat' ");
+$sql->execute();
+$riga = $sql->fetchAll(PDO::FETCH_ASSOC);
+$row=$riga[0];
 $id_cons_pred = intval($row['id_cons']);
 if($id_cons_pred=='0')$id_cons_pred='';
 if(!isset($id_cons_gen)) $id_cons_gen=$id_cons_pred;
 # carica il metodo d'hontd 
-$res = mysql_query("SELECT * FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_gen' ", $dbi);
-$row = mysql_fetch_array($res);
-
-
-
+##$sql = $dbi->prepare("SELECT * FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_gen' ");
+##$sql->execute();
 
 $param=strip_tags(strtolower($_SERVER['REQUEST_METHOD'])) == 'get' ? $_GET : $_POST;
@@ -170 +174 @@
 $id_cons_bak=intval($param['id_cons_gen']);
 if (isset($param['id_comune'])) $id_combak=intval($param['id_comune']); else $id_combak=$_SESSION['id_comune'];
-$res = mysql_query("SELECT id_cons,id_conf FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_bak' and id_comune='$id_combak'" , $dbi);
-list($id_cons,$hondt) = mysql_fetch_row($res);
+$sql = $dbi->prepare("SELECT id_cons,id_conf FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_bak' and id_comune='$id_combak'");
+$sql->execute();
+$row = $sql->fetchAll(PDO::FETCH_ASSOC);
+$id_cons=$row[1];$hondt=$row[2];
 
 // incluso in consiglieri.php, ma io carico le vecchie variabili per compatibilit'a all'indietro
 if($hondt>=1){
 # proiezione consiglio
-      $res = mysql_query("SELECT * FROM ".$prefix."_ele_conf where id_conf='$hondt'", $dbi);
-      $row = mysql_fetch_array($res);
+      $row = $dbi->exec("SELECT * FROM ".$prefix."_ele_conf where id_conf='$hondt'");
+      
       $descrizione_consiglio = $row['descrizione'];
       $LIMITE = intval($row['limite']);

trunk/client/modules/Elezioni/grafici.php

@@ -11 +11 @@
     die ("You can't access this file directly...");
 }
+
+include "pdoquery.php";
+$res=tipocons();
+$descr_cons=$res[1];$tipo_cons=$res[2];$genere=$res[3];$votog=$res[4];$votol=$res[5];$votoc=$res[6];$circo=$res[7];
+die("SELECT t1.descrizione, t1.tipo_cons,t2.genere, t2.voto_g, t2.voto_l, t2.voto_c, t2.circo ($descr_cons,$tipo_cons,$genere,$votog,$votol,$votoc,$circo)");
 
 
@@ -657 +662 @@
 
 function graf_candidato(){
-global $bgcolor1, $bgcolor5,$bgcolor5, $prefix, $dbi, $offset, $min,$descr_cons, $id_cons,$tipo_cons,$copy,$id_comune,$id_istat,$genere,$votog,$votol,$votoc,$circo,$siteistat;
+global $descr_com, $bgcolor1, $bgcolor5,$bgcolor5, $prefix, $dbi, $offset, $min,$descr_cons, $id_cons,$tipo_cons,$copy,$id_comune,$id_istat,$genere,$votog,$votol,$votoc,$circo,$siteistat;
 
 $logo=verificasimbolo(); // carica_logo da funzioni.php 
@@ -700 +705 @@
                         while (list($id_lista,$id_cand,$nome,$cognome,$voti)  = mysql_fetch_row($res)){
                                 $candidato[$i]=$cognome;
-                                $pro[$i]=number_format($voti*100/$tot,2);
+                                if ($tot) $pro[$i]=number_format($voti*100/$tot,2); else $pro[$i]=0;
                                 // sviluppo tabella dati
                                 $e=$i+1;

trunk/client/modules/Elezioni/gruppo.php

@@ -638 +638 @@
                                         $voticompl=$sevaltot+$senultot+$sebiatot+$secontot+$sevnutot;
                                         $resvt = mysql_query("SELECT voti from ".$prefix."_ele_voti_$tab15 where id_cons='$id_cons'",$dbi);
-                                        list($votlt)=mysql_fetch_row($resvt);
+                                        if($resvt) list($votlt)=mysql_fetch_row($resvt); else $votlt=0;
                                         $temp3=arrayperc($tempar,$sevaltot);
                                         while (list($key,$voti)= each($temp)) {
@@ -680 +680 @@
                 }else{
                         $res_lis = mysql_query("SELECT id_gruppo, descrizione,num_gruppo from ".$prefix."_ele_gruppo where id_cons=$id_cons order by num_gruppo",$dbi);
-                        $numliste=mysql_num_rows($res_lis);
+                        if($res_lis) $numliste=mysql_num_rows($res_lis); else $numliste=0;
 
                         if (!isset($offset)) $offset=10;
@@ -695 +695 @@
                                 echo "<input type=\"hidden\" name=\"id_comune\" value=\"$id_comune\"></input>";                 
                                 echo ""._SCELTA." "._CONSULTAZIONE.": <select name=\"id_gruppo\">";
-                                while(list($id_rif,$descrizione,$num_lis) = mysql_fetch_row($res_lis)) {
+                                if($res_lis)
+                                    while(list($id_rif,$descrizione,$num_lis) = mysql_fetch_row($res_lis)) {
                                         if (!$id_gruppo) $id_gruppo=$id_rif;
                                         $sel = ($id_rif == $id_gruppo) ? "selected=\"selected\"" : "";
@@ -701 +702 @@
                                         for ($j=strlen($num_lis);$j<2;$j++) { echo "&nbsp;&nbsp;";}
                                         echo $num_lis.") ".strip_tags(substr($descrizione,0,50))."</option>";
-                                }
+                                    }
                                 echo "</select>";
                                 echo "<br />"._VIS_PERC.": <input type=\"checkbox\" name=\"perc\" value=\"true\"";
@@ -724 +725 @@
                         order by $tab3, t1.num_gruppo
                         ", $dbi);
-                        $num_sez=mysql_num_rows($res);
-                        list($num_gruppo,$descr)= mysql_fetch_row($res_ref);
+                        if($res) $num_sez=mysql_num_rows($res); else $num_sez=0;
+                        if($res_ref) list($num_gruppo,$descr)= mysql_fetch_row($res_ref); else {$num_gruppo=0;$descr='';}
                         
                         if (!$csv){
@@ -811 +812 @@
                 $ar[0][5]=_BIANCHI;
                 $ar[0][6]=_CONTESTATI;
-                
-                while (list($num_gruppo,$desc_ref) = mysql_fetch_row($res_ref)){
+                if($res_ref)
+                    while (list($num_gruppo,$desc_ref) = mysql_fetch_row($res_ref)){
                         $ar[0][$i++]= $num_gruppo.") ".$desc_ref;
                         $ar[1][$y++]= "SI";
                         $ar[1][$y++]= "NO";
-                }
+                    }
                 $num_sez++;
                 $tot_si=0;
@@ -824 +825 @@
                 $tot_bi=0;
                 $tot_co=0;
-                while (list($num_circ,$desc_circ,$num_gruppo,$desc_ref,$simbolo,$si,$no,$validi,$nulli,$bianchi, $contestati)  = mysql_fetch_row($res)){
+                if($res)
+                    while (list($num_circ,$desc_circ,$num_gruppo,$desc_ref,$simbolo,$si,$no,$validi,$nulli,$bianchi, $contestati)  = mysql_fetch_row($res)){
                         $i=1;
                         $votanti=$validi+$nulli+$bianchi+$contestati;
@@ -852 +854 @@
                         $ar[$num_circ][$i++]= $perc=='true' ? $contestati."<br /><span class=\"red\"><i>0.00%</i></span>":$contestati;
                         }
-                }
+                    }
                 $i=1;
                 $tot_vo=$tot_va+$tot_nu+$tot_bi+$tot_co;

trunk/client/modules/Elezioni/index.php

@@ -15 +15 @@
         $_GET : $_POST;
 
-
+include("pdoquery.php");
 if (isset($param['rss'])) $rss=intval($param['rss']); else $rss='0';
 if (isset($param['xls'])) $xls=intval($param['xls']); else $xls='0';
@@ -24 +24 @@
 if (isset($param['id_cons_gen'])) $id_cons_gen=intval($param['id_cons_gen']); else 
 {
-        $res = mysql_query("SELECT id_cons FROM ".$prefix."_ele_comuni where id_comune='$id_comune' ", $dbi);
-        list($id_cons_pred)=mysql_fetch_row($res);
-        $res = mysql_query("SELECT id_cons_gen FROM ".$prefix."_ele_cons_comune where id_cons='$id_cons_pred' ", $dbi);
-        list($id_cons_gen)=mysql_fetch_row($res);
+        $id_cons_gen=dbpredefinita();
+        
 }       
 if (isset($param['op'])) $op=$param['op']; else $op='';
@@ -62 +60 @@
 $ordine=htmlentities($ordine); 
 
-$res = mysql_query("SELECT id_conf FROM ".$prefix."_ele_cons_comune where id_cons_gen='$id_cons_gen' and id_comune='$id_comune'" , $dbi);
-list($hondt) = mysql_fetch_row($res);
-
-$sql = "SELECT t3.genere,t1.tipo_cons,t1.descrizione,t2.id_cons_gen FROM ".$prefix."_ele_consultazione as t1, ".$prefix."_ele_cons_comune as t2, ".$prefix."_ele_tipo as t3 where t1.tipo_cons=t3.tipo_cons and t2.id_comune=$id_comune and t1.id_cons_gen=t2.id_cons_gen and t2.id_cons_gen='$id_cons_gen' and t2.chiusa!='2' ";
-$res = mysql_query("$sql",$dbi);
-$tot=mysql_num_rows($res);
-if ($tot>0 and $id_cons_gen>0) {
-        $sql = "SELECT t3.genere,t1.tipo_cons,t1.descrizione,t2.id_cons_gen FROM ".$prefix."_ele_consultazione as t1, ".$prefix."_ele_cons_comune as t2, ".$prefix."_ele_tipo as t3 where t1.tipo_cons=t3.tipo_cons and t2.id_comune=$id_comune and t1.id_cons_gen=t2.id_cons_gen and t2.id_cons_gen='$id_cons_gen' and t2.chiusa!='2'";
-}else{
-        $sql = "SELECT t3.genere,t1.tipo_cons,t1.descrizione,t2.id_cons_gen FROM ".$prefix."_ele_consultazione as t1, ".$prefix."_ele_cons_comune as t2, ".$prefix."_ele_tipo as t3 where t1.tipo_cons=t3.tipo_cons and t2.id_comune=$id_comune and t1.id_cons_gen=t2.id_cons_gen and t2.chiusa!='2' order by t1.data_fine desc limit 0,1 ";
-}
-$res = mysql_query("$sql",$dbi);
-if ($res) list($genere,$tipo_cons,$descr_cons,$id_cons_gen) = mysql_fetch_row($res);
+$hondt = dbvalorehondt();
+
+$res=dbselectcons();
+
+$genere=$res['genere'];
+$tipo_cons=$res['tipo_cons'];
+$descr_cons=$res['descrizione'];
+$id_cons_gen=$res['id_cons_gen'];
+echo "descr:$descr_cons";
+
+
+
+##########
 
 if ($tipo_cons!=3) $limite=0;

trunk/client/modules/Elezioni/language/lang-it.php

@@ -272 +272 @@
 //global $tipo_cons;
 switch ($tipo_cons){
+        case '':
+                define("_CONSULTAZIONE","Consultazione");
+                break;
         case 1:
                 define("_SCELTA_CIR","Scegli la Circoscrizione");

trunk/client/temi/Futura2/config.php

@@ -6 +6 @@
 # devisualizz errori
 ini_set('display_errors','0');
-
+if(isset($_POST['rss'])) {$rss=intval($_POST['rss']);}
 # verifica cambiamento colore 
 # usata variabile rss gia esistente 
@@ -14 +14 @@
 elseif($rss==4){$colortheme="d";$_SESSION['colortheme']=$colortheme;}
 elseif($rss==5){$colortheme="e";$_SESSION['colortheme']=$colortheme;}
-elseif($rss==6){$colortheme="f";$_SESSION['colortheme']=$colortheme;}
+elseif($rss==6) {$colortheme="f";$_SESSION['colortheme']=$colortheme;}
+
+$defcolortheme='f';
+if (isset($_SESSION['colortheme'])) $colortheme=$_SESSION['colortheme']; else $colortheme=$defcolortheme;
+#elseif($rss==6){$colortheme="f";$_SESSION['colortheme']=$colortheme;}
+
+#colori
+#f=arancio;e=azzurro-grigio;d=verde;c=rosso;b=azzurro;a=grigio
 
 # verifica se arriva dalle app iphone e android

trunk/client/temi/Futura2/index.php

@@ -12 +12 @@
 
 # colore tema mobile
+
+
 include("temi/$tema/config.php");
-$colortheme=$_SESSION['colortheme'];
-if($colortheme=='')$colortheme="c";
+
+#if($colortheme=='')$colortheme="c";
 # descrizione comune
 if(!$id_comune or $id_comune=='') $id_comune=$siteistat;

trunk/client/versione.php

@@ -1 +1 @@
 <?php
 
-$versione = "2.0 rev 252";
+$versione = "2.0 rev 253";
 $version_number = $versione;
-$version = "Eleonline $version_number (<i>Data Release: 16 aprile 2016</i>)";
+$version = "Eleonline $version_number (<i>Data Release: 15 aprile 2017</i>)";