Merge branch 'master' into stage

# Conflicts:
#	guest/guest_post.php
2025-10-21 13:07:25 -04:00
2998 changed files with 196488 additions and 27619 deletions


@@ -898,30 +898,26 @@ function checkFileUpload($file, $allowed_extensions)
return $secureFilename;
}
function sanitizeInput($input)
{
function sanitizeInput($input) {
global $mysqli;
if (!empty($input)) {
// Detect encoding
$encoding = mb_detect_encoding($input, ['UTF-8', 'ISO-8859-1', 'Windows-1252', 'ISO-8859-15'], true);
// If not UTF-8, convert to UTF8 (primarily Windows-1252 is problematic)
if ($encoding !== 'UTF-8') {
$input = mb_convert_encoding($input, 'UTF-8', $encoding);
// Only convert encoding if it's NOT valid UTF-8
if (!mb_check_encoding($input, 'UTF-8')) {
// Try converting from Windows-1252 as a safe default fallback
$input = mb_convert_encoding($input, 'UTF-8', 'Windows-1252');
}
}
// Remove HTML and PHP tags
$input = strip_tags((string) $input);
// Remove white space from beginning and end of input
// Trim white space
$input = trim($input);
// Escape special characters
// Escape for SQL
$input = mysqli_real_escape_string($mysqli, $input);
// Return sanitized input
return $input;
}
@@ -1493,10 +1489,14 @@ function enforceAdminPermission() {
}
function customAction($trigger, $entity) {
$original_dir = getcwd(); // Save
chdir(dirname(__FILE__));
if (file_exists(__DIR__ . "/xcustom/xcustom_action_handler.php")) {
include_once __DIR__ . "/xcustom/xcustom_action_handler.php";
if (file_exists(__DIR__ . "/custom/custom_action_handler.php")) {
include_once __DIR__ . "/custom/custom_action_handler.php";
}
chdir($original_dir); // Restore original working directory
}
function appNotify($type, $details, $action = null, $client_id = 0, $entity_id = 0) {
@@ -1615,6 +1615,8 @@ function getFieldById($table, $id, $field, $escape_method = 'sql') {
// Apply the desired escaping method or auto-detect integer type if using SQL escaping
switch ($escape_method) {
case 'raw':
return $value; // Return as-is from the database
case 'html':
return htmlspecialchars($value ?? '', ENT_QUOTES, 'UTF-8'); // Escape for HTML
case 'json':
@@ -1682,4 +1684,58 @@ function sanitize_url($url) {
// Safe schemes: return escaped original URL
return htmlspecialchars($url ?? '', ENT_QUOTES, 'UTF-8');
}
// Redirect Function
function redirect($url = null, $permanent = false) {
// Use referer if no URL is provided
if (!$url) {
$url = $_SERVER['HTTP_REFERER'] ?? 'index.php';
}
if (!headers_sent()) {
header('Location: ' . $url, true, $permanent ? 301 : 302);
exit;
} else {
// Fallback for headers already sent
echo "<script>window.location.href = '" . addslashes($url) . "';</script>";
echo '<noscript><meta http-equiv="refresh" content="0;url=' . htmlspecialchars($url) . '"></noscript>';
exit;
}
}
//Flash Alert Function
function flash_alert(string $message, string $type = 'success'): void {
$_SESSION['alert_type'] = $type;
$_SESSION['alert_message'] = $message;
}
// Sanitize File Names
function sanitize_filename($filename, $strict = false) {
// Remove path information and dots around the filename
$filename = basename($filename);
// Replace spaces and underscores with dashes
$filename = str_replace([' ', '_'], '-', $filename);
// Remove anything which isn't a word, number, dot, or dash
$filename = preg_replace('/[^A-Za-z0-9\.\-]/', '', $filename);
// Optionally make filename strict alphanumeric (keep dot and dash)
if ($strict) {
$filename = preg_replace('/[^A-Za-z0-9\.\-]/', '', $filename);
}
// Avoid multiple consecutive dashes
$filename = preg_replace('/-+/', '-', $filename);
// Remove leading/trailing dots and dashes
$filename = trim($filename, '.-');
// Ensure its not empty
if (empty($filename)) {
$filename = 'file';
}
return $filename;
}
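Review bot: The headers-already-sent fallback in the new `redirect()` (hunk `@@ -1682,4 +1684,58`) interpolates `$url` into a `<script>` block protected only by `addslashes()`, which escapes quotes and backslashes but not `<`, `>` or `&`, so a value containing `</script>` leaves the script context; the default taken from `$_SERVER['HTTP_REFERER']` is request-supplied, and callers may presumably pass user-controlled URLs as well (not visible here). Emit the value as a JSON string literal instead, `echo '<script>window.location.href = ' . json_encode($url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) . ';</script>';`, and use the same explicit flags as `sanitize_url()` in the meta refresh, `htmlspecialchars($url, ENT_QUOTES, 'UTF-8')`. Since the `Location:` branch forwards any absolute URL, it is worth rejecting targets whose host differs from `$_SERVER['HTTP_HOST']` (or accepting only a single-leading-`/` path) before calling `header()`, otherwise this is an open redirect wherever `$url` comes from a request parameter. Separately, in `sanitize_filename()` the `$strict` branch runs the identical `preg_replace('/[^A-Za-z0-9\.\-]/', '', $filename)` already applied unconditionally two lines earlier, so the parameter has no effect; either remove it or give the strict mode a genuinely narrower pattern.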