From b9b3367865b80c8ea6088d0d90f265c203cfe976 Mon Sep 17 00:00:00 2001
From: Ryan Walberg <generalpf@gmail.com>
Date: Tue, 27 Nov 2012 16:13:52 +0000
Subject: [PATCH] new validation for setup, checks Smarty installation too.

---
 src/setup.php | 207 ++++++++++++++++++++++++++++----------------------
 1 file changed, 116 insertions(+), 91 deletions(-)

diff --git a/src/setup.php b/src/setup.php
index 4aba487..ef1b4e5 100644
--- a/src/setup.php
+++ b/src/setup.php
@@ -13,17 +13,24 @@
 // along with this program; if not, write to the Free Software
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
-include("config.php");
-include("db.php");
+require_once(dirname(__FILE__) . "/includes/config.php");
 
-$query = "SELECT COUNT(*) AS user_count FROM {$OPT["table_prefix"]}users";
-$rs = mysql_query($query) or die("Could not query: " . mysql_error());
-$row = mysql_fetch_array($rs,MYSQL_ASSOC);
-$user_count = $row["user_count"];
-mysql_free_result($rs);
-if ($user_count != 0) {
-	echo "Database has already been set up.";
-	exit;
+$opt = getGlobalOptions();
+
+function dbh($opt) {
+	return new PDO($opt["pdo_connection_string"], $opt["pdo_username"], $opt["pdo_password"]);
+}
+
+$stmt = dbh($opt)->prepare("SELECT COUNT(*) AS user_count FROM {$opt["table_prefix"]}users");
+$stmt->execute();
+if ($row = $stmt->fetch()) {
+	$user_count = $row["user_count"];
+	if (false && $user_count != 0) {
+		die("Database has already been set up.");
+	}
+}
+else {
+	die("Database has not been created.");
 }
 
 if (isset($_POST["action"])) {
@@ -33,93 +40,105 @@ if (isset($_POST["action"])) {
 		$pwd = $_POST["pwd"];
 		$email = $_POST["email"];
 		$familyname = $_POST["familyname"];
-		if (!get_magic_quotes_gpc()) {
-			$username = addslashes($username);
-			$fullname = addslashes($fullname);
-			$pwd = addslashes($pwd);
-			$email = addslashes($email);
-			$familyname = addslashes($familyname);
-		}
 
 		// 1. create the family.
-		$query = "INSERT INTO {$OPT["table_prefix"]}families(familyname) VALUES('$familyname')";
-		mysql_query($query) or die("Could not query: " . mysql_error());
+		$stmt = dbh($opt)->prepare("INSERT INTO {$opt["table_prefix"]}families(familyname) VALUES(?)");
+		$stmt->bindParam(1, $familyname, PDO::PARAM_STR);
+		$stmt->execute();
 						         
 		// 2. get the familyid.
-		$query = "SELECT familyid FROM {$OPT["table_prefix"]}families";
-		$rs = mysql_query($query) or die("Could not query: " . mysql_error());
-		$row = mysql_fetch_assoc($rs) or die("Could not query: " . mysql_error());
-		$familyid = $row["familyid"];
-		mysql_free_result($rs);
+		$stmt = dbh($opt)->prepare("SELECT MAX(familyid) AS familyid FROM {$opt["table_prefix"]}families");
+		$stmt->execute();
+		if ($row = $stmt->fetch()) {
+			$familyid = $row["familyid"];
+		}
+		else die("No family was created.");
 
 		// 3. insert the user.
-		$query = "INSERT INTO {$OPT["table_prefix"]}users(username,fullname,password,email,approved,admin,initialfamilyid) VALUES('$username','$fullname',{$OPT["password_hasher"]}('$pwd'),'$email',1,1,$familyid)";
-		mysql_query($query) or die("Could not query: " . mysql_error());
+		$stmt = dbh($opt)->prepare("INSERT INTO {$opt["table_prefix"]}users(username,fullname,password,email,approved,admin,initialfamilyid) VALUES(?, ?, {$opt["password_hasher"]}(?), ?, 1, 1, ?)");
+		$stmt->bindParam(1, $username, PDO::PARAM_STR);
+		$stmt->bindParam(2, $fullname, PDO::PARAM_STR);
+		$stmt->bindParam(3, $pwd, PDO::PARAM_STR);
+		$stmt->bindParam(4, $email, PDO::PARAM_STR);
+		$stmt->bindParam(5, $familyid, PDO::PARAM_INT);
+		$stmt->execute();
 
 		// 4. get the userid.
-		$query = "SELECT userid FROM {$OPT["table_prefix"]}users";
-		$rs = mysql_query($query) or die("Could not query: " . mysql_error());
-		$row = mysql_fetch_assoc($rs) or die("Could not query: " . mysql_error());
-		$userid = $row["userid"];
-		mysql_free_result($rs);
+		$stmt = dbh($opt)->prepare("SELECT MAX(userid) AS userid FROM {$opt["table_prefix"]}users");
+		$stmt->execute();
+		if ($row = $stmt->fetch()) {
+			$userid = $row["userid"];
+		}
+		else die("No user was created.");
 
 		// 5. create the membership.
-		$query = "INSERT INTO {$OPT["table_prefix"]}memberships(userid,familyid) VALUES($userid,$familyid)";
-		mysql_query($query) or die("Could not query: " . mysql_error());
+		$stmt = dbh($opt)->prepare("INSERT INTO {$opt["table_prefix"]}memberships(userid,familyid) VALUES(?, ?)");
+		$stmt->bindParam(1, $userid, PDO::PARAM_INT);
+		$stmt->bindParam(2, $familyid, PDO::PARAM_INT);
+		$stmt->execute();
 	}
 }
-echo "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\r\n";
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
-<title>Gift Registry - Setup</title>
-<link href="styles.css" type="text/css" rel="stylesheet" />
-<script language="JavaScript" type="text/javascript">
-	function validateSetup() {
-		field = document.setup.username;
-		if (field == null || field == undefined || !field.value.match("\\S")) {
-			alert("You must supply a username.");
-			field.focus();
-			return false;
-		}
-		
-		field = document.setup.fullname;
-		if (field == null || field == undefined || !field.value.match("\\S")) {
-			alert("You must supply your full name.");
-			field.focus();
-			return false;
-		}
-
-		field = document.setup.pwd;
-		if (field == null || field == undefined || !field.value.match("\\S")) {
-			alert("You must supply your password.");
-			field.focus();
-			return false;
-		}
-		if (field.value != document.setup.confirmpwd.value) {
-			alert("Passwords do not match.");
-			field.focus();
-			return false;
-		}
-		
-		field = document.setup.email;
-		if (!field.value.match("\\w+([-+.]\\w+)*@\\w+([-.]\\w+)*\\.\\w+([-.]\\w+)*")) {
-			alert("The e-mail address '" + field.value + "' is not a valid address.");
-			field.focus();
-			return false;
-		}
-
-		field = document.setup.familyname;
-		if (field == null || field == undefined || !field.value.match("\\S")) {
-			alert("You must specify the name of the default/initial family.");
-			field.focus();
-			return false;
-		}
-		
-		return true;
-	}
-</script>
+	<title>Gift Registry - Setup</title>
+	<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
+	<script src="js/jquery.validate.min.js"></script>
+	<script language="JavaScript" type="text/javascript">
+		$(document).ready(function() {
+			$("#setupform").validate({
+				rules: {
+					"username": {
+						required: true,
+						maxlength: 20
+					},
+					"pwd": {
+						required: true,
+						maxlength: 50
+					},
+					"confirmpwd": {
+						required: true,
+						equalTo: "#pwd",
+						maxlength: 50
+					},
+					"fullname": {
+						required: true,
+						maxlength: 50
+					},
+					"email": {
+						required: true,
+						maxlength: 255,
+						email: true
+					}
+				},
+				messages: {
+					"username": {
+						required: "The initial username is required.",
+						maxlength: "The initial username must be 20 characters or less."
+					},
+					"pwd": {
+						required: "The initial password is required.",
+						maxlength: "The initial password must be 50 characters or less."
+					},
+					"confirmpwd": {
+						required: "This value is required.",
+						equalTo: "This value must match the initial password.",
+						maxlength: "This value must be 50 characters or less."
+					},
+					"fullname": {
+						required: "The full name is required.",
+						maxlength: "The full name must be 50 characters or less."
+					},
+					"email": {
+						required: "The e-mail address is required.",
+						maxlength: "The e-mail address must be 255 characters or less.",
+						email: "The e-mail address is invalid."
+					}
+				}
+			});
+		});
+	</script>
 </head>
 <body>
 <?php
@@ -134,7 +153,7 @@ if (isset($_POST["action"]) && $_POST["action"] == "setup") {
 	</p>
 	<table border="1" cellpadding="2" cellspacing="2">
 		<?php
-		foreach ($OPT as $key => $value) {
+		foreach ($opt as $key => $value) {
 			?>
 			<tr>
 				<td><?php echo $key; ?></td>
@@ -150,7 +169,7 @@ else {
 	// check their image_subdir for writeability.
 	echo "<p>";
 	$parts = pathinfo($_SERVER["SCRIPT_FILENAME"]);
-	$image_dir = $parts['dirname'] . "/" . $OPT["image_subdir"];
+	$image_dir = $parts['dirname'] . "/" . $opt["image_subdir"];
 	$writeable = is_writable($image_dir);
 	if ($writeable) {
 		echo "<font color=\"green\">$image_dir is writeable, images can be uploaded.</font>";
@@ -159,8 +178,14 @@ else {
 		echo "<font color=\"red\">$image_dir is NOT writeable, images cannot be uploaded.  Either chmod this directory to allow the web server to write to it, or disable image uploading in config.php.</font>";
 	}
 	echo "</p>";
+
+	// check if Smarty works.
+	echo "<p>Testing Smarty installation... ensure the result is OK.</p>";
+	require_once(dirname(__FILE__) . "/includes/MySmarty.class.php");
+	$smarty = new MySmarty();
+	$smarty->testInstall();
 	?>
-	<form name="setup" method="post" action="setup.php">	
+	<form name="setupform" id="setupform" method="post" action="setup.php">	
 		<input type="hidden" name="action" value="setup">
 		<div align="center">
 			<table cellpadding="3" class="partbox" width="50%">
@@ -177,42 +202,42 @@ else {
 				<tr>
 					<td>Admin username</td>
 					<td>
-						<input name="username" size="20" maxlength="20" type="text" value="<?php if (isset($_POST["username"])) echo htmlspecialchars(stripslashes($_POST["username"])); ?>"/>
+						<input id="username" name="username" size="20" maxlength="20" type="text" value="<?php if (isset($_POST["username"])) echo htmlspecialchars($_POST["username"]); ?>"/>
 					</td>
 				</tr>
 				<tr>
 					<td>Admin password</td>
 					<td>
-						<input name="pwd" size="20" maxlength="50" type="password" />
+						<input id="pwd" name="pwd" size="20" maxlength="50" type="password" />
 					</td>
 				</tr>
 				<tr>
 					<td>Confirm admin password</td>
 					<td>
-						<input name="confirmpwd" size="20" maxlength="50" type="password" />
+						<input id="confirmpwd" name="confirmpwd" size="20" maxlength="50" type="password" />
 					</td>
 				</tr>
 				<tr>
 					<td>Admin full name</td>
 					<td>
-						<input name="fullname" size="30" maxlength="50" type="text" value="<?php if (isset($_POST["fullname"])) echo htmlspecialchars(stripslashes($_POST["fullname"])); ?>" />
+						<input id="fullname" name="fullname" size="30" maxlength="50" type="text" value="<?php if (isset($_POST["fullname"])) echo htmlspecialchars($_POST["fullname"]); ?>" />
 					</td>
 				</tr>
 				<tr>
 					<td>Admin e-mail address</td>
 					<td>
-						<input name="email" size="30" maxlength="255" type="text" value="<?php if (isset($_POST["email"])) echo $_POST["email"]; ?>" />
+						<input id="email" name="email" size="30" maxlength="255" type="text" value="<?php if (isset($_POST["email"])) echo htmlspecialchars($_POST["email"]); ?>" />
 					</td>
 				</tr>
 				<tr>
 					<td>Default/initial family name</td>
 					<td>
-						<input name="familyname" size="50" maxlength="255" type="text" value="<?php if (isset($_POST["familyname"])) echo $_POST["familyname"]; ?>" />
+						<input id="familyname" name="familyname" size="50" maxlength="255" type="text" value="<?php if (isset($_POST["familyname"])) echo htmlspecialchars($_POST["familyname"]); ?>" />
 					</td>
 				</tr>
 				<tr>
 					<td colspan="2" align="center">
-						<input type="submit" value="Submit" onClick="return validateSetup();" />
+						<input type="submit" value="Submit" />
 					</td>
 				</tr>
 			</table>