X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=5620c78d1af384e68f1e966683808ddc09e616c5;hb=8bc62affeb4931af38076490facde167cf7b84b1;hp=5c5ec42be41a5e208924c0a6593a7e8fedf126b5;hpb=279d7962a249da9cbc3074360e3a68a23a31145e;p=fa-stable.git

diff --git a/includes/session.inc b/includes/session.inc
index 5c5ec42b..5620c78d 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -131,6 +131,18 @@ function strip_quotes($data)
 	return $data;
 }
 
+function html_cleanup(&$parms)
+{
+	foreach($parms as $name => $value) {
+//		$value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
+		if (is_array($value))
+			html_cleanup($parms[$name]);
+		else
+			$parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
+	}
+	reset($parms); // needed for direct key() usage later throughout the sources
+}
+
 //============================================================================
 //
 //
@@ -165,6 +177,8 @@ include_once($path_to_root . "/includes/ajax.inc");
 include_once($path_to_root . "/includes/ui/ui_msgs.inc");
 include_once($path_to_root . "/includes/prefs/sysprefs.inc");
 
+include_once($path_to_root . "/includes/hooks.inc");
+
 /*
 	Uncomment the setting below when using FA on shared hosting
 	to avoid unexpeced session timeouts.
@@ -174,12 +188,14 @@ include_once($path_to_root . "/includes/prefs/sysprefs.inc");
 
 ini_set('session.gc_maxlifetime', 36000); // 10hrs
 
-session_name('FrontAccounting');
+session_name('FA'.md5(dirname(__FILE__)));
+//include_once($path_to_root.'/modules/www_statistics/includes/db_sessions.inc');
 session_start();
 
 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
 header("Cache-control: private");
 
+include_once($path_to_root . "/config.php");
 get_text_init();
 
 // Page Initialisation
@@ -187,20 +203,14 @@ if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_
 {
 	$l = array_search_value($dflt_lang, $installed_languages,  'code');
 	$_SESSION['language'] = new language($l['name'], $l['code'], $l['encoding'],
-	 isset($l['rtl']) ? 'rtl' : 'ltr');
+	 (isset($l['rtl']) && $l['rtl'] === true) ? 'rtl' : 'ltr');
 }
 
 $_SESSION['language']->set_language($_SESSION['language']->code);
 
-// include $Hooks object if locale file exists
-if (file_exists($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc"))
-{
-	include_once($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc");
-	$Hooks = new Hooks();
-}
 
 include_once($path_to_root . "/includes/access_levels.inc");
-include_once($path_to_root . "/config.php");
+include_once($path_to_root . "/version.php");
 include_once($path_to_root . "/includes/main.inc");
 
 // Ajax communication object
@@ -225,6 +235,10 @@ set_error_handler('error_handler' /*, errtypes */);
 if (!isset($_SESSION["wa_current_user"]))
 	$_SESSION["wa_current_user"] = new current_user();
 
+html_cleanup($_GET);
+html_cleanup($_POST);
+html_cleanup($_REQUEST);
+
 // logout.php is the only page we should have always 
 // accessable regardless of access level and current login status.
 if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
@@ -238,7 +252,7 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 		{
 			// strip ajax marker from uri, to force synchronous page reload
 			$_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
-					'', @$_SERVER['REQUEST_URI']), 
+					'', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding)), 
 				'post' => $_POST);
 
 			include($path_to_root . "/access/login.php");
@@ -246,7 +260,9 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 				$Ajax->activate('_page_body');
 			exit;
 		} else {
-			$succeed = $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
+
+			$succeed = isset($db_connections[$_POST["company_login_name"]]) &&
+				$_SESSION["wa_current_user"]->login($_POST["company_login_name"],
 				$_POST["user_name_entry_field"], md5($_POST["password"]));
 			// select full vs fallback ui mode on login
 			$_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
@@ -264,6 +280,8 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 	if (!$_SESSION["wa_current_user"]->old_db)
 		include_once($path_to_root . '/company/'.user_company().'/installed_extensions.php');
 
+	install_hooks();
+
 	if (!isset($_SESSION["App"])) {
 		$_SESSION["App"] = new front_accounting();
 		$_SESSION["App"]->init();
@@ -274,6 +292,6 @@ $SysPrefs = &$_SESSION['SysPrefs'];
 
 // POST vars cleanup needed for direct reuse.
 // We quote all values later with db_escape() before db update.
-	$_POST = strip_quotes($_POST);
+$_POST = strip_quotes($_POST);
 
 ?>
\ No newline at end of file