X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fui%2Fui_controls.inc;h=89decab4d1e928062794204f74ce9afe989e4caa;hb=c640dae024fb9554d476bd863a68ef82ada8822d;hp=f3731a86078cb4dd143bf2e7c05e098717183faf;hpb=04e10a2fef964ee04596dc8d7672a6e55aa3987a;p=fa-stable.git diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc index f3731a86..89decab4 100644 --- a/includes/ui/ui_controls.inc +++ b/includes/ui/ui_controls.inc @@ -1,42 +1,103 @@ . +***********************************************************************/ +/* + Retrieve value of POST variable(s). + For $name passed as array $dflt is not used, + default values can be passed as values with non-numeric keys instead. + If some field have user formatted numeric value, pass float default value to + convert automatically to POSIX. +*/ +function get_post($name, $dflt='') +{ + if (is_array($name)) { + $ret = array(); + foreach($name as $key => $dflt) + if (!is_numeric($key)) { + $ret[$key] = is_float($dflt) ? input_num($key, $dflt) : get_post($key, $dflt); + } else { + $ret[$dflt] = get_post($dflt, null); + } + return $ret; + } else + return is_float($dflt) ? input_num($name, $dflt) : + ((!isset($_POST[$name]) /*|| $_POST[$name] === ''*/) ? $dflt : $_POST[$name]); +} //--------------------------------------------------------------------------------- +$form_nested = -1; -function start_form($multi=false, $sid=false, $action="", $name="") +function start_form($multi=false, $dummy=false, $action="", $name="") { + // $dummy - leaved for compatibility with 2.0 API + global $form_nested; + + if (++$form_nested) return; + if ($name != "") $name = "name='$name'"; if ($action == "") $action = $_SERVER['PHP_SELF']; - if ($sid) - { - if (strpos($action, "?")) - $action .= "&" . SID; - else - $action .= "?" . SID; - } + if ($multi) - echo "
\n"; + hidden('_focus'); + hidden('_modified', get_post('_modified', 0)); + hidden('_confirmed'); // helper for final form confirmation + hidden('_token', $_SESSION['csrf_token']); + + echo implode('', $hidden_fields)."\n"; + $Ajax->activate('_token'); + $Ajax->activate('_confirmed'); } -function start_table($extra="", $padding='2', $spacing='0') +function check_csrf_token() +{ + if ($_SESSION['csrf_token'] != @$_POST['_token']) + { + display_error(_("Request from outside of this page is forbidden.")); + error_log(_("CSRF attack detected from: ").@$_SERVER['HTTP_HOST'].' ('.@$_SERVER['HTTP_REFERER'].')'); + return false; + } + return true; +} + +function start_table($class=false, $extra="", $padding='2', $spacing='0') { echo "\n"; // outer table +} + +function table_section($number=1, $width=false) +{ + if ($number > 1) + { + echo " |