Public/infopump
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security updates to settings.php

Browse Source
This commit is contained in:
Daniel Messer
2025-10-08 16:00:29 -05:00
parent e85c7fd578
commit 0830311340
3 changed files with 242 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
archive/settings-old.php Normal file
View File

@@ -0,0 +1,24 @@
<?php
$sitesettings = new SQLite3('settings.sqlite');
$getName = $sitesettings->query('SELECT description FROM site WHERE id = 1');
while ($row = $getName->fetchArray()) {
$SiteName = $row['description'];
}
$getSubName = $sitesettings->query('SELECT description FROM site WHERE id = 2');
while ($row = $getSubName->fetchArray()) {
$SubName = $row['description'];
}
$getURL = $sitesettings->query('SELECT description FROM site WHERE id = 3');
while ($row = $getURL->fetchArray()) {
$SiteURL = $row['description'];
}
?>

251
recent.php
View File

@@ -2,80 +2,131 @@
include_once "settings.php"; include_once "settings.php";
// Get and use a basic title search for pulling records. // Initialize variables
$keywordsearch = htmlspecialchars($_GET["kw"]); $keywordsearch = '';
$authorsearch = htmlspecialchars($_GET["au"]); $authorsearch = '';
$typesearch = htmlspecialchars($_GET["ty"]); $typesearch = '';
$searchtopic = '';
$searchtype = '';
$socialkw = mb_convert_case($keywordsearch, MB_CASE_TITLE, "UTF-8"); // Sanitize and validate input
$socialau = mb_convert_case($authorsearch, MB_CASE_TITLE, "UTF-8"); if (!empty($_GET["kw"])) {
$socialty = mb_convert_case($typesearch, MB_CASE_TITLE, "UTF-8"); $keywordsearch = trim($_GET["kw"]);
$searchtopic = 'Keyword: ' . htmlspecialchars($keywordsearch, ENT_QUOTES, 'UTF-8');
if (!empty($keywordsearch)) { $searchtype = 'keyword';
$searchtopic = 'Keyword: '.$socialkw; } elseif (!empty($_GET["au"])) {
} elseif (!empty($authorsearch)) { $authorsearch = trim($_GET["au"]);
$searchtopic = 'Author: '.$socialau; $searchtopic = 'Author: ' . htmlspecialchars($authorsearch, ENT_QUOTES, 'UTF-8');
} else { $searchtype = 'author';
$searchtopic = 'Type: '.$socialty; } elseif (!empty($_GET["ty"])) {
$typesearch = trim($_GET["ty"]);
$searchtopic = 'Type: ' . htmlspecialchars(mb_convert_case($typesearch, MB_CASE_TITLE, "UTF-8"), ENT_QUOTES, 'UTF-8');
$searchtype = 'type';
} }
// If no valid search parameter, redirect to index
if (empty($searchtype)) {
header('Location: index.php');
exit;
}
// -------------------- BEGIN DATABASE QUERIES -------------------- // -------------------- BEGIN DATABASE QUERIES --------------------
// Establish atabase connection // Establish database connection
try {
$db = new SQLite3('metadata.sqlite'); $db = new SQLite3('metadata.sqlite');
$db->enableExceptions(true);
} catch (Exception $e) {
error_log("Database connection error: " . $e->getMessage());
die("Database connection failed");
}
$keywordquery = $db->query("SELECT // Prepare the appropriate query based on search type
$results = null;
switch ($searchtype) {
case 'keyword':
$searchPattern = '%' . $keywordsearch . '%';
$stmt = $db->prepare("SELECT
DISTINCT books.id AS id, DISTINCT books.id AS id,
books.title AS title, books.title AS title,
SUBSTR(comments.text, 0, 120) AS excerpt SUBSTR(comments.text, 0, 120) AS excerpt
FROM books FROM books
INNER JOIN INNER JOIN comments ON comments.book = books.id
comments ON comments.book = books.id INNER JOIN books_tags_link ON books_tags_link.book = books.id
INNER JOIN INNER JOIN tags ON tags.id = books_tags_link.tag
books_tags_link ON books_tags_link.book = books.id WHERE books.title LIKE :search
INNER JOIN OR books.author_sort LIKE :search
tags ON tags.id = books_tags_link.tag OR comments.text LIKE :search
WHERE books.title LIKE '%$keywordsearch%' OR tags.name LIKE :search
OR books.author_sort LIKE '%$keywordsearch%' ORDER BY books.timestamp DESC
OR comments.text LIKE '%$keywordsearch%' LIMIT 100");
OR tags.name LIKE '%$keywordsearch%' $stmt->bindValue(':search', $searchPattern, SQLITE3_TEXT);
ORDER BY books.timestamp DESC"); break;
$authorquery = $db->query("SELECT case 'author':
$searchPattern = '%' . $authorsearch . '%';
$stmt = $db->prepare("SELECT
DISTINCT books.id AS id, DISTINCT books.id AS id,
books.title AS title, books.title AS title,
SUBSTR(comments.text, 0, 120) AS excerpt SUBSTR(comments.text, 0, 120) AS excerpt
FROM books FROM books
INNER JOIN INNER JOIN comments ON comments.book = books.id
comments ON comments.book = books.id INNER JOIN books_tags_link ON books_tags_link.book = books.id
INNER JOIN WHERE books.author_sort LIKE :search
books_tags_link ON books_tags_link.book = books.id ORDER BY books.timestamp DESC
WHERE books.author_sort LIKE '%$authorsearch%' LIMIT 100");
ORDER BY books.timestamp DESC"); $stmt->bindValue(':search', $searchPattern, SQLITE3_TEXT);
break;
$typequery = $db->query("SELECT case 'type':
$stmt = $db->prepare("SELECT
DISTINCT books.id AS id, DISTINCT books.id AS id,
books.title AS title, books.title AS title,
SUBSTR(comments.text, 0, 120) AS excerpt SUBSTR(comments.text, 0, 120) AS excerpt
FROM books FROM books
INNER JOIN INNER JOIN comments ON comments.book = books.id
comments ON comments.book = books.id INNER JOIN books_custom_column_1_link ON books_custom_column_1_link.book = books.id
INNER JOIN INNER JOIN custom_column_1 ON custom_column_1.id = books_custom_column_1_link.value
books_custom_column_1_link ON books_custom_column_1_link.book = books.id WHERE custom_column_1.value = :search
INNER JOIN ORDER BY books.timestamp DESC
custom_column_1 ON custom_column_1.id = books_custom_column_1_link.value LIMIT 100");
WHERE $stmt->bindValue(':search', $typesearch, SQLITE3_TEXT);
custom_column_1.value = '$typesearch' break;
ORDER BY books.timestamp DESC"); }
// Execute query and handle errors
try {
$results = $stmt->execute();
} catch (Exception $e) {
error_log("Query execution error: " . $e->getMessage());
$results = null;
}
// Get types for menu
try {
$types = $db->query("SELECT value FROM custom_column_1 ORDER BY value ASC");
} catch (Exception $e) {
error_log("Types query error: " . $e->getMessage());
$types = null;
}
// Build social media URLs safely
$socialUrl = '';
switch ($searchtype) {
case 'keyword':
$socialUrl = $SiteURL . '/recent.php?kw=' . urlencode($keywordsearch);
break;
case 'author':
$socialUrl = $SiteURL . '/recent.php?au=' . urlencode($authorsearch);
break;
case 'type':
$socialUrl = $SiteURL . '/recent.php?ty=' . urlencode($typesearch);
break;
}
$types = $db->query("SELECT
value
FROM custom_column_1
ORDER BY value ASC");
?> ?>
<!DOCTYPE html> <!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]--> <!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]--> <!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
@@ -84,9 +135,9 @@ ORDER BY value ASC");
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Infopump - Recently Added - <?php echo $searchtopic; ?></title> <title>Infopump - Recently Added - <?php echo htmlspecialchars($searchtopic, ENT_QUOTES, 'UTF-8'); ?></title>
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Free HTML5 Template by FREEHTML5.CO" /> <meta name="description" content="Recently added items for <?php echo htmlspecialchars($searchtopic, ENT_QUOTES, 'UTF-8'); ?>" />
<meta name="keywords" content="free html5, free template, free bootstrap, html5, css3, mobile first, responsive" /> <meta name="keywords" content="free html5, free template, free bootstrap, html5, css3, mobile first, responsive" />
<meta name="author" content="FREEHTML5.CO" /> <meta name="author" content="FREEHTML5.CO" />
@@ -105,33 +156,14 @@ ORDER BY value ASC");
--> -->
<!-- Facebook and Twitter integration --> <!-- Facebook and Twitter integration -->
<meta property="og:title" content=<?php echo '"'.$SiteName.' - Recently Added - '.$searchtopic.'" />';?> <meta property="og:title" content="<?php echo htmlspecialchars($SiteName . ' - Recently Added - ' . $searchtopic, ENT_QUOTES, 'UTF-8'); ?>" />
<meta property="og:image" content="<?php echo htmlspecialchars($SiteURL, ENT_QUOTES, 'UTF-8'); ?>/images/og-site-avatar.jpg" />
<meta property="og:image" content=<?php echo '"'.$SiteURL.'/images/og-site-avatar.jpg" />';?> <meta property="og:url" content="<?php echo htmlspecialchars($socialUrl, ENT_QUOTES, 'UTF-8'); ?>" />
<meta property="og:site_name" content="<?php echo htmlspecialchars($SiteName . ' - Recently Added', ENT_QUOTES, 'UTF-8'); ?>" />
<?php <meta property="og:description" content="<?php echo htmlspecialchars($SubName, ENT_QUOTES, 'UTF-8'); ?>" />
if (!empty($keywordsearch)) { <meta name="twitter:title" content="<?php echo htmlspecialchars($SiteName . ' - Recently Added - ' . $searchtopic, ENT_QUOTES, 'UTF-8'); ?>" />
echo '<meta property="og:url" content="'.$SiteURL.'/recent.php?kw='.$socialkw.'" />'; <meta name="twitter:image" content="<?php echo htmlspecialchars($SiteURL, ENT_QUOTES, 'UTF-8'); ?>/images/og-site-avatar.jpg" />
echo '<meta name="twitter:url" content="'.$SiteURL.'/recent.php?kw='.$socialkw.'" />'; <meta name="twitter:url" content="<?php echo htmlspecialchars($socialUrl, ENT_QUOTES, 'UTF-8'); ?>" />
} elseif (!empty($authorsearch)) {
echo '<meta property="og:url" content="'.$SiteURL.'/recent.php?au='.$socialau.'" />';
echo '<meta name="twitter:url" content="'.$SiteURL.'/recent.php?au='.$socialau.'" />';
} else {
echo '<meta property="og:url" content="'.$SiteURL.'/recent.php?ty='.$socialty.'" />';
echo '<meta name="twitter:url" content="'.$SiteURL.'/recent.php?ty='.$socialty.'" />';
}
?>
<meta property="og:site_name" content=<?php echo '"'.$SiteName.' - Recently Added" />';?>
<meta property="og:description" content=<?php echo '"'.$SubName.'" />';?>
<meta name="twitter:title" content=<?php echo '"'.$SiteName.' - Recently Added - '.$searchtopic.'" />';?>
<meta name="twitter:image" content=<?php echo '"'.$SiteURL.'/images/og-site-avatar.jpg" />';?>
<meta name="twitter:card" content="summary" /> <meta name="twitter:card" content="summary" />
<!-- Place favicon.ico and apple-touch-icon.png in the root directory --> <!-- Place favicon.ico and apple-touch-icon.png in the root directory -->
@@ -144,10 +176,8 @@ ORDER BY value ASC");
<link rel="stylesheet" href="css/icomoon.css"> <link rel="stylesheet" href="css/icomoon.css">
<!-- Bootstrap --> <!-- Bootstrap -->
<link rel="stylesheet" href="css/bootstrap.css"> <link rel="stylesheet" href="css/bootstrap.css">
<link rel="stylesheet" href="css/style.css"> <link rel="stylesheet" href="css/style.css">
<!-- Modernizr JS --> <!-- Modernizr JS -->
<script src="js/modernizr-2.6.2.min.js"></script> <script src="js/modernizr-2.6.2.min.js"></script>
<!-- FOR IE9 below --> <!-- FOR IE9 below -->
@@ -165,7 +195,7 @@ ORDER BY value ASC");
</figure> </figure>
<h3 class="heading">About the Project</h3> <h3 class="heading">About the Project</h3>
<a href="index.php"><h2>Infopump</h2></a> <a href="index.php"><h2>Infopump</h2></a>
<p>A bibliographic management and display system.</p> <p>A bibliographic management and display system.<br /><a href="about.php">More info</a></p>
<hr> <hr>
<p>A free, open source project from:<br /> <p>A free, open source project from:<br />
<a href="https://rss.com/podcasts/l0wl1f3podcast/">The L0WL1F3 Podcast</a><br /> <a href="https://rss.com/podcasts/l0wl1f3podcast/">The L0WL1F3 Podcast</a><br />
@@ -173,8 +203,8 @@ ORDER BY value ASC");
<a href="https://cyberpunklibrarian.com">Cyberpunk Librarian</a> <a href="https://cyberpunklibrarian.com">Cyberpunk Librarian</a>
</p> </p>
<ul class="fh5co-social"> <ul class="fh5co-social">
<!--<li><a href="#"><i class="icon-twitter"></i></a></li>--> <!--<li><a href="#"><i class="icon-twitter"></i></a></li>
<!--<li><a href="#"><i class="icon-facebook"></i></a></li> <li><a href="#"><i class="icon-facebook"></i></a></li>
<li><a href="#"><i class="icon-instagram"></i></a></li>--> <li><a href="#"><i class="icon-instagram"></i></a></li>-->
</ul> </ul>
</div> </div>
@@ -184,22 +214,22 @@ ORDER BY value ASC");
<h3 class="heading">Recent Additions</h3> <h3 class="heading">Recent Additions</h3>
<ul> <ul>
<?php <?php
while ($row = $types->fetchArray()) { if ($types) {
$row_value = $row['value']; while ($row = $types->fetchArray(SQLITE3_ASSOC)) {
$row_titlecase = mb_convert_case($row_value, MB_CASE_TITLE, "UTF-8"); $row_value = htmlspecialchars($row['value'], ENT_QUOTES, 'UTF-8');
echo '<li><a href="recent.php?ty='.$row_value.'">'.$row_titlecase.'</a></li>'; $row_titlecase = htmlspecialchars(mb_convert_case($row['value'], MB_CASE_TITLE, "UTF-8"), ENT_QUOTES, 'UTF-8');
//echo '<li>'.$row_value.'</li>'; echo '<li><a href="recent.php?ty=' . urlencode($row['value']) . '">' . $row_titlecase . '</a></li>';
}
} }
?> ?>
</ul> </ul>
</div> </div>
<div class="fh5co-box"> <div class="fh5co-box">
<h3 class="heading">Search</h3> <h3 class="heading">Search</h3>
<form action="results.php" method="get"> <form action="results.php" method="get">
<div class="form-group"> <div class="form-group">
<input type="text" class="form-control" name="kw" placeholder="Keyword search"> <input type="text" class="form-control" name="kw" placeholder="Keyword search" maxlength="100">
</div> </div>
</form> </form>
</div> </div>
@@ -219,7 +249,7 @@ ORDER BY value ASC");
<li><a href="#"><i class="icon-instagram"></i></a></li> <li><a href="#"><i class="icon-instagram"></i></a></li>
</ul> --> </ul> -->
<div class="col-lg-12 col-md-12 text-center"> <div class="col-lg-12 col-md-12 text-center">
<h1 id="fh5co-logo"><a href="index.php">Recently Added<br /><br /><?php echo $searchtopic; ?></a></h1> <h1 id="fh5co-logo"><a href="index.php">Recently Added<br /><br /><?php echo htmlspecialchars($searchtopic, ENT_QUOTES, 'UTF-8'); ?></a></h1>
</div> </div>
</div> </div>
@@ -235,30 +265,25 @@ ORDER BY value ASC");
<div class="row rp-b"> <div class="row rp-b">
<div class="col-md-12 animate-box"> <div class="col-md-12 animate-box">
<?php <?php
if ($keywordsearch != '') { if ($results) {
while ($row = $keywordquery->fetchArray()) { $hasResults = false;
$row_id = $row['id']; while ($row = $results->fetchArray(SQLITE3_ASSOC)) {
$row_title = $row['title']; $hasResults = true;
$row_excerpt = $row['excerpt']; $row_id = (int)$row['id'];
$row_title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
$row_excerpt = htmlspecialchars(strip_tags($row['excerpt']), ENT_QUOTES, 'UTF-8');
echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>'; echo '<p style="padding:25px 0 35px 0;">';
echo '<img style="float:left; max-height: 120px; padding: 10px 10px" src="images/' . $row_id . '.jpg" alt="' . $row_title . '">';
echo '<strong><em><a href="itemrecord.php?itemid=' . $row_id . '">' . $row_title . '</a></em> :</strong> ';
echo $row_excerpt . '...</p>';
} }
} elseif ($typesearch != '') {
while ($row = $typequery->fetchArray()) {
$row_id = $row['id'];
$row_title = $row['title'];
$row_excerpt = $row['excerpt'];
echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>'; if (!$hasResults) {
echo '<p>No recent items found.</p>';
} }
} else { } else {
while ($row = $authorquery->fetchArray()) { echo '<p>An error occurred while retrieving recent items. Please try again.</p>';
$row_id = $row['id'];
$row_title = $row['title'];
$row_excerpt = $row['excerpt'];
echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
}
} }
?> ?>
</div> </div>
@@ -287,3 +312,7 @@ ORDER BY value ASC");
</body> </body>
</html> </html>
<?php
// Close database connection
$db->close();
?>

68
settings.php
View File

@@ -1,24 +1,68 @@
<?php <?php
$sitesettings = new SQLite3('settings.sqlite'); /**
* Site Settings Configuration
* Loads site settings from SQLite database
*/
$getName = $sitesettings->query('SELECT description FROM site WHERE id = 1'); // Initialize default values
$SiteName = 'Infopump';
$SubName = 'A bibliographic display system';
$SiteURL = '';
while ($row = $getName->fetchArray()) { try {
$SiteName = $row['description']; // Establish database connection
$sitesettings = new SQLite3('settings.sqlite', SQLITE3_OPEN_READONLY);
$sitesettings->enableExceptions(true);
// Fetch all settings in a single query for efficiency
$stmt = $sitesettings->prepare('SELECT id, description FROM site WHERE id IN (1, 2, 3) ORDER BY id');
$result = $stmt->execute();
// Process results
$settings = [];
while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
$settings[(int)$row['id']] = $row['description'];
} }
$getSubName = $sitesettings->query('SELECT description FROM site WHERE id = 2'); // Assign settings to variables with validation
if (isset($settings[1]) && !empty(trim($settings[1]))) {
while ($row = $getSubName->fetchArray()) { $SiteName = htmlspecialchars(trim($settings[1]), ENT_QUOTES, 'UTF-8');
$SubName = $row['description'];
} }
$getURL = $sitesettings->query('SELECT description FROM site WHERE id = 3'); if (isset($settings[2]) && !empty(trim($settings[2]))) {
$SubName = htmlspecialchars(trim($settings[2]), ENT_QUOTES, 'UTF-8');
while ($row = $getURL->fetchArray()) {
$SiteURL = $row['description'];
} }
if (isset($settings[3]) && !empty(trim($settings[3]))) {
// Validate and sanitize URL
$url = trim($settings[3]);
// Remove trailing slash for consistency
$url = rtrim($url, '/');
// Basic URL validation
if (filter_var($url, FILTER_VALIDATE_URL)) {
$SiteURL = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
} else {
error_log("Invalid site URL in settings: " . $url);
}
}
// Close database connection
$sitesettings->close();
} catch (Exception $e) {
// Log error but continue with default values
error_log("Settings database error: " . $e->getMessage());
// Ensure variables are set even if database fails
if (!isset($SiteName)) $SiteName = 'Infopump';
if (!isset($SubName)) $SubName = 'A bibliographic display system';
if (!isset($SiteURL)) $SiteURL = '';
}
// Verify all required settings are defined
if (empty($SiteName) || empty($SubName)) {
error_log("Critical site settings are missing or empty");
}
?> ?>