Public/infopump
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security updates to settings.php

Browse Source
This commit is contained in:
Daniel Messer
2025-10-08 16:00:29 -05:00
parent e85c7fd578
commit 0830311340
3 changed files with 242 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
archive/settings-old.php Normal file
View File

@@ -0,0 +1,24 @@
<?php
$sitesettings = new SQLite3('settings.sqlite');
$getName = $sitesettings->query('SELECT description FROM site WHERE id = 1');
while ($row = $getName->fetchArray()) {
$SiteName = $row['description'];
}
$getSubName = $sitesettings->query('SELECT description FROM site WHERE id = 2');
while ($row = $getSubName->fetchArray()) {
$SubName = $row['description'];
}
$getURL = $sitesettings->query('SELECT description FROM site WHERE id = 3');
while ($row = $getURL->fetchArray()) {
$SiteURL = $row['description'];
}
?>

287
recent.php
View File

@@ -2,80 +2,131 @@
include_once "settings.php"; include_once "settings.php";
// Get and use a basic title search for pulling records. // Initialize variables
$keywordsearch = htmlspecialchars($_GET["kw"]); $keywordsearch = '';
$authorsearch = htmlspecialchars($_GET["au"]); $authorsearch = '';
$typesearch = htmlspecialchars($_GET["ty"]); $typesearch = '';
$searchtopic = '';
$searchtype = '';
$socialkw = mb_convert_case($keywordsearch, MB_CASE_TITLE, "UTF-8"); // Sanitize and validate input
$socialau = mb_convert_case($authorsearch, MB_CASE_TITLE, "UTF-8"); if (!empty($_GET["kw"])) {
$socialty = mb_convert_case($typesearch, MB_CASE_TITLE, "UTF-8"); $keywordsearch = trim($_GET["kw"]);
$searchtopic = 'Keyword: ' . htmlspecialchars($keywordsearch, ENT_QUOTES, 'UTF-8');
if (!empty($keywordsearch)) { $searchtype = 'keyword';
$searchtopic = 'Keyword: '.$socialkw; } elseif (!empty($_GET["au"])) {
} elseif (!empty($authorsearch)) { $authorsearch = trim($_GET["au"]);
$searchtopic = 'Author: '.$socialau; $searchtopic = 'Author: ' . htmlspecialchars($authorsearch, ENT_QUOTES, 'UTF-8');
} else { $searchtype = 'author';
$searchtopic = 'Type: '.$socialty; } elseif (!empty($_GET["ty"])) {
$typesearch = trim($_GET["ty"]);
$searchtopic = 'Type: ' . htmlspecialchars(mb_convert_case($typesearch, MB_CASE_TITLE, "UTF-8"), ENT_QUOTES, 'UTF-8');
$searchtype = 'type';
} }
// If no valid search parameter, redirect to index
if (empty($searchtype)) {
header('Location: index.php');
exit;
}
// -------------------- BEGIN DATABASE QUERIES -------------------- // -------------------- BEGIN DATABASE QUERIES --------------------
// Establish atabase connection // Establish database connection
$db = new SQLite3('metadata.sqlite'); try {
$db = new SQLite3('metadata.sqlite');
$db->enableExceptions(true);
} catch (Exception $e) {
error_log("Database connection error: " . $e->getMessage());
die("Database connection failed");
}
$keywordquery = $db->query("SELECT // Prepare the appropriate query based on search type
DISTINCT books.id AS id, $results = null;
books.title AS title,
SUBSTR(comments.text,0,120) AS excerpt
FROM books
INNER JOIN
comments ON comments.book = books.id
INNER JOIN
books_tags_link ON books_tags_link.book = books.id
INNER JOIN
tags ON tags.id = books_tags_link.tag
WHERE books.title LIKE '%$keywordsearch%'
OR books.author_sort LIKE '%$keywordsearch%'
OR comments.text LIKE '%$keywordsearch%'
OR tags.name LIKE '%$keywordsearch%'
ORDER BY books.timestamp DESC");
$authorquery = $db->query("SELECT switch ($searchtype) {
DISTINCT books.id AS id, case 'keyword':
books.title AS title, $searchPattern = '%' . $keywordsearch . '%';
SUBSTR(comments.text,0,120) AS excerpt $stmt = $db->prepare("SELECT
FROM books DISTINCT books.id AS id,
INNER JOIN books.title AS title,
comments ON comments.book = books.id SUBSTR(comments.text, 0, 120) AS excerpt
INNER JOIN FROM books
books_tags_link ON books_tags_link.book = books.id INNER JOIN comments ON comments.book = books.id
WHERE books.author_sort LIKE '%$authorsearch%' INNER JOIN books_tags_link ON books_tags_link.book = books.id
ORDER BY books.timestamp DESC"); INNER JOIN tags ON tags.id = books_tags_link.tag
WHERE books.title LIKE :search
OR books.author_sort LIKE :search
OR comments.text LIKE :search
OR tags.name LIKE :search
ORDER BY books.timestamp DESC
LIMIT 100");
$stmt->bindValue(':search', $searchPattern, SQLITE3_TEXT);
break;
$typequery = $db->query("SELECT case 'author':
DISTINCT books.id AS id, $searchPattern = '%' . $authorsearch . '%';
books.title AS title, $stmt = $db->prepare("SELECT
SUBSTR(comments.text,0,120) AS excerpt DISTINCT books.id AS id,
FROM books books.title AS title,
INNER JOIN SUBSTR(comments.text, 0, 120) AS excerpt
comments ON comments.book = books.id FROM books
INNER JOIN INNER JOIN comments ON comments.book = books.id
books_custom_column_1_link ON books_custom_column_1_link.book = books.id INNER JOIN books_tags_link ON books_tags_link.book = books.id
INNER JOIN WHERE books.author_sort LIKE :search
custom_column_1 ON custom_column_1.id = books_custom_column_1_link.value ORDER BY books.timestamp DESC
WHERE LIMIT 100");
custom_column_1.value = '$typesearch' $stmt->bindValue(':search', $searchPattern, SQLITE3_TEXT);
ORDER BY books.timestamp DESC"); break;
case 'type':
$stmt = $db->prepare("SELECT
DISTINCT books.id AS id,
books.title AS title,
SUBSTR(comments.text, 0, 120) AS excerpt
FROM books
INNER JOIN comments ON comments.book = books.id
INNER JOIN books_custom_column_1_link ON books_custom_column_1_link.book = books.id
INNER JOIN custom_column_1 ON custom_column_1.id = books_custom_column_1_link.value
WHERE custom_column_1.value = :search
ORDER BY books.timestamp DESC
LIMIT 100");
$stmt->bindValue(':search', $typesearch, SQLITE3_TEXT);
break;
}
// Execute query and handle errors
try {
$results = $stmt->execute();
} catch (Exception $e) {
error_log("Query execution error: " . $e->getMessage());
$results = null;
}
// Get types for menu
try {
$types = $db->query("SELECT value FROM custom_column_1 ORDER BY value ASC");
} catch (Exception $e) {
error_log("Types query error: " . $e->getMessage());
$types = null;
}
// Build social media URLs safely
$socialUrl = '';
switch ($searchtype) {
case 'keyword':
$socialUrl = $SiteURL . '/recent.php?kw=' . urlencode($keywordsearch);
break;
case 'author':
$socialUrl = $SiteURL . '/recent.php?au=' . urlencode($authorsearch);
break;
case 'type':
$socialUrl = $SiteURL . '/recent.php?ty=' . urlencode($typesearch);
break;
}
$types = $db->query("SELECT
value
FROM custom_column_1
ORDER BY value ASC");
?> ?>
<!DOCTYPE html> <!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]--> <!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]--> <!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
@@ -84,9 +135,9 @@ ORDER BY value ASC");
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Infopump - Recently Added - <?php echo $searchtopic; ?></title> <title>Infopump - Recently Added - <?php echo htmlspecialchars($searchtopic, ENT_QUOTES, 'UTF-8'); ?></title>
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Free HTML5 Template by FREEHTML5.CO" /> <meta name="description" content="Recently added items for <?php echo htmlspecialchars($searchtopic, ENT_QUOTES, 'UTF-8'); ?>" />
<meta name="keywords" content="free html5, free template, free bootstrap, html5, css3, mobile first, responsive" /> <meta name="keywords" content="free html5, free template, free bootstrap, html5, css3, mobile first, responsive" />
<meta name="author" content="FREEHTML5.CO" /> <meta name="author" content="FREEHTML5.CO" />
@@ -105,33 +156,14 @@ ORDER BY value ASC");
--> -->
<!-- Facebook and Twitter integration --> <!-- Facebook and Twitter integration -->
<meta property="og:title" content=<?php echo '"'.$SiteName.' - Recently Added - '.$searchtopic.'" />';?> <meta property="og:title" content="<?php echo htmlspecialchars($SiteName . ' - Recently Added - ' . $searchtopic, ENT_QUOTES, 'UTF-8'); ?>" />
<meta property="og:image" content="<?php echo htmlspecialchars($SiteURL, ENT_QUOTES, 'UTF-8'); ?>/images/og-site-avatar.jpg" />
<meta property="og:image" content=<?php echo '"'.$SiteURL.'/images/og-site-avatar.jpg" />';?> <meta property="og:url" content="<?php echo htmlspecialchars($socialUrl, ENT_QUOTES, 'UTF-8'); ?>" />
<meta property="og:site_name" content="<?php echo htmlspecialchars($SiteName . ' - Recently Added', ENT_QUOTES, 'UTF-8'); ?>" />
<?php <meta property="og:description" content="<?php echo htmlspecialchars($SubName, ENT_QUOTES, 'UTF-8'); ?>" />
if (!empty($keywordsearch)) { <meta name="twitter:title" content="<?php echo htmlspecialchars($SiteName . ' - Recently Added - ' . $searchtopic, ENT_QUOTES, 'UTF-8'); ?>" />
echo '<meta property="og:url" content="'.$SiteURL.'/recent.php?kw='.$socialkw.'" />'; <meta name="twitter:image" content="<?php echo htmlspecialchars($SiteURL, ENT_QUOTES, 'UTF-8'); ?>/images/og-site-avatar.jpg" />
echo '<meta name="twitter:url" content="'.$SiteURL.'/recent.php?kw='.$socialkw.'" />'; <meta name="twitter:url" content="<?php echo htmlspecialchars($socialUrl, ENT_QUOTES, 'UTF-8'); ?>" />
} elseif (!empty($authorsearch)) {
echo '<meta property="og:url" content="'.$SiteURL.'/recent.php?au='.$socialau.'" />';
echo '<meta name="twitter:url" content="'.$SiteURL.'/recent.php?au='.$socialau.'" />';
} else {
echo '<meta property="og:url" content="'.$SiteURL.'/recent.php?ty='.$socialty.'" />';
echo '<meta name="twitter:url" content="'.$SiteURL.'/recent.php?ty='.$socialty.'" />';
}
?>
<meta property="og:site_name" content=<?php echo '"'.$SiteName.' - Recently Added" />';?>
<meta property="og:description" content=<?php echo '"'.$SubName.'" />';?>
<meta name="twitter:title" content=<?php echo '"'.$SiteName.' - Recently Added - '.$searchtopic.'" />';?>
<meta name="twitter:image" content=<?php echo '"'.$SiteURL.'/images/og-site-avatar.jpg" />';?>
<meta name="twitter:card" content="summary" /> <meta name="twitter:card" content="summary" />
<!-- Place favicon.ico and apple-touch-icon.png in the root directory --> <!-- Place favicon.ico and apple-touch-icon.png in the root directory -->
@@ -144,10 +176,8 @@ ORDER BY value ASC");
<link rel="stylesheet" href="css/icomoon.css"> <link rel="stylesheet" href="css/icomoon.css">
<!-- Bootstrap --> <!-- Bootstrap -->
<link rel="stylesheet" href="css/bootstrap.css"> <link rel="stylesheet" href="css/bootstrap.css">
<link rel="stylesheet" href="css/style.css"> <link rel="stylesheet" href="css/style.css">
<!-- Modernizr JS --> <!-- Modernizr JS -->
<script src="js/modernizr-2.6.2.min.js"></script> <script src="js/modernizr-2.6.2.min.js"></script>
<!-- FOR IE9 below --> <!-- FOR IE9 below -->
@@ -165,7 +195,7 @@ ORDER BY value ASC");
</figure> </figure>
<h3 class="heading">About the Project</h3> <h3 class="heading">About the Project</h3>
<a href="index.php"><h2>Infopump</h2></a> <a href="index.php"><h2>Infopump</h2></a>
<p>A bibliographic management and display system.</p> <p>A bibliographic management and display system.<br /><a href="about.php">More info</a></p>
<hr> <hr>
<p>A free, open source project from:<br /> <p>A free, open source project from:<br />
<a href="https://rss.com/podcasts/l0wl1f3podcast/">The L0WL1F3 Podcast</a><br /> <a href="https://rss.com/podcasts/l0wl1f3podcast/">The L0WL1F3 Podcast</a><br />
@@ -173,8 +203,8 @@ ORDER BY value ASC");
<a href="https://cyberpunklibrarian.com">Cyberpunk Librarian</a> <a href="https://cyberpunklibrarian.com">Cyberpunk Librarian</a>
</p> </p>
<ul class="fh5co-social"> <ul class="fh5co-social">
<!--<li><a href="#"><i class="icon-twitter"></i></a></li>--> <!--<li><a href="#"><i class="icon-twitter"></i></a></li>
<!--<li><a href="#"><i class="icon-facebook"></i></a></li> <li><a href="#"><i class="icon-facebook"></i></a></li>
<li><a href="#"><i class="icon-instagram"></i></a></li>--> <li><a href="#"><i class="icon-instagram"></i></a></li>-->
</ul> </ul>
</div> </div>
@@ -184,22 +214,22 @@ ORDER BY value ASC");
<h3 class="heading">Recent Additions</h3> <h3 class="heading">Recent Additions</h3>
<ul> <ul>
<?php <?php
while ($row = $types->fetchArray()) { if ($types) {
$row_value = $row['value']; while ($row = $types->fetchArray(SQLITE3_ASSOC)) {
$row_titlecase = mb_convert_case($row_value, MB_CASE_TITLE, "UTF-8"); $row_value = htmlspecialchars($row['value'], ENT_QUOTES, 'UTF-8');
echo '<li><a href="recent.php?ty='.$row_value.'">'.$row_titlecase.'</a></li>'; $row_titlecase = htmlspecialchars(mb_convert_case($row['value'], MB_CASE_TITLE, "UTF-8"), ENT_QUOTES, 'UTF-8');
//echo '<li>'.$row_value.'</li>'; echo '<li><a href="recent.php?ty=' . urlencode($row['value']) . '">' . $row_titlecase . '</a></li>';
}
} }
?> ?>
</ul> </ul>
</div> </div>
<div class="fh5co-box"> <div class="fh5co-box">
<h3 class="heading">Search</h3> <h3 class="heading">Search</h3>
<form action="results.php" method="get"> <form action="results.php" method="get">
<div class="form-group"> <div class="form-group">
<input type="text" class="form-control" name="kw" placeholder="Keyword search"> <input type="text" class="form-control" name="kw" placeholder="Keyword search" maxlength="100">
</div> </div>
</form> </form>
</div> </div>
@@ -219,7 +249,7 @@ ORDER BY value ASC");
<li><a href="#"><i class="icon-instagram"></i></a></li> <li><a href="#"><i class="icon-instagram"></i></a></li>
</ul> --> </ul> -->
<div class="col-lg-12 col-md-12 text-center"> <div class="col-lg-12 col-md-12 text-center">
<h1 id="fh5co-logo"><a href="index.php">Recently Added<br /><br /><?php echo $searchtopic; ?></a></h1> <h1 id="fh5co-logo"><a href="index.php">Recently Added<br /><br /><?php echo htmlspecialchars($searchtopic, ENT_QUOTES, 'UTF-8'); ?></a></h1>
</div> </div>
</div> </div>
@@ -235,31 +265,26 @@ ORDER BY value ASC");
<div class="row rp-b"> <div class="row rp-b">
<div class="col-md-12 animate-box"> <div class="col-md-12 animate-box">
<?php <?php
if ($keywordsearch != '') { if ($results) {
while ($row = $keywordquery->fetchArray()) { $hasResults = false;
$row_id = $row['id']; while ($row = $results->fetchArray(SQLITE3_ASSOC)) {
$row_title = $row['title']; $hasResults = true;
$row_excerpt = $row['excerpt']; $row_id = (int)$row['id'];
$row_title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
$row_excerpt = htmlspecialchars(strip_tags($row['excerpt']), ENT_QUOTES, 'UTF-8');
echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>'; echo '<p style="padding:25px 0 35px 0;">';
echo '<img style="float:left; max-height: 120px; padding: 10px 10px" src="images/' . $row_id . '.jpg" alt="' . $row_title . '">';
echo '<strong><em><a href="itemrecord.php?itemid=' . $row_id . '">' . $row_title . '</a></em> :</strong> ';
echo $row_excerpt . '...</p>';
}
if (!$hasResults) {
echo '<p>No recent items found.</p>';
}
} else {
echo '<p>An error occurred while retrieving recent items. Please try again.</p>';
} }
} elseif ($typesearch != '') {
while ($row = $typequery->fetchArray()) {
$row_id = $row['id'];
$row_title = $row['title'];
$row_excerpt = $row['excerpt'];
echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
}
} else {
while ($row = $authorquery->fetchArray()) {
$row_id = $row['id'];
$row_title = $row['title'];
$row_excerpt = $row['excerpt'];
echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
}
}
?> ?>
</div> </div>
</div> </div>
@@ -270,7 +295,7 @@ ORDER BY value ASC");
</div> </div>
<footer id="fh5co-footer"> <footer id="fh5co-footer">
<p><small>&copy; Creative Commons By-NC-SA<br> Design by <a href="http://freehtml5.co" target="_blank">FREEHTML5.co</a></small></p> <p><small>&copy; Creative Commons By-NC-SA<br> Design by <a href="http://freehtml5.co" target="_blank">FREEHTML5.co</a></small></p>
</footer> </footer>
<!-- jQuery --> <!-- jQuery -->
@@ -287,3 +312,7 @@ ORDER BY value ASC");
</body> </body>
</html> </html>
<?php
// Close database connection
$db->close();
?>

74
settings.php
View File

@@ -1,24 +1,68 @@
<?php <?php
$sitesettings = new SQLite3('settings.sqlite'); /**
* Site Settings Configuration
* Loads site settings from SQLite database
*/
$getName = $sitesettings->query('SELECT description FROM site WHERE id = 1'); // Initialize default values
$SiteName = 'Infopump';
$SubName = 'A bibliographic display system';
$SiteURL = '';
while ($row = $getName->fetchArray()) { try {
$SiteName = $row['description']; // Establish database connection
$sitesettings = new SQLite3('settings.sqlite', SQLITE3_OPEN_READONLY);
$sitesettings->enableExceptions(true);
// Fetch all settings in a single query for efficiency
$stmt = $sitesettings->prepare('SELECT id, description FROM site WHERE id IN (1, 2, 3) ORDER BY id');
$result = $stmt->execute();
// Process results
$settings = [];
while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
$settings[(int)$row['id']] = $row['description'];
}
// Assign settings to variables with validation
if (isset($settings[1]) && !empty(trim($settings[1]))) {
$SiteName = htmlspecialchars(trim($settings[1]), ENT_QUOTES, 'UTF-8');
}
if (isset($settings[2]) && !empty(trim($settings[2]))) {
$SubName = htmlspecialchars(trim($settings[2]), ENT_QUOTES, 'UTF-8');
}
if (isset($settings[3]) && !empty(trim($settings[3]))) {
// Validate and sanitize URL
$url = trim($settings[3]);
// Remove trailing slash for consistency
$url = rtrim($url, '/');
// Basic URL validation
if (filter_var($url, FILTER_VALIDATE_URL)) {
$SiteURL = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
} else {
error_log("Invalid site URL in settings: " . $url);
}
}
// Close database connection
$sitesettings->close();
} catch (Exception $e) {
// Log error but continue with default values
error_log("Settings database error: " . $e->getMessage());
// Ensure variables are set even if database fails
if (!isset($SiteName)) $SiteName = 'Infopump';
if (!isset($SubName)) $SubName = 'A bibliographic display system';
if (!isset($SiteURL)) $SiteURL = '';
} }
$getSubName = $sitesettings->query('SELECT description FROM site WHERE id = 2'); // Verify all required settings are defined
if (empty($SiteName) || empty($SubName)) {
while ($row = $getSubName->fetchArray()) { error_log("Critical site settings are missing or empty");
$SubName = $row['description'];
} }
$getURL = $sitesettings->query('SELECT description FROM site WHERE id = 3');
while ($row = $getURL->fetchArray()) {
$SiteURL = $row['description'];
}
?> ?>