* It also has some session register functions that work across various
* php versions.
*
- * @copyright 1999-2009 The SquirrelMail Project Team
+ * @copyright 1999-2020 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="",
$bSecure=false, $bHttpOnly=true, $bReplace=false) {
+ // some environments can get overwhelmed by an excessive
+ // setting of the same cookie over and over (e.g., many
+ // calls to this function via sqsession_is_active() result
+ // in repeated setting of the session cookie when $bReplace
+ // is FALSE, but something odd happens (during login only)
+ // if we change that to default TRUE) ... so we keep our own
+ // naive per-request name/value cache and only set the cookie
+ // if its value is changing (or never seen before)
+ static $cookies = array();
+ if (isset($cookies[$sName]) && $cookies[$sName] === $sValue)
+ return;
+ else
+ $cookies[$sName] = $sValue;
+
+
// if we have a secure connection then limit the cookies to https only.
global $is_secure_connection;
if ($sName && $is_secure_connection)
/**
* php_self
*
- * Creates an URL for the page calling this function, using either the PHP global
- * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1
- * function was stored in function/strings.php.
+ * Attempts to determine the path and filename and any arguments
+ * for the currently executing script. This is usually found in
+ * $_SERVER['REQUEST_URI'], but some environments may differ, so
+ * this function tries to standardize this value.
+ *
+ * Note that before SquirrelMail version 1.5.1, this function was
+ * stored in function/strings.php.
*
- * @return string the complete url for this page
* @since 1.2.3
+ * @return string The path, filename and any arguments for the
+ * current script
*/
-function php_self () {
+function php_self() {
- if (sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER)
- && !empty($php_self)) {
+ $request_uri = '';
- // need to add query string to end of PHP_SELF to match REQUEST_URI
+ // first try $_SERVER['PHP_SELF'], which seems most reliable
+ // (albeit it usually won't include the query string)
+ //
+ $request_uri = '';
+ if (!sqgetGlobalVar('PHP_SELF', $request_uri, SQ_SERVER)
+ || empty($request_uri)) {
+
+ // well, then let's try $_SERVER['REQUEST_URI']
//
- if (sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER)
- && !empty($query_string)) {
- $php_self .= '?' . $query_string;
+ $request_uri = '';
+ if (!sqgetGlobalVar('REQUEST_URI', $request_uri, SQ_SERVER)
+ || empty($request_uri)) {
+
+ // TODO: anyone have any other ideas? maybe $_SERVER['SCRIPT_NAME']???
+ //
+ return '';
}
- return $php_self;
}
- // some versions of PHP, perhaps specifically in use with lighttpd,
- // return a blank string for PHP_SELF, so we use REQUEST_URI as a backup:
- //
- else if (sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER)
- && !empty($req_uri)) {
+ // we may or may not have any query arguments, depending on
+ // which environment variable was used above, and the PHP
+ // version, etc., so let's check for it now
+ //
+ $query_string = '';
+ if (strpos($request_uri, '?') === FALSE
+ && sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER)
+ && !empty($query_string)) {
- // some versions of PHP (such as 4.4.4) don't include the query
- // string in REQUEST_URI, but most do... here's a fix for the
- // odd ones out (assuming QUERY_STRING is reliable in those cases)
- //
- if (strpos($req_uri, '?') === FALSE
- && sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER)
- && !empty($query_string)) {
+ $request_uri .= '?' . $query_string;
+ }
- $req_uri .= '?' . $query_string;
- }
-
- return $req_uri;
- }
+ return $request_uri;
- return '';
}
/**
- * Sanitize a value using htmlspecialchars() or similar, but also
- * recursively run htmlspecialchars() (or similar) on array keys
+ * Sanitize a value using sm_encode_html_special_chars() or similar, but also
+ * recursively run sm_encode_html_special_chars() (or similar) on array keys
* and values.
*
* If $value is not a string or an array with strings in it,
if ($quote_style === TRUE)
return str_replace(array('\'', '"'), array(''', '"'), $value);
else
- return htmlspecialchars($value, $quote_style);
+ return sm_encode_html_special_chars($value, $quote_style);
}
// anything else gets returned with no changes