Security fix, issue 51 - checking for entry

admin/admin.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry')) define('entry',true);  
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -9,15 +10,11 @@
   Copyright (C) 2007 by Pedro Santana <pecesama at gmail dot com>
 
   =========================== */
-?>
-<?php
-require_once('../config.php');
+
 include("../classes/user.class.php");
 include("../classes/functions.php");
 require_once("../classes/configuration.class.php");
-
-$user = new user();
-$conf = new configuration();
+require_once('../entry.php');
 
 if ($user->isAdmin()) {
 	

admin/ajax.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry'))define('entry', true);
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS

admin/close.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry'))define('entry', true);
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -11,15 +12,10 @@
   =========================== */
 ?>
 <?php
-require_once('../config.php');
-include("../classes/functions.php");
-include("../classes/user.class.php");
-require_once("../classes/configuration.class.php");
+require('../entry.php');
+global $user;
+$closed = $user->closeSession();
 
-session_start();
-$user = new user();
-$conf = new configuration();
-$user->closeSession()
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 	<html xmlns="http://www.w3.org/1999/xhtml">
@@ -52,7 +48,7 @@ $user->closeSession()
 					<div class="tabla">
 						<p>
 <?php
-						if (@session_destroy()) {
+						if ($closed) {
 ?>		
 							<h2><?php echo __("Ending session...")?></h2>
 <?php

admin/comments.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry')) define('entry',true);
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -11,17 +12,9 @@
   =========================== */
 ?>
 <?php
-require_once('../config.php');
-include("../classes/functions.php");
-include("../classes/user.class.php");
-include("../classes/comments.class.php");
-include("../classes/templates.class.php");
-include("../classes/pagination.class.php");
-require_once("../classes/configuration.class.php");
+require_once('../entry.php');
 
-$user = new user();
 $comment = new comments();
-$conf = new configuration();
 $template = new plantillas("admin");
 $isAdmin = $user->isAdmin();
 $isEdition = isset($_GET["edit"]);

admin/index.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry'))define('entry', true);
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -11,18 +12,10 @@
   =========================== */
 ?>
 <?php
-require_once('../config.php');
-include("../classes/functions.php");
-include("../classes/user.class.php");
-include("../classes/pagination.class.php");
-include("../classes/gelato.class.php");
-include("../classes/textile.class.php");
-include("../classes/templates.class.php");
-require_once("../classes/configuration.class.php");
 
-$user = new user();
-$tumble = new gelato();
-$conf = new configuration();
+
+require('../entry.php');
+global $user, $conf, $tumble;
 $template = new plantillas("admin");
 
 $isEdition = (isset($_GET["edit"])) ? true : false;
@@ -144,7 +137,7 @@ if ($user->isAdmin()) {
 				<h1><a href="<?php echo $conf->urlGelato;?>/admin/index.php" title="gelato :: <?php echo __("home")?>">gelato cms</a></h1>
 				<ul id="nav">
 					<li><a href="<?php echo $conf->urlGelato;?>/" title="<?php echo __("Take me to the tumblelog")?>"><?php echo __("View Tumblelog")?></a></li>
-					<li><a href="close.php" title="Log off" onclick="return exit('div-process','<?php echo $conf->urlGelato;?>/admin/ajax.php?action=close');"><?php echo __("Log out")?></a></li>
+					<li><a href="close.php" title="Log off" ><?php echo __("Log out")?></a></li>
 			  	</ul>
 			</div>
 			<div id="main">
@@ -241,8 +234,8 @@ if ($user->isAdmin()) {
 							$body = ($isEdition) ? stripslashes($post["description"]) : "";
 							$url = ($isEdition) ? $post["url"] : "";
 							
-							
-							switch (isset($_GET["new"]) && $_GET["new"]) {
+							if (!isset($_GET['new'])) $_GET['new'] = 'default';
+							switch ($_GET["new"]) {
 								case "post":
 									$input = array("{type}", "{date}", "{id_user}", "{editTitle}", "{editBody}");
 									$output = array("1", $date, $_SESSION['user_id'], $title, $body);

admin/options.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry')) define('entry',true);  
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -11,15 +12,11 @@
   =========================== */
 ?>
 <?php
-require_once('../config.php');
 include("../classes/functions.php");
 include("../classes/user.class.php");
 include("../classes/gelato.class.php");
 require_once("../classes/configuration.class.php");
-
-$user = new user();
-$tumble = new gelato();
-$conf = new configuration();
+require_once('../entry.php');
 
 if ($user->isAdmin()) {
 	

admin/settings.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry')) define('entry',true);  
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -9,17 +10,12 @@
   Copyright (C) 2007 by Pedro Santana <pecesama at gmail dot com>
 
   =========================== */
-?>
-<?php
-require_once('../config.php');
+
 include("../classes/functions.php");
 include("../classes/user.class.php");
 include("../classes/gelato.class.php");
 require_once("../classes/configuration.class.php");
-
-$user = new user();
-$tumble = new gelato();
-$conf = new configuration();
+require_once('../entry.php');
 
 if ($user->isAdmin()) {
 	

admin/user.php

@@ -1,5 +1,5 @@
 <?php
-/* ===========================
+if(!defined('entry') || !entry) die('Not a valid page'); /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
   development version

api.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS

classes/comments.class.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -9,10 +10,6 @@
   Copyright (C) 2007 by Pedro Santana <pecesama at gmail dot com>
 
   =========================== */
-?>
-<?php
-require_once("configuration.class.php");
-require_once("functions.php");
 
 class comments extends Conexion_Mysql {
 	var $conf;

classes/configuration.class.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -12,6 +13,7 @@
 ?>
 <?php
 require_once("lang.functions.php");
+require_once('mysql_connection.class.php');
 class configuration extends Conexion_Mysql {
 	
 	var $urlGelato;

classes/functions.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS

classes/gelato.class.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS

classes/gettext.class.php

@@ -1,4 +1,6 @@
 <?php
+ if(!defined('entry') || !entry) die('Not a valid page');
+ 
 /*
    Copyright (c) 2003 Danilo Segan <danilo@kvota.net>.
    Copyright (c) 2005 Nico Kaiser <nico@siriux.net>

classes/imgsize.php

@@ -1,4 +1,5 @@
 <?php
+ if(!defined('entry') || !entry) die('Not a valid page');
 header ("Content-type: image/jpeg");
 header('Cache-Control: max-age=172800, must-revalidate');
 header('Expires: ' . date('r', time()+120));

classes/install.class.php

@@ -0,0 +1,280 @@
+<?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
+require('classes/mysql_connection.class.php');
+
+class Install {
+	var $data = null;
+	var $errors = null;
+	var $showForm;
+	var $errors_d = array();
+	
+	function Install(){
+		$this->errors_d[1]="The login field cannot be empty";
+		$this->errors_d[2]="The password field cannot be empty";
+		$this->errors_d[3]="Password does not match the confirm password";
+		$this->errors_d[4]="The e-mail field cannot be empty";
+		$this->errors_d[5]="The installation URL field cannot be empty";
+		$this->errors_d[6]="Error establishing a database connection";
+		$this->errors_d[7]="Please add a hostname for the database server";
+		$this->errors_d[8]="Please name the database";
+	}
+	
+    function run() {
+    	
+    	if (empty($this->data)) false;
+    	
+    	if (!$this->create_config()) return false;
+    	
+    	$this->create_db();
+    	
+    	if (!$this->install_db()) return false;
+		
+		return true;
+    }
+    
+    function create_db(){
+		
+	    $link =  mysql_connect($this->data['db_host'], $this->data['db_login'], $this->data['db_password']);
+		if (!$link) {
+		    die('Could not connect: ' . mysql_error());
+		}
+		
+		$sql = 'CREATE DATABASE ' . $this->data['db_name'];
+		if (!mysql_query($sql, $link)) {
+			$link = mysql_close($link);
+			return false;
+		} 
+		
+		return true;    	
+    }
+    
+	function install_db(){
+		require('config.php');
+		$db = new Conexion_Mysql(DB_name, DB_Server, DB_User, DB_Password);	
+		$sqlStr = array();
+		
+		$sqlStr[] = "CREATE TABLE `".Table_prefix."data` (
+			  `id_post` int(11) NOT NULL auto_increment,
+			  `title` text NULL,
+			  `url` varchar(250)  default NULL,
+			  `description` text NULL,
+			  `type` tinyint(4) NOT NULL default '1',
+			  `date` datetime NOT NULL,
+			  `id_user` int(10) NOT NULL,
+			  PRIMARY KEY  (`id_post`)
+			) ENGINE = MYISAM ;";
+
+		$sqlStr[] = "CREATE TABLE `".Table_prefix."users` (
+			  `id_user` int(10) unsigned NOT NULL auto_increment,
+			  `name` varchar(100) default NULL,
+			  `login` varchar(100) NOT NULL default '',
+			  `password` varchar(64) NOT NULL default '',
+			  `email` varchar(100) default NULL,
+			  `website` varchar(150) default NULL,
+			  `about` text,
+			  PRIMARY KEY  (`id_user`)
+			) ENGINE = MYISAM;";
+
+		$sqlStr[] = "CREATE TABLE `".Table_prefix."config` (
+			  `posts_limit` int(3) NOT NULL,
+			  `title` varchar(250) NOT NULL,
+			  `description` text NOT NULL,
+			  `lang` varchar(10) NOT NULL,
+			  `template` varchar(100) NOT NULL,
+			  `url_installation` varchar(250) NOT NULL,
+			  PRIMARY KEY  (`title`)
+			) ENGINE = MYISAM ;";
+			
+
+		
+		$sqlStr[] = "CREATE TABLE `".Table_prefix."options` (
+		  `name` varchar(100) NOT NULL,
+		  `val` varchar(255) NOT NULL,
+		  PRIMARY KEY  (`name`)
+		) ENGINE = MYISAM ;";
+
+		
+		$sqlStr[] = "CREATE TABLE `".Table_prefix."comments` (
+		  `id_comment` int(11) NOT NULL auto_increment,
+		  `id_post` int(11) NOT NULL,
+		  `username` varchar(50) NOT NULL,
+		  `email` varchar(100) NOT NULL,
+		  `web` varchar(250) default NULL,
+		  `content` text NOT NULL,
+		  `ip_user` varchar(50) NOT NULL,
+		  `comment_date` datetime NOT NULL,
+		  `spam` tinyint(4) NOT NULL,
+		  PRIMARY KEY  (`id_comment`)
+		) ENGINE = MYISAM ;";
+					
+		$sqlStr[] =  "INSERT INTO `".Table_prefix."config` VALUES (". $this->data['posts_limit'] .", '".$this->data['title']."', '".$this->data['description']."', '".$this->data['lang']."', '".$this->data['template']."', '".$this->data['url_installation']."');";		
+		$sqlStr[] =  "INSERT INTO `".Table_prefix."users` VALUES ('', '', '".$this->data['login']."', '".md5($this->data['password'])."', '".$this->data['email']."', '".$this->data['website']."', '".$this->data['about']."');";
+		$sqlStr[] =  "INSERT INTO `".Table_prefix."options` VALUES ('url_friendly', '1');";
+		$sqlStr[] =  "INSERT INTO `".Table_prefix."options` VALUES ('rich_text', '0');";		
+		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('allow_comments', '0');";
+		$sqlStr[] =  "INSERT INTO `".Table_prefix."options` VALUES ('offset_city', '".$this->data['offset_city']."');";		
+		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('offset_time', '".$this->data['offset_time']."');";
+		
+		foreach($sqlStr as $key => $query){
+			if(!$db->ejecutarConsulta($query)){
+				return false;
+			}
+		}
+
+		return true;
+	}
+	
+	function inerrors($n) {
+		if ( strpos($this->errors,$n)===false) {
+			return false;
+		} else {
+			return true;
+		}
+	}
+	
+	function mostrarerror($n) {
+		if ($this->inerrors($n)) {
+			return '<span class="error">'.$this->errors_d[$n].'</span>';
+		} else {
+			return "";
+		}
+	}
+	
+	function is_gelato_installed(){
+		if (!$this->check_for_config()){ 
+			return false; 
+		} else {/*
+			if (!$this->is_db_installed()){
+				return false;
+			}
+			*/
+		}
+		
+		return true;
+	}
+	/*
+	function is_db_installed(){
+	
+			global $db;	
+			
+			if (function_exists($db->ejecutarConsulta)){
+				$sqlStr = "SELECT * FROM `".Table_prefix."config`";
+				if($db->ejecutarConsulta($sqlStr)) {
+					return ($db->contarRegistros() > 0);
+				}
+			} else {
+				false;
+			}
+	
+	}
+	*/
+	function check_for_config(){
+		if(!file_exists('config.php')) return false;
+		if(!defined('DB_Server')) return false;
+		if(!defined('DB_name')) return false;
+		if(!defined('DB_User')) return false;
+		if(!defined('DB_Password')) return false;
+		
+		return true;
+	}
+	
+	function create_config(){
+		$config = fopen("config.php", 'w+');
+		$contents = '<?php
+if(!defined(\'entry\') || !entry) die(\'Not a valid page\'); 
+/* ===========================
+
+  gelato CMS - A PHP based tumblelog CMS
+  development version
+  http://www.gelatocms.com/
+
+  gelato CMS is a free software licensed under the GPL 2.0
+  Copyright (C) 2007 by Pedro Santana <pecesama at gmail dot com>
+
+  =========================== */
+
+define(\'DB_Server\', \''. $this->data['db_host'] . '\');
+define(\'DB_name\', \''. $this->data['db_name'] . '\');
+define(\'DB_User\', \''. $this->data['db_login'] . '\');
+define(\'DB_Password\', \''. $this->data['db_password'] . '\'); 
+define(\'Table_prefix\', \'gel_\');
+define(\'Absolute_Path\', dirname(__FILE__).DIRECTORY_SEPARATOR);
+
+?>';
+
+	    if (fwrite($config, $contents) === FALSE) {
+	        $this->errors = "Could not write config file to directory";
+	        return false;
+	    } 
+	    fclose($config);
+	    return true;		
+	}
+	
+	function check_form(){
+
+		$action="";
+		
+		if (isset($this->data['action'])){
+			$action=$this->data['action'];
+		}
+		
+		if (!$this->is_gelato_installed()){
+			
+		$this->showForm = true;
+			
+		
+			if ($action=="config") {
+				
+				$sep_err="";
+				$this->errors = false;
+				
+				if (!$this->data['login'] || !$this->data['db_login']) {
+					$this->errors =$this->errors.$sep_err."1";
+					$sep_err="|";
+				}
+				if (!$this->data['password'] ||  !$this->data['db_password']) {
+					$this->errors=$this->errors.$sep_err."2";
+					$sep_err="|";
+				}
+				if (!$this->data['email']) {
+					$this->errors=$this->errors.$sep_err."4";
+					$sep_err="|";
+				}
+				if (!$this->data['url_installation'] ) {
+					$this->errors=$this->errors.$sep_err."5";
+					$sep_err="|";
+				}
+				if (!$this->data['db_host'] ) {
+					$this->errors=$this->errors.$sep_err."7";
+					$sep_err="|";
+				}
+				if (!$this->data['db_name'] ) {
+					$this->errors=$this->errors.$sep_err."8";
+					$sep_err="|";
+				}
+				if ($this->data['password']!=$_POST['password2'] ||  $_POST['db_password']!=$_POST['db_password2'] ) {
+					$this->errors=$this->errors.$sep_err."3";
+					$sep_err="|";
+				}
+				$off_r= split("," , $this->data['time_offsets']);
+				$this->data['offset_time'] = $off_r[0];
+				$this->data['offset_city'] = $off_r[1];
+				unset($this->data['time_offsets']);
+				
+				if (!$this->errors) {
+							
+					if ($this->run($this->data)) {
+						$this->showForm=false;
+					} else {
+						$this->errors=$this->errors.$sep_err."6";
+						$sep_err="|";
+						$this->showForm=true;
+					}		
+				} else {
+					$this->showForm=true;
+				}
+			}
+		}	
+	}	
+}
+?>

classes/lang.functions.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS

classes/mysql_connection.class.php

@@ -1,4 +1,5 @@
 <?php
+ if(!defined('entry') || !entry) die('Not a valid page');
 /**
  * version 0.0.1
  *

classes/pagination.class.php

@@ -1,4 +1,6 @@
 <?php
+ if(!defined('entry') || !entry) die('Not a valid page');
+
 class pagination{
 /*
 Script Name: *Digg Style Paginator Class

classes/streams.class.php

@@ -1,4 +1,6 @@
 <?php
+ if(!defined('entry') || !entry) die('Not a valid page');
+
 /*
    Copyright (c) 2003, 2005 Danilo Segan <danilo@kvota.net>.
 

classes/templates.class.php

@@ -1,4 +1,6 @@
 <?php
+ if(!defined('entry') || !entry) die('Not a valid page');
+
 /**
  * version 0.0.1
  *

classes/textile.class.php

@@ -1,5 +1,5 @@
 <?php
-
+ if(!defined('entry') || !entry) die('Not a valid page');
 /**
  * Example: get XHTML from a given Textile-markup string ($string)
  *

classes/user.class.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -15,41 +16,46 @@ require_once("configuration.class.php");
 
 class user extends Conexion_Mysql {
 	var $conf;
+	var $cookieString;
+	var $cookieTime;
+	var $persist = false;
+
 
 	function user() {
 		parent::Conexion_Mysql(DB_name, DB_Server, DB_User, DB_Password);
+		$this->cookie_life = 60*24*3600;
+		$this->cookieTime = time();
 		$this->conf = new configuration();
 	}
 
 	function isAdmin() {
-		if(isset($_COOKIE["gelato_cookie"]) && $_COOKIE["gelato_cookie"] && $_COOKIE["gelato_cookie"]!="") {
-			$galleta = explode(",",$_COOKIE["gelato_cookie"]);
-			if ($this->validateUser($galleta[1],$galleta[2])) {
-				$_SESSION["user_id"]=$galleta[0];
-				$_SESSION["user_login"]=$galleta[1];
-			} else {
-				$_SESSION["user_id"]="";
-				$_SESSION["user_login"]="";
-				unset($_SESSION["user_id"]);
-				unset($_SESSION["user_login"]);
-			}
-		}
-		if (isset($_SESSION["user_id"]) && isset($_SESSION["user_login"])) {
+		
+		if ((!empty($_SESSION["user_id"]) && !empty($_SESSION["user_login"]))  && (isset($_SESSION['authenticated'])  && $_SESSION['authenticated']==true)) {
 			return true;
 		}
+		
+		if(isset($_COOKIE["PHPSESSID"]) && $_COOKIE["PHPSESSID"]!="") {
+			if ((!empty($_SESSION["user_id"]) && !empty($_SESSION["user_login"]))  && (isset($_SESSION['authenticated'])  && $_SESSION['authenticated']==true)) {
+				return true;
+			} 
+		}
+		
 		return false;
+		
 	}
 
-	function validateUser($user="", $password="") {
-		if ($this->ejecutarConsulta("SELECT id_user, login, password  FROM ".$this->conf->tablePrefix."users WHERE login='".sql_escape($user)."' AND password='".$password."'")) {
+	function validateUser($username="", $password="") {
+
+		if ($this->ejecutarConsulta("SELECT id_user, login, password  FROM ".$this->conf->tablePrefix."users WHERE login='".sql_escape($username)."' AND password='".$password."'")) {
 			if ($this->contarRegistros()>0) {
 				$register=$this->obtenerRegistro();
 				$_SESSION['user_id']=$register["id_user"];
 				$_SESSION['user_login']=$register["login"];
+				$_SESSION['authenticated'] = true;
 				if (isset($_POST["save_pass"])) {
-					$cookie_life = 60*24*3600;
-					setcookie("gelato_cookie",$register["id_user"].",".$register["login"].",".$register["password"],time()+$cookie_life);
-				}
+					$this->persist = true;
+					setcookie("PHPSESSID",session_id(),$this->cookieTime+$this->cookie_life);
+				} 
 				return true;
 			} else {
 				return false;
@@ -59,18 +65,9 @@ class user extends Conexion_Mysql {
 		}
 	}
 
-	function closeSession() {
-		$_SESSION = array();
-		$_COOKIE["gelato_cookie"]="";
-		setcookie("gelato_cookie","",time()-3600,'/','',0);
-		setcookie("gelato_cookie","",0);
-		unset($_COOKIE["gelato_cookie"]);
-		unset($_COOKIE[session_name()]);
-		if (session_destroy()) {
-			return true;
-		} else {
-			return false;
-		}
+	function closeSession() {	
+		if (!$this->persist) session_destroy();
+		return true;	
 	}
 
 	function userExist($user="") {
@@ -82,6 +79,10 @@ class user extends Conexion_Mysql {
 			}
 		}
 	}
+	
+	function isAuthenticated(){
+		return $this->isAdmin();
+	}
 
 	function addUser($fieldsArray) {
 		if ($this->ejecutarConsulta("SELECT id_user FROM ".$this->conf->tablePrefix."users WHERE login='".$fieldsArray['login']."'")) {

comments.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page');
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS

config-sample.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS

entry.php

@@ -0,0 +1,51 @@
+<?php
+ if(!defined('entry') || !entry) die('Not a valid page');
+/*
+ * Created on Sep 15, 2007
+ *
+ * Known Entry Points 
+ * install.php
+ * index.php
+ * login.php
+ * admin/index.php
+ * admin/close.php
+ * admin/ajax.php
+ * admin/settings.php
+ * admin/options.php
+ * admin/admin.php
+ * admin/comments.php
+ */
+
+ 
+// PHP settings specific to Gelato
+ini_set('pcre.backtrack_limit', '10000');
+
+// Globals to be used throughout the application        
+$configFile = dirname(__FILE__).DIRECTORY_SEPARATOR."config.php";
+
+if (!file_exists($configFile)) {
+	header("Location: install.php");  
+} else {
+        require(dirname(__FILE__).DIRECTORY_SEPARATOR."config.php");
+}       
+
+require_once("classes/configuration.class.php");
+require_once("classes/textile.class.php");
+require_once("classes/gelato.class.php");    
+require_once("classes/templates.class.php");
+require_once("classes/pagination.class.php");
+require_once("classes/user.class.php");
+require_once("classes/comments.class.php");
+require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'mysql_connection.class.php');
+require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'streams.class.php');
+require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'gettext.class.php');
+require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'lang.functions.php');
+        
+$user = new user();
+$conf = new configuration();
+$tumble = new gelato();
+
+
+session_start();
+
+?>

index.php

@@ -1,5 +1,6 @@
 <?php
-/* ===========================
+if(!defined('entry'))define('entry', true);
+ /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
   development version
@@ -11,32 +12,14 @@
   =========================== */
 ?>
 <?php
+
+// Received a valid request, better start setting globals we'll need throughout the app in entry.php
+require_once('entry.php');
+global $user, $tumble, $conf, $db;
+
+$template = new plantillas($conf->template);
         // My approach to MVC
-        
-        $configFile = dirname(__FILE__).DIRECTORY_SEPARATOR."config.php";
-        
-        if (!file_exists($configFile)) {
-                $mensaje = "
-                        <h3 class=\"important\">Error reading configuration file</h3>                   
-                        <p>There doesn't seem to be a <code>config.php</code> file. I need this before we can get started.</p>
-                        <p>This either means that you did not rename the <code>config-sample.php</code> file to <code>config.php</code>.</p>";
-                die($mensaje);  
-        } else {
-                require(dirname(__FILE__).DIRECTORY_SEPARATOR."config.php");
-        }       
-        
-        include("classes/configuration.class.php");
-        include("classes/textile.class.php");
-        include("classes/gelato.class.php");    
-        include("classes/templates.class.php");
-        include("classes/pagination.class.php");
-        include("classes/user.class.php");
-		include("classes/comments.class.php");
-                
-        $user = new user();
-        $conf = new configuration();
-        $tumble = new gelato();
-        $template = new plantillas($conf->template);
+
 
         if(isset($_SERVER['PATH_INFO'])) $param_url = explode("/",$_SERVER['PATH_INFO']);
 
@@ -78,7 +61,7 @@
         $template->cargarPlantilla($input, $output, "template_header");
         $template->mostrarPlantilla();
         
-        if ($user->isAdmin()) { 
+        if ($user->isAuthenticated()) { 
                 $input = array("{User}", "{URL_Tumble}");
                 $output = array($_SESSION["user_login"], $conf->urlGelato);
                 

install.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry'))define('entry', true);
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -9,84 +10,15 @@
   Copyright (C) 2007 by Pedro Santana <pecesama at gmail dot com>
 
   =========================== */
-?>
-<?php
 
 $configFile = dirname(__FILE__).DIRECTORY_SEPARATOR."config.php";
-	
-if (!file_exists($configFile)) {
-	$mensaje = "
-			<h3 class=\"important\">Error reading configuration file</h3>			
-			<p>There doesn't seem to be a <code>config.php</code> file. I need this before we can get started.</p>
-			<p>This either means that you did not rename the <code>config-sample.php</code> file to <code>config.php</code>.</p>";
-	die($mensaje);
-} else {
-	require(dirname(__FILE__).DIRECTORY_SEPARATOR."config.php");
-	$showForm = true;
-}
 
-
-include("classes/functions.php");
+include('classes/functions.php');
+include('classes/install.class.php');
  
-$errors_d=array();
-$errors_d[1]="The login field cannot be empty";
-$errors_d[2]="The password field cannot be empty";
-$errors_d[3]="Password does not match the confirm password";
-$errors_d[4]="The e-mail field cannot be empty";
-$errors_d[5]="The installation URL field cannot be empty";
-$errors_d[6]="Error establishing a database connection";
-
-$action="";
-$errors="";
-
-if (isset($_POST['action'])){
-	$action=$_POST['action'];
-}
-
-if ($action=="config" && !is_db_installed()) {
-	
-	$sep_err="";
-	
-	if (!$_POST['login']) {
-		$errors=$errors.$sep_err."1";
-		$sep_err="|";
-	}
-	if (!$_POST['password']) {
-		$errors=$errors.$sep_err."2";
-		$sep_err="|";
-	}
-	if (!$_POST['email']) {
-		$errors=$errors.$sep_err."4";
-		$sep_err="|";
-	}
-	if (!$_POST['url_installation']) {
-		$errors=$errors.$sep_err."5";
-		$sep_err="|";
-	}
-	if ($_POST['password']!=$_POST['password2']) {
-		$errors=$errors.$sep_err."3";
-		$sep_err="|";
-	}
-	$off_r= split("," , $_POST['time_offsets']);
-	$_POST['offset_time'] = $off_r[0];
-	$_POST['offset_city'] = $off_r[1];
-	unset($_POST['time_offsets']);
-	
-	if (!$errors) {		
-		if (install_db($_POST['login'], $_POST['password'], $_POST['email'], $_POST['title'], $_POST['description'], $_POST['url_installation'], $_POST['posts_limit'], $_POST['lang'], $_POST['template'], $_POST['website'], $_POST['about'], $_POST['offset_city'], $_POST['offset_time'])) {
-			$showForm=false;
-		} else {
-			$errors=$errors.$sep_err."6";
-			$sep_err="|";
-			$showForm=true;
-		}		
-	} else {
-		$showForm=true;
-	}
-}
-	
-	
-	$showForm = (!is_db_installed());
+$install = new Install(); 
+$install->data = $_POST;
+$install->check_form();
 
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -110,7 +42,7 @@ if ($action=="config" && !is_db_installed()) {
 	
 <?php
 
-	if ($showForm) {
+	if ($install->showForm) {
 ?>
 	
 	<div class="box">
@@ -122,17 +54,32 @@ if ($action=="config" && !is_db_installed()) {
 	
 		<div class="tabla">
 			<form action="install.php" method="post" id="config_form" autocomplete="off" class="newpost">
+				<fieldset>
+					<legend class="install">Database Settings</legend>
+					<ul>
+						<li><label for="login">User:</label>
+							<input type="text" name="db_login" id="db_login" value="" class="txt"/><?php echo $install->mostrarerror("1")?></li>
+						<li><label for="password">Password:</label>
+							<input type="password" name="db_password" id="db_password" value="" class="txt"/><?php echo $install->mostrarerror("2")?></li>
+						<li><label for="password2">Re-type password:</label>
+							<input type="password" name="db_password2" id="db_password2" value="" class="txt"/><?php echo $install->mostrarerror("3")?></li>						
+						<li><label for="email">Database Host:</label>
+							<input type="text" name="db_host" id="db_host" value="localhost" class="txt"/><?php echo $install->mostrarerror("7")?></li>	
+						<li><label for="email">Database Name:</label>
+							<input type="text" name="db_name" id="db_name" value="gelatocms" class="txt"/><?php echo $install->mostrarerror("8")?></li>											
+					</ul>
+				</fieldset><br  />
 				<fieldset>
 					<legend class="install">Admin user</legend>
 					<ul>
 						<li><label for="login">User:</label>
-							<input type="text" name="login" id="login" value="" class="txt"/><?php echo mostrarerror($errors,$errors_d,"1")?></li>
+							<input type="text" name="login" id="login" value="" class="txt"/><?php echo $install->mostrarerror("1")?></li>
 						<li><label for="password">Password:</label>
-							<input type="password" name="password" id="password" value="" class="txt"/><?php echo mostrarerror($errors,$errors_d,"2")?></li>
+							<input type="password" name="password" id="password" value="" class="txt"/><?php echo $install->mostrarerror("2")?></li>
 						<li><label for="password2">Re-type password:</label>
-							<input type="password" name="password2" id="password2" value="" class="txt"/><?php echo mostrarerror($errors,$errors_d,"3")?></li>						
+							<input type="password" name="password2" id="password2" value="" class="txt"/><?php echo $install->mostrarerror("3")?></li>						
 						<li><label for="email">E-mail:</label>
-							<input type="text" name="email" id="email" value="" class="txt"/><?php echo mostrarerror($errors,$errors_d,"4")?></li>						
+							<input type="text" name="email" id="email" value="" class="txt"/><?php echo $install->mostrarerror("4")?></li>						
 					</ul>
 				</fieldset><br  />
 				<fieldset>
@@ -143,7 +90,7 @@ if ($action=="config" && !is_db_installed()) {
 						<li><label for="description">Description:</label>
 							<input type="text" name="description" id="description" value="" class="txt"/></li>
 						<li><label for="url_installation">Installation URL</label>
-							<input type="text" name="url_installation" id="url_installation" value="" class="txt"/><?php echo mostrarerror($errors,$errors_d,"5")?></li>
+							<input type="text" name="url_installation" id="url_installation" value="<?php print substr($_SERVER["SCRIPT_URI"], '0', '-12'); ?>" class="txt"/><?php echo $install->mostrarerror("5")?></li>
 						<li><label for="posts_limit">Post limit:</label>
 							<input type="text" name="posts_limit" id="posts_limit" value="10" class="txt"/></li>
 						<li><label for="lang">Language:</label>
@@ -254,131 +201,3 @@ if ($action=="config" && !is_db_installed()) {
 </div>
 </body>
 </html>
-
-<?php
-function install_db($login, $password, $email, $title, $description, $url_installation, $posts_limit, $lang, $template, $website, $about, $offset_city, $offset_time){
-
-		$db = new Conexion_Mysql(DB_name, DB_Server, DB_User, DB_Password);		
-		
-		$sqlStr = "CREATE TABLE `".Table_prefix."data` (
-			  `id_post` int(11) NOT NULL auto_increment,
-			  `title` text NULL,
-			  `url` varchar(250)  default NULL,
-			  `description` text NULL,
-			  `type` tinyint(4) NOT NULL default '1',
-			  `date` datetime NOT NULL,
-			  `id_user` int(10) NOT NULL,
-			  PRIMARY KEY  (`id_post`)
-			) ENGINE = MYISAM ;";
-		
-		$db->ejecutarConsulta($sqlStr);
-		
-		$sqlStr = "CREATE TABLE `".Table_prefix."users` (
-			  `id_user` int(10) unsigned NOT NULL auto_increment,
-			  `name` varchar(100) default NULL,
-			  `login` varchar(100) NOT NULL default '',
-			  `password` varchar(64) NOT NULL default '',
-			  `email` varchar(100) default NULL,
-			  `website` varchar(150) default NULL,
-			  `about` text,
-			  PRIMARY KEY  (`id_user`)
-			) ENGINE = MYISAM;";
-		
-		$db->ejecutarConsulta($sqlStr);
-			
-		$sqlStr = "CREATE TABLE `".Table_prefix."config` (
-			  `posts_limit` int(3) NOT NULL,
-			  `title` varchar(250) NOT NULL,
-			  `description` text NOT NULL,
-			  `lang` varchar(10) NOT NULL,
-			  `template` varchar(100) NOT NULL,
-			  `url_installation` varchar(250) NOT NULL,
-			  PRIMARY KEY  (`title`)
-			) ENGINE = MYISAM ;";
-			
-		$db->ejecutarConsulta($sqlStr);
-		
-		$sqlStr = "CREATE TABLE `".Table_prefix."options` (
-		  `name` varchar(100) NOT NULL,
-		  `val` varchar(255) NOT NULL,
-		  PRIMARY KEY  (`name`)
-		) ENGINE = MYISAM ;";
-		
-		$db->ejecutarConsulta($sqlStr);
-		
-		$sqlStr = "CREATE TABLE `".Table_prefix."comments` (
-		  `id_comment` int(11) NOT NULL auto_increment,
-		  `id_post` int(11) NOT NULL,
-		  `username` varchar(50) NOT NULL,
-		  `email` varchar(100) NOT NULL,
-		  `web` varchar(250) default NULL,
-		  `content` text NOT NULL,
-		  `ip_user` varchar(50) NOT NULL,
-		  `comment_date` datetime NOT NULL,
-		  `spam` tinyint(4) NOT NULL,
-		  PRIMARY KEY  (`id_comment`)
-		) ENGINE = MYISAM ;";
-		
-		$db->ejecutarConsulta($sqlStr);
-				
-		$url_installation = (endsWith($url_installation, "/")) ? substr($url_installation, 0, strlen($url_installation)-1) : $url_installation ;
-		
-		$sqlStr = "INSERT INTO `".Table_prefix."config` VALUES (".$posts_limit.", '".$title."', '".$description."', '".$lang."', '".$template."', '".$url_installation."');";		
-			
-		$db->ejecutarConsulta($sqlStr);
-		
-		$sqlStr = "INSERT INTO `".Table_prefix."users` VALUES ('', '', '".$login."', '".md5($password)."', '".$email."', '".$website."', '".$about."');";
-			
-		$db->ejecutarConsulta($sqlStr);
-		
-		$sqlStr = "INSERT INTO `".Table_prefix."options` VALUES ('url_friendly', '1');";
-		
-		$db->ejecutarConsulta($sqlStr);
-		
-		$sqlStr = "INSERT INTO `".Table_prefix."options` VALUES ('rich_text', '0');";
-		
-		$db->ejecutarConsulta($sqlStr);
-		
-		$sqlStr = "INSERT INTO `".Table_prefix."options` VALUES ('allow_comments', '0');";
-		
-		$db->ejecutarConsulta($sqlStr);
-		
-		$sqlStr = "INSERT INTO `".Table_prefix."options` VALUES ('offset_city', '".$offset_city."');";
-		
-		$db->ejecutarConsulta($sqlStr);
-		
-		$sqlStr = "INSERT INTO `".Table_prefix."options` VALUES ('offset_time', '".$offset_time."');";
-		
-		$db->ejecutarConsulta($sqlStr);
-
-		$db->cierraConexion();
-		return true;
-}
-
-function inerrors($errors,$n) {
-	if (strpos($errors,$n)===false) {
-		return false;
-	} else {
-		return true;
-	}
-}
-
-function mostrarerror($errors,$errors_d,$n) {
-	if (inerrors($errors,$n)) {
-		return '<span class="error">'.$errors_d[$n].'</span>';
-	} else {
-		return "";
-	}
-}
-
-function is_db_installed(){
-
-		$db = new Conexion_Mysql(DB_name, DB_Server, DB_User, DB_Password);		
-		
-		$sqlStr = "SELECT * FROM `".Table_prefix."config`";	
-		
-		$db->ejecutarConsulta($sqlStr);
-
-		return ($db->contarRegistros() > 0);
-}
-?>

login.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry'))define('entry', true);
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
@@ -12,25 +13,21 @@
 ?>
 <?php
 header("Cache-Control: no-cache, must-revalidate");
-require( dirname(__FILE__) . '/config.php' );
-include(dirname(__FILE__)."/classes/functions.php");
-include(dirname(__FILE__)."/classes/user.class.php");
-require_once(dirname(__FILE__)."/classes/configuration.class.php");
- 
-$user = new user();
-$conf = new configuration();
 
-if ($user->isAdmin()) {
+require_once('entry.php');
+global $user, $conf;
+
+if ($user->isAuthenticated()) {
 	header("Location: ".$conf->urlGelato."/admin/index.php");
 } else {
 	if (isset($_POST["pass"]) && isset($_POST["login"])) {		
+		//print "<pre>"; print_r($_SESSION); print "</pre>";die();
 		if ($user->validateUser($_POST['login'], md5($_POST['pass']))) {
 			header("Location: ".$conf->urlGelato."/admin/index.php");
 		} else {
 			header("Location: ".$conf->urlGelato."/login.php?error=1");
 		}
-	}
-	else {
+	} else {
 ?>
 	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 	<html xmlns="http://www.w3.org/1999/xhtml">

rss.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS

update.php

@@ -1,4 +1,5 @@
 <?php
+if(!defined('entry') || !entry) die('Not a valid page'); 
 /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS

uploads/index.php

@@ -1,5 +1,5 @@
 <?php
-/* ===========================
+if(!defined('entry') || !entry) die('Not a valid page'); /* ===========================
 
   gelato CMS - A PHP based tumblelog CMS
   development version