function system_handle_form_submit

7.x system.module system_handle_form_submit()
6.x system.module system_handle_form_submit()
4.x system.module system_handle_form_submit()
5.x system.module system_handle_form_submit()

Intercepts form submissions from forms built with the form API.

File

modules/system/system.module, line 2093

Code

function system_handle_form_submit() {

  $callback = $_REQUEST ["callback"];

  $form_type = $_REQUEST ["form_type"];
  $form_include = $_REQUEST ["form_include"];

  $form_token = $_REQUEST ["form_token"];
  // Make sure the form_token is valid!
  if ($form_token != md5($callback . fp_token())) {
    die(t("Sorry, but you have encountered an error.  A form submission was flagged
          as possibly being an invalid or forged submission.  This may constitute a bug
          in the system.  Please report this error to your Systems Administrator."));
  }

  if ($form_include != "") {
    // This is a file we need to include in order to complete the submission process.

    // We will also make sure that we only allow certain file extensions to be included.
    $allowed_ext = array(
      "php",
      "inc",
      "class",
      "module",
    );

    $temp = explode(".", $form_include);
    $test_ext = trim($temp [count($temp) - 1]);

    if (!in_array($test_ext, $allowed_ext)) {
      fp_add_message(t("Include file type (%ext) not allowed in form submission.", array("%ext" => $test_ext)), "error");
      fp_goto("<front>");
      return;
    }

    // We need to make sure, before we include this file, that it is something only available from within the main FlightPath directory.
    $absolute_path = realpath($form_include);
    $absolute_path = str_replace("\\", "/", $absolute_path);

    // In order for us to proceed, the $absolute_path must BEGIN with our base FlightPath installation directory.  
    $file_system_path = $GLOBALS ['fp_system_settings']['file_system_path'];


    if (substr($absolute_path, 0, strlen($file_system_path)) != $file_system_path) {
      fp_add_message(t("Include file in form submission is outside of the FlightPath installation directory.
                          <br>FlightPath directory path: %fsp
                          <br>Include file path: %ap", array("%fsp" => $file_system_path, "%ap" => $absolute_path)), "error");
      fp_goto("<front>");
      return;
    }


    include_once ($form_include);
  }


  // We need to make sure the user has permission to submit this form!
  $form_path = $_REQUEST ["form_path"];
  // Check the menu router table for whatever the permissions were for this
  // path, if any.
  if ($form_path != "") {
    $router_item = menu_get_item($form_path);
    if (!menu_check_user_access($router_item)) {
      // The user does NOT have access to submit this form!  The fact that
      // it has made it this far means this may be some sort of hacking attempt.
      die(t("Sorry, but you have encountered an error.  A form submission was flagged
          as possibly being an invalid or having insufficient permissions to submit.  
          This may constitute a bug in the system.  
          Please report this error to your Systems Administrator."));

    }
  }

  // Let's get our set of allowed values, by looking at the original form,
  // and grab what's in the POST which matches the name.

  $values = array();
  $safe_values = array(); // will be the same as $values, but anything of type password will not be included.

  if (function_exists($callback)) {

    // Get any params for the callback, or, an empty array.    
    $form_params = @unserialize(base64_decode($_REQUEST ['form_params']));
    if (!$form_params) {
      $form_params = array();
    }
    // Actually get the form now.    
    $form = fp_get_form($callback, $form_params);
    foreach ($form as $name => $element) {

      // Save to our $values array, but we don't care about markup.
      if (@$element ["type"] != "" && @$element ["type"] != "markup") {
        $values [$name] = @$_POST [$name];

        // Save to save_values, too, if this is not a password field.
        if (@$element ["type"] != "password") {
          $safe_values [$name] = @$_POST [$name];
        }

      }
      // Do we need to alter the value from the POST?

      // If this element is a cfieldset, it may contain other elements.  We should get
      // those values too.
      if (isset($element ["elements"])) {
        foreach ($element ["elements"] as $k => $v) {
          foreach ($element ["elements"][$k] as $cname => $celement) {
            // Save to our $values array, but we don't care about markup.
            if (@$celement ["type"] != "" && @$celement ["type"] != "markup") {
              $values [$cname] = @$_POST [$cname];

              // Save to save_values, too, if this is not a password field.
              if (@$celement ["type"] != "password") {
                $safe_values [$cname] = @$_POST [$cname];
              }


            }
          }
        }
      }


      // If this is a checkbox, and we have any value in the POST, it should
      // be saved as boolean TRUE
      if (isset($element ["type"]) && $element ["type"] == "checkbox") {
        if (isset($_POST [$name]) && $_POST [$name] === "1") {
          $values [$name] = TRUE;
        }
      }

    }
  }

  // Does the form have any defined submit_handler's?  If not, let's assign it the
  // default of callback_submit().    
  $submit_handlers = $form ["#submit_handlers"];
  if (!is_array($submit_handlers)) {
    $submit_handlers = array();
  }

  // If the submit_handlers is empty, then add our default submit handler.  We don't
  // want to do this if the user went out of their way to enter a different handler.
  if (count($submit_handlers) == 0) {
    array_push($submit_handlers, $callback . "_submit");
  }

  // Does the form have any defined validate_handler's?  This works exactly like the submit handler.
  $validate_handlers = $form ["#validate_handlers"];
  if (!is_array($validate_handlers)) {
    $validate_handlers = array();
  }

  if (count($validate_handlers) == 0) {
    array_push($validate_handlers, $callback . "_validate");
  }

  // Let's store our values in the SESSION in case we need them later on.
  // But only if this is NOT a system_settings form!
  if ($form_type != "system_settings") {

    // Do not store any "password" field, for security, so it isn't stored
    // in the server's session file in plain text.
    // For this reason we will use the $safe_values array we created earlier.    

    $_SESSION ["fp_form_submissions"][$callback]["values"] = $safe_values;
  }

  $form_state = array("values" => $values, "POST" => $_POST);

  // Let's pass this through our default form validator (mainly to check for required fields
  // which do not have values entered)
  form_basic_validate($form, $form_state);

  if (!form_has_errors()) {
    // Let's now pass it through all of our custom validators, if there are any.
    foreach ($validate_handlers as $validate_callback) {
      if (function_exists($validate_callback)) {

        call_user_func_array($validate_callback, array(&$form, &$form_state));
      }
    }
  }

  if (!form_has_errors()) {
    // No errors from the validate, so let's continue.

    // Is this a "system settings" form, or a normal form?
    if ($form_type == "system_settings") {
      // This is system settings, so let's save all of our values to the variables table.
      // Write our values array to our variable table.
      foreach ($form_state ["values"] as $name => $val) {
        variable_set($name, $val);
      }

      fp_add_message("Settings saved successfully.");

    }

    // Let's go through the form's submit handlers now.
    foreach ($submit_handlers as $submit_callback) {
      if (function_exists($submit_callback)) {
        //call_user_func($submit_callback, $form, &$form_state);

        call_user_func_array($submit_callback, array(&$form, &$form_state));

      }
    }



  }

  // Figure out where we are supposed to redirect the user.
  $redirect_path = $redirect_query = "";

  if (isset($form ["#redirect"]) && is_array($form ["#redirect"])) {
    $redirect_path = $form ["#redirect"]["path"];
    $redirect_query = $form ["#redirect"]["query"];
  }
  else {
    $redirect_path = @$_REQUEST ["default_redirect_path"];
    $redirect_query = @$_REQUEST ["default_redirect_query"];


    // To help prevent directory traversal attacks, the redirect_path cannot contain periods (.) and semi-colons, and other trouble characters
    $redirect_path = str_replace(".", "", $redirect_path);
    $redirect_path = str_replace(";", "", $redirect_path);
    $redirect_path = str_replace("'", "", $redirect_path);
    $redirect_path = str_replace('"', "", $redirect_path);
    $redirect_path = str_replace(' ', "", $redirect_path);


  }

  // If there is a Batch process we need to do, do it here instead of the fp_goto.
  if (isset($_SESSION ["fp_batch_id"]) && function_exists("batch_menu")) {
    $batch_id = $_SESSION ["fp_batch_id"];
    unset($_SESSION ["fp_batch_id"]);
    batch_start_batch_from_form_submit($batch_id, $redirect_path, $redirect_query);
    return;
  }
  else if (isset($_SESSION ["fp_batch_id"]) && !function_exists("batch_menu")) {
    // We requested a batch action, but the batch module is not installed.
    fp_add_message(t("A batch process was attempted, but it appears that the Batch module is not enabled.  Please contact your FlightPath administrator."), "error");
    unset($_SESSION ["fp_batch_id"]);
  }

  // Okay, go back to where we were!  
  fp_goto($redirect_path, $redirect_query);

}