Merge pull request 'Rework DBA to use PDO' (#53) from pdo into master

Reviewed-on: Public/pics#53
Reviewed-by: Roflin <d.brentjes@gmail.com>

controllers/EditAlbum.php

@@ -41,13 +41,13 @@ class EditAlbum extends HTMLController
 				exit;
 			}
 			else
-				trigger_error('Cannot delete album: an error occured while processing the request.', E_USER_ERROR);
+				throw new Exception('Cannot delete album: an error occured while processing the request.');
 		}
 		// Editing one, then, surely.
 		else
 		{
 			if ($album->kind !== 'Album')
-				trigger_error('Cannot edit album: not an album.', E_USER_ERROR);
+				throw new Exception('Cannot edit album: not an album.');
 
 			parent::__construct('Edit album \'' . $album->tag . '\'');
 			$form_title = 'Edit album \'' . $album->tag . '\'';
@@ -67,7 +67,7 @@ class EditAlbum extends HTMLController
 
 		// Gather possible parents for this album to be filed into
 		$parentChoices = [0 => '-root-'];
-		foreach (PhotoAlbum::getHierarchy('tag', 'up') as $parent)
+		foreach (Tag::getOffset(0, 9999, 'tag', 'up', true) as $parent)
 		{
 			if (!empty($id_tag) && $parent['id_tag'] == $id_tag)
 				continue;
@@ -139,6 +139,10 @@ class EditAlbum extends HTMLController
 				];
 			}
 		}
+		elseif (empty($_POST) && isset($album))
+		{
+			$formDefaults = get_object_vars($album);
+		}
 		elseif (empty($_POST) && count($parentChoices) > 1)
 		{
 			// Choose the first non-root album as the default parent
@@ -146,9 +150,8 @@ class EditAlbum extends HTMLController
 			next($parentChoices);
 			$formDefaults = ['id_parent' => key($parentChoices)];
 		}
-
+		else
-		if (!isset($formDefaults))
+			$formDefaults = $_POST;
-			$formDefaults = isset($album) ? get_object_vars($album) : $_POST;
 
 		// Create the form, add in default values.
 		$this->form->setData($formDefaults);

controllers/EditAsset.php

@@ -67,7 +67,7 @@ class EditAsset extends HTMLController
 
 		// Get a list of available photo albums
 		$allAlbums = [];
-		foreach (PhotoAlbum::getHierarchy('tag', 'up') as $album)
+		foreach (Tag::getOffset(0, 9999, 'tag', 'up', true) as $album)
 			$allAlbums[$album['id_tag']] = $album['tag'];
 
 		// Figure out the current album id

controllers/EditTag.php

@@ -39,13 +39,13 @@ class EditTag extends HTMLController
 				exit;
 			}
 			else
-				trigger_error('Cannot delete tag: an error occured while processing the request.', E_USER_ERROR);
+				throw new Exception('Cannot delete tag: an error occured while processing the request.');
 		}
 		// Editing one, then, surely.
 		else
 		{
 			if ($tag->kind === 'Album')
-				trigger_error('Cannot edit tag: is actually an album.', E_USER_ERROR);
+				throw new Exception('Cannot edit tag: is actually an album.');
 
 			parent::__construct('Edit tag \'' . $tag->tag . '\'');
 			$form_title = 'Edit tag \'' . $tag->tag . '\'';

controllers/EditUser.php

@@ -33,7 +33,7 @@ class EditUser extends HTMLController
 		{
 			// Don't be stupid.
 			if ($current_user->getUserId() == $id_user)
-				trigger_error('Sorry, I cannot allow you to delete yourself.', E_USER_ERROR);
+				throw new Exception('Sorry, I cannot allow you to delete yourself.');
 
 			// So far so good?
 			$user = Member::fromId($id_user);
@@ -43,7 +43,7 @@ class EditUser extends HTMLController
 				exit;
 			}
 			else
-				trigger_error('Cannot delete user: an error occured while processing the request.', E_USER_ERROR);
+				throw new Exception('Cannot delete user: an error occured while processing the request.');
 		}
 		// Editing one, then, surely.
 		else

controllers/Login.php

@@ -24,7 +24,9 @@ class Login extends HTMLController
 			if (Authentication::checkPassword($_POST['emailaddress'], $_POST['password']))
 			{
 				parent::__construct('Login');
-				$_SESSION['user_id'] = Authentication::getUserId($_POST['emailaddress']);
+
+				$user = Member::fromEmailAddress($_POST['emailaddress']);
+				$_SESSION['user_id'] = $user->getUserId();
 
 				if (isset($_POST['redirect_url']))
 					header('Location: ' . base64_decode($_POST['redirect_url']));

controllers/ManageAlbums.php

@@ -35,18 +35,14 @@ class ManageAlbums extends HTMLController
 				'tag' => [
 					'header' => 'Album',
 					'is_sortable' => true,
-					'parse' => [
 					'link' => BASEURL . '/editalbum/?id={ID_TAG}',
-						'data' => 'tag',
+					'value' => 'tag',
-					],
 				],
 				'slug' => [
 					'header' => 'Slug',
 					'is_sortable' => true,
-					'parse' => [
 					'link' => BASEURL . '/editalbum/?id={ID_TAG}',
-						'data' => 'slug',
+					'value' => 'slug',
-					],
 				],
 				'count' => [
 					'header' => '# Photos',
@@ -54,30 +50,21 @@ class ManageAlbums extends HTMLController
 					'value' => 'count',
 				],
 			],
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
+			'default_sort_order' => 'tag',
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : null,
+			'default_sort_direction' => 'up',
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : null,
+			'start' => $_GET['start'] ?? 0,
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'title' => 'Manage albums',
 			'no_items_label' => 'No albums meet the requirements of the current filter.',
 			'items_per_page' => 9999,
 			'index_class' => 'col-md-6',
 			'base_url' => BASEURL . '/managealbums/',
-			'get_data' => function($offset = 0, $limit = 9999, $order = '', $direction = 'up') {
+			'get_data' => function($offset, $limit, $order, $direction) {
-				if (!in_array($order, ['id_tag', 'tag', 'slug', 'count']))
+				return Tag::getOffset($offset, $limit, $order, $direction, true);
-					$order = 'tag';
-				if (!in_array($direction, ['up', 'down']))
-					$direction = 'up';
-
-				$rows = PhotoAlbum::getHierarchy($order, $direction);
-
-				return [
-					'rows' => $rows,
-					'order' => $order,
-					'direction' => ($direction == 'up' ? 'up' : 'down'),
-				];
 			},
 			'get_count' => function() {
-				return 9999;
+				return Tag::getCount(false, 'Album', true);
 			}
 		];
 

controllers/ManageAssets.php

@@ -38,12 +38,33 @@ class ManageAssets extends HTMLController
 				'checkbox' => [
 					'header' => '<input type="checkbox" id="selectall">',
 					'is_sortable' => false,
-					'parse' => [
+					'format' => fn($row) =>
-						'type' => 'function',
+						'<input type="checkbox" class="asset_select" name="delete[]" value="' . $row['id_asset'] . '">',
-						'data' => function($row) {
-							return '<input type="checkbox" class="asset_select" name="delete[]" value="' . $row['id_asset'] . '">';
-						},
 				],
+				'thumbnail' => [
+					'header' => '&nbsp;',
+					'is_sortable' => false,
+					'cell_class' => 'text-center',
+					'format' => function($row) {
+						$asset = Image::byRow($row);
+						$width = $height = 65;
+						if ($asset->isImage())
+						{
+							if ($asset->isPortrait())
+								$width = null;
+							else
+								$height = null;
+
+							$thumb = $asset->getThumbnailUrl($width, $height);
+						}
+						else
+							$thumb = BASEURL . '/images/nothumb.svg';
+
+						$width = isset($width) ? $width . 'px' : 'auto';
+						$height = isset($height) ? $height . 'px' : 'auto';
+
+						return sprintf('<img src="%s" style="width: %s; height: %s;">', $thumb, $width, $height);
+					},
 				],
 				'id_asset' => [
 					'value' => 'id_asset',
@@ -59,18 +80,13 @@ class ManageAssets extends HTMLController
 					'value' => 'filename',
 					'header' => 'Filename',
 					'is_sortable' => true,
-					'parse' => [
-						'type' => 'value',
 					'link' => BASEURL . '/editasset/?id={ID_ASSET}',
-						'data' => 'filename',
+					'value' => 'filename',
-					],
 				],
 				'id_user_uploaded' => [
 					'header' => 'User uploaded',
 					'is_sortable' => true,
-					'parse' => [
+					'format' => function($row) {
-						'type' => 'function',
-						'data' => function($row) {
 						if (!empty($row['id_user']))
 							return sprintf('<a href="%s/edituser/?id=%d">%s</a>', BASEURL, $row['id_user'],
 								$row['first_name'] . ' ' . $row['surname']);
@@ -78,13 +94,10 @@ class ManageAssets extends HTMLController
 							return 'n/a';
 					},
 				],
-				],
 				'dimensions' => [
 					'header' => 'Dimensions',
 					'is_sortable' => false,
-					'parse' => [
+					'format' => function($row) {
-						'type' => 'function',
-						'data' => function($row) {
 						if (!empty($row['image_width']))
 							return $row['image_width'] . ' x ' . $row['image_height'];
 						else
@@ -92,39 +105,17 @@ class ManageAssets extends HTMLController
 					},
 				],
 			],
-			],
+			'default_sort_order' => 'id_asset',
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
+			'default_sort_direction' => 'down',
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : '',
+			'start' => $_GET['start'] ?? 0,
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : '',
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'title' => 'Manage assets',
 			'no_items_label' => 'No assets meet the requirements of the current filter.',
 			'items_per_page' => 30,
 			'index_class' => 'col-md-6',
 			'base_url' => BASEURL . '/manageassets/',
-			'get_data' => function($offset = 0, $limit = 30, $order = '', $direction = 'down') {
+			'get_data' => 'Asset::getOffset',
-				if (!in_array($order, ['id_asset', 'id_user_uploaded', 'title', 'subdir', 'filename']))
-					$order = 'id_asset';
-
-				$data = Registry::get('db')->queryAssocs('
-					SELECT a.id_asset, a.subdir, a.filename,
-						a.image_width, a.image_height,
-						u.id_user, u.first_name, u.surname
-					FROM assets AS a
-					LEFT JOIN users AS u ON a.id_user_uploaded = u.id_user
-					ORDER BY {raw:order}
-					LIMIT {int:offset}, {int:limit}',
-					[
-						'order' => $order . ($direction == 'up' ? ' ASC' : ' DESC'),
-						'offset' => $offset,
-						'limit' => $limit,
-					]);
-
-				return [
-					'rows' => $data,
-					'order' => $order,
-					'direction' => $direction,
-				];
-			},
 			'get_count' => 'Asset::getCount',
 		];
 

controllers/ManageErrors.php

@@ -14,8 +14,8 @@ class ManageErrors extends HTMLController
 		if (!Registry::get('user')->isAdmin())
 			throw new NotAllowedException();
 
-		// Flushing, are we?
+		// Clearing, are we?
-		if (isset($_POST['flush']) && Session::validateSession('get'))
+		if (isset($_POST['clear']) && Session::validateSession('get'))
 		{
 			ErrorLog::flush();
 			header('Location: ' . BASEURL . '/manageerrors/');
@@ -31,7 +31,7 @@ class ManageErrors extends HTMLController
 				'method' => 'post',
 				'class' => 'col-md-6 text-end',
 				'buttons' => [
-					'flush' => [
+					'clear' => [
 						'type' => 'submit',
 						'caption' => 'Delete all',
 						'class' => 'btn-danger',
@@ -39,15 +39,15 @@ class ManageErrors extends HTMLController
 				],
 			],
 			'columns' => [
-				'id' => [
+				'id_entry' => [
 					'value' => 'id_entry',
 					'header' => '#',
 					'is_sortable' => true,
 				],
 				'message' => [
-					'parse' => [
+					'header' => 'Message / URL',
-						'type' => 'function',
+					'is_sortable' => false,
-						'data' => function($row) {
+					'format' => function($row) {
 						return $row['message'] . '<br>' .
 							'<div><a onclick="this.parentNode.childNodes[1].style.display=\'block\';this.style.display=\'none\';">Show debug info</a>' .
 							'<pre style="display: none">' . htmlspecialchars($row['debug_info']) .
@@ -55,10 +55,7 @@ class ManageErrors extends HTMLController
 							'<small><a href="' . BASEURL .
 								htmlspecialchars($row['request_uri']) . '">' .
 								htmlspecialchars($row['request_uri']) . '</a></small>';
-						}
+					},
-					],
-					'header' => 'Message / URL',
-					'is_sortable' => false,
 				],
 				'file' => [
 					'value' => 'file',
@@ -71,12 +68,10 @@ class ManageErrors extends HTMLController
 					'is_sortable' => true,
 				],
 				'time' => [
-					'parse' => [
+					'format' => [
 						'type' => 'timestamp',
-						'data' => [
-							'timestamp' => 'time',
 						'pattern' => 'long',
-						],
+						'value' => 'time',
 					],
 					'header' => 'Time',
 					'is_sortable' => true,
@@ -89,41 +84,21 @@ class ManageErrors extends HTMLController
 				'uid' => [
 					'header' => 'UID',
 					'is_sortable' => true,
-					'parse' => [
 					'link' => BASEURL . '/edituser/?id={ID_USER}',
-						'data' => 'id_user',
+					'value' => 'id_user',
 				],
 			],
-			],
+			'default_sort_order' => 'id_entry',
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
+			'default_sort_direction' => 'down',
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : '',
+			'start' => $_GET['start'] ?? 0,
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : '',
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'no_items_label' => "No errors to display -- we're all good!",
 			'items_per_page' => 20,
 			'index_class' => 'col-md-6',
 			'base_url' => BASEURL . '/manageerrors/',
 			'get_count' => 'ErrorLog::getCount',
-			'get_data' => function($offset = 0, $limit = 20, $order = '', $direction = 'down') {
+			'get_data' => 'ErrorLog::getOffset',
-				if (!in_array($order, ['id_entry', 'file', 'line', 'time', 'ipaddress', 'id_user']))
-					$order = 'id_entry';
-
-				$data = Registry::get('db')->queryAssocs('
-					SELECT *
-					FROM log_errors
-					ORDER BY {raw:order}
-					LIMIT {int:offset}, {int:limit}',
-					[
-						'order' => $order . ($direction === 'up' ? ' ASC' : ' DESC'),
-						'offset' => $offset,
-						'limit' => $limit,
-					]);
-
-				return [
-					'rows' => $data,
-					'order' => $order,
-					'direction' => $direction,
-				];
-			},
 		];
 
 		$error_log = new GenericTable($options);

controllers/ManageTags.php

@@ -37,25 +37,19 @@ class ManageTags extends HTMLController
 				'tag' => [
 					'header' => 'Tag',
 					'is_sortable' => true,
-					'parse' => [
 					'link' => BASEURL . '/edittag/?id={ID_TAG}',
-						'data' => 'tag',
+					'value' => 'tag',
-					],
 				],
 				'slug' => [
 					'header' => 'Slug',
 					'is_sortable' => true,
-					'parse' => [
 					'link' => BASEURL . '/edittag/?id={ID_TAG}',
-						'data' => 'slug',
+					'value' => 'slug',
-					],
 				],
 				'id_user_owner' => [
 					'header' => 'Owning user',
 					'is_sortable' => true,
-					'parse' => [
+					'format' => function($row) {
-						'type' => 'function',
-						'data' => function($row) {
 						if (!empty($row['id_user']))
 							return sprintf('<a href="%s/edituser/?id=%d">%s</a>', BASEURL, $row['id_user'],
 								$row['first_name'] . ' ' . $row['surname']);
@@ -63,53 +57,27 @@ class ManageTags extends HTMLController
 							return 'n/a';
 					},
 				],
-				],
 				'count' => [
 					'header' => 'Cardinality',
 					'is_sortable' => true,
 					'value' => 'count',
 				],
 			],
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
+			'default_sort_order' => 'tag',
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : null,
+			'default_sort_direction' => 'up',
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : null,
+			'start' => $_GET['start'] ?? 0,
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'title' => 'Manage tags',
 			'no_items_label' => 'No tags meet the requirements of the current filter.',
 			'items_per_page' => 30,
 			'index_class' => 'col-md-6',
 			'base_url' => BASEURL . '/managetags/',
-			'get_data' => function($offset = 0, $limit = 30, $order = '', $direction = 'up') {
+			'get_data' => function($offset, $limit, $order, $direction) {
-				if (!in_array($order, ['id_tag', 'tag', 'slug', 'kind', 'count']))
+				return Tag::getOffset($offset, $limit, $order, $direction, false);
-					$order = 'tag';
-				if (!in_array($direction, ['up', 'down']))
-					$direction = 'up';
-
-				$data = Registry::get('db')->queryAssocs('
-					SELECT t.*, u.id_user, u.first_name, u.surname
-					FROM tags AS t
-					LEFT JOIN users AS u ON t.id_user_owner = u.id_user
-					WHERE kind != {string:album}
-					ORDER BY {raw:order}
-					LIMIT {int:offset}, {int:limit}',
-					[
-						'order' => $order . ($direction == 'up' ? ' ASC' : ' DESC'),
-						'offset' => $offset,
-						'limit' => $limit,
-						'album' => 'Album',
-					]);
-
-				return [
-					'rows' => $data,
-					'order' => $order,
-					'direction' => ($direction == 'up' ? 'up' : 'down'),
-				];
 			},
 			'get_count' => function() {
-				return Registry::get('db')->queryValue('
+				return Tag::getCount(false, null, false);
-					SELECT COUNT(*)
-					FROM tags
-					WHERE kind != {string:album}',
-					['album' => 'Album']);
 			}
 		];
 

controllers/ManageUsers.php

@@ -37,26 +37,20 @@ class ManageUsers extends HTMLController
 				'surname' => [
 					'header' => 'Last name',
 					'is_sortable' => true,
-					'parse' => [
 					'link' => BASEURL . '/edituser/?id={ID_USER}',
-						'data' => 'surname',
+					'value' => 'surname',
-					],
 				],
 				'first_name' => [
 					'header' => 'First name',
 					'is_sortable' => true,
-					'parse' => [
 					'link' => BASEURL . '/edituser/?id={ID_USER}',
-						'data' => 'first_name',
+					'value' => 'first_name',
-					],
 				],
 				'slug' => [
 					'header' => 'Slug',
 					'is_sortable' => true,
-					'parse' => [
 					'link' => BASEURL . '/edituser/?id={ID_USER}',
-						'data' => 'slug',
+					'value' => 'slug',
-					],
 				],
 				'emailaddress' => [
 					'value' => 'emailaddress',
@@ -64,12 +58,11 @@ class ManageUsers extends HTMLController
 					'is_sortable' => true,
 				],
 				'last_action_time' => [
-					'parse' => [
+					'format' => [
 						'type' => 'timestamp',
-						'data' => [
-							'timestamp' => 'last_action_time',
 						'pattern' => 'long',
-						],
+						'value' => 'last_action_time',
+						'if_null' => 'n/a',
 					],
 					'header' => 'Last activity',
 					'is_sortable' => true,
@@ -82,48 +75,21 @@ class ManageUsers extends HTMLController
 				'is_admin' => [
 					'is_sortable' => true,
 					'header' => 'Admin?',
-					'parse' => [
+					'format' => fn($row) => $row['is_admin'] ? 'yes' : 'no',
-						'type' => 'function',
-						'data' => function($row) {
-							return $row['is_admin'] ? 'yes' : 'no';
-						}
 				],
 			],
-			],
+			'default_sort_order' => 'id_user',
-			'start' => !empty($_GET['start']) ? (int) $_GET['start'] : 0,
+			'default_sort_direction' => 'down',
-			'sort_order' => !empty($_GET['order']) ? $_GET['order'] : '',
+			'start' => $_GET['start'] ?? 0,
-			'sort_direction' => !empty($_GET['dir']) ? $_GET['dir'] : '',
+			'sort_order' => $_GET['order'] ?? '',
+			'sort_direction' => $_GET['dir'] ?? '',
 			'title' => 'Manage users',
 			'no_items_label' => 'No users meet the requirements of the current filter.',
 			'items_per_page' => 30,
 			'index_class' => 'col-md-6',
 			'base_url' => BASEURL . '/manageusers/',
-			'get_data' => function($offset = 0, $limit = 30, $order = '', $direction = 'down') {
+			'get_data' => 'Member::getOffset',
-				if (!in_array($order, ['id_user', 'surname', 'first_name', 'slug', 'emailaddress', 'last_action_time', 'ip_address', 'is_admin']))
+			'get_count' => 'Member::getCount',
-					$order = 'id_user';
-
-				$data = Registry::get('db')->queryAssocs('
-					SELECT *
-					FROM users
-					ORDER BY {raw:order}
-					LIMIT {int:offset}, {int:limit}',
-					[
-						'order' => $order . ($direction == 'up' ? ' ASC' : ' DESC'),
-						'offset' => $offset,
-						'limit' => $limit,
-					]);
-
-				return [
-					'rows' => $data,
-					'order' => $order,
-					'direction' => $direction,
-				];
-			},
-			'get_count' => function() {
-				return Registry::get('db')->queryValue('
-					SELECT COUNT(*)
-					FROM users');
-			}
 		];
 
 		$table = new GenericTable($options);

controllers/ResetPassword.php

@@ -16,14 +16,65 @@ class ResetPassword extends HTMLController
 
 		// Verifying an existing reset key?
 		if (isset($_GET['step'], $_GET['email'], $_GET['key']) && $_GET['step'] == 2)
+			$this->verifyResetKey();
+		else
+			$this->requestResetKey();
+	}
+
+	private function requestResetKey()
+	{
+		parent::__construct('Reset password - ' . SITE_TITLE);
+		$form = new ForgotPasswordForm();
+		$this->page->adopt($form);
+
+		// Have they submitted an email address yet?
+		if (isset($_POST['emailaddress']) && preg_match('~^.+@.+\.[a-z]+$~', trim($_POST['emailaddress'])))
+		{
+			$user = Member::fromEmailAddress($_POST['emailaddress']);
+			if (!$user)
+			{
+				$form->adopt(new Alert('Invalid email address', 'The email address you provided could not be found in our system. Please try again.', 'danger'));
+				return;
+			}
+
+			if (Authentication::getResetTimeOut($user->getUserId()) > 0)
+			{
+				// Update the reset time-out to prevent hammering
+				$resetTimeOut = Authentication::updateResetTimeOut($user->getUserId());
+
+				// Present it to the user in a readable way
+				if ($resetTimeOut > 3600)
+					$timeOut = sprintf('%d hours', ceil($resetTimeOut / 3600));
+				elseif ($resetTimeOut > 60)
+					$timeOut = sprintf('%d minutes', ceil($resetTimeOut / 60));
+				else
+					$timeOut = sprintf('%d seconds', $resetTimeOut);
+
+				$form->adopt(new Alert('Password reset token already sent', 'We already sent a password reset token to this email address recently. ' .
+					'If no email was received, please wait ' . $timeOut . ' to try again.', 'error'));
+				return;
+			}
+
+			Authentication::setResetKey($user->getUserId());
+			Email::resetMail($user->getUserId());
+
+			// Show the success message
+			$this->page->clear();
+			$box = new DummyBox('An email has been sent');
+			$box->adopt(new Alert('', 'We have sent an email to ' . $_POST['emailaddress'] . ' containing details on how to reset your password.', 'success'));
+			$this->page->adopt($box);
+		}
+	}
+
+	private function verifyResetKey()
 	{
 		$email = rawurldecode($_GET['email']);
-			$id_user = Authentication::getUserid($email);
+		$user = Member::fromEmailAddress($email);
-			if ($id_user === false)
+		if (!$user)
 			throw new UserFacingException('Invalid email address. Please make sure you copied the full link in the email you received.');
 
 		$key = $_GET['key'];
-			if (!Authentication::checkResetKey($id_user, $key))
+		if (!Authentication::checkResetKey($user->getUserId(), $key))
 			throw new UserFacingException('Invalid reset token. Please make sure you copied the full link in the email you received. Note: you cannot use the same token twice.');
 
 		parent::__construct('Reset password - ' . SITE_TITLE);
@@ -42,7 +93,11 @@ class ResetPassword extends HTMLController
 			// So, are we good to go?
 			if (empty($missing))
 			{
-					Authentication::updatePassword($id_user, Authentication::computeHash($_POST['password1']));
+				Authentication::updatePassword($user->getUserId(), Authentication::computeHash($_POST['password1']));
+
+				// Consume token, ensuring it isn't used again
+				Authentication::consumeResetKey($user->getUserId());
+
 				$_SESSION['login_msg'] = ['Your password has been reset', 'You can now use the form below to log in to your account.', 'success'];
 				header('Location: ' . BASEURL . '/login/');
 				exit;
@@ -51,31 +106,4 @@ class ResetPassword extends HTMLController
 				$form->adopt(new Alert('Some fields require your attention', '<ul><li>' . implode('</li><li>', $missing) . '</li></ul>', 'danger'));
 		}
 	}
-		else
-		{
-			parent::__construct('Reset password - ' . SITE_TITLE);
-			$form = new ForgotPasswordForm();
-			$this->page->adopt($form);
-
-			// Have they submitted an email address yet?
-			if (isset($_POST['emailaddress']) && preg_match('~^.+@.+\.[a-z]+$~', trim($_POST['emailaddress'])))
-			{
-				$id_user = Authentication::getUserid(trim($_POST['emailaddress']));
-				if ($id_user === false)
-				{
-					$form->adopt(new Alert('Invalid email address', 'The email address you provided could not be found in our system. Please try again.', 'danger'));
-					return;
-				}
-
-				Authentication::setResetKey($id_user);
-				Email::resetMail($id_user);
-
-				// Show the success message
-				$this->page->clear();
-				$box = new DummyBox('An email has been sent');
-				$box->adopt(new Alert('', 'We have sent an email to ' . $_POST['emailaddress'] . ' containing details on how to reset your password.', 'success'));
-				$this->page->adopt($box);
-			}
-		}
-	}
 }

controllers/ViewPhotoAlbum.php

@@ -289,10 +289,4 @@ class ViewPhotoAlbum extends HTMLController
 		$description = !empty($tag->description) ? $tag->description : '';
 		return new AlbumHeaderBox($tag->tag, $description, $back_link, $back_link_title);
 	}
-
-	public function __destruct()
-	{
-		if (isset($this->iterator))
-			$this->iterator->clean();
-	}
 }

controllers/ViewTimeline.php

@@ -54,10 +54,4 @@ class ViewTimeline extends HTMLController
 		// Set the canonical url.
 		$this->page->setCanonicalUrl(BASEURL . '/timeline/');
 	}
-
-	public function __destruct()
-	{
-		if (isset($this->iterator))
-			$this->iterator->clean();
-	}
 }

migrations/2024-11-05.sql

@@ -0,0 +1,2 @@
+/* Add time-out to password reset keys, and prevent repeated mails */
+ALTER TABLE `users` ADD `reset_blocked_until` INT  UNSIGNED  NULL  AFTER `reset_key`;

models/Asset.php

@@ -24,7 +24,7 @@ class Asset
 	protected $tags;
 	protected $thumbnails;
 
-	protected function __construct(array $data)
+	public function __construct(array $data)
 	{
 		foreach ($data as $attribute => $value)
 		{
@@ -32,7 +32,7 @@ class Asset
 				$this->$attribute = $value;
 		}
 
-		if (!empty($data['date_captured']) && $data['date_captured'] !== 'NULL')
+		if (isset($data['date_captured']) && $data['date_captured'] !== null && !is_object($data['date_captured']))
 			$this->date_captured = new DateTime($data['date_captured']);
 	}
 
@@ -56,7 +56,7 @@ class Asset
 		$row = Registry::get('db')->queryAssoc('
 			SELECT *
 			FROM assets
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			[
 				'id_asset' => $id_asset,
 			]);
@@ -69,7 +69,7 @@ class Asset
 		$row = Registry::get('db')->queryAssoc('
 			SELECT *
 			FROM assets
-			WHERE slug = {string:slug}',
+			WHERE slug = :slug',
 			[
 				'slug' => $slug,
 			]);
@@ -85,7 +85,7 @@ class Asset
 		$row['meta'] = $db->queryPair('
 			SELECT variable, value
 			FROM assets_meta
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			[
 				'id_asset' => $row['id_asset'],
 			]);
@@ -94,21 +94,20 @@ class Asset
 		$row['thumbnails'] = $db->queryPair('
 			SELECT
 				CONCAT(
-					width,
+					width, :x, height,
-					{string:x},
+					IF(mode != :empty1, CONCAT(:_, mode), :empty2)
-					height,
-					IF(mode != {string:empty}, CONCAT({string:_}, mode), {string:empty})
 				) AS selector, filename
 			FROM assets_thumbs
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			[
 				'id_asset' => $row['id_asset'],
-				'empty' => '',
+				'empty1' => '',
+				'empty2' => '',
 				'x' => 'x',
 				'_' => '_',
 			]);
 
-		return $return_format == 'object' ? new Asset($row) : $row;
+		return $return_format === 'object' ? new static($row) : $row;
 	}
 
 	public static function fromIds(array $id_assets, $return_format = 'array')
@@ -121,14 +120,14 @@ class Asset
 		$res = $db->query('
 			SELECT *
 			FROM assets
-			WHERE id_asset IN ({array_int:id_assets})
+			WHERE id_asset IN (@id_assets)
 			ORDER BY id_asset',
 			[
 				'id_assets' => $id_assets,
 			]);
 
 		$assets = [];
-		while ($asset = $db->fetch_assoc($res))
+		while ($asset = $db->fetchAssoc($res))
 		{
 			$assets[$asset['id_asset']] = $asset;
 			$assets[$asset['id_asset']]['meta'] = [];
@@ -138,7 +137,7 @@ class Asset
 		$metas = $db->queryRows('
 			SELECT id_asset, variable, value
 			FROM assets_meta
-			WHERE id_asset IN ({array_int:id_assets})
+			WHERE id_asset IN (@id_assets)
 			ORDER BY id_asset',
 			[
 				'id_assets' => $id_assets,
@@ -150,17 +149,16 @@ class Asset
 		$thumbnails = $db->queryRows('
 			SELECT id_asset,
 				CONCAT(
-					width,
+					width, :x, height,
-					{string:x},
+					IF(mode != :empty1, CONCAT(:_, mode), :empty2)
-					height,
-					IF(mode != {string:empty}, CONCAT({string:_}, mode), {string:empty})
 				) AS selector, filename
 			FROM assets_thumbs
-			WHERE id_asset IN ({array_int:id_assets})
+			WHERE id_asset IN (@id_assets)
 			ORDER BY id_asset',
 			[
 				'id_assets' => $id_assets,
-				'empty' => '',
+				'empty1' => '',
+				'empty2' => '',
 				'x' => 'x',
 				'_' => '_',
 			]);
@@ -168,8 +166,10 @@ class Asset
 		foreach ($thumbnails as $thumb)
 			$assets[$thumb[0]]['thumbnails'][$thumb[1]] = $thumb[2];
 
-		if ($return_format == 'array')
+		if ($return_format === 'array')
+		{
 			return $assets;
+		}
 		else
 		{
 			$objects = [];
@@ -262,10 +262,10 @@ class Asset
 			INSERT INTO assets
 			(id_user_uploaded, subdir, filename, title, slug, mimetype, image_width, image_height, date_captured, priority)
 			VALUES
-			({int:id_user_uploaded}, {string:subdir}, {string:filename}, {string:title}, {string:slug}, {string:mimetype},
+			(:id_user_uploaded, :subdir, :filename, :title, :slug, :mimetype,
-			 {int:image_width}, {int:image_height},
+			 :image_width, :image_height,
-			 IF({int:date_captured} > 0, FROM_UNIXTIME({int:date_captured}), NULL),
+			 IF(:date_captured > 0, FROM_UNIXTIME(:date_captured), NULL),
-			 {int:priority})',
+			 :priority)',
 			[
 				'id_user_uploaded' => isset($id_user) ? $id_user : Registry::get('user')->getUserId(),
 				'subdir' => $preferred_subdir,
@@ -273,9 +273,9 @@ class Asset
 				'title' => $title,
 				'slug' => $slug,
 				'mimetype' => $mimetype,
-				'image_width' => isset($image_width) ? $image_width : 'NULL',
+				'image_width' => isset($image_width) ? $image_width : null,
-				'image_height' => isset($image_height) ? $image_height : 'NULL',
+				'image_height' => isset($image_height) ? $image_height : null,
-				'date_captured' => isset($date_captured) ? $date_captured : 'NULL',
+				'date_captured' => isset($date_captured) ? $date_captured : null,
 				'priority' => isset($priority) ? (int) $priority : 0,
 			]);
 
@@ -285,7 +285,7 @@ class Asset
 			return false;
 		}
 
-		$data['id_asset'] = $db->insert_id();
+		$data['id_asset'] = $db->insertId();
 		return $return_format === 'object' ? new self($data) : $data;
 	}
 
@@ -324,7 +324,7 @@ class Asset
 		$posts = Registry::get('db')->queryValues('
 			SELECT id_post
 			FROM posts_assets
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			['id_asset' => $this->id_asset]);
 
 		// TODO: fix empty post iterator.
@@ -495,18 +495,18 @@ class Asset
 		return Registry::get('db')->query('
 			UPDATE assets
 			SET
-				mimetype = {string:mimetype},
+				mimetype = :mimetype,
-				image_width = {int:image_width},
+				image_width = :image_width,
-				image_height = {int:image_height},
+				image_height = :image_height,
-				date_captured = {datetime:date_captured},
+				date_captured = :date_captured,
-				priority = {int:priority}
+				priority = :priority
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			[
 				'id_asset' => $this->id_asset,
 				'mimetype' => $this->mimetype,
-				'image_width' => isset($this->image_width) ? $this->image_width : 'NULL',
+				'image_width' => isset($this->image_width) ? $this->image_width : null,
-				'image_height' => isset($this->image_height) ? $this->image_height : 'NULL',
+				'image_height' => isset($this->image_height) ? $this->image_height : null,
-				'date_captured' => isset($this->date_captured) ? $this->date_captured : 'NULL',
+				'date_captured' => isset($this->date_captured) ? $this->date_captured : null,
 				'priority' => $this->priority,
 			]);
 	}
@@ -527,8 +527,8 @@ class Asset
 			if (!empty($to_remove))
 				$db->query('
 					DELETE FROM assets_meta
-					WHERE id_asset = {int:id_asset} AND
+					WHERE id_asset = :id_asset AND
-						variable IN({array_string:variables})',
+						variable IN(@variables)',
 					[
 						'id_asset' => $this->id_asset,
 						'variables' => array_keys($to_remove),
@@ -559,63 +559,40 @@ class Asset
 	{
 		$db = Registry::get('db');
 
-		// First: delete associated metadata
+		// Delete any and all thumbnails, if this is an image.
+		if ($this->isImage())
+		{
+			$image = $this->getImage();
+			$image->removeAllThumbnails();
+		}
+
+		// Delete all meta info for this asset.
 		$db->query('
 			DELETE FROM assets_meta
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
-			[
+			['id_asset' => $this->id_asset]);
-				'id_asset' => $this->id_asset,
-			]);
 
-		// Second: figure out what tags to recount cardinality for
+		// Figure out what tags to recount cardinality for
 		$recount_tags = $db->queryValues('
 			SELECT id_tag
 			FROM assets_tags
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
-			[
+			['id_asset' => $this->id_asset]);
-				'id_asset' => $this->id_asset,
-			]);
 
+		// Delete asset association for these tags
 		$db->query('
 			DELETE FROM assets_tags
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
-			[
+			['id_asset' => $this->id_asset]);
-				'id_asset' => $this->id_asset,
-			]);
 
 		Tag::recount($recount_tags);
 
-		// Third: figure out what associated thumbs to delete
-		$thumbs_to_delete = $db->queryValues('
-			SELECT filename
-			FROM assets_thumbs
-			WHERE id_asset = {int:id_asset}',
-			[
-				'id_asset' => $this->id_asset,
-			]);
-
-		foreach ($thumbs_to_delete as $filename)
-		{
-			$thumb_path = THUMBSDIR . '/' . $this->subdir . '/' . $filename;
-			if (is_file($thumb_path))
-				unlink($thumb_path);
-		}
-
-		$db->query('
-			DELETE FROM assets_thumbs
-			WHERE id_asset = {int:id_asset}',
-			[
-				'id_asset' => $this->id_asset,
-			]);
-
 		// Reset asset ID for tags that use this asset for their thumbnail
-		$rows = $db->query('
+		$rows = $db->queryValues('
 			SELECT id_tag
 			FROM tags
-			WHERE id_asset_thumb = {int:id_asset}',
+			WHERE id_asset_thumb = :id_asset',
-			[
+			['id_asset' => $this->id_asset]);
-				'id_asset' => $this->id_asset,
-			]);
 
 		if (!empty($rows))
 		{
@@ -632,10 +609,8 @@ class Asset
 
 		$return = $db->query('
 			DELETE FROM assets
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
-			[
+			['id_asset' => $this->id_asset]);
-				'id_asset' => $this->id_asset,
-			]);
 
 		return $return;
 	}
@@ -664,7 +639,7 @@ class Asset
 
 		Registry::get('db')->query('
 			DELETE FROM assets_tags
-			WHERE id_asset = {int:id_asset} AND id_tag IN ({array_int:id_tags})',
+			WHERE id_asset = :id_asset AND id_tag IN (@id_tags)',
 			[
 				'id_asset' => $this->id_asset,
 				'id_tags' => $id_tags,
@@ -680,6 +655,24 @@ class Asset
 			FROM assets');
 	}
 
+	public static function getOffset($offset, $limit, $order, $direction)
+	{
+		$order = $order . ($direction == 'up' ? ' ASC' : ' DESC');
+
+		return Registry::get('db')->queryAssocs('
+			SELECT a.id_asset, a.subdir, a.filename,
+				a.image_width, a.image_height, a.mimetype,
+				u.id_user, u.first_name, u.surname
+			FROM assets AS a
+			LEFT JOIN users AS u ON a.id_user_uploaded = u.id_user
+			ORDER BY ' . $order . '
+			LIMIT :offset, :limit',
+			[
+				'offset' => $offset,
+				'limit' => $limit,
+			]);
+	}
+
 	public function save()
 	{
 		if (empty($this->id_asset))
@@ -687,18 +680,16 @@ class Asset
 
 		return Registry::get('db')->query('
 			UPDATE assets
-			SET id_asset = {int:id_asset},
+			SET subdir = :subdir,
-				id_user_uploaded = {int:id_user_uploaded},
+				filename = :filename,
-				subdir = {string:subdir},
+				title = :title,
-				filename = {string:filename},
+				slug = :slug,
-				title = {string:title},
+				mimetype = :mimetype,
-				slug = {string:slug},
+				image_width = :image_width,
-				mimetype = {string:mimetype},
+				image_height = :image_height,
-				image_width = {int:image_width},
+				date_captured = :date_captured,
-				image_height = {int:image_height},
+				priority = :priority
-				date_captured = {datetime:date_captured},
+			WHERE id_asset = :id_asset',
-				priority = {int:priority}
-			WHERE id_asset = {int:id_asset}',
 			get_object_vars($this));
 	}
 
@@ -716,27 +707,27 @@ class Asset
 		// Direction depends on whether we're browsing a tag or timeline
 		if (isset($tag))
 		{
-			$where[] = 't.id_tag = {int:id_tag}';
+			$where[] = 't.id_tag = :id_tag';
 			$params['id_tag'] = $tag->id_tag;
-			$params['where_op'] = $previous ? '<' : '>';
+			$where_op = $previous ? '<' : '>';
-			$params['order_dir'] = $previous ? 'DESC' : 'ASC';
+			$order_dir = $previous ? 'DESC' : 'ASC';
 		}
 		else
 		{
-			$params['where_op'] = $previous ? '>' : '<';
+			$where_op = $previous ? '>' : '<';
-			$params['order_dir'] = $previous ? 'ASC' : 'DESC';
+			$order_dir = $previous ? 'ASC' : 'DESC';
 		}
 
 		// Take active filter into account as well
 		if (!empty($activeFilter) && ($user = Member::fromSlug($activeFilter)) !== false)
 		{
-			$where[] = 'id_user_uploaded = {int:id_user_uploaded}';
+			$where[] = 'id_user_uploaded = :id_user_uploaded';
 			$params['id_user_uploaded'] = $user->getUserId();
 		}
 
 		// Use complete ordering when sorting the set
-		$where[] = '(a.date_captured, a.id_asset) {raw:where_op} ' .
+		$where[] = '(a.date_captured, a.id_asset) ' . $where_op .
-			'({datetime:date_captured}, {int:id_asset})';
+			' (:date_captured, :id_asset)';
 
 		// Stringify conditions together
 		$where = '(' . implode(') AND (', $where) . ')';
@@ -748,7 +739,7 @@ class Asset
 			' . (isset($tag) ? '
 			INNER JOIN assets_tags AS t ON a.id_asset = t.id_asset' : '') . '
 			WHERE ' . $where . '
-			ORDER BY a.date_captured {raw:order_dir}, a.id_asset {raw:order_dir}
+			ORDER BY a.date_captured ' . $order_dir . ', a.id_asset ' . $order_dir . '
 			LIMIT 1',
 			$params);
 

models/AssetIterator.php

@@ -1,42 +1,50 @@
 <?php
 /*****************************************************************************
  * AssetIterator.php
- * Contains key class AssetIterator.
+ * Contains model class AssetIterator.
  *
- * Kabuki CMS (C) 2013-2015, Aaron van Geffen
+ * Kabuki CMS (C) 2013-2025, Aaron van Geffen
  *****************************************************************************/
 
-class AssetIterator extends Asset
+class AssetIterator implements Iterator
 {
-	private Database $db;
 	private $direction;
-
 	private $return_format;
-	private $res_assets;
+	private $rowCount;
-	private $res_meta;
-	private $res_thumbs;
 
-	protected function __construct($res_assets, $res_meta, $res_thumbs, $return_format, $direction)
+	private $assets_iterator;
+	private $meta_iterator;
+	private $thumbs_iterator;
+
+	protected function __construct(PDOStatement $stmt_assets, PDOStatement $stmt_meta, PDOStatement $stmt_thumbs,
+		$return_format, $direction)
 	{
-		$this->db = Registry::get('db');
 		$this->direction = $direction;
-		$this->res_assets = $res_assets;
-		$this->res_meta = $res_meta;
-		$this->res_thumbs = $res_thumbs;
 		$this->return_format = $return_format;
+		$this->rowCount = $stmt_assets->rowCount();
+
+		$this->assets_iterator = new CachedPDOIterator($stmt_assets);
+		$this->assets_iterator->rewind();
+
+		$this->meta_iterator = new CachedPDOIterator($stmt_meta);
+		$this->thumbs_iterator = new CachedPDOIterator($stmt_thumbs);
 	}
 
-	public function next()
+	public static function all()
 	{
-		$row = $this->db->fetch_assoc($this->res_assets);
+		return self::getByOptions();
+	}
 
-		// No more rows?
+	public function current(): mixed
+	{
+		$row = $this->assets_iterator->current();
 		if (!$row)
-			return false;
+			return $row;
 
-		// Looks up metadata.
+		// Collect metadata
 		$row['meta'] = [];
-		while ($meta = $this->db->fetch_assoc($this->res_meta))
+		$this->meta_iterator->rewind();
+		foreach ($this->meta_iterator as $meta)
 		{
 			if ($meta['id_asset'] != $row['id_asset'])
 				continue;
@@ -44,54 +52,23 @@ class AssetIterator extends Asset
 			$row['meta'][$meta['variable']] = $meta['value'];
 		}
 
-		// Reset internal pointer for next asset.
+		// Collect thumbnails
-		$this->db->data_seek($this->res_meta, 0);
-
-		// Looks up thumbnails.
 		$row['thumbnails'] = [];
-		while ($thumbs = $this->db->fetch_assoc($this->res_thumbs))
+		$this->thumbs_iterator->rewind();
+		foreach ($this->thumbs_iterator as $thumb)
 		{
-			if ($thumbs['id_asset'] != $row['id_asset'])
+			if ($thumb['id_asset'] != $row['id_asset'])
 				continue;
 
-			$row['thumbnails'][$thumbs['selector']] = $thumbs['filename'];
+			$row['thumbnails'][$thumb['selector']] = $thumb['filename'];
 		}
 
-		// Reset internal pointer for next asset.
-		$this->db->data_seek($this->res_thumbs, 0);
-
 		if ($this->return_format === 'object')
 			return new Asset($row);
 		else
 			return $row;
 	}
 
-	public function reset()
-	{
-		$this->db->data_seek($this->res_assets, 0);
-		$this->db->data_seek($this->res_meta, 0);
-		$this->db->data_seek($this->res_thumbs, 0);
-	}
-
-	public function clean()
-	{
-		if (!$this->res_assets)
-			return;
-
-		$this->db->free_result($this->res_assets);
-		$this->res_assets = null;
-	}
-
-	public function num()
-	{
-		return $this->db->num_rows($this->res_assets);
-	}
-
-	public static function all()
-	{
-		return self::getByOptions();
-	}
-
 	public static function getByOptions(array $options = [], $return_count = false, $return_format = 'object')
 	{
 		$params = [
@@ -114,9 +91,9 @@ class AssetIterator extends Asset
 		{
 			$params['mime_type'] = $options['mime_type'];
 			if (is_array($options['mime_type']))
-				$where[] = 'a.mimetype IN({array_string:mime_type})';
+				$where[] = 'a.mimetype IN(@mime_type)';
 			else
-				$where[] = 'a.mimetype = {string:mime_type}';
+				$where[] = 'a.mimetype = :mime_type';
 		}
 		if (isset($options['id_user_uploaded']))
 		{
@@ -129,7 +106,17 @@ class AssetIterator extends Asset
 			$where[] = 'id_asset IN(
 				SELECT l.id_asset
 				FROM assets_tags AS l
-				WHERE l.id_tag = {int:id_tag})';
+				WHERE l.id_tag = :id_tag)';
+		}
+		elseif (isset($options['tag']))
+		{
+			$params['tag'] = $options['tag'];
+			$where[] = 'id_asset IN(
+				SELECT l.id_asset
+				FROM assets_tags AS l
+				INNER JOIN tags AS t
+				ON l.id_tag = t.id_tag
+				WHERE t.slug = :tag)';
 		}
 
 		// Make it valid SQL.
@@ -145,7 +132,7 @@ class AssetIterator extends Asset
 			FROM assets AS a
 			WHERE ' . $where . '
 			ORDER BY ' . $order . (!empty($params['limit']) ? '
-			LIMIT {int:offset}, {int:limit}' : ''),
+			LIMIT :offset, :limit' : ''),
 			$params);
 
 		// Get a resource object for the asset meta.
@@ -165,9 +152,9 @@ class AssetIterator extends Asset
 			SELECT id_asset, filename,
 				CONCAT(
 					width,
-					{string:x},
+					:x,
 					height,
-					IF(mode != {string:empty}, CONCAT({string:_}, mode), {string:empty})
+					IF(mode != :empty1, CONCAT(:_, mode), :empty2)
 				) AS selector
 			FROM assets_thumbs
 			WHERE id_asset IN(
@@ -177,7 +164,8 @@ class AssetIterator extends Asset
 			)
 			ORDER BY id_asset',
 			$params + [
-				'empty' => '',
+				'empty1' => '',
+				'empty2' => '',
 				'x' => 'x',
 				'_' => '_',
 			]);
@@ -199,13 +187,38 @@ class AssetIterator extends Asset
 			return $iterator;
 	}
 
-	public function isAscending()
+	public function key(): mixed
+	{
+		return $this->assets_iterator->key();
+	}
+
+	public function isAscending(): bool
 	{
 		return $this->direction === 'asc';
 	}
 
-	public function isDescending()
+	public function isDescending(): bool
 	{
 		return $this->direction === 'desc';
 	}
+
+	public function next(): void
+	{
+		$this->assets_iterator->next();
+	}
+
+	public function num(): int
+	{
+		return $this->rowCount;
+	}
+
+	public function rewind(): void
+	{
+		$this->assets_iterator->rewind();
+	}
+
+	public function valid(): bool
+	{
+		return $this->assets_iterator->valid();
+	}
 }

models/Authentication.php

@@ -12,48 +12,27 @@
  */
 class Authentication
 {
-	/**
+	const DEFAULT_RESET_TIMEOUT = 30;
-	 * Checks whether a user still exists in the database.
-	 */
-	public static function checkExists($id_user)
-	{
-		$res = Registry::get('db')->queryValue('
-			SELECT id_user
-			FROM users
-			WHERE id_user = {int:id}',
-			[
-				'id' => $id_user,
-			]);
-
-		return $res !== null;
-	}
 
 	/**
-	 * Finds the user id belonging to a certain emailaddress.
+	 * Checks a password for a given username against the database.
 	 */
-	public static function getUserId($emailaddress)
+	public static function checkPassword($emailaddress, $password)
 	{
-		$res = Registry::get('db')->queryValue('
+		// Retrieve password hash for user matching the provided emailaddress.
-			SELECT id_user
+		$password_hash = Registry::get('db')->queryValue('
+			SELECT password_hash
 			FROM users
-			WHERE emailaddress = {string:emailaddress}',
+			WHERE emailaddress = :emailaddress',
 			[
 				'emailaddress' => $emailaddress,
 			]);
 
-		return empty($res) ? false : $res;
+		// If there's no hash, the user likely does not exist.
-	}
+		if (!$password_hash)
+			return false;
 
-	public static function setResetKey($id_user)
+		return password_verify($password, $password_hash);
-	{
-		return Registry::get('db')->query('
-			UPDATE users
-			SET reset_key = {string:key}
-			WHERE id_user = {int:id}',
-			[
-				'id' => $id_user,
-				'key' => self::newActivationKey(),
-			]);
 	}
 
 	public static function checkResetKey($id_user, $reset_key)
@@ -69,22 +48,55 @@ class Authentication
 		return $key == $reset_key;
 	}
 
+	/**
+	 * Computes a password hash.
+	 */
+	public static function computeHash($password)
+	{
+		$hash = password_hash($password, PASSWORD_DEFAULT);
+		if (!$hash)
+			throw new Exception('Hash creation failed!');
+		return $hash;
+	}
+
+	public static function consumeResetKey($id_user)
+	{
+		return Registry::get('db')->query('
+			UPDATE users
+			SET reset_key = NULL,
+				reset_blocked_until = NULL
+			WHERE id_user = {int:id_user}',
+			['id_user' => $id_user]);
+	}
+
+	public static function getResetTimeOut($id_user)
+	{
+		$resetTime = Registry::get('db')->queryValue('
+			SELECT reset_blocked_until
+			FROM users
+			WHERE id_user = {int:id_user}',
+			['id_user' => $id_user]);
+
+		return max(0, $resetTime - time());
+	}
+
 	/**
 	 * Verifies whether the user is currently logged in.
 	 */
 	public static function isLoggedIn()
 	{
-		// Check whether the active session matches the current user's environment.
+		if (!isset($_SESSION['user_id']))
-		if (isset($_SESSION['ip_address'], $_SESSION['user_agent']) && (
+			return false;
-			 (isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] != $_SERVER['REMOTE_ADDR']) ||
+
-			 (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT'])))
+		try
+		{
+			$exists = Member::fromId($_SESSION['user_id']);
+			return true;
+		}
+		catch (NotFoundException $e)
 		{
-			session_destroy();
 			return false;
 		}
-
-		// A user is logged in if a user id exists in the session and this id is (still) in the database.
-		return isset($_SESSION['user_id']) && self::checkExists($_SESSION['user_id']);
 	}
 
 	/**
@@ -99,36 +111,17 @@ class Authentication
 		return $string;
 	}
 
-	/**
+	public static function setResetKey($id_user)
-	 * Checks a password for a given username against the database.
-	 */
-	public static function checkPassword($emailaddress, $password)
 	{
-		// Retrieve password hash for user matching the provided emailaddress.
+		return Registry::get('db')->query('
-		$password_hash = Registry::get('db')->queryValue('
+			UPDATE users
-			SELECT password_hash
+			SET reset_key = {string:key},
-			FROM users
+				reset_blocked_until = UNIX_TIMESTAMP() + ' . static::DEFAULT_RESET_TIMEOUT . '
-			WHERE emailaddress = {string:emailaddress}',
+			WHERE id_user = {int:id}',
 			[
-				'emailaddress' => $emailaddress,
+				'id' => $id_user,
+				'key' => self::newActivationKey(),
 			]);
-
-		// If there's no hash, the user likely does not exist.
-		if (!$password_hash)
-			return false;
-
-		return password_verify($password, $password_hash);
-	}
-
-	/**
-	 * Computes a password hash.
-	 */
-	public static function computeHash($password)
-	{
-		$hash = password_hash($password, PASSWORD_DEFAULT);
-		if (!$hash)
-			throw new Exception('Hash creation failed!');
-		return $hash;
 	}
 
 	/**
@@ -139,13 +132,35 @@ class Authentication
 		return Registry::get('db')->query('
 			UPDATE users
 			SET
-				password_hash = {string:hash},
+				password_hash = :hash,
-				reset_key = {string:blank}
+				reset_key = :blank
-			WHERE id_user = {int:id_user}',
+			WHERE id_user = :id_user',
 			[
 				'id_user' => $id_user,
 				'hash' => $hash,
 				'blank' => '',
 			]);
 	}
+
+	public static function updateResetTimeOut($id_user)
+	{
+		$currentResetTimeOut = static::getResetTimeOut($id_user);
+
+		// New timeout: between 30 seconds, double the current timeout, and a full day
+		$newResetTimeOut = min(max(static::DEFAULT_RESET_TIMEOUT, $currentResetTimeOut * 2), 60 * 60 * 24);
+
+		$success = Registry::get('db')->query('
+			UPDATE users
+			SET reset_blocked_until = {int:new_time_out}
+			WHERE id_user = {int:id_user}',
+			[
+				'id_user' => $id_user,
+				'new_time_out' => time() + $newResetTimeOut,
+			]);
+
+		if (!$success)
+			throw new UnexpectedValueException('Could not set password reset timeout!');
+
+		return $newResetTimeOut;
+	}
 }

models/CachedPDOIterator.php

@@ -0,0 +1,56 @@
+<?php
+/*****************************************************************************
+ * CachedPDOIterator.php
+ * Contains model class CachedPDOIterator.
+ *
+ * Based on https://gist.github.com/hakre/5152090
+ *
+ * Kabuki CMS (C) 2013-2021, Aaron van Geffen
+ *****************************************************************************/
+
+class CachedPDOIterator extends CachingIterator
+{
+    private $index;
+
+    public function __construct(PDOStatement $statement)
+    {
+        parent::__construct(new IteratorIterator($statement), self::FULL_CACHE);
+    }
+
+    public function rewind(): void
+    {
+        if ($this->index === null)
+        {
+            parent::rewind();
+        }
+        $this->index = 0;
+    }
+
+    public function current(): mixed
+    {
+        if ($this->offsetExists($this->index))
+        {
+            return $this->offsetGet($this->index);
+        }
+        return parent::current();
+    }
+
+    public function key(): mixed
+    {
+        return $this->index;
+    }
+
+    public function next(): void
+    {
+        $this->index++;
+        if (!$this->offsetExists($this->index))
+        {
+            parent::next();
+        }
+    }
+
+    public function valid(): bool
+    {
+        return $this->offsetExists($this->index) || parent::valid();
+    }
+}

models/Database.php

@@ -1,44 +1,34 @@
 <?php
 /*****************************************************************************
  * Database.php
- * Contains key class Database.
+ * Contains model class Database.
  *
- * Adapted from SMF 2.0's DBA (C) 2011 Simple Machines
+ * Kabuki CMS (C) 2013-2025, Aaron van Geffen
- * Used under BSD 3-clause license.
- *
- * Kabuki CMS (C) 2013-2015, Aaron van Geffen
  *****************************************************************************/
 
-/**
- * The database model used to communicate with the MySQL server.
- */
 class Database
 {
 	private $connection;
 	private $query_count = 0;
 	private $logged_queries = [];
-	private array $db_callback;
 
-	/**
+	public function __construct($host, $user, $password, $name)
-	 * Initialises a new database connection.
-	 * @param server: server to connect to.
-	 * @param user: username to use for authentication.
-	 * @param password: password to use for authentication.
-	 * @param name: database to select.
-	 */
-	public function __construct($server, $user, $password, $name)
 	{
-		$this->connection = @mysqli_connect($server, $user, $password, $name);
+		try
-
+		{
+			$this->connection = new PDO("mysql:host=$host;dbname=$name;charset=utf8mb4", $user, $password, [
+				PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
+				PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+				PDO::ATTR_EMULATE_PREPARES => false,
+			]);
+		}
 		// Give up if we have a connection error.
-		if (mysqli_connect_error())
+		catch (PDOException $e)
 		{
-			header('HTTP/1.1 503 Service Temporarily Unavailable');
+			http_response_code(503);
 			echo '<h2>Database Connection Problems</h2><p>Our software could not connect to the database. We apologise for any inconvenience and ask you to check back later.</p>';
 			exit;
 		}
-
-		$this->query('SET NAMES {string:utf8mb4}', ['utf8mb4' => 'utf8mb4']);
 	}
 
 	public function getQueryCount()
@@ -52,305 +42,227 @@ class Database
 	}
 
 	/**
-	 * Fetches a row from a given recordset, using field names as keys.
+	 * Fetches a row from a given statement/recordset, using field names as keys.
 	 */
-	public function fetch_assoc($resource)
+	public function fetchAssoc($stmt)
 	{
-		return mysqli_fetch_assoc($resource);
+		return $stmt->fetch(PDO::FETCH_ASSOC);
 	}
 
 	/**
-	 * Fetches a row from a given recordset, using numeric keys.
+	 * Fetches a row from a given statement/recordset, encapsulating into an object.
 	 */
-	public function fetch_row($resource)
+	public function fetchObject($stmt, $class)
 	{
-		return mysqli_fetch_row($resource);
+		return $stmt->fetchObject($class);
 	}
 
 	/**
-	 * Destroys a given recordset.
+	 * Fetches a row from a given statement/recordset, using numeric keys.
 	 */
-	public function free_result($resource)
+	public function fetchNum($stmt)
 	{
-		return mysqli_free_result($resource);
+		return $stmt->fetch(PDO::FETCH_NUM);
-	}
-
-	public function data_seek($result, $row_num)
-	{
-		return mysqli_data_seek($result, $row_num);
 	}
 
 	/**
-	 * Returns the amount of rows in a given recordset.
+	 * Destroys a given statement/recordset.
 	 */
-	public function num_rows($resource)
+	public function free($stmt)
 	{
-		return mysqli_num_rows($resource);
+		return $stmt->closeCursor();
 	}
 
 	/**
-	 * Returns the amount of fields in a given recordset.
+	 * Returns the amount of rows in a given statement/recordset.
 	 */
-	public function num_fields($resource)
+	public function rowCount($stmt)
 	{
-		return mysqli_num_fields($resource);
+		return $stmt->rowCount();
 	}
 
 	/**
-	 * Escapes a string.
+	 * Returns the amount of fields in a given statement/recordset.
 	 */
-	public function escape_string($string)
+	public function columnCount($stmt)
 	{
-		return mysqli_real_escape_string($this->connection, $string);
+		return $stmt->columnCount();
-	}
-
-	/**
-	 * Unescapes a string.
-	 */
-	public function unescape_string($string)
-	{
-		return stripslashes($string);
-	}
-
-	/**
-	 * Returns the last MySQL error.
-	 */
-	public function error()
-	{
-		return mysqli_error($this->connection);
-	}
-
-	public function server_info()
-	{
-		return mysqli_get_server_info($this->connection);
-	}
-
-	/**
-	 * Selects a database on a given connection.
-	 */
-	public function select_db($database)
-	{
-		return mysqli_select_db($database, $this->connection);
-	}
-
-	/**
-	 * Returns the amount of rows affected by the previous query.
-	 */
-	public function affected_rows()
-	{
-		return mysqli_affected_rows($this->connection);
 	}
 
 	/**
 	 * Returns the id of the row created by a previous query.
 	 */
-	public function insert_id()
+	public function insertId($name = null)
 	{
-		return mysqli_insert_id($this->connection);
+		return $this->connection->lastInsertId($name);
 	}
 
 	/**
-	 * Do a MySQL transaction.
+	 * Start a transaction.
 	 */
-	public function transaction($operation = 'commit')
+	public function beginTransaction()
 	{
-		switch ($operation)
+		return $this->connection->beginTransaction();
-		{
-				case 'begin':
-				case 'rollback':
-				case 'commit':
-					return @mysqli_query($this->connection, strtoupper($operation));
-			default:
-				return false;
-		}
 	}
 
 	/**
-	 * Function used as a callback for the preg_match function that parses variables into database queries.
+	 * Rollback changes in a transaction.
 	 */
-	private function replacement_callback($matches)
+	public function rollback()
 	{
-		list ($values, $connection) = $this->db_callback;
+		return $this->connection->rollBack();
-
-		if (!isset($matches[2]))
-			trigger_error('Invalid value inserted or no type specified.', E_USER_ERROR);
-
-		if (!isset($values[$matches[2]]))
-			trigger_error('The database value you\'re trying to insert does not exist: ' . htmlspecialchars($matches[2]), E_USER_ERROR);
-
-		$replacement = $values[$matches[2]];
-
-		switch ($matches[1])
-		{
-			case 'int':
-				if ((!is_numeric($replacement) || (string) $replacement !== (string) (int) $replacement) && $replacement !== 'NULL')
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Integer expected.', E_USER_ERROR);
-				return $replacement !== 'NULL' ? (string) (int) $replacement : 'NULL';
-			break;
-
-			case 'string':
-			case 'text':
-				return $replacement !== 'NULL' ? sprintf('\'%1$s\'', mysqli_real_escape_string($connection, $replacement)) : 'NULL';
-			break;
-
-			case 'array_int':
-				if (is_array($replacement))
-				{
-					if (empty($replacement))
-						trigger_error('Database error, given array of integer values is empty.', E_USER_ERROR);
-
-					foreach ($replacement as $key => $value)
-					{
-						if (!is_numeric($value) || (string) $value !== (string) (int) $value)
-							trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Array of integers expected.', E_USER_ERROR);
-
-						$replacement[$key] = (string) (int) $value;
-					}
-
-					return implode(', ', $replacement);
-				}
-				else
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Array of integers expected.', E_USER_ERROR);
-
-			break;
-
-			case 'array_string':
-				if (is_array($replacement))
-				{
-					if (empty($replacement))
-						trigger_error('Database error, given array of string values is empty.', E_USER_ERROR);
-
-					foreach ($replacement as $key => $value)
-						$replacement[$key] = sprintf('\'%1$s\'', mysqli_real_escape_string($connection, $value));
-
-					return implode(', ', $replacement);
-				}
-				else
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Array of strings expected.', E_USER_ERROR);
-			break;
-
-			case 'date':
-				if (preg_match('~^(\d{4})-([0-1]?\d)-([0-3]?\d)$~', $replacement, $date_matches) === 1)
-					return sprintf('\'%04d-%02d-%02d\'', $date_matches[1], $date_matches[2], $date_matches[3]);
-				elseif ($replacement === 'NULL')
-					return 'NULL';
-				else
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Date expected.', E_USER_ERROR);
-			break;
-
-			case 'datetime':
-				if (is_a($replacement, 'DateTime'))
-					return $replacement->format('\'Y-m-d H:i:s\'');
-				elseif (preg_match('~^(\d{4})-([0-1]?\d)-([0-3]?\d) (\d{2}):(\d{2}):(\d{2})$~', $replacement, $date_matches) === 1)
-					return sprintf('\'%04d-%02d-%02d %02d:%02d:%02d\'', $date_matches[1], $date_matches[2], $date_matches[3], $date_matches[4], $date_matches[5], $date_matches[6]);
-				elseif ($replacement === 'NULL')
-					return 'NULL';
-				else
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. DateTime expected.', E_USER_ERROR);
-			break;
-
-			case 'float':
-				if (!is_numeric($replacement) && $replacement !== 'NULL')
-					trigger_error('Wrong value type sent to the database for field: ' . $matches[2] . '. Floating point number expected.', E_USER_ERROR);
-				return $replacement !== 'NULL' ? (string) (float) $replacement : 'NULL';
-			break;
-
-			case 'identifier':
-				// Backticks inside identifiers are supported as of MySQL 4.1. We don't need them here.
-				return '`' . strtr($replacement, ['`' => '', '.' => '']) . '`';
-			break;
-
-			case 'raw':
-				return $replacement;
-			break;
-
-			case 'bool':
-			case 'boolean':
-				// In mysql this is a synonym for tinyint(1)
-				return (bool)$replacement ? 1 : 0;
-			break;
-
-			default:
-				trigger_error('Undefined type <b>' . $matches[1] . '</b> used in the database query', E_USER_ERROR);
-			break;
-		}
 	}
 
 	/**
-	 * Escapes and quotes a string using values passed, and executes the query.
+	 * Commit changes in a transaction.
 	 */
-	public function query($db_string, $db_values = [])
+	public function commit()
 	{
-		// One more query....
+		return $this->connection->commit();
-		$this->query_count ++;
-
-		// Overriding security? This is evil!
-		$security_override = $db_values === 'security_override' || !empty($db_values['security_override']);
-
-		// Please, just use new style queries.
-		if (strpos($db_string, '\'') !== false && !$security_override)
-			trigger_error('Hack attempt!', 'Illegal character (\') used in query.', E_USER_ERROR);
-
-		if (!$security_override && !empty($db_values))
-		{
-			// Set some values for use in the callback function.
-			$this->db_callback = [$db_values, $this->connection];
-
-			// Insert the values passed to this function.
-			$db_string = preg_replace_callback('~{([a-z_]+)(?::([a-zA-Z0-9_-]+))?}~', [&$this, 'replacement_callback'], $db_string);
-
-			// Save some memory.
-			$this->db_callback = [];
 	}
 
-		if (defined("DB_LOG_QUERIES") && DB_LOG_QUERIES)
+	private function expandPlaceholders($db_string, array &$db_values)
-			$this->logged_queries[] = $db_string;
-
-		$return = @mysqli_query($this->connection, $db_string, empty($this->unbuffered) ? MYSQLI_STORE_RESULT : MYSQLI_USE_RESULT);
-
-		if (!$return)
 	{
-			$clean_sql = implode("\n", array_map('trim', explode("\n", $db_string)));
+		foreach ($db_values as $key => &$value)
-			trigger_error($this->error() . '<br>' . $clean_sql, E_USER_ERROR);
+		{
+			if (str_contains($db_string, ':' . $key))
+			{
+				if (is_array($value))
+				{
+					throw new UnexpectedValueException('Array ' . $key .
+						' is used as a scalar placeholder. Did you mean to use \'@\' instead?');
 				}
 
-		return $return;
+				// Prepare date/time values
+				if (is_a($value, 'DateTime'))
+				{
+					$value = $value->format('Y-m-d H:i:s');
+				}
+			}
+			elseif (str_contains($db_string, '@' . $key))
+			{
+				if (!is_array($value))
+				{
+					throw new UnexpectedValueException('Scalar value ' . $key .
+						' is used as an array placeholder. Did you mean to use \':\' instead?');
 				}
 
-	/**
+				// Create placeholders for all array elements
-	 * Escapes and quotes a string just like db_query, but does not execute the query.
+				$placeholders = array_map(fn($num) => ':' . $key . $num, range(0, count($value) - 1));
-	 * Useful for debugging purposes.
+				$db_string = str_replace('@' . $key, implode(', ', $placeholders), $db_string);
-	 */
+			}
-	public function quote($db_string, $db_values = [])
+			else
 			{
-		// Please, just use new style queries.
+				// throw new Exception('Warning: unused key in query: ' . $key);
-		if (strpos($db_string, '\'') !== false)
+			}
-			trigger_error('Hack attempt!', 'Illegal character (\') used in query.', E_USER_ERROR);
+		}
-
-		// Save some values for use in the callback function.
-		$this->db_callback = [$db_values, $this->connection];
-
-		// Insert the values passed to this function.
-		$db_string = preg_replace_callback('~{([a-z_]+)(?::([a-zA-Z0-9_-]+))?}~', [&$this, 'replacement_callback'], $db_string);
-
-		// Save some memory.
-		$this->db_callback = [];
 
 		return $db_string;
 	}
 
 	/**
-	 * Executes a query, returning an array of all the rows it returns.
+	 * Escapes and quotes a string using values passed, and executes the query.
 	 */
-	public function queryRow($db_string, $db_values = [])
+	public function query($db_string, array $db_values = []): PDOStatement
+	{
+		// One more query...
+		$this->query_count++;
+
+		// Error out if hardcoded strings are detected
+		if (strpos($db_string, '\'') !== false)
+			throw new UnexpectedValueException('Hack attempt: illegal character (\') used in query.');
+
+		if (defined('DB_LOG_QUERIES') && DB_LOG_QUERIES)
+			$this->logged_queries[] = $db_string;
+
+		try
+		{
+			// Preprocessing/checks: prepare any arrays for binding
+			$db_string = $this->expandPlaceholders($db_string, $db_values);
+
+			// Prepare query for execution
+			$statement = $this->connection->prepare($db_string);
+
+			// Bind parameters... the hard way, due to a limit/offset hack.
+			// NB: bindParam binds by reference, hence &$value here.
+			foreach ($db_values as $key => &$value)
+			{
+				// Assumption: both scalar and array values are preprocessed to use named ':' placeholders
+				if (!str_contains($db_string, ':' . $key))
+					continue;
+
+				if (!is_array($value))
+				{
+					$statement->bindParam(':' . $key, $value);
+					continue;
+				}
+
+				foreach (array_values($value) as $num => &$element)
+				{
+					$statement->bindParam(':' . $key . $num, $element);
+				}
+			}
+
+			$statement->execute();
+			return $statement;
+		}
+		catch (PDOException $e)
+		{
+			ob_start();
+
+			$debug = ob_get_clean();
+
+			throw new Exception($e->getMessage() . "\n" . var_export($e->errorInfo, true) . "\n" . var_export($db_values, true));
+		}
+	}
+
+	/**
+	 * Executes a query, returning an object of the row it returns.
+	 */
+	public function queryObject($class, $db_string, $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if (!$res || $this->rowCount($res) === 0)
+			return null;
+
+		$object = $this->fetchObject($res, $class);
+		$this->free($res);
+
+		return $object;
+	}
+
+	/**
+	 * Executes a query, returning an array of objects of all the rows returns.
+	 */
+	public function queryObjects($class, $db_string, $db_values = [])
+	{
+		$res = $this->query($db_string, $db_values);
+
+		if (!$res || $this->rowCount($res) === 0)
 			return [];
 
-		$row = $this->fetch_row($res);
+		$rows = [];
-		$this->free_result($res);
+		while ($object = $this->fetchObject($res, $class))
+			$rows[] = $object;
+
+		$this->free($res);
+
+		return $rows;
+	}
+
+	/**
+	 * Executes a query, returning an array of all the rows it returns.
+	 */
+	public function queryRow($db_string, array $db_values = [])
+	{
+		$res = $this->query($db_string, $db_values);
+
+		if ($this->rowCount($res) === 0)
+			return [];
+
+		$row = $this->fetchNum($res);
+		$this->free($res);
 
 		return $row;
 	}
@@ -358,18 +270,18 @@ class Database
 	/**
 	 * Executes a query, returning an array of all the rows it returns.
 	 */
-	public function queryRows($db_string, $db_values = [])
+	public function queryRows($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_row($res))
+		while ($row = $this->fetchNum($res))
 			$rows[] = $row;
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -377,18 +289,18 @@ class Database
 	/**
 	 * Executes a query, returning an array of all the rows it returns.
 	 */
-	public function queryPair($db_string, $db_values = [])
+	public function queryPair($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_row($res))
+		while ($row = $this->fetchNum($res))
 			$rows[$row[0]] = $row[1];
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -396,21 +308,21 @@ class Database
 	/**
 	 * Executes a query, returning an array of all the rows it returns.
 	 */
-	public function queryPairs($db_string, $db_values = [])
+	public function queryPairs($db_string, $db_values = array())
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if (!$res || $this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_assoc($res))
+		while ($row = $this->fetchAssoc($res))
 		{
 			$key_value = reset($row);
 			$rows[$key_value] = $row;
 		}
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -418,15 +330,15 @@ class Database
 	/**
 	 * Executes a query, returning an associative array of all the rows it returns.
 	 */
-	public function queryAssoc($db_string, $db_values = [])
+	public function queryAssoc($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
-		$row = $this->fetch_assoc($res);
+		$row = $this->fetchAssoc($res);
-		$this->free_result($res);
+		$this->free($res);
 
 		return $row;
 	}
@@ -434,18 +346,18 @@ class Database
 	/**
 	 * Executes a query, returning an associative array of all the rows it returns.
 	 */
-	public function queryAssocs($db_string, $db_values = [], $connection = null)
+	public function queryAssocs($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_assoc($res))
+		while ($row = $this->fetchAssoc($res))
 			$rows[] = $row;
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -453,16 +365,16 @@ class Database
 	/**
 	 * Executes a query, returning the first value of the first row.
 	 */
-	public function queryValue($db_string, $db_values = [])
+	public function queryValue($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
 		// If this happens, you're doing it wrong.
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return null;
 
-		list($value) = $this->fetch_row($res);
+		list($value) = $this->fetchNum($res);
-		$this->free_result($res);
+		$this->free($res);
 
 		return $value;
 	}
@@ -470,18 +382,18 @@ class Database
 	/**
 	 * Executes a query, returning an array of the first value of each row.
 	 */
-	public function queryValues($db_string, $db_values = [])
+	public function queryValues($db_string, array $db_values = [])
 	{
 		$res = $this->query($db_string, $db_values);
 
-		if (!$res || $this->num_rows($res) == 0)
+		if ($this->rowCount($res) === 0)
 			return [];
 
 		$rows = [];
-		while ($row = $this->fetch_row($res))
+		while ($row = $this->fetchNum($res))
 			$rows[] = $row[0];
 
-		$this->free_result($res);
+		$this->free($res);
 
 		return $rows;
 	}
@@ -499,35 +411,45 @@ class Database
 		if (!is_array($data[array_rand($data)]))
 			$data = [$data];
 
-		// Create the mold for a single row insert.
-		$insertData = '(';
-		foreach ($columns as $columnName => $type)
-		{
-			// Are we restricting the length?
-			if (strpos($type, 'string-') !== false)
-				$insertData .= sprintf('SUBSTRING({string:%1$s}, 1, ' . substr($type, 7) . '), ', $columnName);
-			else
-				$insertData .= sprintf('{%1$s:%2$s}, ', $type, $columnName);
-		}
-		$insertData = substr($insertData, 0, -2) . ')';
-
-		// Create an array consisting of only the columns.
-		$indexed_columns = array_keys($columns);
-
-		// Here's where the variables are injected to the query.
-		$insertRows = [];
-		foreach ($data as $dataRow)
-			$insertRows[] = $this->quote($insertData, array_combine($indexed_columns, $dataRow));
-
 		// Determine the method of insertion.
-		$queryTitle = $method === 'replace' ? 'REPLACE' : ($method === 'ignore' ? 'INSERT IGNORE' : 'INSERT');
+		$method = $method == 'replace' ? 'REPLACE' : ($method == 'ignore' ? 'INSERT IGNORE' : 'INSERT');
 
-		// Do the insert.
+		// What columns are we inserting?
-		return $this->query('
+		$columns = array_keys($data[0]);
-			' . $queryTitle . ' INTO ' . $table . ' (`' . implode('`, `', $indexed_columns) . '`)
+
-			VALUES
+		// Start building the query.
-				' . implode(',
+		$db_string = $method . ' INTO ' . $table . ' (' . implode(',', $columns) . ') VALUES ';
-				', $insertRows),
+
-			['security_override' => true]);
+		// Create the mold for a single row insert.
+		$placeholders = '(' . substr(str_repeat('?, ', count($columns)), 0, -2) . '), ';
+
+		// Append it for every row we're to insert.
+		$values = [];
+		foreach ($data as $row)
+		{
+			$values = array_merge($values, array_values($row));
+			$db_string .= $placeholders;
+		}
+
+		// Get rid of the tailing comma.
+		$db_string = substr($db_string, 0, -2);
+
+		// Prepare for your impending demise!
+		$statement = $this->connection->prepare($db_string);
+
+		// Bind parameters... the hard way, due to a limit/offset hack.
+		foreach ($values as $key => $value)
+			$statement->bindValue($key + 1, $values[$key]);
+
+		// Handle errors.
+		try
+		{
+			$statement->execute();
+			return $statement;
+		}
+		catch (PDOException $e)
+		{
+			throw new Exception($e->getMessage() . '<br><br>' . $db_string . '<br><br>' . print_r($values, true));
+		}
 	}
 }

models/Dispatcher.php

@@ -44,6 +44,19 @@ class Dispatcher
 		}
 	}
 
+	public static function errorPage($title, $body)
+	{
+		$page = new MainTemplate($title);
+		$page->adopt(new ErrorPage($title, $body));
+
+		if (Registry::get('user')->isAdmin())
+		{
+			$page->appendStylesheet(BASEURL . '/css/admin.css');
+		}
+
+		$page->html_main();
+	}
+
 	/**
 	 * Kicks a guest to a login form, redirecting them back to this page upon login.
 	 */
@@ -60,37 +73,24 @@ class Dispatcher
 		exit;
 	}
 
-	public static function trigger400()
+	private static function trigger400()
 	{
-		header('HTTP/1.1 400 Bad Request');
+		http_response_code(400);
-		$page = new MainTemplate('Bad request');
+		self::errorPage('Bad request', 'The server does not understand your request.');
-		$page->adopt(new DummyBox('Bad request', '<p>The server does not understand your request.</p>'));
-		$page->html_main();
 		exit;
 	}
 
-	public static function trigger403()
+	private static function trigger403()
 	{
-		header('HTTP/1.1 403 Forbidden');
+		http_response_code(403);
-		$page = new MainTemplate('Access denied');
+		self::errorPage('Forbidden', 'You do not have access to this page.');
-		$page->adopt(new DummyBox('Forbidden', '<p>You do not have access to the page you requested.</p>'));
-		$page->html_main();
 		exit;
 	}
 
-	public static function trigger404()
+	private static function trigger404()
 	{
-		header('HTTP/1.1 404 Not Found');
+		http_response_code(404);
-		$page = new MainTemplate('Page not found');
+		$page = new ViewErrorPage('Page not found!');
-
+		$page->showContent();
-		if (Registry::has('user') && Registry::get('user')->isAdmin())
-		{
-			$page->appendStylesheet(BASEURL . '/css/admin.css');
-		}
-
-		$page->adopt(new DummyBox('Well, this is a bit embarrassing!', '<p>The page you requested could not be found. Don\'t worry, it\'s probably not your fault. You\'re welcome to browse the website, though!</p>', 'errormsg'));
-		$page->addClass('errorpage');
-		$page->html_main();
-		exit;
 	}
 }

models/ErrorHandler.php

@@ -3,7 +3,7 @@
  * ErrorHandler.php
  * Contains key class ErrorHandler.
  *
- * Kabuki CMS (C) 2013-2016, Aaron van Geffen
+ * Kabuki CMS (C) 2013-2025, Aaron van Geffen
  *****************************************************************************/
 
 class ErrorHandler
@@ -47,10 +47,8 @@ class ErrorHandler
 		// Log the error in the database.
 		self::logError($error_message, $debug_info, $file, $line);
 
-		// Are we considering this fatal? Then display and exit.
+		// Display error and exit.
-		// !!! TODO: should we consider warnings fatal?
+		self::display($error_message, $file, $line, $debug_info);
-		if (true) // DEBUG || (!DEBUG && $error_level === E_WARNING || $error_level === E_USER_WARNING))
-			self::display($file . ' (' . $line . ')<br>' . $error_message, $debug_info);
 
 		// If it wasn't a fatal error, well...
 		self::$handling_error = false;
@@ -118,7 +116,7 @@ class ErrorHandler
 	}
 
 	// Logs an error into the database.
-	private static function logError($error_message = '', $debug_info = '', $file = '', $line = 0)
+	public static function logError($error_message = '', $debug_info = '', $file = '', $line = 0)
 	{
 		if (!ErrorLog::log([
 			'message' => $error_message,
@@ -130,7 +128,7 @@ class ErrorHandler
 			'request_uri' => isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '',
 			]))
 		{
-			header('HTTP/1.1 503 Service Temporarily Unavailable');
+			http_response_code(503);
 			echo '<h2>An Error Occurred</h2><p>Our software could not connect to the database. We apologise for any inconvenience and ask you to check back later.</p>';
 			exit;
 		}
@@ -138,7 +136,7 @@ class ErrorHandler
 		return $error_message;
 	}
 
-	public static function display($message, $debug_info, $is_sensitive = true)
+	public static function display($message, $file, $line, $debug_info, $is_sensitive = true)
 	{
 		$is_admin = Registry::has('user') && Registry::get('user')->isAdmin();
 
@@ -167,7 +165,8 @@ class ErrorHandler
 		$is_admin = Registry::has('user') && Registry::get('user')->isAdmin();
 		if (DEBUG || $is_admin)
 		{
-			$page->adopt(new DummyBox('An error occurred!', '<p>' . $message . '</p><pre>' . $debug_info . '</pre>'));
+			$debug_info = sprintf("Trigger point:\n%s (L%d)\n\n%s", $file, $line, $debug_info);
+			$page->adopt(new ErrorPage('An error occurred!', $message, $debug_info));
 
 			// Let's provide the admin navigation despite it all!
 			if ($is_admin)
@@ -176,9 +175,9 @@ class ErrorHandler
 			}
 		}
 		elseif (!$is_sensitive)
-			$page->adopt(new DummyBox('An error occurred!', '<p>' . $message . '</p>'));
+			$page->adopt(new ErrorPage('An error occurred!', '<p>' . $message . '</p>'));
 		else
-			$page->adopt(new DummyBox('An error occurred!', '<p>Our apologies, an error occurred while we were processing your request. Please try again later, or contact us if the problem persists.</p>'));
+			$page->adopt(new ErrorPage('An error occurred!', 'Our apologies, an error occurred while we were processing your request. Please try again later, or contact us if the problem persists.'));
 
 		// If we got this far, make sure we're not showing stuff twice.
 		ob_end_clean();

models/ErrorLog.php

@@ -17,14 +17,14 @@ class ErrorLog
 			INSERT INTO log_errors
 			(id_user, message, debug_info, file, line, request_uri, time, ip_address)
 			VALUES
-			({int:id_user}, {string:message}, {string:debug_info}, {string:file}, {int:line},
+			(:id_user, :message, :debug_info, :file, :line,
-			 {string:request_uri}, CURRENT_TIMESTAMP, {string:ip_address})',
+			 :request_uri, CURRENT_TIMESTAMP, :ip_address)',
 			$data);
 	}
 
 	public static function flush()
 	{
-		return Registry::get('db')->query('TRUNCATE log_errors');
+		return Registry::get('db')->query('DELETE FROM log_errors');
 	}
 
 	public static function getCount()
@@ -33,4 +33,20 @@ class ErrorLog
 			SELECT COUNT(*)
 			FROM log_errors');
 	}
+
+	public static function getOffset($offset, $limit, $order, $direction)
+	{
+		assert(in_array($order, ['id_entry', 'file', 'line', 'time', 'ipaddress', 'id_user']));
+		$order = $order . ($direction === 'up' ? ' ASC' : ' DESC');
+
+		return Registry::get('db')->queryAssocs('
+			SELECT *
+			FROM log_errors
+			ORDER BY ' . $order . '
+			LIMIT :offset, :limit',
+			[
+				'offset' => $offset,
+				'limit' => $limit,
+			]);
+	}
 }

models/GenericTable.php

@@ -15,7 +15,6 @@ class GenericTable
 
 	private $title;
 	private $title_class;
-	private $tableIsSortable = false;
 
 	public $form_above;
 	public $form_below;
@@ -29,58 +28,22 @@ class GenericTable
 
 	public function __construct($options)
 	{
-		// Make sure we're actually sorting on something sortable.
+		$this->initOrder($options);
-		if (!isset($options['sort_order']) || (!empty($options['sort_order']) && empty($options['columns'][$options['sort_order']]['is_sortable'])))
+		$this->initPagination($options);
-			$options['sort_order'] = '';
 
-		// Order in which direction?
+		$data = $options['get_data']($this->start, $this->items_per_page,
-		if (!empty($options['sort_direction']) && !in_array($options['sort_direction'], ['up', 'down']))
+			$this->sort_order, $this->sort_direction);
-			$options['sort_direction'] = 'up';
-
-		// Make sure we know whether we can actually sort on something.
-		$this->tableIsSortable = !empty($options['base_url']);
-
-		// How much data do we have?
-		$this->recordCount = $options['get_count'](...(!empty($options['get_count_params']) ? $options['get_count_params'] : []));
-
-		// How much data do we need to retrieve?
-		$this->items_per_page = !empty($options['items_per_page']) ? $options['items_per_page'] : 30;
-
-		// Figure out where to start.
-		$this->start = empty($options['start']) || !is_numeric($options['start']) || $options['start'] < 0 || $options['start'] > $this->recordCount ? 0 : $options['start'];
-
-		// Figure out where we are on the whole, too.
-		$numPages = max(1, ceil($this->recordCount / $this->items_per_page));
-		$this->currentPage = min(ceil($this->start / $this->items_per_page) + 1, $numPages);
-
-		// Let's bear a few things in mind...
-		$this->base_url = $options['base_url'];
-
-		// Gather parameters for the data gather function first.
-		$parameters = [$this->start, $this->items_per_page, $options['sort_order'], $options['sort_direction']];
-		if (!empty($options['get_data_params']) && is_array($options['get_data_params']))
-			$parameters = array_merge($parameters, $options['get_data_params']);
-
-		// Okay, let's fetch the data!
-		$data = $options['get_data'](...$parameters);
-
-		// Extract data into local variables.
-		$rawRowData = $data['rows'];
-		$this->sort_order = $data['order'];
-		$this->sort_direction = $data['direction'];
-		unset($data);
 
 		// Okay, now for the column headers...
 		$this->generateColumnHeaders($options);
 
 		// Should we create a page index?
-		$needsPageIndex = !empty($this->items_per_page) && $this->recordCount > $this->items_per_page;
+		if ($this->recordCount > $this->items_per_page)
-		if ($needsPageIndex)
 			$this->generatePageIndex($options);
 
 		// Process the data to be shown into rows.
-		if (!empty($rawRowData))
+		if (!empty($data))
-			$this->processAllRows($rawRowData, $options);
+			$this->processAllRows($data, $options);
 		else
 			$this->body = $options['no_items_label'] ?? '';
 
@@ -95,6 +58,38 @@ class GenericTable
 		$this->form_below = $options['form_below'] ?? $options['form'] ?? null;
 	}
 
+	private function initOrder($options)
+	{
+		assert(isset($options['default_sort_order']));
+		assert(isset($options['default_sort_direction']));
+
+		// Validate sort order (column)
+		$this->sort_order = $options['sort_order'];
+		if (empty($this->sort_order) || empty($options['columns'][$this->sort_order]['is_sortable']))
+			$this->sort_order = $options['default_sort_order'];
+
+		// Validate sort direction
+		$this->sort_direction = $options['sort_direction'];
+		if (empty($this->sort_direction) || !in_array($this->sort_direction, ['up', 'down']))
+			$this->sort_direction = $options['default_sort_direction'];
+	}
+
+	private function initPagination(array $options)
+	{
+		assert(isset($options['base_url']));
+		assert(isset($options['items_per_page']));
+
+		$this->base_url = $options['base_url'];
+
+		$this->recordCount = $options['get_count']();
+		$this->items_per_page = !empty($options['items_per_page']) ? $options['items_per_page'] : 30;
+
+		$this->start = empty($options['start']) || !is_numeric($options['start']) || $options['start'] < 0 || $options['start'] > $this->recordCount ? 0 : $options['start'];
+
+		$numPages = max(1, ceil($this->recordCount / $this->items_per_page));
+		$this->currentPage = min(ceil($this->start / $this->items_per_page) + 1, $numPages);
+	}
+
 	private function generateColumnHeaders($options)
 	{
 		foreach ($options['columns'] as $key => $column)
@@ -102,14 +97,14 @@ class GenericTable
 			if (empty($column['header']))
 				continue;
 
-			$isSortable = $this->tableIsSortable && !empty($column['is_sortable']);
+			$isSortable = !empty($column['is_sortable']);
 			$sortDirection = $key == $this->sort_order && $this->sort_direction === 'up' ? 'down' : 'up';
 
 			$header = [
 				'class' => isset($column['class']) ? $column['class'] : '',
 				'cell_class' => isset($column['cell_class']) ? $column['cell_class'] : null,
 				'colspan' => !empty($column['header_colspan']) ? $column['header_colspan'] : 1,
-				'href' => $isSortable ? $this->getLink($this->start, $key, $sortDirection) : null,
+				'href' => $isSortable ? $this->getHeaderLink($this->start, $key, $sortDirection) : null,
 				'label' => $column['header'],
 				'scope' => 'col',
 				'sort_mode' => $key == $this->sort_order ? $this->sort_direction : null,
@@ -126,7 +121,7 @@ class GenericTable
 			'base_url' => $this->base_url,
 			'index_class' => $options['index_class'] ?? '',
 			'items_per_page' => $this->items_per_page,
-			'linkBuilder' => [$this, 'getLink'],
+			'linkBuilder' => [$this, 'getHeaderLink'],
 			'recordCount' => $this->recordCount,
 			'sort_direction' => $this->sort_direction,
 			'sort_order' => $this->sort_order,
@@ -134,7 +129,7 @@ class GenericTable
 		]);
 	}
 
-	public function getLink($start = null, $order = null, $dir = null)
+	public function getHeaderLink($start = null, $order = null, $dir = null)
 	{
 		if ($start === null)
 			$start = $this->start;
@@ -196,12 +191,18 @@ class GenericTable
 
 			foreach ($options['columns'] as $column)
 			{
-				// Process data for this particular cell.
+				// Process formatting
-				if (isset($column['parse']))
+				if (isset($column['format']) && is_callable($column['format']))
-					$value = self::processCell($column['parse'], $row);
+					$value = $column['format']($row);
+				elseif (isset($column['format']))
+					$value = self::processFormatting($column['format'], $row);
 				else
 					$value = $row[$column['value']];
 
+				// Turn value into a link?
+				if (!empty($column['link']))
+					$value = $this->processLink($column['link'], $value, $row);
+
 				// Append the cell to the row.
 				$newRow['cells'][] = [
 					'class' => $column['cell_class'] ?? '',
@@ -214,68 +215,47 @@ class GenericTable
 		}
 	}
 
-	private function processCell($options, $rowData)
+	private function processFormatting($options, $rowData)
 	{
-		if (!isset($options['type']))
+		if ($options['type'] === 'timestamp')
-			$options['type'] = 'value';
-
-		// Parse the basic value first.
-		switch ($options['type'])
 		{
-			// Basic option: simply take a use a particular data property.
+			if (empty($options['pattern']) || $options['pattern'] === 'long')
-			case 'value':
-				$value = htmlspecialchars($rowData[$options['data']]);
-				break;
-
-			// Processing via a lambda function.
-			case 'function':
-				$value = $options['data']($rowData);
-				break;
-
-			// Using sprintf to fill out a particular pattern.
-			case 'sprintf':
-				$parameters = [$options['data']['pattern']];
-				foreach ($options['data']['arguments'] as $identifier)
-					$parameters[] = $rowData[$identifier];
-
-				$value = sprintf(...$parameters);
-				break;
-
-			// Timestamps get custom treatment.
-			case 'timestamp':
-				if (empty($options['data']['pattern']) || $options['data']['pattern'] === 'long')
 				$pattern = 'Y-m-d H:i';
-				elseif ($options['data']['pattern'] === 'short')
+			elseif ($options['pattern'] === 'short')
 				$pattern = 'Y-m-d';
 			else
-					$pattern = $options['data']['pattern'];
+				$pattern = $options['pattern'];
 
-				if (!isset($rowData[$options['data']['timestamp']]))
+			assert(array_key_exists($options['value'], $rowData));
-					$timestamp = 0;
+			if (isset($rowData[$options['value']]) && !is_numeric($rowData[$options['value']]))
-				elseif (!is_numeric($rowData[$options['data']['timestamp']]))
+				$timestamp = strtotime($rowData[$options['value']]);
-					$timestamp = strtotime($rowData[$options['data']['timestamp']]);
 			else
-					$timestamp = (int) $rowData[$options['data']['timestamp']];
+				$timestamp = (int) $rowData[$options['value']];
 
-				if (isset($options['data']['if_null']) && $timestamp == 0)
+			if (isset($options['if_null']) && $timestamp == 0)
-					$value = $options['data']['if_null'];
+				$value = $options['if_null'];
 			else
 				$value = date($pattern, $timestamp);
-				break;
+
+			return $value;
+		}
+		else
+			throw ValueError('Unexpected formatter type: ' . $options['type']);
 	}
 
-		// Generate a link, if requested.
+	private function processLink($template, $value, array $rowData)
-		if (!empty($options['link']))
+	{
+		$href = $this->rowReplacements($template, $rowData);
+		return '<a href="' . $href . '">' . $value . '</a>';
+	}
+
+	private function rowReplacements($template, array $rowData)
 	{
-			// First, generate the replacement variables.
 		$keys = array_keys($rowData);
 		$values = array_values($rowData);
 		foreach ($keys as $keyKey => $keyValue)
 			$keys[$keyKey] = '{' . strtoupper($keyValue) . '}';
 
-			$value = '<a href="' . str_replace($keys, $values, $options['link']) . '">' . $value . '</a>';
+		return str_replace($keys, $values, $template);
-		}
-
-		return $value;
 	}
 }

models/Image.php

@@ -12,12 +12,6 @@ class Image extends Asset
 	const TYPE_LANDSCAPE = 2;
 	const TYPE_PORTRAIT = 4;
 
-	protected function __construct(array $data)
-	{
-		foreach ($data as $attribute => $value)
-			$this->$attribute = $value;
-	}
-
 	public static function fromId($id_asset, $return_format = 'object')
 	{
 		$asset = parent::fromId($id_asset, 'array');
@@ -171,7 +165,7 @@ class Image extends Asset
 
 		return Registry::get('db')->query('
 			DELETE FROM assets_thumbs
-			WHERE id_asset = {int:id_asset}',
+			WHERE id_asset = :id_asset',
 			['id_asset' => $this->id_asset]);
 	}
 
@@ -189,9 +183,9 @@ class Image extends Asset
 
 		return Registry::get('db')->query('
 			DELETE FROM assets_thumbs
-			WHERE id_asset = {int:id_asset} AND
+			WHERE id_asset = :id_asset AND
-				width = {int:width} AND
+				width = :width AND
-				height = {int:height}',
+				height = :height',
 			[
 				'height' => $height,
 				'id_asset' => $this->id_asset,

models/Member.php

@@ -8,7 +8,7 @@
 
 class Member extends User
 {
-	private function __construct($data)
+	private function __construct($data = [])
 	{
 		foreach ($data as $key => $value)
 			$this->$key = $value;
@@ -18,12 +18,21 @@ class Member extends User
 		$this->is_admin = $this->is_admin == 1;
 	}
 
+	public static function fromEmailAddress($email_address)
+	{
+		return Registry::get('db')->queryObject(static::class, '
+			SELECT *
+			FROM users
+			WHERE emailaddress = :email_address',
+			['email_address' => $email_address]);
+	}
+
 	public static function fromId($id_user)
 	{
 		$row = Registry::get('db')->queryAssoc('
 			SELECT *
 			FROM users
-			WHERE id_user = {int:id_user}',
+			WHERE id_user = :id_user',
 			[
 				'id_user' => $id_user,
 			]);
@@ -40,7 +49,7 @@ class Member extends User
 		$row = Registry::get('db')->queryAssoc('
 			SELECT *
 			FROM users
-			WHERE slug = {string:slug}',
+			WHERE slug = :slug',
 			[
 				'slug' => $slug,
 			]);
@@ -68,6 +77,7 @@ class Member extends User
 			'creation_time' => time(),
 			'ip_address' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
 			'is_admin' => empty($data['is_admin']) ? 0 : 1,
+			'reset_key' => '',
 		];
 
 		if ($error)
@@ -83,12 +93,13 @@ class Member extends User
 			'creation_time' => 'int',
 			'ip_address' => 'string-45',
 			'is_admin' => 'int',
+			'reset_key' => 'string-16'
 		], $new_user, ['id_user']);
 
 		if (!$bool)
 			return false;
 
-		$new_user['id_user'] = $db->insert_id();
+		$new_user['id_user'] = $db->insertId();
 		$member = new Member($new_user);
 
 		return $member;
@@ -116,14 +127,14 @@ class Member extends User
 		return Registry::get('db')->query('
 			UPDATE users
 			SET
-				first_name = {string:first_name},
+				first_name = :first_name,
-				surname = {string:surname},
+				surname = :surname,
-				slug = {string:slug},
+				slug = :slug,
-				emailaddress = {string:emailaddress},
+				emailaddress = :emailaddress,
-				password_hash = {string:password_hash},
+				password_hash = :password_hash,
-				is_admin = {int:is_admin}
+				is_admin = :is_admin
-			WHERE id_user = {int:id_user}',
+			WHERE id_user = :id_user',
-			$params);
+			get_object_vars($this));
 	}
 
 	/**
@@ -134,7 +145,7 @@ class Member extends User
 	{
 		return Registry::get('db')->query('
 			DELETE FROM users
-			WHERE id_user = {int:id_user}',
+			WHERE id_user = :id_user',
 			['id_user' => $this->id_user]);
 	}
 
@@ -149,7 +160,7 @@ class Member extends User
 		$res = Registry::get('db')->queryValue('
 			SELECT id_user
 			FROM users
-			WHERE emailaddress = {string:emailaddress}',
+			WHERE emailaddress = :emailaddress',
 			[
 				'emailaddress' => $emailaddress,
 			]);
@@ -165,9 +176,9 @@ class Member extends User
 		return Registry::get('db')->query('
 			UPDATE users
 			SET
-				last_action_time = {int:now},
+				last_action_time = :now,
-				ip_address = {string:ip}
+				ip_address = :ip
-			WHERE id_user = {int:id}',
+			WHERE id_user = :id',
 			[
 				'now' => time(),
 				'id' => $this->id_user,
@@ -187,6 +198,22 @@ class Member extends User
 			FROM users');
 	}
 
+	public static function getOffset($offset, $limit, $order, $direction)
+	{
+		assert(in_array($order, ['id_user', 'surname', 'first_name', 'slug', 'emailaddress', 'last_action_time', 'ip_address', 'is_admin']));
+		$order = $order . ($direction === 'up' ? ' ASC' : ' DESC');
+
+		return Registry::get('db')->queryAssocs('
+			SELECT *
+			FROM users
+			ORDER BY ' . $order . '
+			LIMIT :offset, :limit',
+			[
+				'offset' => $offset,
+				'limit' => $limit,
+			]);
+	}
+
 	public function getProps()
 	{
 		// We should probably phase out the use of this function, or refactor the access levels of member properties...
@@ -196,7 +223,7 @@ class Member extends User
 	public static function getMemberMap()
 	{
 		return Registry::get('db')->queryPair('
-			SELECT id_user, CONCAT(first_name, {string:blank}, surname) AS full_name
+			SELECT id_user, CONCAT(first_name, :blank, surname) AS full_name
 			FROM users
 			ORDER BY first_name, surname',
 			[

models/PhotoAlbum.php

@@ -1,76 +0,0 @@
-<?php
-/*****************************************************************************
- * PhotoAlbum.php
- * Contains key class PhotoAlbum.
- *
- * Kabuki CMS (C) 2013-2015, Aaron van Geffen
- *****************************************************************************/
-
-class PhotoAlbum extends Tag
-{
-	public static function getHierarchy($order, $direction)
-	{
-		$db = Registry::get('db');
-		$res = $db->query('
-			SELECT *
-			FROM tags
-			WHERE kind = {string:album}
-			ORDER BY id_parent, {raw:order}',
-			[
-				'order' => $order . ($direction == 'up' ? ' ASC' : ' DESC'),
-				'album' => 'Album',
-			]);
-
-		$albums_by_parent = [];
-		while ($row = $db->fetch_assoc($res))
-		{
-			if (!isset($albums_by_parent[$row['id_parent']]))
-				$albums_by_parent[$row['id_parent']] = [];
-
-			$albums_by_parent[$row['id_parent']][] = $row + ['children' => []];
-		}
-
-		$albums = self::getChildrenRecursively(0, 0, $albums_by_parent);
-		$rows = self::flattenChildrenRecursively($albums);
-
-		return $rows;
-	}
-
-	private static function getChildrenRecursively($id_parent, $level, &$albums_by_parent)
-	{
-		$children = [];
-		if (!isset($albums_by_parent[$id_parent]))
-			return $children;
-
-		foreach ($albums_by_parent[$id_parent] as $child)
-		{
-			if (isset($albums_by_parent[$child['id_tag']]))
-				$child['children'] = self::getChildrenRecursively($child['id_tag'], $level + 1, $albums_by_parent);
-
-			$child['tag'] = ($level ? str_repeat('—', $level * 2) . ' ' : '') . $child['tag'];
-			$children[] = $child;
-		}
-
-		return $children;
-	}
-
-	private static function flattenChildrenRecursively($albums)
-	{
-		if (empty($albums))
-			return [];
-
-		$rows = [];
-		foreach ($albums as $album)
-		{
-			$rows[] = array_intersect_key($album, array_flip(['id_tag', 'tag', 'slug', 'count']));
-			if (!empty($album['children']))
-			{
-				$children = self::flattenChildrenRecursively($album['children']);
-				foreach ($children as $child)
-					$rows[] = array_intersect_key($child, array_flip(['id_tag', 'tag', 'slug', 'count']));
-			}
-		}
-
-		return $rows;
-	}
-}

models/PhotoMosaic.php

@@ -8,11 +8,11 @@
 
 class PhotoMosaic
 {
-	private $descending;
+	private bool $descending;
 	private AssetIterator $iterator;
-	private $layouts;
+	private array $layouts;
-	private $processedImages = 0;
+	private int $processedImages = 0;
-	private $queue = [];
+	private array $queue = [];
 
 	const IMAGE_MASK_ALL = Image::TYPE_PORTRAIT | Image::TYPE_LANDSCAPE | Image::TYPE_PANORAMA;
 	const NUM_DAYS_CUTOFF = 7;
@@ -25,11 +25,6 @@ class PhotoMosaic
 		$this->descending = $iterator->isDescending();
 	}
 
-	public function __destruct()
-	{
-		$this->iterator->clean();
-	}
-
 	private function availableLayouts()
 	{
 		static $layouts = [
@@ -86,9 +81,14 @@ class PhotoMosaic
 			}
 		}
 
-		// Check whatever's next up!
+		// Check whatever's up next!
-		while (($asset = $this->iterator->next()) && ($image = $asset->getImage()))
+		// NB: not is not a `foreach` so as to not reset the iterator implicitly
+		while ($this->iterator->valid())
 		{
+			$asset = $this->iterator->current();
+			$image = $asset->getImage();
+			$this->iterator->next();
+
 			// Give up on the recordset once dates are too far apart
 			if (isset($refDate) && abs(self::daysApart($image->getDateCaptured(), $refDate)) > self::NUM_DAYS_CUTOFF)
 			{

models/Registry.php

@@ -24,7 +24,7 @@ class Registry
 	public static function get($key)
 	{
 		if (!isset(self::$storage[$key]))
-			trigger_error('Key does not exist in Registry: ' . $key, E_USER_ERROR);
+			throw new Exception('Key does not exist in Registry: ' . $key);
 
 		return self::$storage[$key];
 	}
@@ -32,7 +32,7 @@ class Registry
 	public static function remove($key)
 	{
 		if (!isset(self::$storage[$key]))
-			trigger_error('Key does not exist in Registry: ' . $key, E_USER_ERROR);
+			throw new Exception('Key does not exist in Registry: ' . $key);
 
 		unset(self::$storage[$key]);
 	}

models/Session.php

@@ -33,7 +33,7 @@ class Session
 	public static function getSessionToken()
 	{
 		if (empty($_SESSION['session_token']))
-			trigger_error('Call to getSessionToken without a session token being set!', E_USER_ERROR);
+			throw new Exception('Call to getSessionToken without a session token being set!');
 
 		return $_SESSION['session_token'];
 	}
@@ -41,7 +41,7 @@ class Session
 	public static function getSessionTokenKey()
 	{
 		if (empty($_SESSION['session_token_key']))
-			trigger_error('Call to getSessionTokenKey without a session token key being set!', E_USER_ERROR);
+			throw new Exception('Call to getSessionTokenKey without a session token key being set!');
 
 		return $_SESSION['session_token_key'];
 	}

models/Setting.php

@@ -21,7 +21,7 @@ class Setting
 			REPLACE INTO settings
 			(id_user, variable, value, time_set)
 			VALUES
-			({int:id_user}, {string:key}, {string:value}, CURRENT_TIMESTAMP())',
+			(:id_user, :key, :value, CURRENT_TIMESTAMP())',
 			[
 				'id_user' => $id_user,
 				'key' => $key,
@@ -45,7 +45,7 @@ class Setting
 		$value = Registry::get('db')->queryValue('
 			SELECT value
 			FROM settings
-			WHERE id_user = {int:id_user} AND variable = {string:key}',
+			WHERE id_user = :id_user AND variable = :key',
 			[
 				'id_user' => $id_user,
 				'key' => $key,
@@ -63,11 +63,30 @@ class Setting
 
 	public static function remove($key, $id_user = null)
 	{
+		// User setting or global setting?
+		if ($id_user === null)
+			$id_user = Registry::get('user')->getUserId();
+
+		$pairs = Registry::get('db')->queryPair('
+			SELECT variable, value
+			FROM settings
+			WHERE id_user = :id_user',
+			[
+				'id_user' => $id_user,
+			]);
+
+		return $pairs;
+	}
+
+	public static function remove($key, $id_user = 0)
+	{
+		// User setting or global setting?
+		if ($id_user === null)
 			$id_user = Registry::get('user')->getUserId();
 
 		if (Registry::get('db')->query('
 			DELETE FROM settings
-			WHERE id_user = {int:id_user} AND variable = {string:key}',
+			WHERE id_user = :id_user AND variable = :key',
 			[
 				'id_user' => $id_user,
 				'key' => $key,

models/Tag.php

@@ -24,6 +24,11 @@ class Tag
 			$this->$attribute = $value;
 	}
 
+	public function __toString()
+	{
+		return $this->tag;
+	}
+
 	public static function fromId($id_tag, $return_format = 'object')
 	{
 		$db = Registry::get('db');
@@ -31,7 +36,7 @@ class Tag
 		$row = $db->queryAssoc('
 			SELECT *
 			FROM tags
-			WHERE id_tag = {int:id_tag}',
+			WHERE id_tag = :id_tag',
 			[
 				'id_tag' => $id_tag,
 			]);
@@ -50,7 +55,7 @@ class Tag
 		$row = $db->queryAssoc('
 			SELECT *
 			FROM tags
-			WHERE slug = {string:slug}',
+			WHERE slug = :slug',
 			[
 				'slug' => $slug,
 			]);
@@ -68,7 +73,7 @@ class Tag
 			SELECT *
 			FROM tags
 			ORDER BY ' . ($limit > 0 ? 'count
-			LIMIT {int:limit}' : 'tag'),
+			LIMIT :limit' : 'tag'),
 			[
 				'limit' => $limit,
 			]);
@@ -102,14 +107,14 @@ class Tag
 		$res = $db->query('
 			SELECT *
 			FROM tags
-			WHERE id_user_owner = {int:id_user_owner}
+			WHERE id_user_owner = :id_user_owner
 			ORDER BY tag',
 			[
 				'id_user_owner' => $id_user_owner,
 			]);
 
 		$objects = [];
-		while ($row = $db->fetch_assoc($res))
+		while ($row = $db->fetchAssoc($res))
 			$objects[$row['id_tag']] = new Tag($row);
 
 		return $objects;
@@ -120,9 +125,9 @@ class Tag
 		$rows = Registry::get('db')->queryAssocs('
 			SELECT *
 			FROM tags
-			WHERE id_parent = {int:id_parent} AND kind = {string:kind}
+			WHERE id_parent = :id_parent AND kind = :kind
 			ORDER BY tag ASC
-			LIMIT {int:offset}, {int:limit}',
+			LIMIT :offset, :limit',
 			[
 				'id_parent' => $id_parent,
 				'kind' => 'Album',
@@ -148,7 +153,7 @@ class Tag
 			FROM assets_tags AS at
 			LEFT JOIN assets AS a ON at.id_asset = a.id_asset
 			LEFT JOIN users AS u ON a.id_user_uploaded = u.id_user
-			WHERE at.id_tag = {int:id_tag}
+			WHERE at.id_tag = :id_tag
 			GROUP BY a.id_user_uploaded
 			ORDER BY u.first_name, u.surname',
 			[
@@ -161,9 +166,9 @@ class Tag
 		$rows = Registry::get('db')->queryAssocs('
 			SELECT *
 			FROM tags
-			WHERE id_parent = {int:id_parent} AND kind = {string:kind}
+			WHERE id_parent = :id_parent AND kind = :kind
 			ORDER BY tag ASC
-			LIMIT {int:offset}, {int:limit}',
+			LIMIT :offset, :limit',
 			[
 				'id_parent' => $id_parent,
 				'kind' => 'Person',
@@ -190,7 +195,7 @@ class Tag
 			WHERE id_tag IN(
 				SELECT id_tag
 				FROM assets_tags
-				WHERE id_asset = {int:id_asset}
+				WHERE id_asset = :id_asset
 			)
 			ORDER BY count DESC',
 			[
@@ -220,7 +225,7 @@ class Tag
 			WHERE id_tag IN(
 				SELECT id_tag
 				FROM posts_tags
-				WHERE id_post = {int:id_post}
+				WHERE id_post = :id_post
 			)
 			ORDER BY count DESC',
 			[
@@ -250,7 +255,7 @@ class Tag
 				FROM `assets_tags` AS at
 				WHERE at.id_tag = t.id_tag
 			)' . (!empty($id_tags) ? '
-			WHERE t.id_tag IN({array_int:id_tags})' : ''),
+			WHERE t.id_tag IN(@id_tags)' : ''),
 			['id_tags' => $id_tags]);
 	}
 
@@ -271,14 +276,14 @@ class Tag
 			INSERT IGNORE INTO tags
 			(id_parent, tag, slug, kind, description, count)
 			VALUES
-			({int:id_parent}, {string:tag}, {string:slug}, {string:kind}, {string:description}, {int:count})
+			(:id_parent, :tag, :slug, :kind, :description, :count)
 			ON DUPLICATE KEY UPDATE count = count + 1',
 			$data);
 
 		if (!$res)
-			trigger_error('Could not create the requested tag.', E_USER_ERROR);
+			throw new Exception('Could not create the requested tag.');
 
-		$data['id_tag'] = $db->insert_id();
+		$data['id_tag'] = $db->insertId();
 		return $return_format === 'object' ? new Tag($data) : $data;
 	}
 
@@ -292,14 +297,15 @@ class Tag
 		return Registry::get('db')->query('
 			UPDATE tags
 			SET
-				id_parent = {int:id_parent},
+				id_parent = :id_parent,
-				id_asset_thumb = {int:id_asset_thumb},' . (isset($this->id_user_owner) ? '
+				id_asset_thumb = :id_asset_thumb,' . (isset($this->id_user_owner) ? '
-				id_user_owner = {int:id_user_owner},' : '') . '
+				id_user_owner = :id_user_owner,' : '') . '
-				tag = {string:tag},
+				tag = :tag,
-				slug = {string:slug},
+				slug = :slug,
-				description = {string:description},
+				kind = :kind,
-				count = {int:count}
+				description = :description,
-			WHERE id_tag = {int:id_tag}',
+				count = :count
+			WHERE id_tag = :id_tag',
 			get_object_vars($this));
 	}
 
@@ -307,9 +313,10 @@ class Tag
 	{
 		$db = Registry::get('db');
 
+		// Unlink any tagged assets
 		$res = $db->query('
 			DELETE FROM assets_tags
-			WHERE id_tag = {int:id_tag}',
+			WHERE id_tag = :id_tag',
 			[
 				'id_tag' => $this->id_tag,
 			]);
@@ -317,9 +324,10 @@ class Tag
 		if (!$res)
 			return false;
 
+		// Delete the actual tag
 		return $db->query('
 			DELETE FROM tags
-			WHERE id_tag = {int:id_tag}',
+			WHERE id_tag = :id_tag',
 			[
 				'id_tag' => $this->id_tag,
 			]);
@@ -331,15 +339,15 @@ class Tag
 		$new_id = $db->queryValue('
 			SELECT MAX(id_asset) as new_id
 			FROM assets_tags
-			WHERE id_tag = {int:id_tag}',
+			WHERE id_tag = :id_tag',
 			[
 				'id_tag' => $this->id_tag,
 			]);
 
 		return $db->query('
 			UPDATE tags
-			SET id_asset_thumb = {int:new_id}
+			SET id_asset_thumb = :new_id
-			WHERE id_tag = {int:id_tag}',
+			WHERE id_tag = :id_tag',
 			[
 				'new_id' => $new_id ?? 0,
 				'id_tag' => $this->id_tag,
@@ -354,7 +362,7 @@ class Tag
 		return Registry::get('db')->queryPair('
 			SELECT id_tag, tag
 			FROM tags
-			WHERE LOWER(tag) LIKE {string:tokens}
+			WHERE LOWER(tag) LIKE :tokens
 			ORDER BY tag ASC',
 			['tokens' => '%' . strtolower(implode('%', $tokens)) . '%']);
 	}
@@ -384,7 +392,7 @@ class Tag
 		return Registry::get('db')->queryPair('
 			SELECT id_tag, tag
 			FROM tags
-			WHERE tag = {string:tag}',
+			WHERE tag = :tag',
 			['tag' => $tag]);
 	}
 
@@ -396,7 +404,7 @@ class Tag
 		return Registry::get('db')->queryValue('
 			SELECT id_tag
 			FROM tags
-			WHERE slug = {string:slug}',
+			WHERE slug = :slug',
 			['slug' => $slug]);
 	}
 
@@ -405,31 +413,103 @@ class Tag
 		return Registry::get('db')->queryPair('
 			SELECT tag, id_tag
 			FROM tags
-			WHERE tag IN ({array_string:tags})',
+			WHERE tag IN (:tags)',
 			['tags' => $tags]);
 	}
 
-	public static function getCount($only_active = 1, $kind = '')
+	public static function getCount($only_used = true, $kind = '', $isAlbum = false)
 	{
 		$where = [];
-		if ($only_active)
+		if ($only_used)
 			$where[] = 'count > 0';
-		if (!empty($kind))
+		if (empty($kind))
-			$where[] = 'kind = {string:kind}';
+			$kind = 'Album';
 
-		if (!empty($where))
+		$operator = $isAlbum ? '=' : '!=';
-			$where = 'WHERE ' . implode(' AND ', $where);
+		$where[] = 'kind ' . $operator . ' :kind';
-		else
+		$where = implode(' AND ', $where);
-			$where = '';
 
 		return Registry::get('db')->queryValue('
 			SELECT COUNT(*)
-			FROM tags ' . $where,
+			FROM tags
-			['kind' => $kind]);
+			WHERE ' . $where,
+			[
+				'kind' => $kind,
+			]);
 	}
 
-	public function __toString()
+	public static function getOffset($offset, $limit, $order, $direction, $isAlbum = false)
 	{
-		return $this->tag;
+		assert(in_array($order, ['id_tag', 'tag', 'slug', 'count']));
+		$order = $order . ($direction === 'up' ? ' ASC' : ' DESC');
+
+		$operator = $isAlbum ? '=' : '!=';
+
+		$db = Registry::get('db');
+		$res = $db->query('
+			SELECT t.*, u.id_user, u.first_name, u.surname
+			FROM tags AS t
+			LEFT JOIN users AS u ON t.id_user_owner = u.id_user
+			WHERE kind ' . $operator . ' :album
+			ORDER BY id_parent, ' . $order . '
+			LIMIT :offset, :limit',
+			[
+				'offset' => $offset,
+				'limit' => $limit,
+				'album' => 'Album',
+			]);
+
+		$albums_by_parent = [];
+		while ($row = $db->fetchAssoc($res))
+		{
+			if (!isset($albums_by_parent[$row['id_parent']]))
+				$albums_by_parent[$row['id_parent']] = [];
+
+			$albums_by_parent[$row['id_parent']][] = $row + ['children' => []];
+		}
+
+		$albums = self::getChildrenRecursively(0, 0, $albums_by_parent);
+		$rows = self::flattenChildrenRecursively($albums);
+
+		return $rows;
+	}
+
+	private static function getChildrenRecursively($id_parent, $level, &$albums_by_parent)
+	{
+		$children = [];
+		if (!isset($albums_by_parent[$id_parent]))
+			return $children;
+
+		foreach ($albums_by_parent[$id_parent] as $child)
+		{
+			if (isset($albums_by_parent[$child['id_tag']]))
+				$child['children'] = self::getChildrenRecursively($child['id_tag'], $level + 1, $albums_by_parent);
+
+			$child['tag'] = ($level ? str_repeat('—', $level * 2) . ' ' : '') . $child['tag'];
+			$children[] = $child;
+		}
+
+		return $children;
+	}
+
+	private static function flattenChildrenRecursively($albums)
+	{
+		if (empty($albums))
+			return [];
+
+		$rows = [];
+		foreach ($albums as $album)
+		{
+			static $headers_to_keep = ['id_tag', 'tag', 'slug', 'count', 'id_user', 'first_name', 'surname'];
+			$rows[] = array_intersect_key($album, array_flip($headers_to_keep));
+			if (!empty($album['children']))
+			{
+				$children = self::flattenChildrenRecursively($album['children']);
+				foreach ($children as $child)
+					$rows[] = array_intersect_key($child, array_flip($headers_to_keep));
+			}
+		}
+
+		return $rows;
 	}
 }

models/Thumbnail.php

@@ -335,7 +335,7 @@ class Thumbnail
 		if ($success)
 		{
 			$thumb_selector = $this->width . 'x' . $this->height . $this->filename_suffix;
-			$this->thumbnails[$thumb_selector] = $filename !== 'NULL' ? $filename : null;
+			$this->thumbnails[$thumb_selector] = $filename ?? null;
 
 			// For consistency, write new thumbnail filename to parent Image object.
 			// TODO: there could still be an inconsistency if multiple objects exists for the same image asset.
@@ -349,7 +349,7 @@ class Thumbnail
 
 	private function markAsQueued()
 	{
-		$this->updateDb('NULL');
+		$this->updateDb(null);
 	}
 
 	private function markAsGenerated($filename)

models/User.php

@@ -23,6 +23,7 @@ abstract class User
 	protected $ip_address;
 	protected $is_admin;
 	protected $reset_key;
+	protected $reset_blocked_until;
 
 	protected bool $is_logged;
 	protected bool $is_guest;

public/css/default.css

@@ -366,8 +366,8 @@ div.polaroid a {
 /* Album button box
 ---------------------*/
 .album_button_box {
-	float: right;
 	display: flex;
+	justify-content: flex-end;
 	margin-bottom: 3rem;
 }
 .album_button_box > a,

templates/AlbumButtonBox.php

@@ -22,7 +22,7 @@ class AlbumButtonBox extends Template
 	public function html_main()
 	{
 		echo '
-			<div class="album_button_box">';
+			<div class="container album_button_box">';
 
 		foreach ($this->buttons as $button)
 			echo '

templates/ErrorPage.php

@@ -0,0 +1,41 @@
+<?php
+/*****************************************************************************
+ * ErrorPage.php
+ * Defines the template class ErrorPage.
+ *
+ * Kabuki CMS (C) 2013-2025, Aaron van Geffen
+ *****************************************************************************/
+
+class ErrorPage extends Template
+{
+	private $debug_info;
+	private $message;
+	private $title;
+
+	public function __construct($title, $message, $debug_info = null)
+	{
+		$this->title = $title;
+		$this->message = $message;
+		$this->debug_info = $debug_info;
+	}
+
+	public function html_main()
+	{
+		echo '
+				<div class="content-box container">
+					<h2>', $this->title, '</h2>
+					<p>', nl2br(htmlspecialchars($this->message)), '</p>';
+
+		if (isset($this->debug_info))
+		{
+			echo '
+				</div>
+				<div class="content-box container">
+					<h4>Debug Info</h4>
+					<pre>', htmlspecialchars($this->debug_info), '</pre>';
+		}
+
+		echo '
+				</div>';
+	}
+}

templates/FeaturedThumbnailManager.php

@@ -8,12 +8,12 @@
 
 class FeaturedThumbnailManager extends SubTemplate
 {
-	private $assets;
+	private $iterator;
 	private $currentThumbnailId;
 
-	public function __construct(AssetIterator $assets, $currentThumbnailId)
+	public function __construct(AssetIterator $iterator, $currentThumbnailId)
 	{
-		$this->assets = $assets;
+		$this->iterator = $iterator;
 		$this->currentThumbnailId = $currentThumbnailId;
 	}
 
@@ -25,7 +25,7 @@ class FeaturedThumbnailManager extends SubTemplate
 			<h2>Select thumbnail</h2>
 			<ul id="featuredThumbnail">';
 
-		while ($asset = $this->assets->next())
+		foreach ($this->iterator as $asset)
 		{
 			$image = $asset->getImage();
 			echo '
@@ -36,8 +36,6 @@ class FeaturedThumbnailManager extends SubTemplate
 				</li>';
 		}
 
-		$this->assets->clean();
-
 		echo '
 				</ul>
 				<input type="hidden" name="', Session::getSessionTokenKey(), '" value="', Session::getSessionToken(), '">

templates/MainNavBar.php

@@ -33,7 +33,7 @@ class MainNavBar extends NavBar
 					<span class="navbar-toggler-icon"></span>
 				</button>';
 
-		if (Registry::get('user')->isLoggedIn())
+		if (Registry::has('user') && Registry::get('user')->isLoggedIn())
 		{
 			echo '
 				<div class="collapse navbar-collapse justify-content-end" id="', $this->innerMenuId, '">

templates/PhotoPage.php

@@ -174,8 +174,11 @@ class PhotoPage extends Template
 		echo '
 					</ul>';
 
+		if ($allowLinkingNewTags)
+		{
 			$this->printNewTagScript($tagKind, $tagListId, $newTagId);
 		}
+	}
 
 	private function printNewTagScript($tagKind, $tagListId, $newTagId)
 	{

templates/TabularData.php

@@ -8,7 +8,7 @@
 
 class TabularData extends SubTemplate
 {
-	private GenericTable $_t;
+	protected GenericTable $_t;
 
 	public function __construct(GenericTable $table)
 	{
@@ -16,6 +16,47 @@ class TabularData extends SubTemplate
 	}
 
 	protected function html_content()
+	{
+		$this->renderTitle();
+
+		foreach ($this->_subtemplates as $template)
+			$template->html_main();
+
+		// Showing an inline form?
+		$pager = $this->_t->getPageIndex();
+		if (!empty($pager) || isset($this->_t->form_above))
+			$this->renderPaginationForm($pager, $this->_t->form_above);
+
+		$tableClass = $this->_t->getTableClass();
+		if ($tableClass)
+			echo '
+			<div class="', $tableClass, '">';
+
+		// Build the table!
+		echo '
+				<table class="table table-striped table-condensed">';
+
+		$this->renderTableHead($this->_t->getHeader());
+		$this->renderTableBody($this->_t->getBody());
+
+		echo '
+				</table>';
+
+		if ($tableClass)
+			echo '
+			</div>';
+
+		// Showing an inline form?
+		if (!empty($pager) || isset($this->_t->form_below))
+			$this->renderPaginationForm($pager, $this->_t->form_below);
+
+		$title = $this->_t->getTitle();
+		if (!empty($title))
+			echo '
+			</div>';
+	}
+
+	protected function renderTitle()
 	{
 		$title = $this->_t->getTitle();
 		if (!empty($title))
@@ -25,43 +66,32 @@ class TabularData extends SubTemplate
 			<div class="generic-table', !empty($titleclass) ? ' ' . $titleclass : '', '">
 				<h1>', htmlspecialchars($title), '</h1>';
 		}
+	}
 
-		foreach ($this->_subtemplates as $template)
+	protected function renderPaginationForm($pager, $form, $class='row')
-			$template->html_main();
-
-		// Showing an inline form?
-		$pager = $this->_t->getPageIndex();
-		if (!empty($pager) || isset($this->_t->form_above))
 	{
 		echo '
-				<div class="row clearfix justify-content-end">';
+			<div class="', $class, ' clearfix justify-content-end">';
 
 		// Page index?
 		if (!empty($pager))
 			PageIndexWidget::paginate($pager);
 
 		// Form controls?
-			if (isset($this->_t->form_above))
+		if (isset($form))
-				$this->showForm($this->_t->form_above);
+			$this->renderInlineForm($form);
 
 		echo '
 			</div>';
 	}
 
-		$tableClass = $this->_t->getTableClass();
+	protected function renderTableHead(array $headers)
-		if ($tableClass)
+	{
 		echo '
-			<div class="', $tableClass, '">';
-
-		// Build the table!
-		echo '
-				<table class="table table-striped table-condensed">
 					<thead>
 						<tr>';
 
-		// Show all headers in their full glory!
+		foreach ($headers as $th)
-		$header = $this->_t->getHeader();
-		foreach ($header as $th)
 		{
 			echo '
 							<th', (!empty($th['width']) ? ' width="' . $th['width'] . '"' : ''), (!empty($th['class']) ? ' class="' . $th['class'] . '"' : ''), ($th['colspan'] > 1 ? ' colspan="' . $th['colspan'] . '"' : ''), ' scope="', $th['scope'], '">',
@@ -75,11 +105,14 @@ class TabularData extends SubTemplate
 
 		echo '
 						</tr>
-					</thead>
+					</thead>';
+	}
+
+	protected function renderTableBody($body)
+	{
+		echo '
 					<tbody>';
 
-		// The body is what we came to see!
-		$body = $this->_t->getBody();
 		if (is_array($body))
 		{
 			foreach ($body as $tr)
@@ -90,59 +123,31 @@ class TabularData extends SubTemplate
 				foreach ($tr['cells'] as $td)
 				{
 					echo '
-							<td', (!empty($td['width']) ? ' width="' . $td['width'] . '"' : ''), '>';
+							<td',
-
+								(!empty($td['class']) ? ' class="' . $td['class'] . '"' : ''),
-					if (!empty($td['class']))
+								(!empty($td['width']) ? ' width="' . $td['width'] . '"' : ''), '>',
-						echo '<span class="', $td['class'], '">', $td['value'], '</span>';
+								$td['value'],
-					else
+							'</td>';
-						echo $td['value'];
-
-					echo '</td>';
 				}
 
 				echo '
 						</tr>';
 			}
 		}
-		// !!! Sum colspan!
 		else
+		{
+			$header = $this->_t->getHeader();
 			echo '
 						<tr>
 							<td colspan="', count($header), '" class="fullwidth">', $body, '</td>
 						</tr>';
-
-		echo '
-					</tbody>
-				</table>';
-
-		if ($tableClass)
-			echo '
-			</div>';
-
-		// Showing an inline form?
-		if (!empty($pager) || isset($this->_t->form_below))
-		{
-			echo '
-				<div class="row clearfix justify-content-end">';
-
-			// Page index?
-			if (!empty($pager))
-				PageIndexWidget::paginate($pager);
-
-			// Form controls?
-			if (isset($this->_t->form_below))
-				$this->showForm($this->_t->form_below);
-
-			echo '
-				</div>';
 		}
 
-		if (!empty($title))
 		echo '
-			</div>';
+					</tbody>';
 	}
 
-	protected function showForm($form)
+	protected function renderInlineForm($form)
 	{
 		if (!isset($form['is_embed']))
 			echo '