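function mystery_log_violation($code, $message = '')
{
    // Records a serious security violation (spoofed user/file/action/table,
    // illegal query, virus upload, ...) to the <prefix>security_log table and
    // the security_log file, then renders an "Access Denied" page.
    //
    // $code    one of the colour codes in $types below; an unknown code is
    //          logged as 'Unknown Violation' instead of raising a notice
    // $message optional free-text detail appended to the exception type
    //
    // NOTE(review): the stored context is a full print_r() dump of $_SERVER,
    // $_SESSION and $_REQUEST. That includes cookies, the session id and any
    // password/token fields in the request, so the security log (file and
    // table) must be protected like credential data.
    global $_MYSTERY;
    $types = array(
        'Red'    => 'Spoofed User',
        'Orange' => 'Spoofed File',
        'Yellow' => 'Spoofed Action',
        'Green'  => 'Illegal Query',
        'Blue'   => 'Virus Upload',
        'Purple' => 'Spoofed Table',
        'Brown'  => 'Illegal Many To Many Addition',
    );
    $type_name = isset($types[$code]) ? $types[$code] : 'Unknown Violation';
    // Capture the print_r() output of the request context into a string
    ob_start();
    echo "SERVER: ";
    print_r($_SERVER);
    echo "SESSION: ";
    print_r($_SESSION);
    echo "REQUEST: ";
    print_r($_REQUEST);
    $context = ob_get_contents();
    ob_end_clean();
    $table = $_MYSTERY['table_prefix'] . 'security_log';
    $data = array();
    $data['exception_type'] = $type_name . ' - ' . $message;
    $data['exception_code'] = $code;
    // A violation can be raised before login or outside an 'action' request,
    // so these keys may be absent; default to '' rather than emitting notices
    // that would themselves be routed through the error handler.
    $data['user_id'] = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : '';
    $data['user_ip_address'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $data['user_action'] = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    // 24-hour clock ('H'); the previous 'h' produced ambiguous 12-hour timestamps
    $data['user_time'] = date('Y-m-d H:i:s');
    $data['user_request'] = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    $data['user_variables'] = $context;
    mystery_insert_query($table, $data, 'record_id');
    // Build the file-log entry: one "Key Name: value" line per field.
    // foreach replaces the each()/list() loop, which PHP 8 removed.
    $error_parts = array();
    foreach ($data as $key => $value) {
        $error_parts[] = ucwords(str_replace('_', ' ', $key)) . ': ' . $value;
    }
    $error_string = implode("\n", $error_parts) . "\n\n";
    mystery_log_error_to_file('security_log', $error_string);
    // Delay the response to slow down repeated attempts. This only throttles
    // one sequential client; parallel requests are not rate limited by it.
    sleep(2);
    mystery_header();
    echo '
	<h1>Access Denied</h1>

	<p>Sorry, but the account you are logged in as cannot perform the requested action. (<em>Code: ', htmlspecialchars($code, ENT_QUOTES, 'UTF-8'), '</em>)</p>
	';
    mystery_display_admin_contact_info();
    if ($code == 'Blue') {
        // Scanner feedback normally echoes the uploaded file name, which the
        // user chose, so escape it before placing it in the page.
        echo '<p>The file you tried to upload is infected with a <strong>virus</strong>.
		Please <strong>disinfect the file</strong> and try again.</p>
		<p><code>', htmlspecialchars($_MYSTERY['virus_feedback'], ENT_QUOTES, 'UTF-8'), '</code></p>';
    }
    mystery_footer();
}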
function mystery_session_write($id, $mystery_session_data)
{
    // Session save-handler "write" callback: persists the serialized session
    // payload for session key $id in the <prefix>sessions table.
    //
    // The row is replaced by a DELETE followed by an INSERT rather than an
    // UPDATE, so session_timestamp always reflects the most recent write.
    // NOTE(review): the two statements are not wrapped in a transaction here;
    // whether concurrent writes for the same id can interleave depends on the
    // query helpers — confirm if that matters.
    //
    // Always returns true, as the session extension expects from a write handler.
    global $_MYSTERY;
    $sessions_table = $_MYSTERY['table_prefix'] . 'sessions';

    // Drop any existing row for this session key
    mystery_delete_query(
        'DELETE FROM ' . $sessions_table . ' WHERE session_key = ?',
        array($id)
    );

    // Insert the fresh payload
    $row = array(
        'session_key'       => $id,
        'session_timestamp' => date('YmdHis'),
        'session_data'      => $mystery_session_data,
    );
    mystery_insert_query($sessions_table, $row, 'session_id');

    return true;
}
 // Comment add/edit/delete handler for a DIY activity page. $diy_id and
 // $_PORTAL are set by the enclosing script, which is not visible here.
 if ($diy_id == '') {
     mystery_redirect('/course/');
 }
 // A 'process' URL parameter selects the write path. NOTE(review): no CSRF
 // token or request-method check is visible in this fragment, so a crafted
 // link could delete or overwrite the logged-in member's comment — confirm
 // the framework performs that check elsewhere.
 if (isset($_PORTAL['params']['process'])) {
     // A member has at most one comment per activity: the existing row is
     // always removed first and re-inserted unless the delete box was ticked.
     // comment_author is bound from the session, so a member can only touch
     // their own row. presumably $_SESSION['portal']['member_id'] is
     // guaranteed by an earlier login check; if it is absent the DELETE binds
     // NULL and matches nothing — verify against the caller.
     $query = 'DELETE FROM portal_comments_ratings WHERE comment_diy_identifier = ? AND comment_author = ?';
     $params = array($diy_id, $_SESSION['portal']['member_id']);
     $status = mystery_delete_query($query, $params, 'portal_dbh');
     if (!isset($_REQUEST['comment_delete'])) {
         // Title and body are stored exactly as submitted; they must be
         // escaped at render time (assumed to happen in the display helpers
         // below — TODO confirm).
         $data = array();
         $data['comment_author'] = $_SESSION['portal']['member_id'];
         $data['comment_diy_identifier'] = $diy_id;
         $data['comment_title'] = $_REQUEST['comment_title'];
         $data['comment_body'] = $_REQUEST['comment_body'];
         //$data['comment_rating'] = $_REQUEST['comment_rating'];
         $data['creation_date'] = date('Y-m-d H:i:s');
         $comment_id = mystery_insert_query('portal_comments_ratings', $data, 'comment_id', 'portal_dbh');
         echo '<p style="color: #009900;"><em>Comment saved!</em></p>';
     } else {
         echo '<p style="color: #009900;"><em>Comment deleted!</em></p>';
     }
 }
 // Page data: activity details, all comments, the average rating and the
 // current member's own comment(s); used by the rendering code that follows.
 $activity_info = portal_get_activity_info_from_diy_id($diy_id);
 $page_title = $activity_info['activity_name'] . ' by ' . $activity_info['activity_author'];
 $comments = portal_get_activity_comments($diy_id);
 $average_rating = portal_lookup_activity_rating($diy_id);
 $my_comments = portal_get_member_activity_comments($diy_id, $_SESSION['portal']['member_id']);
 if (count($my_comments) > 0) {
     $add_edit_word = 'Edit';
     $delete_checkbox = '<input type="checkbox" name="comment_delete" id="comment-delete" value="yes"> Delete this comment?';
 } else {
     $add_edit_word = 'Add';
if (isset($_PORTAL['params']['process'])) {
    $data = array();
    $data['class_name'] = $_REQUEST['class_name'];
    $data['class_teacher'] = $_SESSION['portal']['member_id'];
    //mystery_print_r($_REQUEST, $_PORTAL, $data); exit;
    // check the class word
    $class_word_in_use = 'no';
    $class_using_word = portal_check_class_word($_REQUEST['class_word']);
    if ($class_using_word != $id_param && $class_using_word != false) {
        $class_word_in_use = 'yes';
    }
    if ($_REQUEST['class_word'] != '' && $class_word_in_use == 'no') {
        if ($_PORTAL['activity'] == 'add' || $_PORTAL['activity'] == 'copy') {
            $data['creation_date'] = date('Y-m-d H:i:s');
            $data['class_uuid'] = portal_generate_uuid();
            $class_id = mystery_insert_query('portal_classes', $data, 'class_id', 'portal_dbh');
            $class_info['activities'] = array();
            $class_info['diy_activities'] = array();
        } else {
            $class_id = $id_param;
            $status = mystery_update_query('portal_classes', $data, 'class_id', $class_id, 'portal_dbh');
        }
        // update class word with the actual class word
        portal_set_class_word($class_id, $_REQUEST['class_word']);
        // add the standard activities here
        $new_activities = @$_REQUEST['activities'];
        if ($new_activities == '') {
            $new_activities = array();
        }
        $old_activities = @$class_info['activities'];
        if ($old_activities == '') {
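function mystery_error_handler($type, $message, $file, $line, $context = null)
{
    // Replacement for PHP's built-in error handler (installed via
    // set_error_handler). Every reportable error is written to the error_log
    // file and the <prefix>error_log table; administrators see the details
    // inline, everyone else gets a generic page for E_USER_ERROR.
    //
    // $type    one of the E_* constants
    // $message error text (may contain user-supplied data such as file names)
    // $file    path of the file that raised the error
    // $line    line number within $file
    // $context optional and unused; PHP 8 no longer passes a 5th argument, so
    //          without a default the handler itself would fail with
    //          ArgumentCountError
    //
    // Returns true so PHP's default handler does not run as well; otherwise,
    // with display_errors on, the default handler would print the file path
    // and message to every visitor, not just administrators.
    global $_MYSTERY;
    // Skip levels excluded by the current error_reporting() mask. This also
    // honours the @ operator on every PHP version: before PHP 8 it set the
    // mask to 0, since PHP 8 it masks all but fatal levels, so a plain
    // "== 0" test no longer detects it.
    if (!(error_reporting() & $type)) {
        return true;
    }
    $nice_types = array(
        E_NOTICE       => 'PHP Notice',
        E_USER_NOTICE  => 'Application Notice',
        E_WARNING      => 'PHP Warning',
        E_USER_WARNING => 'Application Warning',
        E_USER_ERROR   => 'Application Fatal Error',
    );
    if (defined('E_STRICT')) {
        $nice_types[E_STRICT] = 'PHP Code Needs Update';
    }
    if (defined('E_RECOVERABLE_ERROR')) {
        $nice_types[E_RECOVERABLE_ERROR] = 'Recoverable Application Error';
    }
    // Levels not listed above (E_DEPRECATED, E_USER_DEPRECATED, ...) would
    // otherwise raise an undefined-index notice from inside the handler.
    $type_name = isset($nice_types[$type]) ? $nice_types[$type] : 'PHP Error (' . $type . ')';
    // 24-hour clock ('H'); 'h' gives ambiguous 12-hour timestamps in the log
    $now = date('Y-m-d H:i:s');
    $error_parts = array(
        'Date: ' . $now,
        'Type: ' . $type_name,
        'Message: ' . $message,
        'File: ' . $file,
        'Line: ' . $line,
    );
    $error_string = implode("\n", $error_parts) . "\n\n";
    // E_STRICT is deliberately kept out of both the file and the table
    $should_log = !defined('E_STRICT') || $type != E_STRICT;
    if ($should_log) {
        mystery_log_error_to_file('error_log', $error_string);
        $table = $_MYSTERY['table_prefix'] . 'error_log';
        $data = array();
        $data['error_type'] = $type_name;
        $data['error_message'] = $message;
        $data['error_file'] = $file;
        $data['error_line'] = $line;
        $data['error_date'] = $now;
        mystery_insert_query($table, $data, 'error_id');
    }
    $is_admin = isset($_SESSION['is_administrator']) && $_SESSION['is_administrator'] == 'yes';
    // Escape before nl2br(): the message can carry untrusted text, which
    // would otherwise be rendered as HTML in the administrator's browser.
    $html_details = nl2br(htmlspecialchars($error_string, ENT_QUOTES, 'UTF-8'));
    switch ($type) {
        case E_NOTICE:
        case E_USER_NOTICE:
            if ($is_admin) {
                echo '<p style="background-color: #CEFFB5;">Notice: ', $html_details, '</p>';
            }
            break;
        case E_WARNING:
        case E_USER_WARNING:
            if ($is_admin) {
                echo '<p style="background-color: #FCFFB5;">Warning: ', $html_details, '</p>';
            }
            break;
        case E_USER_ERROR:
            if ($is_admin) {
                // $context (the variable scope at the error) is intentionally
                // not printed; it is far too verbose for an inline notice.
                echo '<p style="background-color: #FFB5B5;">Fatal Error: ', $html_details, '</p>';
            } else {
                // Non-administrators never see file paths or messages
                echo '
				<h1>An Unexpected Error Occurred</h1>
				<p>We regret that an unexpected error has occurred.  The error has been logged
				and the administrator of the system will look into it as soon as possible.</p>
				';
                mystery_display_admin_contact_info();
            }
            exit;
    }
    return true;
}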
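function portal_subscribe_class_to_diy_activities($class_id, $old_activities, $new_activities)
{
    // Synchronises a class's DIY activity subscriptions for the current
    // project: rows for ids in $old_activities but not in $new_activities are
    // deleted, rows for ids only in $new_activities are inserted, ids present
    // in both are left untouched.
    //
    // $class_id       id of the portal_classes row
    // $old_activities array of diy_activity_id values currently subscribed
    // $new_activities array of diy_activity_id values that should be subscribed.
    //                 Callers pass this straight from $_REQUEST, so it is
    //                 untrusted and must never be concatenated into SQL.
    //
    // NOTE(review): nothing here verifies that $class_id belongs to the
    // requesting teacher; that check is assumed to happen in the caller.
    global $_PORTAL;
    $project_id = $_PORTAL['project_info']['project_id'];
    $to_add = array_values(array_diff($new_activities, $old_activities));
    $to_delete = array_values(array_diff($old_activities, $new_activities));
    // first delete the old ones, binding every id as a parameter instead of
    // interpolating the request-derived list into the IN (...) clause
    // (assumes the helper binds positional ? placeholders, as every other
    // caller in this file relies on)
    if (count($to_delete) > 0) {
        $placeholders = implode(',', array_fill(0, count($to_delete), '?'));
        $query = 'DELETE FROM portal_class_diy_activities WHERE class_id = ? AND project_id = ? AND diy_activity_id IN (' . $placeholders . ')';
        $params = array_merge(array($class_id, $project_id), $to_delete);
        mystery_delete_query($query, $params, 'portal_dbh');
    }
    // now add the new ones, one row per activity
    foreach ($to_add as $activity_id) {
        $data = array(
            'class_id'        => $class_id,
            'diy_activity_id' => $activity_id,
            'project_id'      => $project_id,
        );
        mystery_insert_query('portal_class_diy_activities', $data, 'class_diy_activity_id', 'portal_dbh');
    }
}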
        break;
        // STEP 4 - Ad a member for the teacher
    // STEP 4 - Ad a member for the teacher
    case 'info':
        if (!isset($_REQUEST['school_id'])) {
            $data = array();
            $data['school_name'] = $_REQUEST['school_name'];
            $data['school_district'] = $_REQUEST['district_id'];
            $data['school_department'] = $_REQUEST['school_department'];
            $data['school_address_1'] = $_REQUEST['school_address_1'];
            $data['school_address_2'] = $_REQUEST['school_address_2'];
            $data['school_city'] = $_REQUEST['school_city'];
            $data['school_state'] = $_REQUEST['school_state'];
            $data['school_zip'] = $_REQUEST['school_zip'];
            $data['school_country'] = $_REQUEST['school_country'];
            $_REQUEST['school_id'] = mystery_insert_query('portal_schools', $data, 'school_id', 'portal_dbh');
            $_SESSION['school_created'] = 'yes';
        }
        // show the teacher info form
        echo '
		<form action="/signup/teacher/process/" method="post">
		
		<h1>Teacher Registration — Step 4 — Your Info</h1>
		
		<p><strong>First Name</strong> <br><input type="text" name="first_name" id="first-name" value="" size="35"></p>
	
		<p><strong>Last Name</strong> <br><input type="text" name="last_name" id="last-name" value="" size="35"></p>
		
		<p><strong>Email</strong> <br><input type="text" name="email" id="email" value="" size="35"></p>
	
		<p><strong>Password</strong> <br><input type="text" name="password" id="password" value="" size="35"> <span class="form-field-info"><strong>Warning:</strong> this field will display your password<br><strong>Note:</strong> your password must be between 4 and 40 characters long</span></p>
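function mystery_auth($username, $password)
{
    // General wrapper for Mystery authentication.
    //
    // Tries mystery_internal_auth() first; if that yields no user it loads
    // custom/authentication.php and walks $_MYSTERY['external_auth_functions']
    // until one returns a non-empty user array.
    //
    // On success: regenerates the session id (so a session id planted before
    // login does not survive authentication), stores the user's name and
    // email in $_SESSION, looks the user up in <prefix>users by username or
    // email (creating the row plus default group memberships if absent),
    // loads the user's group ids, sets is_administrator for group 1, marks
    // the session logged in and returns true.
    //
    // On failure returns false. A user who is already logged in is not
    // re-authenticated: the function returns true immediately.
    //
    // $username  login name as typed by the user; it is also what gets
    //            stored in $_SESSION['user_username'] and used for the lookup
    // $password  plaintext password, passed through to the auth providers only
    global $_MYSTERY;
    // Don't authenticate if user is logged in
    if (isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] == 'yes') {
        return true;
    }
    // Try internal Mystery authentication first. A provider that returns a
    // non-array (false, null) is treated as "no user" instead of letting
    // count() fail on it.
    $user_info = mystery_internal_auth($username, $password);
    if (!is_array($user_info)) {
        $user_info = array();
    }
    if (count($user_info) == 0 && isset($_MYSTERY['external_auth_functions'])) {
        // some external authentication functions are set, so include the custom auth file
        include 'custom/authentication.php';
        // loop through the custom functions until one hopefully works
        foreach ($_MYSTERY['external_auth_functions'] as $auth_function) {
            // call each function with the username and password parameters
            $user_info = call_user_func($auth_function, $username, $password);
            if (!is_array($user_info)) {
                $user_info = array();
            }
            // if we get back a non-empty array, stop checking
            if (count($user_info) > 0) {
                break;
            }
        }
    }
    if (count($user_info) == 0) {
        // the authentication was not successful
        //sleep(2);
        return false;
    }
    // Authentication succeeded. Swap the session id before any privileged
    // state is written into the session (session-fixation defence); existing
    // session data is carried over to the new id.
    if (function_exists('session_status') && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    // set the user's session information
    $_SESSION['user_username'] = $username;
    $_SESSION['user_first_name'] = $user_info['user_first_name'];
    $_SESSION['user_last_name'] = $user_info['user_last_name'];
    $_SESSION['user_email'] = $user_info['user_email'];
    // check that the user is in Mystery.  If not, add them.  If so, get their id.
    $query = 'SELECT * FROM ' . $_MYSTERY['table_prefix'] . 'users WHERE user_username = ? OR user_email = ?';
    $params = array($_SESSION['user_username'], $_SESSION['user_username']);
    $results = mystery_select_query($query, $params);
    if (count($results) > 0) {
        // user exists, set the session user_id variable
        $_SESSION['user_id'] = $results[0]['user_id'];
    } else {
        // user doesn't exist.  Add them
        $table = $_MYSTERY['table_prefix'] . 'users';
        // 24-hour clock ('H'); 'h' would store ambiguous 12-hour timestamps
        $now = date('Y-m-d H:i:s');
        $data = array();
        $data['user_username'] = $user_info['user_username'];
        $data['user_first_name'] = $user_info['user_first_name'];
        $data['user_last_name'] = $user_info['user_last_name'];
        $data['user_email'] = $user_info['user_email'];
        $data['user_record_updated'] = $now;
        $data['user_creation_date'] = $now;
        $_SESSION['user_id'] = mystery_insert_query($table, $data, 'user_id');
        // add the user to the default groups
        if (isset($_MYSTERY['default_user_groups']) && $_MYSTERY['default_user_groups'] != '') {
            // remove whitespace and split on the commas
            $groups = explode(',', preg_replace('~\\s~', '', $_MYSTERY['default_user_groups']));
            $table = $_MYSTERY['table_prefix'] . 'users_groups';
            foreach ($groups as $group_id) {
                // for each group, add a record for the user
                // NOTE: there should be a mystery function that better uses the prepared
                // statements to insert multiple values, but I'm not sure how that works
                // with sequences
                $data = array();
                $data['user_id'] = $_SESSION['user_id'];
                $data['group_id'] = $group_id;
                mystery_insert_query($table, $data, 'ug_id');
            }
        }
    }
    // get the user's groups and permissions. Start from a clean slate so that
    // groups or an admin flag left in the session by an earlier login cannot
    // carry over into this one.
    $_SESSION['user_groups'] = array();
    unset($_SESSION['is_administrator']);
    $query = 'SELECT group_id FROM ' . $_MYSTERY['table_prefix'] . 'users_groups WHERE user_id = ?';
    $params = array($_SESSION['user_id']);
    $user_groups = mystery_select_query($query, $params);
    foreach ($user_groups as $row) {
        $_SESSION['user_groups'][] = $row['group_id'];
        if ($row['group_id'] == '1') {
            // group 1 is the admin group
            $_SESSION['is_administrator'] = 'yes';
        }
    }
    // set final session variables
    $_SESSION['is_logged_in'] = 'yes';
    return true;
}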