}
// Compare the stored token against the submitted one; any mismatch fails.
// NOTE(review): `!==` is an ordinary short-circuiting string compare. For a
// secret this is normally done with
// hash_equals((string) $_SESSION[$form . '_token'], (string) $_POST['token'])
// so the comparison time does not depend on where the first differing byte is.
// $_POST['token'] is also read without an isset() guard. The head of
// verifyFormToken() lies above this fragment.
if ($_SESSION[$form . '_token'] !== $_POST['token']) {
    return false;
}
return true;
}

/**
 * Normalise a single form field: trim, strip backslashes, HTML-escape.
 *
 * Caveats a practitioner would want, all visible in the three calls below:
 *  - htmlspecialchars() is called with its defaults: single quotes are left
 *    unescaped (no ENT_QUOTES) and no charset is passed.
 *  - stripslashes() is a magic_quotes-era habit; on current PHP it removes
 *    backslashes the user actually typed.
 *  - Nothing here removes CR/LF, so the result is not header-safe (see the
 *    From: header built from $email further down).
 *  - This is HTML escaping applied on input, yet the only consumer in view is
 *    a plain-text e-mail, which is not an HTML context.
 *
 * @param string $data raw field value
 * @return string trimmed, unslashed, HTML-escaped value
 */
function check_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Contact-form handler: on a valid 'form1' token, build a plain-text body and
// forward it by e-mail.
if (isset($_POST['submit'])) {
    if (verifyFormToken('form1')) {
        $name = check_input($_POST["name"]);
        // NOTE(review): $email is never validated (no FILTER_VALIDATE_EMAIL) and
        // check_input() does not strip CR/LF, yet it is placed verbatim into the
        // additional_headers argument of mail() below. A value containing a line
        // break could inject extra headers (e.g. Bcc:) unless PHP's own header
        // checks reject it — validate it and reject anything containing \r or \n.
        $email = check_input($_POST["emailaddress"]);
        $message = check_input($_POST["message"]);
        $ForwardTo = '*****@*****.**'; // destination address (redacted in this copy)
        $details = 'Name: ' . $name . "\n" . 'Email: ' . $email . "\n" . 'Message: ' . $message . "\n";
        // Success is recorded before mail() runs and mail()'s return value is
        // discarded, so a send failure still reports 'Success!'.
        $data['success'] = true;
        $data['message'] = 'Success!';
        // From: is built from user input — see the note on $email above.
        mail($ForwardTo, "Construction of Hope Contact", $details, "From:{$email}");
    } else {
        $data['success'] = false;
        $data['errors'] = $errors; // $errors is not assigned anywhere in this fragment
    }
    // The exit() argument (an HTML page) continues beyond this fragment.
    exit(' <body>
<?php
// Only act when a recipient was posted (loose != "", so "0" is treated as empty too).
if ($_POST['recipient'] != "") {
    // VERIFY LEGITIMACY OF TOKEN
    if (verifyFormToken('cwfile')) {
        // CHECK TO SEE IF THIS IS A MAIL POST
        if (isset($_POST['active'])) {
            // Building a whitelist array with keys which will send through the form, no others would be accepted later on
            // NOTE(review): 'gallery[]' can never equal a $_POST key — PHP exposes an
            // array field under the key 'gallery' — so a posted gallery[] field would
            // presumably be rejected by the loop below; confirm against the form.
            $whitelist = array('token', 'term', 'recipient', 'name', 'protect', 'active', 'password', 'content', 'duration', 'specificdate', 'gallery[]', 'redirect', 'imgtype', 'userid', 'img', 'imgsizes', 'id', 'CwFileCode', 'encryptid', 'cwfilecode');
            // Building an array with the $_POST-superglobal
            foreach ($_POST as $key => $item) {
                // Check if the value $key (fieldname from $_POST) can be found in the whitelisting array, if not, die with a short message to the hacker
                // NOTE(review): in_array() without strict=true. On PHP < 8 a purely
                // numeric field name (key 0) compares loosely equal to any of these
                // strings and slips through; pass true as the third argument.
                if (!in_array($key, $whitelist)) {
                    writeLog('Unknown form fields');
                    die("Hack-Attempt detected. Please use only the fields in the form");
                }
            }
            // Lets check the URL whether it's a real URL or not. if not, stop the script
            // (currently disabled — $_POST['active'] is therefore not validated here)
            # if(!filter_var($_POST['active'],FILTER_VALIDATE_URL)) {
            # writeLog('URL Validation');
            # die('Hack-Attempt detected. Please insert a valid URL');
            # }
            // SAVE INFO AS COOKIE, if user wants name and email saved
            // NOTE(review): 'save-stuff' is not in $whitelist, so any request that
            // carries it dies in the loop above; when it is absent this read is an
            // undefined index (null) and the branch below never runs. Both cookies
            // also store the same value ($_POST['recipient']) and are set without
            // the secure/httponly flags.
            $saveCheck = $_POST['save-stuff'];
            if ($saveCheck == 'on') {
                setcookie("WRCF-Name", $_POST['recipient'], time() + 60 * 60 * 24 * 365);
                setcookie("WRCF-Email", $_POST['recipient'], time() + 60 * 60 * 24 * 365);
            }
            $Sender = "Pk Design";
            // $CwFileExpire, $CwLink and $CwFileCode are not assigned in this fragment.
            $Expire = date("M-d-Y", $CwFileExpire);
            $CwLink = $CwLink . "?request={$CwFileCode}";
<?php
$auth_name = 'ban'; // presumably the permission inc.php checks for this page — confirm in inc.php
$b3_conn = true; // this page needs to connect to the B3 database
require '../../inc.php';
if (!$_POST['ban-sub']) { // if the form was not submitted
    // NOTE(review): this guard relies on send() terminating the script; if it
    // only emits a redirect, processing continues below — confirm.
    set_error('Please do not call that page directly, thank you.');
    send('../../index.php');
}
## check that the sent form token is correct ##
if (!verifyFormToken('ban', $tokens)) { // verify token
    ifTokenBad('Add ban');
}
## Type of ban and get and set vars ##
// 'pb' == 'on' selects a permanent ban; otherwise a duration and time unit are required.
$pb_ban = cleanvar($_POST['pb']);
if ($pb_ban == 'on') {
    $is_pb_ban = true;
} else {
    $is_pb_ban = false;
    $duration_form = cleanvar($_POST['duration']);
    $time = cleanvar($_POST['time']);
    emptyInput($time, 'time frame');
    emptyInput($duration_form, 'penalty duration');
}
$reason = cleanvar($_POST['reason']);
// NOTE(review): sibling handlers gate the client id with isID(); no such check
// appears in this fragment (it may follow below the cut).
$client_id = cleanvar($_POST['cid']);
$pbid = cleanvar($_POST['c-pbid']);
$c_name = cleanvar($_POST['c-name']);
$is_add = true;
} elseif ($_POST['type'] == 'edit') {
    $is_add = false;
} else {
    sendBack('Missing Data');
}
## Check Token ##
// Add and edit use distinct token names ('addserver' / 'editserversettings').
if ($is_add) { // if add server request
    if (verifyFormToken('addserver', $tokens) == false) { // verify token
        ifTokenBad('Add Server');
    }
} else { // if edit server settings
    if (verifyFormToken('editserversettings', $tokens) == false) { // verify token
        ifTokenBad('Server Settings Edit');
    }
}
## Get Vars ##
$name = cleanvar($_POST['name']);
$ip = cleanvar($_POST['ip']); // no FILTER_VALIDATE_IP check in this fragment
$pb = cleanvar($_POST['pb']);
// DB Vars
$rcon_ip = cleanvar($_POST['rcon-ip']);
$rcon_port = cleanvar($_POST['rcon-port']); // not range-checked in this fragment
$rcon_pw_cng = cleanvar($_POST['cng-pw']);
// NOTE(review): the RCON password is a secret passed through cleanvar(); if that
// helper HTML-escapes (it is defined outside this fragment), a password containing
// & < > or quotes would be stored altered — confirm cleanvar()'s behaviour.
$rcon_pw = cleanvar($_POST['rcon-pass']);
$server_id = cleanvar($_POST['server']);
// The add/edit branch that follows lies below this fragment.
if ($is_add) {
send('../index.php');
}
## Find Type ##
if ($_POST['type'] == 'add') {
    $is_add = true;
} elseif ($_POST['type'] == 'edit') {
    $is_add = false;
} else {
    sendBack('Missing Data');
}
## Check Token ##
if ($is_add) {
    // NOTE(review): the 'addgame' token check is commented out, so the add-game
    // path in this fragment performs no CSRF check at all, while the edit path
    // below does. Unless the check happens elsewhere, re-enable these two lines.
    //if(!verifyFormToken('addgame', $tokens)) // verify token
    //ifTokenBad('Add Game');
} else {
    if (!verifyFormToken('gamesettings', $tokens)) { // verify token
        ifTokenBad('Game Settings Edit');
    }
}
## Get Vars ##
$name = cleanvar($_POST['name']);
$name_short = cleanvar($_POST['name-short']);
if ($is_add) {
    $game_type = cleanvar($_POST['game-type']);
}
// DB Vars
// NOTE(review): database credentials pass through cleanvar(); if it HTML-escapes,
// a password with & < > or quotes would be stored altered — confirm.
$db_host = cleanvar($_POST['db-host']);
$db_user = cleanvar($_POST['db-user']);
$db_pw_cng = cleanvar($_POST['cng-pw']);
$db_pw = cleanvar($_POST['db-pw']);
<?php
$auth_name = 'add_user'; // this page is add user, so that if you can add keys you should be able to remove them
require '../inc.php';
if ($_POST['t'] == 'del') { // if this is a deletion request
    $key = cleanvar($_POST['key']);
    // The token name is bound to the specific key being deleted.
    if (verifyFormToken('keydel' . $key, $tokens) == false) { // verify token
        ifTokenBad('Reg Key Delete');
    } // if bad token, log and send error
    $result = $dbl->delKey($key);
    if ($result) {
        sendGood('Registration key deleted');
    } else {
        sendBack('There was an problem completeing your request');
    }
    exit; // no need continuing with this script
} elseif ($_POST['comment']) { // if this is an edit comment request
    // NOTE(review): unlike the delete branch, no verifyFormToken() call is
    // visible on this path, so a cross-site POST could edit a key's comment
    // unless inc.php or code below the cut checks a token — confirm. A comment
    // of "0" is also falsy and would not enter this branch.
    $key = cleanvar($_POST['key']);
    $comment = cleanvar($_POST['comment']);
    emptyInput($comment, 'comment');
    $result = $dbl->editKeyComment($key, $comment, $mem->id);
    // this is an ajax request, so we need to echo error/success messages
    if ($result) {
        echo 'yes';
    } else {
} elseif ($_POST['react']) { // if this is a re-activation request
    // NOTE(review): $bl_id is taken raw from $_POST — no cleanvar() and no isID()
    // check, unlike the id handling in sibling handlers — and goes straight into
    // BLactive(). The per-id token name limits which ids a valid token covers but
    // does not validate the value; add an isID() check before the query.
    $bl_id = $_POST['id'];
    if (!verifyFormToken('act' . $bl_id, $tokens)) { // verify token
        ifTokenBad('BL De-activate'); // log label says de-activate, but this is the re-activate branch
    } // if bad log and send error
    $dbl->BLactive($bl_id, true); // run query to reactivate BL ban
    sendGood('This blacklist ban has been re-activiated');
    exit; // no need to continue
} elseif ($_POST['ip']) { // if this is an add request
    if (!verifyFormToken('addbl', $tokens)) { // verify token
        ifTokenBad('BL Add');
    } // if bad log, add hack counter and throw error
    // set and clean vars
    $reason = cleanvar($_POST['reason']);
    $ip = cleanvar($_POST['ip']);
    // check for empty inputs
    emptyInput($reason, 'the reason');
    emptyInput($ip, 'IP Address');
    // if reason is default comment msg, send back with error
    if ($reason == "Enter a reason for this ban...") {
        sendBack('You must add a reason as to why this IP ban is being added');
    }
    // check if it is a valid IP address (the check itself lies below this fragment)
<?php
$auth_name = 'add_user';
require '../inc.php';
## if form is submitted ##
if (!isset($_POST['add-user'])) { // if this was not a post request then send back with error
    sendBack('Please do not access that page directly');
}
## check that the sent form token is correct ##
if (!verifyFormToken('adduser', $tokens)) { // verify token
    ifTokenBad('Add User');
}
// set email and comment and clean
$email = cleanvar($_POST['email']);
$comment = cleanvar($_POST['comment']);
$group = cleanvar($_POST['group']); // not checked against the set of valid groups in this fragment
// check the new email address is a valid email address
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    sendBack('That email is not valid');
}
// Create a unique key for the user
// NOTE(review): this key is the registration secret, but nothing in its
// construction is cryptographically random: $admin_id (not assigned in this
// fragment), $email and $group are known or guessable, and both uniqid() and
// str_shuffle() are documented as not suitable for cryptographic use. Hashing
// afterwards adds no entropy. Derive the key from random_bytes(), e.g.
// bin2hex(random_bytes(32)), instead.
$text = $admin_id . $email . uniqid(microtime(), true) . $group; // take sent data and some random data to create a random string
$rand_text = str_shuffle($text); // shuffle the string to make more random
$user_key = genHash($rand_text); // hash the random string to get the user hash
## run query to add key to the DB ##
$add_user = $dbl->addEchKey($user_key, $email, $comment, $group, $mem->id);
<?php
$auth_name = 'greeting';
$b3_conn = true; // this page needs to connect to the B3 database
require '../../inc.php';
if ($_POST['greeting-sub']) { // if the form is submitted
    ## check that the sent form token is correct ##
    if (verifyFormToken('greeting', $tokens) == false) { // verify token
        ifTokenBad('Add comment'); // log label appears copied from the comment handler
    }
    $greeting = cleanvar($_POST['greeting']);
    $client_id = cleanvar($_POST['cid']);
    // NOTE: allow for an empty comment. An empty comment means no comment
    emptyInput($client_id, 'data not sent');
    if (!isID($client_id)) {
        sendBack('Invalid data sent, greeting not changed');
    }
    ## Add Log Message ##
    // The log entry is written before the UPDATE, so a failed update still leaves a log line.
    $comment = 'Greeting message changed';
    $dbl->addEchLog('Greeting', $comment, $client_id, $mem->id);
    ## Query ##
    // Parameterised UPDATE: the greeting is bound as a string and the id as an
    // integer, never interpolated. In `$x = prepare() or f()` the assignment
    // binds tighter than `or`, so sendBack() runs only when prepare() fails.
    $query = "UPDATE clients SET greeting = ? WHERE id = ? LIMIT 1";
    $stmt = $db->mysql->prepare($query) or sendBack('Database Error');
    $stmt->bind_param('si', $greeting, $client_id);
    $stmt->execute();
    // affected_rows is typically 0 both when no row matched and when the stored
    // value was already identical, so "unchanged" is reported as a failure.
    if ($stmt->affected_rows) {
        sendGood('Greeting has been updated');
    } else {
<?php
$auth_name = 'edit_ban';
$b3_conn = true; // this page needs to connect to the B3 database
require '../../inc.php';
if (!$_POST['eb-sub']) { // if the form was not submitted
    set_error('Please do not call that page directly, thank you.');
    send('../../index.php');
}
## check that the sent form token is correct ##
if (verifyFormToken('editban', $tokens) == false) { // verify token
    ifTokenBad('Edit ban');
}
// NOTE(review): $ban_id and $cid are cleaned but not yet checked with isID()
// in this fragment (the unban handler does that before its query).
$ban_id = cleanvar($_POST['banid']);
$pbid = cleanvar($_POST['pbid']);
$pb_ban = cleanvar($_POST['pb']);
$reason = cleanvar($_POST['reason']);
$cid = cleanvar($_POST['cid']);
// Permanent ban: duration 0 and expiry '-1'; temp ban: duration/time unit from the form.
if ($pb_ban == 'on') {
    $is_pb_ban = true;
    $type = 'Ban';
    $duration = 0;
    $time_expire = '-1';
} else {
    $is_pb_ban = false;
    $type = 'TempBan';
    $duration_form = cleanvar($_POST['duration']);
    $time = cleanvar($_POST['time']);
$auth_name = 'unban';
$b3_conn = true; // this page needs to connect to the B3 database
require '../../inc.php';
## Check the form was submitted ##
if (!$_POST['unban-sub']) { // if the form was not submitted
    set_error('Please do not call that page directly, thank you.');
    send('../../index.php');
}
## get vars ##
// $ban_id is read raw (no cleanvar()) and forms part of the token name; it is
// validated with isID() below before it reaches the query.
$ban_id = $_POST['banid'];
$type = cleanvar($_POST['type']); // checked non-empty below but otherwise unused in this fragment
## check that the sent form token is correct ##
if (verifyFormToken('unban' . $ban_id, $tokens) == false) { // verify token
    ifTokenBad('Unban');
}
## Check for empties ##
emptyInput($type, 'data not sent');
emptyInput($ban_id, 'data not sent');
## Check ban_id is a number ##
if (!isID($ban_id)) {
    sendBack('Invalid data sent, ban not added'); // message reads "ban not added" on an unban page
}
## Send query ##
$results = $db->makePenInactive($ban_id);
if (!$results) { // if bad send back warning
    sendBack('Penalty has not been removed');
<?php
$auth_name = 'comment';
$b3_conn = true; // this page needs to connect to the B3 database
require '../../inc.php';
if (!isset($_POST['comment-sub'])) { // if the form was not submitted
    set_error('Please do not call that page directly');
    send('../../');
}
## check that the sent form token is correct ##
if (verifyFormToken('comment', $tokens) == false) { // verify token
    ifTokenBad('Add comment');
}
// Gets vars from form
$cid = cleanvar($_POST['cid']);
$comment = cleanvar($_POST['comment']);
// Check for empties
emptyInput($comment, 'comment');
emptyInput($cid, 'client id not sent');
## Check sent client_id is a number ##
if (!isID($cid)) {
    sendBack('Invalid data sent, ban not added'); // message copied from the ban handler; this page adds a comment
}
## Query ##
// $game is not assigned in this fragment (presumably set by inc.php — confirm).
$result = $dbl->addEchLog('Comment', $comment, $cid, $mem->id, $game);
if ($result) {
    sendGood('Comment added');
} else {
<?php
$auth_name = 'edit_xlrstats';
$b3_conn = true; // this page needs to connect to the B3 database
require '../../../inc.php';
if (!isset($_POST['xlrstats-sub'])) { // if the form was not submitted
    set_error('Please do not call this page directly');
    send('../../');
}
## check that the sent form token is correct ##
if (verifyFormToken('xlrstats', $tokens) == false) { // verify token
    ifTokenBad('XLRstats Edit');
}
// Gets vars from form
$cid = cleanvar($_POST['cid']);
$name = cleanvar($_POST['fixed-name']);
$hide = cleanvar($_POST['hidden']);
// Normalise the checkbox value to 0/1.
if ($hide == 'on') {
    $hide = 1;
} else {
    $hide = 0;
}
// NOTE: when the user supplies an empty fixed name, the db will be updated with a blank/NULL field, in effect disabling the feature
## Check sent client_id is a number ##
if (!isID($cid)) {
    sendBack('Invalid data sent, ban not added'); // message copied from the ban handler
}
## LOG Query ##
// check which auth level is needed (the `if (!$is_mask)` that opens this lies above the fragment)
$auth_name = 'edit_client_level';
} else {
    $auth_name = 'edit_mask';
}
$b3_conn = true; // this page needs to connect to the B3 database
require '../../inc.php';
## check that the sent form token is correct ##
if (!$is_mask) {
    if (verifyFormToken('level', $tokens) == false) { // verify token
        ifTokenBad('Change client level');
    }
} else {
    if (verifyFormToken('mask', $tokens) == false) { // verify token
        ifTokenBad('Change client mask level');
    }
}
## Set and clean vars ##
$level = cleanvar($_POST['level']);
$client_id = cleanvar($_POST['cid']);
// NOTE(review): 'old-level' is supplied by the client. How it is used lies below
// the cut; if it feeds any permission decision, read the current level from the
// database instead of trusting the form.
$old_level = cleanvar($_POST['old-level']);
// NOTE(review): a password passes through cleanvar(); if that helper HTML-escapes,
// passwords containing & < > or quotes would be altered before verification — confirm.
$password = cleanvar($_POST['password']);
## Check Empties ##
emptyInput($level, 'data not sent');
emptyInput($client_id, 'data not sent');
emptyInput($old_level, 'data not sent');
// $client_id is not checked with isID() in this fragment (sibling handlers do).
if (!$is_mask) { // only the client level needs a password
}
$perms = substr($list, 0, -1); // remove the final comma
## get slug from name ##
// Lower-case the name (this lower-cased form is also what gets stored) and keep only
// [a-z0-9-] for the slug; a name with none of those characters yields an empty slug,
// which is not rejected here.
$name = strtolower(trim($name));
$slug = preg_replace('/[^a-z0-9-]/', '', $name);
$result = $dbl->addGroup($name, $slug, $perms);
if (!$result) {
    sendBack('There was a problem creating the new group');
} else {
    sendGood('The group ' . $name . ' has been created!'); // $name is user input; relies on sendGood() escaping for output
}
} else { // edit group perms
    # verify token #
    if (!verifyFormToken('perm-group-edit', $tokens)) {
        ifTokenBad('Edit Group Permissions');
    }
    // NOTE(review): the group id comes from the query string while the rest of the
    // request is POST; is_numeric() also accepts forms such as "1e3" or " 7" that
    // the isID() helper used by sibling handlers may not — consider isID() here.
    $group_id = cleanvar($_GET['gid']); // get the group to update from the URL
    ## check numeric id ##
    if (!is_numeric($group_id)) {
        sendBack('Invalid data sent, request aborted');
    }
    $data = getPostsPerms($_POST);
    $perms_list = $dbl->getPermissions(false); // get a full list of all perms (without desc)
    foreach ($perms_list as $perm) { // compare the two lists and create a common list of perms
        $perm_id = $perm['id'];
        $perm_name = $perm['name'];
} else {
    sendBack('There is a problem. The user has not been deleted');
}
exit;
} elseif ($_POST['ad-edit-user']) { // admin edit user
    ## get and clean vars ##
    $username = cleanvar($_POST['username']);
    $display = cleanvar($_POST['display']);
    $email = cleanvar($_POST['email']); // not validated with FILTER_VALIDATE_EMAIL here, unlike the add-user handler
    $group = cleanvar($_POST['group']); // not checked against existing groups in this fragment
    $id = cleanvar($_POST['id']);
    ## check numeric id ##
    // NOTE(review): this input check runs before the token check; sibling handlers
    // verify the token first so a forged request is rejected before any input is
    // inspected. is_numeric() is also looser than the isID() helper used elsewhere.
    if (!is_numeric($id)) {
        sendBack('Invalid data sent, request aborted');
    }
    # verify token #
    if (!verifyFormToken('adedituser', $tokens)) {
        ifTokenBad('Edit Echelon User');
    }
    $result = $dbl->editUser($id, $username, $display, $email, $group);
    if ($result) {
        sendGood($display . "'s information has been updated"); // $display is user input; relies on sendGood() escaping
    } else {
        sendBack('There is a problem. The user information has not been changed');
    }
    exit;
} else {
    set_error('You cannot view this page directly');
    send('sa.php');
}