function PrepareTextDB($text) { $text = trim($text); while (strstr($text, "\n\n")) { $text = str_replace("\n\n", "\n", $text); } $text = str_replace("\n\r\n\r", "\n\r", $text); while (strstr($text, "\n\r\n\r")) { $text = str_replace("\n\r\n\r", "\n\r", $text); } $text = str_replace("\n", "<br />", $text); $text = preg_replace('/\\v+|\\\\[rn]/', '<br />', $text); $text = nl2br($text) . ""; while (strstr($text, "<br /><br />")) { $text = str_replace("<br /><br />", "<br />", $text); } $text = str_replace("<br /><br />", "<br />", $text); $text = stripslashes($text); $text = EscapeStr($text); //if (get_magic_quotes_gpc()) //$text = stripslashes($text); return $text; }
$name = 'iprange'; } if (!empty($ip) and $ip != '0.0.0.0') { $ipv = explode(".", $ip); if (count($ipv) >= 2) { $ip_part = $ipv[0] . "." . $ipv[1]; } $ip_part = str_replace(":", "", $ip_part); } else { $ip_part = ""; } $admin = safeEscape(trim($_POST["admin"])); $gn = safeEscape(trim($_POST["gn"])); $date = EscapeStr(trim($_POST["date"])); $expire = EscapeStr(trim($_POST["expire"])); $warn = EscapeStr(trim($_POST["warn"])); if (empty($ip)) { $sth = $db->prepare("SELECT * FROM " . OSDB_GP . " WHERE name = '" . $name . "' AND ip!='' LIMIT 1"); $result = $sth->execute(); $row = $sth->fetch(PDO::FETCH_ASSOC); $ip = $row["ip"]; } if (date("Y", strtotime($expire)) <= 1990) { $expire = ""; } if (strlen($name) <= 2) { $errors .= "<div>Field Name does not have enough characters</div>"; } if (!OS_IsRoot() and strstr($ip, ":")) { $errors .= "<div style='color: #ab0900; font-weight:bold;'><img src='del.png' alt='delete' width='16' height='16' class='imgvalign' /> You don't have permission to ban IP range</div>"; }
//eDIT if (isset($_GET["edit"]) and is_numeric($_GET["edit"]) or isset($_GET["add"])) { $name = ""; $server = ""; $reason = ""; $ip = ""; $admin = ""; $gn = ""; if (isset($_GET["edit"]) and is_numeric($_GET["edit"])) { $id = safeEscape((int) $_GET["edit"]); } //UPDATE if (isset($_POST["edit_ban"])) { $name = safeEscape(trim($_POST["name"])); $server = safeEscape(trim($_POST["server"])); $reason = EscapeStr(convEnt2(trim($_POST["reason"]))); $ip = safeEscape(trim($_POST["ip"])); $admin = safeEscape(trim($_POST["admin"])); $gn = safeEscape(trim($_POST["gn"])); $warnc = safeEscape(trim((int) $_POST["warnc"])); $d = safeEscape(trim($_POST["d"])); $m = safeEscape(trim($_POST["m"])); $y = safeEscape(trim($_POST["y"])); $h = safeEscape(trim($_POST["h"])); $i = safeEscape(trim($_POST["i"])); $expire = "{$y}-{$m}-{$d} {$h}:{$i}:00"; $expireT = strtotime($expire); $expireSql = date('Y-m-d H:i:00', $expireT); if ($d < 0 or $d > 31) { $expire = ''; }
<?php //if (!defined('IN_OS')) exit; if (isset($_GET["replayLoc"])) { $replayloc = "../" . EscapeStr($_GET["replayLoc"]); } if (file_exists("{$replayloc}")) { $drawTable = "replay_header"; include "themes/" . $DefaultStyle . "/game_log.php"; require 'inc/replay_parser/chat.php'; $replay = new replay($replayloc); if (!isset($error)) { /////////////////// COLORS //////////// $firstBlood = true; $i = 1; foreach ($replay->teams as $team => $players) { if ($team != 12) { foreach ($players as $player) { // remember there's no color in tournament replays from battle.net website if ($player['color']) { //echo('<span class="'.$player['color'].'">'.$player['color'].'</span>'); // since version 2.0 of the parser there's no players array so // we have to gather colors and names earlier as it will be harder later ;) $colors[$player['player_id']] = $player['color']; $names[$player['player_id']] = $player['name']; } } $i++; } } for ($i = 0; $i <= 14; $i++) {
if (isset($_POST["search"])) { function HighlightKeyword($str, $search) { $occurrences = substr_count(strtolower($str), strtolower($search)); $newstring = $str; $match = array(); for ($i = 0; $i < $occurrences; $i++) { $match[$i] = stripos($str, $search, $i); $match[$i] = substr($str, $match[$i], strlen($search)); $newstring = str_replace($match[$i], '[#]' . $match[$i] . '[@]', strip_tags($newstring)); } $newstring = str_replace('[#]', '<b>', $newstring); $newstring = str_replace('[@]', '</b>', $newstring); return $newstring; } $search = EscapeStr(trim($_POST["search"])); $sth = $db->prepare("SELECT * FROM `" . OSDB_STATS_P . "` \n\tWHERE player LIKE ('%" . $search . "%') GROUP BY player ORDER BY user_level DESC, id DESC LIMIT 50"); $result = $sth->execute(); ?> <div class="LiveSearchWrapper"> <a href="javascript:;" onclick="OS_ResetSearch()" style="float: right;"><img src="<?php echo OS_HOME; ?> img/close.png" alt="close" width="16" height="16" class="imgvalign" /></a> <?php while ($row = $sth->fetch(PDO::FETCH_ASSOC)) { $player = HighlightKeyword($row["player"], $search); ?> <div><a href="<?php echo OS_HOME; ?>
} if (isset($_GET["edit"]) or isset($_GET["add"])) { if (isset($_GET["edit"])) { $edit = safeEscape($_GET["edit"]); } if (isset($_GET["add"])) { $HeroName = ""; $heroid = ""; $desc = ""; $stats = ""; $skills = ""; $type = 0; } if (isset($_POST["edit_hero"])) { $HeroName = EscapeStr($_POST["hero_name"]); $heroid = EscapeStr($_POST["heroid"]); $desc = my_nl2br(trim($_POST["desc"])); $desc = str_replace(array("Š", "š"), array("Š", "š"), $desc); $type = (int) $_POST["type"]; $stats = my_nl2br(removeDoubleSpaces(trim($_POST["stats"]))); $stats = str_replace(array("Š", "š"), array("Š", "š"), $stats); $skills = my_nl2br(removeDoubleSpaces(trim($_POST["skills"]))); $skills = str_replace(array("Š", "š"), array("Š", "š"), $skills); if ($heroid != "" and strlen($HeroName) >= 2) { if (isset($_GET["edit"])) { $update = $db->update(OSDB_HEROES, array("description" => $HeroName, "summary" => $desc, "stats" => $stats, "skills" => $skills, "type" => $type), "heroid = '" . $edit . "' "); OS_AddLog($_SESSION["username"], "[os_heroes] EDITED HERO ( {$edit}, {$HeroName} )"); } else { $hid = str_replace(".gif", "", $heroid); $check = $db->prepare("SELECT * FROM " . OSDB_HEROES . " WHERE heroid = '" . $hid . "' "); $result = $check->execute();
$itemID = ""; if (isset($_GET["edit"]) or isset($_GET["add"])) { if (isset($_GET["edit"])) { $edit = safeEscape($_GET["edit"]); } else { $edit = ""; } if (isset($_POST["edit_item"])) { $icon = safeEscape($_POST["icon"]); $name = convEnt2($_POST["name"]); $shortname = convEnt2($_POST["shortname"]); $item_info = my_nl2br(convEnt2(trim($_POST["item_info"]))); $item_info = str_replace(array("Š", "š"), array("Š", "š"), $item_info); $price = EscapeStr($_POST["price"]); $type = EscapeStr($_POST["type"]); $icon = EscapeStr($_POST["icon"]); if (strlen($name) >= 2 and strlen($shortname) >= 2) { if (isset($_GET["edit"])) { $upd = 1; $update = $db->update(OSDB_ITEMS, array("name" => $name, "shortname" => $shortname, "item_info" => $item_info, "price" => $price, "type" => $type, "icon" => $icon), "itemid = '" . $edit . "' "); if ($upd) { ?> <h2>Item successfully updated</h2><?php OS_AddLog($_SESSION["username"], "[os_items] EDITED ITEM ( {$name}, {$edit} )"); } } else { if (isset($_GET["add"])) { $id = safeEscape(strtoupper($_POST["itemid"])); $sth = $db->prepare("SELECT * FROM " . OSDB_ITEMS . " WHERE (itemid) = ('" . $id . "') LIMIT 1 "); $result = $sth->execute(); if ($sth->rowCount() >= 1) {
function OS_ForgotPassword() { $errors = ""; global $db; global $mail; global $lang; if (isset($_POST["reset_password"]) and isset($_POST["reset_password_submit"])) { global $lang; $email = EscapeStr(trim($_POST["reset_password"])); if (isset($_SESSION["password_send"])) { $errors .= "<h4>You have already sent a request to reset the password. Please check your mail.</h4>"; } if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) { $errors .= "<h4>Invalid Email address</h4>"; } if (empty($errors)) { $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 "); $sth->bindValue(':email', $email, PDO::PARAM_STR); $result = $sth->execute(); if ($sth->rowCount() <= 0) { $errors .= "<h4>Email address does not exist in our database.</h4>"; } if (empty($errors)) { $code = generate_hash(16); OS_add_custom_field(0, 'reset_password|' . $email, $code); require "inc/class.phpmailer.php"; $message = "You have requested a password reset.<br />"; $message .= "Click on the link below to reset your password:<br /><br />"; $message .= OS_HOME . "?action=reset_password&e=" . $email . "&c=" . $code . "<br /><br />"; $message .= "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />"; $message .= "If you did not request a password reset just ignore this email and delete it.<br />"; $mail = new PHPMailer(); $mail->CharSet = 'UTF-8'; $mail->ContentType = 'text/plain'; $mail->IsHTML(true); $mail->SetFrom($lang["email_from"], $lang["email_from_full"]); //$mail->AddReplyTo( $lang["email_from"], $lang["email_from_full"] ); $mail->AddAddress($email, ""); $mail->Subject = "Password reset!"; $mail->MsgHTML($message); $mail->AltBody = "This is the body in plain text for non-HTML mail clients"; $mail->Send(); $_SESSION["password_send"] = time(); //Not error, just a message $errors = "<h4>You have successfully submitted a request to reset your password. Please check your mail.</h4>"; } } } ?> <div id="content" class="s-c-x"> <div class="wrapper"> <div id="main-column"> <div class="padding"> <div class="inner"> <h2>Reset password</h2> <div class="padTop"></div> <?php if (isset($errors) and !empty($errors)) { echo $errors; } ?> <?php if (!isset($_GET["c"]) and !isset($_GET["e"])) { ?> <form action="" method="post"> <table style="width:800px;"> <tr class="row"> <td></td> <td> <b>You can't retrieve your password, but you can set a new one by following a link sent to you by email.</b> <div>- This is the email address you used to register on the site.</div> <div>- If you do not receive an email, check your "Spam" folder.</div> </td> </tr> <tr class="row"> <td width="120" class="padLeft">Email address:</td> <td class="padLeft"> <input type="text" name="reset_password" size="39" value="" style="height:26px;" /> </td> </tr> <tr class="row"> <td width="120" class="padLeft"></td> <td class="padLeft"><input type="submit" name="reset_password_submit" class="menuButtons" value="Send" /> <div class="padBottom"></div> </td> </tr> </table> </form> <?php } else { if (isset($_GET["e"])) { $email = EscapeStr(trim($_GET["e"])); } else { $email = generate_hash(12); } if (isset($_GET["c"])) { $code = EscapeStr(trim($_GET["c"])); } else { $code = generate_hash(12); } if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) { $errors .= "<h4>Invalid Email address</h4>"; } if (empty($errors)) { $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 "); $sth->bindValue(':email', $email, PDO::PARAM_STR); $result = $sth->execute(); if ($sth->rowCount() <= 0) { $errors .= "<h4>Email address does not exist in our database.</h4>"; } } if (empty($errors)) { $value = OS_get_custom_field(0, 'reset_password|' . $email); if ($code != $value or strlen($code) <= 5) { $errors .= "<h4>Link has expired, or the password has already been reset</h4>"; } } //FINALLY RESET if (empty($errors) and isset($_POST["reset_1"]) and isset($_POST["reset_2"])) { $p1 = strip_tags($_POST["reset_1"]); $p2 = strip_tags($_POST["reset_2"]); if ($p1 != $p2) { $errors .= "<h4>Both passwords are not the same</h4>"; } else { $hash = generate_hash(16, 1); $password_db = generate_password($p1, $hash); $result = $db->update(OSDB_USERS, array("user_password" => $password_db, "password_hash" => $hash), "user_email = '" . $email . "'"); //OS_delete_custom_field( 0, 'reset_password|'.$email , $code); $delete = $db->exec("DELETE FROM " . OSDB_CUSTOM_FIELDS . " \n\t\t WHERE field_value='" . $code . "' AND field_name = 'reset_password|" . $email . "' LIMIT 1"); $PasswordReset = 1; } } if (isset($errors) and !empty($errors)) { echo $errors; } else { if (isset($PasswordReset) and $PasswordReset == 1) { ?> <h2>Password has been successfully changed. Now you can log in.</h2> <?php } else { ?> <form action="" method="post"> <table style="width:600px;"> <tr class="row"> <td class="padLeft">New password:</td> <td class="padLeft"><input type="password" name="reset_1" size="6" value="" /></td> </tr> <tr class="row"> <td class="padLeft">Repeat password:</td> <td class="padLeft"><input type="password" name="reset_2" size="6" value="" /></td> </tr> <tr class="row"> <td width="120" class="padLeft"></td> <td class="padLeft"><input type="submit" name="reset_pw" class="menuButtons" value="Reset your password" /> <div class="padBottom"></div> </td> </tr> </table> </form> <?php } } } ?> <div style="height:260px;"></div> </div> </div> </div> </div> </div> <?php }
$errors .= "<div>" . $lang["error_invalid_login"] . "</div>"; } else { $errors = "<div>" . $lang["error_invalid_login"] . "</div>"; } } } //REGISTER if (isset($_GET["login"]) and !is_logged() and isset($_POST["register_"])) { if ($UserActivation == 2) { require_once OS_PLUGINS_DIR . 'index.php'; os_init(); header('location: ' . OS_HOME . ''); die; } $username = OS_StrToUTF8($_POST["reg_un"]); $username = EscapeStr(trim($username)); $email = safeEscape(trim($_POST["reg_email"])); $email = strtolower($email); $password = safeEscape($_POST["reg_pw"]); $password2 = safeEscape($_POST["reg_pw2"]); $registration_errors = ""; $AllowedCharacters = '0123456789QWERTZUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklyxcvbnmљњертзуиопшђасдфгхјклчћжѕџцвбнмšđč枊ĐČĆŽЉЊЕРТЗУИОПШЂАСДФГХЈКЛЧЋЖЅЏЦВБНМ_-'; if (!preg_match('/^[' . $AllowedCharacters . ']+$/', $username)) { $registration_errors .= "<div>" . $lang["error_username"] . "</div>"; } //die($registration_errors." - ".$username); if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) { $registration_errors .= "<div>" . $lang["error_email"] . "</div>"; } if (strlen($username) <= 2) { $registration_errors .= "<div>" . $lang["error_short_un"] . "</div>";
if (!isset($website)) { header('HTTP/1.1 404 Not Found'); die; } $BanAppeal = ""; $MenuClass["bans"] = "active"; if (isset($_POST["submit_appeal"])) { $player = safeEscape(trim($_SESSION["bnet_username"])); $subject = safeEscape(trim($_POST["subject"])); $reason = safeEscape(trim($_POST["message"])); $reason = my_nl2br(trim($_POST["message"])); $reason = nl2br($reason); $reason = EscapeStr($reason); $game_url = EscapeStr(trim($_POST["game_url"])); $replay_url = EscapeStr(trim($_POST["replay_url"])); $errors = ""; if (strlen($player) <= 2) { $errors .= "<div>" . $lang["error_report_player"] . "</div>"; } if (strlen($reason) <= 3) { $errors .= "<div>" . $lang["error_report_reason"] . "</div>"; } if (!is_logged()) { $errors = "<div>" . $lang["error_report_login"] . "</div>"; } if (isset($_SESSION["last_report"]) and $_SESSION["last_report"] + $BanReportTime > time()) { $TimeLeft = time() - $_SESSION["last_report"]; $errors = "<div>" . $lang["error_report_time2"] . " " . ($BanReportTime - $TimeLeft) . " " . $lang["error_sec"] . " </div>"; } if (empty($errors)) {
} ?> <?php if (isset($_GET["hid"])) { $hid = safeEscape($_GET["hid"]); if (isset($_POST["heroid"])) { $hid = safeEscape($_POST["heroid"]); } $sth = $db->prepare("SELECT * FROM " . OSDB_HEROES . " WHERE original!='' AND heroid = '" . $hid . "' "); $result = $sth->execute(); if ($sth->rowCount() >= 1) { $row = $sth->fetch(PDO::FETCH_ASSOC); if (isset($_POST["add_guide"]) and isset($_POST["guide_url"])) { $url = EscapeStr($_POST["guide_url"]); $title = EscapeStr(convEnt2($_POST["guide_title"])); $errors = ""; $edit = ""; $code = $_POST["code"]; if ($code != $_SESSION["code"]) { $errors .= '<div><img src="' . $website . 'adm/del.png" alt="edit" /> Invalid form</div>'; } if (!strstr($url, "http")) { $errors .= "<div>Link is not valid.</div>"; } if (empty($errors)) { if (isset($_GET["edit"]) and is_numeric($_GET["edit"])) { $edit = safeEscape((int) $_GET["edit"]); $sql = "AND id != '" . $edit . "'"; } else { $sql = "";
$location = safeEscape(trim($_POST["location"])); $realm = safeEscape(trim($_POST["realm"])); $www = EscapeStr(trim($_POST["website"])); $gender = EscapeStr(trim($_POST["gender"])); $clan = EscapeStr(trim($_POST["clan"])); $user_ppwd = EscapeStr(trim($_POST["user_ppwd"])); if (isset($_POST["hide"])) { $hide = (int) EscapeStr(trim($_POST["hide"])); } if (strstr($user_ppwd, " ")) { $user_ppwd = ""; } if (strstr($user_ppwd, "\t")) { $user_ppwd = ""; } $lang = EscapeStr(trim($_POST["lang"])); $sql = "UPDATE " . OSDB_USERS . " SET "; if (isset($_POST["admin_realm"])) { if ($_POST["admin_realm"] == "OHConnect") { $sql .= " admin_realm = 'OHConnect', "; } if ($_POST["admin_realm"] == "europe.battle.net") { $sql .= " admin_realm = 'europe.battle.net', "; } if ($_POST["admin_realm"] == "useast.battle.net") { $sql .= " admin_realm = 'useast.battle.net', "; } if ($_POST["admin_realm"] == "uswest.battle.net") { $sql .= " admin_realm = 'uswest.battle.net', "; } if ($_POST["admin_realm"] == "server.eurobattle.net") {
?> adm/?posts">« Back</a></h2> </div> <?php } //ADD / EDIT POST if (isset($_GET["add"]) or isset($_GET["edit"]) and is_numeric($_GET["edit"])) { if (isset($_POST["add_post"])) { $title = EscapeStr($_POST["post_title"]); $status = EscapeStr((int) $_POST["status"]); $allow_comments = EscapeStr((int) $_POST["allow_comments"]); $text = my_nl2br(convEnt2(trim($_POST["post_text"]))); $text = str_replace(array("Š", "š"), array("Š", "š"), $text); $errors = ""; $time = time(); $author = EscapeStr((int) $_POST["author"]); if (strlen($title) <= 3) { $errors .= "<div>Field Title does not have enough characters</div>"; } if (strlen($text) <= 5) { $errors .= "<div>Field Text does not have enough characters</div>"; } if (empty($errors)) { if (isset($_GET["add"])) { $ins = 1; $insert = $db->prepare("INSERT INTO " . OSDB_NEWS . "(news_title, news_content, news_date, status, allow_comments, author)\n\t\tVALUES('" . $title . "', '" . $text . "', '" . $time . "', '" . $status . "', '" . $allow_comments . "', '" . $author . "') "); $result = $insert->execute(); if ($ins) { ?> <div align="center"> <h2>Post successfully added. <a href="<?php
/* $text = my_nl2br( trim($_POST["comment"]) ); $text = nl2br($text); $text = EscapeStr( ($text) ); $text = (($text)); */ $text = PrepareTextDB($_POST["comment"]); if (strlen($text) <= 2) { $errors .= "<div>Field Text does not have enough characters</div>"; } $time = date("Y-m-d H:i:s", time()); $d = EscapeStr($_POST["_d"]); $m = EscapeStr($_POST["_m"]); $Y = EscapeStr($_POST["_Y"]); $H = EscapeStr($_POST["_H"]); $i = EscapeStr($_POST["_i"]); $DateErr = 0; $PostTime = strtotime($Y . "-" . $m . "-" . $d . " " . $H . ":" . $i . ":00"); $sqlPostDate = ", date = '" . $PostTime . "' "; if ($d <= 0 or $d >= 32) { $sqlPostDate = ''; } if ($m <= 0 or $m >= 13) { $sqlPostDate = ''; } if ($Y <= 0) { $sqlPostDate = ''; } if ($H < 0 or $H >= 25) { $sqlPostDate = ''; }
<?php OS_AddLog($_SESSION["username"], "[os_notes] Deleted Note: ( #" . (int) $id . " ) "); } //eDIT if (isset($_GET["edit"]) and is_numeric($_GET["edit"]) or isset($_GET["add"])) { $name = ""; $server = ""; $note = ""; if (isset($_GET["edit"]) and is_numeric($_GET["edit"])) { $id = safeEscape((int) $_GET["edit"]); } //UPDATE if (isset($_POST["edit_list"])) { $name = safeEscape(trim($_POST["name"])); $server = safeEscape(trim($_POST["server"])); $note = EscapeStr(trim($_POST["note"])); $note = strip_tags(strip_quotes($note)); if (strlen($name) <= 2) { $errors .= "<div>Field Name does not have enough characters</div>"; } if (strlen($name) > 20) { $errors .= '<div>Field "Player Name" contains too many characters</div>'; } $time = date("Y-m-d H:i:s", time()); if (isset($_GET["edit"])) { $sql = "UPDATE " . OSDB_NOTES . " SET \n\t name= '" . $name . "', server = '" . $server . "', note = '" . $note . "'\n\t WHERE id ='" . $id . "' LIMIT 1 "; } if (isset($_GET["add"])) { $sql = "INSERT INTO " . OSDB_NOTES . "(name, server, note) VALUES('" . $name . "', '" . $server . "', '" . $note . "' )"; } if (empty($errors)) {