function check_auth_cookie()
{
list($user_id, $token) = explode('@', $_COOKIE['auth']);
return check_auth_token($user_id, $token);
}
<?php
require_once "../../utilities/database.php";
require_once "../../utilities/auth.php";
require_once "auth.php";
require_once "database.php";
$rest_json = file_get_contents("php://input");
$_POST = json_decode($rest_json, true);
$token = check_auth_token($_POST["token"], $DB_PASSWD);
if ($token) {
$response = array("response" => query("INSERT INTO Posts (title, content, style, date, author, category, tags) VALUES('" . $_POST["title"] . "', '" . $_POST["content"] . "', '" . $_POST["style"] . "', '" . $_POST["date"] . "', '" . $_POST["author"] . "', '" . $_POST["category"] . "', '" . $_POST["tags"] . "')", $DB_PASSWD, true), "token" => $token);
echo json_encode($response);
} else {
echo json_encode(array("error" => "Authentication error."));
}
$action = $_GET['action'];
$user_id = 0;
$answer = array('api_version' => API_VERSION, 'answer' => null, 'error' => null);
function json_encode_readable($arr)
{
//convmap since 0x80 char codes so it takes all multibyte codes (above ASCII 127). So such characters are being "hidden" from normal json_encoding
array_walk_recursive($arr, function (&$item, $key) {
if (is_string($item)) {
$item = mb_encode_numericentity($item, array(0x80, 0xffff, 0, 0xffff), 'UTF-8');
}
});
return mb_decode_numericentity(json_encode($arr), array(0x80, 0xffff, 0, 0xffff), 'UTF-8');
}
// check token for most action types
if (!in_array($action, array('search', 'login'))) {
$user_id = check_auth_token($_POST['user_id'], $_POST['token']);
if (!$user_id) {
throw new Exception('Incorrect token');
}
}
try {
switch ($action) {
case 'search':
if (isset($_GET['all_forms'])) {
$all_forms = (bool) $_GET['all_forms'];
} else {
$all_forms = false;
}
$answer['answer'] = get_search_results($_GET['query'], !$all_forms);
foreach ($answer['answer']['results'] as &$res) {
$parts = array();
require_once "../../utilities/auth.php";
require_once "auth.php";
require_once "database.php";
$image = file_get_contents("php://input");
$filename = preg_replace("/[^A-Za-z0-9.-_() ]+/", "", $_SERVER['HTTP_X_FILE_NAME']);
$allowed_extensions = array("tiff", "jpg", "jpeg", "gif", "png", "bmp");
$extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
$token_given = NULL;
foreach (apache_request_headers() as $header => $value) {
if (strcmp($header, "Token") == 0) {
$token_given = $value;
}
}
if (!$token_given) {
echo json_encode(array("error" => "Authentication error."));
return;
}
if (!in_array($extension, $allowed_extensions)) {
echo json_encode(array("error" => "This type of file extension is not allowed. (Talk to Joshua about it maybe?)"));
return;
}
$token = check_auth_token($token_given, $DB_PASSWD);
if ($token) {
$image_url = base_convert(strval(time()), 10, 36) . bin2hex(openssl_random_pseudo_bytes(2)) . "." . $extension;
file_put_contents("../../images/" . $image_url, $image);
query("INSERT INTO Images (image_url, image_low_res_url, image_name) VALUES ('" . $image_url . "', '', '" . $filename . "')", $DB_PASSWD, true);
$response = array("response" => array("image_url" => $image_url, "image_low_res_url" => "", "image_name" => $filename), "token" => $token);
echo json_encode($response);
} else {
echo json_encode(array("error" => "Authentication error."));
}
