Exemple #1
0
function safesql($StrFiltKey, $StrFiltValue, $type)
{
    $getfilter = "\\<.+javascript:window\\[.{1}\\\\x|<.*=(&#\\d+?;?)+?>|<.*(data|src)=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\\s*?\\(\\d+?|sleep\\s*?\\(.*\\)|load_file\\s*?\\()|<[a-z]+?\\b[^>]*?\\bon([a-z]{4,})\\s*?=|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\\s+?[\\w]+?\\s+?\\bin\\b\\s*?\\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|\\/\\*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    $postfilter = "<.*=(&#\\d+?;?)+?>|<.*data=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\\s*?\\(\\d+?|sleep\\s*?\\(.*\\)|load_file\\s*?\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\\s+?[\\w]+?\\s+?\\bin\\b\\s*?\\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|\\/\\*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    $cookiefilter = "benchmark\\s*?\\(\\d+?|sleep\\s*?\\(.*\\)|load_file\\s*?\\(|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\\s+?[\\w]+?\\s+?\\bin\\b\\s*?\\(|\\blike\\b\\s+?[\"'])|\\/\\*.+?\\*\\/|\\/\\*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?)|UPDATE(\\(.+\\)|\\s+?.+?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?)FROM(\\(.+\\)|\\s+?.+?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    if ($type == "GET") {
        $ArrFiltReq = $getfilter;
    } elseif ($type == "POST") {
        $ArrFiltReq = $postfilter;
    } elseif ($type == "COOKIE") {
        $ArrFiltReq = $cookiefilter;
    }
    if (is_array($StrFiltValue)) {
        foreach ($StrFiltValue as $key => $value) {
            safesql($key, $value, $type);
        }
    } else {
        if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1) {
            exit(safe_pape());
        }
    }
    if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltKey) == 1) {
        exit(safe_pape());
    }
}
Exemple #2
0
 function get_end_pos($catid, $parent = 0)
 {
     global $data;
     $catid = safesql($catid, "int");
     $pos = 1;
     do {
         if ($parent == 0) {
             $temp = $data->select_query("menu_items", "WHERE cat = {$catid} AND pos = '{$pos}'");
         } else {
             $temp = $data->select_query("menu_items", "WHERE cat = {$catid} AND pos = '{$pos}' AND parent={$parent}");
         }
         if ($data->num_rows($temp) != 0) {
             $pos++;
         }
     } while ($data->num_rows($temp) != 0);
     return $pos;
 }
 function getSqlList($type, $field, $userid)
 {
     global $data;
     if ($userid == "") {
         $owned = $data->select_fetch_all_rows($number, "owners", "WHERE item_type='{$type}'");
         $ownedSql = '';
         if ($number > 0) {
             for ($i = 0; $i < $number; $i++) {
                 $ownedSql .= "{$field}  != " . safesql($owned[$i]['item_id'], "int");
                 if ($i != $number - 1) {
                     $ownedSql .= " AND ";
                 }
             }
         } else {
             $ownedSql = "{$field} >= 0";
         }
     } else {
         $ownedSql = owner_items_sql_list($field, $type, true, $userid);
     }
     return $ownedSql;
 }
Exemple #4
0
 } else {
     include "admin/admin_main.php";
     $tpl->assign('file', $filetouse);
 }
 $tpl->assign("mainpage", $page);
 $tpl->assign("pagename", $pagename);
 $tpl->assign("ex", $ex);
 $tpl->assign("error", $error);
 $tpl->assign('menufile', $menufile);
 $tpl->assign('message', $message);
 $tpl->assign('show', $show);
 $tpl->assign('userlevel', $check['level']);
 $tpl->assign('notsecond', $notsecond);
 $tpl->assign("timeoffset", getuseroffset($check['uname']));
 //Check for user message
 $uid = safesql($check['uid'], "text");
 $messages = $data->select_fetch_one_row("messages", "WHERE uid={$uid} AND type = 3");
 $data->delete_query("messages", "uid={$uid} AND type = 3");
 if ($messages) {
     $tpl->assign("infomessage", $messages['message'] . ($messages['type'] == 3 ? " (Click on the message to hide)" : ""));
     if ($messages['post'] != NULL) {
         $post = unserialize($messages['post']);
         $tpl->assign("repost", $post);
     }
     if ($messages['type'] == 1) {
         $tpl->assign("nohide", true);
     }
 }
 /********************************************End Content Generation*****************************************/
 //Compile page
 if ($config['softdebug'] == 1) {
Exemple #5
0
                    $newtopic = $data->fetch_array($sql);
                    $data->update_query("forums", "lasttopic='{$newtopic['id']}', lastpost='{$newtopic['lastpost']}', lastdate={$newtopic['lastdate']}", "id={$topic['forum']}", "", "", false);
                    echo "<script>window.location='index.php?page=forums&action=topic&t={$tid}&menuid={$menuid}';</script>";
                    exit;
                }
            }
            $pagenum = 7;
            $tpl->assign("tid", $tid);
        } else {
            echo "<script>alert('You don\\'t have the required permisions to delete a post''); window.location='index.php?page=forums&action=topic&t={$tid}';</script>";
            exit;
        }
        break;
    case "stopwatching":
        $tid = safesql($_GET['tid'], "int");
        $user = safesql($_GET['u'], "int");
        $data->update_query("forumstopicwatch", "notify=0", "uid = {$user} AND topic_id={$tid}", "", "", false);
        show_message("You are no longer watching the topic");
        include "forums/view_forum.php";
        break;
    case "allread":
        $sql = $data->delete_query("forumnew", "uid={$check['id']}");
        include "forums/view_forum.php";
        break;
    case "forumread":
        $sql = $data->delete_query("forumnew", "uid={$check['id']} AND forum={$f}");
    default:
        include "forums/view_forum.php";
}
$tpl->assign("username", $check['uname']);
$tpl->assign("userauths", $userauths);
Exemple #6
0
     //display all photos
     $photo = array();
     while ($temp = $data->fetch_array($photosql)) {
         $temp['caption'] = censor($temp['caption']);
         $photo[] = $temp;
     }
 }
 if (!$inarticle) {
     $editFormAction = $_SERVER['PHP_SELF'];
     if (isset($_SERVER['QUERY_STRING'])) {
         $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
     }
     $tpl->assign('editFormAction', $editFormAction);
     $id = safesql($albumid, "int");
     if (isset($_POST['submit']) && $_POST['submit'] == "Post Comment") {
         $comment = safesql(strip_tags($_POST['comment']), "text");
         if ($config['confirmcomment'] == 1) {
             $allowed = 0;
         } else {
             $allowed = 1;
         }
         $timestamp = time();
         $data->insert_query("comments", "'', {$id}, '{$check['id']}', 1, {$timestamp}, {$comment}, {$allowed}", "", "", false);
         if (confirm('comment')) {
             $page = $_SERVER['PHP_SELF'];
             if (isset($_SERVER['QUERY_STRING'])) {
                 $page .= "?" . $_SERVER['QUERY_STRING'];
             }
             $comment = $data->select_fetch_one_row("comments", "WHERE uid='{$check['id']}' AND item_id={$id} AND date={$timestamp}");
             confirmMail("comment", $comment);
             show_message("The comment first needs to be reviewed before it will be visible", $page);
    if ($action == "edit_advancements" && pageauth("troop", "edit") == 1) {
        $recordsql = $data->select_query("scoutrecord", "WHERE userid={$safe_memberid} AND scheme = {$safe_scheme}");
        if ($data->num_rows($recordsql) > 0) {
            $record = safesql(serialize($_POST['requirement']), "text");
            $comments = safesql(serialize($_POST['comment']), "text");
            $data->update_query("scoutrecord", "requirements={$record}, comment={$comments}", "userid={$safe_memberid} AND scheme= {$safe_scheme}");
        } else {
            $record = safesql(serialize($_POST['requirement']), "text");
            $comments = safesql(serialize($_POST['comment']), "text");
            $data->insert_query("scoutrecord", "'', {$safe_memberid}, {$record}, {$comments}, {$safe_scheme}");
        }
        show_admin_message("Record Updated", "admin.php?page={$page}&subpage=records&id={$id}&action=view_advancements");
    } elseif ($action == "addbadge" && pageauth("troop", "edit") == 1) {
        $badgeid = safesql($_POST['bid'], "int");
        $comment = safesql($_POST['comment'], "text");
        $date = safesql(time(), "int");
        $data->insert_query("userbadges", "'', {$safe_memberid}, {$badgeid}, {$comment}, {$date}");
        show_admin_message("Badge Added", "admin.php?page={$page}&subpage=records&id={$id}&action=view_badges");
    }
}
$schemes = $data->select_fetch_all_rows($numschemes, "awardschemes", "ORDER BY name ASC");
$tpl->assign("schemes", $schemes);
$tpl->assign("numschemes", $numschemes);
if ($action == "view_advancements" || $action == "" || $action == "edit_advancements" && pageauth("troop", "edit") == 1) {
    $advansql = $data->select_query("advancements", "WHERE scheme = {$safe_scheme} ORDER BY position ASC");
    $numadva = $data->num_rows($advansql);
    $advancements = array();
    $numitems = 0;
    $recordsql = $data->select_fetch_one_row("scoutrecord", "WHERE userid={$safe_memberid} AND scheme = {$safe_scheme}");
    $scoutRecord['requirement'] = unserialize($recordsql['requirements']);
    $scoutRecord['comment'] = unserialize($recordsql['comment']);
Exemple #8
0
 /**
  * Авторизация пользователя
  * Проверка логина и пароля
  * 
  * @param string		логин
  * @param string		пароль (не хеш)
  * @param string		тип авторизации (по логину или по email)
  * @return int|bool		возвращает ID пользователя, в случае успеха и false в случае неудачи.
  */
 function user_auth($user_login = '', $user_password = '', $type = 'login')
 {
     if (!$user_login or !$user_password) {
         return false;
     }
     $user_login = safesql($user_login);
     switch ($type) {
         default:
             $query = $this->db->get_where('users', array('login' => $user_login), 1);
             break;
         case 'email':
             $query = $this->db->get_where('users', array('email' => $user_login), 1);
             break;
     }
     if ($query->num_rows > 0) {
         $this->user_data = $query->row_array();
         $user_data =& $this->user_data;
         // Проверка на разрешенные IP
         if ($user_data['is_admin'] && isset($this->config->config['admin_ip'])) {
             if (!$this->_check_subnet()) {
                 return false;
             }
         }
         // Используется blowfish
         $password_hash = hash_password($user_password, $this->user_data['password']);
     } else {
         return false;
     }
     // Проверка пароля
     if ($password_hash == $this->user_data['password']) {
         $this->auth_id = (int) $user_data['id'];
         $this->auth_login = $user_data['login'];
         $this->auth_data = $user_data;
         $this->auth_data['balance'] = (int) $this->encrypt->decode($user_data['balance']);
         return $this->auth_id;
     } else {
         return false;
     }
 }
Exemple #9
0
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
**************************************************************************/
if (!defined('SCOUT_NUKE')) {
    die("You have accessed this page illegally, please go use the main menu");
}
if (isset($_GET['f'])) {
    $fid = safesql($_GET['f'], "int");
}
if (isset($_GET['t'])) {
    $tid = safesql($_GET['t'], "int");
}
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
$sql = $data->select_query("forums");
$numforums = $data->num_rows($sql);
if (empty($_GET['t'])) {
    $sql = $data->select_query("forums", "WHERE id={$fid}");
    $forum = $data->fetch_array($sql);
    $sql = $data->select_query("forumtopics", "WHERE forum={$fid}");
    $numtopics = $data->num_rows($sql);
    $topics = array();
    while ($topics[] = $data->fetch_array($sql)) {
    }
} else {
    $editFormAction = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
        $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
    }
    $Submit = $_POST['Submit'];
    $id = $_GET['id'];
    $action = $_GET['action'];
    // Edit content
    if ($Submit == "Update" && pageauth("emailedit", "edit") == 1) {
        $id = safesql($id, "int");
        $subject = safesql($_POST['subject'], "text");
        $email = safesql($_POST['email'], "text");
        if ($data->update_query("emails", "subject={$subject}, email={$email}", "id={$id}")) {
            show_admin_message("Email updated", $pagename);
        }
    }
    // Show specific content
    if ($id != "" && pageauth("emailedit", "edit") == 1) {
        // Show selected content
        $id = safesql($id, "int");
        $email = $data->select_fetch_one_row("emails", "WHERE id={$id}");
        $tpl->assign("email", $email);
    }
    // Show all news
    $emails = $data->select_fetch_all_rows($numemails, "emails", "ORDER BY name ASC");
    $tpl->assign('action', $action);
    $tpl->assign('numemails', $numemails);
    $tpl->assign('emails', $emails);
    $filetouse = "admin_emailedit.tpl";
}
Exemple #11
0
 }
 $tpl->assign("numalbums", $numalbums);
 $tpl->assign("album", $album);
 $tpl->assign("numarticles", $numart);
 $tpl->assign("article", $articles);
 $tpl->assign("numevents", $numevents);
 $tpl->assign("event", $events);
 $tpl->assign("numdownloads", $numdown);
 $tpl->assign("download", $downloads);
 $tpl->assign("numnews", $numnews);
 $tpl->assign("news", $newsitems);
 if ($_POST['submit'] == "Submit") {
     if (validate($_POST['validation'])) {
         $news = safesql($_POST['story'], "text", false);
         $title = safesql($_POST['title'], "text");
         $attachment = safesql($_POST['attachment'], "text");
         if (confirm('news')) {
             $Add = $data->insert_query("newscontent", "NULL, {$title}, {$news}, {$timestamp}, {$attachment}, 0, 0");
             $addon = "The news item first needs to be reviewed before it will be available on the site.";
         } else {
             $Add = $data->insert_query("newscontent", "NULL, {$title}, {$news}, {$timestamp}, {$attachment}, 1, 0");
         }
         $data->update_query("users", "numnews = numnews + 1", "id='{$check['id']}'");
         $article = $data->fetch_array($data->select_query("newscontent", "WHERE title={$title} AND event={$timestamp} ORDER BY id DESC", "id, title, news"));
         if (confirm('news')) {
             confirmMail("news", $article);
         } else {
             email('newitem', array("news", $article));
         }
         $data->insert_query("owners", "'', {$article['id']}, 'newsitem', {$check['id']}, 0, 0, 0");
         show_message("Your news item has been added. {$addon}", "index.php?page=mythings&menuid={$menuid}");
Exemple #12
0
                        $temp['etime'] = strftime("%H:%M", $temp['enddate']);
                        $calendar .= "\n        <div class=\"newsitem\">\n        <h3>" . censor($temp['summary']) . "</h3>\n        <span class=\"smalltext\"><b>Start Date: </b>{$temp['sdate']} | <b>Start Time: </b>{$temp['stime']}</span><br />\n        <span class=\"smalltext\"><b>End Date: </b>{$temp['edate']} | <b>End Time: </b>{$temp['etime']}</span>";
                        if ($temp['detail'] != NULL) {
                            $calendar .= "<p>" . censor($temp['detail']) . "</p>";
                        }
                        $calendar .= "</div>";
                    }
                }
            } else {
                $calendar .= "There are no events happening during {$month}.";
            }
            $calendar .= "<div class=\"smalltext\">You can see a year view by clicking on the <img src=\"{$templateinfo['imagedir']}calendar.png\" border=\"0\" title=\"Year View\" alt=\"Year View\"/> icon <br />You can see a month view by clicking on the <img src=\"{$templateinfo['imagedir']}view_month.png\" title=\"View Month\" alt=\"View Month\" border=\"0\"/> icon <br />You can goto the current date by clicking on the <img src=\"{$templateinfo['imagedir']}today.png\" border=\"0\" title=\"Today\" alt=\"Today\"/> icon</div>";
        }
        $add = get_auth('addevent') == 1 ? true : false;
        $addlink = "index.php?page=addevent&amp;menuid={$menuid}";
        $rssuname = safesql(md5($check['uname']), "text");
        if ($data->num_rows($data->select_query("rssfeeds", "WHERE itemid=1 AND type=3 AND uname={$rssuname}", "id"))) {
            $rss = 1;
        } else {
            $rss = 0;
        }
        $tpl->assign("calendar", $calendar);
        $tpl->assign("rss", $rss);
        $show_detail = false;
    }
} else {
    $calendar = new vcalendar();
    $calsql = $data->select_query("calendar_items", "WHERE allowed = 1 AND trash=0");
    while ($temp = $data->fetch_array($calsql)) {
        $groups = unserialize($temp['groups']);
        if (is_array($groups)) {
    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
**************************************************************************/
if (!empty($getmodules)) {
    $module['Configuration']['Module Manager'] = "modules";
    $moduledetails[$modulenumbers]['name'] = "Module Manager";
    $moduledetails[$modulenumbers]['details'] = "Manage CMScout modules";
    $moduledetails[$modulenumbers]['access'] = "Allowed to access the module manager";
    $moduledetails[$modulenumbers]['add'] = "notused";
    $moduledetails[$modulenumbers]['edit'] = "notused";
    $moduledetails[$modulenumbers]['delete'] = "notused";
    $moduledetails[$modulenumbers]['publish'] = "Allowed to deactivate and reactivate modules";
    $moduledetails[$modulenumbers]['limit'] = "notused";
    $moduledetails[$modulenumbers]['id'] = "modules";
    return;
} else {
    $id = safesql($_GET['id'], "int");
    if ($_GET['action'] == 'activate' && pageauth("modules", "publish")) {
        $sqlq = $data->update_query("functions", "active = 1", "id={$id}");
        header("Location: {$pagename}");
    } elseif ($_GET['action'] == 'deactivate' && pageauth("modules", "publish")) {
        $sqlq = $data->update_query("functions", "active = 0", "id={$id}");
        header("Location: {$pagename}");
    }
    $modules = $data->select_fetch_all_rows($nummodule, "functions", "WHERE type != 3 ORDER BY name ASC", "id, name, type, active");
    $tpl->assign("modules", $modules);
    $tpl->assign("nummodule", $nummodule);
    $filetouse = "admin_modules.tpl";
}
     $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
 }
 $tpl->assign('editFormAction', $editFormAction);
 if (isset($_POST["submit"])) {
     if (validate($_POST['validation'])) {
         $album_name = strip_tags($_POST['album_name']);
         $patrol = $_POST['patrol'];
         $insertSQL = sprintf("NULL, %s, %s", safesql($album_name, "text"), safesql($patrol, "int"));
         if (confirm('album')) {
             $message = "Your album has been added, but first needs to be reviewed by an administrator.";
             $insertSQL .= ", 0";
         } else {
             $message = "Your album has been added.";
             $insertSQL .= ", 1";
         }
         $album_name = safesql($album_name, "text");
         if ($data->insert_query("album_track", $insertSQL . ", 0")) {
             $album = $data->select_fetch_one_row("album_track", "WHERE album_name={$album_name} ORDER BY ID DESC");
             $data->update_query("users", "numalbums = numalbums + 1", "uname='{$check['uname']}'");
             $data->insert_query("owners", "'', {$album['ID']}, 'album', {$check['id']}, 0, 0, 0");
             if (confirm('album')) {
                 confirmMail("album", $album);
             } else {
                 email('newitem', array("album", $album));
             }
             show_message("Your photo album has been created. {$extra}", "index.php?page=mythings&cat=album&action=edit&id={$album['ID']}&menuid={$menuid}");
         } else {
             show_message("There was an error adding your photo album. If this error persists please contact the site administrator.", "index.php?page=addphotoalbum", true);
         }
     } else {
         show_message("There where some errors with some fields, please check them again and resubmit.", "index.php?page=addphotoalbum&menuid={$menuid}", true);
Exemple #15
0
 $poll['pollq'] = $_POST['question'];
 if ($poll['pollq'] != "") {
     $poll['pollq'] = safesql($poll['pollq'], "text");
     $poll['stopdate'] = $poll['stopdate'] != "" ? safesql(strtotime($poll['stopdate']), "int") : 0;
     if (confirm('poll')) {
         $message = "Your poll has been added, but first needs to be reviewed by an administrator.";
         $allow = 0;
     } else {
         $message = "Your poll has been added.";
         $allow = 1;
     }
     $results = array();
     for ($i = 0; $i < count($_POST['option']); $i++) {
         $results[str_replace(' ', '', $_POST['option'][$i])] = 0;
     }
     $results = safesql(serialize($results), "text");
     $sql = $data->insert_query("polls", "NULL, {$poll['pollq']}, {$timestamp}, {$poll['stopdate']}, {$options}, {$results}, {$allow}, 0");
     if ($sql) {
         $polling = $data->select_fetch_one_row("polls", "WHERE question = {$poll['pollq']} AND date_start={$timestamp} ORDER BY id DESC", "id");
         if ($data->insert_query("owners", "'', {$polling['id']}, 'pollitems', {$check['id']}, 0, 0, 0")) {
             if (confirm('poll')) {
                 confirmMail("poll", $polling);
             } else {
                 email('newitem', array("poll", $polling));
             }
             show_message($message, "index.php?page=mythings&menuid={$menuid}");
         } else {
             show_message("There was an error adding your poll. If this error persists please contact the site administrator.", "index.php?page=addpoll&menuid={$menuid}", true);
         }
     }
 }
             $options = array();
             $options[0] = $_POST['numoptions'];
             for ($i = 1; $i <= $_POST['numoptions']; $i++) {
                 $temp = $_POST['option' . $i];
                 if ($temp != '') {
                     $options[] = $temp;
                 } else {
                     --$options[0];
                 }
             }
             break;
         case 6:
             $options = "''";
     }
     $pos = get_end_pos();
     $options = safesql(serialize($options), "text");
     if ($action == "new") {
         $data->insert_query("profilefields", "'', {$name}, {$query}, {$options}, {$hint}, {$type}, {$required}, {$register}, {$profileview}, {$pos}, 0, 0");
         show_admin_message("Field Added", $pagename);
     } elseif ($action == "edit") {
         $data->update_query("profilefields", "query={$query}, options={$options}, hint={$hint}, type={$type}, required={$required}, register={$register}, profileview={$profileview}", "id={$id}");
         show_admin_message("Field Updated", $pagename);
     }
 }
 if ($action == "") {
     $sql = $data->select_query("profilefields", "WHERE place=0 ORDER BY pos ASC");
     $numfields = $data->num_rows($sql);
     $field = array();
     while ($field[] = $data->fetch_array($sql)) {
         $tpl->assign("numfields", $numfields);
     }
Exemple #17
0
        $parentforum = $data->fetch_array($sql);
        $tpl->assign("issubforum", 1);
        $tpl->assign("parentforum", $parentforum);
    }
    $tpl->assign("forum", $forum);
    $tpl->assign("new", $new);
} elseif (!$new && $edit && $userauths['edit']) {
    if ($_POST['submit'] == "Submit") {
        $subject = safesql($_POST['subject'], "text");
        $post = safesql($_POST['story'], "text", false);
        $type = safesql($_POST['type'], "text");
        $sql = $data->select_query("forumposts", "WHERE id={$pid}");
        $posts = $data->fetch_array($sql);
        $sql = $data->select_query("forumposts", "WHERE topic={$posts['topic']} ORDER BY dateposted ASC");
        $first = $data->fetch_array($sql);
        $attach = safesql($_POST['attach'], "text");
        if ($first['dateposted'] == $posts['dateposted']) {
            $firstpost = 1;
        } else {
            $firstpost = 0;
        }
        if ($firstpost == 1) {
            $data->update_query("forumtopics", "type={$type}", "id={$posts['topic']}");
        }
        $sql = $data->update_query("forumposts", "subject = {$subject}, posttext = {$post}, edittime={$timestamp}, edituser='******'id']}', attachment={$attach}", "id={$pid}", "", "", false);
        if ($sql) {
            $sql = $data->select_query("forumposts", "WHERE id={$pid}");
            $post = $data->fetch_array($sql);
            show_message("Thank you for your edit", "index.php?page=forums&action=topic&t={$post['topic']}&menuid={$menuid}");
        }
    } elseif ($_POST['preview'] == "Preview Post") {
     $gid = safesql($_POST['gid'], "int");
     $utype = safesql($_POST['utype'], "int");
     $sql = $data->select_query("usergroups", "WHERE userid={$uid} AND groupid={$gid}");
     if ($data->num_rows($sql) == 0 && $gid != 0) {
         $data->insert_query("usergroups", "{$gid}, {$uid}, {$utype}");
     }
 } elseif ($action == "moveup") {
     $uid = safesql($_GET['uid'], "int");
     $userGroups = $data->select_fetch_one_row("usergroups", "WHERE userid={$uid} AND groupid={$gid}");
     $userGroups['utype'] = $userGroups['utype'] + 1;
     if ($userGroups['type'] <= 2) {
         $data->update_query("usergroups", "utype={$userGroups['utype']}", "userid = {$uid} AND groupid={$gid}");
     }
     show_admin_message("User type changed", str_replace('&amp;', '&', $pagename) . "&uid={$uid}");
 } elseif ($action == "movedown") {
     $uid = safesql($_GET['uid'], "int");
     $userGroups = $data->select_fetch_one_row("usergroups", "WHERE userid={$uid} AND groupid={$gid}");
     $userGroups['utype'] = $userGroups['utype'] - 1;
     if ($userGroups['type'] >= 0) {
         $data->update_query("usergroups", "utype={$userGroups['utype']}", "userid = {$uid} AND groupid={$gid}");
     }
     show_admin_message("User type changed", str_replace('&amp;', '&', $pagename) . "&uid={$uid}");
 }
 $sql = $data->select_query("users", "WHERE id={$uid}");
 $userinfo = $data->fetch_array($sql);
 $sql = $data->select_query("usergroups", "WHERE userid={$uid}");
 $usergroups = array();
 $numusergroups = $data->num_rows($sql);
 while ($temp = $data->fetch_array($sql)) {
     $sql2 = $data->select_query("groups", "WHERE id={$temp['groupid']}", "id, teamname");
     $temp2 = $data->fetch_array($sql2);
             if ($status == 1) {
                 email_user($user['id'], "account_actived");
             } else {
                 email_user($user['id'], "account_deactiv");
             }
         }
         $insertSQL = sprintf("uname=%s, status=%s, timezone=%s, firstname=%s, lastname=%s, email=%s, custom=%s", safesql($username, "text"), safesql($status, "text"), safesql($_POST['zone'], "text"), safesql($firstname, "text"), safesql($lastname, "text"), safesql($email, "text"), safesql($custom, "text"));
         if ($password) {
             $insertSQL .= ", passwd=" . safesql(md5($password), "text");
         }
         $Result1 = $data->update_query("users", $insertSQL, "id={$id}");
         if ($Result1) {
             show_admin_message("User details updated", "admin.php?page=users");
         }
     } else {
         $insertSQL = sprintf("firstname=%s, lastname=%s, email=%s, custom=%", safesql($firstname, "text"), safesql($lastname, "text"), safesql($email, "text"), safesql($custom, "text"));
         $Result1 = $data->update_query("users", $insertSQL, "id={$id}");
         if ($Result1) {
             show_admin_message("User details updated", "admin.php?page=users");
         }
     }
 }
 if ($action == "Edit") {
     $user_query = $data->select_query("users", "WHERE id={$safe_id}");
     $users = $data->fetch_array($user_query);
     $action = 'Edit';
 }
 $sql = $data->select_query("timezones", "ORDER BY offset ASC");
 $zone = array();
 $numzones = $data->num_rows($sql);
 while ($zone[] = $data->fetch_array($sql)) {
Exemple #20
0
             }
         }
         show_admin_message("Photo updated", "{$pagename}&action=view&id={$id}");
     }
 } elseif ($action == "new") {
     if (pageauth("photo", "limit") == 1) {
         $groupsqllist = group_sql_list_id("id", "OR", true);
         $teams = $data->select_fetch_all_rows($numteams, "groups", "WHERE ({$groupsqllist}) AND ispublic=1");
     } else {
         $teams = $data->select_fetch_all_rows($numteams, "groups", "WHERE ispublic=1");
     }
     $tpl->assign('teams', $teams);
     $tpl->assign('numteams', $numteams);
     if ($_POST['submit'] == "Add Album") {
         $group = safesql($_POST['patrol'], "int");
         $name = safesql($_POST['album_name'], "text");
         $data->insert_query("album_track", "'', {$name}, {$group}, 1, 0");
         show_admin_message("Album added", "{$pagename}");
     }
 } elseif ($action == "") {
     if (pageauth("photo", "limit")) {
         $patrollist = group_sql_list_id("patrol", "OR");
         $result = $data->select_query("album_track", "WHERE ({$patrollist}) AND trash=0 ORDER BY album_name ASC");
     } else {
         $result = $data->select_query("album_track", "WHERE trash=0 ORDER BY album_name ASC");
     }
     $albums = array();
     while ($temp = $data->fetch_array($result)) {
         if ($temp['patrol'] > 0) {
             $temp2 = $data->select_fetch_one_row("groups", "WHERE id={$temp['patrol']}", "teamname");
             $temp['patrol'] = $temp2['teamname'];
     $tpl->assign("numpatrols", $numpatrols);
     $tpl->assign("patrols", $patrols);
     $tpl->assign("numsubsites", $numsubsites);
     $tpl->assign("subsites", $subsites);
     if ($Submit == "Move") {
         $moveto = $_POST['place'];
         if ($moveto == '0') {
             $pid = 0;
             $type = 0;
         } else {
             $moveto = explode("_", $moveto);
             if ($moveto[0] == "group") {
                 $pid = safesql($moveto[1], "int");
                 $type = 1;
             } elseif ($moveto[0] == "site") {
                 $pid = safesql($moveto[1], "int");
                 $type = 2;
             }
         }
         $data->update_query("static_content", "type={$type}, frontpage=0, pid={$pid}", "id={$safe_id}");
         show_admin_message("Content moved", "admin.php?page=patrol&subpage=patrolcontent&pid={$patrolid}");
     }
 }
 $result = $data->select_query("static_content", "WHERE type=1 AND pid={$safe_patrolid} ORDER BY friendly ASC");
 $content = array();
 $content[] = $data->fetch_array($result);
 $numcontent = $data->num_rows($result);
 while ($content[] = $data->fetch_array($result)) {
 }
 $tpl->assign("item", $item);
 $tpl->assign("patrolname", $patrolname);
Exemple #22
0
    $okusers = array();
    $notokusers = array();
    for ($i = 0; $i < count($tousers); $i++) {
        $message = "";
        $to = safesql(trim($tousers[$i]), "text");
        $sql = $data->select_query("users", "WHERE uname = {$to}", "id");
        $userinfo = $data->fetch_array($sql);
        if ($data->num_rows($sql) > 0 && $tousers[$i] != $check['uname']) {
            if ($sql) {
                $okusers[] = $userinfo['id'];
            }
        }
    }
    if (count($okusers) > 0) {
        $userlist = implode(', ', $okusers);
        $to = safesql($userlist, "text");
        $sql = $data->select_query("pms", "WHERE type=4 AND fromuser={$check['id']} ORDER BY date ASC", "id");
        if ($data->num_rows($sql) >= $config['numpm']) {
            $temp = $data->fetch_array($sql);
            $data->delete_query("pms", "id={$temp['id']}");
        }
        $sql = $data->insert_query("pms", "NULL, {$subject}, {$pm}, {$timestamp}, 4, 1, 0, {$check['id']}, {$to}", "", "", false);
        $message .= "Your message has been saved in your drafts folder. ";
    }
    show_message($message, "index.php?page=pmmain&action=drafts&menuid={$menuid}");
}
$tpl->assign("isedit", "simp");
$location = "User Control Panel >> New Message";
$tpl->assign("pm", $inboxpm);
$tpl->assign("numpm", $numpm);
$tpl->assign("onpage", "New Personal Message");
Exemple #23
0
**************************************************************************/
if (!defined('SCOUT_NUKE')) {
    die("You have accessed this page illegally, please go use the main menu");
}
if (isset($_GET['action'])) {
    $action = $_GET['action'];
}
$pagenum = 1;
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
$editit = false;
$reply = false;
$sendit = false;
$userid = safesql($check['id'], "int");
if ($_POST['delete'] == "Delete Selected Messages") {
    $username = $check['uname'];
    $page = $_POST['oldpage'];
    switch ($page) {
        case "Inbox":
            $type = 1;
            break;
        case "Drafts":
            $type = 4;
            break;
        case "Sentbox":
            $type = 2;
            break;
        case "Savebox":
            $type = 3;
Exemple #24
0
         $new[$config_name] = $default_config[$config_name];
         $errorconfig = '';
         if ($allowed_array[$config_name] && isset($_POST[$config_name])) {
             if ($config_name == "siteaddress" && $config['siteaddress'] != $newvalue) {
                 $new = urlencode($_POST[$config_name]);
                 $old = urlencode($config['siteaddress']);
                 @file("http://www.cmscout.co.za/newaddress.php?address={$old}&new={$new}");
             }
             $newvalue = safesql($_POST[$config_name], "text", false);
             echo $newvalue . '<br>';
             $sql = $data->update_query("config", "value = {$newvalue}", "name = '{$config_name}'", "", "", false);
         }
     }
     $config_name = 'exclusion';
     $_POST[$config_name] = serialize(is_array($_POST[$config_name]) ? $_POST[$config_name] : '');
     $newvalue = safesql($_POST[$config_name], "text", false);
     $sql = $data->update_query("config", "value = {$newvalue}", "name = '{$config_name}'", "", "", false);
     show_admin_message("Configuration Updated", "admin.php?page=config");
 }
 $theme_q = $data->select_query("themes", "ORDER BY name ASC");
 $theme = array();
 $numthemes = $data->num_rows($theme_q);
 while ($theme[] = $data->fetch_array($theme_q)) {
 }
 $sql = $data->select_query("timezones", "ORDER BY offset ASC");
 $zone = array();
 $numzones = $data->num_rows($sql);
 while ($zone[] = $data->fetch_array($sql)) {
 }
 $sql = $data->select_query("groups", "ORDER BY teamname ASC", "id, teamname");
 $group = array();
Exemple #25
0
 if ($detail['id'] == -1 && $detail['status'] == 1) {
     if ($redirectpage != "" && $redirectpage != "page=logon" && $_GET['redirect'] != "administration_panel") {
         show_message("Incorrect username or password", 'index.php?page=' . $redirectpage, false, $detail['uid']);
     } else {
         show_message("Incorrect username or password", false, false, $detail['uid']);
     }
 } elseif ($detail['id'] == -1 && $detail['status'] == 0) {
     $uname = safesql($uname, "text");
     $temp = $data->select_fetch_one_row("users", "WHERE uname = {$uname}", "id");
     if ($redirectpage != "" && $redirectpage != "page=logon" && $_GET['redirect'] != "administration_panel") {
         show_message("<a href=\"activate.php?id={$temp['id']}\">Your account has not been activated yet. Click here to resend the activation email.</a>", 'index.php?page=' . $redirectpage, false, $detail['uid'], 1);
     } else {
         show_message("<a href=\"activate.php?id={$temp['id']}\">Your account has not been activated yet. Click here to resend the activation email.</a>", false, false, $detail['uid'], 1);
     }
 } elseif ($detail['id'] == -1 && $detail['status'] == -1) {
     $uname = safesql($uname, "text");
     $temp = $data->select_fetch_one_row("users", "WHERE uname = {$uname}", "id");
     if ($redirectpage != "" && $redirectpage != "page=logon" && $_GET['redirect'] != "administration_panel") {
         show_message("Your account has been blocked. Please contact the administrator to unblock it.", 'index.php?page=' . $redirectpage, false, $detail['uid']);
     } else {
         show_message("Your account has been blocked. Please contact the administrator to unblock it.", false, false, $detail['uid']);
     }
 } else {
     if ($redirectpage != "" && $_GET['redirect'] != "register" && $_GET['redirect'] != "forgot" && $redirectpage != "page=logon" && $_GET['redirect'] != "administration_panel") {
         header("Location: index.php?page={$redirectpage}");
     } elseif ($_GET['redirect'] == "administration_panel") {
         header("Location: admin.php");
     } else {
         header("Location: index.php");
     }
 }
    $moduledetails[$modulenumbers]['limit'] = "notused";
    $moduledetails[$modulenumbers]['id'] = "sections";
    return;
} else {
    $id = safesql($_GET['id'], "int");
    $Submit = $_POST['Submit'];
    $action = $_GET['action'];
    if ($Submit == 'Submit') {
        if ($action == "new" && pageauth("sections", "add")) {
            $name = safesql($_POST['name'], "text");
            $sql = $data->insert_query("sections", "NULL, {$name}");
            if ($sql) {
                show_admin_message("Section added", $pagename);
            }
        } elseif ($action == "edit" && pageauth("sections", "edit")) {
            $name = safesql($_POST['name'], "text");
            $sql = $data->update_query("sections", "name = {$name}", "id = {$id}");
            if ($sql) {
                show_admin_message("Section updated", $pagename);
            }
        }
    }
    if ($action == "edit" && pageauth("sections", "edit")) {
        $result = $data->select_query("sections", "WHERE id = '{$id}'");
        $section = $data->fetch_array($result);
        $tpl->assign("section", $section);
    } elseif ($action == "delete" && pageauth("sections", "delete")) {
        $sql = $data->delete_query("sections", "id = '{$id}'");
        if ($sql) {
            show_admin_message("Section deleted", $pagename);
        }
             $custom[$temp['name']] = $temp2;
         } else {
             $custom[$temp['name']] = $_POST[$temp['name']];
         }
     }
     $custom = safesql(serialize($custom), "text");
     $insertSQL = "'', '', {$username}, {$password}, {$status}, {$timestamp}, 0, 0, 0, 0, {$zone}, 0, {$firstname}, {$lastname}, {$email}, '', '', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, {$custom}";
     if ($data->insert_query("users", $insertSQL)) {
         $uinfo = $data->select_fetch_one_row("users", "WHERE uname={$username}");
         $data->insert_query("usergroups", "{$config['defaultgroup']}, {$uinfo['id']}, 0");
         if ($_POST['member'] == 1) {
             $type = safesql($_POST['type'], "int");
             $sex = safesql($_POST['sex'], "int");
             $address = safesql('None', "text");
             $tel = safesql('None', "text");
             $cell = safesql('None', "text");
             $data->insert_query("members", "'', {$firstname}, NULL, {$lastname}, '0', {$sex}, {$address}, {$cell}, {$tel}, NULL, {$email}, NULL, NULL, NULL, NULL, NULL, 0, 0, {$type}, {$uinfo['id']}, 0, 0, 0, 0, NULL");
         }
         show_admin_message("User added", "admin.php?page=users");
     }
 }
 $zone = $data->select_fetch_all_rows($numzones, "timezones", "ORDER BY offset ASC");
 $sql = $data->select_query("profilefields", "WHERE place=0 ORDER BY pos ASC");
 $fields = array();
 $numfields = $data->num_rows($sql);
 while ($temp = $data->fetch_array($sql)) {
     $temp['options'] = unserialize($temp['options']);
     $fields[] = $temp;
 }
 $tpl->assign('fields', $fields);
 $tpl->assign('numfields', $numfields);
 function addguest($status)
 {
     global $data;
     $botlist = array("Teoma", "alexa", "froogle", "inktomi", "looksmart", "URL_Spider_SQL", "Firefly", "NationalDirectory", "Ask Jeeves", "TECNOSEEK", "InfoSeek", "WebFindBot", "girafabot", "crawler", "www.galaxy.com", "Googlebot", "Scooter", "Slurp", "appie", "FAST", "WebBug", "Spade", "ZyBorg", "rabaz", "msnbot");
     $botdetect = 0;
     foreach ($botlist as $bot) {
         if (ereg($bot, $_SERVER['HTTP_USER_AGENT'])) {
             if ($bot == "Googlebot") {
                 if (substr($REMOTE_HOST, 0, 11) == "216.239.46.") {
                     $bot = "Googlebot Deep Crawl";
                 } elseif (substr($REMOTE_HOST, 0, 7) == "64.68.8") {
                     $bot = "Google Freshbot";
                 }
             } elseif ($bot == "Slurp") {
                 $bot = "Yahoo! Slurp";
             } elseif ($bot == "msnbot") {
                 $bot = "MSNBot";
             }
             $botdetect = 1;
             break;
         }
     }
     $username = !$botdetect ? "Guest" : $bot;
     $nuid = $this->set_cookie($username);
     $ntime = time();
     $username = safesql($username, "text");
     $ip = safesql($_SERVER['REMOTE_ADDR'], "text");
     $data->delete_query("onlineusers", "uid='{$nuid}'");
     if ($botdetect == 1) {
         $data->delete_query("onlineusers", "uname='{$bot}'");
     }
     if (!$data->num_rows($data->select_query("onlineusers", "WHERE uid='{$nuid}'"))) {
         $data->insert_query("onlineusers", "'{$nuid}', {$username}, '{$ntime}', '{$ntime}', 1, 0, '', 0, {$ip}, 1, {$botdetect}");
     }
     $check['id'] = -1;
     $check['bot'] = $botdetect;
     $check['uname'] = !$botdetect ? "Guest" : $bot;
     $check['team'] = "Guest";
     $check['uid'] = $nuid;
     $check['status'] = $status == 1 ? 0 : ($status == -1 ? -1 : 1);
     return $check;
 }
     $teams = array();
     $team_query = $data->select_query("groups", "ORDER BY teamname ASC", "id, teamname");
     $numteams = $data->num_rows($team_query);
     while ($teams[] = $data->fetch_array($team_query)) {
     }
     $tpl->assign('teams', $teams);
     $tpl->assign('numteams', $numteams);
     $submit = $_POST["Submit"];
     if ($submit == "Submit") {
         $title = safesql($_POST['title'], "text");
         $sort = safesql($_POST['sort'], "text");
         $order = safesql($_POST['order'], "text");
         $display = safesql($_POST['display'], "int");
         $groupallowed = safesql(serialize($_POST['groups']), "text");
         $description = safesql($_POST['description'], "text");
         $perpage = safesql($_POST['perpage'], "int");
         $sql = $data->insert_query("articletopics", "'', {$title}, {$description}, {$sort}, {$order}, {$groupallowed}, {$display}, {$perpage}");
         if ($sql) {
             show_admin_message("Topic added", "{$pagename}&activetab=topics");
         }
     }
 } else {
     $action = "";
 }
 if ($action == "") {
     $row = array();
     if (pageauth("patrolart", "limit")) {
         $patrol = group_sql_list_id("patrol", "OR", true);
         $result = $data->select_query("patrol_articles", "WHERE ({$patrol}) AND trash=0 ORDER BY date_post DESC");
     } else {
         $result = $data->select_query("patrol_articles", "WHERE trash=0 ORDER BY date_post DESC");
Exemple #30
0
     $temp['options'] = unserialize($temp['options']);
     if ($temp['type'] == 4) {
         $temp2 = array();
         $temp2[] = 0;
         for ($i = 1; $i <= $temp['options'][0]; $i++) {
             $temp2[] = $_POST[$temp['name'] . $i] ? 1 : 0;
         }
         $custom[$temp['name']] = $temp2;
     } else {
         $custom[$temp['name']] = $_POST[$temp['name']];
     }
 }
 $custom = safesql(serialize($custom), "text");
 $status = $config['accountactivation'] != 0 ? 0 : 1;
 $activecode = md5($username . $password . (microtime() + mktime()));
 $safe_activecode = $config['accountactivation'] != 0 ? safesql($activecode, "text") : 0;
 $insertSQL = "'', '', {$username}, {$password}, {$status}, {$timestamp}, 0, 0, 0, 0, {$zone}, {$safe_activecode}, {$firstname}, {$lastname}, {$email}, '', '', 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, {$custom}";
 if ($data->insert_query("users", $insertSQL)) {
     $uinfo = $data->select_fetch_one_row("users", "WHERE uname={$username}");
     $data->insert_query("usergroups", "{$config['defaultgroup']}, {$uinfo['id']}, 0");
     if ($config['accountactivation'] == 0) {
         $activateinfo = "You can login right away.";
     } elseif ($config['accountactivation'] == 1) {
         $activateinfo = "You need to activate your account before you can use it. To activate it goto {$config['siteaddress']}activate.php?id={$uinfo["id"]}&code={$activecode}.";
         $link = "{$config['siteaddress']}activate.php?id={$uinfo["id"]}&code={$activecode}";
     } elseif ($config['accountactivation'] == 2) {
         $activateinfo = "The site administrator needs to activate your account before you can start using it. You will be emailed once the administrator has activated your account.";
     }
     $uname = $_POST['usernames'];
     $password = $_POST['password'];
     $emailAddress = $_POST['email'];