public function loginValidate() { // Remove old login attempts $this->db->delete("loginattempts")->condition("attempt_time", time() - 1200, "<")->execute(); // Are we locked out still? $results = $this->db->select("loginattempts")->fields("loginattempts", array("attempt_ip"))->condition("attempt_ip", $_SERVER['REMOTE_ADDR'])->execute()->fetchAll(); if (count($results) > 5) { kxFunc::showError(_gettext('System lockout'), _gettext('Sorry, because of your numerous failed logins, you have been locked out from logging in for 20 minutes. Please wait and then try again.')); } else { // Find users with the username supplied to us $results = $this->db->select("staff")->fields("staff", array("user_id", "user_name", "user_password", "user_salt"))->condition("user_name", $this->request['username'])->execute()->fetchAll(); if (count($results) > 0) { if (md5($this->request['password'] . $results[0]->user_salt) == $results[0]->user_password) { // Let's make our session $session_id = md5(uniqid(microtime())); $this->request['sid'] = $session_id; // Delete any sessions that already exist for this user $this->db->delete("manage_sessions")->condition("session_staff_id", $results[0]->user_id)->execute(); // Insert our new values $this->db->insert("manage_sessions")->fields(array('session_id' => $session_id, 'session_ip' => $_SERVER['REMOTE_ADDR'], 'session_staff_id' => $results[0]->user_id, 'session_location' => "index", 'session_log_in_time' => time(), 'session_last_action' => time(), 'session_url' => ""))->execute(); // Set the cookies so ajax functions will load $this->SetModerationCookies(); //$this->environment->get('kx:classes:core:logging:id')->manageLog(_gettext('Logged in'), 1); // Let's figure out where we need to go $whereto = ""; // Unfiltered on purpose if ($_POST['qstring']) { $whereto = stripslashes($_POST['qstring']); $whereto = str_replace(kxEnv::Get('kx:paths:script:path'), "", $whereto); $whereto = str_ireplace("?manage.php", "", $whereto); $whereto = ltrim($whereto, '?'); $whereto = preg_replace("/sid=(\\w){32}/", "", $whereto); $whereto = str_replace(array('old_&', 'old_&'), "", $whereto); $whereto = str_replace("module=login", "", $whereto); $whereto = str_replace("do=login-validate", "", $whereto); $whereto = str_replace('&', '&', $whereto); $whereto = preg_replace("/&{1,}/", "&", $whereto); } $url = kxEnv::Get('kx:paths:script:path') . kxEnv::Get('kx:paths:script:folder') . '/manage.php?sid=' . $session_id . '&' . $whereto; if (!empty($_COOKIE['use_frames'])) { $twigData['url'] = $url; kxTemplate::output("manage/frames", $twigData); } else { kxFunc::doRedirect($url, true); } exit; } else { $this->db->insert("loginattempts")->fields(array('attempt_name' => $this->request['username'], 'attempt_ip' => $_SERVER['REMOTE_ADDR'], 'attempt_time' => time()))->execute(); $this->showForm(_gettext('Incorrect username/password.')); } } else { $this->db->insert("loginattempts")->fields(array('attempt_name' => $this->request['username'], 'attempt_ip' => $_SERVER['REMOTE_ADDR'], 'attempt_time' => time()))->execute(); $this->showForm(_gettext('Incorrect username/password.')); } } }
public function exec(kxEnv $environment) { // Before we do anything, let's check if we even have any board info if (!$this->request['board']) { die; kxFunc::doRedirect(kxEnv::Get('kx:paths:main:webpath')); } // Grabing essential data about the board $boardType = $this->db->select("boards")->fields("boards", array("board_type"))->condition("board_name", $this->request['board'])->execute()->fetchField(); // Uh oh! Someone's being naughty! Silently redirect them to the mainpage if they supply us with a non-existing board. if ($boardType === false) { kxFunc::doRedirect(kxEnv::Get('kx:paths:main:webpath')); } //Check against our built-in board types. if (in_array($boardType, array(0, 1, 2, 3))) { $types = array('image', 'text', 'oekaki', 'upload'); $module_to_load = $types[$boardType]; } else { $result = $this->db->select("modules")->fields("modules", array("module_variables", "module_directory"))->condition("module_application", 1)->execute()->fetchAll(); foreach ($result as $line) { $varibles = unserialize($line->module_variables); if (isset($variables['board_type_id']) && $variables['board_type_id'] == $boardType) { $module_to_load = $line->module_directory; } } } // Module loading time! $moduledir = kxFunc::getAppDir("board") . '/modules/public/' . $module_to_load . '/'; if (file_exists($moduledir . $module_to_load . '.php')) { require_once $moduledir . $module_to_load . '.php'; } else { kxFunc::doRedirect(kxEnv::Get('kx:paths:main:webpath')); } // Some routine checks... $className = "public_board_" . $module_to_load . "_" . $module_to_load; if (class_exists($className)) { $module_class = new ReflectionClass($className); if ($module_class->isSubClassOf(new ReflectionClass('kxCmd'))) { $this->_boardClass = $module_class->newInstance($this->environment); $this->_boardClass->execute($this->environment); } else { kxFunc::doRedirect(kxEnv::Get('kx:paths:main:webpath')); } } else { kxFunc::doRedirect(kxEnv::Get('kx:paths:main:webpath')); } // Include our posting class require_once kxFunc::getAppDir('core') . '/classes/posting.php'; $this->_postingClass = new posting($this->environment); $this->environment->set('kx:classes:board:posting:id', $this->_postingClass); // Phew, that's over with. Let's now prepare our post for generation. //Are we UTF-8? $this->_postingClass->checkUTF8(); // Is post valid according to our board's spec? if ($this->_boardClass->validPost()) { $this->db->startTransaction(); // Do we have files? $this->postData['files'] = isset($_FILES['imagefile']) ? $_FILES['imagefile']['name'] : ''; // Backwards compatability hack for dumpers that don't support multifile uploading if ($this->postData['files'] && !is_array($this->postData['files'])) { foreach ($_FILES['imagefile'] as $key => $value) { $_FILES['imagefile'][$key] = array($value); } $this->postData['files'] = array($_FILES['imagefile']['name'][0]); } $this->postData['is_reply'] = $this->_postingClass->isReply($this->_boardClass->board->board_id); $this->_postingClass->checkPostingTime($this->postData['is_reply'], $this->_boardClass->board->board_id); $this->_postingClass->checkMessageLength($this->_boardClass->board->max_message_length); $this->_postingClass->checkBlacklistedText($this->_boardClass->board->board_id); $this->_postingClass->checkCaptcha($this->_boardClass->board, $this->postData); $this->_postingClass->checkBannedHash($this->_boardClass->board); //How many replies, is the thread locked, etc if ($this->postData['is_reply']) { $this->postData['thread_info'] = $this->_postingClass->threadInfo($this->_boardClass->board_id, $this->request['replythread']); } else { $this->postData['thread_info'] = array('replies' => 0, 'locked' => 0, 'parent' => 0); } // Subject, email, etc fields need special processing $this->postData['post_fields'] = $this->_postingClass->parseFields(); $this->postData['post_fields']['postpassword'] = isset($this->request['postpassword']) ? $this->request['postpassword'] : ''; $nextid = $this->db->select("posts")->fields("posts", array("post_id"))->condition("post_board", $this->_boardClass->board->board_id)->execute()->fetchField(); if ($nextid) { $this->postData['next_id'] = $nextid + 1; } else { $this->postData['next_id'] = 1; } // Are we modposting? $this->postData['user_authority'] = $this->_postingClass->userAuthority(); if (isset($this->request['displaystaffstatus'])) { $this->postData['flags'] .= 'D'; } if (isset($this->request['lockonpost'])) { $this->postData['flags'] .= 'L'; } if (isset($this->request['stickyonpost'])) { $this->postData['flags'] .= 'S'; } if (isset($this->request['rawhtml'])) { $this->postData['flags'] .= 'RH'; } if (isset($this->request['usestaffname'])) { $this->postData['flags'] .= 'N'; } $this->postData['display_status'] = 0; $this->postData['lock_on_post'] = 0; $this->postData['sticky_on_post'] = 0; // If they are just a normal user, or vip... if ($this->postData['user_authority'] == 0 || $this->postData['user_authority'] > 2) { // If the thread is locked if ($this->postData['thread_info']['locked'] == 1) { // Don't let the user post kxFunc::showError(_gettext('Sorry, this thread is locked and can not be replied to.')); } $this->postData['thread_info']['message'] = $this->_boardClass->parseData($this->request['message']); // Or, if they are a moderator/administrator... } else { // If they checked the D checkbox, set the variable to tell the script to display their staff status (Admin/Mod) on the post during insertion if (isset($this->request['displaystaffstatus'])) { $this->postData['display_status'] = true; } // If they checked the RH checkbox, set the variable to tell the script to insert the post as-is... if (isset($this->request['rawhtml'])) { $this->postData['thread_info']['message'] = $this->request['message']; // Otherwise, parse it as usual... } else { $this->postData['thread_info']['message'] = $this->_boardClass->parseData($this->request['message']); } // If they checked the L checkbox, set the variable to tell the script to lock the post after insertion if (isset($this->request['lockonpost'])) { $this->postData['lock_on_post'] = true; } // If they checked the S checkbox, set the variable to tell the script to sticky the post after insertion if (isset($this->request['stickyonpost'])) { $this->postData['sticky_on_post'] = true; } if (isset($this->request['usestaffname'])) { $_POST['name'] = kxFunc::md5_decrypt($this->request['modpassword'], kxEnv::Get('kx:misc:randomseed')); $post_name = kxFunc::md5_decrypt($this->request['modpassword'], kxEnv::Get('kx:misc:randomseed')); } } //kxFunc::checkBadUnicode($this->postData['post_fields']); $this->_boardClass->processPost($this->postData); $url = kxEnv::Get("kx:paths:boards:path") . '/' . $this->_boardClass->board->board_name; if (!$this->postData['is_reply']) { $url .= '/' . kxEnv::Get('kx:pages:first'); } else { $url .= '/res/' . intval($this->request['replythread']) . '.html'; } @header('Location: ' . $url); } }