Exemple #1
/**
 * Decrypt a value with the globally configured secret key.
 *
 * Loads class.pcrypt.php on demand and runs it with Blowfish in CBC mode,
 * keyed by the global $secretkey.
 *
 * NOTE(review): this function only decrypts. Nothing visible here verifies the
 * integrity or origin of $string, so unless pcrypt authenticates the data
 * internally (not shown), callers should not treat the result as trusted.
 *
 * @param mixed $string Ciphertext, handed to pcrypt::decrypt() unchanged.
 * @return mixed The decrypted value, or the result of html_error() when no key is configured.
 */
function decrypt($string)
{
    global $secretkey;

    // Without a key there is nothing to decrypt with: report the misconfiguration instead.
    if (!$secretkey) {
        return html_error('Value for $secretkey is empty, please create a random one (56 chars max) in accounts.php!');
    }

    require_once 'class.pcrypt.php';

    // pcrypt constructor arguments:
    //   mode - MODE_ECB or MODE_CBC
    //   algo - BLOWFISH
    //   key  - the secret key (max length: 56)
    $cipher = new pcrypt(MODE_CBC, 'BLOWFISH', (string) $secretkey);

    return $cipher->decrypt($string);
}
Exemple #2
/**
 * Decrypt a value with the globally configured secret key.
 *
 * Empty input short-circuits to an empty string. A missing key, or a key that
 * still equals the shipped default, is rejected through html_error() so that
 * an installation cannot keep running on a publicly known key.
 *
 * NOTE(review): this function only decrypts. Nothing visible here verifies the
 * integrity or origin of $string, so unless pcrypt authenticates the data
 * internally (not shown), callers should not treat the result as trusted.
 *
 * @param mixed $string Ciphertext, handed to pcrypt::decrypt() unchanged.
 * @return mixed '' for empty input, the result of html_error() for an unusable key,
 *               otherwise the decrypted value.
 */
function decrypt($string)
{
    global $secretkey;

    // Nothing to decrypt.
    if (!$string) {
        return '';
    }

    // Refuse both an unset key and the well-known default value.
    $keyIsUnusable = empty($secretkey) || $secretkey == 'UijSY5wjP1Ii';
    if ($keyIsUnusable) {
        return html_error('Value for $secretkey is empty or use default secretkey value, please create a random one (56 chars max) in your configs/config.php!', 0);
    }

    require_once 'class.pcrypt.php';

    // pcrypt constructor arguments:
    //   mode - MODE_ECB or MODE_CBC
    //   algo - BLOWFISH
    //   key  - the secret key (max length: 56)
    $cipher = new pcrypt(MODE_CBC, 'BLOWFISH', (string) $secretkey);

    return $cipher->decrypt($string);
}
Exemple #3
/* Id: PCRYPT_TEST.php
 * Simple test script to illustrate the use of pcrypt to cipher/decipher data.
 *
 * Author: Tim Gall
 * Date: 2009-02-02 14-50 (+10 GMT)
 */
// Deployment advice from the author: do not leave the pcrypt.php class at the top level of the site.
// A folder protected by .htaccess keeps web bots from indexing it and stops visitors from requesting it directly.
// NOTE(review): a directory outside the document root gives the same protection without relying on
// .htaccess being honoured by the web server.
include 'pcrypt.php'; // adjust to the real location, e.g. path/to/this/file/pcrypt.php

// Key source string. Choose a strong one and store it securely.
// NOTE(review): the literal below is demo material only; a real key belongs in configuration that is
// kept out of the web root and out of version control.
$key = 'mysecretkey akldjshfsaldkjhfaslkdfjh=-+*';

// Initialise the class with that key.
$encryptor = new pcrypt($key);

// The key can be replaced while the object is in use:
//   $encryptor->make_key('new key source');

$plain_text = 'This is some secret stuff';
// NOTE(review): the values are echoed into HTML without escaping. That is harmless for this fixed demo
// string, but real data should go through htmlspecialchars() before being printed.
echo 'Plain Text: ', $plain_text, '<br />';

// Cipher the text.
$cipher_text = $encryptor->cipher($plain_text);
echo 'Cipher Text: ', $cipher_text, '<br />';

// Decipher it again; the result should match the original plain text.
$plain_text = $encryptor->decipher($cipher_text);
echo 'Plain Text Again: ', $plain_text, '<br />';

// Explicit cleanup is only requested on PHP versions older than 5.
if (version_compare(PHP_VERSION, '5') < 0) {
    $encryptor->destruct_cipher();
}
Exemple #4
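/**
 * Render the body of a hide tag for the post that is currently being displayed.
 *
 * Depending on the forum settings and on the viewer, the tag content is replaced by
 * a login/register prompt, a "pay to unlock" form, a "reply to view" notice, or is
 * shown as-is. The result is finally passed through the "lock_wrapper" template.
 *
 * Reads the globals $mybb (settings and current user), $post (post being rendered),
 * $templates and $db.
 *
 * @param array  $params  Tag parameters; 'cost' and 'title' are read here.
 * @param string $content Text enclosed by the tag.
 * @return string|false false when the tag is empty, the literal 'Hidden Content' when
 *                      no post id is available, otherwise the wrapped output.
 */
function lock_hide($params, $content)
{
    global $mybb, $post, $templates, $db;

    // Access flags start out false so that the checks further down never read an
    // undefined variable (previously they were only assigned on the success paths).
    $paid = false;
    $posted = false;

    // if the tag has no content, do nothing.
    if (!$content) {
        return false;
    }
    // without a post id (e.g. on the print thread page) only a placeholder is returned.
    if (empty($post['pid'])) {
        return 'Hidden Content';
    }
    // does the user have to pay for the content?
    if ($mybb->settings['lock_purchases_enabled'] == true || (int) $mybb->settings['lock_default_price'] > 0) {
        // is the pay to view feature allowed in this forum?
        $disabled = explode(',', $mybb->settings['lock_disabled_forums']);
        if (!in_array($post['fid'], $disabled)) {
            // does the content have a price? can the user set the price?
            if (!isset($params['cost']) || !(bool) $mybb->settings['lock_allow_user_prices']) {
                // if not, fall back to the default price when one is configured.
                if ($mybb->settings['lock_default_price'] > 0) {
                    $params['cost'] = $mybb->settings['lock_default_price'];
                } else {
                    $params['cost'] = null;
                }
            }
            // only a numeric cost is accepted; anything else leaves $cost unset.
            if (is_numeric($params['cost'])) {
                $cost = $params['cost'];
                // has the user already unlocked the content?
                $allowed = explode(',', $post['unlocked']);
                if (in_array($mybb->user['uid'], $allowed)) {
                    $paid = true;
                }
            }
        }
    }
    if (!isset($cost)) {
        // if there's no cost, this must be a "post to view" hide tag
        // check to see whether the user has posted in this thread.
        // Both ids are forced to integers before they are placed in the WHERE clause,
        // so the query text cannot be altered by an unexpected value.
        $tid = (int) $post['tid'];
        $uid = (int) $mybb->user['uid'];
        $query = $db->simple_select('posts', '*', "tid = '{$tid}' AND uid = '{$uid}'");
        if ($db->num_rows($query)) {
            $posted = true;
        }
    }
    // if no title has been set, set a default title.
    if (!isset($params['title'])) {
        $params['title'] = "Hidden Content";
    }
    // if the user is not the OP, and has not been exempt from having hidden content
    if ($mybb->user['uid'] != $post['uid'] && !in_array($mybb->user['usergroup'], explode(',', $mybb->settings['lock_exempt']))) {
        if ($mybb->user['uid'] == 0) {
            // if the user isn't logged in, tell them to login or register.
            $return = "You must <a href=\"{$mybb->settings['bburl']}/member.php?action=register\">register</a> or <a href=\"{$mybb->settings['bburl']}/member.php?action=login\">login</a> to view this content.";
        } elseif (isset($cost) && !$paid) {
            // logged in, but the item has a price that has not been paid yet: offer the purchase form.
            // NOTE(review): the token below is Blowfish in ECB mode with no MAC, user id or expiry.
            // Encryption alone does not make it tamper-evident or bind it to this viewer; the handler
            // that receives it should re-derive the price from server-side data, or the token should
            // carry an HMAC that is verified with hash_equals() before it is trusted.
            require_once __DIR__ . '/../pcrypt.php';
            $key = $mybb->settings['lock_key'];
            $pcrypt = new pcrypt(MODE_ECB, "BLOWFISH", $key);
            // place the info we need into an array and serialise it as JSON.
            $info = array('pid' => $post['pid'], 'cost' => $cost);
            $info = json_encode($info);
            // encrypt the JSON and base64-encode it so it can travel in a hidden form field.
            $info = base64_encode($pcrypt->encrypt($info));
            // build the purchase button.
            $return = "<form method=\"post\">\n          <button type=\"submit\">Unlock for {$cost} points.</button>\n          <input type=\"hidden\" name=\"info\" value=\"{$info}\" />\n          <input type=\"hidden\" name=\"action\" value=\"purchase\" />\n        </form>";
        } elseif (!$paid && !$posted) {
            // no payment required, but the user has not replied yet.
            $return = "You must reply to this thread to view this content.";
        } else {
            // all is good: give them the content.
            $return = $content;
        }
    } else {
        // the OP and exempt groups bypass the hide tags.
        $return = $content;
    }
    // The template text is evaluated as a PHP double-quoted string, so it can interpolate the
    // local variables of this function.
    // NOTE(review): eval() is only as safe as the template source, and any value the template
    // interpolates (presumably $params['title'], which is caller-supplied) must already be
    // HTML-escaped - confirm where that happens.
    eval("\$return = \"" . $templates->get("lock_wrapper") . "\";");
    return $return;
}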
Exemple #5
<?php

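// Purchase handler: only continue for requests that carry action=purchase.
// The isset() guard keeps a request without the field from raising an undefined-index notice.
if (!isset($_POST['action']) || $_POST['action'] !== 'purchase') {
    return;
}
// if the purchases functionality has not been enabled, we do not need to continue.
if ($mybb->settings['lock_purchases_enabled'] != true) {
    return;
}
$key = $mybb->settings['lock_key'];
// include the pcrypt class, so we can decrypt the sent info.
require_once __DIR__ . '/../pcrypt.php';
$pcrypt = new pcrypt(MODE_ECB, "BLOWFISH", $key);
// The token comes straight from the client. Accept it only when it is a string; a missing field
// or an array value is treated as an empty token so base64_decode() never receives a non-string.
// NOTE(review): the token is encrypted in ECB mode and carries no MAC, so a successful decrypt
// does not prove the server issued these exact values. The decoded cost and post id should be
// checked against server-side data before any points are moved.
$encoded_info = (isset($_POST['info']) && is_string($_POST['info'])) ? $_POST['info'] : '';
// convert the sent info back into json data
$json = $pcrypt->decrypt(base64_decode($encoded_info));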
// if the data is indeed json data
if ($info = json_decode($json)) {
    // if the data has been successfully turned back into an object.
    if (is_object($info)) {
        // if the cost and post id are not numbers, return an error.
        if (!is_numeric($info->cost) || !is_numeric($info->pid)) {
            error("Something went wrong: NaN");
        }
        // check whether the current user has already unlocked the content
        $query = $db->write_query("SELECT uid,unlocked FROM " . TABLE_PREFIX . "posts WHERE pid='{$info->pid}'");
        $post = $db->fetch_array($query);
        $allowed = explode(',', $post['unlocked']);
        if (!is_array($allowed)) {
            $allowed = array();
        }