Esempio n. 1
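function PrepareTextDB($text)
{
    // Normalise a free-text form field for storage: every run of vertical
    // whitespace becomes a single <br />, then the project's DB escaping is
    // applied. The previous version did this in six passes (two while-loops,
    // two str_replace() calls, a preg_replace() and an nl2br() whose input no
    // longer contained newlines); the two regexes below are the same
    // transformation in two passes.
    $text = trim($text);
    // \v+ covers \n, \r, \r\n, \f and \x0B (any run of them -> one <br />).
    // The second alternative also turns a literal backslash-r / backslash-n
    // typed into the text into a <br />. Kept for compatibility with stored
    // data, but note it mangles legitimate input such as a Windows path
    // ("C:\new" -> "C:<br />ew").
    $text = preg_replace('/\\v+|\\\\[rn]/', '<br />', $text);
    // Adjacent <br /> tags -- from neighbouring blank lines, or already present
    // in the input -- collapse to one.
    $text = preg_replace('~(?:<br />){2,}~', '<br />', $text);
    // stripslashes() dates from the magic_quotes_gpc era (removed in PHP 5.4);
    // on a modern PHP it silently strips user-typed backslashes. Left in place
    // because existing rows were produced this way -- review before removing.
    $text = stripslashes($text);
    // NOTE(review): EscapeStr() appears to be the SQL-escaping helper. Nothing
    // in this function HTML-escapes the text, so whoever prints the stored
    // value must still escape it for the HTML context (the <br /> tags inserted
    // above are the only markup that is meant to survive).
    $text = EscapeStr($text);
    return $text;
}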
Esempio n. 2
     $name = 'iprange';
 }
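 if (!empty($ip) and $ip != '0.0.0.0') {
     // First two dot-separated parts of the address. Initialise first so an
     // address with fewer than two parts does not leave $ip_part undefined
     // for the str_replace() below.
     $ip_part = "";
     $ipv = explode(".", $ip);
     if (count($ipv) >= 2) {
         $ip_part = $ipv[0] . "." . $ipv[1];
     }
     $ip_part = str_replace(":", "", $ip_part);
 } else {
     $ip_part = "";
 }
 $admin = safeEscape(trim($_POST["admin"]));
 $gn = safeEscape(trim($_POST["gn"]));
 $date = EscapeStr(trim($_POST["date"]));
 $expire = EscapeStr(trim($_POST["expire"]));
 $warn = EscapeStr(trim($_POST["warn"]));
 if (empty($ip)) {
     // No IP supplied: reuse the one already on record for this name.
     // The name is bound as a parameter instead of being concatenated into
     // the SQL. In the visible branch it is the literal 'iprange'; where the
     // caller sets it is not visible here -- NOTE(review): if it arrives
     // pre-escaped with backslashes, that escaping now has to be dropped at
     // the source or quoted names will never match.
     $sth = $db->prepare("SELECT * FROM " . OSDB_GP . " WHERE name = :name AND ip!='' LIMIT 1");
     $sth->bindValue(':name', $name, PDO::PARAM_STR);
     $result = $sth->execute();
     $row = $sth->fetch(PDO::FETCH_ASSOC);
     // fetch() returns false when there is no row; use an empty IP rather than
     // indexing into false.
     $ip = ($row !== false && isset($row["ip"])) ? $row["ip"] : "";
 }
 // Anything strtotime() cannot parse (false, which date() treats as 1970),
 // or a year at or before 1990, means "no expiry".
 $expireTs = strtotime($expire);
 if ($expireTs === false || (int) date("Y", $expireTs) <= 1990) {
     $expire = "";
 }
 if (strlen($name) <= 2) {
     $errors .= "<div>Field Name does not have enough characters</div>";
 }
 // A ':' inside the IP appears to denote a range ban; only root admins may
 // create those.
 if (!OS_IsRoot() and strstr($ip, ":")) {
     $errors .= "<div style='color: #ab0900; font-weight:bold;'><img src='del.png' alt='delete' width='16' height='16' class='imgvalign' /> You don't have permission to ban IP range</div>";
 }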
Esempio n. 3
//eDIT
if (isset($_GET["edit"]) and is_numeric($_GET["edit"]) or isset($_GET["add"])) {
    $name = "";
    $server = "";
    $reason = "";
    $ip = "";
    $admin = "";
    $gn = "";
    if (isset($_GET["edit"]) and is_numeric($_GET["edit"])) {
        $id = safeEscape((int) $_GET["edit"]);
    }
    //UPDATE
    if (isset($_POST["edit_ban"])) {
        $name = safeEscape(trim($_POST["name"]));
        $server = safeEscape(trim($_POST["server"]));
        $reason = EscapeStr(convEnt2(trim($_POST["reason"])));
        $ip = safeEscape(trim($_POST["ip"]));
        $admin = safeEscape(trim($_POST["admin"]));
        $gn = safeEscape(trim($_POST["gn"]));
        $warnc = safeEscape(trim((int) $_POST["warnc"]));
        $d = safeEscape(trim($_POST["d"]));
        $m = safeEscape(trim($_POST["m"]));
        $y = safeEscape(trim($_POST["y"]));
        $h = safeEscape(trim($_POST["h"]));
        $i = safeEscape(trim($_POST["i"]));
        $expire = "{$y}-{$m}-{$d} {$h}:{$i}:00";
        $expireT = strtotime($expire);
        $expireSql = date('Y-m-d H:i:00', $expireT);
        if ($d < 0 or $d > 31) {
            $expire = '';
        }
Esempio n. 4
<?php

//if (!defined('IN_OS')) exit;
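if (isset($_GET["replayLoc"])) {
    // replayLoc names a file relative to the parent directory; further down it
    // goes to file_exists() and the replay parser, which reads it. EscapeStr()
    // is the DB-escaping helper and does nothing against path traversal, so a
    // value such as "../../etc/passwd" would be opened as-is. Reject any ".."
    // path segment and NUL bytes before building the path; a rejected value
    // yields an empty path, which file_exists() reports as not found.
    // NOTE(review): resolving with realpath() and checking the result stays
    // under the replay directory would be stronger -- that directory is not
    // visible from here, so the check below is the minimum.
    $requestedReplay = (string) $_GET["replayLoc"];
    $hasTraversal = preg_match('~(^|[\\\\/])\\.\\.([\\\\/]|$)~', $requestedReplay) === 1;
    if ($requestedReplay === "" || strpos($requestedReplay, "\0") !== false || $hasTraversal) {
        $replayloc = "";
    } else {
        $replayloc = "../" . EscapeStr($requestedReplay);
    }
}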
if (file_exists("{$replayloc}")) {
    $drawTable = "replay_header";
    include "themes/" . $DefaultStyle . "/game_log.php";
    require 'inc/replay_parser/chat.php';
    $replay = new replay($replayloc);
    if (!isset($error)) {
        ///////////////////     COLORS            ////////////
        $firstBlood = true;
        $i = 1;
        foreach ($replay->teams as $team => $players) {
            if ($team != 12) {
                foreach ($players as $player) {
                    // remember there's no color in tournament replays from battle.net website
                    if ($player['color']) {
                        //echo('<span class="'.$player['color'].'">'.$player['color'].'</span>');
                        // since version 2.0 of the parser there's no players array so
                        // we have to gather colors and names earlier as it will be harder later ;)
                        $colors[$player['player_id']] = $player['color'];
                        $names[$player['player_id']] = $player['name'];
                    }
                }
                $i++;
            }
        }
        for ($i = 0; $i <= 14; $i++) {
Esempio n. 5
                            if (isset($_POST["search"])) {
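                                function HighlightKeyword($str, $search)
                                {
                                    // Wrap every case-insensitive occurrence of $search in $str with <b>...</b>.
                                    // HTML tags are stripped from $str first because the result is echoed into
                                    // the page as markup (callers must not HTML-escape it again, or the <b> tags
                                    // would show up literally). Returns the tag-stripped string unchanged when
                                    // the keyword is empty.
                                    //
                                    // The previous loop re-ran str_replace() once per occurrence, which nested
                                    // <b> tags when the keyword appeared more than once, passed the loop index
                                    // to stripos() as an offset, and only applied strip_tags() when at least one
                                    // match was found. One regex pass does all of it.
                                    $clean = strip_tags($str);
                                    $search = (string) $search;
                                    if ($search === '') {
                                        return $clean;
                                    }
                                    // preg_quote() makes a keyword containing regex metacharacters match
                                    // literally; the callback keeps the original casing of each hit.
                                    $pattern = '/' . preg_quote($search, '/') . '/i';
                                    $highlighted = preg_replace_callback(
                                        $pattern,
                                        function ($m) {
                                            return '<b>' . $m[0] . '</b>';
                                        },
                                        $clean
                                    );
                                    // preg_replace_callback() returns null on a PCRE error; show the plain
                                    // text rather than nothing.
                                    return $highlighted === null ? $clean : $highlighted;
                                }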
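                                // The keyword is kept unescaped: it is bound as a PDO parameter below and is
                                // also the needle HighlightKeyword() matches against raw player names. Running
                                // it through EscapeStr() first (which appears to be the SQL-escaping helper)
                                // would put backslashes into both the LIKE pattern and the highlight needle, so
                                // names containing a quote could never match. If $search is echoed back into
                                // the page further down, it must be htmlspecialchars()'d there.
                                $search = trim($_POST["search"]);
                                // '%' and '_' are LIKE wildcards; escape them so a user cannot widen the match
                                // (MySQL's default ESCAPE character is the backslash).
                                $likePattern = '%' . addcslashes($search, '%_\\') . '%';
                                $sth = $db->prepare("SELECT * FROM `" . OSDB_STATS_P . "` \n\tWHERE player LIKE :pattern GROUP BY player ORDER BY user_level DESC, id DESC LIMIT 50");
                                $sth->bindValue(':pattern', $likePattern, PDO::PARAM_STR);
                                $result = $sth->execute();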
                                ?>
	<div class="LiveSearchWrapper">
	<a href="javascript:;" onclick="OS_ResetSearch()" style="float: right;"><img src="<?php 
                                echo OS_HOME;
                                ?>
img/close.png" alt="close" width="16" height="16" class="imgvalign" /></a>
	<?php 
                                while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
                                    $player = HighlightKeyword($row["player"], $search);
                                    ?>
	 <div><a href="<?php 
                                    echo OS_HOME;
                                    ?>
Esempio n. 6
}
if (isset($_GET["edit"]) or isset($_GET["add"])) {
    if (isset($_GET["edit"])) {
        $edit = safeEscape($_GET["edit"]);
    }
    if (isset($_GET["add"])) {
        $HeroName = "";
        $heroid = "";
        $desc = "";
        $stats = "";
        $skills = "";
        $type = 0;
    }
    if (isset($_POST["edit_hero"])) {
        $HeroName = EscapeStr($_POST["hero_name"]);
        $heroid = EscapeStr($_POST["heroid"]);
        $desc = my_nl2br(trim($_POST["desc"]));
        $desc = str_replace(array("&Scaron;", "&scaron;"), array("Š", "š"), $desc);
        $type = (int) $_POST["type"];
        $stats = my_nl2br(removeDoubleSpaces(trim($_POST["stats"])));
        $stats = str_replace(array("&Scaron;", "&scaron;"), array("Š", "š"), $stats);
        $skills = my_nl2br(removeDoubleSpaces(trim($_POST["skills"])));
        $skills = str_replace(array("&Scaron;", "&scaron;"), array("Š", "š"), $skills);
        if ($heroid != "" and strlen($HeroName) >= 2) {
            if (isset($_GET["edit"])) {
                $update = $db->update(OSDB_HEROES, array("description" => $HeroName, "summary" => $desc, "stats" => $stats, "skills" => $skills, "type" => $type), "heroid = '" . $edit . "' ");
                OS_AddLog($_SESSION["username"], "[os_heroes] EDITED HERO ( {$edit}, {$HeroName} )");
            } else {
                $hid = str_replace(".gif", "", $heroid);
                $check = $db->prepare("SELECT * FROM " . OSDB_HEROES . " WHERE heroid = '" . $hid . "' ");
                $result = $check->execute();
Esempio n. 7
$itemID = "";
if (isset($_GET["edit"]) or isset($_GET["add"])) {
    if (isset($_GET["edit"])) {
        $edit = safeEscape($_GET["edit"]);
    } else {
        $edit = "";
    }
    if (isset($_POST["edit_item"])) {
        $icon = safeEscape($_POST["icon"]);
        $name = convEnt2($_POST["name"]);
        $shortname = convEnt2($_POST["shortname"]);
        $item_info = my_nl2br(convEnt2(trim($_POST["item_info"])));
        $item_info = str_replace(array("&Scaron;", "&scaron;"), array("Š", "š"), $item_info);
        $price = EscapeStr($_POST["price"]);
        $type = EscapeStr($_POST["type"]);
        $icon = EscapeStr($_POST["icon"]);
        if (strlen($name) >= 2 and strlen($shortname) >= 2) {
            if (isset($_GET["edit"])) {
                $upd = 1;
                $update = $db->update(OSDB_ITEMS, array("name" => $name, "shortname" => $shortname, "item_info" => $item_info, "price" => $price, "type" => $type, "icon" => $icon), "itemid = '" . $edit . "' ");
                if ($upd) {
                    ?>
<h2>Item successfully updated</h2><?php 
                    OS_AddLog($_SESSION["username"], "[os_items] EDITED ITEM ( {$name}, {$edit} )");
                }
            } else {
                if (isset($_GET["add"])) {
                    $id = safeEscape(strtoupper($_POST["itemid"]));
                    $sth = $db->prepare("SELECT * FROM " . OSDB_ITEMS . " WHERE (itemid) = ('" . $id . "')  LIMIT 1 ");
                    $result = $sth->execute();
                    if ($sth->rowCount() >= 1) {
Esempio n. 8
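    function OS_ForgotPassword()
    {
        // Two-step password reset; echoes its HTML directly.
        //  1. No ?e=/&c= in the URL: show the "enter your email" form. On POST
        //     (reset_password + reset_password_submit) look the address up,
        //     store a one-time code against it (OS_add_custom_field) and mail a
        //     link carrying e=<email>&c=<code>. One request per session.
        //  2. ?e=&c= present: validate the address, compare the code with the
        //     stored one, and on POST of reset_1/reset_2 write the new password
        //     hash and delete the code.
        // Reads $_GET, $_POST, $_SESSION; writes $_SESSION["password_send"], the
        // users table and the custom-fields table.
        $errors = "";
        global $db;
        global $mail;
        global $lang;
        if (isset($_POST["reset_password"]) and isset($_POST["reset_password_submit"])) {
            $email = EscapeStr(trim($_POST["reset_password"]));
            if (isset($_SESSION["password_send"])) {
                $errors .= "<h4>You have already sent a request to reset the password. Please check your mail.</h4>";
            }
            // Strict address syntax: nothing that could break out of a quoted SQL
            // string or a URL gets past this.
            if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) {
                $errors .= "<h4>Invalid Email address</h4>";
            }
            if (empty($errors)) {
                $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 ");
                $sth->bindValue(':email', $email, PDO::PARAM_STR);
                $result = $sth->execute();
                if ($sth->rowCount() <= 0) {
                    // NOTE(review): this message (and its twin in step 2) tells an
                    // anonymous caller whether an address is registered. A uniform
                    // "if the address exists, a mail has been sent" response would
                    // avoid account enumeration; left as-is to keep the page's
                    // wording.
                    $errors .= "<h4>Email address does not exist in our database.</h4>";
                }
                if (empty($errors)) {
                    // NOTE(review): the code is stored without a timestamp, so the
                    // link never expires on its own -- it is only invalidated by
                    // being used. The helper's signature gives no way to attach an
                    // expiry from here.
                    $code = generate_hash(16);
                    OS_add_custom_field(0, 'reset_password|' . $email, $code);
                    // require_once: a second call in the same request would
                    // otherwise redeclare the class and fatal.
                    require_once "inc/class.phpmailer.php";
                    // Both values end up in a query string; encode them so an
                    // address containing '+' or '%' (both allowed by the regex
                    // above) survives the round trip intact.
                    $resetLink = OS_HOME . "?action=reset_password&e=" . rawurlencode($email) . "&c=" . rawurlencode($code);
                    $message = "You have requested a password reset.<br />";
                    $message .= "Click on the link below to reset your password:<br /><br />";
                    $message .= $resetLink . "<br /><br />";
                    $message .= "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />";
                    $message .= "If you did not request a password reset just ignore this email and delete it.<br />";
                    $mail = new PHPMailer();
                    $mail->CharSet = 'UTF-8';
                    $mail->ContentType = 'text/plain';
                    $mail->IsHTML(true);
                    $mail->SetFrom($lang["email_from"], $lang["email_from_full"]);
                    $mail->AddAddress($email, "");
                    $mail->Subject = "Password reset!";
                    $mail->MsgHTML($message);
                    $mail->AltBody = "This is the body in plain text for non-HTML mail clients";
                    $mail->Send();
                    $_SESSION["password_send"] = time();
                    // Not an error, just the confirmation message shown below.
                    $errors = "<h4>You have successfully submitted a request to reset your password. Please check your mail.</h4>";
                }
            }
        }
        ?>
<div id="content" class="s-c-x">
<div class="wrapper">   
    <div id="main-column">
     <div class="padding">
      <div class="inner">
	  <h2>Reset password</h2>
	  <div class="padTop"></div>
	  
	  <?php 
        if (!empty($errors)) {
            echo $errors;
        }
        ?>
	  <?php 
        if (!isset($_GET["c"]) and !isset($_GET["e"])) {
            ?>
	  <form action="" method="post">
	  <table style="width:800px;">
	    <tr class="row">
		  <td></td>
		  <td>
		  <b>You can't retrieve your password, but you can set a new one by following a link sent to you by email.</b>
		  <div>- This is the email address you used to register on the site.</div>
		  <div>- If you do not receive an email, check your "Spam" folder.</div>
		  </td>
		</tr>
	    <tr class="row">
		  <td width="120" class="padLeft">Email address:</td>
		  <td class="padLeft">
		    <input type="text" name="reset_password" size="39" value="" style="height:26px;" />
		  </td>
		</tr>
	    <tr class="row">
		  <td width="120" class="padLeft"></td>
		  <td class="padLeft"><input type="submit" name="reset_password_submit" class="menuButtons" value="Send" />
		  <div class="padBottom"></div>
		  </td>
		</tr>
	  </table>
	  </form>
	  <?php 
        } else {
            // A missing e= or c= is replaced by a random value so the checks
            // below fail in the normal way instead of tripping on an undefined
            // variable.
            if (isset($_GET["e"])) {
                $email = EscapeStr(trim($_GET["e"]));
            } else {
                $email = generate_hash(12);
            }
            if (isset($_GET["c"])) {
                $code = EscapeStr(trim($_GET["c"]));
            } else {
                $code = generate_hash(12);
            }
            if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) {
                $errors .= "<h4>Invalid Email address</h4>";
            }
            if (empty($errors)) {
                $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 ");
                $sth->bindValue(':email', $email, PDO::PARAM_STR);
                $result = $sth->execute();
                if ($sth->rowCount() <= 0) {
                    $errors .= "<h4>Email address does not exist in our database.</h4>";
                }
            }
            if (empty($errors)) {
                $value = OS_get_custom_field(0, 'reset_password|' . $email);
                // hash_equals() instead of a loose != : constant-time, and a stored
                // value of null/false/0 can never compare equal to a crafted code
                // through type juggling. Codes of 5 characters or less are rejected
                // outright, so an empty stored value cannot match an empty code.
                if (strlen($code) <= 5 || !is_string($value) || !hash_equals($value, $code)) {
                    $errors .= "<h4>Link has expired, or the password has already been reset</h4>";
                }
            }
            //FINALLY RESET
            if (empty($errors) and isset($_POST["reset_1"]) and isset($_POST["reset_2"])) {
                // NOTE(review): strip_tags() alters any password containing '<'.
                // That is only harmless if the login path applies the same
                // transformation -- not visible here, verify.
                $p1 = strip_tags($_POST["reset_1"]);
                $p2 = strip_tags($_POST["reset_2"]);
                if ($p1 !== $p2) {
                    $errors .= "<h4>Both passwords are not the same</h4>";
                } elseif ($p1 === "") {
                    // Previously an empty pair was accepted and the account was
                    // left with an empty password.
                    $errors .= "<h4>Password can not be empty</h4>";
                } else {
                    $hash = generate_hash(16, 1);
                    $password_db = generate_password($p1, $hash);
                    // $email passed the strict address regex above (no quote or
                    // backslash can get through), so the interpolated WHERE is
                    // constrained; $db->update() offers no way to bind it.
                    $result = $db->update(OSDB_USERS, array("user_password" => $password_db, "password_hash" => $hash), "user_email = '" . $email . "'");
                    // The one-time code is consumed here. Bound parameters instead
                    // of the previous string-built DELETE.
                    $delete = $db->prepare("DELETE FROM " . OSDB_CUSTOM_FIELDS . " WHERE field_value = :code AND field_name = :field LIMIT 1");
                    $delete->bindValue(':code', $code, PDO::PARAM_STR);
                    $delete->bindValue(':field', 'reset_password|' . $email, PDO::PARAM_STR);
                    $delete->execute();
                    $PasswordReset = 1;
                }
            }
            if (!empty($errors)) {
                echo $errors;
            } else {
                if (isset($PasswordReset) and $PasswordReset == 1) {
                    ?>
	 <h2>Password has been successfully changed. Now you can log in.</h2>
	 <?php 
                } else {
                    ?>
	  <form action="" method="post">
	  	<table style="width:600px;">
	    <tr class="row">
		  <td class="padLeft">New password:</td>
		  <td class="padLeft"><input type="password" name="reset_1" size="6" value="" /></td>
		</tr>
	    <tr class="row">
		  <td class="padLeft">Repeat password:</td>
		  <td class="padLeft"><input type="password" name="reset_2" size="6" value="" /></td>
		</tr>
	    <tr class="row">
		  <td width="120" class="padLeft"></td>
		  <td class="padLeft"><input type="submit" name="reset_pw" class="menuButtons" value="Reset your password" />
		  <div class="padBottom"></div>
		  </td>
		</tr>
	    </table>
		
	  </form>
	  <?php 
                }
            }
        }
        ?>
	  
	  <div style="height:260px;"></div>
	  </div>
    </div>
   </div>
 </div>
</div>
   <?php 
    }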
            $errors .= "<div>" . $lang["error_invalid_login"] . "</div>";
        } else {
            $errors = "<div>" . $lang["error_invalid_login"] . "</div>";
        }
    }
}
//REGISTER
if (isset($_GET["login"]) and !is_logged() and isset($_POST["register_"])) {
    if ($UserActivation == 2) {
        require_once OS_PLUGINS_DIR . 'index.php';
        os_init();
        header('location: ' . OS_HOME . '');
        die;
    }
    $username = OS_StrToUTF8($_POST["reg_un"]);
    $username = EscapeStr(trim($username));
    $email = safeEscape(trim($_POST["reg_email"]));
    $email = strtolower($email);
    $password = safeEscape($_POST["reg_pw"]);
    $password2 = safeEscape($_POST["reg_pw2"]);
    $registration_errors = "";
    $AllowedCharacters = '0123456789QWERTZUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklyxcvbnmљњертзуиопшђасдфгхјклчћжѕџцвбнмšđč枊ĐČĆŽЉЊЕРТЗУИОПШЂАСДФГХЈКЛЧЋЖЅЏЦВБНМ_-';
    if (!preg_match('/^[' . $AllowedCharacters . ']+$/', $username)) {
        $registration_errors .= "<div>" . $lang["error_username"] . "</div>";
    }
    //die($registration_errors." - ".$username);
    if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) {
        $registration_errors .= "<div>" . $lang["error_email"] . "</div>";
    }
    if (strlen($username) <= 2) {
        $registration_errors .= "<div>" . $lang["error_short_un"] . "</div>";
Esempio n. 10
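if (!isset($website)) {
    // Guard against the file being requested directly instead of through the
    // front controller that defines $website: answer 404 and stop.
    // http_response_code() emits the status on whatever protocol version the
    // request used (HTTP/1.0, 1.1, 2) instead of hard-coding an "HTTP/1.1"
    // status line.
    http_response_code(404);
    die;
}
$BanAppeal = "";
$MenuClass["bans"] = "active";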
if (isset($_POST["submit_appeal"])) {
    $player = safeEscape(trim($_SESSION["bnet_username"]));
    $subject = safeEscape(trim($_POST["subject"]));
    $reason = safeEscape(trim($_POST["message"]));
    $reason = my_nl2br(trim($_POST["message"]));
    $reason = nl2br($reason);
    $reason = EscapeStr($reason);
    $game_url = EscapeStr(trim($_POST["game_url"]));
    $replay_url = EscapeStr(trim($_POST["replay_url"]));
    $errors = "";
    if (strlen($player) <= 2) {
        $errors .= "<div>" . $lang["error_report_player"] . "</div>";
    }
    if (strlen($reason) <= 3) {
        $errors .= "<div>" . $lang["error_report_reason"] . "</div>";
    }
    if (!is_logged()) {
        $errors = "<div>" . $lang["error_report_login"] . "</div>";
    }
    if (isset($_SESSION["last_report"]) and $_SESSION["last_report"] + $BanReportTime > time()) {
        $TimeLeft = time() - $_SESSION["last_report"];
        $errors = "<div>" . $lang["error_report_time2"] . " " . ($BanReportTime - $TimeLeft) . " " . $lang["error_sec"] . " </div>";
    }
    if (empty($errors)) {
Esempio n. 11
}
?>

<?php 
if (isset($_GET["hid"])) {
    $hid = safeEscape($_GET["hid"]);
    if (isset($_POST["heroid"])) {
        $hid = safeEscape($_POST["heroid"]);
    }
    $sth = $db->prepare("SELECT * FROM " . OSDB_HEROES . " WHERE original!='' AND heroid = '" . $hid . "' ");
    $result = $sth->execute();
    if ($sth->rowCount() >= 1) {
        $row = $sth->fetch(PDO::FETCH_ASSOC);
        if (isset($_POST["add_guide"]) and isset($_POST["guide_url"])) {
            $url = EscapeStr($_POST["guide_url"]);
            $title = EscapeStr(convEnt2($_POST["guide_title"]));
            $errors = "";
            $edit = "";
            $code = $_POST["code"];
            if ($code != $_SESSION["code"]) {
                $errors .= '<div><img src="' . $website . 'adm/del.png" alt="edit" /> Invalid form</div>';
            }
            if (!strstr($url, "http")) {
                $errors .= "<div>Link is not valid.</div>";
            }
            if (empty($errors)) {
                if (isset($_GET["edit"]) and is_numeric($_GET["edit"])) {
                    $edit = safeEscape((int) $_GET["edit"]);
                    $sql = "AND id != '" . $edit . "'";
                } else {
                    $sql = "";
Esempio n. 12
 $location = safeEscape(trim($_POST["location"]));
 $realm = safeEscape(trim($_POST["realm"]));
 $www = EscapeStr(trim($_POST["website"]));
 $gender = EscapeStr(trim($_POST["gender"]));
 $clan = EscapeStr(trim($_POST["clan"]));
 $user_ppwd = EscapeStr(trim($_POST["user_ppwd"]));
 if (isset($_POST["hide"])) {
     $hide = (int) EscapeStr(trim($_POST["hide"]));
 }
 if (strstr($user_ppwd, " ")) {
     $user_ppwd = "";
 }
 if (strstr($user_ppwd, "\t")) {
     $user_ppwd = "";
 }
 $lang = EscapeStr(trim($_POST["lang"]));
 $sql = "UPDATE " . OSDB_USERS . " SET ";
 if (isset($_POST["admin_realm"])) {
     if ($_POST["admin_realm"] == "OHConnect") {
         $sql .= " admin_realm = 'OHConnect', ";
     }
     if ($_POST["admin_realm"] == "europe.battle.net") {
         $sql .= " admin_realm = 'europe.battle.net', ";
     }
     if ($_POST["admin_realm"] == "useast.battle.net") {
         $sql .= " admin_realm = 'useast.battle.net', ";
     }
     if ($_POST["admin_realm"] == "uswest.battle.net") {
         $sql .= " admin_realm = 'uswest.battle.net', ";
     }
     if ($_POST["admin_realm"] == "server.eurobattle.net") {
Esempio n. 13
    ?>
adm/?posts">&laquo; Back</a></h2>
	  </div>
	  <?php 
}
//ADD / EDIT POST
if (isset($_GET["add"]) or isset($_GET["edit"]) and is_numeric($_GET["edit"])) {
    if (isset($_POST["add_post"])) {
        $title = EscapeStr($_POST["post_title"]);
        $status = EscapeStr((int) $_POST["status"]);
        $allow_comments = EscapeStr((int) $_POST["allow_comments"]);
        $text = my_nl2br(convEnt2(trim($_POST["post_text"])));
        $text = str_replace(array("&Scaron;", "&scaron;"), array("Š", "š"), $text);
        $errors = "";
        $time = time();
        $author = EscapeStr((int) $_POST["author"]);
        if (strlen($title) <= 3) {
            $errors .= "<div>Field Title does not have enough characters</div>";
        }
        if (strlen($text) <= 5) {
            $errors .= "<div>Field Text does not have enough characters</div>";
        }
        if (empty($errors)) {
            if (isset($_GET["add"])) {
                $ins = 1;
                $insert = $db->prepare("INSERT INTO " . OSDB_NEWS . "(news_title, news_content, news_date, status, allow_comments, author)\n\t\tVALUES('" . $title . "', '" . $text . "', '" . $time . "', '" . $status . "', '" . $allow_comments . "', '" . $author . "') ");
                $result = $insert->execute();
                if ($ins) {
                    ?>
	    <div align="center">
	       <h2>Post successfully added. <a href="<?php 
Esempio n. 14
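 // Comment body: PrepareTextDB() collapses newlines to <br /> and applies the
 // DB escaping (it does not HTML-escape; the printing side must).
 $text = PrepareTextDB($_POST["comment"]);
 if (strlen($text) <= 2) {
     $errors .= "<div>Field Text does not have enough characters</div>";
 }
 $time = date("Y-m-d H:i:s", time());
 // Optional explicit post date, one form field per component. The escaped
 // strings are kept in $d/$m/$Y/$H/$i for whatever follows; validation below
 // works on integer copies.
 $d = EscapeStr($_POST["_d"]);
 $m = EscapeStr($_POST["_m"]);
 $Y = EscapeStr($_POST["_Y"]);
 $H = EscapeStr($_POST["_H"]);
 $i = EscapeStr($_POST["_i"]);
 $DateErr = 0;
 $PostTime = strtotime($Y . "-" . $m . "-" . $d . " " . $H . ":" . $i . ":00");
 // Only a fully valid calendar date/time is written; otherwise the SQL
 // fragment stays empty and the column keeps its default. Compared with the
 // previous range checks this also rejects hour 24 (the old test allowed it),
 // minutes outside 0-59 (previously unchecked), non-numeric input (strtotime()
 // returns false, which used to be stored as '') and impossible days such as
 // 31 February (checkdate()).
 $day = (int) $d;
 $month = (int) $m;
 $year = (int) $Y;
 $hour = (int) $H;
 $minute = (int) $i;
 $dateIsValid = $PostTime !== false
     && $year > 0
     && checkdate($month, $day, $year)
     && $hour >= 0 && $hour <= 23
     && $minute >= 0 && $minute <= 59;
 // $PostTime is an integer timestamp here, so interpolating it is safe.
 $sqlPostDate = $dateIsValid ? ", date = '" . $PostTime . "' " : '';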
Esempio n. 15
	  <?php 
    OS_AddLog($_SESSION["username"], "[os_notes] Deleted Note: ( #" . (int) $id . " ) ");
}
//eDIT
if (isset($_GET["edit"]) and is_numeric($_GET["edit"]) or isset($_GET["add"])) {
    $name = "";
    $server = "";
    $note = "";
    if (isset($_GET["edit"]) and is_numeric($_GET["edit"])) {
        $id = safeEscape((int) $_GET["edit"]);
    }
    //UPDATE
    if (isset($_POST["edit_list"])) {
        $name = safeEscape(trim($_POST["name"]));
        $server = safeEscape(trim($_POST["server"]));
        $note = EscapeStr(trim($_POST["note"]));
        $note = strip_tags(strip_quotes($note));
        if (strlen($name) <= 2) {
            $errors .= "<div>Field Name does not have enough characters</div>";
        }
        if (strlen($name) > 20) {
            $errors .= '<div>Field "Player Name" contains too many characters</div>';
        }
        $time = date("Y-m-d H:i:s", time());
        if (isset($_GET["edit"])) {
            $sql = "UPDATE " . OSDB_NOTES . " SET \n\t  name= '" . $name . "', server = '" . $server . "', note = '" . $note . "'\n\t  WHERE id ='" . $id . "' LIMIT 1 ";
        }
        if (isset($_GET["add"])) {
            $sql = "INSERT INTO " . OSDB_NOTES . "(name, server, note) VALUES('" . $name . "', '" . $server . "', '" . $note . "' )";
        }
        if (empty($errors)) {