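<div style="margin-top:32px;margin-bottom:62px;">This is the information that will be displayed after X minutes.</div>
<?php
// Announcement configuration: handles the admin form post and loads the
// current value for the template that follows.
//
// The setting is one tab-separated custom field on record 1:
//     "repeat\t<minutes>\tlobby\t<lobby>"
// Reads  : $_POST["a_saved"], $_POST["a_time"], $_POST["a_lobby"], $_SESSION["username"]
// Sets   : $time (repeat interval in minutes), $lby (lobby value), $saved (only after a save)
$field_name = "oh_announcements_config";

if (isset($_POST["a_saved"]) and isset($_POST["a_time"])) {
    // The int cast already yields an integer, so the former is_numeric() check could
    // never fail; only the range check matters. Out of 0..1440 minutes -> default 30.
    $time = (int) strip_tags(trim($_POST["a_time"]));
    if ($time < 0 or $time > 60 * 24) {
        $time = 30;
    }

    // a_lobby is optional: a missing key used to raise an undefined-index warning.
    // Tabs and line breaks are replaced because the value is stored in a
    // tab-separated record; a stray tab would shift the fields read back below.
    $lobby = isset($_POST["a_lobby"]) ? strip_tags(trim($_POST["a_lobby"])) : "";
    $lobby = str_replace(array("\t", "\r", "\n"), " ", $lobby);

    $data = "repeat\t{$time}\tlobby\t{$lobby}";
    OS_add_custom_field(1, $field_name, $data);
    $saved = 1;
    OS_AddLog($_SESSION["username"], "[os_announcements] Edited Announcements Config");
}

// Re-read the persisted value so the form reflects what is actually stored.
// The (string) cast keeps explode() happy when no field exists yet.
$config = OS_get_custom_field(1, $field_name);
$cfg = explode("\t", (string) $config);
$time = isset($cfg[1]) ? $cfg[1] : 30;
$lby = isset($cfg[3]) ? $cfg[3] : 0;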
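/**
 * "Forgot password" flow: the request form, the e-mail carrying a one-time link,
 * and the reset form reached through that link.
 *
 * Two entry points share this function:
 *  - POST reset_password + reset_password_submit: validates the address, stores a
 *    fresh code in custom field 'reset_password|<email>' (record 0) and mails a link.
 *  - GET e=<email>&c=<code>: re-validates the address, compares the code with the
 *    stored value and, on POST reset_1/reset_2, writes the new password hash and
 *    deletes the code.
 *
 * Reads $_POST, $_GET, $_SESSION and the globals $db, $mail and $lang; echoes HTML
 * and returns nothing. All user-facing messages are accumulated in $errors, which
 * despite its name also carries the success message of the first step.
 */
function OS_ForgotPassword() {
    $errors = "";
    global $db;
    global $mail;
    global $lang;

    // --- Step 1: request a reset link ------------------------------------------
    if (isset($_POST["reset_password"]) and isset($_POST["reset_password_submit"])) {
        $email = EscapeStr(trim($_POST["reset_password"]));
        // One request per session; the flag is set after a successful send below.
        if (isset($_SESSION["password_send"])) {
            $errors .= "<h4>You have already sent a request to reset the password. Please check your mail.</h4>";
        }
        if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) {
            $errors .= "<h4>Invalid Email address</h4>";
        }
        if (empty($errors)) {
            $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 ");
            $sth->bindValue(':email', $email, PDO::PARAM_STR);
            $sth->execute();
            // NOTE(review): this message reveals whether an address is registered;
            // a neutral "if the address exists, a mail was sent" wording would avoid
            // account enumeration. Left unchanged to keep the existing UI text.
            if ($sth->rowCount() <= 0) {
                $errors .= "<h4>Email address does not exist in our database.</h4>";
            }
            if (empty($errors)) {
                $code = generate_hash(16);
                // The code carries no timestamp, so it stays valid until it is used
                // (deleted in step 2) or overwritten by a newer request.
                OS_add_custom_field(0, 'reset_password|' . $email, $code);
                require "inc/class.phpmailer.php";
                // Both values end up in a query string: rawurlencode() keeps '+' and
                // '%' (both legal in the local part of an address) from being mangled
                // when the link is opened.
                $message = "You have requested a password reset.<br />";
                $message .= "Click on the link below to reset your password:<br /><br />";
                $message .= OS_HOME . "?action=reset_password&e=" . rawurlencode($email) . "&c=" . rawurlencode($code) . "<br /><br />";
                $message .= "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />";
                $message .= "If you did not request a password reset just ignore this email and delete it.<br />";
                $mail = new PHPMailer();
                $mail->CharSet = 'UTF-8';
                $mail->ContentType = 'text/plain';
                $mail->IsHTML(true);
                $mail->SetFrom($lang["email_from"], $lang["email_from_full"]);
                $mail->AddAddress($email, "");
                $mail->Subject = "Password reset!";
                $mail->MsgHTML($message);
                $mail->AltBody = "This is the body in plain text for non-HTML mail clients";
                $mail->Send();
                $_SESSION["password_send"] = time();
                // Not an error: $errors doubles as the message slot shown below.
                $errors = "<h4>You have successfully submitted a request to reset your password. 
Please check your mail.</h4>";
            }
        }
    }
    ?>
    <div id="content" class="s-c-x">
    <div class="wrapper">
    <div id="main-column">
    <div class="padding">
    <div class="inner">
    <h2>Reset password</h2>
    <div class="padTop"></div>
    <?php
    if (!empty($errors)) {
        echo $errors;
    }
    if (!isset($_GET["c"]) and !isset($_GET["e"])) {
        ?>
        <form action="" method="post">
        <table style="width:800px;">
        <tr class="row">
            <td></td>
            <td>
                <b>You can't retrieve your password, but you can set a new one by following a link sent to you by email.</b>
                <div>- This is the email address you used to register on the site.</div>
                <div>- If you do not receive an email, check your "Spam" folder.</div>
            </td>
        </tr>
        <tr class="row">
            <td width="120" class="padLeft">Email address:</td>
            <td class="padLeft"><input type="text" name="reset_password" size="39" value="" style="height:26px;" /></td>
        </tr>
        <tr class="row">
            <td width="120" class="padLeft"></td>
            <td class="padLeft"><input type="submit" name="reset_password_submit" class="menuButtons" value="Send" /> <div class="padBottom"></div></td>
        </tr>
        </table>
        </form>
        <?php
    } else {
        // --- Step 2: the link from the e-mail (e=<address>, c=<code>) --------------
        // A missing parameter is replaced by a random value so the checks below fail
        // naturally instead of matching an empty stored field.
        $email = isset($_GET["e"]) ? EscapeStr(trim($_GET["e"])) : generate_hash(12);
        $code = isset($_GET["c"]) ? EscapeStr(trim($_GET["c"])) : generate_hash(12);
        if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}\$/i", $email)) {
            $errors .= "<h4>Invalid Email address</h4>";
        }
        if (empty($errors)) {
            $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_email = :email LIMIT 1 ");
            $sth->bindValue(':email', $email, PDO::PARAM_STR);
            $sth->execute();
            if ($sth->rowCount() <= 0) {
                $errors .= "<h4>Email address does not exist in our database.</h4>";
            }
        }
        if (empty($errors)) {
            $value = OS_get_custom_field(0, 'reset_password|' . $email);
            // Strict comparison: the former loose != compared numeric-looking strings
            // as numbers ("1e3" == "1000"). A missing field (null/false) becomes ""
            // and can never equal a code that passed the length check.
            if ($code !== (string) $value or strlen($code) <= 5) {
                $errors .= "<h4>Link has expired, or the password has already been reset</h4>";
            }
        }
        //FINALLY RESET
        if (empty($errors) and isset($_POST["reset_1"]) and isset($_POST["reset_2"])) {
            // strip_tags() alters any password containing '<'; kept because the
            // login path presumably applies the same transformation (TODO confirm).
            $p1 = strip_tags($_POST["reset_1"]);
            $p2 = strip_tags($_POST["reset_2"]);
            if ($p1 !== $p2) {
                $errors .= "<h4>Both passwords are not the same</h4>";
            } else {
                $hash = generate_hash(16, 1);
                $password_db = generate_password($p1, $hash);
                // $db->update() takes a raw WHERE string. Inlining $email is acceptable
                // only because the regex above admits no quote or backslash characters.
                $db->update(OSDB_USERS, array("user_password" => $password_db, "password_hash" => $hash), "user_email = '" . $email . "'");
                // Invalidate the code with a bound statement (was a string-built DELETE).
                $sth = $db->prepare("DELETE FROM " . OSDB_CUSTOM_FIELDS . " WHERE field_value = :code AND field_name = :name LIMIT 1");
                $sth->bindValue(':code', $code, PDO::PARAM_STR);
                $sth->bindValue(':name', 'reset_password|' . $email, PDO::PARAM_STR);
                $sth->execute();
                $PasswordReset = 1;
            }
        }
        if (!empty($errors)) {
            echo $errors;
        } elseif (isset($PasswordReset) and $PasswordReset == 1) {
            ?>
            <h2>Password has been successfully changed. Now you can log in.</h2>
            <?php
        } else {
            ?>
            <form action="" method="post">
            <table style="width:600px;">
            <tr class="row">
                <td class="padLeft">New password:</td>
                <td class="padLeft"><input type="password" name="reset_1" size="6" value="" /></td>
            </tr>
            <tr class="row">
                <td class="padLeft">Repeat password:</td>
                <td class="padLeft"><input type="password" name="reset_2" size="6" value="" /></td>
            </tr>
            <tr class="row">
                <td width="120" class="padLeft"></td>
                <td class="padLeft"><input type="submit" name="reset_pw" class="menuButtons" value="Reset your password" /> <div class="padBottom"></div></td>
            </tr>
            </table>
            </form>
            <?php
        }
    }
    ?>
    <div style="height:260px;"></div>
    </div>
    </div>
    </div>
    </div>
    </div>
    <?php
}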
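<?php
// Admin page: edit the site-wide word filter, stored in custom field "oh_badwords"
// on record 1.
// Reads  : $website (set by the site bootstrap), $_POST["submit_wf"], $_POST["bad_words"],
//          $_SESSION["username"]
// Sets   : $badwords (current filter text), $saved (only after a save)
if (!isset($website)) {
    // Reached without the surrounding bootstrap: answer 404 and stop.
    header('HTTP/1.1 404 Not Found');
    die;
}
$field_name = "oh_badwords";
if (isset($_POST["submit_wf"]) and isset($_POST["bad_words"])) {
    $words = strip_tags(trim($_POST["bad_words"]));
    OS_add_custom_field(1, $field_name, $words);
    $saved = 1;
    OS_AddLog($_SESSION["username"], "[os_badwords] Edited Bad words");
}
$badwords = OS_get_custom_field(1, $field_name);
?>
<div align="center">
    <h2>Word Filter</h2>
    <form action="" method="post">
        <?php
        // The stored text is escaped for the HTML context: strip_tags() at save time
        // removes tags but leaves '&' and stray '<' intact, and the value can also be
        // written by other code paths. The browser decodes the entities back, so the
        // textarea shows the original words.
        ?>
        <textarea rows="10" cols="60" name="bad_words"><?php echo htmlspecialchars((string) $badwords, ENT_QUOTES, 'UTF-8'); ?></textarea>
        <div>
            <input type="submit" value="Save word filter" name="submit_wf" class="menuButtons" />
        </div>
    </form>
<?php if (isset($saved)) { ?>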
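/**
 * Save the "change profile" form: realm username plus an optional birthday.
 *
 * Reads $_POST["change_profile"], $_POST["realm_un"], $_POST["birthday_day"],
 * $_POST["birthday_month"], $_POST["birthday_year"] and $_SESSION["user_id"], and
 * acts only for a logged-in user. The birthday is stored as "D-M-Y" in custom field
 * "user_birthday" when all three parts are digits and in range; otherwise any
 * stored birthday is deleted. Returns nothing.
 */
function OS_UpdateCustomField() {
    if (!(isset($_POST["change_profile"]) and isset($_POST["realm_un"]) and is_logged())) {
        return;
    }
    $realm_un = safeEscape($_POST["realm_un"]);

    // One date part: must be present, all digits and within [$min, $max]; otherwise "".
    // ctype_digit() replaces the former string-vs-int comparisons, which let values
    // such as "1x" through. An accepted part keeps its original text (e.g. "05"),
    // so the stored "D-M-Y" format is unchanged.
    $part = function ($key, $min, $max) {
        if (!isset($_POST[$key])) {
            return "";
        }
        $raw = (string) safeEscape($_POST[$key]);
        if (!ctype_digit($raw) or (int) $raw < $min or (int) $raw > $max) {
            return "";
        }
        return $raw;
    };
    $dd = $part("birthday_day", 1, 31);
    $mm = $part("birthday_month", 1, 12);
    // Years up to and including 1930 were rejected before; the current year is the ceiling.
    $yy = $part("birthday_year", 1931, (int) date("Y"));

    $uid = (int) $_SESSION["user_id"];
    OS_add_custom_field($uid, "realm_username", $realm_un);

    if ($dd === "" or $mm === "" or $yy === "") {
        // An incomplete date removes any previously stored birthday.
        OS_delete_custom_field($uid, "user_birthday");
    } else {
        OS_add_custom_field($uid, "user_birthday", $dd . '-' . $mm . '-' . $yy);
    }
}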
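/**
 * Private-message pages: inbox, sent items, "new message" (recipient by username)
 * and "send" (recipient by user id). Rendered only when OS_GetAction("pm") is true.
 *
 * Storage model, as used throughout this function: a message is a row of
 * OSDB_CUSTOM_FIELDS whose field_id is the RECIPIENT's user id, whose field_name is
 * "<unix time>|<sender id>||p.m.<flag>" (flag 0 = unread, 1 = read) and whose
 * field_value is the text.
 *
 * Reads $_GET, $_POST, $_SESSION and the globals $db, $lang, $mail, $DateFormat and
 * $DefaultHomeTitle; echoes HTML and returns nothing.
 */
function OS_PMSystem() {
    if (!OS_GetAction("pm")) {
        return;
    }
    global $db;
    global $lang;
    global $DateFormat;
    $sth = $db->prepare("SET NAMES 'utf8'");
    $sth->execute();
    $errors = "";

    // Current user id and the field_name pattern of every message this user SENT.
    // The original used both OS_GetUserID() and $_SESSION["user_id"] for this;
    // they are assumed to hold the same value (TODO confirm).
    $me = (int) OS_GetUserID();
    $sentByMe = "%|" . $me . "||p.m.%";
    ?>
    <div class="clr"></div>
    <div class="ct-wrapper" id="content" class="s-c-x">
    <div class="outer-wrapper wrapper">
    <div class="content section" id="main-column">
    <div class="widget Blog padding">
    <div class="blog-posts hfeed padLeft padTop padBottom inner">
    <h2>Private Messages</h2>
    <div>
        <a class="menuButtons" href="<?php echo OS_HOME; ?>?action=pm&inbox">INBOX</a>
        <a class="menuButtons" href="<?php echo OS_HOME; ?>?action=pm&sent_items">SENT ITEMS</a>
        <a class="menuButtons" href="<?php echo OS_HOME; ?>?action=pm&new_message">NEW MESSAGE</a>
    </div>
    <?php
    //NEW MESSAGE (recipient given by username)
    // is_logged() added for parity with the inbox/sent-items branches: the sender id
    // and $_SESSION["username"] used here are only meaningful for a logged-in user.
    if (isset($_GET["new_message"]) and is_logged()) {
        $PMName = "";
        $PMText = "";
        if (isset($_POST["pm_message"]) and isset($_POST["pm_name"]) and isset($_SESSION["code"]) and isset($_POST["code"])) {
            $PMText = strip_tags($_POST['pm_message']);
            $PMName = safeEscape(trim($_POST["pm_name"]));
            // Per-form token issued further down; a mismatch rejects the post.
            if ($_SESSION["code"] != $_POST["code"]) {
                $errors .= "<h4>Form is not valid. Try again.</h4>";
            }
            if (strlen($PMText) <= 2) {
                $errors .= "<h4>There are not enough characters in the message</h4>";
            }
            if (strlen($PMName) <= 2) {
                $errors .= "<h4>Please, write a valid username</h4>";
            }
            if (strtolower($PMName) == $_SESSION["username"]) {
                $errors .= "<h4>You can not send messages to yourself</h4>";
            }
            if (empty($errors)) {
                $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " \n\t\t\tWHERE LOWER(user_name) = ? LIMIT 1");
                $sth->bindValue(1, strtolower($PMName), PDO::PARAM_STR);
                $sth->execute();
                if ($sth->rowCount() <= 0) {
                    $errors .= "<h4>User not found</h4>";
                } else {
                    $row = $sth->fetch(PDO::FETCH_ASSOC);
                    $userID = $row["user_id"];
                }
            }
            if (!empty($errors)) {
                echo $errors;
            } elseif (isset($userID) and is_numeric($userID) and $userID != $me) {
                OS_add_custom_field($userID, time() . "|" . $me . "||p.m.0", $PMText);
                $MailText = $PMText;
                $PMName = "";
                $PMText = "";
                ?>
                <h4>Message was sent successfully</h4>
                <?php
                //SEND EMAIL NOTIFICATION (at most once per session)
                if (!isset($_SESSION["mail_sent"])) {
                    $_SESSION["mail_sent"] = 1;
                    global $mail;
                    global $DefaultHomeTitle;
                    $message = "You have just received a private message from " . $_SESSION["username"] . "<br />";
                    $message .= "Click on the following link to read the message<br />";
                    $message .= "" . OS_HOME . "?action=pm&inbox";
                    $message .= "<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />";
                    $message .= convEnt($MailText);
                    $message .= "<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />{$DefaultHomeTitle}";
                    require "inc/class.phpmailer.php";
                    $mail = new PHPMailer();
                    $mail->CharSet = 'UTF-8';
                    $mail->SetFrom($lang["email_from"], $lang["email_from_full"]);
                    $mail->AddReplyTo($lang["email_from"], $lang["email_from_full"]);
                    $mail->AddAddress($row["user_email"], "");
                    $mail->Subject = "New Private Message";
                    $mail->MsgHTML($message);
                    $mail->AltBody = "This is the body in plain text for non-HTML mail clients";
                    $mail->Send();
                }
            } else {
                ?>
                <h4>The message could not be sent</h4>
                <?php
            }
        }
        // Fresh form token for the next submission.
        $code = generate_hash(8);
        $_SESSION["code"] = $code;
        // Request-derived values are escaped for the attribute/text context they land in.
        ?>
        <form action="" method="post" accept-charset="UTF-8">
        <table>
        <tr class="row">
            <td width="70" class="padLeft"><b>To:</b></td>
            <td><input type="text" value="<?php echo htmlspecialchars($PMName, ENT_QUOTES, 'UTF-8'); ?>" size="65" name="pm_name" /></td>
        </tr>
        <tr class="row">
            <td width="70" class="padLeft"><b>Message:</b></td>
            <td><textarea name="pm_message" rows="9" cols="80" ><?php echo htmlspecialchars($PMText, ENT_QUOTES, 'UTF-8'); ?></textarea></td>
        </tr>
        <tr class="row">
            <td width="70" class="padLeft"></td>
            <td><input type="submit" value="Send PM" class="menuButtons" /></td>
        </tr>
        </table>
        <input type="hidden" name="code" value="<?php echo $code; ?>" />
        </form>
        <?php
    }

    //SEND MESSAGE (recipient given by user id)
    // is_logged() added for the same reason as in the new-message branch.
    if (isset($_GET["send"]) and is_numeric($_GET["send"]) and is_logged()) {
        $uid = (int) $_GET["send"];
        if ($me == $uid) {
            ?>
            <h4>You can not send messages to yourself</h4>
            <?php
        } else {
            if (isset($_POST["pm_message"]) and isset($_SESSION["code"]) and isset($_POST["code"])) {
                if ($_SESSION["code"] != $_POST["code"]) {
                    $errors .= "<div>Form is not valid. Try again.</div>";
                }
                $PMText = strip_tags($_POST['pm_message']);
                if (strlen($PMText) <= 2) {
                    $errors .= "<div>There are not enough characters in the message</div>";
                }
                if (!empty($errors)) {
                    ?>
                    <h4><?php echo $errors; ?></h4>
                    <?php
                } else {
                    //ADD MESSAGE
                    //ARG: TO - user ID, FROM - time|UserID, message
                    // Stored only if the recipient exists; the confirmation is shown
                    // either way (unchanged behaviour).
                    $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_id = ? LIMIT 1");
                    $sth->bindValue(1, $uid, PDO::PARAM_INT);
                    $sth->execute();
                    if ($sth->rowCount() >= 1) {
                        OS_add_custom_field($uid, time() . "|" . $me . "||p.m.0", $PMText);
                    }
                    ?>
                    <h4>Message was sent successfully</h4>
                    <?php
                }
            }
            $code = generate_hash(8);
            $_SESSION["code"] = $code;
            $sth = $db->prepare("SELECT * FROM " . OSDB_USERS . " WHERE user_id = ? LIMIT 1");
            $sth->bindValue(1, $uid, PDO::PARAM_INT);
            $sth->execute();
            if ($sth->rowCount() >= 1) {
                $row = $sth->fetch(PDO::FETCH_ASSOC);
                $sendTo = $row["user_name"];
                ?>
                <form action="" method="post" accept-charset="UTF-8">
                <table>
                <tr class="row">
                    <td width="120" class="padLeft"><b>Send to:</b></td>
                    <td><?php echo $sendTo; ?></td>
                </tr>
                <tr class="row">
                    <td width="120" class="padLeft"><b>Message:</b></td>
                    <td><textarea name="pm_message" rows="9" cols="80" ></textarea></td>
                </tr>
                <tr class="row">
                    <td width="120" class="padLeft"></td>
                    <td><input type="submit" value="Send PM" class="menuButtons" /></td>
                </tr>
                </table>
                <input type="hidden" name="code" value="<?php echo $code; ?>" />
                </form>
                <?php
                if (isset($_GET["m"])) {
                    // Quote the message being replied to. The lookup is restricted to
                    // rows the current user received (field_id) or sent (field_name
                    // pattern), so a field name supplied in "m" cannot expose other
                    // custom-field records. A missing row renders nothing.
                    $sth = $db->prepare("SELECT * FROM " . OSDB_CUSTOM_FIELDS . " WHERE field_name = ? AND (field_id = ? OR field_name LIKE ?) LIMIT 1");
                    $sth->bindValue(1, safeEscape($_GET["m"]), PDO::PARAM_STR);
                    $sth->bindValue(2, $me, PDO::PARAM_INT);
                    $sth->bindValue(3, $sentByMe, PDO::PARAM_STR);
                    $sth->execute();
                    $row = $sth->fetch(PDO::FETCH_ASSOC);
                    if ($row) {
                        $dateFor = explode("|", $row["field_name"]);
                        $date = (int) $dateFor[0];
                        ?>
                        <div class="padTop"></div>
                        <table>
                        <tr class="row">
                            <td class="padLeft"><b><?php echo $sendTo; ?></b>, <?php echo date($DateFormat, $date); ?></td>
                        </tr>
                        <tr>
                            <td><?php echo convEnt($row["field_value"]); ?></td>
                        </tr>
                        </table>
                        <?php
                    }
                }
            } else {
                ?>
                <h4>User not found</h4>
                <?php
            }
        }
    }

    //SENT ITEMS
    if (isset($_GET["sent_items"]) and is_logged()) {
        ?>
        <h4>Sent items</h4>
        <?php
        // sent_items=<recipient id>&m=<field_name> narrows the list to one message.
        $single = (!empty($_GET["sent_items"]) and is_numeric($_GET["sent_items"]) and isset($_GET["m"]));
        $field = $single ? safeEscape($_GET["m"]) : "";
        $sql = $single ? "AND c.field_name = ? " : "";
        $sth = $db->prepare("SELECT COUNT(*) FROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tWHERE c.field_name LIKE ? {$sql}");
        $sth->bindValue(1, $sentByMe, PDO::PARAM_STR);
        if ($single) {
            $sth->bindValue(2, $field, PDO::PARAM_STR);
        }
        $sth->execute();
        $r = $sth->fetch(PDO::FETCH_NUM);
        $numrows = $r[0];
        $result_per_page = 10;
        $offset = os_offset($numrows, $result_per_page);
        $sth = $db->prepare("SELECT c.field_id, c.field_name, c.field_value, u.user_name, u.user_avatar\n\t\tFROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tLEFT JOIN " . OSDB_USERS . " as u ON u.user_id = c.field_id\n\t\tWHERE c.field_name LIKE ? {$sql}\n\t\tORDER BY c.field_name DESC\n\t\tLIMIT {$offset}, {$result_per_page}");
        $sth->bindValue(1, $sentByMe, PDO::PARAM_STR);
        if ($single) {
            $sth->bindValue(2, $field, PDO::PARAM_STR);
        }
        $sth->execute();
        ?>
        <table>
        <?php
        while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
            $dateFor = explode("|", $row["field_name"]);
            $date = (int) $dateFor[0];
            if (!isset($_GET["m"])) {
                $text = limit_words(convEnt($row["field_value"]), 40);
            } else {
                $text = AutoLinkShort(convEnt($row["field_value"]));
            }
            // Values that travel back through the query string are attribute-escaped.
            $nameAttr = htmlspecialchars($row["field_name"], ENT_QUOTES, 'UTF-8');
            ?>
            <tr class="row">
                <td width="140"><a href="<?php echo OS_HOME; ?>?action=pm&sent_items=<?php echo $row["field_id"]; ?>&m=<?php echo $nameAttr; ?>"><b><?php echo $row["user_name"]; ?></b>, <?php echo date($DateFormat, $date); ?></a></td>
                <td><?php echo $text; ?>
                <?php if (isset($_GET["m"])) { ?>
                    <div class="padTop">
                        <a class="menuButtons" href="<?php echo OS_HOME; ?>?action=pm&send=<?php echo $row["field_id"]; ?>&m=<?php echo htmlspecialchars($_GET["m"], ENT_QUOTES, 'UTF-8'); ?>">[SEND MESSAGE]</a>
                        <a class="menuButtons" href="<?php echo OS_HOME; ?>?action=pm&sent_items">« Back</a>
                    </div>
                <?php } else { ?>
                    <a href="<?php echo OS_HOME; ?>?action=pm&sent_items=<?php echo $row["field_id"]; ?>&m=<?php echo $nameAttr; ?>">more » </a>
                <?php } ?>
                </td>
            </tr>
            <?php
        }
        if ($sth->rowCount() <= 0) {
            ?>
            <tr><td>No new messages</td></tr>
            <?php
        }
        ?>
        </table>
        <?php
        os_pagination($numrows, $result_per_page, 5, 1, '&sent_items');
    }

    //INBOX MESSAGES
    if (isset($_GET["inbox"]) and is_logged()) {
        ?>
        <h4>Inbox</h4>
        <?php
        // inbox=<sender id>&m=<field_name> shows one message and marks it read.
        $single = (!empty($_GET["inbox"]) and is_numeric($_GET["inbox"]) and isset($_GET["m"]));
        $field = $single ? safeEscape($_GET["m"]) : "";
        $sql = $single ? "AND c.field_name = :field_name " : "";
        // The count now carries the same "||p.m." filter as the listing query; without
        // it the user's other custom fields (profile data) inflated the page total.
        // The user id is bound instead of being spliced into the SQL text.
        $sth = $db->prepare("SELECT COUNT(*) FROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tWHERE c.field_id = :me AND c.field_name LIKE('%||p.m.%') {$sql}");
        $sth->bindValue(':me', $me, PDO::PARAM_INT);
        if ($single) {
            $sth->bindValue(':field_name', $field, PDO::PARAM_STR);
        }
        $sth->execute();
        $r = $sth->fetch(PDO::FETCH_NUM);
        $numrows = $r[0];
        $result_per_page = 10;
        $offset = os_offset($numrows, $result_per_page);
        $sth = $db->prepare("SELECT c.field_id, c.field_name, c.field_value, u.user_name, u.user_avatar\n\t\tFROM " . OSDB_CUSTOM_FIELDS . " as c\n\t\tLEFT JOIN " . OSDB_USERS . " as u ON u.user_id = c.field_id\n\t\tWHERE c.field_id = :me\n\t\tAND field_name LIKE('%||p.m.%')\n\t\t{$sql}\n\t\tORDER BY c.field_name DESC\n\t\tLIMIT {$offset}, {$result_per_page}");
        $sth->bindValue(':me', $me, PDO::PARAM_INT);
        if ($single) {
            $sth->bindValue(':field_name', $field, PDO::PARAM_STR);
        }
        $sth->execute();
        //UPDATE "read" message: the trailing flag of the name goes from 0 to 1.
        // This runs after the SELECT above, so the row just fetched still shows as
        // unread on this request (unchanged ordering).
        if ($single) {
            $field_name = substr($field, 0, -1) . "1";
            // $db->update() takes a raw WHERE string; $field came through safeEscape(),
            // assumed to be the project's SQL escaper (TODO confirm). The clause is now
            // scoped to the current user's own rows so a name supplied in "m" can only
            // flip the flag on a message addressed to this user.
            $db->update(OSDB_CUSTOM_FIELDS, array("field_name" => $field_name), "field_id = '" . $me . "' AND field_name = '" . $field . "'");
        }
        ?>
        <table>
        <?php
        while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
            $dateFor = explode("|", $row["field_name"]);
            $date = (int) $dateFor[0];
            $FromID = $dateFor[1];
            // Last character of the field name is the read flag (0 = new, 1 = read).
            $read = substr($row["field_name"], -1);
            $col = ($read == 1) ? '686A6B' : 'A41600';
            if (!isset($_GET["m"])) {
                $text = limit_words(convEnt($row["field_value"]), 12);
                if ($read == 0) {
                    $text = '<span style="color: #000;"><b>' . convEnt($text) . '</b></span>';
                }
                if ($read == 1) {
                    $text = '<span style="color: #686A6B;">' . convEnt($text) . '</span>';
                }
            } else {
                $text = AutoLinkShort(convEnt($row["field_value"]));
            }
            $fromName = OS_GetUsernameByUserID($FromID);
            $nameAttr = htmlspecialchars($row["field_name"], ENT_QUOTES, 'UTF-8');
            if (!isset($_GET["m"])) {
                ?>
                <tr class="row">
                    <td width="120" class="padLeft">
                        <a href="<?php echo OS_HOME; ?>?action=pm&inbox=<?php echo $FromID; ?>&m=<?php echo $nameAttr; ?>"><span style="color: #<?php echo $col; ?>"><b><?php echo $fromName; ?></b></span></a>
                    </td>
                    <td width="600"><a href="<?php echo OS_HOME; ?>?action=pm&inbox=<?php echo $FromID; ?>&m=<?php echo $nameAttr; ?>"><?php echo $text; ?></a></td>
                    <td><?php echo date($DateFormat, $date); ?></td>
                </tr>
                <?php
            } else {
                ?>
                <tr class="row">
                    <td class="padLeft"><span style="color: #<?php echo $col; ?>"><b><?php echo $fromName; ?></b>, <?php echo date($DateFormat, $date); ?></span></td>
                </tr>
                <tr>
                    <td><?php echo $text; ?></td>
                </tr>
                <tr>
                    <td><div class="padTop padBottom">
                        <a class="menuButtons" href="<?php echo OS_HOME; ?>?action=pm&send=<?php echo $FromID; ?>&m=<?php echo htmlspecialchars($_GET["m"], ENT_QUOTES, 'UTF-8'); ?>">[SEND MESSAGE]</a>
                        <a class="menuButtons" href="<?php echo OS_HOME; ?>?action=pm&inbox">« Back</a>
                    </div></td>
                </tr>
                <?php
            }
        }
        if ($sth->rowCount() <= 0) {
            ?>
            <tr><td>No new messages</td></tr>
            <?php
        }
        ?>
        </table>
        <?php
        os_pagination($numrows, $result_per_page, 5, 1, '&inbox');
    }
    ?>
    <div class="padTop" style="margin-top:124px;"></div>
    </div>
    </div>
    </div>
    </div>
    </div>
    <?php
}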