/**
 * Run the pre-input hooks on an incoming utterance.
 *
 * @param array  $convoArr conversation state; replaced in place with the result of checkIP()
 * @param string $say      raw user input
 * @return string the input, passed through parseInput() only when the global $format is 'html'
 */
function run_pre_input_addons(&$convoArr, $say)
{
    global $format;
    $convoArr = checkIP($convoArr);
    // Non-HTML formats get the input back untouched.
    $wantsHtml = ($format == 'html');
    if (!$wantsHtml) {
        return $say;
    }
    return parseInput($say);
}
/**
 * Return the first environment-provided client address that checkIP() accepts.
 *
 * HTTP_CLIENT_IP is a request header copied into the environment, so any
 * client can set it; only REMOTE_ADDR comes from the transport layer. Code
 * that uses the result for access decisions should treat the header value as
 * untrusted unless a trusted proxy is known to overwrite it.
 *
 * @return string the address, or "unknown" when neither candidate validates
 */
function getClientIPAddress()
{
    $candidates = array(getenv('HTTP_CLIENT_IP'), getenv('REMOTE_ADDR'));
    foreach ($candidates as $candidate) {
        if (checkIP($candidate)) {
            return $candidate;
        }
    }
    return "unknown";
}
/**
 * Created by PhpStorm.
 * User: tanggaolin
 * Date: 15-7-28
 * Time: 下午10:01
 */
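/**
 * Best-effort client address: the Client-IP header, then each X-Forwarded-For
 * entry in order, then REMOTE_ADDR.
 *
 * Both headers are supplied by the client and are only meaningful behind a
 * proxy that rewrites them; REMOTE_ADDR is the only transport-level value.
 *
 * @return string|false the first candidate checkIP() accepts, else REMOTE_ADDR
 */
function getRealIp()
{
    $ip = false;
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    }
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Proxies separate entries with a comma and optional whitespace. The
        // original split on ", " only, so "a,b" was never split at all; split
        // on the comma and trim each entry instead.
        $ips = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        if ($ip !== false) {
            // The Client-IP header keeps precedence over the forwarded chain.
            array_unshift($ips, $ip);
            $ip = false;
        }
        foreach ($ips as $v) {
            if (checkIP($v)) {
                $ip = $v;
                break;
            }
        }
    }
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if ($ip === false && $remoteAddr == '127.0.0.1') {
        // Kept from the original: output from inside an accessor, which can
        // break later header() calls. Callers may depend on it, so it stays.
        echo 'unknown';
    }
    return $ip ? $ip : $remoteAddr;
}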
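/**
 * Walk the usual proxy headers and return the first value checkIP() accepts,
 * falling back to REMOTE_ADDR.
 *
 * Every HTTP_* entry consulted here is a request header and therefore
 * client-supplied; only REMOTE_ADDR reflects the actual TCP peer. Use the
 * result for logging or display, or only behind a proxy that is known to
 * rewrite these headers.
 *
 * @return string
 */
function determineIP()
{
    if (isset($_SERVER["HTTP_CLIENT_IP"])) {
        if (checkIP($_SERVER["HTTP_CLIENT_IP"])) {
            return $_SERVER["HTTP_CLIENT_IP"];
        }
    }
    if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        foreach (explode(",", $_SERVER["HTTP_X_FORWARDED_FOR"]) as $ip) {
            // Validate and return the same trimmed value: the original checked
            // trim($ip) but returned $ip with its surrounding whitespace intact.
            $ip = trim($ip);
            if (checkIP($ip)) {
                return $ip;
            }
        }
    }
    // Single-value headers, in the original precedence order.
    $singleValueHeaders = array(
        "HTTP_X_FORWARDED",
        "HTTP_X_CLUSTER_CLIENT_IP",
        "HTTP_FORWARDED_FOR",
        "HTTP_FORWARDED",
    );
    foreach ($singleValueHeaders as $header) {
        if (isset($_SERVER[$header]) && checkIP($_SERVER[$header])) {
            return $_SERVER[$header];
        }
    }
    return $_SERVER["REMOTE_ADDR"];
}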
                 }
                 $content .= sprintf($html->string_error, $toprint) . '<br>';
                 $localerror = 1;
             }
         }
     }
 }
 // end no error after empty checks
 if (!$localerror) {
     // ****************************************
     // *            Create new zone           *
     // ****************************************
     // import zone content
     if (!empty($serverimport)) {
         // check if server is IP or NS name
         if (!(checkIP($serverimport) || checkDomain($serverimport))) {
             $content .= sprintf($html->string_warning, $l['str_bad_serverimport_name']);
             $server = "";
         }
     }
     if (0) {
         if (!empty($zonearea)) {
             if (strcmp($zonetypenew, 'P')) {
                 $content .= sprintf($html->string_warning, $l['str_no_zonearea']);
                 $zonearea = "";
             }
         }
     }
     if ($config->usergroups) {
         // if usergroups, zone is owned by
         // group and not individuals
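session_start();
include 'includes/globals.php';
include 'includes/functions.php';
$database = new Database();
// Form fields may be missing from the request: read them with a default so an
// absent field neither raises an undefined-index notice nor passes null to trim().
$username = isset($_POST['username']) ? trim($_POST['username']) : '';
$passwd = isset($_POST['password']) ? trim($_POST['password']) : '';
$ipaddress = $_SERVER["REMOTE_ADDR"];
$captcha_test = isset($_POST['captcha_challenge']) ? intval($_POST['captcha_challenge']) : 0;
// Record the attempt before anything is validated, so the checkIP() call below
// (presumably a lockout check — verify in includes/functions.php) sees it.
// Values are bound, not interpolated into the SQL.
$sql = "INSERT INTO LoginAttempts (ip,attempts,login,Last) VALUES ( :ipaddress, :attempts, :username, NOW())";
$database->query($sql);
$database->bind(':ipaddress', $ipaddress);
$database->bind(':attempts', 1);
$database->bind(':username', $username);
$database->execute();
//Check IP
$ipcheck = checkIP($ipaddress, $username);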
if ($ipcheck == true) {
    $sql = "SELECT * FROM users WHERE user_login=:user_login";
    $database->query($sql);
    $database->bind(':user_login', $username);
    $row_user = $database->single();
    $check_passwd = password_verify($passwd, $row_user['user_passwd']);
    if ($check_passwd) {
        //Cookie
        if ($_POST["remember"] == "1") {
            $identifier = hash('sha256', $row_user['user_id'] . KEY);
            $token = md5(uniqid(rand(), TRUE));
            $timeout = time() + 60 * 60 * 24 * 365;
            $date = date("Y-m-d H:i:s", $timeout);
            setcookie("oauth", "{$identifier}:{$token}", $timeout);
            $sql = "INSERT INTO auth_tokens (identifier,token,userid,expires) VALUES (:identifier,:token, :userid, :expires)";
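/**
 * Validate the current request against the auto_restrict protections
 * (referrer, IP ban list, form token, cookie and session identity).
 *
 * Hard failures (bad referrer, banned IP, bad token) hand over to death(),
 * which the original comments say destroys the session and redirects; soft
 * failures return false so the caller can ask for a login.
 *
 * @return bool true when the request may proceed
 */
function is_ok()
{
    // check tokens, session vars, ip, referrer, cookie etc
    // in case of problem, destroy session and redirect
    global $auto_restrict;
    // fatal problem
    if (!checkReferer()) {
        return death("You are definitely NOT from here !");
    }
    if (!checkIP()) {
        return death("Hey... you were banished, f**k off !");
    }
    if (!checkToken()) {
        return death("You need a valid token to do that, boy !");
    }
    //
    if (checkCookie()) {
        return true;
    }
    if (!isset($_SESSION['id_user'])) {
        return false;
    }
    // A missing expiry counts as expired (the original compared null < time()).
    $expired = !isset($_SESSION['expire']) || $_SESSION['expire'] < time();
    $sid = Dechiffre($_SESSION['id_user'], $auto_restrict['encryption_key']);
    $id = id_user();
    // Compare as strings: a loose != treats a false/null decryption result as
    // equal to 0 and "1e1" as equal to "10", neither of which an identity
    // check should accept.
    if ((string) $sid !== (string) $id || $expired) {
        // identity mismatch
        return false;
    }
    // all fine: the session can survive a bit more
    $_SESSION['expire'] = time() + 60 * $auto_restrict['session_expiration_delay'];
    return true;
}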
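/**
 * Validate the current request against the auto_restrict protections
 * (session presence, referrer, IP ban list, form token, cookie, identity).
 *
 * Hard failures hand over to death(), which the original comments say
 * destroys the session and redirects; soft failures return false so the
 * caller can ask for a login.
 *
 * @return bool true when the request may proceed
 */
function is_ok()
{
    # check tokens, session vars, ip, referrer, cookie etc
    # in case of problem, destroy session and redirect
    global $auto_restrict;
    # the login name selects the per-user encryption key below, so a session
    # without it is treated like a session without an id
    if (!isset($_SESSION['id_user']) || !isset($_SESSION['login'])) {
        return false;
    }
    # fatal problem
    if (!checkReferer()) {
        return death('<div class="error">You are definitely NOT from here !</div>');
    }
    if (!checkIP()) {
        return death('<div class="error">Hey... you were banished, f**k off !</div>');
    }
    if (!checkToken()) {
        return death('<div class="error">Invalid token</div>');
    }
    #
    if (checkCookie()) {
        return true;
    }
    # a missing expiry counts as expired (the original compared null < time())
    $expired = !isset($_SESSION['expire']) || $_SESSION['expire'] < time();
    $key = $auto_restrict['users'][$_SESSION['login']]['encryption_key'];
    $sid = Dechiffre($_SESSION['id_user'], $key);
    $id = id_user();
    # compare as strings: a loose != treats a false/null decryption result as
    # equal to 0 and "1e1" as equal to "10", neither of which an identity
    # check should accept
    if ((string) $sid !== (string) $id || $expired) {
        # identity mismatch
        return false;
    }
    # all fine: the session can survive a bit more
    $_SESSION['expire'] = time() + 60 * $auto_restrict['session_expiration_delay'];
    return true;
}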
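/**
 * Do an axfr dig of a zone
 *
 * Every shell argument is quoted with escapeshellarg(). The original also ran
 * escapeshellcmd() over the assembled command; applied on top of already-quoted
 * arguments it backslash-escapes the quoting itself and mangles any value that
 * contains a quote, so it has been dropped in favour of quoting each argument.
 *
 *@param string $server server to dig; must pass checkIP() or checkDomain()
 *@param string $zone zone to dig
 *@return string dig result; "" when the server is rejected or dig produced no output
 */
function zoneDig($server, $zone)
{
    global $config;
    if (!checkIP($server) && !checkDomain($server)) {
        return "";
    }
    $server = escapeshellarg($server);
    $zone = escapeshellarg($zone);
    // The bind address is configuration, but quote it like the other
    // arguments instead of relying on literal single quotes in the template.
    $bindAddress = escapeshellarg($config->nsaddress);
    $cmd = "{$config->bindig} @{$server} {$zone} axfr -b {$bindAddress}";
    $result = shell_exec($cmd);
    // shell_exec() yields null (no output / error) or false (pipe failure);
    // keep the documented string contract.
    return is_string($result) ? $result : "";
}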
 /**
  * checkIP($ip, $allowed) takes the allow-list either as an array of
  * patterns or as a comma-separated string; as the cases below show, "*"
  * acts as a wildcard and an empty list matches nothing.
  */
 public function testCheckIP()
 {
     $accepted = array(
         array("127.0.0.1", array('*')),
         array("127.0.0.1", '*'),
         array("128.0.0.1", '127.*,128.*'),
         array("192.168.0.1", '192.168.0.*'),
     );
     foreach ($accepted as $case) {
         list($ip, $allowed) = $case;
         $this->assertTrue(checkIP($ip, $allowed));
     }
     $rejected = array(
         array("192.168.0.1", '192.168.1.*'),
         array("192.168.0.1", ''),
     );
     foreach ($rejected as $case) {
         list($ip, $allowed) = $case;
         $this->assertTrue(!checkIP($ip, $allowed));
     }
 }
 /**
  * Check if SRV value is valid
  *
  * The value is lower-cased first and rejected when it is an IP address,
  * starts with a dot, contains "__" or "..", or uses any character outside
  * [0-9a-z._-].
  *
  *@param string $string value to be checked
  *@return int 1 if valid, 0 else
  */
 function checkSRVValue($string)
 {
     $value = strtolower($string);
     // value can't be an IP
     if (checkIP($value)) {
         return 0;
     }
     // dot cannot be first
     if (substr($value, 0, 1) === ".") {
         return 0;
     }
     // doubled separators are never valid
     foreach (array("__", "..") as $forbidden) {
         if (strpos($value, $forbidden) !== false) {
             return 0;
         }
     }
     // allowed chars: the whole string must consist of them
     $allowed = "0123456789abcdefghijklmnopqrstuvwxyz._-";
     $onlyAllowed = (strspn($value, $allowed) == strlen($value));
     return $onlyAllowed ? 1 : 0;
 }
<?php

// presumably defines getConnection(), which checkIP() below calls
include 'connection.php';
//database connection
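/**
 * Log the visitor in access_log and terminate the request unless the client
 * address is on the hard-coded allow-list.
 *
 * Allowed: the IPv6 loopback "::1", 148.61.*.*, 35.40.*.*, and
 * 207.72.160.0 - 207.72.191.255. The test works on the dot-separated parts
 * of REMOTE_ADDR, so "::1" only matches as a whole string.
 */
function checkIP()
{
    $db = getConnection();
    $ip = $_SERVER['REMOTE_ADDR'];
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // The User-Agent header is attacker-controlled; bind it as a parameter
    // instead of interpolating it into the INSERT as the original did.
    $sql = "INSERT INTO `access_log`\n            (accessid, system, ip, useragent, timestamp) VALUES\n            (NULL, 'traffic-input', ?, ?, SYSDATE())";
    $stmt = $db->prepare($sql);
    if ($db instanceof PDO) {
        $stmt->execute(array($ip, $ua));
    } else {
        // assumes getConnection() returns a mysqli object when it is not PDO
        // — confirm against connection.php
        $stmt->bind_param('ss', $ip, $ua);
        $stmt->execute();
    }
    $part = explode(".", $ip);
    $allowed = $part[0] == "::1"
        || ($part[0] == "148" && isset($part[1]) && $part[1] == "61")
        || ($part[0] == "35" && isset($part[1]) && $part[1] == "40")
        || ($part[0] == "207" && isset($part[1], $part[2]) && $part[1] == "72"
            && (int) $part[2] >= 160 && (int) $part[2] <= 191);
    if (!$allowed) {
        die;
    }
}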
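checkIP();
session_start();
// Any truthy ?logout= value clears the session; empty() avoids a notice when
// the parameter is absent.
if (!empty($_GET['logout'])) {
    $_SESSION = array();
    session_destroy();
}
// Anyone not logged in is sent to the login page. The original only emitted
// the Location header and kept executing whatever follows; stop here so the
// redirect is an actual access control rather than a hint to the browser.
// empty() is equivalent to the original "!= true" test without the notice.
if (empty($_SESSION['loggedIn'])) {
    header('location: login.php');
    exit;
}
include 'getFromDb.php';
//functions to retreive from database
include 'formDisplayFunctions.php';
//functions to display the form
date_default_timezone_set("America/Detroit");
//required for inserting the time into the database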
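 /**
  * Authenticate an administrator and open an admin session.
  *
  * Checks run in order: non-empty credentials, captcha (when enabled),
  * password format plus the per-session nonce, the allowed IP zone, the
  * account lookup, and the single-sign-on "already active" rule.
  *
  * @param string $username account name as submitted
  * @param string $password 32-character hex digest as submitted by the login form
  * @return int the manager id on success; otherwise -1 (empty credentials),
  *             -2 (captcha mismatch), -3 (password format or nonce mismatch),
  *             -4 (IP outside the allowed zone), -5 (unknown account or wrong
  *             password), -6 (account already active under sso)
  */
 public static function admin_login($username, $password)
 {
     global $_G;
     $globalSetting = $_G['setting']['global'];
     if (!$password || !$username) {
         // login fields must not be empty
         return -1;
     }
     if ($globalSetting['captcha']['show'] == 'on') {
         $postedCaptcha = isset($_POST['captcha']) ? $_POST['captcha'] : '';
         if (empty($_SESSION['captcha']) || strtolower($postedCaptcha) != strtolower($_SESSION['captcha'])) {
             // captcha mismatch
             return -2;
         }
     }
     // The form submits a 32-character hex digest. Requiring hex digits (not
     // just length 32) also makes the value inert inside the SQL below. The
     // nonce is compared as strings so that numeric-looking values such as
     // "1e1" and "10" do not compare equal.
     $nonceOk = !empty($_SESSION['RNDCODE'])
         && isset($_POST["rndcode"])
         && (string) $_SESSION['RNDCODE'] === (string) $_POST["rndcode"];
     if (strlen($password) != 32 || !ctype_xdigit($password) || !$nonceOk) {
         // security log; only the length is recorded, because a security log
         // is not a place to store submitted credentials
         self::insert_event("login", time(), time(), "尝试登录系统时使用密码不符合规则:len=" . strlen($password));
         // wrong password format or nonce
         return -3;
     }
     if ($globalSetting["ipzone"] && !checkIP(explode("\n", $globalSetting["ipzone"]), GetIP())) {
         // security log
         self::insert_event("login", time(), time(), "尝试登录系统时使用的IP不在允许的范围内:" . GetIP());
         // current IP is outside the authorised zone
         return -4;
     }
     // $username comes straight from the form and no binding API of self::$db
     // is visible here, so escape it before interpolation. (The stored format
     // is md5(password + salt); moving to a slow hash needs a schema change.)
     $account = addslashes($username);
     $sql = "SELECT id,gid,account,avatar,email,phone,theme,last_login,last_active,stat_login from `sys:admin` WHERE ( account='" . $account . "' and password = md5( concat( '" . $password . "', `salt` ) ) and `state`>0 ) LIMIT 0, 1";
     // query the database (Manager)
     $row = self::$db->getOne($sql);
     if (!is_array($row)) {
         // unknown account or wrong password
         return -5;
     }
     // a user may only be logged in once at a time
     if ($globalSetting["sso"] == "on" && $row["last_active"] && time() - $row["last_active"] <= $globalSetting["interval"]) {
         // this user is already logged in
         return -6;
     }
     // open the session
     self::admin_session($row);
     $time = time();
     // record the last activity of this user
     $sql = "UPDATE `sys:admin` SET stat_login=stat_login+1,last_ip='" . GetIP() . "',last_login='******',last_active=" . $time . " WHERE id = " . $_G['manager']['id'];
     self::$db->execute($sql);
     // clear the recent login log entries
     self::delete_event($_G['manager']['id'], "login");
     // write the log
     self::insert_event("login", $time, $time);
     return $_G['manager']['id'];
 }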
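 /**
  * Apply the submitted form: insert one new row (from the new_<column>
  * fields) and update or delete each existing row listed in $_POST["rows"].
  *
  * Validation errors are collected in $this->errors; a new-row error also
  * sets $this->newerror. Every value interpolated into SQL goes through
  * mysql_real_escape_string(), including the password values inside MD5()
  * and the row keys in WHERE clauses, which the original left unescaped
  * (MD5) or only addslashes()ed (WHERE).
  *
  * @return bool true when no error was recorded (see $this->error())
  */
 function update()
 {
     $okcols = 0;
     $qcols = '';
     $qvals = '';
     foreach ($this->columns as $col) {
         $value = '';
         // NOTE: !empty() also treats "0" as absent; kept from the original.
         if (!empty($_POST["new_{$col->name}"])) {
             $value = $_POST["new_{$col->name}"];
         }
         if ($value != "") {
             if ($col->type == "ipaddress" && !checkIP($value)) {
                 $this->errors[] = "Column '{$col->title}' requires a valid IP address for new row";
                 $this->newerror = true;
                 // presumably counted so the "$okcols == 0" branch below does not discard this error
                 $okcols++;
             } else {
                 if ($qcols) {
                     $qcols .= ", ";
                 }
                 $qcols .= $col->name;
                 if ($qvals) {
                     $qvals .= ", ";
                 }
                 if ($col->type == "password") {
                     // the password value is user input too: escape it inside MD5()
                     $qvals .= "MD5('" . mysql_real_escape_string($value) . "')";
                 } else {
                     $qvals .= "'" . mysql_real_escape_string($value) . "'";
                 }
                 if ($col->type != "select" && $col->type != "hidden" && $value != $col->datasource) {
                     $okcols++;
                 }
             }
         } elseif ($col->required) {
             $this->errors[] = "Required column '{$col->title}' must have a value for new row";
             $this->newerror = true;
         }
     }
     if ($okcols > 0 && !$this->errors) {
         mysql_query("\n\t\t\t\t\tINSERT INTO\n\t\t\t\t\t\t{$this->table}\n\t\t\t\t\t\t(\n\t\t\t\t\t\t\t{$qcols}\n\t\t\t\t\t\t)\n\t\t\t\t\tVALUES\n\t\t\t\t\t(\n\t\t\t\t\t\t{$qvals}\n\t\t\t\t\t)");
         if (mysql_error()) {
             $this->errors[] = "DB Error: " . mysql_error();
         }
     } elseif ($okcols == 0) {
         // nothing was entered for a new row: that is not an error
         $this->errors = array();
         $this->newerror = false;
     }
     if (!empty($_POST["rows"])) {
         foreach ($_POST["rows"] as $row) {
             $row = stripslashes($row);
             // the row key comes from the form: escape it wherever it reaches SQL
             $rowKey = mysql_real_escape_string($row);
             if (!empty($_POST[$row . "_delete"])) {
                 mysql_query("\n\t\t\t\t\t\t\tDELETE FROM\n\t\t\t\t\t\t\t\t{$this->table}\n\t\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\t\t{$this->keycol}='" . $rowKey . "'\n\t\t\t\t\t\t");
             } else {
                 $rowerror = false;
                 $query = "UPDATE {$this->table} SET ";
                 $i = 0;
                 foreach ($this->columns as $col) {
                     $value = '';
                     if (!empty($_POST[$row . "_" . $col->name])) {
                         $value = $_POST[$row . "_" . $col->name];
                     }
                     // the form echoes stored passwords as "(encrypted)"; leave those untouched
                     if ($col->type == "password" && $value == "(encrypted)") {
                         continue;
                     }
                     if ($value == "" && $col->required) {
                         $this->errors[] = "Required column '{$col->title}' must have a value for row '{$row}'";
                         $rowerror = true;
                     } elseif ($col->type == "ipaddress" && !checkIP($value)) {
                         $this->errors[] = "Column '{$col->title}' requires a valid IP address for row '{$row}'";
                         $rowerror = true;
                     }
                     if ($i > 0) {
                         $query .= ", ";
                     }
                     if ($col->type == "password") {
                         $query .= $col->name . "=MD5('" . mysql_real_escape_string($value) . "')";
                     } else {
                         $query .= $col->name . "='" . mysql_real_escape_string($value) . "'";
                     }
                     $i++;
                 }
                 $query .= " WHERE {$this->keycol}='" . $rowKey . "'";
                 // the statement is built for every row but only run when it validated
                 if (!$rowerror) {
                     mysql_query($query);
                 }
             }
         }
     }
     if ($this->error()) {
         return false;
     } else {
         return true;
     }
 }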
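 /**
  * Import the output of a zone transfer (dig axfr) into the database.
  *
  * Comment lines (";") are skipped; each "<name> <ttl> IN <type> <rdata>"
  * line becomes an INSERT into dns_record (or dns_confprimary for the first
  * SOA). Unsupported types, and NS targets that are neither an IP nor a
  * domain, are printed as errors and skipped. Afterwards records whose ttl
  * is 86400 are set to -1 — presumably the "use the zone default" marker,
  * given the SOA insert stores defaultttl='86400'.
  *
  * The zone name is inserted into two regular expressions; it is quoted with
  * preg_quote() so its dots (or any other metacharacter) cannot widen the
  * match. The original escaped dots by hand in one place and not at all in
  * the CNAME pattern.
  *
  * @param string $dig raw dig output, one record per line
  * @return int number of INSERTs issued; 0 on a database error (see $this->error)
  */
 function parseZoneInput($dig)
 {
     global $db, $l;
     $this->error = "";
     $first = 1;
     $dbqueries = 0;
     $diglist = explode("\n", $dig);
     foreach ($diglist as $line) {
         $query = "";
         if (!preg_match("/^\\s*;/", $line)) {
             if (preg_match("/^\\s*?(.*?)\\s+(.*?)\\s+IN\\s+(.*?)\\s+(.*)\\s*\$/", $line, $record)) {
                 $data = preg_split("/\\s+/", $record[4]);
                 // strip the zone suffix from the owner name to get the short name
                 $zonePattern = preg_quote($this->zonename, "/");
                 $shortname = preg_replace("/\\." . $zonePattern . "\\.\$/", "", $record[1]);
                 switch ($record[3]) {
                     case "SOA":
                         if ($first) {
                             $first = 0;
                             // split SOA params
                             if (preg_match("/([^\\s]+)\\s+([^\\s]+)\\s+([^\\s]+)\\s+([^\\s]+)\\s+([^\\s]+)\\s*\$/", $record[4], $soa)) {
                                 // $soa[1] serial, $soa[2] refresh, $soa[3] retry,
                                 // $soa[4] expire, $soa[5] negative caching
                                 $query = sprintf("INSERT INTO dns_confprimary\n                    (zoneid,serial,refresh,retry,expiry,minimum,xfer,defaultttl)\n                    VALUES('%s', '%s', '%s', '%s', '%s', '%s', 'any', '86400')", $this->zoneid, mysql_real_escape_string(intval($soa[1])), mysql_real_escape_string(intval($soa[2])), mysql_real_escape_string(intval($soa[3])), mysql_real_escape_string(intval($soa[4])), mysql_real_escape_string(intval($soa[5])));
                             }
                             // SOA params match
                         }
                         break;
                     case "NS":
                         if (!checkIP($data[0]) && !checkDomain($data[0])) {
                             print "<p><span class=\"error\">" . $l['str_log_unknown'] . "</span>" . "<br>\n" . $line . "\n</p>";
                             break;
                         }
                         // if NS on zone, create NS. Otherwise, create subns.
                         if (!strcmp($this->zonename . ".", $record[1])) {
                             $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,ttl)\n                    VALUES ('%s', 'NS', '%s', '%s')", $this->zoneid, mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                         } else {
                             // subns
                             $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n                    VALUES ('%s', 'SUBNS', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                         }
                         break;
                     case "MX":
                         $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,val3,ttl)\n                  VALUES ('%s', 'MX', '%s', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($data[1]), mysql_real_escape_string($record[2]));
                         break;
                     case "A":
                         $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n                  VALUES ('%s', 'A', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                         break;
                     case "AAAA":
                         $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n                  VALUES ('%s', 'AAAA', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                         break;
                     case "CNAME":
                         // a target inside this zone is stored relative to it; the dots
                         // around the zone name are literal here, not "any character"
                         if (preg_match("/^(.*)\\." . $zonePattern . "\\.\$/", $data[0], $tmp)) {
                             $data[0] = $tmp[1];
                         }
                         $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n                  VALUES ('%s', 'CNAME', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                         break;
                     case "PTR":
                         $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n                  VALUES ('%s', 'PTR', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                         break;
                     case "SRV":
                         $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,val3,val4,val5,ttl)\n                  VALUES ('%s', 'SRV', '%s', '%s', '%s', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($data[1]), mysql_real_escape_string($data[2]), mysql_real_escape_string($data[3]), mysql_real_escape_string($record[2]));
                         break;
                     case "TXT":
                         // join split quoted strings and drop the outer quotes
                         $txt = $record[4];
                         $txt = str_replace('" "', '', $txt);
                         $txt = trim($txt, '"');
                         $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n                  VALUES ('%s', 'TXT', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($txt), mysql_real_escape_string($record[2]));
                         break;
                     default:
                         print "<p><span class=\"error\">" . $l['str_log_unknown'] . "</span>" . "<br>\n" . $line . "\n</p>";
                 }
                 if (!empty($query)) {
                     $dbqueries++;
                     $db->query($query);
                     if ($db->error()) {
                         $this->error = $l['str_trouble_with_db'];
                         return 0;
                     }
                 }
             }
             // standard line
         }
         // not ";" beginning line
     }
     // end foreach line of dig result
     $query = "UPDATE dns_record SET ttl='-1' WHERE ttl='86400' AND zoneid='" . $this->zoneid . "';";
     $db->query($query);
     if (!$dbqueries) {
         // nothing imported: keep the raw dig output so the caller can show it
         $this->error .= '<pre>' . $dig . '</pre>';
     }
     return $dbqueries;
 }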
}
/*
 * Used to display a message to the user on the
 * add-ban status (set below when the submitted ban is rejected)
 */
$msg = "";
/*
 * See if an add IP ban was requested; any pending ban left in the
 * session by an earlier request is discarded first.
 */
unset($_SESSION['addban']);
if (isset($_POST['addbanip'])) {
    if (strlen($_POST['addbanip']) > 0) {
        /*
         * Do a simple check to make sure IP is valid.
         */
        if (checkIP($_POST['addbanip'])) {
            if (isset($_POST['addbanreason'])) {
                if (strlen($_POST['addbanreason']) > 0) {
                    if (isset($_POST['addbanlength'])) {
                        if ($_POST['addbanlength'] == 0 || !is_numeric($_POST['addbanlength'])) {
                            $_SESSION['addban'] = array('ip' => $_POST['addbanip'], 'reason' => $_POST['addbanreason'], 'date' => date("Y-m-d"));
                        } else {
                            $_SESSION['addban'] = array('ip' => $_POST['addbanip'], 'reason' => $_POST['addbanreason'], 'date' => date("Y-m-d"), 'expiry' => date("Y-m-d", time() + $_POST['addbanlength'] * 86400), 'banlength' => $_POST['addbanlength']);
                        }
                    } else {
                        $_SESSION['addban'] = array('ip' => $_POST['addbanip'], 'reason' => $_POST['addbanreason'], 'date' => date("Y-m-d"));
                    }
                } else {
                    $msg = "You need to specify a ban reason. If you continue, the ban will NOT be added.";
                }
            } else {