/**
 * Run the add-ons that pre-process user input before it is handled.
 *
 * The conversation state is passed through checkIP() and, when the global
 * output format is 'html', the input text is run through parseInput().
 *
 * @param mixed  $convoArr conversation state, replaced in place by checkIP()'s result
 * @param string $say      raw user input
 * @return string the input, parsed when $format is 'html', otherwise unchanged
 */
function run_pre_input_addons(&$convoArr, $say)
{
    global $format;

    $convoArr = checkIP($convoArr);
    if ($format != 'html') {
        return $say;
    }

    return parseInput($say);
}
/**
 * Best-effort client address lookup from the CGI environment.
 *
 * HTTP_CLIENT_IP is derived from a request header, so its value is chosen by
 * the client (or by a proxy in front of the server) and should only be relied
 * on behind a proxy that sets it; REMOTE_ADDR is the peer address seen by the
 * web server. The first candidate accepted by checkIP() wins.
 *
 * @return string the accepted address, or "unknown" when neither candidate passes
 */
function getClientIPAddress()
{
    $candidates = array('HTTP_CLIENT_IP', 'REMOTE_ADDR');
    foreach ($candidates as $envName) {
        $value = getenv($envName);
        if (checkIP($value)) {
            return $value;
        }
    }

    return "unknown";
}
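/**
 * Created by PhpStorm.
 * User: tanggaolin
 * Date: 15-7-28
 * Time: 下午10:01
 */

/**
 * Resolve the client address, preferring proxy-supplied headers.
 *
 * Candidates are HTTP_CLIENT_IP followed by the entries of X-Forwarded-For
 * (leftmost first); the first one accepted by checkIP() is returned. Both
 * headers are request-supplied and can be set by the client, so the result is
 * only meaningful behind a proxy that overwrites them; REMOTE_ADDR is the
 * address the server itself observed.
 *
 * @return string the accepted candidate, or REMOTE_ADDR when none is accepted
 */
function getRealIp()
{
    $candidates = array();
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        // HTTP_CLIENT_IP is validated like every other candidate instead of
        // being returned unchecked when X-Forwarded-For is absent
        $candidates[] = $_SERVER['HTTP_CLIENT_IP'];
    }
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For is "client, proxy1, proxy2"; split on the comma alone
        // and trim so entries without a following space are still recognised
        foreach (explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']) as $entry) {
            $candidates[] = trim($entry);
        }
    }

    $ip = false;
    foreach ($candidates as $candidate) {
        if (checkIP($candidate)) {
            $ip = $candidate;
            break;
        }
    }

    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if ($ip === false && $remoteAddr === '127.0.0.1') {
        // NOTE(review): emitting output from a getter is surprising and looks
        // like leftover debugging; kept until a caller is confirmed not to rely on it.
        echo 'unknown';
    }

    return $ip ? $ip : $remoteAddr;
}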
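/**
 * Determine the client address from the usual proxy headers.
 *
 * Order: HTTP_CLIENT_IP, each entry of HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED,
 * HTTP_X_CLUSTER_CLIENT_IP, HTTP_FORWARDED_FOR, HTTP_FORWARDED; the first value
 * accepted by checkIP() wins, REMOTE_ADDR is the fallback. Every HTTP_* entry
 * is a request header and can be chosen by the client, so the result is only
 * trustworthy behind a proxy that rewrites those headers; REMOTE_ADDR is the
 * only value set by the server itself.
 *
 * @return string the accepted address (X-Forwarded-For entries are returned trimmed)
 */
function determineIP()
{
    if (isset($_SERVER["HTTP_CLIENT_IP"]) && checkIP($_SERVER["HTTP_CLIENT_IP"])) {
        return $_SERVER["HTTP_CLIENT_IP"];
    }

    if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        // comma-separated chain; entries normally carry a leading space after
        // the comma, so the trimmed value is what gets validated and returned
        foreach (explode(",", $_SERVER["HTTP_X_FORWARDED_FOR"]) as $ip) {
            $ip = trim($ip);
            if (checkIP($ip)) {
                return $ip;
            }
        }
    }

    // single-value headers, checked in the same order as before
    $singleValueHeaders = array(
        "HTTP_X_FORWARDED",
        "HTTP_X_CLUSTER_CLIENT_IP",
        "HTTP_FORWARDED_FOR",
        "HTTP_FORWARDED",
    );
    foreach ($singleValueHeaders as $header) {
        if (isset($_SERVER[$header]) && checkIP($_SERVER[$header])) {
            return $_SERVER[$header];
        }
    }

    return $_SERVER["REMOTE_ADDR"];
}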
} $content .= sprintf($html->string_error, $toprint) . '<br>'; $localerror = 1; } } } } // end no error after empty checks if (!$localerror) { // **************************************** // * Create new zone * // **************************************** // import zone content if (!empty($serverimport)) { // check if server is IP or NS name if (!(checkIP($serverimport) || checkDomain($serverimport))) { $content .= sprintf($html->string_warning, $l['str_bad_serverimport_name']); $server = ""; } } if (0) { if (!empty($zonearea)) { if (strcmp($zonetypenew, 'P')) { $content .= sprintf($html->string_warning, $l['str_no_zonearea']); $zonearea = ""; } } } if ($config->usergroups) { // if usergroups, zone is owned by // group and not individuals
session_start(); include 'includes/globals.php'; include 'includes/functions.php'; $database = new Database(); $username = trim($_POST['username']); $passwd = trim($_POST['password']); $ipaddress = $_SERVER["REMOTE_ADDR"]; $captcha_test = intval($_POST['captcha_challenge']); $sql = "INSERT INTO LoginAttempts (ip,attempts,login,Last) VALUES ( :ipaddress, :attempts, :username, NOW())"; $database->query($sql); $database->bind(':ipaddress', $ipaddress); $database->bind(':attempts', 1); $database->bind(':username', $username); $database->execute(); //Check IP $ipcheck = checkIP($ipaddress, $username); if ($ipcheck == true) { $sql = "SELECT * FROM users WHERE user_login=:user_login"; $database->query($sql); $database->bind(':user_login', $username); $row_user = $database->single(); $check_passwd = password_verify($passwd, $row_user['user_passwd']); if ($check_passwd) { //Cookie if ($_POST["remember"] == "1") { $identifier = hash('sha256', $row_user['user_id'] . KEY); $token = md5(uniqid(rand(), TRUE)); $timeout = time() + 60 * 60 * 24 * 365; $date = date("Y-m-d H:i:s", $timeout); setcookie("oauth", "{$identifier}:{$token}", $timeout); $sql = "INSERT INTO auth_tokens (identifier,token,userid,expires) VALUES (:identifier,:token, :userid, :expires)";
/**
 * Check that the current request may proceed.
 *
 * Referrer, IP ban list and token are verified first; any failure is handed to
 * death(), which tears down the session and redirects. After that the session
 * must carry an id_user that decrypts to id_user() and must not be expired; a
 * valid session gets its expiry pushed forward.
 *
 * @return mixed true when everything is fine, false when the session is missing,
 *               expired or belongs to someone else, otherwise death()'s return value
 */
function is_ok()
{
    global $auto_restrict;

    // fatal problems
    if (!checkReferer()) {
        return death("You are definitely NOT from here !");
    }
    if (!checkIP()) {
        return death("Hey... you were banished, f**k off !");
    }
    if (!checkToken()) {
        return death("You need a valid token to do that, boy !");
    }
    // if (checkCookie()) { return true; }

    if (!isset($_SESSION['id_user'])) {
        return false;
    }

    $expired = $_SESSION['expire'] < time();
    $sessionUser = Dechiffre($_SESSION['id_user'], $auto_restrict['encryption_key']);
    $currentUser = id_user();
    // identity problem or expired session (loose comparison: ids may be numeric strings)
    if ($sessionUser != $currentUser || $expired) {
        return false;
    }

    // all fine: the session survives a little longer
    $_SESSION['expire'] = time() + 60 * $auto_restrict['session_expiration_delay'];
    return true;
}
/**
 * Check that the current request may proceed.
 *
 * A session must exist; then referrer, IP ban list and token are verified, each
 * failure being handed to death() (session teardown and redirect). Finally the
 * session's id_user, decrypted with the per-user key, must equal id_user() and
 * the session must not be expired; a valid session gets its expiry extended.
 *
 * @return mixed true when everything is fine, false when the session is missing,
 *               expired or belongs to someone else, otherwise death()'s return value
 */
function is_ok()
{
    global $auto_restrict;

    if (!isset($_SESSION['id_user'])) {
        return false;
    }

    # fatal problems
    if (!checkReferer()) {
        return death('<div class="error">You are definitely NOT from here !</div>');
    }
    if (!checkIP()) {
        return death('<div class="error">Hey... you were banished, f**k off !</div>');
    }
    if (!checkToken()) {
        return death('<div class="error">Invalid token</div>');
    }
    # if (checkCookie()) { return true; }

    $expired = $_SESSION['expire'] < time();
    $userKey = $auto_restrict['users'][$_SESSION['login']]['encryption_key'];
    $sessionUser = Dechiffre($_SESSION['id_user'], $userKey);
    $currentUser = id_user();
    # identity problem or expired session (loose comparison: ids may be numeric strings)
    if ($sessionUser != $currentUser || $expired) {
        return false;
    }

    # all fine: the session survives a little longer
    $_SESSION['expire'] = time() + 60 * $auto_restrict['session_expiration_delay'];
    return true;
}
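/**
 * Do an axfr dig of a zone
 *
 * Only a $server that passes checkIP() or checkDomain() reaches the shell; $zone
 * is not validated beyond being quoted, so callers should validate it as a
 * domain name before calling.
 *
 * @param string $server server to dig
 * @param string $zone zone to dig
 * @return string dig result, "" when the server name is rejected or dig produced no output
 */
function zoneDig($server, $zone)
{
    global $config;

    if (!checkIP($server) && !checkDomain($server)) {
        return "";
    }

    // every operand is quoted on its own; the bind address comes from config but
    // is quoted the same way instead of being wrapped in bare single quotes
    $server = escapeshellarg($server);
    $zone = escapeshellarg($zone);
    $nsaddress = escapeshellarg($config->nsaddress);
    // escapeshellcmd() is applied over the already-quoted operands: a quote or
    // backslash inside an operand is mangled rather than interpreted, and the
    // dig binary path from config is escaped along with everything else
    $cmd = escapeshellcmd("{$config->bindig} @{$server} {$zone} axfr -b {$nsaddress}");
    $result = shell_exec($cmd);

    // shell_exec() yields null when there is no output or an error, false when
    // the pipe could not be set up; both become ""
    return is_string($result) ? $result : "";
}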
/**
 * checkIP() must accept an address covered by the allowed pattern(s) and reject
 * one that is not; patterns may be given as an array or as a comma-separated string.
 */
public function testCheckIP()
{
    // each case: address, allowed pattern(s), whether it should be accepted
    $cases = array(
        array("127.0.0.1", array('*'), true),
        array("127.0.0.1", '*', true),
        array("128.0.0.1", '127.*,128.*', true),
        array("192.168.0.1", '192.168.0.*', true),
        array("192.168.0.1", '192.168.1.*', false),
        array("192.168.0.1", '', false),
    );
    foreach ($cases as $case) {
        list($address, $allowed, $accepted) = $case;
        $result = checkIP($address, $allowed);
        $this->assertTrue($accepted ? $result : !$result);
    }
}
/**
 * Check if SRV value is valid
 *
 * The value is lower-cased, must not be an IP address, must not start with a
 * dot, must not contain "__" or "..", and may only use [0-9a-z._-].
 *
 * @param string $string value to be checked
 * @return int 1 if valid, 0 else
 */
function checkSRVValue($string)
{
    $string = strtolower($string);

    // value can't be an IP
    if (checkIP($string)) {
        return 0;
    }

    // dot cannot be first
    if ($string !== "" && $string[0] === ".") {
        return 0;
    }

    // forbidden sequences
    $forbidden = array("__", "..");
    foreach ($forbidden as $sequence) {
        if (strpos($string, $sequence) !== false) {
            return 0;
        }
    }

    // allowed chars: the whole string must consist of them
    $allowed = "0123456789abcdefghijklmnopqrstuvwxyz._-";
    $valid = strspn($string, $allowed) == strlen($string);

    return $valid ? 1 : 0;
}
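<?php
include 'connection.php'; //database connection

/**
 * Gate the page on the remote address.
 *
 * Every visit is written to access_log; the script then terminates unless
 * REMOTE_ADDR is the IPv6 loopback or falls inside one of the hard-coded
 * address ranges below.
 */
function checkIP()
{
    $db = getConnection();
    $ip = $_SERVER['REMOTE_ADDR'];
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // FIXME(security): $ua is the client-supplied User-Agent header interpolated
    // straight into SQL. The connection type returned by getConnection() is not
    // visible here, so this needs a prepared statement with bound parameters for
    // whichever driver it is (PDO or mysqli).
    $db->query("INSERT INTO `access_log`\n (accessid, system, ip, useragent, timestamp) VALUES\n (NULL, 'traffic-input', '{$ip}', '{$ua}', SYSDATE())");

    // pad so a non-dotted address (e.g. IPv6) does not raise undefined-index notices
    $octets = array_pad(explode(".", $ip), 4, null);
    $allowed = $octets[0] == "::1"
        || ($octets[0] == "148" && $octets[1] == "61")
        || ($octets[0] == "35" && $octets[1] == "40")
        || ($octets[0] == "207" && $octets[1] == "72" && $octets[2] >= 160 && $octets[2] <= 191);
    if (!$allowed) {
        die;
    }
}
checkIP();

session_start();
if (!empty($_GET['logout'])) {
    $_SESSION = array();
    session_destroy();
}
if (empty($_SESSION['loggedIn'])) {
    header('location: login.php');
    // stop here: without exit the remaining includes would still run and the
    // page body would be sent along with the redirect header
    exit;
}
include 'getFromDb.php'; //functions to retreive from database
include 'formDisplayFunctions.php'; //functions to display the form
date_default_timezone_set("America/Detroit"); //required for inserting the time into the database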
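/**
 * Authenticate an administrator and open the admin session.
 *
 * $password is expected to be the 32-character MD5 digest computed on the
 * client; the query re-hashes it with the account's salt. Rejected attempts
 * that reach the password or IP checks are recorded with insert_event().
 *
 * Return codes:
 *   -1 empty username or password
 *   -2 captcha enabled and the posted captcha does not match the session value
 *   -3 password is not a 32-character hex digest, or the posted random code
 *      does not match $_SESSION['RNDCODE']
 *   -4 client IP outside the configured ipzone
 *   -5 no matching account (wrong credentials or disabled account)
 *   -6 single sign-on enabled and the account was active within the interval
 *   otherwise the manager id of the logged-in account
 *
 * @param string $username
 * @param string $password client-side MD5 digest of the password
 * @return int
 */
public static function admin_login($username, $password)
{
    global $_G;
    if (!$password || !$username) {
        //登录信息不能为空! (login information must not be empty)
        return -1;
    }

    $captchaRequired = $_G['setting']['global']['captcha']['show'] == 'on';
    $postedCaptcha = isset($_POST['captcha']) ? strtolower($_POST['captcha']) : '';
    // strict comparison: "!=" would treat numeric-looking codes such as "1e1" and "10" as equal
    if ($captchaRequired && (empty($_SESSION['captcha']) || $postedCaptcha !== strtolower($_SESSION['captcha']))) {
        //验证码输入错误! (captcha mismatch)
        return -2;
    }

    // the digest must be exactly 32 hex characters: anything else can never
    // match md5() in the query and is not allowed to reach the SQL string
    $postedCode = isset($_POST["rndcode"]) ? (string) $_POST["rndcode"] : '';
    if (strlen($password) != 32 || !ctype_xdigit($password) || empty($_SESSION['RNDCODE']) || (string) $_SESSION['RNDCODE'] !== $postedCode) {
        //写入安全日志 (security log; the submitted digest is recorded in the event text)
        self::insert_event("login", time(), time(), "尝试登录系统时使用密码不符合规则:" . $password);
        //密码或随机验证输入错误! (password or random code mismatch)
        return -3;
    }

    if ($_G['setting']['global']["ipzone"] && !checkIP(explode("\n", $_G['setting']['global']["ipzone"]), GetIP())) {
        //写入安全日志
        self::insert_event("login", time(), time(), "尝试登录系统时使用的IP不在允许的范围内:" . GetIP());
        //当前IP不在授权的范围! (client IP outside the authorised range)
        return -4;
    }

    // FIXME(security): $username is concatenated into the statement unescaped.
    // The wrapper behind self::$db is not visible here; bind it as a parameter
    // or quote it with the wrapper's escaping function.
    $sql = "SELECT id,gid,account,avatar,email,phone,theme,last_login,last_active,stat_login from `sys:admin` WHERE ( account='" . $username . "' and password = md5( concat( '" . $password . "', `salt` ) ) and `state`>0 ) LIMIT 0, 1";
    //查询数据库(Manager)
    $row = self::$db->getOne($sql);
    if (!is_array($row)) {
        //用户名或密码错误! (unknown account or wrong password)
        return -5;
    }

    //同一用户只能登录一次 (an account may only be logged in once)
    if ($_G['setting']['global']["sso"] == "on" && $row["last_active"] && time() - $row["last_active"] <= $_G['setting']['global']["interval"]) {
        //该用户已经在登录状态! (account already logged in)
        return -6;
    }

    //设置Session
    self::admin_session($row);
    $time = time();
    //更新用户最后活动信息 (login counter, last IP and last activity)
    $sql = "UPDATE `sys:admin` SET stat_login=stat_login+1,last_ip='" . GetIP() . "',last_login='******',last_active=" . $time . " WHERE id = " . $_G['manager']['id'];
    self::$db->execute($sql);
    //清除最近的登录日志 (clear the recent login events of this manager)
    self::delete_event($_G['manager']['id'], "login");
    //写入日志
    self::insert_event("login", $time, $time);
    return $_G['manager']['id'];
}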
/**
 * Apply the posted form to the table: insert the "new row" when any of its
 * columns were filled in, then delete or update each row listed in $_POST["rows"].
 *
 * All values come straight from $_POST. Non-password values pass through
 * mysql_escape_string() and row keys through addslashes(); password values are
 * interpolated into MD5('...') without escaping, so a quote in a posted
 * password breaks out of the literal. Table, column and key names come from
 * $this->table / $this->columns / $this->keycol and are interpolated as-is.
 *
 * @return bool false when $this->error() reports an error after processing, true otherwise
 */
function update()
{
    // ---- new row ----
    $okcols = 0;   // number of new-row columns that count as user-entered data
    $qcols = '';   // comma-separated column list for the INSERT
    $qvals = '';   // comma-separated value list for the INSERT
    foreach ($this->columns as $col) {
        $value = '';
        if (!empty($_POST["new_{$col->name}"])) {
            $value = $_POST["new_{$col->name}"];
        }
        if ($value != "") {
            if ($col->type == "ipaddress" && !checkIP($value)) {
                $this->errors[] = "Column '{$col->title}' requires a valid IP address for new row";
                $this->newerror = true;
                // NOTE(review): the counter is also bumped on this error path, which
                // keeps the error from being discarded by the "$okcols == 0" reset
                // further down; confirm that this is intended.
                $okcols++;
            } else {
                if ($qcols) {
                    $qcols .= ", ";
                }
                $qcols .= $col->name;
                if ($qvals) {
                    $qvals .= ", ";
                }
                if ($col->type == "password") {
                    // the raw value is placed inside the MD5() literal unescaped
                    $qvals .= "MD5('{$value}')";
                } else {
                    $qvals .= "'" . mysql_escape_string($value) . "'";
                }
                // select/hidden columns and values equal to the column's datasource
                // are not counted as user-entered data
                if ($col->type != "select" && $col->type != "hidden" && $value != $col->datasource) {
                    $okcols++;
                }
            }
        } elseif ($col->required) {
            $this->errors[] = "Required column '{$col->title}' must have a value for new row";
            $this->newerror = true;
        }
    }
    if ($okcols > 0 && !$this->errors) {
        mysql_query("\n\t\t\t\t\tINSERT INTO\n\t\t\t\t\t\t{$this->table}\n\t\t\t\t\t\t(\n\t\t\t\t\t\t\t{$qcols}\n\t\t\t\t\t\t)\n\t\t\t\t\tVALUES\n\t\t\t\t\t(\n\t\t\t\t\t\t{$qvals}\n\t\t\t\t\t)");
        if (mysql_error()) {
            $this->errors[] = "DB Error: " . mysql_error();
        }
    } elseif ($okcols == 0) {
        // no counted column for the new row: all errors collected so far are dropped
        $this->errors = array();
        $this->newerror = false;
    }

    // ---- existing rows ----
    if (!empty($_POST["rows"])) {
        foreach ($_POST["rows"] as $row) {
            $row = stripslashes($row);
            if (!empty($_POST[$row . "_delete"])) {
                mysql_query("\n\t\t\t\t\t\t\tDELETE FROM\n\t\t\t\t\t\t\t\t{$this->table}\n\t\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\t\t{$this->keycol}='" . addslashes($row) . "'\n\t\t\t\t\t\t");
            } else {
                $rowerror = false;
                $query = "UPDATE {$this->table} SET ";
                $i = 0;   // number of SET clauses emitted so far
                foreach ($this->columns as $col) {
                    $value = '';
                    if (!empty($_POST[$row . "_" . $col->name])) {
                        $value = $_POST[$row . "_" . $col->name];
                    }
                    // "(encrypted)" is the placeholder posted back for stored passwords:
                    // leave that column untouched
                    if ($col->type == "password" && $value == "(encrypted)") {
                        continue;
                    }
                    if ($value == "" && $col->required) {
                        $this->errors[] = "Required column '{$col->title}' must have a value for row '{$row}'";
                        $rowerror = true;
                    } elseif ($col->type == "ipaddress" && !checkIP($value)) {
                        $this->errors[] = "Column '{$col->title}' requires a valid IP address for row '{$row}'";
                        $rowerror = true;
                    }
                    if ($i > 0) {
                        $query .= ", ";
                    }
                    if ($col->type == "password") {
                        // the raw value is placed inside the MD5() literal unescaped
                        $query .= $col->name . "=MD5('{$value}')";
                    } else {
                        $query .= $col->name . "='" . mysql_escape_string($value) . "'";
                    }
                    $i++;
                }
                $query .= " WHERE {$this->keycol}='" . addslashes($row) . "'";
                // the UPDATE is only executed when every column of the row validated
                if (!$rowerror) {
                    mysql_query($query);
                }
            }
        }
    }
    if ($this->error()) {
        return false;
    } else {
        return true;
    }
}
/**
 * Import the records of a zone from an "axfr" dig output into the database.
 *
 * Each non-comment line matching "<name> <ttl> IN <type> <rdata>" becomes one
 * INSERT: the first SOA fills dns_confprimary, the other supported types (NS,
 * MX, A, AAAA, CNAME, PTR, SRV, TXT) fill dns_record. Unknown types, and NS
 * targets that are neither an IP nor a domain, are reported with print and
 * skipped. Afterwards every record whose ttl is the '86400' default is reset
 * to '-1'. On a database error $this->error is set and 0 is returned.
 *
 * Record values are escaped with mysql_real_escape_string(); $this->zoneid and
 * $this->zonename are used unescaped (presumably an integer id and a validated
 * zone name — TODO confirm). Lines echoed in the error paragraphs are written
 * to the HTML without htmlspecialchars().
 *
 * @param string $dig raw dig output, one record per line
 * @return int number of queries issued; 0 also means "nothing imported", in
 *             which case the dig output is appended to $this->error
 */
function parseZoneInput($dig)
{
    global $db, $l;
    $this->error = "";
    $first = 1;        // only the first SOA line is imported
    $dbqueries = 0;
    $diglist = explode("\n", $dig);
    foreach ($diglist as $line) {
        $query = "";
        // lines starting with ";" are dig comments
        if (!preg_match("/^\\s*;/", $line)) {
            // $record: 1 = owner name, 2 = ttl, 3 = type, 4 = rdata
            if (preg_match("/^\\s*?(.*?)\\s+(.*?)\\s+IN\\s+(.*?)\\s+(.*)\\s*\$/", $line, $record)) {
                $data = preg_split("/\\s+/", $record[4]);
                // owner name relative to the zone: strip the trailing ".<zone>."
                // (only the dots of the zone name are escaped before it is used as
                // a pattern; preg_quote() would also cover other metacharacters)
                $shortname = preg_replace("/\\./", "\\.", $this->zonename);
                $shortname = preg_replace("/\\." . $shortname . "\\.\$/", "", $record[1]);
                switch ($record[3]) {
                    case "SOA":
                        if ($first) {
                            $first = 0;
                            // split SOA params
                            if (preg_match("/([^\\s]+)\\s+([^\\s]+)\\s+([^\\s]+)\\s+([^\\s]+)\\s+([^\\s]+)\\s*\$/", $record[4], $soa)) {
                                /* serial $soa[1] refresh $soa[2]; retry $soa[3]; expire $soa[4]; negative caching $soa[5]; */
                                // the SOA numbers are intval()'d before escaping; xfer and
                                // defaultttl get fixed values
                                $query = sprintf("INSERT INTO dns_confprimary\n (zoneid,serial,refresh,retry,expiry,minimum,xfer,defaultttl)\n VALUES('%s', '%s', '%s', '%s', '%s', '%s', 'any', '86400')", $this->zoneid, mysql_real_escape_string(intval($soa[1])), mysql_real_escape_string(intval($soa[2])), mysql_real_escape_string(intval($soa[3])), mysql_real_escape_string(intval($soa[4])), mysql_real_escape_string(intval($soa[5])));
                            } // SOA params match
                        }
                        break;
                    case "NS":
                        // the NS target must be an address or a domain name
                        if (!checkIP($data[0]) && !checkDomain($data[0])) {
                            print "<p><span class=\"error\">" . $l['str_log_unknown'] . "</span>" . "<br>\n" . $line . "\n</p>";
                            break;
                        }
                        // if NS on zone, create NS. Otherwise, create subns.
                        if (!strcmp($this->zonename . ".", $record[1])) {
                            $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,ttl)\n VALUES ('%s', 'NS', '%s', '%s')", $this->zoneid, mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                        } else {
                            // subns
                            $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n VALUES ('%s', 'SUBNS', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                        }
                        break;
                    case "MX":
                        // val1 = owner, val2 = priority, val3 = exchange
                        $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,val3,ttl)\n VALUES ('%s', 'MX', '%s', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($data[1]), mysql_real_escape_string($record[2]));
                        break;
                    case "A":
                        $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n VALUES ('%s', 'A', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                        break;
                    case "AAAA":
                        $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n VALUES ('%s', 'AAAA', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                        break;
                    case "CNAME":
                        // strip the zone suffix from the target; here the dots and the
                        // zone name are inserted into the pattern unescaped, so "." matches
                        // any character
                        if (preg_match("/^(.*)." . $this->zonename . ".\$/", $data[0], $tmp)) {
                            $data[0] = $tmp[1];
                        }
                        $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n VALUES ('%s', 'CNAME', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                        break;
                    case "PTR":
                        $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n VALUES ('%s', 'PTR', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($record[2]));
                        break;
                    case "SRV":
                        // val2..val5 = priority, weight, port, target
                        $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,val3,val4,val5,ttl)\n VALUES ('%s', 'SRV', '%s', '%s', '%s', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($data[0]), mysql_real_escape_string($data[1]), mysql_real_escape_string($data[2]), mysql_real_escape_string($data[3]), mysql_real_escape_string($record[2]));
                        break;
                    case "TXT":
                        // join split quoted strings and drop the surrounding quotes
                        $txt = $record[4];
                        $txt = str_replace('" "', '', $txt);
                        $txt = trim($txt, '"');
                        $query = sprintf("INSERT INTO dns_record (zoneid,type,val1,val2,ttl)\n VALUES ('%s', 'TXT', '%s', '%s', '%s')", $this->zoneid, mysql_real_escape_string($shortname), mysql_real_escape_string($txt), mysql_real_escape_string($record[2]));
                        break;
                    default:
                        print "<p><span class=\"error\">" . $l['str_log_unknown'] . "</span>" . "<br>\n" . $line . "\n</p>";
                }
                if (!empty($query)) {
                    $dbqueries++;
                    $db->query($query);
                    if ($db->error()) {
                        // abort on the first database error; earlier inserts are not rolled back
                        $this->error = $l['str_trouble_with_db'];
                        return 0;
                    }
                }
            } // standard line
        } // not ";" beginning line
    } // end foreach line of dig result

    // '86400' is the default ttl written above; '-1' marks "use the zone default"
    $query = "UPDATE dns_record SET ttl='-1' WHERE ttl='86400' AND zoneid='" . $this->zoneid . "';";
    $db->query($query);
    if (!$dbqueries) {
        $this->error .= '<pre>' . $dig . '</pre>';
    }
    return $dbqueries;
}
} /* * Used to display a message to the user on the * add ban stat */ $msg = ""; /* * See if an add IP ban was requested */ unset($_SESSION['addban']); if (isset($_POST['addbanip'])) { if (strlen($_POST['addbanip']) > 0) { /* * Do a simple check to make sure IP is valid. */ if (checkIP($_POST['addbanip'])) { if (isset($_POST['addbanreason'])) { if (strlen($_POST['addbanreason']) > 0) { if (isset($_POST['addbanlength'])) { if ($_POST['addbanlength'] == 0 || !is_numeric($_POST['addbanlength'])) { $_SESSION['addban'] = array('ip' => $_POST['addbanip'], 'reason' => $_POST['addbanreason'], 'date' => date("Y-m-d")); } else { $_SESSION['addban'] = array('ip' => $_POST['addbanip'], 'reason' => $_POST['addbanreason'], 'date' => date("Y-m-d"), 'expiry' => date("Y-m-d", time() + $_POST['addbanlength'] * 86400), 'banlength' => $_POST['addbanlength']); } } else { $_SESSION['addban'] = array('ip' => $_POST['addbanip'], 'reason' => $_POST['addbanreason'], 'date' => date("Y-m-d")); } } else { $msg = "You need to specify a ban reason. If you continue, the ban will NOT be added."; } } else {