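} else {
    $msg = '';
}

// Every request field is mandatory. A missing one stops the script with a
// plain "ERROR: ..." string, which is what the caller gets back verbatim.
if (empty($_REQUEST['to'])) {
    die('ERROR: no recipient');
}
$recipient = new GeographUser($_REQUEST['to']);

// NOTE(review): stripslashes() on request data assumes magic_quotes_gpc; without
// it, backslashes the user actually typed are removed - confirm intent.
if (empty($_REQUEST['from_name'])) {
    die('ERROR: no name');
}
$from_name = stripslashes($_REQUEST['from_name']);

if (empty($_REQUEST['from_email'])) {
    die('ERROR: no email');
}
$from_email = stripslashes($_REQUEST['from_email']);

// Domain is restricted to word characters and dots before it is used anywhere;
// the pattern excludes backslashes, so stripslashes() below is a no-op on it.
if (empty($_REQUEST['domain']) || !preg_match('/^[\\w.]+$/', $_REQUEST['domain'])) {
    die('ERROR: no domain');
}
$domain = stripslashes($_REQUEST['domain']);

if (empty($_REQUEST['message'])) {
    die('ERROR: no message');
}
// $msg may already carry a prefix from the branch above.
$msg .= stripslashes($_REQUEST['message']);

// Content validation; all failures are collected and reported together.
$ok = true;
$errors = array();
if (!isValidEmailAddress($from_email)) {
    $ok = false;
    $errors['from_email'] = 'Please specify a valid email address';
}
if (!isValidRealName($from_name)) {
    $ok = false;
    $errors['from_name'] = 'Only letters A-Z, a-z, hyphens and apostrophes allowed';
}
if (strlen($msg) == 0) {
    $ok = false;
    $errors['msg'] = "Please enter a message to send";
}
if (isSpam($msg)) {
    $ok = false;
    $errors['msg'] = "Sorry, this looks like spam";
}
if (!$ok) {
    die("ERROR: " . implode('. ', $errors));
}
$smarty->assign_by_ref('msg', $msg);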
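$ok = true;
// A missing field becomes '' instead of raising an undefined-index notice;
// the empty_message check below then reports it as a validation error.
$raw_msg = isset($_POST['msg']) ? $_POST['msg'] : '';
// NOTE(review): stripslashes() assumes magic_quotes_gpc; without it, backslashes
// the user typed are removed - confirm intent.
$msg = htmlentities(trim(stripslashes($raw_msg)));
$errors = array();
if (!isValidEmailAddress($from_email)) {
    $ok = false;
    $errors['from_email'] = $MESSAGES['ecard']['email_invalid'];
}
if (!isValidRealName($from_name)) {
    $ok = false;
    $errors['from_name'] = $MESSAGES['ecard']['name_chars'];
}
if (!isValidEmailAddress($to_email)) {
    $ok = false;
    $errors['to_email'] = $MESSAGES['ecard']['email_invalid'];
}
if (!isValidRealName($to_name)) {
    $ok = false;
    $errors['to_name'] = $MESSAGES['ecard']['name_chars'];
}
// Also catches input htmlentities() rejected: with pre-8.1 default flags it
// returns '' for an invalid byte sequence.
if (strlen($msg) == 0) {
    $ok = false;
    $errors['msg'] = $MESSAGES['ecard']['empty_message'];
}
$smarty->assign_by_ref('errors', $errors);
// assign_by_ref() needs a variable, not a call result, so decode into one first.
$decoded_msg = html_entity_decode($msg); //will be re-htmlentities'ed when output
$smarty->assign_by_ref('msg', $decoded_msg);
$smarty->assign_by_ref('charset', $CONF['mail_charset']);
$smarty->assign_by_ref('contactmail', $CONF['abuse_email']);
$enc_from_name = mb_encode_mimeheader($from_name, $CONF['mail_charset'], $CONF['mail_transferencoding']);
$enc_to_name = mb_encode_mimeheader($to_name, $CONF['mail_charset'], $CONF['mail_transferencoding']); //still ok?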
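/**
 * force inline login if user isn't authenticated
 * only return after successful login
 *
 * @param bool $inline passed through to login.tpl as 'inline'
 * @return bool true whenever this method returns; a missing or failed login
 *              renders login.tpl and exit()s instead of returning
 */
function login($inline = true)
{
    if ($this->registered) {
        //we're logged in
        return true;
    }

    $errors = array();
    //defaults so the login page can be rendered when nothing was posted
    $email = '';
    $password = '';

    //lets see if we are processing a login?
    if (isset($_POST['email'])) {
        $email = stripslashes(trim($_POST['email']));
        $password = isset($_POST['password']) ? stripslashes(trim($_POST['password'])) : '';
        $remember_me = isset($_POST['remember_me']) ? 1 : 0;
        $errors = $this->_loginWithCredentials($email, $password, $remember_me);
        //no errors means the credentials were accepted and $this is populated
        if (count($errors) == 0) {
            return true;
        }
    }

    //failure to login means we never return - we show a login page instead...
    $smarty = new GeoGraphPage();
    $smarty->assign('remember_me', isset($_COOKIE['autologin']) ? 1 : 0);
    $smarty->assign('inline', $inline);
    $smarty->assign('email', $email);
    //NOTE(review): the submitted password is handed back to the template;
    //confirm login.tpl does not render it
    $smarty->assign('password', $password);
    $smarty->assign('errors', $errors);
    $smarty->assign_by_ref('_post', $_POST);
    $smarty->display('login.tpl');
    exit;
}

/**
 * Check posted credentials against the user table; on success copy the row
 * into this object, mark it registered and (optionally) issue an autologin cookie.
 *
 * @param string $email       email address or nickname, as typed
 * @param string $password    plaintext password, as typed
 * @param int    $remember_me 1 to set the autologin cookie, 0 otherwise
 * @return array field => message; empty on success
 */
private function _loginWithCredentials($email, $password, $remember_me)
{
    global $MESSAGES;
    $errors = array();
    $db = $this->_getDB();

    //accept either an email address or a nickname; anything else is rejected
    //before it reaches SQL, and the value is always passed through Quote()
    if (isValidEmailAddress($email)) {
        $sql = 'select * from user where email=' . $db->Quote($email) . ' limit 1';
    } elseif (isValidRealName($email)) {
        $sql = 'select * from user where nickname=' . $db->Quote($email) . ' limit 1';
    } else {
        $errors['email'] = $MESSAGES['class_user']['user_invalid'];
        return $errors;
    }

    //user registered? (is_array guard: a false return would make count() fatal on PHP 8)
    $arr = $db->GetRow($sql);
    if (!is_array($arr) || !count($arr)) {
        //sorry son, your name's not on the list
        $errors['email'] = $MESSAGES['class_user']['user_unknown'];
        return $errors;
    }

    //passwords match? stored value is HMAC-MD5 of the password under the per-user salt.
    //hash_equals() is strict and constant-time: unlike ==, two hex digests that PHP
    //could read as numbers in exponent form ("0e...") are not treated as equal.
    $md5password = hash_hmac('md5', $password, (string) $arr['salt']);
    if (!hash_equals((string) $arr['password'], $md5password)) {
        //speak friend and enter
        $errors['password'] = $MESSAGES['class_user']['invalid_password'];
        return $errors;
    }

    //final test = if they have no rights, they haven't confirmed their registration
    if (!strlen((string) $arr['rights'])) {
        $errors['general'] = sprintf($MESSAGES['class_user']['must_confirm'], $email);
        return $errors;
    }

    //copy user fields into this object; numeric keys are skipped (presumably
    //positional duplicates from the fetch mode - TODO confirm)
    foreach ($arr as $name => $value) {
        if (!is_numeric($name)) {
            $this->{$name} = $value;
        }
    }
    //temporary nickname fix for beta accounts
    if (strlen($this->nickname) == 0) {
        $this->nickname = str_replace(" ", "", $this->realname);
    }
    //give user a remember me cookie?
    if ($remember_me) {
        $this->_issueAutologinCookie($db);
    }
    //we're changing privilege state, so we should
    //generate a new session id to avoid fixation attacks
    session_regenerate_id();
    $this->registered = true;
    //log into forum too
    $this->_forumLogin();
    if (isset($_SESSION['maptt'])) {
        unset($_SESSION['maptt']);
    }
    return $errors;
}

/**
 * Store a fresh autologin token for this user and hand it to the browser.
 * Requires PHP 7+ (random_bytes).
 *
 * @param object $db connection from _getDB(), used for Quote() and query()
 * @return void
 */
private function _issueAutologinCookie($db)
{
    //128 bits from the CSPRNG, hex-encoded: 32 chars, the same width as the
    //md5(uniqid(rand())) token this replaces
    $token = bin2hex(random_bytes(16));
    $db->query('insert into autologin(user_id,token) values (' . $db->Quote($this->user_id) . ', ' . $db->Quote($token) . ')');
    //httponly: the token is only ever read server-side, so keep it away from page scripts
    setcookie('autologin', $this->user_id . '_' . $token, time() + 3600 * 24 * 365, '/', '', false, true);
}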
#        }
#
#        $smarty->assign_by_ref("notification",$n);
#
#    }
#
#}

if ($template == 'profile.tpl') {
    //assume viewing logged in user
    $uid = $USER->user_id;

    //see if we were passed a param: numeric ids are taken only when the whole
    //value is digits, a nickname only when isValidRealName() accepts it
    if (isset($_GET['u']) && preg_match('/^[0-9]+$/', $_GET['u'])) {
        $uid = $_GET['u'];
    } elseif (isset($_GET['id']) && preg_match('/^[0-9]+$/', $_GET['id'])) {
        $uid = $_GET['id'];
    } elseif (isset($_GET['user']) && isValidRealName($_GET['user'])) {
        if ($_GET['user'] == $USER->nickname) {
            $uid = $USER->user_id;
        } else {
            $profile = new GeographUser();
            $profile->loadByNickname($_GET['user']);
            $uid = $profile->user_id;
        }
        //presumably loadByNickname() leaves user_id at 0 for an unknown nickname - TODO confirm
        if ($uid == 0) {
            header("HTTP/1.0 404 Not Found");
            header("Status: 404 Not Found");
            $smarty->display('static_404.tpl');
            exit;
        }
    }
    //NOTE(review): the 404 above is only reached from the nickname branch; a numeric
    //id with no matching user still arrives here as a non-zero $uid - confirm it is
    //handled further down
    if ($uid == 0 || $uid == $USER->user_id) {
// A token already held in the session wins; the request token is only used
// when the session has none. Any checking of its value is inside setToken() - TODO confirm.
if (isset($_SESSION['gameToken'])) {
    $game->setToken($_SESSION['gameToken']);
} elseif (isset($_REQUEST['token'])) {
    $game->setToken($_REQUEST['token']);
}
// Debug dump is gated on the admin permission, not just on the request flag.
if (isset($_REQUEST['debug']) && $USER->hasPerm('admin')) {
    print_r($game);
}
if (!empty($game->image)) {
    unset($game->image);
}
if (!empty($game->rastermap)) {
    unset($game->rastermap);
}
// A score is saved for a logged-in user, or for a guest who supplied a username.
if (!empty($_REQUEST['save']) && ($USER->registered || !empty($_REQUEST['username']))) {
    // Guest names go through the same character check as real names.
    if (!empty($_REQUEST['username']) && !isValidRealName($_REQUEST['username'])) {
        $smarty->assign('errormsg', "Please only use only letters and numbers in your name, in particular you should not enter an email address");
    } else {
        // NOTE(review): $_REQUEST['save'] reaches saveScore() unchecked here; whatever
        // validation applies to it must live inside saveScore() - confirm.
        $app = $game->saveScore($_REQUEST['save'], !empty($_REQUEST['username']) ? $_REQUEST['username'] : '');
        // Token is single-use: drop it once a score has been submitted.
        if (isset($_SESSION['gameToken'])) {
            unset($_SESSION['gameToken']);
        }
        if (!empty($_REQUEST['username'])) {
            $_SESSION['username'] = $_REQUEST['username'];
        }
        if ($app) {
            header("Location: /games/moversboard.php?g={$game->game_id}&more");
        } else {
            header("Location: /games/");
        }
        exit;