function nodemoved()
{
global $apx, $set;
if (!checkToken()) {
return;
}
if (!$apx->user->has_right('news.catedit') || !$set['news']['subcats']) {
return;
}
$id = (int) $_REQUEST['id'];
$newparent = (int) $_REQUEST['parentid'];
$beforeid = (int) $_REQUEST['before'];
$afterid = (int) $_REQUEST['after'];
if (!$id) {
return;
}
require_once BASEDIR . 'lib/class.recursivetree.php';
$tree = new RecursiveTree(PRE . '_news_cat', 'id');
//In einen Knoten verschieben
if (!$beforeid && !$afterid) {
$tree->moveNode($id, $newparent);
} elseif ($beforeid) {
$tree->moveNodeBefore($id, $newparent, $beforeid);
} elseif ($afterid) {
$tree->moveNodeAfter($id, $newparent, $afterid);
}
}
function getFilesInFolder($folder)
{
checkToken();
$params = array('maxResults' => '1000', 'orderBy' => 'title', 'q' => "'" . $folder . "' in parents");
$results = getDriveService()->files->listFiles($params);
if (count($results->getItems()) == 0) {
//return "No files found.";
return file_get_contents('includes/json/filenotfound.json');
} else {
return json_encode($results->getItems());
}
}
function nodemoved()
{
global $apx;
if (!checkToken()) {
return;
}
if (!$apx->user->has_right('teaser.edit')) {
return;
}
$id = (int) $_REQUEST['id'];
$beforeid = (int) $_REQUEST['before'];
$afterid = (int) $_REQUEST['after'];
if (!$id || !$beforeid && !$afterid) {
return;
}
require_once BASEDIR . 'lib/class.orderedlist.php';
$list = new OrderedList(PRE . '_teaser', 'id');
//Vor einen Knoten verschieben
if ($beforeid) {
$list->moveBefore($id, $beforeid);
} elseif ($afterid) {
$list->moveAfter($id, $afterid);
}
}
function sendpm_exec()
{
global $apx, $db, $set;
//Token prüfen
if (!checkToken()) {
printInvalidToken();
return;
}
//FORWARDER
if (!isset($_REQUEST['done'])) {
tmessage('sending', array('FORWARDER' => 'action.php?action=user.sendpm&doit=1&sectoken=' . $apx->session->get('sectoken') . '&done=0'));
return;
}
//VARS
$done = (int) $_REQUEST['done'];
$countPerCall = 50;
@set_time_limit(600);
//Newsletter-Info auslesen
$newsletter = $set['user']['sendpm_data'];
if (!isset($newsletter['text'])) {
die('no valid newsletter!');
}
$newsletter['text_clear'] = $newsletter['text'];
while (preg_match('#\\[([a-z0-9]+)(=.*?)?\\](.*?)\\[/\\1\\]#si', $newsletter['text_clear'])) {
$text = preg_replace('#\\[([a-z0-9]+)(=.*?)?\\](.*?)\\[/\\1\\]#si', '\\3', $newsletter['text_clear']);
}
//SEND NEWSLETTER
if (is_array($newsletter['groups']) && count($newsletter['groups'])) {
$data = $db->fetch("SELECT userid, email, pub_poppm, pub_mailpm FROM " . PRE . "_user WHERE active=1 AND reg_key='' AND groupid IN (" . implode(',', $newsletter['groups']) . ") ORDER BY email ASC LIMIT " . $done . "," . $countPerCall);
} else {
$data = $db->fetch("SELECT userid, email, pub_poppm, pub_mailpm FROM " . PRE . "_user WHERE active=1 AND reg_key='' ORDER BY email ASC LIMIT " . $done . "," . $countPerCall);
}
if (count($data)) {
foreach ($data as $res) {
++$i;
$this->sendpm_send($res, $newsletter['subject'], $newsletter['text'], $newsletter['text_clear']);
}
////// FORWARDER
//Vorgang beendet
if ($i < $countPerCall) {
$db->query("UPDATE " . PRE . "_config SET value='' WHERE module='user' AND varname='sendpm_data' LIMIT 1");
logit('USER_SENDPM');
message($apx->lang->get('MSG_OK'));
return;
} else {
tmessage('sending', array('FORWARDER' => 'action.php?action=user.sendpm&doit=1&sectoken=' . $apx->session->get('sectoken') . '&done=' . ($done + $countPerCall)));
return;
}
} else {
$db->query("UPDATE " . PRE . "_config SET value='' WHERE module='user' AND varname='sendpm_data' LIMIT 1");
logit('USER_SENDPM');
message($apx->lang->get('MSG_OK'));
return;
}
}
<?php
if (isset($_GET['Submit'])) {
// Check Anti-CSRF token
checkToken($_REQUEST['user_token'], $_SESSION['session_token'], 'index.php');
// Get input
$id = $_GET['id'];
// Was a number entered?
if (is_numeric($id)) {
// Check the database
$data = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;');
$data->bindParam(':id', $id, PDO::PARAM_INT);
$data->execute();
// Get results
if ($data->rowCount() == 1) {
// Feedback for end user
$html .= '<pre>User ID exists in the database.</pre>';
} else {
// User wasn't found, so the page wasn't!
header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found');
// Feedback for end user
$html .= '<pre>User ID is MISSING from the database.</pre>';
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
<?php
require_once 'phpconf.php';
require_once 'phpfunc.php';
require_once 'phpsecurity.php';
session_cache_expire(0);
session_cache_limiter('private_no_expire');
session_start();
if ($_SERVER['REQUEST_METHOD'] != 'POST') {
// CSRF対策
setToken();
} else {
$_POST = arrayString($_POST);
checkToken();
$emailre = '/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD';
$passre = '/^[0-9a-zA-Z]{6,20}$/';
$birthre = '/\\d{4}\\-\\d{2}\\-\\d{2}/';
$error = [];
if (1 > strlen($_POST['name']) || strlen($_POST['name']) > 20) {
$error[] = '名前は1文字以上20文字以内';
}
if (!preg_match($emailre, $_POST['email'])) {
$error[] = '不正なメールアドレス';
} else {
if (emailExists($_POST['email']) != 0) {
$error[] = 'このメールアドレスは既に登録されています';
}
}
if (!preg_match($passre, $_POST['password'])) {
$error[] = 'パスワードは英数字6文字以上20文字以内';
} else {
<?php
include "connect.php";
include "token.php";
$authorId = checkToken(addslashes($_POST["token"]), $returnData);
if ($authorId == -1) {
echo json_encode($returnData);
return;
}
$questionId = addslashes($_POST["questionId"]);
$content = addslashes($_POST["content"]);
$date = time();
$sql = "INSERT INTO answer ( authorId , questionId , content , date ) VALUES ( '" . $authorId . "' , '" . $questionId . "','" . $content . "',now())";
if (mysql_query($sql)) {
$update = "UPDATE question SET answerCount=answerCount+1 , recent = now() WHERE id = {$questionId}";
mysql_query($update);
$returnData["info"] = $sql;
} else {
header("http/1.1 500 Internal Server Error");
$returnData["error"] = $sql . mysql_error();
}
echo json_encode($returnData);
break;
case 'edit-tag':
//http://blog.martindoms.com/2010/01/20/using-the-google-reader-api-part-3/
$token = isset($_POST['T']) ? trim($_POST['T']) : '';
checkToken($conf, $token);
$a = isset($_POST['a']) ? $_POST['a'] : '';
//Add: user/-/state/com.google/read user/-/state/com.google/starred
$r = isset($_POST['r']) ? $_POST['r'] : '';
//Remove: user/-/state/com.google/read user/-/state/com.google/starred
$e_ids = multiplePosts('i');
//item IDs
editTag($e_ids, $a, $r);
break;
case 'mark-all-as-read':
$token = isset($_POST['T']) ? trim($_POST['T']) : '';
checkToken($conf, $token);
$streamId = $_POST['s'];
//StreamId
$ts = isset($_POST['ts']) ? $_POST['ts'] : '0';
//Older than timestamp in nanoseconds
if (!ctype_digit($ts)) {
$ts = '0';
}
markAllAsRead($streamId, $ts);
break;
case 'token':
token($conf);
break;
}
} elseif ($pathInfos[1] === 'check' && $pathInfos[2] === 'compatibility') {
checkCompatibility();
function disable()
{
global $set, $db, $apx;
$_REQUEST['id'] = (int) $_REQUEST['id'];
if (!$_REQUEST['id']) {
die('missing ID!');
}
if ($_POST['send']) {
if (!checkToken()) {
printInvalidToken();
} else {
$db->query("UPDATE " . PRE . "_poll SET starttime='0',endtime='0' WHERE ( id='" . $_REQUEST['id'] . "' ) LIMIT 1");
logit('POLL_DISABLE', 'ID #' . $_REQUEST['id']);
printJSReload();
}
} else {
list($title) = $db->first("SELECT question FROM " . PRE . "_poll WHERE id='" . $_REQUEST['id'] . "' LIMIT 1");
$apx->tmpl->assign('MESSAGE', $apx->lang->get('MSG_TEXT', array('TITLE' => compatible_hsc($title))));
tmessageOverlay('disable', array('ID' => $_REQUEST['id']));
}
}
function is_ok()
{
// check tokens, session vars, ip, referrer, cookie etc
// in case of problem, destroy session and redirect
global $auto_restrict;
$expired = false;
// fatal problem
if (!checkReferer()) {
return death("You are definitely NOT from here !");
}
if (!checkIP()) {
return death("Hey... you were banished, f**k off !");
}
if (!checkToken()) {
return death("You need a valid token to do that, boy !");
}
//
if (checkCookie()) {
return true;
}
if (!isset($_SESSION['id_user'])) {
return false;
}
if ($_SESSION['expire'] < time()) {
$expired = true;
}
$sid = Dechiffre($_SESSION['id_user'], $auto_restrict['encryption_key']);
$id = id_user();
if ($sid != $id || $expired == true) {
// problème d'identité
return false;
} else {
// all fine
//session can survive a bit more ^^
$_SESSION['expire'] = time() + 60 * $auto_restrict['session_expiration_delay'];
return true;
}
}
<?php
include_once 'formvalidation.php';
$csrf_token = isset($_GET['csrf_token']) ? $_GET['csrf_token'] : "undefined";
echo "hi";
echo $csrf_token;
$continue = checkToken($csrf_token);
echo "adadas";
if ($continue) {
session_start();
session_destroy();
header('Location:' . 'index.php');
die;
} else {
echo "</br>wrong token</br>";
}
switch ($_GET['method']) {
case 'getUser':
if (!isset($_GET['user'])) {
badRequest();
} else {
getUserAPI($_GET['user']);
}
break;
case 'getUsers':
getUsers();
break;
case 'checkToken':
if (!isset($_GET['token'])) {
badRequest();
} else {
checkToken($_GET['token']);
}
break;
case 'checkTokenUser':
if (!isset($_GET['token']) || !isset($_GET['user'])) {
badRequest();
} else {
checkTokenUser($_GET['token'], $_GET['user']);
}
break;
default:
badRequest();
break;
}
}
/**
function is_ok()
{
# check tokens, session vars, ip, referrer, cookie etc
# in case of problem, destroy session and redirect
global $auto_restrict;
$expired = false;
if (!isset($_SESSION['id_user'])) {
return false;
}
# fatal problem
if (!checkReferer()) {
return death('<div class="error">You are definitely NOT from here !</div>');
}
if (!checkIP()) {
return death('<div class="error">Hey... you were banished, f**k off !</div>');
}
if (!checkToken()) {
return death('<div class="error">Invalid token</div>');
}
#
if (checkCookie()) {
return true;
}
if ($_SESSION['expire'] < time()) {
$expired = true;
}
$sid = Dechiffre($_SESSION['id_user'], $auto_restrict['users'][$_SESSION['login']]['encryption_key']);
$id = id_user();
if ($sid != $id || $expired == true) {
# problème d'identité
return false;
} else {
# all fine
#session can survive a bit more ^^
$_SESSION['expire'] = time() + 60 * $auto_restrict['session_expiration_delay'];
return true;
}
}
$response = syncQuota();
setmsg(t('Users data updated!'), 'notice');
break;
case 'remove':
$token = token();
$name = isset($_REQUEST['name']) ? $_REQUEST['name'] : '';
if (!isadmin() && $me != $name) {
setmsg(t('Permission Denied.'));
//break;
}
$name = preg_replace("/[^a-z0-9]+/i", "", $name);
if (!$name) {
redirect('user.php');
}
$user = ZUser::getUser($name);
if (checkToken()) {
if (ZUser::removeUser($name)) {
setmsg(t('Removed!'), 'notice');
} else {
setmsg(t('Error'));
}
}
break;
case 'list':
default:
$task = 'list';
$start = 0;
$limit = 20;
if ($role == 0) {
// user
redirect('?task=edit&name=' . $me);
function del()
{
global $set, $db, $apx;
$_REQUEST['id'] = (int) $_REQUEST['id'];
if (!$_REQUEST['id']) {
die('missing ID!');
}
if ($_POST['send'] == 1) {
if (!checkToken()) {
printInvalidToken();
} else {
$db->query("DELETE FROM " . PRE . "_contact WHERE id='" . $_REQUEST['id'] . "' LIMIT 1");
logit('CONTACT_DEL', 'ID #' . $_REQUEST['id']);
printJSRedirect(get_index('contact.show'));
}
} else {
list($title) = $db->first("SELECT title FROM " . PRE . "_contact WHERE id='" . $_REQUEST['id'] . "' LIMIT 1");
$apx->tmpl->assign('MESSAGE', $apx->lang->get('MSG_TEXT', array('TITLE' => compatible_hsc($title))));
tmessageOverlay('deltitle', array('ID' => $_REQUEST['id']), '/');
}
}
function group()
{
global $set, $db, $apx, $html;
$_REQUEST['id'] = (int) $_REQUEST['id'];
$data = $set['content']['groups'];
//Kategorie löschen
if ($_REQUEST['do'] == 'del' && isset($data[$_REQUEST['id']])) {
list($count) = $db->first("SELECT count(*) FROM " . PRE . "_content WHERE catid='" . $_REQUEST['id'] . "'");
if (!$count) {
if (isset($_POST['id'])) {
if (!checkToken()) {
infoInvalidToken();
} else {
unset($data[$_REQUEST['id']]);
$db->query("UPDATE " . PRE . "_config SET value='" . addslashes(serialize($data)) . "' WHERE module='content' AND varname='groups' LIMIT 1");
logit('CONTENT_CATDEL', $_REQUEST['id']);
printJSReload();
}
} else {
$apx->tmpl->assign('MESSAGE', $apx->lang->get('MSG_TEXT', array('TITLE' => compatible_hsc($data[$_REQUEST['id']]))));
tmessageOverlay('catdel', array('ID' => $_REQUEST['id']));
}
}
return;
}
//Kategorie leeren
if ($_REQUEST['do'] == 'clean' && isset($data[$_REQUEST['id']])) {
if ($_POST['id'] && $_POST['moveto']) {
if (!checkToken()) {
infoInvalidToken();
} else {
$db->query("UPDATE " . PRE . "_content SET catid='" . intval($_POST['moveto']) . "' WHERE catid='" . $_REQUEST['id'] . "'");
logit('CONTENT_CATCLEAN', "ID #" . $_REQUEST['id']);
//Kategorie löschen
if ($_POST['delcat']) {
unset($data[$_REQUEST['id']]);
$db->query("UPDATE " . PRE . "_config SET value='" . addslashes(serialize($data)) . "' WHERE module='content' AND varname='groups' LIMIT 1");
logit('CONTENT_CATDEL', $_REQUEST['id']);
}
printJSReload();
return;
}
} else {
//Kategorien auflisten
$catlist = '';
$data = $set['content']['groups'];
if (count($data)) {
foreach ($data as $id => $title) {
if ($id == $_REQUEST['id']) {
continue;
}
$catlist .= '<option value="' . $id . '"' . iif($_REQUEST['catid'] == $id, ' selected="selected"') . '>' . replace($title) . '</option>';
}
}
$apx->tmpl->assign('ID', $_REQUEST['id']);
$apx->tmpl->assign('TITLE', compatible_hsc($data[$_REQUEST['id']]));
$apx->tmpl->assign('DELCAT', (int) $_POST['delcat']);
$apx->tmpl->assign('CATLIST', $catlist);
tmessageOverlay('catclean');
}
return;
} elseif ($_REQUEST['do'] == 'edit' && isset($data[$_REQUEST['id']])) {
if (isset($_POST['title'])) {
if (!checkToken()) {
infoInvalidToken();
} elseif (!$_POST['title']) {
info('back');
} else {
$data[$_REQUEST['id']] = $_POST['title'];
$db->query("UPDATE " . PRE . "_config SET value='" . addslashes(serialize($data)) . "' WHERE module='content' AND varname='groups' LIMIT 1");
logit('CONTENT_CATEDIT', $_REQUEST['id']);
printJSRedirect('action.php?action=content.group');
return;
}
} else {
$_POST['title'] = $data[$_REQUEST['id']];
$apx->tmpl->assign('TITLE', $_POST['title']);
$apx->tmpl->assign('ACTION', 'edit');
$apx->tmpl->assign('ID', $_REQUEST['id']);
$apx->tmpl->parse('catadd_catedit');
}
} elseif ($_REQUEST['do'] == 'add') {
if ($_POST['send']) {
if (!checkToken()) {
printInvalidToken();
} elseif (!$_POST['title']) {
info('back');
} else {
if (!count($data)) {
$data[1] = $_POST['title'];
} else {
$data[] = $_POST['title'];
}
$db->query("UPDATE " . PRE . "_config SET value='" . addslashes(serialize($data)) . "' WHERE module='content' AND varname='groups' LIMIT 1");
logit('CONTENT_CATADD', array_key_max($data));
printJSRedirect('action.php?action=content.group');
return;
}
}
} else {
$apx->tmpl->assign('ACTION', 'add');
$apx->tmpl->parse('catadd_catedit');
}
$col[] = array('ID', 1, 'align="center"');
$col[] = array('COL_TITLE', 80, 'class="title"');
$col[] = array('COL_CONTENTS', 20, 'align="center"');
//AUSGABE
asort($data);
foreach ($data as $id => $res) {
++$i;
list($count) = $db->first("SELECT count(*) FROM " . PRE . "_content WHERE catid='" . $id . "'");
$tabledata[$i]['COL1'] = $id;
$tabledata[$i]['COL2'] = $res;
$tabledata[$i]['COL3'] = $count;
$tabledata[$i]['OPTIONS'] .= optionHTML('edit.gif', 'content.group', 'do=edit&id=' . $id, $apx->lang->get('CORE_EDIT'));
if (!$count) {
$tabledata[$i]['OPTIONS'] .= optionHTMLOverlay('del.gif', 'content.group', 'do=del&id=' . $id, $apx->lang->get('CORE_DEL'));
} else {
$tabledata[$i]['OPTIONS'] .= '<img src="design/ispace.gif" alt="" />';
}
if ($count) {
$tabledata[$i]['OPTIONS'] .= optionHTMLOverlay('clean.gif', 'content.group', 'do=clean&id=' . $id, $apx->lang->get('CLEAN'));
} else {
$tabledata[$i]['OPTIONS'] .= '<img src="design/ispace.gif" alt="" />';
}
}
$apx->tmpl->assign('TABLE', $tabledata);
$html->table($col);
}
<?php
include_once 'dbconnection.php';
include_once 'checkrights.php';
if (checkToken($_REQUEST['username'], $_REQUEST['token'])) {
if ($_REQUEST['rightname']) {
$feature = "rightsedit";
if (CheckRights($_REQUEST['username'], $feature)) {
grantRight($_REQUEST['thisuser'], $_REQUEST['rightname'], $_REQUEST['value']);
} else {
echo "{\"error\": [{ \"type\": \"alert\", \"msg\":\"You do not have access to this feature.\"}]}";
}
} else {
$feature = "rightsedit";
if (CheckRights($_REQUEST['username'], $feature)) {
loadFeatures();
} else {
echo "{\"error\": [{ \"type\": \"alert\", \"msg\":\"You do not have access to this feature.\"}]}";
}
}
} else {
echo "[{\"error\":\"You are not logged in. Log in to view this data.\"}]";
}
function loadFeatures()
{
try {
$con = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD);
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT * FROM features";
$stmt = $con->prepare($sql);
$stmt->execute();
<?php
include "connect.php";
include "token.php";
$token = addslashes($_POST["token"]);
$comment = addslashes($_POST["comment"]);
$authorId = checkToken($token, $returnData);
if ($authorId == -1) {
echo json_encode($returnData);
return;
}
$sql = "INSERT INTO comment (,)VALUES()";
function isLoguedAsNotAdmin()
{
if (isset($_COOKIE['token'])) {
$token = $_COOKIE['token'];
return checkToken($token) && checkAsNotAdminUser($token);
} else {
return false;
}
}
} else {
// проверка чистая
// обновим последнюю проверку
cdim('db','query',"UPDATE `proxy` SET `last_check` = ".time()." WHERE `id` = ".$proxy->id.";");
}
}
*/
return $proxy;
}
include 'gears/RC4.php';
$rc4 = new RC4();
$detoken = unserialize($rc4->crypt_str($config['options']['rc4key'], base64url_decode($apitoken)));
$user_id = intval(trim($detoken[0]));
$flow_id = intval(trim($detoken[1]));
checkTarif($user_id);
$user = checkToken($user_id, $flow_id);
$token = getToken($flow_id);
/***** BLOCK ALL, witchout this list ******/
$user_ip_addr = $_SERVER['REMOTE_ADDR'];
$block_list_way = 'manage/addl/block_list_' . $user_id . '.lst';
if (file_exists($block_list_way)) {
$file_arr = array();
$file_data = file_get_contents($block_list_way);
$file_arr = unserialize($file_data);
if (isset($file_arr[$flow_id])) {
if (count($file_arr[$flow_id]) > 0 && !in_array($user_ip_addr, $file_arr[$flow_id])) {
die('..');
}
}
}
/***** BLOCK ALL, witchout this list ******/
<?php
include "../../connect.php";
include "../../token.php";
$user = checkToken(1, $result);
if ($user == -1) {
echo json_encode($result);
return;
}
$id = addslashes($_POST["id"]);
$sql = "\tSELECT \n\t\t\tvendor.name as vendor_name,\n\t\t\tvendor.id as vendor_id,\n\t\t\tline.id,\n\t\t\tline.name,\n\t\t\tline.word \n\t\tFROM vendor RIGHT JOIN line ON vendor.id = line.vendor_id \n\t\twhere vendor.id = '{$id}'";
$result = array();
$sqlresult = mysql_query($sql);
$result = array();
while ($row = mysql_fetch_assoc($sqlresult)) {
$result[] = $row;
}
echo json_encode($result);
<?php
if (IN_MANAGER_MODE != "true") {
die("<b>INCLUDE_ORDERING_ERROR</b><br /><br />Please use the MODX Content Manager instead of accessing this file directly.");
}
if (!$modx->hasPermission('file_manager')) {
$modx->webAlertAndQuit($_lang["error_no_privileges"]);
}
$token_check = checkToken();
$newToken = makeToken();
// settings
$theme_image_path = $modx->config['site_manager_url'] . 'media/style/' . $modx->config['manager_theme'] . '/images/';
$excludes = array('.', '..', '.svn');
$alias_suffix = !empty($friendly_url_suffix) ? ',' . ltrim($friendly_url_suffix, '.') : '';
$editablefiles = explode(',', 'txt,php,shtml,html,htm,xml,js,css,pageCache,htaccess' . $alias_suffix);
$inlineviewablefiles = explode(',', 'txt,php,html,htm,xml,js,css,pageCache,htaccess' . $alias_suffix);
$viewablefiles = explode(',', 'jpg,gif,png,ico');
$editablefiles = add_dot($editablefiles);
$inlineviewablefiles = add_dot($inlineviewablefiles);
$viewablefiles = add_dot($viewablefiles);
$proteted_path = array();
/* jp only
if($_SESSION['mgrRole']!=1)
{
*/
$proteted_path[] = $modx->config['site_manager_path'];
$proteted_path[] = $modx->config['base_path'] . 'temp/backup';
$proteted_path[] = $modx->config['base_path'] . 'assets/backup';
if (!$modx->hasPermission('save_plugin')) {
$proteted_path[] = $modx->config['base_path'] . 'assets/plugins';
}
echo "</xml>";
} else {
echo "<xml>";
echo "<status>error</status>";
echo "<message>Incomplete arguments</message>";
echo "</xml>";
}
} else {
echo "<xml>";
echo "<status>error</status>";
echo "<message>Invalid token</message>";
echo "</xml>";
}
break;
case 'course_from_user':
if (isset($_GET['token']) && checkToken($_GET['token'])) {
if (isset($_GET['login']) && isset($_GET['course'])) {
try {
$course = new EfrontCourse($_GET['course']);
$course->removeUsers($_GET['login']);
echo "<xml>";
echo "<status>ok</status>";
echo "</xml>";
} catch (Exception $e) {
echo "<xml>";
echo "<status>error</status>";
echo "<message>Invalid course/username or user not enrolled into course</message>";
echo "</xml>";
}
} else {
echo "<xml>";
<?php
session_start();
include_once "formvalidation.php";
$csrf_token = isset($_GET['csrf_token']) ? $_GET['csrf_token'] : "undefined";
$tokenOk = checkToken($csrf_token);
if ($tokenOk) {
// get the product id
$id = isset($_GET['id']) ? $_GET['id'] : "";
$productName = isset($_GET['productName']) ? $_GET['productName'] : "";
// remove the item from the array
unset($_SESSION['cart_items'][$id]);
// redirect to product list and tell the user it was added to cart
header('Location: cart.php?action=removed&id=' . $id . '&productName=' . $productName);
}
function group()
{
global $set, $db, $apx, $html;
$_REQUEST['id'] = (int) $_REQUEST['id'];
$data = $set['banner']['groups'];
//Kategorie löschen
if ($_REQUEST['do'] == 'del' && isset($data[$_REQUEST['id']])) {
list($count) = $db->first("SELECT count(*) FROM " . PRE . "_banner WHERE " . PRE . "_banner.group='" . $id . "'");
if (!$count) {
if (isset($_POST['id'])) {
if (!checkToken()) {
infoInvalidToken();
} else {
unset($data[$_REQUEST['id']]);
$db->query("UPDATE " . PRE . "_config SET value='" . addslashes(serialize($data)) . "' WHERE module='banner' AND varname='groups' LIMIT 1");
logit('BANNER_CATDEL', $_REQUEST['id']);
printJSReload();
}
} else {
$apx->tmpl->assign('MESSAGE', $apx->lang->get('MSG_TEXT', array('TITLE' => compatible_hsc($data[$_REQUEST['id']]))));
tmessageOverlay('catdel', array('ID' => $_REQUEST['id']));
}
return;
}
} elseif ($_REQUEST['do'] == 'edit' && isset($data[$_REQUEST['id']])) {
if (isset($_POST['title'])) {
if (!checkToken()) {
infoInvalidToken();
} elseif (!$_POST['title']) {
infoNotComplete();
} else {
$data[$_REQUEST['id']] = $_POST['title'];
$db->query("UPDATE " . PRE . "_config SET value='" . addslashes(serialize($data)) . "' WHERE module='banner' AND varname='groups' LIMIT 1");
logit('BANNER_CATEDIT', $_REQUEST['id']);
printJSRedirect('action.php?action=banner.group');
return;
}
} else {
$_POST['title'] = $data[$_REQUEST['id']];
$apx->tmpl->assign('TITLE', $_POST['title']);
$apx->tmpl->assign('ACTION', 'edit');
$apx->tmpl->assign('ID', $_REQUEST['id']);
$apx->tmpl->parse('catadd_catedit');
}
} elseif ($_REQUEST['do'] == 'add') {
if ($_POST['send']) {
if (!checkToken()) {
printInvalidToken();
} elseif (!$_POST['title']) {
infoNotComplete();
} else {
if (!count($data)) {
$data[1] = $_POST['title'];
} else {
$data[] = $_POST['title'];
}
$db->query("UPDATE " . PRE . "_config SET value='" . addslashes(serialize($data)) . "' WHERE module='banner' AND varname='groups' LIMIT 1");
logit('BANNER_CATADD', array_key_max($data));
printJSRedirect('action.php?action=banner.group');
return;
}
}
} else {
$apx->tmpl->assign('ACTION', 'add');
$apx->tmpl->parse('catadd_catedit');
}
$col[] = array('ID', 1, 'align="center"');
$col[] = array('COL_TITLE', 80, 'class="title"');
$col[] = array('COL_BANNERS', 20, 'align="center"');
//AUSGABE
asort($data);
foreach ($data as $id => $res) {
++$i;
list($count) = $db->first("SELECT count(*) FROM " . PRE . "_banner WHERE " . PRE . "_banner.group='" . $id . "'");
$tabledata[$i]['COL1'] = $id;
$tabledata[$i]['COL2'] = $res;
$tabledata[$i]['COL3'] = $count;
$tabledata[$i]['OPTIONS'] .= optionHTML('edit.gif', 'banner.group', 'do=edit&id=' . $id, $apx->lang->get('CORE_EDIT'));
if (!$count) {
$tabledata[$i]['OPTIONS'] .= optionHTMLOverlay('del.gif', 'banner.group', 'do=del&id=' . $id, $apx->lang->get('CORE_DEL'));
} else {
$tabledata[$i]['OPTIONS'] .= '<img src="design/ispace.gif" alt="" />';
}
}
$apx->tmpl->assign('TABLE', $tabledata);
$html->table($col);
}
<?php
session_start();
include "formvalidation.php";
// get the product id
$id = isset($_GET['id']) ? $_GET['id'] : "";
$productName = isset($_GET['productName']) ? $_GET['productName'] : "";
$quantity = isset($_GET['quantity']) ? $_GET['quantity'] : "";
$csrf_token = isset($_GET['csrf_token']) ? $_GET['csrf_token'] : "undefined";
checkToken($csrf_token);
/*
* check if the 'cart' session array was created
* if it is NOT, create the 'cart' session array
*/
if (!isset($_SESSION['cart_items'])) {
$_SESSION['cart_items'] = array();
}
// check if the item is in the array, if it is, do not add
if (array_key_exists($id, $_SESSION['cart_items'])) {
// redirect to product list and tell the user it was added to cart
header('Location: webbshop.php?action=exists&id' . $id . '&productName=' . $productName);
echo $id;
} else {
$_SESSION['cart_items'][$id] = $productName;
// redirect to product list and tell the user it was added to cart
header('Location: webbshop.php?action=added&id' . $id . '&productName=' . $productName);
echo $id;
}
function resync()
{
global $set, $apx, $db;
if ($_REQUEST['send']) {
if (!checkToken()) {
printInvalidToken();
} else {
@set_time_limit(600);
//Thread- und Beitragszahlen berichtigen
$data = $db->fetch("\n\t\t\t\tSELECT forumid\n\t\t\t\tFROM " . PRE . "_forums\n\t\t\t");
if (count($data)) {
foreach ($data as $res) {
$forumid = $res['forumid'];
$forumThreads = 0;
$forumPosts = 0;
$forumLastpost = array();
$forumLastthread = array();
//Threads auslesen
$threaddata = $db->fetch("\n\t\t\t\t\t\tSELECT threadid, prefix, title, icon, del\n\t\t\t\t\t\tFROM " . PRE . "_forum_threads\n\t\t\t\t\t\tWHERE del=0 AND moved=0 AND forumid='" . $forumid . "'\n\t\t\t\t\t");
if (count($threaddata)) {
foreach ($threaddata as $tres) {
$threadid = $tres['threadid'];
list($threadPosts) = $db->first("\n\t\t\t\t\t\t\t\tSELECT count(postid)\n\t\t\t\t\t\t\t\tFROM " . PRE . "_forum_posts\n\t\t\t\t\t\t\t\tWHERE del=0 AND threadid='" . $threadid . "'\n\t\t\t\t\t\t\t");
$threadLastpost = $db->first("\n\t\t\t\t\t\t\t\tSELECT postid, userid, username, time\n\t\t\t\t\t\t\t\tFROM " . PRE . "_forum_posts\n\t\t\t\t\t\t\t\tWHERE del=0 AND threadid='" . $threadid . "'\n\t\t\t\t\t\t\t\tORDER BY time DESC\n\t\t\t\t\t\t\t\tLIMIT 1\n\t\t\t\t\t\t\t");
$db->query("\n\t\t\t\t\t\t\t\tUPDATE " . PRE . "_forum_threads\n\t\t\t\t\t\t\t\tSET\n\t\t\t\t\t\t\t\t\tposts='" . $threadPosts . "',\n\t\t\t\t\t\t\t\t\tlastpost='" . $threadLastpost['postid'] . "',\n\t\t\t\t\t\t\t\t\tlastposter='" . addslashes($threadLastpost['username']) . "',\n\t\t\t\t\t\t\t\t\tlastposter_userid='" . $threadLastpost['userid'] . "',\n\t\t\t\t\t\t\t\t\tlastposttime='" . $threadLastpost['time'] . "'\n\t\t\t\t\t\t\t\tWHERE threadid='" . $threadid . "'\n\t\t\t\t\t\t\t");
//Themen/Beiträge im Forum
if (!$tres['del']) {
++$forumThreads;
}
$forumPosts += $threadPosts;
//Lastpost im Forum
if (!$forumLastpost || $forumLastpost['time'] < $threadLastpost['time']) {
$forumLastthread = $tres;
$forumLastpost = $threadLastpost;
}
}
}
//Forum aktualisieren
$db->query("\n\t\t\t\t\t\tUPDATE " . PRE . "_forums\n\t\t\t\t\t\tSET\n\t\t\t\t\t\t\tthreads='" . $forumThreads . "',\n\t\t\t\t\t\t\tposts='" . $forumPosts . "',\n\t\t\t\t\t\t\tlastpost='" . $forumLastpost['postid'] . "',\n\t\t\t\t\t\t\tlastposter='" . addslashes($forumLastpost['username']) . "',\n\t\t\t\t\t\t\tlastposter_userid='" . $forumLastpost['userid'] . "',\n\t\t\t\t\t\t\tlastposttime='" . $forumLastpost['time'] . "',\n\t\t\t\t\t\t\tlastthread='" . $forumLastthread['threadid'] . "',\n\t\t\t\t\t\t\tlastthread_title='" . addslashes($forumLastthread['title']) . "',\n\t\t\t\t\t\t\tlastthread_icon='" . addslashes($forumLastthread['icon']) . "',\n\t\t\t\t\t\t\tlastthread_prefix='" . addslashes($forumLastthread['prefix']) . "'\n\t\t\t\t\t\tWHERE forumid='" . $forumid . "'\n\t\t\t\t\t\tLIMIT 1");
}
}
logit('FORUM_RESYNC');
message($apx->lang->get('MSG_OK'));
}
} else {
tmessage('resync');
}
}
function endGame($win, $los, $gameId)
{
if (!checkToken($_SERVER['REMOTE_ADDR'], $_COOKIE['token'])) {
return "verification_error";
} else {
//check to make sure this hasn't been ended already
$game = getGameData($gameId);
foreach ($game as $player) {
if ($player->gameOver == 1) {
return -1;
}
}
//end game in DB
if (endGameData($gameId) > 0) {
//update wins
addWinData($win);
//update loss
addLossData($los);
}
}
}
function blockcontent()
{
global $set, $db, $apx, $html;
$_REQUEST['key'] = (int) $_REQUEST['key'];
//IP löschen
if ($_REQUEST['do'] == 'del') {
if ($_POST['send']) {
if (!checkToken()) {
printInvalidToken();
} else {
unset($set['guestbook']['blockstring'][$_REQUEST['id']]);
$db->query("UPDATE " . PRE . "_config SET value='" . addslashes(serialize($set['guestbook']['blockstring'])) . "' WHERE module='guestbook' AND varname='blockstring' LIMIT 1");
printJSRedirect('action.php?action=guestbook.blockcontent');
}
} else {
$apx->tmpl->assign('MESSAGE', $apx->lang->get('MSG_DEL', array('TITLE' => compatible_hsc($set['guestbook']['blockstring'][$_REQUEST['id']]))));
tmessageOverlay('contentdel', array('ID' => $_REQUEST['id']));
}
return;
} elseif ($_REQUEST['do'] == 'add') {
if (!checkToken()) {
printInvalidToken();
} elseif (!$_POST['string']) {
infoNotComplete();
} else {
$set['guestbook']['blockstring'][] = $_POST['string'];
$db->query("UPDATE " . PRE . "_config SET value='" . addslashes(serialize($set['guestbook']['blockstring'])) . "' WHERE module='guestbook' AND varname='blockstring' LIMIT 1");
printJSRedirect('action.php?action=guestbook.blockcontent');
}
return;
}
quicklink_index('guestbook.show');
quicklink_out();
//AUFLISTUNG BEGINNT
$strings = $set['guestbook']['blockstring'];
if (!is_array($strings)) {
$strings = array();
}
$strings = array_sort($strings, 0, 'asc');
$col[] = array('TITLE_GUESTBOOK_BLOCKCONTENT', 100, 'class="title"');
foreach ($strings as $i => $res) {
$tabledata[$i]['COL1'] = $res;
$tabledata[$i]['OPTIONS'] = optionHTMLOverlay('del.gif', 'guestbook.blockcontent', 'do=del&id=' . $i, $apx->lang->get('CORE_DEL'));
}
$apx->tmpl->assign('TABLE', $tabledata);
$html->table($col);
$apx->tmpl->parse('blockcontent');
}
<?php
include "connect.php";
include "token.php";
$user = checkToken(0, $result);
if ($user == -1) {
echo json_encode($result);
return;
}
$qiniu = new Qiniu();
$result = array("token" => $qiniu->uploadToken());
echo json_encode($result);
class Qiniu
{
private $accessKey = '7dh0-GZEY8xx5dpRMQBl19PGvE7zUixpJxUFhvVc';
private $secretKey = 'wzzcLKJMpgPa_UpQU4WCfW_wtti-58XSRxfaPtmv';
public function sign($data)
{
$hmac = hash_hmac('sha1', $data, $this->secretKey, true);
return $this->accessKey . ':' . $this->base64_urlSafeEncode($hmac);
}
public function signWithData($data)
{
$data = $this->base64_urlSafeEncode($data);
return $this->sign($data) . ':' . $data;
}
public function signRequest($urlString, $body, $contentType = null)
{
$url = parse_url($urlString);
$data = '';
if (isset($url['path'])) {