コード例 #1
ファイル: session.php プロジェクト: elvinege/feedboard
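function login($username, $pass)
{
    // Authenticates a user by username and password, establishes the session
    // and cookies, and returns the user row as JSON (one-element list) or the
    // string "failed".
    if (!is_string($username) || !is_string($pass)) {
        return "failed";
    }
    $pdo = newPDO();
    // Look the account up by username only and verify the secret in PHP:
    // letting the database match `password=:pass` only works when the column
    // holds the plaintext (or a reproducible transform of it).
    $query = $pdo->prepare("SELECT * FROM users WHERE username=:username LIMIT 1");
    $query->execute(array(':username' => $username));
    $results = $query->fetchAll(PDO::FETCH_ASSOC);
    if (count($results) != 1) {
        return "failed";
    }
    $user = $results[0];
    $stored = isset($user["password"]) ? (string) $user["password"] : '';
    // An account with nothing stored can never be logged into.
    if ($stored === '') {
        return "failed";
    }
    // password_hash() output is recognised by password_get_info(); anything
    // else is treated as a legacy stored value and compared in constant time,
    // so rows that have not been migrated keep working. NOTE(review): the
    // legacy path still means the column holds a password equivalent - rehash
    // those rows with password_hash() (password_* needs PHP >= 5.5,
    // hash_equals() PHP >= 5.6).
    $info = password_get_info($stored);
    if (!empty($info['algo'])) {
        $ok = password_verify($pass, $stored);
    } else {
        $ok = hash_equals($stored, $pass);
    }
    if (!$ok) {
        return "failed";
    }
    // Fresh session id on login so a pre-set (fixated) id is not promoted.
    if (session_id() !== '') {
        session_regenerate_id(true);
    }
    setCookies($user["id"], $user["username"], $user["name"], $user["email"]);
    $_SESSION['userid'] = $user["id"];
    $_SESSION['username'] = $user["username"];
    $_SESSION['user_name'] = $user["name"];
    $_SESSION['usermail'] = $user["email"];
    // Same shape as before (a one-row list), minus the stored password, which
    // the caller has no reason to receive.
    unset($user["password"]);
    return json_encode(array($user));
}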
コード例 #2
ファイル: index_backup.php プロジェクト: sarahbx/moers
function loginUser()
{
    // Creates a session for the user named in $_POST['username'] and redirects
    // to main.php. NOTE(review): no password or other credential is checked in
    // this function; unless the caller verified one first, knowing a username
    // is enough to obtain a session cookie.
    $username = $_POST['username'];
    // checks it against the database
    // NOTE(review): '******' is the hosting site's redaction of an interpolated
    // value (presumably $username); the real query builds SQL by string
    // interpolation with the legacy mysql_* API, which has no parameter
    // binding and was removed in PHP 7.
    $query = "SELECT * FROM users WHERE username = '******'";
    // die(mysql_error()) sends the raw database error text to the client.
    $check = mysql_query($query) or die(mysql_error());
    if ($info = mysql_fetch_array($check)) {
        // Server-side session token. rand_string() is not shown here, so its
        // entropy source is unverified - confirm it uses a CSPRNG.
        $sessionId = rand_string(32);
        // update lastLogon & session id
        $now = date('c');
        $update = "UPDATE users SET lastLogon='{$now}', session_id='{$sessionId}' WHERE username='******'";
        $result = mysql_query($update) or die(mysql_error());
        // The cookie identifies the user by the stored sha256 of the username.
        $hashUsername = $info['sha256_user'];
        // if login is ok then we add a cookie
        setCookies($hashUsername, $sessionId);
        // Dead store: this value is neither stored nor sent to the client; the
        // live session stays the $sessionId written above.
        $sessionId = rand_string(32);
        logLogin($hashUsername);
        //then redirect them to the members area
        // No exit after the redirect header: the caller keeps running.
        header('Location: main.php');
    } else {
        dieError("ERROR: Cannot find user record in database. Please contact the administrator");
    }
}
コード例 #3
ファイル: mod.php プロジェクト: niksfish/Tinyboard
         $query->bindValue(':id', $modID, PDO::PARAM_INT);
         $query->execute() or error(db_error($query));
     }
     // Refresh
     $query = prepare("SELECT * FROM `mods` WHERE `id` = :id");
     $query->bindValue(':id', $modID, PDO::PARAM_INT);
     $query->execute() or error(db_error($query));
     if (!($_mod = $query->fetch())) {
         error($config['error']['404']);
     }
     if ($_mod['id'] == $mod['id']) {
         // Changed own password. Update cookies
         if (!login($_mod['username'], $_mod['password'], false, true)) {
             error(_('Could not re-login after changing password. (?)'));
         }
         setCookies();
     }
     if (hasPermission($config['mod']['manageusers'])) {
         header('Location: ?/users', true, $config['redirect_http']);
     } else {
         header('Location: ?/', true, $config['redirect_http']);
     }
     exit;
 }
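 $__boards = '<ul style="list-style:none;padding:2px 5px">';
 // "*" (all boards) is listed first, followed by every real board.
 $boards = array_merge(array(array('uri' => '*', 'title' => 'All')), listBoards());
 $_mod['boards'] = explode(',', $_mod['boards']);
 // Iterate by value: the reference form (foreach ... as &$_board) left $_board
 // aliased to the last element after the loop and was never unset().
 // uri is used inside attributes and title inside the label text; both come
 // from the database, so they are escaped for HTML here.
 foreach ($boards as $_board) {
     $__boards .= '<li>'
         . '<input type="checkbox" name="board_' . htmlspecialchars($_board['uri'], ENT_QUOTES, 'UTF-8') . '" id="board_' . htmlspecialchars($_board['uri'], ENT_QUOTES, 'UTF-8') . '"'
         . (in_array($_board['uri'], $_mod['boards'], true) ? ' checked="checked"' : '')
         . '/> '
         . '<label style="display:inline" for="board_' . htmlspecialchars($_board['uri'], ENT_QUOTES, 'UTF-8') . '">'
         . ($_board['uri'] == '*' ? '<em>"*"</em>' : sprintf($config['board_abbreviation'], $_board['uri']))
         . ' - ' . htmlspecialchars($_board['title'], ENT_QUOTES, 'UTF-8')
         . '</label>'
         . '</li>';
 }
 $__boards .= '</ul>';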
コード例 #4
ファイル: files.php プロジェクト: JackyMamba/SimpleEOW
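require_once '../init.php';
require_once '../pager.php';
require_once getCacheFilePath('folders.php');
require_once './../../' . ADMIN_DIR . '/language/language.php';
// Admin-only page: bail out before touching any request data.
if (!isAdmin()) {
    exit($_AL['all.notlogin']);
}
// Request parameters are coerced to integers before reaching SQL or cookies;
// missing parameters default to 0 instead of raising undefined-index notices.
$curPage = isset($_GET["page"]) ? intval($_GET["page"]) : 0;
$folderid = isset($_GET["folderid"]) ? intval($_GET["folderid"]) : 0;
if ($folderid > 0) {
    setCookies("lastfolderid", $folderid);
} else {
    // Fall back to the folder remembered in the cookie (also integer-coerced).
    $folderid = intval(getCookies("lastfolderid"));
}
//preview
setCookies("lastfoldertype", 2);
$pagerlink = "files.php?page={page}&folderid={$folderid}";
// Safe to interpolate: $folderid is an int at this point.
$condition = "folderid={$folderid}";
$orderstr = "id desc";
$pager = new Pager();
$pager->init(10, $curPage, $pagerlink);
$attachements = $pager->queryRows($db, "attachments", $condition, "*", $orderstr);
foreach ($attachements as $key => $att) {
    // Filenames are user-supplied; htmlFilter() them before they reach the template.
    $att['shortfilename'] = htmlFilter(cutStr($att['filename'], 12));
    $att['filename'] = htmlFilter($att['filename']);
    $att['uploadtime'] = getDateStr($att['uploadtime']);
    $attachements[$key] = $att;
}
// An unknown or zero folder id has no cache entry; use an empty row rather
// than reading an undefined index.
$folderrow = isset($cache_folders[$folderid]) ? $cache_folders[$folderid] : array();
$folderrow['title'] = htmlFilter(isset($folderrow['title']) ? $folderrow['title'] : '');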
print <<<EOT
コード例 #5
ファイル: webcore_class.php プロジェクト: rust1989/edit
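 function checkViewLang($type, $id)
 {
     global $_SLANG;
     // Resolves the language the viewed object ($type/$id) belongs to, stores
     // it in the langid cookie and redirects to the same page with langid set.
     // $id is interpolated into the WHERE clauses below as a bare number, so
     // force it to an integer before it reaches SQL.
     $id = intval($id);
     $reallangid = null;
     switch ($type) {
         case 'articlelist':
         case 'page':
             $row = $this->db->row_select_one("channels", "id={$id}");
             empty($row) && exitRes($_SLANG['webcore.channel.ne']);
             $reallangid = $row['langid'];
             break;
         case 'productlist':
             $row = $this->db->row_select_one("procates", "id={$id}");
             empty($row) && exitRes($_SLANG['webcore.cate.ne']);
             $reallangid = $row['langid'];
             break;
         case 'product':
             $row = $this->db->row_select_one("products", "id={$id}");
             empty($row) && exitRes($_SLANG['webcore.product.ne']);
             $reallangid = $row['langid'];
             break;
         case 'view':
             $row = $this->db->row_select_one("articles", "id={$id}");
             empty($row) && exitRes($_SLANG['webcore.art.ne']);
             $reallangid = $row['langid'];
             break;
         // NOTE(review): any other $type falls through with a null language id
         // and is still redirected to "{$type}.php"; if $type can ever come
         // from the request, validate it against the cases above first.
     }
     setCookies("langid", $reallangid, 3600 * 24 * 365);
     // Rebuild the remaining query string with every key and value URL-encoded,
     // so request data cannot smuggle extra parameters or a fragment into the
     // redirect target. Non-scalar (array) parameters are dropped.
     unset($_GET['langid']);
     $tourl = '';
     foreach ($_GET as $getkey => $getvalue) {
         if (!empty($getvalue) && is_scalar($getvalue)) {
             $tourl .= '&' . rawurlencode($getkey) . '=' . rawurlencode($getvalue);
         }
     }
     $tourl = "{$type}.php?langid={$reallangid}{$tourl}";
     _header_("location:{$tourl}");
 }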
コード例 #6
ファイル: pages.php プロジェクト: vicentil/vichan
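function mod_user($uid)
{
    global $config, $mod;
    // Edit (or delete) a moderator account. Allowed with the editusers
    // permission, or with change_password on one's own account.
    if (!hasPermission($config['mod']['editusers']) && !(hasPermission($config['mod']['change_password']) && $uid == $mod['id'])) {
        error($config['error']['noaccess']);
    }
    // $uid comes from the URL; bind it as an integer, as mod.php does.
    $query = prepare('SELECT * FROM ``mods`` WHERE `id` = :id');
    $query->bindValue(':id', $uid, PDO::PARAM_INT);
    $query->execute() or error(db_error($query));
    if (!($user = $query->fetch(PDO::FETCH_ASSOC))) {
        error($config['error']['404']);
    }
    // Request fields that are not plain strings (e.g. username[]=) count as empty.
    $newUsername = isset($_POST['username']) && is_string($_POST['username']) ? $_POST['username'] : '';
    $newPassword = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';
    if (hasPermission($config['mod']['editusers']) && isset($_POST['username'], $_POST['password'])) {
        if (isset($_POST['allboards'])) {
            $boards = array('*');
        } else {
            // Accept only board_<uri> fields that name a board which exists.
            $known = array();
            foreach (listBoards() as $board) {
                $known[] = $board['uri'];
            }
            $boards = array();
            foreach ($_POST as $name => $value) {
                if (preg_match('/^board_(' . $config['board_regex'] . ')$/u', $name, $matches) && in_array($matches[1], $known, true)) {
                    $boards[] = $matches[1];
                }
            }
        }
        if (isset($_POST['delete'])) {
            if (!hasPermission($config['mod']['deleteusers'])) {
                error($config['error']['noaccess']);
            }
            $query = prepare('DELETE FROM ``mods`` WHERE `id` = :id');
            $query->bindValue(':id', $uid, PDO::PARAM_INT);
            $query->execute() or error(db_error($query));
            modLog('Deleted user ' . utf8tohtml($user['username']) . ' <small>(#' . $user['id'] . ')</small>');
            header('Location: ?/users', true, $config['redirect_http']);
            return;
        }
        if ($newUsername === '') {
            error(sprintf($config['error']['required'], 'username'));
        }
        // NOTE(review): no uniqueness or format check is applied to the new
        // username on this path.
        $query = prepare('UPDATE ``mods`` SET `username` = :username, `boards` = :boards WHERE `id` = :id');
        $query->bindValue(':id', $uid, PDO::PARAM_INT);
        $query->bindValue(':username', $newUsername);
        $query->bindValue(':boards', implode(',', $boards));
        $query->execute() or error(db_error($query));
        if ($user['username'] !== $newUsername) {
            // account was renamed
            modLog('Renamed user "' . utf8tohtml($user['username']) . '" <small>(#' . $user['id'] . ')</small> to "' . utf8tohtml($newUsername) . '"');
        }
        if ($newPassword !== '') {
            // Scheme is sha256(salt . sha1(password)); login() must verify the
            // same way, so it is kept. NOTE(review): a single fast hash is cheap
            // to brute-force offline; moving both sides to password_hash() would
            // be the real fix.
            $salt = generate_salt();
            $hashed = hash('sha256', $salt . sha1($newPassword));
            $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
            $query->bindValue(':id', $uid, PDO::PARAM_INT);
            $query->bindValue(':password', $hashed);
            $query->bindValue(':salt', $salt);
            $query->execute() or error(db_error($query));
            modLog('Changed password for ' . utf8tohtml($newUsername) . ' <small>(#' . $user['id'] . ')</small>');
            if ($uid == $mod['id']) {
                // Own password changed: re-issue the login cookie for the new hash.
                login($newUsername, $newPassword);
                setCookies();
            }
        }
        if (hasPermission($config['mod']['manageusers'])) {
            header('Location: ?/users', true, $config['redirect_http']);
        } else {
            header('Location: ?/', true, $config['redirect_http']);
        }
        return;
    }
    if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) {
        if ($newPassword !== '') {
            // Same hashing scheme as above (see note there).
            $salt = generate_salt();
            $hashed = hash('sha256', $salt . sha1($newPassword));
            $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
            $query->bindValue(':id', $uid, PDO::PARAM_INT);
            $query->bindValue(':password', $hashed);
            $query->bindValue(':salt', $salt);
            $query->execute() or error(db_error($query));
            modLog('Changed own password');
            login($user['username'], $newPassword);
            setCookies();
        }
        if (hasPermission($config['mod']['manageusers'])) {
            header('Location: ?/users', true, $config['redirect_http']);
        } else {
            header('Location: ?/', true, $config['redirect_http']);
        }
        return;
    }
    // GET: render the edit form with the user's five most recent log entries.
    if (hasPermission($config['mod']['modlog'])) {
        $query = prepare('SELECT * FROM ``modlogs`` WHERE `mod` = :id ORDER BY `time` DESC LIMIT 5');
        $query->bindValue(':id', $uid, PDO::PARAM_INT);
        $query->execute() or error(db_error($query));
        $log = $query->fetchAll(PDO::FETCH_ASSOC);
    } else {
        $log = array();
    }
    $user['boards'] = explode(',', $user['boards']);
    mod_page(_('Edit user'), 'mod/user.html', array('user' => $user, 'logs' => $log, 'boards' => listBoards(), 'token' => make_secure_link_token('users/' . $user['id'])));
}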
コード例 #7
ファイル: logout.php プロジェクト: rust1989/edit
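<?php

require_once 'inc/init.php';
// Expiry two years in the past: every setCookies() call below clears a cookie.
$t = -86400 * 365 * 2;
uSESSION('memberid');
uSESSION('groupid');
// login.php also writes membername/memberpass/memberauth through wSESSION();
// drop those as well so no login state survives in the session.
uSESSION('membername');
uSESSION('memberpass');
uSESSION('memberauth');
// NOTE(review): session_destroy() is left disabled, so the session id itself
// is reused after logout; session_regenerate_id(true) would at least rotate it.
//session_destroy();
// login.php sets the cookie as 'membername' (setCookies('membername', ...)),
// so clearing 'username' alone never removed it. Both names are cleared here.
setCookies('membername', '', $t);
setCookies('username', '', $t);
setCookies('userpass', '', $t);
setCookies('expire', '', $t);
setCookies('memberauth', '', $t);
// NOTE(review): the 'cartid' cookie written at login (= member id, 7 days) is
// not cleared here, as before - decide whether a cart should outlive logout.
printMsg('logout_succeed');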
コード例 #8
ファイル: ajaxpublic.php プロジェクト: rust1989/edit
     }
     $odt['proid'] = $row['id'];
     $odt['proname'] = $row['name'];
     $protmppic = $webcore->getPics($row['picids'], $row['picpaths'], 0, false);
     $odt['picid'] = $protmppic['picid'];
     $odt['picpath'] = $protmppic['picpath'];
     $odt['addtime'] = time();
     $odt['price'] = $row['price1'];
     $odt['langid'] = $_SYS['langid'];
     if ($cartid == 0) {
         $odt['pronum'] = 1;
         $db->row_insert("orderdetails", $odt);
         $cartid = $db->insert_id();
         $odt['cartid'] = $cartid;
         $db->row_update("orderdetails", $odt, "id={$cartid}");
         setCookies("cartid", $cartid, 3600 * 24 * 7);
     } else {
         $odtrow = $db->row_select_one("orderdetails", "proid={$proid} and cartid={$cartid} and langid={$_SYS['langid']}");
         if (!empty($odtrow)) {
             $odt['pronum'] = $odtrow['pronum'] + 1;
             $db->row_update("orderdetails", $odt, "id={$odtrow['id']}");
         } else {
             $odt['pronum'] = 1;
             $odt['cartid'] = $cartid;
             $db->row_insert("orderdetails", $odt);
         }
     }
     succeedFlag();
     break;
 case "delFromCart":
     $proid = intval($_GET["proid"]);
コード例 #9
ファイル: pages.php プロジェクト: ringtech/infinity
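function mod_user($uid)
{
    global $config, $mod;
    // Edit (or delete) a moderator account. Allowed with the editusers
    // permission, or with edit_profile on one's own account.
    if (!hasPermission($config['mod']['editusers']) && !(hasPermission($config['mod']['edit_profile']) && $uid == $mod['id'])) {
        error($config['error']['noaccess']);
    }
    if (in_array($mod['boards'][0], array('infinity', 'z'))) {
        error('This board has profile changing disabled.');
    }
    // $uid comes from the URL; bind it as an integer, as mod.php does.
    $query = prepare('SELECT * FROM ``mods`` WHERE `id` = :id');
    $query->bindValue(':id', $uid, PDO::PARAM_INT);
    $query->execute() or error(db_error($query));
    if (!($user = $query->fetch(PDO::FETCH_ASSOC))) {
        error($config['error']['404']);
    }
    // Request fields that are not plain strings (e.g. username[]=) count as
    // empty; a non-string email counts as absent.
    $newUsername = isset($_POST['username']) && is_string($_POST['username']) ? $_POST['username'] : '';
    $newPassword = isset($_POST['password']) && is_string($_POST['password']) ? $_POST['password'] : '';
    $newEmail = isset($_POST['email']) && is_string($_POST['email']) ? $_POST['email'] : null;
    if (hasPermission($config['mod']['editusers']) && isset($_POST['username'], $_POST['password'])) {
        if (isset($_POST['allboards'])) {
            $boards = array('*');
        } else {
            // Accept only board_<uri> fields that name a board which exists.
            $known = array();
            foreach (listBoards() as $board) {
                $known[] = $board['uri'];
            }
            $boards = array();
            foreach ($_POST as $name => $value) {
                if (preg_match('/^board_(' . $config['board_regex'] . ')$/u', $name, $matches) && in_array($matches[1], $known, true)) {
                    $boards[] = $matches[1];
                }
            }
        }
        if (isset($_POST['delete'])) {
            if (!hasPermission($config['mod']['deleteusers'])) {
                error($config['error']['noaccess']);
            }
            $query = prepare('DELETE FROM ``mods`` WHERE `id` = :id');
            $query->bindValue(':id', $uid, PDO::PARAM_INT);
            $query->execute() or error(db_error($query));
            modLog('Deleted user ' . utf8tohtml($user['username']) . ' <small>(#' . $user['id'] . ')</small>');
            header('Location: ?/users', true, $config['redirect_http']);
            return;
        }
        if ($newUsername === '') {
            error(sprintf($config['error']['required'], 'username'));
        }
        // NOTE(review): unlike the self-service rename below, this path applies
        // no format or uniqueness check to the new username.
        $query = prepare('UPDATE ``mods`` SET `username` = :username, `boards` = :boards WHERE `id` = :id');
        $query->bindValue(':id', $uid, PDO::PARAM_INT);
        $query->bindValue(':username', $newUsername);
        $query->bindValue(':boards', implode(',', $boards));
        $query->execute() or error(db_error($query));
        if ($user['username'] !== $newUsername) {
            // account was renamed
            modLog('Renamed user "' . utf8tohtml($user['username']) . '" <small>(#' . $user['id'] . ')</small> to "' . utf8tohtml($newUsername) . '"');
        }
        if ($newPassword !== '') {
            // Scheme is sha256(salt . sha1(password)); login() must verify the
            // same way, so it is kept. NOTE(review): a single fast hash is cheap
            // to brute-force offline; moving both sides to password_hash() would
            // be the real fix.
            $salt = generate_salt();
            $hashed = hash('sha256', $salt . sha1($newPassword));
            $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
            $query->bindValue(':id', $uid, PDO::PARAM_INT);
            $query->bindValue(':password', $hashed);
            $query->bindValue(':salt', $salt);
            $query->execute() or error(db_error($query));
            modLog('Changed password for ' . utf8tohtml($newUsername) . ' <small>(#' . $user['id'] . ')</small>');
            if ($uid == $mod['id']) {
                // Own password changed: re-issue the login cookie for the new hash.
                login($newUsername, $newPassword);
                setCookies();
            }
        }
        if (hasPermission($config['mod']['manageusers'])) {
            header('Location: ?/users', true, $config['redirect_http']);
        } else {
            header('Location: ?/', true, $config['redirect_http']);
        }
        return;
    }
    if (hasPermission($config['mod']['edit_profile']) && $uid == $mod['id']) {
        if ($newPassword !== '') {
            // Same hashing scheme as above (see note there).
            $salt = generate_salt();
            $hashed = hash('sha256', $salt . sha1($newPassword));
            $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
            $query->bindValue(':id', $uid, PDO::PARAM_INT);
            $query->bindValue(':password', $hashed);
            $query->bindValue(':salt', $salt);
            $query->execute() or error(db_error($query));
            modLog('Changed own password');
            login($user['username'], $newPassword);
            setCookies();
        }
        if (isset($_POST['username']) && $user['username'] !== $newUsername) {
            if ($newUsername === '') {
                error(sprintf($config['error']['required'], 'username'));
            }
            if (!preg_match('/^[a-zA-Z0-9._]{1,30}$/', $newUsername)) {
                error(_('Invalid username'));
            }
            // Case-insensitive uniqueness check across all accounts (strict
            // string comparison: == would treat numeric-looking names as numbers).
            $query = prepare('SELECT `username` FROM ``mods``');
            $query->execute() or error(db_error($query));
            foreach ($query->fetchAll(PDO::FETCH_ASSOC) as $other) {
                if (strtolower($newUsername) === strtolower($other['username'])) {
                    error(_('Refusing to change your username because another user is already using it.'));
                }
            }
            $query = prepare('UPDATE ``mods`` SET `username` = :username WHERE `id` = :id');
            $query->bindValue(':id', $uid, PDO::PARAM_INT);
            $query->bindValue(':username', $newUsername);
            $query->execute() or error(db_error($query));
            modLog('Renamed user "' . utf8tohtml($user['username']) . '" <small>(#' . $user['id'] . ')</small> to "' . utf8tohtml($newUsername) . '"');
            // NOTE(review): no re-login after a self-rename (compare the password
            // branch); if the login cookie is bound to the username, the current
            // session may stop validating - confirm against login().
        }
        if ($newEmail !== null && $user['email'] !== $newEmail && ($newEmail === '' || filter_var($newEmail, FILTER_VALIDATE_EMAIL))) {
            // email changed (an empty value clears it)
            $query = prepare('UPDATE ``mods`` SET `email` = :email WHERE `id` = :id');
            $query->bindValue(':id', $uid, PDO::PARAM_INT);
            $query->bindValue(':email', $newEmail);
            $query->execute() or error(db_error($query));
            modLog('Changed user\'s email "' . utf8tohtml($user['email']) . '" <small>(#' . $user['id'] . ')</small> to "' . utf8tohtml($newEmail) . '"');
        }
        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
            if (hasPermission($config['mod']['manageusers'])) {
                header('Location: ?/users', true, $config['redirect_http']);
            } else {
                header('Location: ?/', true, $config['redirect_http']);
            }
            return;
        }
    }
    // GET: render the profile form with the user's five most recent log entries.
    if (hasPermission($config['mod']['modlog'])) {
        $query = prepare('SELECT * FROM ``modlogs`` WHERE `mod` = :id ORDER BY `time` DESC LIMIT 5');
        $query->bindValue(':id', $uid, PDO::PARAM_INT);
        $query->execute() or error(db_error($query));
        $log = $query->fetchAll(PDO::FETCH_ASSOC);
    } else {
        $log = array();
    }
    if ($mod['type'] >= ADMIN) {
        $boards = listBoards();
    } else {
        // Non-admins only see the boards assigned to the edited user.
        $boards = array();
        foreach (explode(',', $user['boards']) as $string) {
            $boards[] = array("uri" => $string, "title" => _("My board"));
        }
    }
    $user['boards'] = explode(',', $user['boards']);
    mod_page(_('Edit user profile'), 'mod/user.html', array('user' => $user, 'logs' => $log, 'boards' => $boards, 'token' => make_secure_link_token('users/' . $user['id'])));
}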
コード例 #10
ファイル: functions.php プロジェクト: sarahbx/moers
function changeCookie()
{
    // Validates the login cookie pair (ID = stored sha256 of the username,
    // Session_ID = server-issued token) against the users table and rotates
    // the stored session id on every call.
    //	header("Content-Type: text/html; charset=utf-8");
    //Checks if there is a login cookie
    if (getCookie('ID')) {
        // NOTE(review): get_magic_quotes_gpc() no longer exists in PHP 8, and
        // addslashes() is not a SQL escaping function; with the legacy mysql_*
        // API the values are still interpolated into SQL text below.
        if (!get_magic_quotes_gpc()) {
            $funcHash = addslashes(getCookie('ID'));
            $funcSession = addslashes(getCookie('Session_ID'));
        } else {
            $funcHash = getCookie('ID');
            $funcSession = getCookie('Session_ID');
        }
        // NOTE(review): '******' is the hosting site's redaction of the
        // interpolated value (presumably $funcHash) - verify against the
        // original file.
        $funcCheck = mysql_query("SELECT * FROM users WHERE sha256_user = '******'");
        // mysql_query() returns a (truthy) result resource even when no row
        // matched, so an unknown ID cookie skips the while loop entirely and
        // falls through without clearing the cookie or redirecting.
        if ($funcCheck) {
            while ($funcInfo = mysql_fetch_array($funcCheck)) {
                // this resets the stored session id
                // NOTE(review): the rotation happens before the presented
                // Session_ID is checked, so any request carrying a known ID
                // cookie with a wrong Session_ID still replaces the stored id and
                // invalidates the genuine browser's session.
                $funcNewSession = rand_string(32);
                $funcUpdate = "UPDATE users SET session_id='{$funcNewSession}' WHERE sha256_user='******'";
                $funcResult = mysql_query($funcUpdate);
                // Compared against the value fetched before the rotation. A loose
                // != is neither strict nor timing-safe; hash_equals() is the usual
                // choice for token comparison.
                if ($funcSession != $funcInfo['session_id']) {
                    //this deletes the cookie
                    clearCookies();
                    // clear the variable values
                    // (overwriting locals with random strings has no security
                    // effect - they go out of scope when the function returns)
                    $funcHash = rand_string(32);
                    $funcSession = rand_string(32);
                    $funcNewSession = rand_string(32);
                    $funcCheck = rand_string(32);
                    $funcInfo = rand_string(32);
                    // kick them out
                    // No exit after header(): execution continues past this
                    // redirect (and the loop condition is re-evaluated).
                    header('Location: logout.php');
                } else {
                    // reset the cookie
                    setCookies($funcHash, $funcNewSession);
                }
            }
        } else {
            // Query failed (not "no rows"): see the note above.
            //this deletes the cookie
            clearCookies();
            // clear the variable values
            $funcHash = rand_string(32);
            $funcSession = rand_string(32);
            $funcNewSession = rand_string(32);
            $funcCheck = rand_string(32);
            $funcInfo = rand_string(32);
            // kick them out
            header('Location: logout.php');
        }
    } else {
        // No ID cookie at all.
        //this deletes the cookie
        clearCookies();
        // clear the variable values
        $funcHash = rand_string(32);
        $funcSession = rand_string(32);
        $funcNewSession = rand_string(32);
        $funcCheck = rand_string(32);
        $funcInfo = rand_string(32);
        // kick them out
        header('Location: logout.php');
    }
    // clear the variable values
    $funcHash = rand_string(32);
    $funcNewSession = rand_string(32);
    $funcSession = rand_string(32);
    $funcCheck = rand_string(32);
    $funcInfo = rand_string(32);
}
コード例 #11
ファイル: vote.php プロジェクト: rust1989/edit
             }
         }
         if ($voterow['level'] == 2 && intval(getCookies("vote{$voteid}")) == 1) {
             $votetips = $_SLANG['vote.voted'];
         }
         //成功投票
         if (empty($votetips)) {
             foreach ($rows as $row) {
                 if (in_array($row['id'], $voteitemid)) {
                     $tip = getIP();
                     $db->query_unbuffered("update `{$db->pre}voteitems` set votednum=votednum+1, voteips=" . $db->concat("voteips", "'{$tip}'") . " where id={$row['id']}");
                 }
             }
             //写cookies
             if ($voterow['level'] == 2) {
                 setCookies("vote{$voteid}", '1');
             }
             $totalrow = $db->row_query_one("SELECT SUM(votednum) as total FROM `{$db->pre}voteitems` WHERE voteid={$voteid} LIMIT 1");
             $db->query_unbuffered("update `{$db->pre}votes` set votednum={$totalrow['total']} where id={$voteid}");
             $votetips = $_SLANG['vote.succeed'];
         }
         $votetips = empty($votetips) ? "" : "<div class='votesucceed'>{$votetips}</div>";
     }
 }
 // Per-item bar colours for the results view (index 0 unused).
 $votecolors = array('', '#DCEF17', '#FFBF2A', '#EA793F', '#ECA45C', '#4CBA4A', '#5D74B1', '#98C6D5', '#DD30AE', '#BDF752', '#EE335F');
 // Results markup is appended to $votestr, which is assumed to be initialised
 // earlier in this file.
 $votestr .= "<div class='view_vote'>";
 // $id is interpolated unquoted into the WHERE clause; it must already be an
 // integer (intval()) where it is read from the request - confirm above.
 $voterow = $db->row_select_one("votes", "id={$id}");
 $allvotednum = $voterow['votednum'];
 $itemrows = $db->row_select("voteitems", "voteid={$id}", 0, "*", "id");
 $votestarttime = getDateStr($voterow['starttime'], 'dateonly', false);
 $votestoptime = getDateStr($voterow['stoptime'], 'dateonly', false);
コード例 #12
ファイル: login.php プロジェクト: wojciechzachwieja/Pizzeria
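     // 128-bit session key from the CSPRNG, rendered as 32 hex characters (the
     // same width as the md5() output it replaces, so stored column sizes are
     // unchanged). The previous md5(rand(-100, 100) . REMOTE_ADDR) had only 201
     // possible values per client address and could be guessed in a handful of
     // requests.
     if (function_exists('random_bytes')) {
         $key = bin2hex(random_bytes(16));
     } else {
         // PHP < 7 fallback; requires ext/openssl.
         $key = bin2hex(openssl_random_pseudo_bytes(16));
     }
     $ip = $_SERVER['REMOTE_ADDR'];
     $id_prac = $row['ID_PRAC'];
     // NOTE(review): the @ hides query errors; a failed lookup silently skips
     // session creation while the redirect below still happens.
     if ($result2 = @$connectionDB->query(sprintf("SELECT * FROM sesja2 WHERE id_prac = '%s' ", mysqli_real_escape_string($connectionDB, $id_prac)))) {
         // One session per account: a login elsewhere removes any existing one.
         if ($result2->num_rows > 0) {
             mysqli_query($connectionDB, sprintf("call usun_sesje2('%s'); ", mysqli_real_escape_string($connectionDB, $id_prac)));
         }
         // Cookie carries key, staff id and client address; the same triple is
         // inserted server-side.
         setCookies($key, $id_prac, $ip);
         mysqli_query($connectionDB, sprintf("call dodaj_sesje2('%s','%s','%s'); ", mysqli_real_escape_string($connectionDB, $id_prac), mysqli_real_escape_string($connectionDB, $key), mysqli_real_escape_string($connectionDB, $ip)));
     }
     // Clear the error cookie (empty string rather than null, which newer PHP
     // rejects for this parameter).
     setcookie('error', '');
     $result->close();
     header('location: logged.php');
     // NOTE(review): no exit after the redirect header, so whatever follows
     // this branch still runs for the redirected request.
     // TODO (translated from the original):
     // - create the cookie (with a table of session data)
     // - create the session table
     // - the page could use https instead of hashing in js
     // - compare the session with the database row
     // - logout: remove the rows from the database and the cookies
     // - event timestamp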
 } else {
コード例 #13
ファイル: login.php プロジェクト: wojciechzachwieja/Pizzeria
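     // 128-bit session key from the CSPRNG, rendered as 32 hex characters (the
     // same width as the md5() output it replaces, so stored column sizes are
     // unchanged). The previous md5(rand(-100, 100) . REMOTE_ADDR) had only 201
     // possible values per client address and could be guessed in a handful of
     // requests.
     if (function_exists('random_bytes')) {
         $key = bin2hex(random_bytes(16));
     } else {
         // PHP < 7 fallback; requires ext/openssl.
         $key = bin2hex(openssl_random_pseudo_bytes(16));
     }
     $ip = $_SERVER['REMOTE_ADDR'];
     $id_uzyt = $row['ID_UZYT'];
     // NOTE(review): the @ hides query errors; a failed lookup silently skips
     // session creation while the redirect below still happens.
     if ($result2 = @$connectionDB->query(sprintf("SELECT * FROM sesja WHERE id_uzt = '%s' ", mysqli_real_escape_string($connectionDB, $id_uzyt)))) {
         // One session per account: a login elsewhere removes any existing one.
         if ($result2->num_rows > 0) {
             mysqli_query($connectionDB, sprintf("call usun_sesje('%s'); ", mysqli_real_escape_string($connectionDB, $id_uzyt)));
         }
         // Cookie carries key, user id and client address; the same triple is
         // inserted server-side.
         setCookies($key, $id_uzyt, $ip);
         mysqli_query($connectionDB, sprintf("call dodaj_sesje('%s','%s','%s'); ", mysqli_real_escape_string($connectionDB, $id_uzyt), mysqli_real_escape_string($connectionDB, $key), mysqli_real_escape_string($connectionDB, $ip)));
     }
     // Clear the error cookie (empty string rather than null, which newer PHP
     // rejects for this parameter).
     setcookie('error', '');
     $result->close();
     header('location: logged.php');
     // NOTE(review): no exit after the redirect header, so whatever follows
     // this branch still runs for the redirected request.
     // TODO (translated from the original):
     // - create the cookie (with a table of session data)
     // - create the session table
     // - the page could use https instead of hashing in js
     // - compare the session with the database row
     // - logout: remove the rows from the database and the cookies
     // - event timestamp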
 } else {
コード例 #14
ファイル: login.php プロジェクト: rust1989/edit
if ($_GET['action'] == "checklogin") {
    // Login form handler. strFilter() is not shown here, so what it strips
    // from the credentials is unverified.
    $username = strFilter($_POST['membername']);
    $userpass = strFilter($_POST['memberpass']);
    // The stored form of the password is encrypt(username, password) - a
    // project-specific scheme rather than password_hash(); its strength cannot
    // be judged from this file.
    $userpass = encrypt($username, $userpass);
    if (empty($username) || empty($userpass)) {
        // NOTE(review): relies on printMsg() terminating the request; if it
        // returns, the lookup below runs with empty credentials - confirm.
        printMsg('signup_required_1');
    }
    // NOTE(review): '******' is the hosting site's redaction of the interpolated
    // $userpass. Both values are interpolated into the WHERE clause as text, so
    // this query is only as safe as strFilter()/encrypt() make it.
    $row = $db->row_select_one("members", "membername='{$username}' and memberpass='******'");
    if ($row == false) {
        printMsg('login_namepasserr');
    } else {
        $uobj['logintime'] = time();
        $db->row_update("members", $uobj, "id={$row['id']}");
        // Two years in the past. logout.php passes the same value to clear
        // cookies; how wSESSION()/setCookies() interpret a negative lifetime here
        // is not visible in this file - confirm these cookies actually persist.
        $t = -86400 * 365 * 2;
        wSESSION('memberid', $row['id']);
        wSESSION('groupid', $row['groupid']);
        wSESSION('membername', $row['membername'], $t);
        wSESSION('memberpass', $row['memberpass'], $t);
        // NOTE(review): the cart id is the member id, so cart ids are sequential
        // and predictable; ajaxpublic.php filters orderdetails by cartid, so a
        // client that sets this cookie to another id can reach another member's
        // cart unless that lookup also checks the logged-in member - confirm.
        setCookies("cartid", $row['id'], 3600 * 24 * 7);
        //session_destroy();
        setCookies('membername', $username, $t);
        // NOTE(review): the password-derived value itself is stored in a cookie,
        // i.e. a long-lived credential equivalent on the client; a random
        // session token would be the usual choice.
        setCookies('userpass', $userpass, $t);
        setCookies('expire', '', $t);
        // Auth token = md5(name . stored password . site salt); it cannot be
        // revoked without changing the password or the salt.
        wSESSION('memberauth', md5($row['membername'] . $row['memberpass'] . $cache_global['salt']), $t);
        printMsg('login_succeed');
    }
} else {
    // No action: render the login page.
    require_once './header.php';
    require_once getTemplatePath('login.htm');
    footer();
}
コード例 #15
ファイル: comment.php プロジェクト: bgarrels/textpattern
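function commentForm($id, $atts = NULL)
{
    global $prefs;
    // Builds the comment form for article $id. $prefs and the tag attributes
    // are site-owner controlled; the extract() of request data further down is
    // limited to a fixed key list.
    extract($prefs);
    extract(lAtts(array('isize' => '25', 'msgrows' => '5', 'msgcols' => '25', 'msgstyle' => '', 'form' => 'comment_form'), $atts));
    $namewarn = false;
    $emailwarn = false;
    $commentwarn = false;
    // Defaults come from the remembered cookies; a preview overrides them with
    // the posted values.
    $name = pcs('name');
    $email = clean_url(pcs('email'));
    $web = clean_url(pcs('web'));
    extract(doStripTags(doDeEnt(psa(array('remember', 'forget', 'parentid', 'preview', 'message', 'submit', 'backpage')))));
    if ($preview) {
        $name = ps('name');
        $email = clean_url(ps('email'));
        $web = clean_url(ps('web'));
        // A nonce/secret pair is issued per preview and stored server-side; the
        // nonce is echoed back in the form below.
        $nonce = getNextNonce();
        $secret = getNextSecret();
        safe_insert("txp_discuss_nonce", "issue_time=now(), nonce='{$nonce}', secret='{$secret}'");
        $namewarn = $comments_require_name && !trim($name);
        $emailwarn = $comments_require_email && !trim($email);
        $commentwarn = !trim($message);
        $evaluator =& get_comment_evaluator();
        if ($namewarn) {
            $evaluator->add_estimate(RELOAD, 1, gTxt('comment_name_required'));
        }
        if ($emailwarn) {
            $evaluator->add_estimate(RELOAD, 1, gTxt('comment_email_required'));
        }
        if ($commentwarn) {
            $evaluator->add_estimate(RELOAD, 1, gTxt('comment_required'));
        }
    }
    // If the form fields are filled (anything other than blank), pages
    // really should not be saved by a public cache. rfc2616/14.9.1
    if ($name || $email || $web) {
        header('Cache-Control: private');
    }
    $parentid = !$parentid ? $id : $parentid;
    // A remembered value means the commenter opted in earlier: keep the cookies
    // refreshed with the current values. (The old cookie-vs-post comparison
    // here had an empty body and has been dropped.)
    if (pcs('name') || pcs('email') || pcs('web')) {
        $remember = 1;
    }
    if ($remember == 1) {
        setCookies($name, $email, $web);
    }
    if ($forget == 1) {
        destroyCookies();
    }
    $url = $GLOBALS['pretext']['request_uri'];
    // Experimental clean urls with only 404-error-document on apache
    // possibly requires messy urls for POST requests.
    if (defined('PARTLY_MESSY') and PARTLY_MESSY) {
        $url = hu . '?id=' . intval($parentid);
    }
    // The request URI is attacker-influenced and lands inside an attribute:
    // escape it so a crafted URL cannot close action="..." and inject markup.
    $out = '<form method="post" action="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '#cpreview" id="txpCommentInputForm">';
    $Form = fetch('Form', 'txp_form', 'name', $form);
    // msgstyle/msgrows/msgcols are template attributes, not request data.
    $msgstyle = $msgstyle ? ' style="' . $msgstyle . '"' : '';
    $msgrows = ($msgrows and is_numeric($msgrows)) ? ' rows="' . intval($msgrows) . '"' : '';
    $msgcols = ($msgcols and is_numeric($msgcols)) ? ' cols="' . intval($msgcols) . '"' : '';
    // The posted message is HTML-escaped for the textarea body.
    $textarea = '<textarea class="txpCommentInputMessage' . ($commentwarn ? ' comments_error"' : '"') . ' name="message" id="message" ' . $msgcols . $msgrows . $msgstyle . '>' . htmlspecialchars($message) . '</textarea>';
    $comment_submit_button = $preview ? fInput('submit', 'submit', gTxt('submit'), 'button') : '';
    $checkbox = !empty($_COOKIE['txp_name']) ? checkbox('forget', 1, 0) . tag(gTxt('forget'), 'label', ' for="forget"') : checkbox('remember', 1, 1) . tag(gTxt('remember'), 'label', ' for="remember"');
    $vals = array('comment_name_input' => input('text', 'name', htmlspecialchars($name), $isize, 'comment_name_input' . ($namewarn ? ' comments_error' : ''), ""), 'comment_email_input' => input('text', 'email', htmlspecialchars($email), $isize, 'comment_email_input' . ($emailwarn ? ' comments_error' : ''), ""), 'comment_web_input' => input('text', 'web', htmlspecialchars($web), $isize, 'comment_web_input', ""), 'comment_message_input' => $textarea . '<!-- plugin-place-holder -->', 'comment_remember' => $checkbox, 'comment_preview' => input('submit', 'preview', gTxt('preview'), '', 'button'), 'comment_submit' => $comment_submit_button);
    foreach ($vals as $a => $b) {
        $Form = str_replace('<txp:' . $a . ' />', $b, $Form);
    }
    $form = parse($Form);
    $out .= $form;
    $out .= fInput('hidden', 'parentid', $parentid);
    // The nonce is split at a random point across a hidden field's name and
    // value; both halves reach the client, so this looks like obfuscation
    // rather than a secret and rand() suffices.
    $split = rand(1, 31);
    $out .= $preview ? hInput(substr($nonce, 0, $split), substr($nonce, $split)) : '';
    $out .= !$preview ? fInput('hidden', 'backpage', serverset("REQUEST_URI")) : fInput('hidden', 'backpage', $backpage);
    $out = substr_replace($out, callback_event('comment.form'), strpos($out, '<!-- plugin-place-holder -->'), strlen('<!-- plugin-place-holder -->'));
    $out .= '</form>';
    return $out;
}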
コード例 #16
ファイル: comment.php プロジェクト: bgarrels/textpattern
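function commentForm($id, $atts = NULL)
{
    // Render the public comment form for article $id.
    //
    // $atts carries the tag attributes isize / msgrows / msgcols / msgstyle /
    // form (defaults in the lAtts() call below); the site prefs
    // comments_require_name and comments_require_email are pulled in via
    // extract($prefs). Returns the complete <form> markup as a string. On a
    // preview request it additionally stores a fresh nonce/secret pair in
    // txp_discuss_nonce and echoes the nonce back as a hidden field.
    global $prefs;
    extract($prefs);
    extract(lAtts(array('isize' => '25', 'msgrows' => '5', 'msgcols' => '25', 'msgstyle' => '', 'form' => 'comment_form'), $atts));
    $namewarn = '';
    $emailwarn = '';
    $commentwarn = '';
    // Defaults come from the visitor's cookies (pcs); a preview request
    // replaces them with the just-posted values below.
    $name = pcs('name');
    $email = pcs('email');
    $web = pcs('web');
    // Tag-stripped, entity-decoded copies of the posted control fields. Note
    // that name/email/web are NOT in this list, so they are not stripped here.
    extract(doStripTags(doDeEnt(psa(array('remember', 'forget', 'parentid', 'preview', 'message', 'submit', 'backpage')))));
    if ($preview) {
        $name = ps('name');
        $email = ps('email');
        $web = ps('web');
        // One-shot nonce/secret pair recorded server side so the final submit
        // can be tied back to this preview. md5(uniqid(rand())) is not a
        // cryptographically strong source; random_bytes() would be the
        // modern choice, but checkNonce()'s expectations are not visible here.
        $nonce = md5(uniqid(rand(), true));
        $secret = md5(uniqid(rand(), true));
        safe_insert("txp_discuss_nonce", "issue_time=now(), nonce='{$nonce}', secret='{$secret}'");
        // Validation messages shown above the respective inputs.
        $namewarn = $comments_require_name ? (!trim($name) ? gTxt('comment_name_required') . br : '') : '';
        $emailwarn = $comments_require_email ? (!trim($email) ? gTxt('comment_email_required') . br : '') : '';
        $commentwarn = !trim($message) ? gTxt('comment_required') . br : '';
    }
    // If the form fields are filled (anything other than blank), pages
    // really should not be saved by a public cache. rfc2616/14.9.1
    if ($name || $email || $web) {
        header('Cache-Control: private');
    }
    $parentid = !$parentid ? $id : $parentid;
    // A visitor who already has comment cookies is treated as "remember me"
    // on every request, so the cookies are refreshed with the current values.
    // (The original also compared cookie and POST values here but did nothing
    // with the result; that empty branch has been dropped.)
    if (pcs('name') || pcs('email') || pcs('web')) {
        $remember = 1;
    }
    if ($remember == 1) {
        setCookies($name, $email, $web);
    }
    if ($forget == 1) {
        destroyCookies();
    }
    $out = '<form method="post" action="#cpreview" id="txpCommentInputForm">';
    $Form = fetch('Form', 'txp_form', 'name', $form);
    // msgstyle originates from the tag attributes (template author), not from
    // the visitor, and is emitted verbatim into the style attribute.
    $msgstyle = $msgstyle ? ' style="' . $msgstyle . '"' : '';
    $msgrows = ($msgrows and is_numeric($msgrows)) ? ' rows="' . intval($msgrows) . '"' : '';
    $msgcols = ($msgcols and is_numeric($msgcols)) ? ' cols="' . intval($msgcols) . '"' : '';
    $textarea = '<textarea class="txpCommentInputMessage" name="message"' . $msgcols . $msgrows . $msgstyle . ' tabindex="1">' . htmlspecialchars($message) . '</textarea>';
    $comment_submit_button = $preview ? fInput('submit', 'submit', gTxt('submit'), 'button') : '';
    $checkbox = !empty($_COOKIE['txp_name']) ? checkbox('forget', 1, 0) . gTxt('forget') : checkbox('remember', 1, 1) . gTxt('remember');
    // NOTE(review): $name/$email/$web are passed to input() without
    // htmlspecialchars(); whether input() escapes its value argument is not
    // visible in this file — confirm, since on a preview these are
    // visitor-supplied POST values.
    $vals = array('comment_name_input' => $namewarn . input('text', 'name', $name, $isize, 'comment_name_input', "2"), 'comment_email_input' => $emailwarn . input('text', 'email', $email, $isize, 'comment_email_input', "3"), 'comment_web_input' => input('text', 'web', $web, $isize, 'comment_web_input', "4"), 'comment_message_input' => $commentwarn . $textarea, 'comment_remember' => $checkbox, 'comment_preview' => input('submit', 'preview', gTxt('preview'), 'comment_preview', 'button'), 'comment_submit' => $comment_submit_button);
    // Substitute each <txp:…/> placeholder in the stored form template.
    foreach ($vals as $a => $b) {
        $Form = str_replace('<txp:' . $a . ' />', $b, $Form);
    }
    $form = parse($Form);
    $out .= $form;
    $out .= graf(fInput('hidden', 'parentid', $parentid));
    $out .= $preview ? hInput('nonce', $nonce) : '';
    // First display remembers the current URI; a preview carries the posted
    // backpage forward unchanged.
    $out .= !$preview ? graf(fInput('hidden', 'backpage', serverset("REQUEST_URI"))) : graf(fInput('hidden', 'backpage', $backpage));
    $out .= '</form>';
    return $out;
}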
    $lg['groupid'] = GROUP_GUESS;
    //自动登录
    if (!empty($lg['membername']) && !empty($lg['memberpass'])) {
        $lgrow = $db->row_select_one("members", "membername='{$lg[membername]}' and memberpass='******'", "id,groupid");
        if (empty($lgrow)) {
            $lg['groupid'] = GROUP_GUESS;
        } else {
            if ($lgrow['groupid'] == GROUP_NOVERIFY || $lgrow['groupid'] == GROUP_NOVISIT || $lgrow['groupid'] == GROUP_VERIFYFAILED) {
                //待验证 //禁止访问 //验证不通过
                $cleart = -86400 * 365 * 2;
                setCookies('membername', '', $cleart);
                setCookies('memberpass', '', $cleart);
                setCookies('expire', '', $cleart);
                _header_("location:index.php");
            } else {
                setCookies('memberauth', md5($lg['membername'] . $lg['memberpass'] . $cache_settings['salt']), $lg['expire']);
                wSESSION('memberid', $lgrow['id']);
                wSESSION('groupid', $lgrow['groupid']);
                $lg['memberid'] = intval(rSESSION('memberid'));
                $lg['groupid'] = intval(rSESSION('groupid'));
            }
        }
    }
}
//模板相关
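$_SYS['styleid'] = $cache_settings['template'];
// ?preview lets the request choose a template id. The surrounding comments
// suggest the id is later used as part of a template path (confirm against
// the code that follows), so quote, slash, backslash and dot characters are
// stripped to block directory traversal. This is a character blacklist; an
// allow-list check against the known template ids would be the stronger form.
if (isset($_GET['preview'])) {
    // Default to '' when styleid is absent so the lookup does not raise an
    // undefined-index notice (the stripped result was '' in that case anyway).
    $styleid = isset($_GET['styleid']) ? $_GET['styleid'] : '';
    $_SYS['styleid'] = str_replace(array("'", "/", "\\", "\"", "."), '', $styleid);
}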
//模板路径
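function saveComment()
{
    // Handle a comment POST: check that comments are open, the client IP is
    // neither banned nor blacklisted, required fields are present, the
    // comment is not a duplicate and the nonce is valid; then store the row
    // in txp_discuss and redirect back to the article with a 302.
    // On any validation failure it does not return an error — it falls
    // through and forces another preview by setting $_POST['preview'].
    global $siteurl, $comments_moderate, $comments_sendmail, $txpcfg, $comments_disallow_images, $prefs;
    // (The original read serverset('HTTP_REFERRER') into an unused $ref;
    // dropped — the key was misspelled anyway.)
    $in = getComment();
    $evaluator =& get_comment_evaluator();
    extract($in);
    if (!checkCommentsAllowed($parentid)) {
        txp_die(gTxt('comments_closed'), '403');
    }
    $ip = serverset('REMOTE_ADDR');
    if (!checkBan($ip)) {
        txp_die(gTxt('you_have_been_banned'), '403');
    }
    $blacklisted = is_blacklisted($ip);
    if ($blacklisted) {
        txp_die(gTxt('your_ip_is_blacklisted_by' . ' ' . $blacklisted), '403');
    }
    $web = clean_url($web);
    $email = clean_url($email);
    // Cookies are (re)set when "remember" is ticked, or when the form showed
    // the "forget" box and it was left unticked; otherwise they are cleared.
    if ($remember == 1 || (ps('checkbox_type') == 'forget' && ps('forget') != 1)) {
        setCookies($name, $email, $web);
    } else {
        destroyCookies();
    }
    // doSlash() is the project's SQL escaping for the string-built queries
    // below; everything interpolated into safe_row/safe_insert goes through it.
    $name = doSlash(strip_tags(deEntBrackets($name)));
    $web = doSlash(strip_tags(deEntBrackets($web)));
    $email = doSlash(strip_tags(deEntBrackets($email)));
    // Byte-wise truncation to the column limit; this can cut a multi-byte
    // character in half — kept as is because the column size is in bytes.
    $message = substr(trim($message), 0, 65535);
    $message2db = doSlash(markup_comment($message));
    $isdup = safe_row("message,name", "txp_discuss", "name='{$name}' and message='{$message2db}' and ip='" . doSlash($ip) . "'");
    if (($prefs['comments_require_name'] && !trim($name)) || ($prefs['comments_require_email'] && !trim($email)) || !trim($message)) {
        $evaluator->add_estimate(RELOAD, 1);
        // The error-messages are added in the preview-code
    }
    if ($isdup) {
        $evaluator->add_estimate(RELOAD, 1);
    }
    // FIXME? Tell the user about dupe?
    if ($evaluator->get_result() != RELOAD && checkNonce($nonce)) {
        callback_event('comment.save');
        $visible = $evaluator->get_result();
        if ($visible != RELOAD) {
            $parentid = assert_int($parentid);
            $rs = safe_insert("txp_discuss", "parentid  = {$parentid},\n\t\t\t\t\t name\t\t  = '{$name}',\n\t\t\t\t\t email\t  = '{$email}',\n\t\t\t\t\t web\t\t  = '{$web}',\n\t\t\t\t\t ip\t\t  = '" . doSlash($ip) . "',\n\t\t\t\t\t message   = '{$message2db}',\n\t\t\t\t\t visible   = " . intval($visible) . ",\n\t\t\t\t\t posted\t  = now()");
            if ($rs) {
                // Burn the nonce so the same preview cannot be submitted twice.
                safe_update("txp_discuss_nonce", "used = 1", "nonce='" . doSlash($nonce) . "'");
                if ($prefs['comment_means_site_updated']) {
                    update_lastmod();
                }
                if ($comments_sendmail) {
                    mail_comment($message, $name, $email, $web, $parentid, $rs);
                }
                $updated = update_comments_count($parentid);
                // backpage is visitor-supplied: cap its length, strip anything
                // from the first CR/LF/# onward (blocks header injection via
                // the Location header), and prefix it with the site's own
                // scheme+host taken from hu so the redirect stays on-site.
                $backpage = substr($backpage, 0, $prefs['max_url_len']);
                $backpage = preg_replace("/[\n\r#].*\$/s", '', $backpage);
                $backpage = preg_replace("#(https?://[^/]+)/.*\$#", "\$1", hu) . $backpage;
                if (defined('PARTLY_MESSY') and PARTLY_MESSY) {
                    $backpage = permlinkurl_id($parentid);
                }
                $backpage .= (strstr($backpage, '?') ? '&' : '?') . 'commented=' . ($visible == VISIBLE ? '1' : '0');
                txp_status_header('302 Found');
                if ($comments_moderate) {
                    header('Location: ' . $backpage . '#txpCommentInputForm');
                } else {
                    header('Location: ' . $backpage . '#c' . sprintf("%06s", $rs));
                }
                log_hit('302');
                $evaluator->write_trace();
                exit;
            }
        }
    }
    // Force another Preview
    $_POST['preview'] = RELOAD;
    //$evaluator->write_trace();
}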
function commentForm($id)
{
    // Build the public comment form for article $id (older variant with no
    // tag attributes). Returns the <form> markup as a string; on a preview
    // request it also records a fresh nonce in txp_discuss_nonce and echoes
    // it back as a hidden field.
    global $txpac;
    $namewarn = '';
    $emailwarn = '';
    $commentwarn = '';
    // Cookie-backed defaults; a preview replaces them with the posted values.
    $name = pcs('name');
    $email = pcs('email');
    $web = pcs('web');
    extract(psa(array('remember', 'forget', 'parentid', 'preview', 'message', 'submit', 'backpage')));
    if ($preview) {
        $name = ps('name');
        $email = ps('email');
        $web = ps('web');
        $nonce = md5(uniqid(rand(), true));
        safe_insert("txp_discuss_nonce", "issue_time=now(), nonce='{$nonce}'");
        // Per-field validation messages shown above the inputs.
        if ($txpac['comments_require_name'] && !trim($name)) {
            $namewarn = gTxt('comment_name_required') . br;
        }
        if ($txpac['comments_require_email'] && !trim($email)) {
            $emailwarn = gTxt('comment_email_required') . br;
        }
        if (!trim($message)) {
            $commentwarn = gTxt('comment_required') . br;
        }
    }
    if (!$parentid) {
        $parentid = $id;
    }
    if ($remember == 1) {
        setCookies($name, $email, $web);
    }
    if ($forget == 1) {
        destroyCookies();
    }
    $html = '<form method="post" action="" style="margin-top:2em">';
    $template = fetch('Form', 'txp_form', 'name', 'comment_form');
    $textarea = '<textarea name="message" cols="1" rows="1" style="width:300px;height:250px" tabindex="4">' . htmlspecialchars($message) . '</textarea>';
    $comment_submit_button = '';
    if ($preview) {
        $comment_submit_button = fInput('submit', 'submit', gTxt('submit'), 'button');
    }
    if (!empty($_COOKIE['txp_name'])) {
        $checkbox = checkbox('forget', 1, 0) . gTxt('forget');
    } else {
        $checkbox = checkbox('remember', 1, 1) . gTxt('remember');
    }
    // NOTE(review): name/email/web reach input() without htmlspecialchars();
    // whether input() escapes its value is not visible here — confirm.
    $placeholders = array(
        'comment_name_input' => $namewarn . input('text', 'name', $name, "25", '', "1"),
        'comment_email_input' => $emailwarn . input('text', 'email', $email, "25", '', "2"),
        'comment_web_input' => input('text', 'web', $web, "25", '', "3"),
        'comment_message_input' => $commentwarn . $textarea,
        'comment_remember' => $checkbox,
        'comment_preview' => input('submit', 'preview', gTxt('preview'), '', 'button'),
        'comment_submit' => $comment_submit_button,
    );
    // Substitute each <txp:…/> placeholder in the stored form template.
    foreach ($placeholders as $tag => $markup) {
        $template = str_replace('<txp:' . $tag . ' />', $markup, $template);
    }
    $html .= parse($template);
    $html .= graf(fInput('hidden', 'parentid', $parentid));
    if ($preview) {
        $html .= hInput('nonce', $nonce);
        $html .= graf(fInput('hidden', 'backpage', $backpage));
    } else {
        $html .= graf(fInput('hidden', 'backpage', serverset("REQUEST_URI")));
    }
    $html .= '</form>';
    return $html;
}