static function insertUpdateInfo($conn, $old_version, $new_version, $name, $description, $userid)
{
try {
$stmt = $conn->prepare('
INSERT INTO updates(from_version, version, name, result, description, userid, datetime_update)
VALUES(?,?,?,?,?,?,NOW())
');
$stmt->execute(array($old_version, $new_version, $name, 'updated', $description, $userid));
} catch (PDOException $e) {
APIHelpers::showerror(1010, $e->getMessage());
}
}
static function loadUserProfile($conn)
{
try {
$profile = array();
$inserts = array();
$defaults = array();
$defaults['template'] = 'base';
$defaults['country'] = '?';
$defaults['city'] = '?';
$defaults['university'] = '?';
$defaults['game'] = '0';
$defaults['lasteventid'] = '0';
$query = 'SELECT * FROM users_profile WHERE userid = ?';
$stmt = $conn->prepare($query);
$stmt->execute(array(APISecurity::userid()));
while ($row = $stmt->fetch()) {
$name = $row['name'];
$value = $row['value'];
$profile[$name] = $value;
}
foreach ($defaults as $k => $v) {
if (!isset($profile[$k])) {
$inserts[$k] = $v;
// default value
$profile[$k] = $v;
// default value
}
}
foreach ($profile as $k => $v) {
$_SESSION['user']['profile'][$k] = $v;
}
$stmt2 = $conn->prepare('INSERT INTO users_profile(userid,name,value,date_change) VALUES(?,?,?,NOW());');
foreach ($inserts as $k => $v) {
$stmt2->execute(array(APISecurity::userid(), $k, $v));
}
} catch (PDOException $e) {
APIHelpers::showerror(1195, $e->getMessage());
}
}
uuid,
pass,
status,
email,
nick,
role,
logo,
dt_last_login,
dt_create
)
VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, NOW());
');
$stmt_insert->execute(array($uuid, $password_hash, 'activated', $email, $nick, 'user', 'files/users/0.png', '0000-00-00 00:00:00'));
if (!APISecurity::login($conn, $email, $password_hash)) {
APIEvents::addPublicEvents($conn, 'errors', 'Alert! Admin, registration is broken!');
APIHelpers::showerror(1287, '[Registration] Sorry registration is broken. Please send report to the admin about this.');
} else {
APISecurity::insertLastIp($conn, APIHelpers::getParam('client', 'none'));
APIUser::loadUserProfile($conn);
APISecurity::logout();
}
$email_subject = "Registration on FreeHackQuest.";
$email_message = '
Registration:
If you was not tried registering on ' . $httpname . ' just remove this email.
Welcome to FreeHackQuest!
Your login: '******'
Your password: '******' (You must change it)
static function startpage($config)
{
header("Access-Control-Allow-Origin: *");
header('Content-Type: application/json');
APIHelpers::$TIMESTART = microtime(true);
$issetToken = APIHelpers::issetParam('token');
if ($issetToken) {
APIHelpers::$TOKEN = APIHelpers::getParam('token', '');
$conn = APIHelpers::createConnection($config);
try {
$stmt = $conn->prepare('SELECT data FROM users_tokens WHERE token = ? AND status = ? AND end_date > NOW()');
$stmt->execute(array(APIHelpers::$TOKEN, 'active'));
if ($row = $stmt->fetch()) {
APIHelpers::$FHQSESSION = json_decode($row['data'], true);
APIHelpers::$FHQSESSION_ORIG = json_decode($row['data'], true);
}
} catch (PDOException $e) {
APIHelpers::showerror(1188, $e->getMessage());
}
} else {
APIHelpers::$FHQSESSION = $_SESSION;
APIHelpers::$FHQSESSION_ORIG = $_SESSION;
}
$response = array('result' => 'fail', 'lead_time_sec' => 0, 'data' => array());
return $response;
}
APIHelpers::showerror(1346, 'Not found files ' . count($_FILES));
}
$keys = array_keys($_FILES);
$response['result'] = 'ok';
// $prefix = 'quest'.$id.'_';
// $output_dir = 'files/';
for ($i = 0; $i < count($keys); $i++) {
$filename = $keys[$i];
if ($_FILES[$filename]['error'] > 0) {
APIHelpers::showerror(1347, 'Error with files ' . $_FILES[$filename]["error"]);
} else {
$response[$filename] = 'try';
$zip = new ZipArchive();
$filename = $_FILES[$filename]["tmp_name"];
if ($zip->open($filename) !== TRUE) {
APIHelpers::showerror(1348, 'Could not open zip-archive');
}
// print_r($zip);
$jsonfilename = '';
$pngfilename = '';
for ($i = 0; $i < $zip->numFiles; $i++) {
$stat = $zip->statIndex($i);
$name = basename($stat['name']);
if (substr($name, -strlen('.json')) === '.json') {
$jsonfilename = $name;
}
if (substr($name, -strlen('.png')) === '.png') {
$pngfilename = $name;
}
}
$pngdata = $zip->getFromName($pngfilename);
foreach ($columns as $k => $v) {
$values_q[] = '?';
if ($k == 'owner') {
$param_values[$k] = $v;
} else {
if (APIHelpers::issetParam($k)) {
$param_values[$k] = APIHelpers::getParam($k, $v);
} else {
APIHelpers::showerror(1161, 'not found parameter "' . $k . '"');
}
}
}
if (!is_numeric($param_values['owner'])) {
APIHelpers::showerror(1162, 'incorrect owner');
}
$param_values['owner'] = intval($param_values['owner']);
$query = 'INSERT INTO games(' . implode(',', array_keys($param_values)) . ', date_change, date_create)
VALUES(' . implode(',', $values_q) . ', NOW(), NOW());';
$values = array_values($param_values);
// $response['param_values'] = $param_values;
// $response['query'] = $query;
try {
$stmt = $conn->prepare($query);
$stmt->execute($values);
$response['data']['game']['id'] = $conn->lastInsertId();
$response['result'] = 'ok';
APIEvents::addPublicEvents($conn, 'games', "New game #" . $response['data']['game']['id'] . ' ' . htmlspecialchars($param_values['title']));
} catch (PDOException $e) {
APIHelpers::showerror(1163, $e->getMessage());
}
APIHelpers::endpage($response);
include_once $curdir . "/../api.lib/api.helpers.php";
include_once $curdir . "/../api.lib/api.security.php";
include_once $curdir . "/../api.lib/api.user.php";
include_once $curdir . "/../../config/config.php";
$result = array('result' => 'fail', 'data' => array());
$token = '';
if (!APIHelpers::issetParam('email')) {
APIHelpers::showerror(1001, 'Parameter email was not found');
}
if (!APIHelpers::issetParam('password')) {
APIHelpers::showerror(1316, 'Parameter password was not found');
}
$email = APIHelpers::getParam('email', '');
$password = APIHelpers::getParam('password', '');
$conn = APIHelpers::createConnection($config);
$hash_password2 = APISecurity::generatePassword2($email, $password);
if (APISecurity::login($conn, $email, $hash_password2)) {
$result['result'] = 'ok';
APIHelpers::$TOKEN = APIHelpers::gen_guid();
$result['data']['token'] = APIHelpers::$TOKEN;
$result['data']['session'] = APIHelpers::$FHQSESSION;
} else {
APIHelpers::showerror(1002, 'email or/and password was not found in system ');
}
if ($result['result'] == 'ok') {
APISecurity::insertLastIp($conn, APIHelpers::getParam('client', 'none'));
APIUser::loadUserProfile($conn);
// APIUser::loadUserScore($conn);
APISecurity::saveByToken();
}
echo json_encode($result);
// calculate score
$query2 = '
SELECT
ifnull(SUM(quest.score),0) as sum_score
FROM
users_quests
INNER JOIN
quest ON quest.idquest = users_quests.questid AND quest.gameid = ?
WHERE
(users_quests.userid = ?);
';
$score = 0;
$stmt4 = $conn->prepare($query2);
$stmt4->execute(array(intval($game_id), APISecurity::userid()));
if ($row3 = $stmt4->fetch()) {
$score = $row3['sum_score'];
}
$stmt3 = $conn->prepare('INSERT INTO users_games (userid, gameid, score, date_change) VALUES(?,?,?,NOW())');
$stmt3->execute(array(intval(APISecurity::userid()), intval($game_id), intval($score)));
$_SESSION['user']['score'] = $score;
APIHelpers::$FHQSESSION['user']['score'] = $score;
$response['user'] = array();
$response['user']['score'] = $score;
}
// } catch(PDOException $e) {
// APIHelpers::showerror(1179, $e->getMessage());
// }
} else {
APIHelpers::showerror(1180, 'not found parameter id');
}
APIHelpers::endpage($response);
* API_NAME: Insert event
* API_DESCRIPTION: Method for insert event
* API_ACCESS: admin
* API_INPUT: token - string, token
* API_INPUT: type - string, type of event
* API_INPUT: message - string, message of event
*/
$curdir_events_insert = dirname(__FILE__);
include_once $curdir_events_insert . "/../api.lib/api.helpers.php";
include_once $curdir_events_insert . "/../../config/config.php";
include_once $curdir_events_insert . "/../api.lib/api.base.php";
$response = APIHelpers::startpage($config);
APIHelpers::checkAuth();
if (!APISecurity::isAdmin()) {
APIHelpers::showerror(1230, 'access denie. you must be admin.');
}
if (!APIHelpers::issetParam('type')) {
APIHelpers::showerror(1231, 'not found parameter type');
}
if (!APIHelpers::issetParam('message')) {
APIHelpers::showerror(1232, 'not found parameter message');
}
$type = APIHelpers::getParam('type', 'info');
$message = APIHelpers::getParam('message', '???');
if (strlen($message) <= 3) {
APIHelpers::showerror(1233, 'message must be informative! (more than 3 character)');
}
$conn = APIHelpers::createConnection($config);
APIEvents::addPublicEvents($conn, $type, $message);
$response['result'] = 'ok';
APIHelpers::endpage($response);
function getCountStatBy($conn, $table, $questid, $passed)
{
$res = 0;
try {
$stmt = $conn->prepare('
select
count(t0.id) as cnt
from
' . $table . ' t0
inner join users t1 on t1.id = t0.iduser
where
t0.idquest = ?
and t0.passed = ?
and t1.role = ?
');
$stmt->execute(array(intval($questid), $passed, 'user'));
if ($row = $stmt->fetch()) {
$res = $row['cnt'];
}
} catch (PDOException $e) {
APIHelpers::showerror(1079, $e->getMessage());
}
return $res;
}
}
$uuid = APIHelpers::getParam('uuid', APIHelpers::gen_guid());
$logo = APIHelpers::getParam('logo', 'files/users/0.png');
$email = APIHelpers::getParam('email', '1');
$role = APIHelpers::getParam('role', 'user');
$nick = APIHelpers::getParam('nick', '1');
$password = APIHelpers::getParam('password', '1');
$status = APIHelpers::getParam('status', 'activated');
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
APIHelpers::showerror(1036, 'Invalid e-mail address.');
}
$stmt = $conn->prepare('select count(*) as cnt from users where email = ?');
$stmt->execute(array($email));
if ($row = $stmt->fetch()) {
if (intval($row['cnt']) >= 1) {
APIHelpers::showerror(1037, 'This e-mail was already registered.');
}
}
// same code exists in api/security/registration.php
$email = strtolower($email);
$password_hash = APISecurity::generatePassword2($email, $password);
$stmt_insert = $conn->prepare('
INSERT INTO users(
uuid,
pass,
status,
email,
nick,
role,
logo,
last_ip,
<?php
/*
* API_NAME: Settings
* API_DESCRIPTION: returned all config. Passwords will be removed.
* API_ACCESS: only admin
* API_INPUT: token - guid, secret token
*/
$curdir_admin_settings = dirname(__FILE__);
include_once $curdir_admin_settings . "/../api.lib/api.base.php";
include_once $curdir_admin_settings . "/../api.lib/api.security.php";
include_once $curdir_admin_settings . "/../api.lib/api.helpers.php";
include_once $curdir_admin_settings . "/../api.lib/api.updates.php";
include_once $curdir_admin_settings . "/../../config/config.php";
$response = APIHelpers::startpage($config);
$conn = APIHelpers::createConnection($config);
APIHelpers::checkAuth();
if (!APISecurity::isAdmin()) {
APIHelpers::showerror(1280, 'This method only for admin');
}
$response['result'] = 'ok';
$response['data'] = $config;
unset($response['data']['mail']['password']);
unset($response['data']['db']['userpass']);
$response['data']['db']['version'] = APIUpdates::getVersion($conn);
APIHelpers::endpage($response);
header("Access-Control-Allow-Origin: *");
header('Content-Type: application/json');
/*
* API_NAME: Install Updates
* API_DESCRIPTION: Method for install updates for database
* API_ACCESS: admin only
* API_OKRESPONSE: { "result":"ok", "data" : { "u0010" : "installed" } }
*/
$curdir = dirname(__FILE__);
include_once $curdir . "/../api.lib/api.base.php";
include_once $curdir . "/../api.lib/api.game.php";
include_once $curdir . "/../api.lib/api.updates.php";
include_once $curdir . "/../../config/config.php";
APIHelpers::checkAuth();
if (!APISecurity::isAdmin()) {
APIHelpers::showerror(1007, 'This function allowed only for admin');
}
$result = array('result' => 'fail', 'data' => array());
$result['result'] = 'ok';
$conn = APIHelpers::createConnection($config);
$version = APIUpdates::getVersion($conn);
$result['version'] = $version;
$updates = array();
$curdir = dirname(__FILE__);
$filename = $curdir . '/updates/' . $version . '.php';
while (file_exists($filename)) {
include_once $filename;
$function_update = 'update_' . $version;
if (!function_exists($function_update)) {
$result['data'][$version] = 'Not found function ' . $function_update;
break;
foreach ($columns as $k) {
$info[$k] = $row[$k];
}
$oldlogoname = $curdir_games_export . '/../../' . $row['logo'];
if (file_exists($oldlogoname)) {
$newlogoname = $row['uuid'] . '.png';
$zip->addFile($oldlogoname, $newlogoname);
$info['logo'] = $row['uuid'] . '.png';
} else {
$info['logo'] = "";
}
} else {
APIHelpers::showerror(1336, 'Does not found game with this id');
}
} catch (PDOException $e) {
APIHelpers::showerror(1332, $e->getMessage());
}
// normalize filename
$title = preg_replace("([^A-Za-z0-9])", '', $info['title']);
$filename = 'game_' . $title . '_' . $info['uuid'] . '.zip';
$zip->addFromString($info['uuid'] . '.json', json_encode($info));
$zip->close();
header_remove('Content-Type');
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"" . $filename . "\"");
header("Content-Transfer-Encoding: binary");
static function removeByToken($conn, $token)
{
try {
$query = 'DELETE FROM users_tokens WHERE token = ?';
$params = array($token);
$stmt = $conn->prepare($query);
$stmt->execute($params);
} catch (PDOException $e) {
APIHelpers::showerror(1199, $e->getMessage());
}
}
header("Access-Control-Allow-Origin: *");
header('Content-Type: application/json');
/*
* API_NAME: Remove dump of users
* API_DESCRIPTION: Method will be remove zip-archive
* API_ACCESS: admin only
* API_INPUT: filename - string, filename for removing
* API_OKRESPONSE: { "result":"ok", "data" : { "filename" : "files/dumps/users_XXXX.zip" } }
*/
$curdir_users_export_remove = dirname(__FILE__);
include_once $curdir_users_export_remove . "/../api.lib/api.base.php";
include_once $curdir_users_export_remove . "/../api.lib/api.game.php";
include_once $curdir_users_export_remove . "/../../config/config.php";
APIHelpers::checkAuth();
$message = '';
if (!APISecurity::isAdmin()) {
APIHelpers::showerror(1297, 'This function allowed only for admin');
}
$result = array('result' => 'fail', 'data' => array());
$result['result'] = 'ok';
if (!APIHelpers::issetParam('filename')) {
APIHelpers::showerror(1298, 'Parameter filename did not found');
}
$filename = $curdir_users_export_remove . '/../../files/dumps/' . APIHelpers::getParam('filename', '');
if (!file_exists($filename)) {
APIHelpers::showerror(1299, 'File did not found');
}
unlink($filename);
$result['result'] = 'ok';
$result['data']['filename'] = $filename;
echo json_encode($result);
} else {
$files[$name] = $zip->getFromName($name);
}
}
$quest = json_decode($zip->getFromName($jsonfilename), true);
$zip->close();
$conn = APIHelpers::createConnection($config);
// find gameid
$stmt = $conn->prepare('SELECT id FROM games WHERE uuid = ?');
$stmt->execute(array($quest['game']['uuid']));
$gameid = 0;
if ($row = $stmt->fetch()) {
$gameid = $row['id'];
}
if ($gameid == 0) {
APIHelpers::showerror(1352, 'Not found game');
}
$stmt = $conn->prepare('SELECT idquest FROM quest WHERE quest_uuid = ?');
$stmt->execute(array($quest['uuid']));
$questid = 0;
if ($row = $stmt->fetch()) {
$questid = $row['idquest'];
}
$columns = array('quest_uuid', 'name', 'text', 'answer', 'score', 'min_score', 'author', 'subject', 'state', 'description_state', 'date_create');
if ($questid == 0) {
$values = array();
$values_q = array();
foreach ($columns as $k) {
if ($k == 'quest_uuid') {
$values[] = $quest['uuid'];
} else {
imagealphablending($source, true);
$thumb = imagecreatetruecolor($newwidth, $newheight);
imagealphablending($thumb, true);
$black = imagecolorallocate($thumb, 0, 0, 0);
imagecolortransparent($thumb, $black);
imagecopyresized($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
imagepng($thumb, $full_filename_new, 9, PNG_NO_FILTER);
imagedestroy($thumb);
imagedestroy($source);
unlink($full_filename);
} catch (Exception $e) {
unlink($full_filename);
APIHelpers::showerror(1057, 'Problem with convert image: ' . $e->getMessage());
}
}
}
}
$conn = APIHelpers::createConnection($config);
try {
$query = 'UPDATE games SET logo = ? WHERE id = ?';
$stmt = $conn->prepare($query);
if ($stmt->execute(array('files/games/' . $gameid . '.png', $gameid))) {
$response['result'] = 'ok';
$response['data']['logo'] = 'files/games/' . $gameid . '.png';
} else {
$response['result'] = 'fail';
}
} catch (PDOException $e) {
APIHelpers::showerror(1058, $e->getMessage());
}
APIHelpers::endpage($response);
$userid = $row['id'];
} else {
APIHelpers::showerror(1042, '[Restore] This e-mail was not registered.');
}
$password = substr(md5(rand() . rand()), 0, 8);
$password_hash = APISecurity::generatePassword2($email, $password);
$query = "";
$stmt_update = $conn->prepare('
UPDATE users SET
pass = ?
WHERE email = ?;
');
$stmt_update->execute(array($password_hash, $email));
if (!APISecurity::login($conn, $email, $password_hash)) {
APIEvents::addPublicEvents($conn, 'errors', 'Admin, restore password is broken!');
APIHelpers::showerror(1315, '[Restore] Sorry restore is broken. Please send report to the admin about this.');
} else {
APISecurity::insertLastIp($conn, APIHelpers::getParam('client', 'none'));
APIUser::loadUserProfile($conn);
APISecurity::logout();
}
$email_subject = "Restore password to your account on FreeHackQuest.";
$email_message = '
Restore:
Somebody (may be you) reseted your password on ' . $httpname . '
Your login: '******'
Your new password: '******' (You must change it)
Link: ' . $httpname . 'index.php
';
$stmt_insert2 = $conn->prepare('
include_once $curdir_events_count . "/../api.lib/api.helpers.php";
include_once $curdir_events_count . "/../../config/config.php";
$response = APIHelpers::startpage($config);
$conn = APIHelpers::createConnection($config);
if (!APIHelpers::issetParam('id')) {
APIHelpers::showerror(1225, 'Not found parameter "id"');
}
$type = APIHelpers::getParam('type', '');
$id = APIHelpers::getParam('id', 0);
if (!is_numeric($id)) {
APIHelpers::showerror(1226, 'id must be integer');
}
try {
$params = array();
$params[] = $id;
$query = 'SELECT count(*) as cnt FROM public_events WHERE id > ?';
if ($type != '') {
$query .= ' AND type = ?';
$params[] = $type;
}
$stmt = $conn->prepare($query);
$stmt->execute($params);
if ($row = $stmt->fetch()) {
$count = $row['cnt'];
$response['data']['count'] = $count;
$response['result'] = 'ok';
}
} catch (PDOException $e) {
APIHelpers::showerror(1227, $e->getMessage());
}
APIHelpers::endpage($response);
APIHelpers::showerror(1023, $message);
}
if (!APISecurity::isAdmin()) {
APIHelpers::showerror(1024, 'Access denied. You are not admin.');
}
if (!APIHelpers::issetParam('questid')) {
APIHelpers::showerror(1025, 'Not found parameter "questid"');
}
$questid = APIHelpers::getParam('questid', 0);
if (!is_numeric($questid)) {
APIHelpers::showerror(1026, 'parameter "questid" must be numeric');
}
$params = array('name' => '', 'text' => '', 'score' => '', 'min_score' => '', 'subject' => '', 'idauthor' => '', 'author' => '', 'answer' => '', 'state' => '', 'description_state' => '');
foreach ($params as $key => $val) {
if (!APIHelpers::issetParam($key)) {
APIHelpers::showerror(1027, 'Not found parameter "' . $key . '"');
}
$params[$key] = APIHelpers::getParam($key, '');
}
$questname = $params['name'];
$params['answer_upper_md5'] = md5(strtoupper($params['answer']));
$params['score'] = intval($params['score']);
$params['min_score'] = intval($params['min_score']);
$params['gameid'] = APIGame::id();
$params['idauthor'] = intval($params['idauthor']);
// $params['state'] = $params['state'];
// $params['description_state'] = $params['description_state'];
// $params['quest_uuid'] = $params['quest_uuid'];
// $params['gameid'] = APIGame::id();
$params['userid'] = APISecurity::userid();
$conn = APIHelpers::createConnection($config);