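// Form entry point: only act on an actual submission; anything else (e.g. a
// direct GET of this page) gets the "reached by mistake" message.
// Bug fix: !empty() keeps the same truthiness test as the bare $_POST['submit']
// read but no longer raises an undefined-index warning on every non-POST request.
if (!empty($_POST['submit'])) {
    $uname = $_POST['uname'];
    $pwd = $_POST['pwd'];
    $message = $_POST['message'];
    $injection = $_POST['injection'];
    $validation = $_POST['validation'];
    // NOTE(review): the "validation" mode is chosen by the client. "allow" runs
    // form_validation(); "block" marks the submission as valid without any check;
    // any other value drops the request silently (nothing is submitted or echoed).
    // A client can therefore always send "block" to bypass form_validation() — this
    // is only acceptable if it is a deliberate demo/training switch; confirm.
    $success = 0;
    if (0 == strcmp($validation, "allow")) {
        $success = form_validation($uname, $pwd, $message, $injection);
    } elseif (0 == strcmp($validation, "block")) {
        $success = 1;
    }
    if ($success == 1) {
        // check_blacklist() presumably flags known attack patterns in the credentials;
        // its result is only forwarded to submit_form(), whose handling is not visible here.
        $attack = check_blacklist($uname, $pwd);
        // strict_form_checking() returns the (presumably sanitised) credentials as a
        // two-element list; $message and $injection keep their raw values.
        $user_details = strict_form_checking($injection, $uname, $pwd, $message);
        $uname = $user_details[0];
        $pwd = $user_details[1];
        submit_form($uname, $pwd, $attack);
    }
} else {
    echo "<h2>Hmm...I think you reached this page by mistake.</h2>";
}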
/*
 * ---------------------------------------------------------------------------#
 * Perform HTML sanitizing if code injection is blocked. While sanitizing data,
 * ensure that suspicious characters are substituted or encoded with their
 * respective HTML character entities.
 * ---------------------------------------------------------------------------#
 *
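/**
 * Handle a trade-registration submission: validate the request, check the
 * site against the blacklist and the existing-trade database, then create the
 * trade account and render the completion page.
 *
 * Reads the submission from $_REQUEST (which it mutates in place), the site
 * configuration from the global $C and renders through the global template $t.
 * On any validation error the form is re-displayed via _xRegisterShow().
 *
 * NOTE(review): the whole $_REQUEST array is handed to trade_add() at the end.
 * Whether trade_add() whitelists the keys it persists is not visible here; if
 * it does not, a client can set arbitrary trade fields (mass assignment) — confirm.
 */
function _xRegister()
{
    global $t, $C;
    require_once 'validator.php';
    $_REQUEST = string_strip_tags($_REQUEST);
    $v =& Validator::Get();
    $v->Register($_REQUEST['return_url'], VT_VALID_HTTP_URL, "The 'URL to Send Traffic' field must be a valid HTTP URL");
    if (!string_is_empty($_REQUEST['return_url'])) {
        // NOTE(review): the server fetches a client-supplied URL and stores the remote
        // headers and body into the request (SSRF surface). VT_VALID_HTTP_URL constrains
        // the scheme but, as far as visible here, not the destination (internal hosts,
        // link-local/metadata addresses) — confirm HTTP::GET() restricts those.
        require_once 'http.php';
        $http = new HTTP();
        $v->Register($http->GET($_REQUEST['return_url'], null, true), VT_NOT_FALSE, "The 'URL to Send Traffic' does not seem to be working: " . $http->error);
        $_REQUEST['header'] = $http->response_headers;
        $_REQUEST['content'] = $http->body;
    }
    // Optional fields are validated when required by configuration or when supplied.
    if ($C['flag_req_email'] || !empty($_REQUEST['email'])) {
        $v->Register($_REQUEST['email'], VT_VALID_EMAIL, "The 'E-mail Address' field must be a valid email");
    }
    if ($C['flag_req_site_name'] || !empty($_REQUEST['site_name'])) {
        $v->Register($_REQUEST['site_name'], VT_LENGTH_BETWEEN, "The 'Site Name' field must have between {$C['site_name_min']} and {$C['site_name_max']} characters", array($C['site_name_min'], $C['site_name_max']));
    }
    if ($C['flag_req_site_description'] || !empty($_REQUEST['site_description'])) {
        $v->Register($_REQUEST['site_description'], VT_LENGTH_BETWEEN, "The 'Site Description' field must have between {$C['site_description_min']} and {$C['site_description_max']} characters", array($C['site_description_min'], $C['site_description_max']));
    }
    if ($C['flag_req_icq'] || !empty($_REQUEST['icq'])) {
        $v->Register($_REQUEST['icq'], VT_IS_NUMERIC, "The 'ICQ Number' field must be numeric");
    }
    if ($C['flag_req_nickname'] || !empty($_REQUEST['nickname'])) {
        $v->Register($_REQUEST['nickname'], VT_NOT_EMPTY, "The 'Nickname' field is required");
    }
    if ($C['flag_req_banner'] || !empty($_REQUEST['banner'])) {
        $v->Register($_REQUEST['banner'], VT_VALID_HTTP_URL, "The 'Banner URL' field must be a valid HTTP URL");
        if (!string_is_empty($_REQUEST['banner'])) {
            // Same server-side fetch of a client-supplied URL as for return_url above.
            require_once 'http.php';
            $http = new HTTP();
            $v->Register($http->GET($_REQUEST['banner'], null, true), VT_NOT_FALSE, "The 'Banner URL' does not seem to be working: " . $http->error);
        }
    }
    if ($C['flag_captcha_register']) {
        require_once 'captcha.php';
        $captcha = new Captcha();
        // NOTE(review): the return value is ignored; presumably Verify() records a
        // failure on the shared Validator itself — confirm, otherwise the captcha is a no-op.
        $captcha->Verify();
    }
    $_REQUEST['domain'] = domain_from_url($_REQUEST['return_url']);
    require_once 'dirdb.php';
    $db = new TradeDB();
    $v->Register($db->Exists($_REQUEST['domain']), VT_IS_FALSE, "The site you are trying to register already exists in our database");
    // Check blacklist
    // Bug fix: the original resolved an undefined $domain variable, so server_ip and
    // dns were always empty and IP-based blacklist entries could never match. Resolve
    // the domain just extracted above (once, both keys receive the same value).
    $resolved = gethostbyname((string) $_REQUEST['domain']);
    $_REQUEST['server_ip'] = $resolved;
    $_REQUEST['dns'] = $resolved;
    if (($blacklisted = check_blacklist($_REQUEST)) !== false) {
        $v->SetError("You have matched one or more of our blacklist items and cannot register new trade accounts" . (!empty($blacklisted[1]) ? ": " . $blacklisted[1] : ''));
    }
    // Check category
    $categories = array_map('trim', file(FILE_CATEGORIES));
    if ($C['flag_allow_select_category'] && count($categories)) {
        // Strict comparison: only an exact string from the category file is accepted
        // (loose in_array() would let type-juggled values such as null match a blank line).
        $v->Register(in_array($_REQUEST['category'], $categories, true), VT_IS_TRUE, "You have selected an invalid category");
        $_REQUEST['categories'] = array($_REQUEST['category']);
    }
    if (!$v->Validate()) {
        $t->Assign('g_errors', $v->GetErrors());
        return _xRegisterShow();
    }
    // Defaults are merged last so they override any same-named client-supplied key.
    // NOTE(review): unserialize() is only safe here as long as FILE_NEW_TRADE_DEFAULTS
    // cannot be written by untrusted users.
    $_REQUEST = array_merge($_REQUEST, unserialize(file_get_contents(FILE_NEW_TRADE_DEFAULTS)));
    // The generated password is kept aside and restored after trade_add(), which
    // presumably replaces it in the array (e.g. with a hashed form) — the template
    // needs the plaintext once to show it to the user.
    $password = $_REQUEST['password'] = get_random_password();
    $t->AssignByRef('g_trade', $_REQUEST);
    trade_add($_REQUEST, true);
    $_REQUEST['password'] = $password;
    $t->Display('register-complete.tpl');
}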
    } else {
        // "normal" proxy request: init session variables
        session_register('img_ml');
    }
}
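// START OF HAWXY MAIN PART
// init stack to hold received XML tags
$tag_stack = new HAX_tagstack();
// init XML parsing stuff
$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, "startElement", "endElement");
xml_set_character_data_handler($xml_parser, "characterData");
// handle blacklist
// NOTE(review): the blacklist is consulted only when one is configured; without
// $blacklist this proxy fetches whatever remote URL the client supplies in "code".
if (isset($blacklist)) {
    // blacklist available ==> check whether access to remote XML server is blocked
    check_blacklist($blacklist, $xml_parser);
}
// QUERY_STRING contains "code" (=remote URL of XML file) and eventually
// other parameters which are required for remote server-sided pre-processing
// ==> we have to extract the "code" parameter (this is the URL we're reading the XML from)
// ==> we have to propagate all other parameters transparently to the remote server
//     (they are forwarded unvalidated, exactly as received)
$received_query_string = $_SERVER['QUERY_STRING'];
$received_query_string = explode("&", $received_query_string);
// create new query string with all parameters except "code"
// Bug fix: the while/list()/each() idiom was deprecated in PHP 7.2 and each() was
// removed in PHP 8.0; foreach iterates the same elements in the same order.
$new_query_string = "";
foreach ($received_query_string as $val) {
    // only a parameter literally starting with "code=" is the remote URL
    if (substr($val, 0, 5) != "code=") {
        $new_query_string .= "&" . $val;
    }
}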
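 // First, flood protection
 // NOTE(review): ip2long() returns false for IPv6 addresses, so $longip is false for
 // such clients; what postedwithintime()/banip() do with false is not visible here.
 $longip = ip2long($_SERVER['REMOTE_ADDR']);
 if ($db->postedwithintime($longip) == true) {
     THdie("You must wait a while before making another post.");
 }
 // This should have the cached version of banned keywords in an array named $spamblacklist.
 // The include stays best-effort (a missing cache simply disables the check), but the
 // is_file() guard replaces @-suppression so genuine errors inside the file surface.
 $spamblacklist_file = THpath . '/unlinked/blacklist.php';
 if (is_file($spamblacklist_file)) {
     include $spamblacklist_file;
 }
 // Bug fix: count() on an undefined $spamblacklist (include skipped, or the file does not
 // define it) is a TypeError on PHP 8; require a non-empty array instead.
 if (!empty($spamblacklist) && is_array($spamblacklist)) {
     // Matching does not filter the text (use wordfilters for that); a hit stops the post.
     foreach (array('body', 'link', 'nombre') as $field) {
         $value = isset($_POST[$field]) ? $_POST[$field] : null;
         if (check_blacklist($value, $spamblacklist)) {
             THdie("One of the phrases included in your post is not allowed.");
         }
     }
 }
 // The "email" field will have a big "IF YOU ARE HUMAN DO NOT FILL THIS IN" next to it.  Bots might get tricked.
 if (THvc == 2 && isset($_POST['email']) && $_POST['email'] != "") {
     // Honeypot filled in: ban the IP automatically and abort the post.
     $redhammer = new ThornModDBI();
     $redhammer->banip($longip, 0, "Suspected bot.", "", "Suspected bot.", $_POST['body'], 4, "autoban");
     THdie("Abnormal reply");
 }
 // Prevent people from posting new threads if it's the mod or news board
 // NOTE(review): `Thnewsboard` differs in case from `THmodboard`; constant names are
 // case-sensitive, so confirm this is the defined spelling (an undefined constant is
 // an Error on PHP 8, which would break posting on every board).
 if ($binfo['id'] == THmodboard || $binfo['id'] == Thnewsboard) {
     THdie("POnonewth");
 }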