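<?php

// Ban handler: target of the ban form. inc.php is expected to authenticate the
// admin and (because $b3_conn is set) open the B3 database; the form token is
// then verified before any posted field is read.
$auth_name = 'ban';
$b3_conn = true;
// this page needs to connect to the B3 database
// NOTE: inc.php presumably reads $auth_name and $b3_conn, so they must be set before the require — confirm
require '../../inc.php';
## Check the form was submitted ##
// empty() also covers an absent index (page called directly); the bare
// $_POST['ban-sub'] test reached the same branch only with an undefined-index notice
if (empty($_POST['ban-sub'])) {
    set_error('Please do not call that page directly, thank you.');
    send('../../index.php');
}
## Check that the sent form token is correct (CSRF protection) ##
if (!verifyFormToken('ban', $tokens)) {
    // bad or missing token: ifTokenBad presumably logs it and ends the request — see its definition
    ifTokenBad('Add ban');
}
## Type of ban and get and set vars ##
// 'pb' is a checkbox, so it is absent from $_POST when unchecked: guard the read
$pb_ban = isset($_POST['pb']) ? cleanvar($_POST['pb']) : '';
if ($pb_ban == 'on') {
    // permanent ban: no duration or time frame is needed
    $is_pb_ban = true;
} else {
    // temporary ban: duration and time frame are required
    $is_pb_ban = false;
    $duration_form = cleanvar($_POST['duration']);
    $time = cleanvar($_POST['time']);
    emptyInput($time, 'time frame');
    emptyInput($duration_form, 'penalty duration');
}
// cleanvar() is the project's input filter; it is not assumed to prove a field is
// numeric, so cid must still be validated (e.g. isID()) before it reaches a query
$reason = cleanvar($_POST['reason']);
$client_id = cleanvar($_POST['cid']);
$pbid = cleanvar($_POST['c-pbid']);
$c_name = cleanvar($_POST['c-name']);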
    $is_add = false;
} else {
    sendBack('Missing Data');
}
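## Check Token (CSRF protection) ##
// $is_add and $tokens are set earlier in this file; the add and edit forms each
// carry their own token name, so pick the one matching the request type
$form_token = $is_add ? 'addserver' : 'editserversettings';
$token_action = $is_add ? 'Add Server' : 'Server Settings Edit';
if (!verifyFormToken($form_token, $tokens)) {
    // bad or missing token: ifTokenBad presumably logs it and ends the request
    ifTokenBad($token_action);
}
## Get Vars ##
$name = cleanvar($_POST['name']);
$ip = cleanvar($_POST['ip']);
// 'pb' and 'cng-pw' look like checkboxes (absent from $_POST when unchecked), so the
// reads are guarded to avoid undefined-index notices — confirm against the form
$pb = isset($_POST['pb']) ? cleanvar($_POST['pb']) : '';
// DB Vars
$rcon_ip = cleanvar($_POST['rcon-ip']);
$rcon_port = cleanvar($_POST['rcon-port']);
$rcon_pw_cng = isset($_POST['cng-pw']) ? cleanvar($_POST['cng-pw']) : '';
$rcon_pw = cleanvar($_POST['rcon-pass']);
$server_id = cleanvar($_POST['server']);
if ($is_add) {
    // the game a new server belongs to is only sent on add
    $game_id = cleanvar($_POST['game-id']);
}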
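## Find Type ##
// read the request type without an undefined-index notice when the page is called
// directly; an absent type falls through to the 'Missing Data' branch exactly as before
$request_type = isset($_POST['type']) ? $_POST['type'] : '';
if ($request_type == 'add') {
    $is_add = true;
} elseif ($request_type == 'edit') {
    $is_add = false;
} else {
    sendBack('Missing Data');
}
## Check Token (CSRF protection) ##
if ($is_add) {
    // NOTE(review): the add-game path performs no form-token check, so it is not
    // CSRF-protected like the edit path below. The disabled check is kept here so it
    // can be re-enabled once the add-game form issues the 'addgame' token:
    //     if (!verifyFormToken('addgame', $tokens)) {
    //         ifTokenBad('Add Game');
    //     }
} else {
    // edit game settings request
    if (!verifyFormToken('gamesettings', $tokens)) {
        ifTokenBad('Game Settings Edit');
    }
}
## Get Vars ##
$name = cleanvar($_POST['name']);
$name_short = cleanvar($_POST['name-short']);
if ($is_add) {
    // the game type is only sent when the game is created
    $game_type = cleanvar($_POST['game-type']);
}
// DB Vars
$db_host = cleanvar($_POST['db-host']);
$db_user = cleanvar($_POST['db-user']);
// 'cng-pw' looks like a change-password checkbox (absent from $_POST when unchecked),
// so the read is guarded to avoid an undefined-index notice — confirm against the form
$db_pw_cng = isset($_POST['cng-pw']) ? cleanvar($_POST['cng-pw']) : '';
$db_pw = cleanvar($_POST['db-pw']);
$db_name = cleanvar($_POST['db-name']);
// plugins enabled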
<?php

// Registration-key handler (key deletion / key comment edit follow below).
// inc.php presumably reads $auth_name to enforce the page permission before
// anything else runs, so it must be assigned before the require — confirm.
$auth_name = 'add_user';
// this page is add user, so that if you can add keys you should be able to remove them
require '../inc.php';
if ($_POST['t'] == 'del') {
    // if this is a deletion request
    $key = cleanvar($_POST['key']);
    if (verifyFormToken('keydel' . $key, $tokens) == false) {
        // verify token
        ifTokenBad('Reg Key Delete');
    }
    // if bad token, log and send error
    $result = $dbl->delKey($key);
    if ($result) {
        sendGood('Registration key deleted');
    } else {
        sendBack('There was an problem completeing your request');
    }
    exit;
    // no need continuing with this script
} elseif ($_POST['comment']) {
    // if this is an edit comment request
    $key = cleanvar($_POST['key']);
    $comment = cleanvar($_POST['comment']);
    emptyInput($comment, 'comment');
    $result = $dbl->editKeyComment($key, $comment, $mem->id);
    // this is an ajax request, so we need to echo error/success messages
    if ($result) {
        echo 'yes';
    } else {
    $bl_id = $_POST['id'];
    if (!verifyFormToken('act' . $bl_id, $tokens)) {
        // verify token
        ifTokenBad('BL De-activate');
    }
    // if bad log and send error
    $dbl->BLactive($bl_id, true);
    // run query to reactivate BL ban
    sendGood('This blacklist ban has been re-activiated');
    exit;
    // no need to continue
} elseif ($_POST['ip']) {
    // if this is an add request
    if (!verifyFormToken('addbl', $tokens)) {
        // verify token
        ifTokenBad('BL Add');
    }
    // if bad log, add hack counter and throw error
    // set and clean vars
    $reason = cleanvar($_POST['reason']);
    $ip = cleanvar($_POST['ip']);
    // check for empty inputs
    emptyInput($reason, 'the reason');
    emptyInput($ip, 'IP Address');
    // if reason is default comment msg, send back with error
    if ($reason == "Enter a reason for this ban...") {
        sendBack('You must add a reason as to why this IP ban is being added');
    }
    // check if it is a valid IP address
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        sendBack('That IP address is not valid');
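<?php

// Add-user handler: generates a registration key for a new Echelon user and
// stores it with the invitee's email, a comment and the target group.
$auth_name = 'add_user';
require '../inc.php';
## Check the form was submitted ##
if (!isset($_POST['add-user'])) {
    // not a submission of the add-user form: send back with error
    sendBack('Please do not access that page directly');
}
## Check that the sent form token is correct (CSRF protection) ##
if (!verifyFormToken('adduser', $tokens)) {
    // bad or missing token: ifTokenBad presumably logs it and ends the request
    ifTokenBad('Add User');
}
## Get and clean vars ##
$email = cleanvar($_POST['email']);
$comment = cleanvar($_POST['comment']);
$group = cleanvar($_POST['group']);
// the new email address must be a valid email address
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    sendBack('That email is not valid');
}
## Create a unique key for the user ##
// The key material is request data plus a clock-derived uniqid(); on its own that is
// guessable (uniqid is time-based and str_shuffle is not a cryptographic shuffle), so
// CSPRNG bytes are mixed in where the runtime provides them.
// NOTE(review): $admin_id is not assigned in this file before use — presumably set by inc.php; confirm
$text = $admin_id . $email . uniqid(microtime(), true) . $group;
if (function_exists('random_bytes')) {
    // PHP 7+: add unpredictable entropy so the key cannot be derived from the request alone
    $text .= bin2hex(random_bytes(32));
}
// shuffle the string, then hash it; genHash() produces the stored user key
$rand_text = str_shuffle($text);
$user_key = genHash($rand_text);
## Run query to add key to the DB ##
$add_user = $dbl->addEchKey($user_key, $email, $comment, $group, $mem->id);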
<?php

// Greeting handler: the form-submission branch follows below.
// inc.php presumably reads $auth_name (page permission) and $b3_conn (open the
// B3 database), so both must be assigned before the require — confirm.
$auth_name = 'greeting';
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
if ($_POST['greeting-sub']) {
    // if the form is submitted
    ## check that the sent form token is corret
    if (verifyFormToken('greeting', $tokens) == false) {
        // verify token
        ifTokenBad('Add comment');
    }
    $greeting = cleanvar($_POST['greeting']);
    $client_id = cleanvar($_POST['cid']);
    // NOTE: allow for an empty comment. An empty comment means no comment
    emptyInput($client_id, 'data not sent');
    if (!isID($client_id)) {
        sendBack('Invalid data sent, greeting not changed');
    }
    ## Add Log Message ##
    $comment = 'Greeting message changed';
    $dbl->addEchLog('Greeting', $comment, $client_id, $mem->id);
    ## Query ##
    $query = "UPDATE clients SET greeting = ? WHERE id = ? LIMIT 1";
    $stmt = $db->mysql->prepare($query) or sendBack('Database Error');
    $stmt->bind_param('si', $greeting, $client_id);
    $stmt->execute();
    if ($stmt->affected_rows) {
        sendGood('Greeting has been updated');
    } else {
    // Subject of the email
    $subject = "Echelon Password Reset";
    // send email
    if (!mail($email, $subject, $body, $headers)) {
        sendback('There was a problem sending the email.');
    }
    // all good set good message
    set_good('The final instructions have been emailed to you. Please check your inbox.');
    sendLogin();
    // return to login page instead of sending back
    exit;
} elseif ($_POST['resetpw']) {
    ## This section works with the results of the reset password form ##
    if (verifyFormTokenLogin('resetpw', $tokens) == false) {
        // verify token
        ifTokenBad('Lost Password');
    }
    // if bad log and send error
    // get and clean vars
    $pw1 = $_POST['pw2'];
    $pw2 = $_POST['pw1'];
    $key = cleanvar($_POST['key']);
    $email = cleanvar($_POST['email']);
    if (!testPW($pass1)) {
        // test for unwanted characters
        sendBack('Your new password contains illegal characters: = \' " or space');
    }
    // check both passwords are the same
    if ($pw1 != $pw2) {
        sendBack('The two passwords do not match');
    }
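$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
## Check the form was submitted ##
// empty() also covers an absent index (page called directly) without an undefined-index notice
if (empty($_POST['unban-sub'])) {
    set_error('Please do not call that page directly, thank you.');
    send('../../index.php');
}
## Get vars ##
// the ban id is part of the token name below, so a missing id must not raise a
// notice before the token check; it is validated with isID() before it reaches the DB
$ban_id = isset($_POST['banid']) ? $_POST['banid'] : '';
$type = cleanvar($_POST['type']);
## Check that the sent form token is correct (CSRF protection) ##
// the token name includes the ban id, presumably binding the token to this one ban — see verifyFormToken
if (!verifyFormToken('unban' . $ban_id, $tokens)) {
    // bad or missing token: ifTokenBad presumably logs it and ends the request
    ifTokenBad('Unban');
}
## Check for empties ##
emptyInput($type, 'data not sent');
emptyInput($ban_id, 'data not sent');
## Check ban_id is a number ##
if (!isID($ban_id)) {
    sendBack('Invalid data sent, ban not added');
}
## Send query ##
$results = $db->makePenInactive($ban_id);
if (!$results) {
    // the penalty row was not updated: send back with a warning
    sendBack('Penalty has not been removed');
}
## If a permaban send unban rcon command ##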
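<?php

// Edit-ban handler: target of the edit-ban form. inc.php is expected to
// authenticate the admin and open the B3 database; the form token is verified
// before any posted field is read.
$auth_name = 'edit_ban';
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
## Check the form was submitted ##
// empty() also covers an absent index (page called directly) without an undefined-index notice
if (empty($_POST['eb-sub'])) {
    set_error('Please do not call that page directly, thank you.');
    send('../../index.php');
}
## Check that the sent form token is correct (CSRF protection) ##
if (!verifyFormToken('editban', $tokens)) {
    // bad or missing token: ifTokenBad presumably logs it and ends the request
    ifTokenBad('Edit ban');
}
## Get and clean vars ##
// cleanvar() is the project's input filter; banid and cid are not assumed to be
// proven numeric by it, so validate them (e.g. isID()) before they reach a query
$ban_id = cleanvar($_POST['banid']);
$pbid = cleanvar($_POST['pbid']);
// 'pb' is a checkbox, so it is absent from $_POST when unchecked: guard the read
$pb_ban = isset($_POST['pb']) ? cleanvar($_POST['pb']) : '';
$reason = cleanvar($_POST['reason']);
$cid = cleanvar($_POST['cid']);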
if ($pb_ban == 'on') {
    $is_pb_ban = true;
    $type = 'Ban';
    $duration = 0;
    $time_expire = '-1';
} else {
    $is_pb_ban = false;
    $type = 'TempBan';
    $duration_form = cleanvar($_POST['duration']);
    $time = cleanvar($_POST['time']);
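<?php

// XLRstats edit handler: sets a client's fixed name and hidden flag.
$auth_name = 'edit_xlrstats';
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../../inc.php';
## Check the form was submitted ##
if (!isset($_POST['xlrstats-sub'])) {
    // not a form submission: send back to the client pages
    set_error('Please do not call this page directly');
    send('../../');
}
## Check that the sent form token is correct (CSRF protection) ##
if (!verifyFormToken('xlrstats', $tokens)) {
    // bad or missing token: ifTokenBad presumably logs it and ends the request
    ifTokenBad('XLRstats Edit');
}
## Get vars from form ##
$cid = cleanvar($_POST['cid']);
$name = cleanvar($_POST['fixed-name']);
// 'hidden' is a checkbox, so it is absent from $_POST when unchecked: guard the
// read and reduce it to a 0/1 flag
$hide = (isset($_POST['hidden']) && cleanvar($_POST['hidden']) == 'on') ? 1 : 0;
// NOTE: when the user supplies an empty fixed name, the db will be updated with a blank/NULL field, in effect disabling the feature
## Check sent client_id is a number ##
if (!isID($cid)) {
    sendBack('Invalid data sent, ban not added');
}
## LOG Query ##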
} else {
    $auth_name = 'edit_mask';
}
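$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
## Check that the sent form token is correct (CSRF protection) ##
// $is_mask is set earlier in this file; the level and mask forms each carry their
// own token name, so pick the one matching the request
$form_token = $is_mask ? 'mask' : 'level';
$token_action = $is_mask ? 'Change client mask level' : 'Change client level';
if (!verifyFormToken($form_token, $tokens)) {
    // bad or missing token: ifTokenBad presumably logs it and ends the request
    ifTokenBad($token_action);
}
## Set and clean vars ##
$level = cleanvar($_POST['level']);
$client_id = cleanvar($_POST['cid']);
$old_level = cleanvar($_POST['old-level']);
// only the level form sends a password, so the field may be absent on a mask change:
// guard the read to avoid an undefined-index notice
$password = isset($_POST['password']) ? cleanvar($_POST['password']) : '';
## Check Empties ##
emptyInput($level, 'data not sent');
emptyInput($client_id, 'data not sent');
emptyInput($old_level, 'data not sent');
if (!$is_mask) {
    // only the client level change needs a password
    emptyInput($password, 'current password');
}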
    $perms = substr($list, 0, -1);
    // remove the final comma
    ## get slug from name ##
    $name = strtolower(trim($name));
    $slug = preg_replace('/[^a-z0-9-]/', '', $name);
    $result = $dbl->addGroup($name, $slug, $perms);
    if (!$result) {
        sendBack('There was a problem creating the new group');
    } else {
        sendGood('The group ' . $name . ' has been created!');
    }
} else {
    // edit group perms
    # verify token #
    if (!verifyFormToken('perm-group-edit', $tokens)) {
        ifTokenBad('Edit Group Permissions');
    }
    $group_id = cleanvar($_GET['gid']);
    // get the group to update from the URL
    ## check numeric id ##
    if (!is_numeric($group_id)) {
        sendBack('Invalid data sent, request aborted');
    }
    $data = getPostsPerms($_POST);
    $perms_list = $dbl->getPermissions(false);
    // get a full list of all perms (without desc)
    foreach ($perms_list as $perm) {
        // compare the two lists and create a common list of perms
        $perm_id = $perm['id'];
        $perm_name = $perm['name'];
        if (array_key_exists($perm_name, $data)) {
    } else {
        sendBack('There is a problem. The user has not been deleted');
    }
    exit;
} elseif ($_POST['ad-edit-user']) {
    // admin edit user
    ## get and clean vars ##
    $username = cleanvar($_POST['username']);
    $display = cleanvar($_POST['display']);
    $email = cleanvar($_POST['email']);
    $group = cleanvar($_POST['group']);
    $id = cleanvar($_POST['id']);
    ## check numeric id ##
    if (!is_numeric($id)) {
        sendBack('Invalid data sent, request aborted');
    }
    # verify token #
    if (!verifyFormToken('adedituser', $tokens)) {
        ifTokenBad('Edit Echelon User');
    }
    $result = $dbl->editUser($id, $username, $display, $email, $group);
    if ($result) {
        sendGood($display . "'s information has been updated");
    } else {
        sendBack('There is a problem. The user information has not been changed');
    }
    exit;
} else {
    set_error('You cannot view this page directly');
    send('sa.php');
}