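/**
 * Run one updater query, expanding {{table}} placeholders to prefixed table names.
 *
 * @param string $query   SQL text; every "{{name}}" whose name is a key of the global
 *                        $update_tables is replaced by $db_prefix . name
 * @param bool   $no_log  When true the query text is not written to the update log
 * @return mixed  Result of __db_query(); on failure the script terminates via die()
 */
function upd_do_query($query, $no_log = false)
{
    global $update_tables, $db_prefix;

    upd_add_more_time();
    if (!$no_log) {
        upd_log_message("Performing query '{$query}'");
    }
    sn_db_connect();

    // Only walk the table list when a placeholder is present, and only when the global
    // is actually an array — foreach over an unset global would raise a warning and skip.
    if (strpos($query, '{{') !== false && is_array($update_tables)) {
        foreach (array_keys($update_tables) as $tableName) {
            $query = str_replace("{{{$tableName}}}", $db_prefix . $tableName, $query);
        }
    }

    $result = __db_query($query);
    if (!$result) {
        // NOTE(review): die() echoes the full statement and the driver error to the client;
        // acceptable only while the updater is reachable by administrators alone — confirm.
        die('Query error for ' . $query . ': ' . db_error());
    }

    return $result;
}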
 /**
  * Write a system log entry into the `{{logs}}` table, or echo it when logging is disabled.
  *
  * @param string $message   Log text; stored via db_escape()
  * @param string $title     Log title (default 'System Message')
  * @param int    $log_code  Numeric log code (default 300)
  * @param mixed  $dump      Passed to $this->dump(); a truthy dump result is serialized into `log_dump`
  */
 function warning($message, $title = 'System Message', $log_code = 300, $dump = false)
 {
     global $link, $user, $lang, $sys_log_disabled;
     // NOTE(review): plain require (not require_once), so the config file is re-read on every call.
     // The only consumer visible here ($dbsettings, below) is commented out — confirm it is still needed.
     require SN_ROOT_PHYSICAL . 'config.' . PHP_EX;
     if (!$link) {
         sn_db_connect();
         //      $link = mysql_connect($dbsettings['server'], $dbsettings['user'], $dbsettings['pass']);
         //      mysql_query('/*!40101 SET NAMES \'utf8\' */');
         //      mysql_select_db($dbsettings['name']);
     }
     // Dump attached to the entry; a falsy result leaves the `log_dump` column out of the INSERT.
     $error_backtrace = $this->dump($dump, false);
     if (!$sys_log_disabled) {
         // All values go through db_escape(); `log_page` is SCRIPT_NAME with the SN_ROOT_RELATIVE
         // prefix stripped when present. Assumes $user is a populated array — calling this before
         // login would raise undefined-index notices for $user['id'] / $user['user_name'] (confirm).
         $query = "INSERT INTO `{{logs}}` SET\n        `log_time` = '" . time() . "', `log_code` = '" . db_escape($log_code) . "', `log_sender` = '" . db_escape($user['id']) . "',\n        `log_username` = '" . db_escape($user['user_name']) . "', `log_title` = '" . db_escape($title) . "',  `log_text` = '" . db_escape($message) . "',\n        `log_page` = '" . db_escape(strpos($_SERVER['SCRIPT_NAME'], SN_ROOT_RELATIVE) === false ? $_SERVER['SCRIPT_NAME'] : substr($_SERVER['SCRIPT_NAME'], strlen(SN_ROOT_RELATIVE))) . "'" . ($error_backtrace ? ", `log_dump` = '" . db_escape(serialize($error_backtrace)) . "'" : '') . ";";
         __db_query($query);
     } else {
         // NOTE(review): the fallback interpolates $title/$message/$log_code into HTML without escaping.
         // Callers pass pre-formatted HTML (e.g. the "SQL Debug" warning built with <br />), so escaping
         // here would change their output — keep this path restricted to administrative/debug use.
         print "<hr>User ID {$user['id']} made log entry with code {$log_code} titled '{$title}' with text '{$message}' on page {$_SERVER['SCRIPT_NAME']}";
     }
 }
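/**
 * Run a query through the __db_query() wrapper after the security checks, expanding {{table}}
 * placeholders and optionally attaching debug information.
 *
 * @param string $query             SQL text; "{{name}}" placeholders are replaced with $db_prefix . name
 *                                  for every name listed in $sn_cache->tables
 * @param string $table             Logged for the debug table only; a non-string value here is
 *                                  treated as the $fetch flag (legacy two-argument call form)
 * @param bool   $fetch             When true, return db_fetch() of the result instead of the result
 * @param bool   $skip_query_check  When true, security_query_check_bad_words() is not called
 * @return mixed  Fetched row when $fetch, otherwise the raw result of __db_query()
 */
function doquery($query, $table = '', $fetch = false, $skip_query_check = false)
{
    global $numqueries, $link, $debug, $sn_cache, $config, $db_prefix;

    // Legacy calling convention: doquery($query, $fetch) — a non-string second argument is the fetch flag.
    if (!is_string($table)) {
        $fetch = $table;
    }
    if (!$link) {
        sn_db_connect();
    }

    $query = trim($query);
    security_watch_user_queries($query);
    if (!$skip_query_check) {
        security_query_check_bad_words($query);
    }

    $sql = $query;
    if (strpos($sql, '{{') !== false) {
        foreach ($sn_cache->tables as $tableName) {
            $sql = str_replace("{{{$tableName}}}", $db_prefix . $tableName, $sql);
        }
    }

    if ($config->debug) {
        $numqueries++;
        $arr = debug_backtrace();
        // end() takes its argument by reference; end(explode(...)) raises
        // "Only variables should be passed by reference", so split into two steps.
        $path_parts = explode('/', $arr[0]['file']);
        $file = end($path_parts);
        $line = $arr[0]['line'];
        // NOTE(review): $query is inserted into the debug HTML unescaped — fine only while
        // the debug table is shown to administrators.
        $debug->add("<tr><th>Query {$numqueries}: </th><th>{$query}</th><th>{$file}({$line})</th><th>{$table}</th><th>{$fetch}</th></tr>");
    }

    if (defined('DEBUG_SQL_COMMENT')) {
        $backtrace = debug_backtrace();
        $sql_comment = $debug->compact_backtrace($backtrace, defined('DEBUG_SQL_COMMENT_LONG'));
        // Whitespace-collapsed statement, used both in the SQL comment and in the error array.
        $sql_flat = preg_replace("/\\s+/", ' ', $sql);
        $sql_commented = '/* ' . implode("<br />", $sql_comment) . '<br /> */ ' . $sql_flat;
        if (defined('DEBUG_SQL_ONLINE')) {
            $debug->warning($sql_commented, 'SQL Debug', LOG_DEBUG_SQL);
        }
        if (defined('DEBUG_SQL_ERROR')) {
            array_unshift($sql_comment, $sql_flat);
            $debug->add_to_array($sql_comment);
        }
        // The commented form is what actually goes to the server.
        $sql = $sql_commented;
    }

    $sqlquery = __db_query($sql);
    if (!$sqlquery) {
        $debug->error(db_error() . "<br />{$sql}<br />", 'SQL Error');
    }

    return $fetch ? db_fetch($sqlquery) : $sqlquery;
}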
// Ideally this would be module loading first and initialization only afterwards — to keep the process footprint in memory small
// Note: the loop's value variable reuses the name of the array being iterated ($load_order). PHP iterates
// a copy when looping by value, so this works, but $load_order is no longer the array after the loop
// (it is unset below anyway).
foreach ($load_order as $loaded_module_name => $load_order) {
    // Negative load order means "do not initialize".
    if ($load_order < 0) {
        continue;
    }
    $sn_module[$loaded_module_name]->initialize();
    // Index by package name; the reference keeps both maps pointing at the same module object.
    $sn_module_list[$sn_module[$loaded_module_name]->manifest['package']][$loaded_module_name] =& $sn_module[$loaded_module_name];
}
// No longer needed
unset($load_order);
unset($sn_req);
// Now check whether the loaded code supports this page
if (!isset($sn_data['pages'][$sn_page_name])) {
    // Unknown page name falls back to the empty page name.
    $sn_page_name = '';
}
sn_db_connect();
// Global locale object; lng_switch() applies the value of the 'lang' parameter (presumably a request parameter — verify sys_get_param_str()).
global $lang;
$lang = new classLocale(DEFAULT_LANG, $config->server_locale_log_usage);
$lang->lng_switch(sys_get_param_str('lang'));
// Periodic version check: runs once the last check is older than server_updater_check_period.
if ($config->server_updater_check_auto && $config->server_updater_check_last + $config->server_updater_check_period <= SN_TIME_NOW) {
    include SN_ROOT_PHYSICAL . 'ajax_version_check' . DOT_PHP_EX;
}
// Birthday gifts: at most once per PERIOD_DAY after the last celebration.
if ($config->user_birthday_gift && SN_TIME_NOW > $config->user_birthday_celebrate + PERIOD_DAY) {
    require_once SN_ROOT_PHYSICAL . "includes/includes/user_birthday_celebrate" . DOT_PHP_EX;
    sn_user_birthday_celebrate();
}
if (!$config->var_online_user_count || $config->var_online_user_time + 30 < SN_TIME_NOW) {
    $config->db_saveItem('var_online_user_count', db_user_count(true));
    $config->db_saveItem('var_online_user_time', SN_TIME_NOW);
    if ($config->server_log_online) {
        doquery("INSERT IGNORE INTO {{log_users_online}} SET online_count = {$config->var_online_user_count};");
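/**
 * Run a query against the game database after the watch-list and blocked-statement checks.
 *
 * Uses the legacy mysql_* extension (removed in PHP 7); this example predates the __db_query() wrapper.
 *
 * @param string $query  SQL text; '{{table}}' expands to the prefixed $table, any other "{{name}}"
 *                       to $db_prefix . name for every name in $sn_cache->tables
 * @param string $table  Table name substituted for '{{table}}'; 'logs' is also exempt from the TRUNCATE check
 * @param bool   $fetch  When true, return the first row as an associative array instead of the result
 * @return mixed  mysql_fetch_assoc() row when $fetch, otherwise the mysql_query() result
 */
function doquery($query, $table = '', $fetch = false)
{
    global $numqueries, $link, $debug, $user, $tableList, $sn_cache, $is_watching, $config, $dm_change_legit;

    // Watch-list: report every non-read statement issued by a watched user.
    // $is_watching guards against recursion should the warning path come back through doquery().
    if ($config->game_watchlist_array) {
        if (!$is_watching && in_array($user['id'], $config->game_watchlist_array)) {
            if (!preg_match('/^(select|commit|rollback|start transaction)/i', $query)) {
                $is_watching = true;
                $msg = "\$query = \"{$query}\"\n\rtable = '{$table}', fetch = '{$fetch}'";
                if (!empty($_POST)) {
                    $msg .= "\n\r" . dump($_POST, '$_POST');
                }
                if (!empty($_GET)) {
                    $msg .= "\n\r" . dump($_GET, '$_GET');
                }
                $debug->warning($msg, "Watching user {$user['id']}", 399, array('base_dump' => true));
                $is_watching = false;
            }
        }
    }

    if (_sn_doquery_is_blocked($query, $table, $user, $dm_change_legit)) {
        $message = 'Привет, я не знаю то, что Вы пробовали сделать, но команда, которую Вы только послали базе данных, не выглядела очень дружественной и она была заблокированна.<br /><br />Ваш IP, и другие данные переданны администрации сервера. Удачи!.';
        _sn_doquery_log_blocked($query, $table, $user);
        die($message);
    }

    // sn_db_connect() returns the table prefix in this version of the API.
    $db_prefix = sn_db_connect($query);
    $sql = str_replace('{{table}}', $db_prefix . $table, $query);
    if (strpos($sql, '{{') !== false) {
        foreach ($sn_cache->tables as $tableName) {
            $sql = str_replace("{{{$tableName}}}", $db_prefix . $tableName, $sql);
        }
    }

    $sqlquery = mysql_query($sql);
    if (!$sqlquery) {
        $debug->error(mysql_error() . "<br />{$sql}<br />", 'SQL Error');
    }

    if ($config->debug) {
        $numqueries++;
        $arr = debug_backtrace();
        // end() takes its argument by reference; end(explode(...)) raises
        // "Only variables should be passed by reference", so split into two steps.
        $path_parts = explode('/', $arr[0]['file']);
        $file = end($path_parts);
        $line = $arr[0]['line'];
        // NOTE(review): $query is inserted into the debug HTML unescaped — fine only while
        // the debug table is shown to administrators.
        $debug->add("<tr><th>Query {$numqueries}: </th><th>{$query}</th><th>{$file}({$line})</th><th>{$table}</th><th>{$fetch}</th></tr>");
    }

    return $fetch ? mysql_fetch_assoc($sqlquery) : $sqlquery;
}

/**
 * Blocked-statement filter for doquery(): true when the statement must not be sent to the server.
 *
 * Each fragment is the SQL keyword with its first letter dropped (e.g. 'ROP TABL' for DROP TABLE),
 * so the case-insensitive substring search also catches the keyword preceded by other characters.
 * The search runs over the whole statement, escaped user text included, so a string value containing
 * one of these fragments is blocked as well (pre-existing behaviour).
 *
 * @param string $query
 * @param string $table            'logs' is exempt from the TRUNCATE check
 * @param array  $user             Current user row; only 'authlevel' is read
 * @param bool   $dm_change_legit  When true, UPDATE statements touching RPG_POINTS are allowed
 * @return bool
 */
function _sn_doquery_is_blocked($query, $table, $user, $dm_change_legit)
{
    // `!== false` throughout: the original's `!= FALSE` treated a match at offset 0 as "not found".
    if (stripos($query, 'RUNCATE TABL') !== false && $table != 'logs') {
        return true;
    }
    // NOTE(review): 'EOAD DAT' is kept verbatim; it cannot match "LOAD DATA" (that would be 'OAD DAT'),
    // so the entry is effectively dead. Confirm the intent before widening it — 'OAD DAT' would also
    // block ordinary text such as "upload data" inside string values, and a block here is a die().
    $blocked_fragments = array('ROP TABL', 'ENAME TABL', 'REATE DATABAS', 'REATE TABL', 'ET PASSWOR', 'EOAD DAT');
    foreach ($blocked_fragments as $fragment) {
        if (stripos($query, $fragment) !== false) {
            return true;
        }
    }
    // Direct UPDATEs of RPG_POINTS are allowed only when the caller flagged the change as legitimate.
    if (stripos($query, 'RPG_POINTS') !== false && stripos(trim($query), 'UPDATE ') === 0 && !$dm_change_legit) {
        return true;
    }
    // Statements other than SELECT that mention AUTHLEVEL require authlevel >= 3.
    if (stripos($query, 'AUTHLEVEL') !== false && $user['authlevel'] < 3 && stripos($query, 'SELECT') !== 0) {
        return true;
    }
    return false;
}

/**
 * Append a report about a blocked statement to badqrys.txt. Best effort: a failed fopen() is ignored.
 *
 * @param string $query
 * @param string $table
 * @param array  $user  Current user row; missing keys are written as empty strings
 * @return void
 */
function _sn_doquery_log_blocked($query, $table, $user)
{
    $report = "Hacking attempt (" . date("d.m.Y H:i:s") . " - [" . time() . "]):\n";
    $report .= ">Database Inforamation\n";
    // Label prefix => $user key (prefixes kept byte-for-byte from the original report format).
    $user_fields = array(
        "\tID - " => 'id',
        "\tUser - " => 'username',
        "\tAuth level - " => 'authlevel',
        "\tAdmin Notes - " => 'adminNotes',
        "\tCurrent Planet - " => 'current_planet',
        "\tUser IP - " => 'user_lastip',
        "\tUser IP at Reg - " => 'ip_at_reg',
        "\tUser Agent- " => 'user_agent',
        "\tCurrent Page - " => 'current_page',
        "\tRegister Time - " => 'register_time',
    );
    foreach ($user_fields as $label => $key) {
        $report .= $label . (isset($user[$key]) ? $user[$key] : '') . "\n";
    }
    $report .= "\n";
    $report .= ">Query Information\n";
    $report .= "\tTable - " . $table . "\n";
    $report .= "\tQuery - " . $query . "\n";
    $report .= "\n";
    $report .= ">\$_SERVER Information\n";
    // Label prefix => $_SERVER key; isset() avoids undefined-index notices for headers the client did not send.
    $server_fields = array(
        "\tIP - " => 'REMOTE_ADDR',
        "\tHost Name - " => 'HTTP_HOST',
        "\tUser Agent - " => 'HTTP_USER_AGENT',
        "\tRequest Method - " => 'REQUEST_METHOD',
        "\tCame From - " => 'HTTP_REFERER',
        "\tPage is - " => 'SCRIPT_NAME',
        "\tUses Port - " => 'REMOTE_PORT',
        "\tServer Protocol - " => 'SERVER_PROTOCOL',
    );
    foreach ($server_fields as $label => $key) {
        $report .= $label . (isset($_SERVER[$key]) ? $_SERVER[$key] : '') . "\n";
    }
    $report .= "\n--------------------------------------------------------------------------------------------------\n";

    // NOTE(review): the report (query text, user agent, referer, IP) is written directly under
    // SN_ROOT_PHYSICAL; if that directory is the web root, make sure badqrys.txt is not served.
    $fp = fopen(SN_ROOT_PHYSICAL . 'badqrys.txt', 'a');
    if ($fp) {
        fwrite($fp, $report);
        fclose($fp);
    }
}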