Exemplo n.º 1
0
    }
    // compare the tokens against each other if they are still the same
    if ($_SESSION[$form . '_token'] !== $_POST['token']) {
        return false;
    }
    return true;
}
function check_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
if (isset($_POST['submit'])) {
    if (verifyFormToken('form1')) {
        $name = check_input($_POST["name"]);
        $email = check_input($_POST["emailaddress"]);
        $message = check_input($_POST["message"]);
        $ForwardTo = '*****@*****.**';
        $details = 'Name: ' . $name . "\n" . 'Email: ' . $email . "\n" . 'Message: ' . $message . "\n";
        $data['success'] = true;
        $data['message'] = 'Success!';
        mail($ForwardTo, "Construction of Hope Contact", $details, "From:{$email}");
    } else {
        $data['success'] = false;
        $data['errors'] = $errors;
    }
    exit('
      <body>
Exemplo n.º 2
0
<?php

if ($_POST['recipient'] != "") {
    // VERIFY LEGITIMACY OF TOKEN
    if (verifyFormToken('cwfile')) {
        // CHECK TO SEE IF THIS IS A MAIL POST
        if (isset($_POST['active'])) {
            // Building a whitelist array with keys which will send through the form, no others would be accepted later on
            $whitelist = array('token', 'term', 'recipient', 'name', 'protect', 'active', 'password', 'content', 'duration', 'specificdate', 'gallery[]', 'redirect', 'imgtype', 'userid', 'img', 'imgsizes', 'id', 'CwFileCode', 'encryptid', 'cwfilecode');
            // Building an array with the $_POST-superglobal
            foreach ($_POST as $key => $item) {
                // Check if the value $key (fieldname from $_POST) can be found in the whitelisting array, if not, die with a short message to the hacker
                if (!in_array($key, $whitelist)) {
                    writeLog('Unknown form fields');
                    die("Hack-Attempt detected. Please use only the fields in the form");
                }
            }
            // Lets check the URL whether it's a real URL or not. if not, stop the script
            #            if(!filter_var($_POST['active'],FILTER_VALIDATE_URL)) {
            #            			writeLog('URL Validation');
            #            		die('Hack-Attempt detected. Please insert a valid URL');
            #            }
            // SAVE INFO AS COOKIE, if user wants name and email saved
            $saveCheck = $_POST['save-stuff'];
            if ($saveCheck == 'on') {
                setcookie("WRCF-Name", $_POST['recipient'], time() + 60 * 60 * 24 * 365);
                setcookie("WRCF-Email", $_POST['recipient'], time() + 60 * 60 * 24 * 365);
            }
            $Sender = "Pk Design";
            $Expire = date("M-d-Y", $CwFileExpire);
            $CwLink = $CwLink . "?request={$CwFileCode}";
Exemplo n.º 3
0
<?php

$auth_name = 'ban';
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
if (!$_POST['ban-sub']) {
    // if the form not is submitted
    set_error('Please do not call that page directly, thank you.');
    send('../../index.php');
}
## check that the sent form token is corret
if (!verifyFormToken('ban', $tokens)) {
    // verify token
    ifTokenBad('Add ban');
}
## Type of ban and get and set vars ##
$pb_ban = cleanvar($_POST['pb']);
if ($pb_ban == 'on') {
    $is_pb_ban = true;
} else {
    $is_pb_ban = false;
    $duration_form = cleanvar($_POST['duration']);
    $time = cleanvar($_POST['time']);
    emptyInput($time, 'time frame');
    emptyInput($duration_form, 'penalty duration');
}
$reason = cleanvar($_POST['reason']);
$client_id = cleanvar($_POST['cid']);
$pbid = cleanvar($_POST['c-pbid']);
$c_name = cleanvar($_POST['c-name']);
Exemplo n.º 4
0
    $is_add = true;
} elseif ($_POST['type'] == 'edit') {
    $is_add = false;
} else {
    sendBack('Missing Data');
}
## Check Token ##
if ($is_add) {
    // if add server request
    if (verifyFormToken('addserver', $tokens) == false) {
        // verify token
        ifTokenBad('Add Server');
    }
} else {
    // if edit server settings
    if (verifyFormToken('editserversettings', $tokens) == false) {
        // verify token
        ifTokenBad('Server Settings Edit');
    }
}
## Get Vars ##
$name = cleanvar($_POST['name']);
$ip = cleanvar($_POST['ip']);
$pb = cleanvar($_POST['pb']);
// DB Vars
$rcon_ip = cleanvar($_POST['rcon-ip']);
$rcon_port = cleanvar($_POST['rcon-port']);
$rcon_pw_cng = cleanvar($_POST['cng-pw']);
$rcon_pw = cleanvar($_POST['rcon-pass']);
$server_id = cleanvar($_POST['server']);
if ($is_add) {
Exemplo n.º 5
0
    send('../index.php');
}
## Find Type ##
if ($_POST['type'] == 'add') {
    $is_add = true;
} elseif ($_POST['type'] == 'edit') {
    $is_add = false;
} else {
    sendBack('Missing Data');
}
## Check Token ##
if ($is_add) {
    //if(!verifyFormToken('addgame', $tokens)) // verify token
    //ifTokenBad('Add Game');
} else {
    if (!verifyFormToken('gamesettings', $tokens)) {
        // verify token
        ifTokenBad('Game Settings Edit');
    }
}
## Get Vars ##
$name = cleanvar($_POST['name']);
$name_short = cleanvar($_POST['name-short']);
if ($is_add) {
    $game_type = cleanvar($_POST['game-type']);
}
// DB Vars
$db_host = cleanvar($_POST['db-host']);
$db_user = cleanvar($_POST['db-user']);
$db_pw_cng = cleanvar($_POST['cng-pw']);
$db_pw = cleanvar($_POST['db-pw']);
Exemplo n.º 6
0
<?php

$auth_name = 'add_user';
// this page is add user, so that if you can add keys you should be able to remove them
require '../inc.php';
if ($_POST['t'] == 'del') {
    // if this is a deletion request
    $key = cleanvar($_POST['key']);
    if (verifyFormToken('keydel' . $key, $tokens) == false) {
        // verify token
        ifTokenBad('Reg Key Delete');
    }
    // if bad token, log and send error
    $result = $dbl->delKey($key);
    if ($result) {
        sendGood('Registration key deleted');
    } else {
        sendBack('There was an problem completeing your request');
    }
    exit;
    // no need continuing with this script
} elseif ($_POST['comment']) {
    // if this is an edit comment request
    $key = cleanvar($_POST['key']);
    $comment = cleanvar($_POST['comment']);
    emptyInput($comment, 'comment');
    $result = $dbl->editKeyComment($key, $comment, $mem->id);
    // this is an ajax request, so we need to echo error/success messages
    if ($result) {
        echo 'yes';
    } else {
Exemplo n.º 7
0
} elseif ($_POST['react']) {
    // if this is a re-activation request
    $bl_id = $_POST['id'];
    if (!verifyFormToken('act' . $bl_id, $tokens)) {
        // verify token
        ifTokenBad('BL De-activate');
    }
    // if bad log and send error
    $dbl->BLactive($bl_id, true);
    // run query to reactivate BL ban
    sendGood('This blacklist ban has been re-activiated');
    exit;
    // no need to continue
} elseif ($_POST['ip']) {
    // if this is an add request
    if (!verifyFormToken('addbl', $tokens)) {
        // verify token
        ifTokenBad('BL Add');
    }
    // if bad log, add hack counter and throw error
    // set and clean vars
    $reason = cleanvar($_POST['reason']);
    $ip = cleanvar($_POST['ip']);
    // check for empty inputs
    emptyInput($reason, 'the reason');
    emptyInput($ip, 'IP Address');
    // if reason is default comment msg, send back with error
    if ($reason == "Enter a reason for this ban...") {
        sendBack('You must add a reason as to why this IP ban is being added');
    }
    // check if it is a valid IP address
Exemplo n.º 8
0
<?php

$auth_name = 'add_user';
require '../inc.php';
## if form is submitted ##
if (!isset($_POST['add-user'])) {
    // if this was not a post request then send back with error
    sendBack('Please do not access that page directly');
}
## check that the sent form token is corret
if (!verifyFormToken('adduser', $tokens)) {
    // verify token
    ifTokenBad('Add User');
}
// set email and comment and clean
$email = cleanvar($_POST['email']);
$comment = cleanvar($_POST['comment']);
$group = cleanvar($_POST['group']);
// check the new email address is a valid email address
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    sendBack('That email is not valid');
}
// Create a unique key for the user
$text = $admin_id . $email . uniqid(microtime(), true) . $group;
// take sent data and some random data to create a random string
$rand_text = str_shuffle($text);
// shuffle the string to make more random
$user_key = genHash($rand_text);
// hash the random string to get the user hash
## run query to add key to the DB ##
$add_user = $dbl->addEchKey($user_key, $email, $comment, $group, $mem->id);
Exemplo n.º 9
0
<?php

$auth_name = 'greeting';
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
if ($_POST['greeting-sub']) {
    // if the form is submitted
    ## check that the sent form token is corret
    if (verifyFormToken('greeting', $tokens) == false) {
        // verify token
        ifTokenBad('Add comment');
    }
    $greeting = cleanvar($_POST['greeting']);
    $client_id = cleanvar($_POST['cid']);
    // NOTE: allow for an empty comment. An empty comment means no comment
    emptyInput($client_id, 'data not sent');
    if (!isID($client_id)) {
        sendBack('Invalid data sent, greeting not changed');
    }
    ## Add Log Message ##
    $comment = 'Greeting message changed';
    $dbl->addEchLog('Greeting', $comment, $client_id, $mem->id);
    ## Query ##
    $query = "UPDATE clients SET greeting = ? WHERE id = ? LIMIT 1";
    $stmt = $db->mysql->prepare($query) or sendBack('Database Error');
    $stmt->bind_param('si', $greeting, $client_id);
    $stmt->execute();
    if ($stmt->affected_rows) {
        sendGood('Greeting has been updated');
    } else {
Exemplo n.º 10
0
<?php

$auth_name = 'edit_ban';
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
if (!$_POST['eb-sub']) {
    // if the form not is submitted
    set_error('Please do not call that page directly, thank you.');
    send('../../index.php');
}
## check that the sent form token is corret
if (verifyFormToken('editban', $tokens) == false) {
    // verify token
    ifTokenBad('Edit ban');
}
$ban_id = cleanvar($_POST['banid']);
$pbid = cleanvar($_POST['pbid']);
$pb_ban = cleanvar($_POST['pb']);
$reason = cleanvar($_POST['reason']);
$cid = cleanvar($_POST['cid']);
if ($pb_ban == 'on') {
    $is_pb_ban = true;
    $type = 'Ban';
    $duration = 0;
    $time_expire = '-1';
} else {
    $is_pb_ban = false;
    $type = 'TempBan';
    $duration_form = cleanvar($_POST['duration']);
    $time = cleanvar($_POST['time']);
Exemplo n.º 11
0
$auth_name = 'unban';
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
## Check the form was submitted ##
if (!$_POST['unban-sub']) {
    // if the form not is submitted
    set_error('Please do not call that page directly, thank you.');
    send('../../index.php');
}
## get vars ##
$ban_id = $_POST['banid'];
$type = cleanvar($_POST['type']);
## check that the sent form token is correct ##
if (verifyFormToken('unban' . $ban_id, $tokens) == false) {
    // verify token
    ifTokenBad('Unban');
}
## Check for empties ##
emptyInput($type, 'data not sent');
emptyInput($ban_id, 'data not sent');
## Check ban_id is a number ##
if (!isID($ban_id)) {
    sendBack('Invalid data sent, ban not added');
}
## Send query ##
$results = $db->makePenInactive($ban_id);
if (!$results) {
    // if bad send back warning
    sendBack('Penalty has not been removed');
Exemplo n.º 12
0
<?php

$auth_name = 'comment';
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
if (!isset($_POST['comment-sub'])) {
    // if the form is submitted
    set_error('Please do not call that page directly');
    send('../../');
}
## check that the sent form token is corret
if (verifyFormToken('comment', $tokens) == false) {
    // verify token
    ifTokenBad('Add comment');
}
// Gets vars from form
$cid = cleanvar($_POST['cid']);
$comment = cleanvar($_POST['comment']);
// Check for empties
emptyInput($comment, 'comment');
emptyInput($cid, 'client id not sent');
## Check sent client_id is a number ##
if (!isID($cid)) {
    sendBack('Invalid data sent, ban not added');
}
## Query ##
$result = $dbl->addEchLog('Comment', $comment, $cid, $mem->id, $game);
if ($result) {
    sendGood('Comment added');
} else {
Exemplo n.º 13
0
<?php

$auth_name = 'edit_xlrstats';
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../../inc.php';
if (!isset($_POST['xlrstats-sub'])) {
    // if the form is submitted
    set_error('Please do not call this page directly');
    send('../../');
}
## check that the sent form token is corret
if (verifyFormToken('xlrstats', $tokens) == false) {
    // verify token
    ifTokenBad('XLRstats Edit');
}
// Gets vars from form
$cid = cleanvar($_POST['cid']);
$name = cleanvar($_POST['fixed-name']);
$hide = cleanvar($_POST['hidden']);
if ($hide == 'on') {
    $hide = 1;
} else {
    $hide = 0;
}
// NOTE: when the user supplies an empty fixed name, the db will be updated with a blank/NULL field, in effect disabling the feature
## Check sent client_id is a number ##
if (!isID($cid)) {
    sendBack('Invalid data sent, ban not added');
}
## LOG Query ##
Exemplo n.º 14
0
    // check which auth level is needed
    $auth_name = 'edit_client_level';
} else {
    $auth_name = 'edit_mask';
}
$b3_conn = true;
// this page needs to connect to the B3 database
require '../../inc.php';
## check that the sent form token is corret
if (!$is_mask) {
    if (verifyFormToken('level', $tokens) == false) {
        // verify token
        ifTokenBad('Change client level');
    }
} else {
    if (verifyFormToken('mask', $tokens) == false) {
        // verify token
        ifTokenBad('Change client mask level');
    }
}
## Set and clean vars ##
$level = cleanvar($_POST['level']);
$client_id = cleanvar($_POST['cid']);
$old_level = cleanvar($_POST['old-level']);
$password = cleanvar($_POST['password']);
## Check Empties ##
emptyInput($level, 'data not sent');
emptyInput($client_id, 'data not sent');
emptyInput($old_level, 'data not sent');
if (!$is_mask) {
    // only the client level needs a password
Exemplo n.º 15
0
    }
    $perms = substr($list, 0, -1);
    // remove the final comma
    ## get slug from name ##
    $name = strtolower(trim($name));
    $slug = preg_replace('/[^a-z0-9-]/', '', $name);
    $result = $dbl->addGroup($name, $slug, $perms);
    if (!$result) {
        sendBack('There was a problem creating the new group');
    } else {
        sendGood('The group ' . $name . ' has been created!');
    }
} else {
    // edit group perms
    # verify token #
    if (!verifyFormToken('perm-group-edit', $tokens)) {
        ifTokenBad('Edit Group Permissions');
    }
    $group_id = cleanvar($_GET['gid']);
    // get the group to update from the URL
    ## check numeric id ##
    if (!is_numeric($group_id)) {
        sendBack('Invalid data sent, request aborted');
    }
    $data = getPostsPerms($_POST);
    $perms_list = $dbl->getPermissions(false);
    // get a full list of all perms (without desc)
    foreach ($perms_list as $perm) {
        // compare the two lists and create a common list of perms
        $perm_id = $perm['id'];
        $perm_name = $perm['name'];
Exemplo n.º 16
0
    } else {
        sendBack('There is a problem. The user has not been deleted');
    }
    exit;
} elseif ($_POST['ad-edit-user']) {
    // admin edit user
    ## get and clean vars ##
    $username = cleanvar($_POST['username']);
    $display = cleanvar($_POST['display']);
    $email = cleanvar($_POST['email']);
    $group = cleanvar($_POST['group']);
    $id = cleanvar($_POST['id']);
    ## check numeric id ##
    if (!is_numeric($id)) {
        sendBack('Invalid data sent, request aborted');
    }
    # verify token #
    if (!verifyFormToken('adedituser', $tokens)) {
        ifTokenBad('Edit Echelon User');
    }
    $result = $dbl->editUser($id, $username, $display, $email, $group);
    if ($result) {
        sendGood($display . "'s information has been updated");
    } else {
        sendBack('There is a problem. The user information has not been changed');
    }
    exit;
} else {
    set_error('You cannot view this page directly');
    send('sa.php');
}