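function cleanmygets()
{
    // Normalises the request parameters the public site reads from $_GET so
    // that later code (loop_postings() and friends) can concatenate them into
    // SQL and templates. Every parameter is either coerced to a safe type or
    // reset to a harmless default; keys are never removed.
    //
    // Multi-valued input (?id[]=1) is treated as invalid for every key: the
    // consumers expect scalars (strlen(), explode(), string concatenation),
    // and an array would otherwise become id 1 via (int) or a TypeError.

    // id: integer; arrays and non-numeric text become 0, which matches no row.
    if (isset($_GET['id'])) {
        $_GET['id'] = is_scalar($_GET['id']) ? (int) $_GET['id'] : 0;
    }

    // page: 1-based page number. loop_postings() computes the row offset as
    // number * (page - 1), so anything below 1 would produce a negative offset.
    if (isset($_GET['page'])) {
        $_GET['page'] = is_scalar($_GET['page']) ? max(1, (int) $_GET['page']) : 1;
    }

    // com: flag that must be exactly "1" or "0". The comparison is strict:
    // the loose in_array() accepted "01", " 1" or "1.0" as equal to "1".
    if (isset($_GET['com']) && !in_array($_GET['com'], array('1', '0'), true)) {
        $_GET['com'] = '0';
    }

    // date: YYYY, YYYY-MM or YYYY-MM-DD -- the three shapes loop_postings()
    // turns into a timestamp range (it switches on the string length). Pinning
    // the exact shape, instead of merely "digits and hyphens", guarantees the
    // value yields a well-formed SQL date literal. Calendar validity (month 13)
    // is not checked here; the database simply finds nothing.
    if (isset($_GET['date'])) {
        if (!is_string($_GET['date']) || !preg_match('/^\d{4}(-\d{2}(-\d{2})?)?$/', $_GET['date'])) {
            $_GET['date'] = '2000-01-01';
        }
    }

    // cat / tag: free text that ends up inside LIKE / lookup queries. Arrays
    // are dropped; strings go through the project's character filter.
    // NOTE(review): what killevilcharacters() strips is not visible here --
    // the tag LIKE query in loop_postings() depends on it removing quotes
    // and backslashes, so confirm that against its definition.
    foreach (array('cat', 'tag') as $key) {
        if (isset($_GET[$key])) {
            $_GET[$key] = is_string($_GET[$key]) ? killevilcharacters($_GET[$key]) : '';
        }
    }
}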
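/**
 * Builds the "posted >= ... AND posted <= ... AND " fragment for a date
 * requested via ?date=. Accepts exactly YYYY, YYYY-MM or YYYY-MM-DD; any
 * other value yields no filter at all (the original switch likewise ignored
 * lengths other than 4, 7 and 10). Only digits and hyphens can reach the SQL
 * string, so the fragment is safe to concatenate.
 *
 * @param mixed $date raw request value
 * @return string SQL fragment ending in " AND ", or "" when not applicable
 */
function loop_postings_date_clause($date)
{
    if (!is_string($date) || !preg_match('/^\d{4}(-\d{2}(-\d{2})?)?$/', $date)) {
        return '';
    }

    switch (strlen($date)) {
        case 4: // a whole year
            $from = $date . '-01-01 00:00:00';
            $to = $date . '-12-31 23:59:59';
            break;
        case 7: // a whole month -- use the real last day instead of a fixed "31",
                // so the upper bound is a valid timestamp in February too
            list($year, $month) = explode('-', $date);
            $lastDay = date('t', mktime(0, 0, 0, (int) $month, 1, (int) $year));
            $from = $date . '-01 00:00:00';
            $to = $date . '-' . $lastDay . ' 23:59:59';
            break;
        default: // a single day
            $from = $date . ' 00:00:00';
            $to = $date . ' 23:59:59';
    }

    return "posted >= '" . $from . "' AND posted <= '" . $to . "' AND ";
}

/**
 * Template tag: renders either a page of postings or one single posting.
 *
 * The decision is driven by the request and the tag's attributes:
 *  - no ?id=, or forceloop="true" / static="true"  -> a list of postings
 *  - ?id=N otherwise                               -> that one posting
 *
 * Attributes (all optional): sort (column, default "posted"), number (rows per
 * page, default 5, minimum 1), order (ASC/DESC, default DESC), forceloop,
 * paging, static, stickies (string flags "true"/"false").
 *
 * Request parameters read: id, page, date, tag, cat, preview. They are expected
 * to have passed cleanmygets(), but the values that reach SQL are cast or
 * quoted here again so the query stays well-formed regardless.
 *
 * Side effects (globals, as before): $currentid and $postings[$currentid] are
 * set for every rendered posting (fullparse() reads them), $nextpage is set to
 * true when another page exists (it is never reset here), and $howmanypages
 * holds the page count ("1" for a single posting).
 *
 * @param string $content the raw tag body (container + inner template)
 * @return string rendered HTML, trimmed; "" when a requested id does not exist
 */
function loop_postings($content)
{
    global $currentid;
    global $postings;
    global $nextpage;
    global $howmanypages;
    global $settings;

    $att = getattributes($content);
    $content = stripcontainer($content);
    $db = $GLOBALS['lbdata'];
    $table = $GLOBALS['prefix'] . 'lb_postings';

    // Previews of unpublished postings (from the admin pages) need both the
    // request flag and the site setting.
    $preview = isset($_GET['preview']) && $_GET['preview'] == '1' && $settings['previews'] == '1';

    // Attribute defaults. $sort is template-controlled and only passes through
    // killevilcharacters() before being used as a column name; $order is
    // pinned to the two valid keywords, $loops to a positive integer (a zero
    // would divide by zero below and request an empty LIMIT).
    $sort = isset($att['sort']) ? killevilcharacters($att['sort']) : 'posted';
    $loops = isset($att['number']) ? max(1, (int) $att['number']) : 5;
    $order = isset($att['order']) ? strtoupper($att['order']) : 'DESC';
    if (!in_array($order, array('ASC', 'DESC'), true)) {
        $order = 'DESC';
    }
    $forceloop = isset($att['forceloop']) ? $att['forceloop'] : 'false';
    $paging = isset($att['paging']) ? $att['paging'] : 'true';
    $static = isset($att['static']) ? $att['static'] : 'false';
    $stickies = isset($att['stickies']) ? $att['stickies'] : 'true';

    $return = '';
    $howmanypages = "1";

    // Row offset for paging; never negative even if page < 1 slipped through.
    $start = 0;
    if (isset($_GET['page']) && $paging == 'true') {
        $start = max(0, $loops * ((int) $_GET['page'] - 1));
    }

    $showList = !isset($_GET['id']) || $forceloop == 'true' || $static == 'true';

    if (!$showList) {
        // A single posting. The id is cast to int so the literal cannot carry
        // anything but a number; without preview rights it must be live and
        // not scheduled for the future.
        $sql = 'SELECT * FROM ' . $table . ' WHERE id = ' . (int) $_GET['id'] . ' ';
        if (!$preview) {
            $sql .= "AND posted < '" . date('Y-m-d H:i:s') . "' AND status = '3'";
        }
        $rows = $db->GetArray($sql);
        if (empty($rows)) {
            // Unknown, unpublished or future id: render nothing rather than
            // parsing the template against an undefined posting.
            return '';
        }
        $currentid = $rows[0]['id'];
        $postings[$currentid] = $rows[0];
        return trim(fullparse($content));
    }

    // --- a list of postings ------------------------------------------------
    $where = 'WHERE ';

    if (isset($_GET['date']) && $static == 'false') {
        $where .= loop_postings_date_clause($_GET['date']);
    }

    // Only live postings; static loops ignore the publishing date.
    $where .= "status = '3' ";
    if ($static == 'false') {
        $where .= "AND posted < '" . date('Y-m-d H:i:s') . "' ";
    }

    // ?tag=a+b matches postings carrying any of the tags. Each pattern is
    // quoted by the database layer so quotes/backslashes in the request cannot
    // break out of the literal. NOTE: "%" and "_" inside a tag still act as
    // LIKE wildcards (they only widen the match).
    if (isset($_GET['tag']) && is_string($_GET['tag']) && $static == 'false') {
        $tagSql = array();
        foreach (explode('+', $_GET['tag']) as $tag) {
            $tagSql[] = ' tags LIKE ' . $db->qstr('%' . $tag . '%');
        }
        $where .= ' AND (' . implode(' OR ', $tagSql) . ') ';
    }

    // ?cat=short-name is resolved to a numeric id first; cast it so only a
    // number is interpolated.
    if (isset($_GET['cat']) && $static == 'false') {
        $catid = getcategoryidshort($_GET['cat']);
        if ($catid != '') {
            $catid = (int) $catid;
            $where .= 'AND (category1_id = ' . $catid
                . ' OR category2_id = ' . $catid
                . ' OR category3_id = ' . $catid
                . ' OR category4_id = ' . $catid . ') ';
        }
    }

    $orderBy = $stickies == 'false'
        ? "ORDER BY {$sort} {$order}"
        : "ORDER BY sticky DESC, {$sort} {$order}";
    $trunk = ' FROM ' . $table . ' ' . $where . $orderBy;

    // Total rows -> number of pages; exposed through $howmanypages so a paging
    // plugin can build its links.
    $count = $db->GetArray('SELECT COUNT(*)' . $trunk);
    $total = isset($count[0]['COUNT(*)']) ? (int) $count[0]['COUNT(*)'] : 0;
    $howmanypages = (int) ceil($total / $loops);

    // Fetch one row more than needed: its presence alone tells us whether a
    // "next page" exists.
    $rs = $db->SelectLimit('SELECT *' . $trunk, $loops + 1, $start);
    $rows = $rs ? $rs->GetArray() : array();

    $i = 0;
    foreach ($rows as $row) {
        $i++;
        if ($i > $loops) {
            if ($paging == 'true') {
                $nextpage = true;
            }
            break;
        }
        $currentid = $row['id'];
        $postings[$currentid] = $row;
        $return .= fullparse($content);
    }

    return trim($return);
}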
<link rel="stylesheet" type="text/css" href="backend/ie.css" /> <![endif]--> <script src="backend/jquery.js" type="text/javascript"></script> <script src="backend/functions.js" type="text/javascript"></script> <script src="backend/autocomplete.js" type="text/javascript"></script> <!-- <script src="backend/compressed.js" type="text/javascript"></script> --> </head> <body id="<?php if (!$access) { echo "login\" onLoad=\"document.loginform.nickname.focus();"; } else { if (isset($_GET['page'])) { echo killevilcharacters($_GET['page']); } else { echo "postings"; } } ?> "> <div id="wrapper">
session_register('ipnumber'); session_register('authorid'); $_SESSION['nickname'] = $_POST['nickname']; $_SESSION['authorid'] = getuserid($_POST['nickname']); // $_SESSION['password'] = md5($_POST['password']); $_SESSION['password'] = $_POST['password']; $_SESSION['ipnumber'] = $_SERVER['REMOTE_ADDR']; } if (isset($_POST['remember_me']) and $_POST['remember_me'] == 1) { $cookie_string = md5($_POST['nickname'] . ':' . $_POST['password']); setcookie('lbauth', $cookie_string, time() + 60 * 60 * 24 * 30); } if (isset($_COOKIE['lbauth'])) { $cookie_string = $_COOKIE['lbauth']; setcookie('lbauth', $cookie_string, time() + 60 * 60 * 24 * 30); } #var_dump($_POST['password']) ;echo ":"; var_dump($_SESSION['password']); include "inc/head.php"; //no url request? show postings as default if (!isset($_GET['page'])) { $loadme = "inc/backend_postings.php"; } else { $requested_page = killevilcharacters(strip_tags($_GET['page'])); $loadme = "inc/backend_" . $requested_page . ".php"; } //we don't want our users to run update scripts manually, do we? include "inc/autoupdate.php"; //yee-hah! finally we do show real content on our page! include $loadme; } include "inc/footer.php";
<?php //change the language if required by POST if (isset($_POST['language'])) { $mylanguage = killevilcharacters(strip_tags($_POST['language'])); include_once "lang/" . $mylanguage . ".php"; } echo "<h1>" . bla("hl_settings") . "</h1>\n"; include 'inc/navigation.php'; //check the rights if (!allowed(3, "")) { die("<p class=\"msg\">" . bla("msg_adminonly") . "</p>"); } //put the posted data into the databse if (isset($_GET['do']) and $_GET['do'] == "save") { //take care of picture 1 if (isset($_FILES['itunes_image']) && $_FILES['itunes_image']['size'] != "0") { $newfilename = $GLOBALS['audiopath'] . "itunescover.jpg"; move_uploaded_file($_FILES['itunes_image']['tmp_name'], $newfilename) or die("<p class=\"msg\">" . bla("msg_uploadbroken") . "</p>"); chmod($newfilename, 0777); } //take care of picture 2 if (isset($_FILES['feedimage']) and $_FILES['feedimage']['size'] != "0") { $newfilename = $GLOBALS['audiopath'] . "rssimage.jpg"; move_uploaded_file($_FILES['feedimage']['tmp_name'], $newfilename) or die("<p class=\"msg\">" . bla("msg_uploadbroken") . "</p>"); chmod($newfilename, 0777); } //forms with a checkbox will not be posted if not checked :-( if (!isset($_POST['countweb'])) { $_POST['countweb'] = "0"; }
$GLOBALS['templatepath'] = $lb_path . "/loudblog/custom/templates/"; //getting basic data $settings = getsettings(); dumpdata(); //get the language translation table global $lang; $lang = array(); @(include_once $GLOBALS['path'] . "/loudblog/lang/" . $settings['language'] . ".php"); // here comes bad behavior... if ($settings['badbehavior'] == "1") { require_once $lb_path . '/loudblog/inc/bad_behavior.php'; } //Ready to rock'n'roll? Let's start building the website! //template required by URL? Override template-setting if (isset($_GET['template'])) { $requested_template = killevilcharacters(strip_tags($_GET['template'])); $settings['template'] = $requested_template; } //building the right path to required template $templpath = $GLOBALS['templatepath'] . $settings['template'] . "/index.html"; //copies template into variable $connect = @fopen($templpath, "rb") or die("Unfortunately I could not find a valid template! {$templpath}"); $template = fread($connect, 262144); fclose($connect); //includes official loudblog-tags include "loudblog/inc/loudblogtags.php"; //includes plugins from plugins-folder $folder = opendir('loudblog/custom/plugins'); while ($file = readdir($folder)) { if (substr($file, -4, 4) == ".php") { include_once "loudblog/custom/plugins/" . $file;