require_once 'connect.php';
$link = mysqli_connect($host, $user, $password, $database) or die("Connection error. " . mysqli_error($link));
function checkCaptcha()
{
if (isset($_POST['g-recaptcha-response']) && !empty($_POST['g-recaptcha-response'])) {
$secret = '6Ld7_BITAAAAACP9BFhXD51dUr8AbhfN_PT0BtXF';
$verifyResponse = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret=' . $secret . '&response=' . $_POST['g-recaptcha-response']);
$responseData = json_decode($verifyResponse);
if ($responseData->success) {
return true;
} else {
return false;
}
} else {
return false;
}
}
if (isset($_POST['author']) && isset($_POST['message'])) {
$author = htmlentities(mysqli_real_escape_string($link, $_POST['author']));
$message = htmlentities(mysqli_real_escape_string($link, $_POST['message']));
$timestamp = date('Y-m-d H:i:s');
$query = "INSERT INTO posts VALUES(DEFAULT, '{$author}', '{$timestamp}', '{$message}')";
if (checkCaptcha()) {
$result = mysqli_query($link, $query) or die("Posting error. " . mysqli_error($link));
if ($result) {
echo "<script>if ( confirm(\"Пост добавлен!\") ) { window.location.href = '/_blog/'; }</script>";
}
} else {
echo "<script>alert(\"Captcha неверна.\");</script>";
}
}
$tpl->menuitem = MNU_START_NEWS_POST;
require $opt['rootpath'] . 'lib2/logic/captcha.inc.php';
require $opt['rootpath'] . 'lib2/mail.class.php';
$topicid = isset($_REQUEST['topic']) ? $_REQUEST['topic'] : 1;
$newstext = isset($_REQUEST['newstext']) ? $_REQUEST['newstext'] : '';
$newshtml = isset($_REQUEST['newshtml']) ? $_REQUEST['newshtml'] + 0 : 0;
$email = isset($_REQUEST['email']) ? $_REQUEST['email'] : '';
$captcha_id = isset($_REQUEST['captcha_id']) ? $_REQUEST['captcha_id'] : '';
$captcha = isset($_REQUEST['captcha']) ? $_REQUEST['captcha'] : '';
$emailok = false;
$tpl->assign('email_error', 0);
$tpl->assign('captcha_error', 0);
$tpl->assign('confirm', 0);
if (isset($_REQUEST['submit'])) {
$emailok = is_valid_email_address($email) ? true : false;
$captchaok = checkCaptcha($captcha_id, $captcha);
if ($emailok == true && $captchaok == true) {
// filtern und ausgabe vorbereiten
$tpl->assign('confirm', 1);
if ($newshtml == 0) {
$newstext = htmlspecialchars($newstext, ENT_COMPAT, 'UTF-8');
} else {
$purifier = new OcHTMLPurifier($opt);
$newstext = $purifier->purify($newstext);
}
$sTopic = sql_value("SELECT `name` FROM `news_topics` WHERE `id`='&1'", '', $topicid);
$tpl->assign('newstopic', $sTopic);
$tpl->assign('newstext', $newstext);
// in DB schreiben
sql("INSERT INTO `news` (`content`, `topic`, `display`) VALUES ('&1', '&2', '&3')", $newstext, $topicid, 0);
$rs = sql("SELECT `email` FROM `user` WHERE `admin`\\&'&1'='&1'", ADMIN_USER);
private function validateForm()
{
$this->data['field_name'] = $this->input->post('name');
if (utf8_strlen($this->input->post('name')) < 3 || utf8_strlen($this->input->post('name')) > 20) {
$this->error['name'] = lang('error_name');
}
$this->load->helper('email');
$this->data['field_email'] = $this->input->post('email');
if (!valid_email($this->input->post('email'))) {
$this->error['email'] = lang('error_email');
}
$this->data['field_title'] = $this->input->post('title');
if (utf8_strlen($this->input->post('title')) <= 0) {
$this->error['title'] = lang('error_title');
}
$this->data['field_enquiry'] = $this->input->post('enquiry');
if (utf8_strlen($this->input->post('enquiry')) <= 0) {
$this->error['content'] = lang('error_content');
}
if (!checkCaptcha($this->input->post('captcha'), 'captcha_contact')) {
$this->error['captcha'] = lang('error_captcha');
}
if (!$this->error) {
return true;
} else {
return false;
}
}
$contact_achternaam_error = "achternaam is niet ingevuld!";
$controle = false;
}
if (!isset($_POST["contact-email"]) || $_POST["contact-email"] == "") {
$contact_email_error = "e-mail adres is niet ingevuld";
$controle = false;
}
if (!isset($_POST["contact-onderwerp"]) || $_POST["contact-onderwerp"] == "") {
$contact_onderwerp_error = "onderwerp is niet ingevuld!";
$controle = false;
}
if (!isset($_POST["contact-bericht"]) || $_POST["contact-bericht"] == "") {
$contact_bericht_error = "bericht is niet ingevuld!";
$controle = false;
}
if ($controle == true && checkCaptcha($_POST["g-recaptcha-response"])) {
$to = query("SELECT email FROM schilder limit 0,1", NULL);
$to = $to[0]['email'];
$subject = $_POST["contact-onderwerp"];
$message = "naam afzender: " . $_POST["contact-voornaam"] . " " . $_POST["contact-achternaam"] . "\nemail afzender: " . $_POST['contact-email'] . "\n\n" . $_POST["contact-bericht"];
$header = "From:contact@hofvanellen.nl \r\n";
$verzondenmail = mail($to, $subject, $message, $header);
}
}
?>
<div id="contact-page-content">
<h4>Voor vragen of opmerkingen, <br>kunt u hier uw gegevens invullen en deze versturen naar Ellen van 't Hof.</h4>
</div>
<div id="contact-foutmelding"> <?php
if ($controle == true && isset($_POST["contact-submit"])) {
if ($verzondenmail) {
$phone = "";
$city = "";
$comment = "";
if (isset($_POST) && !empty($_POST)) {
if (isset($_POST['full_name']) && !empty($_POST['full_name']) && isset($_POST['patient_name']) && !empty($_POST['patient_name']) && isset($_POST['type']) && !empty($_POST['type']) && isset($_POST['sex']) && !empty($_POST['sex']) && isset($_POST['dob']) && !empty($_POST['dob']) && isset($_POST['email']) && !empty($_POST['email']) && isset($_POST['phone']) && !empty($_POST['phone']) && isset($_POST['city']) && !empty($_POST['city']) && isset($_POST['comment']) && !empty($_POST['comment'])) {
$full_name = $_POST['full_name'];
$patient_name = $_POST['patient_name'];
$type = $_POST['type'];
$sex = $_POST['sex'];
$dob = $_POST['dob'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$city = $_POST['city'];
$comment = $_POST['comment'];
// Checking if captcha entered is corrected
if (checkCaptcha($_POST['captcha'])) {
$to = "*****@*****.**";
//$to = "*****@*****.**";
$subject = "Contact Us - Max Healthcare Nigeria - " . $_POST['type'];
$todayis = date("l, F j, Y, g:i a");
$message = "<table style='max-width:600px;width:100%;font-family:sans-serif;font-size:14px;line-height:20px;'>\n <tr>\n <td style='width:20%'>Date</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'>{$todayis}</td>\n </tr>\n\n <tr>\n <td style='width:20%'>Name</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'> " . $_POST['full_name'] . "</td>\n </tr>\n\n <tr>\n <td style='width:20%'>Patient Name</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'> " . $_POST['patient_name'] . "</td>\n </tr>\n\n <tr>\n <td style='width:20%'>Type</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'> " . $_POST['type'] . "</td>\n </tr>\n\n <tr>\n <td style='width:20%'>Gender</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'> " . $_POST['sex'] . "</td>\n </tr>\n\n <tr>\n <td style='width:20%'>Patient Birth Date</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'> " . $_POST['dob'] . "</td>\n </tr>\n\n <tr>\n <td style='width:20%'>Email</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'> " . $_POST['email'] . "</td>\n </tr>\n\n <tr>\n <td style='width:20%'>Phone</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'> " . $_POST['phone'] . "</td>\n </tr>\n\n\n <tr>\n <td style='width:20%'>City</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'> " . $_POST['city'] . "</td>\n </tr>\n\n <tr>\n <td style='width:20%'>Comment</td>\n <td style='width:10%'>:</td>\n <td style='width:70%'> " . $_POST['comment'] . "</td>\n </tr>\n\n\n\n</table>";
/*$message = "
Date - $todayis
Name - " . $_POST['full_name'] . "
Patient Name - " . $_POST['patient_name'] . "
Type - " . $_POST['type'] . "
Gender - " . $_POST['sex'] . "
Patient Birth Date - " . $_POST['dob'] . "
Email - " . $_POST['email'] . "
Phone - " . $_POST['phone'] . "
City - " . $_POST['city'] . "
session_start();
function checkCaptcha($response)
{
if (isset($_SESSION['captcha_login_form']) && strtolower($_SESSION['captcha_login_form']) === strtolower($response)) {
$res = true;
} else {
$res = false;
}
//this has to be done everytime you check captcha
//otherwise your captcha is ineffective (not one-time)
unset($_SESSION['captcha_login_form']);
return $res;
}
if (isset($_POST['CAPTCHA'])) {
if (checkCaptcha($_POST['CAPTCHA'])) {
echo "Valid.";
} else {
echo "Invalid.";
}
}
?>
<form method='post'>
<label>Captcha:</label>
<input type='text' name='CAPTCHA' placeholder='captcha' />
<a href='#' onclick='var t=document.getElementById("captcha"); t.src=t.src+"&"+Math.random();'
><img id='captcha' src='purecaptcha_img.php?t=login_form' height='22'/></a>
<br/>
<?php
// niet via hier openen ga naar /admin/index.php
$usernameError = "";
$passwordError = "";
$password = "";
$username = "";
$correct = true;
if ($_SESSION["attempts"] == null) {
$_SESSION["attempts"] = 0;
}
// check post
if (isset($_POST["username"]) && isset($_POST["password"])) {
$_SESSION["attempts"]++;
if ($_SESSION["attempts"] < 3 || checkCaptcha($_POST["g-recaptcha-response"])) {
$password = trim($_POST["password"]);
$username = trim($_POST["username"]);
if ($username == "") {
// check naam input
$usernameError = "Naam is verplicht";
$correct = false;
}
if ($password == "") {
// check ww input
$passwordError = "Wachtwoord is verplicht";
$correct = false;
}
if ($correct) {
// check combi naam+ww
$password = hash("sha256", $password);
$query = "SELECT Username FROM gebruikers WHERE Username = ? AND Wachtwoord = ?";
</script>
<?php
$params = array($_GET["id"]);
// eerst schilderij ophalen
$schilderijlijst = query("SELECT S.titel, S.jaar, S.hoogte, S.breedte, S.beschrijving, \n C.Categorie_naam, SC.Subcategorie_naam, M.Materiaal_soort, S.img, S.prijs, S.lijst, \n S.passepartout, S.isStaand\n FROM schilderij S \n JOIN categorie C ON C.CategorieID = S.CategorieID \n LEFT JOIN subcategorie SC ON SC.SubcategorieID = S.SubcategorieID \n JOIN materiaal M ON M.MateriaalID = S.MateriaalID\n \n WHERE S.Schilderij_ID = ? AND S.OpWebsite = 1", $params);
if (count($schilderijlijst) != 1) {
header("location: gallerij.php");
exit;
}
$schilderij = $schilderijlijst[0];
$naam = "";
$commentaar = "";
$email = "";
$correct = true;
if (isset($_POST["naam"]) && isset($_POST["commentaar"]) && checkCaptcha($_POST["g-recaptcha-response"])) {
$commentaar = uppercase($_POST["commentaar"]);
$naam = trim($_POST["naam"]);
if ($naam == "") {
$naamleeg = "Naam is verplicht";
$correct = false;
}
if ($commentaar == "") {
$commentaarleeg = "Commentaar is verplicht";
$correct = false;
}
if ($correct) {
$naamklant = str_replace("<", "<", $_POST["naam"]);
$naamklant = str_replace(">", ">", $naamklant);
$naamklant = uppercase($naamklant);
$email = str_replace("<", "<", $_POST["email"]);
function handleRequest($action)
{
switch ($action) {
case 'getLevelList':
// [uid], [orderBy], [orderDir]
$orderDirs = array('id' => 'ASC', 'playcount' => 'DESC', 'updated' => 'DESC', 'name' => 'ASC', 'user_id' => 'DESC');
$orderBy = reqparam('orderBy');
if (!in_array($orderBy, array_keys($orderDirs))) {
$orderBy = 'id';
}
$orderDir = reqparam('orderDir');
if (!in_array($orderDir, array('ASC', 'DESC'))) {
$orderDir = $orderDirs[$orderBy];
}
$data = sql('SELECT levels.id, UNIX_TIMESTAMP(levels.updated) AS updated, levels.name, levels.desc, levels.user_id, users.username
FROM levels
LEFT JOIN users ON levels.user_id=users.id
WHERE 1
' . (reqparam('uid') ? ' AND levels.user_id=:uid' : '') . '
ORDER BY levels.' . $orderBy . ' ' . $orderDir, array(':uid' => reqparam('uid')));
output(array('levels' => $data));
break;
case 'getLevel':
// id
$data = sql('SELECT levels.id, UNIX_TIMESTAMP(levels.updated) AS updated, levels.name, levels.desc, levels.data, levels.user_id, users.username
FROM levels
LEFT JOIN users ON levels.user_id=users.id
WHERE levels.id=:id
LIMIT 1', array(':id' => reqparam('id')), 1);
output($data);
break;
case 'saveLevel':
// sid, [id], name, [desc], data
$user = sql('SELECT users.id FROM users, sessions WHERE sessions.id=:sid AND users.id=sessions.user_id LIMIT 1', array(':sid' => reqparam('sid')), 1);
if (!$user) {
error('Invalid session!');
}
if (reqparam('id') == 'null') {
$_REQUEST['id'] = null;
}
if (reqparam('id')) {
$oldlevel = sql('SELECT id, user_id FROM levels WHERE id=:id', array(':id' => reqparam('id')), 1);
if (!$oldlevel) {
$_REQUEST['id'] = null;
} elseif ($oldlevel['user_id'] != $user['id']) {
error('Trying to overwrite another user\'s level!');
}
}
sql('INSERT INTO levels (' . (reqparam('id') ? '`id`, ' : '') . '`user_id`, `name`, `desc`, `data`)
VALUES(' . (reqparam('id') ? ':id, ' : '') . ':uid, :name, :desc, :data)
ON DUPLICATE KEY UPDATE id=LAST_INSERT_ID(id), `name`=:name, `desc`=:desc, `data`=:data', array(':id' => reqparam('id'), ':uid' => array('val' => $user['id'], 'type' => PDO::PARAM_INT), ':name' => reqparam('name'), ':desc' => reqparam('desc'), ':data' => reqparam('data')), 1, $insertID);
output(array('id' => $insertID));
break;
case 'getUserData':
// uid
$data = sql('SELECT id, username, (SELECT COUNT(*) FROM levels WHERE user_id=:uid) AS level_count FROM users WHERE id=:uid', array(':uid' => reqparam('uid')), 1);
output($data);
break;
case 'getSessionData':
// sid
$data = sql('SELECT users.id, users.username, sessions.id AS sid FROM users, sessions WHERE sessions.id=:sid AND users.id=sessions.user_id LIMIT 1', array(':sid' => reqparam('sid')), 1);
if (!empty($data)) {
output($data);
} else {
error('Invalid session!');
}
break;
case 'logout':
// sid
sql('DELETE FROM sessions WHERE id=:sid LIMIT 1', array(':sid' => reqparam('sid')), 0);
output(true);
break;
case 'login':
// username, password
// Get user info
$data = sql('SELECT id, username FROM users WHERE username=:username AND password=:password LIMIT 1', array(':username' => reqparam('username'), ':password' => reqparam('password')), 1);
if (!empty($data)) {
// Create a new session
$data['sid'] = uniqid('', true);
sql('INSERT INTO sessions (id, user_id) VALUES(:sid, :uid)', array(':sid' => $data['sid'], ':uid' => $data['id']), 0);
// Limit to 5 open sessions per user
sql('DELETE FROM sessions WHERE user_id=:uid AND id NOT IN ( SELECT id FROM ( SELECT id FROM sessions WHERE user_id=:uid ORDER BY created DESC LIMIT 5 ) foo )', array(':uid' => $data['id']), 0);
output($data);
} else {
error('Invalid username or password!');
}
break;
case 'register':
// usrename, password, captcha_challenge, captcha_response
// Check captcha
$resp = checkCaptcha();
if (!$resp->is_valid) {
error('Invalid CAPTCHA answer!');
}
// Check if username exists
$data = sql('SELECT * FROM users WHERE username=:username LIMIT 1', array(':username' => reqparam('username')));
if (count($data) > 0) {
error('Username already taken!');
}
// Create new user
sql('INSERT INTO users (username, password) VALUES(:username, :password)', array(':username' => reqparam('username'), ':password' => reqparam('password')), 0);
return handleRequest('login');
break;
default:
error('Invalid action');
}
}
