$main_smarty->assign('user_url_news_downvoted2', getmyurl('user2', $login, 'downvoted'));
$main_smarty->assign('user_url_commented2', getmyurl('user2', $login, 'commented'));
$main_smarty->assign('user_url_saved2', getmyurl('user2', $login, 'saved'));
$main_smarty->assign('user_url_friends', getmyurl('user_friends', $login, 'following'));
$main_smarty->assign('user_url_friends2', getmyurl('user_friends', $login, 'followers'));
$main_smarty->assign('user_url_add', getmyurl('user_friends', $login, 'addfriend'));
$main_smarty->assign('user_url_remove', getmyurl('user_friends', $login, 'removefriend'));
$main_smarty->assign('user_rss', getmyurl('rssuser', $login));
$main_smarty->assign('URL_Profile2', getmyurl('user_edit', $login));
$main_smarty->assign('form_action', getmyurl('profile'));
// NOTE(review): the action string carries a trailing space ('member_groups ') -- looks like a typo; verify against the route it resolves to.
$main_smarty->assign('user_url_member_groups', getmyurl('user2', $login, 'member_groups '));
$main_smarty->assign('user_followers', $user->getFollowersCount());
$main_smarty->assign('user_following', $user->getFollowingCount());
// uploading avatar
// Avatar upload is only processed when the feature constant is on and the posted form says an upload happened;
// everything below is additionally gated on a valid 'profile_change' CSRF token.
if (isset($_POST["avatar"]) && sanitize($_POST["avatar"], 3) == "uploaded" && Enable_User_Upload_Avatar == true) {
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'profile_change')) {
        $user_image_path = "avatars/user_uploaded" . "/";
        $user_image_apath = "/" . $user_image_path;
        $allowedFileTypes = array("image/jpeg", "image/gif", "image/png", 'image/x-png', 'image/pjpeg');
        unset($imagename);
        $myfile = $_FILES['image_file']['name'];
        $imagename = basename($myfile);
        $mytmpfile = $_FILES['image_file']['tmp_name'];
        // $_FILES[...]['type'] is the MIME type declared by the client, not derived from the file bytes;
        // the getimagesize() call below is the only content-based check in this excerpt, and its result is not tested for false here.
        if (!in_array($_FILES['image_file']['type'], $allowedFileTypes)) {
            $error['Type'] = 'Only these file types are allowed : jpeg, gif, png';
        }
        if (empty($error)) {
            $imagesize = getimagesize($mytmpfile);
            $width = $imagesize[0];
            $height = $imagesize[1];
            // The basename() of the client filename computed above is discarded here in favour of an id-based name.
            $imagename = $user->id . "_original.jpg";
// Current login is taken from the mnm_user cookie (sanitized); if absent, fall back to the authenticated user or bounce to the front page.
$login = isset($_COOKIE['mnm_user']) ? sanitize($_COOKIE['mnm_user'], 3) : '';
//$login = isset($_GET['login']) ? sanitize($_GET['login'], 3) : '';
if ($login === '') {
    if ($current_user->user_id > 0) {
        $login = $current_user->user_login;
    } else {
        header('Location: ./');
        die;
    }
}
// NOTE(review): $_POST['template'] is used unsanitized in a filesystem path and echoed back into a cookie,
// and this runs before the CSRF check below, so it is reachable with a forged or token-less request.
if (Allow_User_Change_Templates && file_exists("./templates/" . $_POST['template'] . "/header.tpl")) {
    $domain = $_SERVER['HTTP_HOST'] == 'localhost' ? '' : preg_replace('/^www/', '', $_SERVER['HTTP_HOST']);
    setcookie("template", $_POST['template'], time() + 60 * 60 * 24 * 30, '/', $domain);
}
$CSRF->check_expired('user_settings');
if (!$CSRF->check_valid(sanitize($_POST['token'], 3), 'user_settings')) {
    $CSRF->show_invalid_error(1);
    exit;
}
$login_user = $db->escape($login);
//$login_user = $_GET['login'];
// The '******' literal below appears to be a masking artefact of this excerpt rather than the original query text.
$sqlGetiUserId = $db->get_var("SELECT user_id from " . table_users . " where user_login = '******';");
$select_check = $_POST['chack'];
/*
$geturl = $_SERVER['HTTP_REFERER'];
$url = strtolower(end(explode('/', $geturl)));
$vowels = array($url);
$Get_URL = str_replace($vowels, "", $geturl);
*/
// The referer is only trusted verbatim when it starts with this site's own base URL; anything else goes through sanitize().
if ($_SERVER['HTTP_REFERER'] && strpos($_SERVER['HTTP_REFERER'], $my_base_url . $my_pligg_base) === 0) {
    $geturl = $_SERVER['HTTP_REFERER'];
} else {
    $geturl = sanitize($_SERVER['HTTP_REFERER'], 3);
$canIhaveAccess = checklevel('god');
// Only the group's creator or a 'god'-level account may continue; everyone else is redirected to the group page.
if ($current_user->user_id != get_group_creator($requestID) && $canIhaveAccess != 1) {
    //page redirect
    $redirect = '';
    $redirect = getmyurl("group_story", $requestID);
    //
    header("Location: $redirect");
    die;
}
// pagename
define('pagename', 'editgroup');
$main_smarty->assign('pagename', pagename);
$CSRF = new csrf();
// uploading avatar
// Read without isset(): a request without the 'avatar' field raises a notice before the comparison.
if ($_POST["avatar"] == "uploaded") {
    $CSRF->check_expired('edit_group');
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'edit_group')) {
        $user_image_path = "avatars/groups_uploaded" . "/";
        $user_image_apath = "/" . $user_image_path;
        $allowedFileTypes = array("image/jpeg", "image/gif", "image/png", 'image/x-png', 'image/pjpeg');
        unset($imagename);
        $myfile = $_FILES['image_file']['name'];
        $imagename = basename($myfile);
        $mytmpfile = $_FILES['image_file']['tmp_name'];
        // $_FILES[...]['type'] is client-declared; getimagesize() below is the only content-based check visible here
        // and its return value is not tested for false before indexing.
        if (!in_array($_FILES['image_file']['type'], $allowedFileTypes)) {
            $error['Type'] = 'Only these file types are allowed : jpeg, gif, png';
        }
        if (empty($error)) {
            $imagesize = getimagesize($mytmpfile);
            $width = $imagesize[0];
            $height = $imagesize[1];
            // Raw POST value, not passed through sanitize() like the other fields in this block -- confirm how it is used downstream.
            $idname = $_POST["idname"];
$group_published_date = 943941600;
$group_name = $group_title;
// Self-assignment: a no-op (kept as found).
$group_description = $group_description;
// $group_safename = str_replace(' ', '-', $group_title);
$group_safename = makeUrlFriendly($group_title, true);
// $group_privacy is only defined when the field was posted; the INSERT below interpolates it unconditionally.
if (isset($_POST['group_privacy'])) {
    $group_privacy = $db->escape(sanitize($_POST['group_privacy'], 3));
}
// auto_approve_group is compared against the string 'true' with ==.
if (auto_approve_group == 'true') {
    $group_status = 'enable';
} else {
    $group_status = 'disable';
}
if (isset($_POST['group_title'])) {
    $CSRF->check_expired('submit_group');
    if (!$CSRF->check_valid(sanitize($_POST['token'], 3), 'submit_group')) {
        $CSRF->show_invalid_error(1);
        exit;
    }
    $errors = '';
    if (!$group_name) {
        $errors = $main_smarty->get_config_vars('PLIGG_Visual_Group_Empty_Title');
    } else {
        // NOTE(review): $group_name (= $group_title) is interpolated directly here and in the INSERT below;
        // whether it was escaped for SQL happens outside this excerpt -- confirm where $group_title is assigned.
        $exists = $db->get_var("select COUNT(*) from " . table_groups . " WHERE group_name='{$group_name}'");
        if ($exists) {
            $errors = $main_smarty->get_config_vars('PLIGG_Visual_Group_Title_Exists');
        }
    }
    if (!$errors) {
        //to insert a group
        // $group_author, $group_members, $group_date, $group_vote_to_publish and $group_notify_email are set outside this excerpt.
        $insert_group = "INSERT IGNORE INTO " . table_groups . " (group_creator, group_status, group_members, group_date, group_safename, group_name, group_description, group_privacy, group_vote_to_publish, group_notify_email) VALUES ({$group_author}, '{$group_status}', {$group_members},FROM_UNIXTIME({$group_date}),'{$group_safename}','{$group_name}', '{$group_description}', '{$group_privacy}', '{$group_vote_to_publish}', '{$group_notify_email}')";
//initialize a Rain TPL object
$tpl = new RainTPL();
$tpl->assign("theme", $theme);
$tpl->assign("title", $title);
$tpl->assign("headingtitletxt", $headingtitletxt);
$tpl->assign("addentrytxt", $addentrytxt);
$tpl->assign("viewguestbooktxt", $viewguestbooktxt);
$tpl->assign("newpostfirsttxt", $newpostfirsttxt);
$tpl->assign("newpostlasttxt", $newpostlasttxt);
$tpl->assign("searchlabeltxt", $searchlabeltxt);
$tpl->assign("searchbuttontxt", $searchbuttontxt);
$tpl->assign("currentyear", date("Y"));
$tpl->assign("goback", $goback);
// Validate Form Token
$csrf = new csrf();
// A token failure renders the 'error' template and stops; nothing below runs without a valid token.
if ($csrf->check_valid('post') == false) {
    $tpl->assign("error_msg", $errorFormToken);
    // The inline assignment only names the argument for readability; the value passed is true.
    $html = $tpl->draw('error', $return_string = true);
    echo $html;
    exit;
}
// Image Verification Classic
if ($image_verify == 1) {
    // Read without isset(); a missing field is hashed as the empty string.
    $number = $_POST['txtNumber'];
    // Loose (!=) comparison of the md5 hex string against the session value; hash_equals() would give a strict, constant-time compare.
    // If the session value is unset the comparison is true and the request is rejected (fails closed).
    if (md5($number) != $_SESSION['image_random_value']) {
        $tpl->assign("error_msg", $errorImageVerification);
        $html = $tpl->draw('error', $return_string = true);
        echo $html;
        exit;
    }
}
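<?php
// Contact-form handler: validates the CSRF token, then mails the posted lead.
// Side effects: starts the session, sends at most one e-mail, and leaves $check, $token_id,
// $token_value and $form_names defined for the page that includes this file.
session_start();
include 'php/csrf.class.php';

$check = 'Спасибо, ваше сообщение отправлено';
// Single failure text, reused for missing fields, a bad token and a failed mail() call.
$failureMessage = 'Сообщение не отправлено. Пожалуйста, проверьте правильность введенных данных и повторите попытку.';

$csrf = new csrf();
$token_id = $csrf->get_token_id();
$token_value = $csrf->get_token($token_id);
// Randomised field names: the real POST keys are looked up through $form_names.
$form_names = $csrf->form_names(array('email', 'name', 'referer'), false);

if (isset($_POST[$form_names['name']], $_POST[$form_names['email']])) {
    // Check if token id and token value are valid.
    if ($csrf->check_valid('post')) {
        // Get the Form Variables.
        $name = $_POST[$form_names['name']];
        $email = $_POST[$form_names['email']];
        // 'referer' is not covered by the isset() above, so default it instead of reading a missing key.
        $ref = isset($_POST[$form_names['referer']]) ? $_POST[$form_names['referer']] : '';
        //$to='*****@*****.**';
        $to = '*****@*****.**';
        // The Reply-To value is user-supplied: strip CR/LF so a crafted value cannot append extra mail headers.
        $replyTo = str_replace(array("\r", "\n"), '', $email);
        $headers = "From: admin@readymotors.ru\r\n" . 'Reply-To: ' . $replyTo . "\r\n" . 'X-Mailer: PHP/' . phpversion();
        $subject = 'Главная форма || Новый лид';
        // Initialise $body here (it was previously appended to without being defined).
        $body = 'Имя: ' . $name . "\n";
        $body .= 'Телефон: ' . $email . "\n";
        $body .= 'Откуда пришел: ' . $ref . "\n";
        // mail() returns false when the message was not accepted for delivery; report that instead of success.
        if (!mail($to, $subject, $body, $headers)) {
            $check = $failureMessage;
        }
    } else {
        // Token mismatch: nothing was sent, so do not keep the success text.
        $check = $failureMessage;
    }
    $form_names = $csrf->form_names(array('name', 'email', 'referer'), true);
} else {
    $check = $failureMessage;
}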
header("Location: " . getmyurl('login', $_SERVER['REQUEST_URI']));
die;
}
// read the mysql database to get the pligg version
$sql = "SELECT data FROM " . table_misc_data . " WHERE name = 'pligg_version'";
$pligg_version = $db->get_var($sql);
$main_smarty->assign('version_number', $pligg_version);
// sidebar
$main_smarty = do_sidebar($main_smarty);
if ($canIhaveAccess == 1) {
    // sessions used to prevent CSRF
    $CSRF = new csrf();
    if (isset($_POST['submit'])) {
        // Read without isset(): a submit without the 'enabled' field raises a notice before the falsy test.
        if ($_POST["enabled"]) {
            $CSRF->check_expired('admin_users_list');
            if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'admin_users_list')) {
                foreach ($_POST["enabled"] as $id => $value) {
                    // Side effect: the escaped id is also written back into $_GET['id'] (presumably for code further down -- verify).
                    $_GET['id'] = $id = $db->escape($id);
                    $value = $db->escape($value);
                    // NOTE(review): $id is interpolated unquoted here; escape() typically only neutralises quote/backslash characters,
                    // so a non-numeric key is not constrained in this context. The UPDATE below quotes it; an is_numeric()/intval() check would close the gap.
                    $user = $db->get_row('SELECT * FROM ' . table_users . " where user_id={$id}");
                    if ($user->user_enabled != $value) {
                        // canIChangeUser() is expected to stop the request when the caller may not modify this level -- its behaviour is outside this excerpt.
                        canIChangeUser($user->user_level);
                        // Re-enabling a user also lifts a 'Spammer' level back to 'normal'.
                        $db->query("UPDATE " . table_users . " SET user_enabled='{$value}', user_level=IF(user_level='Spammer','normal',user_level) WHERE user_id='" . $db->escape($id) . "'");
                    }
                }
            } else {
                $CSRF->show_invalid_error(1);
                exit;
            }
        }
        if ($_POST['delete']) {
echo "Invalid User";
die;
}
// module system hook
$vars = '';
check_actions('admin_users_edit', $vars);
// show the template
$main_smarty->assign('tpl_center', '/admin/user_edit_center');
$main_smarty->display($template_dir . '/admin/admin.tpl');
}
// NOTE(review): this save path is driven entirely by GET (mode, token and every field value). The token is checked,
// but a state change on GET is replayable from a link and the values end up in referrers, history and access logs.
if (sanitize($_GET["mode"], 3) == $main_smarty->get_config_vars('PLIGG_Visual_Profile_Save')) {
    //save user info
    // code to prevent CSRF
    $CSRF->check_expired('admin_users_edit');
    // code to prevent CSRF
    if ($CSRF->check_valid(sanitize($_GET['token'], 3), 'admin_users_edit')) {
        // The masked fragment in the WHERE clause is how this line appears in the excerpt (apparently mangled); do not read it as working code.
        $user = $db->get_row('SELECT * FROM ' . table_users . ' where user_login="******"user"], 3) . '"');
        // Called before the null check below: if get_row() returned nothing, ->user_level is read on null.
        canIChangeUser($user->user_level);
        if ($user) {
            $userdata = new User();
            $userdata->username = $user->user_login;
            if (!$userdata->read()) {
                echo "Error reading user data.";
                die;
            }
            // module system hook
            $vars = '';
            check_actions('admin_users_save', $vars);
            // Each field is sanitized (level 3) and trimmed before being written to the User object.
            $userdata->username = trim(sanitize($_GET["login"], 3));
            $userdata->level = trim(sanitize($_GET["level"], 3));
            $userdata->email = trim(sanitize($_GET["email"], 3));
rebuild_the_tree();
ordernew();
// put the category tree into an array for use in the qeip dropdown
// $action defaults to "view"; it is read from $_REQUEST, so GET and POST are both accepted.
$action = isset($_REQUEST['action']) && sanitize($_REQUEST['action'], 3) != '' ? sanitize($_REQUEST['action'], 3) : "view";
// NOTE(review): the 'htaccess' action renames a file on disk with no CSRF token check (the check only guards 'save' below),
// and because $action comes from $_REQUEST a plain GET can trigger it.
if ($action == "htaccess") {
    $htaccess = '../.htaccess';
    if (file_exists($htaccess)) {
        echo "The file {$htaccess} already exists. To protect you from accidentally removing it, you must manually remove it from your server before moving on.";
    } else {
        rename("../htaccess.default", "../.htaccess");
        echo "We have renamed htaccess.default to .htaccess for you. You still need to manually add the special category structure for it to fully work.";
    }
}
if ($action == "save") {
    $CSRF->check_expired('category_manager');
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'category_manager')) {
        if (!$_POST['safename']) {
            $_POST['safename'] = makeCategoryFriendly($_POST['name']);
            // NOTE(review): $_POST['auto_id'] is interpolated into the WHERE clause unescaped, and before the is_numeric() check further down.
            // mysql_real_escape_string() is also the ext/mysql API that no longer exists in PHP 7+.
            $row = $db->get_row("SELECT * FROM " . table_categories . " WHERE category_safe_name='" . mysql_real_escape_string(sanitize($_POST['safename'], 4)) . "' AND category__auto_id!='{$_POST['auto_id']}'");
            $i = '';
            // Probe safename, safename1, safename2, ... until no other category uses the name ('' ++ yields 1).
            while ($row->category_id > 0) {
                $i++;
                $row = $db->get_row("SELECT * FROM " . table_categories . " WHERE category_safe_name='" . mysql_real_escape_string(sanitize($_POST['safename'] . $i, 4)) . "' AND category__auto_id!='{$_POST['auto_id']}'");
            }
            $_POST['safename'] .= $i;
        }
        if ($_POST['auto_id'] && is_numeric($_POST['auto_id'])) {
            $id = sanitize($_POST['auto_id'], 3);
            $parent = sanitize($_POST['parent'], 3);
            if (!is_numeric($id)) {
                die;
// ts_random only namespaces template element ids; rand() is fine here as nothing security-relevant depends on it.
$main_smarty->assign('ts_random', rand(10000000, 99999999));
$main_smarty->assign('Default_Message', Default_Message);
$main_smarty->assign('link_shakebox_index', $htmlid);
$main_smarty->assign('link_id', $linkid);
$main_smarty->assign('instpath', my_base_url . my_pligg_base . "/");
$main_smarty->display($the_template . '/recommend_small.tpl');
}
} else {
    // we're submitting the form and sending the emails
    global $current_user, $db;
    if (!$current_user->authenticated) {
        echo '<br/><p><div class="error">' . $main_smarty->get_config_vars('PLIGG_Visual_Recommend_Logged_In') . '</div></p>';
        die;
    }
    $CSRF->check_expired('recommend');
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'recommend')) {
        // Rate limit: one recommendation per Recommend_Time_Limit seconds per user, based on last_email_friend.
        // $current_user->user_login is interpolated without visible escaping; presumably it comes from the session/DB rather
        // than this request -- confirm it is stored in an SQL-safe form.
        $sql = 'SELECT `last_email_friend` FROM `' . table_users . '` WHERE `user_login` = "' . $current_user->user_login . '"';
        $last_email = $db->get_var($sql);
        $time_since_last_email = time() - strtotime($last_email);
        if ($time_since_last_email < Recommend_Time_Limit) {
            echo '<br/><p><div class="error">' . $main_smarty->get_config_vars('PLIGG_Visual_Recommend_Limit') . '</div></p>';
            die;
        }
        // Only a numeric original_id is accepted; anything else collapses to 0 and skips the branch below.
        $requestID = isset($_POST['original_id']) && is_numeric($_POST['original_id']) ? $_POST['original_id'] : 0;
        if ($requestID > 0) {
            $id = $requestID;
            $link = new Link();
            $link->id = $requestID;
            $link->read();
            $link_url = my_base_url . getmyurl("story", $link->id);
            $headers = 'From: ' . Send_From_Email . "\r\n";
# $user->id = $comment->author;
# $user->read();
$template_comments[] = array('comment_id' => $comment->id, 'comment_content' => txt_shorter($comment->content, 90), 'comment_content_long' => $comment->content, 'comment_votes' => $comment->votes, 'comment_author' => $dbfiltered->user_login, 'comment_link_id' => $comment->link, 'comment_status' => $comment->status, 'comment_date' => $dbfiltered->comment_date);
}
$main_smarty->assign('template_comments', $template_comments);
}
// breadcrumbs and page title
$navwhere['text1'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel');
$navwhere['link1'] = getmyurl('admin', '');
$navwhere['text2'] = $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel_Comments');
$main_smarty->assign('navbar_where', $navwhere);
$main_smarty->assign('posttitle', " / " . $main_smarty->get_config_vars('PLIGG_Visual_Header_AdminPanel'));
// Bulk moderation: action comes from the query string, the form data and token from POST.
if (isset($_GET['action']) && sanitize($_GET['action'], 3) == "bulkmod" && isset($_POST['submit'])) {
    $CSRF->check_expired('admin_comments_edit');
    $killspammed = array();
    if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'admin_comments_edit')) {
        // Keys are cast with intval(), so the comment ids interpolated into the UPDATEs below are always integers.
        $comment = array();
        foreach ($_POST["comment"] as $k => $v) {
            $comment[intval($k)] = sanitize($v, 3);
        }
        foreach ($comment as $key => $value) {
            if ($value == "published") {
                $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "published" WHERE `comment_id` = "' . $key . '"');
            } elseif ($value == "moderated") {
                $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "moderated" WHERE `comment_id` = "' . $key . '"');
            } elseif ($value == "discard" || $value == "delete") {
                $db->query($sql = 'UPDATE `' . table_comments . '` SET `comment_status` = "discard" WHERE `comment_id` = "' . $key . '"');
                $vars = array('comment_id' => $key);
                check_actions('comment_discard', $vars);
            // NOTE(review): $killspammed[$user_id] is tested before $user_id is assigned for this comment (the SELECT below sets it),
            // so the guard reads the previous iteration's user id and is undefined on the first pass.
            } elseif ($value == "spam" && !$killspammed[$user_id]) {
                $user_id = $db->get_var("SELECT comment_user_id FROM `" . table_comments . "` WHERE `comment_id` = " . $key . ";");
/////
if ($link) {
    // Editing is allowed to the story's author or to admin/god accounts.
    if ($link->link_author == $current_user->user_id || $current_user->user_level == "admin" || $current_user->user_level == "god") {
        // DB 11/11/08
        // Non-admin authors lose edit rights once edit_time_limit minutes have passed since submission (only when limit_time_to_edit is non-zero).
        if ($current_user->user_level != "god" && $current_user->user_level != "admin" && limit_time_to_edit != 0 && (time() - $link->date) / 60 > edit_time_limit) {
            echo "<br /><br />" . sprintf($main_smarty->get_config_vars('PLIGG_Visual_EditLink_Timeout'), edit_time_limit) . "<br/ ><br /><a href=" . my_base_url . my_pligg_base . ">" . $main_smarty->get_config_vars('PLIGG_Visual_Name') . " home</a>";
            exit;
        }
        /////
        $CSRF = new csrf();
        if (isset($_POST["id"])) {
            //print_r($_POST);
            //exit;
            // NOTE(review): debug leftover -- echoes the raw posted title into the page with no escaping (reflected, unescaped output).
            // Remove it, or pass it through htmlspecialchars() if the output is intended.
            echo $_POST['title'];
            $CSRF->check_expired('edit_link');
            if ($CSRF->check_valid(sanitize($_POST['token'], 3), 'edit_link')) {
                $linkres = new Link();
                // The edited link id is taken from the query string (not the posted id) and must be numeric to continue.
                $linkres->id = $link_id = sanitize($_GET['id'], 3);
                if (!is_numeric($link_id)) {
                    die;
                }
                $linkres->read();
                // if notify link submitter is selected
                if (isset($_POST["notify"])) {
                    if (sanitize($_POST["notify"], 3) == "yes") {
                        // $theid is defined outside this excerpt and is interpolated unquoted -- confirm it is the validated $link_id.
                        $link_author = $db->get_col("SELECT link_author FROM " . table_links . " WHERE link_id=" . $theid . ";");
                        $user = $db->get_row("SELECT * FROM " . table_users . " WHERE user_id=" . $link_author[0] . ";");
                        $to = $user->user_email;
                        $subject = $main_smarty->get_config_vars('PLIGG_Visual_EditStory_Email_Subject');
                        $body = $user->user_login . ", \r\n\r\n" . $main_smarty->get_config_vars('PLIGG_Visual_EditStory_Email_AdminMadeChange') . "\r\n";
                        // The story URL in the mail is built from the request's Host header; my_base_url (used above) would not
                        // depend on a client-supplied value.
                        $body = $body . strtolower(strtok($_SERVER['SERVER_PROTOCOL'], '/')) . '://' . $_SERVER['HTTP_HOST'] . getmyurl('story', sanitize($_POST['id'], 3)) . "\r\n\r\n";