/install.sql |
---|
11,6 → 11,8 |
Password TEXT, |
EmailAddress TEXT, |
Name TEXT, |
Salt TEXT, |
CSRFToken TEXT, |
ChallengeID INT, |
PRIMARY KEY(ID) |
); |
64,7 → 66,7 |
PRIMARY KEY(ID) |
); |
INSERT INTO Users VALUES (1, 0, "admin", SHA1("password"), "admins@tim32.org", "Tim32 Admin", 0); |
INSERT INTO Users VALUES (1, 0, "admin", SHA1("passwordrostok"), "admins@tim32.org", "Tim32 Admin", "rostok", "rostok", 0); |
INSERT INTO BlogPosts VALUES(1, -1, 1, "Welcome to Tim32!", "Welcome to the new Tim32 website! It has had a complete design re-think to make it simpler and easier to use!", NOW(), "Tim32", FALSE); |
INSERT INTO Projects VALUES (1, 1, "TAIOS", "TAIOS (The All In One System) is a PHP based system to make the Tim32 website very self contained and altogether.", "http://websvn.kde.org/*checkout*/trunk/kdesupport/oxygen-icons/64x64/categories/applications-internet.png", "", "http://tim32.org/~tom/taios/", "SVN", NOW()); |
INSERT INTO ForumCategories VALUES (1, -1, "Tim32", "Talk about Tim32 in here"); |
/projects/edit-project-do.php |
---|
2,6 → 2,8 |
require '../_taios.php'; |
$page->checkCSRFToken($page->getLoggedInUser()->ID, $_POST['csrftoken']); |
$page = new Taios_Page('Edit Project', '../'); |
$project = $page->getProject($page->getPostID()); |
/projects/edit-project.php |
---|
62,6 → 62,7 |
<td class="bold"></td> |
<td><input type="submit" value="Edit Project" /></td> |
</tr> |
<input type="hidden" name="csrftoken" value=""<?php echo $page->getCSRFToken($page->getLoggedInUser()->ID); ?>" /> |
</table> |
</form> |
/projects/add-project-do.php |
---|
2,6 → 2,8 |
require '../_taios.php'; |
$page->checkCSRFToken($page->getLoggedInUser()->ID, $_POST['csrftoken']); |
$page = new Taios_Page('Add Project', '../'); |
$title = $_POST['title']; |
/projects/add-project.php |
---|
54,6 → 54,7 |
<td class="bold"></td> |
<td><input type="submit" value="Add Project" /></td> |
</tr> |
<input type="hidden" name="csrftoken" value=""<?php echo $page->getCSRFToken($page->getLoggedInUser()->ID); ?>" /> |
</table> |
</form> |
/_taios.php |
---|
142,7 → 142,7 |
write('</p><br />'); |
} |
$ids = $this->findIDs('BlogPosts', 'WHERE ParentID="' . $id . '"'); |
$ids = $this->findIDs('BlogPosts', 'WHERE ParentID=?', array($id)); |
for ($i = 0; $i < count($ids); $i++) |
{ |
write('<div class="indent">'); |
186,6 → 186,7 |
'/\[b\](.+?)\[\/b\]/is', |
'/\[i\](.+?)\[\/i\]/is', |
'/\[u\](.+?)\[\/u\]/is', |
'/\[s\](.+?)\[\/s\]/is', |
'/\[url\](.+?)\[\/url\]/is', |
'/\[w\](.+?)\[\/w\]/is', |
'/\[url=(?:")?(.+?)(?:")?\](.+?)\[\/url\]/is', |
203,6 → 204,7 |
'<b>$1</b>', |
'<i>$1</i>', |
'<u>$1</u>', |
'<del>$1</del>', |
'<a href="$1">$1</a>', |
'<a href="/wiki/index.php?page=$1">$1</a>', |
'<a href="$1">$2</a>', |
354,8 → 356,10 |
$user->accessID = $row['AccessID']; |
$user->username = $row['Username']; |
$user->password = $row['Password']; |
$user->salt = $row['Salt']; |
$user->emailAddress = $row['EmailAddress']; |
$user->name = $row['Name']; |
$user->csrftoken = $row['CSRFToken']; |
$user->challengeID = $row['ChallengeID']; |
return $user; |
468,6 → 472,37 |
$this->query("DELETE FROM BlogPosts WHERE ID = ?", array($id)); |
} |
function saltAndBurn($pass, $salt) { |
return sha1($salt . $pass); |
} |
function rndString($len = 8) { |
$chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZlolphp'; |
$clen = strlen($chars); |
$res = ''; |
for ($i = $len - 1; $i >= 0; $i--) { |
$res .= $chars[rand(0, $clen - 1)]; |
} |
return $res; |
} |
function getCSRFToken($id) { |
$token = $this->rndString(); |
$this->query("UPDATE Users Set CSRFToken = ? WHERE ID = ?", array($token, $id)); |
return $token; |
} |
function checkCSRFToken($id, $token) { |
$user = $this->getUserByID($id); |
if ($token !== $user->csrftoken) { |
die("a death"); |
} |
$this->getCSRFToken($id); // change to something else so we can't re-use it |
} |
function getGetID() { |
$id = $_GET['id']; |
if (empty($id)) { |
494,8 → 529,10 |
public $accessID; |
public $username; |
public $password; |
public $salt; |
public $emailAddress; |
public $name; |
public $csrftoken; |
public $challengeID; |
} |
/blog/edit-post.php |
---|
28,6 → 28,8 |
$error = ''; |
if (isset($_POST['id'])) { |
$page->checkCSRFToken($page->getLoggedInUser()->ID, $_POST['csrftoken']); |
$title = $_POST['title']; |
$content = $_POST['content']; |
$category = $_POST['category']; |
71,8 → 73,9 |
<?php |
write('<input type="hidden" name="id" value="' . $id . '" />'); |
?> |
<input type="hidden" name="csrftoken" value="<?php echo $page->getCSRFToken($page->getLoggedInUser()->ID); ?>" /> |
<tr> |
<tr> |
<td class="bold"></td> |
<td><input type="submit" value="Edit" /></td> |
</tr> |
/blog/add-post.php |
---|
21,6 → 21,8 |
if (isset($_POST['post'])) |
{ |
$page->checkCSRFToken($page->getLoggedInUser()->ID, $_POST['csrftoken']); |
$title = $_POST['title']; |
$content = $_POST['content']; |
$parentID = $_POST['parentID']; |
78,6 → 80,7 |
</tr> |
<input type="hidden" name="post" value="yes" /> |
<input type="hidden" name="csrftoken" value="<?php echo $page->getCSRFToken($page->getLoggedInUser()->ID); ?>" /> |
<?php |
write('<input type="hidden" name="parentID" value="' . getParentID() . '" />'); |
/blog/post.php |
---|
9,6 → 9,8 |
$page->redirect('index.php'); |
} |
$page->title = 'Blog Post · ' . $page->getBlogPost($page->getGetID())->title; |
$page->drawHeader(); |
$page->drawBlogCategoriesMenu(); |
$page->drawMiddle(); |
/blog/index.php |
---|
16,24 → 16,21 |
} |
$query = 'WHERE ParentID = -1'; |
$args = array(); |
if (isset($_GET['cat'])) |
{ |
$query = $query . ' AND Category = "' . $_GET['cat'] . '"'; |
if (isset($_GET['cat'])) { |
$query = $query . " AND Category = ?"; |
array_push($args, $_GET['cat']); |
write('<p>Only showing blog posts from the ' . $_GET['cat'] . ' category. <a href="index.php">Reset Filtering</a></p><br />'); |
} |
if(!$page->isUserGM($page->getLoggedInUser())) |
{ |
if (!$page->isUserGM($page->getLoggedInUser())) { |
$query = $query . ' AND Category != "Drafts"'; |
} |
$query = $query . " ORDER BY DatePosted DESC"; |
$ids = $page->findIDs('BlogPosts', $query); |
for ($i = 0; $i < count($ids); $i++) |
{ |
$id = $ids[$i]; |
foreach ($page->findIDs('BlogPosts', $query, $args) as $id) { |
$post = $page->getBlogPost($id); |
$ids2 = $page->findIDs('BlogPosts', 'WHERE ParentID="' . $id . '"'); |
/register-do.php |
---|
42,9 → 42,11 |
$page->redirect('register.php?error=Incorrect reCAPTCHA response'); |
} |
$args = array(2, $username, sha1($password), $email, $name, 0); |
$page->query("INSERT INTO Users (AccessID, Username, Password, EmailAddress, Name, ChallengeID) VALUES (?, ?, ?, ?, ?, ?)", $args); |
$salt = $username . "horses"; |
$args = array(2, $username, $page->saltAndBurn($password, $salt), $salt, $email, $name, $page->rndString(), 0); |
$page->query("INSERT INTO Users (AccessID, Username, Password, Salt, EmailAddress, Name, CSRFToken, ChallengeID) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", $args); |
$page->redirect('login.php'); |
?> |
/admin/account-do.php |
---|
19,7 → 19,8 |
} |
if (!empty($password)) { |
$page->query("UPDATE Users SET Password = ? WHERE ID = ?", array(sha1($password), $userID)); |
$salt = $user->username . "sheeps"; |
$page->query("UPDATE Users SET Password = ?, Salt = ? WHERE ID = ?", array($page->saltAndBurn($password, $salt), $salt, $userID)); |
} |
if (!empty($email)) { |
/admin/all-accounts.php |
---|
17,7 → 17,7 |
write('<td class="bold">ID</td>'); |
write('<td class="bold">AccessID</td>'); |
write('<td class="bold">Username</td>'); |
write('<td class="bold">SHA1 Password</td>'); |
write('<td class="bold">Salt and Burned Password</td>'); |
write('<td class="bold">Name</td>'); |
write('<td class="bold">Email Address</td>'); |
write('<td class="bold">Challenge ID</td>'); |
/admin/nowify.php |
---|
4,16 → 4,11 |
$page = new Taios_Page('Nowify', '../'); |
if (isset($_GET['id'])) |
{ |
if (isset($_GET['id'])) { |
$id = $_GET['id']; |
} |
else if (isset($_POST['id'])) |
{ |
} else if (isset($_POST['id'])) { |
$id = $_POST['id']; |
} |
else |
{ |
} else { |
$page->drawError('No ID set.'); |
} |
20,8 → 15,7 |
$page->checkLoggedIn(); |
$post = $page->getBlogPost($id); |
if ((!$page->isUserAdmin($page->getLoggedInUser()) && $page->getLoggedInUser()->ID != $post->author->ID) || !$page->isUserNormal($page->getLoggedInUser())) |
{ |
if ((!$page->isUserAdmin($page->getLoggedInUser()) && $page->getLoggedInUser()->ID != $post->author->ID) || !$page->isUserNormal($page->getLoggedInUser())) { |
$page->drawError('You do not have permission to access this page.'); |
} |
31,7 → 25,7 |
{ |
$title = $_POST['title']; |
$page->query('UPDATE BlogPosts SET DatePosted = NOW() WHERE ID = "' . $id . '"'); |
$page->query("UPDATE BlogPosts SET DatePosted = NOW() WHERE ID = ?", array($id)); |
$page->redirect('/blog/post.php?id=' . $id); |
} |
39,8 → 33,7 |
$page->drawBlogCategoriesMenu(); |
$page->drawMiddle(); |
if (!empty($error)) |
{ |
if (!empty($error)) { |
$page->drawError($error, false); |
} |
65,4 → 58,3 |
$page->drawFooter(); |
?> |
/login-do.php |
---|
23,7 → 23,7 |
} |
$user = $page->getUserByUsername($username); |
if (!$user || $user->password != sha1($password)) |
if (!$user || $user->password !== $page->saltAndBurn($password, $user->salt)) |
{ |
$page->redirect('login.php?error=Incorrect Username or Password&oldurl=' . urlencode($redirurl)); |
} |
/wiki/index.php |
---|
8,7 → 8,21 |
} |
require '../_taios.php'; |
if (get_magic_quotes_gpc()) { |
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST); |
while (list($key, $val) = each($process)) { |
foreach ($val as $k => $v) { |
unset($process[$key][$k]); |
if (is_array($v)) { |
$process[$key][stripslashes($k)] = $v; |
$process[] = &$process[$key][stripslashes($k)]; |
} else { |
$process[$key][stripslashes($k)] = stripslashes($v); |
} |
} |
} |
unset($process); |
} |
$pageName = $_GET['page']; |
if (empty($pageName)) |
{ |
15,7 → 29,7 |
$pageName = 'Index'; |
} |
$page = new Taios_Page('Wiki - ' . $pageName, '../'); |
$page = new Taios_Page('Wiki · ' . $pageName, '../'); |
if (isset($_GET['random'])) |
{ |
/wiki/edit.php |
---|
1,7 → 1,21 |
<?php |
require '../_taios.php'; |
if (get_magic_quotes_gpc()) { |
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST); |
while (list($key, $val) = each($process)) { |
foreach ($val as $k => $v) { |
unset($process[$key][$k]); |
if (is_array($v)) { |
$process[$key][stripslashes($k)] = $v; |
$process[] = &$process[$key][stripslashes($k)]; |
} else { |
$process[$key][stripslashes($k)] = stripslashes($v); |
} |
} |
} |
unset($process); |
} |
$pageName = $_GET['page']; |
if (empty($pageName)) |
{ |
/_config.dummy.php |
---|
0,0 → 1,9 |
<?php |
define('MYSQL_HOST', 'localhost'); |
define('MYSQL_USER', 'taios'); |
define('MYSQL_PASSWORD', 'dummy'); |
define('RECAPTCHA_PUBLICKEY', 'dummy'); |
define('RECAPTCHA_PRIVATEKEY', 'dummy'); |
?> |
/forums/add-post-do.php |
---|
7,13 → 7,12 |
$page->checkLoggedIn(); |
$parentID = $_POST['parentID']; |
if (empty($parentID)) |
{ |
if (empty($parentID)) { |
$parentID = -1; |
} |
$categoryID = $_POST['categoryID']; |
if (empty($categoryID)) |
{ |
if (empty($categoryID)) { |
$parentID = -1; |
} |
20,21 → 19,20 |
$title = $_POST['title']; |
$content = $_POST['content']; |
if (!$page->isUserNormal($page->getLoggedInUser())) |
{ |
if (!$page->isUserNormal($page->getLoggedInUser())) { |
$page->redirect('add-post.php?error=You do not have permission to access this page'); |
} |
if (empty($title)) |
{ |
if (empty($title)) { |
$page->redirect('add-post.php?error=No Title Specified'); |
} |
if (empty($title)) |
{ |
if (empty($title)) { |
$page->redirect('add-post.php?error=No Content Specified'); |
} |
$page->query('INSERT INTO ForumPosts VALUES (0, "' .$page->getLoggedInUser()->ID . '", "' . $categoryID . '", "' . $parentID . '", "' . $title . '", "' . $content . '", NOW(), FALSE)'); |
$args = array($page->getLoggedInUser()->ID, $categoryID, $parentID, $title, $content); |
$page->query("INSERT INTO ForumPosts VALUES (0, ?, ?, ?, ?, ?, NOW(), FALSE)", $args); |
$page->redirect('index.php?parentID=' . $categoryID); |
?> |
/forums/delete-category-do.php |
---|
8,13 → 8,10 |
$id = $page->getGetID(); |
if ($page->isUserAdmin($page->getLoggedInUser())) |
{ |
$page->query('DELETE FROM ForumCategories WHERE ID = "' . $id . '"'); |
if ($page->isUserAdmin($page->getLoggedInUser())) { |
$page->query("DELETE FROM ForumCategories WHERE ID = ?", array($id)); |
$page->redirect('index.php'); |
} |
else |
{ |
} else { |
$page->drawError('You do not have permission to access this page.'); |
} |
/forums/edit-category-do.php |
---|
11,20 → 11,16 |
$title = $_POST['title']; |
$description = $_POST['description']; |
if ($page->isUserAdmin($page->getLoggedInUser())) |
{ |
if (empty($title)) |
{ |
if ($page->isUserAdmin($page->getLoggedInUser())) { |
if (empty($title)) { |
$page->redirect('edit-category.php?error=No Title Specified'); |
} |
$page->query('UPDATE ForumCategories SET Title = "' . $title . '", Description = "' . $description . '" WHERE ID = "' . $id . '"'); |
$args = array($title, $description, $id); |
$page->query("UPDATE ForumCategories SET Title = ?, Description = ? WHERE ID = ?", $args); |
$page->redirect('index.php'); |
} |
else |
{ |
} else { |
$page->drawError('You do not have permission to access this page.'); |
} |
?> |
/forums/add-category-do.php |
---|
7,8 → 7,7 |
$page->checkLoggedIn(); |
$parentID = $_POST['parentID']; |
if (empty($parentID)) |
{ |
if (empty($parentID)) { |
$parentID = -1; |
} |
15,20 → 14,15 |
$title = $_POST['title']; |
$description = $_POST['description']; |
if ($page->isUserAdmin($page->getLoggedInUser())) |
{ |
if (empty($title)) |
{ |
if ($page->isUserAdmin($page->getLoggedInUser())) { |
if (empty($title)) { |
$page->redirect('add-category.php?error=No Title Specified'); |
} |
$page->query('INSERT INTO ForumCategories VALUES (0, "' . $parentID . '", "' . $title . '", "' . $description . '")'); |
$page->query("INSERT INTO ForumCategories VALUES (0, ?, ?, ?)", array($parentID, $title, $description)); |
$page->redirect('index.php?parentID=' . $parentID); |
} |
else |
{ |
} else { |
$page->drawError('You do not have permission to access this page.'); |
} |
?> |
/forums/delete-post-do.php |
---|
9,22 → 9,15 |
$id = $page->getGetID(); |
$post = $page->getForumPost($id); |
if (($page->isUserAdmin($page->getLoggedInUser()) || $post->author->ID == $page->getLoggedInUser()->ID) && $post && $page->isUserNormal($page->getLoggedInUser())) |
{ |
$page->query('DELETE FROM ForumPosts WHERE ID = "' . $id . '"'); |
if (($page->isUserAdmin($page->getLoggedInUser()) || $post->author->ID == $page->getLoggedInUser()->ID) && $post && $page->isUserNormal($page->getLoggedInUser())) { |
$page->query("DELETE FROM ForumPosts WHERE ID = ?", array($id)); |
$page->redirect('index.php'); |
} |
else |
{ |
if (!$post) |
{ |
} else { |
if (!$post) { |
$page->drawError('No such forum post, #' . $id); |
} |
else |
{ |
} else { |
$page->drawError('You do not have permission to access this page.'); |
} |
} |
?> |