update to v1.03
This commit is contained in:
parent
a0fae0405f
commit
5dead3923e
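--- /dev/null
+++ b/corefiles/auth.php
@@ -0,0 +1,144 @@
+<?php
+
+if(empty($run))
+die('This file may not be run directly');
+
+//Declare the variable for our user array
+$user="";
+
+
+//Lets make sure the user is authenticated correctly
+if(!empty($_COOKIE['token']))
+{
+
+//First, lets check that their login token is in the system
+$stmt = mysqli_prepare($sql,"SELECT `token`, `ipverification`, `ip`, `expires`, `userid` FROM `tokens` WHERE `token` = ?");
+mysqli_stmt_bind_param($stmt, "s", $_COOKIE['token']);
+mysqli_stmt_execute($stmt);
+
+//and fetch the results
+$token_query=mysqli_stmt_get_result($stmt);
+
+//Unset our stmt variable to free memory
+unset($stmt);
+
+//If the token isn't in the system, clear the user's cookie
+if(mysqli_num_rows($token_query) == 0)
+{
+setcookie("token", "");
+}
+
+//Otherwise, lets make sure its valid
+else
+{
+
+//Lets fetch an array from our querried token data
+$token_data=mysqli_fetch_array($token_query);
+
+//Verify that the token hasn't expired and that the IP matched the user's IP (if IP verification is turned on)
+$time=time();
+if($token_data['expires'] > $time && ($_SERVER['REMOTE_ADDR'] == $token_data['ip'] || $token_data['ipverification'] == 0))
+{
+$user=mysqli_fetch_assoc(mysqli_query($sql, "SELECT * FROM `users` WHERE `id` = $token_data[userid]"));
+
+$time=time();
+mysqli_query($sql, "UPDATE `users` SET `lastview` = $time WHERE `id` = $user[id]");
+
+}
+
+//check if the IP is different and IP verification is enabled; if so, log as a failed verification
+else if($_SERVER['REMOTE_ADDR'] != $token_data['ip'] && $token_data['ipverification'] == 1)
+{
+$stmt = mysqli_prepare($sql,"INSERT INTO `ipverificationfailures` (`originalip`, `failedip`, `userid`) VALUES (?, ?, ?)");
+mysqli_stmt_bind_param($stmt, "ssi", $token_data['ip'], $_SERVER['REMOTE_ADDR'], $token_data['userid']);
+mysqli_stmt_execute($stmt);
+
+
+
+$stmt = mysqli_prepare($sql,"DELETE FROM `tokens` WHERE `token` = ?");
+mysqli_stmt_bind_param($stmt, "s", $_COOKIE['token']);
+mysqli_stmt_execute($stmt);
+
+unset($stmt);
+
+setcookie("token", "");
+
+}
+//If it doesn't, remove the token from the database and unset their cookie
+else
+{
+
+$stmt = mysqli_prepare($sql,"DELETE FROM `tokens` WHERE `token` = ?");
+mysqli_stmt_bind_param($stmt, "s", $_COOKIE['token']);
+mysqli_stmt_execute($stmt);
+
+unset($stmt);
+
+setcookie("token", "");
+
+
+}
+}
+
+unset($token_query);
+unset($token_data);
+}
+
+//Now let's do some ip logging for security purposes
+if(!empty($user))
+{
+
+//Let's log the IP the user is connecting from
+$numberONE=1;
+$stmt = mysqli_prepare($sql,"INSERT INTO `iphistory_user` (`userid`, `ip`, `views`) VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE `views` = `views` + 1, `lastuseragent` = ?");
+mysqli_stmt_bind_param($stmt, "isis", $user['id'], $_SERVER['REMOTE_ADDR'], $numberONE, $_SERVER['HTTP_USER_AGENT']);
+mysqli_stmt_execute($stmt);
+
+}
+else
+{
+//lets do some guest loggin
+
+
+//add a guest entry
+$date=time();
+$ip=mysqli_real_escape_string($sql, $_SERVER['REMOTE_ADDR']);
+$numberONE=1;
+$stmt = mysqli_prepare($sql,"INSERT INTO `guests` (`ip`, `firstview`, `lastview`, `views`, `lastuseragent`) VALUES (?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE `lastview` = ?, `views` = `views` + 1, `lastuseragent` = ?");
+mysqli_stmt_bind_param($stmt, "siiisis", $_SERVER['REMOTE_ADDR'], $date, $date, $numberONE, $_SERVER['HTTP_USER_AGENT'], $date, $_SERVER['HTTP_USER_AGENT']);
+mysqli_stmt_execute($stmt);
+
+
+
+}
+
+
+
+//Now let's do some more IP logging
+if(empty($_COOKIE['sessiontoken']))
+{
+$sessiontoken=bin2hex(random_bytes(30));
+
+//create a new persistant session cookie to track IP addresses
+setcookie("sessiontoken", $sessiontoken, 0, "", "", false, true);
+
+
+
+
+}
+else
+{
+
+//Let's log the IP the user is connecting from
+//we didnt want to do this up above because if a user has cookies disabled, it'll had a whole new row to the database on every page load
+$numberONE=1;
+$stmt = mysqli_prepare($sql,"INSERT INTO `iphistory_global` (`token`, `ip`, `views`, `lastuseragent`) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE `views` = `views` + 1, `lastuseragent` = ?");
+mysqli_stmt_bind_param($stmt, "ssiss", $_COOKIE['sessiontoken'], $_SERVER['REMOTE_ADDR'], $numberONE, $_SERVER['HTTP_USER_AGENT'], $_SERVER['HTTP_USER_AGENT']);
+mysqli_stmt_execute($stmt);
+
+
+}
+
+//Lastly, lets increment the view counter
+mysqli_query($sql, "INSERT INTO `config` (`name`, `value`) VALUES ('views', 1) ON DUPLICATE KEY UPDATE `value` = `value` + 1");
+?>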
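Review bot: The `else` branch near the end trusts whatever the client sent as `sessiontoken` and uses it verbatim as the row key for `iphistory_global`, so a visitor can choose any value (a string far longer than the 60 hex characters `bin2hex(random_bytes(30))` produces, or a token copied from another browser) and write history under it; validate the shape before use, e.g. change the test to `if(empty($_COOKIE['sessiontoken']) || !preg_match('/^[0-9a-f]{60}$/', $_COOKIE['sessiontoken']))` so a malformed cookie is simply reissued. The `iphistory_user` statement names `lastuseragent` only in the `ON DUPLICATE KEY UPDATE` part and not in the inserted columns, so the first visit from an address stores no user agent, unlike the `guests` and `iphistory_global` statements which include it. The two queries that interpolate `$token_data[userid]` and `$user[id]` are the only unparameterised ones in the file; those values come from the database rather than the request, but an `(int)` cast or a prepared statement would keep them consistent with the rest and also removes the unused `$ip` escape in the guest branch. The comment calls the `sessiontoken` cookie persistent, yet `setcookie` is passed an expiry of 0, which makes it a session cookie, and the `secure` flag is false. `$_SERVER['REMOTE_ADDR']` is the proxy's address behind a reverse proxy, which would make IP verification fail or pass for the wrong reason; whether that applies depends on deployment, which isn't visible here.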
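--- /dev/null
+++ b/corefiles/config.php
@@ -0,0 +1,80 @@
+<?php
+
+$starttime=hrtime(true);
+
+//Disables all javascript using Content Security Policy; requires a CSP-compatible browser however
+header('Content-Security-Policy: script-src \'self\';');
+
+if(empty($run))
+die('This file may not be run directly');
+
+
+//BEGIN CONFIG
+
+//Connect to mysql server
+$sql=mysqli_connect( 'host', 'username', 'password', 'database') or die('Couldn\'t connect to database!');
+mysqli_query($sql,"SET profiling = 1;");
+
+//used for rss lol
+$siteroot="http://mybord.example.fish/";
+
+//Max number of posts to grab via RSS
+$options['rssLimit'] = 20;
+
+//Name of board
+$boardname="mybord";
+
+//Default theme id
+$defaultThemeID=7;
+
+//default scheme path
+$defaultSchemePath="schemes/default.php";
+
+//default banner
+$defaultbanner="images/logoo.png";
+
+//If true, please enable htmLawed, otherwise you will be vulnerable to XSS!!!!
+$options['enableHTML'] = false; //If true, please enable htmLawed, otherwise you will be vulnerable to XSS!!!!
+
+//If true, resanitizes existing HTML already in database when displayed (makes no changes to the database)
+//Useful if HTML was enabled at one point, but later disabled (to prevent already stored HTML from rendering)
+//Only takes effect if 'enableHTML' is false
+//Note that this *will* be messy (especially if users had post layouts) so it's mostly useful for emergency purposes
+$options['sanitizeExistingIfHTMLDisabled'] = true;
+
+//Clean up and prevent HTML abuse; requires an external library
+//Please read through the default htmLawed config below before enabling this
+//If you follow the minibord installation instructions, the htmLawedPath should not need to be changed
+$options['enablehtmLawed'] = true;
+$options['htmLawedPath'] = 'lib/htmLawed.php';
+
+//htmLawed config
+//
+//htmLawed has a variety of different options that it supports.
+//Below are the default options for minibord. Please read through the explanations of each one.
+//
+//'safe'=>1 is what mitigates XSS in HTML. It is highly recommended to keep this
+//
+//'balance'=>0 disables balancing HTML. Without it, <divs> stretched between postheader and postfooter wouldn't work (since those are processed independently)
+//
+//'make_tag_strict'=>0 allows deprecated HTML elements. You can remove this if you want
+//
+//'style_pass'=>1 disables sanitizing inline styles. While I cannot find any information about true XSS through inline styles on modern browsers,
+// there are some odd (and possibly no longer relevant [citation needed]) browser-specific extensions that may make this possible.
+// Leave this in at your own risk, but removing it breaks URLs in inline styles. There are, however, CSS exploits that allow a CSRF token to
+// be leaked, but minibord does not use them (it should and might in the future, however)
+//
+//'css_expression'=>1 disables some odd old IE-specific thing. Included just incase 'style_pass'=>1 disables this
+//
+$options['htmLawedconfig'] = array('safe'=>1, 'balance'=>0, 'make_tag_strict'=>0, 'style_pass'=>1, 'css_expression'=>1);
+
+//Lets include our functions
+require('corefiles/functions.php');
+
+//Verify the user is logged in
+require('corefiles/auth.php');
+
+//Now lets include our script that generates the theme
+require('corefiles/layoutgen.php');
+
+?>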
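Review bot: The comment above the `header(...)` line says the policy disables all JavaScript, but `script-src 'self'` still permits any script file served from the site's own origin; it only blocks inline scripts, inline event handlers and cross-origin sources. If the intent really is no JavaScript at all, send `script-src 'none'`; otherwise reword the comment to `//Blocks inline and cross-origin scripts via CSP; same-origin script files are still allowed` and consider adding `object-src 'none'` and `base-uri 'self'`, since the board can be configured to accept user-supplied HTML. The explanation of `'css_expression'=>1` looks inverted: as far as I recall the htmLawed documentation, 0 (the default) strips dynamic `expression()` values and 1 allows them, so this should be confirmed against `lib/htmLawed.php` and, if so, changed to `'css_expression'=>0` (with `'style_pass'=>1` the style attribute is not filtered anyway, so the setting only matters once style filtering is re-enabled). The `header()` call also runs before the `$run` guard, so a direct request still receives the CSP header before the script dies; harmless, but moving the guard to the top keeps it consistent with the other three files.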
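--- /dev/null
+++ b/corefiles/functions.php
@@ -0,0 +1,89 @@
+<?php
+
+
+if(empty($run))
+die('This file may not be run directly');
+
+
+//This file stores (almost) all the custom functions for the bord
+
+
+//print site footer
+function printfooter()
+{
+global $starttime;
+global $themesettings;
+global $sql;
+
+$endtime = hrtime(true);
+$rendertime = ($endtime - $starttime) / 1e+9;
+
+
+//$exec_time_result=mysqli_query($sql,"SELECT query_id, SUM(duration) FROM information_schema.profiling GROUP BY query_id ORDER BY query_id DESC LIMIT 1;");
+//$exec_time_row = mysqli_fetch_array($exec_time_result);
+
+//echo "<p>Query executed in ".$exec_time_row[1].' seconds';
+
+print "</div><div class=\"footer\">minibord v1.03 - lots 'o junkz plus optional html after a decent hiatus edition <a href=https://github.com/NinCollin/minibord>(github)</a><br>PHP execution time: $rendertime</div>";
+}
+
+
+//Get username
+function getusername($userid)
+{
+global $sql;
+
+$userdata=mysqli_fetch_array(mysqli_query($sql, "SELECT `name`, `id`, `minipicurl`, `namecolor` FROM `users` WHERE `id` = $userid"));
+
+if($userdata['namecolor'] == 0)
+$namecolor = "#9da4f5";
+
+elseif($userdata['namecolor'] == 1)
+$namecolor = "#f59de5";
+
+elseif($userdata['namecolor'] == 2)
+$namecolor = "#c69df5";
+
+
+return "<b><a href=profile.php?id=$userdata[id]><font color=$namecolor>$userdata[name]</font></a></b>";
+
+}
+
+//convert text to smilies
+function showsmilies($text)
+{
+global $sql;
+
+$smiliequery = mysqli_query($sql, "SELECT * FROM `smilies`");
+while($smilie=mysqli_fetch_array($smiliequery))
+{
+$text=str_replace($smilie['code'], "<img src=\"$smilie[image]\" alt=\"$smilie[code]\">", $text);
+
+}
+
+return $text;
+}
+
+//print a message
+function printmessage($string)
+{
+global $themesettings;
+
+print "<table width=345 $themesettings[tableAttributes] class=\"table\"><tr><td align=center $themesettings[tdStyle1Attributes] class=\"tdStyle1\">$string</td></tr></table><br>
+";
+}
+
+//print a message and die
+function printdiemessage($string)
+{
+global $themesettings;
+
+printmessage($string);
+
+printfooter();
+
+die();
+}
+
+
+?>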
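Review bot: `getusername` interpolates `$userid` straight into its `SELECT` and then echoes `$userdata[name]` into the returned HTML without escaping, so any caller that passes a request parameter is an injection point, and any name containing `<` or `"` becomes stored XSS everywhere a username is rendered (whether names are filtered on write isn't visible in this commit). A one-line cast at the top, `$userid = (int)$userid;`, closes the query side, the return should use `htmlspecialchars($userdata['name'], ENT_QUOTES, 'UTF-8')`, and since `$namecolor` is left undefined when `namecolor` is anything other than 0, 1 or 2, a default such as `$namecolor = "#9da4f5";` before the `if` chain avoids the notice. In `showsmilies` the loop runs `str_replace` once per smilie over text that already contains the `<img>` markup emitted for earlier smilies, so a code that is a substring of another code's `alt` text (or of an image path) rewrites that markup; building the map first and substituting once with `strtr`, which never rescans replaced text, fixes that, and the `src`/`alt` values should be escaped as attribute values while we're there.

```php
function showsmilies($text)
{
global $sql;

//Collect every code => markup pair first, then substitute in one pass with strtr():
//it never rescans text it has already replaced, so one code can't match inside
//the <img> emitted for another
$map = array();
$smiliequery = mysqli_query($sql, "SELECT * FROM `smilies`");
while($smilie=mysqli_fetch_array($smiliequery))
{
$map[$smilie['code']] = "<img src=\"" . htmlspecialchars($smilie['image'], ENT_QUOTES, 'UTF-8') . "\" alt=\"" . htmlspecialchars($smilie['code'], ENT_QUOTES, 'UTF-8') . "\">";
}

return strtr($text, $map);
}
```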
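--- /dev/null
+++ b/corefiles/layoutgen.php
@@ -0,0 +1,97 @@
+<?php
+
+if(empty($run))
+die('This file may not be run directly');
+
+//Let's populate the theme array with the default settings
+$themesettings = array(
+
+//You can overwrite the default banner with a special one if you choose
+"useCustomImageBanner" => false,
+"banner" => NULL,
+
+//Most styling should be done through CSS
+"styletag" => "<style>
+.body;
+
+.header;
+.tableHeader;
+.tdBanner;
+.tdHeaderLinks1;
+.tdHeaderLinks2;
+.tdHeaderViewCounter;
+.tdHeaderTime;
+.tdHeaderSpacer;
+
+.content;
+
+.table;
+.thRegular;
+.thCategory;
+.tdStyle1;
+.tdStyle2;
+
+.smallText;
+.footer;
+
+</style>",
+
+//Use only if necessary; CSS for styling is preferred
+
+//Attributes to inject into the <body> tag
+"bodyAttributes" => "",
+
+//Attributes to inject into <table> <td> and <th> tags
+"tableAttributes" => "",
+"thRegularAttributes" => "",
+"thCategoryAttributes" => "",
+"tdStyle1Attributes" => "",
+"tdStyle2Attributes" => "",
+
+//Atributes to inject into the header table tags
+"tableHeaderAttributes" => "",
+"tdBannerAttributes" => "",
+"tdHeaderLinks1Attributes" => "",
+"tdHeaderLinks2Attributes" => "",
+"tdHeaderViewCounterAttributes" => "",
+"tdHeaderTimeAttributes" => "",
+"tdHeaderSpacerAttributes" => ""
+
+
+
+);
+
+$isCookieThemeIDValid=0;
+$cookieThemeID=0;
+if(!empty($_COOKIE['theme']) && empty($user['theme']))
+{
+$cookieThemeID=intval($_COOKIE['theme']);
+$isCookieThemeIDValid=mysqli_num_rows(mysqli_query($sql,"SELECT `id` FROM `themes` WHERE `id` = $cookieThemeID"));
+}
+if(!empty($user['theme']))
+{
+$themeArray=mysqli_fetch_array(mysqli_query($sql,"SELECT `path` FROM `themes` WHERE `id` = $user[theme]"));
+include($themeArray['path']);
+}
+elseif(!empty($isCookieThemeIDValid))
+{
+$themeArray=mysqli_fetch_array(mysqli_query($sql,"SELECT `path` FROM `themes` WHERE `id` = $cookieThemeID"));
+include($themeArray['path']);
+}
+else
+{
+$themeArray=mysqli_fetch_array(mysqli_query($sql,"SELECT `path` FROM `themes` WHERE `id` = $defaultThemeID"));
+include($themeArray['path']);
+}
+
+if(!empty($themesettings['schemePath']))
+{
+
+include($themesettings['schemePath']);
+}
+else
+{
+include($defaultSchemePath);
+}
+
+?>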
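Review bot: All three `include($themeArray['path'])` calls and `include($themesettings['schemePath'])` execute a path read from the `themes` table (or from the theme file it just loaded), so whoever can write that column, through an admin form or any other bug, gets arbitrary file inclusion on the server; the theme id itself is handled carefully (`intval` plus an existence check) but the path is not constrained at all. I would resolve the stored path with `realpath()` and require it to sit under the application's theme directory before including it, and fall back to `$defaultThemeID` when the lookup returns no row, because `mysqli_fetch_array` then yields `NULL` and `include(NULL)` only raises a warning while the page keeps rendering with the `$themesettings` defaults. The `$user[theme]` interpolation is also the only unparameterised use of a user-row value here; `(int)$user['theme']` would match the treatment of the cookie value a few lines above. Where the theme files live isn't visible in this commit, so the directory check has to be filled in against the actual layout.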