first commit

This commit is contained in:
VirtuBrick 2024-01-20 11:51:59 -05:00
commit 56db58f650
543 changed files with 38913 additions and 0 deletions

43
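--- a/.htaccess
+++ b/.htaccess
@@ -0,0 +1,43 @@
+ErrorDocument 404 /core/views/error/notfound.php
+ErrorDocument 403 /core/views/error/notfound.php
+RewriteEngine On
+RewriteRule ^user/dashboard/?(.*)$ /core/views/user/dashboard.php [L]
+RewriteRule ^user/settings/?(.*)$ /core/views/user/settings.php [L]
+RewriteRule ^user/messages/?(.*)$ /core/views/user/messages.php [L]
+RewriteRule ^blog/?(.*)$ /core/views/blog/main.php [L]
+RewriteRule ^user/online/?(.*)$ /core/views/online.php [L]
+RewriteRule ^users/([^/]+)/?$ /core/views/users.php?term=$1 [L,QSA]
+RewriteRule ^users/?(.*)$ /core/views/users.php [L]
+RewriteRule ^admin/ban/?(.*)$ /core/views/admin/ban.php [L]
+RewriteRule ^admin/reports/?(.*)$ /core/views/admin/reports.php [L]
+RewriteRule ^admin/statistics/?(.*)$ /core/views/admin/statistics.php [L]
+RewriteRule ^admin/assets/?(.*)$ /core/views/admin/assets.php [L]
+RewriteRule ^admin/unban/?(.*)$ /core/views/admin/unban.php [L]
+RewriteRule ^admin/newHat/?(.*)$ /core/views/admin/newHat.php [L]
+RewriteRule ^admin/rewardPostie/?(.*)$ /core/views/admin/rewardPostie.php [L]
+RewriteRule ^admin/prune/?(.*)$ /core/views/admin/prune.php [L]
+RewriteRule ^admin/?(.*)$ /core/views/admin/main.php [L]
+RewriteRule ^groups/search/([^/]+)/?$ /core/views/user/groups/search.php?term=$1 [L,QSA]
+RewriteRule ^groups/search/?(.*)$ /core/views/user/groups/search.php [L]
+RewriteRule ^groups/create/?(.*)$ /core/views/user/groups/create.php [L]
+RewriteRule ^groups/view/([^/]+)/?$ /core/views/user/groups/view.php?id=$1 [L,QSA]
+RewriteRule ^groups/admin/([^/]+)/?$ /core/views/user/groups/admin.php?id=$1 [L,QSA]
+RewriteRule ^groups/?(.*)$ /core/views/user/groups/main.php [L]
+RewriteRule ^user/character/?(.*)$ /core/views/user/character.php [L]
+RewriteRule ^user/logout/?(.*)$ /core/views/user/logout.php [L]
+RewriteRule ^forum/?(.*)$ /core/views/forum/index.php [L]
+RewriteRule ^games/new/?(.*)$ /core/views/games/new.php [L]
+RewriteRule ^games/view/([^/]+)/?$ /core/views/games/view.php?id=$1 [L,QSA]
+RewriteRule ^games/?(.*)$ /core/views/games/main.php [L]
+RewriteRule ^account/suspended?(.*)$ /core/views/user/security/banned.php [L]
+RewriteRule ^account/resetpassword/([^/]+)/([^/]+)/?$ /core/views/user/security/resetpassword.php?userid=$1&key=$2 [L,QSA]
+RewriteRule ^account/verification/email?(.*)$ /core/views/user/security/verifyEmail.php [L]
+RewriteRule ^account/verification/twostepauth?(.*)$ /core/views/user/security/twostepauth.php [L]
+RewriteRule ^catalog/?$ /core/views/catalog/main.php [L]
+RewriteRule ^catalog/upload/?$ /core/views/catalog/upload.php [L]
+RewriteRule ^catalog/item/([^/]+)/?$ /core/views/catalog/item.php?id=$1 [L,QSA]
+RewriteRule ^user/profile/([^/]+)/?$ /core/views/user/profile.php?username=$1 [L,QSA]
+RewriteRule ^friends/?$ /core/views/friends/main.php [L]
+RewriteRule ^friends/requests/?$ /core/views/friends/requests.php [L]
+RewriteRule ^friends/show/([^/]+)/?$ /core/views/friends/show.php?id=$1 [L,QSA]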
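Review bot: The trailing `?` in `^account/suspended?(.*)$`, `^account/verification/email?(.*)$` and `^account/verification/twostepauth?(.*)$` makes only the last character of the path segment optional, so a path such as `/account/suspende` also matches, whereas every other rule in the file uses `/?` for an optional trailing slash; change the three patterns to `^account/suspended/?(.*)$`, `^account/verification/email/?(.*)$` and `^account/verification/twostepauth/?(.*)$`. Nothing in this file denies direct requests to the `/core/views/...` targets, so each view script has to enforce its own login and rank checks rather than relying on the rewrite layer; a one-line comment at the top stating that assumption would help the next maintainer.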

2
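--- a/README.md
+++ b/README.md
@@ -0,0 +1,2 @@
+### Graphictoria Website
+This is what used to be Graphictoria 4's website. Keep in mind that the code is quite disgusting. This in no way represents how I develop websites nowadays.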


@ -0,0 +1,10 @@
<?php
// Ping and maintenance checker
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$maintenanceOn = false;
if ($maintenanceOn == false) {
echo 'no-maintenance';
}else{
echo 'Graphictoria is under maintenance.';
}
?>
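Review bot: `if ($maintenanceOn == false)` on the fourth line compares a hard-coded boolean with the loose `==`; `if (!$maintenanceOn)` (or `=== false`) expresses the same check without invoking PHP's coercion rules. Nothing in this file uses anything that `includes.php` provides, so if that bootstrap opens a session or a database connection it is wasted work on a ping endpoint — a comment stating whether the include is intentional (for example to fail when the database is down) would clarify the purpose.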


@ -0,0 +1,40 @@
<?php
if (isset($_POST['csrf'])) {
$GLOBALS['bypassRedirect'] = true;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf_token = $_POST['csrf'];
if ($csrf_token != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or $GLOBALS['userTable']['banned'] == 0) die("error");
if ($GLOBALS['userTable']['bantype'] != 5 and $GLOBALS['userTable']['bantype'] != 0) {
$timeSince = round(abs(strtotime(context::getCurrentTime()) - strtotime($GLOBALS['userTable']['bantime'])) / 60,2);
if ($GLOBALS['userTable']['bantype'] == 1) {
security::liftBan();
}
if ($GLOBALS['userTable']['bantype'] == 2) {
if ($timeSince > 1440) {
security::liftBan();
}else{
security::returnLiftError();
}
}
if ($GLOBALS['userTable']['bantype'] == 3) {
if ($timeSince > 10080) {
security::liftBan();
}else{
security::returnLiftError();
}
}
if ($GLOBALS['userTable']['bantype'] == 4) {
if ($timeSince > 43200) {
security::liftBan();
}else{
security::returnLiftError();
}
}
}else{
die("error");
}
}else{
die("error");
}
?>
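Review bot: The CSRF check `$csrf_token != $GLOBALS['csrf_token']` compares the submitted token with `!=`, which for two numeric-looking strings compares them as numbers (`'0e1' == '0e2'` is true in PHP 8); use `if (!hash_equals((string)$GLOBALS['csrf_token'], (string)$csrf_token) or ...)` so the comparison is strict and constant-time. The same `!=` token check appears in every other handler in this commit (approve, ban, deny, newHat's `csrf_token`, prune, rewardPostie, unban, changeEmail and the password-reset request) and should be replaced the same way in each. Within this file, `bantype` 1 is lifted with no elapsed-time check at all while types 2–4 require 1, 7 and 30 days; if type 1 is meant to be an acknowledge-only warning, a comment such as `// bantype 1: acknowledge-only, no waiting period` would stop the next reader from treating the missing check as a bug.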


@ -0,0 +1,30 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] == false) {
exit;
}
if ($GLOBALS['userTable']['rank'] == 0) {
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE approved = 0 AND declined = 0;");
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo '<p>There are no pending assets to approve at this moment.</p>';
}
$count = 0;
foreach($stmt as $result) {
$itemName = htmlentities($result['name'], ENT_QUOTES, "UTF-8");
if (strlen($itemName) > 16) {
$itemName = substr($itemName, 0, 7) . '...';
}
echo '<div class="col-md-4 col-sm-4 col-xs-12 Center"><div class="well" style="box-shadow:none;"><span class="content">'.$itemName.'</span><br>';
$creator = $result['creator_uid'];
$stmt = $dbcon->prepare("SELECT username FROM users WHERE id=:id;");
$stmt->bindParam(':id', $creator, PDO::PARAM_INT);
$stmt->execute();
$result2 = $stmt->fetch(PDO::FETCH_ASSOC);
$username = $result2['username'];
echo '<img width="150" src="https://xdiscuss.net/data/assets/uploads/'.$result['fileHash'].'"><br><b>Type : '.$result['type'].'</b><br><b>Uploaded by <a href="/user/profile/'.$username.'">'.$username.'</a></b><br><button type="submit" name="acceptAsset" class="btn btn-success" onclick="approveAsset('.$result['id'].');">Accept</button><button type="submit" name="denyAsset" class="btn btn-danger" onclick="denyAsset('.$result['id'].');">Decline</button></div></div>';
}
?>
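Review bot: `$username`, `$result['type']`, `$result['fileHash']` and `$result['id']` are concatenated into the HTML of the final `echo` without escaping, while `$result['name']` a few lines earlier is passed through `htmlentities`; every database value placed in markup or an attribute here should go through the same `htmlentities(..., ENT_QUOTES, 'UTF-8')`, and the ids used in the `onclick` handlers should be cast with `(int)`. The truncation also runs after escaping, so `strlen`/`substr` can cut an entity such as `&quot;` in half; truncate the raw name first with `mb_substr($result['name'], 0, 7)` and escape the result (the 16/7 threshold pair also looks unintentional and deserves a comment). `$dbcon` on the inner query and `$GLOBALS['dbcon']` on the outer one are the same variable at file scope; pick one form for consistency.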


@ -0,0 +1,70 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['itemID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$itemID = $_POST['itemID'];
if (is_numeric($itemID) == false) die("error");
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($itemID) == 0 or $GLOBALS['userTable']['rank'] == 0) {
echo 'error';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE id=:id;");
$stmt->bindParam(':id', $itemID, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'error';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$assetID = $result['assetid'];
$type = $result['type'];
$creatorID = $result['creator_uid'];
$assetName = $result['name'];
if ($result['approved'] == 0 and $result['declined'] == 0) {
$stmt = $GLOBALS['dbcon']->prepare("UPDATE catalog SET approved = 1 WHERE id=:id");
$stmt->bindParam(':id', $itemID, PDO::PARAM_INT);
$stmt->execute();
if ($type == "shirts" or $type == "pants" or $type == "tshirts") {
$query = "INSERT INTO renders (`render_id`, `type`) VALUES (:id, :dbtype);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $assetID, PDO::PARAM_INT);
$stmt->bindParam(':dbtype', $type, PDO::PARAM_STR);
$stmt->execute();
}
if ($type != "decals") {
$query = "INSERT INTO ownedItems (`uid`, `catalogid`, `type`) VALUES (:uid, :catid, :type);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $creatorID, PDO::PARAM_INT);
$stmt->bindParam(':catid', $itemID, PDO::PARAM_INT);
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$stmt->execute();
}
if ($type != "decals") {
$message = 'Your asset named '.$assetName.' has been approved and can be seen in the catalog. You also have received the item in your inventory. Your item can be found at https://xdiscuss.net/catalog/item/'.$itemID;
}else{
$message = 'Your asset named '.$assetName.' has been approved and can be seen in the catalog. Your item can be found at https://xdiscuss.net/catalog/item/'.$itemID;
}
$title = 'Asset Approval result for '.$assetName;
$query = "INSERT INTO messages (`recv_uid`, `sender_uid`, `title`, `content`) VALUES (:userId2, 10370, :title, :msg);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':userId2', $creatorID, PDO::PARAM_INT);
$stmt->bindParam(':msg', $message, PDO::PARAM_STR);
$stmt->bindParam(':title', $title, PDO::PARAM_STR);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
}else{
echo 'error';
}
?>
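Review bot: The approval state is read with one statement (`SELECT * FROM catalog WHERE id=:id`) and changed with another, so two moderators approving the same item concurrently both pass `approved == 0 and declined == 0` and the creator receives the `ownedItems` row and the message twice; make the update conditional and act on its row count: `UPDATE catalog SET approved = 1 WHERE id=:id AND approved = 0 AND declined = 0`, followed by `if ($stmt->rowCount() === 0) { echo 'error'; exit; }`. `is_numeric($itemID)` also accepts values such as `'1.5'` and `'1e3'`, which are then coerced when bound as `PDO::PARAM_INT`; `filter_var($itemID, FILTER_VALIDATE_INT)` (or `ctype_digit`) is the check that matches the intent, and the same applies to the deny handler. The hard-coded `sender_uid` 10370 in the messages insert deserves a named constant or a comment naming the system account it refers to.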


@ -0,0 +1,104 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['username']) and isset($_POST['banReason']) and isset($_POST['duration'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$username = $_POST['username'];
$banReason = $_POST['banReason'];
$duration = $_POST['duration'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or $GLOBALS['userTable']['rank'] == 0) {
echo 'error';
exit;
}
if (strlen($username) == 0 or strlen($banReason) == 0 or strlen($duration) == 0) {
echo 'missing-info';
exit;
}
if (is_numeric($duration == false) || $duration > 5) die("invalid-duration");
if (strtolower($username) == strtolower($GLOBALS['userTable']['username'])) {
echo 'can-not-ban-yourself';
exit;
}
if (strlen($banReason) > 512) {
echo 'reason-too-long';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, rank, banned, email, username FROM users WHERE username=:uname;");
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'no-user';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$email = $result['email'];
$udb = $result['username'];
if ($GLOBALS['userTable']['rank'] == 1) {
if ($result['rank'] == 1) {
echo 'can-not-ban-user';
exit;
}
}else{
if ($result['rank'] > 0) {
echo 'can-not-ban-user';
exit;
}
}
if ($result['banned'] == 1) {
echo 'user-already-banned';
exit;
}
$query = "UPDATE `users` SET `banned`=1 WHERE `username`=:uname;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
$query = "UPDATE `users` SET `bantype`=:type WHERE `username`=:uname;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->bindParam(':type', $duration, PDO::PARAM_STR);
$stmt->execute();
$query = "UPDATE `users` SET `banreason`=:reason WHERE `username`=:uname;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->bindParam(':reason', $banReason, PDO::PARAM_STR);
$stmt->execute();
$query = "UPDATE `users` SET `bantime`=NOW() WHERE `username`=:uname;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
// Get userID
$query = "SELECT id FROM users WHERE username = :uname";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$userID = $result['id'];
$query = "INSERT INTO `banlogs` (`banned_by_uid`, `banned_by_uname`, `banned_uid`, `banned_uname`, `reason`, `bantype`) VALUES (:bannedbyuid, :bannedbyuname, :banneduid, :banneduname, :reason, :bantype);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':bannedbyuid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':bannedbyuname', $GLOBALS['userTable']['username'], PDO::PARAM_STR);
$stmt->bindParam(':banneduid', $userID, PDO::PARAM_INT);
$stmt->bindParam(':banneduname', $username, PDO::PARAM_STR);
$stmt->bindParam(':reason', $banReason, PDO::PARAM_STR);
$stmt->bindParam(':bantype', $duration, PDO::PARAM_INT);
$stmt->execute();
context::sendDiscordMessage(":first_place: ".$GLOBALS['userTable']['username']." has banned **".$username."** for reason **".$banReason."** (banType=".$duration.")");
echo 'success';
}else{
echo 'error';
}
?>
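Review bot: `is_numeric($duration == false)` has the closing parenthesis in the wrong place: it evaluates `$duration == false` to a boolean and passes that to `is_numeric`, which is always false, so non-numeric or negative durations are caught only by the `> 5` comparison and a value such as `-1` reaches the `bantype` column; write `if (!is_numeric($duration) || $duration > 5) die("invalid-duration");` and consider rejecting values below 1, since the lift handler in this commit treats `bantype` 0 as "not banned" and 5 as not liftable. The four consecutive `UPDATE users SET ...` statements can be a single `UPDATE users SET banned=1, bantype=:type, banreason=:reason, bantime=NOW() WHERE username=:uname`, which also removes the window in which a user is marked banned with no type, reason or time yet. `:type` is bound as `PDO::PARAM_STR` here but the same value is bound as `PDO::PARAM_INT` in the `banlogs` insert; the integer binding is the consistent one.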


@ -0,0 +1,52 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['itemID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$itemID = $_POST['itemID'];
if (is_numeric($itemID) == false) die("error");
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($itemID) == 0 or $GLOBALS['userTable']['rank'] == 0) {
echo 'error';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE id=:id;");
$stmt->bindParam(':id', $itemID, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$assetID = $result['assetid'];
$type = $result['type'];
$creatorID = $result['creator_uid'];
$assetName = $result['name'];
$fileHash = $result['fileHash'];
if ($result['approved'] == 0 and $result['declined'] == 0) {
$stmt = $GLOBALS['dbcon']->prepare("UPDATE catalog SET declined = 1 WHERE id=:id");
$stmt->bindParam(':id', $itemID, PDO::PARAM_INT);
$stmt->execute();
if ($result['type'] == "tshirts" || $result['type'] == "shirts" || $result['type'] == "pants" || $result['type'] == "decals") {
@unlink($_SERVER['DOCUMENT_ROOT'].'/data/assets/uploads/'.$result['fileHash']);
}
$query = "INSERT INTO badHashes (`hash`) VALUES (:hash);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':hash', $fileHash, PDO::PARAM_STR);
$stmt->execute();
$message = 'Your asset named <b>'.$assetName.'</b> has been denied because it violated our rules. You have not been refunded.';
$title = 'Asset Approval result for '.$assetName;
$query = "INSERT INTO messages (`recv_uid`, `sender_uid`, `title`, `content`) VALUES (:userId2, 10370, :title, :msg);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':userId2', $creatorID, PDO::PARAM_INT);
$stmt->bindParam(':msg', $message, PDO::PARAM_STR);
$stmt->bindParam(':title', $title, PDO::PARAM_STR);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
}else{
echo 'error';
}
?>
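Review bot: The `fetch()` on the catalog lookup is not checked for a missing row before `$result['assetid']` is read, unlike the approve handler which exits on `rowCount() == 0`; with an unknown `itemID`, `$result` is `false`, the null it yields makes `$result['approved'] == 0` true, and the script goes on to insert a NULL hash into `badHashes` and a message with a NULL recipient. Add `if ($stmt->rowCount() == 0) { echo 'error'; exit; }` after the execute, and use the same conditional-update pattern as approve (`UPDATE catalog SET declined = 1 WHERE id=:id AND approved = 0 AND declined = 0` with a `rowCount()` check) so a concurrent approve and deny cannot both succeed. `@unlink` hides a failed deletion; check its return value and log the failure, because a declined asset whose file is still on disk is exactly what an operator wants to know about.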


@ -0,0 +1,154 @@
<?php
if (isset($_FILES['meshFile']) && isset($_FILES['textureFile']) && isset($_POST['hatName']) && isset($_POST['hatDescription']) && isset($_POST['hatPrice']) && isset($_POST['isBuyable']) && isset($_POST['RBXAsset']) && isset($_POST['xmlContent']) && isset($_POST['datafileName']) && isset($_POST['csrf_token'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$meshFile = $_FILES['meshFile'];
$textureFile = $_FILES['textureFile'];
$hatName = $_POST['hatName'];
$hatDescription = $_POST['hatDescription'];
$isBuyable = $_POST['isBuyable'];
$rbxasset = $_POST['RBXAsset'];
$hatPrice = $_POST['hatPrice'];
$xmlContent = $_POST['xmlContent'];
$datafileName = $_POST['datafileName'];
$csrf = $_POST['csrf_token'];
if ($csrf != $GLOBALS['csrf_token'] || $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
if ($GLOBALS['userTable']['rank'] != 1 && $GLOBALS['userTable']['hatuploader'] == 0) exit;
// Validate if everything matches up in terms of string length and such, assuming admins do not bypass string checks
if (strlen($hatName) == 0 || strlen($isBuyable) == 0 || strlen($hatDescription) == 0 || strlen($xmlContent) == 0 || strlen($hatPrice) == 0 || strlen($datafileName) == 0) {
echo 'missing-info';
exit;
}
if (strlen($hatName) > 50) {
echo 'name-too-long';
exit;
}
if (strlen($datafileName) > 50) {
echo 'datafilename-too-long';
exit;
}
if (strlen($hatDescription) > 128) {
echo 'description-too-long';
exit;
}
// Validate some things like, force price to be an integer and such
if ($isBuyable != "true" && $isBuyable != "false") {
echo 'illegal-buyable';
exit;
}
if ($isBuyable != "false") {
$buyable = 1;
}else{
$buyable = 0;
}
if ($rbxasset != "false") {
$rbxassetv = 1;
}else{
$rbxassetv = 0;
}
if (is_numeric($hatPrice) == false && $hatPrice != 0 || $hatPrice < 1) die("price-too-low");
// Check if the datafile name is in use (if this fails, there are several other checks in place)
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM catalog WHERE datafile=:dfile");
$stmt->bindParam(':dfile', $datafileName, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() > 0) {
echo 'datafile-mesh-already-exists';
exit;
}
// Now move on to the files part, where the upload happens
// Check if the meshfile is a text file as meshes are pretty much text files
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['meshFile']['tmp_name']);
if ($mime != "text/plain") {
echo 'meshfile-illegalFileType';
exit;
}
// Move the file if it is a text/mesh file.
$uploadDirectory_meshFile = $_SERVER['DOCUMENT_ROOT'].'/data/assets/hats/mesh/';
$uploadDirectory_modelFile = $_SERVER['DOCUMENT_ROOT'].'/data/assets/hats/models/';
$uploadDirectory_textureFile = $_SERVER['DOCUMENT_ROOT'].'/data/assets/hats/texture/';
if (!file_exists($uploadDirectory_meshFile.$datafileName)) {
if (!move_uploaded_file($_FILES["meshFile"]["tmp_name"], $uploadDirectory_meshFile.$datafileName)) {
echo 'file-upload-error';
exit;
}
}else{
echo 'datafile-mesh-already-exists';
exit;
}
// Parse the XML file (or model file)
if (!file_exists($uploadDirectory_modelFile.$datafileName)) {
$XMLFile = fopen($uploadDirectory_modelFile.$datafileName, "w") or die("file-upload-error");
fwrite($XMLFile, $xmlContent);
fclose($XMLFile);
}else{
echo 'datafile-mesh-already-exists';
exit;
}
// Now parse the texture file
$check = @getimagesize($_FILES["textureFile"]["tmp_name"]);
if (!$check) {
echo 'texture-illegalFileType';
exit;
}
$imageFileType = pathinfo($_FILES['textureFile']["name"], PATHINFO_EXTENSION);
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['textureFile']['tmp_name']);
if ($imageFileType != "jpg" && $imageFileType != "JPG" && $imageFileType != "png" && $imageFileType != "PNG" && $imageFileType != "jpeg" && $imageFileType != "JPEG" && $mime != "image/png" && $mime != "image/jpeg") {
echo 'texture-illegalFileType';
exit;
}
if (exif_imagetype($_FILES['textureFile']['tmp_name']) != IMAGETYPE_PNG && exif_imagetype($_FILES['textureFile']['tmp_name']) != IMAGETYPE_JPEG) {
echo 'texture-illegalFileType';
exit;
}
if (!file_exists($uploadDirectory_textureFile .$datafileName)) {
if (!move_uploaded_file($_FILES["textureFile"]["tmp_name"], $uploadDirectory_textureFile.$datafileName)) {
echo 'file-upload-error';
exit;
}
}else{
echo 'datafile-mesh-already-exists';
exit;
}
// It looks like we've come this far, that we can finally add the hat to the catalog and render its image.
$stmt = $dbcon->prepare("INSERT INTO catalog (`price`, `creator_uid`, `name`, `description`, `type`, `approved`, `datafile`, `buyable`, `rbxasset`) VALUES (:price, :user, :name, :description, 'hats', 1, :datafile, :buyable, :rbxasset);");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':price', $hatPrice, PDO::PARAM_INT);
$stmt->bindParam(':name', $hatName, PDO::PARAM_STR);
$stmt->bindParam(':description', $hatDescription, PDO::PARAM_STR);
$stmt->bindParam(':datafile', $datafileName, PDO::PARAM_STR);
$stmt->bindParam(':buyable', $buyable, PDO::PARAM_INT);
$stmt->bindParam(':rbxasset', $rbxassetv, PDO::PARAM_INT);
$stmt->execute();
$query = "INSERT INTO renders (`render_id`, `type`) VALUES (:id, 'hats');";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $datafileName, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'no-file';
}
?>
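Review bot: `$datafileName` comes straight from `$_POST` and is concatenated onto the three upload directories for `file_exists`, `move_uploaded_file` and `fopen`, with only a length check in between, so it may contain directory separators or dot segments; restrict it before any filesystem use, for example `if (!preg_match('/^[A-Za-z0-9_-]+$/', $datafileName)) { echo 'datafilename-illegal'; exit; }` placed next to the existing length checks. The handler also leaves partial state: the mesh is moved before the model and texture checks, so any later `exit` leaves an orphaned mesh file and no catalog row — validate all three inputs first, then write. `$stmt->bindParam(':id', $datafileName, PDO::PARAM_INT)` on the renders insert binds a string filename as an integer, whereas the approve handler binds `assetid` there; presumably an asset or catalog id was intended — confirm against the renders schema.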


@ -0,0 +1,161 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['username'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$username = $_POST['username'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or $GLOBALS['userTable']['rank'] != 1) {
echo 'error';
exit;
}
if (strlen($username) == 0) {
echo 'missing-info';
exit;
}
if (strtolower($username) == strtolower($GLOBALS['userTable']['username'])) {
echo 'can-not-prune-yourself';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, rank, banned FROM users WHERE username=:uname;");
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'no-user';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($GLOBALS['userTable']['rank'] == 1) {
if ($result['rank'] == 1) {
echo 'can-not-prune-user';
exit;
}
}else{
if ($result['rank'] > 0) {
echo 'can-not-prune-user';
exit;
}
}
$userID = $result['id'];
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET posts = 0 WHERE id=:id;");
$stmt->bindParam(':id', $userID, PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM topics WHERE author_uid = :uid");
$stmt->bindParam(':uid', $userID, PDO::PARAM_STR);
$stmt->execute();
foreach($stmt as $result) {
$postID = $result['id'];
$forumId = $result['forumId'];
$stmt = $GLOBALS['dbcon']->prepare("DELETE FROM topics WHERE id = :id");
$stmt->bindParam(':id', $postID, PDO::PARAM_STR);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("DELETE FROM replies WHERE postId = :id");
$stmt->bindParam(':id', $postID, PDO::PARAM_STR);
$stmt->execute();
$query = "SELECT id FROM topics WHERE forumId=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->execute();
$total = $stmt->rowCount();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE forums SET posts = :posts WHERE id=:id;");
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $total, PDO::PARAM_INT);
$stmt->execute();
$query = "SELECT id FROM replies WHERE forumId=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->execute();
$total = $stmt->rowCount();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE forums SET replies = :posts WHERE id=:id;");
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $total, PDO::PARAM_INT);
$stmt->execute();
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, postId, forumId FROM replies WHERE author_uid = :uid");
$stmt->bindParam(':uid', $userID, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
$replyID = $result['id'];
$postID = $result['postId'];
$forumId = $result['forumId'];
$stmt = $GLOBALS['dbcon']->prepare("DELETE FROM replies WHERE id = :id;");
$stmt->bindParam(':id', $replyID, PDO::PARAM_STR);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("SELECT post_time FROM replies WHERE postId = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $postID, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$postTime = $result['post_time'];
if ($stmt->rowCount() > 0) {
$query = "UPDATE `topics` SET `lastActivity`=:date WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postID, PDO::PARAM_INT);
$stmt->bindParam(':date', $postTime, PDO::PARAM_STR);
$stmt->execute();
}else{
$stmt = $GLOBALS['dbcon']->prepare("SELECT postTime FROM topics WHERE id = :id;");
$stmt->bindParam(':id', $postID, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$OPPostTime = $result['postTime'];
$query = "UPDATE `topics` SET `lastActivity`=:date WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postID, PDO::PARAM_INT);
$stmt->bindParam(':date', $OPPostTime , PDO::PARAM_STR);
$stmt->execute();
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM replies WHERE postId = :id;");
$stmt->bindParam(':id', $postID, PDO::PARAM_INT);
$stmt->execute();
$replyCount = $stmt->rowCount();
$query = "UPDATE `topics` SET `replies`=:rCount WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postID, PDO::PARAM_INT);
$stmt->bindParam(':rCount', $replyCount , PDO::PARAM_STR);
$stmt->execute();
$query = "SELECT * FROM topics WHERE forumId=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->execute();
$total = $stmt->rowCount();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE forums SET posts = :posts WHERE id=:id;");
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $total, PDO::PARAM_INT);
$stmt->execute();
$query = "SELECT * FROM replies WHERE forumId=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->execute();
$total = $stmt->rowCount();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE forums SET replies = :posts WHERE id=:id;");
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $total, PDO::PARAM_INT);
$stmt->execute();
}
context::sendDiscordMessage($GLOBALS['userTable']['username'].' has pruned the posts of user **'.$username.'**');
echo 'success';
}else{
echo 'error';
}
?>
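Review bot: `$postTime = $result['post_time'];` reads the `fetch()` result before `rowCount()` is checked, so when the deleted reply was the topic's last one `$result` is `false` and the read emits a warning; move the fetch and the assignment inside the `if ($stmt->rowCount() > 0)` branch. The `else` branch of the rank check (`if ($result['rank'] > 0)`) is unreachable, because the entry check already exits unless `$GLOBALS['userTable']['rank']` is 1; either drop it or add a comment stating that only rank 1 may prune. The topic and reply deletions and the forum counter rewrites run as separate autocommit statements, so a failure midway leaves counters out of step with the rows; wrapping the body in `$GLOBALS['dbcon']->beginTransaction()` / `commit()` is the straightforward fix.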


@ -0,0 +1,61 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['username'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$username = $_POST['username'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or $GLOBALS['userTable']['rank'] == 0) {
echo 'error';
exit;
}
if (strlen($username) == 0) {
echo 'missing-info';
exit;
}
if (strtolower($username) == strtolower($GLOBALS['userTable']['username'])) {
echo 'can-not-reward-yourself';
exit;
}
if(!preg_match("/^[a-zA-Z0-9][\w\.]+[a-zA-Z0-9]$/", $username) == 1) {
echo 'no-user';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, rank, banned, lastAward2, posties FROM users WHERE username=:uname;");
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'no-user';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
// Rate limiting
$timeSince = round(abs(strtotime(date('Y-m-d H:i:s')) - strtotime($result['lastAward2'])) / 60,2);
if ($timeSince < 5) {
echo 'can-not-reward-user';
exit;
}
$newPosties = $result['posties']+10;
$query = "UPDATE `users` SET `posties`=:newPosties WHERE `username`=:uname;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':newPosties', $newPosties, PDO::PARAM_STR);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
$query = "UPDATE `users` SET `lastAward2`=NOW() WHERE `username`=:uname;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
context::sendDiscordMessage($GLOBALS['userTable']['username'].' has awarded 10 posties to user **'.$username.'**');
echo 'success';
}else{
echo 'error';
}
?>
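Review bot: `if(!preg_match(...) == 1)` works only by accident: `!` binds tighter than `==`, so the expression is `(!preg_match(...)) == 1`, which is `true == 1` when the pattern fails; write `if (preg_match("/^[a-zA-Z0-9][\w\.]+[a-zA-Z0-9]$/", $username) !== 1)` so the intent is explicit. The rate limit is a read-then-write on `lastAward2`, so two requests inside the window both pass the `< 5` check; folding the two `UPDATE`s into one conditional statement (`SET posties = posties + 10, lastAward2 = NOW() WHERE username = :uname AND (lastAward2 IS NULL OR lastAward2 < NOW() - INTERVAL 5 MINUTE)`, MySQL syntax matching the `NOW()` already used here) and checking `rowCount()` closes it. `strtotime($result['lastAward2'])` on a NULL column returns `false`, which the subtraction silently treats as epoch zero — another reason to let the database do the comparison.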


@ -0,0 +1,66 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['username'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$username = $_POST['username'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or $GLOBALS['userTable']['rank'] == 0) {
echo 'error';
exit;
}
if (strlen($username) == 0) {
echo 'missing-info';
exit;
}
if (strtolower($username) == strtolower($GLOBALS['userTable']['username'])) {
echo 'can-not-unban-yourself';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, rank, banned FROM users WHERE username=:uname;");
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'no-user';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($GLOBALS['userTable']['rank'] == 1) {
if ($result['rank'] == 1) {
echo 'can-not-unban-user';
exit;
}
}else{
if ($result['rank'] > 0) {
echo 'can-not-unban-user';
exit;
}
}
if ($result['banned'] == 0) {
echo 'user-not-banned';
exit;
}
$query = "UPDATE `users` SET `banned`=0 WHERE `username`=:uname;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
$query = "UPDATE `users` SET `bantype`=0 WHERE `username`=:uname;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
$query = "UPDATE `users` SET `banreason`=NULL WHERE `username`=:uname;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
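Review bot: Unban leaves no audit trail, while the ban handler in this commit writes a `banlogs` row and a Discord notification; at minimum add a matching `context::sendDiscordMessage(...)` call before `echo 'success'`, and preferably a log row recording who lifted which ban and when. The three `UPDATE users SET ...` statements should be one `UPDATE users SET banned=0, bantype=0, banreason=NULL WHERE username=:uname;` so the user is never observed half-unbanned and the round trips drop to one. `bantime` is left untouched, which is fine only if nothing reads it for an unbanned user — worth a comment either way.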


@ -0,0 +1,68 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['newEmail']) and isset($_POST['currentPassword'])) {
$GLOBALS['bypassRedirect'] = true;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['userTable']['emailverified'] == 1) die("error");
$csrf = $_POST['csrf'];
$newEmail = $_POST['newEmail'];
$currentPassword = $_POST['currentPassword'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) die("error");
if (strlen($newEmail) == 0 or strlen($currentPassword) == 0) die("missing-info");
if (strlen($newEmail) == 0) die("missing-info");
if (strlen($newEmail) > 128) die("inc-email");
if (!filter_var($newEmail, FILTER_VALIDATE_EMAIL)) die("inc-email");
$domain = substr($newEmail, strpos($newEmail, '@') + 1);
if (checkdnsrr($domain) == false) die("inc-email");
$from_time = strtotime($GLOBALS['userTable']['lastUpload']);
$to_time = strtotime(context::getCurrentTime());
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince < 60) die("rate-limit");
// Email domain whitelist, to stop disposable and fake emails.
$good_emails = array('@outlook', '@protonmail.com', '@xdiscuss.net', '@roblox.com', '@icloud.com', '@protonmail.ch', '@google.com',
"@yahoo.com.br", "@hotmail.com.br", "@outlook.com.br", "@uol.com.br", "@bol.com.br", "@terra.com.br", "@ig.com.br", "@itelefonica.com.br", "@r7.com", "@zipmail.com.br", "@globo.com", "@globomail.com", "@oi.com.br",
"@yahoo.com.mx", "@live.com.mx", "@hotmail.es", "@hotmail.com.mx", "@prodigy.net.mx",
"@hotmail.com.ar", "@live.com.ar", "@yahoo.com.ar", "@fibertel.com.ar", "@speedy.com.ar", "@arnet.com.ar",
"@hotmail.be", "@live.be", "@skynet.be", "@voo.be", "@tvcablenet.be", "@telenet.be",
"@mail.ru", "@rambler.ru", "@yandex.ru", "@ya.ru", "@list.ru",
"@gmx.de", "@hotmail.de", "@live.de", "@online.de", "@t-online.de", "@web.de", "@yahoo.de",
"@hotmail.fr", "@live.fr", "@laposte.net", "@yahoo.fr", "@wanadoo.fr", "@orange.fr", "@gmx.fr", "@sfr.fr", "@neuf.fr", "@free.fr",
"@sina.com", "@qq.com", "@naver.com", "@hanmail.net", "@daum.net", "@nate.com", "@yahoo.co.jp", "@yahoo.co.kr", "@yahoo.co.id", "@yahoo.co.in", "@yahoo.com.sg", "@yahoo.com.ph",
"@btinternet.com", "@virginmedia.com", "@blueyonder.co.uk", "@freeserve.co.uk", "@live.co.uk",
"@ntlworld.com", "@o2.co.uk", "@orange.net", "@sky.com", "@talktalk.co.uk", "@tiscali.co.uk",
"@virgin.net", "@wanadoo.co.uk", "@bt.com", "@bellsouth.net", "@charter.net", "@cox.net", "@earthlink.net", "@juno.com",
"@email.com", "@games.com", "@gmx.net", "@hush.com", "@hushmail.com", "@icloud.com", "@inbox.com",
"@lavabit.com", "@love.com", "@outlook.com", "@pobox.com", "@rocketmail.com",
"@safe-mail.net", "@wow.com", "@ygm.com", "@ymail.com", "@zoho.com", "@fastmail.fm",
"@yandex.com","@iname.com", "@aol.com", "@att.net", "@comcast.net", "@facebook.com", "@gmail.com", "@gmx.com", "@googlemail.com",
"@google.com", "@hotmail.com", "@hotmail.co.uk", "@mac.com", "@me.com", "@mail.com", "@msn.com",
"@live.com", "@sbcglobal.net", "@verizon.net", "@yahoo.com", "@yahoo.co.uk"
);
if (!context::contains(strtolower($newEmail), $good_emails)) die("unknown-email");
$auth_hash = crypt($currentPassword, $GLOBALS['userTable']['password_salt']);
if ($GLOBALS['userTable']['password'] != md5($currentPassword) and $auth_hash != $GLOBALS['userTable']['password_hash']) die("inc-password");
$stmt = $dbcon->prepare("SELECT email FROM users WHERE email = :email;");
$stmt->bindParam(':email', $newEmail, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() > 0) die("email-in-use");
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET email = :email WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':email', $newEmail, PDO::PARAM_STR);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET lastUpload = NOW() WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET emailcodeTime = NULL WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
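Review bot: The password check `$GLOBALS['userTable']['password'] != md5($currentPassword) and $auth_hash != $GLOBALS['userTable']['password_hash']` compares hashes with loose `!=`, and two hex digests that both look like `0e` followed by digits compare equal as numbers; use `hash_equals()` on both branches, and since the md5 branch appears to be a legacy fallback, a comment saying so plus a follow-up to re-hash with `password_hash()` on successful verification belong here. The whitelist entry `'@outlook'` has no TLD, so whether it matches only `@outlook.com` depends on how `context::contains` matches (defined outside this hunk) — confirm, or spell out the full domains. The rate limit reuses the `lastUpload` column for email changes, which deserves a comment, and the `strlen($newEmail) == 0` test on the line after the combined check is redundant.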


@ -0,0 +1,85 @@
<?php
if (isset($_POST['username']) && isset($_POST['csrf'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$IP = auth::getIP();
$username = $_POST['username'];
$csrf_token = $_POST['csrf'];
if ($csrf_token != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == true) {
echo 'error';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, username, email FROM users WHERE username = :username OR email = :email;");
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->bindParam(':email', $username, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'no-user';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$userID = $result['id'];
$username = $result['username'];
$email = $result['email'];
$query = "SELECT * FROM pwdreset WHERE ip = :ip LIMIT 1;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() > 0) {
$currentTime = date('Y-m-d H:i:s');
$to_time = strtotime($currentTime);
$from_time = strtotime($result['date']);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince < 5) {
echo 'rate-limit';
exit;
}
}
// If IP is changed.
$query = "SELECT * FROM passwordresets WHERE userId = :uid LIMIT 1;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $userID, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() > 0) {
$currentTime = date('Y-m-d H:i:s');
$to_time = strtotime($currentTime);
$from_time = strtotime($result['date']);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince < 5) {
echo 'rate-limit';
exit;
}else{
// Delete every other request
$stmt = $dbcon->prepare("DELETE FROM passwordresets WHERE userId = :uid");
$stmt->bindParam(':uid', $userID, PDO::PARAM_INT);
$stmt->execute();
}
}
$stmt = $dbcon->prepare("DELETE FROM pwdreset WHERE ip = :ip");
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
$stmt = $dbcon->prepare("INSERT INTO `pwdreset` (`ip`) VALUES (:ip);");
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
$key = context::random_str(256);
$stmt = $dbcon->prepare("INSERT INTO `passwordresets` (`userId`, `key`) VALUES (:uid, :key);");
$stmt->bindParam(':uid', $userID, PDO::PARAM_INT);
$stmt->bindParam(':key', $key, PDO::PARAM_STR);
$stmt->execute();
mailHandler::sendMail('Hello '.$username.'! You can reset your password at https://xdiscuss.net/account/resetpassword/'.$userID.'/'.$key.' if you did not request this, you can ignore this. <br><br><a href="http://xdiscuss.net">Graphictoria</a><br>Please know that this message was generated automatically, do not reply to this. If you need help, send a message to <a href="mailto:support@xdiscuss.net">support@xdiscuss.net</a>.', "Hello ".$username."! You can reset your password at https://xdiscuss.net/account/resetpassword/".$userID."/".$key." if you did not request this, you can ignore this.", $email, "Graphictoria Password Reset", $username);
echo 'success';
}else{
echo 'error';
exit;
}
?>
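Review bot: The reset key produced by `context::random_str(256)` is stored verbatim in `passwordresets` and later matched by SQL equality, so it is as sensitive as a password and any database read, backup or log that exposes the table exposes live reset tokens; store `hash('sha256', $key)` in the `key` column and look the hashed value up in the reset handler, mailing only the raw value. The `no-user` response discloses whether a username or e-mail address is registered, whereas answering `success` on both paths keeps the account list private while still sending the mail only when a user exists. The CSRF check `$csrf_token != $GLOBALS['csrf_token']` is a loose comparison; `if (!hash_equals((string) $GLOBALS['csrf_token'], (string) $csrf_token) || $GLOBALS['loggedIn'] == true)` is the strict, constant-time form and the same `!=` appears in every other handler in this commit.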


@ -0,0 +1,234 @@
<?php
if (isset($_POST['username']) && isset($_POST['passwd']) && isset($_POST['csrf'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$IP = auth::getIP();
$username = $_POST['username'];
$password = $_POST['passwd'];
$csrf_token = $_POST['csrf'];
if ($csrf_token != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == true) {
echo 'error';
exit;
}
if (strlen($username) == 0 or strlen($password) == 0) {
echo 'missing-info';
exit;
}
$query = "SELECT * FROM loginAttempts WHERE ip = :ip ORDER BY id DESC LIMIT 1";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 1) {
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['count'] == 3) {
$from_time = strtotime($result['time']);
$to_time = strtotime(context::getCurrentTime());
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince < 2) {
echo 'rate-limit';
exit;
}
}
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, password_salt, password, password_hash, registerIP, passwordVersion, rank, posts, username FROM users WHERE username = :username OR email = :email;");
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->bindParam(':email', $username, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() == 0) {
echo 'no-user';
exit;
}
$auth_hash = crypt($password, $result['password_salt']);
if ($auth_hash == $result['password_hash']) {
if ($result['registerIP'] == NULL) {
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET registerIP = :ip WHERE id = :id;");
$stmt->bindParam(':id', $result['id'], PDO::PARAM_INT);
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
}
$form_code = md5(uniqid());
$aid = context::random_str(128);
$location = $_SERVER["HTTP_CF_IPCOUNTRY"];
$stmt = $GLOBALS['dbcon']->prepare('INSERT INTO `sessions` (`userId`, `sessionId`, `csrfToken`, `useragent`, `location`) VALUES (:userId, :sid, :csrf, :useragent, :location);');
$stmt->bindParam(':userId', $result['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $aid, PDO::PARAM_STR);
$stmt->bindParam(':csrf', $form_code, PDO::PARAM_STR);
$stmt->bindParam(':useragent', $_SERVER['HTTP_USER_AGENT'], PDO::PARAM_STR);
$stmt->bindParam(':location', $location, PDO::PARAM_STR);
$stmt->execute();
if (isset($_COOKIE['auth_uid']) || isset($_COOKIE['a_id'])) {
setcookie('auth_uid', "", time() - 3600);
setcookie('a_id', "", time() - 3600);
}
setcookie("auth_uid", $result['id'], time() + (86400 * 30), "/", ".xdiscuss.net", false, true);
setcookie("a_id", $aid, time() + (86400 * 30), "/", ".xdiscuss.net", false, true);
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET lastIP = :ip WHERE id = :id;");
$stmt->bindParam(':id', $result['id'], PDO::PARAM_INT);
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
$key = sha1($form_code);
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET gameKey = :key WHERE id = :id;");
$stmt->bindParam(':id', $result['id'], PDO::PARAM_INT);
$stmt->bindParam(':key', $key, PDO::PARAM_STR);
$stmt->execute();
// Award badges
if ($result['rank'] == 1) {
// Check if the admin badge is owned
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM badges WHERE uid = :uid AND badgeId = 2");
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
// Award badge
$query = "INSERT INTO badges (`uid`, `badgeId`) VALUES (:uid, 2);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}
// Check if the moderator badge is owned
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM badges WHERE uid = :uid AND badgeId = 3");
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
// Award badge
$query = "INSERT INTO badges (`uid`, `badgeId`) VALUES (:uid, 3);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}
}
if ($result['rank'] == 2) {
// Check if the moderator badge is owned
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM badges WHERE uid = :uid AND badgeId = 3");
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
// Award badge
$query = "INSERT INTO badges (`uid`, `badgeId`) VALUES (:uid, 3);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}
// Remove admin badge if any
$query = "DELETE FROM badges WHERE badgeId = 2 AND uid = :uid";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}
if ($result['rank'] == 0) {
// Remove staff badges if any
$query = "DELETE FROM badges WHERE badgeId = 2 AND uid = :uid";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
$query = "DELETE FROM badges WHERE badgeId = 3 AND uid = :uid";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}
// Check if the member badge is owned
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM badges WHERE uid = :uid AND badgeId = 5");
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
// Award badge
$query = "INSERT INTO badges (`uid`, `badgeId`) VALUES (:uid, 5);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}
// Get forum post count
$postCount = $result['posts'];
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM badges WHERE uid = :uid AND badgeId = 4");
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0 and $postCount > 999) {
// Award badge
$query = "INSERT INTO badges (`uid`, `badgeId`) VALUES (:uid, 4);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}else{
if ($postCount < 1000) {
$query = "DELETE FROM badges WHERE badgeId = 4 AND uid = :uid";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM badges WHERE uid = :uid AND badgeId = 7");
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0 and $result['id'] < 101) {
// Award badge
$query = "INSERT INTO badges (`uid`, `badgeId`) VALUES (:uid, 7);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}else{
if ($result['id'] > 100) {
$query = "DELETE FROM badges WHERE badgeId = 7 AND uid = :uid";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->execute();
}
}
context::sendDiscordMessage("**User logged in** | ".$result['username']);
echo 'success';
exit;
}else{
$query = "SELECT * FROM loginAttempts WHERE ip = :ip";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
$delete = false;
if ($stmt->rowCount() == 3) {
$query = "DELETE FROM loginAttempts WHERE ip = :ip;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
$delete = true;
}
if ($delete == true) {
$count = 1;
}else{
$count = $stmt->rowCount()+1;
}
$query = "INSERT INTO loginAttempts (`ip`, `uid`, `count`) VALUES (:ip, :uid, :count);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->bindParam(':uid', $result['id'], PDO::PARAM_INT);
$stmt->bindParam(':count', $count, PDO::PARAM_INT);
$stmt->execute();
echo 'incorrect-password';
exit;
}
}else{
echo 'error';
exit;
}
?>
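Review bot: The per-session CSRF token is `$form_code = md5(uniqid())`, which is then also hashed into `gameKey`; `uniqid()` is clock-based, not a CSPRNG, so `$form_code = bin2hex(random_bytes(16));` should replace it. Both `setcookie("auth_uid", ...)` and `setcookie("a_id", ...)` pass `false` for the `secure` argument although the site is served over HTTPS (the reset link in the forgot-password hunk is `https://`), so the session cookie is also sent on plain-HTTP requests to any `.xdiscuss.net` host; change both calls to end in `"/", ".xdiscuss.net", true, true);`. The credential check `$auth_hash == $result['password_hash']` should be `hash_equals($result['password_hash'], $auth_hash)` for a strict, constant-time comparison. `$_SERVER["HTTP_CF_IPCOUNTRY"]` is read unconditionally and emits a warning when the request does not arrive through Cloudflare; `$_SERVER['HTTP_CF_IPCOUNTRY'] ?? null` handles that.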



@ -0,0 +1,169 @@
<?php
if (isset($_POST['username']) && isset($_POST['email']) && isset($_POST['passwd1']) && isset($_POST['passwd2']) && isset($_POST['csrf']) && isset($_POST['captcha'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$username = $_POST['username'];
$email = $_POST['email'];
$password1 = $_POST['passwd1'];
$password2 = $_POST['passwd2'];
$csrf_token = $_POST['csrf'];
$IP = auth::getIP();
if ($csrf_token != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == true) {
echo 'error';
exit;
}
if (strlen($username) == 0 && strlen($email) == 0 && strlen($password1) == 0 && strlen($password2) == 0) {
echo 'missing-info';
exit;
}
$response = json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=&response=".$_POST['captcha']."&remoteip=".auth::getIP()), true);
if ($response['success'] == false) {
echo 'incorrect-captcha';
exit;
}
$bad_words = array('nlgga', 'nigga', 'sex', 'raping', 'tits', 'wtf', 'vag', 'diemauer', 'brickopolis', '.com', '.cf', 'dicc', 'nude', 'kesner', 'nobe', 'idiot', 'dildo', 'cheeks', 'anal', 'boob', 'horny', 'tit', 'fucking', 'gay', 'rape', 'rapist', 'incest', 'beastiality', 'cum', 'maggot', 'bloxcity', 'bullshit', 'fuck', 'penis', 'dick', 'vagina', 'faggot', 'fag', 'nigger', 'asshole', 'shit', 'bitch', 'anal', 'stfu', 'cunt', 'pussy', 'hump', 'meatspin', 'redtube', 'porn', 'kys', 'xvideos', 'hentai', 'gangbang', 'milf', 'whore', 'cock', 'masturbate');
$username_check = strtolower($username);
if (context::contains($username_check, $bad_words)) {
echo 'invalid-username';
exit;
}
if (strlen($username) == 0) {
echo 'no-username';
exit;
}
if (strlen($username) < 3) {
echo 'username-too-short';
exit;
}
if (strlen($username) > 20) {
echo 'username-too-long';
exit;
}
if(!preg_match("/^[a-zA-Z0-9][\w\.]+[a-zA-Z0-9]$/", $username) == 1) {
echo 'illegal-username';
exit;
}
if (strlen($email) == 0) {
echo 'no-email';
exit;
}
if (strlen($email) > 128) {
echo 'email-too-long';
exit;
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo 'illegal-email';
exit;
}
$domain = substr($email, strpos($email, '@') + 1);
if (checkdnsrr($domain) == false) die("illegal-email");
// Email domain whitelist, to stop disposable and fake emails. Will only be checked at initial register.
$good_emails = array('@outlook', '@protonmail.com', '@xdiscuss.net', '@roblox.com', '@icloud.com', '@protonmail.ch', '@google.com',
"@yahoo.com.br", "@hotmail.com.br", "@outlook.com.br", "@uol.com.br", "@bol.com.br", "@terra.com.br", "@ig.com.br", "@itelefonica.com.br", "@r7.com", "@zipmail.com.br", "@globo.com", "@globomail.com", "@oi.com.br",
"@yahoo.com.mx", "@live.com.mx", "@hotmail.es", "@hotmail.com.mx", "@prodigy.net.mx",
"@hotmail.com.ar", "@live.com.ar", "@yahoo.com.ar", "@fibertel.com.ar", "@speedy.com.ar", "@arnet.com.ar",
"@hotmail.be", "@live.be", "@skynet.be", "@voo.be", "@tvcablenet.be", "@telenet.be",
"@mail.ru", "@rambler.ru", "@yandex.ru", "@ya.ru", "@list.ru",
"@gmx.de", "@hotmail.de", "@live.de", "@online.de", "@t-online.de", "@web.de", "@yahoo.de",
"@hotmail.fr", "@live.fr", "@laposte.net", "@yahoo.fr", "@wanadoo.fr", "@orange.fr", "@gmx.fr", "@sfr.fr", "@neuf.fr", "@free.fr",
"@sina.com", "@qq.com", "@naver.com", "@hanmail.net", "@daum.net", "@nate.com", "@yahoo.co.jp", "@yahoo.co.kr", "@yahoo.co.id", "@yahoo.co.in", "@yahoo.com.sg", "@yahoo.com.ph",
"@btinternet.com", "@virginmedia.com", "@blueyonder.co.uk", "@freeserve.co.uk", "@live.co.uk",
"@ntlworld.com", "@o2.co.uk", "@orange.net", "@sky.com", "@talktalk.co.uk", "@tiscali.co.uk",
"@virgin.net", "@wanadoo.co.uk", "@bt.com", "@bellsouth.net", "@charter.net", "@cox.net", "@earthlink.net", "@juno.com",
"@email.com", "@games.com", "@gmx.net", "@hush.com", "@hushmail.com", "@icloud.com", "@inbox.com",
"@lavabit.com", "@love.com", "@outlook.com", "@pobox.com", "@rocketmail.com",
"@safe-mail.net", "@wow.com", "@ygm.com", "@ymail.com", "@zoho.com", "@fastmail.fm",
"@yandex.com","@iname.com", "@aol.com", "@att.net", "@comcast.net", "@facebook.com", "@gmail.com", "@gmx.com", "@googlemail.com",
"@google.com", "@hotmail.com", "@hotmail.co.uk", "@mac.com", "@me.com", "@mail.com", "@msn.com",
"@live.com", "@sbcglobal.net", "@verizon.net", "@yahoo.com", "@yahoo.co.uk"
);
if (!context::contains(strtolower($email), $good_emails)) die("unknown-email");
if (strlen($password1) == 0) {
echo 'no-password';
exit;
}
if (strlen($password2) == 0) {
echo 'no-password';
exit;
}
if ($password1 != $password2) {
echo 'passwords-mismatch';
exit;
}
if (strlen($password1) < 6) {
echo 'password-too-short';
exit;
}
if (strlen($password1) > 40) {
echo 'password-too-long';
exit;
}
$stmt = $dbcon->prepare("SELECT * FROM users WHERE email = :email;");
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() > 0) {
echo 'email-already-used';
exit;
}
$stmt = $dbcon->prepare("SELECT * FROM users WHERE username = :username;");
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() > 0) {
echo 'username-already-used';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT joinDate FROM users WHERE registerIP = :ip ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() > 0) {
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$currentTime = context::getCurrentTime();
$to_time = strtotime($currentTime);
$from_time = strtotime($result['joinDate']);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince < 1440) {
echo 'rate-limit';
exit;
}
}
// Still here? Continue. Please use password_hash...
$salt = '$2a$07$'.uniqid(mt_rand(), true).'$';
$hash = crypt($password1, $salt);
$stmt = $dbcon->prepare("INSERT INTO users (`username`, `password_hash`, `password_salt`, `email`, `registerIP`, `passwordVersion`) VALUES (:user, :hash, :salt, :email, :ip, 2);");
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->bindParam(':user', $username, PDO::PARAM_STR);
$stmt->bindParam(':hash', $hash, PDO::PARAM_STR);
$stmt->bindParam(':salt', $salt, PDO::PARAM_STR);
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->execute();
context::sendDiscordMessage("**New user registered!** | ".$username);
echo 'success';
}else{
echo 'error';
exit;
}
?>
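Review bot: The reCAPTCHA request is built with an empty `secret=` and the raw `$_POST['captcha']` concatenated into the query string, so unless the secret is injected elsewhere every registration presumably ends in `incorrect-captcha`, and once filled in the secret would live in source; read it from configuration and build the URL with `http_build_query(['secret' => $recaptchaSecret, 'response' => $_POST['captcha'], 'remoteip' => auth::getIP()])`. The bcrypt salt `'$2a$07$'.uniqid(mt_rand(), true).'$'` uses cost 7 and non-cryptographic randomness, as the comment above it already admits; `password_hash($password1, PASSWORD_BCRYPT)` stores salt and cost inside `password_hash` and pairs with `password_verify` in the login hunk (the reset-password hunk builds the salt the same way). The `missing-info` guard joins the four `strlen` checks with `&&`, so it fires only when every field is empty — `||` is what the message implies, though the later per-field checks make it harmless. `!preg_match(...) == 1` parses as `(!preg_match(...)) == 1` and only works because `true == 1`; write `if (preg_match("/^[a-zA-Z0-9][\w\.]+[a-zA-Z0-9]$/", $username) !== 1)`.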


@ -0,0 +1,75 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['password1']) and isset($_POST['password2']) and isset($_POST['key']) and isset($_POST['userID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];
$key = $_POST['key'];
$userID = $_POST['userID'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == true) {
echo 'error';
exit;
}
$query = "SELECT * FROM passwordresets WHERE userid = :uid AND `key` = :key";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $userID, PDO::PARAM_INT);
$stmt->bindParam(':key', $key, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() == 0 or $result['used'] == 1) {
echo 'invalid-key';
exit;
}
$currentTime = date('Y-m-d H:i:s');
$to_time = strtotime($currentTime);
$from_time = strtotime($result['date']);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 5) {
echo 'key-expired';
exit;
}
if ($password1 != $password2) {
echo 'password-mismatch';
exit;
}
if (strlen($password1) > 42) {
echo 'password-too-long';
exit;
}
if (strlen($password1) < 6) {
echo 'password-too-short';
exit;
}
$salt = '$2a$07$'.uniqid(mt_rand(), true).'$';
$hash = crypt($password1, $salt);
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET password_salt = :salt WHERE id = :user;");
$stmt->bindParam(':user', $userID, PDO::PARAM_INT);
$stmt->bindParam(':salt', $salt, PDO::PARAM_STR);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET password_hash = :hash WHERE id = :user;");
$stmt->bindParam(':user', $userID, PDO::PARAM_INT);
$stmt->bindParam(':hash', $hash, PDO::PARAM_STR);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE passwordresets SET used = 1 WHERE `key` = :key AND userid = :uid;");
$stmt->bindParam(':key', $key, PDO::PARAM_STR);
$stmt->bindParam(':uid', $userID, PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("DELETE FROM sessions WHERE userId = :uid;");
$stmt->bindParam(':uid', $userID, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
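Review bot: `password_salt` and `password_hash` are written by two separate UPDATE statements, so a failure between them leaves a salt that no longer matches the stored hash and the account can no longer log in; write both columns in one statement, `UPDATE users SET password_salt = :salt, password_hash = :hash WHERE id = :user;`, ideally in the same transaction as the `used = 1` update and the session purge. The maximum password length here is 42 while the register hunk allows 40; pick one limit for both (bcrypt uses at most the first 72 bytes anyway). `$userID` comes straight from `$_POST` and is bound as `PDO::PARAM_INT` without an integer check; `filter_var($userID, FILTER_VALIDATE_INT)` before the lookup returns a clean `invalid-key` instead of relying on a cast.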


@ -0,0 +1,37 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['factorCode'])) {
$GLOBALS['bypassRedirect'] = true;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$factorCode = $_POST['factorCode'];
$factorCode = str_replace(" ", "", $factorCode);
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
if (strlen($factorCode) == 0) {
echo 'missing-info';
exit;
}
if ($GLOBALS['userTable']['2faEnabled'] == 0) {
echo 'error';
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/libs/google/GoogleAuthenticator.php';
$gAuth = new GoogleAuthenticator();
if (!$gAuth->checkCode($GLOBALS['userTable']['authKey'], $factorCode)) {
echo 'wrong-code';
exit;
}else{
$stmt = $GLOBALS['dbcon']->prepare("UPDATE sessions SET factorFinish = 1 WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['sessionTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}
}else{
echo 'error';
}
?>
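Review bot: `checkCode` is called with no attempt counter or lockout, so a six-digit TOTP can be retried without limit against a session that has already passed the password step; record failed attempts per session (for example a counter column on `sessions`, or the `loginAttempts` pattern the login hunk uses) and reject further requests after a handful of failures within the code window. A code that has been accepted once should also not be accepted again inside the same time step — storing the last accepted time slice on the session and refusing a repeat closes that. The CSRF check uses loose `!=`; `hash_equals((string) $GLOBALS['csrf_token'], (string) $csrf)` is the strict, constant-time form.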


@ -0,0 +1,29 @@
<?php
if (isset($_POST['emailCode']) && isset($_POST['csrf'])) {
$GLOBALS['bypassRedirect'] = true;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$emailCode = $_POST['emailCode'];
$csrf_token = $_POST['csrf'];
if ($csrf_token != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
if (security::getUserEmailVerified() == true) {
echo 'error';
exit;
}
$timeSince = round(abs(strtotime(context::getCurrentTime()) - strtotime($GLOBALS['userTable']['emailcodeTime'])) / 60,2);
if (security::getEmailCode() == $emailCode and $timeSince < 5) {
echo 'success';
security::finishEmailVerification();
exit;
}else{
echo 'incorrect-code';
exit;
}
}else{
echo 'error';
exit;
}
?>
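Review bot: `echo 'success'` runs before `security::finishEmailVerification()`, so the client is told the address is verified even if that call fails; swap the two lines. The comparison `security::getEmailCode() == $emailCode` is loose — for numeric codes PHP compares `"0123"` and `"123"` as equal — and not constant-time; use `hash_equals((string) security::getEmailCode(), (string) $emailCode)`. As in the 2FA hunk there is no limit on wrong guesses inside the five-minute window; counting failures against `emailcodeTime` and clearing it after a few would close that.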


@ -0,0 +1,19 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] == false || $GLOBALS['userTable']['rank'] != 1) die("Access has been denied, if you believe you should have access please contact an administrator.");
?>
<script>
$(document).ready(function () {
var charactersAllowed = 30000;
$('textarea').keyup(function () {
var left = charactersAllowed - $(this).val().length;
$('#remainingC').html('<br>Characters left: ' + left);
if ($(this).val().length == 0) $("#remainingC").empty();
});
});
</script>
<script>$("#title").html("New Post <div style=\"float:right;color:#158cba;cursor:pointer\" onclick=\"loadMain();\">Back</div>");</script>
<div id="pStatus"></div>
<input type="text" class="form-control" placeholder="Post title" style="display:inline" maxlength="64"/><p id="remainingC" style="display:inline"></p>
<textarea rows="5" class="form-control" placeholder="Post content here" maxlength="30000"></textarea>
<button class="btn btn-primary" onclick="addPost();">Add Post</button>
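Review bot: The access-denied `die()` at the top answers with HTTP 200, so neither the client nor any monitoring can tell it apart from a rendered page; `http_response_code(403);` before the `die(...)` keeps the message and fixes the status. The `<input>` and `<textarea>` carry no `name` or `id`, so `addPost()` presumably selects them by class or tag — worth confirming, since any other `.form-control` on the page would match.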


@ -0,0 +1,17 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM blogposts ORDER BY id DESC");
$stmt->execute();
foreach($stmt as $result) {
$userSheet = context::getUserSheetByID($result['poster_uid']);
echo '<div class="well profileCard">
<div class="row">
<div class="col-xs-1"><div style="position: relative;border:solid 1px #158cba;height:50px;width:50px;height:50px;border-radius:50%;overflow: hidden;" class="img-circle"><img style="position: absolute;clip: rect(0px, 75px, 50px, 0);left:-18px" src="'.context::getUserImage($userSheet).'" height="100"></div></div>
<div class="col-xs-11">
<h4 onclick="loadPost('.$result['id'].');" style="margin-bottom:0px;color:#158cba;cursor:pointer">'.context::secureString($result['title']).'</h4>
<p>Posted by <a href="/user/profile/'.$userSheet['username'].'">'.$userSheet['username'].'</a>, '.context::humanTimingSince(strtotime($result['date'])).' ago</p>
</div>
</div>
</div>';
}
?>
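Review bot: `$userSheet['username']` is written into the `href` and the link text without escaping, while the title goes through `context::secureString`; registration restricts usernames to `[A-Za-z0-9_.]`, so this is defence in depth, but `'.context::secureString($userSheet['username']).'` keeps both output paths consistent. `context::getUserSheetByID` is not visible here and may return an empty result for a deleted poster, in which case the card renders with blank links; a guard that skips or labels such rows would avoid that.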


@ -0,0 +1,25 @@
<?php
if (!isset($_GET['id'])) die("Invalid post ID");
if (is_array($_GET['id'])) die("Invalid post ID");
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$postId = $_GET['id'];
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM blogposts WHERE id = :id");
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) die("Post not found");
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$userSheet = context::getUserSheetByID($result['poster_uid']);
$content = context::secureString($result['content']);
$content = preg_replace("/\s*[a-zA-Z\/\/:\.]*youtube.com\/watch\?v=([a-zA-Z0-9\-_]+)([a-zA-Z0-9\/\*\-\_\?\&\;\%\=\.]*)/i","<iframe width=\"420\" height=\"315\" src=\"//www.youtube.com/embed/$1\" frameborder=\"0\" allowfullscreen></iframe>", $content);
$content = preg_replace("/https?:\/\/[^ ]+?(?:\.jpg|\.png|\.gif)/",'<img class="img-responsive" src="$0">', $content);
$content = context::showBBcodes($content);
echo '<script>$("#title").html("'.context::secureString($result['title']).'<div style=\"float:right;color:#158cba;cursor:pointer\" onclick=\"loadMain();\">Back</div>");</script>
<div class="well profileCard">
<div class="row">
<div class="col-xs-2 center">'.context::getOnline($userSheet).'<a href="/user/profile/'.$userSheet['username'].'">'.$userSheet['username'].'</a><br><img width="300 height="300" class="img-responsive" style="display:inline" src="'.context::getUserImage($userSheet).'"></div>
<div class="col-xs-10">
<p style="margin-top:5px;word-wrap:break-word;">'.nl2br($content).'</p>
</div>
</div>
</div>';
?>
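Review bot: The `<img width="300 height="300"` attribute is missing its closing quote, so `width` swallows ` height=` and the height is lost; write `<img width="300" height="300" class="img-responsive" ...>`. The post title is placed inside a JavaScript string literal in `<script>$("#title").html("...")` with only HTML escaping (`context::secureString`), which is the wrong escaper for that context; `json_encode($result['title'], JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP)` produces a proper JS literal. `$postId` is bound as `PDO::PARAM_INT` but never checked to be an integer; `filter_var($_GET['id'], FILTER_VALIDATE_INT)` in place of the `is_array` test rejects junk before the query runs.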


@ -0,0 +1,73 @@
<?php
if (isset($_GET['type'])) {
$type = $_GET['type'];
if (is_array($type)) die("Something is wrong");
if ($type != "hats" and $type != "pants" and $type != "shirts" and $type != "decals" and $type != "heads" and $type != "faces" and $type != "tshirts" and $type != "gear") exit;
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) exit;
}else{
$page = 0;
}
if (isset($_GET['term'])) {
$term = $_GET['term'];
if (is_array($term)) {
exit;
}
}
if (is_array($page)) {
echo 'Something went wrong.';
exit;
}
$offset = $page*15;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
echo '<script>type = "'.$type.'";</script>';
if (isset($term) and strlen($term) > 0) {
$searchTermSQL = '%'.$term.'%';
if ($GLOBALS['loggedIn']) $stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE name LIKE :term AND approved = 1 AND type = :type ORDER BY id DESC LIMIT 16 OFFSET :offset");
if (!$GLOBALS['loggedIn']) $stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE name LIKE :term AND approved = 1 AND type = :type AND rbxasset = 0 ORDER BY id DESC LIMIT 16 OFFSET :offset");
$stmt->bindParam(':term', $searchTermSQL, PDO::PARAM_STR);
}else{
if ($GLOBALS['loggedIn']) $stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE type = :type AND buyable = 1 AND approved = 1 ORDER BY id DESC LIMIT 16 OFFSET :offset");
if (!$GLOBALS['loggedIn']) $stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE type = :type AND buyable = 1 AND approved = 1 AND rbxasset = 0 ORDER BY id DESC LIMIT 16 OFFSET :offset");
}
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->execute();
$count = 0;
echo '<div class="row center">';
foreach($stmt as $result) {
$count++;
if ($count < 16) {
echo '<div class="col-xs-12 col-sm-12 col-md-4"><div class="well profileCard" style="height:150px;margin-bottom:0px;border:0px;">';
echo '<img class="img-responsive" style="max-height:140px;max-width:140px;display:inline;" src="'.context::getItemThumbnailC($type, $result['assetid'], $result['datafile'], $result['fileHash'], $result['imgTime']).'">';
echo '</div>';
$itemName = context::secureString($result['name']);
if (strlen($itemName) >= 40) {
$itemName = substr($itemName, 0, 37). " ... ";
}
echo '<h5 style="float:left;">'.$itemName.'</h5>';
if ($result['type'] != "decals") {
if ($result['currencyType'] == 0) {
echo '<h5 style="color:green;float:right;"><span class="fa fa-money"></span> '.$result['price'].'</h5><br>';
}else{
echo '<h5 style="color:#158cba;float:right;"><span class="fa fa-gg-circle"></span> '.$result['price'].'</h5><br>';
}
}
echo '<a href="/catalog/item/'.$result['id'].'" class="btn btn-primary fullWidth" style="margin-bottom:10px;">Details</a>';
echo '</div>';
}
}
if ($count == 0) {
echo '<p>Nothing found</p>';
}
if ($count > 15) {
echo '<button class="btn btn-primary loadMore" onclick="loadMoreItems(\''.$type.'\', '.($page+1).'); page++;">Load More</button>';
}
echo '</div>';
}else{
echo 'An error occurred';
}
?>
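Review bot: `is_numeric($page)` also accepts `"-1"`, `"1.5"` and `"1e3"`, so `$offset = $page*15` can be negative or fractional before it is bound as `PDO::PARAM_INT`, which fails the query or shifts the page; validate with `$page = filter_var($page, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]); if ($page === false) exit;`. The search term is wrapped as `'%'.$term.'%'` without escaping `%` and `_`, so those characters act as wildcards in the LIKE — parameterised, so not an injection, but `addcslashes($term, '%_\\')` gives literal matching. `$page` is also echoed into the `loadMoreItems` onclick via `($page+1)`, which is only safe once it is guaranteed to be an integer.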


@ -0,0 +1,99 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['itemId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$itemId = $_POST['itemId'];
if (is_numeric($itemId) == false) die("error");
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($itemId) == 0 or is_array($itemId)) {
echo 'error';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM ownedItems WHERE uid=:id AND catalogid = :catid");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':catid', $itemId, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) {
$owned = true;
}else{
$owned = false;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE id=:id");
$stmt->bindParam(':id', $itemId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$owneruserID = $result['creator_uid'];
if ($owned == false and $result['buyable'] == 1 and $result['type'] !== "decals" and $result['approved'] == 1) {
if ($result['id'] != $itemId) {
echo 'error';
exit;
}
$canBuy = false;
if ($result['currencyType'] == 0) {
if ($result['price'] < $GLOBALS['userTable']['coins'] or $result['price'] == $GLOBALS['userTable']['coins']) {
$canBuy = true;
}
}
if ($result['currencyType'] == 1) {
if ($result['price'] < $GLOBALS['userTable']['posties'] or $result['price'] == $GLOBALS['userTable']['posties']) {
$canBuy = true;
}
}
if ($canBuy == true) {
if ($result['currencyType'] == 0) {
$newBalance = $GLOBALS['userTable']['coins']-$result['price'];
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET coins = :coins WHERE id = :user;");
$stmt->bindParam(':coins', $newBalance, PDO::PARAM_INT);
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
// If the buyer's account is over 1 week old, award the seller
$timeSince = round(abs(strtotime(context::getCurrentTime()) - strtotime($GLOBALS['userTable']['joinDate'])) / 60,2);
if ($timeSince > 10080) {
$awardPrice = round($result['price']/2);
// Get seller's current coins
$stmt = $GLOBALS['dbcon']->prepare("SELECT coins FROM users WHERE id=:id");
$stmt->bindParam(':id', $owneruserID, PDO::PARAM_INT);
$stmt->execute();
$resultSeller = $stmt->fetch(PDO::FETCH_ASSOC);
$currentSCoins = $resultSeller['coins'];
$newSCoins = $resultSeller['coins']+$awardPrice;
// Award the seller right here
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET coins = :coins WHERE id = :user;");
$stmt->bindParam(':coins', $newSCoins, PDO::PARAM_INT);
$stmt->bindParam(':user', $owneruserID, PDO::PARAM_INT);
$stmt->execute();
}
}else{
$newBalance = $GLOBALS['userTable']['posties']-$result['price'];
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET posties = :coins WHERE id = :user;");
$stmt->bindParam(':coins', $newBalance, PDO::PARAM_INT);
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
}
$stmt = $GLOBALS['dbcon']->prepare("INSERT INTO ownedItems (`uid`, `catalogid`, `type`, `rbxasset`) VALUES (:user, :itemid, :type, :rbxasset);");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':itemid', $result['id'], PDO::PARAM_INT);
$stmt->bindParam(':rbxasset', $result['rbxasset'], PDO::PARAM_INT);
$stmt->bindParam(':type', $result['type'], PDO::PARAM_STR);
$stmt->execute();
echo $newBalance;
}else{
echo 'error';
}
}else{
echo 'error';
}
}else{
echo 'error';
}
?>
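Review bot: The purchase debits the balance with an absolute value computed from `$GLOBALS['userTable']`, a snapshot taken when `includes.php` ran, and the ownership check, the debit and the `ownedItems` insert are separate autocommit statements; two overlapping requests for the same user can therefore both pass `$canBuy` against the same stale balance and both insert an owned row. Re-read and lock the buyer's row inside a transaction as below (or use `SET coins = coins - :price WHERE ... AND coins >= :price` and check the affected-row count, bearing in mind that PDO's default counts only changed rows, so a zero-price item would report none), and commit the debit and the insert together. The seller award has the same stale-read shape (`$resultSeller['coins']+$awardPrice`); `UPDATE users SET coins = coins + :award WHERE id = :user` avoids it. A unique index on `ownedItems(uid, catalogid)` would make the duplicate-ownership path fail at the database even without the transaction.
```php
// … unchanged: CSRF/login checks, $owned lookup, catalog SELECT, $canBuy …
if ($canBuy == true) {
    $db = $GLOBALS['dbcon'];
    // Column name comes from a fixed ternary, never from request data.
    $column = $result['currencyType'] == 0 ? 'coins' : 'posties';
    $db->beginTransaction();
    // Re-read and lock the buyer's row: $GLOBALS['userTable'] was loaded at include
    // time, so a concurrent purchase could otherwise spend the same balance twice.
    $stmt = $db->prepare("SELECT {$column} AS balance FROM users WHERE id = :user FOR UPDATE");
    $stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
    $stmt->execute();
    $balance = (int) $stmt->fetchColumn();
    if ($balance < $result['price']) {
        $db->rollBack();
        echo 'error';
        exit;
    }
    $newBalance = $balance - $result['price'];
    $stmt = $db->prepare("UPDATE users SET {$column} = :balance WHERE id = :user;");
    $stmt->bindParam(':balance', $newBalance, PDO::PARAM_INT);
    $stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
    $stmt->execute();
    // … unchanged: seller award for currencyType 0, ownedItems INSERT …
    $db->commit();
    echo $newBalance;
}
```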


@ -0,0 +1,81 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['itemId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$itemId = $_POST['itemId'];
if (is_numeric($itemId) == false) die("error");
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($itemId) == 0 or $GLOBALS['userTable']['rank'] == 0 or is_array($itemId)) {
echo 'error';
exit;
}
// Get item info again.
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE id=:id");
$stmt->bindParam(':id', $itemId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$fileHash = $result['fileHash'];
if ($result['type'] != "tshirts" and $result['type'] != "shirts" and $result['type'] != "pants" and $result['type'] != "decals") {
echo 'error';
exit;
}
// Make deleted true
$stmt = $GLOBALS['dbcon']->prepare("UPDATE catalog SET deleted = 1 WHERE fileHash = :id;");
$stmt->bindParam(':id', $fileHash, PDO::PARAM_STR);
$stmt->execute();
// Make item unbuyable
$stmt = $GLOBALS['dbcon']->prepare("UPDATE catalog SET buyable = 0 WHERE fileHash = :id;");
$stmt->bindParam(':id', $fileHash, PDO::PARAM_STR);
$stmt->execute();
// Set deleted true in owned items with the same file hash
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE fileHash = :id");
$stmt->bindParam(':id', $fileHash, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
$iID = $result['id'];
$stmt = $GLOBALS['dbcon']->prepare("UPDATE ownedItems SET deleted = 1 WHERE catalogid = :id;");
$stmt->bindParam(':id', $iID, PDO::PARAM_INT);
$stmt->execute();
}
// Delete the actual file
if ($result['type'] == "tshirts" || $result['type'] == "shirts" || $result['type'] == "pants" || $result['type'] == "decals") {
@unlink($_SERVER['DOCUMENT_ROOT'].'/data/assets/uploads/'.$result['fileHash']);
}
if ($result['type'] != "decals") {
// Remove from wearing
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE fileHash = :id");
$stmt->bindParam(':id', $fileHash, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
$iID2 = $result['id'];
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM wearing WHERE catalogId = :id");
$stmt->bindParam(':id', $iID2, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
// Delete and put a request up in the imageServer
$query = "DELETE FROM `wearing` WHERE `id`=:id";
$stmt = $GLOBALS['dbcon']->prepare($query);
$id = $result['id'];
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$uid = $result['uid'];
// Add request to imageServer
$query = "INSERT INTO renders (`render_id`, `type`) VALUES (:id, 'character');";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $uid, PDO::PARAM_INT);
$stmt->execute();
}
}
}
echo 'success';
}else{
echo 'error';
}
?>
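Review bot: The two `SELECT * FROM catalog WHERE fileHash = :id` lookups bind the SHA-512 hex string with `PDO::PARAM_INT` (the lines after the "Set deleted true in owned items" and "Remove from wearing" comments), while the UPDATE statements just above bind the same value as `PDO::PARAM_STR`; an integer binding of a non-numeric string degrades to `0`, and with MySQL's string-to-number comparison that can match rows whose hash does not start with a digit, so the wrong `ownedItems` and `wearing` rows are marked deleted. Both should read `$stmt->bindParam(':id', $fileHash, PDO::PARAM_STR);`. Separately, the CSRF check compares the token with loose `!=`; `if (!is_string($csrf) || !hash_equals((string) $GLOBALS['csrf_token'], $csrf)) { echo 'error'; exit; }` avoids numeric-string coercion and is constant-time — the same `!=` token comparison appears in every later POST handler in this commit (upload, pose, re-render, unwear, wear and the chat endpoints). Note also that `$result` is overwritten by the `foreach($stmt as $result)` loops, so the `unlink` branch reads the type of the last row iterated, not the requested item.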


@ -0,0 +1,223 @@
<?php
if (isset($_FILES['file']) and isset($_POST['itemName']) and isset($_POST['itemDescription']) and isset($_POST['itemType']) and isset($_POST['itemPrice']) and isset($_POST['csrf_token'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf_token'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) die("error");
// Variables
$uploadOk = false;
$itemType = $_POST['itemType'];
$itemPrice = $_POST['itemPrice'];
$itemName = $_POST['itemName'];
$description = $_POST['itemDescription'];
$itemName = preg_replace("/[^ \w]+/", "", $itemName);
$itemName = preg_replace('!\s+!', ' ', $itemName);
$description = preg_replace('!\s+!', ' ', $description);
// itemType check
if ($itemType == 0) {
$typeString = "shirts";
}elseif($itemType == 1) {
$typeString = "pants";
}elseif($itemType == 2) {
$typeString = "tshirts";
}elseif($itemType == 3) {
$typeString = "decals";
}else{
echo 'error';
exit;
}
// Error handling
if (strlen($itemName) > 32) {
echo 'name-too-long';
exit;
}
if (!preg_match("/^[\w*?!\/@#$%\^&*\(\) -]+$/", $itemName) == 1) {
die("name-too-short");
}
if (strlen($itemName) < 5) {
echo 'name-too-short';
exit;
}
if (strlen($description) > 128) {
echo 'description-too-long';
exit;
}
if (is_numeric($itemPrice) == false) die("price-too-low");
if ($itemPrice < 1 && $typeString != "decals") {
echo 'price-too-low';
exit;
}
if ($typeString == "decals") {
$itemPrice = 0;
}
// Check last upload date, if less than a minute return 'rate-limit'
$timeSince = round(abs(strtotime(context::getCurrentTime()) - strtotime($GLOBALS['userTable']['lastUpload'])) / 60,2);
if ($timeSince < 1) {
echo 'rate-limit';
exit;
}
// Get the latest assetID, if nothing, default to 1
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE type=:dbtype ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':dbtype', $typeString, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() == 0) {
$assetId = 1;
}else{
$assetId = $result['assetid']+1;
}
$uploadDirectory = $_SERVER['DOCUMENT_ROOT'].'/data/assets/uploads/';
// Check the file
$check = @getimagesize($_FILES["file"]["tmp_name"]);
list($width, $height) = @getimagesize($_FILES["file"]["tmp_name"]);
if ($width != 585 && $height != 559) {
if ($typeString == "shirts" or $typeString == "pants") {
echo 'incorrect-size';
exit;
}
}
if (!$check) {
echo 'no-image';
exit;
}
if ($_FILES["file"]["size"] > 1000000) {
echo 'file-too-large';
exit;
}
$imageFileType = pathinfo($_FILES['file']["name"], PATHINFO_EXTENSION);
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['file']['tmp_name']);
if ($imageFileType != "jpg" && $imageFileType != "JPG" && $imageFileType != "png" && $imageFileType != "PNG" && $imageFileType != "jpeg" && $imageFileType != "JPEG" && $mime != "image/png" && $mime != "image/jpeg") {
echo 'incorrect-extension';
exit;
}
if (exif_imagetype($_FILES['file']['tmp_name']) != IMAGETYPE_PNG && exif_imagetype($_FILES['file']['tmp_name']) != IMAGETYPE_JPEG) {
echo 'incorrect-extension';
exit;
}
// Check user balance, should be easy
if ($GLOBALS['userTable']['coins'] < 5) {
echo 'not-enough-coins';
exit;
}
// Check if the file hash is not in badHashes
$fileHash = hash_file('sha512', $_FILES["file"]["tmp_name"]);
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM badHashes WHERE hash=:fileHash");
$stmt->bindParam(':fileHash', $fileHash, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() > 0) {
echo 'bad-hash';
exit;
}
// Move the file to the right directory. Upload complete!
// Only move if it doesn't exist already.
if (!file_exists($uploadDirectory.$fileHash)) {
if (!move_uploaded_file($_FILES["file"]["tmp_name"], $uploadDirectory.$fileHash)) {
echo 'file-upload-error';
exit;
}
}
$newCoins = $GLOBALS['userTable']['coins']-5;
$stmt = $dbcon->prepare("UPDATE users SET coins = :coins WHERE id = :user;");
$stmt->bindParam(':coins', $newCoins, PDO::PARAM_INT);
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
// Set last upload to now, for security purposes.
$stmt = $dbcon->prepare("UPDATE users SET lastUpload = NOW() WHERE id = :user;");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
// Add to catalog. But keep un-approved until approved, of course, unless the hash is already approved.
// Check if any asset with the same hash is approved or not. Why approve the same file again?
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE fileHash=:fileHash ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':fileHash', $fileHash, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$approved = 0;
if ($result['approved'] == 1 && $result['fileHash'] == $fileHash && $result['deleted'] == 0) {
$approved = 1;
}
$stmt = $dbcon->prepare("INSERT INTO catalog (`price`, `creator_uid`, `assetid`, `name`, `description`, `type`, `approved`, `fileHash`) VALUES (:price, :user, :assetid, :name, :description, :type, :approved, :fileHash);");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':price', $itemPrice, PDO::PARAM_INT);
$stmt->bindParam(':type', $typeString, PDO::PARAM_STR);
$stmt->bindParam(':assetid', $assetId, PDO::PARAM_INT);
$stmt->bindParam(':name', $itemName, PDO::PARAM_STR);
$stmt->bindParam(':description', $description, PDO::PARAM_STR);
$stmt->bindParam(':approved', $approved, PDO::PARAM_INT);
$stmt->bindParam(':fileHash', $fileHash, PDO::PARAM_STR);
$stmt->execute();
if ($approved == 0) {
// Send the uploader a message so they can keep track of the progress of approval.
if ($typeString != "decals") {
$message = 'Your asset named <b>'.$itemName.'</b> is pending approval. You will receive another message after approval. Once approved, you will receive the item.';
}else{
$message = 'Your asset named <b>'.$itemName.'</b> is pending approval. You will receive another message after approval. Once approved, the decal will be visible in the catalog.';
}
}else{
$message = 'Your asset named <b>'.$itemName.'</b> has already been approved in the past. So, you can already make use of it and it is visible on the catalog.';
}
$title = 'Asset Approval for '.$itemName;
$query = "INSERT INTO messages (`recv_uid`, `sender_uid`, `title`, `content`) VALUES (:userId2, 10370, :title, :msg);";
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':userId2', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':msg', $message, PDO::PARAM_STR);
$stmt->bindParam(':title', $title, PDO::PARAM_STR);
$stmt->execute();
if ($approved == 1) {
if ($typeString == "shirts" or $typeString == "pants" or $typeString == "tshirts") {
$query = "INSERT INTO renders (`render_id`, `type`) VALUES (:id, :dbtype);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $assetId, PDO::PARAM_INT);
$stmt->bindParam(':dbtype', $typeString, PDO::PARAM_STR);
$stmt->execute();
}
// Get latest asset by this user
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM catalog WHERE creator_uid = :uid ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$catId = $result['id'];
if ($typeString != "decals") {
$query = "INSERT INTO ownedItems (`uid`, `catalogid`, `type`) VALUES (:uid, :catid, :type);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':catid', $catId, PDO::PARAM_INT);
$stmt->bindParam(':type', $typeString, PDO::PARAM_STR);
$stmt->execute();
}
}
// We're done! Yahoo!
echo $newCoins;
}else{
echo 'no-file';
}
?>
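Review bot: The dimension check `if ($width != 585 && $height != 559)` only rejects a shirt/pants template when both dimensions are wrong, so a 585×100 or 10×559 image is accepted; it should be `if ($width != 585 || $height != 559) {`. The `@getimagesize` result is used before the `if (!$check)` guard, so for a non-image `list($width, $height)` yields nulls and the size branch runs on them before the `no-image` exit — moving the `!$check` test above the size test avoids that. At the approval shortcut, `$stmt->fetch()` returns `false` when no catalog row carries this hash, and `$result['approved']` on `false` raises a warning; guard it with `if ($result !== false && $result['approved'] == 1 && $result['deleted'] == 0)`. The file also alternates between `$dbcon` and `$GLOBALS['dbcon']` for the same connection; picking one makes the handler safe to move into a function later.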


@ -0,0 +1,134 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] == false) {
exit;
}
if (isset($_GET['type'])) $type = $_GET['type'];
if (!isset($_GET['type'])) exit;
if (is_array($_GET['type'])) exit;
$title = "";
if ($type == "hats") {
$title = "Hats";
}
if ($type == "shirts") {
$title = "Shirts";
}
if ($type == "pants") {
$title = "Pants";
}
if ($type == "gear") {
$title = "Gear";
}
if ($type == "tshirts"){
$title = "T-Shirts";
}
if ($type == "faces") {
$title = "Faces";
}
if ($type == "torso") {
$title = "Torso";
}
if ($type == "leftleg") {
$title = "Left Leg";
}
if ($type == "leftarm") {
$title = "Left Arm";
}
if ($type == "rightleg") {
$title = "Right Leg";
}
if ($type == "rightarm") {
$title = "Right Arm";
}
if ($type == "heads") {
$title = "Heads";
}
if (strlen($title) == 0) die("error");
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) exit;
$offset = $page*6;
if ($page == 0){
$page = 0;
$offset = 0;
}
}else{
$page = 0;
$offset = 0;
}
if ($page < 0) exit;
$stmt = $GLOBALS['dbcon']->prepare("SELECT catalogid FROM ownedItems WHERE type = :type AND uid = :uid AND deleted=0 ORDER BY id DESC LIMIT 7 OFFSET :offset;");
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'No items found.';
}
$count = 0;
foreach($stmt as $resultOwned) {
$count++;
if ($count < 7) {
$wearing = false;
$disableWear = false;
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM wearing WHERE uid = :uid AND catalogid = :id");
$stmt->bindParam(':id', $resultOwned['catalogid'], PDO::PARAM_INT);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) {
$wearing = true;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM wearing WHERE uid = :uid AND type = :type");
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 4 and $type == "hats") {
$disableWear = true;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT deleted, name, type, datafile, assetid, id, fileHash, imgTime FROM catalog WHERE id = :id");
$stmt->bindParam(':id', $resultOwned['catalogid'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['deleted'] == 0) {
$itemName = $result['name'];
if (strlen($itemName) > 16) {
$itemName = substr($itemName, 0, 13) . '...';
}
echo '<div class="col-md-4 col-sm-4 col-xs-12 Center"><div style="box-shadow:none;height:170px;">'.htmlentities($itemName, ENT_QUOTES, "UTF-8").'<br>';
echo '<img style="max-height:100px;display:inline" class="img-responsive" src="'.context::getItemThumbnailC($type, $result['assetid'], $result['datafile'], $result['fileHash'], $result['imgTime']).'">';
if ($wearing == true) {
echo '<br><button class="btn btn-primary" name="unwear" onclick="removeItem('.$result['id'].', \''.$result['type'].'\', '.$page.');">Unwear</button>';
}else{
if ($disableWear == false) {
echo '<br><button class="btn btn-primary" name="wear" onclick="wearItem('.$result['id'].', \''.$result['type'].'\', '.$page.');">Wear</button>';
}else{
echo '<br><a class="btn btn-primary disabled">Wear</a>';
}
}
echo '</div></div>';
}
}
}
echo '<div style="margin-left:15px;margin-right:15px;"><div class="btn-group btn-group-justified">';
if ($page > 0) {
echo '<a class="btn fullWidth" onclick="loadPage(\''.$type.'\', '.($page-1).')">&laquo; Previous</a>';
}
if ($count > 6) {
echo '<a class="btn fullWidth" onclick="loadPage(\''.$type.'\', '.($page+1).')">Next &raquo;</a>';
}
if ($count == 0 and $page > 0) {
exit;
}
echo '</div></div>';
?>
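Review bot: `is_numeric($page)` accepts `1.5`, `1e2` and leading-whitespace strings, so `$offset = $page*6` can become a fractional or huge value that is then bound with `PDO::PARAM_INT` and `$page` is echoed into the `loadPage(...)` and `wearItem(...)` JavaScript calls in that non-integer form. Validating as an integer is tighter: `$page = filter_var($_GET['page'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]); if ($page === false) exit;`, which also replaces the separate `$page < 0` exit. The same `is_numeric` pagination appears in the next file (the wearing list), which should get the identical change. Stylistically, the twelve `if ($type == ...)` blocks mapping type to title are a lookup table; `$titles = ['hats' => 'Hats', ...]; $title = $titles[$type] ?? '';` keeps the whitelist in one place.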


@ -0,0 +1,93 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] == false) {
exit;
}
if (isset($_GET['type'])) {
$type = $_GET['type'];
}else{
exit;
}
if ($type == "hats") {
$title = "Hats";
}
if ($type == "shirts") {
$title = "Shirts";
}
if ($type == "pants") {
$title = "Pants";
}
if ($type == "gear") {
$title = "Gear";
}
if ($type == "tshirts"){
$title = "T-Shirts";
}
if ($type == "faces") {
$title = "Faces";
}
if ($type == "torso") {
$title = "Torso";
}
if ($type == "leftleg") {
$title = "Left Leg";
}
if ($type == "leftarm") {
$title = "Left Arm";
}
if ($type == "rightleg") {
$title = "Right Leg";
}
if ($type == "rightarm") {
$title = "Right Arm";
}
if ($type == "heads") {
$title = "Heads";
}
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) exit;
$offset = $page*6;
if ($page == 0){
$page = 0;
$offset = 0;
}
}else{
$page = 0;
$offset = 0;
}
if ($page < 0) {
exit;
}
if (strlen($title) == 0) die("error");
$stmt = $GLOBALS['dbcon']->prepare("SELECT catalogId FROM wearing WHERE uid = :uid AND type = :type");
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'You are not wearing any item.';
}
foreach($stmt as $resultWearing) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, deleted, datafile, type, assetid, name, fileHash, imgTime FROM catalog WHERE id = :id;");
$stmt->bindParam(':id', $resultWearing['catalogId'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['deleted'] == 0) {
$itemName = $result['name'];
if (strlen($itemName) > 16) {
$itemName = substr($itemName, 0, 13) . '...';
}
echo '<div class="col-md-4 col-sm-4 col-xs-12 Center"><div style="box-shadow:none;height:170px;">'.htmlentities($itemName, ENT_QUOTES, "UTF-8").'<br>';
echo '<img style="max-height:100px;display:inline" class="img-responsive" src="'.context::getItemThumbnailC($type, $result['assetid'], $result['datafile'], $result['fileHash'], $result['imgTime']).'">';
echo '<br><button class="btn btn-primary" name="unwear" onclick="removeItem('.$result['id'].', \''.$result['type'].'\', '.$page.');">Unwear</button>';
echo '</div></div>';
}
}
?>
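Review bot: `$title` is never initialised before the chain of `if ($type == ...)` assignments, so an unrecognised `type` reaches `strlen($title)` with an undefined variable — a warning plus, under PHP 8.1+, a deprecation for passing `null` to `strlen` — before the `die("error")` fires. The previous file in this commit sets `$title = "";` first; add the same line before the first `if ($type == "hats")`. Since `$type` is only whitelisted through this title mapping, that initialisation is what makes the whitelist reliable rather than a cosmetic fix.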


@ -0,0 +1,24 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['pose'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$pose = $_POST['pose'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($pose) == 0) die("error");
$poseID = 0;
if ($pose == "walking") $poseID = 1;
if ($pose == "sitting") $poseID = 2;
if ($pose == "overlord") $poseID = 3;
if ($pose == "normal") $poseID = 0;
$query = "UPDATE users SET charap = :pose WHERE id = :uid";
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':pose', $poseID, PDO::PARAM_INT);
$stmt->execute();
context::requestImage($GLOBALS['userTable']['id'], "character");
}else{
echo 'error';
}
?>
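Review bot: An unrecognised `pose` value is silently stored as `0` (the `$poseID = 0` default) rather than rejected, and `strlen($pose)` throws a `TypeError` under PHP 8 when the client submits `pose[]=x`, because `$_POST['pose']` is an array. A `match` expression covers both: `$poseID = match ($pose) { "normal" => 0, "walking" => 1, "sitting" => 2, "overlord" => 3, default => die("error") };` preceded by `if (!is_string($pose)) die("error");`. The success path also emits nothing, whereas every other branch in these handlers prints a status string; echoing `'success'` keeps the client contract consistent.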


@ -0,0 +1,11 @@
<?php
if (isset($_POST['csrf'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) die("error");
context::requestImage($GLOBALS['userTable']['id'], "character");
}else{
echo 'error';
}
?>


@ -0,0 +1,21 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['itemId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($_POST['csrf'] != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) exit;
$catalogId = $_POST['itemId'];
if (is_array($catalogId)) exit;
if (strlen($catalogId) == 0) exit;
if (is_numeric($catalogId) == false) exit;
$stmt = $GLOBALS['dbcon']->prepare("DELETE FROM wearing WHERE catalogId=:id AND uid=:user");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':id', $catalogId, PDO::PARAM_INT);
$stmt->execute();
$query = "INSERT INTO renders (`render_id`, `type`) VALUES (:uid, 'character');";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
}
?>


@ -0,0 +1,81 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['itemId']) and isset($_POST['type'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($_POST['csrf'] != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
exit;
}
$type = $_POST['type'];
if (is_array($type)) exit;
if (strlen($type) == 0) exit;
$catalogId = $_POST['itemId'];
if (is_array($catalogId)) exit;
if (strlen($catalogId) == 0) exit;
if (is_numeric($catalogId) == false) exit;
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM wearing WHERE uid = :uid AND catalogid = :id");
$stmt->bindParam(':id', $catalogId, PDO::PARAM_INT);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) {
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM ownedItems WHERE catalogId = :id AND uid = :uid");
$stmt->bindParam(':id', $catalogId, PDO::PARAM_INT);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, deleted, assetid, datafile FROM catalog WHERE id = :id");
$stmt->bindParam(':id', $catalogId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['deleted'] == 1) {
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM wearing WHERE uid = :uid AND type = :type");
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$resultcheck = $stmt->fetch(PDO::FETCH_ASSOC);
if ($type == "hats") {
if ($stmt->rowCount() == 5) {
exit;
}
}else{
if ($stmt->rowCount() > 0) {
$stmt = $GLOBALS['dbcon']->prepare("DELETE FROM wearing WHERE catalogId=:id AND uid=:user");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':id', $resultcheck['catalogId'], PDO::PARAM_INT);
$stmt->execute();
}
}
if ($type == "hats" or $type == "gear" or $type == "faces" or $type == "heads") {
$aprString = "http://xdiscuss.net/data/assets/".$type."/models/".$result['datafile'];
}
if ($type == "shirts" or $type == "pants" or $type == "tshirts") {
$aprString = "http://xdiscuss.net/data/assets/".$type."/models/get.php?id=".$result['assetid'];
}
if ($type == "torso" or $type == "leftarm" or $type == "leftleg" or $type == "rightarm" or $type == "rightleg") {
$aprString = "http://xdiscuss.net/data/assets/package/models/".$result['datafile'];
}
$stmt = $GLOBALS['dbcon']->prepare("INSERT INTO wearing (`uid`, `catalogid`, `type`, `aprString`) VALUES (:user, :itemid, :type, :aprString);");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':itemid', $catalogId, PDO::PARAM_INT);
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$stmt->bindParam(':aprString', $aprString, PDO::PARAM_STR);
$stmt->execute();
$query = "INSERT INTO renders (`render_id`, `type`) VALUES (:uid, 'character');";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':uid', $_COOKIE['auth_uid'], PDO::PARAM_INT);
$stmt->execute();
exit;
}
?>
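Review bot: `$type` comes straight from `$_POST['type']` and is never compared with the catalog row's real type, so the per-type slot logic (the five-hat limit and the replace-existing-item branch) is keyed on a client-chosen string while ownership is checked only by `catalogId`; a user can submit a hat with `type=gear` and bypass the limit, or leave `$aprString` undefined for an unknown type and insert a null. Fetch the type with the item and reject mismatches: change the select to `SELECT id, deleted, assetid, datafile, type FROM catalog WHERE id = :id` and add `if ($result === false || $result['type'] !== $type) exit;` after the fetch. The render request at the end binds `$_COOKIE['auth_uid']` — a client-controlled cookie — where every other statement in this file uses `$GLOBALS['userTable']['id']`; it should be `$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);` so a user cannot queue renders for arbitrary ids.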


@ -0,0 +1,49 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if (isset($_POST['chatName']) && isset($_POST['csrfToken']) && $GLOBALS['loggedIn']) {
$chatName = $_POST['chatName'];
$csrfToken = $_POST['csrfToken'];
if ($csrfToken != $GLOBALS['csrf_token']) {
die("error");
}
if (strlen($chatName) == 0) die("no-name");
if (strlen($chatName) > 64) die("chat-name-too-long");
if (context::getTimeSince($GLOBALS['userTable']['lastUpload']) < 5) {
die("rate-limit");
}
$stmt = $GLOBALS['dbcon']->prepare('UPDATE users SET lastUpload = NOW() WHERE id = :uid;');
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$chatKey = context::random_str(32);
$chatJoinKey = context::random_str(8);
$stmt = $GLOBALS['dbcon']->prepare("INSERT INTO chat_sessions (`chatName`, `chatKey`, `chatJoinKey`) VALUES (:chatName, :chatKey, :chatJoinKey);");
$stmt->bindParam(':chatName', $chatName, PDO::PARAM_STR);
$stmt->bindParam(':chatKey', $chatKey, PDO::PARAM_STR);
$stmt->bindParam(':chatJoinKey', $chatJoinKey, PDO::PARAM_STR);
$stmt->execute();
$query = "SELECT id, chatName, chatKey FROM chat_sessions WHERE chatKey = :chatKey";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':chatKey', $chatKey, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$chatID = $result['id'];
$stmt = $GLOBALS['dbcon']->prepare("INSERT INTO chat_members (`chat_id`, `userId`, `rank`) VALUES (:chatId, :userId, 1);");
$stmt->bindParam(':chatId', $chatID, PDO::PARAM_STR);
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$rows[] = array('chat_id' => $result['id'],
'chatName' => context::secureString($result['chatName']),
'chatKey' => context::secureString($result['chatKey']));
die(json_encode($rows));
}else{
die("error");
}
?>
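Review bot: The new chat's id is recovered by re-selecting on `chatKey` right after the INSERT, which costs a round trip and relies on `chatKey` being unique; `$chatID = (int) $GLOBALS['dbcon']->lastInsertId();` is the direct form, after which the SELECT can be dropped or reduced to the `chatName`/`chatKey` values already held in `$chatName`/`$chatKey`. The member INSERT then binds `$chatID` with `PDO::PARAM_STR` although it is an integer key everywhere else in this commit — use `PDO::PARAM_INT`. `$rows[]` is appended to a variable that was never initialised; `$rows = [];` before it matches the list-chats handler.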


@ -0,0 +1,27 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] && isset($_GET['id'])) {
$id = $_GET['id'];
// Check if current user belongs to the chat.
$stmt = $GLOBALS['dbcon']->prepare('SELECT id FROM chat_members WHERE userId = :userId AND chat_id = :id');
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) die("error");
$stmt = $GLOBALS['dbcon']->prepare('SELECT chatName, chatJoinKey FROM chat_sessions WHERE id = :chatID');
$stmt->bindParam(':chatID', $id, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$stmt = $GLOBALS['dbcon']->prepare('SELECT id FROM chat_members WHERE chat_id = :chatID');
$stmt->bindParam(':chatID', $id, PDO::PARAM_INT);
$stmt->execute();
$chatMemberCount = $stmt->rowCount();
$rows[] = array('chatMembers' => $chatMemberCount, 'chatName' => context::secureString($result['chatName']), 'joinKey' => context::secureString($result['chatJoinKey']));
die(json_encode($rows));
}else{
die("error");
}
?>


@ -0,0 +1,23 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn']) {
$stmt = $GLOBALS['dbcon']->prepare('SELECT chat_id FROM chat_members WHERE userId = :userId');
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$rows = array();
foreach($stmt as $result) {
$chatID = $result['chat_id'];
$stmtChat = $GLOBALS['dbcon']->prepare('SELECT id, chatName, chatKey FROM chat_sessions WHERE id = :chatID');
$stmtChat->bindParam(':chatID', $chatID, PDO::PARAM_INT);
$stmtChat->execute();
foreach($stmtChat as $resultChat) {
$rows[] = array('chat_id' => $resultChat['id'],
'chatName' => context::secureString($resultChat['chatName']),
'chatKey' => context::secureString($resultChat['chatKey']));
}
}
die(json_encode($rows));
}else{
die("error");
}
?>
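Review bot: The inner `SELECT ... FROM chat_sessions WHERE id = :chatID` is executed once per membership row, an N+1 pattern that a single join replaces: `SELECT s.id, s.chatName, s.chatKey FROM chat_sessions s JOIN chat_members m ON m.chat_id = s.id WHERE m.userId = :userId`. The result rows then feed the existing `$rows[]` mapping unchanged. This is a style and cost point only; the output is identical.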


@ -0,0 +1,51 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] && isset($_GET['id']) && isset($_GET['timestamp'])) {
$id = $_GET['id'];
$timestamp = $_GET['timestamp'];
// Check if current user belongs to the chat.
$stmt = $GLOBALS['dbcon']->prepare('SELECT id FROM chat_members WHERE userId = :userId AND chat_id = :id');
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) api::returnString("error");
$stmtChat = $GLOBALS['dbcon']->prepare('SELECT * FROM chat_messages WHERE chat_id = :chatID AND date > :timestamp');
$stmtChat->bindParam(':chatID', $id, PDO::PARAM_INT);
$stmtChat->bindParam(':timestamp', $timestamp, PDO::PARAM_INT);
$stmtChat->execute();
$rows = array();
foreach($stmtChat as $resultChat) {
$stmt = $GLOBALS['dbcon']->prepare('SELECT id, username, rank FROM users WHERE id = :userId');
$stmt->bindParam(':userId', $resultChat['userId'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$setRight = false;
if ($result['username'] == $GLOBALS['userTable']['username']) $setRight = true;
if ($result['rank'] > 0) {
$color = "red";
$rank = 1;
}else{
$color = "black";
$rank = 0;
}
$message = context::secureString($resultChat['message']);
$message = context::parseEmoticon($message);
$rows[] = array('messageId' => $resultChat['id'],
'userId' => $resultChat['userId'],
'username' => $result['username'],
'staff' => $rank,
'setRight' => $setRight,
'userColor' => $color,
'date' => $resultChat['date'],
'userID' => $result['id'],
'message' => $message);
}
// Get all chat messages
die(json_encode($rows));
}else{
die("error");
}
?>
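Review bot: The membership check ends with `api::returnString("error")` where every sibling handler uses `die("error")`; unless `api::returnString` is known to terminate the script (it is not visible here), a non-member falls through and the message query still runs and is returned. Make the termination explicit: `if ($stmt->rowCount() == 0) { api::returnString("error"); exit; }`. The per-message `SELECT id, username, rank FROM users` is another N+1 that a join on `chat_messages.userId = users.id` would remove, and `$timestamp` is passed through unvalidated — harmless with the `PARAM_INT` binding, but an `is_numeric`/`FILTER_VALIDATE_INT` check would fail fast instead of silently coercing to `0` and returning the whole history.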


@ -0,0 +1,34 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] && isset($_GET['chatId'])) {
$chatId = $_GET['chatId'];
if (is_array($chatId)) exit;
$stmt = $GLOBALS['dbcon']->prepare('SELECT lastType, userId FROM chat_members WHERE chat_id = :chatID');
$stmt->bindParam(':chatID', $chatId, PDO::PARAM_INT);
$stmt->execute();
$rows_typing = array();
$usernames = array();
$count = 0;
foreach($stmt as $result) {
if (context::getTimeSince($result['lastType']) < 0.06 && $result['userId'] != $GLOBALS['userTable']['id']) {
$count++;
$username = context::IDToUsername($result['userId']);
$usernames[] = $username;
}
}
if ($count == 0) {
$mode = "none";
}else if ($count < 3) {
$mode = "showTyping";
}else {
$mode = "severalTyping";
}
$rows_typing[] = array('usernames' => $usernames, 'mode' => $mode);
$json = context::jsonToSingle(json_encode($rows_typing));
die($json);
}else{
die("error");
}
?>
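Review bot: This endpoint reads `chat_members` for any `chatId` without verifying that the caller belongs to the chat, unlike the chat-info and chat-messages handlers in this commit, which check `chat_members` for the current user first; any logged-in user can therefore poll typing state and member usernames of chats they are not in. Add the same guard before the typing query, and validate `$chatId` as an integer rather than only rejecting arrays.

```php
$chatId = filter_var($_GET['chatId'], FILTER_VALIDATE_INT);
if ($chatId === false) exit;
$stmt = $GLOBALS['dbcon']->prepare('SELECT id FROM chat_members WHERE userId = :userId AND chat_id = :id');
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':id', $chatId, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) die("error");
// … unchanged: lastType query and typing-mode computation …
```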


@ -0,0 +1,49 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/libs/aes/GibberishAES.php';
if (isset($_POST['chatCode']) && isset($_POST['csrfToken']) && $GLOBALS['loggedIn']) {
$chatCode = $_POST['chatCode'];
$csrfToken = $_POST['csrfToken'];
if ($csrfToken != $GLOBALS['csrf_token']) die("error");
if (strlen($chatCode) == 0) die("no-code");
if (strlen($chatCode) > 64) die("chat-code-too-long");
$query = "SELECT id, chatJoinKey, chatName, chatKey FROM chat_sessions WHERE chatJoinKey = :chatKey";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':chatKey', $chatCode, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 0) die("invalid-code");
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$chatID = $result['id'];
$chatKey = $result['chatKey'];
$query = "SELECT id FROM chat_members WHERE chat_id = :chatId AND userId = :userId";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':chatId', $chatID, PDO::PARAM_INT);
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) die("already-in");
$stmt = $GLOBALS['dbcon']->prepare("INSERT INTO chat_members (`chat_id`, `userId`, `rank`) VALUES (:chatId, :userId, 0);");
$stmt->bindParam(':chatId', $chatID, PDO::PARAM_INT);
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$time = time();
$message = $GLOBALS['userTable']['username'].' has joined';
$stmt = $GLOBALS['dbcon']->prepare("INSERT INTO chat_messages (`chat_id`, `userId`, `message`, `bot`, `date`) VALUES (:chatId, 0, :message, 1, :time);");
$stmt->bindParam(':chatId', $chatID, PDO::PARAM_INT);
$stmt->bindParam(':message', $message, PDO::PARAM_STR);
$stmt->bindParam(':time', $time, PDO::PARAM_INT);
$stmt->execute();
$rows[] = array('chat_id' => $result['id'],
'chatName' => context::secureString($result['chatName']),
'chatKey' => context::secureString($result['chatKey']));
die(json_encode($rows));
}else{
die("error");
}
?>
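Review bot: Joining is gated solely on guessing `chatJoinKey`, an 8-character value from `context::random_str` (alphabet not visible here), and this handler has no throttle, whereas chat creation reuses the `lastUpload` rate-limit; repeated `invalid-code` attempts are free, so a guard such as `if (context::getTimeSince($GLOBALS['userTable']['lastUpload']) < 0.05) die("rate-limit");` plus the corresponding `lastUpload = NOW()` update would bound guessing. The `GibberishAES.php` include is never used in this file and should be removed. `$rows[]` is appended to an uninitialised variable; add `$rows = [];` as the list handler does.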


@ -0,0 +1,41 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if (isset($_POST['message']) && isset($_POST['chatId']) && isset($_POST['csrfToken']) && $GLOBALS['loggedIn']) {
$csrfToken = $_POST['csrfToken'];
$message = $_POST['message'];
$chatId = $_POST['chatId'];
if ($csrfToken != $GLOBALS['csrf_token']) die("error");
// Check if the chatId is valid and if the chat exists, also obtain decryption/encryption key
$stmt = $GLOBALS['dbcon']->prepare('SELECT id, chatKey FROM chat_sessions WHERE id = :chatId');
$stmt->bindParam(':chatId', $_POST['chatId'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) die("error");
$result = $stmt->fetch(PDO::FETCH_ASSOC);
// Check if everything matches up
if (strlen($message) > 128) die("message-too-long");
if (strlen($message) < 1) die("message-too-short");
// Also check if the current user is indeed in the chat.
$stmt = $GLOBALS['dbcon']->prepare('SELECT id FROM chat_members WHERE userId = :userId AND chat_id = :id');
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':id', $chatId, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) die("error");
// If we're still here, we can go and add the message, encrypt message again
$time = time();
$stmt = $GLOBALS['dbcon']->prepare("INSERT INTO chat_messages (`chat_id`, `userId`, `message`, `date`) VALUES (:chatId, :userId, :message, :timestamp);");
$stmt->bindParam(':chatId', $chatId, PDO::PARAM_INT);
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':message', $message, PDO::PARAM_STR);
$stmt->bindParam(':timestamp', $time, PDO::PARAM_INT);
$stmt->execute();
die("success");
}else{
die("error");
}
?>
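Review bot: The comments "also obtain decryption/encryption key" and "encrypt message again" describe encryption the code does not perform — `$result` (with `chatKey`) is fetched and never used, and the message is stored verbatim; either drop the fetch and rewrite the comments as `// Confirm the chat exists` and `// Store the message`, or implement what they promise. `$message` and `$chatId` are not type-checked before `strlen`/binding, so `message[]=x` raises a `TypeError` under PHP 8; add `if (!is_string($message) || !is_string($chatId)) die("error");`. There is also no per-user send throttle, unlike the upload and create-chat handlers in this commit.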


@ -0,0 +1,17 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if (isset($_POST['csrfToken']) && $GLOBALS['loggedIn'] && isset($_POST['chatId'])) {
$csrfToken = $_POST['csrfToken'];
$chatId = $_POST['chatId'];
if ($csrfToken != $GLOBALS['csrf_token']) die("error");
$query = "UPDATE `chat_members` SET `lastType`=NOW() WHERE `chat_id`=:chatId AND `userId`=:userId;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':chatId', $chatId, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 0) die("error");
die("success");
}else{
die("error");
}
?>
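Review bot: `chatId` is bound as `PDO::PARAM_STR` here while the same `chat_id` column is bound as `PDO::PARAM_INT` in the send-message handler; with emulated prepares this changes how the value is quoted and lets a non-numeric string reach the comparison, so use `$stmt->bindParam(':chatId', $chatId, PDO::PARAM_INT);` and reject arrays first with `if (is_array($chatId)) die("error");`. The `rowCount() == 0` test after the UPDATE is also fragile: under MySQL's default affected-rows semantics an UPDATE that leaves the row unchanged reports zero rows, and since `lastType=NOW()` has second resolution two typing pings within the same second would answer "error" although the user is in the chat — presumably unintended. If the intent is to verify membership, check it with a SELECT on `chat_members` as the send-message hunk does, and accept zero affected rows from the UPDATE.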



@ -0,0 +1,18 @@
<?php
if (isset($_GET['id'])) {
$forumId = $_GET['id'];
if (is_array($forumId)) exit;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$stmt = $GLOBALS['dbcon']->prepare('SELECT name, id FROM forums WHERE id = :id;');
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() == 0) exit;
echo '<script>$(".modalUsername").html("Search in '.context::secureString($result['name']).'")</script>';
echo '<div id="searchError"></div>';
echo '<div class="form-group"><div class="input-group"><input type="text" class="form-control" id="searchboxValue" placeholder="Enter something"></input><span class="input-group-btn"><button class="btn btn-primary" type="button" onclick="doSearch('.$result['id'].');">Search</button></span></div></div>';
echo '<p>Using this utility, you can search for posts. Just enter something and our system will search for you</p>';
}else{
echo 'An error occurred';
}
?>
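Review bot: The forum name is embedded in a JavaScript string literal inside `<script>` (`$(".modalUsername").html("Search in ...")`) through `context::secureString`, which, if it is an HTML escaper, is not the right escaper for a JS string context: backslashes and line terminators pass through unchanged. Emitting the value with `json_encode($result['name'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS)` in place of the hand-built quoted literal yields a valid JS string for every input; the mini-profile hunk builds the same `$(".modalUsername").html('...')` call and has the same concern. Minor: `input` is a void element, so the `</input>` closing tag is invalid HTML.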


@ -0,0 +1,15 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$stmt = $dbcon->prepare("SELECT name, id FROM catagories WHERE developer = 0");
$stmt->execute();
foreach($stmt as $result) {
echo '<h3 style="font-size:18px">'.context::secureString($result['name']).'</h3><ul>';
$stmt = $dbcon->prepare("SELECT id, name FROM forums WHERE catid = :id");
$stmt->bindParam(':id', $result['id'], PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
echo '<li><p><a onclick="loadForum('.$result['id'].')">'.context::secureString($result['name']).'</a></p></li>';
}
echo '</ul>';
}
?>
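Review bot: The inner query reuses `$stmt` and `$result` — the variables of the enclosing `foreach($stmt as $result)` — which works only because `foreach` keeps iterating the original statement object after `$stmt` is reassigned, and it makes the category row unreadable once the inner loop starts. Give the inner pair their own names, e.g. `$forumStmt = $dbcon->prepare("SELECT id, name FROM forums WHERE catid = :id");` and `foreach ($forumStmt as $forum)`, and since the statement executes immediately, `bindValue(':id', $result['id'], PDO::PARAM_INT)` is clearer than binding a reference into the loop variable. This file also uses the bare `$dbcon` where the sibling handlers use `$GLOBALS['dbcon']`; both resolve at file scope, but the mix reads as an oversight.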


@ -0,0 +1,34 @@
<?php
if (isset($_GET['id'])) {
$username = $_GET['id'];
if (is_array($username)) {
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$stmt = $GLOBALS['dbcon']->prepare('SELECT id, imgTime, username, banned, lastSeen, rank, posts FROM users WHERE username = :username;');
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() == 0 or $result['banned'] == 1) {
echo 'User not found or suspended';
echo '<script>$(".modalUsername").html("")</script>';
exit;
}
echo '<script>$(".modalUsername").html(\''.context::getOnline($result).' '.context::secureString($result['username']).'\')</script>';
echo '<img width="150 height="150" class="img-responsive" style="display:inline" src="'.context::getUserImage($result).'">';
if ($result['rank'] == 1) {
echo '<p style="color:#158cba;margin:0 0 0px"><span class="fa fa-bookmark"></span> <b>Administrator</b></p>';
}
if ($result['rank'] == 2) {
echo '<p style="color:#28b62c;margin:0 0 0px"><span class="fa fa-gavel"></span> <b>Moderator</b></p>';
}
echo '<p><b>Posts</b>: '.$result['posts'].'</p>';
echo '<div class="btn-group btn-group-justified"><a class="btn" href="/user/profile/'.context::secureString($result['username']).'">Full Profile</a>';
if ($GLOBALS['loggedIn'] == true && $GLOBALS['userTable']['username'] != $result['username']) {
echo '<a class="btn" href="/user/messages+'.context::secureString($result['username']).'">Send Message</a>';
}
echo '</div>';
}else{
echo 'An error occurred';
}
?>
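Review bot: The avatar tag is malformed — `'<img width="150 height="150" class="img-responsive" ...'` is missing the closing quote after the first `150`, so the browser reads the width attribute as `150 height=` and `150"` as a stray token; it should be `'<img width="150" height="150" class="img-responsive" style="display:inline" src="'.context::getUserImage($result).'">'`. The login check `$GLOBALS['loggedIn'] == true` is a loose comparison that the other hunks write as plain `$GLOBALS['loggedIn']`; either is fine, but pick one form. The rank-to-label mapping (1 = Administrator, 2 = Moderator) is repeated in the forum-view hunk with different markup; a single helper in `context` would keep the two in step.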


@ -0,0 +1,195 @@
<?php
if (isset($_GET['id'])) {
$id = $_GET['id'];
if (is_array($id)) exit;
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) exit;
}else{
$page = 0;
}
if (is_array($page)) die("Something went wrong");
if (isset($_GET['keyword']) && strlen($_GET['keyword']) > 0) {
$keyword = $_GET['keyword'];
if (is_array($keyword)) exit;
$searchTermSQL = '%'.$keyword.'%';
}
$offset = $page*25;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($page == 0) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, posts, replies, name, description, locked FROM forums WHERE id = :fId AND developer = 0");
$stmt->bindParam(':fId', $id, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'Forum not found';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$id = $result['id'];
echo '<div class="nav navbar-nav navbar-right" style="margin-right:15px;">';
echo '<b>Posts</b>: '.$result['posts'].'&nbsp;&nbsp;&nbsp;';
echo '<b>Replies</b>: '.$result['replies'];
echo '</div>';
echo '<h3>'.context::secureString($result['name']).'</h3>';
echo '<div class="nav navbar-nav navbar-right" style="margin-right:15px;">';
if (!isset($keyword) && $GLOBALS['loggedIn']) echo '<button class="btn btn-primary" style="margin:-10px 20px 0px;" onclick="search('.$result['id'].')">Search</button>';
if (!isset($keyword) && $GLOBALS['loggedIn'] == false) echo '<button class="btn btn-primary" style="margin:-10px -15px 0px;" onclick="search('.$result['id'].')">Search</button>';
if (isset($keyword) && $GLOBALS['loggedIn']) echo '<button class="btn btn-primary" style="margin:-10px 20px 0px;" onclick="loadForum('.$result['id'].')">Reset</button>';
if (isset($keyword) && $GLOBALS['loggedIn'] == false) echo '<button class="btn btn-primary" style="margin:-10px -15px 0px;" onclick="loadForum('.$result['id'].')">Reset</button>';
if ($GLOBALS['loggedIn']) {
if ($result['locked'] == 0) {
echo '<button class="btn btn-primary" style="margin:-10px -15px 0px;" onclick="newPost('.$result['id'].')">New Post</button>';
}else{
if ($GLOBALS['userTable']['rank'] == 1) {
echo '<button class="btn btn-primary" style="margin:-10px -15px 0px;" onclick="newPost('.$result['id'].')">New Post</button>';
}
}
}
echo '</div>';
if (!isset($keyword)) echo '<p>'.context::secureString($result['description']).'</p>';
if (isset($keyword)) echo '<p><b>Searching by name</b>: '.context::secureString($_GET['keyword']).'</p>';
}else{
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM forums WHERE id = :fId");
$stmt->bindParam(':fId', $id, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'Forum not found';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$id = $result['id'];
}
function showLockedStatus($locked) {
if ($locked == 1) {
return '<span class="fa fa-lock"></span>';
}
}
function showPinStatus() {
return '<span class="fa fa-thumb-tack"></span>';
}
// Pinned posts
if ($page == 0 && !isset($keyword)) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, author_uid, postTime, lastActivity, views, replies, title FROM topics WHERE forumId = :fId AND pinned = 1 ORDER BY lastActivity ASC");
$stmt->bindParam(':fId', $id, PDO::PARAM_INT);
$stmt->execute();
echo '<div class="list-group" style="margin-bottom:0px;">';
$count = 0;
foreach($stmt as $result) {
$count++;
if ($count < 25) {
$userSheet = context::getUserSheetByIDForum($result['author_uid']);
if ($userSheet['rank'] == 0) {
$usern = $userSheet['username'];
}elseif ($userSheet['rank'] == 1) {
$usern = '<b style="color:#158cba"><span class="fa fa-bookmark"></span> '.$userSheet['username'].'</b>';
}elseif ($userSheet['rank'] == 2) {
$usern = '<b style="color:#28b62c"><span class="fa fa-gavel"></span> '.$userSheet['username'].'</b>';
}
echo '<div class="list-group-item" style="border:none;border-bottom:2px solid #eeeeee">';
echo '<div class="row"><div class="col-xs-1"><div style="position: relative;border:solid 1px #158cba;height:50px;width:50px;height:50px;border-radius:50%;overflow: hidden;" class="img-circle"><img style="position: absolute;clip: rect(0px, 75px, 50px, 0);left:-18px" src="'.context::getUserImage($userSheet).'" height="100"></div></div>';
echo '<div class="col-xs-11"><h4 class="list-group-item-heading" onclick="loadPost('.$result['id'].')" style="word-wrap:break-word;display:inline;cursor:pointer">'.showPinStatus().' '.context::secureString($result['title']).'</h4>';
echo '<div class="nav navbar-nav navbar-right" style="margin-right:0px;">';
echo '</div>';
echo '<p class="list-group-item-text">Posted by <a onclick="loadMiniProfile(\''.$userSheet['username'].'\');">'.$usern.'</a></p>';
echo '<div class="nav navbar-nav navbar-right" style="margin-right:0px;display:inline;margin:-26px 0px 0px;">';
echo '<b>Started: </b>'.context::humanTimingSince(strtotime($result['postTime'])).' ago<br>';
echo '<b>Views: </b>'.$result['views'].'&nbsp;&nbsp;&nbsp;';
echo '<b>Replies: </b>'.$result['replies'].'&nbsp;&nbsp;&nbsp;';
echo '</div>';
// Get last poster
$stmtr = $GLOBALS['dbcon']->prepare("SELECT author_uid FROM `replies` WHERE `postId` = :id ORDER BY id DESC LIMIT 1;");
$stmtr->bindParam(':id', $result['id'], PDO::PARAM_INT);
$stmtr->execute();
$resultReplyer = $stmtr->fetch(PDO::FETCH_ASSOC);
if ($stmtr->rowCount() > 0) {
$userID = $resultReplyer['author_uid'];
}else{
$userID = $result['author_uid'];
}
$userSheetLast = context::getUserSheetByID($userID);
if ($userSheetLast['rank'] == 0) {
$usern = $userSheetLast['username'];
}elseif ($userSheetLast['rank'] == 1) {
$usern = '<b style="color:#158cba"><span class="fa fa-bookmark"></span> '.$userSheetLast['username'].'</b>';
}elseif ($userSheetLast['rank'] == 2) {
$usern = '<b style="color:#28b62c"><span class="fa fa-gavel"></span> '.$userSheetLast['username'].'</b>';
}
echo '<b>Last Post: </b>'.context::humanTimingSince(strtotime($result['lastActivity'])).' ago by <a onclick="loadMiniProfile(\''.$userSheetLast['username'].'\');">'.$usern.'</a>';
echo '</div></div></div>';
}
}
}
if (!isset($keyword)) $stmt = $GLOBALS['dbcon']->prepare("SELECT id, author_uid, postTime, lastActivity, views, replies, title FROM topics WHERE forumId = :fId AND pinned = 0 ORDER BY lastActivity DESC LIMIT 26 OFFSET :offset");
if (isset($keyword)) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, author_uid, postTime, lastActivity, views, replies, title FROM topics WHERE forumId = :fId AND title LIKE :term ORDER BY lastActivity DESC LIMIT 26 OFFSET :offset");
$stmt->bindParam(':term', $searchTermSQL, PDO::PARAM_STR);
}
$stmt->bindParam(':fId', $id, PDO::PARAM_INT);
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->execute();
echo '<div class="list-group" style="margin-bottom:0px;">';
$count = 0;
foreach($stmt as $result) {
$count++;
if ($count < 25) {
$userSheet = context::getUserSheetByIDForum($result['author_uid']);
if ($userSheet['rank'] == 0) {
$usern = $userSheet['username'];
}elseif ($userSheet['rank'] == 1) {
$usern = '<b style="color:#158cba"><span class="fa fa-bookmark"></span> '.$userSheet['username'].'</b>';
}elseif ($userSheet['rank'] == 2) {
$usern = '<b style="color:#28b62c"><span class="fa fa-gavel"></span> '.$userSheet['username'].'</b>';
}
echo '<div class="list-group-item" style="border:none;border-bottom:2px solid #eeeeee">';
echo '<div class="row"><div class="col-xs-1"><div style="position: relative;border:solid 1px #158cba;height:50px;width:50px;height:50px;border-radius:50%;overflow: hidden;" class="img-circle"><img style="position: absolute;clip: rect(0px, 75px, 50px, 0);left:-18px" src="'.context::getUserImage($userSheet).'" height="100"></div></div>';
echo '<div class="col-xs-11"><h4 class="list-group-item-heading" onclick="loadPost('.$result['id'].')" style="word-wrap:break-word;display:inline;cursor:pointer">'.showLockedStatus($result['locked']).' '.context::secureString($result['title']).'</h4>';
echo '<div class="nav navbar-nav navbar-right" style="margin-right:0px;">';
echo '</div>';
echo '<p class="list-group-item-text">Posted by <a onclick="loadMiniProfile(\''.$userSheet['username'].'\');">'.$usern.'</a></p>';
echo '<div class="nav navbar-nav navbar-right" style="margin-right:0px;display:inline;margin:-26px 0px 0px;">';
echo '<b>Started: </b>'.context::humanTimingSince(strtotime($result['postTime'])).' ago<br>';
echo '<b>Views: </b>'.$result['views'].'&nbsp;&nbsp;&nbsp;';
echo '<b>Replies: </b>'.$result['replies'].'&nbsp;&nbsp;&nbsp;';
echo '</div>';
// Get last poster
$stmtr = $GLOBALS['dbcon']->prepare("SELECT author_uid FROM `replies` WHERE `postId` = :id ORDER BY id DESC LIMIT 1;");
$stmtr->bindParam(':id', $result['id'], PDO::PARAM_INT);
$stmtr->execute();
$resultReplyer = $stmtr->fetch(PDO::FETCH_ASSOC);
if ($stmtr->rowCount() > 0) {
$userID = $resultReplyer['author_uid'];
}else{
$userID = $result['author_uid'];
}
$userSheetLast = context::getUserSheetByID($userID);
if ($userSheetLast['rank'] == 0) {
$usern = $userSheetLast['username'];
}elseif ($userSheetLast['rank'] == 1) {
$usern = '<b style="color:#158cba"><span class="fa fa-bookmark"></span> '.$userSheetLast['username'].'</b>';
}elseif ($userSheetLast['rank'] == 2) {
$usern = '<b style="color:#28b62c"><span class="fa fa-gavel"></span> '.$userSheetLast['username'].'</b>';
}
echo '<b>Last Post: </b>'.context::humanTimingSince(strtotime($result['lastActivity'])).' ago by <a onclick="loadMiniProfile(\''.$userSheetLast['username'].'\');">'.$usern.'</a>';
echo '</div></div></div>';
}
}
if ($stmt->rowCount() == 0) {
echo 'There seems to be no post in this subforum. You could start the first one!';
}
if ($count > 25) {
if (!isset($keyword)) echo '<button class="btn btn-primary fullWidth loadMore" onclick="loadMoreForum(page, '.$id.')">Load more</button><script>page++;</script>';
if (isset($keyword)) echo '<button class="btn btn-primary fullWidth loadMore" onclick="loadMoreForumSearch(page, '.$id.', \''.context::secureString($keyword).'\')">Load more</button><script>page++;</script>';
}
echo '</div>';
}else{
echo 'An error occurred';
}
?>
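Review bot: `showLockedStatus($result['locked'])` in the regular-topics loop reads a column that neither topic query selects (`SELECT id, author_uid, postTime, lastActivity, views, replies, title FROM topics ...`), so every row raises an undefined-index warning and the lock icon never appears; add `locked` to both column lists (the keyword and non-keyword variants). In both loops `$usern` is only assigned for ranks 0, 1 and 2, so an author with any other rank either triggers an undefined-variable warning or silently reuses the previous row's name; initialise it with `$usern = $userSheet['username'];` before the rank branches, and likewise for `$userSheetLast`. The author and last-poster usernames are interpolated into `onclick="loadMiniProfile('...')"` and into `$usern` without `context::secureString`, unlike the mini-profile and new-post hunks; if usernames are not constrained at registration this is an injection point, and escaping them here is cheap either way. `$page` is accepted by `is_numeric`, which admits negative, fractional and exponent forms and yields an `OFFSET` the database rejects; `filter_var($page, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]])` is the stricter check. The pinned and regular loops are about 45 identical lines apart from the status icon and would read better as one helper taking the icon string.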


@ -0,0 +1,23 @@
<?php
if (isset($_GET['id'])) {
$id = $_GET['id'];
if (is_array($id)) {
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if (!$GLOBALS['loggedIn']) {
echo 'Something went wrong';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM forums WHERE id = :fId AND developer = 0");
$stmt->bindParam(':fId', $id, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) die("Forum not found");
$result = $stmt->fetch(PDO::FETCH_ASSOC);
echo '<h3>Posting in '.context::secureString($result['name']).'</h3>';
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/api/forum/views/newPost.php';
}else{
echo 'An error occurred';
}
?>
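Review bot: This view loader and the reply-view loader that follows run `SELECT * FROM forums` / `SELECT * FROM topics` and then use a single column (`name`, `title`), pulling the full row — including post `content` in the topics case — for nothing; `SELECT name FROM forums WHERE id = :fId AND developer = 0` and `SELECT title FROM topics WHERE id = :fId AND developer = 0` are sufficient. The not-found path is written two ways within the pair, `die("Forum not found")` here versus `echo 'Post could not be found'; exit;` next door; pick one form. The not-logged-in branch answers `Something went wrong`, which hides the actual condition from the client; if the front end keys on response strings as the other handlers suggest, a distinct value such as `login-required` would be clearer.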


@ -0,0 +1,25 @@
<?php
if (isset($_GET['id'])) {
$id = $_GET['id'];
if (is_array($id)) {
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if (!$GLOBALS['loggedIn']) {
echo 'Something went wrong';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM topics WHERE id = :fId AND developer = 0");
$stmt->bindParam(':fId', $id, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'Post could not be found';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
echo '<h3>Replying to '.context::secureString($result['title']).'</h3>';
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/api/forum/views/newReply.php';
}else{
echo 'An error occurred';
}
?>


@ -0,0 +1,105 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['postId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$postId = $_POST['postId'];
if (is_array($postId)) die("error");
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($postId) == 0 or $GLOBALS['userTable']['rank'] == 0) die("error");
$stmt = $GLOBALS['dbcon']->prepare("SELECT author_uid, forumId FROM topics WHERE id = :id AND developer = 0 ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() == 0) {
echo 'error';
exit;
}
$timeSince = round(abs(strtotime(context::getCurrentTime()) - strtotime($GLOBALS['userTable']['lastUpload'])) / 60,2);
if ($timeSince < 1 && $GLOBALS['userTable']['rank'] != 1) {
echo 'rate-limit';
exit;
}
$forumId = $result['forumId'];
$userId = $result['author_uid'];
$stmt = $GLOBALS['dbcon']->prepare("SELECT posts FROM users WHERE id = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $userId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$posts = $result['posts']-1;
$query = "UPDATE `users` SET `posts`=:posts WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $userId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $posts, PDO::PARAM_INT);
$stmt->execute();
$query = "DELETE FROM `topics` WHERE `id`=:id";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, author_uid FROM replies WHERE postId = :id");
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
$userId = $result['author_uid'];
$stmt = $GLOBALS['dbcon']->prepare("SELECT posts FROM users WHERE id = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $userId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$posts = $result['posts']-1;
$query = "UPDATE `users` SET `posts`=:posts WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $userId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $posts, PDO::PARAM_INT);
$stmt->execute();
}
$query = "DELETE FROM `replies` WHERE `postId`=:id";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
$query = "DELETE FROM `read` WHERE `postId`=:id";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
$query = "SELECT * FROM topics WHERE forumId=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->execute();
$total = $stmt->rowCount();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE forums SET posts = :posts WHERE id=:id;");
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $total, PDO::PARAM_INT);
$stmt->execute();
$query = "SELECT * FROM replies WHERE forumId=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->execute();
$total = $stmt->rowCount();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE forums SET replies = :posts WHERE id=:id;");
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $total, PDO::PARAM_INT);
$stmt->execute();
if ($GLOBALS['userTable']['rank'] != 1) {
$stmt = $dbcon->prepare("UPDATE users SET lastUpload = NOW() WHERE id = :user;");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
}
echo 'success';
}else{
echo 'error';
}
?>
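Review bot: The deletion runs nine dependent statements (decrement author counts, delete the topic, delete its replies and `read` rows, recount the forum) with no transaction, so a failure midway leaves rows and counters inconsistent; wrap the span from the first UPDATE to the last forum UPDATE in `$GLOBALS['dbcon']->beginTransaction();` / `commit();` with `rollBack()` on exception (this assumes `includes.php` sets `PDO::ERRMODE_EXCEPTION`, which the hunk does not show). The per-user post count is a read-then-write (`SELECT posts ...` then `UPDATE users SET posts=:posts`) that races with concurrent posting; `UPDATE users SET posts = posts - 1 WHERE id = :id` is atomic and removes the SELECT. Inside `foreach($stmt as $result)` the body reassigns both `$stmt` and `$result`, which works only because foreach holds the original statement object; give the inner statement its own name. The forum recount uses `SELECT * ...` plus `rowCount()` to count topics and replies, transferring every row; `SELECT COUNT(*)` does the same work server-side.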


@ -0,0 +1,22 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['postId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$postId = $_POST['postId'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($postId) == 0 or $GLOBALS['userTable']['rank'] == 0) die("error");
if (is_array($postId)) die("error");
$query = "UPDATE `topics` SET `locked`=1 WHERE `id`=:id AND `developer` = 0;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
$query = "UPDATE `topics` SET `lockedByStaff`=1 WHERE `id`=:id AND `developer` = 0;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
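Review bot: `strlen($postId)` runs before the `is_array($postId)` guard, so a `postId[]=1` request raises a `TypeError` under PHP 8 and yields a 500 instead of the intended `error` response; move `if (is_array($postId)) die("error");` above the combined condition, as the delete hunk does. The pin, unlock and unpin hunks further down apply `strlen` to the same unvalidated input and have no `is_array` check at all. The two UPDATEs can be one statement, `UPDATE topics SET locked=1, lockedByStaff=1 WHERE id=:id AND developer = 0;` (and `locked=0, lockedByStaff=0` in the unlock hunk). All four handlers echo `success` without consulting `$stmt->rowCount()`, so a non-existent or developer topic id is reported as locked/pinned; if the caller relies on that, test rowCount, bearing in mind that MySQL by default counts only rows whose values actually changed.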


@ -0,0 +1,159 @@
<?php
if (isset($_POST['postTitle']) and isset($_POST['postContent']) and isset($_POST['csrf']) and isset($_POST['forum'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$postTitle = $_POST['postTitle'];
$postContent = $_POST['postContent'];
$titleCheck = preg_replace('!\s+!', ' ', $postTitle);
$titleCheck = strip_tags($titleCheck);
$titleCheck = preg_replace("/&#?[a-z0-9]+;/i","", $titleCheck);
$titleCheck = preg_replace('!\s+!', ' ', $titleCheck);
$titleCheck = strtolower(preg_replace('|[[\/\!]*?[^\[\]]*?]|si', '', $titleCheck));
$titleCheck = preg_replace('/\s+/', '', $titleCheck);
$contentCheck = preg_replace('!\s+!', ' ', $postContent);
$contentCheck = strip_tags($contentCheck);
$contentCheck = preg_replace("/&#?[a-z0-9]+;/i","", $contentCheck);
$contentCheck = preg_replace('!\s+!', ' ', $contentCheck);
$contentCheck = strtolower(preg_replace('|[[\/\!]*?[^\[\]]*?]|si', '', $contentCheck));
$contentCheck = preg_replace('/\s+/', '', $contentCheck);
$badwords = array("fucking", "gay", "rape", "incest", "beastiality", "maggot", "bullshit", "fuck", "penis",
"dick", "vagina", "vag", "faggot", "fag", "nigger", "asshole", "shit", "bitch", "anal", "stfu",
"cunt", "pussy", "hump", "meatspin", "redtube", "porn", "kys", "xvideos", "hentai", "gangbang", "milf",
"n*", "nobelium", "whore", "wtf", "horny", "raping", "s3x", "boob", "nigga", "nlgga", "gt2008",
"cock", "dicc", "idiot", "nibba", "nibber", "nude", "kesner", "brickopolis", "nobe", "diemauer", "nuts");
$csrf = $_POST['csrf'];
$forum = $_POST['forum'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($forum) == 0) {
echo 'error';
exit;
}
if (strtolower($postContent) == strtolower($GLOBALS['userTable']['lastForumContent'])) die('<span style="color:red">You have already posted this</span>');
// Fixes things like "this i>s ex<"
$badwords2 = array("sex", "porn");
if (context::contains($postContent, $badwords2)) {
echo '<span style="color:red">This post contains filtered words.</span>';
exit;
}
// Check without special characters removed, will catch stuff like N*
if (context::contains($contentCheck, $badwords) or context::contains($titleCheck, $badwords)) {
echo '<span style="color:red">This post or post title contains filtered words.</span>';
exit;
}
// Check again but with special characters removed, except *
$titleCheck = preg_replace("/[^A-Za-z0-9*]/", '', $titleCheck);
$contentCheck = preg_replace("/[^A-Za-z0-9*]/", '', $contentCheck);
if (context::contains($contentCheck, $badwords) or context::contains($titleCheck, $badwords)) {
echo '<span style="color:red">This post or post title contains filtered words.</span>';
exit;
}
if (!preg_match("/^[\w*?!\/@',:#$%\^&*\(\) -]+$/", $postTitle) == 1) {
die('<span style="color:red">Invalid characters in title.</span>');
}
if (strlen($postTitle) < 5 or strlen($titleCheck) < 5) {
echo 'title-too-short';
exit;
}
if (strlen($postTitle) > 128) {
echo 'title-too-long';
exit;
}
if (strlen($postContent) < 5 or strlen($contentCheck) < 5) {
echo 'content-too-short';
exit;
}
if (strlen($postContent) > 30000) {
echo 'content-too-long';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT lastPost, joinDate, rank FROM users WHERE id = :id");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$timeSince = round(abs(strtotime(date('Y-m-d H:i:s')) - strtotime($result['lastPost'])) / 60,2);
if ($timeSince < 0.5 and $result['rank'] == 0) {
echo 'rate-limit';
exit;
}
$timeSince = round(abs(strtotime(date('Y-m-d H:i:s')) - strtotime($result['joinDate'])) / 60,2);
if ($timeSince < 1440 and $result['rank'] == 0) {
echo 'account-age';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM forums WHERE id = :id AND developer = 0");
$stmt->bindParam(':id', $forum, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'no-forum';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['locked'] == 1 and $GLOBALS['userTable']['rank'] != 1) {
echo 'access-denied';
exit;
}
$query = "INSERT INTO topics (`forumId`, `title`, `author_uid`, `content`, `lastActivity`) VALUES (:forumid, :topicname, :poster, :content, NOW());";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':forumid', $forum, PDO::PARAM_INT);
$stmt->bindParam(':topicname', $postTitle, PDO::PARAM_STR);
$stmt->bindParam(':poster', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':content', $postContent, PDO::PARAM_STR);
$stmt->execute();
$query = "UPDATE `users` SET `lastPost`=NOW() WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$query = "UPDATE `users` SET `lastForumContent`=:content WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':content', $postContent, PDO::PARAM_STR);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM forums WHERE id = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $forum, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$posts = $result['posts']+1;
$query = "UPDATE `forums` SET `posts`=:posts WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $forum, PDO::PARAM_INT);
$stmt->bindParam(':posts', $posts, PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("SELECT posts FROM users WHERE id = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$posts = $result['posts']+1;
$query = "UPDATE `users` SET `posts`=:posts WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':posts', $posts, PDO::PARAM_INT);
$stmt->execute();
$stmt = $dbcon->prepare("SELECT id FROM topics WHERE author_uid = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
echo '<script>loadPost('.$result['id'].');</script>';
}else{
echo 'error';
}
?>
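Review bot: After the INSERT the new topic id is recovered with `SELECT id FROM topics WHERE author_uid = :id ORDER BY id DESC LIMIT 1`, which returns the wrong topic when the same user has two requests in flight; `$newId = $GLOBALS['dbcon']->lastInsertId();` immediately after the INSERT's `execute()` is the reliable form and drops a query. The forum and user counters are read-then-written (`SELECT posts ...` then `UPDATE ... SET posts=:posts`), which loses increments under concurrency; `UPDATE forums SET posts = posts + 1 WHERE id = :id` and the same for `users` are atomic, and the reply hunk that follows repeats this pattern for three counters. The `$badwords` list here differs from the copy in the reply hunk (that one also contains `"cum"`), so the two filters have already drifted; both should read one shared constant defined in `includes.php` or similar. `!preg_match(...) == 1` parses as `(!preg_match(...)) == 1` because `!` binds tighter than `==`; it happens to work, but `preg_match(...) !== 1` says what is meant. `$forum` and `$postTitle` reach `strlen`/`preg_replace` before any `is_array` check, so an array parameter ends in a `TypeError` rather than the `error` response.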


@ -0,0 +1,158 @@
<?php
if (isset($_POST['replyContent']) and isset($_POST['csrf']) and isset($_POST['postId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$replyContent = $_POST['replyContent'];
$csrf = $_POST['csrf'];
$postId = $_POST['postId'];
$contentCheck = preg_replace('!\s+!', ' ', $replyContent);
$contentCheck = strip_tags($contentCheck);
$contentCheck = preg_replace("/&#?[a-z0-9]+;/i","", $contentCheck);
$contentCheck = preg_replace('!\s+!', ' ', $contentCheck);
$contentCheck = strtolower(preg_replace('|[[\/\!]*?[^\[\]]*?]|si', '', $contentCheck));
$contentCheck = preg_replace('/\s+/', '', $contentCheck);
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($postId) == 0) {
echo 'error';
exit;
}
if (strtolower($replyContent) == strtolower($GLOBALS['userTable']['lastForumContent'])) die('<span style="color:red">You have already posted this</span>');
$badwords = array("fucking", "gay", "rape", "incest", "beastiality", "cum", "maggot", "bullshit", "fuck", "penis",
"dick", "vagina", "vag", "faggot", "fag", "nigger", "asshole", "shit", "bitch", "anal", "stfu",
"cunt", "pussy", "hump", "meatspin", "redtube", "porn", "kys", "xvideos", "hentai", "gangbang", "milf",
"n*", "nobelium", "whore", "wtf", "horny", "raping", "s3x", "boob", "nigga", "nlgga", "gt2008",
"cock", "dicc", "idiot", "nibba", "nibber", "nude", "kesner", "brickopolis", "nobe", "diemauer", "nuts");
$badwords2 = array("sex", "porn");
if (context::contains($replyContent, $badwords2)) {
echo '<span style="color:red">This reply contains filtered words.</span>';
exit;
}
// Check without special characters removed
if (context::contains($contentCheck, $badwords)) {
echo '<span style="color:red">This reply contains filtered words.</span>';
exit;
}
// Check with special characters removed, except *.
$contentCheck = preg_replace("/[^A-Za-z0-9*]/", '', $contentCheck);
if (context::contains($contentCheck, $badwords)) {
echo '<span style="color:red">This reply contains filtered words.</span>';
exit;
}
if (strlen($replyContent) < 5 or strlen($contentCheck) < 5) {
echo 'content-too-short';
exit;
}
if (strlen($replyContent) > 30000) {
echo 'content-too-long';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT lastPost, joinDate, rank FROM users WHERE id = :id");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$timeSince = round(abs(strtotime(date('Y-m-d H:i:s')) - strtotime($result['lastPost'])) / 60,2);
if ($timeSince < 0.5 and $result['rank'] == 0) {
echo 'rate-limit';
exit;
}
$timeSince = round(abs(strtotime(date('Y-m-d H:i:s')) - strtotime($result['joinDate'])) / 60,2);
if ($timeSince < 1440 and $result['rank'] == 0) {
echo 'account-age';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM topics WHERE id = :id AND developer = 0");
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'no-post';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$postId = $result['id'];
$forumId = $result['forumId'];
if ($result['locked'] == 1 and $GLOBALS['userTable']['rank'] == 0) {
echo 'access-denied';
exit;
}
$query = "INSERT INTO replies (`postId`, `content`, `author_uid`, `forumId`) VALUES (:id, :content, :poster, :forumId);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->bindParam(':poster', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':content', $replyContent, PDO::PARAM_STR);
$stmt->bindParam(':forumId', $forumId, PDO::PARAM_INT);
$stmt->execute();
$query = "UPDATE `topics` SET `lastActivity`=NOW() WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
$query = "UPDATE `users` SET `lastPost`=NOW() WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$query = "UPDATE `users` SET `lastForumContent`=:content WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':content', $replyContent, PDO::PARAM_STR);
$stmt->execute();
$query = "DELETE FROM `read` WHERE `postId`=:id";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("SELECT replies FROM forums WHERE id = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$posts = $result['replies']+1;
$query = "UPDATE `forums` SET `replies`=:posts WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $forumId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $posts, PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("SELECT replies FROM topics WHERE id = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$posts = $result['replies']+1;
$query = "UPDATE `topics` SET `replies`=:posts WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->bindParam(':posts', $posts, PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("SELECT posts FROM users WHERE id = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$posts = $result['posts']+1;
$query = "UPDATE `users` SET `posts`=:posts WHERE `id`=:id;";
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':posts', $posts, PDO::PARAM_INT);
$stmt->execute();
echo '<script>loadPost('.$postId.');</script>';
}else{
echo 'error';
}
?>
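Review bot: The locked-topic gate is `$result['locked'] == 1 and $GLOBALS['userTable']['rank'] == 0`, while the new-post hunk gates a locked forum with `rank != 1`; as written a rank-2 user (Moderator, per the mini-profile labels) can reply in a locked topic but cannot post in a locked forum — presumably intentional, but a one-line comment such as `// ranks 1 (admin) and 2 (moderator) may reply in locked topics; only rank 1 may post in a locked forum` would settle it for the next reader. `$postId` passes through `strlen` before any `is_array` check, the same `TypeError` path noted on the lock hunk. The final user-count UPDATE uses the bare `$dbcon` while every other statement in the file goes through `$GLOBALS['dbcon']`; both resolve at file scope, but the mix reads as a slip. The INSERT into `replies` and the following `lastActivity`, `read` and counter updates are not in a transaction, the same concern raised on the delete hunk.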


@ -0,0 +1,18 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['postId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$postId = $_POST['postId'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($postId) == 0 or $GLOBALS['userTable']['rank'] != 1) {
echo 'error';
exit;
}
$query = "UPDATE `topics` SET `pinned`=1 WHERE `id`=:id AND `developer` = 0;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
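Review bot: The guard on L3296 compares the CSRF token with `!=` and calls `strlen($postId)` before checking the type, so a request that sends `postId[]=1` raises an uncaught TypeError in PHP 8 instead of the intended `error` response, and a numeric-looking token is compared numerically rather than byte-for-byte. Reject non-string input first and compare the token in constant time: `if (!is_string($csrf) || !is_string($postId) || !hash_equals((string) $GLOBALS['csrf_token'], $csrf) || ...)`. The same guard shape is repeated on L3318, L3344, L3817, L3911, L3934, L3961 and L4063. The handler also reports `success` on L3304 without consulting `$stmt->rowCount()`, so pinning a non-existent or developer topic looks successful to the caller.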


@ -0,0 +1,23 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['postId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$postId = $_POST['postId'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($postId) == 0 or $GLOBALS['userTable']['rank'] == 0) {
echo 'error';
exit;
}
$query = "UPDATE `topics` SET `locked`=0 WHERE `id`=:id AND `developer`=0;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
$query = "UPDATE `topics` SET `lockedByStaff`=0 WHERE `id`=:id AND `developer`=0;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
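Review bot: The two UPDATE statements on L3322 and L3326 clear `locked` and `lockedByStaff` separately, which leaves a window where the topic is unlocked but still marked as staff-locked, and doubles the round trips for no benefit. A single statement covers both columns atomically: `$query = "UPDATE \`topics\` SET \`locked\`=0, \`lockedByStaff\`=0 WHERE \`id\`=:id AND \`developer\`=0;";`. As with the pin handler, `success` is echoed regardless of whether any row matched.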


@ -0,0 +1,18 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['postId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$postId = $_POST['postId'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($postId) == 0 or $GLOBALS['userTable']['rank'] != 1) {
echo 'error';
exit;
}
$query = "UPDATE `topics` SET `pinned`=0 WHERE `id`=:id AND `developer` = 0;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $postId, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>


@ -0,0 +1,193 @@
<style>
.responsiveforum {
display: block;
}
@media screen and (max-width: 767px) {
.responsiveforum {
text-align: center;
}
}
</style>
<?php
if (isset($_GET['id'])) {
$id = $_GET['id'];
if (is_array($id)) {
echo 'Something went wrong.';
exit;
}
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) {
exit;
}
}else{
$page = 0;
}
if (is_array($page)) {
echo 'Something went wrong.';
exit;
}
$offset = $page*15;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($page == 0) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, author_uid, postTime, lastActivity, views, replies, title, content, forumId, locked, pinned FROM topics WHERE id = :id AND developer = 0");
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'Topic not found';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$id = $result['id'];
$stmtr = $GLOBALS['dbcon']->prepare("SELECT id FROM `read` WHERE `userId` = :id AND `postId` = :pid;");
$stmtr->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmtr->bindParam(':pid', $id, PDO::PARAM_INT);
$stmtr->execute();
$resultread = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmtr->rowCount() == 0) {
$read = false;
}else{
$read = true;
}
if ($read == false and $loggedIn == true) {
$query = "INSERT INTO `read` (`userId`, `postId`) VALUES (:userId, :postId);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':postId', $id, PDO::PARAM_INT);
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE topics SET views = views + 1 WHERE id = :id");
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
}
echo '<div class="nav navbar-nav navbar-right" style="margin-right:15px;">';
echo '<div id="pStatus"><b>Replies</b>: '.$result['replies'].'</div>';
echo '</div>';
echo '<h3 style="word-wrap:break-word;">'.context::secureString($result['title']).'</h3>';
echo '<div class="nav navbar-nav navbar-right" style="margin-right:15px;">';
if ($GLOBALS['loggedIn']) {
if ($GLOBALS['userTable']['rank'] > 0) {
echo '<button class="btn btn-danger" style="margin:-10px -15px 0px;" id="deletePost" onclick="deletePost('.$result['id'].', '.$result['forumId'].');"><span class="fa fa-trash-o"></span> Delete Post</button>';
if ($result['locked'] == 1) {
echo '<button class="btn btn-primary" style="margin:-10px 17px 0px;" id="unlockPost" onclick="unlockPost('.$result['id'].');"><span class="fa fa-unlock-alt"></span> Unlock Post</button>';
}else{
echo '<button class="btn btn-primary" style="margin:-10px 17px 0px;" id="lockPost" onclick="lockPost('.$result['id'].');"><span class="fa fa-lock"></span> Lock Post</button>';
}
}
if ($GLOBALS['userTable']['rank'] == 1) {
if ($result['pinned'] == 1) {
echo '<button class="btn btn-primary" style="margin:-10px 17px 0px;" id="unpinPost" onclick="unpinPost('.$result['id'].');"><span class="fa fa-unlock-alt"></span> Unpin Post</button>';
}else{
echo '<button class="btn btn-primary" style="margin:-10px 17px 0px;" id="pinPost" onclick="pinPost('.$result['id'].');"><span class="fa fa-unlock-alt"></span> Pin Post</button>';
}
}
if ($result['locked'] == 0) {
echo '<button class="btn btn-primary" style="margin:-10px -15px 0px;" onclick="newReply('.$result['id'].');"><span class="fa fa-reply"></span> New Reply</button>';
}else{
if ($GLOBALS['userTable']['rank'] > 0) {
echo '<button class="btn btn-primary" style="margin:-10px -15px 0px;" onclick="newReply('.$result['id'].');"><span class="fa fa-reply"></span> New Reply</button>';
}else{
echo '<button class="btn btn-primary disabled" style="margin:-10px -15px 0px;"><span class="fa fa-reply"></span> New Reply</button>';
}
}
}
echo '</div>';
$userSheet = context::getUserSheetByID($result['author_uid']);
if ($userSheet['rank'] == 0) {
$usern = $userSheet['username'];
}elseif ($userSheet['rank'] == 1) {
$usern = '<b style="color:#158cba">'.$userSheet['username'].'</b>';
}elseif ($userSheet['rank'] == 2) {
$usern = '<b style="color:#28b62c">'.$userSheet['username'].'</b>';
}
echo '<p>Started by <a onclick="loadMiniProfile(\''.$userSheet['username'].'\');">'.$usern.'</a></p>';
echo '<div class="list-group-item" style="border:none;border-bottom:2px solid #eeeeee"><div class="row"><div class="col-xs-12 col-sm-12 col-md-2 responsiveforum">
<div class="center">'.context::getOnline($userSheet).'<a onclick="loadMiniProfile(\''.$userSheet['username'].'\');">'.$usern.'</a></div>
<a onclick="loadMiniProfile(\''.$userSheet['username'].'\');"><img height="150" width="150" class="img-responsive" style="display:inline" src="'.context::getUserImage($userSheet).'"></a><br>';
if ($userSheet['rank'] == 1) {
echo '<p style="color:#158cba;margin:0 0 0px"><span class="fa fa-bookmark"></span> <b>Administrator</b></p>';
}
if ($userSheet['rank'] == 2) {
echo '<p style="color:#28b62c;margin:0 0 0px"><span class="fa fa-gavel"></span> <b>Moderator</b></p>';
}
context::checkTopPoster($userSheet['id']);
echo '<b>Joined: </b>'.date('M j Y', strtotime($userSheet['joinDate'])).'<br>
<b>Posts: </b>'.$userSheet['posts'].'
</div>';
$content = strip_tags($result['content']);
$content = context::secureString($content);
$content = preg_replace("/\s*[a-zA-Z\/\/:\.]*youtube.com\/watch\?v=([a-zA-Z0-9\-_]+)([a-zA-Z0-9\/\*\-\_\?\&\;\%\=\.]*)/i","<iframe width=\"420\" height=\"315\" src=\"//www.youtube.com/embed/$1\" frameborder=\"0\" allowfullscreen></iframe>", $content);
if ($userSheet['rank'] > 0) {
$content = preg_replace("/https?:\/\/[^ ]+?(?:\.jpg|\.png|\.gif)/",'<img class="img-responsive" src="$0">', $content);
}
$content = context::showBBcodes($content);
$content = context::parseEmoticon($content);
echo '<div class="col-xs-12 col-sm-12 col-md-10">
<b><span class="fa fa-clock-o"></span> Posted on: </b>'.date('M j Y g:i A', strtotime($result['postTime'])).'<br>
<span style="word-wrap:break-word;">'.nl2br($content).'</span>
</div></div></div>';
}else{
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM topics WHERE id = :id");
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'Topic not found!';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$id = $result['id'];
}
$stmt = $dbcon->prepare("SELECT author_uid, content, post_time FROM replies WHERE postId = :id ORDER BY id DESC LIMIT 16 OFFSET :offset;");
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$count = 0;
foreach($stmt as $result) {
$count++;
if ($count < 16) {
$userSheet = context::getUserSheetByID($result['author_uid']);
if ($userSheet['rank'] == 0) {
$usern = $userSheet['username'];
}elseif ($userSheet['rank'] == 1) {
$usern = '<b style="color:#158cba">'.$userSheet['username'].'</b>';
}elseif ($userSheet['rank'] == 2) {
$usern = '<b style="color:#28b62c">'.$userSheet['username'].'</b>';
}
echo '<div class="list-group-item" style="border:none;border-bottom:2px solid #eeeeee"><div class="row"><div class="col-xs-12 col-sm-12 col-md-2 responsiveforum">
<div class="center">'.context::getOnline($userSheet).'<a onclick="loadMiniProfile(\''.$userSheet['username'].'\');">'.$usern.'</a></div>
<a onclick="loadMiniProfile(\''.$userSheet['username'].'\');"><img width="150 height="150" class="img-responsive" style="display:inline" src="'.context::getUserImage($userSheet).'"></a><br>';
if ($userSheet['rank'] == 1) {
echo '<p style="color:#158cba;margin:0 0 0px"><span class="fa fa-bookmark"></span> <b>Administrator</b></p>';
}
if ($userSheet['rank'] == 2) {
echo '<p style="color:#28b62c;margin:0 0 0px"><span class="fa fa-gavel"></span> <b>Moderator</b></p>';
}
context::checkTopPoster($userSheet['id']);
echo '<b>Joined: </b>'.date('M j Y', strtotime($userSheet['joinDate'])).'<br>
<b>Posts: </b>'.$userSheet['posts'].'
</div>';
$content = strip_tags($result['content']);
$content = context::secureString($content);
$content = preg_replace("/\s*[a-zA-Z\/\/:\.]*youtube.com\/watch\?v=([a-zA-Z0-9\-_]+)([a-zA-Z0-9\/\*\-\_\?\&\;\%\=\.]*)/i","<iframe width=\"420\" height=\"315\" src=\"//www.youtube.com/embed/$1\" frameborder=\"0\" allowfullscreen></iframe>", $content);
if ($userSheet['rank'] > 0) {
$content = preg_replace("/https?:\/\/[^ ]+?(?:\.jpg|\.png|\.gif)/",'<img class="img-responsive" src="$0">', $content);
}
$content = context::showBBcodes($content);
$content = context::parseEmoticon($content);
echo '<div class="col-xs-12 col-sm-12 col-md-10">
<b><span class="fa fa-clock-o"></span> Posted on: </b>'.date('M j Y g:i A', strtotime($result['post_time'])).'<br>
<span style="word-wrap:break-word;">'.nl2br($content).'</span>
</div></div></div>';
}
}
if ($count > 15) {
echo '<button class="btn btn-primary fullWidth loadMore" onclick="loadMore(page, '.$id.')">Load more replies</button><script>page++;</script>';
}
}else{
echo 'An error occurred';
}
?>
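Review bot: The paged branch on L3489 loads the topic with `SELECT * FROM topics WHERE id = :id` and omits the `AND developer = 0` filter that the first-page query on L3393 applies, so replies of developer-only topics can still be read by requesting `page=1` or higher; the condition should be the same in both queries. On L3406 `$resultread` is fetched from `$stmt` (the already-consumed topics statement) rather than `$stmtr`, and the value is never used, so the line should be dropped or read from `$stmtr`. On L3517 the attribute list `width="150 height="150"` is missing a closing quote, which breaks the rendered `<img>` tag for every reply. `$usern` is only assigned for ranks 0, 1 and 2 (L3455-L3461, L3508-L3514); if other rank values exist, later pages would emit an undefined variable, so a default assignment before the chain would be safer.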


@ -0,0 +1,19 @@
<?php
if (!defined('IN_PHP')) {
exit;
}
?>
<script>
$(document).ready(function () {
var charactersAllowed = 30000;
$('textarea').keyup(function () {
var left = charactersAllowed - $(this).val().length;
$('#remainingC').html('<br>Characters left: ' + left);
if ($(this).val().length == 0) $("#remainingC").empty();
});
});
</script>
<div id="pStatus"></div>
<input class="form-control" maxlength="128" id="postTitle" type="text" placeholder="Post title" style="display:inline"><p id="remainingC" style="display:inline"></p>
<textarea rows="10" maxlength="30000" class="form-control" id="postContent" placeholder="Post here"></textarea>
<button class="btn btn-primary" id="postMessage" onclick="postMessage(<?php echo $result['id'];?>)">Post</button>


@ -0,0 +1,19 @@
<?php
if (!defined('IN_PHP')) {
exit;
}
?>
<script>
$(document).ready(function () {
var charactersAllowed = 30000;
$('textarea').keyup(function () {
var left = charactersAllowed - $(this).val().length;
$('#remainingC').html('Characters left: ' + left);
if ($(this).val().length == 0) $("#remainingC").empty();
});
});
</script>
<div id="rStatus"></div>
<p id="remainingC"></p>
<textarea rows="10" maxlength="30000" class="form-control" id="replyContent" placeholder="Reply here"></textarea>
<button class="btn btn-primary" id="postReply" onclick="postReply(<?php echo $result['id'];?>)">Reply</button>


@ -0,0 +1,65 @@
<?php
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) exit;
if (is_array($page)) {
exit;
}
$offset = $page*10;
if ($page == 0){
$page = 0;
$offset = 0;
}
}else{
$page = 0;
$offset = 0;
}
if ($page < 0) {
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] == false) {
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM `friends` WHERE `userId1` = :id ORDER BY id DESC LIMIT 10 OFFSET :offset;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0 && $page == 0) {
echo 'You have no Graphictoria friends. Why not make some?';
}
echo '<div class="row center">';
$count = 0;
foreach($stmt as $result) {
$count++;
if ($count < 10) {
$userId = $result['userId2'];
$stmt = $dbcon->prepare("SELECT username, imgTime, id, lastSeen FROM users WHERE id = :id;");
$stmt->bindParam(':id', $userId, PDO::PARAM_INT);
$stmt->execute();
$resultuser = $stmt->fetch(PDO::FETCH_ASSOC);
$username = $resultuser['username'];
if (strlen($username) > 10) {
$username = substr($username, 0, 7) . '...';
}
echo '<div class="col-xs-4"><a href="/user/profile/'.$resultuser['username'].'"><img width="100" src="'.context::getUserImage($resultuser).'"></a><br>';
echo context::getOnline($resultuser);
echo '<a href="/user/profile/'.$resultuser['username'].'"><b>'.context::secureString($username).'</b></a>
<br><button value="'.$resultuser['id'].'" onclick="removeFriend('.$resultuser['id'].', '.$page.');" class="btn btn-danger btn-xs rmFr">Remove friend</button><br><br></div>';
}
}
echo '</div>';
echo '<div style="margin-left:15px;margin-right:15px;"><div class="btn-group btn-group-justified">';
if ($page > 0) {
echo '<a class="btn fullWidth" onclick="loadFriends('.($page-1).')">&laquo; Previous</a>';
}
if ($count > 9) {
echo '<a class="btn fullWidth" onclick="loadFriends('.($page+1).')">Next &raquo;</a>';
}
if ($count == 0 and $page > 0) {
exit;
}
echo '</div></div>';
?>
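Review bot: The pagination on L3622, L3633 and L3654 skips every tenth friend: the query fetches 10 rows at `OFFSET page*10`, only the first 9 (`$count < 10`) are rendered, the tenth acts as a look-ahead for the Next button, and the next page starts at offset 10, so row 9 of each page is never displayed. Fetch one extra row instead, `LIMIT 11 OFFSET :offset`, and keep rendering while `$count < 11` with `$count > 10` as the Next condition. The same off-by-one is in the requests list (L3689, L3700, L3721) and the public friends list (L3769, L3780, L3800). Separately, L3643 and L3645 put the raw `$resultuser['username']` into an `href` while the display name goes through `context::secureString`; apply the same escaping to the attribute value, and consider `mb_strlen`/`mb_substr` on L3640-L3641 so the truncation does not cut a multibyte character in half.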


@ -0,0 +1,65 @@
<?php
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) exit;
if (is_array($page)) {
exit;
}
$offset = $page*10;
if ($page == 0){
$page = 0;
$offset = 0;
}
}else{
$page = 0;
$offset = 0;
}
if ($page < 0) {
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] == false) {
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM `friendRequests` WHERE `recvuid` = :id ORDER BY id DESC LIMIT 10 OFFSET :offset;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0 && $page == 0) {
echo 'You do not have any friend request inbound.';
}
echo '<div class="row center">';
$count = 0;
foreach($stmt as $result) {
$count++;
if ($count < 10) {
$userId = $result['senduid'];
$stmt = $dbcon->prepare("SELECT username, imgTime, id, lastSeen FROM users WHERE id = :id;");
$stmt->bindParam(':id', $userId, PDO::PARAM_INT);
$stmt->execute();
$resultuser = $stmt->fetch(PDO::FETCH_ASSOC);
$username = $resultuser['username'];
if (strlen($username) > 10) {
$username = substr($username, 0, 7) . '...';
}
echo '<div class="col-xs-4"><a href="/user/profile/'.$resultuser['username'].'"><img width="100" src="'.context::getUserImage($resultuser).'"></a><br>';
echo context::getOnline($resultuser);
echo '<a href="/user/profile/'.$resultuser['username'].'"><b>'.context::secureString($username).'</b></a>
<br><button value="'.$resultuser['id'].'ignore" onclick="ignoreRequest('.$resultuser['id'].', '.$page.');" class="btn btn-danger btn-xs">Ignore</button><button value="'.$resultuser['id'].'" onclick="acceptRequest('.$resultuser['id'].', '.$page.');" class="btn btn-success btn-xs">Add Friend</button><br><br></div>';
}
}
echo '</div>';
echo '<div style="margin-left:15px;margin-right:15px;"><div class="btn-group btn-group-justified">';
if ($page > 0) {
echo '<a class="btn fullWidth" onclick="loadRequests('.($page-1).')">&laquo; Previous</a>';
}
if ($count > 9) {
echo '<a class="btn fullWidth" onclick="loadRequests('.($page+1).')">Next &raquo;</a>';
}
if ($count == 0 and $page > 0) {
exit;
}
echo '</div></div>';
?>


@ -0,0 +1,79 @@
<?php
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) exit;
if (is_array($page)) {
exit;
}
$offset = $page*10;
if ($page == 0){
$page = 0;
$offset = 0;
}
}else{
$page = 0;
$offset = 0;
}
if ($page < 0) {
exit;
}
if (isset($_GET['userid'])) {
$userid = $_GET['userid'];
if (is_array($userid)) {
exit;
}
}else{
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM users WHERE id = :id;");
$stmt->bindParam(':id', $userid, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$userid = $result['id'];
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM `friends` WHERE `userId1` = :id ORDER BY id DESC LIMIT 10 OFFSET :offset;");
$stmt->bindParam(':id', $userid, PDO::PARAM_INT);
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0 && $page == 0) {
echo 'This user has no friends.';
}
echo '<div class="row center">';
$count = 0;
foreach($stmt as $result) {
$count++;
if ($count < 10) {
$userId = $result['userId2'];
$stmt = $dbcon->prepare("SELECT username, imgTime, id, lastSeen FROM users WHERE id = :id;");
$stmt->bindParam(':id', $userId, PDO::PARAM_INT);
$stmt->execute();
$resultuser = $stmt->fetch(PDO::FETCH_ASSOC);
$username = $resultuser['username'];
if (strlen($username) > 10) {
$username = substr($username, 0, 7) . '...';
}
echo '<div class="col-xs-4"><a href="/user/profile/'.$resultuser['username'].'"><img width="100" src="'.context::getUserImage($resultuser).'"></a><br>';
echo context::getOnline($resultuser);
echo '<a href="/user/profile/'.$resultuser['username'].'"><b>'.context::secureString($username).'</b></a><br><br></div>';
}
}
echo '</div>';
echo '<div style="margin-left:15px;margin-right:15px;"><div class="btn-group btn-group-justified">';
if ($page > 0) {
echo '<a class="btn fullWidth" onclick="loadFriends(\''.$userid.'\', '.($page-1).')">&laquo; Previous</a>';
}
if ($count > 9) {
echo '<a class="btn fullWidth" onclick="loadFriends(\''.$userid.'\', '.($page+1).')">Next &raquo;</a>';
}
if ($count == 0 and $page > 0) {
exit;
}
echo '</div></div>';
?>


@ -0,0 +1,100 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['userID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$userID = $_POST['userID'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($userID) == 0) {
echo 'error';
exit;
}
if ($userID == $GLOBALS['userTable']['id']) {
echo 'error';
exit;
}
$query = "SELECT * FROM `friendRequests` WHERE `recvuid` = :id AND `senduid` = :sid";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() == 0) {
echo 'error';
exit;
}
if ($result['senduid'] == $GLOBALS['userTable']['id'] and $stmt->rowCount() > 0) {
$query = "DELETE FROM `friendRequests` WHERE `senduid` = :sid AND `recvuid` = :id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
echo 'error';
exit;
}
$query = "SELECT * FROM `friends` WHERE `userId1` = :id AND `userId2` = :sid";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) {
$query = "DELETE FROM `friendRequests` WHERE `senduid` = :sid AND `recvuid` = :id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
echo 'error';
exit;
}
$query = "SELECT * FROM `friends` WHERE `userId1` = :sid AND `userId2` = :id";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) {
$query = "DELETE FROM `friendRequests` WHERE `senduid` = :id AND `recvuid` = :sid;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
echo 'error';
exit;
}
$query = "INSERT INTO friends (`userId1`, `userId2`) VALUES (:userId1, :userId2);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':userId1', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':userId2', $userID, PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':userId1', $userID, PDO::PARAM_INT);
$stmt->bindParam(':userId2', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$query = "DELETE FROM `friendRequests` WHERE `senduid` = :sid AND `recvuid` = :id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM users WHERE id = :id");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$resultuinfo = $stmt->fetch(PDO::FETCH_ASSOC);
$message = '<b><a href="/profile.php?id='.$resultuinfo['id'].'">'.htmlentities($resultuinfo['username'], ENT_QUOTES, "UTF-8").'</a></b> has accepted your friend request. Start a conversation by replying!';
$query = "INSERT INTO messages (`recv_uid`, `sender_uid`, `title`, `content`) VALUES (:userId1, :userId2, 'Friend Request Accepted', :msg);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':userId1', $userID, PDO::PARAM_INT);
$stmt->bindParam(':userId2', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':msg', $message, PDO::PARAM_STR);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
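Review bot: The branch on L3835 is unreachable: the SELECT on L3825 already constrains `senduid = :sid` where `:sid` is `$userID`, and L3821 has rejected `$userID == $GLOBALS['userTable']['id']`, so `$result['senduid']` can never equal the current user's id there; the block should be removed so a reader does not look for a self-request case that cannot occur. The two INSERTs on L3872-L3880 plus the DELETE on L3881 are not wrapped in a transaction, so a failure between them leaves a one-directional friendship row; wrap them with `$GLOBALS['dbcon']->beginTransaction();` ... `commit()`, and the same applies to the paired DELETEs in the remove-friend handler (L3938-L3946). The notification link on L3890 uses `/profile.php?id=`, while every other link on this page uses `/user/profile/<username>`; this looks like a stale path and is worth confirming.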


@ -0,0 +1,21 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['userID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$userID = $_POST['userID'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($userID) == 0) {
echo 'error';
exit;
}
$query = "DELETE FROM `friendRequests` WHERE `senduid` = :sid AND `recvuid` = :id;";
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>


@ -0,0 +1,26 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['userID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$userID = $_POST['userID'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($userID) == 0) {
echo 'error';
exit;
}
$query = "DELETE FROM `friends` WHERE `userId1` = :sid AND `userId2` = :id;";
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':id', $userID, PDO::PARAM_INT);
$stmt->bindParam(':sid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>


@ -0,0 +1,60 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['userID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$userID = $_POST['userID'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($userID) == 0) {
echo 'error';
exit;
}
if ($userID == $GLOBALS['userTable']['id']) {
echo 'error';
exit;
}
$query = "SELECT * FROM `friends` WHERE `userId1` = :id AND `userId2` = :sid";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) {
echo 'error';
exit;
}
$query = "SELECT * FROM `friendRequests` WHERE `senduid` = :id AND `recvuid` = :sid";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':sid', $userID, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) {
echo 'error';
exit;
}
$currentTime = context::getCurrentTime();
$from_time = strtotime($GLOBALS['userTable']['lastFR']);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince < 1) {
echo 'rate-limit';
exit;
}else{
$query = "UPDATE users SET lastFR = NOW() WHERE id=:id";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
}
$query = "INSERT INTO friendRequests (`senduid`, `recvuid`) VALUES (:userId1, :userId2);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':userId1', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':userId2', $userID, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
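Review bot: The rate limit on L3988-L3998 is a check-then-update: `lastFR` is read from the `userTable` snapshot loaded by the include and only afterwards set with a separate UPDATE, so concurrent requests from the same session all pass the one-minute check before any of them writes. Make the limit atomic by letting the database decide, `$query = "UPDATE users SET lastFR = NOW() WHERE id=:id AND (lastFR IS NULL OR lastFR < NOW() - INTERVAL 1 MINUTE)";` and treating `$stmt->rowCount() === 0` as `rate-limit`. The handler also never verifies that `$userID` refers to an existing user before the INSERT on L4000; unless a foreign key enforces it, requests to arbitrary ids accumulate in `friendRequests`.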


@ -0,0 +1,44 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn']) {
if (isset($_POST['key'])) {
$key = $_POST['key'];
$err = false;
if (strlen($key) == 0) {
echo '<div class="alert" style="background-color:red;margin-bottom:0px;border-radius:0px;padding:5px;;color:white">Please enter a key.</div>';
$err = true;
}
if ($err == false) {
$stmt = $dbcon->prepare("SELECT * FROM games WHERE `key` = :key");
$stmt->bindParam(':key', $key, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo '<div class="alert" style="background-color:red;margin-bottom:0px;border-radius:0px;padding:5px;;color:white">Invalid key.</div>';
}else{
// Check if already submitted.
$stmt = $dbcon->prepare("SELECT * FROM gameKeys WHERE `key` = :key AND userid = :uid");
$stmt->bindParam(':key', $key, PDO::PARAM_STR);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
$stmt = $dbcon->prepare("INSERT INTO `gameKeys` (`userid`, `key`) VALUES (:uid, :key);");
$stmt->bindParam(':key', $key, PDO::PARAM_STR);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo '<div class="alert" style="background-color:green;margin-bottom:0px;border-radius:0px;padding:5px;color:white">Key added!</div>';
}else{
echo '<div class="alert" style="background-color:red;margin-bottom:0px;border-radius:0px;padding:5px;;color:white">You have already submitted this key.</div>';
}
}
}
}else{
echo '<div class="alert" style="background-color:red;margin-bottom:0px;border-radius:0px;padding:5px;;color:white">Something happened.</div>';
}
}else{
echo '<div class="alert" style="background-color:red;margin-bottom:0px;border-radius:0px;padding:5px;;color:white">You need to be signed in to add a server to your list.</div>';
}
?>
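Review bot: This POST handler has no CSRF check: L4017 reads `$_POST['key']` and writes to `gameKeys` on L4037 without comparing `$_POST['csrf']` against `$GLOBALS['csrf_token']`, unlike every other state-changing handler on this page (for example L3296 and L3817). Add the same guard before the lookup, `if (!isset($_POST['csrf']) || !hash_equals((string) $GLOBALS['csrf_token'], (string) $_POST['csrf'])) { ... }`, so a third-party page cannot attach keys to a logged-in user's list. `strlen($key)` on L4020 also throws a TypeError when `key[]=` is submitted; checking `is_string($key)` first keeps the error path under the handler's control.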


@ -0,0 +1,30 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['serverID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$serverID = $_POST['serverID'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($serverID) == 0) {
echo 'error';
exit;
}
$stmt = $dbcon->prepare("SELECT * FROM games WHERE id = :id;");
$stmt->bindParam(':id', $serverID, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['creator_uid'] != $GLOBALS['userTable']['id'] && $GLOBALS['userTable']['rank'] == 0) {
echo 'error';
}
if ($result['dedi'] == 1 && $GLOBALS['userTable']['rank'] != 1) die("error");
$stmt = $dbcon->prepare("DELETE FROM games WHERE id = :id;");
$stmt->bindParam(':id', $serverID, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
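Review bot: The ownership check on L4071-L4073 echoes `error` but does not stop, so a rank-0 user who is not the creator still reaches the DELETE on L4075 and removes another user's server; the branch needs `echo 'error'; exit;` exactly as the `dedi` check on L4074 does with `die`. When no game matches, `$stmt->fetch()` on L4070 returns `false` and the index reads on L4071 and L4074 operate on a boolean, which emits warnings in PHP 8; checking `$result === false` first and exiting with `error` makes the not-found case explicit.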


@ -0,0 +1,69 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
function getOnline($ping) {
$currentTime = date('Y-m-d H:i:s');
$from_time = strtotime($ping);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 5){
return '<font color="grey">Offline</font>';
}else{
return '<font color="green">Online</font>';
}
}
function getOnline2($ping) {
$currentTime = date('Y-m-d H:i:s');
$from_time = strtotime($ping);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 2) {
return false;
}else{
return true;
}
}
function getPlayerCount($serverID, $dbcon) {
$count = 0;
$stmt = $GLOBALS['dbcon']->prepare("SELECT lastSeen, inGame FROM users WHERE inGameId = :id");
$stmt->bindParam(':id', $serverID, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
if (getOnline2($result['lastSeen']) == true and $result['inGame'] == 1) {
$count++;
}
}
return $count;
}
function getDescription($description) {
if (strlen($description) > 0) {
return htmlentities($description, ENT_QUOTES, "UTF-8");
}else{
return '<font color="grey">No description.</font>';
}
}
if ($GLOBALS['loggedIn']) {
$stmt = $dbcon->prepare("SELECT * FROM games WHERE `creator_uid` = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo '<div class="well profileCard"><h4><span class="fa fa-frown-o"></span> Nothing found</h4><p>Looks like there is nothing here</p></div>';
}
foreach($stmt as $result) {
$creator = $result['creator_uid'];
$stmt = $dbcon->prepare("SELECT * FROM users WHERE id = :id");
$stmt->bindParam(':id', $creator, PDO::PARAM_INT);
$stmt->execute();
$result2 = $stmt->fetch(PDO::FETCH_ASSOC);
echo '<div class="col-xs-12 col-sm-12 col-md-4 center" style="word-wrap:break-word;"><div class="well profileCard">';
echo '<h4>'.htmlentities(user::filter($result['name']), ENT_QUOTES, "UTF-8").'</h4><b>Creator</b> : <a href="/user/profile/'.$result2['username'].'">'.$result2['username'].'</a><br><img width="75" src="'.context::getUserImage($result2).'"><br><b>Status :</b> '.getOnline($result['lastPing']).'<br><b>Online Players :</b> '.getPlayerCount($result['id'], $dbcon).'<br><a href="/games/view/'.$result['id'].'" class="btn btn-success">View</a></div>';
echo '</div>';
}
}else{
echo '<div class="well profileCard"><h4><span class="fa fa-frown-o"></span> You need to be logged in</h4><p>Please login and try again.</p></div>';
}
?>
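Review bot: On L4144 the game name is passed through `htmlentities`, but `$result2['username']` is written raw into both the `href` and the link text on the same line, so the escaping is inconsistent within a single echo; apply `htmlentities($result2['username'], ENT_QUOTES, "UTF-8")` to both uses. `getPlayerCount` on L4111 accepts a `$dbcon` parameter and then ignores it in favour of `$GLOBALS['dbcon']` on L4113; either use the parameter or drop it. The helpers `getOnline`, `getOnline2`, `getPlayerCount` and `getDescription` are declared at file scope here and again in the next file (L4157-L4197); if both files are ever included in the same request PHP will fail on redeclaration, so they would be safer as methods on the existing `context` class or guarded with `function_exists`. `getDescription` (L4123) is defined but not called anywhere in this file.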


@ -0,0 +1,88 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
function getOnline($ping) {
$currentTime = date('Y-m-d H:i:s');
$from_time = strtotime($ping);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 5){
return '<font color="grey">Offline</font>';
}else{
return '<font color="green">Online</font>';
}
}
function getDescription($description) {
if (strlen($description) > 0) {
return htmlentities($description, ENT_QUOTES, "UTF-8");
}else{
return '<font color="grey">No description.</font>';
}
}
function getOnline2($ping) {
$currentTime = date('Y-m-d H:i:s');
$from_time = strtotime($ping);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 2) {
return false;
}else{
return true;
}
}
function getPlayerCount($serverID, $dbcon) {
$count = 0;
$stmt = $GLOBALS['dbcon']->prepare("SELECT lastSeen, inGame FROM users WHERE inGameId = :id");
$stmt->bindParam(':id', $serverID, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
if (getOnline2($result['lastSeen']) == true and $result['inGame'] == 1) {
$count++;
}
}
return $count;
}
if ($GLOBALS['loggedIn']) {
$stmt = $dbcon->prepare("SELECT * FROM gameKeys WHERE userid = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$count = 0;
foreach($stmt as $result) {
if (isset($_GET['version'])) {
$version = $_GET['version'];
if (is_array($version) == true) exit;
if ($version != 1 && $version != 0 && $version != 2) exit;
$gameId = $result['key'];
$stmt = $dbcon->prepare("SELECT * FROM games WHERE `key` = :key AND `version` = :version;");
$stmt->bindParam(':version', $version, PDO::PARAM_INT);
$stmt->bindParam(':key', $gameId, PDO::PARAM_STR);
}else{
$stmt = $dbcon->prepare("SELECT * FROM games WHERE `key` = :key;");
$stmt->bindParam(':key', $gameId, PDO::PARAM_STR);
}
$stmt->execute();
if ($stmt->rowCount() > 0) {
$count++;
}
foreach($stmt as $result) {
$creator = $result['creator_uid'];
$stmt = $dbcon->prepare("SELECT * FROM users WHERE id = :id");
$stmt->bindParam(':id', $creator, PDO::PARAM_INT);
$stmt->execute();
$result2 = $stmt->fetch(PDO::FETCH_ASSOC);
echo '<div class="col-xs-12 col-sm-12 col-md-4 center" style="word-wrap:break-word;"><div class="well profileCard">';
echo '<h4>'.htmlentities(user::filter($result['name']), ENT_QUOTES, "UTF-8").'</h4><b>Creator</b> : <a href="/user/profile/'.$result2['username'].'">'.$result2['username'].'</a><br><img width="75" src="'.context::getUserImage($result2).'"><br><b>Status :</b> '.getOnline($result['lastPing']).'<br><b>Online Players :</b> '.getPlayerCount($result['id'], $dbcon).'<br><a href="/games/view/'.$result['id'].'" class="btn btn-success">View</a></div>';
echo '</div>';
}
}
if ($count == 0) {
echo '<div class="well profileCard"><h4><span class="fa fa-frown-o"></span> Nothing found</h4><p>Looks like there is nothing here</p></div>';
}
}else{
echo '<div class="well profileCard"><h4><span class="fa fa-frown-o"></span> You need to be logged in</h4><p>Please login and try again.</p></div>';
}
?>
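Review bot: In the `else` branch of the `isset($_GET['version'])` check, `$gameId` is bound to `:key` without ever being assigned — `$gameId = $result['key'];` only runs inside the `if` branch — so the no-version lookup binds an undefined variable (null) and never matches a game. Move `$gameId = $result['key'];` above the `if` so both branches use it. The inner `foreach($stmt as $result)` reuses the outer loop's `$stmt` and `$result` names while that loop is still iterating; this works because PHP iterates the original statement object, but distinct names (`$gameStmt`, `$game`) would make the nesting readable. `getPlayerCount` takes a `$dbcon` parameter it never uses and reads `$GLOBALS['dbcon']` instead; the same holds for its copies in the my-games, public-games and game-view sections below.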


@ -0,0 +1,78 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
function getOnline($ping) {
$currentTime = date('Y-m-d H:i:s');
$from_time = strtotime($ping);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 5){
return '<font color="grey">Offline</font>';
}else{
return '<font color="green">Online</font>';
}
}
function getOnline2($ping) {
$currentTime = date('Y-m-d H:i:s');
$from_time = strtotime($ping);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 2) {
return false;
}else{
return true;
}
}
function getPlayerCount($serverID, $dbcon) {
$count = 0;
$stmt = $GLOBALS['dbcon']->prepare("SELECT lastSeen, inGame FROM users WHERE inGameId = :id");
$stmt->bindParam(':id', $serverID, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
if (getOnline2($result['lastSeen']) == true and $result['inGame'] == 1) {
$count++;
}
}
return $count;
}
function getDescription($description) {
if (strlen($description) > 0) {
return htmlentities($description, ENT_QUOTES, "UTF-8");
}else{
return '<font color="grey">No description.</font>';
}
}
if ($GLOBALS['loggedIn']) {
if (isset($_GET['version'])) {
$version = $_GET['version'];
if (is_array($version) == true) exit;
if ($version != 1 && $version != 0 && $version != 2) exit;
$stmt = $dbcon->prepare("SELECT * FROM games WHERE `creator_uid` = :id AND `version` = :version;");
$stmt->bindParam(':version', $version, PDO::PARAM_INT);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
}else{
$stmt = $dbcon->prepare("SELECT * FROM games WHERE `creator_uid` = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
}
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo '<div class="well profileCard"><h4><span class="fa fa-frown-o"></span> Nothing found</h4><p>Looks like there is nothing here</p></div>';
}
foreach($stmt as $result) {
$creator = $result['creator_uid'];
$stmt = $dbcon->prepare("SELECT * FROM users WHERE id = :id");
$stmt->bindParam(':id', $creator, PDO::PARAM_INT);
$stmt->execute();
$result2 = $stmt->fetch(PDO::FETCH_ASSOC);
echo '<div class="col-xs-12 col-sm-12 col-md-4 center" style="word-wrap:break-word;"><div class="well profileCard">';
echo '<h4>'.htmlentities(user::filter($result['name']), ENT_QUOTES, "UTF-8").'</h4><b>Creator</b> : <a href="/user/profile/'.$result2['username'].'">'.$result2['username'].'</a><br><img width="75" src="'.context::getUserImage($result2).'"><br><b>Status :</b> '.getOnline($result['lastPing']).'<br><b>Online Players :</b> '.getPlayerCount($result['id'], $dbcon).'<br><a href="/games/view/'.$result['id'].'" class="btn btn-success">View</a></div>';
echo '</div>';
}
}else{
echo '<div class="well profileCard"><h4><span class="fa fa-frown-o"></span> You need to be logged in</h4><p>Please login and try again.</p></div>';
}
?>
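Review bot: `$result2['username']` is interpolated into both the `href` and the link text of the creator line without escaping, while `$result['name']` on the same line goes through `htmlentities`; unless usernames are restricted to a safe character set at registration (not visible here), escape them the same way, e.g. `$creatorName = htmlentities($result2['username'], ENT_QUOTES, 'UTF-8');` and use it in both places. `getOnline`, `getOnline2`, `getPlayerCount` and `getDescription` are copied verbatim into several of these view files; moving them into `core/func/includes.php` would stop the online thresholds from drifting (5 minutes here, 2 in the public listing). `getDescription` is defined but never called in this file.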


@ -0,0 +1,136 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if (isset($_GET['version'])) {
$version = $_GET['version'];
if (is_array($version) == true) exit;
if ($version == 0) {
$version = 0;
}elseif ($version == 1) {
$version = 1;
}elseif ($version == 2) {
$version = 2;
}else{
$version = 4; // All
}
}else{
$version = 4; // All
}
$GLOBALS['gameVersion'] = $version;
if ($version == 0) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM games WHERE public = 1 AND version = 0 ORDER BY id DESC");
}elseif($version == 1) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM games WHERE public = 1 AND version = 1 ORDER BY id DESC");
}elseif ($version == 2) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM games WHERE public = 1 AND version = 2 ORDER BY id DESC");
}else{
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM games WHERE public = 1 ORDER BY id DESC");
}
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo '<div class="well profileCard"><h4><span class="fa fa-frown-o"></span> Looks like there are no public games for this version!</h4><p>You could try adding your own server and setting it to public.</p></div>';
exit;
}
function getOnline($ping) {
$currentTime = date('Y-m-d H:i:s');
$from_time = strtotime($ping);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 2){
return '<font color="grey">Offline</font>';
}else{
return '<font color="green">Online</font>';
}
}
function getOnline2($ping) {
$currentTime = date('Y-m-d H:i:s');
$from_time = strtotime($ping);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 2) {
return false;
}else{
return true;
}
}
function getDedicated($dedi) {
if ($dedi == 1) return '<span class="fa fa-server" data-toggle="tooltip" data-placement="bottom" data-original-title="Dedicated Server"></span> ';
return '';
}
function getPlayerCount($serverID, $dbcon, $dedicated, $pCount) {
if ($dedicated == 0) {
$count = 0;
$stmt = $GLOBALS['dbcon']->prepare("SELECT lastSeen, inGame FROM users WHERE inGameId = :id");
$stmt->bindParam(':id', $serverID, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
if (getOnline2($result['lastSeen']) == true and $result['inGame'] == 1) {
$count++;
}
}
return $count;
}else{
return $pCount;
}
}
function getDescription($description) {
if (strlen($description) > 0) {
return htmlentities($description, ENT_QUOTES, "UTF-8");
}else{
return '<font color="grey">No description.</font>';
}
}
function getImage($result2, $serverID, $imgTime) {
if (file_exists("/var/www/api/imageServer/server/".$serverID.".png") && $GLOBALS['loggedIn']) {
return "https://api.xdiscuss.net/imageServer/server/".$serverID.".png?v=".strtotime($imgTime);
}else{
return context::getUserImage($result2);
}
}
function getVersion($gVersion) {
if ($GLOBALS['gameVersion'] == 4) {
if ($gVersion == 0) $versionString = "2009";
if ($gVersion == 1) $versionString = "2008";
if ($gVersion == 2) $versionString = "2011";
if ($gVersion == 3) $versionString = "2010";
return '<b>Version : </b>'.$versionString.'<br>';
}
}
$count = 0;
if ($stmt->rowCount() > 0) {
echo '<div class="row">';
}
foreach($stmt as $result) {
if (getOnline2($result['lastPing']) == true) {
$count++;
$creator = $result['creator_uid'];
$stmt = $GLOBALS['dbcon']->prepare("SELECT username, id, imgTime FROM users WHERE id = :id");
$stmt->bindParam(':id', $creator, PDO::PARAM_INT);
$stmt->execute();
$result2 = $stmt->fetch(PDO::FETCH_ASSOC);
$gameName = context::secureString($result['name']);
if (strlen($gameName) >= 20) {
$gameName = substr($gameName, 0, 17). " ... ";
}
echo '<div class="col-xs-12 col-sm-12 col-md-4 center" style="word-wrap:break-word;height:250px;max-height:250px;min-height:250px;margin-bottom:5px"><div class="well profileCard" style="height:250px;max-height:250px;min-height:250px">';
echo '<h4>'.getDedicated($result['dedi']).$gameName.'</h4><b>Creator</b> : <a href="/user/profile/'.$result2['username'].'">'.$result2['username'].'</a><br><img width="75" src="'.getImage($result2, $result['id'], $result['imgTime']).'"><br><b>Status :</b> '.getOnline($result['lastPing']).'<br><b>Online Players :</b> '.getPlayerCount($result['id'], $dbcon, $result['dedi'], $result['numPlayers']).'<br>'.getVersion($result['version']).'<a onclick="viewGame('.$result['id'].');" class="btn btn-success">View</a></div>';
echo '</div>';
}
}
if ($stmt->rowCount() > 0) {
echo '</div>';
}
if ($count == 0) {
echo '<div class="well profileCard"><h4><span class="fa fa-frown-o"></span> Looks like there are no online games for this version!</h4><p>You could try adding your own server and setting it to public.</p></div>';
}
echo '<script>$("[data-toggle=\'tooltip\']").tooltip();</script>';
?>
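Review bot: `$gameName` is truncated with `substr` after `context::secureString` has run, so if `secureString` HTML-encodes its input (not visible here), a cut at byte 17 can land inside an entity such as `&amp;` or inside a multibyte UTF-8 sequence and emit a broken or unescaped fragment; truncate the raw name first with `mb_substr($result['name'], 0, 17)` and escape the result. `getVersion` leaves `$versionString` undefined for any `$gVersion` outside 0–3 and still concatenates it, which produces a warning and an empty version label; a `match` with a default such as `'Unknown'` would cover that. `getDescription` is defined but unused in this file.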


@ -0,0 +1,101 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['serverName']) and isset($_POST['serverDescription']) and isset($_POST['serverIP']) and isset($_POST['serverPort']) and isset($_POST['privacyType']) and isset($_POST['gameVersion'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$serverName = $_POST['serverName'];
$serverDescription = $_POST['serverDescription'];
$serverIP = $_POST['serverIP'];
$serverPort = $_POST['serverPort'];
$privacyType = $_POST['privacyType'];
$gameVersion = $_POST['gameVersion'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
$nameCheck = preg_replace("/[^ \w]+/", "", $serverName);
$nameCheck = preg_replace('!\s+!', ' ', $nameCheck);
$descriptionCheck = preg_replace("/[^ \w]+/", "", $serverDescription);
$descriptionCheck = preg_replace('/\s+/', '', $descriptionCheck);
if (strlen($serverName) > 32) {
echo 'server-name-too-long';
exit;
}
if (strlen($serverName) < 4) {
echo 'server-name-too-short';
exit;
}
if (!preg_match("/^[\w*?!\/@',:#$%\^&*\(\) -]+$/", $serverName) == 1) {
die("server-name-too-short");
}
if (strlen($serverName) > 128) {
echo 'server-description-too-long';
exit;
}
if (strlen($serverIP) == 0) {
echo 'server-ip-too-short';
exit;
}
if (strlen($serverIP) > 64) {
echo 'server-ip-too-long';
exit;
}
if (strlen($serverPort) == 0) {
echo 'server-port-too-short';
exit;
}
if (strlen($serverPort) > 5) {
echo 'server-port-too-long';
exit;
}
if (is_numeric($serverPort == false) || $serverPort > 64000) die("invalid-port");
if (filter_var($serverIP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) == false) {
echo 'invalid-ip';
exit;
}
if ($privacyType != 0 && $privacyType != 1) {
echo 'invalid-privacy';
exit;
}
if ($gameVersion != 0 && $gameVersion != 1 && $gameVersion != 2) {
echo 'invalid-version';
exit;
}
$key = md5(microtime().rand());
$serverkey = md5(microtime().rand());
$stmt = $dbcon->prepare("INSERT INTO games (`public`, `creator_uid`, `name`, `description`, `ip`, `port`, `key`, `privatekey`, `version`) VALUES (:public, :user, :name, :description, :ip, :port, :key, :serverkey, :version);");
$stmt->bindParam(':public', $privacyType, PDO::PARAM_INT);
$stmt->bindParam(':version', $gameVersion, PDO::PARAM_INT);
$stmt->bindParam(':serverkey', $serverkey, PDO::PARAM_STR);
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':name', $serverName, PDO::PARAM_STR);
$stmt->bindParam(':description', $serverDescription, PDO::PARAM_STR);
$stmt->bindParam(':ip', $serverIP, PDO::PARAM_STR);
$stmt->bindParam(':port', $serverPort, PDO::PARAM_INT);
$stmt->bindParam(':key', $key, PDO::PARAM_STR);
$stmt->execute();
$stmt = $dbcon->prepare("SELECT * FROM games WHERE `creator_uid`=:uid ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$id = $result['id'];
echo $id;
}else{
echo 'error';
}
?>
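Review bot: The description length guard tests `strlen($serverName) > 128` instead of `$serverDescription`, so the description is never length-checked before the INSERT; and `is_numeric($serverPort == false)` applies `is_numeric` to a boolean, so a non-numeric port is never rejected by that clause — it should read `if (!is_numeric($serverPort) || $serverPort > 64000) die("invalid-port");`. The CSRF comparison `$csrf != $GLOBALS['csrf_token']` is a loose string comparison; use `!hash_equals((string) $GLOBALS['csrf_token'], (string) $csrf)` here and in the identical check in the request-server, delete-game, group description, group create, join, delete and leave handlers below. The `key` and `privatekey` values are derived from `md5(microtime().rand())`, which is not a cryptographic source; if these act as credentials for the game server, generate them with `bin2hex(random_bytes(16))`. The re-select with `ORDER BY id DESC LIMIT 1` to find the new row's id can return a concurrent insert's row; `$dbcon->lastInsertId()` after the INSERT gives the id directly.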


@ -0,0 +1,114 @@
<?php
if (isset($_POST['csrf_token']) and isset($_POST['serverName']) and isset($_POST['serverDescription']) and isset($_POST['versionType']) and isset($_POST['privacyType'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf_token'];
$serverName = $_POST['serverName'];
$serverDescription = $_POST['serverDescription'];
$serverName = str_replace("-", "", $serverName);
$serverDescription = str_replace("-", "", $serverDescription);
$version = $_POST['versionType'];
$privacyType = $_POST['privacyType'];
if ($version != 0 && $version != 2 && $version != 1) die("error");
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
$timeSince = round(abs(strtotime(context::getCurrentTime()) - strtotime($GLOBALS['userTable']['lastUpload'])) / 60,2);
if ($timeSince < 5 && $GLOBALS['userTable']['rank'] != 1) {
echo 'rate-limit';
exit;
}
$genPlace = 0;
if (isset($_POST['genPlace'])) $genPlace = $_POST['genPlace'];
if (is_array($genPlace)) die("error");
// Do never use generic places if a place file is present.
if (isset($_FILES['placeFile'])) {
$genPlace = 0;
}
// Check if genplace exists
if ($genPlace != 0 && $genPlace != 1) die("error");
$nameCheck = preg_replace("/[^ \w]+/", "", $serverName);
$nameCheck = preg_replace('!\s+!', ' ', $nameCheck);
$descriptionCheck = preg_replace("/[^ \w]+/", "", $serverDescription);
$descriptionCheck = preg_replace('/\s+/', '', $descriptionCheck);
if (strlen($serverName) > 32) {
echo 'server-name-too-long';
exit;
}
if (!preg_match("/^[\w*?!\/@',:#$%\^&*\(\) -]+$/", $serverName) == 1) {
die("server-name-too-short");
}
if (strlen($serverName) < 4) {
echo 'server-name-too-short';
exit;
}
if ($privacyType != 0 && $privacyType != 1) {
echo 'invalid-privacy';
exit;
}
if (strlen($serverDescription) > 128) {
echo 'server-description-too-long';
exit;
}
if (isset($_FILES['placeFile'])) {
// Upload the place file properly.
$fileContent = @file_get_contents($_FILES['placeFile']['tmp_name']);
if (strpos($fileContent, 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"') == false) {
die("invalid-placefile");
}
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['placeFile']['tmp_name']);
if ($mime != "text/plain") {
die("invalid-placefile");
}
$imageFileType = pathinfo($_FILES['placeFile']["name"], PATHINFO_EXTENSION);
if ($imageFileType != "rbxl" && $imageFileType != "RBXL") die("invalid-placefile");
// Still alive? Proceed to upload the place file.
$uploadDirectory = $_SERVER['DOCUMENT_ROOT'].'/data/assets/uploads/';
$fileHash = hash_file('sha512', $_FILES["placeFile"]["tmp_name"]);
if (!file_exists($uploadDirectory.$fileHash)) {
if (!move_uploaded_file($_FILES["placeFile"]["tmp_name"], $uploadDirectory.$fileHash)) {
die("file-move-error");
}
}
$webDirectory = "http://xdiscuss.net/data/assets/uploads/".$fileHash;
}else{
if ($genPlace == 0) die("error");
if ($genPlace == 1) $webDirectory = "http://api.xdiscuss.net/places/baseplate.rbxl";
}
// If we're still here, we can continue to request the server.
$stmt = $dbcon->prepare("INSERT INTO serverRequests (`placeLocation`, `serverName`, `serverDescription`, `serverVersion`, `userID`, `serverPrivacy`) VALUES (:placeLocation, :serverName, :serverDescription, :version, :userID, :privacy);");
$stmt->bindParam(':placeLocation', $webDirectory, PDO::PARAM_STR);
$stmt->bindParam(':serverName', $serverName, PDO::PARAM_STR);
$stmt->bindParam(':userID', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':version', $version, PDO::PARAM_INT);
$stmt->bindParam(':privacy', $privacyType, PDO::PARAM_INT);
$stmt->bindParam(':serverDescription', $serverDescription, PDO::PARAM_STR);
$stmt->execute();
$stmt = $dbcon->prepare("UPDATE users SET lastUpload = NOW() WHERE id = :user;");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
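Review bot: The placefile marker test `strpos($fileContent, 'xmlns:xsi=...') == false` uses a loose comparison, so a file whose attribute sits at offset 0 is rejected (`0 == false`) while it is the check's intent to accept it; it should be `=== false`, or `!str_contains($fileContent, 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"')`. The upload path never checks `$_FILES['placeFile']['error'] === UPLOAD_ERR_OK` or `is_uploaded_file($_FILES['placeFile']['tmp_name'])`, and `@file_get_contents` hides the read failure, so a partial or failed upload is indistinguishable from a bad file and reported as `invalid-placefile`. The extension test accepts only `rbxl` and `RBXL`; `strtolower($imageFileType) !== 'rbxl'` covers mixed case without listing variants.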


@ -0,0 +1,29 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['serverID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$serverID = $_POST['serverID'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($serverID) == 0) {
echo 'error';
exit;
}
$stmt = $dbcon->prepare("SELECT * FROM games WHERE id = :id;");
$stmt->bindParam(':id', $serverID, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['creator_uid'] != $GLOBALS['userTable']['id'] && $GLOBALS['userTable']['rank'] == 0) {
echo 'error';
exit;
}
$stmt = $dbcon->prepare("DELETE FROM games WHERE id = :id;");
$stmt->bindParam(':id', $serverID, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
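Review bot: When `serverID` matches no row, `$stmt->fetch()` returns `false` and `$result['creator_uid']` reads an offset on a boolean (a warning in PHP 8) that evaluates to null; for a user with `rank != 0` the ownership check then passes and the handler runs an empty DELETE and reports `success`. Add `if ($result === false) { echo 'error'; exit; }` after the fetch. `strlen($serverID)` throws a TypeError if the client posts `serverID[]=1`; the view handlers use `is_array(...)` before touching the value, and a `ctype_digit($serverID)` check would make the `PDO::PARAM_INT` binding meaningful.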


@ -0,0 +1,78 @@
<?php
function getOnline($ping) {
$currentTime = date('Y-m-d H:i:s');
$from_time = strtotime($ping);
$to_time = strtotime($currentTime);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 2) {
return false;
}else{
return true;
}
}
function getPlayerCount($serverID, $dbcon) {
$count = 0;
$stmt = $GLOBALS['dbcon']->prepare("SELECT lastSeen, inGame FROM users WHERE inGameId = :id");
$stmt->bindParam(':id', $serverID, PDO::PARAM_INT);
$stmt->execute();
foreach($stmt as $result) {
if (getOnline($result['lastSeen']) == true and $result['inGame'] == 1) {
$count++;
}
}
return $count;
}
if (isset($_GET['id'])) {
$gameID = $_GET['id'];
if (is_array($gameID)) {
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$stmt = $GLOBALS['dbcon']->prepare('SELECT * FROM games WHERE id= :id');
$stmt->bindParam(':id', $gameID, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($stmt->rowCount() == 0) {
echo 'Game not found!';
echo '<script>$(".gameTitle").html("Error")</script>';
exit;
}
echo '<script>$(".gameTitle").html(\''.context::secureString($result['name']).'\')</script>';
$stmt = $dbcon->prepare("SELECT username, id, imgTime FROM users WHERE id = :id");
$stmt->bindParam(':id', $result['creator_uid'], PDO::PARAM_INT);
$stmt->execute();
$resultuser = $stmt->fetch(PDO::FETCH_ASSOC);
echo '<div class="col-xs-6">';
if (file_exists("/var/www/api/imageServer/server/".$result['id'].".png") && $GLOBALS['loggedIn']) {
echo "<img style=\"max-height:100%;max-width:100%\" src=\"https://api.xdiscuss.net/imageServer/server/".$result['id'].".png?v=".strtotime($result['imgTime'])."\">";
}
echo '</div>';
echo '<div class="col-xs-6">';
echo '<a href="/user/profile/'.$resultuser['username'].'"><img width="150" height="150" src="'.context::getUserImage($resultuser).'"></a><br>';
echo '<b>Creator</b> : <a href="/user/profile/'.$resultuser['username'].'">'.$resultuser['username'].'</a><br>';
echo '<b>Created</b> : '.date('M j Y g:i A', strtotime($result['date'])).'<br>';
if (getOnline($result['lastPing'])) {
echo '<b>Status</b> : <span style="color:green">Online</span><br>';
}else{
echo '<b>Status</b> : <span style="color:grey">Offline</span><br>';
}
if ($result['dedi'] == 0)
echo '<b>Online Players</b> : '.getPlayerCount($result['id'], $GLOBALS['dbcon']).'<br>';
if ($result['dedi'] == 1) {
echo '<b>Online Players</b> : '.$result['numPlayers'].'<br>';
}
if ($GLOBALS['loggedIn']) {
if ($result['version'] == 0) echo '<a class="btn btn-success fullWidth" href="GraphictoriaClient://'.$GLOBALS['userTable']['gameKey'].';'.$result['id'].';'.$GLOBALS['userTable']['id'].'">Play</a>';
if ($result['version'] == 1) echo '<a class="btn btn-success fullWidth" href="GraphictoriaClient2://'.$GLOBALS['userTable']['gameKey'].';'.$result['id'].';'.$GLOBALS['userTable']['id'].'">Play</a>';
if ($result['version'] == 2) echo '<a class="btn btn-success fullWidth" href="GraphictoriaClient3://'.$GLOBALS['userTable']['gameKey'].';'.$result['id'].';'.$GLOBALS['userTable']['id'].'">Play</a>';
}else{
echo '<a class="btn btn-success disabled fullWidth">Play</a>';
}
echo '<a style="margin-top:5px" class="btn btn-warning fullWidth" href="/games/view/'.$result['id'].'">Full Page</a>';
echo '</div></div>';
}else{
echo 'An error occurred';
}
?>
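Review bot: `context::secureString($result['name'])` is placed inside a single-quoted JavaScript string in the `$(".gameTitle").html('...')` call; HTML escaping is not JavaScript-string escaping, so whether a `'` or backslash in a game name can break out of that string depends on what `secureString` encodes (not visible here). Encode for the JS context explicitly and let jQuery treat the value as text: `echo '<script>$(".gameTitle").text('.json_encode($result['name'], JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP).')</script>';`. `$resultuser['username']` is interpolated unescaped into the profile links and the creator line, so the same escaping question applies there. `getOnline` here returns a bool while the same-named function in the listing files returns an HTML snippet; since each file defines its own copy this does not clash, but it is confusing when reading them side by side.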


@ -0,0 +1,69 @@
<?php
if (isset($_GET['gid'])) {
$groupId = $_GET['gid'];
if (is_array($groupId)) {
exit;
}
}
if (isset($_GET['page'])) {
$page = $_GET['page'];
}else{
$page = 0;
}
if (is_array($page)) {
exit;
}
if (is_numeric($page) == false) {
exit;
}
if (is_numeric($groupId) == false) {
exit;
}
$offset = $page*9;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM group_members WHERE gid = :id ORDER BY id DESC LIMIT 9 OFFSET :offset;");
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmt->execute();
$stmtc = $GLOBALS['dbcon']->prepare("SELECT id FROM group_members WHERE gid = :id");
$stmtc->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmtc->execute();
echo '<script>$("#memberCount").html("Members ('.$stmtc->rowCount().')");</script>';
$count = 0;
if ($stmt->rowCount() == 0) {
echo 'No members found';
}
echo '<div class="row">';
foreach($stmt as $result) {
$count++;
if ($count < 9) {
$userId = $result['uid'];
$stmt = $GLOBALS['dbcon']->prepare("SELECT username, imgTime, lastSeen, id FROM users WHERE id = :id");
$stmt->bindParam(':id', $userId, PDO::PARAM_INT);
$stmt->execute();
$resultuser = $stmt->fetch(PDO::FETCH_ASSOC);
$username = $resultuser['username'];
if (strlen($username) > 10) {
$username = substr($username, 0, 7) . '...';
}
echo '<div class="col-xs-12 col-sm-12 col-md-3 center"><br>';
echo '<a href="/user/profile/'.$resultuser['username'].'"><img width="120" src="'.context::getUserImage($resultuser).'"></a><br>';
echo context::getOnline($resultuser);
echo '<a href="/user/profile/'.$resultuser['username'].'"><b>'.htmlentities($username, ENT_QUOTES, "UTF-8").'</b></a><br><br></div>';
}
}
echo '<div style="margin-left:15px;margin-right:15px;"><div class="btn-group btn-group-justified">';
if ($page > 0) {
echo '<a class="btn fullWidth" onclick="getMembers(\''.$groupId.'\', '.($page-1).')">&laquo; Previous</a>';
}
if ($count > 6) {
echo '<a class="btn fullWidth" onclick="getMembers(\''.$groupId.'\', '.($page+1).')">Next &raquo;</a>';
}
if ($count == 0 and $page > 0) {
exit;
}
echo '</div></div></div>';
?>
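Review bot: `if ($count > 6)` renders the Next button after only seven of the nine fetched rows, so a last page with seven or eight members offers a Next link that loads an empty page (which then `exit`s before the closing markup); with `LIMIT 9` and eight rows displayed the sentinel condition should be `if ($count > 8)`, mirroring the `LIMIT 11` / `$count > 10` pattern in the group search handler. `$page` is only checked with `is_numeric`, which accepts `-1` and `1e2` and yields an invalid OFFSET; `if (filter_var($page, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) exit;` is stricter. The member total is derived from `$stmtc->rowCount()` on a `SELECT id`, which fetches every member row to count them; `SELECT COUNT(*)` returns the number directly.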


@ -0,0 +1,36 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['descriptionValue']) and isset($_POST['groupId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$descriptionValue = $_POST['descriptionValue'];
$groupId = $_POST['groupId'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
$descriptionCheck = preg_replace("/[^ \w]+/", "", $descriptionValue);
$descriptionCheck = preg_replace('/\s+/', '', $descriptionCheck);
if (strlen($descriptionCheck) > 256 or strlen($descriptionValue) > 256) {
echo 'description-too-long';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM groups WHERE id = :id");
$stmt->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['cuid'] != $GLOBALS['userTable']['id'] and $GLOBALS['userTable']['rank'] == 0) {
echo 'error';
exit;
}
$query = "UPDATE `groups` SET `description`=:description WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmt->bindParam(':description', $descriptionValue, PDO::PARAM_STR);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
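Review bot: `$result` is `false` when `groupId` matches no group, so `$result['cuid']` reads an offset on a boolean and the ownership test compares against null; a rank-0 user is still rejected, but a user with `rank != 0` proceeds to an UPDATE on a nonexistent id and reports `success`. Guard with `if ($result === false) { echo 'error'; exit; }` after the fetch — the group join handler below has the same gap, where it is not harmless. `$descriptionCheck` is computed and length-checked but only the raw `$descriptionValue` is stored and it is length-checked separately, so the first check is redundant; and `$groupId` is never validated as an integer before being bound as `PDO::PARAM_INT`.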


@ -0,0 +1,82 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['groupName']) and isset($_POST['groupDescription'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$groupName = $_POST['groupName'];
$groupDescription = $_POST['groupDescription'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
$nameCheck = preg_replace("/[^ \w]+/", "", $groupName);
$nameCheck = preg_replace('!\s+!', ' ', $nameCheck);
if (strlen($nameCheck) == 0) {
echo 'no-name';
exit;
}
if (!preg_match("/^[\w*?!\/@#$%\^&*\(\) -]+$/", $groupName) == 1) {
die("group-name-too-short");
}
if (strlen($nameCheck) < 5) {
echo 'group-name-too-short';
exit;
}
if (strlen($nameCheck) > 32 or strlen($groupName) > 32) {
echo 'group-name-too-long';
exit;
}
$descriptionCheck = preg_replace("/[^ \w]+/", "", $groupDescription);
$descriptionCheck = preg_replace('/\s+/', '', $descriptionCheck);
if (strlen($descriptionCheck) > 256 or strlen($groupDescription) > 256) {
echo 'description-too-long';
exit;
}
if ($GLOBALS['userTable']['coins'] < 50) {
echo 'no-coins';
exit;
}
$count = 0;
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM group_members WHERE uid = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$count = $count + $stmt->rowCount();
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM groups WHERE cuid = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$count = $count + $stmt->rowCount();
if ($count > 9) {
echo 'in-too-many-groups';
exit;
}
$newCoins = $GLOBALS['userTable']['coins']-50;
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET coins = :coins WHERE id = :user;");
$stmt->bindParam(':coins', $newCoins, PDO::PARAM_INT);
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$query = "INSERT INTO groups (`cuid`, `name`, `description`) VALUES (:cuid, :name, :description);";
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':cuid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':name', $groupName, PDO::PARAM_STR);
$stmt->bindParam(':description', $groupDescription, PDO::PARAM_STR);
$stmt->execute();
$stmt = $dbcon->prepare("SELECT * FROM groups WHERE cuid = :id ORDER BY id DESC LIMIT 1;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
echo $result['id'];
}else{
echo 'error';
}
?>
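Review bot: The coin charge is not atomic: the balance is read from `$GLOBALS['userTable']['coins']` (loaded earlier in the request), decremented in PHP and written back, so two concurrent requests from the same user can both pass the `< 50` check and create two groups for one charge, and a failure on the following INSERT leaves the coins deducted with no group. Replace the read-modify-write with a conditional decrement and check its effect — `UPDATE users SET coins = coins - 50 WHERE id = :user AND coins >= 50` followed by `if ($stmt->rowCount() === 0) { echo 'no-coins'; exit; }` — and wrap it with the INSERT in a transaction. The new group's id is then re-selected with `ORDER BY id DESC LIMIT 1`; `$dbcon->lastInsertId()` returns it without a second query and cannot pick up a concurrent insert. `groups` is written unquoted in the SELECT and INSERT here but backtick-quoted in the description handler; `GROUPS` is a reserved word in MySQL 8.0.2+, so the unquoted form would fail there if that is the target database.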


@ -0,0 +1,58 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['groupId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$groupId = $_POST['groupId'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($groupId) == 0) {
echo 'error';
exit;
}
// Check if not already a member.
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM group_members WHERE uid = :uid AND gid = :id");
$stmt->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) {
echo 'error';
exit;
}
// Get all group information.
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM groups WHERE id = :id");
$stmt->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
// Check if owned by this user.
if ($GLOBALS['userTable']['id'] == $result['cuid']) {
echo 'error';
exit;
}
$count = 0;
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM group_members WHERE uid = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$count = $count + $stmt->rowCount();
$stmt = $GLOBALS['dbcon']->prepare("SELECT id FROM groups WHERE cuid = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$count = $count + $stmt->rowCount();
if ($count > 9) {
echo 'in-too-many-groups';
exit;
}
// Join group
$query = "INSERT INTO group_members (`uid`, `gid`) VALUES (:uid, :gid);";
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':gid', $groupId, PDO::PARAM_STR);
$stmt->execute();
}else{
echo 'error';
}
?>
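Review bot: Because `$result` is `false` for a group id that does not exist, `$result['cuid']` evaluates to null and the `==` ownership check passes, so the handler inserts a `group_members` row pointing at a nonexistent group, which then counts against the user's nine-group limit; add `if ($result === false) { echo 'error'; exit; }` after the fetch. `:gid` is bound with `PDO::PARAM_STR` while every other handler binds group ids as `PDO::PARAM_INT`. On the success path nothing is echoed, whereas the sibling handlers respond with `success`; if the client keys on that string it will treat a successful join as a failure — presumably an omission.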


@ -0,0 +1,48 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['groupId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$groupId = $_POST['groupId'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($groupId) == 0) {
echo 'error';
exit;
}
// Get all group information.
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM groups WHERE id = :id");
$stmt->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
// Check if not owned by this user.
if ($GLOBALS['userTable']['id'] != $result['cuid']) {
echo 'error';
exit;
}
// Check if not a member.
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM group_members WHERE uid = :uid AND gid = :id");
$stmt->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() > 0) {
echo 'error';
exit;
}
// Delete group and all its members.
$query = "DELETE FROM `group_members` WHERE `gid`=:groupId;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':groupId', $groupId, PDO::PARAM_INT);
$stmt->execute();
$query = "DELETE FROM `groups` WHERE `id`=:groupId;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':groupId', $groupId, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
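Review bot: The two DELETEs (members, then the group) run without a transaction, so a failure after the first leaves a group with no members rather than rolling back; wrap them in `$GLOBALS['dbcon']->beginTransaction()` / `commit()` with `rollBack()` on exception. The comment `// Check if not a member.` contradicts the condition below it, which rejects the request when the owner *is* listed in `group_members`; if owners are by design never stored there, say so (`// Owners are never stored in group_members; a hit here means an inconsistent group.`), and if it is an oversight drop the check. Unlike the description handler, this one gives users with `rank != 0` no override — worth confirming that is intended.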


@ -0,0 +1,43 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['groupId'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$groupId = $_POST['groupId'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($groupId) == 0) {
echo 'error';
exit;
}
// Get all group information.
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM groups WHERE id = :id");
$stmt->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
// Check if owned by this user.
if ($GLOBALS['userTable']['id'] == $result['cuid']) {
echo 'error';
exit;
}
// Check if member.
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM group_members WHERE uid = :uid AND gid = :id");
$stmt->bindParam(':id', $groupId, PDO::PARAM_INT);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'error';
exit;
}
// Leave group
$query = "DELETE FROM `group_members` WHERE `gid`=:groupId AND `uid`=:userId;";
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':groupId', $groupId, PDO::PARAM_INT);
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
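Review bot: `strlen($groupId) == 0` throws a TypeError under PHP 8 when the client posts `groupId[]=1`, producing a 500 instead of the `error` response; check `is_array($groupId)` first, as the view handlers do, or use `ctype_digit($groupId)` which also justifies the `PDO::PARAM_INT` binding. Stylistically the DELETE uses the bare `$dbcon` while the two SELECTs above use `$GLOBALS['dbcon']`; pick one form per file.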


@ -0,0 +1,54 @@
<?php
if (isset($_GET['term'])) {
$searchTerm = $_GET['term'];
}else{
exit;
}
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_array($page)) {
exit;
}
$offset = $page*12;
}else{
$page = 0;
$offset = 0;
}
if (is_numeric($page) == false) exit;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$searchTermSQL = '%'.$searchTerm.'%';
if (strlen($searchTerm) == 0) {
$stmt = $dbcon->prepare("SELECT * FROM groups WHERE name LIKE :term ORDER BY id DESC LIMIT 11 OFFSET :offset;");
}else{
$stmt = $dbcon->prepare("SELECT * FROM groups WHERE name LIKE :term ORDER BY name ASC LIMIT 11 OFFSET :offset;");
}
$stmt->bindParam(':term', $searchTermSQL, PDO::PARAM_STR);
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo '<div class="well profileCard">Nothing found.</div>';
}
$count = 0;
foreach($stmt as $result) {
$count++;
if ($count < 11) {
echo '<div class="well profileCard">';
echo '<div class="row">';
echo '<div class="col-xs-3">';
echo '<a href="/groups/view/'.$result['id'].'"><img height="150" width="150" src="'.context::getGroupImage($result['cuid']).'"></a>';
echo '</div>';
echo '<div class="col-xs-9">';
if ($result['description'] == NULL) {
$description = "<i>This user has not configured anything to display here</i>";
}else{
$description = '<span style="word-wrap:break-word;">'.context::secureString($result['description']).'</span>';
}
echo '<h4><a href="/groups/view/'.$result['id'].'">'.$result['name'].'</h4></a><b style="display:inline">Description: </b><p style="display:inline">'.$description.'</p>';
echo '</div></div></div>';
}
}
if ($count > 10) {
echo '<button class="btn btn-primary fullWidth searchGroup" onclick="loadMore('.($page+1).', \''.context::secureString($searchTerm).'\');">Load More</button>';
}
?>
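Review bot: `$result['name']` is echoed into the `<h4>` unescaped while `description` goes through `context::secureString()`; a group name stored with markup would render as HTML here, so escape it the same way: `'.context::secureString($result['name']).'`. The pagination is also off by one: the query fetches 11 rows and shows 10 (`$count < 11`), but the next page starts at `$page*12`, so two rows are skipped between pages; use `$offset = $page*10;`. The users search handler below has the same offset mismatch. `$_GET['term']` is not checked with `is_array()` as `page` is, and `strlen()` of an array throws a TypeError on PHP 8.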


@ -0,0 +1,91 @@
<?php
if (isset($_GET['filter'])) {
$filter = $_GET['filter'];
if (is_array($filter)) {
exit;
}
if (isset($_GET['page'])) {
$page = $_GET['page'];
}else{
$page = 0;
}
if (is_numeric($page) == false) exit;
if (is_numeric($filter) == false) exit;
if (is_array($page)) {
echo 'Something went wrong.';
exit;
}
if ($page == 0) {
echo '<h3>Messages</h3>';
}
function showReadStatus($read) {
if ($read == 0) {
return '<span style="color:#158cba" class="fa fa-envelope-open-o"></span>';
}
}
$offset = $page*25;
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] == false) {
exit;
}
if ($filter == 0) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM messages WHERE recv_uid = :rId ORDER BY id DESC LIMIT 26 OFFSET :offset");
}elseif ($filter == 1) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM messages WHERE recv_uid = :rId AND `read` = 0 ORDER BY id DESC LIMIT 26 OFFSET :offset");
}elseif ($filter == 2) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM messages WHERE recv_uid = :rId AND `read` = 1 ORDER BY id DESC LIMIT 26 OFFSET :offset");
}elseif ($filter == 3) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM messages WHERE sender_uid = :rId ORDER BY id DESC LIMIT 26 OFFSET :offset");
}else{
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM messages WHERE recv_uid = :rId ORDER BY id DESC LIMIT 26 OFFSET :offset");
}
$stmt->bindParam(':rId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->execute();
echo '<div class="list-group" style="margin-bottom:0px;">';
$count = 0;
foreach($stmt as $result) {
$count++;
if ($count < 25) {
if ($filter == 3) {
$userSheet = context::getUserSheetByID($result['recv_uid']);
}else{
$userSheet = context::getUserSheetByID($result['sender_uid']);
}
if ($userSheet['rank'] == 0) {
$usern = $userSheet['username'];
}elseif ($userSheet['rank'] == 1) {
$usern = '<b style="color:#158cba">'.$userSheet['username'].'</b>';
}elseif ($userSheet['rank'] == 2) {
$usern = '<b style="color:#28b62c">'.$userSheet['username'].'</b>';
}
echo '<div class="list-group-item" style="border:none;border-bottom:2px solid #eeeeee">';
echo '<h4 class="list-group-item-heading" onclick="loadMessage('.$result['id'].')" style="display:inline">'.showReadStatus($result['read']).' '.context::secureString($result['title']).'</h4>';
echo '<div class="nav navbar-nav navbar-right" style="margin-right:0px;">';
echo '<b>Date: </b>'.date('M j Y g:i A', strtotime($result['date']));
echo '</div>';
if ($filter == 3) {
echo '<p class="list-group-item-text">Sent to <a href="/user/profile/'.$userSheet['username'].'">'.$usern.'</a></p>';
}else{
echo '<p class="list-group-item-text">Sent by <a href="/user/profile/'.$userSheet['username'].'">'.$usern.'</a></p>';
}
echo '<div class="nav navbar-nav navbar-right" style="margin-right:0px;display:inline;margin:-15px 0px 0px;">';
echo '</div></div>';
}
}
if ($stmt->rowCount() == 0) {
echo 'You do not have any message';
}
if ($count > 25) {
echo '<button class="btn btn-primary fullWidth loadMore" onclick="loadMore(page, '.$filter.')">Load more</button><script>page++;</script>';
}
echo '</div>';
}else{
echo 'An error occurred';
}
?>
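Review bot: The loop displays only 24 rows (`$count < 25`) although the query fetches 26 and the next page starts at `$page*25`, so the 25th message of every page is never shown; change the guard to `if ($count < 26) {`. `$usern` is left undefined when `rank` is outside 0..2 and is then echoed, which emits a warning and an empty link; give it a default (the plain username) before the `if`/`elseif` chain. `$userSheet['username']` is written into the href and text unescaped, which is safe only if usernames are restricted to safe characters at registration — not visible from this file; otherwise wrap it in `context::secureString()`.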


@ -0,0 +1,33 @@
<?php
if (isset($_GET['username'])) {
$username = $_GET['username'];
if (is_array($username)) {
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if (!$GLOBALS['loggedIn']) {
echo 'Something went wrong';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM users WHERE username = :fId");
$stmt->bindParam(':fId', $username, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'User not found';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['id'] == $GLOBALS['userTable']['id']) {
echo 'You can not send messages to yourself';
exit;
}
if ($result['banned'] == 1) {
echo 'You can not send messages to a banned user';
exit;
}
echo '<h3>Sending a new message to '.context::secureString($result['username']).'</h3>';
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/api/messages/views/newMessage.php';
}else{
echo 'An error occurred';
}
?>
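Review bot: `$stmt->rowCount()` after a SELECT is relied on here (and in the other handlers of this commit) to detect a missing row, but PDO documents that value as driver-dependent for SELECT statements; fetch first and test the result instead: `$result = $stmt->fetch(PDO::FETCH_ASSOC); if ($result === false) { echo 'User not found'; exit; }`. The included `newMessage.php` reads `$result['id']` from this scope, so that coupling should be stated above the `include_once`: `// newMessage.php expects $result (the recipient's users row) to be in scope.`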


@ -0,0 +1,73 @@
<?php
if (isset($_POST['messageTitle']) and isset($_POST['messageContent']) and isset($_POST['csrf']) and isset($_POST['userID'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$messageTitle = $_POST['messageTitle'];
$messageContent = $_POST['messageContent'];
$csrf = $_POST['csrf'];
$userID = $_POST['userID'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false or strlen($userID) == 0) {
echo 'error';
exit;
}
if (strlen($messageTitle) < 5) {
echo 'title-too-short';
exit;
}
if (strlen($messageTitle) > 128) {
echo 'title-too-long';
exit;
}
if (strlen($messageContent) < 5) {
echo 'content-too-short';
exit;
}
if (strlen($messageContent) > 30000) {
echo 'content-too-long';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT lastPost, joinDate, rank FROM users WHERE id = :id");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$timeSince = round(abs(strtotime(date('Y-m-d H:i:s')) - strtotime($result['lastPost'])) / 60,2);
if ($timeSince < 0.2 and $result['rank'] == 0) {
echo 'rate-limit';
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT id, banned FROM users WHERE id = :id");
$stmt->bindParam(':id', $userID, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'no-user';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['banned'] == 1) {
echo 'user-banned';
exit;
}
$query = "INSERT INTO messages (`recv_uid`, `sender_uid`, `title`, `content`) VALUES (:recv_uid, :sender_uid, :title, :content);";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':sender_uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':recv_uid', $userID, PDO::PARAM_INT);
$stmt->bindParam(':title', $messageTitle, PDO::PARAM_STR);
$stmt->bindParam(':content', $messageContent, PDO::PARAM_STR);
$stmt->execute();
$query = "UPDATE `users` SET `lastPost`=NOW() WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
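Review bot: The "cannot send messages to yourself" rule is enforced only in the GET view (previous file); this handler inserts a message whose `recv_uid` equals the sender without complaint, so add the server-side check: `if ((int) $userID === (int) $GLOBALS['userTable']['id']) { echo 'error'; exit; }`. The length limits use byte-wise `strlen()` whereas the form's `maxlength="128"`/`"30000"` counts characters, so a multibyte title within the UI limit is rejected as `title-too-long`; use `mb_strlen()`. `strtotime($result['lastPost'])` returns `false` for a NULL `lastPost`, which `abs()` turns into a very large interval that passes the rate limit by accident — worth a comment, or handle the NULL explicitly.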


@ -0,0 +1,84 @@
<?php
if (isset($_GET['id'])) {
$id = $_GET['id'];
if (is_array($id)) {
echo 'Something went wrong.';
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] == false) {
exit;
}
$stmt = $GLOBALS['dbcon']->prepare("SELECT * FROM messages WHERE id = :id");
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'Message not found';
exit;
}
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['recv_uid'] != $GLOBALS['userTable']['id'] && $result['sender_uid'] != $GLOBALS['userTable']['id']) {
echo 'Message not found!';
exit;
}
if ($result['read'] == 0) {
$read = false;
}else{
$read = true;
}
if ($read == false and $loggedIn == true) {
if ($result['recv_uid'] == $GLOBALS['userTable']['id']) {
$stmt = $GLOBALS['dbcon']->prepare("UPDATE messages SET `read` = 1 WHERE id = :id");
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
}
}
$id = $result['id'];
if ($result['recv_uid'] == $GLOBALS['userTable']['id']) {
$userSheet = context::getUserSheetByID($result['sender_uid']);
}else{
$userSheet = context::getUserSheetByID($result['recv_uid']);
}
echo '<div class="nav navbar-nav navbar-right" style="margin-right:15px;">';
if ($result['recv_uid'] == $GLOBALS['userTable']['id']) {
echo '<a style="margin:-2px -15px 5px;" class="btn btn-primary" href="/user/messages/+'.$userSheet['username'].'">Reply</a>';
}
echo '<div id="pStatus"></div>';
echo '</div>';
echo '<h3>'.context::secureString($result['title']).'</h3>';
echo '<div class="nav navbar-nav navbar-right" style="margin-right:15px;">';
echo '</div>';
if ($userSheet['rank'] == 0) {
$usern = $userSheet['username'];
}elseif ($userSheet['rank'] == 1) {
$usern = '<b style="color:#158cba">'.$userSheet['username'].'</b>';
}elseif ($userSheet['rank'] == 2) {
$usern = '<b style="color:#28b62c">'.$userSheet['username'].'</b>';
}
echo '<div class="list-group-item" style="border:none;border-bottom:2px solid #eeeeee"><div class="row"><div class="col-xs-12 col-sm-12 col-md-2 center">
<div class="center">'.context::getOnline($userSheet).'<a href="/user/profile/'.$userSheet['username'].'">'.$usern.'</a></div>
<a href="/user/profile/'.$userSheet['username'].'"><img height="150" width="150" class="img-responsive" style="display:inline" src="'.context::getUserImage($userSheet).'"></a><br>';
if ($userSheet['rank'] == 1) {
echo '<p style="color:#158cba;margin:0 0 0px"><span class="fa fa-bookmark"></span> <b>Administrator</b></p>';
}
if ($userSheet['rank'] == 2) {
echo '<p style="color:#28b62c;margin:0 0 0px"><span class="fa fa-gavel"></span> <b>Moderator</b></p>';
}
echo '<b>Posts: </b>'.$userSheet['posts'].'<br>
<b>Joined: </b>'.date('M j Y', strtotime($userSheet['joinDate'])).'
</div>';
$content = strip_tags($result['content']);
$content = context::secureString($content);
if ($userSheet['rank'] > 0) {
$content = preg_replace("/\s*[a-zA-Z\/\/:\.]*youtube.com\/watch\?v=([a-zA-Z0-9\-_]+)([a-zA-Z0-9\/\*\-\_\?\&\;\%\=\.]*)/i","<iframe width=\"420\" height=\"315\" src=\"//www.youtube.com/embed/$1\" frameborder=\"0\" allowfullscreen></iframe>", $content);
$content = preg_replace("/https?:\/\/[^ ]+?(?:\.jpg|\.png|\.gif)/",'<img class="img-responsive" src="$0">', $content);
}
echo '<div class="col-xs-10">
<b><span class="fa fa-clock-o"></span> Sent on: </b>'.date('M j Y g:i A', strtotime($result['date'])).'<br>
'.nl2br($content).'
</div></div></div>';
}else{
echo 'An error occurred';
}
?>
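Review bot: The rich-embed branch is keyed on `$userSheet['rank']`, but `$userSheet` is the *other* party of the conversation (the sender when the viewer is the recipient, the recipient otherwise), so a regular user's own content gets YouTube/image embeds whenever they message a staff member, and a staff member's content gets none when they view their own sent message. Key it on the author: `$author = context::getUserSheetByID($result['sender_uid']); if ($author['rank'] > 0) {`. The `preg_replace` calls deliberately run on text already passed through `strip_tags()` and `secureString()`, which keeps the generated `src` attributes closed; say so in a comment so nobody reorders them. `$usern` is undefined for ranks outside 0..2 and `$userSheet['username']` goes into hrefs unescaped, as in the messages list.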


@ -0,0 +1,9 @@
<?php
if (!defined('IN_PHP')) {
exit;
}
?>
<div id="pStatus"></div>
<input class="form-control" maxlength="128" id="messageTitle" type="text" placeholder="Message Title">
<textarea rows="10" maxlength="30000" class="form-control" id="messageContent" placeholder="Message here"></textarea>
<button class="btn btn-primary" id="sendMessage" onclick="sendMessagePost(<?php echo $result['id'];?>)">Send Message</button>
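Review bot: `$result['id']` is interpolated into the `onclick` JavaScript without a cast; it comes from the DB row selected by the including handler, but an explicit cast keeps the template safe regardless of the caller: `onclick="sendMessagePost(<?php echo (int) $result['id']; ?>)"`. The file also depends on `$result` being set by the including script, which should be noted next to the `IN_PHP` guard: `// Expects $result (recipient users row) from the including handler.`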


@ -0,0 +1,114 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if (!isset($_GET['userId']) || is_array($_GET['userId'])) exit;
$userId = $_GET['userId'];
if (isset($_GET['type'])) $type = $_GET['type'];
if (!isset($_GET['type'])) exit;
if (is_array($_GET['type'])) exit;
$title = "";
if ($type == "hats") {
$title = "Hats";
}
if ($type == "shirts") {
$title = "Shirts";
}
if ($type == "pants") {
$title = "Pants";
}
if ($type == "gear") {
$title = "Gear";
}
if ($type == "tshirts"){
$title = "T-Shirts";
}
if ($type == "faces") {
$title = "Faces";
}
if ($type == "torso") {
$title = "Torso";
}
if ($type == "leftleg") {
$title = "Left Leg";
}
if ($type == "leftarm") {
$title = "Left Arm";
}
if ($type == "rightleg") {
$title = "Right Leg";
}
if ($type == "rightarm") {
$title = "Right Arm";
}
if ($type == "heads") {
$title = "Heads";
}
if (strlen($title) == 0) die("error");
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) exit;
$offset = $page*6;
if ($page == 0){
$page = 0;
$offset = 0;
}
}else{
$page = 0;
$offset = 0;
}
if ($page < 0) {
exit;
}
if ($GLOBALS['loggedIn'])
$stmt = $GLOBALS['dbcon']->prepare("SELECT catalogid FROM ownedItems WHERE type = :type AND uid = :uid AND deleted=0 ORDER BY id DESC LIMIT 7 OFFSET :offset;");
if (!$GLOBALS['loggedIn'])
$stmt = $GLOBALS['dbcon']->prepare("SELECT catalogid FROM ownedItems WHERE type = :type AND uid = :uid AND deleted=0 AND rbxasset=0 ORDER BY id DESC LIMIT 7 OFFSET :offset;");
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$stmt->bindParam(':uid', $userId, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo 'No items found.';
}
$count = 0;
foreach($stmt as $resultOwned) {
$count++;
if ($count < 7) {
$stmt = $GLOBALS['dbcon']->prepare("SELECT deleted, name, type, datafile, assetid, id, fileHash, imgTime, rbxasset FROM catalog WHERE id = :id AND type = :type");
$stmt->bindParam(':id', $resultOwned['catalogid'], PDO::PARAM_INT);
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['deleted'] == 0 && $result['type'] == $type) {
$itemName = $result['name'];
if (strlen($itemName) > 16) {
$itemName = substr($itemName, 0, 13) . '...';
}
echo '<div class="col-md-4 col-sm-4 col-xs-12 Center"><div style="box-shadow:none;height:170px;">'.htmlentities($itemName, ENT_QUOTES, "UTF-8").'<br>';
echo '<img style="max-height:100px;display:inline" class="img-responsive" src="'.context::getItemThumbnailC($type, $result['assetid'], $result['datafile'], $result['fileHash'], $result['imgTime']).'">';
echo '<br><a href="/catalog/item/'.$result['id'].'" class="btn btn-primary">Details</a>';
echo '</div></div>';
}
}
}
echo '<div style="margin-left:15px;margin-right:15px;"><div class="btn-group btn-group-justified">';
if ($page > 0) {
echo '<a class="btn fullWidth" onclick="loadPage(\''.$type.'\', '.($page-1).')">&laquo; Previous</a>';
}
if ($count > 6) {
echo '<a class="btn fullWidth" onclick="loadPage(\''.$type.'\', '.($page+1).')">Next &raquo;</a>';
}
if ($count == 0 and $page > 0) {
exit;
}
echo '</div></div>';
?>
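Review bot: The twelve sequential `if ($type == ...)` blocks that map the type to a title read better as a lookup table, which also gives the validation for free (unknown type → empty title → `die`), see below. Further down, `if ($count == 0 and $page > 0) exit;` runs after `<div ...><div class="btn-group ...">` has already been echoed, so that response ends with unclosed tags; move the check before the opening `echo`. `$page` is validated with `is_numeric()`, which accepts `1.5` and `1e2`, and the resulting float offset is bound as `PDO::PARAM_INT`; check `ctype_digit((string) $page)` and cast with `(int)`.
```php
$titles = [
    'hats' => 'Hats', 'shirts' => 'Shirts', 'pants' => 'Pants', 'gear' => 'Gear',
    'tshirts' => 'T-Shirts', 'faces' => 'Faces', 'torso' => 'Torso', 'heads' => 'Heads',
    'leftleg' => 'Left Leg', 'leftarm' => 'Left Arm', 'rightleg' => 'Right Leg', 'rightarm' => 'Right Arm',
];
$title = $titles[$type] ?? '';
if ($title === '') die("error");
// … unchanged: page/offset handling, queries and rendering …
```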


@ -0,0 +1,27 @@
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
if ($GLOBALS['loggedIn'] == false) {
exit;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/libs/google/GoogleAuthenticator.php';
if ($GLOBALS['userTable']['2faEnabled'] == 0 and $GLOBALS['userTable']['2faInit'] == 0) {
echo '<p>Click the button below to activate two step authentication. You will be asked to test your key before it will be fully enabled.<p>
<button id="enableTwo" class="btn btn-success">Enable Two Step Authentication</button>';
}else{
$gAuth = new GoogleAuthenticator();
if ($GLOBALS['userTable']['2faEnabled'] == 0 and $GLOBALS['userTable']['2faInit'] == 1) {
echo '<p>Your secret key is <code>'.$GLOBALS['userTable']['authKey'].'</code></p>';
echo '<p>You can also use the QR code to add your secret key automatically.</p>';
echo '<img src="'.$gAuth->getURL($GLOBALS['userTable']['username'], 'xdiscuss.net', $GLOBALS['userTable']['authKey']).'"><br><br>';
echo '<p>Because you have not yet verified if this works, you will not be asked for a code the next time you login. Please finish the setup.</p>';
echo '<input type="text" id="finalCode" class="form-control" placeholder="Enter your verification code you have generated here"></input>';
echo '<button id="enableTwoFinal" onclick="enableTwoFinal()" class="btn btn-primary fullWidth">Finish Two Step Authentication Setup</button>';
}else{
echo '<p>Your secret key is <code>'.$GLOBALS['userTable']['authKey'].'</code></p>';
echo '<p>You can also use the QR code to add your secret key automatically.</p>';
echo '<img src="'.$gAuth->getURL($GLOBALS['userTable']['username'], 'xdiscuss.net', $GLOBALS['userTable']['authKey']).'"><br>';
echo '<button id="disableTwo" onclick="disableFactor()" class="btn btn-danger">Disable Two Step Authentication</button>';
}
}
?>
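Review bot: The TOTP secret is rendered in clear (`<code>...authKey...</code>`) and as a QR code on every visit, even in the branch where 2FA is already enabled, so anyone who can view the settings page with a live session can copy the secret and keep generating valid codes; show the secret only during enrollment (the `2faInit == 1` branch) and offer a regenerate action afterwards instead. If `$gAuth->getURL()` builds a third-party chart URL from the secret — I cannot tell from this file — the secret also leaves the site in the browser's request to that host; rendering the QR server-side avoids that.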


@ -0,0 +1,77 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['newEmail']) and isset($_POST['currentPassword'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$newEmail = $_POST['newEmail'];
$currentPassword = $_POST['currentPassword'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
if (strlen($newEmail) == 0 or strlen($currentPassword) == 0) {
echo 'missing-info';
exit;
}
$auth_hash = crypt($currentPassword, $GLOBALS['userTable']['password_salt']);
if ($auth_hash != $GLOBALS['userTable']['password_hash']) {
echo 'wrong-password';
exit;
}
$from_time = strtotime($GLOBALS['userTable']['emailcodeTime']);
$to_time = strtotime(context::getCurrentTime());
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince < 5) die("rate-limit");
// Email domain whitelist, to stop disposable and fake emails.
$good_emails = array('@outlook', '@protonmail.com', '@xdiscuss.net', '@roblox.com', '@icloud.com', '@protonmail.ch', '@google.com',
"@yahoo.com.br", "@hotmail.com.br", "@outlook.com.br", "@uol.com.br", "@bol.com.br", "@terra.com.br", "@ig.com.br", "@itelefonica.com.br", "@r7.com", "@zipmail.com.br", "@globo.com", "@globomail.com", "@oi.com.br",
"@yahoo.com.mx", "@live.com.mx", "@hotmail.es", "@hotmail.com.mx", "@prodigy.net.mx",
"@hotmail.com.ar", "@live.com.ar", "@yahoo.com.ar", "@fibertel.com.ar", "@speedy.com.ar", "@arnet.com.ar",
"@hotmail.be", "@live.be", "@skynet.be", "@voo.be", "@tvcablenet.be", "@telenet.be",
"@mail.ru", "@rambler.ru", "@yandex.ru", "@ya.ru", "@list.ru",
"@gmx.de", "@hotmail.de", "@live.de", "@online.de", "@t-online.de", "@web.de", "@yahoo.de",
"@hotmail.fr", "@live.fr", "@laposte.net", "@yahoo.fr", "@wanadoo.fr", "@orange.fr", "@gmx.fr", "@sfr.fr", "@neuf.fr", "@free.fr",
"@sina.com", "@qq.com", "@naver.com", "@hanmail.net", "@daum.net", "@nate.com", "@yahoo.co.jp", "@yahoo.co.kr", "@yahoo.co.id", "@yahoo.co.in", "@yahoo.com.sg", "@yahoo.com.ph",
"@btinternet.com", "@virginmedia.com", "@blueyonder.co.uk", "@freeserve.co.uk", "@live.co.uk",
"@ntlworld.com", "@o2.co.uk", "@orange.net", "@sky.com", "@talktalk.co.uk", "@tiscali.co.uk",
"@virgin.net", "@wanadoo.co.uk", "@bt.com", "@bellsouth.net", "@charter.net", "@cox.net", "@earthlink.net", "@juno.com",
"@email.com", "@games.com", "@gmx.net", "@hush.com", "@hushmail.com", "@icloud.com", "@inbox.com",
"@lavabit.com", "@love.com", "@outlook.com", "@pobox.com", "@rocketmail.com",
"@safe-mail.net", "@wow.com", "@ygm.com", "@ymail.com", "@zoho.com", "@fastmail.fm",
"@yandex.com","@iname.com", "@aol.com", "@att.net", "@comcast.net", "@facebook.com", "@gmail.com", "@gmx.com", "@googlemail.com",
"@google.com", "@hotmail.com", "@hotmail.co.uk", "@mac.com", "@me.com", "@mail.com", "@msn.com",
"@live.com", "@sbcglobal.net", "@verizon.net", "@yahoo.com", "@yahoo.co.uk"
);
if (!context::contains(strtolower($newEmail), $good_emails)) die("unknown-email");
$stmt = $dbcon->prepare("SELECT email FROM users WHERE email = :email;");
$stmt->bindParam(':email', $newEmail, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount() > 0) die("email-in-use");
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET email = :email WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':email', $newEmail, PDO::PARAM_STR);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET lastUpload = NOW() WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET emailverified = 0 WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET emailcodeTime = NULL WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
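Review bot: `$newEmail` is never checked for being a syntactically valid address before the domain list is consulted; if `context::contains()` is a substring test, any string that merely contains `@gmail.com` somewhere passes, whether or not it is an address. Validate first, then compare the domain suffix: `if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) die("unknown-email");` and test each entry with `str_ends_with(strtolower($newEmail), $suffix)`. The password check `$auth_hash != $GLOBALS['userTable']['password_hash']` should be `!hash_equals($GLOBALS['userTable']['password_hash'], $auth_hash)`. The four UPDATEs on the same row can be one statement — `UPDATE users SET email = :email, lastUpload = NOW(), emailverified = 0, emailcodeTime = NULL WHERE id = :id` — which also removes the window in which the address is changed but `emailverified` is still 1.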


@ -0,0 +1,76 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['newPassword1']) and isset($_POST['newPassword2']) and isset($_POST['currentPassword'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$newPassword1 = $_POST['newPassword1'];
$newPassword2 = $_POST['newPassword2'];
$currentPassword = $_POST['currentPassword'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
if (strlen($newPassword1) == 0 or strlen($newPassword2) == 0 or strlen($currentPassword) == 0) {
echo 'missing-info';
exit;
}
if ($newPassword1 != $newPassword2) {
echo 'confirm-failed';
exit;
}
if (strlen($newPassword1) < 6) {
echo 'password-too-short';
exit;
}
if (strlen($newPassword1) > 40) {
echo 'password-too-long';
exit;
}
$auth_hash = crypt($currentPassword, $GLOBALS['userTable']['password_salt']);
if ($auth_hash != $GLOBALS['userTable']['password_hash']) {
echo 'wrong-password';
exit;
}
$salt = '$2a$07$'.uniqid(mt_rand(), true).'$';
$hash = crypt($newPassword1, $salt);
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET password_salt = :salt WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':salt', $salt, PDO::PARAM_STR);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET password_hash = :hash WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':hash', $hash, PDO::PARAM_STR);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET passwordVersion = 2 WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET password = NULL WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET passwordChangeIP = :ip WHERE id = :id;");
$IP = auth::getIP();
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET passwordChangeDate = NOW() WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("DELETE FROM sessions WHERE userId = :userId");
$stmt->bindParam(':userId', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
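Review bot: The new salt is built from `uniqid(mt_rand(), true)`, neither of which is a cryptographic random source, with bcrypt cost `07`, and the current-password check is a loose `!=` on the two hashes. `password_hash()`/`password_verify()` handle salt generation, a sensible cost and constant-time comparison: `$hash = password_hash($newPassword1, PASSWORD_BCRYPT);` on write and `password_verify($currentPassword, $GLOBALS['userTable']['password_hash'])` on check (existing `crypt()`-format rows remain verifiable, and `passwordVersion` already exists to track the format). `DELETE FROM sessions WHERE userId = :userId` also deletes the session that made this request, so the user is logged out by their own password change; if that is intended, document it, otherwise add `AND id != :currentSession` with `$GLOBALS['sessionTable']['id']`. The six UPDATEs on one row should be a single statement inside a transaction so a failure midway cannot leave a new salt paired with the old hash.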


@ -0,0 +1,34 @@
<?php
if (isset($_POST['csrf'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
if ($GLOBALS['userTable']['2faInit'] == 0 and $GLOBALS['userTable']['2faEnabled'] == 0) {
echo 'error';
exit;
}else{
if ($GLOBALS['userTable']['rank'] == 0) {
$query = "UPDATE `users` SET `2faEnabled`=0 WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$query = "UPDATE `users` SET `2faInit`=0 WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'staff-block';
exit;
}
}
}else{
echo 'error';
}
?>
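Review bot: Disabling two-step authentication requires only a valid CSRF token and a logged-in session — no current password and no TOTP code — so whoever holds a live session can silently remove the second factor. Re-authenticate here the way the email and password handlers do (the `crypt()` check on a `currentPassword` field, or `$gAuth->checkCode()` on a fresh code) before the UPDATEs, and write the two column resets as one statement: `UPDATE users SET 2faEnabled = 0, 2faInit = 0 WHERE id = :id`. The `staff-block` branch means staff with a half-initialised setup (`2faInit = 1`, `2faEnabled = 0`) cannot reset it either; worth a comment if that is intended.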


@ -0,0 +1,33 @@
<?php
if (isset($_POST['csrf'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
if ($GLOBALS['userTable']['2faInit'] == 1 or $GLOBALS['userTable']['2faEnabled'] == 1) {
echo 'error';
exit;
}else{
$query = "UPDATE `users` SET `2faInit`=1 WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/libs/google/GoogleAuthenticator.php';
$gAuth = new GoogleAuthenticator();
$code = $gAuth->generateSecret();
$query = "UPDATE users SET `authKey`=:code WHERE `id`=:uid;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':code', $code, PDO::PARAM_STR);
$stmt->bindParam(':uid', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
}
echo 'success';
}else{
echo 'error';
}
?>
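Review bot: `2faInit` is set to 1 before the secret is generated and stored, so a failure in `generateSecret()` or the second UPDATE leaves the account flagged as initialised with no `authKey`, and the settings view then prints an empty secret. Store the key and flip the flag in one statement after the secret exists: `UPDATE users SET 2faInit = 1, authKey = :code WHERE id = :uid`. Whether `GoogleAuthenticator::generateSecret()` draws from a cryptographically secure source is not visible from this file and is worth confirming, since the secret's strength is the whole second factor.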


@ -0,0 +1,47 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['finalCode'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$finalCode = $_POST['finalCode'];
$finalCode = str_replace(" ", "", $finalCode);
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) {
echo 'error';
exit;
}
if (strlen($finalCode) == 0) {
echo 'missing-info';
exit;
}
if ($GLOBALS['userTable']['2faInit'] == 0 or $GLOBALS['userTable']['2faEnabled'] == 1) {
echo 'error';
exit;
}else{
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/libs/google/GoogleAuthenticator.php';
$gAuth = new GoogleAuthenticator();
if (!$gAuth->checkCode($GLOBALS['userTable']['authKey'], $finalCode)) {
echo 'wrong-code';
exit;
}
$query = "UPDATE `users` SET `2faInit`=1 WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$query = "UPDATE `users` SET `2faEnabled`=1 WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$query = "UPDATE `sessions` SET `factorFinish`=1 WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['sessionTable']['id'], PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}
}else{
echo 'error';
}
?>
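Review bot: The UPDATE setting `2faInit=1` is a no-op, because the guard above already exits unless `2faInit` is 1; drop it, or fold the flag into the `2faEnabled` statement as `UPDATE users SET 2faEnabled = 1 WHERE id = :id AND 2faInit = 1`. There is no attempt limiting around `checkCode()`, so repeated `wrong-code` submissions in this handler should be throttled the way posting is (a `lastPost`-style timestamp) and logged. An accepted code is also not remembered, so the same code can be resubmitted within its validity window; if the library exposes the matched time slice, persist it and reject it on reuse.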


@ -0,0 +1,40 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['aboutContent'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$aboutContent = $_POST['aboutContent'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) die("error");
if (strlen($aboutContent) > 256) die("error");
// Apparently, we'll need filters here too since users can't just shut their mouths.
$badwords = array("fucking", "gay", "rape", "incest", "beastiality", "cum", "maggot", "bullshit", "fuck", "penis",
"dick", "vagina", "vag", "faggot", "fag", "nigger", "asshole", "shit", "bitch", "anal", "stfu",
"cunt", "pussy", "hump", "meatspin", "redtube", "porn", "kys", "xvideos", "hentai", "gangbang", "milf",
"n*", "nobelium", "whore", "wtf", "horny", "raping", "s3x", "boob", "nigga", "nlgga", "gt2008",
"cock", "dicc", "idiot", "nibba", "nibber", "nude", "kesner", "brickopolis", "nobe", "diemauer");
$badwords2 = array("sex", "porn");
$contentCheck = preg_replace('!\s+!', ' ', $aboutContent);
$contentCheck = strip_tags($contentCheck);
$contentCheck = preg_replace("/&#?[a-z0-9]+;/i","", $contentCheck);
$contentCheck = preg_replace('!\s+!', ' ', $contentCheck);
$contentCheck = strtolower(preg_replace('|[[\/\!]*?[^\[\]]*?]|si', '', $contentCheck));
$contentCheck = preg_replace('/\s+/', '', $contentCheck);
if (context::contains($contentCheck, $badwords2)) die("filtered");
// Check without special characters removed
if (context::contains($contentCheck, $badwords)) die("filtered");
if(!preg_match("/^[\w*?!\/@',#$%\"'_.=\[\]\^&*\(\)\r\n -]+$/", $aboutContent) == 1 && strlen($aboutContent) != 0) die("filtered");
$query = "UPDATE `users` SET `about`=:about WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':about', $aboutContent, PDO::PARAM_STR);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
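Review bot: `strlen($aboutContent) > 256` counts bytes, so a 256-character non-ASCII bio is rejected; use `mb_strlen()`. The allow-list regex runs without the `u` modifier and `\w` is ASCII-only there, so any non-Latin text is refused as `filtered` — if that is intended, say so in a comment, otherwise add `u` and `\p{L}\p{N}`. The word filter is a substring test on text with all whitespace removed, so ordinary words that contain a listed token (`document`, `analysis`, `circumstance`) are rejected; matching on word boundaries keeps the list but avoids those false positives. `!preg_match(...) == 1` is correct only because `!` binds tighter than `==`; write it as `preg_match(...) !== 1` so the intent is visible.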


@ -0,0 +1,19 @@
<?php
if (isset($_POST['csrf']) and isset($_POST['theme'])) {
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$csrf = $_POST['csrf'];
$theme = $_POST['theme'];
if ($csrf != $GLOBALS['csrf_token'] or $GLOBALS['loggedIn'] == false) die("error");
if ($theme != 0 && $theme != 1) die("error");
$query = "UPDATE `users` SET `themeChoice`=:theme WHERE `id`=:id;";
$stmt = $GLOBALS['dbcon']->prepare($query);
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->bindParam(':theme', $theme, PDO::PARAM_INT);
$stmt->execute();
echo 'success';
}else{
echo 'error';
}
?>
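Review bot: `$theme != 0 && $theme != 1` is a loose comparison, so strings such as `'0.0'`, `' 1'` or `'1e0'` pass and are then bound as `PDO::PARAM_INT`; validate strictly and bind an integer: `if (!in_array($theme, ['0', '1'], true)) die("error"); $theme = (int) $theme;`. A comment naming what 0 and 1 mean for `themeChoice` would help the next reader.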


@ -0,0 +1,36 @@
<div class="panel panel-primary">
<div class="panel-heading" id="count"><span class="fa fa-user"></span> Users currently online</div>
<div class="panel-body">
<?php
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$currentTime = date('Y-m-d H:i:s');
$to_time = strtotime($currentTime);
$stmt = $GLOBALS['dbcon']->prepare("SELECT lastSeen, id, username, inGame, rank FROM users WHERE banned = 0 AND hideStatus = 0 ORDER BY id ASC;");
$stmt->execute();
$count = 0;
foreach($stmt as $result) {
$from_time = strtotime($result['lastSeen']);
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince < 5){
$count++;
if ($result['inGame'] == 1) {
if ($result['rank'] == 0) {
echo '<a style="color:inherit;color:#e601ff;text-decoration: none;" href="/user/profile/'.$result['username'].'">'.$result['username'].' </a>';
}else{
echo '<b><a style="color:inherit;color:#e601ff;text-decoration: none;" href="/user/profile/'.$result['username'].'">'.$result['username'].' </a></b>';
}
}elseif ($result['rank'] > 0) {
echo '<b><a style="color:inherit;text-decoration: none;" href="/user/profile/'.$result['username'].'">'.$result['username'].' </a></b>';
}else{
echo '<a style="color:inherit;text-decoration: none;" href="/user/profile/'.$result['username'].'">'.$result['username'].' </a>';
}
}
}
if ($count == 0) {
echo '<font color="grey">There are no users online at this moment.</font>';
}
echo '<script>$("#count").html("<span class=\"fa fa-user\"></span> Users currently online ('.$count.')");</script>';
?>
</div>
</div>
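Review bot: The query loads every non-banned, non-hidden user and applies the five-minute window in PHP, which scans the whole `users` table on every refresh of this widget; push the condition into SQL — `... WHERE banned = 0 AND hideStatus = 0 AND lastSeen >= NOW() - INTERVAL 5 MINUTE ORDER BY id ASC;` — so only online rows are fetched and `$to_time`/`$from_time` go away. Usernames are written into hrefs and text unescaped, which is safe only if registration restricts them; otherwise wrap them in `context::secureString()`. `$count` is also injected into an inline `<script>` string; `(int) $count` makes that explicit.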


@ -0,0 +1,60 @@
<?php
if (isset($_GET['term'])) {
$searchTerm = $_GET['term'];
}else{
exit;
}
if (isset($_GET['page'])) {
$page = $_GET['page'];
if (is_numeric($page) == false) exit;
if (is_array($page)) {
exit;
}
$offset = $page*12;
}else{
$page = 0;
$offset = 0;
}
include_once $_SERVER['DOCUMENT_ROOT'].'/core/func/includes.php';
$searchTermSQL = '%'.$searchTerm.'%';
if (strlen($searchTerm) == 0) {
$stmt = $dbcon->prepare("SELECT * FROM users WHERE username LIKE :term AND banned = 0 ORDER BY lastSeen DESC LIMIT 11 OFFSET :offset;");
}else{
$stmt = $dbcon->prepare("SELECT * FROM users WHERE username LIKE :term AND banned = 0 ORDER BY username ASC LIMIT 11 OFFSET :offset;");
}
$stmt->bindParam(':term', $searchTermSQL, PDO::PARAM_STR);
$stmt->bindParam(':offset', $offset, PDO::PARAM_INT);
$stmt->execute();
if ($stmt->rowCount() == 0) {
echo '<div class="well profileCard">Nothing found.</div>';
}
$count = 0;
foreach($stmt as $result) {
$count++;
if ($count < 11) {
echo '<div class="well profileCard">';
echo '<div class="row">';
echo '<div class="col-xs-3">';
echo '<a href="/user/profile/'.$result['username'].'"><img height="150" width="150" src="'.context::getUserImage($result).'"></a>';
echo '</div>';
echo '<div class="col-xs-9">';
if ($result['lastSeen'] == NULL) {
$lastSeen = "Never";
}else{
$lastSeen = date('M j Y g:i A', strtotime($result['lastSeen']));
}
if ($result['about'] == NULL) {
$about = "<i>This user has not configured anything to display here</i>";
}else{
$about = '<span style="word-wrap:break-word;">'.context::secureString($result['about']).'</span>';
}
echo '<h4>'.context::getOnline($result).' <a href="/user/profile/'.$result['username'].'">'.$result['username'].'</h4></a><b>Last seen:</b> '.$lastSeen.'<br><b style="display:inline">About: </b><p style="display:inline">'.$about.'</p>';
echo '</div></div></div>';
}
}
if ($count > 10) {
echo '<button class="btn btn-primary fullWidth searchUser" onclick="loadMore('.($page+1).', \''.context::secureString($searchTerm).'\');">Load More</button>';
}
?>
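Review bot: `SELECT *` pulls the whole user row — including, judging from the other handlers in this commit, `password_hash`, `password_salt`, `authKey` and `email` — into a public search endpoint, only to read `username`, `lastSeen`, `about` and whatever `context::getUserImage()` needs; select those columns explicitly so a future template change cannot expose the rest. The term is interpolated into the LIKE pattern without escaping `%` and `_`; if literal matching is intended, use `addcslashes($searchTerm, '%_\\')` when building `$searchTermSQL`. The offset/limit mismatch noted on the groups search applies here too (`$page*12` while only 10 rows are shown).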

core/func/auth/main.php Normal file
View File

@ -0,0 +1,11 @@
<?php
// This file contains all code for authentication such as getting an IP.
class auth {
public static function getIP() {
if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
}
return $_SERVER['REMOTE_ADDR'];
}
}
?>
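Review bot: `getIP()` trusts `HTTP_CF_CONNECTING_IP` unconditionally, so any client that reaches the origin without passing through Cloudflare can set that header to an arbitrary string; in this same commit the value is written to `users.lastIP` and used to derive the anonymous CSRF token, so it should only be honoured when `$_SERVER['REMOTE_ADDR']` is itself one of Cloudflare's published edge addresses (kept in configuration) and the header value passes `filter_var($ip, FILTER_VALIDATE_IP)`. Overwriting `$_SERVER['REMOTE_ADDR']` is also a hidden global side effect that erases the real peer address for any later logging or rate limiting; return the resolved value instead of mutating the superglobal, e.g. `return (isset($_SERVER['HTTP_CF_CONNECTING_IP']) && <trusted-proxy check placeholder>) ? $_SERVER['HTTP_CF_CONNECTING_IP'] : $_SERVER['REMOTE_ADDR'];`. A one-line docblock saying that the return value is client-controlled unless the proxy check holds would help callers treat it accordingly.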


@ -0,0 +1,118 @@
<?php
$GLOBALS['loggedIn'] = false;
$GLOBALS['csrf_token'] = null;
if (isset($_COOKIE['auth_uid']) && isset($_COOKIE['a_id'])) {
$stmt = $GLOBALS['dbcon']->prepare('SELECT lastUsed, id, csrfToken, factorFinish, location, userId, useragent FROM sessions WHERE userId = :userId AND sessionId = :sessionId LIMIT 1;');
$stmt->bindParam(':userId', $_COOKIE['auth_uid'], PDO::PARAM_INT);
$stmt->bindParam(':sessionId', $_COOKIE['a_id'], PDO::PARAM_STR);
$stmt->execute();
$resultSession = $stmt->fetch(PDO::FETCH_ASSOC);
$removeSession = false;
$sesexpired = false;
if ($stmt->rowCount() > 0) {
$from_time = strtotime($resultSession['lastUsed']);
$sessionId = $resultSession['id'];
$to_time = strtotime(context::getCurrentTime());
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 1440 || $removeSession == true) {
$sesexpired = true;
$stmt = $GLOBALS['dbcon']->prepare('DELETE FROM sessions WHERE id=:id;');
$stmt->bindParam(':id', $sessionId, PDO::PARAM_INT);
$stmt->execute();
}
}
if ($stmt->rowCount() > 0 && $sesexpired == false) {
$GLOBALS['loggedIn'] = true;
$query = "SELECT * FROM users WHERE id = :id LIMIT 1;";
$stmt = $dbcon->prepare($query);
$stmt->bindParam(':id', $_COOKIE['auth_uid'], PDO::PARAM_STR);
$stmt->execute();
$GLOBALS['userTable'] = $stmt->fetch(PDO::FETCH_ASSOC);
$GLOBALS['sessionTable'] = $resultSession;
$GLOBALS['csrf_token'] = $resultSession['csrfToken'];
$IP = auth::getIP();
if ($GLOBALS['userTable']['lastIP'] != $IP) {
$stmt = $dbcon->prepare("UPDATE users SET lastIP = :ip WHERE username = :user;");
$stmt->bindParam(':user', $GLOBALS['userTable']['username'], PDO::PARAM_STR);
$stmt->bindParam(':ip', $IP, PDO::PARAM_STR);
$stmt->execute();
}
if ($GLOBALS['userTable']['banned'] == 1 && strpos($_SERVER['SCRIPT_NAME'], "banned.php") == false) {
if (!isset($GLOBALS['bypassRedirect'])) {
header("Location: /account/suspended");
exit;
}
}
if (security::getUserEmailVerified() == false && $GLOBALS['userTable']['banned'] == 0) {
$timeSince = round(abs(strtotime(context::getCurrentTime()) - strtotime($GLOBALS['userTable']['emailcodeTime'])) / 60,2);
if ($timeSince > 15) {
security::sendEmailVerificationMessage();
}
if (strpos($_SERVER['SCRIPT_NAME'], "verifyEmail.php") == false) {
if (!isset($GLOBALS['bypassRedirect'])) {
header("Location: /account/verification/email");
exit;
}
}
}
if ($GLOBALS['sessionTable']['factorFinish'] == 0 && $GLOBALS['userTable']['banned'] == 0 && $GLOBALS['userTable']['2faEnabled'] == 1 && security::getUserEmailVerified() == true && strpos($_SERVER['SCRIPT_NAME'], "twostepauth.php") == false) {
if (!isset($GLOBALS['bypassRedirect'])) {
header("Location: /account/verification/twostepauth");
exit;
}
}
$from_time = strtotime($GLOBALS['userTable']['lastAward']);
$to_time = strtotime(context::getCurrentTime());
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 1440) {
$newCoins = $GLOBALS['userTable']['coins']+15;
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET coins = :coins WHERE id = :user;");
$stmt->bindParam(':coins', $newCoins, PDO::PARAM_INT);
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET lastAward = NOW() WHERE id = :user;");
$stmt->bindParam(':user', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
}
$from_time = strtotime($GLOBALS['sessionTable']['lastUsed']);
$to_time = strtotime(context::getCurrentTime());
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 3) {
$stmt = $GLOBALS['dbcon']->prepare("UPDATE sessions SET lastUsed = NOW() WHERE id = :sid;");
$stmt->bindParam(':sid', $GLOBALS['sessionTable']['id'], PDO::PARAM_STR);
$stmt->execute();
}
$from_time = strtotime($GLOBALS['userTable']['lastSeen']);
$to_time = strtotime(context::getCurrentTime());
$timeSince = round(abs($to_time - $from_time) / 60,2);
if ($timeSince > 3) {
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET lastSeen = NOW() WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
}
if ($GLOBALS['userTable']['inGame'] == 1 and !isset($GLOBALS['ignoreGame'])) {
$stmt = $GLOBALS['dbcon']->prepare("UPDATE users SET inGame = 0 WHERE id = :id;");
$stmt->bindParam(':id', $GLOBALS['userTable']['id'], PDO::PARAM_INT);
$stmt->execute();
}
}
if ($GLOBALS['loggedIn'] == false) {
$GLOBALS['csrf_token'] = sha1(auth::getIP());
if (isset($_COOKIE['auth_uid']) || isset($_COOKIE['a_id'])) {
setcookie('auth_uid', "", time() - 3600);
setcookie('a_id', "", time() - 3600);
}
}
}
?>
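Review bot: The anonymous CSRF token set by `$GLOBALS['csrf_token'] = sha1(auth::getIP());` near the end of the block is fully determined by the client's IP address, so every visitor behind a shared NAT gets the same token and anyone who knows (or, through the `CF-Connecting-IP` header, chooses) that address can compute it, which leaves logged-out forms without real CSRF protection. It should be an unpredictable per-visitor value from `random_bytes()` that is persisted in a cookie or PHP session and compared with `hash_equals()` where it is verified; that verification is not in this diff, so whichever persistence is chosen must match it. The three `strpos($_SERVER['SCRIPT_NAME'], "...") == false` guards earlier in the block rely on loose comparison, and `$removeSession == true` can never be true because nothing assigns it; `str_contains()` (or `strpos(...) === false`) states the intent without the `0 == false` pitfall, and the dead flag can be dropped.
```php
// … unchanged: session lookup and logged-in handling …
if ($GLOBALS['loggedIn'] == false) {
    // Anonymous CSRF token: random and per-visitor, persisted in a cookie instead of being derived from the client IP.
    if (!isset($_COOKIE['csrf_anon']) || !preg_match('/^[a-f0-9]{64}$/', $_COOKIE['csrf_anon'])) {
        $anonToken = bin2hex(random_bytes(32));
        setcookie('csrf_anon', $anonToken, ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
        $_COOKIE['csrf_anon'] = $anonToken;
    }
    $GLOBALS['csrf_token'] = $_COOKIE['csrf_anon'];
    // … unchanged: clearing of stale auth_uid / a_id cookies …
}
```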
