Processing page

if($_SERVER["REQUEST_METHOD"] == "POST" && $_GET['direct'] == "login"){ //session hash required
//for reference, $_MONITORED is a sanitized session, and $_SPIN/$_DATA and $_FILTERED are sanitized post and get queries respectively


$mas1 = mysqli_query($db_main, "SELECT * FROM users WHERE username='$_DATA[usernorm]'"); //call it
$mas2 = mysqli_fetch_assoc($mas1);
foreach($mas2 as $keyn => $valuen){
$mn[$keyn] = $valuen;
}

$nick = hash('sha512',$mn['salt'] . $_SPIN['pwrdnorm']);
$gravy = substr($nick, 0, 40);  //make a nice meal

/*criteria to stop XSS and brute force attacks:
- Stop consequent logins at X
- filter characters

in this case I am going to have a reset of all login_attempt logs in the database each refresh after an hour from the last login attempt. I should probably set it to where you could only have one login attempt per hour on an account if you failed logging in more than 5 times within an hour. That's a little paranoid though
*/
 //reset login attempts

$difference = (time() - strtotime($mas2['login_att_last']));
$dialdown = round($difference / 3600);
if($difference >= 18000) {$dialdown = 0; }
mysqli_query($db_main, "UPDATE users SET login_attempts='$dialdown' WHERE username='$mas2[username]'");


if($mas2['login_attempts'] < 5){
if(compare_dz($gravy,$mn['password'])){ //successful log in
$_SESSION['login_q'] = $_SPIN['usernorm'];
$_SESSION['salt_q'] = $mn['password'];
$_SESSION['db_query'] = "user login";
setcookie("limbooo[0]", "k", time()+1);
/*  */ redir_process("Location: index.php?phase=2"); /*  */
}else{

if($mas1){ //login attempts for valid usernames
$mas3 = ($mas2['login_attempts'] == "0") ? "1" : $mas2['login_attempts']+1;
$mas4 = mysqli_real_escape_string($db_main, $mas3);

$ns = mysqli_query($db_main, "UPDATE users SET login_attempts=".$mas4.",login_att_last=now() WHERE username='$mas2[username]'"); // for some weird reason login_attempts is getting edited too

if(!$ns){
$_SESSION['que_em'] = mysqli_error($db_main);
}
$_SESSION['log_num'] = $mas3;
setcookie("inc_ombination", "Incorrect user/password combination", time()+1);
}

 $_SESSION['error' .rand(56,1515)] = extraurl();
}


}else{setcookie("inc_ombination", "This account is temporarily locked. Please wait no more than an hour to log in again.", time()+1);

/*  */ redir_process("Location: index.php"); /*  */
$_SESSION['error' .rand(56,1515)] = extraurl();      //Don't want to get it further than that. Such lazy
}

 mysqli_free_result($mas1);
}

if($_SERVER["REQUEST_METHOD"] == "POST" && $_GET['direct'] == "new_post"){ //actual posts

if(count($_SPIN) > 30){  $_SESSION['error' .rand(56,1515)] = "Nice try DDOS's at ".extraurl();
redir_process("Location:index.php");}   //counter against ddos's
foreach($_SPIN as $key => $value){             //check for all the snowglobes they want to post in
if(preg_match("#^sg[_]#",$key) && $_SPIN[$key] == "on"){  $matched[$key] = preg_replace("/^sg_([-_A-Za-z0-9]+)$/","$2",$key);
if(!isset($snowglobes)){$snowglobes = $matched[$key];}else{$snowglobes = $snowglobes . "," . $matched[$key];}}         }
//snowglobe settings are by default for each individual snowglobe's setting, snowglobe permissions are custom and set by its admin or moderators.
//has to be a valid post. At least one snowglobe, and not match the default text or be empty. If it's a reply, i'll set it accordingly
//access_type under snowglobe permissions will be matched with id under snowglobe settings
if(isset($snowglobes) || isset($_SPIN['parent_comment'])){  //check to see if it's either a new thread or a comment
// $pass_check = mysqli_query($db_main, "SELECT * FROM ")
$_SPIN['tcha1'] = isset($_SPIN['tcha1']) ? $_SPIN['tcha1'] : " ";
$thread_nick = mysqli_real_escape_string($db_main,strtolower(substr(preg_replace("#[^_A-Za-z 0-9-]#","",preg_replace("# #","_",$_SPIN['tcha1'])), 0, 50)));
$topic_hash = mysqli_real_escape_string($db_main,substr(sha1(microtime()),0,10));
$_SESSION['db_query'] = "posted content-anything";
 setcookie("limbooo[0]", "k", time()+1);
if(isset($snowglobes)){//if posting a new thread
//check sg_settings first
//for each one

foreach($matched as $key => $value){    $ze = preg_match("#^[-_A-Za-z0-9]{4,}$#",$value);

if($value == "1" || $ze === 1){

if($ze === 1){ //check for snowglobe permissions
$snowglobe_search = mysqli_query($db_main,"SELECT * FROM snowglobes WHERE sg_name='".hack_free($value)."'");
if(mysqli_num_rows($snowglobe_search) > 0){$sg_details = mysqli_fetch_assoc($snowglobe_search);
if($sg_details['sg_privacy'] == "private"){  //cross-reference to a snowglobe permission
$sg_perm_check = mysqli_query($db_main, "SELECT * FROM sg_permissions WHERE granted_by='".hack_free($value)."' AND towhom='$_MONITORED[login_q]' AND (snowglobe_access = 'root admin' OR snowglobe_access = 'normal snowglobe')");
if(mysqli_num_rows($sg_perm_check) == 0){redir_process("Location:index.php");}

}
}else{redir_process("Location:index.php");}
}


 //users posting into their own snowglobe

if((preg_match("#^(.){3,150}$#", $_SPIN['tcha1']) === 0) || strlen($_SPIN['tcha2']) > 65335 || ($_POST['tcha1'] == $nx['17']) || $_POST['tcha2'] == $nx['18']){ $_SESSION['error' .rand(56,1515)] = extraurl();/*  */ redir_process("Location:index.php"); /*  */  }


$post_submission = mysqli_query($db_main, "INSERT INTO posts(content,cnttype,forwhom,parent,postid,stamptime,bywhom,title,thread_nick,topic_hash) VALUES('$_DATA[tcha2]','1','self','0','0',CURRENT_TIMESTAMP,'$_MONITORED[login_q]','$_DATA[tcha1]','$thread_nick','$topic_hash')");      if($post_submission){

if(isset($_SPIN['poll_question'],$_SPIN['choice_addition'],$_SPIN['choice_selection'])){    //check if a poll was set
$topic_search = mysqli_query($db_main, "SELECT * FROM posts WHERE bywhom='$_MONITORED[login_q]' ORDER BY stamptime DESC LIMIT 0,2");
$search_dt = mysqli_fetch_assoc($topic_search);
mysqli_query($db_main, "INSERT INTO polls(post_id_root,value,define_set) VALUES($search_dt[postid],'$_DATA[poll_question]','question')");

mysqli_query($db_main, "INSERT into polls(post_id_root,value,define_set) VALUES($search_dt[postid],'$_DATA[choice_selection]','choice_selection');");

mysqli_query($db_main, "INSERT into polls(post_id_root,value,define_set) VALUES($search_dt[postid],'$_DATA[choice_addition]','choice_addition');");

foreach($_DATA as $key => $value){
if(preg_match("#^poll_choice([0-9]+)#",$key)){
mysqli_query($db_main,"INSERT INTO polls(post_id_root,value,define_set) VALUES($search_dt[postid],'$value','poll_choice')");
}}

}


         }else{    echo mysqli_error($db_main);  }
}

}

}

if(isset($_SPIN['parent_comment'])){
$tree_roots = mysqli_query($db_main, "SELECT * FROM posts WHERE postid='$_SPIN[parent_comment]'");
$piece = mysqli_fetch_assoc($tree_roots);      //get parent of post. Just to recheck, ya know. That's right! For the settings! My goodness I work like a turtle.
if($piece['settings'] > 4){  $_SESSION['error' .rand(56,1515)] = extraurl();mysqli_free_result($tree_roots);/*  */ redir_process("Location:index.php"); /*  */ }

$post_async = mysqli_query($db_main, "SELECT * FROM posts WHERE bywhom='$_MONITORED[login_q]' ORDER BY stamptime DESC LIMIT 0,10");
$async_dt = mysqli_fetch_assoc($post_async); //get latest post for whatever reference you must.


$post_nip = mysqli_query($db_main, "INSERT INTO posts(content,cnttype,forwhom,parent,postid,stamptime,bywhom,title,thread_nick,topic_hash,thread_id)
VALUES('$_SPIN[tcha2]','2','n-a','$piece[postid]','0',CURRENT_TIMESTAMP,'$_MONITORED[login_q]','$_SPIN[tcha1]','$thread_nick','$topic_hash','$_DATA[thread_id]');");
if($post_nip){mysqli_free_result($tree_roots);redir_process("Location:index.php?phase=2"); /*  */


}else{

echo mysqli_error($db_main);

}
}
 /*  */ redir_process("Location:index.php?phase=2"); /*  */
}else{                                 $_SESSION['error' .rand(56,1515)] = "Failed to recognize snowglobe/reply parent at ". extraurl();
 /*  */ redir_process("Location:index.php"); /*  */
}

}

}else{if(isset($_GET['verify']) && $_GET['verify'] !== $_SESSION['temp_n']){  $_SESSION['error' .rand(56,1515)] = "Failed session hash at ".extraurl();
 /*  */ redir_process("Location:index.php"); /*  */
}}