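if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_GET['direct']) && $_GET['direct'] == "login") { //session hash required
    // Login handler.
    // $_MONITORED / $_SPIN / $_DATA / $_FILTERED are described as "sanitized" copies of the session,
    // post and get arrays, but that sanitisation is not visible here, so nothing taken from them is
    // interpolated into SQL: every user-derived value is bound as a statement parameter.
    // The "session hash" mentioned above is presumably enforced by the enclosing block that starts
    // before this listing (its else-branch reports "Failed session hash") -- confirm.
    $usernorm = isset($_DATA['usernorm']) ? (string)$_DATA['usernorm'] : '';
    $pwrdnorm = isset($_SPIN['pwrdnorm']) ? (string)$_SPIN['pwrdnorm'] : '';

    // Account lookup. $mn is null when the username is unknown.
    // mysqli_stmt_get_result() needs the mysqlnd driver (the file uses procedural mysqli throughout).
    $mas1 = false;
    $mn = null;
    $lookup = mysqli_prepare($db_main, "SELECT * FROM users WHERE username=? LIMIT 1");
    if ($lookup) {
        mysqli_stmt_bind_param($lookup, "s", $usernorm);
        mysqli_stmt_execute($lookup);
        $mas1 = mysqli_stmt_get_result($lookup);
        if ($mas1) {
            $mn = mysqli_fetch_assoc($mas1);
        }
        mysqli_stmt_close($lookup);
    }

    // Stored scheme: the first 40 hex chars of sha512(salt . password). The digest is computed even
    // for an unknown username so response time does not reveal whether the account exists.
    // NOTE(review): a single fast hash is weak against offline cracking; migrating to
    // password_hash()/password_verify() needs a column change and is not done here.
    $salt = ($mn !== null && isset($mn['salt'])) ? $mn['salt'] : '';
    $nick = hash('sha512', $salt . $pwrdnorm);
    $gravy = substr($nick, 0, 40); //make a nice meal

    // Brute-force throttle: at most 5 failed attempts, and the counter expires one hour after the
    // last failure (matching the lock-out message below). The previous logic stored
    // round(hours since last attempt) as the counter and compared the stale pre-update value, which
    // unlocked a locked account on the second request.
    $attempts = ($mn !== null) ? (int)$mn['login_attempts'] : 0;
    $lastAttempt = ($mn !== null && !empty($mn['login_att_last'])) ? strtotime($mn['login_att_last']) : false;
    if ($mn !== null && $attempts > 0 && ($lastAttempt === false || (time() - $lastAttempt) >= 3600)) {
        $attempts = 0;
        $dbUser = $mn['username'];
        $reset = mysqli_prepare($db_main, "UPDATE users SET login_attempts=0 WHERE username=?");
        if ($reset) {
            mysqli_stmt_bind_param($reset, "s", $dbUser);
            mysqli_stmt_execute($reset);
            mysqli_stmt_close($reset);
        }
    }

    if ($attempts < 5) {
        // NOTE(review): compare_dz() is defined elsewhere; if it is not a constant-time comparison,
        // replace it with hash_equals($mn['password'], $gravy).
        if ($mn !== null && compare_dz($gravy, $mn['password'])) { //successful log in
            // New session id on privilege change, so a session id fixated before login is not kept.
            // Assumes session_start() already ran (this code writes $_SESSION).
            session_regenerate_id(true);
            $_SESSION['login_q'] = isset($_SPIN['usernorm']) ? $_SPIN['usernorm'] : $usernorm;
            // NOTE(review): this puts the password hash itself into the session; if other code uses
            // it as an auth token, a random per-login token would be safer.
            $_SESSION['salt_q'] = $mn['password'];
            $_SESSION['db_query'] = "user login";
            setcookie("limbooo[0]", "k", time()+1);
            /* */ redir_process("Location: index.php?phase=2"); /* */
        } else {
            $mas3 = $attempts + 1;
            if ($mn !== null) { //login attempts are only tracked for valid usernames
                $dbUser = $mn['username'];
                $ns = false;
                $bump = mysqli_prepare($db_main, "UPDATE users SET login_attempts=?, login_att_last=now() WHERE username=?");
                if ($bump) {
                    mysqli_stmt_bind_param($bump, "is", $mas3, $dbUser);
                    $ns = mysqli_stmt_execute($bump);
                    mysqli_stmt_close($bump);
                }
                if (!$ns) {
                    $_SESSION['que_em'] = mysqli_error($db_main);
                }
            }
            // Same message for an unknown user and a wrong password (no account enumeration).
            $_SESSION['log_num'] = $mas3;
            setcookie("inc_ombination", "Incorrect user/password combination", time()+1);
            $_SESSION['error' . rand(56, 1515)] = extraurl();
        }
    } else {
        setcookie("inc_ombination", "This account is temporarily locked. Please wait no more than an hour to log in again.", time()+1);
        /* */ redir_process("Location: index.php"); /* */
        $_SESSION['error' . rand(56, 1515)] = extraurl(); // only reached if redir_process() returns
    }
    if ($mas1) {
        mysqli_free_result($mas1);
    }
}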
- if($_SERVER["REQUEST_METHOD"] == "POST" && $_GET['direct'] == "new_post"){ //actual posts: new threads (sg_* checkboxes) and replies (parent_comment)
- // Writes rows to `posts` (and `polls`). $_SPIN/$_DATA are described earlier in the file as sanitized copies of the
- // request, but that sanitisation is not visible here; only thread_nick and topic_hash are escaped explicitly below.
- // NOTE(review): every redir_process() call in this handler is relied on to terminate the request. If it only
- // sends a Location header, the permission/validation failures below fall through into the INSERT statements.
- if(count($_SPIN) > 30){ $_SESSION['error' .rand(56,1515)] = "Nice try DDOS's at ".extraurl(); // caps the number of submitted fields (a form-size sanity check, not DoS protection)
- redir_process("Location:index.php");} //counter against ddos's
- foreach($_SPIN as $key => $value){ //collect every checked "sg_<name>" checkbox: the snowglobes to post into
- if(preg_match("#^sg[_]#",$key) && $_SPIN[$key] == "on"){ $matched[$key] = preg_replace("/^sg_([-_A-Za-z0-9]+)$/","$2",$key); // NOTE(review): the pattern has one capture group but the replacement is "$2", which preg_replace expands to an empty string -- so for every key that matches, $matched[$key] is "" and neither test on it below ($value == "1", the {4,} preg_match) can succeed; "$1" looks intended. Keys with other characters are returned unchanged.
- if(!isset($snowglobes)){$snowglobes = $matched[$key];}else{$snowglobes = $snowglobes . "," . $matched[$key];}} } // $snowglobes is a comma-joined list, but below it only serves as an "at least one checked" flag
- //snowglobe settings are by default for each individual snowglobe's setting, snowglobe permissions are custom and set by its admin or moderators.
- //has to be a valid post. At least one snowglobe, and not match the default text or be empty. If it's a reply, i'll set it accordingly
- //access_type under snowglobe permissions will be matched with id under snowglobe settings
- if(isset($snowglobes) || isset($_SPIN['parent_comment'])){ //either a new thread (at least one sg_* checked) or a reply (parent_comment given)
- // $pass_check = mysqli_query($db_main, "SELECT * FROM ")
- $_SPIN['tcha1'] = isset($_SPIN['tcha1']) ? $_SPIN['tcha1'] : " "; // tcha1 = title; defaulted to " " so the length check below fails instead of warning
- $thread_nick = mysqli_real_escape_string($db_main,strtolower(substr(preg_replace("#[^_A-Za-z 0-9-]#","",preg_replace("# #","_",$_SPIN['tcha1'])), 0, 50))); // URL-style slug: spaces to "_", strip all but [-_A-Za-z0-9], first 50 bytes, lower-cased, then escaped
- $topic_hash = mysqli_real_escape_string($db_main,substr(sha1(microtime()),0,10)); // 10 hex chars derived from the clock -- predictable, so not a secret and not guaranteed unique
- $_SESSION['db_query'] = "posted content-anything";
- setcookie("limbooo[0]", "k", time()+1);
- if(isset($snowglobes)){//new thread: validate each target snowglobe, then insert
- //check sg_settings first
- //for each one
- foreach($matched as $key => $value){ $ze = preg_match("#^[-_A-Za-z0-9]{4,}$#",$value); // $ze === 1 when the value is a plausible snowglobe name (4+ safe characters)
- if($value == "1" || $ze === 1){ // "1" is presumably the poster's own snowglobe (see the comment further down); otherwise a named one
- if($ze === 1){ //named snowglobe: it must exist, and if private the poster needs a matching sg_permissions row
- $snowglobe_search = mysqli_query($db_main,"SELECT * FROM snowglobes WHERE sg_name='".hack_free($value)."'"); // hack_free() is not visible in this listing; presumably an escaping helper -- confirm
- if(mysqli_num_rows($snowglobe_search) > 0){$sg_details = mysqli_fetch_assoc($snowglobe_search);
- if($sg_details['sg_privacy'] == "private"){ //cross-reference to a snowglobe permission
- $sg_perm_check = mysqli_query($db_main, "SELECT * FROM sg_permissions WHERE granted_by='".hack_free($value)."' AND towhom='$_MONITORED[login_q]' AND (snowglobe_access = 'root admin' OR snowglobe_access = 'normal snowglobe')"); // login_q is interpolated unescaped; it comes from the session, but bind it anyway
- if(mysqli_num_rows($sg_perm_check) == 0){redir_process("Location:index.php");} // no permission: relies on redir_process() not returning
- }
- }else{redir_process("Location:index.php");} // unknown snowglobe: same reliance on redir_process()
- }
- //users posting into their own snowglobe
- if((preg_match("#^(.){3,150}$#", $_SPIN['tcha1']) === 0) || strlen($_SPIN['tcha2']) > 65335 || ($_POST['tcha1'] == $nx['17']) || $_POST['tcha2'] == $nx['18']){ $_SESSION['error' .rand(56,1515)] = extraurl();/* */ redir_process("Location:index.php"); /* */ } // title 3-150 chars, body at most 65335 bytes, neither equal to the placeholder text ($nx['17'] / $nx['18'] are defined outside this listing). NOTE(review): mixes sanitized $_SPIN and raw $_POST for the same fields
- $post_submission = mysqli_query($db_main, "INSERT INTO posts(content,cnttype,forwhom,parent,postid,stamptime,bywhom,title,thread_nick,topic_hash) VALUES('$_DATA[tcha2]','1','self','0','0',CURRENT_TIMESTAMP,'$_MONITORED[login_q]','$_DATA[tcha1]','$thread_nick','$topic_hash')"); if($post_submission){ // NOTE(review): tcha1/tcha2 (and login_q) are interpolated straight into the SQL; only thread_nick/topic_hash were escaped -- use a prepared statement. Also, this INSERT runs once per checked snowglobe, yet no column records which snowglobe (forwhom is always 'self')
- if(isset($_SPIN['poll_question'],$_SPIN['choice_addition'],$_SPIN['choice_selection'])){ //a poll was attached to the new thread
- $topic_search = mysqli_query($db_main, "SELECT * FROM posts WHERE bywhom='$_MONITORED[login_q]' ORDER BY stamptime DESC LIMIT 0,2"); // NOTE(review): finds the row just inserted as "newest post by this user", which races with a concurrent post by the same user; mysqli_insert_id($db_main) is the reliable handle
- $search_dt = mysqli_fetch_assoc($topic_search);
- mysqli_query($db_main, "INSERT INTO polls(post_id_root,value,define_set) VALUES($search_dt[postid],'$_DATA[poll_question]','question')"); // poll_question / choice_* are interpolated unescaped and postid is unquoted -- bind them
- mysqli_query($db_main, "INSERT into polls(post_id_root,value,define_set) VALUES($search_dt[postid],'$_DATA[choice_selection]','choice_selection');");
- mysqli_query($db_main, "INSERT into polls(post_id_root,value,define_set) VALUES($search_dt[postid],'$_DATA[choice_addition]','choice_addition');");
- foreach($_DATA as $key => $value){ // one row per poll_choice<N> field; the value is interpolated unescaped as well
- if(preg_match("#^poll_choice([0-9]+)#",$key)){
- mysqli_query($db_main,"INSERT INTO polls(post_id_root,value,define_set) VALUES($search_dt[postid],'$value','poll_choice')");
- }}
- }
- }else{ echo mysqli_error($db_main); } // NOTE(review): echoes the raw MySQL error to the client; log it server-side instead
- }
- }
- }
- if(isset($_SPIN['parent_comment'])){ //reply to an existing post
- $tree_roots = mysqli_query($db_main, "SELECT * FROM posts WHERE postid='$_SPIN[parent_comment]'"); // parent_comment is interpolated unescaped -- bind it
- $piece = mysqli_fetch_assoc($tree_roots); //parent row; only its settings and postid are used below (null/false if the parent does not exist)
- if($piece['settings'] > 4){ $_SESSION['error' .rand(56,1515)] = extraurl();mysqli_free_result($tree_roots);/* */ redir_process("Location:index.php"); /* */ } // replies are refused when the parent's settings value exceeds 4 (meaning of the scale not visible here); relies on redir_process() not returning
- $post_async = mysqli_query($db_main, "SELECT * FROM posts WHERE bywhom='$_MONITORED[login_q]' ORDER BY stamptime DESC LIMIT 0,10"); // NOTE(review): dead query -- $async_dt below is never used
- $async_dt = mysqli_fetch_assoc($post_async); //get latest post for whatever reference you must.
- $post_nip = mysqli_query($db_main, "INSERT INTO posts(content,cnttype,forwhom,parent,postid,stamptime,bywhom,title,thread_nick,topic_hash,thread_id)
- VALUES('$_SPIN[tcha2]','2','n-a','$piece[postid]','0',CURRENT_TIMESTAMP,'$_MONITORED[login_q]','$_SPIN[tcha1]','$thread_nick','$topic_hash','$_DATA[thread_id]');"); // NOTE(review): tcha1/tcha2 are interpolated unescaped, and thread_id is taken from the client ($_DATA) without being checked against the parent row $piece -- derive it from $piece and bind every value
- if($post_nip){mysqli_free_result($tree_roots);redir_process("Location:index.php?phase=2"); /* */
- }else{
- echo mysqli_error($db_main); // NOTE(review): raw DB error leaked to the client
- }
- }
- /* */ redir_process("Location:index.php?phase=2"); /* */ // reached for new threads, and for replies whose INSERT failed
- }else{ $_SESSION['error' .rand(56,1515)] = "Failed to recognize snowglobe/reply parent at ". extraurl(); // neither an sg_* checkbox nor parent_comment was submitted
- /* */ redir_process("Location:index.php"); /* */
- }
- }
- }else{if(isset($_GET['verify']) && $_GET['verify'] !== $_SESSION['temp_n']){ $_SESSION['error' .rand(56,1515)] = "Failed session hash at ".extraurl();
- /* */ redir_process("Location:index.php"); /* */
- }}