  1. <?php
  2. session_start();
  3.  
  4. if(!isset($_SESSION['admin_id']))
  5. exit -1;
  6.  
  7. require(dirname(__FILE__) . '/connect.php');
  8. require(dirname(__FILE__) . '/functions.php');
  9.  
  10.  
  11. // ---------------- SELECT ----------------
  12. if(isset($_GET['select'])){
  13.  
  14. // Select the users
  15. if($_GET['select'] == "user"){
  16. $req = $bdd->prepare('SELECT * FROM user');
  17. $req->execute();
  18.  
  19. if($data = $req->fetch()) {
  20. do {
  21. $list[] = array("user_id" => $data['user_id'],
  22. "user_pass" => $data['user_pass'],
  23. "user_mail" => $data['user_mail'],
  24. "user_phone" => $data['user_phone'],
  25. "user_online" => $data['user_online'],
  26. "user_enable" => $data['user_enable'],
  27. "user_start_date" => $data['user_start_date'],
  28. "user_end_date" => $data['user_end_date']);
  29. } while($data = $req->fetch());
  30.  
  31. echo json_encode($list);
  32. }
  33. // If it is an empty answer, we need to encore an empty json object
  34. else{
  35. $list = array();
  36. echo json_encode($list);
  37. }
  38. }
  39.  
  40. // Select the logs
  41. else if($_GET['select'] == "log" && isset($_GET['offset'], $_GET['limit'])){
  42. $offset = intval($_GET['offset']);
  43. $limit = intval($_GET['limit']);
  44.  
  45. // Creation of the LIMIT for build different pages
  46. $page = "LIMIT $offset, $limit";
  47.  
  48. // ... filtering by the bootstrap table plugin
  49. $filter = isset($_GET['filter']) ? json_decode($_GET['filter'],true) : []; // this is passed by the bootstrap table filter plugin (if a filter was chosen by the user): these are the concrete set filters with their value
  50. $where = !empty($filter)?'WHERE TRUE':'';
  51. $allowed_query_filters = ['user_id', 'log_trusted_ip','log_trusted_port','log_remote_ip','log_remote_port']; // these are valid filters that could be used (defined here for sql security reason)
  52. $query_filters_existing = [];
  53. foreach($filter as $unsanitized_filter_key => $unsanitized_filter_val) {
  54. if(in_array($unsanitized_filter_key, $allowed_query_filters)) { // if this condition does not match: ignore it, because this parameter should not be passed
  55. // if $unsanitized_filter_key is in array $allowed_query_filters its a valid key and can not be harmful, so it can be considered sanitized
  56. $where .= " AND $unsanitized_filter_key = ?";
  57. $query_filters_existing[] = $unsanitized_filter_key;
  58. }
  59. }
  60.  
  61. // Select the logs
  62. $req_string = "SELECT *, (SELECT COUNT(*) FROM log $where) AS nb FROM log $where ORDER BY log_id DESC $page";
  63. $req = $bdd->prepare($req_string);
  64.  
  65. // dynamically bind the params
  66. foreach(array_merge($query_filters_existing,$query_filters_existing) as $i => $query_filter) // array_merge -> duplicated the array contents; this is needed because our where clause is bound two times (in subquery + the outer query)
  67. $req->bindValue($i+1, $filter[$query_filter]);
  68.  
  69. $req->execute();
  70.  
  71. $list = array();
  72.  
  73. $data = $req->fetch();
  74.  
  75. if($data) {
  76. $nb = $data['nb'];
  77.  
  78. do {
  79. // Better in Kb or Mb
  80. $received = ($data['log_received'] > 1000000) ? $data['log_received']/1000000 . " Mo" : $data['log_received']/1000 . " Ko";
  81. $sent = ($data['log_send'] > 1000000) ? $data['log_send']/1000000 . " Mo" : $data['log_send']/1000 . " Ko";
  82.  
  83. // We add to the array the new line of logs
  84. array_push($list, array(
  85. "log_id" => $data['log_id'],
  86. "user_id" => $data['user_id'],
  87. "log_trusted_ip" => $data['log_trusted_ip'],
  88. "log_trusted_port" => $data['log_trusted_port'],
  89. "log_remote_ip" => $data['log_remote_ip'],
  90. "log_remote_port" => $data['log_remote_port'],
  91. "log_start_time" => $data['log_start_time'],
  92. "log_end_time" => $data['log_end_time'],
  93. "log_received" => $received,
  94. "log_send" => $sent));
  95.  
  96. } while ($data = $req->fetch());
  97. }
  98. else {
  99. $nb = 0;
  100. }
  101.  
  102. // We finally print the result
  103. $result = array('total' => intval($nb), 'rows' => $list);
  104.  
  105. echo json_encode($result);
  106. }
  107.  
  108. // Select the admins
  109. else if($_GET['select'] == "admin"){
  110. $req = $bdd->prepare('SELECT * FROM admin');
  111. $req->execute();
  112.  
  113. if($data = $req->fetch()) {
  114. do{
  115. $list[] = array(
  116. "admin_id" => $data['admin_id'],
  117. "admin_pass" => $data['admin_pass']
  118. );
  119. } while($data = $req->fetch());
  120.  
  121. echo json_encode($list);
  122. }
  123. else{
  124. $list = array();
  125. echo json_encode($list);
  126. }
  127. }
  128. }
  129.  
  130. // ---------------- ADD USER ----------------
  131. else if(isset($_POST['add_user'], $_POST['user_id'], $_POST['user_pass'])){
  132. // Put some default values
  133. $id = $_POST['user_id'];
  134. $pass = hashPass($_POST['user_pass']);
  135. $mail = "";
  136. $phone = "";
  137. $online = 0;
  138. $enable = 1;
  139. $start = NULL;
  140. $end = NULL;
  141.  
  142. $req = $bdd->prepare('INSERT INTO user (user_id, user_pass, user_mail, user_phone, user_online, user_enable, user_start_date, user_end_date)
  143. VALUES (?, ?, ?, ?, ?, ?, ?, ?)');
  144. $req->execute(array($id, $pass, $mail, $phone, $online, $enable, $start, $end));
  145.  
  146. $res = array("user_id" => $id,
  147. "user_pass" => $pass,
  148. "user_mail" => $mail ,
  149. "user_phone" => $phone,
  150. "user_online" => $online,
  151. "user_enable" => $enable,
  152. "user_start_date" => $start,
  153. "user_end_date" => $end
  154. );
  155.  
  156. echo json_encode($res);
  157. }
  158.  
  159. // ---------------- UPDATE USER ----------------
  160. else if(isset($_POST['set_user'])){
  161. $valid = array("user_id", "user_pass", "user_mail", "user_phone", "user_enable", "user_start_date", "user_end_date");
  162.  
  163. $field = $_POST['name'];
  164. $value = $_POST['value'];
  165. $pk = $_POST['pk'];
  166.  
  167. if (!isset($field) || !isset($pk) || !in_array($field, $valid)) {
  168. return;
  169. }
  170.  
  171. if ($field === 'user_pass') {
  172. $value = hashPass($value);
  173. }
  174. else if (($field === 'user_start_date' || $field === 'user_end_date') && $value === '') {
  175. $value = NULL;
  176. }
  177.  
  178. // /!\ SQL injection: field was checked with in_array function
  179. $req_string = 'UPDATE user SET ' . $field . ' = ? WHERE user_id = ?';
  180. $req = $bdd->prepare($req_string);
  181. $req->execute(array($value, $pk));
  182. }
  183.  
  184. // ---------------- REMOVE USER ----------------
  185. else if(isset($_POST['del_user'], $_POST['del_user_id'])){
  186. $req = $bdd->prepare('DELETE FROM user WHERE user_id = ?');
  187. $req->execute(array($_POST['del_user_id']));
  188. }
  189.  
  190. // ---------------- ADD ADMIN ----------------
  191. else if(isset($_POST['add_admin'], $_POST['admin_id'], $_POST['admin_pass'])){
  192. $req = $bdd->prepare('INSERT INTO admin(admin_id, admin_pass) VALUES (?, ?)');
  193. $req->execute(array($_POST['admin_id'], hashPass($_POST['admin_pass'])));
  194. }
  195.  
  196. // ---------------- UPDATE ADMIN ----------------
  197. else if(isset($_POST['set_admin'])){
  198. $valid = array("admin_id", "admin_pass");
  199.  
  200. $field = $_POST['name'];
  201. $value = $_POST['value'];
  202. $pk = $_POST['pk'];
  203.  
  204. if (!isset($field) || !isset($pk) || !in_array($field, $valid)) {
  205. return;
  206. }
  207.  
  208. if ($field === 'admin_pass') {
  209. $value = hashPass($value);
  210. }
  211.  
  212. $req_string = 'UPDATE admin SET ' . $field . ' = ? WHERE admin_id = ?';
  213. $req = $bdd->prepare($req_string);
  214. $req->execute(array($value, $pk));
  215. }
  216.  
  217. // ---------------- REMOVE ADMIN ----------------
  218. else if(isset($_POST['del_admin'], $_POST['del_admin_id'])){
  219. $req = $bdd->prepare('DELETE FROM admin WHERE admin_id = ?');
  220. $req->execute(array($_POST['del_admin_id']));
  221. }
  222.  
  223. // ---------------- UPDATE CONFIG ----------------
  224. else if(isset($_POST['update_config'])){
  225.  
  226. $pathinfo = pathinfo($_POST['config_file']);
  227.  
  228. $config_full_uri = $_POST['config_file']; // the complete path to the file, including the file (name) its self and the fully qualified path
  229. $config_full_path = $pathinfo['dirname']; // path to file (without filename its self)
  230. $config_name = basename($_POST['config_file']); // config file name only (without path)
  231. $config_parent_dir = basename($config_full_path); // name of the dir that contains the config file (without path)
  232.  
  233. /*
  234. * create backup for history
  235. */
  236. if (!file_exists($dir="../$config_full_path/history"))
  237. mkdir($dir, 0777, true);
  238. $ts = time();
  239. copy("../$config_full_uri", "../$config_full_path/history/${ts}_${config_name}");
  240.  
  241. /*
  242. * write config
  243. */
  244. $conf_success = file_put_contents('../'.$_POST['config_file'], $_POST['config_content']);
  245.  
  246. echo json_encode([
  247. 'debug' => [
  248. 'config_file' => $_POST['config_file'],
  249. 'config_content' => $_POST['config_content']
  250. ],
  251. 'config_success' => $conf_success !== false,
  252. ]);
  253. }
  254.  
  255. ?>