Show Posts

1

Web Oriented Coding / modification - anti-spam-captcha

« on: September 08, 2012, 02:13:25 pm »

hi,
can one help me to insert here an anti-spam-captcha, like reCaptcha (http://www.google.com/recaptcha/whyrecaptcha) or an simple math-field (e.g. 5+5 -> 10)?

Code: [Select]

<?php
// Hier werden die Kommentare gespeichert

    if (!function_exists("postComment")) {
    function postComment() {

        global $extension,
               $news_id,
               $options,
               $success,
               $failure,
               $REMOTE_ADDR;
               
        $getvars = array();
        $postvars = array('author' ,'email' ,'title' ,'comment');
        foreach ($getvars as $key=>$elem) { if(isset($_GET[$elem])) { $$elem = $_GET[$elem]; } else { $$elem = ""; } }
        foreach ($postvars as $key=>$elem) { if(isset($_POST[$elem])) { $$elem = $_POST[$elem]; } if(!isset($$elem)) { $$elem = ""; } }

        require("config.inc".$extension);
        require("corebb".$extension);
        
        $dbconn = new Coresql($db_server, $db_database, $db_account, $db_password);
        $result = $dbconn->fetchArray("SELECT * FROM $newstable WHERE id = $news_id");
        if ($result['id'] != "") {
            $ipcheck = $dbconn->fetchArray("SELECT * FROM $commentstable WHERE ip = '$REMOTE_ADDR' ORDER BY time DESC");
            if (($ipcheck['time'] + $options['flood_control']) <= time()) {
                if (($author != "") && (($options['force_email'] == 0 || ($email != "") && ($options['force_email'] == 1))) && ($title != "") && ($comment != "")) {
                    $author = str_replace("'", "\"", htmlspecialchars($author));
                    $email = str_replace("'", "\"", htmlspecialchars($email));
                    $title = str_replace("'", "\"", htmlspecialchars($title));
                    switch ($options['html_bb_allow']) {
                        case 0: $comment2 = htmlspecialchars($comment);                  break;
                        case 1: $comment2 = corebb(htmlspecialchars($comment), "toHTM"); break;
                        case 2: $comment2 = $comment;                                    break;
                        case 3: $comment2 = corebb($comment, "toHTM");                   break;
                    }
                    $comment2 = str_replace("\r\n", "<br />", $comment2);
                    $comment2 = stripslashes($comment2);
                    $comment2 = str_replace("'", "\"", $comment2);
                    $time = time();
                    $dbconn = new Coresql($db_server, $db_database, $db_account, $db_password);
                    $query = $dbconn->execQuery("INSERT INTO $commentstable (news_id, author, email, title, comment, time, ip) VALUES ($news_id, '$author', '$email', '$title', '$comment2', '$time', '$REMOTE_ADDR')");
                    if ($query) {
                        $success = "Kommentar <font color=\"#00BF00\">erfolgreich</font> eingetragen!";
                    } else {
                        $failure = "Kommentar konnte nicht eingetragen werden!";
                    }    
                } elseif ((isset($author)) && ($author == "")) { $failure = "Bitte gib deinen Namen ein!";
                } elseif ((isset($email)) && ($email == "") && ($options['force_email'] == 1)) { $failure = "Bitte gib deine E-Mail ein!";
                } elseif ((isset($title)) && ($title == "")) { $failure = "Bitte gib einen Titel für den Kommentar ein!";
                } elseif ((isset($comment)) && ($comment == "")) { $failure = "Bitte gib ein Kommentar ein!";
                }
            } else {
                if ($options['flood_control'] <= 60) {
                    $wait = $options['flood_control']." Sekunden";
                } else {
                    $wait = (($options['flood_control'] - ($options['flood_control'] % 60)) / 60)." Minuten";
                }
                $failure = "Du musst $wait warten, bis du einen neuen Kommentar absenden darfst!";
            }    
        $close = $dbconn->close();
        }
    }}

// Hier werden die Kommentare ausgegeben

    if (!function_exists("showComments")) {
    function showComments() {

        global $extension,
               $news_id,
               $options,
               $failure,
               $success,
               $styledata;
               
        require("config.inc".$extension);

        print "<div align=\"center\" class=\"comments\"><br /><h1>Kommentare:</h1></div><br />\r\n";
        $dbconn = new Coresql($db_server, $db_database, $db_account, $db_password);
        $commentdata = $dbconn->fetchMultiple("SELECT * FROM $commentstable WHERE news_id = $news_id ORDER BY id ASC");
        $close = $dbconn->close();
        $comm1_tpl = $styledata['tpl_comm1'];
        if ($commentdata != "") {
            foreach ($commentdata as $key=>$elem) {
                if (($options['show_comm_email']) && ($elem['email'] != "")) {
                    $author = "<a class=\"comments\" href=\"mailto:$elem[email]\"><b>$elem[author]</b></a>";
                } else {
                $author = $elem['author'];
            }
                $comment = $elem['comment']; 
                $comment = str_replace("<a ", "<a class=\"comments\" ", $comment);
                $dbconn = new Coresql($db_server, $db_database, $db_account, $db_password);
                $rows = $dbconn->countRows("SELECT * FROM $smilietable");
                if ($options['comment_smilies'] > 0) {
                    for($smilie_id = 1; $smilie_id <= $rows; $smilie_id ++) {
                        $correctdata = 0;
                        while($correctdata < 1) {
                            $data = $dbconn->fetchArray("SELECT * FROM $smilietable WHERE id = $smilie_id");
                            if ($data['id'] == "") { $smilie_id ++; $rows ++; } else { $correctdata = 1; }
                        }
                        $comment_repl = "<img src=\"$options[smilie_dir]$data[name]\" border=\"0\" alt=\"$data[title]\" />";
                        $comment = str_replace($data['code'], $comment_repl, $comment);
                    }
                }
                $close = $dbconn->close(); 
                $comm1_template = $comm1_tpl;
                $comm1_template = str_replace("{title}", $elem['title'], $comm1_template);
                $comm1_template = str_replace("{author}", $author, $comm1_template);
                $comm1_template = str_replace("{time}", date("G:i", $elem['time']), $comm1_template);
                $comm1_template = str_replace("{date}", date("j. n. Y", $elem['time']), $comm1_template);
                $comm1_template = str_replace("{comment}", $comment, $comm1_template);
                if ($options['php_allowed']) {
                    $comm1_template = str_replace('"', '\"', $comm1_template);
                    $comm1_template = str_replace('?>', 'print "', $comm1_template);
                    $comm1_template = str_replace('<?php', '"; ', $comm1_template);
                    $comm1_template = 'print "'.$comm1_template.'";';
                    $comm1_template = eval($comm1_template);
                }
                print $comm1_template;
            }
        } else { print "<div align=\"center\" class=\"comments\">Noch keine Kommentare vorhanden!</div><br /><br />\r\n"; }
        if(isset($failure)) { print "<br /><div align=\"center\" class=\"comments\"><b><font color=\"#BF0000\">Fehler:</font> $failure</b></div><br /><br />\r\n"; }
        if(isset($success)) { print "<br /><div align=\"center\" class=\"comments\"><b>$success</b></div><br /><br />\r\n"; }
    }}

// Hier wird das Kommentar schreiben Feld erstellt

    if (!function_exists("showPostComment")) {
    function showPostComment() {

        global $extension,
               $options,
               $styledata,
               $news_id,
               $QUERY_STRING,
               $PHP_SELF;
                
        $getvars = array();
        $postvars = array('author' ,'email' ,'title' ,'comment');
        foreach ($getvars as $key=>$elem) { if(isset($_GET[$elem])) { $$elem = $_GET[$elem]; } else { $$elem = ""; } }
        foreach ($postvars as $key=>$elem) { if(isset($_POST[$elem])) { $$elem = $_POST[$elem]; } if(!isset($$elem)) { $$elem = ""; } }

        require("config.inc".$extension);

        $comm2_template = $styledata['tpl_comm2'];
        $formheight = ""; $formwidth = "";
        $form_author ="<input type=\"text\" name=\"author\" maxlength=\"255\" value=\"$author\" />";
        $form_email ="<input type=\"text\" name=\"email\" maxlength=\"255\" value=\"$email\" />";
        $form_title ="<input type=\"text\" name=\"title\" maxlength=\"255\" value=\"$title\" />";
        $form_submit ="<input type=\"submit\" class=\"submit\" value=\"Abschicken\" />\r\n<input type=\"hidden\" name=\"postinit\" value=\"OK\" />";
        if (!$options['force_email']) {+
            $force_mail = " (freiwillig)";
        } else {
            $force_mail = "";
        }
        print "<a name=\"newcomment\"></a>\r\n";
        print "<form action=\"".$PHP_SELF.$QUERY_STRING."&amp;comments=$news_id#newcomment\" method=\"post\" name=\"newcomment\">\r\n"; 
        $comm2_template = preg_replace("/{comment=(\d+),(\d+)}/s", "<textarea name=\"comment\" cols=\"$1\" rows=\"$2\">$comment</textarea>", $comm2_template);
        $comm2_template = str_replace("{author}", $form_author, $comm2_template);
        $comm2_template = str_replace("{email}", $form_email, $comm2_template);
        $comm2_template = str_replace("{force_mail}", $force_mail, $comm2_template);
        $comm2_template = str_replace("{title}", $form_title, $comm2_template);
        $comm2_template = str_replace("{submit}", $form_submit, $comm2_template);
        if ($options['comment_smilies'] > 0) {
            $form_smilies = commentSmilies();
            $comm2_template = str_replace("{smilies}", $form_smilies, $comm2_template);
        } else {
            $comm2_template = str_replace("{smilies}", "", $comm2_template);
        }
        if ($options['php_allowed']) {
            $comm2_template = str_replace('"', '\"', $comm2_template);
            $comm2_template = str_replace('?>', 'print "', $comm2_template);
            $comm2_template = str_replace('<?php', '"; ', $comm2_template);
            $comm2_template = 'print "'.$comm2_template.'";';
            $comm2_template = eval($comm2_template);
        }
        print $comm2_template;
        print "</form>\r\n";   
    }}
    
// Helper für "showPostComment", der die Smilies erzeugt

    if (!function_exists("commentSmilies")) {
    function commentSmilies() {

        global $extension,
               $options,
               $styledata;
                
        require("config.inc".$extension);
        $num_smilies = $options['comment_smilies'];
        $form_smilies = "";
        $dbconn = new Coresql($db_server, $db_database, $db_account, $db_password);
        for($smilie_id = 1; $smilie_id <= $num_smilies; $smilie_id ++) {
            $smilie_desc = $dbconn->fetchArray("SELECT * FROM $csmilietable WHERE id = $smilie_id");
            $smilie_data = $dbconn->fetchArray("SELECT * FROM $smilietable WHERE id = $smilie_desc[smilie_id]");
            $form_smilies = $form_smilies."    <td class=\"cncomments\">\r\n";
            $form_smilies = $form_smilies."      <a href=\"javascript:document.newcomment.comment.value = document.newcomment.comment.value + ' $smilie_data[code]'; document.newcomment.comment.focus();\"\r\n";
            $form_smilies = $form_smilies."\t  onmouseover=\"status='$smilie_data[title]';return true;\"  onmouseout=\"status='';return true;\">\r\n";
            $form_smilies = $form_smilies."    <img src=\"$options[smilie_dir]$smilie_data[name]\" border=\"0\" alt=\"$smilie_data[title]\" /></a>\r\n";
            $form_smilies = $form_smilies."    </td>\r\n";
            if ($smilie_id == ($num_smilies / 2)) {
                $form_smilies = $form_smilies."  </tr>\r\n  <tr>\r\n";
            }    
        }
        $close = $dbconn->close(); 
        $form_smilies = "<table border=\"0\" cellpadding=\"3\" cellspacing=\"0\">\r\n  <tr>\r\n$form_smilies  </tr>\r\n</table>";
        return $form_smilies;
    }}
?>

2

Web Oriented Coding / Re: [php] HELP me with "include($_GET['site']);"

« on: January 06, 2012, 07:46:59 pm »

hm... okay, i must create an list for my content-files (*.php), but i have many content-files and the list where a long-long-list... is there an other way to include secure?

btw: my url-link are at the moment so: http://xxxxx.com/?site=demo.php ... Can I maintain the left path so?

3

Web Oriented Coding / Re: [php] HELP me with "include($_GET['site']);"

« on: January 02, 2012, 06:25:05 pm »

the first line include the news-script (shownews.php), the other lines are normal php-files (content)

hm....... can i have an exemple?

sry i'm a noob in this... a ananymous guy tell me this

4

Web Oriented Coding / [php] HELP me with "include($_GET['site']);"

« on: January 02, 2012, 06:14:16 pm »

Hey everyone!
Can one help me to make the code secure?

Code: [Select]

<?php
               if($_GET['site'] == "")
               {
                  chdir("news");
                  $show = "main";
                  include("shownews.php");
                  chdir("..");
               }
               else
               {
                  if(file_exists($_GET['site']))
                  {
                     if(strstr($_GET['site'], "http://"))
                     {
                        echo "External files cannot be integrated.";
                     }
                     else
                     {
                        include($_GET['site']);
                     }
                  }
                  else
                  {
                     echo "FILE NOT FOUND";
                  }
               }
            ?>

EvilZone

News:

Messages - scofield

Web Oriented Coding / modification - anti-spam-captcha

Web Oriented Coding / Re: [php] HELP me with "include($_GET['site']);"

Web Oriented Coding / Re: [php] HELP me with "include($_GET['site']);"

Web Oriented Coding / [php] HELP me with "include($_GET['site']);"