lainchan/inc/mod.php

<?php
		
	// Creates a small random string for validating moderators' cookies
	function mkhash($length=12) {
		// The method here isn't really important,
		// but I think this generates a relatively
		// unique string that looks cool.
		// If you choose to change this, make sure it cannot include a ':' character.
		return substr(base64_encode(sha1(rand() . time(), true)), 0, $length);
	}
	
	function login($username, $password, $makehash=true) {
		global $sql, $mod;
		
		// SHA1 password
		if($makehash) {
			$password = sha1($password);
		}
		
		$query = prepare("SELECT `id`,`type` FROM `mods` WHERE `username` = :username AND `password` = :password LIMIT 1");
		$query->bindValue(':username', $username);
		$query->bindValue(':password', $password);
		$query->execute();
		
		if($user = $query->fetch()) {
			return $mod = Array(
				'id' => $user['id'],
				'type' => $user['type'],
				'username' => $username,
				'password' => $password,
				'hash' => isset($_SESSION['mod']['hash']) ? $_SESSION['mod']['hash'] : mkhash()
				);
		} else return false;
	}
	
	function setCookies() {
		global $mod;
		if(!$mod) error('setCookies() was called for a non-moderator!');
		
		// MOD_COOKIE contains username:hash
		setcookie(MOD_COOKIE, $mod['username'] . ':' . $mod['hash'], time()+COOKIE_EXPIRE, JAIL_COOKIES?ROOT:'/', null, false, true);
		
		// Put $mod in the session
		$_SESSION['mod'] = $mod;
		
		// Lock sessions to IP addresses
		if(MOD_LOCK_IP)
			$_SESSION['mod']['ip'] = $_SERVER['REMOTE_ADDR'];
	}
	
	function destroyCookies() {
		// Delete the cookies
		setcookie(MOD_COOKIE, 'deleted', time()-COOKIE_EXPIRE, JAIL_COOKIES?ROOT:'/', null, false, true);
		
		// Unset the session
		unset($_SESSION['mod']);
	}
	
	if(isset($_COOKIE['mod']) && isset($_SESSION['mod']) && is_array($_SESSION['mod'])) {
		// Should be username:session hash
		$cookie = explode(':', $_COOKIE['mod']);
		if(count($cookie) != 2) {
			destroyCookies();
			error(ERROR_MALFORMED);
		}
		
		// Validate session
		if(	$cookie[0] != $_SESSION['mod']['username'] ||
			$cookie[1] != $_SESSION['mod']['hash']) {
			// Malformed cookies
			destroyCookies();
			error(ERROR_MALFORMED);
		}
		
		// Open connection
		sql_open();
		
		// Check username/password
		if(!login($_SESSION['mod']['username'], $_SESSION['mod']['password'], false)) {
			destroyCookies();
			error(ERROR_INVALIDAFTER);
		}
		
	}
	
	// Generates a <ul> element with a list of linked
	// boards and their subtitles. (without the <ul> opening and ending tags)
	function ulBoards() {
		global $mod;
		
		$body = '';
		
		// List of boards
		$boards = listBoards();
		
		foreach($boards as &$b) {
			$body .= '<li>' . 
				'<a href="?/' .
						sprintf(BOARD_PATH, $b['uri']) . FILE_INDEX .
						'">' .
					sprintf(BOARD_ABBREVIATION, $b['uri']) .
					'</a> - ' .
					$b['title'] .
					(isset($b['subtitle']) ? '<span class="unimportant"> — ' . $b['subtitle'] . '</span>' : '') . 
				'</li>';
		}
		
		if($mod['type'] >= MOD_NEWBOARD) {
			$body .= '<li style="margin-top:15px;"><a href="?/new"><strong>Create new board</strong></a></li>';
		}
		return $body;
	}
	
	function form_newBoard() {
		return '<fieldset><legend>New board</legend>' . 
					'<form action="?/new" method="post">' . 
						'<table>' .
						'<tr>' . 
							'<th><label for="board">URI:</label></th>' .
							'<td><input type="text" name="uri" id="board" size="3" maxlength="8" />' .
							' <span class="unimportant">(eg. "b"; "mu")</span>' .
						'</tr>' . 
						'<tr>' . 
							'<th><label for="title">Title:</label></th>' .
							'<td><input type="text" name="title" id="title" size="15" maxlength="20" />' .
							' <span class="unimportant">(eg. "Random")</span>' .
						'</tr>' . 
						'<tr>' . 
							'<th><label for="subtitle">Subtitle:</label></th>' .
							'<td><input type="text" name="subtitle" id="subtitle" size="20" maxlength="40" />' .
							' <span class="unimportant">(optional)</span>' .
						'</tr>' . 
						'<tr>' . 
							'<td></td>' . 
							'<td><input name="new_board" type="submit" value="New Board" /></td>' . 
						'</tr>' . 
						'</table>' .
					'</form>' .
				'</fieldset>';
	}
	
	// Remove file from post
	function deleteFile($id) {
		global $board;
		
		$query = prepare(sprintf("SELECT `thread`,`thumb`,`file` FROM `posts_%s` WHERE `id` = :id AND `thread` IS NOT NULL LIMIT 1", $board['uri']));
		$query->bindValue(':id', $id, PDO::PARAM_INT);
		$query->execute() or error(db_error($query));
		
		if($query->rowCount() < 1) {
			error(ERROR_INVALIDPOST);
		}
		
		$post = $query->fetch();
		
		// Delete thumbnail
		@unlink($board['dir'] . DIR_THUMB . $post['thumb']);
		
		// Delete file
		@unlink($board['dir'] . DIR_IMG . $post['file']);
		
		// Update database
		$query = prepare(sprintf("UPDATE `posts_%s` SET `thumb` = NULL, `thumbwidth` = NULL, `thumbheight` = NULL, `filewidth` = NULL, `fileheight` = NULL, `filesize` = NULL, `filename` = NULL, `filehash` = NULL, `file` = 'deleted' WHERE `id` = :id OR `thread` = :id", $board['uri']));
		$query->bindValue(':id', $id, PDO::PARAM_INT);
		$query->execute() or error(db_error($query));
		
		buildThread($post['thread']);
	}
	
	// Delete a post (reply or thread)
	function deletePost($id) {
		global $board;
		
		// Select post and replies (if thread) in one query
		$query = prepare(sprintf("SELECT `id`,`thread`,`thumb`,`file` FROM `posts_%s` WHERE `id` = :id OR `thread` = :id", $board['uri']));
		$query->bindValue(':id', $id, PDO::PARAM_INT);
		$query->execute() or error(db_error($query));
		
		if($query->rowCount() < 1) {
			error(ERROR_INVALIDPOST);
		}
		
		// Delete posts and maybe replies
		while($post = $query->fetch()) {
			if(!$post['thread']) {
				// Delete thread HTML page
				@unlink($board['dir'] . DIR_RES . sprintf(FILE_PAGE, $post['id']));
			} elseif($query->rowCount() == 1) {
				// Rebuild thread
				$rebuild = $post['thread'];
			}
			if($post['thumb']) {
				// Delete thumbnail
				@unlink($board['dir'] . DIR_THUMB . $post['thumb']);
			}
			if($post['file']) {
				// Delete file
				@unlink($board['dir'] . DIR_IMG . $post['file']);
			}
		}
		
		$query = prepare(sprintf("DELETE FROM `posts_%s` WHERE `id` = :id OR `thread` = :id", $board['uri']));
		$query->bindValue(':id', $id, PDO::PARAM_INT);
		$query->execute() or error(db_error($query));
		
		if(isset($rebuild)) {
			buildThread($rebuild);
		}
	}
?>
Fixed encoding error 2010-12-02 04:57:15 -05:00			`<?php`
Moved "$mod = false" to user.php 2010-12-10 05:03:20 -05:00
"Create board" page 2010-12-02 04:55:56 -05:00			`// Creates a small random string for validating moderators' cookies`
			`function mkhash($length=12) {`
			`// The method here isn't really important,`
			`// but I think this generates a relatively`
			`// unique string that looks cool.`
			`// If you choose to change this, make sure it cannot include a ':' character.`
			`return substr(base64_encode(sha1(rand() . time(), true)), 0, $length);`
			`}`

			`function login($username, $password, $makehash=true) {`
			`global $sql, $mod;`

			`// SHA1 password`
			`if($makehash) {`
			`$password = sha1($password);`
			`}`

Use PDO for databases 2010-12-17 09:18:03 -05:00			$query = prepare("SELECT `id`,`type` FROM `mods` WHERE `username` = :username AND `password` = :password LIMIT 1");
			`$query->bindValue(':username', $username);`
			`$query->bindValue(':password', $password);`
			`$query->execute();`
"Create board" page 2010-12-02 04:55:56 -05:00
Use PDO for databases 2010-12-17 09:18:03 -05:00			`if($user = $query->fetch()) {`
"Create board" page 2010-12-02 04:55:56 -05:00			`return $mod = Array(`
			`'id' => $user['id'],`
			`'type' => $user['type'],`
			`'username' => $username,`
			`'password' => $password,`
			`'hash' => isset($_SESSION['mod']['hash']) ? $_SESSION['mod']['hash'] : mkhash()`
			`);`
			`} else return false;`
			`}`

			`function setCookies() {`
			`global $mod;`
			`if(!$mod) error('setCookies() was called for a non-moderator!');`

			`// MOD_COOKIE contains username:hash`
			`setcookie(MOD_COOKIE, $mod['username'] . ':' . $mod['hash'], time()+COOKIE_EXPIRE, JAIL_COOKIES?ROOT:'/', null, false, true);`

			`// Put $mod in the session`
			`$_SESSION['mod'] = $mod;`

			`// Lock sessions to IP addresses`
			`if(MOD_LOCK_IP)`
			`$_SESSION['mod']['ip'] = $_SERVER['REMOTE_ADDR'];`
			`}`

			`function destroyCookies() {`
			`// Delete the cookies`
			`setcookie(MOD_COOKIE, 'deleted', time()-COOKIE_EXPIRE, JAIL_COOKIES?ROOT:'/', null, false, true);`

			`// Unset the session`
			`unset($_SESSION['mod']);`
			`}`

			`if(isset($_COOKIE['mod']) && isset($_SESSION['mod']) && is_array($_SESSION['mod'])) {`
			`// Should be username:session hash`
			`$cookie = explode(':', $_COOKIE['mod']);`
			`if(count($cookie) != 2) {`
			`destroyCookies();`
			`error(ERROR_MALFORMED);`
			`}`

			`// Validate session`
			`if( $cookie[0] != $_SESSION['mod']['username'] \|\|`
			`$cookie[1] != $_SESSION['mod']['hash']) {`
			`// Malformed cookies`
			`destroyCookies();`
			`error(ERROR_MALFORMED);`
			`}`

			`// Open connection`
			`sql_open();`

			`// Check username/password`
			`if(!login($_SESSION['mod']['username'], $_SESSION['mod']['password'], false)) {`
			`destroyCookies();`
			`error(ERROR_INVALIDAFTER);`
			`}`

			`}`

Created basis for mod dashboard 2010-12-02 02:26:09 -05:00			`// Generates a <ul> element with a list of linked`
Mod controls and permissions 2010-12-16 10:20:16 -05:00			`// boards and their subtitles. (without the <ul> opening and ending tags)`
Created basis for mod dashboard 2010-12-02 02:26:09 -05:00			`function ulBoards() {`
"Create board" page 2010-12-02 04:55:56 -05:00			`global $mod;`

Mod controls and permissions 2010-12-16 10:20:16 -05:00			`$body = '';`
Created basis for mod dashboard 2010-12-02 02:26:09 -05:00
			`// List of boards`
			`$boards = listBoards();`

			`foreach($boards as &$b) {`
			`$body .= '<li>' .`
			`'<a href="?/' .`
			`sprintf(BOARD_PATH, $b['uri']) . FILE_INDEX .`
			`'">' .`
			`sprintf(BOARD_ABBREVIATION, $b['uri']) .`
"Create board" page 2010-12-02 04:55:56 -05:00			`'</a> - ' .`
			`$b['title'] .`
			`(isset($b['subtitle']) ? '<span class="unimportant"> — ' . $b['subtitle'] . '</span>' : '') .`
Created basis for mod dashboard 2010-12-02 02:26:09 -05:00			`'</li>';`
			`}`

Mod controls and permissions 2010-12-16 10:20:16 -05:00			`if($mod['type'] >= MOD_NEWBOARD) {`
"Create board" page 2010-12-02 04:55:56 -05:00			`$body .= '<li style="margin-top:15px;"><a href="?/new"><strong>Create new board</strong></a></li>';`
			`}`
Mod controls and permissions 2010-12-16 10:20:16 -05:00			`return $body;`
Created basis for mod dashboard 2010-12-02 02:26:09 -05:00			`}`
"Create board" page 2010-12-02 04:55:56 -05:00
			`function form_newBoard() {`
			`return '<fieldset><legend>New board</legend>' .`
			`'<form action="?/new" method="post">' .`
			`'<table>' .`
			`'<tr>' .`
			`'<th><label for="board">URI:</label></th>' .`
			`'<td><input type="text" name="uri" id="board" size="3" maxlength="8" />' .`
			`' <span class="unimportant">(eg. "b"; "mu")</span>' .`
			`'</tr>' .`
			`'<tr>' .`
			`'<th><label for="title">Title:</label></th>' .`
			`'<td><input type="text" name="title" id="title" size="15" maxlength="20" />' .`
			`' <span class="unimportant">(eg. "Random")</span>' .`
			`'</tr>' .`
			`'<tr>' .`
			`'<th><label for="subtitle">Subtitle:</label></th>' .`
			`'<td><input type="text" name="subtitle" id="subtitle" size="20" maxlength="40" />' .`
			`' <span class="unimportant">(optional)</span>' .`
			`'</tr>' .`
			`'<tr>' .`
			`'<td></td>' .`
			`'<td><input name="new_board" type="submit" value="New Board" /></td>' .`
			`'</tr>' .`
			`'</table>' .`
			`'</form>' .`
			`'</fieldset>';`
			`}`

Rebuild threads after a post is deleted 2011-01-01 05:42:22 -05:00			`// Remove file from post`
			`function deleteFile($id) {`
			`global $board;`

Remove files 2011-01-01 05:44:11 -05:00			$query = prepare(sprintf("SELECT `thread`,`thumb`,`file` FROM `posts_%s` WHERE `id` = :id AND `thread` IS NOT NULL LIMIT 1", $board['uri']));
Rebuild threads after a post is deleted 2011-01-01 05:42:22 -05:00			`$query->bindValue(':id', $id, PDO::PARAM_INT);`
			`$query->execute() or error(db_error($query));`

			`if($query->rowCount() < 1) {`
			`error(ERROR_INVALIDPOST);`
			`}`
Remove files 2011-01-01 05:44:11 -05:00
			`$post = $query->fetch();`

			`// Delete thumbnail`
			`@unlink($board['dir'] . DIR_THUMB . $post['thumb']);`

			`// Delete file`
			`@unlink($board['dir'] . DIR_IMG . $post['file']);`

Fixed major security bug and image deleting 2011-01-01 06:12:31 -05:00			`// Update database`
			$query = prepare(sprintf("UPDATE `posts_%s` SET `thumb` = NULL, `thumbwidth` = NULL, `thumbheight` = NULL, `filewidth` = NULL, `fileheight` = NULL, `filesize` = NULL, `filename` = NULL, `filehash` = NULL, `file` = 'deleted' WHERE `id` = :id OR `thread` = :id", $board['uri']));
			`$query->bindValue(':id', $id, PDO::PARAM_INT);`
			`$query->execute() or error(db_error($query));`
Remove files 2011-01-01 05:44:11 -05:00
Fixed major security bug and image deleting 2011-01-01 06:12:31 -05:00			`buildThread($post['thread']);`
Rebuild threads after a post is deleted 2011-01-01 05:42:22 -05:00			`}`

deleteThread() function 2010-12-16 00:36:33 -05:00			`// Delete a post (reply or thread)`
			`function deletePost($id) {`
Use PDO for databases 2010-12-17 09:18:03 -05:00			`global $board;`
deleteThread() function 2010-12-16 00:36:33 -05:00
			`// Select post and replies (if thread) in one query`
Use PDO for databases 2010-12-17 09:18:03 -05:00			$query = prepare(sprintf("SELECT `id`,`thread`,`thumb`,`file` FROM `posts_%s` WHERE `id` = :id OR `thread` = :id", $board['uri']));
			`$query->bindValue(':id', $id, PDO::PARAM_INT);`
			`$query->execute() or error(db_error($query));`

			`if($query->rowCount() < 1) {`
Check if post exists when deleting 2010-12-16 01:05:29 -05:00			`error(ERROR_INVALIDPOST);`
			`}`

deleteThread() function 2010-12-16 00:36:33 -05:00			`// Delete posts and maybe replies`
Use PDO for databases 2010-12-17 09:18:03 -05:00			`while($post = $query->fetch()) {`
deleteThread() function 2010-12-16 00:36:33 -05:00			`if(!$post['thread']) {`
			`// Delete thread HTML page`
			`@unlink($board['dir'] . DIR_RES . sprintf(FILE_PAGE, $post['id']));`
Rebuild threads after a post is deleted 2011-01-01 05:42:22 -05:00			`} elseif($query->rowCount() == 1) {`
			`// Rebuild thread`
			`$rebuild = $post['thread'];`
deleteThread() function 2010-12-16 00:36:33 -05:00			`}`
			`if($post['thumb']) {`
			`// Delete thumbnail`
			`@unlink($board['dir'] . DIR_THUMB . $post['thumb']);`
			`}`
			`if($post['file']) {`
			`// Delete file`
			`@unlink($board['dir'] . DIR_IMG . $post['file']);`
			`}`
			`}`
Moved several DELETE queries into one 2010-12-16 04:29:35 -05:00
Use PDO for databases 2010-12-17 09:18:03 -05:00			$query = prepare(sprintf("DELETE FROM `posts_%s` WHERE `id` = :id OR `thread` = :id", $board['uri']));
			`$query->bindValue(':id', $id, PDO::PARAM_INT);`
			`$query->execute() or error(db_error($query));`
Rebuild threads after a post is deleted 2011-01-01 05:42:22 -05:00
			`if(isset($rebuild)) {`
			`buildThread($rebuild);`
			`}`
deleteThread() function 2010-12-16 00:36:33 -05:00			`}`
Created basis for mod dashboard 2010-12-02 02:26:09 -05:00			`?>`