Verified Commit eb476656 authored by noplanman's avatar noplanman

Nicely import $_GET and $_POST parameters, PHP7 style!

Fix all SQL queries to make sure they use pg_query_params for parameter binding.
Simplify various `if` conditionals to 1-liners.
parent f4fdf9b0
<?php <?php
//Copyright (c) 2011, David Morley. This file is licensed under the Affero General Public License version 3 or later. See the COPYRIGHT file. //Copyright (c) 2011, David Morley. This file is licensed under the Affero General Public License version 3 or later. See the COPYRIGHT file.
$_GET['key'] === '4r45tg' || die; ($_GET['key'] ?? null) === '4r45tg' || die;
// Other parameters.
$_format = $_GET['format'] ?? '';
$_method = $_GET['method'] ?? '';
$_callback = $_GET['callback'] ?? '';
require_once __DIR__ . '/config.php'; require_once __DIR__ . '/config.php';
$dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass"); $dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass");
$dbh || die('Error in connection: ' . pg_last_error()); $dbh || die('Error in connection: ' . pg_last_error());
if ($_GET['format'] === 'georss') { if ($_format === 'georss') {
echo <<<EOF echo <<<EOF
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:georss="http://www.georss.org/georss"> <feed xmlns="http://www.w3.org/2005/Atom" xmlns:georss="http://www.georss.org/georss">
...@@ -48,7 +53,7 @@ EOF; ...@@ -48,7 +53,7 @@ EOF;
EOF; EOF;
} }
echo '</feed>'; echo '</feed>';
} elseif ($_GET['format'] === 'json') { } elseif ($_format === 'json') {
$sql = 'SELECT id,domain,status,secure,score,userrating,adminrating,city,state,country,lat,long,ip,ipv6,pingdomurl,monthsmonitored,uptimelast7,responsetimelast7,local_posts,comment_counts,dateCreated,dateUpdated,dateLaststats,hidden FROM pods'; $sql = 'SELECT id,domain,status,secure,score,userrating,adminrating,city,state,country,lat,long,ip,ipv6,pingdomurl,monthsmonitored,uptimelast7,responsetimelast7,local_posts,comment_counts,dateCreated,dateUpdated,dateLaststats,hidden FROM pods';
$result = pg_query($dbh, $sql); $result = pg_query($dbh, $sql);
$result || die('Error in SQL query: ' . pg_last_error()); $result || die('Error in SQL query: ' . pg_last_error());
...@@ -62,8 +67,8 @@ EOF; ...@@ -62,8 +67,8 @@ EOF;
'podcount' => $numrows, 'podcount' => $numrows,
'pods' => $rows, 'pods' => $rows,
]; ];
if ($_GET['method'] === 'jsonp') { if ($_method === 'jsonp') {
print $_GET['callback'] . '(' . json_encode($obj) . ')'; print $_callback . '(' . json_encode($obj) . ')';
} else { } else {
print json_encode($obj); print json_encode($obj);
} }
...@@ -87,7 +92,7 @@ EOF; ...@@ -87,7 +92,7 @@ EOF;
$row['country'] $row['country']
); );
} }
pg_free_result($result);
pg_close($dbh);
} }
pg_free_result($result);
pg_close($dbh);
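Review bot: The JSONP branch prints `$_callback` straight into the response body (`print $_callback . '(' . json_encode($obj) . ')'`), so an arbitrary `callback` query value becomes script in the caller's page; the `?? ''` default added here does not constrain its content. Restrict it to an identifier before use, e.g. `preg_match('/\A[A-Za-z_$][\w$.]*\z/', $_callback) || die('bad callback');`, and emit `header('Content-Type: application/javascript');` for that branch. The hard-coded `'4r45tg'` gate on the `key` parameter is a secret committed to source; loading it from config.php alongside the database credentials would keep it out of the repository. Moving `pg_free_result`/`pg_close` inside the last format branch appears to leave the georss and json branches without the explicit cleanup they had before; PHP releases the handles at script end, but if that was unintentional the two lines belong back after the closing brace.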
<!-- /* Copyright (c) 2011, David Morley. This file is licensed under the Affero General Public License version 3 or later. See the COPYRIGHT file. */ --> <!-- /* Copyright (c) 2011, David Morley. This file is licensed under the Affero General Public License version 3 or later. See the COPYRIGHT file. */ -->
<?php <?php
$valid = 0;
require_once __DIR__ . '/../logging.php'; require_once __DIR__ . '/../logging.php';
$log = new Logging(); $log = new Logging();
$log->lfile(__DIR__ . $log_dir . '/add.log'); $log->lfile(__DIR__ . $log_dir . '/add.log');
if (!$_POST['url']) { if (!($_domain = $_POST['domain'] ?? null)) {
$log->lwrite('no url given ' . $_POST['domain']); $log->lwrite('no domain given');
die('no pod domain given');
}
if (!($_url = $_POST['url'] ?? null)) {
$log->lwrite('no url given ' . $_domain);
die('no url given'); die('no url given');
} }
if (!$_POST['email']) { if (!($_email = $_POST['email'] ?? null)) {
$log->lwrite('no email given ' . $_POST['domain']); $log->lwrite('no email given ' . $_domain);
die('no email given'); die('no email given');
} }
if (!$_POST['domain']) { if (!$_url) {
$log->lwrite('no domain given ' . $_POST['domain']); $log->lwrite('no api given ' . $_domain);
die('no pod domain given');
}
if (!$_POST['url']) {
$log->lwrite('no api given ' . $_POST['domain']);
die('no API key for your stats'); die('no API key for your stats');
} }
if (strlen($_POST['url']) < 14) { if (strlen($_url) < 14) {
$log->lwrite('api key too short ' . $_POST['domain']); $log->lwrite('api key too short ' . $_domain);
die('API key bad needs to be like m58978-80abdb799f6ccf15e3e3787ee'); die('API key bad needs to be like m58978-80abdb799f6ccf15e3e3787ee');
} }
...@@ -31,24 +30,24 @@ require_once __DIR__ . '/../config.php'; ...@@ -31,24 +30,24 @@ require_once __DIR__ . '/../config.php';
$dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass"); $dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass");
$dbh || die('Error in connection: ' . pg_last_error()); $dbh || die('Error in connection: ' . pg_last_error());
$sql = 'SELECT domain,pingdomurl FROM pods'; $sql = 'SELECT domain, pingdomurl FROM pods';
$result = pg_query($dbh, $sql); $result = pg_query($dbh, $sql);
$result || die('Error in SQL query: ' . pg_last_error()); $result || die('Error in SQL query: ' . pg_last_error());
while ($row = pg_fetch_array($result)) { while ($row = pg_fetch_array($result)) {
if ($row['domain'] == $_POST['domain']) { if ($row['domain'] === $_domain) {
$log->lwrite('domain already exists ' . $_POST['domain']); $log->lwrite('domain already exists ' . $_domain);
die('domain already exists'); die('domain already exists');
} }
if ($row['pingdomurl'] == $_POST['url']) { if ($row['pingdomurl'] === $_url) {
$log->lwrite('API key already exists ' . $_POST['domain']); $log->lwrite('API key already exists ' . $_domain);
die('API key already exists'); die('API key already exists');
} }
} }
//curl the header of pod with and without https //curl the header of pod with and without https
$chss = curl_init(); $chss = curl_init();
curl_setopt($chss, CURLOPT_URL, 'https://' . $_POST['domain'] . '/nodeinfo/1.0'); curl_setopt($chss, CURLOPT_URL, 'https://' . $_domain . '/nodeinfo/1.0');
curl_setopt($chss, CURLOPT_POST, 0); curl_setopt($chss, CURLOPT_POST, 0);
curl_setopt($chss, CURLOPT_HEADER, 0); curl_setopt($chss, CURLOPT_HEADER, 0);
curl_setopt($chss, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($chss, CURLOPT_CONNECTTIMEOUT, 5);
...@@ -58,7 +57,7 @@ $outputssl = curl_exec($chss); ...@@ -58,7 +57,7 @@ $outputssl = curl_exec($chss);
curl_close($chss); curl_close($chss);
$ch = curl_init(); $ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://' . $_POST['domain'] . '/nodeinfo/1.0'); curl_setopt($ch, CURLOPT_URL, 'http://' . $_domain . '/nodeinfo/1.0');
curl_setopt($ch, CURLOPT_POST, 0); curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
...@@ -67,32 +66,33 @@ curl_setopt($ch, CURLOPT_NOBODY, 0); ...@@ -67,32 +66,33 @@ curl_setopt($ch, CURLOPT_NOBODY, 0);
$output = curl_exec($ch); $output = curl_exec($ch);
curl_close($ch); curl_close($ch);
$valid = false;
if (stristr($outputssl, 'nodeName')) { if (stristr($outputssl, 'nodeName')) {
$log->lwrite('Your pod has ssl and is valid ' . $_POST['domain']); $log->lwrite('Your pod has ssl and is valid ' . $_domain);
echo 'Your pod has ssl and is valid<br>'; echo 'Your pod has ssl and is valid<br>';
$valid = 1; $valid = true;
} }
if (stristr($output, 'nodeName')) { if (stristr($output, 'nodeName')) {
$log->lwrite('Your pod does not have ssl but is a valid pod ' . $_POST['domain']); $log->lwrite('Your pod does not have ssl but is a valid pod ' . $_domain);
echo 'Your pod does not have ssl but is a valid pod<br>'; echo 'Your pod does not have ssl but is a valid pod<br>';
$valid = 1; $valid = true;
} }
if ($valid == '1') { if ($valid) {
$sql = "INSERT INTO pods (domain, pingdomurl, email) VALUES($1, $2, $3)"; $sql = 'INSERT INTO pods (domain, pingdomurl, email) VALUES ($1, $2, $3)';
$result = pg_query_params($dbh, $sql, [$_POST['domain'], $_POST['url'], $_POST['email']]); $result = pg_query_params($dbh, $sql, [$_domain, $_url, $_email]);
$result || die('Error in SQL query: ' . pg_last_error()); $result || die('Error in SQL query: ' . pg_last_error());
$to = $adminemail; $to = $adminemail;
$cc = $_POST['email']; $cc = $_email;
$subject = 'New pod added to podupti.me '; $subject = 'New pod added to podupti.me ';
$message = sprintf( $message = sprintf(
"%1\$s\n\nStats Url: %2\$s\n\nPod: %3\$s\n\n", "%1\$s\n\nStats Url: %2\$s\n\nPod: %3\$s\n\n",
'https://podupti.me', 'https://podupti.me',
'https://api.uptimerobot.com/getMonitors?format=json&customUptimeRatio=7-30-60-90&apiKey=' . $_POST['url'], 'https://api.uptimerobot.com/getMonitors?format=json&customUptimeRatio=7-30-60-90&apiKey=' . $_url,
'https://podupti.me/db/pull.php?debug=1&domain=' . $_POST['domain'] 'https://podupti.me/db/pull.php?debug=1&domain=' . $_domain
); );
$message .= 'Your pod will not show right away, needs to pass a few checks, Give it a few hours!'; $message .= 'Your pod will not show right away, needs to pass a few checks, Give it a few hours!';
$headers = 'From: ' . $_POST['email'] . "\r\nReply-To: " . $_POST['email'] . "\r\nCc: " . $_POST['email'] . "\r\n"; $headers = 'From: ' . $_email . "\r\nReply-To: " . $_email . "\r\nCc: " . $_email . "\r\n";
@mail($to, $subject, $message, $headers); @mail($to, $subject, $message, $headers);
echo 'Data successfully inserted! Your pod will be reviewed and live on the list in a few hours!'; echo 'Data successfully inserted! Your pod will be reviewed and live on the list in a few hours!';
...@@ -101,7 +101,7 @@ if ($valid == '1') { ...@@ -101,7 +101,7 @@ if ($valid == '1') {
pg_close($dbh); pg_close($dbh);
} else { } else {
$log->lwrite('Could not validate your pod on http or https, check your setup! ' . $_POST['domain']); $log->lwrite('Could not validate your pod on http or https, check your setup! ' . $_domain);
echo 'Could not validate your pod on http or https, check your setup!<br>Take a look at <a href="https://' . $_POST['domain'] . '/nodeinfo/1.0">your /nodeinfo</a>'; echo 'Could not validate your pod on http or https, check your setup!<br>Take a look at <a href="https://' . $_domain . '/nodeinfo/1.0">your /nodeinfo</a>';
} }
$log->lclose(); $log->lclose();
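Review bot: `$_email` is concatenated into the From, Reply-To and Cc headers (`$headers = 'From: ' . $_email . "\r\nReply-To: " ...`) without any check that it is a single address, so a value containing CR/LF can inject additional mail headers; the new `?? null` presence checks do not cover that. Add `filter_var($_email, FILTER_VALIDATE_EMAIL) || die('bad email');` next to the presence check, and likewise constrain `$_domain` to a hostname with `filter_var($_domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)` before it is used to build the nodeinfo URLs and the INSERT. In the final else branch `$_domain` is echoed into an `href` attribute unescaped; wrap it with `htmlspecialchars($_domain, ENT_QUOTES, 'UTF-8')`. The `if (!$_url)` block after the email check is unreachable now that the earlier `$_url` presence check dies first, so it can be dropped.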
<?php <?php
//Copyright (c) 2011, David Morley. This file is licensed under the Affero General Public License version 3 or later. See the COPYRIGHT file. //Copyright (c) 2011, David Morley. This file is licensed under the Affero General Public License version 3 or later. See the COPYRIGHT file.
//this is just a single api for a pod for the android app to get data //this is just a single api for a pod for the android app to get data
// Required parameters.
($_url = $_GET['url'] ?? null) || die('no url given');
// Other parameters.
$_format = $_GET['format'] ?? '';
require_once __DIR__ . '/../config.php'; require_once __DIR__ . '/../config.php';
$dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass"); $dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass");
$dbh || die('Error in connection: ' . pg_last_error()); $dbh || die('Error in connection: ' . pg_last_error());
$sql = "SELECT id,domain,status,secure,score,userrating,adminrating,city,state,country,lat,long,ip,ipv6,pingdomurl,monthsmonitored,uptimelast7,responsetimelast7,local_posts,comment_counts,dateCreated,dateUpdated,dateLaststats,hidden FROM pods WHERE domain = $1"; $sql = 'SELECT id,domain,status,secure,score,userrating,adminrating,city,state,country,lat,long,ip,ipv6,pingdomurl,monthsmonitored,uptimelast7,responsetimelast7,local_posts,comment_counts,dateCreated,dateUpdated,dateLaststats,hidden FROM pods WHERE domain = $1';
$result = pg_query_params($dbh, $sql, [$_GET['url']]); $result = pg_query_params($dbh, $sql, [$_url]);
$result || die('Error in SQL query: ' . pg_last_error()); $result || die('Error in SQL query: ' . pg_last_error());
while ($row = pg_fetch_array($result)) { while ($row = pg_fetch_array($result)) {
if ($_GET['format'] === 'json') { if ($_format === 'json') {
echo json_encode($row); echo json_encode($row);
} else { } else {
echo 'Status: ' . $row['status'] . '<br>'; echo 'Status: ' . $row['status'] . '<br>';
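Review bot: The new `$_url` variable holds the value compared against the `domain` column (`WHERE domain = $1`), so the name and the `'no url given'` message describe something other than what the script uses; a comment on the assignment such as `// 'url' is the pod domain to look up, matched against pods.domain` would save the next reader a trip to the query. The JSON branch still echoes the raw `pg_fetch_array` row, which with the default result type carries each column under both its numeric index and its name, so the payload likely duplicates every field; `pg_fetch_assoc($result)` would give the shape a client presumably expects, and a `header('Content-Type: application/json')` before the first echo would complete the branch. The rest of the format dispatch is collapsed on this page.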
<?php <?php
$_GET['domain'] || die('no pod domain given'); // Required parameters.
$_GET['token'] || die('no token given'); ($_domain = $_GET['domain'] ?? null) || die('no pod domain given');
strlen($_GET['token']) > 6 || die('bad token'); ($_token = $_GET['token'] ?? null) || die('no token given');
strlen($_token) > 6 || die('bad token');
$domain = $_GET['domain']; // Other parameters.
$_save = $_GET['save'] ?? '';
$_delete = $_GET['delete'] ?? '';
$_weight = $_GET['weight'] ?? '';
$_email = $_GET['email'] ?? '';
$_oldemail = $_GET['oldemail'] ?? '';
$_pingdomurl = $_GET['pingdomurl'] ?? '';
require_once __DIR__ . '/../config.php'; require_once __DIR__ . '/../config.php';
$dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass"); $dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass");
$dbh || die('Error in connection: ' . pg_last_error()); $dbh || die('Error in connection: ' . pg_last_error());
$sql = "SELECT domain,email,token,tokenexpire,pingdomurl,weight FROM pods WHERE domain = '$domain'"; $sql = 'SELECT domain,email,token,tokenexpire,pingdomurl,weight FROM pods WHERE domain = $1';
$result = pg_query($dbh, $sql); $result = pg_query_params($dbh, $sql, [$_domain]);
$result || die('Error in SQL query: ' . pg_last_error()); $result || die('Error in SQL query: ' . pg_last_error());
while ($row = pg_fetch_array($result)) { while ($row = pg_fetch_array($result)) {
if ($row['token'] <> $_GET['token']) { $row['token'] === $_token || die('token not a match');
die('token not a match'); $row['tokenexpire'] >= date('Y-m-d H:i:s', time()) || die('token expired');
}
if ($row['tokenexpire'] < date('Y-m-d H:i:s', time())) {
die('token expired');
}
//delete pod //delete pod
if ($_GET['delete'] == $row['token']) { if ($_delete === $row['token']) {
$sql = "DELETE FROM pods WHERE domain = $1"; $sql = 'DELETE FROM pods WHERE domain = $1';
$result = pg_query_params($dbh, $sql, [$_GET['domain']]); $result = pg_query_params($dbh, $sql, [$_domain]);
if (!$result) { $result || die('Error in SQL query: ' . pg_last_error());
die('Error in SQL query: ' . pg_last_error());
} else { die('pod removed from DB');
echo 'pod removed from DB';
}
} }
//save and exit //save and exit
if ($_GET['save'] == $row['token']) { if ($_save === $row['token']) {
if ($_GET['weight'] > 10) { $_weight <= 10 || die('10 is max weight');
die('10 is max weight');
} $sql = 'UPDATE pods SET email = $1, pingdomurl = $2, weight = $3 WHERE domain = $4';
$sql = "UPDATE pods SET email=$1, pingdomurl=$2, weight=$3 WHERE domain = $4"; $result = pg_query_params($dbh, $sql, [$_email, $_pingdomurl, $_weight, $_domain]);
$result = pg_query_params($dbh, $sql, [$_GET['email'], $_GET['pingdomurl'], $_GET['weight'], $_GET['domain']]);
if (!$result) { if (!$result) {
die('Error in SQL query: ' . pg_last_error()); die('Error in SQL query: ' . pg_last_error());
} }
$to = $_GET['email']; $to = $_email;
$subject = 'Edit notice from poduptime '; $subject = 'Edit notice from poduptime ';
$message = 'Data for ' . $_GET['domain'] . " Updated. If it was not you reply and let me know! \n\n"; $message = 'Data for ' . $_domain . " Updated. If it was not you reply and let me know! \n\n";
$headers = "From: support@diasp.org\r\nCc:support@diasp.org," . $_GET['oldemail'] . "\r\n"; $headers = "From: support@diasp.org\r\nCc:support@diasp.org," . $_oldemail . "\r\n";
@mail($to, $subject, $message, $headers); @mail($to, $subject, $message, $headers);
pg_free_result($result); pg_free_result($result);
pg_close($dbh); pg_close($dbh);
...@@ -52,12 +54,12 @@ while ($row = pg_fetch_array($result)) { ...@@ -52,12 +54,12 @@ while ($row = pg_fetch_array($result)) {
} }
//form //form
echo 'Authorized to edit <b>' . $domain . '</b> until ' . $row['tokenexpire'] . '<br>'; echo 'Authorized to edit <b>' . $_domain . '</b> until ' . $row['tokenexpire'] . '<br>';
echo '<form action="" method="get">'; echo '<form action="" method="get">';
echo '<input type="hidden" name="oldemail" value="' . $row['email'] . '">'; echo '<input type="hidden" name="oldemail" value="' . $row['email'] . '">';
echo '<input type="hidden" name="save" value="' . $_GET['token'] . '">'; echo '<input type="hidden" name="save" value="' . $_token . '">';
echo '<input type="hidden" name="token" value="' . $_GET['token'] . '">'; echo '<input type="hidden" name="token" value="' . $_token . '">';
echo '<input type="hidden" name="domain" value="' . $_GET['domain'] . '">'; echo '<input type="hidden" name="domain" value="' . $_domain . '">';
echo 'Stats Key <input type="text" size="50" name="pingdomurl" value="' . $row['pingdomurl'] . '"">Uptimerobot API key for this monitor<br>'; echo 'Stats Key <input type="text" size="50" name="pingdomurl" value="' . $row['pingdomurl'] . '"">Uptimerobot API key for this monitor<br>';
echo 'Email <input type="text" size="20" name="email" value="' . $row['email'] . '"><br>'; echo 'Email <input type="text" size="20" name="email" value="' . $row['email'] . '"><br>';
echo 'Weight <input type="text" size="2" name="weight" value="' . $row['weight'] . '"> This lets you weight your pod lower on the list if you have too much trafic coming in, 10 is the norm use lower to move down the list.<br>'; echo 'Weight <input type="text" size="2" name="weight" value="' . $row['weight'] . '"> This lets you weight your pod lower on the list if you have too much trafic coming in, 10 is the norm use lower to move down the list.<br>';
...@@ -65,9 +67,9 @@ while ($row = pg_fetch_array($result)) { ...@@ -65,9 +67,9 @@ while ($row = pg_fetch_array($result)) {
echo '</form><br><br><br>'; echo '</form><br><br><br>';
echo '<form action="" method="get">'; echo '<form action="" method="get">';
echo '<input type="hidden" name="delete" value="' . $_GET['token'] . '">'; echo '<input type="hidden" name="delete" value="' . $_token . '">';
echo '<input type="hidden" name="token" value="' . $_GET['token'] . '">'; echo '<input type="hidden" name="token" value="' . $_token . '">';
echo '<input type="hidden" name="domain" value="' . $_GET['domain'] . '">'; echo '<input type="hidden" name="domain" value="' . $_domain . '">';
echo 'WARNING: This can not be undone, you will need to add your pod again if you want back on list: <input type="submit" name="submit" value="delete">'; echo 'WARNING: This can not be undone, you will need to add your pod again if you want back on list: <input type="submit" name="submit" value="delete">';
echo '</form><br><br><br>'; echo '</form><br><br><br>';
} }
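Review bot: `$row['token'] === $_token || die('token not a match')` and the two `=== $row['token']` checks for `delete` and `save` compare a bearer secret with the ordinary string operator; `hash_equals($row['token'], $_token) || die('token not a match');` gives a constant-time comparison and also rejects a non-string value. `$_oldemail` and `$_email` are taken straight from the query string and written into the `Cc:` header and the `To` argument of `mail()`, so a CR/LF in either injects headers; validate both with `filter_var(..., FILTER_VALIDATE_EMAIL)` before the save branch runs. The edit form echoes `$_token`, `$_domain` and the row's email and pingdomurl into attribute values without `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')`, which is a reflected-XSS path through the `domain` and `token` parameters. The `$_weight <= 10` guard accepts the empty default and non-numeric input unchanged; `ctype_digit($_weight) && $_weight <= 10 || die('10 is max weight');` would pin it to the intended range. When the SELECT returns no row the loop body never runs and the script ends silently, which predates this change.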
<?php <?php
$systemTimeZone = system('date +%Z'); $systemTimeZone = system('date +%Z');
if (!$_POST['domain']) {
die('no pod domain given'); // Required parameters.
} ($_domain = $_POST['domain'] ?? null) || die('no pod domain given');
$domain = $_POST['domain'];
// Other parameters.
$_email = $_POST['email'] ?? '';
require_once __DIR__ . '/../config.php'; require_once __DIR__ . '/../config.php';
$dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass"); $dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass");
$dbh || die('Error in connection: ' . pg_last_error()); $dbh || die('Error in connection: ' . pg_last_error());
$sql = "SELECT email FROM pods WHERE domain = '$domain'"; $sql = 'SELECT email FROM pods WHERE domain = $1';
$result = pg_query($dbh, $sql); $result = pg_query_params($dbh, $sql, [$_domain]);
$result || die('Error in SQL query: ' . pg_last_error()); $result || die('Error in SQL query: ' . pg_last_error());
$rows = pg_num_rows($result); $rows = pg_num_rows($result);
if ($rows <= 0) { $rows > 0 || die('domain not found');
die('domain not found');
}
while ($row = pg_fetch_array($result)) { while ($row = pg_fetch_array($result)) {
if ($_POST['email']) { if ($_email) {
if ($row['email'] <> $_POST['email']) { $row['email'] === $_email || die('email not a match');
die('email not a match');
} $uuid = md5(uniqid($_domain, true));
$uuid = md5(uniqid($domain, true));
$expire = date('Y-m-d H:i:s', time() + 2700); $expire = date('Y-m-d H:i:s', time() + 2700);
$sql = "UPDATE pods SET token=$1, tokenexpire=$2 WHERE domain = '$domain'"; $sql = 'UPDATE pods SET token = $1, tokenexpire = $2 WHERE domain = $3';
$result = pg_query_params($dbh, $sql, [$uuid, $expire]); $result = pg_query_params($dbh, $sql, [$uuid, $expire, $_domain]);
if (!$result) { $result || die('Error in SQL query: ' . pg_last_error());
die('Error in SQL query: ' . pg_last_error());
} $to = $_email;
$to = $_POST['email'];
$subject = 'Temporary edit key for podupti.me'; $subject = 'Temporary edit key for podupti.me';
$message = 'Link: https://podupti.me/db/edit.php?domain=' . $_POST['domain'] . '&token=' . $uuid . ' Expires: ' . $expire . ' ' . $systemTimeZone . "\n\n"; $message = 'Link: https://podupti.me/db/edit.php?domain=' . $_domain . '&token=' . $uuid . ' Expires: ' . $expire . ' ' . $systemTimeZone . "\n\n";
$headers = "From: support@diasp.org\r\nBcc: support@diasp.org\r\n"; $headers = "From: support@diasp.org\r\nBcc: support@diasp.org\r\n";
@mail($to, $subject, $message, $headers); @mail($to, $subject, $message, $headers);
echo 'Link sent to your email'; echo 'Link sent to your email';
} elseif (!$_POST['email']) { } else {
$uuid = md5(uniqid($domain, true)); $uuid = md5(uniqid($_domain, true));
$expire = date('Y-m-d H:i:s', time() + 9700); $expire = date('Y-m-d H:i:s', time() + 9700);
$sql = "UPDATE pods SET token=$1, tokenexpire=$2 WHERE domain = '$domain'"; $sql = 'UPDATE pods SET token = $1, tokenexpire = $2 WHERE domain = $3';
$result = pg_query_params($dbh, $sql, [$uuid, $expire]); $result = pg_query_params($dbh, $sql, [$uuid, $expire, $_domain]);
if (!$result) { $result || die('Error in SQL query: ' . pg_last_error());
die('Error in SQL query: ' . pg_last_error());
}
$to = 'support@diasp.org'; $to = 'support@diasp.org';
$subject = 'FORWARD REQUEST: Temporary edit key for podupti.me'; $subject = 'FORWARD REQUEST: Temporary edit key for podupti.me';
$message = 'User trying to edit pod without email address. Email found: ' . $row['email'] . ' Link: https://podupti.me/db/edit.php?domain=' . $_POST['domain'] . '&token=' . $uuid . ' Expires: ' . $expire . ' ' . $systemTimeZone . "\n\n"; $message = 'User trying to edit pod without email address. Email found: ' . $row['email'] . ' Link: https://podupti.me/db/edit.php?domain=' . $_domain . '&token=' . $uuid . ' Expires: ' . $expire . ' ' . $systemTimeZone . "\n\n";
$headers = "From: support@diasp.org\r\nBcc: support@diasp.org\r\n"; $headers = "From: support@diasp.org\r\nBcc: support@diasp.org\r\n";
@mail($to, $subject, $message, $headers); @mail($to, $subject, $message, $headers);
echo 'Link sent to administrator to review and verify, if approved they will forward the edit key to you.'; echo 'Link sent to administrator to review and verify, if approved they will forward the edit key to you.';
} }
pg_free_result($result); pg_free_result($result);
pg_close($dbh);
} }
pg_close($dbh);
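Review bot: The edit token is derived from `md5(uniqid($_domain, true))` in both branches, which is time-based and not a cryptographically secure source for a secret that authorizes editing and deleting a pod; the commit targets PHP 7, so `$uuid = bin2hex(random_bytes(16));` is available and keeps the existing 32-character shape. `$systemTimeZone = system('date +%Z')` shells out and also prints the command's output into the response before any other output; `date('T')` returns PHP's configured timezone abbreviation without a subprocess. Moving `pg_close($dbh)` inside the while loop closes the connection after the first iteration while the loop condition is still re-evaluated against `$result`, which was reassigned to the already freed UPDATE result; the loop appears to terminate for that reason rather than by design, so keeping the close after the loop reads more honestly.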
<?php <?php
if (!$_POST['domain']) {
die('no pod domain given'); // Required parameters.
} ($_domain = $_POST['domain'] ?? null) || die('no pod domain given');
if (!$_POST['adminkey']) { ($_adminkey = $_POST['adminkey'] ?? null) || die('no token given');
die('no token given'); ($_action = $_POST['action'] ?? null) || die('no action selected');
}
if (!$_POST['action']) { // Other parameters.
die('no action selected'); $_comments = $_POST['comments'] ?? '';
}
$domain = $_POST['domain'];
require_once __DIR__ . '/../config.php'; require_once __DIR__ . '/../config.php';
$dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass"); $dbh = pg_connect("dbname=$pgdb user=$pguser password=$pgpass");
$dbh || die('Error in connection: ' . pg_last_error()); $dbh || die('Error in connection: ' . pg_last_error());
$sql = "SELECT email FROM pods WHERE domain = '$domain'"; $sql = 'SELECT email FROM pods WHERE domain = $1';
$result = pg_query($dbh, $sql); $result = pg_query_params($dbh, $sql, [$_domain]);
$result || die('one Error in SQL query: ' . pg_last_error()); $result || die('one Error in SQL query: ' . pg_last_error());
while ($row = pg_fetch_array($result)) { while ($row = pg_fetch_array($result)) {
if ($adminkey <> $_POST['adminkey']) { $adminkey === $_adminkey || die('admin key fail');
die('admin key fail');
}
//save and exit //save and exit
if ($_POST['action'] == 'delete') { if ($_action === 'delete') {
$sql = "DELETE from pods WHERE domain = $1"; $sql = 'DELETE FROM pods WHERE domain = $1';
$result = pg_query_params($dbh, $sql, [$domain]); $result = pg_query_params($dbh, $sql, [$_domain]);
if (!$result) { $result || die('two Error in SQL query: ' . pg_last_error());
die('two Error in SQL query: ' . pg_last_error());
}
if ($row['email']) { if ($row['email']) {
$to = $row['email']; $to = $row['email'];
$subject = 'Pod deleted from poduptime '; $subject = 'Pod deleted from poduptime ';
$message = 'Pod ' . $_POST['domain'] . ' was deleted from podupti.me as it was dead on the list. ' . $_POST['comments'] . " Feel free to add back at any time. \n\n"; $message = 'Pod ' . $_domain . ' was deleted from podupti.me as it was dead on the list. ' . $_comments . " Feel free to add back at any time. \n\n";
$headers = "From: support@diasp.org\r\nCc:support@diasp.org," . $row['email'] . "\r\n"; $headers = "From: support@diasp.org\r\nCc:support@diasp.org," . $row['email'] . "\r\n";
@mail($to, $subject, $message, $headers); @mail($to, $subject, $message, $headers);
} }
pg_free_result($result); pg_free_result($result);
pg_close($dbh); } elseif ($_action === 'warn') {
} elseif ($_POST['action'] == 'warn') {
if ($row['email']) { if ($row['email']) {
$to = $row['email']; $to = $row['email'];
$subject = 'Pod removal warning from poduptime '; $subject = 'Pod removal warning from poduptime ';
$message = 'Pod ' . $_POST['domain'] . ' is on the list to be deleted now because: ' . $_POST['comments'] . ". \n\n Please let me know if you need help fixing before it is removed. \n\n"; $message = 'Pod ' . $_domain . ' is on the list to be deleted now because: ' . $_comments . ". \n\n Please let me know if you need help fixing before it is removed. \n\n";
$headers = "From: support@diasp.org\r\nCc:support@diasp.org," . $row['email'] . "\r\n"; $headers = "From: support@diasp.org\r\nCc:support@diasp.org," . $row['email'] . "\r\n";
@mail($to, $subject, $message, $headers); @mail($to, $subject, $message, $headers);
} }
} }
echo $result; echo $result;
} }
pg_close($dbh);
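Review bot: The admin key check `$adminkey === $_adminkey || die('admin key fail')` sits inside the while loop, so it only runs when the SELECT found the domain; an unauthenticated request therefore gets a different response for a known versus unknown domain, and nothing authenticates the request at all when no row matches. Move the check to just after the `require_once` (assuming `$adminkey` comes from config.php, which is not visible here) and before the SELECT, and since it guards an administrative secret use `hash_equals($adminkey, $_adminkey) || die('admin key fail');`. `echo $result;` at the end of the loop body prints a result resource rather than a status, and in the delete branch that resource was already freed; an explicit message such as `echo 'ok';` would be clearer. The delete branch still frees `$result` before the loop condition is re-evaluated against it, which predates this change.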