(GPLv2)
or write to the Free Software Foundation, Inc., 51 Franklin Street,
Fifth Floor, Boston, MA 02110-1301, USA.
********************************************************************************/
// Refuse to serve this include as a standalone page: it only works when pulled
// in by index.php (it relies on $dblink, inCode(), validate(), ... from there).
if (stripos(htmlentities($_SERVER['PHP_SELF']), "inc_functions.php") !== false) {
    die(" Error: This file cannot be opened directly! | ");
}
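// Language switch requested via ?newlang=xx. The accepted value is stored in a
// cookie for one year; "reset" removes the cookie so the configured default
// applies again. inCode() and validate() are defined elsewhere in the project.
if (isset($_GET['newlang'])) {
    $newlang = inCode($_GET['newlang']);
    if (validate($newlang)) {
        if ($newlang != "reset") {
            setcookie("language", $newlang, time() + 31536000); // 1 year
        } else {
            setcookie("language", "", time() - 31536000); // expire: -1 year
        }
        header("Location: index.php");
        // Stop here: without exit the rest of the page would still be executed
        // and rendered after the redirect header has been sent.
        exit;
    }
}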
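// Template switch requested via ?newtemplate=name. Same contract as the
// language switch: the accepted value lives in a cookie for one year and
// "reset" removes the cookie. inCode() and validate() are defined elsewhere.
if (isset($_GET['newtemplate'])) {
    $newtemplate = inCode($_GET['newtemplate']);
    if (validate($newtemplate)) {
        if ($newtemplate != "reset") {
            setcookie("template", $newtemplate, time() + 31536000); // 1 year
        } else {
            setcookie("template", "", time() - 31536000); // expire: -1 year
        }
        header("Location: index.php");
        // Stop here: without exit the rest of the page would still be executed
        // and rendered after the redirect header has been sent.
        exit;
    }
}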
// RSS reader: ?changerss=<id> selects which feed link is shown in the block.
// Restricted to authorisation level 3 (isAuth() and $userid come from elsewhere).
// NOTE(review): this is a state change driven by a GET parameter with no CSRF
// token visible here — confirm that isAuth() or the caller covers that.
if (isset($_GET['changerss'])) {
    if (isAuth($userid, 3)) {
        $changerss = (int) $_GET['changerss'];
        // The id is cast to int above, so interpolating it into SQL is safe.
        $dblink->query("UPDATE memht_rssreader_links SET inblock=0");
        $dblink->query("UPDATE memht_rssreader_links SET inblock=1 WHERE id=" . $changerss);
    }
}
//===========================================
//Security
//===========================================
//Query string protection (Unknown author)
// Heuristic blocklist over the raw query string: the request is refused when
// it contains any of these fragments. Matching is case-insensitive (see stc()).
// This is a coarse filter, not a substitute for escaping at the SQL/HTML layer.
if (isset($_SERVER['QUERY_STRING'])) {
    $qS = $_SERVER['QUERY_STRING'];
    // Fragments that are blocked wherever they appear.
    $blockedFragments = array(
        '%20union%20',
        '/*',
        '*/union/*',
        'c2nyaxb0', // base64 of "script", compared case-insensitively
        '+union+',
        'http://',
        'concat',
    );
    // 'www' is not in the list; the original kept that entry commented out.
    $blocked = false;
    foreach ($blockedFragments as $fragment) {
        if (stc($qS, $fragment)) {
            $blocked = true;
            break;
        }
    }
    // "cmd=" is only blocked when the "&cmd" form is absent, and "exec" only
    // when it is not part of "execu...".
    if (!$blocked && stc($qS, 'cmd=') && !stc($qS, '&cmd')) {
        $blocked = true;
    }
    if (!$blocked && stc($qS, 'exec') && !stc($qS, 'execu')) {
        $blocked = true;
    }
    if ($blocked) {
        die("Illegal Operation: Query not allowed. | ");
    }
    // Keep the include's global scope free of the scratch variables.
    unset($blockedFragments, $blocked, $fragment);
}
//Post protection (Unknown author) [MAY BE DISABLED]
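// Post protection: only accept POST requests whose Referer names this host.
// Browsers may omit the Referer, in which case the check is skipped (as before),
// so this is a best-effort measure and not a replacement for a CSRF token.
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == "POST") {
    if (isset($_SERVER['HTTP_REFERER'])) {
        // Compare host names exactly: the previous substring test accepted any
        // foreign Referer that merely contained this host name somewhere in its
        // path or query string. Ports are ignored on both sides.
        $refererHost = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
        $ownHost = isset($_SERVER['HTTP_HOST'])
            ? preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST'])
            : '';
        // An unparsable Referer fails closed.
        if (!is_string($refererHost) || $refererHost === '' || strcasecmp($refererHost, $ownHost) !== 0) {
            die("Illegal Operation: Posting allowed only from main server. | ");
        }
    }
}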
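/**
 * Case-insensitive "string contains" test.
 *
 * Returns true when $needle occurs in $haystack at or after byte $offset.
 * The previous implementation returned the raw strpos() result, so a match at
 * position 0 evaluated as false in the boolean contexts every caller in this
 * file uses (e.g. a query string beginning with "cmd=" slipped past the
 * blocklist above).
 *
 * @param string $haystack
 * @param string $needle
 * @param int    $offset   byte offset at which the search starts
 * @return bool
 */
function stc($haystack, $needle, $offset = 0) {
    return stripos($haystack, $needle, $offset) !== false;
}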
//Initialize configuration and language
// Initialize configuration and language.
// Site-wide settings come from the single memht_config row; the UI language is
// taken from the "language" cookie when present (letters only, everything else
// is stripped), otherwise from the configured default. outCode() is defined elsewhere.
$row_conf = $dblink->get_row("SELECT * FROM memht_config");
if (isset($_COOKIE['language'])) {
    $siteConfig['language'] = preg_replace('/[^a-zA-Z]/', '', $_COOKIE['language']);
} else {
    $siteConfig['language'] = outCode($row_conf['lingua']);
}
//Control if the page name is valid
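// Control if the page name is valid.
// Only [0-9a-zA-Z_-] is accepted; anything else — including a non-string value
// such as ?page[]=x — stops the request. eregi() was removed in PHP 7, so the
// check uses preg_match() with the same character class and fails closed on a
// PCRE error. inCode() is defined elsewhere.
if (isset($_GET['page'])) {
    if (!is_string($_GET['page']) || preg_match('/[^0-9a-zA-Z_-]/', $_GET['page']) !== 0) {
        die("Illegal Operation: Special chars in page name not allowed. | ");
    }
    $page = inCode($_GET['page']);
}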
//Check if there are special chars in the string
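/**
 * Check that a value contains nothing but [0-9a-zA-Z_-].
 *
 * An empty string passes (as with the original pattern); scalars and null are
 * converted to string first, as eregi() did; arrays and objects are rejected.
 * eregi() was removed in PHP 7, so this uses preg_match(); the pattern ends in
 * \z rather than $, so a trailing newline does not slip through, and a PCRE
 * error fails closed.
 *
 * @param mixed $code
 * @return bool
 */
function checkCode($code) {
    if (is_array($code) || is_object($code)) {
        return false;
    }
    return preg_match('/^[0-9a-zA-Z_-]*\z/', (string) $code) === 1;
}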
//Clean special chars and code tags from the string
function cleanCode($str) {
//<>/\?&`~!@#$%^*()[] bool(false)
|