Merge pull request #36 from Sei-Lisa/sei-settings-php-overhaul

Overhaul of settings.php
codeviolet 2017-09-18 21:05:39 +10:00 committed by GitHub
commit ab62e75132
2 changed files with 110 additions and 73 deletions


@ -0,0 +1,14 @@
<?php
$dbhost = 'localhost'; // database host
$dbuser = '?'; // database user
$dbpass = '?'; // database password
$dbname = '?'; // database name
$avpos_table='avpos';
$email_to="you@yourmail.com"; // your email (for error reporting)
$email_from="you@yourhost.com"; // your server's sending email (for error reporting)
$allow_install = false; // enable to allow action=install (clear/format database)
$check_ip = false; // enable to check the sim ip submitting the data is in the allowed range
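Review bot: `$avpos_table='avpos';` is the only setting in this new file without a trailing comment, and it is also the one value that ends up interpolated directly into every query (settings.php wraps it with `IdentSQL()` before use), so a one-line note would save the next person from adding backticks or a schema prefix here and double-quoting it; suggested: `$avpos_table = 'avpos'; // table name only; settings.php backtick-quotes it via IdentSQL(), so no quoting or "db." prefix here`. The other lines use `$name = value; // comment` with spaces around `=`, so matching that form on this line would also make the file consistent.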


@ -29,24 +29,24 @@ header("Content-Type: text/plain; charset=utf-8");
error_reporting(E_ERROR | E_WARNING | E_PARSE);
ini_set('display_errors', '1');
$dbhost = 'localhost'; // database host
$dbuser = '?'; // database user
$dbpass = '?'; // database password
$dbname = '?'; // database name
$avpos_table='avpos';
$email_to="you@yourmail.com"; // your email (for error reporting)
$email_from="you@yourhost.com"; // your server's sending email (for error reporting)
$allow_install = false; // enable to allow action=install (clear/format database)
$check_ip = false; // enable to check the sim ip submitting the data is in the allowed range
require_once("settings-config.inc.php");
$link = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname) or die("Error " . mysqli_error($link));
if (mysqli_connect_errno()) {
die ("Connect failed: " . mysqli_connect_error());
}
// Set the character set for communication with the database
if (!mysqli_set_charset($link, 'utf8mb4')) {
die('Invalid charset: utf8mb4');
}
// Pre-escape $avpos_table for convenience. That's the only variable
// that should go directly into a query. All others should go through
// IntSQL or StrSQL as appropriate.
$avpos_table = IdentSQL($avpos_table);
undo_magic_quotes($_REQUEST);
if($_REQUEST['action']=="install" && $allow_install==true){
$sql = "DROP TABLE IF EXISTS $avpos_table;";
@ -56,11 +56,11 @@ if($_REQUEST['action']=="install" && $allow_install==true){
`webkey` varchar(36) default NULL,
`owner_uuid` varchar(36) default NULL,
`owner_name` varchar(63) default NULL,
`text` TEXT default NULL,
`text` TEXT CHARSET utf8mb4 default NULL,
`keep` tinyint(1) default 0,
`count` int(5) default NULL,
`ip` varbinary(16) default NULL,
`timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
`timestamp` datetime NOT NULL,
PRIMARY KEY (`id`),
UNIQUE (`webkey`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;";
@ -73,40 +73,49 @@ if($_REQUEST['action']=="install" && $allow_install==true){
}
}
else if(isset($_REQUEST['w'])){ // write to a record
$given_webkey = mysqli_real_escape_string($link, $_REQUEST['w']);
$given_webkey = $_REQUEST['w'];
$ip_address = $_SERVER['REMOTE_ADDR'];
$ip_packed = mysqli_real_escape_string($link, inet_pton($ip_address));
$ip_packed = inet_pton($ip_address);
if(!isValidGuid($given_webkey)){
echo "INVALID WEBKEY";
}
else{
$headers = parse_llHTTPRequest_headers();
$owner_key = mysqli_real_escape_string($link, $headers['X-SecondLife-Owner-Key']);
$object_name = mysqli_real_escape_string($link, $headers['X-SecondLife-Object-Name']);
$owner_name = mysqli_real_escape_string($link, $headers['X-SecondLife-Owner-Name']);
$object_key = mysqli_real_escape_string($link, $headers['X-SecondLife-Object-Key']);
$region = mysqli_real_escape_string($link, trim(substr($headers['X-SecondLife-Region'],0,strrpos($headers['X-SecondLife-Region'],'('))));
$position_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_POSITION'],1,-1));
$slurl = $region . "/" . round($position_array[0]) . "/" . round($position_array[1]) . "/" . round($position_array[2]);
$owner_key = $_SERVER['HTTP_X_SECONDLIFE_OWNER_KEY'];
//$object_name = $_SERVER['HTTP_X_SECONDLIFE_OBJECT_NAME'];
$owner_name = $_SERVER['HTTP_X_SECONDLIFE_OWNER_NAME'];
//$object_key = $_SERVER['HTTP_X_SECONDLIFE_OBJECT_KEY'];
//$region = trim(substr($_SERVER['HTTP_X_SECONDLIFE_REGION'],0,strrpos($_SERVER['HTTP_X_SECONDLIFE_REGION'],'(')));
//$position_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_POSITION'],1,-1));
//$slurl = rawurlencode($region) . "/" . round($position_array[0]) . "/" . round($position_array[1]) . "/" . round($position_array[2]);
if(!isValidGuid($owner_key)){
echo "INVALID USER";
}
else{
$given_count = intval($_REQUEST['c']);
$given_text = mysqli_real_escape_string($link, $_REQUEST['t']);
$given_text = $_REQUEST['t'];
$sql = "SELECT * FROM $avpos_table WHERE webkey = '$given_webkey'";
$sql = "SELECT * FROM $avpos_table"
. ' WHERE webkey = ' . StrSQL($given_webkey);
$result = mysqli_query($link,$sql) or email_death("ERR01: " . mysqli_error($link));
if(mysqli_num_rows($result) == 0){ // a new webkey
if($given_count == 1){
if(!isAllowedIP($ip_address)){
$response = "BAD IP";
$sql = "INSERT INTO $avpos_table (owner_uuid,owner_name,webkey,text,count,ip,timestamp)
VALUES ('$owner_key','$owner_name','$given_webkey','The IP address of the sim ($ip_address) was not in the allowed range. Please report the problem if you think this is in error.','10001','$ip_packed',NOW())";
$sql = "INSERT INTO $avpos_table"
. ' (owner_uuid,owner_name,webkey,text,count,ip,timestamp)'
. ' VALUES '
. '(' . StrSQL($owner_key)
. ',' . StrSQL($owner_name)
. ',' . StrSQL($given_webkey)
. ',' . StrSQL("The IP address of the sim ($ip_address) was not in the allowed range. Please report the problem if you think this is in error")
. ',10001'
. ',' . StrSQL($ip_packed)
. ',NOW()'
. ')';
}
else{
$response = "ADDED NEW";
@ -114,8 +123,17 @@ else if(isset($_REQUEST['w'])){ // write to a record
$given_count+=10000;
$response = "FINISHING";
}
$sql = "INSERT INTO $avpos_table (owner_uuid,owner_name,webkey,text,count,ip,timestamp)
VALUES ('$owner_key','$owner_name','$given_webkey','$given_text','$given_count','$ip_packed',NOW())";
$sql = "INSERT INTO $avpos_table"
. ' (owner_uuid,owner_name,webkey,text,count,ip,timestamp)'
. ' VALUES '
. '(' . StrSQL($owner_key)
. ',' . StrSQL($owner_name)
. ',' . StrSQL($given_webkey)
. ',' . StrSQL($given_text)
. ',' . IntSQL($given_count)
. ',' . StrSQL($ip_packed)
. ',NOW()'
. ')';
}
$result = mysqli_query($link,$sql) or email_death("ERR02: " . mysqli_error($link));
}
@ -129,7 +147,7 @@ else if(isset($_REQUEST['w'])){ // write to a record
}
else{
$row = mysqli_fetch_assoc($result);
$newtext = mysqli_real_escape_string($link,$row['text']) . $given_text;
$newtext = $row['text'] . $given_text;
if($row['count']+1 == $given_count){
$response = "ADDING";
@ -138,11 +156,11 @@ else if(isset($_REQUEST['w'])){ // write to a record
$response = "FINISHING";
}
$sql = "UPDATE $avpos_table SET
text = '$newtext',
count = '$given_count',
timestamp = NOW()
WHERE webkey = '$given_webkey'";
$sql = "UPDATE $avpos_table"
. ' SET text = ' . StrSQL($newtext)
. ', count = ' . IntSQL($given_count)
. ', timestamp = NOW()'
. ' WHERE webkey = ' . StrSQL($given_webkey);
$result = mysqli_query($link,$sql) or email_death("ERR03: " . mysqli_error($link));
}
@ -157,8 +175,9 @@ else if(isset($_REQUEST['w'])){ // write to a record
}
else if(isset($_REQUEST['q'])){ // read a record
$given_webkey = mysqli_real_escape_string($link, $_REQUEST['q']);
$sql = "SELECT * FROM $avpos_table WHERE webkey = '$given_webkey'";
$given_webkey = $_REQUEST['q'];
$sql = "SELECT * FROM $avpos_table"
. ' WHERE webkey = ' . StrSQL($given_webkey);
$result = mysqli_query($link,$sql) or email_death("ERR04: " . mysqli_error($link));
if(mysqli_num_rows($result) == 0){
@ -170,14 +189,16 @@ else if(isset($_REQUEST['q'])){ // read a record
$out.= $row['text'];
if(1==2){ // switch on to 'keep' any record that ever was accessed
$sql = "UPDATE $avpos_table SET
keep = '1'
WHERE webkey = '$given_webkey'";
$sql = "UPDATE $avpos_table"
. ' SET keep = 1'
. ' WHERE webkey = ' . StrSQL($given_webkey);
$result = mysqli_query($link,$sql) or email_death("ERR05: " . mysqli_error($link));
}
// delete all entries older than 10 minutes that are not flagged keep
$sql = "DELETE FROM $avpos_table WHERE timestamp < DATE_SUB(NOW(), INTERVAL 10 MINUTE) AND keep = '0'";
$sql = "DELETE FROM $avpos_table"
. ' WHERE timestamp < DATE_SUB(NOW(), INTERVAL 10 MINUTE)'
. ' AND keep = 0';
$result = mysqli_query($link,$sql) or email_death("ERR06: " . mysqli_error($link));
}
@ -187,43 +208,47 @@ else if(isset($_REQUEST['q'])){ // read a record
}
echo $out;
}
else{
header('HTTP/1.0 400 Bad Request');
die("400 Bad Request: No valid action specified.");
}
function parse_llHTTPRequest_headers(){
$position_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_POSITION'],1,-1));
$rotation_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_ROTATION'],1,-1));
$velocity_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_VELOCITY'],1,-1));
list($global_x,$global_y) = explode(',',trim(substr($_SERVER['HTTP_X_SECONDLIFE_REGION'],$position_of_left_bracket + 1,-1)));
$region_array = array($region_name,(integer)$global_x,(integer)$global_y);
$headers = array('Accept'=>$_SERVER['HTTP_ACCEPT'],
'User-Agent'=>$_SERVER['HTTP_USER_AGENT'],
'X-SecondLife-Shard'=>$_SERVER['HTTP_X_SECONDLIFE_SHARD'],
'X-SecondLife-Object-Name'=>$_SERVER['HTTP_X_SECONDLIFE_OBJECT_NAME'],
'X-SecondLife-Object-Key'=>$_SERVER['HTTP_X_SECONDLIFE_OBJECT_KEY'],
'X-SecondLife-Region'=>$_SERVER['HTTP_X_SECONDLIFE_REGION'],
'X-SecondLife-Region-Array'=> $region_array,
'X-SecondLife-Local-Position'=>array( 'x'=>(float)$position_array[0],'y'=>(float)$position_array[1],'z'=>(float)$position_array[2]),
'X-SecondLife-Local-Rotation'=>array( 'x'=>(float)$rotation_array[0],'y'=>(float)$rotation_array[1],'z'=>(float)$rotation_array[2],'w'=>(float)$rotation_array[3]),
'X-SecondLife-Local-Velocity'=>array( 'x'=>(float)$velocity_array[0],'y'=>(float)$velocity_array[1],'z'=>(float)$velocity_array[2]),
'X-SecondLife-Owner-Name'=>$_SERVER['HTTP_X_SECONDLIFE_OWNER_NAME'],
'X-SecondLife-Owner-Key'=>$_SERVER['HTTP_X_SECONDLIFE_OWNER_KEY']
);
if(!strstr($headers['X-SecondLife-Owner-Name'],' ') && $_POST['X-SecondLife-Owner-Name']){
$headers['X-SecondLife-Owner-Name'] == $_POST['X-SecondLife-Owner-Name'];
}
if(is_array($headers)){
return $headers;
}
else{
return FALSE;
function undo_magic_quotes(&$var)
{
// Does anyone still use these? Probably not but just in case.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
// This doesn't remove the slashes in the keys, but that doesn't matter for us.
foreach ($var as $k => &$v)
{
if (is_array($v))
undo_magic_quotes($v);
else
$v = stripslashes($v);
}
}
}
function IdentSQL($str){
return '`' . str_replace('`', '``', $str) . '`';
}
function StrSQL($str){
if ($str === null)
return "NULL";
return "'" . mysqli_real_escape_string($GLOBALS['link'], strval($str)) . "'";
}
function IntSQL($int){
return strval(intval($int));
}
function isValidGuid($guid){
return !empty($guid) && preg_match('/^\{?[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}\}?$/', $guid);
return !empty($guid) && preg_match('/^\{?[a-zA-Z0-9]{8}(?:-[a-zA-Z0-9]{4}){4}[a-zA-Z0-9]{8}\}?$/', $guid);
}
function email_death($error){
$body.="\n";
$body="\n";
$body.="\n\$_SERVER\n";
foreach($_SERVER as $key_name => $key_value) {
$body.= $key_name . " = " . $key_value . "\n";
@ -281,5 +306,3 @@ function ip_in_range( $ip, $range ) {
$netmask_decimal = ~ $wildcard_decimal;
return ( ( $ip_decimal & $netmask_decimal ) == ( $range_decimal & $netmask_decimal ) );
}
?>
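Review bot: The `ip` column is `varbinary(16)`, yet both INSERTs (the "BAD IP" branch in this section's `-73,40 +73,49` hunk and the "ADDED NEW" branch in the following hunk) pass the raw `inet_pton()` bytes through `StrSQL()`, which produces a quoted string literal in the utf8mb4 connection charset; packed addresses are generally not valid UTF-8 (constructed example: `192.168.1.1` packs to bytes `C0 A8 01 01`, an overlong sequence), so MySQL may reject the statement as an invalid character string and the write ends in `email_death("ERR02: ...")`, and when `inet_pton()` returns `false` the value stored becomes `''` rather than NULL. A hex literal sidesteps charset handling entirely: replace `. ',' . StrSQL($ip_packed)` on both lines with `. ',' . ($ip_packed === false ? 'NULL' : '0x' . bin2hex($ip_packed))`. Separately, the rewritten `isValidGuid()` regex keeps `$` as its end anchor, which also matches before a trailing newline, so a key such as `"<uuid>\n"` validates and is stored verbatim through `StrSQL()`; ending the pattern with `\}?\z/` (or adding the `D` modifier) closes that, and `[0-9a-fA-F]` would be the tighter class if webkeys are always hex UUIDs. `StrSQL()` reaching for `$GLOBALS['link']` is a style point worth a follow-up: taking `$link` as a parameter keeps the helper usable from any scope and makes the dependency visible at call sites.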