Merge pull request #36 from Sei-Lisa/sei-settings-php-overhaul

Overhaul of settings.php
codeviolet 2017-09-18 21:05:39 +10:00 committed by GitHub
commit ab62e75132
2 changed files with 110 additions and 73 deletions


@ -0,0 +1,14 @@
<?php
$dbhost = 'localhost'; // database host
$dbuser = '?'; // database user
$dbpass = '?'; // database password
$dbname = '?'; // database name
$avpos_table='avpos';
$email_to="you@yourmail.com"; // your email (for error reporting)
$email_from="you@yourhost.com"; // your server's sending email (for error reporting)
$allow_install = false; // enable to allow action=install (clear/format database)
$check_ip = false; // enable to check the sim ip submitting the data is in the allowed range
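Review bot: The new include file carries the database credentials (`$dbuser`, `$dbpass`, `$dbname`) as `'?'` placeholders in a tracked file, so the first deployment edits that file in place and the filled-in secret is one commit away from the repository history; I would commit this as a `.sample`/`.dist` template, list the real file in `.gitignore`, and say so in a header comment such as `// Copy this file, fill in the credentials, and keep the filled-in copy out of version control`. Judging by the `require_once("settings-config.inc.php")` added to settings.php this appears to be that file, though the page does not show its name. The comment on `$allow_install` names the action but not the consequence of leaving it on after setup, which settings.php shows is a `DROP TABLE` on any request carrying `action=install`; `// leave false after installing: action=install drops and recreates the table` makes that explicit on the line.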


@ -29,24 +29,24 @@ header("Content-Type: text/plain; charset=utf-8");
error_reporting(E_ERROR | E_WARNING | E_PARSE); error_reporting(E_ERROR | E_WARNING | E_PARSE);
ini_set('display_errors', '1'); ini_set('display_errors', '1');
$dbhost = 'localhost'; // database host require_once("settings-config.inc.php");
$dbuser = '?'; // database user
$dbpass = '?'; // database password
$dbname = '?'; // database name
$avpos_table='avpos';
$email_to="you@yourmail.com"; // your email (for error reporting)
$email_from="you@yourhost.com"; // your server's sending email (for error reporting)
$allow_install = false; // enable to allow action=install (clear/format database)
$check_ip = false; // enable to check the sim ip submitting the data is in the allowed range
$link = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname) or die("Error " . mysqli_error($link)); $link = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname) or die("Error " . mysqli_error($link));
if (mysqli_connect_errno()) { if (mysqli_connect_errno()) {
die ("Connect failed: " . mysqli_connect_error()); die ("Connect failed: " . mysqli_connect_error());
} }
// Set the character set for communication with the database
if (!mysqli_set_charset($link, 'utf8mb4')) {
die('Invalid charset: utf8mb4');
}
// Pre-escape $avpos_table for convenience. That's the only variable
// that should go directly into a query. All others should go through
// IntSQL or StrSQL as appropriate.
$avpos_table = IdentSQL($avpos_table);
undo_magic_quotes($_REQUEST);
if($_REQUEST['action']=="install" && $allow_install==true){ if($_REQUEST['action']=="install" && $allow_install==true){
$sql = "DROP TABLE IF EXISTS $avpos_table;"; $sql = "DROP TABLE IF EXISTS $avpos_table;";
@ -56,11 +56,11 @@ if($_REQUEST['action']=="install" && $allow_install==true){
`webkey` varchar(36) default NULL, `webkey` varchar(36) default NULL,
`owner_uuid` varchar(36) default NULL, `owner_uuid` varchar(36) default NULL,
`owner_name` varchar(63) default NULL, `owner_name` varchar(63) default NULL,
`text` TEXT default NULL, `text` TEXT CHARSET utf8mb4 default NULL,
`keep` tinyint(1) default 0, `keep` tinyint(1) default 0,
`count` int(5) default NULL, `count` int(5) default NULL,
`ip` varbinary(16) default NULL, `ip` varbinary(16) default NULL,
`timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, `timestamp` datetime NOT NULL,
PRIMARY KEY (`id`), PRIMARY KEY (`id`),
UNIQUE (`webkey`) UNIQUE (`webkey`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;"; ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;";
@ -73,40 +73,49 @@ if($_REQUEST['action']=="install" && $allow_install==true){
} }
} }
else if(isset($_REQUEST['w'])){ // write to a record else if(isset($_REQUEST['w'])){ // write to a record
$given_webkey = mysqli_real_escape_string($link, $_REQUEST['w']); $given_webkey = $_REQUEST['w'];
$ip_address = $_SERVER['REMOTE_ADDR']; $ip_address = $_SERVER['REMOTE_ADDR'];
$ip_packed = mysqli_real_escape_string($link, inet_pton($ip_address)); $ip_packed = inet_pton($ip_address);
if(!isValidGuid($given_webkey)){ if(!isValidGuid($given_webkey)){
echo "INVALID WEBKEY"; echo "INVALID WEBKEY";
} }
else{ else{
$headers = parse_llHTTPRequest_headers(); $owner_key = $_SERVER['HTTP_X_SECONDLIFE_OWNER_KEY'];
$owner_key = mysqli_real_escape_string($link, $headers['X-SecondLife-Owner-Key']); //$object_name = $_SERVER['HTTP_X_SECONDLIFE_OBJECT_NAME'];
$object_name = mysqli_real_escape_string($link, $headers['X-SecondLife-Object-Name']); $owner_name = $_SERVER['HTTP_X_SECONDLIFE_OWNER_NAME'];
$owner_name = mysqli_real_escape_string($link, $headers['X-SecondLife-Owner-Name']); //$object_key = $_SERVER['HTTP_X_SECONDLIFE_OBJECT_KEY'];
$object_key = mysqli_real_escape_string($link, $headers['X-SecondLife-Object-Key']); //$region = trim(substr($_SERVER['HTTP_X_SECONDLIFE_REGION'],0,strrpos($_SERVER['HTTP_X_SECONDLIFE_REGION'],'(')));
$region = mysqli_real_escape_string($link, trim(substr($headers['X-SecondLife-Region'],0,strrpos($headers['X-SecondLife-Region'],'(')))); //$position_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_POSITION'],1,-1));
$position_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_POSITION'],1,-1)); //$slurl = rawurlencode($region) . "/" . round($position_array[0]) . "/" . round($position_array[1]) . "/" . round($position_array[2]);
$slurl = $region . "/" . round($position_array[0]) . "/" . round($position_array[1]) . "/" . round($position_array[2]);
if(!isValidGuid($owner_key)){ if(!isValidGuid($owner_key)){
echo "INVALID USER"; echo "INVALID USER";
} }
else{ else{
$given_count = intval($_REQUEST['c']); $given_count = intval($_REQUEST['c']);
$given_text = mysqli_real_escape_string($link, $_REQUEST['t']); $given_text = $_REQUEST['t'];
$sql = "SELECT * FROM $avpos_table WHERE webkey = '$given_webkey'"; $sql = "SELECT * FROM $avpos_table"
. ' WHERE webkey = ' . StrSQL($given_webkey);
$result = mysqli_query($link,$sql) or email_death("ERR01: " . mysqli_error($link)); $result = mysqli_query($link,$sql) or email_death("ERR01: " . mysqli_error($link));
if(mysqli_num_rows($result) == 0){ // a new webkey if(mysqli_num_rows($result) == 0){ // a new webkey
if($given_count == 1){ if($given_count == 1){
if(!isAllowedIP($ip_address)){ if(!isAllowedIP($ip_address)){
$response = "BAD IP"; $response = "BAD IP";
$sql = "INSERT INTO $avpos_table (owner_uuid,owner_name,webkey,text,count,ip,timestamp) $sql = "INSERT INTO $avpos_table"
VALUES ('$owner_key','$owner_name','$given_webkey','The IP address of the sim ($ip_address) was not in the allowed range. Please report the problem if you think this is in error.','10001','$ip_packed',NOW())"; . ' (owner_uuid,owner_name,webkey,text,count,ip,timestamp)'
. ' VALUES '
. '(' . StrSQL($owner_key)
. ',' . StrSQL($owner_name)
. ',' . StrSQL($given_webkey)
. ',' . StrSQL("The IP address of the sim ($ip_address) was not in the allowed range. Please report the problem if you think this is in error")
. ',10001'
. ',' . StrSQL($ip_packed)
. ',NOW()'
. ')';
} }
else{ else{
$response = "ADDED NEW"; $response = "ADDED NEW";
@ -114,8 +123,17 @@ else if(isset($_REQUEST['w'])){ // write to a record
$given_count+=10000; $given_count+=10000;
$response = "FINISHING"; $response = "FINISHING";
} }
$sql = "INSERT INTO $avpos_table (owner_uuid,owner_name,webkey,text,count,ip,timestamp) $sql = "INSERT INTO $avpos_table"
VALUES ('$owner_key','$owner_name','$given_webkey','$given_text','$given_count','$ip_packed',NOW())"; . ' (owner_uuid,owner_name,webkey,text,count,ip,timestamp)'
. ' VALUES '
. '(' . StrSQL($owner_key)
. ',' . StrSQL($owner_name)
. ',' . StrSQL($given_webkey)
. ',' . StrSQL($given_text)
. ',' . IntSQL($given_count)
. ',' . StrSQL($ip_packed)
. ',NOW()'
. ')';
} }
$result = mysqli_query($link,$sql) or email_death("ERR02: " . mysqli_error($link)); $result = mysqli_query($link,$sql) or email_death("ERR02: " . mysqli_error($link));
} }
@ -129,7 +147,7 @@ else if(isset($_REQUEST['w'])){ // write to a record
} }
else{ else{
$row = mysqli_fetch_assoc($result); $row = mysqli_fetch_assoc($result);
$newtext = mysqli_real_escape_string($link,$row['text']) . $given_text; $newtext = $row['text'] . $given_text;
if($row['count']+1 == $given_count){ if($row['count']+1 == $given_count){
$response = "ADDING"; $response = "ADDING";
@ -138,11 +156,11 @@ else if(isset($_REQUEST['w'])){ // write to a record
$response = "FINISHING"; $response = "FINISHING";
} }
$sql = "UPDATE $avpos_table SET $sql = "UPDATE $avpos_table"
text = '$newtext', . ' SET text = ' . StrSQL($newtext)
count = '$given_count', . ', count = ' . IntSQL($given_count)
timestamp = NOW() . ', timestamp = NOW()'
WHERE webkey = '$given_webkey'"; . ' WHERE webkey = ' . StrSQL($given_webkey);
$result = mysqli_query($link,$sql) or email_death("ERR03: " . mysqli_error($link)); $result = mysqli_query($link,$sql) or email_death("ERR03: " . mysqli_error($link));
} }
@ -157,8 +175,9 @@ else if(isset($_REQUEST['w'])){ // write to a record
} }
else if(isset($_REQUEST['q'])){ // read a record else if(isset($_REQUEST['q'])){ // read a record
$given_webkey = mysqli_real_escape_string($link, $_REQUEST['q']); $given_webkey = $_REQUEST['q'];
$sql = "SELECT * FROM $avpos_table WHERE webkey = '$given_webkey'"; $sql = "SELECT * FROM $avpos_table"
. ' WHERE webkey = ' . StrSQL($given_webkey);
$result = mysqli_query($link,$sql) or email_death("ERR04: " . mysqli_error($link)); $result = mysqli_query($link,$sql) or email_death("ERR04: " . mysqli_error($link));
if(mysqli_num_rows($result) == 0){ if(mysqli_num_rows($result) == 0){
@ -170,14 +189,16 @@ else if(isset($_REQUEST['q'])){ // read a record
$out.= $row['text']; $out.= $row['text'];
if(1==2){ // switch on to 'keep' any record that ever was accessed if(1==2){ // switch on to 'keep' any record that ever was accessed
$sql = "UPDATE $avpos_table SET $sql = "UPDATE $avpos_table"
keep = '1' . ' SET keep = 1'
WHERE webkey = '$given_webkey'"; . ' WHERE webkey = ' . StrSQL($given_webkey);
$result = mysqli_query($link,$sql) or email_death("ERR05: " . mysqli_error($link)); $result = mysqli_query($link,$sql) or email_death("ERR05: " . mysqli_error($link));
} }
// delete all entries older than 10 minutes that are not flagged keep // delete all entries older than 10 minutes that are not flagged keep
$sql = "DELETE FROM $avpos_table WHERE timestamp < DATE_SUB(NOW(), INTERVAL 10 MINUTE) AND keep = '0'"; $sql = "DELETE FROM $avpos_table"
. ' WHERE timestamp < DATE_SUB(NOW(), INTERVAL 10 MINUTE)'
. ' AND keep = 0';
$result = mysqli_query($link,$sql) or email_death("ERR06: " . mysqli_error($link)); $result = mysqli_query($link,$sql) or email_death("ERR06: " . mysqli_error($link));
} }
@ -187,43 +208,47 @@ else if(isset($_REQUEST['q'])){ // read a record
} }
echo $out; echo $out;
} }
else{
header('HTTP/1.0 400 Bad Request');
die("400 Bad Request: No valid action specified.");
}
function parse_llHTTPRequest_headers(){ function undo_magic_quotes(&$var)
$position_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_POSITION'],1,-1)); {
$rotation_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_ROTATION'],1,-1)); // Does anyone still use these? Probably not but just in case.
$velocity_array = explode(', ',substr($_SERVER['HTTP_X_SECONDLIFE_LOCAL_VELOCITY'],1,-1)); if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
list($global_x,$global_y) = explode(',',trim(substr($_SERVER['HTTP_X_SECONDLIFE_REGION'],$position_of_left_bracket + 1,-1))); {
$region_array = array($region_name,(integer)$global_x,(integer)$global_y); // This doesn't remove the slashes in the keys, but that doesn't matter for us.
$headers = array('Accept'=>$_SERVER['HTTP_ACCEPT'], foreach ($var as $k => &$v)
'User-Agent'=>$_SERVER['HTTP_USER_AGENT'], {
'X-SecondLife-Shard'=>$_SERVER['HTTP_X_SECONDLIFE_SHARD'], if (is_array($v))
'X-SecondLife-Object-Name'=>$_SERVER['HTTP_X_SECONDLIFE_OBJECT_NAME'], undo_magic_quotes($v);
'X-SecondLife-Object-Key'=>$_SERVER['HTTP_X_SECONDLIFE_OBJECT_KEY'], else
'X-SecondLife-Region'=>$_SERVER['HTTP_X_SECONDLIFE_REGION'], $v = stripslashes($v);
'X-SecondLife-Region-Array'=> $region_array, }
'X-SecondLife-Local-Position'=>array( 'x'=>(float)$position_array[0],'y'=>(float)$position_array[1],'z'=>(float)$position_array[2]),
'X-SecondLife-Local-Rotation'=>array( 'x'=>(float)$rotation_array[0],'y'=>(float)$rotation_array[1],'z'=>(float)$rotation_array[2],'w'=>(float)$rotation_array[3]),
'X-SecondLife-Local-Velocity'=>array( 'x'=>(float)$velocity_array[0],'y'=>(float)$velocity_array[1],'z'=>(float)$velocity_array[2]),
'X-SecondLife-Owner-Name'=>$_SERVER['HTTP_X_SECONDLIFE_OWNER_NAME'],
'X-SecondLife-Owner-Key'=>$_SERVER['HTTP_X_SECONDLIFE_OWNER_KEY']
);
if(!strstr($headers['X-SecondLife-Owner-Name'],' ') && $_POST['X-SecondLife-Owner-Name']){
$headers['X-SecondLife-Owner-Name'] == $_POST['X-SecondLife-Owner-Name'];
}
if(is_array($headers)){
return $headers;
}
else{
return FALSE;
} }
} }
function IdentSQL($str){
return '`' . str_replace('`', '``', $str) . '`';
}
function StrSQL($str){
if ($str === null)
return "NULL";
return "'" . mysqli_real_escape_string($GLOBALS['link'], strval($str)) . "'";
}
function IntSQL($int){
return strval(intval($int));
}
function isValidGuid($guid){ function isValidGuid($guid){
return !empty($guid) && preg_match('/^\{?[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}\}?$/', $guid); return !empty($guid) && preg_match('/^\{?[a-zA-Z0-9]{8}(?:-[a-zA-Z0-9]{4}){4}[a-zA-Z0-9]{8}\}?$/', $guid);
} }
function email_death($error){ function email_death($error){
$body.="\n"; $body="\n";
$body.="\n\$_SERVER\n"; $body.="\n\$_SERVER\n";
foreach($_SERVER as $key_name => $key_value) { foreach($_SERVER as $key_name => $key_value) {
$body.= $key_name . " = " . $key_value . "\n"; $body.= $key_name . " = " . $key_value . "\n";
@ -281,5 +306,3 @@ function ip_in_range( $ip, $range ) {
$netmask_decimal = ~ $wildcard_decimal; $netmask_decimal = ~ $wildcard_decimal;
return ( ( $ip_decimal & $netmask_decimal ) == ( $range_decimal & $netmask_decimal ) ); return ( ( $ip_decimal & $netmask_decimal ) == ( $range_decimal & $netmask_decimal ) );
} }
?>
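Review bot: `StrSQL($ip_packed)` in the BAD IP insert of the `@ -73,40` hunk, and again in the normal insert of the `@ -114,8` hunk, passes the raw `inet_pton()` bytes through `mysqli_real_escape_string` and wraps them in a quoted literal, while the same commit switches the connection to `utf8mb4`; as far as I recall MySQL parses quoted literals in the connection charset, so the non-UTF-8 byte sequences most packed addresses contain (a constructed IPv4 such as 192.168.0.1 packs to `C0 A8 00 01`) may be rejected as an invalid utf8mb4 string or altered on the way into the `varbinary(16)` column, something the previous default connection charset did not do. A hex literal sidesteps the charset entirely: `. ',' . "X'" . bin2hex($ip_packed) . "'"` at both call sites, or a small `BinSQL()` helper next to `StrSQL()` that does the same. `inet_pton()` returns `false` for an address it cannot parse and `StrSQL(false)` currently yields `''`, so that helper should treat `false` explicitly (NULL or a refused write) rather than storing an empty value. The enclosing `else if(isset($_REQUEST['w']))` branch begins before the hunk, and `StrSQL` reaching for `$GLOBALS['link']` is a style point worth a `// uses the global connection opened at the top of settings.php` comment if it stays that way.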