$v) { ++$num_get_args; } if ( $num_get_args !== 2 ){ # they are trying to GET on a POST request naughty("638709cc1d7f107c024eb2a663675e8c num_get_args $num_get_args"); } if ( empty($_GET["key"]) or empty($_GET["action"]) ) { naughty("991ce46448d64b90bc8a837b58b7ad20 missing key"); } if ( empty($_GET["key"]) or strlen($_GET["key"]) !== 45 ) { naughty("c9e5ea8d870dda8db08bc570cbed7f84 wrong key length"); } if ( !empty($_GET["key"]) and isset( $_GET['key'] ) and strlen( $_GET['key'] ) === 45 and strlen( htmlspecialchars( stripslashes( strip_tags( $_GET['key'] ) ) ) ) === 45 and ctype_xdigit( $_GET['key'] ) ) { $key = htmlspecialchars( stripslashes( strip_tags( $_GET['key'] ) ) ); } else { naughty("868d9cc49b2f1e4a9319a8e8755d6189 wrong key type"); } if ( !in_array($_GET["action"], array('approve','delete','block'), true ) ) { naughty("c0ca62c918f9bb0ab72da0cdf2f2e8df wrong action"); } else { $action = $_GET["action"]; } $comment_directory = "/home/hpr/comments"; if ( ! file_exists( $comment_directory ) ) { # Looks like the comments directory has not been created naughty("0fdffa1dbe94e0730cef457be93ebf40 cant find comment directory"); } $files = glob( "${comment_directory}/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z_*_${key}.json" ); if (count($files) === 0) { naughty("3efef2971727905064855d7866cb0059 cant find comment file - has the comment already been processed ?"); } else { $file = $files[0]; } list($begin, $file_ip, $end) = explode('_', $file); if ( ! filter_var($file_ip, FILTER_VALIDATE_IP) ) { naughty("70ebe39c92b393c288e41a4d3128b5da not a valid file format"); } if ( $action === 'block' ) { file_put_contents($naughtyfile, date('Y-m-d\TH:i:s\Z') . "\t${file_ip}\tReported as comment spammer\t${key}\n", FILE_APPEND | LOCK_EX ); unlink( "${file}" ); http_response_code(201); exit; } if ( $action === 'delete' ) { unlink( "${file}" ); http_response_code(202); exit; } if ( $action === 'approve' ) { $comment = file_get_contents("$file"); $json = json_decode($comment, true); if ( empty($json["comment_author_name"]) or strlen($json["comment_author_name"]) > 40 ) { naughty("15f377e657196bb8192ec11755b0ca75 empty comment_author_name"); } $comment_author_name = $json["comment_author_name"]; if ( empty($json["comment_title"]) or strlen($json["comment_title"]) > 100) { naughty("ce604e6bf3c1e0aa0ec7ab78ae07e6cb empty comment_title"); } $comment_title = $json["comment_title"]; if ( empty($json["comment_text"]) or strlen($json["comment_text"]) > 2000 ) { naughty("d4101542e2d0264c0cdb8ac4bdf6bf09 empty comment_text"); } $comment_text = $json["comment_text"]; if ( empty($json["justification"]) or strlen($json["justification"]) > 200 or strlen($json["justification"]) < 20 ) { naughty("f87785f8eda5d75de8cb08c386c66c56 empty justification"); } $justification = $json["justification"]; if ( empty($json["key"]) ) { naughty("f87785f8eda5d75de8cb08c386c66c56 empty key"); } if ( $key !== $json["key"] ) { naughty("9d7f5e1a7a075a925ed1231decc16965 provided key is not matching json key"); } // check ip // // if ( empty($json["ip"]) ) { naughty("025622ea15552a7b8a3ae71405cf1fbf empty ip"); } $ip = $json["ip"]; if ( ! filter_var($ip, FILTER_VALIDATE_IP)) { naughty("571f2d51046da9c923e01ae8bbfc037e not an IP"); } // check ep_num // // if ( empty($json["eps_id"]) ) { naughty("6740e9b34590fe5b8f1829aeb5da099d empty eps_id"); } $ep_num = $json["eps_id"]; if ( intval($ep_num) === 0 ) { naughty("fdae5c63eb5608820b13c9d096166c84 ep_num not int"); } else { $ep_num = intval($ep_num); } if ( ( $ep_num <= 0 ) OR ( $ep_num >= 9999) ) { naughty("eb90a1a69fd531d5c649e3f5367bd570 ep_num outside range"); } $ep_retrieve = "SELECT id FROM eps WHERE id=$ep_num;"; if ($result = mysqli_query($connection, $ep_retrieve)) { if ( ! $result->fetch_assoc()) { naughty("b9ac28c5c661d7ed1c4c009de0279e07 ep_num not a real show"); } } // date // // if ( empty($json["comment_timestamp"]) ) { naughty("bdc8352b3cc66626c3cb9e24b197eea6 empty comment_timestamp"); } $comment_timestamp = $json["comment_timestamp"]; // 2023-12-23T12:21:29Z if ( !preg_match("/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$/", $comment_timestamp) ) { naughty("ad7f805c2f42be77122ec52f114fe318 comment_timestamp not matching regex"); } if ( strtotime($comment_timestamp) === false ) { naughty("fa8cfb5266783bfb4dc06120bfdf5675 comment_timestamp not a date"); } $comment_timestamp_epoch = strtotime($comment_timestamp); $a_week_ago = strtotime(date("Y-m-d H:i:s", time()) . " -1 week" ); // if ( $comment_timestamp_epoch <= $a_week_ago ) { // naughty("f3fae30aec607f499108db240ec28456 comment_timestamp older than a week"); // } $date = new DateTime( $comment_timestamp ); $comment_timestamp_db = $date->format('Y-m-d H:i:s'); // anti spam if (file_exists($naughty_stings_file)) { $comment = strtolower( "$comment_author_name, $comment_text, $comment_title, $justification" ); $naughty_words = file("$naughty_stings_file", FILE_SKIP_EMPTY_LINES|FILE_IGNORE_NEW_LINES); foreach ( $naughty_words as $naughty_word) { if ( strpos( $comment, strtolower( $naughty_word ) ) !== false ) { naughty("b5fd199bfeb4c1bbd4923b4af5415ce3 fails banned wordcheck \"$naughty_word\""); } } } // OK I believe you if ( strcmp($justification, "No justification is asked for or required.") !== 0 ) { file_put_contents($justification_file, "$justification\n", FILE_APPEND | LOCK_EX ); } $ep_retrieve = "SELECT id FROM comments WHERE comment_timestamp='$comment_timestamp' AND comment_author_name='$comment_author_name'"; if ($result = mysqli_query($connection, $ep_retrieve)) { if ( $result->fetch_assoc()) { naughty("9422f4e06ded59e4e7c2e426e62ffa5e comment already in database. comment_timestamp='$comment_timestamp_db' and comment_author_name='$comment_author_name'"); } } $query_add = "INSERT INTO comments (eps_id,comment_timestamp,comment_author_name,comment_title,comment_text) VALUES ( '{$ep_num}', '{$comment_timestamp_db}', '{$comment_author_name}', '{$comment_title}', '{$comment_text}')"; $result = mysqli_query($connection, $query_add ); if(!$result) { problem("ERROR: DB problem - The comment was not added to the db."); } if (mysqli_errno( $connection )) { $error = "MySQL error ".mysqli_errno( $connection ).": ".mysqli_error()."\n"; problem("ERROR: MySQL error- The comment was not added to the db.\n$error"); } $query = "SELECT * FROM comments WHERE comment_timestamp='$comment_timestamp_db' AND comment_author_name='$comment_author_name'"; $result = @mysqli_query($connection, $query); $db = mysqli_fetch_array($result, MYSQLI_ASSOC); if ( empty($db["id"]) ) { naughty("1caead2716fb4e793b11f978eddd7559 could not find the id of the entry. comment_timestamp='$comment_timestamp_db' and comment_author_name='$comment_author_name'"); } http_response_code(200); header('Content-Type: application/json; charset=utf-8'); echo json_encode($db); unlink( "${file}" ); exit; } // exit; http_response_code(500); ?>