375 lines
11 KiB
PHP
375 lines
11 KiB
PHP
<?php
|
|
# eps.php > comment_confirm.php > eps.php
|
|
require "/home/hpr/php/include.php";
|
|
|
|
$num_get_args = 0;
|
|
|
|
foreach($_GET as $k => $v) {
|
|
++$num_get_args;
|
|
}
|
|
|
|
if ( $num_get_args > 0 ){
|
|
# they didn't supply any arguments
|
|
naughty("9e756ee22b7cdcdb150a5baf167caa25 $num_get_args");
|
|
}
|
|
|
|
if ( empty($_POST["anti_spam_question"]) ) {
|
|
naughty("0601a23e358374c293b086bb75606cca");
|
|
}
|
|
|
|
if ( strlen($_POST["anti_spam_question"]) !== 6 ) {
|
|
naughty("6f51e6e7e6820b3fdda5d4ca0df14db1");
|
|
}
|
|
|
|
if (strcasecmp('public', $_POST["anti_spam_question"]) !== 0) {
|
|
naughty("6aef421ce05e3ac34f4cd91ae3248a45");
|
|
}
|
|
|
|
$comment_directory = "/home/hpr/comments";
|
|
|
|
if ( ! file_exists( $comment_directory ) ) {
|
|
# Looks like the comments directory has not been created
|
|
naughty("d5342ea497f701656433e81fb5eed064");
|
|
}
|
|
|
|
$unprocessed_comments = iterator_count(new FilesystemIterator("$comment_directory", FilesystemIterator::SKIP_DOTS));
|
|
|
|
if( $unprocessed_comments >= 10 ) {
|
|
# There has to be at least one comment here as they are calling the script, and too many is suspicious
|
|
naughty("093f42abee30e69e0e4d5125c70a0f7c");
|
|
}
|
|
|
|
# This is to prevent anything except hits from the web form.
|
|
# Anyone wanting to script uploads can do so via ftp
|
|
if ( $_SERVER['REQUEST_METHOD'] !== 'POST' ) {
|
|
naughty("87613fc139b251b673e1dd51e378e462");
|
|
}
|
|
|
|
if ( empty($_SERVER["REMOTE_ADDR"]) ) {
|
|
naughty("d7d0b6ab9689be244e1b6a8fbe6effba");
|
|
}
|
|
else {
|
|
$ip = $_SERVER["REMOTE_ADDR"];
|
|
}
|
|
|
|
if (count($_POST) !== 8) {
|
|
naughty("086fe155b0588de68fc5d9e4580254a8");
|
|
}
|
|
|
|
// Basic POST Checks
|
|
if ( empty($_POST["comment_author_name"]) or strlen($_POST["comment_author_name"]) > 40 or strtolower($_POST["comment_author_name"]) == "testdog" ) {
|
|
naughty("294356cd36d3f9b75da4d8c0a6108881");
|
|
}
|
|
$comment_author_name = $_POST["comment_author_name"];
|
|
$comment_author_name_json = json_encode( $_POST["comment_author_name"] );
|
|
|
|
if ( $comment_author_name === preg_replace('/[^a-zA-Z0-9_ ]/', '', $comment_author_name) ) {
|
|
$comment_author_name_ascii = "ASCII";
|
|
}
|
|
else {
|
|
$comment_author_name_ascii = "EXTENDED";
|
|
}
|
|
|
|
if ( empty($_POST["comment_title"]) or strlen($_POST["comment_title"]) > 100 ) {
|
|
naughty("a89efb428cfe36996a65b371d5f4e303");
|
|
}
|
|
$comment_title = $_POST["comment_title"];
|
|
$comment_title_json = json_encode( $_POST["comment_title"] );
|
|
|
|
if ( $comment_title === preg_replace('/[^a-zA-Z0-9_ ]/', '', $comment_title) ) {
|
|
$comment_title_ascii = "ASCII";
|
|
}
|
|
else {
|
|
$comment_title_ascii = "EXTENDED";
|
|
}
|
|
|
|
if ( empty($_POST["comment_text"]) or strlen($_POST["comment_text"]) > 2000 or strpos(strtolower($_POST["comment_text"]), "outlook.con") !== false ) {
|
|
naughty("cd57ab4d7b77a131ed3deb441bd93dcd");
|
|
}
|
|
$comment_text = $_POST["comment_text"];
|
|
$comment_text_json = json_encode( $_POST["comment_text"] );
|
|
|
|
if ( $comment_text === preg_replace('/[^a-zA-Z0-9_ ]/', '', $comment_text) ) {
|
|
$comment_text_ascii = "ASCII";
|
|
}
|
|
else {
|
|
$comment_text_ascii = "EXTENDED";
|
|
}
|
|
|
|
if ( empty($_POST["spammer"]) or strcmp($_POST["spammer"], "No") !== 0 ) {
|
|
naughty("b2ec68bd04cee0f64143ce4827a97e7c");
|
|
}
|
|
|
|
# We check to see if the eps_id has been suplied, that it's a integer, and that it's in our range.
|
|
|
|
if (isset($_POST['eps_id'])){
|
|
$eps_id = intval( $_POST['eps_id'] );
|
|
|
|
$query = "SELECT COUNT(*) FROM eps WHERE id='$eps_id'";
|
|
$result = mysqli_query($connection, "$query");
|
|
$row = mysqli_fetch_array($result, MYSQLI_NUM);
|
|
$total = $row[0];
|
|
if ( !isset($result) or ( $total != 1 ) ) {
|
|
naughty("5348e3c2aee3644730c70d3f000bcb01");
|
|
}
|
|
mysqli_free_result($result);
|
|
|
|
$result = mysqli_query($connection, 'SELECT MAX(id) as max FROM eps;');
|
|
if (!isset($result)) {
|
|
naughty("f00fb1f47affc3286aadc15038cfd5d7");
|
|
}
|
|
while ($row = mysqli_fetch_array($result)) {
|
|
$max_eps = $row['max'];
|
|
}
|
|
mysqli_free_result($result);
|
|
}
|
|
else {
|
|
naughty("02c560adf1ff39b140fe8b7abe02fd31");
|
|
}
|
|
|
|
if ( intval($eps_id) <= 0 ){
|
|
naughty("2903eeac51bb479edb428ae3c896671c");
|
|
}
|
|
|
|
if ( intval($eps_id) > $max_eps ){
|
|
naughty("54aa65c12ba71f3dfc451ff5bc82c798");
|
|
}
|
|
|
|
if ( intval($eps_id) === 0 ) {
|
|
naughty("11fe1f9b76bf9f30e6a3a784832cb738");
|
|
}
|
|
else {
|
|
$eps_id = intval($eps_id);
|
|
}
|
|
|
|
# extra spam checks to see if they supplied the correct host id
|
|
$query = "SELECT hosts.host, eps.title, eps.summary, eps.date, eps.hostid, eps.series, miniseries.name, eps.explicit FROM eps, hosts, miniseries WHERE eps.id='$eps_id' AND eps.valid=1 AND eps.hostid = hosts.hostid AND eps.series = miniseries.id";
|
|
if ($result = mysqli_query($connection, $query)) {
|
|
while ($row = mysqli_fetch_array($result)) {
|
|
$host = $row['host'];
|
|
$title = $row['title'];
|
|
$summary = $row['summary'];
|
|
$ep_date = $row['date'];
|
|
$host_id = $row['hostid'];
|
|
$series_id = $row['series'];
|
|
$series_name = $row['name'];
|
|
$explicit = $row['explicit'];
|
|
}
|
|
}
|
|
else {
|
|
naughty("c34561d684ad97241c95a1287688638b");
|
|
}
|
|
mysqli_free_result($result);
|
|
|
|
if ( empty($_POST["hostid"]) or intval($_POST["hostid"]) != $host_id ) {
|
|
naughty("b4d71481b7055272728094292fd2a562");
|
|
}
|
|
|
|
if ( empty($_POST["justification"]) or strlen($_POST["justification"]) > 200 or strlen($_POST["justification"]) < 20) {
|
|
naughty("156d2d2d5780bd7f4a750f7c162b3394");
|
|
}
|
|
|
|
# Checks to see how old the show is
|
|
#$current_episode_number = GetLatestPublishedShow($connection);
|
|
list ($current_episode_date, $current_episode_number) = GetLatestPublishedShow($connection);
|
|
|
|
if ( ( $eps_id <= $current_episode_number ) and ( $eps_id >= ( $current_episode_number - 20 ) ) ) {
|
|
if ( strcmp($_POST["justification"], "No justification is asked for or required.") !== 0 ) {
|
|
naughty("9357d78bf73b03ee2dd902a4c975f91d");
|
|
}
|
|
else {
|
|
$justification = "Current Comment";
|
|
$justification_json = json_encode("Current Comment");
|
|
}
|
|
}
|
|
else {
|
|
if ( strcmp($_POST["justification"], "No justification is asked for or required.") === 0 ) {
|
|
print ">" . $_POST["justification"] ."< eps_id: $eps_id, current_episode_number: $current_episode_number, ";
|
|
naughty("df4af9bdd0302f672d6311c76bdc461a");
|
|
}
|
|
else {
|
|
$justification = $_POST["justification"];
|
|
$justification_json = json_encode( $_POST["justification"] );
|
|
}
|
|
}
|
|
|
|
if ( $justification === preg_replace('/[^a-zA-Z0-9_ ]/', '', $justification) ) {
|
|
$justification_ascii = "ASCII";
|
|
}
|
|
else {
|
|
$justification_ascii = "EXTENDED";
|
|
}
|
|
|
|
if ( empty($_SERVER["REMOTE_ADDR"]) ) {
|
|
naughty("611144d4c0d575fffbf8f3ef11f8ad68");
|
|
}
|
|
else {
|
|
$ip = $_SERVER["REMOTE_ADDR"];
|
|
}
|
|
$comment_ip = json_encode( $ip );
|
|
|
|
// OK You convinced me.
|
|
|
|
$key = uniqid(md5(rand()));
|
|
$timestamp = time()+date("Z");
|
|
$timestamp = gmdate("Y-m-d\TH:i:s\Z",$timestamp);
|
|
$comment_file = "${comment_directory}/${timestamp}_${ip}_${key}.json";
|
|
$timestamp = $timestamp;
|
|
$timestamp_json = json_encode($timestamp);
|
|
$comment_key_json = json_encode( $key );
|
|
if ( file_exists( $comment_file ) ) {
|
|
naughty("ef5d14b33b262bfbf5d40544fdeb9ec3");
|
|
}
|
|
|
|
$comment_data = "{
|
|
\"eps_id\": $eps_id,
|
|
\"ip\": \"$ip\",
|
|
\"comment_timestamp\": $timestamp_json,
|
|
\"comment_author_name\": $comment_author_name_json,
|
|
\"comment_title\": $comment_title_json,
|
|
\"comment_text\": $comment_text_json,
|
|
\"justification\": $justification_json,
|
|
\"key\": $comment_key_json
|
|
}";
|
|
|
|
file_put_contents($comment_file, $comment_data );
|
|
|
|
if ( filesize( $comment_file ) > 4000 ) {
|
|
naughty("56e00e793a27168511d1cfda11d3bc55");
|
|
}
|
|
|
|
$user_agent = preg_replace('/ \(/', "\n", $_SERVER["HTTP_USER_AGENT"] );
|
|
$user_agent = preg_replace('/\) /', "\n", $user_agent );
|
|
|
|
// Mail the comment
|
|
|
|
use PHPMailer\PHPMailer\PHPMailer;
|
|
use PHPMailer\PHPMailer\Exception;
|
|
use PHPMailer\PHPMailer\SMTP;
|
|
|
|
require_once('/home/hpr/php/PHPMailer/Exception.php');
|
|
require_once('/home/hpr/php/PHPMailer/PHPMailer.php');
|
|
require_once('/home/hpr/php/PHPMailer/SMTP.php');
|
|
|
|
date_default_timezone_set('Etc/UTC');
|
|
|
|
$mailer = new PHPMailer(true);
|
|
$mailer->isSMTP();
|
|
$mailer->Host = "$mailerHost";
|
|
$mailer->SMTPAuth = true;
|
|
$mailer->SMTPSecure = "ssl";
|
|
$mailer->Port = "465";
|
|
$mailer->CharSet = 'UTF-8';
|
|
$mailer->Username = "$mailerUsername";
|
|
$mailer->Password = "$mailerPassword";
|
|
|
|
|
|
// Set up to, from, and the message body. The body doesn't have to be HTML; check the PHPMailer documentation for details.
|
|
$mailer->Sender = 'robot@hobbypublicradio.com';
|
|
$mailer->addReplyTo('admin@hackerpublicradio.org', 'HPR Admins');
|
|
$mailer->setFrom('robot@hobbypublicradio.com', 'HPR Robot');
|
|
$mailer->addBCC('admin@hackerpublicradio.org');
|
|
$mailer->addBCC('admin@hobbypublicradio.org');
|
|
$mailer->AddAddress('comments@hackerpublicradio.org');
|
|
$mailer->isHTML(false);
|
|
$mailer->Subject = "New Comment for show hpr${eps_id} on ${ep_date} ${key}";
|
|
$mailer->MsgHTML("<p>hpr${eps_id} on ${ep_date} by ${host} with the title <strong>${title}</strong> \"${summary}\"</p>
|
|
<p>
|
|
See attachment for the json comment file.
|
|
</p>
|
|
<p>
|
|
<a href=\"https://hub.hackerpublicradio.org/cms/comment_process.php?key=$key&action=block\">Block</a>,
|
|
<a href=\"https://hub.hackerpublicradio.org/cms/comment_process.php?key=$key&action=delete\">Delete</a>, or
|
|
<a href=\"https://hub.hackerpublicradio.org/cms/comment_process.php?key=$key&action=approve\">Approve</a>.
|
|
</p>
|
|
|
|
<p>
|
|
There are now " . ++$unprocessed_comments . " unprocessed comments.
|
|
</p>
|
|
<p>
|
|
Thanks,<br />
|
|
HPR Bot
|
|
</p>
|
|
<pre>
|
|
$timestamp
|
|
$ip
|
|
$key
|
|
$user_agent
|
|
</pre>
|
|
<hr />
|
|
<p>
|
|
<strong>Comment on eps_id</strong>: $eps_id,<br />
|
|
<br />
|
|
<strong>comment_author_name</strong> ($comment_author_name_ascii): $comment_author_name,<br />
|
|
<strong>comment_title</strong> ($comment_title_ascii): $comment_title,<br />
|
|
<strong>comment_text</strong> ($comment_text_ascii):
|
|
<pre>
|
|
$comment_text
|
|
</pre>
|
|
<strong>justification</strong> ($justification_ascii):
|
|
<pre>
|
|
$justification
|
|
</pre>
|
|
</p>
|
|
<hr />
|
|
<strong>comment_title_json</strong>: $comment_title_json,<br />
|
|
<strong>comment_text_json</strong>: $comment_text_json,<br />
|
|
<strong>justification_json</strong>: $justification_json,<br />
|
|
<hr />"
|
|
);
|
|
$mailer->AltBody = "hpr${eps_id} on ${ep_date} by ${host} with the title ${title} \"${summary}\"</p>
|
|
|
|
See attachment for the json comment file.
|
|
|
|
There are now ${unprocessed_comments} unprocessed comments.
|
|
|
|
Thanks,
|
|
HPR Bot
|
|
$timestamp
|
|
$ip
|
|
$key
|
|
$user_agent
|
|
";
|
|
$mailer->addAttachment($comment_file, "${key}.json", "base64", "application/json");
|
|
|
|
//send the message, check for errors
|
|
if (!$mailer->send()) {
|
|
echo 'Mailer Error: ' . $mailer->ErrorInfo;
|
|
}
|
|
|
|
$body="give";
|
|
//$body="index_full";
|
|
include 'header.html';
|
|
|
|
?>
|
|
|
|
<main id="maincontent">
|
|
<hr />
|
|
<article>
|
|
<header>
|
|
<h1>Thank you</h1>
|
|
</header>
|
|
<p>
|
|
Thank you for your comment. A moderator will get to your comment at some point.
|
|
</p>
|
|
<p>
|
|
Thanks,<br />
|
|
<br />
|
|
HPR Bot
|
|
</p>
|
|
<pre>
|
|
<pre>
|
|
<?php echo date('Y-m-d\TH:i:s') . "\n" . getUserIP() . "\n" . $_SERVER["HTTP_USER_AGENT"]; ?>
|
|
</pre>
|
|
</article>
|
|
</main>
|
|
|
|
<?php
|
|
|
|
include 'footer.html';
|
|
|
|
logextra( "Finished comment_confirm.php");
|
|
|
|
?>
|
|
|