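<?php
# request.php > request_confirm.php > upload.php > upload_confirm.php
#
# Second step of the reservation flow: validate the POST from the request
# form, match it to the pending row request.php created for this IP,
# record the chosen slot and email a confirmation link.
# Every failed check calls naughty() from include.php, which this script
# assumes terminates the request (later code is not guarded again after a
# naughty() call) — confirm against include.php.
require "/home/hpr/php/include.php";

# Coarse flood check on the number of unconfirmed reservations.
$query = "SELECT COUNT(*) as total FROM `reservations` WHERE ep_num = 0";
$result = mysqli_query($connection, $query);
$row = mysqli_fetch_array($result, MYSQLI_NUM);
$total = $row[0];
if (!isset($total) || $total > 150) {
    # This seems to indicate that we are under an attack as we never get 5 shows in the one day from different hosts.
    # A host doing bulk upload will need to do them one by one
    naughty("5971624889258aefb44e5f7bf8dffbd4");
}

# This is to prevent anything except hits from the web form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    naughty("19e9019c9615f755aec834000892ee9e");
}

if (empty($_SERVER["REMOTE_ADDR"])) {
    naughty("9bb147a251e8db132dafa93d98f8487f");
} else {
    $ip = $_SERVER["REMOTE_ADDR"];
}

if (count($_POST) !== 2) {
    naughty("02de1aef3b9490a417c39170d8f06028");
}

# Look up the pending request for this ip address. The address is bound as
# a statement parameter instead of being interpolated into the SQL; any
# failure on the way leaves $db null so the "no pending request" check
# below rejects the hit.
$query = "SELECT * FROM reservations WHERE ip = ? and `status` = 'REQUEST_UNVERIFIED' and `verified` = 0";
$db = null;
$stmt = mysqli_prepare($connection, $query);
if ($stmt !== false) {
    mysqli_stmt_bind_param($stmt, 's', $ip);
    if (mysqli_stmt_execute($stmt)) {
        $result = mysqli_stmt_get_result($stmt);
        if ($result !== false) {
            $db = mysqli_fetch_array($result, MYSQLI_ASSOC);
        }
    }
    mysqli_stmt_close($stmt);
}
if (empty($db["ip"])) {
    # the request did not come via the web form
    naughty("2162941738512bfdb1d21f288ee7cdb4");
}

# Epoch of the moment request.php created the pending row.
$request_epoch = strtotime($db['timestamp']);
if ($request_epoch >= $_SERVER["REQUEST_TIME"]) {
    # they are playing with the database or time settings
    naughty("f0ad965f523b5c2ade071eb20d3618b5");
}
# The old check compared the row time against now + 30 minutes, a case the
# previous test already rejects, so the form timeout was never enforced.
# Reject rows that were created more than 30 minutes ago instead.
if ($request_epoch + 1800 < $_SERVER["REQUEST_TIME"]) {
    # There is too long a time entering the form
    naughty("6570026fd11fc31ac0cada3e1dae4d0b");
}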
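// Basic POST Checks
if (empty($_POST["ep_num_date"]) || strlen($_POST["ep_num_date"]) !== 15) {
    naughty("a32fbe5f0494eb7f34034b164739314d");
}
if (empty($_POST["email"])) {
    naughty("76eaa1a1556faeadfc14631c35b8590a");
}

// Getting to the keep section
# filter_var() returns false for anything that is not a syntactically valid
# address. The accepted value is entity-encoded because it is echoed back
# into the HTML page below; it is also the address the confirmation is sent to.
$valid_email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
if ($valid_email === false) {
    naughty("8c307efe37146015a35e2d928c2c0f69");
} else {
    $email = htmlspecialchars($valid_email);
}

# ep_num_date is "NNNN_YYYY-MM-DD" (15 bytes): the separators must sit at
# fixed offsets and everything around them must be digits.
$ep_num_date = $_POST["ep_num_date"];
if (strpos($ep_num_date, '_') !== 4 || strpos($ep_num_date, '-') !== 9 || strpos($ep_num_date, '-', 10) !== 12) {
    naughty("705f8e26e42a90b31075a110674b19ee");
}
if (!preg_match('/^\d{4}_\d{4}-\d{2}-\d{2}$/', $ep_num_date)) {
    naughty("ad7f805c2f42be77122ec52f114fe318");
} else {
    [$ep_num, $ep_date] = explode('_', $ep_num_date);
}

# Episode number must be a non-zero integer; 9999 is the reserve queue.
if (intval($ep_num) === 0) {
    naughty("9424f7407b2fb83407760ad763286b53");
} else {
    $ep_num = intval($ep_num);
}

# The date part must parse; its epoch is compared against the schedule later.
if (strtotime($ep_date) === false) {
    naughty("59c7bff340d023773d987d71df545110");
} else {
    $ep_date_epoch = strtotime($ep_date);
}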
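# Not used in this file; kept in case an included template reads it — verify.
$show_array = [];

# One round trip gives the latest released episode (number and date) and
# whether the requested number already exists. $ep_num is an int here, but it
# is still bound as a parameter rather than interpolated.
$query = "SELECT (
    SELECT max(id)
    FROM eps
    WHERE eps.date <= UTC_DATE()
) AS current_ep_num, (
    SELECT max(date)
    FROM eps
    WHERE eps.date <= UTC_DATE()
) AS current_ep_date, (
    SELECT id
    FROM eps
    WHERE id = ?
) AS valid";
$row = [null, null, null];
$stmt = mysqli_prepare($connection, $query);
if ($stmt !== false) {
    mysqli_stmt_bind_param($stmt, 'i', $ep_num);
    if (mysqli_stmt_execute($stmt)) {
        $result = mysqli_stmt_get_result($stmt);
        if ($result !== false) {
            $row = mysqli_fetch_array($result, MYSQLI_NUM);
        }
    }
    mysqli_stmt_close($stmt);
}

# Cast once so every slot number below is an int and can be compared with
# $ep_num using strict equality.
$current_ep_num = (int) $row[0];
$next_year_ep_num = $current_ep_num + 365;
$current_ep_date = $row[1];
$current_ep_date_epoch = strtotime($current_ep_date);
$next_year_ep_date = strtotime(date("Y-m-d", time()) . " + 365 day");

# $row[2] is NULL when no episode has this id, otherwise the id itself, so a
# non-empty value means the number is already taken.
if (!empty($row[2])) {
    naughty("$ep_num == $row[2] or !empty( $row[2] ) 47d186ad8d5b21ec7d455477ea08b023");
}

# 9999 is the reserve queue and bypasses the calendar checks.
if ($ep_num !== 9999) {
    if ($ep_num <= $current_ep_num || $ep_num > $next_year_ep_num) {
        naughty("7304801e8ce3b9096d28dbe1a0faa642 $ep_num <= $current_ep_num or $ep_num > $next_year_ep_num");
    }
    if ($ep_date_epoch < $current_ep_date_epoch || $ep_date_epoch > $next_year_ep_date) {
        naughty("34c4259b45927da50ba5c49970f880a4");
    }

    # Walk the schedule a year ahead, one weekday per slot, building the
    # slot -> date and date -> slot maps. $current_ep_date is advanced in
    # place, as before, in case anything downstream relies on that.
    $shows_slot_date = [];
    $shows_date_slot = [];
    for ($slot = $current_ep_num; $slot < $next_year_ep_num; $slot++) {
        $shows_slot_date[$slot] = $current_ep_date;
        $shows_date_slot[$current_ep_date] = $slot;
        $current_ep_date = date('Y-m-d', strtotime($current_ep_date . ' + 1 weekday'));
    }

    # The requested number and date must both be on the schedule ...
    if (empty($shows_slot_date[$ep_num]) || empty($shows_date_slot[$ep_date])) {
        naughty("d0e113355b35f96945124d8e507759a0");
    }
    # ... and must be each other's counterpart.
    if ($ep_date !== $shows_slot_date[$ep_num] || $ep_num !== $shows_date_slot[$ep_date]) {
        naughty("434cb53552ce1e2708e74a42f438028c");
    }
} // End of bypass checks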
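// OK You convinced me.
$db_ip = $db['ip'];
$db_timestamp = $db['timestamp'];
$db_key = $db['key'];

# UPDATE reservations SET `ep_num` = '3203', `ep_date` = '2020-11-11', `email` = 'admin@hackerpublicradio.org', `verified` = '0' WHERE `ip` = '62.251.25.147' AND `timestamp` = '2020-08-20 10:55:44' AND `key` = '20ca69e4d9097d1623399c7b85fc8f475f3e56b01a289' AND `status` = 'REQUEST_EMAIL_SENT'
$email_padded = formatemail($email);

# Record the chosen slot on the pending row. Every value is bound as a
# parameter; the email in particular originates from the form.
# mysqli_query() returns false (not unset) on failure, so the old isset()
# check could never fire — test the outcome explicitly instead.
$query = "UPDATE reservations SET `ep_num` = ?, `ep_date` = ?, `email` = ?, `verified` = '0', `status` = 'REQUEST_EMAIL_SENT' WHERE `ip` = ? AND `timestamp` = ? AND `key` = ?";
$result = false;
$stmt = mysqli_prepare($connection, $query);
if ($stmt !== false) {
    mysqli_stmt_bind_param($stmt, 'isssss', $ep_num, $ep_date, $email_padded, $db_ip, $db_timestamp, $db_key);
    $result = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}
if ($result === false) {
    naughty("c7405e79b54f582e8db46c69ec4b0f24");
}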
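use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
use PHPMailer\PHPMailer\SMTP;

require_once('/home/hpr/php/PHPMailer/Exception.php');
require_once('/home/hpr/php/PHPMailer/PHPMailer.php');
require_once('/home/hpr/php/PHPMailer/SMTP.php');

date_default_timezone_set('Etc/UTC');

# Transport settings ($mailerHost, $mailerUsername, $mailerPassword) come
# from include.php. Exceptions are enabled, so send() throws on failure
# instead of returning false.
$mailer = new PHPMailer(true);
$mailer->isSMTP();
$mailer->Host = $mailerHost;
$mailer->SMTPAuth = true;
$mailer->SMTPSecure = PHPMailer::ENCRYPTION_SMTPS;
$mailer->Port = 465;
$mailer->Username = $mailerUsername;
$mailer->Password = $mailerPassword;

// Set up to, from, and the message body. The body doesn't have to be HTML; check the PHPMailer documentation for details.
$mailer->Sender = 'robot@hobbypublicradio.com';
$mailer->addReplyTo('admin@hackerpublicradio.org', 'HPR Admins');
$mailer->setFrom('robot@hobbypublicradio.com', 'HPR Robot');
$mailer->addBCC('admin@hackerpublicradio.org');
$mailer->addBCC('admin@hobbypublicradio.org');
$mailer->addAddress($email);

# Audit trailer appended to both message bodies. The User-Agent header is
# client-controlled, so it is entity-encoded before going into the HTML
# part and defaults to '' when the header is absent.
$audit_line = date('Y-m-d\TH:i:s') . "\t" . getUserIP() . "\t" . $db_key . "\t" . ($_SERVER["HTTP_USER_AGENT"] ?? '');
$confirm_url = "{$hubBaseurl}/upload.php?key={$db_key}";

# The reserve-queue and dated-slot variants differ only in the subject and
# the opening sentence; everything else is shared below.
if ($ep_num === 9999) {
    $mailer->Subject = "Confirmation of request to submit to the reserve queue";
    $intro = "This email is an automatic reply to a request to submit to the reserve queue on the longest running Community Podcast.";
} else {
    $mailer->Subject = "Confirmation of request to reserve hpr {$ep_num} on {$ep_date}";
    $intro = "This email is an automatic reply to a request to reserve a podcast slot hpr {$ep_num} on {$ep_date} on the longest running Community Podcast.";
}

$mailer->MsgHTML("<p>{$intro}<br />
<em>If you have not made this request then please ignore this email.</em>
</p>
<p>
To confirm your request please confirm by copying and pasting the following link into your browser<br />
<a href=\"{$confirm_url}\">{$confirm_url}</a>
</p>
<p>
You have 15 minutes to open this link or your show will automatically be deleted so that the slot can become available to another host. Once you open the link, you have a maximum of 4 Hours to fill in the information.
</p>
<p>
The upload form works on the assumption you will be posting one show at a time, from the same IP address.
</p>
<p>
Please keep this key private.
</p>
<p>
Thanks,<br />
HPR Bot
</p>
<pre>" . htmlspecialchars($audit_line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</pre>"
);

$mailer->AltBody = "{$intro}
If you have not made this request then please ignore this email.
To confirm your request please confirm by copying and pasting the following link into your browser
{$confirm_url}
You have 15 minutes to open this link or your show will automatically be deleted so that the slot can become available to another host. Once you open the link, you have a maximum of 4 Hours to fill in the information.
The upload form works on the assumption you will be posting one show at a time, from the same IP address.
Please keep this key private.
Thanks,
HPR Bot
" . $audit_line . "\n";

# Same order as before: MsgHTML() first, AltBody replaced, then isHTML(false).
$mailer->isHTML(false);

// send the message, check for errors
# With exceptions enabled a failed send() throws rather than returning
# false, so the old `if (!$mailer->send())` never saw the failure and the
# uncaught exception ended the request. Report it the way the old branch did.
try {
    $mailer->send();
} catch (Exception $e) {
    echo 'Mailer Error: ' . $mailer->ErrorInfo;
}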
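# Presumably selects the page layout inside header.html — verify there.
$body = "give";
include 'header.html';
?>
<main id="maincontent">
<hr />
<article>
<header>
<h1>Thank you</h1>
</header>
<p>
Thank you for your submission. A confirmation email has been sent to <em><?php echo $email; ?></em>. Please copy and paste the link into your browser to confirm your email address, and upload your show media.
</p>
<p>You need to <em>open</em> the link within <strong>15 minutes</strong> or the temporary lock will be released. Once you open the link, you can fill in the information at your leisure.</p>
<p>The email is sent from the address <strong>robot@hobbypublicradio.com</strong>, and should be in your inbox by the time you read this.</p>
<p>If it is not there by now, then please <strong>spam</strong> folder. We have had reports that sometimes gmail and hotmail consider the messages as spam. Please consider <a href="https://onlinegroups.net/blog/2014/02/25/how-to-whitelist-an-email-address/" target="_blank">whitelisting</a> the email address <em>robot@hobbypublicradio.com</em>.</p>
<p>
<img src="images/gmail-spam.png" alt="gmail is blocking us" />
</p>
<p>Return to the <strong><a href="/calendar.php">calendar</a></strong> page.</p>
<p>
Thanks,<br />
<br />
HPR Bot
</p>
<pre>
<?php
# Audit line for the page. $email above is already entity-encoded; the
# User-Agent header is client-controlled and was previously printed raw
# into the HTML, so it is encoded here and defaulted when absent.
print htmlspecialchars(
    date('Y-m-d\TH:i:s') . "\t" . getUserIP() . "\t" . $db_key . "\t" . ($_SERVER["HTTP_USER_AGENT"] ?? ''),
    ENT_QUOTES | ENT_SUBSTITUTE,
    'UTF-8'
);
?>
</pre>
</article>
</main>
<?php
include 'footer.html';
?>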