request_confirm.php > upload.php > upload_confirm.php
require "/home/hpr/php/include.php";
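# Client address as seen by the web server.  REMOTE_ADDR is set by the
# server itself, not read from a request header, so the client cannot spoof
# it the way it can X-Forwarded-For.  Absent under the CLI SAPI; default to
# '' rather than null so the SQL and output below always see a string.
$ip = $_SERVER["REMOTE_ADDR"] ?? '';
# Per-request key stored with the reservation — presumably the token in the
# upload link mailed to the requester (see the page text below), so it must
# be unguessable.  uniqid() is clock-derived and rand() is a predictable
# PRNG; draw 128 bits from the CSPRNG instead.  32 hex chars is shorter
# than the 45 the old expression produced, so it fits the existing column.
$key = bin2hex(random_bytes(16));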
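# Remove any stale requests.
# Unverified reservations older than a day are purged regardless of origin;
# unverified ones from *this* address are purged after 15 minutes, which is
# the lock window enforced by the duplicate check further down.
# Both are best-effort housekeeping: a failure is logged server-side and the
# request continues.  (The old `@` could not silence anything under PHP 8.1+
# anyway, where mysqli reports errors as exceptions by default.)
$query_delete_old = "DELETE FROM reservations WHERE reservations.timestamp + INTERVAL 1 DAY <= UTC_TIMESTAMP() AND reservations.verified = 0";
$result_delete_old = mysqli_query($connection, $query_delete_old);
if ($result_delete_old === false) {
    error_log("request: purge of day-old reservations failed: " . mysqli_error($connection));
}
# Remove stale requests from this IP Address after 15 minutes.
# This should be enough to deter attackers while being short enough to allow real hosts to request a show.
# The address is bound as a parameter instead of being interpolated into
# the SQL string; REMOTE_ADDR is server-supplied today, but binding costs
# nothing and stays safe if $ip is ever sourced from a header.
$query_delete = "DELETE FROM reservations WHERE reservations.ip = ? AND reservations.timestamp + INTERVAL 15 MINUTE <= UTC_TIMESTAMP() AND reservations.verified = 0";
$result_delete = false;
$stmt_delete = mysqli_prepare($connection, $query_delete);
if ($stmt_delete !== false) {
    mysqli_stmt_bind_param($stmt_delete, 's', $ip);
    $result_delete = mysqli_stmt_execute($stmt_delete);
    mysqli_stmt_close($stmt_delete);
}
if ($result_delete === false) {
    error_log("request: purge of 15-minute-old reservations for $ip failed: " . mysqli_error($connection));
}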
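# Check that this ip is not uploading in another session
# Any unverified reservation still on file for this address — i.e. one newer
# than the 15-minute purge above — blocks a new request.  MAX(timestamp) is
# the most recent pending row, which is the one that decides when the lock
# lifts; the earlier "COUNT(*), timestamp" with no GROUP BY is rejected under
# ONLY_FULL_GROUP_BY and returned an arbitrary row otherwise.
$query_dupe = "SELECT COUNT(*), MAX(timestamp) FROM `reservations` WHERE ip = ? and verified = 0";
$row_dupe = null;
$stmt_dupe = mysqli_prepare($connection, $query_dupe);
if ($stmt_dupe !== false) {
    mysqli_stmt_bind_param($stmt_dupe, 's', $ip);
    if (mysqli_stmt_execute($stmt_dupe)) {
        mysqli_stmt_bind_result($stmt_dupe, $dupe_count, $dupe_latest);
        if (mysqli_stmt_fetch($stmt_dupe) === true) {
            $row_dupe = [$dupe_count, $dupe_latest];
        }
    }
    mysqli_stmt_close($stmt_dupe);
}
$num_from_this_ip = $row_dupe[0] ?? null;
# MAX() is NULL when there are no matching rows; strtotime(null) is
# deprecated, so reproduce its false result explicitly.
$show_timestamp = isset($row_dupe[1]) ? strtotime($row_dupe[1]) : false;
# A query failure ($row_dupe still null) is treated like an existing request:
# fail closed rather than hand out a second key.  (The old code passed the
# false result into mysqli_fetch_array, a TypeError on PHP 8.)
if ($row_dupe === null || (int) $num_from_this_ip !== 0) {
    header('Cache-Control: no-cache');
    header('Pragma: no-cache');
    # http_response_code() sets the real status under every SAPI; a literal
    # "Status:" header is only honoured by CGI/FastCGI.
    http_response_code(412);
    # Everything reflected into the page below is HTML-escaped.  REQUEST_URI
    # and the User-Agent are attacker-controlled and were previously echoed
    # raw — a reflected XSS on this error page.
    $ip_html = htmlspecialchars((string) $ip, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "
Existing request detected: ";
    # NOTE(review): time()+date("Z") shifts the epoch by the local UTC offset,
    # while $show_timestamp is strtotime() of a UTC_TIMESTAMP() value parsed
    # in local time; the "minutes remaining" arithmetic below is only exact
    # when the server runs in UTC.  Left unchanged so the displayed values
    # are the same as before — confirm the server timezone.
    $timestamp = time()+date("Z");
    echo gmdate("Y-m-d\TH:i:s\Z",$timestamp);
    echo "
\n";
    $localtime = date('l jS \of F Y h:i:s A', $show_timestamp);
    echo "It seems another request was made from this ip address\n ({$ip_html}) on {$localtime}.
\n";
    echo "This lock is set for 15 minutes to deter attacks and will be released in about " . round(abs(16 - ( $timestamp - $show_timestamp ) / 60 ) ) . " minutes.
\n";
    echo "There are several reasons why you would see this page:
\n";
    echo "";
    echo "- You already made a request for a show.\n
\n
- Check your email inbox and spam folder to see if the message has arrived.
\n
We have had reports that sometimes gmail and hotmail consider the messages as spam.
\n
We recommend white listing the email address robot@hackerpublicradio.org\n
\n
- You may have typed the address into the browser and it \"autofilled\" this old address
\n
- You are using an old version of the calendar page. Press F5 in the calendar page to refresh.
\n
\n
\n";
    echo "- The show has already been allocated to another host.
\n";
    echo "
\n";
    echo "\n";
    echo "Return to the calendar page.
\n";
    echo "\n";
    echo "
\n";
    echo "If you are having issues please send the following information to admin @ HPR to assist in troubleshooting the issue:
\n";
    echo "\n";
    echo "{$timestamp}\n";
    echo "{$show_timestamp}\n";
    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    print "{$ip_html}\n";
    print htmlspecialchars($agent, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
    print htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
    echo "
\n";
    echo "
\n";
    # The naughty log is tab-separated, one record per line.  Strip control
    # characters (tab, CR, LF, ...) from the client-supplied fields so a
    # crafted User-Agent or URL cannot forge extra columns or records.
    # NOTE(review): getUserIPAdress() comes from include.php and may not equal
    # REMOTE_ADDR (e.g. if it honours a proxy header) — confirm which address
    # should be logged.
    $log_uri = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $uri);
    $log_agent = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $agent);
    file_put_contents($naughtyfile, date('Y-m-d\TH:i:s\Z') . "\t" . getUserIPAdress() . "\tExisting Request\t" . $log_uri . "\t" . $log_agent . "\n", FILE_APPEND | LOCK_EX);
    exit;
}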
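# Create a temporary entry for this host.
# The INSERT has no column list, so the value order must match the table
# definition exactly (ip, timestamp, key, then the placeholder fields); it
# will break silently if the schema changes.  $ip and $key are bound, not
# interpolated.
$query_add = "INSERT INTO reservations VALUES (?, UTC_TIMESTAMP(), ?, '0', '1970-01-01', 'none@example.com', '0', 'REQUEST_UNVERIFIED' )";
$result = false;
$stmt_add = mysqli_prepare($connection, $query_add);
if ($stmt_add !== false) {
    mysqli_stmt_bind_param($stmt_add, 'ss', $ip, $key);
    $result = mysqli_stmt_execute($stmt_add);
    mysqli_stmt_close($stmt_add);
}
if ($result === false) {
    # mysqli_error() requires the link argument (ArgumentCountError without
    # it on PHP 8), and the driver's message belongs in the server log, not
    # in the response to the client.
    error_log("request: could not create reservation for $ip: " . mysqli_error($connection));
    http_response_code(500);
    die("Could not record your request; please try again later.");
}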
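# Check to see if we're under attack
# Count every reservation that has no show number yet (ep_num = 0) —
# presumably including the row just inserted above.  Past 150 such rows,
# stop handing out keys: someone is mass-requesting slots.
$query = "SELECT COUNT(*) as total FROM `reservations` WHERE ep_num = 0";
$result = mysqli_query($connection, $query);
$total = null;
if ($result !== false) {
    $row = mysqli_fetch_array($result, MYSQLI_NUM);
    mysqli_free_result($result);
    if (is_array($row)) {
        $total = (int) $row[0];
    }
}
# Fail closed: if the count cannot be read, treat it as an attack rather
# than issuing a key blind.  (The old code would have passed a false result
# into mysqli_fetch_array, a TypeError on PHP 8.)
if ($total === null || $total > 150) {
    # http_response_code() sets the real status under every SAPI; a literal
    # "Status:" header is only honoured by CGI/FastCGI.
    http_response_code(412);
    echo "Suspicious activity detected
";
    echo "$total Uploads have temporarily been suspended due to suspicious activity.
If you are attacking us why not record a show telling us about what you were trying to do ?
";
    echo "While these people have their fun, can we ask you to send your show another way.
Contact admin @ HPR for more information.
";
    exit;
}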
// Populate the list of posted shows
// Keyed by episode id, value is that show's date as Y-m-d.  Covers shows
// already published (eps) as well as slots reserved but not yet published
// (reservations rows with an ep_num), so the id check below can refuse
// either kind of taken slot.
$show_array = [];
$ep_retrieve = "(SELECT `id`, `date` FROM eps ) UNION (SELECT `ep_num` AS id, `ep_date` AS date FROM reservations WHERE `ep_num` >0) order by id";
$ep_result = mysqli_query($connection, $ep_retrieve);
if ($ep_result) {
    while ($ep_row = mysqli_fetch_array($ep_result, MYSQLI_ASSOC)) {
        $show_array[$ep_row['id']] = date('Y-m-d', strtotime($ep_row['date']));
    }
}
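/*
Entry is either to the page or with the id variable set (default selected)
*/
# When ?id= is present it names the slot the host wants pre-selected.  The
# value is validated as the raw query string *before* conversion: the old
# code converted first, so its "is this a plain integer" check compared an
# int with itself and could never fire.  naughty() (from include.php) logs
# the event under the given tag; it is assumed to end the request, but the
# checks are ordered so that a caller which does not exit still ends with an
# int $id.
if (isset($_GET['id'])) {
    $raw_id = $_GET['id'];
    # id[]=... arrives as an array (intval() of which is 1 and strval() is
    # "Array"); reject anything that is not a canonical decimal string.
    if (!is_string($raw_id) || strval(intval($raw_id)) !== $raw_id) {
        naughty("e015b7c89da03385a9156d3e5d2eb25d");
    }
    $id = is_string($raw_id) ? intval($raw_id) : 0;
    $num_get_args = count($_GET);
    if ($id <= 0) {
        naughty("1493a07dec01a006d11bf43d2f17e5aa");
    }
    # id plus at most one other query parameter is tolerated.
    if ($num_get_args > 2) {
        naughty("79543dbb498ec47404aaed4d56bdc22b");
    }
    if ($id > 9999) {
        naughty("f1f531c768f64404cb00437254b06d71");
    }
    # 9999 is evidently a special value exempt from the allocation check
    # (its meaning is not visible here); any other id must not already be
    # published or reserved.
    if ($id != 9999 && isset($show_array[$id])) {
        naughty("2227263ac7171aca3214d155dec539ad");
    }
} else {
    $id = "";
}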
# Work out the next free show number and its date.
# The query returns the lowest id in eps whose successor (id + 1) does not
# exist — either the last published show or the show just before a gap in
# the numbering — so $next_show_num is the first unused number rather than
# MAX(id) + 1.
$query = mysqli_query($connection, "SELECT id, date FROM eps mo
WHERE NOT EXISTS
(
SELECT NULL
FROM eps mi
WHERE mi.id = mo.id + 1
)
ORDER BY
id
LIMIT 1");
# NOTE(review): an empty or failed result is not checked; in that case
# $next_show_num becomes 1 and the date is computed from an empty string.
$next_show_num_array = mysqli_fetch_row($query);
$next_show_num = $next_show_num_array[0] + 1;
# "+ 1 weekday" skips Saturday/Sunday — presumably shows are only released
# Monday to Friday; confirm against the release schedule.
$next_show_date = date('Y-m-d', strtotime($next_show_num_array[1] . ' + 1 weekday'));
# Template selector read by header.html; the request form is the "give" view.
$body = 'give';
include 'header.html';
?>
Requesting a slot for your show.
Please select your desired slot, and enter a valid email address.
See our help page for more information.
We will send you an email with a link to where you can upload your show.