lkddi/nexusphp
1
0
Fork 0
mirror of https://github.com/lkddi/nexusphp.git synced 2026-04-03 14:10:57 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
db4982f8f7cb23025b68ca747b95a13d2bbd632e
nexusphp/public/modrules.php

108 lines
4.9 KiB
PHP
Raw Normal View History

init
2020-12-26 01:42:23 +08:00
<?php
add composer
2021-01-13 19:32:26 +08:00
require_once("../include/bittorrent.php");
init
2020-12-26 01:42:23 +08:00
dbconn();
loggedinorreturn();
if (get_user_class() < UC_ADMINISTRATOR) {
stderr("Error","Only Administrators and above can modify the Rules, sorry.");
}
clear rules + faq cache in time
2022-09-05 15:29:39 +08:00
function clear_rules_cache()
{
\Nexus\Database\NexusDB::cache_del('rules');
}
init
2020-12-26 01:42:23 +08:00
fix warning staffpanel part
2021-01-07 17:35:00 +08:00
if (isset($_GET["act"]) && $_GET["act"] == "newsect")
init
2020-12-26 01:42:23 +08:00
{
stdhead("Add section");
//print("<td valign=top style=\"padding: 10px;\" colspan=2 align=center>");
//begin_main_frame();
print("<h1 align=center>Add Rules</h1>");
print("<form method=\"post\" action=\"modrules.php?act=addsect\">");
print("<table border=\"1\" cellspacing=\"0\" cellpadding=\"10\" align=\"center\">\n");
print("<tr><td>Title:</td><td align=left><input style=\"width: 400px;\" type=\"text\" name=\"title\"/></td></tr>\n");
print("<tr><td style=\"vertical-align: top;\">Rules:</td><td><textarea cols=90 rows=20 name=\"text\"></textarea></td></tr>\n");
$s = "<select name=language>";
$langs = langlist("rule_lang");
foreach ($langs as $row)
{
if($row["site_lang_folder"] == $deflang) $se = " selected"; else $se = "";
$s .= "<option value=". $row["id"] . $se. ">" . htmlspecialchars($row["lang_name"]) . "</option>\n";
}
$s .= "</select>";
print("<tr><td>Language:</td><td align=\"center\">".$s."</td></tr>\n");
print("<tr><td colspan=\"2\" align=\"center\"><input type=\"submit\" value=\"Add\" style=\"width: 60px;\"></td></tr>\n");
print("</table></form>");
print("</td></tr></table>");
stdfoot();
}
fix warning staffpanel part
2021-01-07 17:35:00 +08:00
elseif (isset($_GET["act"]) && $_GET["act"]=="addsect"){
init
2020-12-26 01:42:23 +08:00
$title = $_POST["title"];
$text = $_POST["text"];
$language = $_POST["language"];
sql_query("insert into rules (title, text, lang_id) values(".sqlesc($title).", ".sqlesc($text).", ".sqlesc($language).")") or sqlerr(__FILE__,__LINE__);
clear rules + faq cache in time
2022-09-05 15:29:39 +08:00
clear_rules_cache();
fix: Change Refresh into Location If use Refresh, it will not work on some browser and some protocols (e.g. HTTP/2). So, change Refresh into Location. Signed-off-by: SPC <github@spcsky.com>
2025-02-19 19:46:51 +08:00
header("Location: modrules.php");
init
2020-12-26 01:42:23 +08:00
}
fix warning staffpanel part
2021-01-07 17:35:00 +08:00
elseif (isset($_GET["act"]) && $_GET["act"] == "edit"){
修复3个安全漏洞 (#15) * 修复趣味盒未授权访问漏洞 趣味盒页面未做鉴权游客可以任意查看或发送内容 * 修复sql注入漏洞 * 修复sql注入 详见描述 代码第19行 if (!is_valid_id($class) && $class != 0) 如果class 为"sleep(5)" 虽然过不了is_valid_id校验 但是由于php 弱类型 非数字开头的字符串 最终会判断为 $class = 0 绕过了校验 另外建议is_valid_id 改为更直接的intval 将用户输入的的数据强制转换成int 防止sql注入
2021-05-19 13:49:41 +08:00
$id = intval($_GET["id"]);
init
2020-12-26 01:42:23 +08:00
$res = @mysql_fetch_array(@sql_query("select * from rules where id='$id'"));
stdhead("Edit rules");
//print("<td valign=top style=\"padding: 10px;\" colspan=2 align=center>");
//begin_main_frame();
print("<h1 align=center>Edit Rules</h1>");
print("<form method=\"post\" action=\"modrules.php?act=edited\">");
print("<table border=\"1\" cellspacing=\"0\" cellpadding=\"10\" align=\"center\">\n");
fix imdb class construct
2021-01-07 21:57:37 +08:00
print("<tr><td>Title:</td><td align=left><input style=\"width: 400px;\" type=\"text\" name=\"title\" value=\"".htmlspecialchars($res['title'])."\" /></td></tr>\n");
print("<tr><td style=\"vertical-align: top;\">Rules:</td><td><textarea cols=90 rows=20 name=\"text\">{$res['text']}</textarea></td></tr>\n");
init
2020-12-26 01:42:23 +08:00
$s = "<select name=language>";
$langs = langlist("site_lang");
foreach ($langs as $row)
{
if ($row['id'] == $res['lang_id']) $se = " selected"; else $se = "";
$s .= "<option value=". $row["id"] . $se. ">" . htmlspecialchars($row["lang_name"]) . "</option>\n";
}
$s .= "</select>";
print("<tr><td>Language:</td><td align=\"center\">".$s."</td></tr>\n");
print("<tr><td colspan=\"2\" align=\"center\"><input type=hidden value=$res[id] name=id><input type=\"submit\" value=\"Save\" style=\"width: 60px;\"></td></tr>\n");
print("</table>");
print("</td></tr></table>");
stdfoot();
}
fix warning staffpanel part
2021-01-07 17:35:00 +08:00
elseif (isset($_GET["act"]) && $_GET["act"]=="edited"){
keep some default value be integer 2
2021-01-06 02:19:03 +08:00
$id = intval($_POST["id"] ?? 0);
init
2020-12-26 01:42:23 +08:00
$title = $_POST["title"];
$text = $_POST["text"];
$language = $_POST["language"];
sql_query("update rules set title=".sqlesc($title).", text=".sqlesc($text).", lang_id = ".sqlesc($language)." where id=".sqlesc($id)) or sqlerr(__FILE__,__LINE__);
clear rules + faq cache in time
2022-09-05 15:29:39 +08:00
clear_rules_cache();
fix: Change Refresh into Location If use Refresh, it will not work on some browser and some protocols (e.g. HTTP/2). So, change Refresh into Location. Signed-off-by: SPC <github@spcsky.com>
2025-02-19 19:46:51 +08:00
header("Location: modrules.php");
init
2020-12-26 01:42:23 +08:00
}
fix warning staffpanel part
2021-01-07 17:35:00 +08:00
elseif (isset($_GET["act"]) && $_GET["act"]=="del"){
fix warning
2020-12-29 21:49:37 +08:00
$id = (int)$_GET["id"];
keep some default value be integer 2
2021-01-06 02:19:03 +08:00
$sure = intval($_GET["sure"] ?? 0);
init
2020-12-26 01:42:23 +08:00
if (!$sure)
{
stderr("Delete Rule","You are about to delete a rule. Click <a class=altlink href=?act=del&id=$id&sure=1>here</a> if you are sure.",false);
}
sql_query("DELETE FROM rules WHERE id=".sqlesc($id)) or sqlerr(__FILE__, __LINE__);
clear rules + faq cache in time
2022-09-05 15:29:39 +08:00
clear_rules_cache();
fix: Change Refresh into Location If use Refresh, it will not work on some browser and some protocols (e.g. HTTP/2). So, change Refresh into Location. Signed-off-by: SPC <github@spcsky.com>
2025-02-19 19:46:51 +08:00
header("Location: modrules.php");
init
2020-12-26 01:42:23 +08:00
}
else{
$res = sql_query("select rules.*, lang_name from rules left join language on rules.lang_id = language.id order by lang_name, id");
stdhead("Rules Manangement");
//print("<td valign=top style=\"padding: 10px;\" colspan=2 align=center>");
print("<h1 align=center>Rules Manangement</h1>");
print("<br /><table width=940 border=0 cellspacing=0 cellpadding=5>");
print("<tr><td align=center><a href=modrules.php?act=newsect>Add Section</a></td></tr></table>\n");
while ($arr=mysql_fetch_assoc($res)){
print("<br /><table width=940 border=1 cellspacing=0 cellpadding=5>");
print("<tr><td class=colhead>$arr[title] - $arr[lang_name]</td></tr>\n");
print("<tr><td align=left>" . format_comment($arr["text"])."</td></tr>");
print("<tr><td align=left><a href=?act=edit&id=$arr[id]>Edit</a>&nbsp;&nbsp;<a href=?act=del&id=$arr[id]>Delete</a></td></tr></table>");
//end_main_frame();
}
//print("");
print("</td></tr></table>");
stdfoot();
}
Reference in New Issue Copy Permalink