SleepIsDeath/demo/server.php

915 lines
21 KiB
PHP
Raw Normal View History

<?php
global $dps_version;
$dps_version = "1";
// edit settings.php to change server' settings
include( "settings.php" );
// no end-user settings below this point
// no caching
//header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', FALSE);
header('Pragma: no-cache');
// enable verbose error reporting to detect uninitialized variables
error_reporting( E_ALL );
// page layout for web-based setup
$setup_header = "
<HTML>
<HEAD><TITLE>Demo Permissions Server Web-based setup</TITLE></HEAD>
<BODY BGCOLOR=#FFFFFF TEXT=#000000 LINK=#0000FF VLINK=#FF0000>
<CENTER>
<TABLE WIDTH=75% BORDER=0 CELLSPACING=0 CELLPADDING=1>
<TR><TD BGCOLOR=#000000>
<TABLE WIDTH=100% BORDER=0 CELLSPACING=0 CELLPADDING=10>
<TR><TD BGCOLOR=#EEEEEE>";
$setup_footer = "
</TD></TR></TABLE>
</TD></TR></TABLE>
</CENTER>
</BODY></HTML>";
// ensure that magic quotes are on (adding slashes before quotes
// so that user-submitted data can be safely submitted in DB queries)
if( !get_magic_quotes_gpc() ) {
// force magic quotes to be added
$_GET = array_map( 'dps_addslashes_deep', $_GET );
$_POST = array_map( 'dps_addslashes_deep', $_POST );
$_REQUEST = array_map( 'dps_addslashes_deep', $_REQUEST );
$_COOKIE = array_map( 'dps_addslashes_deep', $_COOKIE );
}
// all calls need to connect to DB, so do it once here
dps_connectToDatabase();
// close connection down below (before function declarations)
// testing:
//sleep( 5 );
// general processing whenver server.php is accessed directly
// grab POST/GET variables
$action = "";
if( isset( $_REQUEST[ "action" ] ) ) {
$action = $_REQUEST[ "action" ];
}
$debug = "";
if( isset( $_REQUEST[ "debug" ] ) ) {
$debug = $_REQUEST[ "debug" ];
}
$remoteIP = "";
if( isset( $_SERVER[ "REMOTE_ADDR" ] ) ) {
$remoteIP = $_SERVER[ "REMOTE_ADDR" ];
}
if( $action == "version" ) {
global $dps_version;
echo "$dps_version";
}
else if( $action == "show_log" ) {
dps_showLog();
}
else if( $action == "clear_log" ) {
dps_clearLog();
}
else if( $action == "create_demo_id" ) {
dps_createDemoID();
}
else if( $action == "block_demo_id" ) {
dps_blockDemoID();
}
else if( $action == "delete_demo_id" ) {
dps_deleteDemoID();
}
else if( $action == "check_permitted" ) {
dps_checkPermitted();
}
else if( $action == "show_data" ) {
dps_showData();
}
else if( $action == "show_detail" ) {
dps_showDetail();
}
else if( $action == "dps_setup" ) {
global $setup_header, $setup_footer;
echo $setup_header;
echo "<H2>Demo Permissions Server Web-based Setup</H2>";
echo "Creating tables:<BR>";
echo "<CENTER><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=1>
<TR><TD BGCOLOR=#000000>
<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=5>
<TR><TD BGCOLOR=#FFFFFF>";
dps_setupDatabase();
echo "</TD></TR></TABLE></TD></TR></TABLE></CENTER><BR><BR>";
echo $setup_footer;
}
else if( preg_match( "/server\.php/", $_SERVER[ "SCRIPT_NAME" ] ) ) {
// server.php has been called without an action parameter
// the preg_match ensures that server.php was called directly and
// not just included by another script
// quick (and incomplete) test to see if we should show instructions
global $tableNamePrefix;
// check if our "games" table exists
$tableName = $tableNamePrefix . "demos";
$exists = dps_doesTableExist( $tableName );
if( $exists ) {
echo "Demo Permissions server database setup and ready";
}
else {
// start the setup procedure
global $setup_header, $setup_footer;
echo $setup_header;
echo "<H2>Demo Permissions Server Web-based Setup</H2>";
echo "Demo Permissions Server will walk you through a " .
"brief setup process.<BR><BR>";
echo "Step 1: ".
"<A HREF=\"server.php?action=dps_setup\">".
"create the database tables</A>";
echo $setup_footer;
}
}
// done processing
// only function declarations below
dps_closeDatabase();
/**
* Creates the database tables needed by seedBlogs.
*/
function dps_setupDatabase() {
global $tableNamePrefix;
$tableName = $tableNamePrefix . "log";
if( ! dps_doesTableExist( $tableName ) ) {
// this table contains general info about the server
// use INNODB engine so table can be locked
$query =
"CREATE TABLE $tableName(" .
"entry TEXT NOT NULL, ".
"entry_time DATETIME NOT NULL );";
$result = dps_queryDatabase( $query );
echo "<B>$tableName</B> table created<BR>";
}
else {
echo "<B>$tableName</B> table already exists<BR>";
}
$tableName = $tableNamePrefix . "demos";
if( ! dps_doesTableExist( $tableName ) ) {
// this table contains general info about each game
// use INNODB engine so table can be locked
$query =
"CREATE TABLE $tableName(" .
"demo_id CHAR(10) NOT NULL PRIMARY KEY," .
"creation_date DATETIME NOT NULL," .
"last_run_date DATETIME NOT NULL," .
"note CHAR(40) NOT NULL," .
"blocked TINYINT NOT NULL," .
"run_count INT NOT NULL );";
$result = dps_queryDatabase( $query );
echo "<B>$tableName</B> table created<BR>";
}
else {
echo "<B>$tableName</B> table already exists<BR>";
}
$tableName = $tableNamePrefix . "runs";
if( ! dps_doesTableExist( $tableName ) ) {
// this table contains information for each user
$query =
"CREATE TABLE $tableName(" .
"demo_id CHAR(10) NOT NULL," .
"run_date DATETIME NOT NULL," .
"blocked TINYINT NOT NULL," .
"ip_address CHAR(255) NOT NULL," .
"PRIMARY KEY( demo_id, run_date ) );";
$result = dps_queryDatabase( $query );
echo "<B>$tableName</B> table created<BR>";
}
else {
echo "<B>$tableName</B> table already exists<BR>";
}
}
function dps_showLog() {
$password = dps_checkPassword( "show_log" );
echo "[<a href=\"server.php?action=show_data&password=$password" .
"\">Main</a>]<br><br><br>";
global $tableNamePrefix;
$query = "SELECT * FROM $tableNamePrefix"."log ".
"ORDER BY entry_time DESC;";
$result = dps_queryDatabase( $query );
$numRows = mysql_numrows( $result );
echo "<a href=\"server.php?action=clear_log&password=$password\">".
"Clear log</a>";
echo "<hr>";
echo "$numRows log entries:<br><br><br>\n";
for( $i=0; $i<$numRows; $i++ ) {
$time = mysql_result( $result, $i, "entry_time" );
$entry = mysql_result( $result, $i, "entry" );
echo "<b>$time</b>:<br>$entry<hr>\n";
}
}
function dps_clearLog() {
$password = dps_checkPassword( "clear_log" );
echo "[<a href=\"server.php?action=show_data&password=$password" .
"\">Main</a>]<br>";
global $tableNamePrefix;
$query = "DELETE FROM $tableNamePrefix"."log;";
$result = dps_queryDatabase( $query );
if( $result ) {
echo "Log cleared.";
}
else {
echo "DELETE operation failed?";
}
}
function dps_createDemoID() {
$password = dps_checkPassword( "create_demo_id" );
global $tableNamePrefix;
$note = "";
if( isset( $_REQUEST[ "note" ] ) ) {
$note = $_REQUEST[ "note" ];
}
$found_unused_id = 0;
$salt = 0;
while( ! $found_unused_id ) {
$randVal = rand();
$hash = md5( $note . uniqid( "$randVal"."$salt", true ) );
$hash = strtoupper( $hash );
$demo_id = substr( $hash, 0, 10 );
// make code more human-friendly (alpha only)
$digitArray =
array( "0", "1", "2", "3", "4", "5", "6", "7", "8", "9" );
$letterArray =
array( "W", "H", "J", "K", "X", "M", "N", "P", "T", "Y" );
$demo_id = str_replace( $digitArray, $letterArray, $demo_id );
$query = "INSERT INTO $tableNamePrefix". "demos VALUES ( " .
"'$demo_id', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, ".
"'$note', '0', '0' );";
$result = mysql_query( $query );
if( $result ) {
$found_unused_id = 1;
global $remoteIP;
dps_log( "Demo $demo_id created by $remoteIP" );
//echo "$demo_id";
dps_showData();
}
else {
global $debug;
if( $debug == 1 ) {
echo "Duplicate ids? Error: " . mysql_error() ."<br>";
}
// try again
$salt += 1;
}
}
}
function dps_blockDemoID() {
$password = dps_checkPassword( "block_demo_id" );
global $tableNamePrefix;
$demo_id = "";
if( isset( $_REQUEST[ "demo_id" ] ) ) {
$demo_id = $_REQUEST[ "demo_id" ];
}
$demo_id = strtoupper( $demo_id );
$blocked = "";
if( isset( $_REQUEST[ "blocked" ] ) ) {
$blocked = $_REQUEST[ "blocked" ];
}
global $remoteIP;
$query = "SELECT * FROM $tableNamePrefix"."demos ".
"WHERE demo_id = '$demo_id';";
$result = dps_queryDatabase( $query );
$numRows = mysql_numrows( $result );
if( $numRows == 1 ) {
$query = "UPDATE $tableNamePrefix"."demos SET " .
"blocked = '$blocked' " .
"WHERE demo_id = '$demo_id';";
$result = dps_queryDatabase( $query );
dps_log( "$demo_id block changed to $blocked by $remoteIP" );
dps_showData();
}
else {
dps_log( "$demo_id not found for $remoteIP" );
echo "$demo_id not found";
}
}
function dps_deleteDemoID() {
$password = dps_checkPassword( "delete_demo_id" );
global $tableNamePrefix, $remoteIP;
$demo_id = "";
if( isset( $_REQUEST[ "demo_id" ] ) ) {
$demo_id = $_REQUEST[ "demo_id" ];
}
$demo_id = strtoupper( $demo_id );
$query = "DELETE FROM $tableNamePrefix"."demos ".
"WHERE demo_id = '$demo_id';";
$result = dps_queryDatabase( $query );
if( $result ) {
dps_log( "$demo_id deleted by $remoteIP" );
echo "$demo_id deleted.<hr>";
dps_showData();
}
else {
dps_log( "$demo_id delete failed for $remoteIP" );
echo "DELETE operation failed?";
}
}
function dps_checkPermitted() {
$demo_id = "";
if( isset( $_REQUEST[ "demo_id" ] ) ) {
$demo_id = $_REQUEST[ "demo_id" ];
}
$demo_id = strtoupper( $demo_id );
$challenge = "";
if( isset( $_REQUEST[ "challenge" ] ) ) {
$challenge = $_REQUEST[ "challenge" ];
}
global $tableNamePrefix, $remoteIP;
$query = "SELECT * FROM $tableNamePrefix"."demos ".
"WHERE demo_id = '$demo_id';";
$result = dps_queryDatabase( $query );
$numRows = mysql_numrows( $result );
if( $numRows == 1 ) {
$row = mysql_fetch_array( $result, MYSQL_ASSOC );
$blocked = $row[ "blocked" ];
// catalog blocked runs, too
$run_count = $row[ "run_count" ];
$run_count ++;
$query = "UPDATE $tableNamePrefix"."demos SET " .
"last_run_date = CURRENT_TIMESTAMP, " .
"run_count = '$run_count' " .
"WHERE demo_id = '$demo_id';";
$result = dps_queryDatabase( $query );
$query = "INSERT INTO $tableNamePrefix". "runs VALUES ( " .
"'$demo_id', CURRENT_TIMESTAMP, '$blocked', '$remoteIP' );";
$result = mysql_query( $query );
if( !$blocked ) {
dps_log( "$demo_id permitted to run by $remoteIP" );
// response to challenge using shared secret
global $sharedSecret;
$hash = sha1( $challenge . $sharedSecret );
$hash = strtoupper( $hash );
echo "permitted $hash";
return;
}
}
dps_log( "$demo_id denied to run by $remoteIP" );
echo "denied";
}
function dps_showData() {
$password = dps_checkPassword( "show_data" );
global $tableNamePrefix, $remoteIP;
echo "[<a href=\"server.php?action=show_data&password=$password" .
"\">Main</a>]";
$query = "SELECT * FROM $tableNamePrefix"."demos ".
"ORDER BY last_run_date DESC;";
$result = dps_queryDatabase( $query );
$numRows = mysql_numrows( $result );
// form
?>
<hr>
Create new ID:<br>
<FORM ACTION="server.php" METHOD="post">
<INPUT TYPE="hidden" NAME="password" VALUE="<?php echo $password;?>">
<INPUT TYPE="hidden" NAME="action" VALUE="create_demo_id">
Note:
<INPUT TYPE="text" MAXLENGTH=40 SIZE=20 NAME="note">
<INPUT TYPE="Submit" VALUE="Generate">
</FORM>
<hr>
<?php
echo "$numRows active IDs:<br><br><br>\n";
echo "<table border=1 cellpadding=5>\n";
echo "<tr><td>Demo ID</td>\n";
echo "<td>Note</td>\n";
echo "<td>Blocked?</td>\n";
echo "<td>Created</td> <td>Test</td> <td>Last Run</td>";
echo "<td>Run Count</td></tr>\n";
for( $i=0; $i<$numRows; $i++ ) {
$demo_id = mysql_result( $result, $i, "demo_id" );
$creation = mysql_result( $result, $i, "creation_date" );
$lastRun = mysql_result( $result, $i, "last_run_date" );
$count = mysql_result( $result, $i, "run_count" );
$note = mysql_result( $result, $i, "note" );
$blocked = mysql_result( $result, $i, "blocked" );
$block_toggle = "";
if( $blocked ) {
$blocked = "BLOCKED";
$block_toggle = "<a href=\"server.php?action=block_demo_id&".
"blocked=0&demo_id=$demo_id&password=$password\">unblock</a>";
}
else {
$blocked = "";
$block_toggle = "<a href=\"server.php?action=block_demo_id&".
"blocked=1&demo_id=$demo_id&password=$password\">block</a>";
}
// challenge to include in test link
$randVal = rand();
$challenge = md5( $demo_id . uniqid( "$randVal", true ) );
echo "<tr>\n";
echo "<td><b>$demo_id</b></td>\n";
echo "<td>$note</td>\n";
echo "<td align=right>$blocked [$block_toggle]</td>\n";
echo "<td>$creation</td> ";
echo "<td>[<a href=\"server.php?action=check_permitted".
"&demo_id=$demo_id&challenge=$challenge\">run test</a>]</td>";
echo "<td>$lastRun</td>";
echo "<td>$count runs ";
echo "[<a href=\"server.php?action=show_detail&password=$password" .
"&demo_id=$demo_id\">list</a>]</td>";
echo "</tr>\n";
}
echo "</table>";
echo "<hr>";
echo "<a href=\"server.php?action=show_log&password=$password\">".
"Show log</a>";
echo "<hr>";
echo "Generated for $remoteIP\n";
}
function dps_showDetail() {
$password = dps_checkPassword( "show_detail" );
echo "[<a href=\"server.php?action=show_data&password=$password" .
"\">Main</a>]";
global $tableNamePrefix;
$demo_id = "";
if( isset( $_REQUEST[ "demo_id" ] ) ) {
$demo_id = $_REQUEST[ "demo_id" ];
}
$demo_id = strtoupper( $demo_id );
$query = "SELECT * FROM $tableNamePrefix"."runs ".
"WHERE demo_id = '$demo_id' ORDER BY run_date DESC;";
$result = dps_queryDatabase( $query );
$numRows = mysql_numrows( $result );
echo "$numRows runs for $demo_id:";
echo " [<a href=\"server.php?action=delete_demo_id&password=$password" .
"&demo_id=$demo_id\">DELETE this id</a>]";
echo "<br><br><br>\n";
for( $i=0; $i<$numRows; $i++ ) {
$date = mysql_result( $result, $i, "run_date" );
$ipAddress = mysql_result( $result, $i, "ip_address" );
$blocked = mysql_result( $result, $i, "blocked" );
if( $blocked ) {
$blocked = "BLOCKED";
}
else {
$blocked = "";
}
echo "<b>$date</b>: $ipAddress $blocked<hr>\n";
}
}
// general-purpose functions down here, many copied from seedBlogs
/**
* Connects to the database according to the database variables.
*/
function dps_connectToDatabase() {
global $databaseServer,
$databaseUsername, $databasePassword, $databaseName;
mysql_connect( $databaseServer, $databaseUsername, $databasePassword )
or dps_fatalError( "Could not connect to database server: " .
mysql_error() );
mysql_select_db( $databaseName )
or dps_fatalError( "Could not select $databaseName database: " .
mysql_error() );
}
/**
* Closes the database connection.
*/
function dps_closeDatabase() {
mysql_close();
}
/**
* Queries the database, and dies with an error message on failure.
*
* @param $inQueryString the SQL query string.
*
* @return a result handle that can be passed to other mysql functions.
*/
function dps_queryDatabase( $inQueryString ) {
$result = mysql_query( $inQueryString )
or dps_fatalError( "Database query failed:<BR>$inQueryString<BR><BR>" .
mysql_error() );
return $result;
}
/**
* Checks whether a table exists in the currently-connected database.
*
* @param $inTableName the name of the table to look for.
*
* @return 1 if the table exists, or 0 if not.
*/
function dps_doesTableExist( $inTableName ) {
// check if our table exists
$tableExists = 0;
$query = "SHOW TABLES";
$result = dps_queryDatabase( $query );
$numRows = mysql_numrows( $result );
for( $i=0; $i<$numRows && ! $tableExists; $i++ ) {
$tableName = mysql_result( $result, $i, 0 );
if( $tableName == $inTableName ) {
$tableExists = 1;
}
}
return $tableExists;
}
function dps_log( $message ) {
global $enableLog, $tableNamePrefix;
$slashedMessage = addslashes( $message );
if( $enableLog ) {
$query = "INSERT INTO $tableNamePrefix"."log VALUES ( " .
"'$slashedMessage', CURRENT_TIMESTAMP );";
$result = dps_queryDatabase( $query );
}
}
/**
* Displays the error page and dies.
*
* @param $message the error message to display on the error page.
*/
function dps_fatalError( $message ) {
//global $errorMessage;
// set the variable that is displayed inside error.php
//$errorMessage = $message;
//include_once( "error.php" );
// for now, just print error message
$logMessage = "Fatal error: $message";
echo( $logMessage );
dps_log( $logMessage );
die();
}
/**
* Displays the operation error message and dies.
*
* @param $message the error message to display.
*/
function dps_operationError( $message ) {
// for now, just print error message
echo( "ERROR: $message" );
die();
}
/**
* Recursively applies the addslashes function to arrays of arrays.
* This effectively forces magic_quote escaping behavior, eliminating
* a slew of possible database security issues.
*
* @inValue the value or array to addslashes to.
*
* @return the value or array with slashes added.
*/
function dps_addslashes_deep( $inValue ) {
return
( is_array( $inValue )
? array_map( 'dps_addslashes_deep', $inValue )
: addslashes( $inValue ) );
}
/**
* Recursively applies the stripslashes function to arrays of arrays.
* This effectively disables magic_quote escaping behavior.
*
* @inValue the value or array to stripslashes from.
*
* @return the value or array with slashes removed.
*/
function dps_stripslashes_deep( $inValue ) {
return
( is_array( $inValue )
? array_map( 'sb_stripslashes_deep', $inValue )
: stripslashes( $inValue ) );
}
function dps_checkPassword( $inFunctionName ) {
$password = "";
if( isset( $_REQUEST[ "password" ] ) ) {
$password = $_REQUEST[ "password" ];
}
global $accessPassword, $tableNamePrefix, $remoteIP;
if( $password != $accessPassword ) {
echo "Incorrect password.";
dps_log( "Failed $inFunctionName access with password: $password" );
die();
}
return $password;
}
?>