Demo Permissions Server Web-based setup

"; $setup_footer = "

"; // ensure that magic quotes are on (adding slashes before quotes // so that user-submitted data can be safely submitted in DB queries) if( !get_magic_quotes_gpc() ) { // force magic quotes to be added $_GET = array_map( 'dps_addslashes_deep', $_GET ); $_POST = array_map( 'dps_addslashes_deep', $_POST ); $_REQUEST = array_map( 'dps_addslashes_deep', $_REQUEST ); $_COOKIE = array_map( 'dps_addslashes_deep', $_COOKIE ); } // all calls need to connect to DB, so do it once here dps_connectToDatabase(); // close connection down below (before function declarations) // testing: //sleep( 5 ); // general processing whenver server.php is accessed directly // grab POST/GET variables $action = ""; if( isset( $_REQUEST[ "action" ] ) ) { $action = $_REQUEST[ "action" ]; } $debug = ""; if( isset( $_REQUEST[ "debug" ] ) ) { $debug = $_REQUEST[ "debug" ]; } $remoteIP = ""; if( isset( $_SERVER[ "REMOTE_ADDR" ] ) ) { $remoteIP = $_SERVER[ "REMOTE_ADDR" ]; } if( $action == "version" ) { global $dps_version; echo "$dps_version"; } else if( $action == "show_log" ) { dps_showLog(); } else if( $action == "clear_log" ) { dps_clearLog(); } else if( $action == "create_demo_id" ) { dps_createDemoID(); } else if( $action == "block_demo_id" ) { dps_blockDemoID(); } else if( $action == "delete_demo_id" ) { dps_deleteDemoID(); } else if( $action == "check_permitted" ) { dps_checkPermitted(); } else if( $action == "show_data" ) { dps_showData(); } else if( $action == "show_detail" ) { dps_showDetail(); } else if( $action == "dps_setup" ) { global $setup_header, $setup_footer; echo $setup_header; echo "

Demo Permissions Server Web-based Setup

"; echo "Creating tables:
"; echo "

"; dps_setupDatabase(); echo "

"; echo $setup_footer; } else if( preg_match( "/server\.php/", $_SERVER[ "SCRIPT_NAME" ] ) ) { // server.php has been called without an action parameter // the preg_match ensures that server.php was called directly and // not just included by another script // quick (and incomplete) test to see if we should show instructions global $tableNamePrefix; // check if our "games" table exists $tableName = $tableNamePrefix . "demos"; $exists = dps_doesTableExist( $tableName ); if( $exists ) { echo "Demo Permissions server database setup and ready"; } else { // start the setup procedure global $setup_header, $setup_footer; echo $setup_header; echo "

Demo Permissions Server Web-based Setup

"; echo "Demo Permissions Server will walk you through a " . "brief setup process.

"; echo "Step 1: ". "". "create the database tables"; echo $setup_footer; } } // done processing // only function declarations below dps_closeDatabase(); /** * Creates the database tables needed by seedBlogs. */ function dps_setupDatabase() { global $tableNamePrefix; $tableName = $tableNamePrefix . "log"; if( ! dps_doesTableExist( $tableName ) ) { // this table contains general info about the server // use INNODB engine so table can be locked $query = "CREATE TABLE $tableName(" . "entry TEXT NOT NULL, ". "entry_time DATETIME NOT NULL );"; $result = dps_queryDatabase( $query ); echo "$tableName table created
"; } else { echo "$tableName table already exists
"; } $tableName = $tableNamePrefix . "demos"; if( ! dps_doesTableExist( $tableName ) ) { // this table contains general info about each game // use INNODB engine so table can be locked $query = "CREATE TABLE $tableName(" . "demo_id CHAR(10) NOT NULL PRIMARY KEY," . "creation_date DATETIME NOT NULL," . "last_run_date DATETIME NOT NULL," . "note CHAR(40) NOT NULL," . "blocked TINYINT NOT NULL," . "run_count INT NOT NULL );"; $result = dps_queryDatabase( $query ); echo "$tableName table created
"; } else { echo "$tableName table already exists
"; } $tableName = $tableNamePrefix . "runs"; if( ! dps_doesTableExist( $tableName ) ) { // this table contains information for each user $query = "CREATE TABLE $tableName(" . "demo_id CHAR(10) NOT NULL," . "run_date DATETIME NOT NULL," . "blocked TINYINT NOT NULL," . "ip_address CHAR(255) NOT NULL," . "PRIMARY KEY( demo_id, run_date ) );"; $result = dps_queryDatabase( $query ); echo "$tableName table created
"; } else { echo "$tableName table already exists
"; } } function dps_showLog() { $password = dps_checkPassword( "show_log" ); echo "[Main]

"; global $tableNamePrefix; $query = "SELECT * FROM $tableNamePrefix"."log ". "ORDER BY entry_time DESC;"; $result = dps_queryDatabase( $query ); $numRows = mysql_numrows( $result ); echo "". "Clear log"; echo "

"; echo "$numRows log entries:

\n"; for( $i=0; $i<$numRows; $i++ ) { $time = mysql_result( $result, $i, "entry_time" ); $entry = mysql_result( $result, $i, "entry" ); echo "$time:
$entry

\n"; } } function dps_clearLog() { $password = dps_checkPassword( "clear_log" ); echo "[Main]
"; global $tableNamePrefix; $query = "DELETE FROM $tableNamePrefix"."log;"; $result = dps_queryDatabase( $query ); if( $result ) { echo "Log cleared."; } else { echo "DELETE operation failed?"; } } function dps_createDemoID() { $password = dps_checkPassword( "create_demo_id" ); global $tableNamePrefix; $note = ""; if( isset( $_REQUEST[ "note" ] ) ) { $note = $_REQUEST[ "note" ]; } $found_unused_id = 0; $salt = 0; while( ! $found_unused_id ) { $randVal = rand(); $hash = md5( $note . uniqid( "$randVal"."$salt", true ) ); $hash = strtoupper( $hash ); $demo_id = substr( $hash, 0, 10 ); // make code more human-friendly (alpha only) $digitArray = array( "0", "1", "2", "3", "4", "5", "6", "7", "8", "9" ); $letterArray = array( "W", "H", "J", "K", "X", "M", "N", "P", "T", "Y" ); $demo_id = str_replace( $digitArray, $letterArray, $demo_id ); $query = "INSERT INTO $tableNamePrefix". "demos VALUES ( " . "'$demo_id', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, ". "'$note', '0', '0' );"; $result = mysql_query( $query ); if( $result ) { $found_unused_id = 1; global $remoteIP; dps_log( "Demo $demo_id created by $remoteIP" ); //echo "$demo_id"; dps_showData(); } else { global $debug; if( $debug == 1 ) { echo "Duplicate ids? Error: " . mysql_error() ."
"; } // try again $salt += 1; } } } function dps_blockDemoID() { $password = dps_checkPassword( "block_demo_id" ); global $tableNamePrefix; $demo_id = ""; if( isset( $_REQUEST[ "demo_id" ] ) ) { $demo_id = $_REQUEST[ "demo_id" ]; } $demo_id = strtoupper( $demo_id ); $blocked = ""; if( isset( $_REQUEST[ "blocked" ] ) ) { $blocked = $_REQUEST[ "blocked" ]; } global $remoteIP; $query = "SELECT * FROM $tableNamePrefix"."demos ". "WHERE demo_id = '$demo_id';"; $result = dps_queryDatabase( $query ); $numRows = mysql_numrows( $result ); if( $numRows == 1 ) { $query = "UPDATE $tableNamePrefix"."demos SET " . "blocked = '$blocked' " . "WHERE demo_id = '$demo_id';"; $result = dps_queryDatabase( $query ); dps_log( "$demo_id block changed to $blocked by $remoteIP" ); dps_showData(); } else { dps_log( "$demo_id not found for $remoteIP" ); echo "$demo_id not found"; } } function dps_deleteDemoID() { $password = dps_checkPassword( "delete_demo_id" ); global $tableNamePrefix, $remoteIP; $demo_id = ""; if( isset( $_REQUEST[ "demo_id" ] ) ) { $demo_id = $_REQUEST[ "demo_id" ]; } $demo_id = strtoupper( $demo_id ); $query = "DELETE FROM $tableNamePrefix"."demos ". "WHERE demo_id = '$demo_id';"; $result = dps_queryDatabase( $query ); if( $result ) { dps_log( "$demo_id deleted by $remoteIP" ); echo "$demo_id deleted.

"; dps_showData(); } else { dps_log( "$demo_id delete failed for $remoteIP" ); echo "DELETE operation failed?"; } } function dps_checkPermitted() { $demo_id = ""; if( isset( $_REQUEST[ "demo_id" ] ) ) { $demo_id = $_REQUEST[ "demo_id" ]; } $demo_id = strtoupper( $demo_id ); $challenge = ""; if( isset( $_REQUEST[ "challenge" ] ) ) { $challenge = $_REQUEST[ "challenge" ]; } global $tableNamePrefix, $remoteIP; $query = "SELECT * FROM $tableNamePrefix"."demos ". "WHERE demo_id = '$demo_id';"; $result = dps_queryDatabase( $query ); $numRows = mysql_numrows( $result ); if( $numRows == 1 ) { $row = mysql_fetch_array( $result, MYSQL_ASSOC ); $blocked = $row[ "blocked" ]; // catalog blocked runs, too $run_count = $row[ "run_count" ]; $run_count ++; $query = "UPDATE $tableNamePrefix"."demos SET " . "last_run_date = CURRENT_TIMESTAMP, " . "run_count = '$run_count' " . "WHERE demo_id = '$demo_id';"; $result = dps_queryDatabase( $query ); $query = "INSERT INTO $tableNamePrefix". "runs VALUES ( " . "'$demo_id', CURRENT_TIMESTAMP, '$blocked', '$remoteIP' );"; $result = mysql_query( $query ); if( !$blocked ) { dps_log( "$demo_id permitted to run by $remoteIP" ); // response to challenge using shared secret global $sharedSecret; $hash = sha1( $challenge . $sharedSecret ); $hash = strtoupper( $hash ); echo "permitted $hash"; return; } } dps_log( "$demo_id denied to run by $remoteIP" ); echo "denied"; } function dps_showData() { $password = dps_checkPassword( "show_data" ); global $tableNamePrefix, $remoteIP; echo "[Main]"; $query = "SELECT * FROM $tableNamePrefix"."demos ". "ORDER BY last_run_date DESC;"; $result = dps_queryDatabase( $query ); $numRows = mysql_numrows( $result ); // form ?>

Create new ID:

\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo ""; echo "\n"; for( $i=0; $i<$numRows; $i++ ) { $demo_id = mysql_result( $result, $i, "demo_id" ); $creation = mysql_result( $result, $i, "creation_date" ); $lastRun = mysql_result( $result, $i, "last_run_date" ); $count = mysql_result( $result, $i, "run_count" ); $note = mysql_result( $result, $i, "note" ); $blocked = mysql_result( $result, $i, "blocked" ); $block_toggle = ""; if( $blocked ) { $blocked = "BLOCKED"; $block_toggle = "unblock"; } else { $blocked = ""; $block_toggle = "block"; } // challenge to include in test link $randVal = rand(); $challenge = md5( $demo_id . uniqid( "$randVal", true ) ); echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo " "; echo ""; echo ""; echo ""; echo "\n"; } echo "

Demo ID	Note	Blocked?	Created	Test	Last Run	Run Count
$demo_id	$note	$blocked [$block_toggle]	$creation	[run test]	$lastRun	$count runs "; echo "[list]

"; echo "

"; echo "". "Show log"; echo "

"; echo "Generated for $remoteIP\n"; } function dps_showDetail() { $password = dps_checkPassword( "show_detail" ); echo "[Main]"; global $tableNamePrefix; $demo_id = ""; if( isset( $_REQUEST[ "demo_id" ] ) ) { $demo_id = $_REQUEST[ "demo_id" ]; } $demo_id = strtoupper( $demo_id ); $query = "SELECT * FROM $tableNamePrefix"."runs ". "WHERE demo_id = '$demo_id' ORDER BY run_date DESC;"; $result = dps_queryDatabase( $query ); $numRows = mysql_numrows( $result ); echo "$numRows runs for $demo_id:"; echo " [DELETE this id]"; echo "

\n"; for( $i=0; $i<$numRows; $i++ ) { $date = mysql_result( $result, $i, "run_date" ); $ipAddress = mysql_result( $result, $i, "ip_address" ); $blocked = mysql_result( $result, $i, "blocked" ); if( $blocked ) { $blocked = "BLOCKED"; } else { $blocked = ""; } echo "$date: $ipAddress $blocked

\n"; } } // general-purpose functions down here, many copied from seedBlogs /** * Connects to the database according to the database variables. */ function dps_connectToDatabase() { global $databaseServer, $databaseUsername, $databasePassword, $databaseName; mysql_connect( $databaseServer, $databaseUsername, $databasePassword ) or dps_fatalError( "Could not connect to database server: " . mysql_error() ); mysql_select_db( $databaseName ) or dps_fatalError( "Could not select $databaseName database: " . mysql_error() ); } /** * Closes the database connection. */ function dps_closeDatabase() { mysql_close(); } /** * Queries the database, and dies with an error message on failure. * * @param $inQueryString the SQL query string. * * @return a result handle that can be passed to other mysql functions. */ function dps_queryDatabase( $inQueryString ) { $result = mysql_query( $inQueryString ) or dps_fatalError( "Database query failed:
$inQueryString

" . mysql_error() ); return $result; } /** * Checks whether a table exists in the currently-connected database. * * @param $inTableName the name of the table to look for. * * @return 1 if the table exists, or 0 if not. */ function dps_doesTableExist( $inTableName ) { // check if our table exists $tableExists = 0; $query = "SHOW TABLES"; $result = dps_queryDatabase( $query ); $numRows = mysql_numrows( $result ); for( $i=0; $i<$numRows && ! $tableExists; $i++ ) { $tableName = mysql_result( $result, $i, 0 ); if( $tableName == $inTableName ) { $tableExists = 1; } } return $tableExists; } function dps_log( $message ) { global $enableLog, $tableNamePrefix; $slashedMessage = addslashes( $message ); if( $enableLog ) { $query = "INSERT INTO $tableNamePrefix"."log VALUES ( " . "'$slashedMessage', CURRENT_TIMESTAMP );"; $result = dps_queryDatabase( $query ); } } /** * Displays the error page and dies. * * @param $message the error message to display on the error page. */ function dps_fatalError( $message ) { //global $errorMessage; // set the variable that is displayed inside error.php //$errorMessage = $message; //include_once( "error.php" ); // for now, just print error message $logMessage = "Fatal error: $message"; echo( $logMessage ); dps_log( $logMessage ); die(); } /** * Displays the operation error message and dies. * * @param $message the error message to display. */ function dps_operationError( $message ) { // for now, just print error message echo( "ERROR: $message" ); die(); } /** * Recursively applies the addslashes function to arrays of arrays. * This effectively forces magic_quote escaping behavior, eliminating * a slew of possible database security issues. * * @inValue the value or array to addslashes to. * * @return the value or array with slashes added. */ function dps_addslashes_deep( $inValue ) { return ( is_array( $inValue ) ? array_map( 'dps_addslashes_deep', $inValue ) : addslashes( $inValue ) ); } /** * Recursively applies the stripslashes function to arrays of arrays. * This effectively disables magic_quote escaping behavior. * * @inValue the value or array to stripslashes from. * * @return the value or array with slashes removed. */ function dps_stripslashes_deep( $inValue ) { return ( is_array( $inValue ) ? array_map( 'sb_stripslashes_deep', $inValue ) : stripslashes( $inValue ) ); } function dps_checkPassword( $inFunctionName ) { $password = ""; if( isset( $_REQUEST[ "password" ] ) ) { $password = $_REQUEST[ "password" ]; } global $accessPassword, $tableNamePrefix, $remoteIP; if( $password != $accessPassword ) { echo "Incorrect password."; dps_log( "Failed $inFunctionName access with password: $password" ); die(); } return $password; } ?>