SleepIsDeath/demo/server.php

<?php



global $dps_version;
$dps_version = "1";



// edit settings.php to change server' settings
include( "settings.php" );




// no end-user settings below this point



// no caching
//header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', FALSE);
header('Pragma: no-cache'); 



// enable verbose error reporting to detect uninitialized variables
error_reporting( E_ALL );



// page layout for web-based setup
$setup_header = "
<HTML>
<HEAD><TITLE>Demo Permissions Server Web-based setup</TITLE></HEAD>
<BODY BGCOLOR=#FFFFFF TEXT=#000000 LINK=#0000FF VLINK=#FF0000>

<CENTER>
<TABLE WIDTH=75% BORDER=0 CELLSPACING=0 CELLPADDING=1>
<TR><TD BGCOLOR=#000000>
<TABLE WIDTH=100% BORDER=0 CELLSPACING=0 CELLPADDING=10>
<TR><TD BGCOLOR=#EEEEEE>";

$setup_footer = "
</TD></TR></TABLE>
</TD></TR></TABLE>
</CENTER>
</BODY></HTML>";






// ensure that magic quotes are on (adding slashes before quotes
// so that user-submitted data can be safely submitted in DB queries)
if( !get_magic_quotes_gpc() ) {
    // force magic quotes to be added
    $_GET     = array_map( 'dps_addslashes_deep', $_GET );
    $_POST    = array_map( 'dps_addslashes_deep', $_POST );
    $_REQUEST = array_map( 'dps_addslashes_deep', $_REQUEST );
    $_COOKIE  = array_map( 'dps_addslashes_deep', $_COOKIE );
    }
    





// all calls need to connect to DB, so do it once here
dps_connectToDatabase();

// close connection down below (before function declarations)


// testing:
//sleep( 5 );


// general processing whenver server.php is accessed directly




// grab POST/GET variables
$action = "";
if( isset( $_REQUEST[ "action" ] ) ) {
    $action = $_REQUEST[ "action" ];
    }

$debug = "";
if( isset( $_REQUEST[ "debug" ] ) ) {
    $debug = $_REQUEST[ "debug" ];
    }

$remoteIP = "";
if( isset( $_SERVER[ "REMOTE_ADDR" ] ) ) {
    $remoteIP = $_SERVER[ "REMOTE_ADDR" ];
    }




if( $action == "version" ) {
    global $dps_version;
    echo "$dps_version";
    }
else if( $action == "show_log" ) {
    dps_showLog();
    }
else if( $action == "clear_log" ) {
    dps_clearLog();
    }
else if( $action == "create_demo_id" ) {
    dps_createDemoID();
    }
else if( $action == "block_demo_id" ) {
    dps_blockDemoID();
    }
else if( $action == "delete_demo_id" ) {
    dps_deleteDemoID();
    }
else if( $action == "check_permitted" ) {
    dps_checkPermitted();
    }
else if( $action == "show_data" ) {
    dps_showData();
    }
else if( $action == "show_detail" ) {
    dps_showDetail();
    }
else if( $action == "dps_setup" ) {
    global $setup_header, $setup_footer;
    echo $setup_header; 

    echo "<H2>Demo Permissions Server Web-based Setup</H2>";

    echo "Creating tables:<BR>";

    echo "<CENTER><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=1>
          <TR><TD BGCOLOR=#000000>
          <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=5>
          <TR><TD BGCOLOR=#FFFFFF>";

    dps_setupDatabase();

    echo "</TD></TR></TABLE></TD></TR></TABLE></CENTER><BR><BR>";
    
    echo $setup_footer;
    }
else if( preg_match( "/server\.php/", $_SERVER[ "SCRIPT_NAME" ] ) ) {
    // server.php has been called without an action parameter

    // the preg_match ensures that server.php was called directly and
    // not just included by another script
    
    // quick (and incomplete) test to see if we should show instructions
    global $tableNamePrefix;
    
    // check if our "games" table exists
    $tableName = $tableNamePrefix . "demos";
    
    $exists = dps_doesTableExist( $tableName );
        
    if( $exists  ) {
        echo "Demo Permissions server database setup and ready";
        }
    else {
        // start the setup procedure

        global $setup_header, $setup_footer;
        echo $setup_header; 

        echo "<H2>Demo Permissions Server Web-based Setup</H2>";
    
        echo "Demo Permissions Server will walk you through a " .
            "brief setup process.<BR><BR>";
        
        echo "Step 1: ".
            "<A HREF=\"server.php?action=dps_setup\">".
            "create the database tables</A>";

        echo $setup_footer;
        }
    }



// done processing
// only function declarations below

dps_closeDatabase();







/**
 * Creates the database tables needed by seedBlogs.
 */
function dps_setupDatabase() {
    global $tableNamePrefix;

    $tableName = $tableNamePrefix . "log";
    if( ! dps_doesTableExist( $tableName ) ) {

        // this table contains general info about the server
        // use INNODB engine so table can be locked
        $query =
            "CREATE TABLE $tableName(" .
            "entry TEXT NOT NULL, ".
            "entry_time DATETIME NOT NULL );";

        $result = dps_queryDatabase( $query );

        echo "<B>$tableName</B> table created<BR>";
        }
    else {
        echo "<B>$tableName</B> table already exists<BR>";
        }

    
    
    $tableName = $tableNamePrefix . "demos";
    if( ! dps_doesTableExist( $tableName ) ) {

        // this table contains general info about each game
        // use INNODB engine so table can be locked
        $query =
            "CREATE TABLE $tableName(" .
            "demo_id CHAR(10) NOT NULL PRIMARY KEY," .
            "creation_date DATETIME NOT NULL," .
            "last_run_date DATETIME NOT NULL," .
            "note CHAR(40) NOT NULL," .
            "blocked TINYINT NOT NULL," .
            "run_count INT NOT NULL );";

        $result = dps_queryDatabase( $query );

        echo "<B>$tableName</B> table created<BR>";
        }
    else {
        echo "<B>$tableName</B> table already exists<BR>";
        }


    
    
    $tableName = $tableNamePrefix . "runs";
    if( ! dps_doesTableExist( $tableName ) ) {

        // this table contains information for each user
        $query =
            "CREATE TABLE $tableName(" .
            "demo_id CHAR(10) NOT NULL," .
            "run_date DATETIME NOT NULL," .
            "blocked TINYINT NOT NULL," .
            "ip_address CHAR(255) NOT NULL," .
            "PRIMARY KEY( demo_id, run_date ) );";
                
        $result = dps_queryDatabase( $query );
        
        echo "<B>$tableName</B> table created<BR>";
        }
    else {
        echo "<B>$tableName</B> table already exists<BR>";
        }
    }



function dps_showLog() {
    $password = dps_checkPassword( "show_log" );

     echo "[<a href=\"server.php?action=show_data&password=$password" .
         "\">Main</a>]<br><br><br>";
    
    global $tableNamePrefix;

    $query = "SELECT * FROM $tableNamePrefix"."log ".
        "ORDER BY entry_time DESC;";
    $result = dps_queryDatabase( $query );

    $numRows = mysql_numrows( $result );



    echo "<a href=\"server.php?action=clear_log&password=$password\">".
        "Clear log</a>";
        
    echo "<hr>";
        
    echo "$numRows log entries:<br><br><br>\n";
        

    for( $i=0; $i<$numRows; $i++ ) {
        $time = mysql_result( $result, $i, "entry_time" );
        $entry = mysql_result( $result, $i, "entry" );

        echo "<b>$time</b>:<br>$entry<hr>\n";
        }
    }



function dps_clearLog() {
    $password = dps_checkPassword( "clear_log" );

     echo "[<a href=\"server.php?action=show_data&password=$password" .
         "\">Main</a>]<br>";
    
    global $tableNamePrefix;

    $query = "DELETE FROM $tableNamePrefix"."log;";
    $result = dps_queryDatabase( $query );
    
    if( $result ) {
        echo "Log cleared.";
        }
    else {
        echo "DELETE operation failed?";
        }
    }







function dps_createDemoID() {
    $password = dps_checkPassword( "create_demo_id" );

    global $tableNamePrefix;
    
    
    $note = "";
    if( isset( $_REQUEST[ "note" ] ) ) {
        $note = $_REQUEST[ "note" ];
        }


    
    $found_unused_id = 0;
    $salt = 0;
    
    
    while( ! $found_unused_id ) {

        $randVal = rand();
        
        $hash = md5( $note . uniqid( "$randVal"."$salt", true ) );

        $hash = strtoupper( $hash );
        
        
        $demo_id = substr( $hash, 0, 10 );


        
        // make code more human-friendly (alpha only)

        $digitArray =
            array( "0", "1", "2", "3", "4", "5", "6", "7", "8", "9" );
        $letterArray =
            array( "W", "H", "J", "K", "X", "M", "N", "P", "T", "Y" );

        $demo_id = str_replace( $digitArray, $letterArray, $demo_id );
        


        $query = "INSERT INTO $tableNamePrefix". "demos VALUES ( " .
            "'$demo_id', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, ".
            "'$note', '0', '0' );";


        $result = mysql_query( $query );

        if( $result ) {
            $found_unused_id = 1;

            global $remoteIP;
            dps_log( "Demo $demo_id created by $remoteIP" );

            
            //echo "$demo_id";
            dps_showData();
            }
        else {
            global $debug;
            if( $debug == 1 ) {
                echo "Duplicate ids?  Error:  " . mysql_error() ."<br>";
                }
            // try again
            $salt += 1;
            }
        }

    }



function dps_blockDemoID() {
    $password = dps_checkPassword( "block_demo_id" );


    global $tableNamePrefix;
        
    $demo_id = "";
    if( isset( $_REQUEST[ "demo_id" ] ) ) {
        $demo_id = $_REQUEST[ "demo_id" ];
        }

    $demo_id = strtoupper( $demo_id );
    

    $blocked = "";
    if( isset( $_REQUEST[ "blocked" ] ) ) {
        $blocked = $_REQUEST[ "blocked" ];
        }

    
    global $remoteIP;

    

    
    $query = "SELECT * FROM $tableNamePrefix"."demos ".
        "WHERE demo_id = '$demo_id';";
    $result = dps_queryDatabase( $query );

    $numRows = mysql_numrows( $result );

    if( $numRows == 1 ) {

        
        $query = "UPDATE $tableNamePrefix"."demos SET " .
            "blocked = '$blocked' " .
            "WHERE demo_id = '$demo_id';";
        
        $result = dps_queryDatabase( $query );

        
        dps_log( "$demo_id block changed to $blocked by $remoteIP" );

        dps_showData();
        }
    else {
        dps_log( "$demo_id not found for $remoteIP" );

        echo "$demo_id not found";
        }    
    }



function dps_deleteDemoID() {
    $password = dps_checkPassword( "delete_demo_id" );

    global $tableNamePrefix, $remoteIP;
        
    $demo_id = "";
    if( isset( $_REQUEST[ "demo_id" ] ) ) {
        $demo_id = $_REQUEST[ "demo_id" ];
        }

    $demo_id = strtoupper( $demo_id );
    

    $query = "DELETE FROM $tableNamePrefix"."demos ".
        "WHERE demo_id = '$demo_id';";
    $result = dps_queryDatabase( $query );
    
    if( $result ) {
        dps_log( "$demo_id deleted by $remoteIP" );

        echo "$demo_id deleted.<hr>";
        
        dps_showData();
        }
    else {
        dps_log( "$demo_id delete failed for $remoteIP" );

        echo "DELETE operation failed?";
        }
    }



function dps_checkPermitted() {
    $demo_id = "";
    if( isset( $_REQUEST[ "demo_id" ] ) ) {
        $demo_id = $_REQUEST[ "demo_id" ];
        }

    $demo_id = strtoupper( $demo_id );
    

    $challenge = "";
    if( isset( $_REQUEST[ "challenge" ] ) ) {
        $challenge = $_REQUEST[ "challenge" ];
        }
    
    
    global $tableNamePrefix, $remoteIP;

    

    
    $query = "SELECT * FROM $tableNamePrefix"."demos ".
        "WHERE demo_id = '$demo_id';";
    $result = dps_queryDatabase( $query );

    $numRows = mysql_numrows( $result );

    if( $numRows == 1 ) {
        
        $row = mysql_fetch_array( $result, MYSQL_ASSOC );

        $blocked = $row[ "blocked" ];


        // catalog blocked runs, too
        $run_count = $row[ "run_count" ];
        
        $run_count ++;
        
        
        $query = "UPDATE $tableNamePrefix"."demos SET " .
            "last_run_date = CURRENT_TIMESTAMP, " .
            "run_count = '$run_count' " .
            "WHERE demo_id = '$demo_id';";
            

        $result = dps_queryDatabase( $query );
        
        $query = "INSERT INTO $tableNamePrefix". "runs VALUES ( " .
            "'$demo_id', CURRENT_TIMESTAMP, '$blocked', '$remoteIP' );";
        
        $result = mysql_query( $query );

        if( !$blocked ) {
            
            dps_log( "$demo_id permitted to run by $remoteIP" );
        

            // response to challenge using shared secret
            
            global $sharedSecret;
            
            $hash = sha1( $challenge . $sharedSecret );

            $hash = strtoupper( $hash );
            

            
            echo "permitted $hash";
            return;
            }
        }

    dps_log( "$demo_id denied to run by $remoteIP" );

    echo "denied";
    }





function dps_showData() {
    $password = dps_checkPassword( "show_data" );

    global $tableNamePrefix, $remoteIP;
    

    echo "[<a href=\"server.php?action=show_data&password=$password" .
            "\">Main</a>]";
    
    
    $query = "SELECT * FROM $tableNamePrefix"."demos ".
        "ORDER BY last_run_date DESC;";
    $result = dps_queryDatabase( $query );
    
    $numRows = mysql_numrows( $result );

    // form
        ?>    

        <hr>
        Create new ID:<br>
            <FORM ACTION="server.php" METHOD="post">
    <INPUT TYPE="hidden" NAME="password" VALUE="<?php echo $password;?>">
    <INPUT TYPE="hidden" NAME="action" VALUE="create_demo_id">
    Note:
    <INPUT TYPE="text" MAXLENGTH=40 SIZE=20 NAME="note">
            <INPUT TYPE="Submit" VALUE="Generate">
    </FORM>
        <hr>

        <?php

    
    echo "$numRows active IDs:<br><br><br>\n";

    echo "<table border=1 cellpadding=5>\n";

    echo "<tr><td>Demo ID</td>\n";
    echo "<td>Note</td>\n";
    echo "<td>Blocked?</td>\n";
    echo "<td>Created</td> <td>Test</td> <td>Last Run</td>";
    echo "<td>Run Count</td></tr>\n";


    for( $i=0; $i<$numRows; $i++ ) {
        $demo_id = mysql_result( $result, $i, "demo_id" );
        $creation = mysql_result( $result, $i, "creation_date" );
        $lastRun = mysql_result( $result, $i, "last_run_date" );
        $count = mysql_result( $result, $i, "run_count" );
        $note = mysql_result( $result, $i, "note" );
        $blocked = mysql_result( $result, $i, "blocked" );

        $block_toggle = "";
        
        if( $blocked ) {
            $blocked = "BLOCKED";
            $block_toggle = "<a href=\"server.php?action=block_demo_id&".
                "blocked=0&demo_id=$demo_id&password=$password\">unblock</a>";
            
            }
        else {
            $blocked = "";
            $block_toggle = "<a href=\"server.php?action=block_demo_id&".
                "blocked=1&demo_id=$demo_id&password=$password\">block</a>";
            
            }


        // challenge to include in test link
        $randVal = rand();
        
        $challenge = md5( $demo_id . uniqid( "$randVal", true ) );
        
        
        echo "<tr>\n";
        
        echo "<td><b>$demo_id</b></td>\n";
        echo "<td>$note</td>\n";
        echo "<td align=right>$blocked [$block_toggle]</td>\n";
        echo "<td>$creation</td> ";
        echo "<td>[<a href=\"server.php?action=check_permitted".
            "&demo_id=$demo_id&challenge=$challenge\">run test</a>]</td>";
        echo "<td>$lastRun</td>";
        echo "<td>$count runs ";

        echo "[<a href=\"server.php?action=show_detail&password=$password" .
            "&demo_id=$demo_id\">list</a>]</td>";
        
        echo "</tr>\n";
        }
    echo "</table>";
    echo "<hr>";

    echo "<a href=\"server.php?action=show_log&password=$password\">".
        "Show log</a>";
    echo "<hr>";
    echo "Generated for $remoteIP\n";

    }



function dps_showDetail() {
    $password = dps_checkPassword( "show_detail" );

     echo "[<a href=\"server.php?action=show_data&password=$password" .
         "\">Main</a>]";
    
    global $tableNamePrefix;
    

    $demo_id = "";
    if( isset( $_REQUEST[ "demo_id" ] ) ) {
        $demo_id = $_REQUEST[ "demo_id" ];
        }

    $demo_id = strtoupper( $demo_id );

    
    $query = "SELECT * FROM $tableNamePrefix"."runs ".
        "WHERE demo_id = '$demo_id' ORDER BY run_date DESC;";
    $result = dps_queryDatabase( $query );

    $numRows = mysql_numrows( $result );

    echo "$numRows runs for $demo_id:";

    echo " [<a href=\"server.php?action=delete_demo_id&password=$password" .
        "&demo_id=$demo_id\">DELETE this id</a>]";
    
    echo "<br><br><br>\n";
        

    for( $i=0; $i<$numRows; $i++ ) {
        $date = mysql_result( $result, $i, "run_date" );
        $ipAddress = mysql_result( $result, $i, "ip_address" );

        $blocked = mysql_result( $result, $i, "blocked" );

        if( $blocked ) {
            $blocked = "BLOCKED";
            }
        else {
            $blocked = "";
            }
        
        echo "<b>$date</b>: $ipAddress $blocked<hr>\n";
        }
    }






// general-purpose functions down here, many copied from seedBlogs

/**
 * Connects to the database according to the database variables.
 */  
function dps_connectToDatabase() {
    global $databaseServer,
        $databaseUsername, $databasePassword, $databaseName;
    
    
    mysql_connect( $databaseServer, $databaseUsername, $databasePassword )
        or dps_fatalError( "Could not connect to database server: " .
                       mysql_error() );
    
	mysql_select_db( $databaseName )
        or dps_fatalError( "Could not select $databaseName database: " .
                       mysql_error() );
    }


 
/**
 * Closes the database connection.
 */
function dps_closeDatabase() {
    mysql_close();
    }



/**
 * Queries the database, and dies with an error message on failure.
 *
 * @param $inQueryString the SQL query string.
 *
 * @return a result handle that can be passed to other mysql functions.
 */
function dps_queryDatabase( $inQueryString ) {

    $result = mysql_query( $inQueryString )
        or dps_fatalError( "Database query failed:<BR>$inQueryString<BR><BR>" .
                       mysql_error() );

    return $result;
    }



/**
 * Checks whether a table exists in the currently-connected database.
 *
 * @param $inTableName the name of the table to look for.
 *
 * @return 1 if the table exists, or 0 if not.
 */
function dps_doesTableExist( $inTableName ) {
    // check if our table exists
    $tableExists = 0;
    
    $query = "SHOW TABLES";
    $result = dps_queryDatabase( $query );

    $numRows = mysql_numrows( $result );


    for( $i=0; $i<$numRows && ! $tableExists; $i++ ) {

        $tableName = mysql_result( $result, $i, 0 );
        
        if( $tableName == $inTableName ) {
            $tableExists = 1;
            }
        }
    return $tableExists;
    }



function dps_log( $message ) {
    global $enableLog, $tableNamePrefix;

    $slashedMessage = addslashes( $message );
    
    if( $enableLog ) {
        $query = "INSERT INTO $tableNamePrefix"."log VALUES ( " .
            "'$slashedMessage', CURRENT_TIMESTAMP );";
        $result = dps_queryDatabase( $query );
        }
    }



/**
 * Displays the error page and dies.
 *
 * @param $message the error message to display on the error page.
 */
function dps_fatalError( $message ) {
    //global $errorMessage;

    // set the variable that is displayed inside error.php
    //$errorMessage = $message;
    
    //include_once( "error.php" );

    // for now, just print error message
    $logMessage = "Fatal error:  $message";
    
    echo( $logMessage );

    dps_log( $logMessage );
    
    die();
    }



/**
 * Displays the operation error message and dies.
 *
 * @param $message the error message to display.
 */
function dps_operationError( $message ) {
    
    // for now, just print error message
    echo( "ERROR:  $message" );
    die();
    }


/**
 * Recursively applies the addslashes function to arrays of arrays.
 * This effectively forces magic_quote escaping behavior, eliminating
 * a slew of possible database security issues. 
 *
 * @inValue the value or array to addslashes to.
 *
 * @return the value or array with slashes added.
 */
function dps_addslashes_deep( $inValue ) {
    return
        ( is_array( $inValue )
          ? array_map( 'dps_addslashes_deep', $inValue )
          : addslashes( $inValue ) );
    }



/**
 * Recursively applies the stripslashes function to arrays of arrays.
 * This effectively disables magic_quote escaping behavior. 
 *
 * @inValue the value or array to stripslashes from.
 *
 * @return the value or array with slashes removed.
 */
function dps_stripslashes_deep( $inValue ) {
    return
        ( is_array( $inValue )
          ? array_map( 'sb_stripslashes_deep', $inValue )
          : stripslashes( $inValue ) );
    }



function dps_checkPassword( $inFunctionName ) {
    $password = "";
    if( isset( $_REQUEST[ "password" ] ) ) {
        $password = $_REQUEST[ "password" ];
        }

    global $accessPassword, $tableNamePrefix, $remoteIP;
    
    if( $password != $accessPassword ) {
        echo "Incorrect password.";

        dps_log( "Failed $inFunctionName access with password:  $password" );

        die();
        }

    return $password;
    }


?>