backend.php 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572
  1. <?php
  2. set_include_path(get_include_path() . PATH_SEPARATOR .
  3. dirname(__FILE__) ."/include");
  4. /* remove ill effects of magic quotes */
  5. if (get_magic_quotes_gpc()) {
  6. function stripslashes_deep($value) {
  7. $value = is_array($value) ?
  8. array_map('stripslashes_deep', $value) : stripslashes($value);
  9. return $value;
  10. }
  11. $_POST = array_map('stripslashes_deep', $_POST);
  12. $_GET = array_map('stripslashes_deep', $_GET);
  13. $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
  14. $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
  15. }
  16. require_once "functions.php";
  17. require_once "sessions.php";
  18. require_once "db-prefs.php";
  19. require_once "sanity_check.php";
  20. require_once "version.php";
  21. require_once "config.php";
  22. require_once "prefs.php";
  23. require_once "users.php";
  24. $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
  25. init_connection($link);
  26. $dt_add = get_script_dt_add();
  27. header('Content-Type: text/json; charset=utf-8');
  28. $op = $_REQUEST["op"];
  29. if (!$_SESSION["uid"] && $op != "fetch-profiles" && $op != "login") {
  30. print json_encode(array("error" => 6));
  31. return;
  32. } else if ($_SESSION["uid"]) {
  33. update_heartbeat($link);
  34. }
  35. if (!sanity_check($link)) { return; }
  36. switch ($op) {
  37. case "create-user":
  38. $login = strtolower(db_escape_string($_REQUEST["login"]));
  39. $rv = array();
  40. if ($_SESSION["access_level"] >= 10) {
  41. $result = db_query($link, "SELECT id FROM ttirc_users WHERE
  42. login = '$login'");
  43. if (db_num_rows($result) == 0) {
  44. $tmp_password = make_password();
  45. $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
  46. $pwd_hash = db_escape_string(encrypt_password($tmp_password, $salt, true));
  47. $rv[0] = T_sprintf("Created user %s with password <b>%s</b>.",
  48. $login, $tmp_password);
  49. db_query($link, "INSERT INTO ttirc_users
  50. (login, pwd_hash, email, nick, realname, salt)
  51. VALUES
  52. ('$login', '$pwd_hash', '[email protected]', '$login', '$login', '$salt')");
  53. } else {
  54. $rv[0] = T_sprintf("User %s already exists", $login);
  55. }
  56. $rv[1] = format_users($link);
  57. print json_encode($rv);
  58. }
  59. break;
  60. case "reset-password":
  61. $id = db_escape_string($_REQUEST["id"]);
  62. if ($_SESSION["access_level"] >= 10) {
  63. $tmp_password = make_password();
  64. $login = get_user_login($link, $id);
  65. $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
  66. $pwd_hash = db_escape_string(encrypt_password($tmp_password, $salt, true));
  67. db_query($link, "UPDATE ttirc_users SET pwd_hash = '$pwd_hash', salt = '$salt'
  68. WHERE id = '$id'");
  69. print json_encode(array("message" =>
  70. T_sprintf("Reset password of user %s to <b>%s</b>.", $login,
  71. $tmp_password)));
  72. }
  73. break;
  74. case "delete-user":
  75. $ids = db_escape_string($_REQUEST["ids"]);
  76. if ($_SESSION["access_level"] >= 10) {
  77. db_query($link, "DELETE FROM ttirc_users WHERE
  78. id in ($ids) AND id != " . $_SESSION["uid"]);
  79. print format_users($link);
  80. }
  81. break;
  82. case "users":
  83. if ($_SESSION["access_level"] >= 10) {
  84. show_users($link);
  85. }
  86. break;
  87. case "part-channel":
  88. $last_id = (int) db_escape_string($_REQUEST["last_id"]);
  89. $chan = db_escape_string($_REQUEST["chan"]);
  90. $connection_id = db_escape_string($_REQUEST["connection"]);
  91. if ($chan && valid_connection($link, $connection_id)) {
  92. handle_command($link, $connection_id, $chan, "/part");
  93. db_query($link, "DELETE FROM ttirc_channels WHERE channel = '$chan'
  94. AND connection_id = '$connection_id'");
  95. }
  96. $lines = get_new_lines($link, $last_id);
  97. $conn = get_conn_info($link);
  98. $chandata = get_chan_data($link, false);
  99. $params = get_misc_params($link);
  100. print json_encode(array($conn, $lines, $chandata, $params));
  101. break;
  102. case "query-user":
  103. $nick = db_escape_string(trim($_REQUEST["nick"]));
  104. $last_id = (int) db_escape_string($_REQUEST["last_id"]);
  105. $connection_id = db_escape_string($_REQUEST["connection"]);
  106. if ($nick && valid_connection($link, $connection_id)) {
  107. handle_command($link, $connection_id, $chan, "/query $nick");
  108. }
  109. $lines = get_new_lines($link, $last_id);
  110. $conn = get_conn_info($link);
  111. $chandata = get_chan_data($link, false);
  112. $params = get_misc_params($link);
  113. print json_encode(array($conn, $lines, $chandata, $params));
  114. break;
  115. case "send":
  116. $message = db_escape_string(trim($_REQUEST["message"]));
  117. $last_id = (int) db_escape_string($_REQUEST["last_id"]);
  118. $chan = db_escape_string($_REQUEST["chan"]);
  119. $connection_id = db_escape_string($_REQUEST["connection"]);
  120. $tab_type = db_escape_string($_REQUEST["tab_type"]);
  121. $send_only = $_REQUEST["send_only"] == "true";
  122. if ($message !== "" && valid_connection($link, $connection_id)) {
  123. if (strpos($message, "/") === 0) {
  124. handle_command($link, $connection_id, $chan, $message);
  125. } else {
  126. $popcon_matches = array();
  127. preg_match_all("/(:[^ :]+:)/", $message, $popcon_matches);
  128. $emoticons_map = get_emoticons_map();
  129. if ($emoticons_map && count($popcon_matches[0]) > 0) {
  130. foreach ($popcon_matches[0] as $emoticon) {
  131. if (isset($emoticons_map[$emoticon])) {
  132. $emoticon = db_escape_string($emoticon);
  133. $result = db_query($link, "SELECT id, times_used FROM ttirc_emoticons_popcon
  134. WHERE emoticon = '$emoticon' AND owner_uid = " . $_SESSION["uid"]);
  135. if (db_num_rows($result) == 0) {
  136. db_query($link, "INSERT INTO ttirc_emoticons_popcon (emoticon, times_used, owner_uid)
  137. VALUES ('$emoticon', 1, ".$_SESSION["uid"].")");
  138. } else {
  139. $ref_id = db_fetch_result($result, 0, "id");
  140. $times_used = db_fetch_result($result, 0, "times_used");
  141. # if ($times_used < 1024) {
  142. db_query($link, "UPDATE ttirc_emoticons_popcon SET times_used = times_used + 1
  143. WHERE id = $ref_id");
  144. # }
  145. }
  146. }
  147. }
  148. }
  149. $lines = explode("\n", $message);
  150. if ($tab_type == "P") {
  151. foreach ($lines as $line)
  152. push_message($link, $connection_id, $chan, $line, false,
  153. MSGT_PRIVATE_PRIVMSG);
  154. } else {
  155. foreach ($lines as $line)
  156. push_message($link, $connection_id, $chan, $line);
  157. }
  158. /* $lines = explode("\n", wordwrap($message, 200, "\n"));
  159. foreach ($lines as $line) {
  160. push_message($link, $connection_id, $chan, $line);
  161. } */
  162. }
  163. }
  164. if (!$send_only) {
  165. $lines = get_new_lines($link, $last_id);
  166. //$conn = get_conn_info($link);
  167. //$chandata = get_chan_data($link, false);
  168. //$params = get_misc_params($link);
  169. $dup = array("duplicate" => true);
  170. print json_encode(array($dup, $lines, $dup, $dup));
  171. }
  172. break;
  173. case "update":
  174. cleanup_session_cache();
  175. $last_id = (int) db_escape_string($_REQUEST["last_id"]);
  176. $init = db_escape_string($_REQUEST["init"]);
  177. @$uniqid = db_escape_string($_REQUEST["uniqid"]);
  178. if (!$init) {
  179. $sleep_start = time();
  180. while (time() - $sleep_start < UPDATE_DELAY_MAX &&
  181. !num_new_lines($link, $last_id)) {
  182. sleep(1);
  183. }
  184. }
  185. $lines = get_new_lines($link, $last_id);
  186. $conn = get_conn_info($link);
  187. $chandata = get_chan_data($link, false);
  188. $params = get_misc_params($link, $uniqid);
  189. $emoticons = render_emoticons($link);
  190. if ($uniqid) {
  191. if (serialize($conn) == $_SESSION["cache"][$uniqid]["conn"]) {
  192. $conn = array("duplicate" => true);
  193. } else {
  194. $_SESSION["cache"][$uniqid]["conn"] = serialize($conn);
  195. }
  196. if (serialize($chandata) == $_SESSION["cache"][$uniqid]["chandata"]) {
  197. $chandata = array("duplicate" => true);
  198. } else {
  199. $_SESSION["cache"][$uniqid]["chandata"] = serialize($chandata);
  200. }
  201. if (serialize($params) == $_SESSION["cache"][$uniqid]["params"]) {
  202. $params = array("duplicate" => true);
  203. } else {
  204. $_SESSION["cache"][$uniqid]["params"] = serialize($params);
  205. }
  206. if (serialize($emoticons) == $_SESSION["cache"][$uniqid]["emoticons"]) {
  207. $emoticons = array("duplicate" => true);
  208. } else {
  209. $_SESSION["cache"][$uniqid]["emoticons"] = serialize($emoticons);
  210. }
  211. $_SESSION["cache"][$uniqid]["last"] = time();
  212. }
  213. print json_encode(array($conn, $lines, $chandata, $params, $emoticons));
  214. break;
  215. case "set-topic":
  216. $last_id = (int) db_escape_string($_REQUEST["last_id"]);
  217. $topic = db_escape_string($_REQUEST["topic"]);
  218. $chan = db_escape_string($_REQUEST["chan"]);
  219. $connection_id = db_escape_string($_REQUEST["connection"]);
  220. if ($topic !== FALSE) {
  221. handle_command($link, $connection_id, $chan, "/topic $topic");
  222. }
  223. $lines = get_new_lines($link, $last_id);
  224. $conn = get_conn_info($link);
  225. $chandata = get_chan_data($link, false);
  226. $params = get_misc_params($link);
  227. print json_encode(array($conn, $lines, $chandata, $params));
  228. break;
  229. case "login":
  230. $login = db_escape_string($_REQUEST["user"]);
  231. $password = db_escape_string($_REQUEST["password"]);
  232. $result = db_query($link, "SELECT id FROM ttirc_users WHERE login = '$login'");
  233. if (db_num_rows($result) != 0) {
  234. $uid = db_fetch_result($result, 0, "id");
  235. } else {
  236. $uid = 0;
  237. }
  238. if (!$uid) {
  239. print json_encode(array("error" => 6));
  240. return;
  241. }
  242. if (authenticate_user($link, $login, $password)) {
  243. print json_encode(array("sid" => session_id(), "version" => VERSION,
  244. "uniqid" => uniqid()));
  245. } else {
  246. print json_encode(array("error" => 6));
  247. }
  248. break;
  249. case "init":
  250. $result = db_query($link, "SELECT MAX(ttirc_messages.id) AS max_id
  251. FROM ttirc_messages, ttirc_connections
  252. WHERE connection_id = ttirc_connections.id AND owner_uid = " . $_SESSION["uid"]);
  253. $rv = array();
  254. if (db_num_rows($result) != 0) {
  255. $rv["max_id"] = db_fetch_result($result, 0, "max_id");
  256. } else {
  257. $rv["max_id"] = 0;
  258. }
  259. $rv["status"] = 1;
  260. $rv["theme"] = get_pref($link, "USER_THEME");
  261. $rv["update_delay_max"] = UPDATE_DELAY_MAX;
  262. $rv["uniqid"] = uniqid();
  263. $rv["emoticons"] = get_emoticons_map();
  264. print json_encode($rv);
  265. break;
  266. case "prefs":
  267. main_prefs($link);
  268. break;
  269. case "prefs-conn-save":
  270. $title = db_escape_string($_REQUEST["title"]);
  271. $autojoin = db_escape_string($_REQUEST["autojoin"]);
  272. $connect_cmd = db_escape_string($_REQUEST["connect_cmd"]);
  273. $encoding = db_escape_string($_REQUEST["encoding"]);
  274. $nick = db_escape_string($_REQUEST["nick"]);
  275. $auto_connect = bool_to_sql_bool(db_escape_string($_REQUEST["auto_connect"]));
  276. $permanent = bool_to_sql_bool(db_escape_string($_REQUEST["permanent"]));
  277. $connection_id = db_escape_string($_REQUEST["connection_id"]);
  278. $visible = bool_to_sql_bool(db_escape_string($_REQUEST["visible"]));
  279. $server_password = db_escape_string($_REQUEST["server_password"]);
  280. $use_ssl = bool_to_sql_bool(db_escape_string($_REQUEST["use_ssl"]));
  281. if (!$title) $title = __("[Untitled]");
  282. if (valid_connection($link, $connection_id)) {
  283. db_query($link, "UPDATE ttirc_connections SET title = '$title',
  284. autojoin = '$autojoin',
  285. connect_cmd = '$connect_cmd',
  286. auto_connect = $auto_connect,
  287. server_password = '$server_password',
  288. visible = $visible,
  289. use_ssl = $use_ssl,
  290. nick = '$nick',
  291. encoding = '$encoding',
  292. permanent = $permanent
  293. WHERE id = '$connection_id'");
  294. //print json_encode(array("error" => "Function not implemented."));
  295. }
  296. break;
  297. case "prefs-save":
  298. //print json_encode(array("error" => "Function not implemented."));
  299. $realname = db_escape_string($_REQUEST["realname"]);
  300. $quit_message = db_escape_string($_REQUEST["quit_message"]);
  301. $new_password = db_escape_string($_REQUEST["new_password"]);
  302. $confirm_password = db_escape_string($_REQUEST["confirm_password"]);
  303. $nick = db_escape_string($_REQUEST["nick"]);
  304. $email = db_escape_string($_REQUEST["email"]);
  305. $theme = db_escape_string($_REQUEST["theme"]);
  306. $highlight_on = db_escape_string($_REQUEST["highlight_on"]);
  307. $hide_join_part = bool_to_sql_bool(db_escape_string($_REQUEST["hide_join_part"]));
  308. $disable_image_preview = bool_to_sql_bool(db_escape_string($_REQUEST["disable_image_preview"]));
  309. $theme_changed = false;
  310. $_SESSION["prefs_cache"] = false;
  311. if (get_user_theme($link) != $theme) {
  312. set_pref($link, "USER_THEME", $theme);
  313. $theme_changed = true;
  314. }
  315. set_pref($link, "HIGHLIGHT_ON", $highlight_on);
  316. set_pref($link, "DISABLE_IMAGE_PREVIEW", $disable_image_preview);
  317. db_query($link, "UPDATE ttirc_users SET realname = '$realname',
  318. quit_message = '$quit_message',
  319. email = '$email',
  320. hide_join_part = $hide_join_part,
  321. nick = '$nick' WHERE id = " . $_SESSION["uid"]);
  322. if ($new_password != $confirm_password) {
  323. print json_encode(array("error" => "Passwords do not match."));
  324. return;
  325. }
  326. if ($confirm_password == $new_password && $new_password) {
  327. $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
  328. $pwd_hash = encrypt_password($new_password, $salt, true);
  329. db_query($link, "UPDATE ttirc_users SET pwd_hash = '$pwd_hash', salt = '$salt'
  330. WHERE id = ". $_SESSION["uid"]);
  331. }
  332. if ($theme_changed) {
  333. print json_encode(array("message" => "THEME_CHANGED"));
  334. return;
  335. }
  336. break;
  337. case "prefs-edit-con":
  338. $connection_id = (int) db_escape_string($_REQUEST["id"]);
  339. connection_editor($link, $connection_id);
  340. break;
  341. case "prefs-customize-css":
  342. css_editor($link);
  343. break;
  344. case "prefs-save-css":
  345. $user_css = db_escape_string($_REQUEST["user_css"]);
  346. set_pref($link, "USER_STYLESHEET", $user_css);
  347. //print json_encode(array("error" => "Function not implemented."));
  348. break;
  349. case "create-server":
  350. $connection_id = (int) db_escape_string($_REQUEST["connection_id"]);
  351. list($server, $port) = explode(":", db_escape_string($_REQUEST["data"]));
  352. if (valid_connection($link, $connection_id)) {
  353. if ($server && $port) {
  354. db_query($link, "INSERT INTO ttirc_servers (server, port, connection_id)
  355. VALUES ('$server', '$port', '$connection_id')");
  356. print_servers($link, $connection_id);
  357. } else {
  358. $error = T_sprintf("Couldn't add server (%s:%d): Invalid syntax.",
  359. $server, $port);
  360. print json_encode(array("error" => $error));
  361. }
  362. }
  363. break;
  364. case "delete-server":
  365. $ids = db_escape_string($_REQUEST["ids"]);
  366. $connection_id = (int) db_escape_string($_REQUEST["connection_id"]);
  367. if (valid_connection($link, $connection_id)) {
  368. db_query($link, "DELETE FROM ttirc_servers WHERE
  369. id in ($ids) AND connection_id = '$connection_id'");
  370. print_servers($link, $connection_id);
  371. }
  372. break;
  373. case "delete-connection":
  374. $ids = db_escape_string($_REQUEST["ids"]);
  375. db_query($link, "DELETE FROM ttirc_connections WHERE
  376. id IN ($ids) AND status = 0 AND owner_uid = ".$_SESSION["uid"]);
  377. print_connections($link);
  378. break;
  379. case "create-connection":
  380. $title = db_escape_string(trim($_REQUEST["title"]));
  381. if ($title) {
  382. db_query($link, "INSERT INTO ttirc_connections (enabled, title, owner_uid)
  383. VALUES ('false', '$title', '".$_SESSION["uid"]."')");
  384. }
  385. print_connections($link);
  386. break;
  387. case "fetch-profiles":
  388. $login = db_escape_string($_REQUEST["login"]);
  389. $password = db_escape_string($_REQUEST["password"]);
  390. if (authenticate_user($link, $login, $password)) {
  391. $result = db_query($link, "SELECT * FROM ttirc_settings_profiles
  392. WHERE owner_uid = " . $_SESSION["uid"] . " ORDER BY title");
  393. print "<select style='width: 100%' name='profile'>";
  394. print "<option value='0'>" . __("Default profile") . "</option>";
  395. while ($line = db_fetch_assoc($result)) {
  396. $id = $line["id"];
  397. $title = $line["title"];
  398. print "<option value='$id'>$title</option>";
  399. }
  400. print "</select>";
  401. $_SESSION = array();
  402. }
  403. break;
  404. case "toggle-connection":
  405. $connection_id = (int) db_escape_string($_REQUEST["connection_id"]);
  406. $status = bool_to_sql_bool(db_escape_string($_REQUEST["set_enabled"]));
  407. db_query($link, "UPDATE ttirc_connections SET enabled = $status
  408. WHERE id = '$connection_id' AND owner_uid = " . $_SESSION["uid"]);
  409. print json_encode(array("status" => $status));
  410. break;
  411. case "prefs-edit-notify":
  412. notification_editor($link);
  413. break;
  414. case "prefs-save-notify":
  415. $notify_events = json_encode($_REQUEST["notify_event"]);
  416. set_pref($link, "NOTIFY_ON", $notify_events);
  417. break;
  418. case "preview":
  419. $url = htmlspecialchars($_REQUEST["url"]);
  420. header("Location: $url");
  421. break;
  422. case "emoticons":
  423. print json_encode(get_emoticons_map());
  424. break;
  425. case "emoticons_list":
  426. header('Content-Type: text/html; charset=utf-8');
  427. render_emoticons_full();
  428. break;
  429. case "logout":
  430. logout_user();
  431. header("Location: index.php");
  432. break;
  433. }
  434. ?>