From 1e2da98a5a275896c1434ee0347ede36360a61fd Mon Sep 17 00:00:00 2001
From: Jem Turner
Date: Mon, 18 Jun 2012 14:51:45 +0100
Subject: [PATCH] redo fixes to update.php / contact.php & fix typos in join.php

---
 contact.php | 3 +-
 join.php | 4 +-
 update.php | 159 +++++++++++++++++++++++++++++++---------------------
 3 files changed, 100 insertions(+), 66 deletions(-)

diff --git a/contact.php b/contact.php
index f1dea20..b631e54 100644
--- a/contact.php
+++ b/contact.php
@@ -13,6 +13,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
 $points = (int)0;
 $badwords = file(SPAMWDS);
+ $requiredFields = array("name", "email", "comments");
 foreach ($badwords as $word) if (
@@ -52,7 +53,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
 $message = "You received this e-mail message through your fanlisting: \n\n";
 foreach ($_POST as $key => $val) {
- $message .= ucwords($key) . ": " . clean($val) . "\r\n";
+ $message .= ucwords($key) . ": " . cleanUp($val) . "\r\n";
 }
 $message .= "\r\n";
 $message .= 'IP: '.$_SERVER['REMOTE_ADDR']."\r\n";
diff --git a/join.php b/join.php
index 50743fe..545f3c7 100644
--- a/join.php
+++ b/join.php
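Review bot: The e-mail body loop still interpolates every POST key — `$message .= ucwords($key) . ": " . cleanUp($val) . "\r\n";` — so the field names, which the client controls just as much as the values, go into the message unchecked, and the swap from `clean()` to `cleanUp()` only covers `$val`. Iterating the whitelist this same commit introduces avoids that (assuming the form has no other legitimate fields): `foreach ($requiredFields as $key) { $message .= ucwords($key) . ": " . (isset($_POST[$key]) ? cleanUp($_POST[$key]) : '') . "\r\n"; }`. What `cleanUp()` actually strips is not visible here, so whether values are safe against header-injection sequences cannot be confirmed from this hunk. The surrounding `if ($_SERVER['REQUEST_METHOD'] == "POST") {` block starts before this hunk.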
@@ -69,7 +69,7 @@ if (isset($_POST['submit'])) {
 $error_msg .= "That name is not valid. Your name must contain letters only, and must be less than 15 characters. \r\n";
 if ($clean['dispemail'] != "yes" && $clean['dispemail'] != "no")
 $error_msg .= "You didn't choose whether or not you'd like to show your e-mail address on the member list. \r\n";
- if ($clean['fave'] != "" && (!preg_match("/^[a-zA-Z0-9-'\s]*$/", $clean['face']) || strlen($clean['fave']) > 20))
+ if ($clean['fave'] != "" && (!preg_match("/^[a-zA-Z0-9-'\s]*$/", $clean['fave']) || strlen($clean['fave']) > 20))
 $error_msg .= "Your chosen \"favourite\" is not valid. It must contain letters and numbers only, and must be less than 20 characters. \r\n";
 if (!preg_match('/^([a-z0-9])(([-a-z0-9._])*([a-z0-9]))*\@([a-z0-9])(([a-z0-9-])*([a-z0-9]))+' . '(\.([a-z0-9])([-a-z0-9_-])?([a-z0-9])+)+$/i', strtolower($clean['email'])))
 $error_msg .= "The email address you have used is not valid. \r\n";
@@ -175,7 +175,7 @@ if (!isset($_POST['submit']) || $show_form == true) {
 if (isset($_POST['country'])) $country = $_POST['country'];
 else $country = NULL;
 ?>
-
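Review bot: The corrected fave check still allows `\s` inside the class, `"/^[a-zA-Z0-9-'\s]*$/"`, so tabs and CR/LF pass validation even though the message promises letters and numbers only; if the value is later written to the members text file or rendered on the member list, an embedded newline can break the record, so use a literal space instead and put the hyphen last: `"/^[a-zA-Z0-9' -]*$/"`. The length test `strlen($clean['fave']) > 20` also accepts exactly 20 characters while the message says "less than 20"; either use `>= 20` or reword the message. The enclosing `if (isset($_POST['submit'])) {` block starts before this hunk.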

+


" />

" />

diff --git a/update.php b/update.php index e5032bc..7ad5ab4 100644 --- a/update.php +++ b/update.php @@ -1,68 +1,94 @@ The text you entered didn't match the image, please try again.

"; - include('footer.php'); - exit; - } - if (isset($_SESSION['key']) && isset($_COOKIE[session_name()])) { - setcookie(session_name(), '', time()-36000, '/'); - $_SESSION = array(); - session_destroy(); - } - } else { echo "

The text you entered didn't match the image, please try again.

"; include('footer.php'); exit; } - } - include_once('header.php'); - - if (!isset($_POST['submit']) || $_SERVER['REQUEST_METHOD'] != "POST") { - echo "

Accessing this page directly is not allowed.

\n\n"; + if (isset($_SESSION['key']) && isset($_COOKIE[session_name()])) { + setcookie(session_name(), '', time()-36000, '/'); + $_SESSION = array(); + session_destroy(); + } + } else { + echo "

The text you entered didn't match the image, please try again.

"; include('footer.php'); exit; } + } + include_once('header.php'); - $exploits = "/(content-type|bcc:|cc:|document.cookie|onclick|onload)/i"; - foreach ($_POST as $key => $val) { - $clean[$key] = cleanUp($val); + if (!isset($_POST['submit']) || $_SERVER['REQUEST_METHOD'] != "POST") { + echo "

Accessing this page directly is not allowed.

\n\n"; + include('footer.php'); + exit; + } + + if (isBot() !== false) + $error_msg .= "No bots please! UA reported as: ".$_SERVER['HTTP_USER_AGENT'] . "\r\n"; + + if (substr_count($_POST['comments'], 'http://') > 1) + $error_msg .= "Too many URLs; we've assumed you're spam and 'lost' your application. Please try again without any extra URLs if you're a geniune person :)\r\n"; - if (filesize(SPAMWDS) > 0 && (checkTXTfile(SPAMWDS, $val, "spamword") === true)) { - echo "

Your application contains words in the spam list, that means you're not allowed to join at this time. \n

"; - exit(include('footer.php')); - } - if (preg_match($exploits, $val)) { - echo "

No meta injection, please. \n

"; - exit(include('footer.php')); + $exploits = "/(content-type|bcc:|cc:|document.cookie|onclick|onload|javascript|alert)/i"; + if (filesize(SPAMWDS) > 0) $spamlist = file(SPAMWDS); + + foreach ($_POST as $key => $val) { + if (isset($spamlist)) { + foreach ($spamlist as $spamword) { + if (preg_match("/(".trim($spamword).")/i", $val)) { + $error_msg .= "Your updated info contains words in the spam list, please go back and remove references to obvious 'spam' material.\r\n"; + } } } - if ((filesize(MEMBERS) > 0 && checkTXTfile(MEMBERS, breakEmail(strtolower($clean['email'])), "email") === true) || (filesize(NEWBIES) > 0 && checkTXTfile(NEWBIES, breakEmail(strtolower($clean['email'])), "email") === true)) { - if (empty($clean['name']) || empty($clean['email'])) { - echo "

Name and e-mail are required fields. Please go back and try again.\n

"; - exit(include('footer.php')); - } elseif (!ereg("^[A-Za-z' -]",$clean['name']) || strlen($clean['name']) > 15) { - echo "

That name is not valid. Your name must contain letters only, and must be less than 15 characters. Please go back and try again.\n

"; - exit(include('footer.php')); - } elseif (!ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", strtolower($clean['email']))) { - echo "

Your old e-mail address is not valid. Please go back and try again.\n

"; - exit(include('footer.php')); - } elseif (!empty($clean['newemail']) && !ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", strtolower($clean['newemail']))) { - echo "

Your new e-mail address is not valid. Please go back and try again.\n

"; - exit(include('footer.php')); - } + if (preg_match($exploits, $val)) + $error_msg .= "No meta injection, please.\r\n"; + if (preg_match("/(<.*>)/i", $val)) + $error_msg .= "No HTML, please.\r\n"; + + $clean[$key] = cleanUp($val); + } + if ((filesize(MEMBERS) > 0 && checkTXTfile(MEMBERS, breakEmail(strtolower($clean['email'])), "email") === true) || (filesize(NEWBIES) > 0 && checkTXTfile(NEWBIES, breakEmail(strtolower($clean['email'])), "email") === true)) { + // set default values for empty/unset fields + if (empty($clean['dispemail'])) + $clean['dispemail'] = "no"; + + if (!isset($favefield) || $favefield == "no" || !isset($clean['fave'])) + $clean['fave'] = NULL; + + // let's do some security and spam checks + if (empty($clean['name']) || empty($clean['email']) || empty($clean['country'])) + $error_msg .= "Name, e-mail and country are required fields. \r\n"; + if (!preg_match("/^[a-zA-Z-'\s]*$/", $clean['name'])) + $error_msg .= "That name is not valid. Your name must contain letters only, and must be less than 15 characters. \r\n"; + if ($clean['dispemail'] != "yes" && $clean['dispemail'] != "no") + $error_msg .= "You didn't choose whether or not you'd like to show your e-mail address on the member list. \r\n"; + if ($clean['fave'] != "" && (!preg_match("/^[a-zA-Z0-9-'\s]*$/", $clean['fave']) || strlen($clean['fave']) > 20)) + $error_msg .= "Your chosen \"favourite\" is not valid. It must contain letters and numbers only, and must be less than 20 characters. \r\n"; + if (!preg_match('/^([a-z0-9])(([-a-z0-9._])*([a-z0-9]))*\@([a-z0-9])(([a-z0-9-])*([a-z0-9]))+' . '(\.([a-z0-9])([-a-z0-9_-])?([a-z0-9])+)+$/i', strtolower($clean['email']))) + $error_msg .= "The email address you have used is not valid. \r\n"; + if (!empty($clean['newemail']) && !preg_match('/^([a-z0-9])(([-a-z0-9._])*([a-z0-9]))*\@([a-z0-9])(([a-z0-9-])*([a-z0-9]))+' . 
'(\.([a-z0-9])([-a-z0-9_-])?([a-z0-9])+)+$/i', strtolower($clean['newemail']))) + $error_msg .= "The new email address you have used is not valid. \r\n"; + if (!empty($clean['url']) && !preg_match('/^(http|https):\/\/(([A-Z0-9][A-Z0-9_-]*)(\.[A-Z0-9][A-Z0-9_-]*)+)(:(\d+))?\/?/i', $clean['url'])) + $error_msg .= "The website url you provided is not valid. Please remove and try again or fix the URL.\r\n"; + if ($clean['country'] == "null" || (filesize(COUNTRIES) > 0 && checkTXTfile(COUNTRIES, $clean['country'], "country") === false)) + $error_msg .= "Please select a valid country. \r\n"; + + if ($error_msg == NULL) { + $show_form = false; + $subject = "Update member at $title"; $message = "A member at your $FLsubject fanlisting wants updating with following details: \n\n"; @@ -90,23 +116,31 @@ switch ($page) { } else { echo "
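Review bot: The rewritten name check `if (!preg_match("/^[a-zA-Z-'\s]*$/", $clean['name']))` drops the `strlen($clean['name']) > 15` bound the removed `ereg` line enforced, while its error message still promises "less than 15 characters"; add `|| strlen($clean['name']) > 15` as the fave check beside it does with `strlen(...) > 20`. The spam-list loop also builds a regex from each raw file line, `preg_match("/(".trim($spamword).")/i", $val)`, so an entry containing `/`, `(`, `.` or `*` either breaks the pattern (preg_match warns and returns false, and that entry silently never matches) or matches far more than the literal word, and a blank line in the list flags every value; use `$spamword = trim($spamword); if ($spamword === '') continue; if (preg_match("/".preg_quote($spamword, '/')."/i", $val))`. `$_SERVER['HTTP_USER_AGENT']` is appended to `$error_msg` verbatim here and that string is echoed further down, so it needs escaping at the sink. The branch these checks live in opens before this hunk (its first lines are mangled in this rendering) and continues past it.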

Oops!

\n

Your updated information could not be sent this time, please contact the fanlisting owner.

"; } - } else { - echo "

You're not a member! Only current members can update their information.

\n"; - include('footer.php'); - exit; } - break; - default: - require_once('prefs.php'); - include_once('header.php'); + } else { + echo "

You're not a member! Only current members can update their information.

\n"; + include('footer.php'); + exit; + } +} +if (!isset($_POST['submit']) || $show_form == true) { + require_once('prefs.php'); + include_once('header.php'); ?> -

Update Your Details

-

To update your details, fill in your information below. Please do not use this form to join; use the join form instead.

+

Update Your Details

+

To update your details, fill in your information below. Please do not use this form to join; use the join form instead.

-

(Name, Old E-mail and Country are required fields.)

+

(Name, Old E-mail and Country are required fields.)

-

+ERROR:
"; + echo nl2br($error_msg) . "

"; + } +?> + +







@@ -129,7 +163,6 @@ switch ($page) {
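Review bot: `echo nl2br($error_msg)` in the new error box prints the accumulated messages without HTML escaping, and the previous hunk appends `$_SERVER['HTTP_USER_AGENT']` to `$error_msg` verbatim, so a crafted User-Agent header is reflected into the page as markup — the `"/(<.*>)/i"` "No HTML" check only inspects POST values, not request headers. Escape at the sink: `echo nl2br(htmlspecialchars($error_msg, ENT_QUOTES, 'UTF-8'));`. The form markup that follows is stripped in this rendering, so whether posted values echoed back into its `value="…"` attributes are escaped cannot be confirmed here. The `if (!isset($_POST['submit']) || $show_form == true) {` block opened in this hunk is closed in the next one.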

\ No newline at end of file