[ Index ]

PHP Cross Reference of MyBB 1.8.12

title

Body

[close]

/ -> xmlhttp.php (source)

   1  <?php
   2  /**
   3   * MyBB 1.8
   4   * Copyright 2014 MyBB Group, All Rights Reserved
   5   *
   6   * Website: http://www.mybb.com
   7   * License: http://www.mybb.com/about/license
   8   *
   9   */
  10  
  11  /**
  12   * The deal with this file is that it handles all of the XML HTTP Requests for MyBB.
  13   *
  14   * It contains a stripped down version of the MyBB core which does not load things
  15   * such as themes, who's online data, all of the language packs and more.
  16   *
  17   * This is done to make response times when using XML HTTP Requests faster and
  18   * less intense on the server.
  19   */
  20  
  21  define("IN_MYBB", 1);
  22  
  23  // We don't want visits here showing up on the Who's Online
  24  define("NO_ONLINE", 1);
  25  
  26  define('THIS_SCRIPT', 'xmlhttp.php');
  27  
  28  // Load MyBB core files
  29  require_once dirname(__FILE__)."/inc/init.php";
  30  
  31  $shutdown_queries = $shutdown_functions = array();
  32  
  33  // Load some of the stock caches we'll be using.
  34  $groupscache = $cache->read("usergroups");
  35  
  36  if(!is_array($groupscache))
  37  {
  38      $cache->update_usergroups();
  39      $groupscache = $cache->read("usergroups");
  40  }
  41  
  42  // Send no cache headers
  43  header("Expires: Sat, 1 Jan 2000 01:00:00 GMT");
  44  header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
  45  header("Cache-Control: no-cache, must-revalidate");
  46  header("Pragma: no-cache");
  47  
  48  // Create the session
  49  require_once  MYBB_ROOT."inc/class_session.php";
  50  $session = new session;
  51  $session->init();
  52  
  53  // Load the language we'll be using
  54  if(!isset($mybb->settings['bblanguage']))
  55  {
  56      $mybb->settings['bblanguage'] = "english";
  57  }
  58  if(isset($mybb->user['language']) && $lang->language_exists($mybb->user['language']))
  59  {
  60      $mybb->settings['bblanguage'] = $mybb->user['language'];
  61  }
  62  $lang->set_language($mybb->settings['bblanguage']);
  63  
  64  if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
  65  {
  66      @mb_internal_encoding($lang->settings['charset']);
  67  }
  68  
  69  // Load the theme
  70  // 1. Check cookies
  71  if(!$mybb->user['uid'] && !empty($mybb->cookies['mybbtheme']))
  72  {
  73      $mybb->user['style'] = (int)$mybb->cookies['mybbtheme'];
  74  }
  75  
  76  // 2. Load style
  77  if(isset($mybb->user['style']) && (int)$mybb->user['style'] != 0)
  78  {
  79      $loadstyle = "tid='".(int)$mybb->user['style']."'";
  80  }
  81  else
  82  {
  83      $loadstyle = "def='1'";
  84  }
  85  
  86  // Load basic theme information that we could be needing.
  87  if($loadstyle != "def='1'")
  88  {
  89      $query = $db->simple_select('themes', 'name, tid, properties, allowedgroups', $loadstyle, array('limit' => 1));
  90      $theme = $db->fetch_array($query);
  91  
  92      if(isset($theme['tid']) && !is_member($theme['allowedgroups']) && $theme['allowedgroups'] != 'all')
  93      {
  94          if(isset($mybb->cookies['mybbtheme']))
  95          {
  96              my_unsetcookie('mybbtheme');
  97          }
  98  
  99          $loadstyle = "def='1'";
 100      }
 101  }
 102  
 103  if($loadstyle == "def='1'")
 104  {
 105      if(!$cache->read('default_theme'))
 106      {
 107          $cache->update_default_theme();
 108      }
 109  
 110      $theme = $cache->read('default_theme');
 111  }
 112  
 113  // No theme was found - we attempt to load the master or any other theme
 114  if(!isset($theme['tid']) || isset($theme['tid']) && !$theme['tid'])
 115  {
 116      // Missing theme was from a user, run a query to set any users using the theme to the default
 117      $db->update_query('users', array('style' => 0), "style = '{$mybb->user['style']}'");
 118  
 119      // Attempt to load the master or any other theme if the master is not available
 120      $query = $db->simple_select('themes', 'name, tid, properties, stylesheets', '', array('order_by' => 'tid', 'limit' => 1));
 121      $theme = $db->fetch_array($query);
 122  }
 123  $theme = @array_merge($theme, my_unserialize($theme['properties']));
 124  
 125  // Set the appropriate image language directory for this theme.
 126  // Are we linking to a remote theme server?
 127  if(my_validate_url($theme['imgdir']))
 128  {
 129      // If a language directory for the current language exists within the theme - we use it
 130      if(!empty($mybb->user['language']))
 131      {
 132          $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->user['language'];
 133      }
 134      else
 135      {
 136          // Check if a custom language directory exists for this theme
 137          if(!empty($mybb->settings['bblanguage']))
 138          {
 139              $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->settings['bblanguage'];
 140          }
 141          // Otherwise, the image language directory is the same as the language directory for the theme
 142          else
 143          {
 144              $theme['imglangdir'] = $theme['imgdir'];
 145          }
 146      }
 147  }
 148  else
 149  {
 150      $img_directory = $theme['imgdir'];
 151  
 152      if($mybb->settings['usecdn'] && !empty($mybb->settings['cdnpath']))
 153      {
 154          $img_directory = rtrim($mybb->settings['cdnpath'], '/') . '/' . ltrim($theme['imgdir'], '/');
 155      }
 156  
 157      if(!@is_dir($img_directory))
 158      {
 159          $theme['imgdir'] = 'images';
 160      }
 161  
 162      // If a language directory for the current language exists within the theme - we use it
 163      if(!empty($mybb->user['language']) && is_dir($img_directory.'/'.$mybb->user['language']))
 164      {
 165          $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->user['language'];
 166      }
 167      else
 168      {
 169          // Check if a custom language directory exists for this theme
 170          if(is_dir($img_directory.'/'.$mybb->settings['bblanguage']))
 171          {
 172              $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->settings['bblanguage'];
 173          }
 174          // Otherwise, the image language directory is the same as the language directory for the theme
 175          else
 176          {
 177              $theme['imglangdir'] = $theme['imgdir'];
 178          }
 179      }
 180  
 181      $theme['imgdir'] = $mybb->get_asset_url($theme['imgdir']);
 182      $theme['imglangdir'] = $mybb->get_asset_url($theme['imglangdir']);
 183  }
 184  
 185  $templatelist = "postbit_editedby,xmlhttp_buddyselect_online,xmlhttp_buddyselect_offline,xmlhttp_buddyselect";
 186  $templates->cache($db->escape_string($templatelist));
 187  
 188  if($lang->settings['charset'])
 189  {
 190      $charset = $lang->settings['charset'];
 191  }
 192  // If not, revert to UTF-8
 193  else
 194  {
 195      $charset = "UTF-8";
 196  }
 197  
 198  $lang->load("global");
 199  $lang->load("xmlhttp");
 200  
 201  $closed_bypass = array("refresh_captcha", "validate_captcha");
 202  
 203  $mybb->input['action'] = $mybb->get_input('action');
 204  
 205  $plugins->run_hooks("xmlhttp");
 206  
 207  // If the board is closed, the user is not an administrator and they're not trying to login, show the board closed message
 208  if($mybb->settings['boardclosed'] == 1 && $mybb->usergroup['canviewboardclosed'] != 1 && !in_array($mybb->input['action'], $closed_bypass))
 209  {
 210      // Show error
 211      if(!$mybb->settings['boardclosed_reason'])
 212      {
 213          $mybb->settings['boardclosed_reason'] = $lang->boardclosed_reason;
 214      }
 215  
 216      $lang->error_boardclosed .= "<br /><em>{$mybb->settings['boardclosed_reason']}</em>";
 217  
 218      xmlhttp_error($lang->error_boardclosed);
 219  }
 220  
 221  // Fetch a list of usernames beginning with a certain string (used for auto completion)
 222  if($mybb->input['action'] == "get_users")
 223  {
 224      $mybb->input['query'] = ltrim($mybb->get_input('query'));
 225  
 226      // If the string is less than 2 characters, quit.
 227      if(my_strlen($mybb->input['query']) < 2)
 228      {
 229          exit;
 230      }
 231  
 232      if($mybb->get_input('getone', MyBB::INPUT_INT) == 1)
 233      {
 234          $limit = 1;
 235      }
 236      else
 237      {
 238          $limit = 15;
 239      }
 240  
 241      // Send our headers.
 242      header("Content-type: application/json; charset={$charset}");
 243  
 244      // Query for any matching users.
 245      $query_options = array(
 246          "order_by" => "username",
 247          "order_dir" => "asc",
 248          "limit_start" => 0,
 249          "limit" => $limit
 250      );
 251  
 252      $plugins->run_hooks("xmlhttp_get_users_start");
 253  
 254      $query = $db->simple_select("users", "uid, username", "username LIKE '".$db->escape_string_like($mybb->input['query'])."%'", $query_options);
 255      if($limit == 1)
 256      {
 257          $user = $db->fetch_array($query);
 258          $data = array('id' => $user['username'], 'text' => $user['username']);
 259      }
 260      else
 261      {
 262          $data = array();
 263          while($user = $db->fetch_array($query))
 264          {
 265              $data[] = array('id' => $user['username'], 'text' => $user['username']);
 266          }
 267      }
 268  
 269      $plugins->run_hooks("xmlhttp_get_users_end");
 270  
 271      echo json_encode($data);
 272      exit;
 273  }
 274  // This action provides editing of thread/post subjects from within their respective list pages.
 275  else if($mybb->input['action'] == "edit_subject" && $mybb->request_method == "post")
 276  {
 277      // Verify POST request
 278      if(!verify_post_check($mybb->get_input('my_post_key'), true))
 279      {
 280          xmlhttp_error($lang->invalid_post_code);
 281      }
 282  
 283      // We're editing a thread subject.
 284      if($mybb->get_input('tid', MyBB::INPUT_INT))
 285      {
 286          // Fetch the thread.
 287          $thread = get_thread($mybb->get_input('tid', MyBB::INPUT_INT));
 288          if(!$thread)
 289          {
 290              xmlhttp_error($lang->thread_doesnt_exist);
 291          }
 292  
 293          // Fetch some of the information from the first post of this thread.
 294          $query_options = array(
 295              "order_by" => "dateline",
 296              "order_dir" => "asc",
 297          );
 298          $query = $db->simple_select("posts", "pid,uid,dateline", "tid='".$thread['tid']."'", $query_options);
 299          $post = $db->fetch_array($query);
 300      }
 301      else
 302      {
 303          exit;
 304      }
 305  
 306      // Fetch the specific forum this thread/post is in.
 307      $forum = get_forum($thread['fid']);
 308  
 309      // Missing thread, invalid forum? Error.
 310      if(!$forum || $forum['type'] != "f")
 311      {
 312          xmlhttp_error($lang->thread_doesnt_exist);
 313      }
 314  
 315      // Fetch forum permissions.
 316      $forumpermissions = forum_permissions($forum['fid']);
 317  
 318      $plugins->run_hooks("xmlhttp_edit_subject_start");
 319  
 320      // If this user is not a moderator with "caneditposts" permissions.
 321      if(!is_moderator($forum['fid'], "caneditposts"))
 322      {
 323          // Thread is closed - no editing allowed.
 324          if($thread['closed'] == 1)
 325          {
 326              xmlhttp_error($lang->thread_closed_edit_subjects);
 327          }
 328          // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing.
 329          else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0)
 330          {
 331              xmlhttp_error($lang->no_permission_edit_subject);
 332          }
 333          // If we're past the edit time limit - don't allow editing.
 334          else if($mybb->usergroup['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->usergroup['edittimelimit']*60)))
 335          {
 336              $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->usergroup['edittimelimit']);
 337              xmlhttp_error($lang->edit_time_limit);
 338          }
 339          $ismod = false;
 340      }
 341      else
 342      {
 343          $ismod = true;
 344      }
 345      $subject = $mybb->get_input('value');
 346      if(my_strtolower($charset) != "utf-8")
 347      {
 348          if(function_exists("iconv"))
 349          {
 350              $subject = iconv($charset, "UTF-8//IGNORE", $subject);
 351          }
 352          else if(function_exists("mb_convert_encoding"))
 353          {
 354              $subject = @mb_convert_encoding($subject, $charset, "UTF-8");
 355          }
 356          else if(my_strtolower($charset) == "iso-8859-1")
 357          {
 358              $subject = utf8_decode($subject);
 359          }
 360      }
 361  
 362      // Only edit subject if subject has actually been changed
 363      if($thread['subject'] != $subject)
 364      {
 365          // Set up posthandler.
 366          require_once  MYBB_ROOT."inc/datahandlers/post.php";
 367          $posthandler = new PostDataHandler("update");
 368          $posthandler->action = "post";
 369  
 370          // Set the post data that came from the input to the $post array.
 371          $updatepost = array(
 372              "pid" => $post['pid'],
 373              "tid" => $thread['tid'],
 374              "prefix" => $thread['prefix'],
 375              "subject" => $subject,
 376              "edit_uid" => $mybb->user['uid']
 377          );
 378          $posthandler->set_data($updatepost);
 379  
 380          // Now let the post handler do all the hard work.
 381          if(!$posthandler->validate_post())
 382          {
 383              $post_errors = $posthandler->get_friendly_errors();
 384              xmlhttp_error($post_errors);
 385          }
 386          // No errors were found, we can call the update method.
 387          else
 388          {
 389              $posthandler->update_post();
 390              if($ismod == true)
 391              {
 392                  $modlogdata = array(
 393                      "tid" => $thread['tid'],
 394                      "fid" => $forum['fid']
 395                  );
 396                  log_moderator_action($modlogdata, $lang->edited_post);
 397              }
 398          }
 399      }
 400  
 401      require_once  MYBB_ROOT."inc/class_parser.php";
 402      $parser = new postParser;
 403  
 404      // Send our headers.
 405      header("Content-type: application/json; charset={$charset}");
 406  
 407      $plugins->run_hooks("xmlhttp_edit_subject_end");
 408  
 409      $mybb->input['value'] = $parser->parse_badwords($mybb->get_input('value'));
 410  
 411      // Spit the subject back to the browser.
 412      $subject = substr($mybb->input['value'], 0, 120); // 120 is the varchar length for the subject column
 413      echo json_encode(array("subject" => '<a href="'.get_thread_link($thread['tid']).'">'.htmlspecialchars_uni($subject).'</a>'));
 414  
 415      // Close the connection.
 416      exit;
 417  }
 418  else if($mybb->input['action'] == "edit_post")
 419  {
 420      // Fetch the post from the database.
 421      $post = get_post($mybb->get_input('pid', MyBB::INPUT_INT));
 422  
 423      // No result, die.
 424      if(!$post)
 425      {
 426          xmlhttp_error($lang->post_doesnt_exist);
 427      }
 428  
 429      // Fetch the thread associated with this post.
 430      $thread = get_thread($post['tid']);
 431  
 432      // Fetch the specific forum this thread/post is in.
 433      $forum = get_forum($thread['fid']);
 434  
 435      // Missing thread, invalid forum? Error.
 436      if(!$thread || !$forum || $forum['type'] != "f")
 437      {
 438          xmlhttp_error($lang->thread_doesnt_exist);
 439      }
 440  
 441      // Check if this forum is password protected and we have a valid password
 442      if(check_forum_password($forum['fid'], 0, true))
 443      {
 444          xmlhttp_error($lang->wrong_forum_password);
 445      }
 446  
 447      // Fetch forum permissions.
 448      $forumpermissions = forum_permissions($forum['fid']);
 449  
 450      $plugins->run_hooks("xmlhttp_edit_post_start");
 451  
 452      // If this user is not a moderator with "caneditposts" permissions.
 453      if(!is_moderator($forum['fid'], "caneditposts"))
 454      {
 455          // Thread is closed - no editing allowed.
 456          if($thread['closed'] == 1)
 457          {
 458              xmlhttp_error($lang->thread_closed_edit_message);
 459          }
 460          // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing.
 461          else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0 || $mybb->user['suspendposting'] == 1)
 462          {
 463              xmlhttp_error($lang->no_permission_edit_post);
 464          }
 465          // If we're past the edit time limit - don't allow editing.
 466          else if($mybb->usergroup['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->usergroup['edittimelimit']*60)))
 467          {
 468              $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->usergroup['edittimelimit']);
 469              xmlhttp_error($lang->edit_time_limit);
 470          }
 471          // User can't edit unapproved post
 472          if($post['visible'] == 0)
 473          {
 474              xmlhttp_error($lang->post_moderation);
 475          }
 476      }
 477  
 478      $plugins->run_hooks("xmlhttp_edit_post_end");
 479  
 480      if($mybb->get_input('do') == "get_post")
 481      {
 482          // Send our headers.
 483          header("Content-type: application/json; charset={$charset}");
 484  
 485          // Send the contents of the post.
 486          echo json_encode($post['message']);
 487          exit;
 488      }
 489      else if($mybb->get_input('do') == "update_post")
 490      {
 491          // Verify POST request
 492          if(!verify_post_check($mybb->get_input('my_post_key'), true))
 493          {
 494              xmlhttp_error($lang->invalid_post_code);
 495          }
 496  
 497          $message = $mybb->get_input('value');
 498          $editreason = $mybb->get_input('editreason');
 499          if(my_strtolower($charset) != "utf-8")
 500          {
 501              if(function_exists("iconv"))
 502              {
 503                  $message = iconv($charset, "UTF-8//IGNORE", $message);
 504                  $editreason = iconv($charset, "UTF-8//IGNORE", $editreason);
 505              }
 506              else if(function_exists("mb_convert_encoding"))
 507              {
 508                  $message = @mb_convert_encoding($message, $charset, "UTF-8");
 509                  $editreason = @mb_convert_encoding($editreason, $charset, "UTF-8");
 510              }
 511              else if(my_strtolower($charset) == "iso-8859-1")
 512              {
 513                  $message = utf8_decode($message);
 514                  $editreason = utf8_decode($editreason);
 515              }
 516          }
 517  
 518          // Set up posthandler.
 519          require_once  MYBB_ROOT."inc/datahandlers/post.php";
 520          $posthandler = new PostDataHandler("update");
 521          $posthandler->action = "post";
 522  
 523          // Set the post data that came from the input to the $post array.
 524          $updatepost = array(
 525              "pid" => $post['pid'],
 526              "message" => $message,
 527              "editreason" => $editreason,
 528              "edit_uid" => $mybb->user['uid']
 529          );
 530  
 531          // If this is the first post set the prefix. If a forum requires a prefix the quick edit would throw an error otherwise
 532          if($post['pid'] == $thread['firstpost'])
 533          {
 534              $updatepost['prefix'] = $thread['prefix'];
 535          }
 536  
 537          $posthandler->set_data($updatepost);
 538  
 539          // Now let the post handler do all the hard work.
 540          if(!$posthandler->validate_post())
 541          {
 542              $post_errors = $posthandler->get_friendly_errors();
 543              xmlhttp_error($post_errors);
 544          }
 545          // No errors were found, we can call the update method.
 546          else
 547          {
 548              $postinfo = $posthandler->update_post();
 549              $visible = $postinfo['visible'];
 550              if($visible == 0 && !is_moderator($post['fid'], "canviewunapprove"))
 551              {
 552                  // Is it the first post?
 553                  if($thread['firstpost'] == $post['pid'])
 554                  {
 555                      echo json_encode(array("moderation_thread" => $lang->thread_moderation, 'url' => $mybb->settings['bburl'].'/'.get_forum_link($thread['fid']), "message" => $post['message']));
 556                      exit;
 557                  }
 558                  else
 559                  {
 560                      echo json_encode(array("moderation_post" => $lang->post_moderation, 'url' => $mybb->settings['bburl'].'/'.get_thread_link($thread['tid']), "message" => $post['message']));
 561                      exit;
 562                  }
 563              }
 564          }
 565  
 566          require_once  MYBB_ROOT."inc/class_parser.php";
 567          $parser = new postParser;
 568  
 569          $parser_options = array(
 570              "allow_html" => $forum['allowhtml'],
 571              "allow_mycode" => $forum['allowmycode'],
 572              "allow_smilies" => $forum['allowsmilies'],
 573              "allow_imgcode" => $forum['allowimgcode'],
 574              "allow_videocode" => $forum['allowvideocode'],
 575              "me_username" => $post['username'],
 576              "filter_badwords" => 1
 577          );
 578  
 579          $post['username'] = htmlspecialchars_uni($post['username']);
 580  
 581          if($post['smilieoff'] == 1)
 582          {
 583              $parser_options['allow_smilies'] = 0;
 584          }
 585  
 586          if($mybb->user['showimages'] != 1 && $mybb->user['uid'] != 0 || $mybb->settings['guestimages'] != 1 && $mybb->user['uid'] == 0)
 587          {
 588              $parser_options['allow_imgcode'] = 0;
 589          }
 590  
 591          if($mybb->user['showvideos'] != 1 && $mybb->user['uid'] != 0 || $mybb->settings['guestvideos'] != 1 && $mybb->user['uid'] == 0)
 592          {
 593              $parser_options['allow_videocode'] = 0;
 594          }
 595  
 596          $post['message'] = $parser->parse_message($message, $parser_options);
 597  
 598          // Now lets fetch all of the attachments for these posts.
 599          if($mybb->settings['enableattachments'] != 0)
 600          {
 601              $query = $db->simple_select("attachments", "*", "pid='{$post['pid']}'");
 602              while($attachment = $db->fetch_array($query))
 603              {
 604                  $attachcache[$attachment['pid']][$attachment['aid']] = $attachment;
 605              }
 606  
 607              require_once  MYBB_ROOT."inc/functions_post.php";
 608  
 609              get_post_attachments($post['pid'], $post);
 610          }
 611  
 612          // Figure out if we need to show an "edited by" message
 613          // Only show if at least one of "showeditedby" or "showeditedbyadmin" is enabled
 614          if($mybb->settings['showeditedby'] != 0 && $mybb->settings['showeditedbyadmin'] != 0)
 615          {
 616              $post['editdate'] = my_date('relative', TIME_NOW);
 617              $post['editnote'] = $lang->sprintf($lang->postbit_edited, $post['editdate']);
 618              $mybb->user['username'] = htmlspecialchars_uni($mybb->user['username']);
 619              $post['editedprofilelink'] = build_profile_link($mybb->user['username'], $mybb->user['uid']);
 620              $post['editreason'] = trim($editreason);
 621              $editreason = "";
 622              if($post['editreason'] != "")
 623              {
 624                  $post['editreason'] = $parser->parse_badwords($post['editreason']);
 625                  $post['editreason'] = htmlspecialchars_uni($post['editreason']);
 626                  eval("\$editreason = \"".$templates->get("postbit_editedby_editreason")."\";");
 627              }
 628              eval("\$editedmsg = \"".$templates->get("postbit_editedby")."\";");
 629          }
 630  
 631          // Send our headers.
 632          header("Content-type: application/json; charset={$charset}");
 633  
 634          $editedmsg_response = null;
 635          if($editedmsg)
 636          {
 637              $editedmsg_response = str_replace(array("\r", "\n"), "", $editedmsg);
 638          }
 639  
 640          $plugins->run_hooks("xmlhttp_update_post");
 641  
 642          echo json_encode(array("message" => $post['message']."\n", "editedmsg" => $editedmsg_response));
 643          exit;
 644      }
 645  }
 646  // Fetch the list of multiquoted posts which are not in a specific thread
 647  else if($mybb->input['action'] == "get_multiquoted")
 648  {
 649      // If the cookie does not exist, exit
 650      if(!array_key_exists("multiquote", $mybb->cookies))
 651      {
 652          exit;
 653      }
 654      // Divide up the cookie using our delimeter
 655      $multiquoted = explode("|", $mybb->cookies['multiquote']);
 656  
 657      $plugins->run_hooks("xmlhttp_get_multiquoted_start");
 658  
 659      // No values - exit
 660      if(!is_array($multiquoted))
 661      {
 662          exit;
 663      }
 664  
 665      // Loop through each post ID and sanitize it before querying
 666      foreach($multiquoted as $post)
 667      {
 668          $quoted_posts[$post] = (int)$post;
 669      }
 670  
 671      // Join the post IDs back together
 672      $quoted_posts = implode(",", $quoted_posts);
 673  
 674      // Fetch unviewable forums
 675      $unviewable_forums = get_unviewable_forums();
 676      $inactiveforums = get_inactive_forums();
 677      if($unviewable_forums)
 678      {
 679          $unviewable_forums = "AND t.fid NOT IN ({$unviewable_forums})";
 680      }
 681      if($inactiveforums)
 682      {
 683          $inactiveforums = "AND t.fid NOT IN ({$inactiveforums})";
 684      }
 685  
 686      // Check group permissions if we can't view threads not started by us
 687      $group_permissions = forum_permissions();
 688      $onlyusfids = array();
 689      foreach($group_permissions as $gpfid => $forum_permissions)
 690      {
 691          if(isset($forum_permissions['canonlyviewownthreads']) && $forum_permissions['canonlyviewownthreads'] == 1)
 692          {
 693              $onlyusfids[] = $gpfid;
 694          }
 695      }
 696  
 697      $message = '';
 698  
 699      // Are we loading all quoted posts or only those not in the current thread?
 700      if(empty($mybb->input['load_all']))
 701      {
 702          $from_tid = "p.tid != '".$mybb->get_input('tid', MyBB::INPUT_INT)."' AND ";
 703      }
 704      else
 705      {
 706          $from_tid = '';
 707      }
 708  
 709      require_once  MYBB_ROOT."inc/class_parser.php";
 710      $parser = new postParser;
 711  
 712      require_once  MYBB_ROOT."inc/functions_posting.php";
 713  
 714      $plugins->run_hooks("xmlhttp_get_multiquoted_intermediate");
 715  
 716      // Query for any posts in the list which are not within the specified thread
 717      $query = $db->query("
 718          SELECT p.subject, p.message, p.pid, p.tid, p.username, p.dateline, t.fid, t.uid AS thread_uid, p.visible, u.username AS userusername
 719          FROM ".TABLE_PREFIX."posts p
 720          LEFT JOIN ".TABLE_PREFIX."threads t ON (t.tid=p.tid)
 721          LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid=p.uid)
 722          WHERE {$from_tid}p.pid IN ({$quoted_posts}) {$unviewable_forums} {$inactiveforums}
 723          ORDER BY p.dateline
 724      ");
 725      while($quoted_post = $db->fetch_array($query))
 726      {
 727          if(
 728              (!is_moderator($quoted_post['fid'], "canviewunapprove") && $quoted_post['visible'] == 0) ||
 729              (!is_moderator($quoted_post['fid'], "canviewdeleted") && $quoted_post['visible'] == -1) ||
 730              (in_array($quoted_post['fid'], $onlyusfids) && (!$mybb->user['uid'] || $quoted_post['thread_uid'] != $mybb->user['uid']))
 731          )
 732          {
 733              continue;
 734          }
 735  
 736          $message .= parse_quoted_message($quoted_post, false);
 737      }
 738      if($mybb->settings['maxquotedepth'] != '0')
 739      {
 740          $message = remove_message_quotes($message);
 741      }
 742  
 743      // Send our headers.
 744      header("Content-type: application/json; charset={$charset}");
 745  
 746      $plugins->run_hooks("xmlhttp_get_multiquoted_end");
 747  
 748      echo json_encode(array("message" => $message));
 749      exit;
 750  }
 751  else if($mybb->input['action'] == "refresh_captcha")
 752  {
 753      $imagehash = $db->escape_string($mybb->get_input('imagehash'));
 754      $query = $db->simple_select("captcha", "dateline", "imagehash='$imagehash'");
 755      if($db->num_rows($query) == 0)
 756      {
 757          xmlhttp_error($lang->captcha_not_exists);
 758      }
 759      $db->delete_query("captcha", "imagehash='$imagehash'");
 760      $randomstr = random_str(5);
 761      $imagehash = md5(random_str(12));
 762      $regimagearray = array(
 763          "imagehash" => $imagehash,
 764          "imagestring" => $randomstr,
 765          "dateline" => TIME_NOW
 766      );
 767  
 768      $plugins->run_hooks("xmlhttp_refresh_captcha");
 769  
 770      $db->insert_query("captcha", $regimagearray);
 771      header("Content-type: application/json; charset={$charset}");
 772      echo json_encode(array("imagehash" => $imagehash));
 773      exit;
 774  }
 775  else if($mybb->input['action'] == "validate_captcha")
 776  {
 777      header("Content-type: application/json; charset={$charset}");
 778      $imagehash = $db->escape_string($mybb->get_input('imagehash'));
 779      $query = $db->simple_select("captcha", "imagestring", "imagehash='$imagehash'");
 780      if($db->num_rows($query) == 0)
 781      {
 782          echo json_encode($lang->captcha_valid_not_exists);
 783          exit;
 784      }
 785      $imagestring = $db->fetch_field($query, 'imagestring');
 786  
 787      $plugins->run_hooks("xmlhttp_validate_captcha");
 788  
 789      if(my_strtolower($imagestring) == my_strtolower($mybb->get_input('imagestring')))
 790      {
 791          //echo json_encode(array("success" => $lang->captcha_matches));
 792          echo json_encode("true");
 793          exit;
 794      }
 795      else
 796      {
 797          echo json_encode($lang->captcha_does_not_match);
 798          exit;
 799      }
 800  }
 801  else if($mybb->input['action'] == "refresh_question" && $mybb->settings['securityquestion'])
 802  {
 803      header("Content-type: application/json; charset={$charset}");
 804  
 805      $sid = $db->escape_string($mybb->get_input('question_id'));
 806      $query = $db->query("
 807          SELECT q.qid, s.sid
 808          FROM ".TABLE_PREFIX."questionsessions s
 809          LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid)
 810          WHERE q.active='1' AND s.sid='{$sid}'
 811      ");
 812  
 813      if($db->num_rows($query) == 0)
 814      {
 815          xmlhttp_error($lang->answer_valid_not_exists);
 816      }
 817  
 818      $qsession = $db->fetch_array($query);
 819  
 820      // Delete previous question session
 821      $db->delete_query("questionsessions", "sid='$sid'");
 822  
 823      require_once  MYBB_ROOT."inc/functions_user.php";
 824  
 825      $sid = generate_question($qsession['qid']);
 826      $query = $db->query("
 827          SELECT q.question, s.sid
 828          FROM ".TABLE_PREFIX."questionsessions s
 829          LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid)
 830          WHERE q.active='1' AND s.sid='{$sid}' AND q.qid!='{$qsession['qid']}'
 831      ");
 832  
 833      $plugins->run_hooks("xmlhttp_refresh_question");
 834  
 835      if($db->num_rows($query) > 0)
 836      {
 837          $question = $db->fetch_array($query);
 838  
 839          echo json_encode(array("question" => htmlspecialchars_uni($question['question']), 'sid' => htmlspecialchars_uni($question['sid'])));
 840          exit;
 841      }
 842      else
 843      {
 844          xmlhttp_error($lang->answer_valid_not_exists);
 845      }
 846  }
 847  elseif($mybb->input['action'] == "validate_question" && $mybb->settings['securityquestion'])
 848  {
 849      header("Content-type: application/json; charset={$charset}");
 850      $sid = $db->escape_string($mybb->get_input('question'));
 851      $answer = $db->escape_string($mybb->get_input('answer'));
 852  
 853      $query = $db->query("
 854          SELECT q.*, s.sid
 855          FROM ".TABLE_PREFIX."questionsessions s
 856          LEFT JOIN ".TABLE_PREFIX."questions q ON (q.qid=s.qid)
 857          WHERE q.active='1' AND s.sid='{$sid}'
 858      ");
 859  
 860      if($db->num_rows($query) == 0)
 861      {
 862          echo json_encode($lang->answer_valid_not_exists);
 863          exit;
 864      }
 865      else
 866      {
 867          $question = $db->fetch_array($query);
 868          $valid_answers = preg_split("/\r\n|\n|\r/", $question['answer']);
 869          $validated = 0;
 870  
 871          foreach($valid_answers as $answers)
 872          {
 873              if(my_strtolower($answers) == my_strtolower($answer))
 874              {
 875                  $validated = 1;
 876              }
 877          }
 878  
 879          $plugins->run_hooks("xmlhttp_validate_question");
 880  
 881          if($validated != 1)
 882          {
 883              echo json_encode($lang->answer_does_not_match);
 884              exit;
 885          }
 886          else
 887          {
 888              echo json_encode("true");
 889              exit;
 890          }
 891      }
 892  
 893      exit;
 894  }
 895  else if($mybb->input['action'] == "complex_password")
 896  {
 897      $password = trim($mybb->get_input('password'));
 898      $password = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $password);
 899  
 900      header("Content-type: application/json; charset={$charset}");
 901  
 902      $plugins->run_hooks("xmlhttp_complex_password");
 903  
 904      if(!preg_match("/^.*(?=.{".$mybb->settings['minpasswordlength'].",})(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$/", $password))
 905      {
 906          echo json_encode($lang->complex_password_fails);
 907      }
 908      else
 909      {
 910          // Return nothing but an OK password if passes regex
 911          echo json_encode("true");
 912      }
 913  
 914      exit;
 915  }
 916  else if($mybb->input['action'] == "username_availability")
 917  {
 918      if(!verify_post_check($mybb->get_input('my_post_key'), true))
 919      {
 920          xmlhttp_error($lang->invalid_post_code);
 921      }
 922  
 923      require_once  MYBB_ROOT."inc/functions_user.php";
 924      $username = $mybb->get_input('username');
 925  
 926      // Fix bad characters
 927      $username = trim_blank_chrs($username);
 928      $username = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $username);
 929  
 930      // Remove multiple spaces from the username
 931      $username = preg_replace("#\s{2,}#", " ", $username);
 932  
 933      header("Content-type: application/json; charset={$charset}");
 934  
 935      if(empty($username))
 936      {
 937          echo json_encode($lang->banned_characters_username);
 938          exit;
 939      }
 940  
 941      // Check if the username belongs to the list of banned usernames.
 942      $banned_username = is_banned_username($username, true);
 943      if($banned_username)
 944      {
 945          echo json_encode($lang->banned_username);
 946          exit;
 947      }
 948  
 949      // Check for certain characters in username (<, >, &, and slashes)
 950      if(strpos($username, "<") !== false || strpos($username, ">") !== false || strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || strpos($username, ",") !== false || !validate_utf8_string($username, false, false))
 951      {
 952          echo json_encode($lang->banned_characters_username);
 953          exit;
 954      }
 955  
 956      // Check if the username is actually already in use
 957      $user = get_user_by_username($username);
 958  
 959      $plugins->run_hooks("xmlhttp_username_availability");
 960  
 961      if($user['uid'])
 962      {
 963          $lang->username_taken = $lang->sprintf($lang->username_taken, htmlspecialchars_uni($username));
 964          echo json_encode($lang->username_taken);
 965          exit;
 966      }
 967      else
 968      {
 969          //$lang->username_available = $lang->sprintf($lang->username_available, htmlspecialchars_uni($username));
 970          echo json_encode("true");
 971          exit;
 972      }
 973  }
 974  else if($mybb->input['action'] == "username_exists")
 975  {
 976      if(!verify_post_check($mybb->get_input('my_post_key'), true))
 977      {
 978          xmlhttp_error($lang->invalid_post_code);
 979      }
 980  
 981      require_once  MYBB_ROOT."inc/functions_user.php";
 982      $username = $mybb->get_input('value');
 983  
 984      header("Content-type: application/json; charset={$charset}");
 985  
 986      if(!trim($username))
 987      {
 988          echo json_encode(array("success" => 1));
 989          exit;
 990      }
 991  
 992      // Check if the username actually exists
 993      $user = get_user_by_username($username);
 994  
 995      $plugins->run_hooks("xmlhttp_username_exists");
 996  
 997      if($user['uid'])
 998      {
 999          $lang->valid_username = $lang->sprintf($lang->valid_username, htmlspecialchars_uni($username));
1000          echo json_encode(array("success" => $lang->valid_username));
1001          exit;
1002      }
1003      else
1004      {
1005          $lang->invalid_username = $lang->sprintf($lang->invalid_username, htmlspecialchars_uni($username));
1006          echo json_encode($lang->invalid_username);
1007          exit;
1008      }
1009  }
1010  else if($mybb->input['action'] == "get_buddyselect")
1011  {
1012      // Send our headers.
1013      header("Content-type: text/plain; charset={$charset}");
1014  
1015      if($mybb->user['buddylist'] != "")
1016      {
1017          $query_options = array(
1018              "order_by" => "username",
1019              "order_dir" => "asc"
1020          );
1021  
1022          $plugins->run_hooks("xmlhttp_get_buddyselect_start");
1023  
1024          $timecut = TIME_NOW - $mybb->settings['wolcutoff'];
1025          $query = $db->simple_select("users", "uid, username, usergroup, displaygroup, lastactive, lastvisit, invisible", "uid IN ({$mybb->user['buddylist']})", $query_options);
1026          $online = array();
1027          $offline = array();
1028          while($buddy = $db->fetch_array($query))
1029          {
1030              $buddy['username'] = htmlspecialchars_uni($buddy['username']);
1031              $buddy_name = format_name($buddy['username'], $buddy['usergroup'], $buddy['displaygroup']);
1032              $profile_link = build_profile_link($buddy_name, $buddy['uid'], '_blank');
1033              if($buddy['lastactive'] > $timecut && ($buddy['invisible'] == 0 || $mybb->user['usergroup'] == 4) && $buddy['lastvisit'] != $buddy['lastactive'])
1034              {
1035                  eval("\$online[] = \"".$templates->get("xmlhttp_buddyselect_online")."\";");
1036              }
1037              else
1038              {
1039                  eval("\$offline[] = \"".$templates->get("xmlhttp_buddyselect_offline")."\";");
1040              }
1041          }
1042          $online = implode("", $online);
1043          $offline = implode("", $offline);
1044  
1045          $plugins->run_hooks("xmlhttp_get_buddyselect_end");
1046  
1047          eval("\$buddy_select = \"".$templates->get("xmlhttp_buddyselect")."\";");
1048          echo $buddy_select;
1049      }
1050      else
1051      {
1052          xmlhttp_error($lang->buddylist_error);
1053      }
1054  }
1055  
1056  /**
1057   * Spits an XML Http based error message back to the browser
1058   *
1059   * @param string $message The message to send back.
1060   */
1061  function xmlhttp_error($message)
1062  {
1063      global $charset;
1064  
1065      // Send our headers.
1066      header("Content-type: application/json; charset={$charset}");
1067  
1068      // Do we have an array of messages?
1069      if(is_array($message))
1070      {
1071          $response = array();
1072          foreach($message as $error)
1073          {
1074              $response[] = $error;
1075          }
1076  
1077          // Send the error messages.
1078          echo json_encode(array("errors" => array($response)));
1079  
1080          exit;
1081      }
1082  
1083      // Just a single error? Send it along.
1084      echo json_encode(array("errors" => array($message)));
1085  
1086      exit;
1087  }


2005 - 2016 © MyBB.de | Alle Rechte vorbehalten! | Sponsor: netcup Cross-referenced by PHPXref 0.7.1