zorg Code v4.9.0

cron/tag.php

@@ -25,7 +25,7 @@
 
 	error_log(sprintf('[%s] [NOTICE] <%s> Try including files...', date('d.m.Y H:i:s',time()), __FILE__));
 	define('SITE_ROOT', $wwwroot); // Define own SITE_ROOT before loading general zConfigs
-	require_once( SITE_ROOT.'/includes/config.inc.php');
+	(!require_once( SITE_ROOT.'/includes/config.inc.php')) ?? error_log(sprintf('[%s] [ERROR] <%s> Including %s failed', date('d.m.Y H:i:s',time()), __FILE__, SITE_ROOT.'/includes/config.inc.php'));
 	include_once( INCLUDES_DIR.'addle.inc.php');
 	include_once( INCLUDES_DIR.'hz_game.inc.php');
 	include_once( INCLUDES_DIR.'peter.inc.php');

www/actions/chess.php

@@ -1,102 +1,114 @@
 <?php
 /**
  * Chess game actions
+ *
  * @package zorg\Games\Chess
  */
+
 /**
  * File includes
  */
-require_once dirname(__FILE__).'/../includes/main.inc.php';
+require_once __DIR__.'/../includes/config.inc.php';
 include_once INCLUDES_DIR.'chess.inc.php';
 
-/** move */
-if (isset($_GET['game']) && $_GET['game'] > 0 && isset($_GET['from']) && isset($_GET['to']))
+/** Input validation and sanitization */
+$doAction = filter_input(INPUT_GET, 'do', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null; // $_GET['do']
+$gameId = filter_input(INPUT_GET, 'game', FILTER_VALIDATE_INT) ?? 0; // $_GET['game']
+$fromField = filter_input(INPUT_GET, 'from', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null; // $_GET['from']
+$toField = filter_input(INPUT_GET, 'to', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null; // $_GET['to']
+$viewForm = filter_input(INPUT_POST, 'formid', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null; // $_POST['formid']
+$userId = filter_input(INPUT_POST, 'user', FILTER_VALIDATE_INT) ?? null; // $_POST['user']
+
+if (isset($gameId) && $gameId > 0)
 {
-	$e = $db->query('SELECT *, IF(white=next_turn, "w", "b") player
-					FROM chess_games 
-					WHERE id='.$_GET['game'].' AND next_turn='.$user->id,
-					__FILE__, __LINE__, 'move');
-	$d = $db->fetch($e);
+	/** move */
+	if (!empty($fromField) && !empty($toField))
+	{
+		$e = $db->query('SELECT *, IF(white=next_turn, "w", "b") player FROM chess_games WHERE id=? AND next_turn=?',
+						__FILE__, __LINE__, 'move', [$gameId, $user->id]);
+		$d = $db->fetch($e);
 
-
-	if ($d && Chess::is_valid_position($_GET['from']) && Chess::is_valid_position($_GET['to'])
-		&& Chess::do_move($d['id'], $d['player'], $_GET['from'], $_GET['to'])
-	) {
-		unset($_GET['from']);
-		unset($_GET['to']);
-		header('Location: /?'.url_params());
-	}else{
-		echo "Invalid chess move: <br /> game = ".$_GET['game']." <br /> from = ".$_GET['from']." <br /> to = ".$_GET['to'];
+
+		if ($d && $chess->is_valid_position($fromField) && $chess->is_valid_position($toField)
+				&& $chess->do_move($d['id'], $d['player'], $fromField, $toField)
+		) {
+			unset($_GET['from']);
+			unset($_GET['to']);
+			header('Location: /?'.url_params());
+		}else{
+			echo "Invalid chess move: <br /> game = ".$gameId." <br /> from = ".$fromField." <br /> to = ".$toField;
+		}
 		exit;
 	}
-}
 
-/** offer remis */
-if (isset($_GET['game']) && $_GET['game'] > 0 && isset($_GET['do']) && $_GET['do'] == 'offer_remis')
-{
-	$e = $db->query('SELECT * FROM chess_games WHERE id='.$_GET['game'].' AND next_turn='.$user->id, __FILE__, __LINE__, 'offer remis');
-	$d = $db->fetch($e);
-	if ($d) {
-		Chess::do_offer_remis($_GET['game']);
-		unset($_GET['do']);
-		header("Location: /?".url_params());
-	}else{
-		echo "'offer remis' is not allowed.";
+	/** offer remis */
+	if ($doAction === 'offer_remis')
+	{
+		$e = $db->query('SELECT * FROM chess_games WHERE id=? AND next_turn=?', __FILE__, __LINE__, 'offer remis', [$gameId, $user->id]);
+		$d = $db->fetch($e);
+		if ($d) {
+			$chess->do_offer_remis($gameId);
+
+			unset($_GET['do']);
+			header("Location: /?".url_params());
+		}else{
+			echo "'offer remis' is not allowed.";
+		}
 		exit;
 	}
-}
 
-/** accept remis */
-if (isset($_GET['game']) && $_GET['game'] > 0 && isset($_GET['do']) && $_GET['do'] == 'accept_remis')
-{
-	$e = $db->query('SELECT * 
-					FROM chess_games 
-					WHERE id='.$_GET['game'].' AND (white='.$user->id.' OR black='.$user->id.') AND next_turn!='.$user->id.' AND offering_remis="1"',
-					__FILE__, __LINE__, 'accept remis');
-	$d = $db->fetch($e);
-	if ($d) {
-		Chess::do_remis($_GET['game']);
-		unset($_GET['do']);
-		header("Location: /?".url_params());
-	}else{
-		echo "'accept remis' is not allowed.";
+	/** accept remis */
+	if ($doAction === 'accept_remis')
+	{
+		$e = $db->query('SELECT * FROM chess_games WHERE id=? AND (white=? OR black=?) AND next_turn!=? AND offering_remis="1"',
+						__FILE__, __LINE__, 'accept remis', [$gameId, $user->id, $user->id, $user->id]);
+		$d = $db->fetch($e);
+		if ($d) {
+			$chess->do_remis($gameId);
+
+			unset($_GET['do']);
+			header("Location: /?".url_params());
+		}else{
+			echo "'accept remis' is not allowed.";
+		}
 		exit;
 	}
-}
 
-/** deny remis */
-if (isset($_GET['game']) && $_GET['game'] > 0 && isset($_GET['do']) && $_GET['do'] == 'deny_remis')
-{
-	$e = $db->query('SELECT *
-					FROM chess_games
-					WHERE id='.$_GET['game'].' AND (white='.$user->id.' OR black='.$user->id.') AND next_turn!='.$user->id.' AND offering_remis="1"',
-					__FILE__, __LINE__, 'deny remis');
-	$d = $db->fetch($e);
-	if ($d) {
-		Chess::deny_remis($_GET['game']);
-		header("Location: /?".url_params());
-	}else{
-		echo "'deny remis' is not allowed";
+	/** deny remis */
+	if ($doAction === 'deny_remis')
+	{
+		$e = $db->query('SELECT * FROM chess_games WHERE id=? AND (white=? OR black=?) AND next_turn!=? AND offering_remis="1"',
+						__FILE__, __LINE__, 'deny remis', [$gameId, $user->id, $user->id, $user->id]);
+		$d = $db->fetch($e);
+		if ($d) {
+			$chess->deny_remis($gameId);
+
+			unset($_GET['do']);
+			header("Location: /?".url_params());
+		}else{
+			echo "'deny remis' is not allowed";
+		}
+		exit;
+	}
+
+	/** aufgeben */
+	if ($doAction === 'aufgeben')
+	{
+		$chess->aufgabe($gameId);
+
+		unset($_GET['do']);
+		header("Location: /tpl/141?".url_params());
 		exit;
 	}
 }
 
 /** start new game */
-if (isset($_POST['formid']) && $_POST['formid'] == 'chess_start')
+elseif ($viewForm === 'chess_start')
 {
-	if (Chess::new_game($_POST['user'])) {
+	if ($chess->new_game($userId)) {
 		header("Location: /?tpl=139");
 	}else{
-		echo "invalid chess_start: <br /> user = ".$_POST['user'];
-		exit;
+		echo "invalid chess_start: <br /> user = ".$userId;
 	}
-}
-
-/** aufgeben */
-if (isset($_GET['game']) && $_GET['game'] > 0 && isset($_GET['do']) && $_GET['do'] == 'aufgeben')
-{
-	Chess::aufgabe($_GET['game']);
-
-	unset($_GET['do']);
-	header("Location: /tpl/141?".url_params());
+	exit;
 }

www/actions/comment_gotolastunread.php

@@ -1,10 +1,11 @@
 <?php
-require_once dirname(__FILE__).'/../includes/main.inc.php';
+require_once __DIR__.'/../includes/config.inc.php';
+require_once INCLUDES_DIR.'forum.inc.php';
 
-if(Forum::getNumunreadposts($user->id) > 0) { 
+if(Forum::getNumunreadposts($user->id) > 0) {
 	header("Location: ".Forum::getUnreadLink());
-	die();
+	exit();
 } else {
-	header("Location: ../index.php?".session_name()."=".session_id());
-	die();
+	header("Location: /index.php");
+	exit();
 }

www/actions/commenting.php

@@ -1,33 +1,45 @@
 <?php
 /**
  * Commenting Actions
+ *
  * @package zorg\Forum
  */
+
 /**
  * File Includes
  */
-require_once dirname(__FILE__).'/../includes/main.inc.php';
+require_once __DIR__.'/../includes/config.inc.php';
 require_once INCLUDES_DIR.'mysql.inc.php';
 require_once INCLUDES_DIR.'usersystem.inc.php';
 
+/** Input validation & sanitization */
+$doAction = filter_input(INPUT_GET, 'do', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null; // $_GET['do']
+$comment = filter_input(INPUT_GET, 'comment_id', FILTER_VALIDATE_INT) ?? 0; // $_GET['comment_id']
+$board = filter_input(INPUT_GET, 'board', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null; // $_GET['board']
+$redirect = base64url_decode(filter_input(INPUT_GET, 'url', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR)) ?? null; // $_GET['url']
+
+if (!$user->is_loggedin()) {
+	http_response_code(403); // Set response code 403 (Access denied)
+	user_error('Access denied', E_USER_ERROR);
+}
+if(empty($comment) || $comment <= 0) {
+	http_response_code(404); // Set response code 404 (Not found)
+	user_error('Invalid comment: '.$comment, E_USER_ERROR);
+}
+
 /** Subscribe */
-if(isset($_GET['do']) && $_GET['do'] == 'subscribe')
+if($doAction === 'subscribe')
 {
-	$sql = 'INSERT INTO comments_subscriptions (board, comment_id, user_id)
-			VALUES("'.$_GET['board'].'", '.$_GET['comment_id'].', '.$user->id.')';
-	$db->query($sql, __FILE__, __LINE__, 'Commenting subscribe');
-
-	header("Location: ".base64url_decode($_GET['url']));
-	exit;
+	$sql = 'INSERT INTO comments_subscriptions (board, comment_id, user_id) VALUES(?, ?, ?)';
+	$db->query($sql, __FILE__, __LINE__, 'Commenting subscribe', [$board, $comment, $user->id]);
 }
 
 /** Unsubscribe */
-if(isset($_GET['do']) && $_GET['do'] == 'unsubscribe')
+elseif($doAction === 'unsubscribe' && $user->is_loggedin())
 {
-	$sql = 'DELETE FROM comments_subscriptions
-			WHERE board = "'.$_GET['board'].'" AND comment_id = '.$_GET['comment_id'].' AND user_id = '.$user->id;
-	$db->query($sql, __FILE__, __LINE__, 'Commenting unsubscribe');
-
-	header("Location: ".base64url_decode($_GET['url']));
-	exit;
+	$sql = 'DELETE FROM comments_subscriptions WHERE board=? AND comment_id=? AND user_id=?';
+	$db->query($sql, __FILE__, __LINE__, 'Commenting unsubscribe', [$board, $comment, $user->id]);
 }
+
+header("Location: ".$redirect);
+exit;

www/actions/error_action.php

@@ -1,39 +1,52 @@
 <?php
-require_once dirname(__FILE__).'/../includes/main.inc.php';
+require_once __DIR__.'/../includes/config.inc.php';
+require_once INCLUDES_DIR.'mysql.inc.php';
+require_once INCLUDES_DIR.'usersystem.inc.php';
 
-if(count($_POST) > 0)
+if($user->is_loggedin() && count($_POST) > 0)
 {
+	/** Input validation & sanitization */
+	$errorId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT) ?? null; // $_GET['id']
+	$tplId = filter_input(INPUT_GET, 'tpl', FILTER_VALIDATE_INT) ?? null; // $_GET['tpl']
+	$doDelete = filter_input(INPUT_POST, 'del', FILTER_DEFAULT, FILTER_REQUIRE_SCALAR) ?? null; // $_POST['del']
+	$showQuery = filter_input(INPUT_POST, 'query', FILTER_SANITIZE_FULL_SPECIAL_CHARS) ?? 0; // $_POST['query']
+	$del_ids = filter_input(INPUT_POST, 'to_del', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY) ?? []; // $_POST['to_del']
+	$showNum = filter_input(INPUT_POST, 'num', FILTER_VALIDATE_INT) ?? 0; // $_POST['num']
+	$urlParams = '';
+
 	/** Delete SQL-Error */
-	if($_POST['del'] && !empty($_GET['id']))
+	if($doDelete === 'delete' && $errorId>0)
 	{
-		$sql_del = 'DELETE FROM sql_error WHERE id='.$_GET['id'];
-		$db->query($sql_del, __FILE__, __LINE__, 'Delete SQL-Error');
-		header('Location: /tpl/'.$_GET['tpl']);
-		die();
+		$sql_del = 'DELETE FROM sql_error WHERE id=?';
+		$db->query($sql_del, __FILE__, __LINE__, 'Delete SQL-Error', [$errorId]);
 	}
 
 	/** Show Query details */
-	if($_POST['query'])
+	if(!empty($showQuery))
 	{
-		header('Location: /tpl/'.$_GET['tpl'].'&id='.$_GET['id'].'&query='.base64url_encode($_POST['query']));
-		die();
+		$urlParams = '?id='.$errorId.'&query='.base64url_encode($showQuery);
 	}
 
 	/** Delete multiple SQL-Errors */
-	if(count($_POST['to_del']) > 0)
+	if(count($del_ids) > 0 && $user->type >= USER_MEMBER)
 	{
-		$del_ids = implode(',', $_POST['to_del']);
-		$sql = 'DELETE FROM sql_error WHERE id IN ('.$del_ids.')';
-		$db->query($sql, __FILE__, __LINE__, 'Delete multiple SQL-Errors');
-		header('Location: /tpl/'.$_GET['tpl']);
-		die();
+		$placeholders = implode(',', array_fill(0, count($del_ids), '?'));
+		$sql = 'DELETE FROM sql_error WHERE id IN (' . $placeholders . ')';
+		$params = array_map('intval', $del_ids); // $del_ids must be integers
+		$db->query($sql, __FILE__, __LINE__, 'Delete multiple SQL-Errors', $params);
 	}
 
 	/** Change displayed number of SQL-Error */
-	if($_POST['num'])
+	if($showNum > 0)
 	{
 		$_SESSION['error_num'] = $_POST['num'];
-		header('Location: /tpl/'.$_GET['tpl'].'?error_num='.$_POST['num']);
-		die();
+		$urlParams = '?error_num='.$showNum;
 	}
+
+	header('Location: /tpl/'.$tplId.$urlParams);
+	exit;
+}
+else {
+	http_response_code(403); // Set response code 403 (Access denied)
+	user_error('Access denied', E_USER_ERROR);
 }