From 8ef417bcad638b6e1ecf0751abf76d6cc0e0f8bf Mon Sep 17 00:00:00 2001 From: Xkeeper Date: Mon, 28 Dec 2020 20:59:22 -0800 Subject: [PATCH] More or less rewrite the entire registration page - Now allows resubmitting the form if you goof - Shows errors in a more useful format - Accepts an email address (and validates it) - Now has... comments the future is now --- register.php | 331 ++++++++++++++++++++++++++++++++------------------- 1 file changed, 210 insertions(+), 121 deletions(-) diff --git a/register.php b/register.php index 203b0a4..12295f6 100644 --- a/register.php +++ b/register.php @@ -1,152 +1,241 @@ $tccell2>Registration is disabled. Please contact an admin if you have any questions.$tblend$footer"); - - - if (!$_POST[action]){ - $descbr="$smallfont
 "; - print " - -
-
$tblstart - - $tccellh colspan=2>Login information - $tccell1>User name:$descbr The name you want to use on the board. - $tccell2l width=50%>$inpt=name SIZE=25 MAXLENGTH=25> - $tccell1>Password:$descbr Enter any password up to 32 characters in length. It can later be changed by editing your profile.

Warning: Do not use unsecure passwords such as '123456', 'qwerty', or 'pokemon'. It'll result in an instant IP ban. - $tccell2l width=50%>$inpp=pass SIZE=13 MAXLENGTH=64> - $tccellh> $tccellh>  - $tccell1> $tccell2l> - $inph=action VALUE=\"Register\"> - $inps=submit VALUE=\"Register account\"> - -
Homepage: DO NOT FILL IN THIS FIELD. DOING SO WILL RESULT IN INSTANT IP-BAN. - $inpt=homepage SIZE=25 MAXLENGTH=255>
- -
- - "; } - if ($_POST['action']=='Register') { - if ($_POST['name'] == "Blaster") { - $sql -> query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Idiot'"); - @xk_ircsend("1|". xk(7) ."Auto-IP banned Blaster with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) ." on registration."); - die("$tccell1>Thank you, $username, for registering your account.
".redirect('index.php','the board',0).$footer); + // Errors for display in the registration form + $error = false; + $errors = [ + 'name' => "", + 'pass' => "", + 'email' => "", + ]; + + // If true, won't show the form again on error + $fatal = false; + $registered = false; + + $name = trim($_POST['name'] ?? ""); + $pass = $_POST['pass'] ?? null; + $email = $_POST['email'] ?? null; + + if ($_POST['action'] == 'Register') { + + if ($name === "") { + $error = "No username given."; + $errors['name'] = "Required"; } - /* do curl here */ - $ch = curl_init(); - curl_setopt ($ch,CURLOPT_URL, "http://". $_SERVER['REMOTE_ADDR']); - curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); - curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 3); // <---- HERE - curl_setopt ($ch, CURLOPT_TIMEOUT, 5); // <---- HERE - $file_contents = curl_exec($ch); - curl_close($ch); + if ($pass === null) { + $error = "No password given."; + $errors['pass'] = "Required"; + } - if ( - stristr($file_contents, "proxy") - || stristr($file_contents, "forbidden") - || stristr($file_contents, "it works") - || stristr($file_contents, "anonymous") - || stristr($file_contents, "filter") - || stristr($file_contents, "panel") - ) { - - $adjectives = array( - "shitlord", - "shitheel", - "shitbag", - "douche", - "douchebag", - "douchenozzle", - "fuckwit", - "FUCKER", - "script-kiddie", - "dumbfuck extraordinare", - ); - - shuffle($adjectives); - - $sql -> query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Reregistering fuckwit'"); - @xk_ircsend("1|". xk(7) ."Auto-IP banned proxy-abusing $adjectives[0] with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) ." on registration. (Tried to register with username $name)"); - die("$tccell1>Thank you, $name, for registering your account.
".redirect('index.php','the board',0).$footer); + // If e-mail address is given, make sure it is an actual e-mail address + if ($email !== null && !filter_var($email, FILTER_VALIDATE_EMAIL)) { + $error = "Invalid e-mail address."; + $errors['email'] = "Invalid"; } + // Only do any of this if we don't have an issue already + if (!$error) { + // Simple check if the person in question is using some trash proxy + // or other service to get around bans ... + // Do a simple cURL request to their IP address and see if it responds. + // If it does, and contains one of the usual words, throw them out the window - $users = $sql->query('SELECT name FROM users'); - $username = substr(trim($name),0,25); - $username2 = str_replace(' ','',$username); - $username2 = str_replace(' ','',$username2); - $username2 = preg_replace("' 'si",' ',$username2); - $username2 = preg_replace("' 'si",'',$username2); - $username2 = stripslashes($username2); - print $tblstart; - $userid=-1; - while ($user=$sql->fetch($users)) { - $user[name]=str_replace(' ','',$user['name']); - $user[name]=str_replace(' ','',$user['name']); - if (strcasecmp($user[name],$username2)==0) $userid=$u; - } - $nomultis = $sql->fetchq("SELECT * FROM `users` WHERE `lastip` = '$REMOTE_ADDR'"); - // $nomultis = false; + // This used to be a surprisingly good way of catching shitters, + // and it might even still work to this day - if ($userid==-1 and $pass and $pass != "123" and $name && ( !$nomultis || $isadmin )) { - if(!mysql_num_rows($users)) $userlevel=3; - $currenttime=ctime(); - $ipaddr=getenv("REMOTE_ADDR"); + $ch = curl_init(); + curl_setopt ($ch,CURLOPT_URL, "http://". $_SERVER['REMOTE_ADDR']); + curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); + curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 3); + curl_setopt ($ch, CURLOPT_TIMEOUT, 5); + $file_contents = curl_exec($ch); + curl_close($ch); - $ircout['name'] = stripslashes($name); - $ircout['ip'] = $ipaddr; - - $sql->query("INSERT INTO `users` SET `name` = '$name', `password` = '". md5($pass) ."', `powerlevel` = '0', `postsperpage` = '20', `threadsperpage` = '50', `lastip` = '$ipaddr', `layout` = '1', `scheme` = '0', `lastactivity` = '$currenttime', `regdate` = '$currenttime'") or print mysql_error(); - $newuserid = mysql_insert_id(); - $sql->query("UPDATE users SET `password` = '".getpwhash($pass, $newuserid)."' WHERE `id` = '$newuserid'"); - - $ircout['id'] = $newuserid; - xk_ircout("user", $ircout['name'], $ircout); - - $sql->query("INSERT INTO `users_rpg` (`uid`) VALUES ('". $newuserid ."')") or print mysql_error(); - print "$tccell1>Thank you, $username, for registering your account.
".redirect('index.php','the board',0); - - } else { - - - if ($userid != -1) { - $reason = "That username is already in use."; - } elseif ($nomultis) { - $reason = "You have already registered! (here)"; - } elseif (!$username || !$password) { - $reason = "You haven't entered a username or password."; - } elseif ( - (stripos($username, '3112')) === true - || (stripos($username, '3776')) === true - || (stripos($username, '460')) + if ( + stristr($file_contents, "proxy") + || stristr($file_contents, "forbidden") + || stristr($file_contents, "it works") + || stristr($file_contents, "anonymous") + || stristr($file_contents, "filter") + || stristr($file_contents, "panel") + || stristr($file_contents, "apache") + || stristr($file_contents, "nginx") ) { - $reason = "You have entered a banned username"; - } else { - $reason = "Unknown reason."; + + // $sql -> query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Reregistering fuckwit'"); + // @xk_ircsend("1|". xk(7) ."Auto-IP banned proxy-abusing $adjectives[0] with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) ." on registration. (Tried to register with username $name)"); + + // Rather than IP banning them on principle, though, give them a message + // about why they're not allowed to register, just in case + + $error = "It appears you're trying to register through some proxy service or other anonymizing tool. +
These have often been abused to get around bans, so we don't allow registering using these. +
Try disabling it and registering again, or contact an administrator for help."; + $fatal = true; + + // die("$tccell1>Thank you, $name, for registering your account.
".redirect('index.php', 'the board',0).$footer); + } + } + + // Only do this if we have no other errors already, like the proxy check + if (!$error) { + + // Check if the username is available + // FIrst, remove all spaces and other nonsense from it + // @TODO This is really bad and should be fixed + $username = substr(trim($name), 0, 25); + $username2 = str_replace(' ', '', $username); + $username2 = str_replace(' ', '', $username2); + $username2 = preg_replace("' ?'si", '', $username2); + $username2 = stripslashes($username2); + $userid = false; + + // If 1, user will be registered as an admin. + // This is done so the first user on the board registers as an admin + $admin = 1; + + $users = $sql->query('SELECT id, name FROM users'); + while ($user = $sql->fetch($users)) { + // We found a user, so no admin for this user + $admin = 0; + $user['name'] = str_replace(' ', '', $user['name']); + $user['name'] = str_replace(' ', '', $user['name']); + if (strcasecmp($user['name'], $username2) == 0) { + $userid = $user['id']; + break; + } + } + + // Does anyone else have this IP address? If so, abort (unless they're an admin) + $nomultis = $sql->fetchq("SELECT * FROM `users` WHERE `lastip` = '". mysql_real_escape_string($_SERVER['REMOTE_ADDR']) ."'"); + + if ($userid === false && $name && $pass && (!$nomultis || $isadmin)) { + + $currenttime = ctime(); + $ipaddr = $_SERVER['REMOTE_ADDR']; + + $ircout['name'] = stripslashes($name); + $ircout['ip'] = $ipaddr; + + $succ = $sql->query(" + INSERT INTO `users` + SET + `name` = '". mysql_real_escape_string($name) ."', + ". ($email !== null ? "`email` = '". mysql_real_escape_string($email) ."'," : "") ." + `powerlevel` = '". ($admin ? 3 : 0) ."', + `postsperpage` = '20', + `threadsperpage` = '50', + `lastip` = '". mysql_real_escape_string($ipaddr) ."', + `layout` = '1', + `scheme` = '0', + `lastactivity` = '$currenttime', + `regdate` = '$currenttime' + "); + + $newuserid = mysql_insert_id(); + $sql->query("UPDATE users SET `password` = '".getpwhash($pass, $newuserid)."' WHERE `id` = '$newuserid'"); + + $ircout['id'] = $newuserid; + xk_ircout("user", $ircout['name'], $ircout); + + $sql->query("INSERT INTO `users_rpg` (`uid`) VALUES ('". $newuserid ."')") or print mysql_error(); + + print "
$tblstart$tccell1>Your new account, $name, has been registered.
".redirect('login.php', 'log in',0); + $registered = true; + + } else { + + if ($userid !== false) { + $error = "The username '". htmlspecialchars($name) ."' is already in use."; + $errors['name'] = "In use"; + + } elseif ($nomultis) { + $error = "You may have an account already as '$nomultis[name]'.
If this is incorrect, please contact an administrator."; + $fatal = true; + + } else { + $error = "Unknown reason. Please contact an administrator."; + $fatal = true; + } + } - print " - $tccell1>Couldn't register the account. $reason -
".redirect("index.php","the board",0); - } print $tblend; + + } + } + + if ($error) { + print << + $tblstart + $tccellh>Error registering account + $tccell1>$error + $tblend +HTML; + } + + + // If we didn't register and/or we don't have a fatal error, show the form + if (!$registered && !$fatal) { + $descbr="$smallfont
 "; + + $namev = htmlspecialchars($name); + $emailv = htmlspecialchars($email); + + print << +
+ $tblstart + + $tccellh colspan="2">Login information + + $tccell1>User name:$descbr The name you want to use on the board. + $tccell2l width=50%>$inpt=name size="25" maxlength="25" id="name" value="$namev"> {$errors['name']} + + $tccell1>Password:$descbr Enter any password up to 32 characters in length. It can later be changed by editing your profile. + $tccell2l width=50%>$inpp=pass size="25" maxlength="64"> {$errors['pass']} + + $tccell1>E-mail address:$descbr Your e-mail address. This will only be used for recovering your account. (optional) + $tccell2l width=50%>$inpt=email size="50" maxlength="60" value="$emailv"> {$errors['email']} + + $tccellh colspan="2">  + $tccell1> $tccell2l> + $inph=action value="Register"> + $inps=submit value="Register account"> + + +
Homepage: DO NOT FILL IN THIS FIELD. DOING SO WILL RESULT IN INSTANT IP-BAN. - $inpt=homepage SIZE=25 MAXLENGTH=255>
+ + + + + +HTML; + } print $footer;