More or less rewrite the entire registration page

- Now allows resubmitting the form if you goof
- Shows errors in a more useful format
- Accepts an email address (and validates it)
- Now has... comments

the future is now
This commit is contained in:
Xkeeper 2020-12-28 20:59:22 -08:00
parent 5529238aff
commit 8ef417bcad
No known key found for this signature in database
GPG Key ID: 397C04773ABE4045


@ -1,58 +1,73 @@
<?php
if ($_POST['action'] == "Register" && $_POST['homepage']) {
header("Location: http://acmlm.no-ip.org/board/register.php");
// If someone submits the form with the fake homepage field filled,
// just do nothing and send them off elsewhere to spam
header("Location: http://127.0.0.1");
die();
}
require 'lib/function.php';
require 'lib/layout.php';
$ipstart=substr($userip,0,6);
print $header;
if ($adminconfig['registrationdisable'])
if ($adminconfig['registrationdisable']) {
die("$tblstart<br>$tccell2>Registration is disabled. Please contact an admin if you have any questions.$tblend$footer");
if (!$_POST[action]){
$descbr="</b>$smallfont<br></center>&nbsp";
print "
<body onload=window.document.REPLIER.username.focus()>
<form ACTION=register.php NAME=REPLIER METHOD=POST>
<br>$tblstart
$tccellh colspan=2>Login information</td><tr>
$tccell1><b>User name:</b>$descbr The name you want to use on the board.</td>
$tccell2l width=50%>$inpt=name SIZE=25 MAXLENGTH=25><tr>
$tccell1><b>Password:</b>$descbr Enter any password up to 32 characters in length. It can later be changed by editing your profile.<br><br>Warning: Do <b>not</b> use unsecure passwords such as '123456', 'qwerty', or 'pokemon'. It'll result in an instant IP ban.</td>
$tccell2l width=50%>$inpp=pass SIZE=13 MAXLENGTH=64><tr>
$tccellh>&nbsp</td>$tccellh>&nbsp<tr>
$tccell1>&nbsp</td>$tccell2l>
$inph=action VALUE=\"Register\">
$inps=submit VALUE=\"Register account\"></td>
</table>
<div style='visibility: hidden;'><b>Homepage:</b><small> DO NOT FILL IN THIS FIELD. DOING SO WILL RESULT IN INSTANT IP-BAN.</small> - $inpt=homepage SIZE=25 MAXLENGTH=255></div>
</form>
";
}
// Errors for display in the registration form
$error = false;
$errors = [
'name' => "",
'pass' => "",
'email' => "",
];
// If true, won't show the form again on error
$fatal = false;
$registered = false;
$name = trim($_POST['name'] ?? "");
$pass = $_POST['pass'] ?? null;
$email = $_POST['email'] ?? null;
if ($_POST['action'] == 'Register') {
if ($_POST['name'] == "Blaster") {
$sql -> query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Idiot'");
@xk_ircsend("1|". xk(7) ."Auto-IP banned Blaster with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) ." on registration.");
die("$tccell1>Thank you, $username, for registering your account.<br>".redirect('index.php','the board',0).$footer);
if ($name === "") {
$error = "No username given.";
$errors['name'] = "Required";
}
/* do curl here */
if ($pass === null) {
$error = "No password given.";
$errors['pass'] = "Required";
}
// If e-mail address is given, make sure it is an actual e-mail address
if ($email !== null && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
$error = "Invalid e-mail address.";
$errors['email'] = "Invalid";
}
// Only do any of this if we don't have an issue already
if (!$error) {
// Simple check if the person in question is using some trash proxy
// or other service to get around bans ...
// Do a simple cURL request to their IP address and see if it responds.
// If it does, and contains one of the usual words, throw them out the window
// This used to be a surprisingly good way of catching shitters,
// and it might even still work to this day
$ch = curl_init();
curl_setopt ($ch,CURLOPT_URL, "http://". $_SERVER['REMOTE_ADDR']);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 3); // <---- HERE
curl_setopt ($ch, CURLOPT_TIMEOUT, 5); // <---- HERE
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 3);
curl_setopt ($ch, CURLOPT_TIMEOUT, 5);
$file_contents = curl_exec($ch);
curl_close($ch);
@ -63,57 +78,80 @@
|| stristr($file_contents, "anonymous")
|| stristr($file_contents, "filter")
|| stristr($file_contents, "panel")
|| stristr($file_contents, "apache")
|| stristr($file_contents, "nginx")
) {
$adjectives = array(
"shitlord",
"shitheel",
"shitbag",
"douche",
"douchebag",
"douchenozzle",
"fuckwit",
"FUCKER",
"script-kiddie",
"dumbfuck extraordinare",
);
// $sql -> query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Reregistering fuckwit'");
// @xk_ircsend("1|". xk(7) ."Auto-IP banned proxy-abusing $adjectives[0] with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) ." on registration. (Tried to register with username $name)");
shuffle($adjectives);
// Rather than IP banning them on principle, though, give them a message
// about why they're not allowed to register, just in case
$sql -> query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Reregistering fuckwit'");
@xk_ircsend("1|". xk(7) ."Auto-IP banned proxy-abusing $adjectives[0] with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) ." on registration. (Tried to register with username $name)");
die("$tccell1>Thank you, $name, for registering your account.<br>".redirect('index.php','the board',0).$footer);
$error = "It appears you're trying to register through some proxy service or other anonymizing tool.
<br>These have often been abused to get around bans, so we don't allow registering using these.
<br>Try disabling it and registering again, or contact an administrator for help.";
$fatal = true;
// die("$tccell1>Thank you, $name, for registering your account.<br>".redirect('index.php', 'the board',0).$footer);
}
}
// Only do this if we have no other errors already, like the proxy check
if (!$error) {
$users = $sql->query('SELECT name FROM users');
// Check if the username is available
// FIrst, remove all spaces and other nonsense from it
// @TODO This is really bad and should be fixed
$username = substr(trim($name), 0, 25);
$username2 = str_replace(' ', '', $username);
$username2 = str_replace(' ', '', $username2);
$username2 = preg_replace("'&nbsp;'si",'&nbsp',$username2);
$username2 = preg_replace("'&nbsp'si",'',$username2);
$username2 = preg_replace("'&nbsp;?'si", '', $username2);
$username2 = stripslashes($username2);
print $tblstart;
$userid=-1;
while ($user=$sql->fetch($users)) {
$user[name]=str_replace(' ','',$user['name']);
$user[name]=str_replace(' ','',$user['name']);
if (strcasecmp($user[name],$username2)==0) $userid=$u;
}
$nomultis = $sql->fetchq("SELECT * FROM `users` WHERE `lastip` = '$REMOTE_ADDR'");
// $nomultis = false;
$userid = false;
// If 1, user will be registered as an admin.
// This is done so the first user on the board registers as an admin
$admin = 1;
$users = $sql->query('SELECT id, name FROM users');
while ($user = $sql->fetch($users)) {
// We found a user, so no admin for this user
$admin = 0;
$user['name'] = str_replace(' ', '', $user['name']);
$user['name'] = str_replace(' ', '', $user['name']);
if (strcasecmp($user['name'], $username2) == 0) {
$userid = $user['id'];
break;
}
}
// Does anyone else have this IP address? If so, abort (unless they're an admin)
$nomultis = $sql->fetchq("SELECT * FROM `users` WHERE `lastip` = '". mysql_real_escape_string($_SERVER['REMOTE_ADDR']) ."'");
if ($userid === false && $name && $pass && (!$nomultis || $isadmin)) {
if ($userid==-1 and $pass and $pass != "123" and $name && ( !$nomultis || $isadmin )) {
if(!mysql_num_rows($users)) $userlevel=3;
$currenttime = ctime();
$ipaddr=getenv("REMOTE_ADDR");
$ipaddr = $_SERVER['REMOTE_ADDR'];
$ircout['name'] = stripslashes($name);
$ircout['ip'] = $ipaddr;
$sql->query("INSERT INTO `users` SET `name` = '$name', `password` = '". md5($pass) ."', `powerlevel` = '0', `postsperpage` = '20', `threadsperpage` = '50', `lastip` = '$ipaddr', `layout` = '1', `scheme` = '0', `lastactivity` = '$currenttime', `regdate` = '$currenttime'") or print mysql_error();
$succ = $sql->query("
INSERT INTO `users`
SET
`name` = '". mysql_real_escape_string($name) ."',
". ($email !== null ? "`email` = '". mysql_real_escape_string($email) ."'," : "") ."
`powerlevel` = '". ($admin ? 3 : 0) ."',
`postsperpage` = '20',
`threadsperpage` = '50',
`lastip` = '". mysql_real_escape_string($ipaddr) ."',
`layout` = '1',
`scheme` = '0',
`lastactivity` = '$currenttime',
`regdate` = '$currenttime'
");
$newuserid = mysql_insert_id();
$sql->query("UPDATE users SET `password` = '".getpwhash($pass, $newuserid)."' WHERE `id` = '$newuserid'");
@ -121,32 +159,83 @@
xk_ircout("user", $ircout['name'], $ircout);
$sql->query("INSERT INTO `users_rpg` (`uid`) VALUES ('". $newuserid ."')") or print mysql_error();
print "$tccell1>Thank you, $username, for registering your account.<br>".redirect('index.php','the board',0);
print "<br>$tblstart$tccell1>Your new account, $name, has been registered.<br>".redirect('login.php', 'log in',0);
$registered = true;
} else {
if ($userid !== false) {
$error = "The username '". htmlspecialchars($name) ."' is already <a href='profile.php?id=$userid'>in use</a>.";
$errors['name'] = "In use";
if ($userid != -1) {
$reason = "That username is already in use.";
} elseif ($nomultis) {
$reason = "You have already registered! (<a href=profile.php?id=$nomultis[id]>here</a>)";
} elseif (!$username || !$password) {
$reason = "You haven't entered a username or password.";
} elseif (
(stripos($username, '3112')) === true
|| (stripos($username, '3776')) === true
|| (stripos($username, '460'))
) {
$reason = "You have entered a banned username";
$error = "You may have an account already as '<a href=profile.php?id=$nomultis[id]>$nomultis[name]</a>'.<br>If this is incorrect, please contact an administrator.";
$fatal = true;
} else {
$reason = "Unknown reason.";
$error = "Unknown reason. Please contact an administrator.";
$fatal = true;
}
print "
$tccell1>Couldn't register the account. $reason
<br>".redirect("index.php","the board",0);
}
print $tblend;
}
}
if ($error) {
print <<<HTML
<br>
$tblstart
<tr>$tccellh>Error registering account</td>
<tr>$tccell1>$error
$tblend
HTML;
}
// If we didn't register and/or we don't have a fatal error, show the form
if (!$registered && !$fatal) {
$descbr="</b>$smallfont<br></center>&nbsp";
$namev = htmlspecialchars($name);
$emailv = htmlspecialchars($email);
print <<<HTML
<form action="register.php" method="post">
<br>
$tblstart
$tccellh colspan="2">Login information</td>
<tr>
$tccell1><b>User name:</b>$descbr The name you want to use on the board.</td>
$tccell2l width=50%>$inpt=name size="25" maxlength="25" id="name" value="$namev"> {$errors['name']}
<tr>
$tccell1><b>Password:</b>$descbr Enter any password up to 32 characters in length. It can later be changed by editing your profile.</td>
$tccell2l width=50%>$inpp=pass size="25" maxlength="64"> {$errors['pass']}
<tr>
$tccell1><b>E-mail address:</b>$descbr Your e-mail address. This will only be used for recovering your account. (optional)</td>
$tccell2l width=50%>$inpt=email size="50" maxlength="60" value="$emailv"> {$errors['email']}
<tr>
$tccellh colspan="2">&nbsp;<tr>
$tccell1>&nbsp;</td>$tccell2l>
$inph=action value="Register">
$inps=submit value="Register account"></td>
</table>
<div style='visibility: hidden;'><b>Homepage:</b><small> DO NOT FILL IN THIS FIELD. DOING SO WILL RESULT IN INSTANT IP-BAN.</small> - $inpt=homepage SIZE=25 MAXLENGTH=255></div>
</form>
<script>
document.getElementById("name").focus();
</script>
HTML;
}
print $footer;
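Review bot: The `?? null` defaults for `$pass` and `$email` never see an absent field when the new form is submitted, because an untouched input posts as `""`, so a blank e-mail now fails the `filter_var(..., FILTER_VALIDATE_EMAIL)` check and reports "Invalid e-mail address." even though the field is labelled optional, and a blank password skips the `$pass === null` "No password given." check and falls through to the "Unknown reason. Please contact an administrator." fatal branch. Normalising empty strings to null at the top fixes both: `$pass = ($_POST['pass'] ?? '') === '' ? null : $_POST['pass'];` and `$email = trim($_POST['email'] ?? '') === '' ? null : trim($_POST['email']);`. Separately, the "You may have an account already" message interpolates `$nomultis[name]` straight from the database into HTML, whereas the "already in use" message passes the submitted name through `htmlspecialchars()`; wrapping the stored name the same way keeps the two error paths consistent.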