From a728c19adefed08c6487b83d43876edc4873b923 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Wed, 4 Nov 2020 13:23:27 +0100 Subject: [PATCH] Continued: - // END - foo was an old tradition, let's dump this - also !function_exists('foo') was old here, the lib file should be loaded only once MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Roland Häder --- ctracker.php | 2 +- libs/lib_connect.php | 95 ++++++++------ libs/lib_detector.php | 7 +- libs/lib_general.php | 128 +++++++++---------- libs/lib_updates.php | 2 +- libs/templates/add_ticket.tpl.php | 2 +- libs/templates/de/add_ticket_missing.tpl.php | 4 +- libs/templates/en/add_ticket_missing.tpl.php | 4 +- 8 files changed, 129 insertions(+), 115 deletions(-) diff --git a/ctracker.php b/ctracker.php index 736c336..7957079 100644 --- a/ctracker.php +++ b/ctracker.php @@ -61,7 +61,7 @@ if (!crackerTrackerIsConsole() && isCrackerTrackerWormDetected()) { } elseif (!crackerTrackerIsConsole() && getCrackerTrackerConfig('ctracker_alert_user') == 'Y' && isCrackerTrackerIpSuspicious()) { // This IP is suspicious, so we alert him/her crackerTrackerAlertCurrentUser(); -} // END - if +} // Close any open database links crackerTrackerCloseDatabaseLink(); diff --git a/libs/lib_connect.php b/libs/lib_connect.php index 56f44b6..9f90c5c 100644 --- a/libs/lib_connect.php +++ b/libs/lib_connect.php @@ -36,7 +36,7 @@ function aquireCrackerTrackerDatabaseLink () { } elseif (isCrackerTrackerTableCreated('ctracker_config')) { // Load the config crackerTrackerLoadConfig(); - } // END - if + } } else { // Init fake config crackerTrackerInitFakeConfig(); @@ -78,7 +78,7 @@ function crackerTrackerDatabaseError ($F, $L) { print 'No MySQLi available.
'; } print 'Last SQL : '. $GLOBALS['ctracker_last_sql'] . '
'; - } // END - if + } // Currently only die here crackerTrackerDie(); @@ -86,34 +86,32 @@ function crackerTrackerDatabaseError ($F, $L) { // Closes a maybe open database link function crackerTrackerCloseDatabaseLink () { - // Is the link up? - if (isCrackerTrackerDatabaseLinkUp()) { - // Did it work? - if (!mysqli_close($GLOBALS['ctracker_link'])) { - // Attempt has failed - crackerTrackerDatabaseError(__FUNCTION__, __LINE__); - } // END - if - } // END - if + // The link should be up here + if (!isCrackerTrackerDatabaseLinkUp()) { + // Throw exception + throw new BadFunctionCallException('Link is not up.'); + } + + // Did it work? + if (!mysqli_close($GLOBALS['ctracker_link'])) { + // Attempt has failed + crackerTrackerDatabaseError(__FUNCTION__, __LINE__); + } } // Inserts given array, if IP/check_get combination was not found function crackerTrackerInsertArray ($table, array $rowData) { - // Is there a link up? - if (!isCrackerTrackerDatabaseLinkUp()) { - // Abort silently here - return FALSE; - } // END - if - // Is it found? if (!isCrackerTrackerEntryFound($rowData)) { - // Prepare SQL - $sqlString = 'INSERT INTO `' . $table . '` (`' . implode('`,`', array_keys($rowData)) . '`) VALUES(' . implode_secure($rowData) . ')'; - // Reset insert id $GLOBALS['ctracker_last_insert_id'] = FALSE; // Run it - runCrackerTrackerSql($sqlString, __FUNCTION__, __LINE__); + runCrackerTrackerSql(sprintf("INSERT INTO `%s` (`%s`) VALUES(%s)", + $table, + implode('`,`', array_keys($rowData)), + implode_secure($rowData) + ), __FUNCTION__, __LINE__); // Remember the last insert id $GLOBALS['ctracker_last_insert_id'] = mysqli_insert_id($GLOBALS['ctracker_link']) or crackerTrackerDatabaseError(__FUNCTION__, __LINE__); 
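Review bot: crackerTrackerCloseDatabaseLink now throws BadFunctionCallException when no link is up, but ctracker.php (first hunk of this patch) still calls it unconditionally after the console/alert branches, and the function's own header comment still says it closes a "maybe open" link; on the fake-config path where no link was ever acquired this becomes an uncaught exception at shutdown. Either keep an early `return;` for the not-up case, or guard the call site with `if (isCrackerTrackerDatabaseLinkUp()) { crackerTrackerCloseDatabaseLink(); }` and reword the comment to match. The same hunk drops the link check from crackerTrackerInsertArray, which previously returned FALSE silently and now relies on isCrackerTrackerEntryFound (next hunk) to throw instead; callers in lib_detector such as crackerTrackerLogAttack are not adapted in this patch, so that change in contract should be documented on the function or handled there.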
@@ -125,20 +123,39 @@ function crackerTrackerInsertArray ($table, array $rowData) { // Updates a given entry by just counting it up function updateCrackerTrackerEntry (array $rowData, $countColumn = 'count') { - // Construct the SELECT query - $sqlString = 'UPDATE `ctracker_data` SET `' . $countColumn . '`=`' . $countColumn . '`+1 WHERE (`remote_addr`="' . crackerTrackerEscapeString($rowData['remote_addr']) . '" AND `proxy_addr`="' . crackerTrackerEscapeString($rowData['proxy_addr']) . '") LIMIT 1'; + // The link should be up here + if (!isCrackerTrackerDatabaseLinkUp()) { + // Throw exception + throw new BadFunctionCallException('Link is not up.'); + } // Run the SQL and check if we have one line - runCrackerTrackerSql($sqlString, __FUNCTION__, __LINE__); + runCrackerTrackerSql(sprintf("UPDATE `ctracker_data` SET `%s`=`%s`+1 WHERE (`remote_addr`='%s' AND `proxy_addr`=' . ') LIMIT 1", + $countColumn, + $countColumn, + crackerTrackerEscapeString($rowData['remote_addr']), + crackerTrackerEscapeString($rowData['proxy_addr']) + ), __FUNCTION__, __LINE__); } // Checks if an entry with IP/check_get/domain combination is there function isCrackerTrackerEntryFound (array $rowData) { - // Construct the SELECT query - $sqlString = 'SELECT `id` FROM `ctracker_data` WHERE (`remote_addr`="' . crackerTrackerEscapeString($rowData['remote_addr']) . '" OR `proxy_addr`="' . crackerTrackerEscapeString($rowData['proxy_addr']) . '") AND `check_get` = "' . crackerTrackerEscapeString($rowData['check_get']) . '" AND `server_name`="' . crackerTrackerEscapeString($rowData['server_name']) . 
'" LIMIT 1'; + // The link should be up here + if (!isCrackerTrackerDatabaseLinkUp()) { + // Throw exception + throw new BadFunctionCallException('Link is not up.'); + } // Run the SQL and check if we have one line - return ((isCrackerTrackerDatabaseLinkUp()) && (mysqli_num_rows(runCrackerTrackerSql($sqlString, __FUNCTION__, __LINE__)) == 1)); + $result = runCrackerTrackerSql(sprintf("SELECT `id` FROM `ctracker_data` WHERE (`remote_addr`='%s' OR `proxy_addr`='%s') AND `check_get` = '%s' AND `server_name`='%s' LIMIT 1'", + crackerTrackerEscapeString($rowData['remote_addr']), + crackerTrackerEscapeString($rowData['proxy_addr']), + crackerTrackerEscapeString($rowData['check_get']), + crackerTrackerEscapeString($rowData['server_name']) + ), __FUNCTION__, __LINE__); + + // Check count of rows + return (mysqli_num_rows($result) == 1); } // Escapes the string @@ -157,7 +174,7 @@ function crackerTrackerEscapeString ($string) { // Return the secured string return $string; -} // END - if +} // Runs an SQL query and checks for errors function runCrackerTrackerSql ($sqlString, $function, $line) { @@ -165,7 +182,7 @@ function runCrackerTrackerSql ($sqlString, $function, $line) { if (!isCrackerTrackerDatabaseLinkUp()) { // Abort here crackerTrackerDie(); - } // END - if + } // Remember last SQL $GLOBALS['ctracker_last_sql'] = $sqlString; @@ -195,8 +212,8 @@ function isCrackerTrackerTableCreated ($table) { // Okay, found. So abort $found = TRUE; break; - } // END - if - } // END - if + } + } // Free result freeCrackerTrackerResult($result); @@ -217,7 +234,7 @@ function crackerTrackerCreateTable ($table, array $columns, array $keys) { foreach ($columns as $column=>$type) { // Add this entry $sqlString .= '`' . $column . '` ' . $type . ', '; - } // END - foreach + } // Add table name as primary key $sqlString .= 'PRIMARY KEY (`' . $table . '`), '; 
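Review bot: The new UPDATE format string in updateCrackerTrackerEntry no longer binds the escaped proxy address: the fragment proxy_addr=' . ' is literal text, so sprintf receives four arguments for three placeholders and the row is matched against the string " . " instead of $rowData['proxy_addr']; it should read `AND \`proxy_addr\`='%s') LIMIT 1`. The SELECT in isCrackerTrackerEntryFound in the same hunk ends with `LIMIT 1'"` — a stray single quote after LIMIT 1 — which is a SQL syntax error, so every insert that goes through this existence check will fail; drop the trailing quote. Both functions also switch from returning FALSE to throwing BadFunctionCallException when no link is up, which is inconsistent with isCrackerTrackerIpSuspicious and crackerTrackerUpdateDatabaseScheme later in this file, which still return silently; picking one convention and noting it in each header comment would avoid surprising callers.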
@@ -226,7 +243,7 @@ function crackerTrackerCreateTable ($table, array $columns, array $keys) { foreach ($keys as $key=>$type) { // Add this entry $sqlString .= '' . $type . ' (`' . $key . '`), '; - } // END - foreach + } // Finish SQL $sqlString = substr($sqlString, 0, -2) . ') TYPE=InnoDB'; @@ -247,7 +264,7 @@ function crackerTrackerUpdateDatabaseScheme () { if (!isCrackerTrackerDatabaseLinkUp()) { // Abort here silently return; - } // END - if + } // Is the main config table there? if (!isCrackerTrackerTableCreated('ctracker_config')) { @@ -262,7 +279,7 @@ function crackerTrackerUpdateDatabaseScheme () { // Init that table crackerTrackerInitTable('ctracker_config'); - } // END - if + } // Init update array here crackerTrackerInitUpdates(); @@ -277,7 +294,7 @@ function crackerTrackerUpdateDatabaseScheme () { // And count it up in the config array $GLOBALS['ctracker_config']['ctracker_db_version']++; - } // END - if + } } // Load the configuration @@ -304,7 +321,7 @@ function getCrackerTrackerConfig ($entry) { // die() on production systems die(); } - } // END - if + } // Return it return $GLOBALS['ctracker_config'][$entry]; @@ -316,7 +333,7 @@ function isCrackerTrackerIpSuspicious () { if (!isCrackerTrackerDatabaseLinkUp()) { // Skip this step silently, all is not suspicious return FALSE; - } // END - if + } // Check if an entry is there $result = runCrackerTrackerSql("SELECT COUNT(`id`) AS `cnt` FROM `ctracker_data` USE INDEX (`remote_proxy_last`) WHERE `remote_addr`='" . determineCrackerTrackerRealRemoteAddress() . "' OR `proxy_addr`='" . getenv('REMOTE_ADDR') . "' LIMIT 1", __FUNCTION__, __LINE__); @@ -334,7 +351,7 @@ function isCrackerTrackerIpSuspicious () { // Cache the entry $GLOBALS['ctracker_last_suspicious_entry'] = mysqli_fetch_array($result); - } // END - if + } // Free result freeCrackerTrackerResult($result); 
@@ -355,7 +372,7 @@ function ifCrackerTrackerIpHasTicket () { if ($found === TRUE) { // Cache the ticket data $GLOBALS['ctracker_last_ticket'] = mysqli_fetch_array($result); - } // END - if + } // Free result freeCrackerTrackerResult($result); diff --git a/libs/lib_detector.php b/libs/lib_detector.php index 400c05f..65062c7 100644 --- a/libs/lib_detector.php +++ b/libs/lib_detector.php @@ -388,7 +388,7 @@ function crackerTrackerDie () { if (!isCrackerTrackerDebug()) { // Sleep a little to waste the attacker's time sleep(mt_rand(10,30)); - } // END - if + } // Bye, bye... if (isCrackerTrackerDebug()) { @@ -414,7 +414,7 @@ function crackerTrackerLogAttack () { if (isCrackerTrackerProxyUsed()) { // Set it $proxyUsed = 'Y'; - } // END - if + } // Prepare array for database insert $rowData = [ @@ -438,6 +438,7 @@ function crackerTrackerLogAttack () { crackerTrackerInsertArray('ctracker_data', $rowData); } +// Increases count of spam-bot accesses for the current IP function ctrackerIncreaseAntiSpambotCount () { // Init row data $rowData = [ @@ -473,7 +474,7 @@ function crackerTrackerAlertCurrentUser () { // Display the form for new ticket crackerTrackerLoadTemplate('add_ticket'); } - } // END - if + } // And stop here die(); diff --git a/libs/lib_general.php b/libs/lib_general.php index 0b1a8fd..55a0fde 100644 --- a/libs/lib_general.php +++ b/libs/lib_general.php 
@@ -22,56 +22,52 @@ * along with this program. If not, see . */ -if (!function_exists('implode_r')) { - // Implode recursive a multi-dimension array, taken from www.php.net - function implode_r ($glue, $array, $array_name = NULL) { - $return = []; - while (list($key,$value) = @each($array)) { - if (is_array($value)) { - // Is an array again, so call recursive - $return[] = implode_r($glue, $value, (string) $key); +// Implode recursive a multi-dimension array, taken from www.php.net +function implode_r ($glue, $array, $array_name = NULL) { + $return = []; + while (list($key,$value) = @each($array)) { + if (is_array($value)) { + // Is an array again, so call recursive + $return[] = implode_r($glue, $value, (string) $key); + } else { + if ($array_name != NULL) { + $return[] = $array_name . '[' . (string) $key . ']=' . $value . "\n"; } else { - if ($array_name != NULL) { - $return[] = $array_name . '[' . (string) $key . ']=' . $value . "\n"; - } else { - $return[] = $key . '=' . $value."\n"; - } + $return[] = $key . '=' . $value."\n"; } - } // END - while - - // Return resulting array - return implode($glue, $return); - } // END - function -} // END - if - -if (!function_exists('implode_secure')) { - // Implode a simple array with a 'call-back' to our escaper function - function implode_secure (array $array) { - // Return string - $return = ''; - - // Implode all data - foreach ($array as $entry) { - // Don't escape some - if (in_array($entry, array('NOW()'))) { - // Add it with non-string glue - $return .= $entry . ','; - } elseif (empty($entry)) { - // Empty strings need no escaping - $return .= '"",'; - } else { - // Secure this string and add it - $return .= '"' . crackerTrackerEscapeString($entry) . 
'",'; - } - } // END - foreach + } + } + + // Return resulting array + return implode($glue, $return); +} + +// Implode a simple array with a 'call-back' to our escaper function +function implode_secure (array $array) { + // Return string + $return = ''; + + // Implode all data + foreach ($array as $entry) { + // Don't escape some + if (in_array($entry, array('NOW()'))) { + // Add it with non-string glue + $return .= $entry . ','; + } elseif (empty($entry)) { + // Empty strings need no escaping + $return .= '"",'; + } else { + // Secure this string and add it + $return .= '"' . crackerTrackerEscapeString($entry) . '",'; + } + } - // Remove last char - $return = substr($return, 0, -1); + // Remove last char + $return = substr($return, 0, -1); - // Return this string - return $return; - } // END - function -} // END - if + // Return this string + return $return; +} // Load configuration, if found function crackerTrackerLoadConfiguration () { @@ -82,7 +78,7 @@ function crackerTrackerLoadConfiguration () { if (!isCrackerTrackerFileFound($fqfn)) { // No config file found die(__FUNCTION__.': No configuration file found.'); - } // END - if + } // Load it require $fqfn; @@ -151,13 +147,13 @@ function crackerTrackerUserAgent ($sanitize = FALSE) { if (isset($_SERVER['HTTP_USER_AGENT'])) { // Then use it securely $ua = crackerTrackerSecureString(urldecode($_SERVER['HTTP_USER_AGENT'])); - } // END - if + } // Sanitize it? if ($sanitize === TRUE) { // Sanitize ... $ua = crackerTrackerSanitize($ua); - } // END - if + } // Return it return $ua; @@ -172,13 +168,13 @@ function crackerTrackerScriptName ($sanitize = FALSE) { if (!empty($_SERVER['SCRIPT_NAME'])) { // Return NULL $scriptName = crackerTrackerSecureString($_SERVER['SCRIPT_NAME']); - } // END - if + } // Sanitize it? if ($sanitize === TRUE) { // Sanitize ... $scriptName = crackerTrackerSanitize($scriptName); - } // END - if + } // Return return $scriptName; 
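Review bot: implode_r keeps `while (list($key,$value) = @each($array)) {` on the new side; each() has been deprecated since PHP 7.2 and is removed in 8.0, so this function fatals there, and the `@` only hides the deprecation notice until then. A `foreach ($array as $key => $value) {` loop is a drop-in replacement with the same iteration order. In implode_secure, `in_array($entry, array('NOW()'))` compares loosely, so a boolean true entry matches 'NOW()' and is appended unquoted and unescaped; pass `true` as the third argument so only the literal string bypasses the escaper. Dropping the function_exists guards also means a second require of this file is a fatal redeclaration, so the loader presumably needs require_once — worth confirming since the loader is not in this patch.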
@@ -202,7 +198,7 @@ function crackerTrackerQueryString ($sanitize = FALSE) { if ((!empty($query)) && ($sanitize === TRUE)) { // Sanitize ... $query = crackerTrackerSanitize($query); - } // END - if + } // Return it return $query; @@ -217,13 +213,13 @@ function crackerTrackerServerName ($sanitize = FALSE) { if (!empty($_SERVER['SERVER_NAME'])) { // Return NULL $serverName = crackerTrackerSecureString($_SERVER['SERVER_NAME']); - } // END - if + } // Sanitize it? if ($sanitize === TRUE) { // Sanitize ... $serverName = crackerTrackerSanitize($serverName); - } // END - if + } // Return it return $serverName; @@ -238,13 +234,13 @@ function crackerTrackerReferer ($sanitize = FALSE) { if (!empty($_SERVER['HTTP_REFERER'])) { // Then use it securely $referer = crackerTrackerSecureString(urldecode($_SERVER['HTTP_REFERER'])); - } // END - if + } // Sanitize it? if ($sanitize === TRUE) { // Sanitize ... $referer = crackerTrackerSanitize($referer); - } // END - if + } // Return it return $referer; @@ -259,7 +255,7 @@ function crackerTrackerRequestMethod () { if (!empty($_SERVER['REQUEST_METHOD'])) { // Then use it $method = $_SERVER['REQUEST_METHOD']; - } // END - if + } // Return it return $method; @@ -359,9 +355,9 @@ function crackerTrackerLanguage () { // Use this language/weight instead $GLOBALS['ctracker_language'] = $langArray[0]; $weight = $langArray[1]; - } // END - if - } // END - foreach - } // END - if + } + } + } // Construct FQFN $FQFN = sprintf('%s/libs/language/%s.php', @@ -376,7 +372,7 @@ function crackerTrackerLanguage () { // Construct FQFN again $FQFN = sprintf('%s/libs/language/en.php', $GLOBALS['ctracker_base_path']); - } // END - if + } // Load the language file require($FQFN); @@ -420,7 +416,7 @@ function getCrackerTrackerLocalized ($message) { if (isset($GLOBALS['ctracker_localized'][$message])) { // Use this instead $output = $GLOBALS['ctracker_localized'][$message]; - } // END - if + } // Return it return $output; 
@@ -450,7 +446,7 @@ function crackerTrackerCompileCode ($code) { // $content $code = str_replace($match, "\" . \$content['" . $matches[4][$key] . "'] . \"", $code); } - } // END - foreach + } // Return it return $code; @@ -465,7 +461,7 @@ function getCrackerTrackerLanguage ($lang = NULL) { if (!is_null($lang)) { // Then use this instead $language = $lang; - } // END - if + } // Return it return $language; @@ -480,7 +476,7 @@ function getCrackerTrackerTicketId () { if (isset($GLOBALS['ctracker_last_ticket']['ctracker_ticket'])) { // Then use it $id = $GLOBALS['ctracker_last_ticket']['ctracker_ticket']; - } // END - if + } // Return the number return $id; @@ -585,7 +581,7 @@ function unsetCtrackerData () { ) as $key) { // Unset it unset($GLOBALS[$key]); - } // END - foreach + } } // Sanitizes string diff --git a/libs/lib_updates.php b/libs/lib_updates.php index bf84dca..df87a9c 100644 --- a/libs/lib_updates.php +++ b/libs/lib_updates.php @@ -144,5 +144,5 @@ function runCrackerTrackerUpdates ($update) { foreach ($GLOBALS['ctracker_updates'][$update] as $sql) { // Run the SQL command runCrackerTrackerSql($sql, __FUNCTION__, __LINE__); - } // END - foreach + } } diff --git a/libs/templates/add_ticket.tpl.php b/libs/templates/add_ticket.tpl.php index a46354f..80bd833 100644 --- a/libs/templates/add_ticket.tpl.php +++ b/libs/templates/add_ticket.tpl.php @@ -29,7 +29,7 @@ crackerTrackerLoadTemplate('page_header'); if (isset($_POST['ctracker_add_ticket'])) { // Output messages crackerTrackerLoadLocalizedTemplate('add_ticket_missing'); -} // END - if +} // Load form crackerTrackerLoadLocalizedTemplate('add_ticket_form'); diff --git a/libs/templates/de/add_ticket_missing.tpl.php b/libs/templates/de/add_ticket_missing.tpl.php index 990011b..f0d2c5b 100644 --- a/libs/templates/de/add_ticket_missing.tpl.php +++ b/libs/templates/de/add_ticket_missing.tpl.php @@ -11,7 +11,7 @@ if (empty($_POST['name'])) { print '
'; crackerTrackerOutputLocalized('add_ticket_name_missing'); print '
'; -} // END - if +} // Field 'name not filled out? if (empty($_POST['name'])) { @@ -19,6 +19,6 @@ if (empty($_POST['name'])) { print '
'; crackerTrackerOutputLocalized('add_ticket_email_missing'); print '
'; -} // END - if +} ?> diff --git a/libs/templates/en/add_ticket_missing.tpl.php b/libs/templates/en/add_ticket_missing.tpl.php index 6dd0b43..8abd278 100644 --- a/libs/templates/en/add_ticket_missing.tpl.php +++ b/libs/templates/en/add_ticket_missing.tpl.php @@ -11,7 +11,7 @@ if (empty($_POST['name'])) { print '
'; crackerTrackerOutputLocalized('add_ticket_name_missing'); print '
';
-} // END - if
+}
 
 // Field 'name not filled out?
 if (empty($_POST['name'])) {
@@ -19,6 +19,6 @@ if (empty($_POST['name'])) {
 	print '
'; crackerTrackerOutputLocalized('add_ticket_email_missing'); print '
';
-} // END - if
+}
 ?>
 
-- 2.39.5