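<?php
// create.php - create a new package, or modify one owned by the logged-in user.
//
// POST: validates the form fields and the upload, writes the packages row and
//       stores the uploaded file as "<name>.dat", then redirects to administer.php.
//       On any validation or write failure the form is re-rendered with messages.
// GET:  renders an empty form ("create") or a form pre-filled from the database
//       ("modify", restricted to packages whose author is the current user).
include 'auth.php';
require_once 'config.php';

// Read a request field as a string. Missing or non-string (array) fields become
// "" so a partial or tampered form does not raise notices or type errors.
function request_field(array $source, $key)
{
    return isset($source[$key]) && is_string($source[$key]) ? $source[$key] : '';
}

// Escape a value for HTML element content and attribute values.
function html_escape($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stop on a database failure: the driver message goes to the server log, the
// user only sees a generic message.
function fail_with_db_error($con, $context)
{
    error_log('create.php: ' . $context . ': ' . mysqli_error($con));
    echo "Database error. Please try again or contact the administrator.";
    exit;
}

$name_valid = true;
$version_valid = true;
$description_valid = true;
$file_valid = true;
$db_success = true;
$move_success = true;

$con = mysqli_connect($sql_server, $sql_user, $sql_pass, $sql_database);
if (mysqli_connect_errno()) {
    error_log('create.php: MySQL connection failed: ' . mysqli_connect_error());
    echo "Failed to connect to MySQL. Please contact the administrator.";
    exit;
}

$method = isset($_SERVER["REQUEST_METHOD"]) ? $_SERVER["REQUEST_METHOD"] : "GET";
// "create" or "modify"; anything else is rejected when a POST is processed.
$mode_value = request_field($method == "POST" ? $_POST : $_GET, "mode");
$extension = '';

if ($method == "POST") {
    $name = request_field($_POST, "name");
    $version = request_field($_POST, "version");
    $description = request_field($_POST, "description");

    // The D modifier makes "$" match only at the very end of the string, so a
    // trailing newline cannot pass validation and end up in the stored file name.
    if (!(strlen($name) > 0 && strlen($name) < 50 && preg_match("/^\w+$/D", $name) == 1)) {
        $name_valid = false;
    }
    if (!(strlen($version) > 0 && strlen($version) < 15 && preg_match("/^\d+\.\d+\.\d+$/D", $version) == 1)) {
        $version_valid = false;
    }
    if (!(strlen($description) > 0 && strlen($description) < 120)) {
        $description_valid = false;
    }
    if ($mode_value != "create" && $mode_value != "modify") {
        $name_valid = false;
    }

    // A missing or failed upload reports size 0 and would otherwise satisfy the
    // size limit, so the upload status is checked before anything else.
    $upload = isset($_FILES["file"]) && is_array($_FILES["file"]) ? $_FILES["file"] : null;
    $upload_ok = $upload !== null
        && isset($upload["error"]) && $upload["error"] === UPLOAD_ERR_OK
        && isset($upload["tmp_name"]) && is_uploaded_file($upload["tmp_name"]);
    if ($upload_ok) {
        // pathinfo() yields "" for a name without a dot, where the previous
        // strrpos()/substr() combination returned most of the file name.
        $extension = pathinfo($upload["name"], PATHINFO_EXTENSION);
        // The MIME type is supplied by the client and is advisory only; the
        // extension whitelist and the fixed ".dat" storage name are the real guards.
        $mimetype = isset($upload["type"]) ? $upload["type"] : '';
        $file_valid = ($extension == "xml" || $extension == "mpackage" || $extension == "zip")
            && $upload["size"] < 20000000
            && ($mimetype == "application/octet-stream" || $mimetype == "text/xml" || $mimetype == "application/zip");
    } else {
        $file_valid = false;
    }

    if ($name_valid && $version_valid && $description_valid && $file_valid) {
        // Ownership check: "modify" requires a package with this name owned by the
        // current user, "create" requires the name to be unused by anyone. The
        // UPDATE below repeats the author condition so check and write agree.
        $lookup_sql = $mode_value == "modify"
            ? "SELECT count(*) FROM packages WHERE name = ? AND author = ?"
            : "SELECT count(*) FROM packages WHERE name = ?";
        $stmt = mysqli_prepare($con, $lookup_sql);
        if (!$stmt) {
            fail_with_db_error($con, 'preparing package lookup');
        }
        if ($mode_value == "modify") {
            mysqli_stmt_bind_param($stmt, "ss", $name, $_SESSION["username"]);
        } else {
            mysqli_stmt_bind_param($stmt, "s", $name);
        }
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $count);
        mysqli_stmt_fetch($stmt);
        mysqli_stmt_close($stmt);

        $expected_count = $mode_value == "modify" ? 1 : 0;
        if ((int) $count !== $expected_count) {
            $name_valid = false;
        } else {
            // Both statements take (version, description, extension, name, author)
            // in this order so a single bind call serves either mode.
            $write_sql = $mode_value == "modify"
                ? "UPDATE packages SET version = ?, description = ?, extension = ? WHERE name = ? AND author = ?"
                : "INSERT INTO packages (version, description, extension, name, author) VALUES (?, ?, ?, ?, ?)";
            $stmt = mysqli_prepare($con, $write_sql);
            if (!$stmt) {
                // The original passed the false result to mysqli_stmt_errno(); the
                // connection carries the error for a failed prepare.
                fail_with_db_error($con, 'preparing package write');
            }
            mysqli_stmt_bind_param($stmt, "sssss", $version, $description, $extension, $name, $_SESSION["username"]);
            $db_success = mysqli_stmt_execute($stmt);
            if (!$db_success) {
                error_log('create.php: package write failed: ' . mysqli_stmt_error($stmt));
            }
            mysqli_stmt_close($stmt);
            if ($db_success) {
                // $name matched /^\w+$/D above, so the destination cannot contain a
                // path separator or a dot; the file is always stored as <name>.dat.
                $move_success = move_uploaded_file($upload["tmp_name"], $name . ".dat");
            }
        }
    }

    if ($name_valid && $version_valid && $description_valid && $file_valid && $db_success && $move_success) {
        // 303 only exists in HTTP/1.1; older clients get PHP's default 302. A
        // relative Location avoids rebuilding the URL from the Host header.
        $status = (isset($_SERVER['SERVER_PROTOCOL']) && $_SERVER['SERVER_PROTOCOL'] == 'HTTP/1.1') ? 303 : 302;
        header('Location: administer.php', true, $status);
        exit;
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Restricted access</title>
</head>
<body>
<?php
$name_value = '';
$version_value = null;
$description_value = '';

if ($method == "POST") {
    if (!$db_success) {
        echo "Database error. Please try again or contact the administrator.";
    } elseif (!$move_success) {
        echo "Error while creating the file. Please try again or contact the administrator.";
    }
    // Re-populate the form with the submitted values so the user can correct them.
    $name_value = request_field($_POST, "name");
    $version_value = request_field($_POST, "version");
    $description_value = request_field($_POST, "description");
}

if ($method == "GET" && $mode_value == "modify") {
    $name_value = request_field($_GET, "name");
    // Only the current user's own packages can be loaded for editing.
    $stmt = mysqli_prepare($con, "SELECT version, description FROM packages WHERE name = ? AND author = ?");
    if (!$stmt) {
        fail_with_db_error($con, 'preparing package load');
    }
    mysqli_stmt_bind_param($stmt, "ss", $name_value, $_SESSION["username"]);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    // mysqli_bind_result() was removed in PHP 5.4; mysqli_stmt_bind_result() is
    // the supported name.
    mysqli_stmt_bind_result($stmt, $version_value, $description_value);
    if (mysqli_stmt_num_rows($stmt) == 1) {
        mysqli_stmt_fetch($stmt);
        mysqli_stmt_free_result($stmt);
        mysqli_stmt_close($stmt);
    } else {
        mysqli_stmt_free_result($stmt);
        mysqli_stmt_close($stmt);
        echo "Unexpected number of results retrieved. Please contact the administrator.";
        exit;
    }
}

// Default version for a fresh form. The value loaded from the database must
// survive here; the previous isset($_POST["version"]) test reset it to 1.0.0 on
// every GET, which broke the pre-filled "modify" form.
if ($version_value === null) {
    $version_value = "1.0.0";
}
?>
<form action="create.php" method="post" enctype="multipart/form-data">
<table>
<tr>
<td>Package name:</td><td><input name="name" type="text" value="<?php echo html_escape($name_value) ?>"/></td><td><?php echo $name_valid ? "" : "The name should be less than 50 pure ASCII characters long. Additionally make sure there is no Package with that name yet." ?></td>
</tr>
<tr>
<td>Package version:</td><td><input name="version" type="text" value="<?php echo html_escape($version_value) ?>"/></td><td><?php echo $version_valid ? "" : "The version should be less than 15 characters long and have the format 'd.d.d'." ?></td>
</tr>
<tr>
<td>Package description:</td><td><textarea name="description"><?php echo html_escape($description_value) ?></textarea></td><td><?php echo $description_valid ? "" : "The description should be less than 120 characters long." ?></td>
</tr>
<tr>
<td>Package file:</td><td><input type="file" name="file"/></td><td><?php echo $file_valid ? "" : "The file should be less than 20 MB big, and of the filetypes zip, mpackage or xml." ?></td>
</tr>
</table>
<input type="hidden" name="MAX_FILE_SIZE" value="20000000" />
<input type="hidden" name="mode" value="<?php echo html_escape($mode_value); ?>" />
<input type="submit" value="Submit" /> or <a href="administer.php">Cancel.</a>
</form>
</body>
</html>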