MyBB PHP Cross Reference Discussion Forums

Source: /xmlhttp.php - 793 lines - 22927 bytes - Summary - Text - Print

Description: MyBB 1.6 Copyright 2010 MyBB Group, All Rights Reserved Website: http://mybb.com License: http://mybb.com/about/license

   1  <?php
   2  /**
   3   * MyBB 1.6
   4   * Copyright 2010 MyBB Group, All Rights Reserved
   5   *
   6   * Website: http://mybb.com
   7   * License: http://mybb.com/about/license
   8   *
   9   * $Id$
  10   */
  11  
  12  /**
  13   * The deal with this file is that it handles all of the XML HTTP Requests for MyBB.
  14   *
  15   * It contains a stripped down version of the MyBB core which does not load things
  16   * such as themes, who's online data, all of the language packs and more.
  17   *
  18   * This is done to make response times when using XML HTTP Requests faster and
  19   * less intense on the server.
  20   */
  21  
  22  define("IN_MYBB", 1);
  23  
  24  // We don't want visits here showing up on the Who's Online
  25  define("NO_ONLINE", 1);
  26  
  27  define('THIS_SCRIPT', 'xmlhttp.php');
  28  
  29  // Load MyBB core files
  30  require_once dirname(__FILE__)."/inc/init.php";
  31  
  32  $shutdown_queries = array();
  33  
  34  // Load some of the stock caches we'll be using.
  35  $groupscache = $cache->read("usergroups");
  36  
  37  if(!is_array($groupscache))
  38  {
  39      $cache->update_usergroups();
  40      $groupscache = $cache->read("usergroups");
  41  }
  42  
  43  // Send no cache headers
  44  header("Expires: Sat, 1 Jan 2000 01:00:00 GMT");
  45  header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
  46  header("Cache-Control: no-cache, must-revalidate");
  47  header("Pragma: no-cache");
  48  
  49  // Create the session
  50  require_once  MYBB_ROOT."inc/class_session.php";
  51  $session = new session;
  52  $session->init();
  53  
  54  // Load the language we'll be using
  55  if(!isset($mybb->settings['bblanguage']))
  56  {
  57      $mybb->settings['bblanguage'] = "english";
  58  }
  59  if(isset($mybb->user['language']) && $lang->language_exists($mybb->user['language']))
  60  {
  61      $mybb->settings['bblanguage'] = $mybb->user['language'];
  62  }
  63  $lang->set_language($mybb->settings['bblanguage']);
  64  
  65  if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
  66  {
  67      @mb_internal_encoding($lang->settings['charset']);
  68  }
  69  
  70  // Load the language pack for this file.
  71  if(isset($mybb->user['style']) && intval($mybb->user['style']) != 0)
  72  {
  73      $loadstyle = "tid='".$mybb->user['style']."'";
  74  }
  75  else
  76  {
  77      $loadstyle = "def=1";
  78  }
  79  
  80  // Load basic theme information that we could be needing.
  81  $query = $db->simple_select("themes", "name, tid, properties", $loadstyle);
  82  $theme = $db->fetch_array($query);
  83  $theme = @array_merge($theme, unserialize($theme['properties']));
  84  
  85  // Set the appropriate image language directory for this theme.
  86  if(!empty($mybb->user['language']) && is_dir($theme['imgdir'].'/'.$mybb->user['language']))
  87  {
  88      $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->user['language'];
  89  }
  90  else
  91  {
  92      if(is_dir($theme['imgdir'].'/'.$mybb->settings['bblanguage']))
  93      {
  94          $theme['imglangdir'] = $theme['imgdir'].'/'.$mybb->settings['bblanguage'];
  95      }
  96      else
  97      {
  98          $theme['imglangdir'] = $theme['imgdir'];
  99      }
 100  }
 101  
 102  $templatelist = "postbit_editedby,xmlhttp_inline_post_editor,xmlhttp_buddyselect_online,xmlhttp_buddyselect_offline,xmlhttp_buddyselect";
 103  $templates->cache($db->escape_string($templatelist));
 104  
 105  if($lang->settings['charset'])
 106  {
 107      $charset = $lang->settings['charset'];
 108  }
 109  // If not, revert to UTF-8
 110  else
 111  {
 112      $charset = "UTF-8";
 113  }
 114  
 115  $lang->load("global");
 116  $lang->load("xmlhttp");
 117  
 118  $plugins->run_hooks("xmlhttp");
 119  
 120  // Fetch a list of usernames beginning with a certain string (used for auto completion)
 121  if($mybb->input['action'] == "get_users")
 122  {
 123      // If the string is less than 3 characters, quit.
 124      if(my_strlen($mybb->input['query']) < 3)
 125      {
 126          exit;
 127      }
 128  
 129      // Send our headers.
 130      header("Content-type: text/plain; charset={$charset}");
 131  
 132      // Query for any matching users.
 133      $query_options = array(
 134          "order_by" => "username",
 135          "order_dir" => "asc",
 136          "limit_start" => 0,
 137          "limit" => 15
 138      );
 139  
 140      $query = $db->simple_select("users", "uid, username", "username LIKE '".$db->escape_string_like($mybb->input['query'])."%'", $query_options);
 141      while($user = $db->fetch_array($query))
 142      {
 143          $user['username'] = htmlspecialchars_uni($user['username']);
 144          // Send the result to the browser for this user.
 145          echo "<div>\n";
 146          echo "<span class=\"username\">{$user['username']}</span>\n";
 147          echo "</div>\n";
 148      }
 149  }
 150  else if($mybb->input['action'] == "get_usergroups")
 151  {
 152      // If the string is less than 3 characters, quit.
 153      if(my_strlen($mybb->input['query']) < 3)
 154      {
 155          exit;
 156      }
 157  
 158      // Send our headers.
 159      header("Content-type: text/plain; charset={$charset}");
 160  
 161      // Sanitize the input.
 162      $mybb->input['query'] = str_replace(array("%", "_"), array("\\%", "\\_"), $mybb->input['query']);
 163  
 164      // Query for any matching usergroups.
 165      $query_options = array(
 166          "order_by" => "title",
 167          "order_dir" => "asc",
 168          "limit_start" => 0,
 169          "limit" => 15
 170      );
 171  
 172      $query = $db->simple_select("usergroups", "gid, title", "title LIKE '".$db->escape_string($mybb->input['query'])."%'", $query_options);
 173      while($group = $db->fetch_array($query))
 174      {
 175          $group['title'] = htmlspecialchars_uni($group['title']);
 176          // Send the result to the browser for this usergroup.
 177          echo "<div>\n";
 178          echo "<span class=\"usergroup\">{$group['title']} ({$lang->usergroup} {$group['gid']})</span>\n";
 179          echo "</div>\n";
 180      }
 181  }
 182  // This action provides editing of thread/post subjects from within their respective list pages.
 183  else if($mybb->input['action'] == "edit_subject" && $mybb->request_method == "post")
 184  {
 185      // Verify POST request
 186      if(!verify_post_check($mybb->input['my_post_key'], true))
 187      {
 188          xmlhttp_error($lang->invalid_post_code);
 189      }
 190  
 191      // Editing a post subject.
 192      if($mybb->input['pid'])
 193      {
 194          // Fetch the post from the database.
 195          $post = get_post($mybb->input['pid']);
 196  
 197          // No result, die.
 198          if(!$post['pid'])
 199          {
 200              xmlhttp_error($lang->post_doesnt_exist);
 201          }
 202  
 203          // Fetch the thread associated with this post.
 204          $thread = get_thread($post['tid']);
 205      }
 206  
 207      // We're editing a thread subject.
 208      else if($mybb->input['tid'])
 209      {
 210          // Fetch the thread.
 211          $thread = get_thread($mybb->input['tid']);
 212  
 213          // Fetch some of the information from the first post of this thread.
 214          $query_options = array(
 215              "order_by" => "dateline",
 216              "order_dir" => "asc",
 217          );
 218          $query = $db->simple_select("posts", "pid,uid,dateline", "tid='".$thread['tid']."'", $query_options);
 219          $post = $db->fetch_array($query);
 220      }
 221      // Fetch the specific forum this thread/post is in.
 222      $forum = get_forum($thread['fid']);
 223  
 224      // Missing thread, invalid forum? Error.
 225      if(!$thread['tid'] || !$forum['fid'] || $forum['type'] != "f")
 226      {
 227          xmlhttp_error($lang->thread_doesnt_exist);
 228      }
 229  
 230      // Fetch forum permissions.
 231      $forumpermissions = forum_permissions($forum['fid']);
 232  
 233      // If this user is not a moderator with "caneditposts" permissions.
 234      if(!is_moderator($forum['fid'], "caneditposts"))
 235      {
 236          // Thread is closed - no editing allowed.
 237          if($thread['closed'] == 1)
 238          {
 239              xmlhttp_error($lang->thread_closed_edit_subjects);
 240          }
 241          // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing.
 242          else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0)
 243          {
 244              xmlhttp_error($lang->no_permission_edit_subject);
 245          }
 246          // If we're past the edit time limit - don't allow editing.
 247          else if($mybb->settings['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->settings['edittimelimit']*60)))
 248          {
 249              $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->settings['edittimelimit']);
 250              xmlhttp_error($lang->edit_time_limit);
 251          }
 252          $ismod = false;
 253      }
 254      else
 255      {
 256          $ismod = true;
 257      }
 258      $subject = $mybb->input['value'];
 259      if(my_strtolower($charset) != "utf-8")
 260      {
 261          if(function_exists("iconv"))
 262          {
 263              $subject = iconv($charset, "UTF-8//IGNORE", $subject);
 264          }
 265          else if(function_exists("mb_convert_encoding"))
 266          {
 267              $subject = @mb_convert_encoding($subject, $charset, "UTF-8");
 268          }
 269          else if(my_strtolower($charset) == "iso-8859-1")
 270          {
 271              $subject = utf8_decode($subject);
 272          }
 273      }
 274  
 275      // Set up posthandler.
 276      require_once  MYBB_ROOT."inc/datahandlers/post.php";
 277      $posthandler = new PostDataHandler("update");
 278      $posthandler->action = "post";
 279  
 280      // Set the post data that came from the input to the $post array.
 281      $updatepost = array(
 282          "pid" => $post['pid'],
 283          "tid" => $thread['tid'],
 284          "subject" => $subject,
 285          "edit_uid" => $mybb->user['uid']
 286      );
 287      $posthandler->set_data($updatepost);
 288  
 289      // Now let the post handler do all the hard work.
 290      if(!$posthandler->validate_post())
 291      {
 292          $post_errors = $posthandler->get_friendly_errors();
 293          $errors = implode("\n\n", $post_errors);
 294          xmlhttp_error($errors);
 295      }
 296      // No errors were found, we can call the update method.
 297      else
 298      {
 299          $posthandler->update_post();
 300          if($ismod == true)
 301          {
 302              $modlogdata = array(
 303                  "tid" => $thread['tid'],
 304                  "pid" => $post['pid'],
 305                  "fid" => $forum['fid']
 306              );
 307              log_moderator_action($modlogdata, $lang->edited_post);
 308          }
 309      }
 310  
 311      require_once  MYBB_ROOT."inc/class_parser.php";
 312      $parser = new postParser;
 313  
 314      // Send our headers.
 315      header("Content-type: text/plain; charset={$charset}");
 316  
 317      $mybb->input['value'] = $parser->parse_badwords($mybb->input['value']);
 318  
 319      // Spit the subject back to the browser.
 320      echo substr($mybb->input['value'], 0, 120); // 120 is the varchar length for the subject column
 321  
 322      // Close the connection.
 323      exit;
 324  }
 325  else if($mybb->input['action'] == "edit_post")
 326  {
 327      // Fetch the post from the database.
 328      $post = get_post($mybb->input['pid']);
 329  
 330      // No result, die.
 331      if(!$post['pid'])
 332      {
 333          xmlhttp_error($lang->post_doesnt_exist);
 334      }
 335  
 336      // Fetch the thread associated with this post.
 337      $thread = get_thread($post['tid']);
 338  
 339      // Fetch the specific forum this thread/post is in.
 340      $forum = get_forum($thread['fid']);
 341  
 342      // Missing thread, invalid forum? Error.
 343      if(!$thread['tid'] || !$forum['fid'] || $forum['type'] != "f")
 344      {
 345          xmlhttp_error($lang->thread_doesnt_exist);
 346      }
 347  
 348      // Fetch forum permissions.
 349      $forumpermissions = forum_permissions($forum['fid']);
 350  
 351      // If this user is not a moderator with "caneditposts" permissions.
 352      if(!is_moderator($forum['fid'], "caneditposts"))
 353      {
 354          // Thread is closed - no editing allowed.
 355          if($thread['closed'] == 1)
 356          {
 357              xmlhttp_error($lang->thread_closed_edit_message);
 358          }
 359          // Forum is not open, user doesn't have permission to edit, or author doesn't match this user - don't allow editing.
 360          else if($forum['open'] == 0 || $forumpermissions['caneditposts'] == 0 || $mybb->user['uid'] != $post['uid'] || $mybb->user['uid'] == 0 || $mybb->user['suspendposting'] == 1)
 361          {
 362              xmlhttp_error($lang->no_permission_edit_post);
 363          }
 364          // If we're past the edit time limit - don't allow editing.
 365          else if($mybb->settings['edittimelimit'] != 0 && $post['dateline'] < (TIME_NOW-($mybb->settings['edittimelimit']*60)))
 366          {
 367              $lang->edit_time_limit = $lang->sprintf($lang->edit_time_limit, $mybb->settings['edittimelimit']);
 368              xmlhttp_error($lang->edit_time_limit);
 369          }
 370          // User can't edit unapproved post
 371          if($post['visible'] == 0)
 372          {
 373              xmlhttp_error($lang->post_moderation);
 374          }
 375  
 376          // Forum is closed - no editing allowed
 377          if($forum['open'] == 0)
 378          {
 379              xmlhttp_error($lang->no_permission_edit_post);
 380          }
 381      }
 382      if($mybb->input['do'] == "get_post")
 383      {
 384          // Send our headers.
 385          header("Content-type: text/xml; charset={$charset}");
 386  
 387          $post['message'] = htmlspecialchars_uni($post['message']);
 388  
 389          // Send the contents of the post.
 390          eval("\$inline_editor = \"".$templates->get("xmlhttp_inline_post_editor")."\";");
 391          echo "<?xml version=\"1.0\" encoding=\"{$charset}\"?".">";
 392          echo "<form>".$inline_editor."</form>";
 393          exit;
 394      }
 395      else if($mybb->input['do'] == "update_post")
 396      {
 397          // Verify POST request
 398          if(!verify_post_check($mybb->input['my_post_key'], true))
 399          {
 400              xmlhttp_error($lang->invalid_post_code);
 401          }
 402  
 403          $message = (string)$mybb->input['value'];
 404          if(my_strtolower($charset) != "utf-8")
 405          {
 406              if(function_exists("iconv"))
 407              {
 408                  $message = iconv($charset, "UTF-8//IGNORE", $message);
 409              }
 410              else if(function_exists("mb_convert_encoding"))
 411              {
 412                  $message = @mb_convert_encoding($message, $charset, "UTF-8");
 413              }
 414              else if(my_strtolower($charset) == "iso-8859-1")
 415              {
 416                  $message = utf8_decode($message);
 417              }
 418          }
 419  
 420          // Set up posthandler.
 421          require_once  MYBB_ROOT."inc/datahandlers/post.php";
 422          $posthandler = new PostDataHandler("update");
 423          $posthandler->action = "post";
 424  
 425          // Set the post data that came from the input to the $post array.
 426          $updatepost = array(
 427              "pid" => $mybb->input['pid'],
 428              "message" => $message,
 429              "edit_uid" => $mybb->user['uid']
 430          );
 431          $posthandler->set_data($updatepost);
 432  
 433          // Now let the post handler do all the hard work.
 434          if(!$posthandler->validate_post())
 435          {
 436              $post_errors = $posthandler->get_friendly_errors();
 437              $errors = implode("\n\n", $post_errors);
 438              xmlhttp_error($errors);
 439          }
 440          // No errors were found, we can call the update method.
 441          else
 442          {
 443              $postinfo = $posthandler->update_post();
 444              $visible = $postinfo['visible'];
 445              if($visible == 0 && !is_moderator($post['fid']))
 446              {
 447                  echo "<p>\n";
 448                  echo $lang->post_moderation;
 449                  echo "</p>\n";
 450                  exit;
 451              }
 452          }
 453  
 454          require_once  MYBB_ROOT."inc/class_parser.php";
 455          $parser = new postParser;
 456  
 457          $parser_options = array(
 458              "allow_html" => $forum['allowhtml'],
 459              "allow_mycode" => $forum['allowmycode'],
 460              "allow_smilies" => $forum['allowsmilies'],
 461              "allow_imgcode" => $forum['allowimgcode'],
 462              "allow_videocode" => $forum['allowvideocode'],
 463              "me_username" => $post['username'],
 464              "filter_badwords" => 1
 465          );
 466  
 467          if($post['smilieoff'] == 1)
 468          {
 469              $parser_options['allow_smilies'] = 0;
 470          }
 471  
 472          $post['message'] = $parser->parse_message($message, $parser_options);
 473  
 474          // Now lets fetch all of the attachments for these posts.
 475          $query = $db->simple_select("attachments", "*", "pid='{$post['pid']}'");
 476          while($attachment = $db->fetch_array($query))
 477          {
 478              $attachcache[$attachment['pid']][$attachment['aid']] = $attachment;
 479          }
 480  
 481          require_once  MYBB_ROOT."inc/functions_post.php";
 482  
 483          get_post_attachments($post['pid'], $post);
 484  
 485          // Figure out if we need to show an "edited by" message
 486          // Only show if at least one of "showeditedby" or "showeditedbyadmin" is enabled
 487          if($mybb->settings['showeditedby'] != 0 && $mybb->settings['showeditedbyadmin'] != 0)
 488          {
 489              $post['editdate'] = my_date($mybb->settings['dateformat'], TIME_NOW);
 490              $post['edittime'] = my_date($mybb->settings['timeformat'], TIME_NOW);
 491              $post['editnote'] = $lang->sprintf($lang->postbit_edited, $post['editdate'], $post['edittime']);
 492              $post['editedprofilelink'] = build_profile_link($mybb->user['username'], $mybb->user['uid']);
 493              eval("\$editedmsg = \"".$templates->get("postbit_editedby")."\";");
 494          }
 495  
 496          // Send our headers.
 497          header("Content-type: text/plain; charset={$charset}");
 498          echo $post['message']."\n";
 499          if($editedmsg)
 500          {
 501              echo str_replace(array("\r", "\n"), "", "<editedmsg>{$editedmsg}</editedmsg>");
 502          }
 503      }
 504  }
 505  // Fetch the list of multiquoted posts which are not in a specific thread
 506  else if($mybb->input['action'] == "get_multiquoted")
 507  {
 508      // If the cookie does not exist, exit
 509      if(!array_key_exists("multiquote", $mybb->cookies))
 510      {
 511          exit;
 512      }
 513      // Divide up the cookie using our delimeter
 514      $multiquoted = explode("|", $mybb->cookies['multiquote']);
 515  
 516      // No values - exit
 517      if(!is_array($multiquoted))
 518      {
 519          exit;
 520      }
 521  
 522      // Loop through each post ID and sanitize it before querying
 523      foreach($multiquoted as $post)
 524      {
 525          $quoted_posts[$post] = intval($post);
 526      }
 527  
 528      // Join the post IDs back together
 529      $quoted_posts = implode(",", $quoted_posts);
 530  
 531      // Fetch unviewable forums
 532      $unviewable_forums = get_unviewable_forums();
 533      if($unviewable_forums)
 534      {
 535          $unviewable_forums = "AND t.fid NOT IN ({$unviewable_forums})";
 536      }
 537      $message = '';
 538  
 539      // Are we loading all quoted posts or only those not in the current thread?
 540      if(!$mybb->input['load_all'])
 541      {
 542          $from_tid = "p.tid != '".intval($mybb->input['tid'])."' AND ";
 543      }
 544      else
 545      {
 546          $from_tid = '';
 547      }
 548  
 549      require_once  MYBB_ROOT."inc/class_parser.php";
 550      $parser = new postParser;
 551  
 552      require_once  MYBB_ROOT."inc/functions_posting.php";
 553  
 554      // Query for any posts in the list which are not within the specified thread
 555      $query = $db->query("
 556          SELECT p.subject, p.message, p.pid, p.tid, p.username, p.dateline, t.fid, p.visible, u.username AS userusername
 557          FROM ".TABLE_PREFIX."posts p
 558          LEFT JOIN ".TABLE_PREFIX."threads t ON (t.tid=p.tid)
 559          LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid=p.uid)
 560          WHERE {$from_tid}p.pid IN ($quoted_posts) {$unviewable_forums}
 561          ORDER BY p.dateline
 562      ");
 563      while($quoted_post = $db->fetch_array($query))
 564      {
 565          if(!is_moderator($quoted_post['fid']) && $quoted_post['visible'] == 0)
 566          {
 567              continue;
 568          }
 569  
 570          $message .= parse_quoted_message($quoted_post, false);
 571      }
 572      if($mybb->settings['maxquotedepth'] != '0')
 573      {
 574          $message = remove_message_quotes($message);
 575      }
 576  
 577      // Send our headers.
 578      header("Content-type: text/plain; charset={$charset}");
 579      echo $message;
 580      exit;
 581  }
 582  else if($mybb->input['action'] == "refresh_captcha")
 583  {
 584      $imagehash = $db->escape_string($mybb->input['imagehash']);
 585      $query = $db->simple_select("captcha", "dateline", "imagehash='$imagehash'");
 586      if($db->num_rows($query) == 0)
 587      {
 588          xmlhttp_error($lang->captcha_not_exists);
 589      }
 590      $db->delete_query("captcha", "imagehash='$imagehash'");
 591      $randomstr = random_str(5);
 592      $imagehash = md5(random_str(12));
 593      $regimagearray = array(
 594          "imagehash" => $imagehash,
 595          "imagestring" => $randomstr,
 596          "dateline" => TIME_NOW
 597      );
 598      $db->insert_query("captcha", $regimagearray);
 599      header("Content-type: text/plain; charset={$charset}");
 600      echo $imagehash;
 601  }
 602  else if($mybb->input['action'] == "validate_captcha")
 603  {
 604      header("Content-type: text/xml; charset={$charset}");
 605      $imagehash = $db->escape_string($mybb->input['imagehash']);
 606      $query = $db->simple_select("captcha", "imagestring", "imagehash='$imagehash'");
 607      if($db->num_rows($query) == 0)
 608      {
 609          echo "<fail>{$lang->captcha_valid_not_exists}</fail>";
 610          exit;
 611      }
 612      $imagestring = $db->fetch_field($query, 'imagestring');
 613  
 614      if(my_strtolower($imagestring) == my_strtolower($mybb->input['value']))
 615      {
 616          echo "<success>{$lang->captcha_matches}</success>";
 617          exit;
 618      }
 619      else
 620      {
 621          echo "<fail>{$lang->captcha_does_not_match}</fail>";
 622          exit;
 623      }
 624  }
 625  else if($mybb->input['action'] == "complex_password")
 626  {
 627      $password = trim($mybb->input['value']);
 628      $password = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $password);
 629  
 630      header("Content-type: text/xml; charset={$charset}");
 631      if(!preg_match("/^.*(?=.{".$mybb->settings['minpasswordlength'].",})(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$/", $password))
 632      {
 633          echo "<fail>{$lang->complex_password_fails}</fail>";
 634      }
 635      else
 636      {
 637          // Return nothing but an OK password if passes regex
 638          echo "<success></success>";
 639      }
 640  
 641      exit;
 642  }
 643  else if($mybb->input['action'] == "username_availability")
 644  {
 645      if(!verify_post_check($mybb->input['my_post_key'], true))
 646      {
 647          xmlhttp_error($lang->invalid_post_code);
 648      }
 649  
 650      require_once  MYBB_ROOT."inc/functions_user.php";
 651      $username = $mybb->input['value'];
 652  
 653      // Fix bad characters
 654      $username = trim($username);
 655      $username = str_replace(array(unichr(160), unichr(173), unichr(0xCA), dec_to_utf8(8238), dec_to_utf8(8237), dec_to_utf8(8203)), array(" ", "-", "", "", "", ""), $username);
 656  
 657      // Remove multiple spaces from the username
 658      $username = preg_replace("#\s{2,}#", " ", $username);
 659  
 660      header("Content-type: text/xml; charset={$charset}");
 661  
 662      if(empty($username))
 663      {
 664          echo "<fail>{$lang->banned_characters_username}</fail>";
 665          exit;
 666      }
 667  
 668      // Check if the username belongs to the list of banned usernames.
 669      $banned_username = is_banned_username($username, true);
 670      if($banned_username)
 671      {
 672          echo "<fail>{$lang->banned_username}</fail>";
 673          exit;
 674      }
 675  
 676      // Check for certain characters in username (<, >, &, and slashes)
 677      if(strpos($username, "<") !== false || strpos($username, ">") !== false || strpos($username, "&") !== false || my_strpos($username, "\\") !== false || strpos($username, ";") !== false || !validate_utf8_string($username, false, false))
 678      {
 679          echo "<fail>{$lang->banned_characters_username}</fail>";
 680          exit;
 681      }
 682  
 683      // Check if the username is actually already in use
 684      $query = $db->simple_select("users", "uid", "LOWER(username)='".$db->escape_string(my_strtolower($username))."'");
 685      $user = $db->fetch_array($query);
 686  
 687      if($user['uid'])
 688      {
 689          $lang->username_taken = $lang->sprintf($lang->username_taken, htmlspecialchars_uni($username));
 690          echo "<fail>{$lang->username_taken}</fail>";
 691          exit;
 692      }
 693      else
 694      {
 695          $lang->username_available = $lang->sprintf($lang->username_available, htmlspecialchars_uni($username));
 696          echo "<success>{$lang->username_available}</success>";
 697          exit;
 698      }
 699  }
 700  else if($mybb->input['action'] == "username_exists")
 701  {
 702      if(!verify_post_check($mybb->input['my_post_key'], true))
 703      {
 704          xmlhttp_error($lang->invalid_post_code);
 705      }
 706  
 707      require_once  MYBB_ROOT."inc/functions_user.php";
 708      $username = $mybb->input['value'];
 709  
 710      header("Content-type: text/xml; charset={$charset}");
 711  
 712      if(!trim($username))
 713      {
 714          echo "<success></success>";
 715          exit;
 716      }
 717  
 718      // Check if the username actually exists
 719      $query = $db->simple_select("users", "uid", "LOWER(username)='".$db->escape_string(my_strtolower($username))."'");
 720      $user = $db->fetch_array($query);
 721  
 722      if($user['uid'])
 723      {
 724          $lang->valid_username = $lang->sprintf($lang->valid_username, htmlspecialchars_uni($username));
 725          echo "<success>{$lang->valid_username}</success>";
 726          exit;
 727      }
 728      else
 729      {
 730          $lang->invalid_username = htmlspecialchars_uni($lang->sprintf($lang->invalid_username, htmlspecialchars_uni($username)));
 731          echo "<fail>{$lang->invalid_username}</fail>";
 732          exit;
 733      }
 734  }
 735  else if($mybb->input['action'] == "get_buddyselect")
 736  {
 737      // Send our headers.
 738      header("Content-type: text/plain; charset={$charset}");
 739  
 740      if($mybb->user['buddylist'] != "")
 741      {
 742          $query_options = array(
 743              "order_by" => "username",
 744              "order_dir" => "asc"
 745          );
 746          $timecut = TIME_NOW - $mybb->settings['wolcutoff'];
 747          $query = $db->simple_select("users", "uid, username, usergroup, displaygroup, lastactive, lastvisit, invisible", "uid IN ({$mybb->user['buddylist']})", $query_options);
 748          $online = array();
 749          $offline = array();
 750          while($buddy = $db->fetch_array($query))
 751          {
 752              $buddy_name = format_name($buddy['username'], $buddy['usergroup'], $buddy['displaygroup']);
 753              $profile_link = build_profile_link($buddy_name, $buddy['uid'], '_blank');
 754              if($buddy['lastactive'] > $timecut && ($buddy['invisible'] == 0 || $mybb->user['usergroup'] == 4) && $buddy['lastvisit'] != $buddy['lastactive'])
 755              {
 756                  eval("\$online[] = \"".$templates->get("xmlhttp_buddyselect_online")."\";");
 757              }
 758              else
 759              {
 760                  eval("\$offline[] = \"".$templates->get("xmlhttp_buddyselect_offline")."\";");
 761              }
 762          }
 763          $online = implode("", $online);
 764          $offline = implode("", $offline);
 765          eval("\$buddy_select = \"".$templates->get("xmlhttp_buddyselect")."\";");
 766          echo $buddy_select;
 767      }
 768      else
 769      {
 770          xmlhttp_error($lang->buddylist_error);
 771      }
 772  }
 773  
 774  /**
 775   * Spits an XML Http based error message back to the browser
 776   *
 777   * @param string The message to send back.
 778   */
 779  function xmlhttp_error($message)
 780  {
 781      global $charset;
 782  
 783      // Send our headers.
 784      header("Content-type: text/xml; charset={$charset}");
 785  
 786      // Send the error message.
 787      echo "<error>".$message."</error>";
 788  
 789      // Exit
 790      exit;
 791  }
 792  
 793  ?>

title

Description

title

Description

title

Description

title

title

Body