Add files via upload

Author: aj-techsoul

ELI/config.php

@@ -4,11 +4,17 @@
 //------------------------------------
 
 # USER DATABASE
-$GLOBALS['USER']['config']['dbtype'] = "mysql"; // mysql,sqlite
+// $GLOBALS['USER']['config']['dbtype'] = "mysql"; // mysql,sqlite
+// $GLOBALS['USER']['config']['dbhost'] = "localhost"; // FOR SQLITE, Please mention SQLlite File Path
+// $GLOBALS['USER']['config']['dbuser'] = "root";
+// $GLOBALS['USER']['config']['dbpass'] = "";
+// $GLOBALS['USER']['config']['dbname'] = "";// FOR SQLITE, Please mention SQLlite File Path
+$GLOBALS['USER']['config']['dbtype'] = "sqlite"; // mysql,sqlite
 $GLOBALS['USER']['config']['dbhost'] = "localhost"; // FOR SQLITE, Please mention SQLlite File Path
-$GLOBALS['USER']['config']['dbuser'] = "root";
-$GLOBALS['USER']['config']['dbpass'] = "";
-$GLOBALS['USER']['config']['dbname'] = "";// FOR SQLITE, Please mention SQLlite File Path
+$GLOBALS['USER']['config']['dbuser'] = "admin";
+$GLOBALS['USER']['config']['dbpass'] = "admin";
+$GLOBALS['USER']['config']['dbname'] = "db/cmsv3";
+
 
 # CMS Database
 $GLOBALS['CMS']['config']['dbtype'] = "sqlite"; // mysql,sqlite
@@ -68,8 +74,8 @@
 //echo date('d-m-Y h:i a'); //Returns IST
 //------------------------------------
 
-$freepages = "REGISTER,LOGIN,SIGNUP,contact.php,partner.php,test.php";
+$freepages = "REGISTER,LOGIN,SIGNUP,contact.php,partner.php,test.php,tool.php";
 
 // IMPORTANT TO SET
-$websitepath = "ELI-GROUP/ELi-PHP-Framework/";
+$websitepath = "rad/eli-php-framework-main/";
  ?>

ELI/functions.php

@@ -35,28 +35,14 @@ function page($url2)
 <?php
 	function csrf()
     {
-        if(!isset($_SESSION)){
-        session_start();
-        $_SESSION['formStarted'] = true;
-        }
-        if (!isset($_SESSION['token']))
-        {
-            $token = md5(date('Y-m-d-H-i').uniqid(rand(), TRUE));
-            $_SESSION['token'] = $token;            
-        }
-        return @$_SESSION['token'];
+        $s = new SECURITY;
+        return $s->csrf();
     }
 
 	function check_csrf($csrf_got)
     {
-        if ($_SESSION['token'] == $csrf_got)
-        {
-            return TRUE;
-        }
-        else
-        {
-            return FALSE;
-        }
+        $s = new SECURITY;
+        return $s->check_csrf($csrf_got);
     }
 
 /**

ELI/process/api.php

@@ -1,18 +1,23 @@
 <?php
 header("Access-Control-Allow-Origin: *");
+header('Cache-Control: no-cache');
 header('Content-Type: application/json');
 
-$aid = base64_encode("ajib777");
+$aid = base64_encode("aj818");
 $csrf_got = @$_POST['csrf'];
 $validateEmail = false; // VALIDATE EMAIL (true/false)
 $url = page(PAGE);  
 $v = new VALIDATOR;
 $db = new DATABASE;
 $enablelog = TRUE;
 $api = new API;
+$s = new SECURITY;
 
+$validkey = false;
 // working on API Key
-$apikey_default = (isset($_REQUEST['csrf']) && strlen($_REQUEST['csrf']) == 32) ? $_REQUEST['csrf'] : $api->getDefaultAPIKey();
+$apikey_default = (isset($_REQUEST['csrf']) && strlen($_REQUEST['csrf']) >= 32) ? $_REQUEST['csrf'] : $api->getDefaultAPIKey();
+
+// var_dump($_REQUEST['apikey'] == $apikey_default || $_SESSION['token'] == $apikey_default);
 
 if(isset($_REQUEST['apikey']) && strlen(@$_REQUEST['apikey']) == 32){
   // check for same server use
@@ -22,28 +27,30 @@
 else
 {
    // Check API Key
-  $apikey = @$_REQUEST['apikey'];
+ $apikey = @$_REQUEST['apikey'];
  $chkapi = $db->query("SELECT * FROM apilicense WHERE license='$apikey' AND  expirydate >= date('now')
  ","CMS");
-  if(count($chkapi) > 0){
-      $validkey = true;
-  }
-  else
-  {
-    $validkey = false;
-  }
+    if(count($chkapi) > 0){
+        $validkey = true;
+    }
+    else
+    {
+      $validkey = false;
+    }
   }
 }
-elseif(check_csrf($apikey_default)){
+
+if(check_csrf($apikey_default) || $_SESSION['token'] == $apikey_default){
   // same origin // csrf check
   $validkey = true;
 }
-else
-{
-  $err['error'] = "No API Key Provided";
-  $err['success'] = false;
-  die(json_encode($err));
+
+// FREE CASES 
+$casefree = explode(",","currentcsrf");
+if(isset($url[1]) && in_array($url[1],$casefree)){
+  $validkey = true;
 }
+// =========
 
 if(!$validkey){
   $err['error'] = "API key is not valid";
@@ -57,6 +64,10 @@
 
 switch (@$url[1]){
 
+  case "currentcsrf":
+    echo $s->csrf();
+  break;
+
   case "getprofilext":
     if(isset($_SESSION['user']['id']) && $url[1]!=""){
 
@@ -182,8 +193,7 @@
   case "test":
     $tbl = "users";
     $res = $db->query("SELECT * FROM $tbl WHERE 1");
-    echo "<pre>";
-    print_r($res);
+    echo json_encode($res);
   break;
 
 

ELI/process/post.php

@@ -4,11 +4,30 @@
 $v = new VALIDATOR;
 $mail = new MAILER;
 $db = new DATABASE;
+$req = new REQUEST;
 $postedpage = $page[1];
 
 
 switch ($postedpage)
 {
+case "addusers":
+        $tbl = "users";
+        $formdata = $v->need("name,email,phone,password");
+        $formdata['password'] = md5($formdata['password']);
+        echo $req->addrow($tbl,$formdata,$required="name,email,phone,password",$unique="id",$successmsg="Successfully added data",$failmsg="Unable to add data",$duplicatemsg="Duplicate record found");
+    break;  
+
+case "editusers":
+        $tbl = "users";
+        $formdata = $v->need("id,name,email,phone");
+        echo $req->updaterow($tbl,$formdata,$required="id",$unique="id",$successmsg="Successfully updated data",$failmsg="Unable to update data",$duplicatemsg="Duplicate record found");
+    break;  
+
+
+   case "google":
+        $google = new GOOGLE;   
+        $google->glogin($page[2]);
+    break; 
 
 	case "signup":
                 if (isset($_POST) && $v->required_fields("name,email,phone,password,cpassword") &&
@@ -219,7 +238,7 @@
 
 
     case "delrow":
-        if(isset($_SESSION['user']['id']) && isset($page[2]) && isset($_POST['id']) &&  is_numeric($_POST['id']) && check_csrf($csrf_got))
+        if(isset($_SESSION['user']['id']) && isset($page[2]) && isset($_POST['id']) &&  is_numeric($_POST['id']))
         {
             $id = $_POST['id'];
                        // DELETE

ELI/process/url.php

@@ -8,6 +8,8 @@
 $page = explode('/',str_replace(_BASEURL_,'',@$_GET['url']) );
 //print_r($page);
 
+
+
 switch ($page[0]){
 
         case "p":
@@ -105,6 +107,10 @@
 
         if(isset($_GET['url']) && file_exists($pageurl) && $_GET['url']!="" )
         {
+            if(isset($_SESSION['ssetoken'])){
+              unset($_SESSION['ssetoken']);
+            }
+
             if(!in_array($PG,$avoid))
             {
               if(in_array($PG, $free)){

ELI/process/view.php

@@ -1,30 +1,117 @@
 <?php
-$csrf_got = @$_POST['csrf'];
+header("Access-Control-Allow-Origin: *");
+header('Content-Type: text/event-stream');
+header('Cache-Control: no-cache');
+
+
+$db = new DATABASE;
+$sse = new SSE;
+
+$csrf_got = @$_REQUEST['csrf'];
 $validateEmail = false; // VALIDATE EMAIL (true/false)
 $url = page(PAGE);
+$validkey = false;
+
+
+if(check_csrf($csrf_got)){
+  $validkey = true;
+}
+
+// FREE CASES 
+$casefree = explode(",","test");
+if(isset($url[1]) && in_array($url[1],$casefree)){
+  $validkey = true;
+}
+// =========
+
+if(!$validkey){
+  $err['error'] = "Token is not valid";
+  $err['success'] = false;
+  die(json_encode($err));
+}
+
 //print_r($url);
 switch (@$url[1]){
 
-    // Dummy
-    case "categorylist":
-      echo '<option value="0">Main</option>';
-      $db = new DATABASE;
-      $res =  $db->query("SELECT c.id,c.category FROM category as c
-                          WHERE c.pid='0' AND c.status='1'");
-      $tpl=new TEMPLATE;
-      $template='<option value="{{id}}">{{category}}</option>';
-      $list=$tpl->viewer($res,$template);
+    // dummy1
+    case "test":
+      $msx = '<select name="" label="All Users" multiple>';
+      $msx .= $tmp->viewer($db->query("SELECT * FROM users"),'<option value="{{id}}">{{name}}</option>',false,true);
+      $msx .= '</select>';
+
+      $sse->seepreformat($msx);
+    break;
+
+    // dummy2
+    case "tbldata":
+      $sql = @$url[2];
+      $tbtn = @$url[3];
+      $sqlquery = base64_decode($sql);
+      $token = $_SESSION["token"];
+      $template = '<tr template="" id="row{{id}}">
+              <td class="status-field"><span onclick="statusupdate(this)" data-value="{{status}}" data-id="{{id}}" data-action="users" class="status {{statustxt}}">{{statustxt}}</span> {{name}}</td><td>{{email}}</td><td>{{phone}}</td>
+            <td class="elitable-actions">
+              <span class="mdi mdi-pencil btn blue white-text small" onclick="editData(this,\'#editusersmod\',\'getdatajson\')" data-t="users" csrf="'.$token.'" data-id="{{id}}"></span>
+              <span class="mdi mdi-close btn red white-text small" onclick="delrow(this,\'#row\')" csrf="'.$token.'"  data-id="{{id}}" data-action="users"></span>
+            </td>
+            </tr>';
+
+         $templatex = str_replace('template=""',"",$template);   
+      $tbldata = $template;  
+      $tbldata .= $tmp->viewer($db->query($sqlquery),$templatex,false,true);
+
+      $sse->seepreformat($tbldata);
+    break;
+
+    // Option Field
+    case "optionfield":
+      // Example: "v/optionfield/tblname/columns|id|true";
+      $tbl = @$url[2];
+      $col = explode("|",$url[3]);
+
+      $val = (isset($col[1]))?$col[1] : 'id';
+      $txt = (isset($col[0]))?$col[0] : 'id';
+
+      $where = " ";
+      if(isset($col[2]) AND $col[2] == "true"){
+          $where .= " status='1' ";
+      }
+      else
+      {
+        $where .=" 1 ";
+      }
+
+      $xmsg = '<option value=""></option>';      
+      $res =  $db->query("SELECT $val,$txt FROM $tbl
+                          WHERE $where ");
+      $template='<option value="{{'.$val.'}}">{{'.$txt.'}}</option>';
+      $xmsg .= $tmp->viewer($res,$template,false,true);
+
+      $data = array(
+        'message' => base64_encode($xmsg),
+        'timestamp' => time()
+      );
+      $sse->sendSSE($data);
+      // Simulate a delay between updates
+      // sleep(5);
+
     break;
 
     default:
-      $pageurl = VIEW."$page";
+      $pageurl = VIEW.end($url);
       if(file_exists($pageurl))
       {
         include($pageurl);
       }
       else
       {
-        include(VIEW.'404.php');
+        if(file_exists(VIEW.'404.php')){
+          include(VIEW.'404.php');
+        }
+        else
+        {
+          echo "404 Error. Page not Found";
+        }
       }
     break;
 }