
📄 phpop3clean.admin.php

📁 一个基于页面实现的pop客户端程序
💻 PHP
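			// Tail of a switch case whose start lies outside this listing; it prints
			// "Record deleted", so it is presumably the 'delete' action.
			// NOTE(review): for non-admins every query in this switch filters rows with
			// `account` LIKE <phPOP3cleanUSER cookie>. mysql_escape_string() leaves the
			// LIKE wildcards % and _ untouched, so this is a pattern match rather than
			// an exact match, and it is only as trustworthy as the cookie itself. How the
			// cookie is authenticated is not visible here - confirm, and prefer an exact
			// `=` comparison against a server-side session value.
			$SQLquery .= ' AND (`account` LIKE "'.mysql_escape_string(IsAdminUser() ? '%' : $_COOKIE['phPOP3cleanUSER']).'")';
			mysql_query_safe($SQLquery);
			echo 'Record deleted<br>';
			// NOTE(review): PHP_SELF is written into a <script> string literal without
			// escaping. It includes any path info from the request URL, so it is
			// request-controlled and needs JavaScript-context escaping (or a fixed script
			// path). The same pattern recurs in the 'save' and 'insert' cases below.
			echo '<script>location = "'.$_SERVER['PHP_SELF'].'?wordadmin='.__LINE__.'&action=list&db='.urlencode($_REQUEST['db']).'&orderby='.urlencode(@$_REQUEST['orderby']).'";</script>';
			unset($word);
			break;

		case 'save':
			// Insert a new word (oldword == 'new') or update an existing one.
			// NOTE(review): the table name comes from the request and is placed between
			// backticks. mysql_escape_string() escapes string-literal metacharacters only,
			// not backticks, so it does not make an identifier safe. Validate `db` against
			// the list of word tables this page is meant to manage (that list is not
			// visible in this fragment). Applies to every `db` use in this switch.

			// The edit form only offers the "Regular Expression" checkbox to admins;
			// enforce the same rule here so a hand-crafted POST cannot store a regex word.
			$saveIsRegex = (IsAdminUser() ? intval(@$_POST['isregex']) : 0);
			if ($_POST['oldword'] == 'new') {
				$SQLquery  = 'INSERT IGNORE INTO `'.mysql_escape_string($_POST['db']).'` (`word`, `account`, `isregex`, `casesensitive`, `added`, `description`) VALUES (';
				$SQLquery .= '"'.mysql_escape_string($_POST['word']).'", ';
				// words added by an admin are stored with an empty account
				$SQLquery .= '"'.mysql_escape_string(IsAdminUser() ? '' : $_COOKIE['phPOP3cleanUSER']).'", ';
				$SQLquery .= '"'.mysql_escape_string($saveIsRegex).'", ';
				$SQLquery .= '"'.mysql_escape_string(intval(@$_POST['casesensitive'])).'", ';
				$SQLquery .= '"'.mysql_escape_string(time()).'", ';
				$SQLquery .= '"'.mysql_escape_string($_POST['description']).'")';
			} else {
				$SQLquery  = 'UPDATE `'.mysql_escape_string($_POST['db']).'` SET';
				$SQLquery .= ' `word` = "'.mysql_escape_string($_POST['word']).'",';
				$SQLquery .= ' `isregex` = "'.mysql_escape_string($saveIsRegex).'",';
				$SQLquery .= ' `casesensitive` = "'.mysql_escape_string(intval(@$_POST['casesensitive'])).'",';
				$SQLquery .= ' `description` = "'.mysql_escape_string($_POST['description']).'"';
				$SQLquery .= ' WHERE `word` = "'.mysql_escape_string($_POST['oldword']).'"';
				$SQLquery .= ' AND (`account` LIKE "'.mysql_escape_string(IsAdminUser() ? '%' : $_COOKIE['phPOP3cleanUSER']).'")';
			}
			unset($saveIsRegex);
			mysql_query_safe($SQLquery);
			echo 'Record updated<br><script>location = "'.$_SERVER['PHP_SELF'].'?wordadmin='.__LINE__.'&action=list&db='.urlencode($_REQUEST['db']).'&orderby='.urlencode(@$_REQUEST['orderby']).'";</script>';
			break;

		case 'edit':
			// Show the add/edit form, pre-filled from the database unless word == 'new'.
			if (@$_REQUEST['word'] == 'new') {
				$row = array('word'=>'', 'description'=>'', 'isregex'=>'0', 'casesensitive'=>'0');
			} else {
				$word = @$_REQUEST['word'];
				// the list view URL-encodes http:// links inside a word when it builds
				// the edit link; decode those parts again before the lookup
				$nr_of_matches = preg_match_all('/(http%3A%2F%2F.* ?)/', $word, $matches);
				if (($nr_of_matches !== false) && ($nr_of_matches > 0)) {
					foreach ($matches[1] as $match) {
						$word = str_replace($match, urldecode($match), $word);
					}
				}
				unset($nr_of_matches, $matches, $match);
				$SQLquery  = 'SELECT * FROM `'.mysql_escape_string($_REQUEST['db']).'`';
				$SQLquery .= ' WHERE `word` = "'.mysql_escape_string($word).'"';
				$SQLquery .= ' AND (`account` LIKE "'.mysql_escape_string(IsAdminUser() ? '%' : $_COOKIE['phPOP3cleanUSER']).'")';
				$result = mysql_query_safe($SQLquery);
				$row = mysql_fetch_array($result);
				unset($word);
			}
			if (!empty($row)) {
				// PHP_SELF can carry request-supplied path info, so escape it for the attribute
				echo '<form action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'" method="post">';
				echo '<b>Word:</b> <input type="text" name="word" value="'.htmlentities($row['word'], ENT_QUOTES).'" size="30"> ';
				if (strpos($_REQUEST['db'], 'obfuscated') === false) {
					// regular expressions cannot be used for obfuscated words
					if (IsAdminUser()) {
						// disable user-level regex words until a good validation method is in place
						echo '<input type="checkbox" name="isregex"       value="1"'.($row['isregex']       ? ' CHECKED' : '').'>Regular Expression | ';
					}
					echo '<input type="checkbox" name="casesensitive" value="1"'.($row['casesensitive'] ? ' CHECKED' : '').'>Case-Sensitive<br>';
					echo '<i><ul>';
					echo '<li>Use hex characters for HTML entities in regular expressions, for example "\xA0" instead of "&amp;nbsp;"</li>';
					echo '<li>Use <b>\s</b> instead of a normal space inside bracketed expressions in regex mode (good: [\sa-z]+; bad: [ a-z]+)</li>';
					echo '</ul></i>';
				}
				echo '<br><b>Description (optional):</b><br><textarea name="description" cols="40" rows="3">'.htmlentities($row['description'], ENT_QUOTES).'</textarea><br><br>';
				// NOTE(review): no anti-CSRF token is emitted with this form, and none is
				// checked in the visible part of the 'save' case - confirm whether the
				// surrounding file adds one.
				echo '<input type="hidden" name="wordadmin" value="'.htmlentities($_REQUEST['wordadmin'], ENT_QUOTES).'">';
				echo '<input type="hidden" name="action" value="save">';
				echo '<input type="hidden" name="orderby" value="'.htmlentities(@$_REQUEST['orderby'], ENT_QUOTES).'">';
				echo '<input type="hidden" name="db" value="'.htmlentities($_REQUEST['db'], ENT_QUOTES).'">';
				echo '<input type="hidden" name="oldword" value="'.htmlentities($_REQUEST['word'], ENT_QUOTES).'">';
				echo '<input type="submit" value="Save">';
				echo '</form>';
			} else {
				echo 'Cannot find record for word "'.htmlentities(@$_REQUEST['word']).'"';
			}
			break;

		case 'list':
			// List the words visible to the current user as a sortable table.
			$fields = array('word', 'hitcount', 'lasthit', 'added', 'description');
			// Sort column and direction are interpolated as an SQL identifier and keyword,
			// where string escaping gives no protection. Accept only known values and
			// fall back to the defaults (`word`, DESC) for anything else.
			$listOrderBy  = (in_array(@$_REQUEST['orderby'], $fields, true) ? $_REQUEST['orderby'] : 'word');
			$listOrderDir = (in_array(@$_REQUEST['orderorder'], array('ASC', 'DESC'), true) ? $_REQUEST['orderorder'] : 'DESC');
			$SQLquery  = 'SELECT * FROM `'.mysql_escape_string($_REQUEST['db']).'`';
			$SQLquery .= ' WHERE (`account` LIKE "'.mysql_escape_string(IsAdminUser() ? '%' : $_COOKIE['phPOP3cleanUSER']).'")';
			$SQLquery .= ' ORDER BY `'.$listOrderBy.'` '.$listOrderDir;
			unset($listOrderBy, $listOrderDir);
			$result = mysql_query_safe($SQLquery);
			echo '<a href="'.htmlspecialchars(linkencode($_SERVER['PHP_SELF'].'?wordadmin='.$_REQUEST['wordadmin'].'&db='.$_REQUEST['db'].'&action=edit&word=new&orderby='.@$_REQUEST['orderby']), ENT_QUOTES).'">Add new word</a></br>';
			echo '<table border="1" cellspacing="0" cellpadding="3">';
			// next sort direction when the active column header is clicked again:
			// default -> ASC -> DESC -> default (the original repeated the 'ASC' key,
			// so the 'ASC'=>'DESC' entry was silently overwritten)
			$invAscDesc = array(''=>'ASC', 'ASC'=>'DESC', 'DESC'=>'');
			echo '<tr><th></th>';
			foreach ($fields as $field) {
				echo '<th><a href="'.htmlspecialchars(linkencode($_SERVER['PHP_SELF'].'?wordadmin='.$_REQUEST['wordadmin'].'&action=list&db='.$_REQUEST['db'].'&orderby='.$field.((@$_REQUEST['orderby'] == $field) ? '&orderorder='.@$invAscDesc[@$_REQUEST['orderorder']] : '')), ENT_QUOTES).'">'.$field.'</a></th>';
			}
			echo '<th nowrap>Popularity</th><th>&nbsp;</th></tr>';
			while ($row = mysql_fetch_array($result)) {
				$word = $row['word'];
				// URL-encode http:// links inside the word before it goes into the
				// edit/delete links (the 'edit' case decodes them again)
				$nr_of_matches = preg_match_all('/(http:\\/\/.* ?)/', $word, $matches);
				if (($nr_of_matches !== false) && ($nr_of_matches > 0)) {
					foreach ($matches[1] as $match) {
						$word = str_replace($match, urlencode($match), $word);
					}
				}
				unset($nr_of_matches, $matches, $match);
				echo "\n".'<tr>';
				echo "\n\t".'<td><a href="'.htmlspecialchars(linkencode($_SERVER['PHP_SELF'].'?wordadmin='.$_REQUEST['wordadmin'].'&db='.$_REQUEST['db'].'&action=edit&word='.$word.'&orderby='.@$_REQUEST['orderby']), ENT_QUOTES).'">edit</a></td>';
				// regex words are shown bold, case-sensitive words italic
				echo "\n\t".'<td>'.(@$row['isregex'] ? '<b>' : '').(@$row['casesensitive'] ? '<i>' : '').htmlentities($row['word'], ENT_QUOTES).(@$row['casesensitive'] ? '</i>' : '').(@$row['isregex'] ? '</b>' : '').'</td>';
				echo "\n\t".'<td align="right">'.number_format($row['hitcount']).'</td>';
				if ($row['lasthit']) {
					echo "\n\t".'<td align="right" bgcolor="#'.LastHit2bgcolor($row['lasthit']).'" nowrap>'.date('M-d-Y', $row['lasthit']).'</td>';
					if ($row['added']) {
						echo "\n\t".'<td align="right" nowrap>'.date('M-d-Y', $row['added']).'</td>';
					} else {
						echo "\n\t".'<td align="center">-</td>';
					}
				} else {
					echo "\n\t".'<td align="center">-</td>';
					echo "\n\t".'<td align="right" bgcolor="#'.LastHit2bgcolor($row['added']).'" nowrap>'.date('M-d-Y', $row['added']).'</td>';
				}
				echo "\n\t".'<td>'.htmlentities($row['description'], ENT_QUOTES).'&nbsp;</td>';
				// popularity = hitcount squared per day between `added` and `lasthit`;
				// show '-' when both timestamps are equal instead of dividing by zero
				$elapsed_seconds = $row['lasthit'] - $row['added'];
				echo "\n\t".'<td align="right">'.(($row['lasthit'] && $elapsed_seconds) ? round($row['hitcount'] * ($row['hitcount'] / ($elapsed_seconds / 86400)), 1) : '-').'</td>';
				unset($elapsed_seconds);
				// NOTE(review): deletion is triggered by a plain GET link guarded only by a
				// client-side confirm(); no anti-CSRF token is visible. State-changing
				// actions should require POST plus a per-session token.
				echo "\n\t".'<td><a href="'.htmlspecialchars(linkencode($_SERVER['PHP_SELF'].'?wordadmin='.$_REQUEST['wordadmin'].'&db='.$_REQUEST['db'].'&action=delete&word='.$word.'&orderby='.@$_REQUEST['orderby']), ENT_QUOTES).'" onClick="return confirm(\'Are you SURE you want to delete this word?\');">delete</a></td>';
				echo "\n".'</tr>';
				unset($word);
			}
			echo '</table>';
			break;

		default:
			break;
	}

} elseif (IsAdminUser() && @$_GET['recentdomains']) {

	// Admin only: list recently seen domains with hit counts, then resolve each one
	// and fill in its IP addresses through inline <script> updates as results arrive.
	$SQLquery  = 'SELECT `domain`, COUNT(`domain`) AS `hitcount` FROM `'.PHPOP3CLEAN_TABLE_PREFIX.'domains_recent`';
	$SQLquery .= ' GROUP BY `domain`';
	$result = mysql_query_safe($SQLquery);
	echo '<div id="currentlookupstatus"></div>';
	echo '<table border="1" cellspacing="0" cellpadding="3">';
	echo '<tr><th>domain</th><th>hits</th><th>IPs</th></tr>';
	$DomainsToLookup = array();
	while ($row = mysql_fetch_array($result)) {
		$DomainsToLookup[$row['domain']] = $row['hitcount'];
	}
	foreach ($DomainsToLookup as $domain => $hitcount) {
		echo '<tr>';
		echo '<td><a href="'.htmlspecialchars(linkencode('http://'.$domain), ENT_QUOTES) .'" target="_blank">'.htmlspecialchars($domain, ENT_QUOTES).'</a></td>';
		echo '<td align="right">'.number_format($hitcount).'</td>';
		// escape the stored domain for the attribute, as the link cell above already does
		echo '<td nowrap id="IPs_'.htmlspecialchars($domain, ENT_QUOTES).'" style="font-style: italic; font-family: monospace; background-color: yellow;">waiting...</td>';
		echo '</tr>';
	}
	echo '</table>';
	foreach ($DomainsToLookup as $domain => $hitcount) {
		// NOTE(review): $domain is read from the domains_recent table and written into
		// JavaScript string literals and innerHTML below without any escaping. Whether
		// it is validated when stored is not visible here; if the table is filled from
		// message content, treat it as untrusted and either validate it as a hostname
		// before use or escape it for both the HTML and the JavaScript context.
		echo '<script>if (document.getElementById("currentlookupstatus")) document.getElementById("currentlookupstatus").innerHTML = "Looking up: <b>'.$domain.'</b>";</script>';
		flush();
		if ($DomainIPs = SafeGetHostByNameL($domain)) {
			$thisDomainIPs = '';
			foreach ($DomainIPs as $ip) {
				@$_SESSION['domain_lookup_success'][$domain][] = $ip;
				// quotes are backslash-escaped because this markup ends up inside a
				// double-quoted JavaScript string
				$thisDomainIPs .= '<div align=\"right\"';
				if (IPisBanned($ip)) {
					$thisDomainIPs .= ' style=\"background-color: #'.PHPOP3CLEAN_COL_BLIST.';\"';
				} elseif (IPisWhitelisted($ip)) {
					$thisDomainIPs .= ' style=\"background-color: #'.PHPOP3CLEAN_COL_WLIST.';\"';
				}
				$thisDomainIPs .= '><tt>'.PadIPtext($ip, true).'</tt></div>';
			}
			echo '<script>if (document.getElementById("IPs_'.$domain.'")) document.getElementById("IPs_'.$domain.'").innerHTML = "'.PadIPtext($thisDomainIPs, true).'";</script>';
		} else {
			$_SESSION['domain_lookup_failed'][$domain] = true;
			echo '<script>if (document.getElementById("IPs_'.$domain.'")) document.getElementById("IPs_'.$domain.'").innerHTML = "<div style=\"background-color: orange;\">FAILED LOOKUP</div>";</script>';
		}
		echo '<script>if (document.getElementById("IPs_'.$domain.'")) document.getElementById("IPs_'.$domain.'").style.backgroundColor = "white";</script>';
		flush();
	}
	echo '<script>if (document.getElementById("currentlookupstatus")) document.getElementById("currentlookupstatus").innerHTML = "";</script>';

} elseif (@$_REQUEST['emailwhitelistadmin']) {

	// Email whitelist administration: forms ('add', 'edit') and their handlers
	// ('insert', 'update'). The 'update' case continues past the end of this listing.
	echo '<h3>Whitelist admin - Email</h3>';
	switch (@$_REQUEST['action']) {
		case 'add':
			// PHP_SELF can carry request-supplied path info, so escape it for the attribute
			echo '<form action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'" method="post">';
			echo '<i>entered value is matched against end of incoming email addresses, you can put "@example.com" to wildcard-match all addresses at any domain</i><br>';
			echo 'emails (one per line):<br><textarea name="email" rows="8" cols="40">'.htmlentities(@$_REQUEST['email'], ENT_QUOTES).'</textarea><br>';
			if (IsAdminUser()) {
				echo 'account: <input type="text" name="account" value="'.htmlentities(@$_REQUEST['account'], ENT_QUOTES).'"> (optional)<br>';
			}
			echo '<input type="hidden" name="emailwhitelistadmin" value="1">';
			echo '<input type="hidden" name="action" value="insert">';
			echo '<input type="submit" value="Insert">';
			echo '</form>';
			break;

		case 'edit':
			echo '<form action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'" method="post">';
			echo '<i>entered value is matched against end of incoming email addresses, you can put "@example.com" to wildcard-match all addresses at any domain</i><br>';
			echo 'email: <input type="text" name="email" value="'.htmlentities(@$_REQUEST['email'], ENT_QUOTES).'"><br>';
			if (IsAdminUser()) {
				echo 'account: <input type="text" name="account" value="'.htmlentities(@$_REQUEST['account'], ENT_QUOTES).'"> (optional)<br>';
			}
			echo '<input type="hidden" name="oldemail" value="'.htmlentities(@$_REQUEST['email'], ENT_QUOTES).'">';
			echo '<input type="hidden" name="emailwhitelistadmin" value="1">';
			echo '<input type="hidden" name="action" value="update">';
			echo '<input type="submit" value="Update">';
			echo '</form>';
			break;

		case 'insert':
			// One whitelist row per submitted line; each address goes through
			// SanitizeEmailAddress() first. Admins may choose the account, everyone
			// else is tied to the value of the phPOP3cleanUSER cookie.
			$insert_emails = explode("\n", $_REQUEST['email']);
			foreach ($insert_emails as $dirty_email) {
				$clean_email = SanitizeEmailAddress($dirty_email);
				$SQLquery  = 'INSERT IGNORE INTO `'.PHPOP3CLEAN_TABLE_PREFIX.'whitelist_email` (`email`, `account`, `added`) VALUES (';
				$SQLquery .= '"'.mysql_escape_string($clean_email).'", ';
				$SQLquery .= '"'.mysql_escape_string(IsAdminUser() ? $_POST['account'] : $_COOKIE['phPOP3cleanUSER']).'", ';
				$SQLquery .= '"'.mysql_escape_string(time()).'")';
				mysql_query_safe($SQLquery);
				unset($dirty_email, $clean_email, $SQLquery);
			}
			echo 'Inserted '.count($insert_emails).' emails.<br><br>';
			echo '<a href="'.htmlspecialchars(linkencode($_SERVER['PHP_SELF'].'?emailwhitelistadmin='.__LINE__), ENT_QUOTES).'">continue</a><br>';
			echo '<script>location = "'.$_SERVER['PHP_SELF'].'?emailwhitelistadmin='.__LINE__.'&orderby='.urlencode(@$_REQUEST['orderby']).'";</script>';
			exit;
			break;

		case 'update':
			// NOTE(review): unlike 'insert', the new address is written with SQL escaping
			// only and is not passed through SanitizeEmailAddress().
			$SQLquery  = 'UPDATE `'.PHPOP3CLEAN_TABLE_PREFIX.'whitelist_email` SET ';
			$SQLquery .= '`email` = "'.mysql_escape_string($_POST['email']).'"';
			if (IsAdminUser()) {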
