
File: lib/wisard.inc.php

File: lib/wisard.inc.php
Role: Class source
Content type: text/plain
Description: Class source
Class: PHP Security Scanner
Stop security attacks blocking malicious values
Author: By
Last change:
Date: 2013-04-04 03:56
Size: 23,100 bytes
 

<?
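/**
*Class Wisard - P.W.S.M.
*Installer functions
*Author Roman Shneer romanshneer@gmail.com
*1.02.2012
*Any changes are at your own risk and criminal responsibility
*NOTE(review): the class body is passed to eval(base64_decode(...)); in this listing the argument appears already decoded. Review the decoded body, because the wrapper hides it from static analysis.
*/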
eval(base64_decode('Class Wisard{
var $step=0;
var $tables;
    /**
     * PHP 4-style constructor (a method named after the class).
     *
     * Fills $this->tables with the CREATE TABLE statements the installer runs,
     * keyed first by database type ('mysql' or 'postgresql') and then by table name.
     * PHP 8 no longer treats a method named after the class as a constructor,
     * so there $this->tables stays unset unless this method is called explicitly.
     */
    function Wisard()
    {

    // MySQL schema. pwsm_users.pass is varchar(32): exactly the length of the hex md5
    // digest that window_create_user() stores, and too short for a salted password hash.
    $this->tables['mysql']=Array('pwsm_objects'=>"CREATE TABLE `pwsm_objects` (
  `id` bigint(20) NOT NULL auto_increment,
  `object_source` varchar(1024) collate utf8_bin NOT NULL,
  `object_url` varchar(355) collate utf8_bin NOT NULL,
  `monitor_status` tinyint(4) NOT NULL default '0',
  `created` bigint(9) default NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=14 DEFAULT CHARSET=utf8 COLLATE=utf8_bin AUTO_INCREMENT=1 ;",
'pwsm_requests'=>"CREATE TABLE `pwsm_requests` (
  `id` bigint(20) NOT NULL auto_increment,
  `url` varchar(1024) collate utf8_bin NOT NULL,
  `method` varchar(4) collate utf8_bin NOT NULL,
  `query_string` varchar(500) collate utf8_bin NOT NULL,
  `reason` varchar(512) collate utf8_bin NOT NULL,
  `status` tinyint(4) NOT NULL,
  `object_id` bigint(20) NOT NULL,
  `template_id` bigint(20) NOT NULL,
  `remote_addr` varchar(50) collate utf8_bin NOT NULL,
  `created` bigint(20) NOT NULL,
  PRIMARY KEY  (`id`),
  KEY `folder_id` (`object_id`)
) ENGINE=MyISAM AUTO_INCREMENT=7643 DEFAULT CHARSET=utf8 COLLATE=utf8_bin AUTO_INCREMENT=1 ;",
'pwsm_templates'=>"CREATE TABLE `pwsm_templates` (
  `id` mediumint(9) NOT NULL auto_increment,
  `name` varchar(255) collate utf8_bin NOT NULL,
  `description` text collate utf8_bin NOT NULL,
  `protocol` varchar(32) collate utf8_bin NOT NULL,
  `code` text collate utf8_bin NOT NULL,
  `status` tinyint(4) NOT NULL default '0',
  `reg_date` bigint(20) NOT NULL,
  `start_date` bigint(20) NOT NULL,
  `author` varchar(255) collate utf8_bin NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=13 DEFAULT CHARSET=utf8 COLLATE=utf8_bin AUTO_INCREMENT=1 ;",
'pwsm_templates_objects'=>"CREATE TABLE `pwsm_templates_objects` (
  `id` bigint(20) NOT NULL auto_increment,
  `template_id` bigint(20) NOT NULL,
  `object_id` bigint(20) NOT NULL,
  PRIMARY KEY  (`id`),
  KEY `template_id` (`template_id`,`object_id`)
) ENGINE=MyISAM AUTO_INCREMENT=220 DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;",
'pwsm_users'=>"CREATE TABLE `pwsm_users` (
  `id` mediumint(9) NOT NULL auto_increment,
  `name` varchar(50) collate utf8_bin NOT NULL,
  `pass` varchar(32) collate utf8_bin default NULL,
  `email` varchar(512) collate utf8_bin NOT NULL,
  `created` bigint(20) NOT NULL,
  `chg_pass_time` bigint(20) NOT NULL,
  
  
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=utf8 COLLATE=utf8_bin AUTO_INCREMENT=1;"
);
	// PostgreSQL schema with the same five table names. The 'pwsm_templates_objects'
	// entry also carries the two CREATE INDEX statements for pwsm_requests, so it is
	// a multi-statement string.
	$this->tables['postgresql']=Array(
'pwsm_objects'=>'CREATE TABLE pwsm_objects
(
  id serial NOT NULL,
  object_source character varying(1024),
  object_url character varying(355),
  monitor_status smallint NOT NULL DEFAULT 0,
  created bigint,
  CONSTRAINT pwsm_objects_id_idx PRIMARY KEY (id)
)
WITH (OIDS=FALSE);',
'pwsm_requests'=>'CREATE TABLE pwsm_requests
(
  id bigserial NOT NULL,
  url character varying(1024),
  method character varying(4),
  query_string character varying(500),
  reason character varying(512),
  status smallint NOT NULL DEFAULT 0,
  object_id bigint,
  template_id bigint,
  remote_addr character varying(50),
  created bigint,
  CONSTRAINT pwsm_requests_id_idx PRIMARY KEY (id)
)
WITH (OIDS=FALSE);',
  'pwsm_templates'=>'CREATE TABLE pwsm_templates
(
  id serial NOT NULL,
  "name" character varying(255),
  protocol character varying(5),
  code text,
  status smallint DEFAULT 0,
  reg_date bigint,
  start_date bigint,
  author character varying(50),
  description text,
  CONSTRAINT pwsm_templates_id_idx PRIMARY KEY (id)
)
WITH (OIDS=FALSE);',
'pwsm_templates_objects'=>'CREATE TABLE pwsm_templates_objects
(
  id bigserial NOT NULL,
  object_id bigint,
  template_id bigint,
  CONSTRAINT pwsm_templates_objects_id_idx PRIMARY KEY (id)
)
WITH (OIDS=FALSE);
--DROP INDEX pwsm_requests_object_id_idx;

CREATE INDEX pwsm_requests_object_id_idx
  ON pwsm_requests
  USING btree
  (object_id);
 CREATE INDEX pwsm_requests_template_id_idx
  ON pwsm_requests
  USING btree
  (template_id); 
  ',
  'pwsm_users'=>'CREATE TABLE pwsm_users
(
  id serial NOT NULL,
  "name" character varying(50),
  pass character varying(32),
  "email" character varying(512),
  created bigint,
  chg_pass_time bigint,
  CONSTRAINT pwsm_users_id_idx PRIMARY KEY (id)
)
WITH (OIDS=FALSE);'
);
    }
    /**
     * Move the installer on to the following step.
     *
     * The counter is kept in $_SESSION['install']['step'] and is created
     * with the value 0 before the increment when it does not exist yet.
     */
    function nextstep()
    {
        if (!isset($_SESSION['install']['step'])) {
            $_SESSION['install']['step'] = 0;
        }

        $_SESSION['install']['step']++;
    }
    /**
     * Report the current installer step.
     *
     * @return mixed the value stored in $_SESSION['install']['step'], or 0 when
     *               the installer session is missing or the stored value is falsy
     */
    function step()
    {
        if (!isset($_SESSION['install'])) {
            return 0;
        }

        $current = $_SESSION['install']['step'];
        if ($current) {
            return $current;
        }

        return 0;
    }
    /**
     * Force the installer to a specific step.
     *
     * @param mixed $step value written unchanged to $_SESSION['install']['step']
     */
    function stepis($step)
    {
        // No validation happens here: whatever the caller passes becomes the step.
        $_SESSION['install']['step'] = $step;
    }
    ### wellcome message and start installation ###
    /**
     * First installer screen.
     *
     * When the form was submitted with op=start the step counter is advanced and
     * nothing is returned; otherwise the welcome message with the start button
     * is returned as HTML.
     *
     * @return string|null
     */
    function window_wellcome()
    {
        $start_requested = isset($_POST['op']) && ($_POST['op'] == 'start');
        if (!$start_requested) {
            return '<div class="message"><b>PWSM stell not installed, are you ready to start installation?</b>

     <center><form action="" method="POST"><input type="submit" name="op" value="start" class="start_btn"></form></center></div>';
        }

        $this->nextstep();
        return;
    }
    #### form for get DB connect information from user and call create config file ###
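	/**
	 * Render the database-settings form and, when it was submitted, try to
	 * write conf/config.php from the posted values.
	 *
	 * On success the step counter is advanced and a confirmation message is
	 * returned. On failure the error block is shown above the form again.
	 * Values echoed back into the form are HTML-escaped, because they come
	 * straight from the request and are placed inside single-quoted attributes.
	 *
	 * @return string HTML fragment
	 */
	function window_create_config_file()
	{
		$html="";
		if(isset($_POST['dbtype'])&&count($_POST))
		{
			if($this->create_configfile($_POST))
			{
				$this->nextstep();
				return "<div class='message'>conf/config.php file created</div>";
			}
			// NOTE(review): the hint below suggests 'chmod 777 conf', which leaves the
			// directory holding the database credentials world-writable. Prefer giving
			// ownership to the web server user only and tightening it after install.
			$html.="<div class='error'>Imporstable creete conf/config.php file - please recheck permissions</div>
			    <p><b>Recommendation try ssh command '<code>chown apache conf</code>' or '<code>chmod 777 conf</code>' in webproject folder,or tolk with your webhost administrator   </b></p>";
		}

		// Only strings are redisplayed; array-valued parameters fall back to the defaults.
		$dbtype=(isset($_POST['dbtype'])&&is_string($_POST['dbtype']))?$_POST['dbtype']:'';
		$host=(isset($_POST['host'])&&is_string($_POST['host']))?$_POST['host']:'localhost';
		$dbname=(isset($_POST['dbname'])&&is_string($_POST['dbname']))?$_POST['dbname']:'pwsm';
		$user=(isset($_POST['user'])&&is_string($_POST['user']))?$_POST['user']:'root';

		// ENT_QUOTES is required: the attributes below are delimited with single quotes.
		$host=htmlspecialchars($host,ENT_QUOTES,'UTF-8');
		$dbname=htmlspecialchars($dbname,ENT_QUOTES,'UTF-8');
		$user=htmlspecialchars($user,ENT_QUOTES,'UTF-8');

		$html.="

       <form action='' method='POST'>
       <div class='message'>For installation process of PWSM (PHP Web Security Monitor) need choise database (MYSQL or PostgreSQL), wanted or exists database and database connection details</div>
       <table style='margin-top:20px;'>
       <tr><td>Type of DB:</td><td><select name='dbtype'>
       			  <option value='mysql'".(($dbtype=='mysql')?" selected":"").">mysql
       			  <option value='postgresql'".(($dbtype=='postgresql')?" selected":"").">postgresql
       			  </select></td></tr>
       <tr><td>DB host:</td><td><input type='text' name='host' value='".$host."'></td></tr>
       <tr><td>DB name:</td><td><input type='text' name='dbname' value='".$dbname."'></td></tr>
       <tr><td>DB user:</td><td><input type='text' name='user' value='".$user."'></td></tr>
       <tr><td>DB Password:</td><td><input type='password' name='pass'></td></tr>
       <tr><td colspan=2><input type='submit' value='create' class='start_btn'></td></tr>
       </table>
       ";
		return $html;
	}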
	### test connection to specified db server ###
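	/**
	 * Test whether the database server accepts the supplied credentials.
	 *
	 * For PostgreSQL the connection goes to the template1 database on port 5432.
	 * Each connection-string value is single-quoted with ' and \ escaped, so a
	 * value containing spaces or quotes stays one value and cannot add or
	 * override other connection parameters.
	 *
	 * @param array $post form values: dbtype, host, user, pass
	 * @return mixed mysql_stat() result for MySQL, the pg_connect() result for
	 *               PostgreSQL, null for any other dbtype
	 */
	function chk_db_connect($post)
	{
		if($post['dbtype']=='mysql')
		{
			$conn=@mysql_connect($post['host'],$post['user'],$post['pass']);
			return @mysql_stat($conn);
		}
		elseif($post['dbtype']=='postgresql')
		{
			$dbstring="host='".addcslashes($post['host'],"'\\")."'"
				." port=5432 dbname=template1"
				." user='".addcslashes($post['user'],"'\\")."'"
				." password='".addcslashes($post['pass'],"'\\")."'";

			return pg_connect($dbstring);
		}
	}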
	### test connection to specified database resource###
	/**
	 * Check that the named database can be selected.
	 *
	 * @param array $post form values: dbtype, dbname
	 * @return mixed mysql_select_db() result for MySQL; nothing (null) otherwise
	 */
	function chk_if_db_exists($post)
	{
		if($post['dbtype']!='mysql')
		{
			// NOTE(review): the status is neither given a connection nor returned, so
			// every non-MySQL dbtype yields null here. Confirm what callers expect.
			pg_connection_status();
			return;
		}

		return mysql_select_db($post['dbname']);
	}
	### checking if config file exists ###
	/**
	 * Tell whether the installer's config file is already present.
	 *
	 * The path is relative to the current working directory.
	 *
	 * @return bool
	 */
	function chk_configfile()
	{
		$config_file="../conf/config.php";

		return file_exists($config_file);
	}
	### creation config file via data gived by user ###
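	/**
	 * Write ../conf/config.php from the database settings supplied by the user.
	 *
	 * The values are request data, so each one is emitted with var_export(),
	 * which produces a correctly escaped PHP string literal; a quote or
	 * backslash in a value can no longer end the literal and add code to the
	 * generated file. The file opens with the full "<?php" tag so it is still
	 * executed, and not served as text with the credentials in it, when
	 * short_open_tag is disabled.
	 *
	 * The settings are also kept in $_SESSION['post'] for the later steps.
	 *
	 * @param array $post form values: host, dbname, user, pass, dbtype
	 * @return bool true when the file exists after writing; false when the
	 *              directory is not writable, a value is not scalar, or the
	 *              file cannot be opened
	 */
	function create_configfile($post)
	{
		$_SESSION['post']=$post;
		$config_file="../conf/config.php";
		$config_file_dir=dirname($config_file)."/";
		if(!is_writable($config_file_dir))
		{
			return false;
		}

		// form field => variable name in the generated config file
		$fields=array('host'=>'db_host','dbname'=>'db_name','user'=>'db_user','pass'=>'db_pass','dbtype'=>'db_type');
		$code="<?php\n\n";
		foreach($fields as $field=>$variable)
		{
			$value=isset($post[$field])?$post[$field]:'';
			if(!is_scalar($value))
			{
				// array-valued request parameters are not valid settings
				return false;
			}
			$code.="$".$variable."=".var_export((string)$value,true).";\n";
		}

		$f=fopen($config_file,"w");
		if($f===false)
		{
			return false;
		}
		fwrite($f,$code);
		fclose($f);
		return file_exists($config_file);
	}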
	### delete config file ###
	/**
	 * Remove ../conf/config.php if it is there.
	 *
	 * Errors from unlink() are suppressed, so a missing or undeletable file
	 * is not reported to the caller.
	 */
	function delete_config_file()
	{
		$config_file="../conf/config.php";
		@unlink($config_file);
	}
	### check & connect to specified database resourse ###
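	/**
	 * Connect with the credentials kept in $_SESSION['post'] and try to reach
	 * the named database.
	 *
	 * In the PostgreSQL connection string every value is single-quoted with
	 * ' and \ escaped, so a value with spaces or quotes cannot add or override
	 * other connection parameters.
	 *
	 * @param string $dbname database to test
	 * @return mixed mysql_select_db() result for MySQL; otherwise the
	 *               pg_connect() result (false on failure, errors suppressed)
	 */
	function db_exists($dbname)
	{
		if($_SESSION['post']['dbtype']=='mysql')
		{
			$conn=mysql_connect($_SESSION['post']['host'],$_SESSION['post']['user'],$_SESSION['post']['pass']);
			return mysql_select_db($dbname,$conn);
		}

		// any dbtype other than 'mysql' is handled as PostgreSQL here
		$dbstring="host='".addcslashes($_SESSION['post']['host'],"'\\")."'"
			." port=5432"
			." dbname='".addcslashes($dbname,"'\\")."'"
			." user='".addcslashes($_SESSION['post']['user'],"'\\")."'"
			." password='".addcslashes($_SESSION['post']['pass'],"'\\")."'";
		$conn=@pg_connect($dbstring);
		return $conn;
	}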
	### creating new database ###
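	/**
	 * Create the database and advance the installer step.
	 *
	 * The name is placed into the statement as a bare identifier. Q() only
	 * escapes string-literal characters, which does not make an identifier
	 * safe, so the name is restricted to letters, digits, underscore and $
	 * before it is used. The name is HTML-escaped in the returned message.
	 * The step counter is advanced first in every case.
	 *
	 * @param string $dbname database to create
	 * @return string HTML message
	 */
	function create_new_db($dbname)
	{
		$this->nextstep();

		if(!is_string($dbname)||!preg_match('/^[A-Za-z0-9_$]+$/D',$dbname))
		{
			$shown=is_string($dbname)?htmlspecialchars($dbname,ENT_QUOTES,'UTF-8'):'';
			return "<div class='message error'>Database name <b>".$shown."</b> is not valid</div>";
		}
		$shown=htmlspecialchars($dbname,ENT_QUOTES,'UTF-8');

		$sql="CREATE DATABASE ".$this->Q($dbname,1);
		$conn=$this->dbconnect_root();
		$res=$this->QUERY($sql,$conn);
		if(!$res)
		{
			return "<div class='message error'>Database <b>".$shown."</b> was not created</div>";
		}
		return "<div class='message'>Database <b>".$shown."</b> created</div>";
	}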
	### drop new database ###
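	/**
	 * Drop the named database.
	 *
	 * The name is used as a bare identifier, which Q() does not make safe, so
	 * anything other than letters, digits, underscore and $ is refused before
	 * a statement is built.
	 *
	 * @param string $dbname database to drop
	 * @return mixed result of QUERY(), or false when the name is refused
	 */
	function drop_db($dbname)
	{
		if(!is_string($dbname)||!preg_match('/^[A-Za-z0-9_$]+$/D',$dbname))
		{
			return false;
		}

		$rez=$this->QUERY("DROP DATABASE ".$this->Q($dbname,1),$this->dbconnect_root());
		return $rez;
	}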
	### db connection to main db ###
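	/**
	 * Open the administrative connection used to create and drop databases.
	 *
	 * MySQL: connects and selects $_SESSION['post']['dbname'].
	 * PostgreSQL: connects to template1 on port 5432. Connection-string values
	 * are single-quoted with ' and \ escaped, so they cannot add or override
	 * other connection parameters.
	 *
	 * @return mixed connection, or false when the dbtype is neither
	 *               'mysql' nor 'postgresql' or the connect call fails
	 */
	function dbconnect_root()
	{
		// defined up front so an unknown dbtype returns false, not an undefined variable
		$conn=false;
		if($_SESSION['post']['dbtype']=='mysql')
		{
			$conn=mysql_connect($_SESSION['post']['host'],$_SESSION['post']['user'],$_SESSION['post']['pass']);
			mysql_select_db($_SESSION['post']['dbname'],$conn);
		}
		elseif($_SESSION['post']['dbtype']=='postgresql')
		{
			$dbstring="host='".addcslashes($_SESSION['post']['host'],"'\\")."'"
				." port=5432 dbname=template1"
				." user='".addcslashes($_SESSION['post']['user'],"'\\")."'"
				." password='".addcslashes($_SESSION['post']['pass'],"'\\")."'";

			$conn=pg_connect($dbstring);
		}
		return $conn;
	}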
	### db connection to specified db ###
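	/**
	 * Connect to the database named in $_SESSION['post'] and remember the
	 * database type in $this->dbtype.
	 *
	 * PostgreSQL connection-string values are single-quoted with ' and \
	 * escaped, so they cannot add or override other connection parameters.
	 *
	 * @return mixed connection, or false when the dbtype is neither
	 *               'mysql' nor 'postgresql' or the connect call fails
	 */
	function dbconnect()
	{
		// defined up front so an unknown dbtype returns false, not an undefined variable
		$conn=false;
		if($_SESSION['post']['dbtype']=='mysql')
		{
			$conn=mysql_connect($_SESSION['post']['host'],$_SESSION['post']['user'],$_SESSION['post']['pass']);
			mysql_select_db($_SESSION['post']['dbname'],$conn);
			$this->dbtype=$_SESSION['post']['dbtype'];
		}
		elseif($_SESSION['post']['dbtype']=='postgresql')
		{
			$dbstring="host='".addcslashes($_SESSION['post']['host'],"'\\")."'"
				." port=5432"
				." dbname='".addcslashes($_SESSION['post']['dbname'],"'\\")."'"
				." user='".addcslashes($_SESSION['post']['user'],"'\\")."'"
				." password='".addcslashes($_SESSION['post']['pass'],"'\\")."'";
			$conn=pg_connect($dbstring);
			$this->dbtype=$_SESSION['post']['dbtype'];
		}
		return $conn;
	}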
	### db func 4 query ###
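	/**
	 * Run one SQL statement on the given connection.
	 *
	 * The PostgreSQL branch used to be "return pg_query(...) or print ...".
	 * That returns the boolean result of the "or" expression, never the query
	 * result, so callers that fetch rows or count them received true. It also
	 * printed the raw statement and driver error into the page. The result is
	 * now returned as-is and a failure goes to the error log without the
	 * statement, which can contain password hashes.
	 *
	 * @param string $sql  statement to execute
	 * @param mixed  $conn connection from dbconnect() or dbconnect_root()
	 * @return mixed driver result, false on failure, null for an unknown dbtype
	 */
	function QUERY($sql,$conn)
	{
		if($_SESSION['post']['dbtype']=='mysql')
		{
			return mysql_query($sql,$conn);
		}
		elseif($_SESSION['post']['dbtype']=='postgresql')
		{
			$result=pg_query($conn,$sql);
			if($result===false)
			{
				error_log("PWSM installer: PostgreSQL query failed: ".pg_last_error());
			}
			return $result;
		}
	}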
	### db func return one element of result - array ###
	/**
	 * Run a statement and return its first row as an associative array.
	 *
	 * The branch is chosen from $this->dbtype, which dbconnect() sets, and not
	 * from the session value that QUERY() looks at.
	 *
	 * @param string $sql  statement to execute
	 * @param mixed  $conn connection to run it on
	 * @return mixed row array, or the failed result itself for PostgreSQL
	 */
	function ROW_Q($sql,$conn)
	{
		$result=$this->QUERY($sql,$conn);

		switch($this->dbtype)
		{
			case 'mysql':
				return mysql_fetch_assoc($result);
			case 'postgresql':
				if(!$result)
				{
					return $result;
				}
				return pg_fetch_assoc($result);
		}
	}
	### db func for num_rows ###
	/**
	 * Pass $res to the driver's affected-rows function for the session's dbtype.
	 *
	 * NOTE(review): mysql_affected_rows() expects a link identifier, while
	 * chk_table_exists() passes a query result. That looks like it always fails
	 * for MySQL, and chk_tables_exists() may depend on that. Confirm before
	 * changing it.
	 *
	 * @param mixed $res value handed to the driver function
	 * @return mixed driver return value, null for an unknown dbtype
	 */
	function affected_rows($res)
	{
		$dbtype=$_SESSION['post']['dbtype'];
		if($dbtype=='mysql')
		{
			return mysql_affected_rows($res);
		}
		if($_SESSION['post']['dbtype']=='postgresql')
		{
			return pg_affected_rows($res);
		}
	}
    ### check if specified table exists ###
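	/**
	 * Probe for a table.
	 *
	 * MySQL: selects from the table. PostgreSQL: looks the name up in pg_tables
	 * for the public schema. The PostgreSQL lookup puts the name inside a string
	 * literal, so it now goes through Q() as the MySQL branch already did.
	 *
	 * @param string $table table name
	 * @param mixed  $conn  connection from dbconnect()
	 * @return mixed value of affected_rows() for the probe, warnings suppressed
	 */
	function chk_table_exists($table,$conn)
	{
		// defined up front so an unknown dbtype does not pass an undefined variable on
		$rez=false;
		if($_SESSION['post']['dbtype']=='mysql')
			$rez=$this->QUERY("SELECT 1 FROM ".$this->Q($table,1)."",$conn);
		elseif($_SESSION['post']['dbtype']=='postgresql')
			$rez=$this->QUERY("select * from pg_tables where schemaname='public' and tablename='".$this->Q($table,1)."';",$conn);
		return @$this->affected_rows($rez);
	}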
	### check if tables exists and create if not ###
	/**
	 * Walk the schema for the session's database type, run the CREATE statement
	 * for every table the probe reports as missing, and advance the step.
	 *
	 * A table is reported as "already exists" both when the probe found it and
	 * when the CREATE statement failed, so that message does not prove the
	 * table is present.
	 *
	 * @return string HTML with one message per table
	 */
	function chk_tables_exists()
	{
		$conn=$this->dbconnect();
		$html='';
		// NOTE(review): an unexpected dbtype has no entry in $this->tables - confirm callers validate it
		$schema=$this->tables[trim($_SESSION['post']['dbtype'])];
		foreach($schema as $table=>$value)
		{
			$found=$this->chk_table_exists($table,$conn);
			// the CREATE statement is attempted only when the probe found nothing
			$created=!$found&&($this->QUERY($value,$conn));
			if($created)
			{
				$html.='<div class="message">Table '.$table.' created'."</div>";
				continue;
			}
			$html.='<div class="message error">Table '.$table.' already exists'."</div>";
		}
		$this->nextstep();
		return $html;
	}
	#### db func security for escape string ###
	/**
	 * Escape a value for use inside a quoted SQL string literal.
	 *
	 * Without $str anything that is not a PHP integer is replaced by -1 first.
	 * The result is only safe between quotes; it does not protect a value used
	 * as a bare identifier such as a table or database name.
	 *
	 * NOTE(review): mysql_escape_string() ignores the connection character set.
	 *
	 * @param mixed $value value to escape
	 * @param mixed $str   truthy to treat $value as a string
	 * @return mixed escaped value, null for an unknown dbtype
	 */
	function Q($value,$str=false)
	{
		$numbers_only=($str==false);
		if($numbers_only&&!is_integer($value))
		{
			$value=-1;
		}

		if($_SESSION['post']['dbtype']=='mysql')
		{
			return mysql_escape_string($value);
		}
		if($_SESSION['post']['dbtype']=='postgresql')
		{
			return pg_escape_string($value);
		}
	}
	### form 4 creating new db ###
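	/**
	 * Ask whether an existing database should be dropped and recreated or kept.
	 *
	 * With op=delete the database is dropped and created again; any other op
	 * value keeps it. The step counter is advanced as soon as op is present.
	 * The database name is HTML-escaped wherever it is echoed, since it
	 * originates from the installer form.
	 *
	 * NOTE(review): create_new_db() advances the step as well, so the delete
	 * path moves two steps - confirm that is intended.
	 *
	 * @param string $dbname database the question is about
	 * @return string HTML or status text
	 */
	function window_create_new_db($dbname)
	{
		$shown=htmlspecialchars(is_string($dbname)?$dbname:'',ENT_QUOTES,'UTF-8');

		if(isset($_POST['op']))
		{
			$this->nextstep();
			if($_POST['op']=='delete')
			{
				$this->drop_db($dbname);
				$this->create_new_db($dbname);

				return $shown." Deleted and created new";
			}
			return " using exists db ".$shown;
		}
		$html="Are you want delete old Database ".$shown." or Repair old?<br>
	<form action='' method='post'><input type='submit' name='op' value='delete'><input type='submit' name='op' value='use old'></form>";
		return $html;
	}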
    ### window for check & registering new user
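	/**
	 * Installer step that either logs in a user left over from an earlier
	 * installation or registers the first administrator.
	 *
	 * Changes against the original: submitted values must be strings, the
	 * password confirmation is compared strictly ("1e3" and "1000" no longer
	 * count as equal), missing fields no longer raise notices, and name and
	 * email are HTML-escaped when echoed back into the forms.
	 *
	 * NOTE(review): passwords are stored as unsalted md5, and the 32-character
	 * pass column cannot hold a password_hash() value. Changing this needs a
	 * schema change and a matching change wherever the hash is verified.
	 * NOTE(review): registration hashes the escaped password (md5(Q(...)))
	 * while login hashes the raw one, so a password containing a quote or
	 * backslash registered here cannot log in here. Left unchanged because the
	 * verification code of the main application is not visible from this file.
	 * NOTE(review): the registration form is offered even when users already
	 * exist - confirm the installer cannot be reached after installation.
	 *
	 * @return string HTML fragment
	 */
	function window_create_user()
	{
		$html='';
		$conn=$this->dbconnect();

		// Only string parameters are accepted; arrays would reach md5() and the escaping helper.
		$action=(isset($_POST['start_btn'])&&is_string($_POST['start_btn']))?$_POST['start_btn']:'';
		$name=(isset($_POST['name'])&&is_string($_POST['name']))?$_POST['name']:null;
		$email=(isset($_POST['email'])&&is_string($_POST['email']))?$_POST['email']:'';
		$password=(isset($_POST['password'])&&is_string($_POST['password']))?$_POST['password']:null;
		$password1=(isset($_POST['password1'])&&is_string($_POST['password1']))?$_POST['password1']:'';

		if(($name!==null)&&($password!==null))
		{
			if($action=='login')
			{
				$olduser=$this->ROW_Q("SELECT * FROM pwsm_users WHERE (name='".$this->Q($name,1)."' OR email='".$this->Q($name,1)."') and pass='".md5($password)."'",$conn);
				if(!$olduser)
				{
					$html.="<div class='message error'>Login incorrect, you can register new user and edit later your old one</div>";
				}
				else
				{
					$this->nextstep();
					return "<div class='message'>User Logined</div>";
				}
			}
			elseif($action=='save')
			{
				$someuser=$this->ROW_Q("SELECT count(*) as num FROM pwsm_users WHERE name='".$this->Q($name,1)."' OR email='".$this->Q($email,1)."'",$conn);
				if($someuser['num']>0)
				{
					$html.="<div class='message error'>The user with some name or email already exists, please type different one.</div>";
				}
				elseif(strlen(trim($password))&&($password===$password1))
				{
					$this->QUERY("INSERT INTO pwsm_users (name,email, pass,created) VALUES ('".$this->Q($name,1)."','".$this->Q($email,1)."','".md5($this->Q($password,1))."',".time().")",$conn);
					$this->nextstep();
					return "<div class='message'>User registered</div>";
				}
				elseif($password!==$password1)
				{
					$html.="<div class='message error'>Please password and retype again the some password.</div>";
				}
			}
		}

		// The login form is shown only when a user with a name and a password exists.
		$countuser=$this->ROW_Q("SELECT count(id) as num FROM pwsm_users where length(name)>0 and length(pass)>0",$conn);

		// Values are echoed only into the form that was submitted, escaped for a single-quoted attribute.
		$login_name=(($action=='login')&&($name!==null))?htmlspecialchars($name,ENT_QUOTES,'UTF-8'):'';
		$save_name=(($action=='save')&&($name!==null))?htmlspecialchars($name,ENT_QUOTES,'UTF-8'):'';
		$save_email=($action=='save')?htmlspecialchars($email,ENT_QUOTES,'UTF-8'):'';

		if($countuser['num']>0)
		{
			$html.="<form method='post'><TABLE>
		<caption><b>Try login for old installation user</b></caption>
		<tr><td>Name or email</td><td><input type='text' name='name' value='".$login_name."'></td></tr>
		<tr><td>Password</td><td><input type='password' name='password' value=''></td></tr>
		<tr><td colspan=2><input type='submit' value='login' name='start_btn' class='start_btn'></td></tr>
		</TABLE><p>&nbsp;</p></form>";
		}
		$html.="<form method='post'><table>
		<caption><b><font color='red'>OR</font> Register first administrator user</b></caption>
		<tr><td>Name</td><td><input type='text' name='name' value='".$save_name."'></td></tr>
		<tr><td>Email</td><td><input type='text' name='email' value='".$save_email."'></td></tr>
		<tr><td>Password</td><td><input type='password' name='password' value=''></td></tr>
		<tr><td>Retype Password</td><td><input type='password' name='password1' value=''></td></tr>
		<tr><td colspan=2><input type='submit' value='save' name='start_btn' class='start_btn'></td></tr>
		</table>
		</form>
		";
		return $html;
	}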
	### redirect after finalization ###
	/**
	 * Send the browser away from the installer once it has finished.
	 *
	 * The target is the current request URI with its last 8 characters removed.
	 * It is therefore derived from request data, and the script keeps running
	 * after the header is queued because nothing here ends execution.
	 */
	function finall_installation()
	{
		$uri=$_SERVER['REQUEST_URI'];
		$target=substr($uri,0,strlen($uri)-8);
		header("Location: ".$target);
	}
}'));
?>