<?php
//24122008
/******************************************
* AETL - Der Atrahor-Externe-Taubenleser  *
* Das Serverskript zum Clientprogramm     *
* von n2code (Takehon/Takeo/Knightnike)   *
* n2code@herr-der-mails.de                *
******************************************/

error_reporting (E_ALL);
if ((array_key_exists('op', $_GET) == true) AND ($_GET['op'] == "updatecheck")) die("AETL-UPDATECHECK|1.0.0.0|http://www.atrahor.de/get_aetl.php");
$result = "";

define("AETL_ARCHIVED_SUPPORT",true); //auf "true" setzten, wenn der Server das Archivieren von YOMs unterstützt
define("AETL_IP_SUPPORT",true); //auf "true" setzten, wenn der Server das Speichern der IPs in der DB unterstützt
define("AETL_ANSWERSTATE_SUPPORT",false); //auf "true" setzten, wenn der Server den Beantworten-Status (seen=2) unterstützt
define("AETL_SUPERUSERS_ONLY",false); //auf "true" setzten, wenn vorrübergehend nur Superuser den Taubenleser benutzen dürfen (Testphase etc.)

require_once('dbconnect.php');

/*
Fehlercodes erfinden macht Spaß!!! ;-)
Allgemeines: 100 bis 199
Spielintern: ab 200
*/

function aetl_fehler($fehlercode, $zusatz = "", $exit_skript = false){
$fehlercodes = array();
$fehlercodes[100] = "Server nicht erreichbar";
$fehlercodes[101] = "Zeitüberschreitung";
$fehlercodes[102] = "Datenbank nicht erreichbar";
$fehlercodes[103] = "Tabelle nicht gefunden";
$fehlercodes[104] = "SQL-Abfrage-Fehler";
$fehlercodes[105] = "Taubenleser-Dienst vorrübergehend außer Betrieb";
$fehlercodes[199] = "";
$fehlercodes[201] = "Logindaten ungültig";
$fehlercodes[202] = "Operation unbekannt";
$fehlercodes[203] = "Operation fehlgeschlagen";
$fehlercodes[204] = "Empfänger existiert nicht";
$fehlercodes[205] = "Kein Empfänger angegeben";
$fehlercodes[206] = "Logindaten unvollständig";
$fehlercodes[207] = "Zugriff verweigert";
$fehlercodes[208] = "Dieser Account ist einer Verbannung zum Opfer gefallen:";

$rueckgabe = "AETL-Error ".$fehlercode.": ".$fehlercodes[$fehlercode];
if (strlen($zusatz) > 0) $rueckgabe .= "\n".$zusatz;
if ($exit_skript == true) die(htmlentities($rueckgabe));

return $rueckgabe;
}

function aetl_info($infotext, $exit_skript = false){
$rueckgabe = "AETL-Info: ".$infotext;
if ($exit_skript == true) die(htmlentities($rueckgabe));
return $rueckgabe;
}

if ((array_key_exists('client', $_GET) == false) OR (empty($_GET['client']) == true)) die("Zugriff verweigert");
if ((array_key_exists('login', $_POST) == false) OR (array_key_exists('pwhash', $_POST) == false) OR (empty($_POST['login']) == true) OR (empty($_POST['login']) == true)) aetl_fehler(206,"",true);

$dbc = mysql_pconnect($DB_HOST, $DB_USER, $DB_PASS) or aetl_fehler(102,mysql_error($dbc),true);
@mysql_select_db ($DB_NAME) or aetl_fehler(103,mysql_error($dbc),true);

$superusercheck = ((AETL_SUPERUSERS_ONLY == true)?" AND superuser > 0":"");
$sql = "SELECT acctid, login, password, superuser, uniqueid, emailaddress, banoverride FROM accounts WHERE login = '".$_POST['login']."' AND password = '".$_POST['pwhash']."'".$superusercheck." AND locked = 0";
$request = mysql_query($sql, $dbc);

if (mysql_num_rows($request) > 0)
{
	$user = mysql_fetch_array($request);
	$sql = "";

	{ //Pseudo-checkban()
		if ($user['banoverride'] != true){
			$sql = 'SELECT * FROM bans WHERE
					(	 0
					OR ("'.$_SERVER['REMOTE_ADDR'].'"=ipfilter AND ipfilter<>"") '.'
					'.($user['uniqueid'] != "" ? 'OR (uniqueid="'.$user['uniqueid'].'" AND uniqueid<>"") ' : '').'
					'.($user['emailaddress'] != "" ? 'OR (mailfilter="'.mysql_real_escape_string($user['emailaddress']).'" AND mailfilter != "") ' : '').'
					OR (LOWER(loginfilter)="'.mysql_real_escape_string(strtolower($user['login'])).'" AND loginfilter != "") '.'
					)
					AND (banexpire="0000-00-00" OR banexpire>"'.date('Y-m-d').'") LIMIT 1';
			$checkresult = mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
			if (mysql_num_rows($checkresult)>0){
				$row = mysql_fetch_assoc($checkresult);
				$sql = 'UPDATE bans SET last_try = NOW() WHERE id='.$row['id'];
				mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
				
				$zusatzfehlerinfo = $row['banreason']."\n";
				$zusatzfehlerinfo .= (($row['banexpire']=='0000-00-00')?("Die Verbannung ist permanent!"):("Der Bann wird am ".strftime('%e. %B %Y',strtotime($row['banexpire']))." aufgehoben."));
				$zusatzfehlerinfo = preg_replace('/[`]./', '', preg_replace('/[`]n/', "\n", $zusatzfehlerinfo));
				aetl_fehler(208,$zusatzfehlerinfo,true);
			}			
		}
	} //End Pseudo-checkban()

	if (array_key_exists('op', $_GET) == false) $result = aetl_fehler(202,"",true);
	switch ($_GET['op'])
	{
		case 'login':
			$result = "Login erfolgreich!";
			break;
		case 'checkout':
			$put_what = $_GET['putwhat'];
			$get_what = (($_GET['putwhat'] == "login")?("acctid"):("login"));
			$search_for = $_POST['data'];
			$sql = "SELECT acctid, login FROM accounts WHERE ".$put_what." = '".$search_for."'";
			$sql_result = mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
			if (mysql_num_rows($sql_result) > 0){
				$found = mysql_fetch_array($sql_result);
				$result = $found[$get_what];
			} else {
				$result = "N/A";
			}
			break;
		case 'delete':
		case 'setanswered':
		case 'setunread':
		case 'setread':
			$taube_id_pattern = '/<\s*taube\s+id\s*=\s*"([0-9]+)"\s*\/\s*>/';
			$workdata = stripslashes($_POST['data']);
			preg_match_all($taube_id_pattern,$workdata,$ergebnis);
			$aktion = " bearbeitet.";
			foreach($ergebnis[1] as $mailid){
				switch ($_GET['op']){
					case 'delete':
						$sql = "DELETE FROM mail WHERE msgto = '".$user['acctid']."' AND messageid = '".$mailid."' LIMIT 1";
						$aktion = " gelöscht!";
						break;
					case 'setunread':
						$sql = "UPDATE mail SET seen = '0' WHERE msgto = '".$user['acctid']."' AND messageid = '".$mailid."' LIMIT 1";
						$aktion = " auf den Status 'Ungelesen' gesetzt!";
						break;
					case 'setread':
						$save_answerstate = ((AETL_ANSWERSTATE_SUPPORT == true)?" AND seen < 2":"");
						$sql = "UPDATE mail SET seen = '1' WHERE msgto = '".$user['acctid']."' AND messageid = '".$mailid."'".$save_answerstate." LIMIT 1";
						$aktion = " auf den Status 'Gelesen' gesetzt!";
						break;
					case 'setanswered':
						$sql = "UPDATE mail SET seen = '2' WHERE msgto = '".$user['acctid']."' AND messageid = '".$mailid."' LIMIT 1";
						$aktion = " auf den Status 'Beantwortet' gesetzt!";
						break;
				}
				if (strlen($sql) > 0){
					mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
				}
			}
			$anzahl = count($ergebnis[1]);
			$result = $anzahl." Mail".(($anzahl == 1)?(""):("s"))." wurde".(($anzahl == 1)?(""):("n")).$aktion;
			break;
		case 'sendmail':
			$workdata = stripslashes($_POST['data']);
			//Regex: <\s*to\s*>(\d*)<\s*\/to\s*>
			$taube_to_pattern = '/<\s*to\s*>(\d*)<\s*\/to\s*>/';
			$taube_answerid_pattern = '/<\s*answerid\s*>(\d*)<\s*\/answerid\s*>/';
			//Regex:  <\s*subject\s*><!\[CDATA\[(.*)]]><\s*\/\s*subject\s*> samt Modifier "s" bzw. "subject" durch "body" ersetzen
			$taube_subject_pattern = '/<\s*subject\s*><!\[CDATA\[(.*)]]><\s*\/\s*subject\s*>/s';
			$taube_body_pattern = '/<\s*body\s*><!\[CDATA\[(.*)]]><\s*\/\s*body\s*>/s';
			$ergebnis = array();
			if (preg_match($taube_to_pattern, $workdata, $ergebnis) > 0){
				$sql = "SELECT acctid, login, name FROM accounts WHERE acctid = '".$ergebnis[1]."'";
				$sql_result = mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
				if (mysql_num_rows($sql_result) > 0){
					$empfaenger = mysql_fetch_array($sql_result);
					$taube_to = $empfaenger['acctid'];
				} else {
					$result = aetl_fehler(204);
					break;
				}
			} else {
				$result = aetl_fehler(205);
				break;
			}
			$taube_subject = "";
			if (preg_match($taube_subject_pattern, $workdata, $ergebnis) > 0) $taube_subject = $ergebnis[1];
			$taube_body = "";
			if (preg_match($taube_body_pattern, $workdata, $ergebnis) > 0) $taube_body = $ergebnis[1];
			$taube_answerid = "";
			if (preg_match($taube_answerid_pattern, $workdata, $ergebnis) > 0) $taube_answerid = $ergebnis[1];
			$taube_body = str_replace("`n","\n",$taube_body);
			$taube_body = str_replace("\r\n","\n",$taube_body);
			$taube_body = str_replace("\r","\n",$taube_body);
			$taube_body = utf8_decode($taube_body);
			$taube_subject = utf8_decode($taube_subject);
			$taube_body = mysql_real_escape_string($taube_body,$dbc);
			$taube_subject = mysql_real_escape_string($taube_subject,$dbc);
			$taube_date = date("Y-m-d H:i:s");
			$taube_from = $user['acctid'];
			$taube_ip = $_SERVER['REMOTE_ADDR'];
			$sql = "INSERT INTO `mail` (`messageid`, `msgfrom`, `msgto`, `subject`, `body`, `sent`, `seen`";
			if (AETL_ARCHIVED_SUPPORT == true) $sql .= ", `archived`";
			if (AETL_IP_SUPPORT == true) $sql .= ", `ip`";
			$sql .= ") VALUES (NULL, '".$taube_from."', '".$taube_to."', '".$taube_subject."', '".$taube_body."', '".$taube_date."', '0'";
			if (AETL_ARCHIVED_SUPPORT == true) $sql .= ", '0'";
			if (AETL_IP_SUPPORT == true) $sql .= ", '".$taube_ip."'";
			$sql .= ");";
			$sql_result = mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
			$aktion = "versandt";
			if ((AETL_ANSWERSTATE_SUPPORT == true) && (strlen($taube_answerid) > 0)){
				$sql = "UPDATE mail SET seen = '2' WHERE messageid = '".$taube_answerid."' LIMIT 1";
				$sql_result = mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
				$aktion = "beantwortet";
			}
			$result = "Mail ".$aktion."!";
			break;
		case 'getmails':
			$sql = "SELECT * FROM mail WHERE msgto = '".$user['acctid']."' ORDER BY seen ASC, sent DESC";
			$sql_result = mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
			$result = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n<aetl>\n";
			while ($row = mysql_fetch_assoc($sql_result)){
				$row["subject"] = str_replace("\n","`n",$row["subject"]);
				$row["body"] = str_replace("`n","\n",$row["body"]);
				if ($row['msgfrom'] == 0){
					$from_details = array();
					$from_details["login"] = "System";
					$from_details["name"] = "System";
				} else {
					$sql = "SELECT acctid, login, name FROM accounts WHERE acctid = '".$row['msgfrom']."'";
					$sql_from_result = mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
					$from_details = mysql_fetch_assoc($sql_from_result);
				}
				if (AETL_ARCHIVED_SUPPORT == false) $row["archived"]=0;
				if (AETL_IP_SUPPORT == false) $row["ip"]="0.0.0.0";
$xml_struct_taube = <<<TAUBEXML
	<taube>
		<header>
			<id>{$row["messageid"]}</id>
			<from>{$row["msgfrom"]}</from>
			<fromlogin><![CDATA[{$from_details["login"]}]]></fromlogin>
			<fromname><![CDATA[{$from_details["name"]}]]></fromname>
			<to>{$row["msgto"]}</to>
			<seen value="{$row["seen"]}" />
			<date>{$row["sent"]}</date>
			<archived value="{$row["archived"]}" />
			<subject><![CDATA[{$row["subject"]}]]></subject>
			<ip>{$row["ip"]}</ip>
		</header>
		<body><![CDATA[{$row["body"]}]]></body>
	</taube>
TAUBEXML;
				$result .= $xml_struct_taube."\n";
			}
			$result .= "</aetl>";
			break;
		
		default:
			$result = aetl_fehler(202);
			break;
	}
	
}
else {

	$request = mysql_query("SELECT acctid FROM accounts WHERE login = '".$_POST['login']."'", $dbc) or aetl_fehler(104,mysql_error($dbc),true);
	$zusatzfehlerinfo = "";
	if (mysql_num_rows($request) > 0){
		$zusatzfehlerinfo = "Der Fehlversuch wurde registriert.";
		while ($row = mysql_fetch_assoc($request)){
			$sql = "INSERT INTO faillog VALUES (0,now(),'".addslashes(serialize($_POST))."','{$_SERVER['REMOTE_ADDR']}','{$row['acctid']}','')";
			mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
			$sql = "SELECT faillog.*,accounts.superuser,name,login FROM faillog INNER JOIN accounts ON accounts.acctid=faillog.acctid WHERE ip='{$_SERVER['REMOTE_ADDR']}' AND date>'".date("Y-m-d H:i:s",strtotime(date("r")."-1 day"))."'";
			$request2 = mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
			$versuche = 0;
			$warnung = "";
			$is_superuser = false;
			while ($row2 = mysql_fetch_assoc($request2)){
				if ($row2['superuser'] > 0){
					$versuche++;
					$is_superuser = true;
				}
				$versuche++;
				$warnung .= "`3{$row2['date']}`7: Fehlgeschlagener Versuch von `&{$row2['ip']}`7 [`3{$row2['id']}`7] sich einzuloggen als `^{$row2['login']}`7 ({$row2['name']}`7)`n";
			}
			if ($versuche >= 20){
				{ //Pseudo-setban()
					$str_reason = "Automatischer Systembann: Zu viele fehlgeschlagene Loginversuche.";
					$date_expire = date("Y-m-d H:i:s",strtotime(date("r")."+".($versuche*3)." hours"));
					$str_ip = $_SERVER['REMOTE_ADDR'];
					$sql = "UPDATE bans SET banexpire = '".$date_expire."', last_try = NOW() WHERE banreason = '".$str_reason."' AND ipfilter = '".$str_ip."' AND uniqueid='' AND loginfilter='' AND mailfilter='' LIMIT 1";
					mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
					if (mysql_affected_rows($dbc) <= 0){
						$sql = 'INSERT INTO bans SET banreason="'.$str_reason.'",banexpire="'.$date_expire.'",ipfilter="'.addslashes($str_ip).'",uniqueid="",loginfilter="",mailfilter=""';
						mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
					}
				} //End Pseudo-setban()
				if ($is_superuser){
					$sql = "SELECT acctid FROM accounts WHERE superuser > 0";
					$request2 = mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
					$systemmail_betreff = "`#{$_SERVER['REMOTE_ADDR']} - Zu viele misslungene Loginversuche!";
					for ($i = 0; $i < mysql_num_rows($request2); $i++)
					{
						$row2 = mysql_fetch_assoc($request2);
						$sql = "DELETE FROM mail WHERE msgto={$row2['acctid']} AND msgfrom=0 AND subject = '".$systemmail_betreff."' AND seen=0";
						mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
						{ //Pseudo-systemmail()
							$systemmail_from = 0;
							$systemmail_to = $row2['acctid'];
							$systemmail_subject = $systemmail_betreff;
							$systemmail_body = preg_replace('/([^\\\\])(["\'])/s',"\\1\\\\\\2","This message is generated as a result of one or more of the accounts having been a superuser account.  Log Follows:`n`n".$warnung);
							$sql = 'INSERT INTO mail (msgfrom,msgto,subject,body,sent,ip) VALUES ('.(int)$systemmail_from.','.(int)$systemmail_to.',"'.$systemmail_subject.'","'.$systemmail_body.'",now(),"'.$_SERVER['REMOTE_ADDR'].'")';
							mysql_query($sql, $dbc) or aetl_fehler(104,mysql_error($dbc),true);
						} //End Pseudo-systemmail()
					}
				}
			}
		}
	}
	$result = aetl_fehler(201,$zusatzfehlerinfo);
}

print(htmlentities($result));
?>