#!/usr/bin/perl ################################################################################ # # Script Name : Ultimate Auction # Version : 3.6 # Company : Ultimate Auction # Author : Matt St. Amant ( webmaster@ultimateauction.net ) # Website : www.ultimateauction.net # # Copyright (c) 2001-2002 Ultimate Auction (Matt St Amant) All rights reserved. # # Rules/License: see license.txt that came with distribution. # # This software license prohibits selling, giving away, or otherwise distributing # the source code for any of the scripts contained in this SOFTWARE PRODUCT, # either in full or any subpart thereof. Nor may you use this source code, in full or # any subpart thereof, to create derivative works or as part of another program # that you either sell, give away, or otherwise distribute via any method.You must # not (a) reverse assemble, reverse compile, decode the Software or attempt to # ascertain the source code by any means, to create derivative works by modifying # the source code to include as part of another program that you either sell, give # away, or otherwise distribute via any method, or modify the source code in a way # that the Software looks and performs other functions that it was not designed to; # (b) remove, change or bypass any copyright or Software protection statements # embedded in the Software; or (c) provide bureau services or use the Software in # or for any other company or other legal entity. # # Have Fun Using Ultimate Auction! :) # ################################################################################ use strict; use DBI; use CGI; use IO::Socket; use UltimateAuction qw(%form $couser $copass $db $dbh %config @auction_types); require "variables/variables.cgi"; require "variables/accountvars.cgi"; &UltimateAuction::service; my %cookie = &UltimateAuction::get_cookie(); my $couser = $cookie{'Username'}; my $copass = $cookie{'Password'}; # connect to our database my $db = &UltimateAuction::mysql_connect; my @good_extensions = ( 'gif', 'jpg', 'jpeg', 'GIF', 'JPG', 'JPEG', 'png', 'PNG' ); my $max_num_files = $config{'upload_file_number'}; my $req = CGI->new; # changed by dhoss on 11-27-2007 my $updisp; my $usnm = $req->param('username'); my $pswd = $req->param('password'); my $usf = $req->param('useform') ; # Cannot find this on the page, so my guess is this is from the previous use of this code. ################################################################################ # Vaildation chunk - ################## # This little chunk of code is used to validate the user either via form or # cookies. ################################################################################ # Initialize this variables my ( $usernum, $authuser, $authpass ); # Check for user name ($usnm), password ($pswd), and ($usf)? # This chunk should never get hit as $usf is an unknown to this form on the # current auction script. if ( $usnm and $pswd and $usf ) { ( $usernum, $authuser, $authpass ) = UltimateAuction::authenticate( $usnm, $pswd, 1, 1, $db ); # If the user is logged in via form (Not cookies). } elsif ( $usnm and $pswd and !$usf ) { ( $usernum, $authuser, $authpass ) = UltimateAuction::authenticate( $usnm, $pswd, 0, 1, $db ); # This one is for a cookie user. } else { ( $usernum, $authuser, $authpass ) = UltimateAuction::authenticate( $usnm, $pswd, 0, 0, $db ); } # Checks now to see what 'UltimateAuction::authenticate' returned. If this is # a valid user, then all of the following should be populated. It originally # read !$usernum && !$authuser && !$authpass, but was changed to the current # form to make sure that ALL of these varibles were passed back. If ALL of # them are not passed back, send them to an authentication form. if ( !$usernum || !$authuser || !$authpass ) { &UltimateAuction::auth_form( "", "Post New Item" ); ################################################################################ # End of the Vaildation chunk ################################################################################ } else { ################################################################################ # Image chunk - Notes add by Shawn McKinley 11-18-02 ################## # Set the $method to that used by the form. This will either be 'url' or # 'upload'. 'url' is for users that want to link to a picture they have some # where else on the web. 'upload' is to store the picture on the quicklysell # server. my $method = $req->param("method"); # Set $number to the number of images that will be 'attached' to this auction # item. At this time, the choices are 0-5, but you should only get to this # point if you have selected 1-5. my $number = $req->param("number"); # Delete picture. Not so sure that this should be here, but it was obviously # a catch all to make sure that the picture did not already exist. &delpic; # Initialize the @images array. my @images; ######################### # This part is if the 'url' method was used. ######################### if ( $method eq 'url' ) { # Initialize $urlam. (url amount?) my $confirm; my $hidden; my $urlam = 0; # Iterrate over all the 'numbers' for images on the form for ( my $i = 1 ; $i <= $number ; $i++ ) { # If a url was found in imageX form element, increment $urlam by 1 and push # the url into the @images array. if ( $req->param("image$i") ) { $urlam++; push @images, $req->param("image$i"); } } # No images were selected for upload, so send them back to the previous page. if ( !$urlam ) { print qq~Location: $config{'script_dir'}/itemform.pl?method=none&number=none&username=$authuser&password=$authpass\n\n~; } # Set $word to 'Image'; I modified this to a turnary operation to save # keystrokes, is easier to read, and the fact that it is faster to execute. my $word = 'Image' . ( $urlam > 1 ? 's' : '' ); # my $header=&UltimateAuction::header; # Fetch the header # &UltimateAuction::Display($header); # Display the Header # Modified this to a single satement... Faster, readable, etc... &UltimateAuction::Display(&UltimateAuction::header); # Set this up as a color marker. This will flip-flop ever other row. my $color = 'body1'; # Iterate over each of the $urlam's for ( my $i = 0 ; $i <= $urlam ; $i++ ) { # If there is a URL for this image, then add it to the confirmed section if ( $images[$i] ) { # Make a counter for the URL's my $count = $i + 1; # Add the chunk of HTML to the confirm section $confirm .= qq~Image $count URL: $images[$i]

~; $hidden .= qq~~; # Converted this from an if/then/else block. Faster, readable, etc... # We flip-flop the color here. $color = $color eq 'body1' ? 'body2' : 'body1'; } } # Grab out doimageurl template and then replace each tag () with # the appropriate variable. my $content = UltimateAuction::Open_Template("doimageurl.txt"); $content =~ s//$confirm/g; $content =~ s//$hidden/g; $content =~ s//$urlam/g; $content =~ s//$word/g; $content =~ s//$method/g; $content =~ s//$urlam/g; $content =~ s//$authuser/g; $content =~ s//$authpass/g; &UltimateAuction::Display($content); # Display the Page Contents my $footer = &UltimateAuction::footer; # Fetch the Footer &UltimateAuction::Display($footer); # Display the Footer ######################### # This part is if the 'upload' method was used. ######################### } elsif ( $method eq 'upload' ) { # Set up these params # $formfields -> misc form fields?, $upam -> upload amount?, # $current_time,$final_time -> time now with server difference adjustment, # @was_not_good_type, @file_did_save, @did_not_save, @was_too_big -> # reporting arrays. my $formfields; my $upam = 0; my $current_time = time + ( $config{'timediff'} * 3600 ); my $final_time = $current_time; my @was_not_good_type; my @file_did_save; my @did_not_save; my @was_too_big; # Iterate over the maximum number of files allowed. for ( my $a = 1 ; $a <= $max_num_files ; $a++ ) { # If fileN exists, then do the following if ( $req->param("FILE$a") ) { # Set $file and $filename to the current file name my $file = $req->param("FILE$a"); my $filename = $file; # Grab the extension of the filename by spliting the filename all periods # and using the last chunk of data for it. my $extension = ( split( /\./, $filename ) )[-1]; # Set $fntwo (filename 2) to current time plus an underscore plus the current # image number plus a lower case verion of the extension. my $fntwo = $final_time . "_$a." . lc($extension); # Change all '\'s in the filename to '/'s. # $filename=~s/^.*(\\|\/)//; # initialize $proceed_type to 0 my $proceed_type = 0; # Check to see if the @good_extensions array was initialized already and if so # do the following. if (@good_extensions) { # Iterate over all the good extensions for (@good_extensions) { # There was an error here. By adding a '.' in line 2 and adding another '.' in # line 3, this would fail on any filename that was not like filename..gif # 1. my $ext=$_; # 2. $ext=~s/\.//g; # 3. if($filename=~/\.$ext$/) { # 4. $proceed_type=1; # 5. last; # 6. } # Check to see if the $filename ends with the current extension. If so, set # $proceed_type to 1 and exit out of the @good_extensions loop. if ( $filename =~ /\.$_$/ ) { $proceed_type++; last; } } # Unless the filename ended in an acceptable extension, set this file in the # @was_not_good_type array. unless ($proceed_type) { push( @was_not_good_type, $filename ); } # If @good_extensions was not set up, set $proceed_type to 1. This will # in effect let the user upload ANY file type. Not an issue on the current # script set up (as of 11-18-02) since @good_extensions was set up. } else { $proceed_type = 1; } # Check to see if $proceed_type is 1 or greater, if so, do the following if ($proceed_type) { # Open a pipe (OUTFILE) to the directory / filename so we can save our file if ( open( OUTFILE, ">", $config{'image_upload_dir'} . $fntwo ) ) { # Read in the buffer that was sent with the form for this image. while ( my $bytesread = read( $file, my $buffer, 1024 ) ) { # Save (print) the contents of the file. print OUTFILE $buffer; } # Close the pipe (OUTFILE) we created to save the file close(OUTFILE); # Add a hidden form field to $formfields with an image name equalling the # new file name we created. $formfields .= qq~\n~; # Add HTML to the $updisp (upload display?). $updisp .= "
Image $a:
\n"; ################################################################################ # PROBLEM ######### # Add the filename to the @file_did_save array. May be a problem here as we # did NO error checking to see if the file actually got saved. Nor does it # check to make sure that the file was NOT a 0 byte file (dummy). Will have # to look further into this one shortly. ################################################################################ push( @file_did_save, $filename ); # Increment $upam by one $upam++; # Here, if the $proceed_type was not 1 or more, we add the file name to the # @did_not_save array. } else { push( @did_not_save, $filename . ' ' . $! ); } } # Check to see if the script was set to a maximum file size, if so, we check to # see if the file to be uploaded exceeds this. If so, we delete it and add # the filename to the @was_too_big array to be reported later. ################################################################################ # PROBLEM ######### # This should be checked before we actually save the file as a hacker could # flood fill the server with 4GB files until the server was full and effectively # shut the server down completely... ################################################################################ if ( $config{'max_file_size'} ) { if ( ( -s "$config{'image_upload_dir'}/$fntwo" ) > ( $config{'max_file_size'} * 1024 ) ) { push( @was_too_big, $filename ); unlink("$config{'image_upload_dir'}/$fntwo"); $upam--; } } } } # Here we TRY to tell the browser not to cache the image. Works about half the # time with about half of the browsers out there if you are lucky. Not a big # issue since there is no easy reliable way around this, not to mention that a # quick shift-reload (control-reload) will do the same thing with most browsers. print "Pragma: no-cache\n"; # my $header = &UltimateAuction::header; # Fetch the header # &UltimateAuction::Display($header); # Display the Header # Combined these two lines... &UltimateAuction::Display(&UltimateAuction::header); # Initialize some more variables... # $results -> results from the uploading of the images to the server, # $a -> a counter, $file,$filename -> the form version of the filename, # $fntwo (filename 2) -> time + '_' + counter + lower case extension. my $results; my $a = 1; my $file = $req->param("FILE$a"); my $filename = $file; my $extension = ( split( /\./, $filename ) )[-1]; my $fntwo = $final_time . "_$a." . lc($extension); # Not real sure what this does... I will have to ask about, but my guess is it # is an archaic form of loop control. $a <= $max_num_files; # increment $a by one. $a++; # here we check for each of the arrays and if we find a value in them, add # a chunk of HTML with those values in them. Very fast and efficient way # of doing it (nice bit of code here). if (@file_did_save) { $results .= "The following picture(s) were uploaded successfully:

\n"; $results .= join( "
", @file_did_save ); $results .= "
$updisp\n"; } if (@was_not_good_type) { $results .= "The following picture(s) was not uploaded
because the file type is not allowed. Allowed formats are JPG, GIF and PNG images:

\n"; $results .= join( "
", @was_not_good_type ); $results .= ""; } if (@was_too_big) { $results .= "The following picture was deleted,
because it has exceeded the maximum size we allow. The max. size image we allow is $config{'max_file_size'} KB :

\n"; $results .= join( "
", @was_too_big ); $results .= ""; } if (@did_not_save) { $results .= "Can't open the file.
Error:

\n"; $results .= join( "
", @did_not_save ); $results .= ""; } if ( !@file_did_save ) { $results .= "Note for the administrator: Check \$Data Variable and
the absolute path to the image directory.

\n"; } # Grab out doimageupload template and then replace each tag () with # the appropriate variable. my $content = UltimateAuction::Open_Template("doimageupload.txt"); $content =~ s//$results/; $content =~ s//$formfields/; $content =~ s//$method/; $content =~ s//$upam/; $content =~ s//$final_time/; $content =~ s//$authuser/; $content =~ s//$authpass/; &UltimateAuction::Display($content); # Display the Page Contents my $footer = &UltimateAuction::footer; # Fetch the Footer &UltimateAuction::Display($footer); # Display the Footer } # disconnect from our database $dbh->finish; &UltimateAuction::mysql_disconnect($db); } sub delpic { my ( @allfiles, $file, $filedate, $key ); my $checktime = time; opendir PICDIR, "$config{'image_upload_dir'}"; @allfiles = readdir PICDIR; closedir PICDIR; foreach $file (@allfiles) { if ( length($file) == 15 || length($file) == 16 ) { $filedate = substr( $file, 0, 9 ); if ( ( $checktime - $filedate ) > 7200 ) { # 2 hours unlink("$config{'image_upload_dir'}/$file"); } } } }