<?php
/*
** device_action.php
**
** JavaScript/Ajax/DOM handler
*/
// Location of the configuration tree and, below it, of the per-database
// description files that read_database() parses.
define('CONFIG_DIR', '/etc/di');
define('DBCONFIG_DIR', sprintf('%s/database', CONFIG_DIR));
//
|
|
// Check inputs for SQL statement injection and such.
|
|
// Items not tested below are not vulnerable for SQL statement injection, e.g.
|
|
// a time is always converted using 'strtotime()' and other items are only
|
|
// used in the PHP but never in the composition of an SQL statement
|
|
// [security audit 2013-10-23]
|
|
//
|
|
if(
|
|
(isset($_GET['zkl']) && !is_numeric($_GET['zkl'])) ||
|
|
(isset($_GET['db']) && dirname($_GET['db']) != ".")
|
|
) {
|
|
// don't do anything fancy or interruptive as fiddling with the GET parameters
|
|
// is intended by the author
|
|
die("Parameter error");
|
|
}
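// zkl_* functions used below come from this include
require_once("../include/cp3000-tcpclient.php");

// read the database information
//
// read_database() returns false for a missing or unreadable file; that is
// treated like "no file given" so the defaults below are always applied to an
// array (the original assigned into a boolean).  The rest of the script
// selects the database through the 'database' key -- the key the description
// files use -- so that is the key that receives the default; 'db' is kept for
// anything else that may still read it.
$db_info = isset($_GET['db']) ? read_database(DBCONFIG_DIR, $_GET['db']) : false;
if( !is_array($db_info) ) $db_info = array();
if( !isset($db_info['host']) ) $db_info['host'] = "localhost";
if( !isset($db_info['user']) ) $db_info['user'] = "root";
if( !isset($db_info['passwd']) ) $db_info['passwd'] = "";
if( !isset($db_info['db']) ) $db_info['db'] = "di_zkl";
if( !isset($db_info['database']) ) $db_info['database'] = $db_info['db'];
// keys the later code reads unconditionally
if( !isset($db_info['main']) ) $db_info['main'] = "";
if( !isset($db_info['file']) ) $db_info['file'] = "";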
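// open the database
//
// Connection failures are logged instead of echoed: mysql_error() text
// (host, user name) would otherwise be sent to whoever calls this endpoint.
$db_data_handle = mysql_connect($db_info['host'], $db_info['user'], $db_info['passwd']);
if( $db_data_handle === false ) {
    error_log("device-action: database connect failed: " . mysql_error());
    exit(1);
}
mysql_select_db($db_info['database'], $db_data_handle);

// An 'archive' database ('type = archive, <main>' in its file) refers to a
// main database; the device query below runs on that main handle.  It is
// opened on a separate link (new_link = true, otherwise mysql_connect() would
// return the existing link for identical credentials).  Without a main
// database the data connection serves both purposes.
if( !empty($db_info['main']) ) {
    $db_main_info = read_database(DBCONFIG_DIR, $db_info['main']);
    if( $db_main_info === false ) {
        error_log("device-action: cannot read main database file " . $db_info['main']);
        exit(1);
    }
    $db_main_handle = mysql_connect($db_main_info['host'], $db_main_info['user'], $db_main_info['passwd'], true);
    if( $db_main_handle === false ) {
        error_log("device-action: main database connect failed: " . mysql_error());
        exit(1);
    }
    mysql_select_db($db_main_info['database'], $db_main_handle);
}
else {
    $db_main_handle = $db_data_handle;
    $db_main_info = $db_info;
}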
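// Parse one database description file '$file' from directory '$dir'.
//
// The file is a flat "key = value" list; everything after a '#' on a line is a
// comment.  The key 'type' may carry a second, comma separated field: for
// 'type = archive, <main>' the main database's file name is stored under
// 'main'.  'file' holds the name that was passed in, and 'name' is derived
// from host/port/database when the file does not define one.
//
// '$file' must be a bare file name inside '$dir': a directory part, '.' or
// '..' is rejected, so a value taken from the request cannot leave the
// configuration directory even if the caller's own check is ever loosened.
//
// Returns the associative array, or false when the file is rejected or cannot
// be opened.
function read_database($dir, $file)
{
    // bare file name only
    if( !is_string($file) || $file === "" || $file === "." || $file === ".."
        || strpos($file, "\0") !== false || basename($file) !== $file ) return false;

    $path = $dir . "/" . $file;
    if( is_dir($path) ) return false;
    if( ($fp = fopen($path, "r")) === false ) return false;

    // read the file (whole lines: a length limit would split long lines into
    // fragments that are parsed as separate entries)
    $database = array();
    $database['file'] = $file;
    while( ($line = fgets($fp)) !== false ) {
        // delete comments -- by position, not strtok(): strtok() skips a
        // leading '#' and would parse a commented-out line as a real entry
        if( ($c = strpos($line, "#")) !== false ) $line = substr($line, 0, $c);
        if( ($n = strpos($line, "=")) === false ) continue;

        $key = trim(substr($line, 0, $n));
        $value = trim(substr($line, $n + 1));

        if( $key === "type" && ($n = strpos($value, ",")) !== false ) {
            // 'type = <type>, <extra>'; only 'archive' uses the extra field,
            // which names the main database file and must not keep the
            // surrounding blanks
            $database[$key] = trim(substr($value, 0, $n));
            if( $database[$key] === "archive" ) $database['main'] = trim(substr($value, $n + 1));
        }
        else $database[$key] = $value;
    }

    // done
    fclose($fp);
    if( empty($database['name']) ) {
        $name = "";
        if( !empty($database['host']) ) {
            $name .= $database['host'];
            if( !empty($database['port']) ) $name .= ":" . $database['port'];
            $name .= ":";
        }
        $database['name'] = $name . (isset($database['database']) ? $database['database'] : "");
    }
    return $database;
}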
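// Run '$query' on '$db_handle' and return what mysql_query() returns (a
// result resource, true, or false on error).
//
// A failure is written to the error log together with the query text.  The
// script name is taken from $_SERVER; the original referenced an undefined
// $_PHP_SELF, which only produced an empty prefix and a notice.
function mysql_run($query, $db_handle)
{
    $result = mysql_query($query, $db_handle);
    if( $result === false ) {
        $script = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : "";
        error_log($script . "db-error: " . mysql_error($db_handle) . ", query " . $query);
    }
    return $result;
}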
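// get information about the device
//
// 'zkl' passed is_numeric() at the top of the script; it is cast to an
// integer here as well so the query text can never contain anything but a
// number (assumes zkl.id is an integer column -- confirm against the schema).
$zkl_id = isset($_GET['zkl']) ? (int)$_GET['zkl'] : 0;
$query = "SELECT zkl.serienr,zkl.idcode,zkl.tz,server.adres AS tcp_server,server.adres_ssl AS stcp_server "
       . "FROM zkl,server "
       . "WHERE "
       . " zkl.id=" . $zkl_id . " AND "
       . " server.id=zkl.tcp_server";
$result = mysql_run($query, $db_main_handle);
// mysql_run() has already logged a failed query
if( $result === false ) exit(1);
$zkl_info = mysql_fetch_assoc($result);
if( $zkl_info === false ) {
    error_log("device-action: no device with id " . $zkl_id);
    exit(1);
}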
// pick the TCP server to log in with: the SSL endpoint when the device has
// one (then the client key/certificate and the CA certificate are loaded
// first), otherwise the plain one
$use_ssl = isset($zkl_info['stcp_server']);
$server = $use_ssl ? $zkl_info['stcp_server'] : $zkl_info['tcp_server'];
if( $use_ssl ) {
    zkl_set_private_key("cert/private/mtinfo.key", "cert/private/passphrase");
    zkl_set_public_key("cert/public/mtinfo.crt", "cert/public/di-ca.crt");
}
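// log in with the TCP server
$zkl_param = isset($_GET['zkl']) ? $_GET['zkl'] : null;
if( ($tcp_channel = zkl_tcplogin($zkl_param, $server)) === false ) {
    // $zkl_status / $zkl_error are presumably set by zkl_tcplogin() in
    // cp3000-tcpclient.php -- confirm against the include
    if( empty($_GET['zkl']) || !$server )
        $error_str = "Invalid parameters";
    else
        $error_str = sprintf("%02X: %s", $zkl_status, $zkl_error);
    error_log("device-action: log-in with " . $server . " failed: " . $error_str);
    exit(1);
}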
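// forward the key/value pair to the device; both come straight from the
// request and are not inspected here (the protocol lives in the tcpclient
// include), so at least require that they are present instead of sending
// nulls
if( isset($_GET['key'], $_GET['value']) ) {
    zkl_store($tcp_channel, $_GET['key'], $_GET['value']);
}
else error_log("device-action: missing key/value parameter");

// close connection to TCP server
zkl_tcplogout($tcp_channel);

// clean-up: the main handle is a separate link only when it was opened from
// its own description file
if( $db_main_info['file'] != $db_info['file'] ) mysql_close($db_main_handle);
mysql_close($db_data_handle);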