Jul 6

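A front-end username self-change plugin for DZ6.0

I've been modifying the forum lately, so I wrote this page. It isn't really a plugin, since it wasn't written as one at all; it's just a simple page.

The procedure:

1. In the admin panel, create a template named changename, paste in the code below and submit: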

{template header}

<div id="nav">
<a href="index.php">$bbname</a> <b>&raquo;</b> 用户名修改系统
</div>

<div class="mainbox">
<h1 align="left">修改须知</h1>

<table cellspacing="0" cellpadding="4px" border="0" align="center">
<div align="left">
a.如果没有特别需要,请勿修改用户名;<br>

b.修改用户名需要花费5000论坛币的手续费,请三思而后行;<br>

c.修改完请重新登陆,如果有问题,请及时与管理员联系!
</div>

</table>

</div>

<table cellspacing="0" cellpadding="4px" border="0" align="center">
<form action='?action=changename' method=post>
<font color=blue>新用户名:</font>
<input type=text name=usernamenew maxlength=16 size=60>
<button type="submit" name="submit" value="" class="submit" 
onclick="if(confirm('确定要修改用户名么?')) {return true;}return false;">确 定</button>    
<font color=red>(修改用户名<b>需要花费5000论坛币</b>,请谨慎!)</font>
</form>
</table>

{template footer}

2. Save the following code as changename.php and put it in the forum root directory:

<?php
require_once('./include/common.inc.php');
if(!defined('IN_DISCUZ')){exit('Access Denied');}
// Only logged-in members may use this page
if($discuz_uid==0 || $discuz_user==""){showmessage("请先登陆!","index.php");}

// Append one line to a log file under ./log/
function writepetlog($filename,$logtxt){
    @$fp = fopen(DISCUZ_ROOT.'./log/'.$filename,'a');
    @flock($fp, 2); // 2 = LOCK_EX
    @fwrite($fp, $logtxt);
    @fclose($fp);
}

if (!isset($action)) {
    // No action given: show the form
    include template('changename');
} elseif ($action == 'changename' && $discuz_user!='' && $discuz_uid!=0){
    $usernameold = addslashes($discuz_user);
    if($usernamenew && $usernameold != $usernamenew) {
        // The member must hold at least 5000 forum coins (extcredits2)
        $query=$db->get_one("select extcredits2 from {$tablepre}members where username='$discuz_user'");
        $money=$query?$query['extcredits2']:0;
        if($money<5000){
            showmessage("您的论坛币不够修改用户名费用,修改用户名需要5000论坛币!",'changename.php');
        }else{
            // Refuse a name that already belongs to another member
            $query = $db->query("SELECT uid FROM {$tablepre}members WHERE username='$usernamenew'");
            if(($db->result($query, 0)) && ($db->result($query, 0)) != $discuz_uid) {
                showmessage("新用户名与现有用户重复,请返回修改。",'changename.php');
            }
            // Discuz! tables, not including administrators
            $db->query("UPDATE {$tablepre}announcements SET author='$usernamenew' WHERE author='$usernameold'");
            $db->query("UPDATE {$tablepre}forums SET lastpost=REPLACE(lastpost, '\t$usernameold', '\t$usernamenew')");
            $db->query("UPDATE {$tablepre}members SET username='$usernamenew' WHERE uid='$discuz_uid'");
            $db->query("UPDATE {$tablepre}pms SET msgfrom='$usernamenew' WHERE msgfromid='$discuz_uid'");
            $db->query("UPDATE {$tablepre}posts SET author='$usernamenew' WHERE authorid='$discuz_uid'");
            $db->query("UPDATE {$tablepre}threads SET author='$usernamenew' WHERE authorid='$discuz_uid'");
            $db->query("UPDATE {$tablepre}threads SET lastposter='$usernamenew' WHERE lastposter='$usernameold'");
            $db->query("UPDATE {$tablepre}threadsmod SET username='$usernamenew' WHERE uid='$discuz_uid'");
            // Wuxin pet plugin
            $db->query("UPDATE {$tablepre}wxfamily SET username='$usernamenew' WHERE username='$usernameold'");
            $db->query("UPDATE {$tablepre}wxfamilyrecord SET username='$usernamenew' WHERE username='$usernameold'");
            $db->query("UPDATE {$tablepre}wxpetdata SET username='$usernamenew' WHERE username='$usernameold'");
            $db->query("UPDATE {$tablepre}wxpetmagic SET username='$usernamenew' WHERE username='$usernameold'");
            $db->query("UPDATE {$tablepre}wxrose SET username='$usernamenew' WHERE username='$usernameold'");
            $db->query("UPDATE {$tablepre}wxstorage SET username='$usernamenew' WHERE username='$usernameold'");
            // Marriage system plugin
            $db->query("UPDATE {$tablepre}jie SET username='$usernamenew' WHERE username='$usernameold'");
            $db->query("UPDATE {$tablepre}jie SET thename='$usernamenew' WHERE thename='$usernameold'");
            $db->query("UPDATE {$tablepre}qiuhun SET username='$usernamenew' WHERE username='$usernameold'");
            $db->query("UPDATE {$tablepre}qiuhun SET tousername='$usernamenew' WHERE tousername='$usernameold'");
            // Deduct the 5000 username-change fee
            $db->query("UPDATE {$tablepre}members SET extcredits2=extcredits2-5000 WHERE uid='$discuz_uid'");
            // Write the log entry
            $givelog="<?PHP exit('Access Denied'); ?>\t".htmlspecialchars($usernameold)."\t".htmlspecialchars($usernamenew)."\t$timestamp\n";
            writepetlog('namelog.php',$givelog);
            showmessage("成功修改用户名,消耗论坛币5000,最好请重新登陆!",'index.php');
        }
    }
    else{
        showmessage("新用户名不能为空,且不能与旧用户名相同!",'changename.php');
    }
}
?>

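The code is simple, but it's still quite practical~~~

In the past, when I worked on sites, I never bothered to write up the experience and ended up forgetting all of it, so I haven't blogged for a long time. This little piece of code will do as a post!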
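Added example, not part of the original post: changename.php only checks that the new name is non-empty and differs from the old one, and the 16-character limit exists only as maxlength in the form. Since the name is written into the tab-separated forums.lastpost value and the tab-delimited namelog.php line, a server-side check such as the following can run before any UPDATE; the function name, constant and rule set are assumptions for illustration, not Discuz code.

```php
<?php
// Added example: server-side validation of a requested username before the
// rename queries run. check_new_username(), NAME_MAX_BYTES and the rules
// below are hypothetical; they are not taken from Discuz.

define('NAME_MAX_BYTES', 16); // mirrors maxlength=16 in the changename form

// Returns null when $name is acceptable, otherwise a short reason string.
// $name must be the raw value (before addslashes) so the length is real.
function check_new_username($name, $oldname) {
    if (!is_string($name)) {
        return 'not-a-string';      // usernamenew[]=x arrives as an array
    }
    if ($name === '' || trim($name) !== $name) {
        return 'empty-or-padded';   // padded names imitate existing members
    }
    if (strlen($name) > NAME_MAX_BYTES) {
        return 'too-long';          // HTML maxlength is not enforced server-side
    }
    // Tab, CR, LF and other control bytes would break the "\t"-separated
    // lastpost field and the tab/newline-delimited log line.
    if (preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return 'control-character';
    }
    // Characters with special meaning in SQL strings, HTML or LIKE patterns.
    if (preg_match('/[\'"\\\\<>&%*,]/', $name)) {
        return 'reserved-character';
    }
    if ($name === $oldname) {
        return 'same-as-old';
    }
    return null;
}

// Constructed sample inputs, not taken from a real forum.
$samples = array("alice2", "bob\tadmin", "eve\nx", " carol", "o'neil",
                 str_repeat('a', 17), "alice");
foreach ($samples as $s) {
    $r = check_new_username($s, "alice");
    printf("%-22s => %s\n", json_encode($s), $r === null ? 'ok' : $r);
}
```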

5 comments in total

  1. 飞豆订阅: Jul,17th,2008

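    Hello, I admire your blog and think your content is quite good.
    We hope to cooperate with your blog and share your content with more friends.
    If you're interested, you can contact me directly,
    QQ 120877855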

  2. keylee: Jul,29th,2008

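    I often read your security articles and have learned a lot from them. I feel your PHP skills are good; could you write something in PHP for me that filters dangerous characters out of custom CSS (like the kind on Xiaonei)?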
    QQ:943304722

  3. keylee: Jul,29th,2008

    Even just an idea for the filtering would do; I'm really not confident about it.

  4. oldjun: Jul,29th,2008

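    function filter($str){
        // Load the keyword list, one keyword per line
        $file="keywords.txt";
        $fp=fopen($file,"rb");
        $content=fread($fp,filesize($file));
        fclose($fp);
        $keywords = explode("\n",$content);
        foreach($keywords as $keys) {
            $keys = str_replace(array("\n","\r"),"",$keys);
            if($keys==="") {
                continue; // skip blank lines: strpos() cannot search for an empty needle
            }
            if(strpos($str,$keys)===false) {
                continue;
            }else {
                $str="Bad words!";
                break;
            }
        }
        return $str;
    }
    A very simple idea: put every keyword that is easily abused for XSS into keywords.txt. The same method can also be used for keyword filtering!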

  5. oldjun: Jul,29th,2008

    I found some code by an expert from abroad; have a look and learn from it:
    function RemoveXSS($val) {
        // remove all non-printable characters. TAB (09), LF (0a) and CR (0d) are allowed
        // this prevents some character re-spacing tricks
        // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
        $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);
        // straight replacements, the user should never need these since they're normal characters
        // this prevents entity-encoded versions of normal characters
        $search = 'abcdefghijklmnopqrstuvwxyz';
        $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $search .= '1234567890!@#$%^&*()';
        $search .= '~`";:?+/={}[]-_|\'\\';
        for ($i = 0; $i < strlen($search); $i++) {
            // ;? matches the ;, which is optional
            // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
            // &#x0040 @ search for the hex values
            $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
            // &#00064 @ 0{0,7} matches '0' zero to seven times
            $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
        }
        // now the only remaining whitespace attacks are \t, \n, and \r
        $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml',
            'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame',
            'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
        $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate',
            'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate',
            'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload',
            'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick',
            'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable',
            'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate',
            'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart',
            'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus',
            'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup',
            'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter',
            'onmouseleave', 'onmousemove', 'onmouseout','onmouseover', 'onmouseup',
            'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange',
            'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart',
            'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect',
            'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
        $ra = array_merge($ra1, $ra2);
        $found = true; // keep replacing as long as the previous round replaced something
        while ($found == true) {
            $val_before = $val;
            for ($i = 0; $i < sizeof($ra); $i++) {
                $pattern = '/';
                for ($j = 0; $j < strlen($ra[$i]); $j++) {
                    if ($j > 0) {
                        // optional entity-encoded TAB, LF or CR between two letters
                        $pattern .= '(';
                        $pattern .= '(&#[xX]0{0,8}(9|a|d);?)';
                        $pattern .= '|(&#0{0,8}(9|10|13);?)';
                        $pattern .= ')?';
                    }
                    $pattern .= $ra[$i][$j];
                }
                $pattern .= '/i';
                $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
                $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
            }
            if ($val_before == $val) {
                // no replacements were made in this round, so exit the loop
                $found = false;
            }
        }
        return $val;
    }
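Added example, not part of the thread: for the custom-CSS filtering question raised in the comments, an allowlist over parsed declarations is an alternative to matching keywords. The function name, the property list and the value pattern below are assumptions chosen for illustration.

```php
<?php
// Added example: allowlist filter for user-supplied CSS declarations
// (the body of one rule, e.g. "color: red; font-size: 12px").
// filter_user_css() and its property list are hypothetical.

function filter_user_css($css) {
    $allowed = array('color', 'background-color', 'font-size', 'font-weight',
                     'text-align', 'margin', 'padding', 'border');
    // Reject constructs that can hide keywords or leave the rule body:
    // comments, backslash escapes, at-rules, braces and angle brackets.
    if (preg_match('~/\*|\\\\|@|[{}<>]~', $css)) {
        return '';
    }
    $out = array();
    foreach (explode(';', $css) as $decl) {
        if (strpos($decl, ':') === false) {
            continue;                   // not a "property: value" pair
        }
        list($prop, $value) = explode(':', $decl, 2);
        $prop  = strtolower(trim($prop));
        $value = trim($value);
        if (!in_array($prop, $allowed, true)) {
            continue;                   // unknown property: drop it
        }
        // Values: words, numbers, units, #hex colours, spaces, commas, %.
        // Parentheses are never accepted, so url(...) and expression(...)
        // cannot pass whatever their spelling or case.
        if (!preg_match('/^[a-zA-Z0-9#%., -]{1,64}$/', $value)) {
            continue;
        }
        $out[] = $prop . ': ' . $value;
    }
    return implode('; ', $out);
}

// Constructed sample inputs.
$samples = array(
    'color: #f00; font-size: 12px',
    'color: red; width: expression(1+1)',
    'background-color: blue; background: url(http://example.invalid/x.png)',
    'co/**/lor: red',
);
foreach ($samples as $s) {
    echo $s, "\n  => '", filter_user_css($s), "'\n";
}
```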
