
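<?php
// Use the full open tag: the short form `<?` only works when short_open_tag is enabled.
error_reporting(E_ALL);

// Request handler for a "now playing" client.
// Expected POST fields: uid (alphanumeric user name), pass, Playing (digits only:
// 1 = a track is playing, anything else = stopped), plus Artist1, Title1, Album1,
// Genre1, Length1, Quality1 and Filename1 describing the current track.
//
// NOTE(review): the mysql_* extension was removed in PHP 7.0, so this script only
// runs on PHP 5.x. The real fix is a port to PDO/mysqli with prepared statements;
// the edits here keep the original API and only correct the logic.
// NOTE(review): database credentials are hard-coded in this file. They belong in a
// config file outside the web root, readable only by the web server user.
if (isset($_POST['uid'], $_POST['pass'], $_POST['Playing'])
  && is_string($_POST['pass'])
  && ctype_alnum($_POST['uid']) === true
  && ctype_digit($_POST['Playing']) === true)
{
  // Stop on connection/DB-selection failure instead of continuing with an
  // unusable handle (every later mysql_* call would then warn and misbehave).
  if (mysql_connect(':/var/run/mysqld/mysqld.sock', 'erik', 'fisk') === false)
  {
    error_log(mysql_error());
    exit();
  }
  if (mysql_select_db('songs') === false)
  {
    error_log(mysql_error());
    exit();
  }

  // uid is known to be alphanumeric here; it is still escaped for consistency
  // and reused in both the UPDATE and the INSERT below.
  $uid = sqle($_POST['uid']);

  // NOTE(review): the password is compared in clear text inside the query, which
  // means the users table stores it in clear. Moving to password_hash()/
  // password_verify() needs a schema change and is out of scope for this edit.
  $res = mysql_query('select playing from users where user = "'.$uid.'" and pass = "'.sqle($_POST['pass']).'"');
  if ($res === false)
  {
    error_log(mysql_error());
    exit();
  }
  if (mysql_num_rows($res) !== 1)
  { // no (unique) user found: nothing to record
    exit();
  }

  // mysql_fetch_row() returns an array; the original compared that whole array
  // against the POSTed string, so the branch below ran on every request.
  $row = mysql_fetch_row($res);
  $storedPlaying = (string) $row[0];
  $newPlaying = $_POST['Playing']; // digits only, validated above

  if ($storedPlaying !== $newPlaying)
  {
    // Scope the update to this user; the original had no WHERE clause and
    // rewrote the `playing` column of every row in the table.
    // (int) cast is safe because of the ctype_digit() check and keeps the
    // value out of string context in the SQL.
    mysql_query('UPDATE users set playing = '.(int) $newPlaying.' where user = "'.$uid.'"') or error_log(mysql_error());
    if ((int) $newPlaying !== 1)
    {
      // Playback stopped: there is no current track to insert.
      exit();
    }
  }

  // Collect the track columns in table order; a missing or non-string field
  // is stored as an empty string rather than triggering a notice/warning.
  $trackKeys = array('Artist1', 'Title1', 'Album1', 'Genre1', 'Length1', 'Quality1', 'Filename1');
  $trackValues = array();
  foreach ($trackKeys as $key)
  {
    $raw = (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
    $trackValues[] = sqle($raw);
  }

  mysql_query('INSERT INTO songs (artist,title,album,genre,length,quality,filename,user,timestamp) VALUES ("'.implode('","', $trackValues).'","'.$uid.'",NOW())') or error_log(mysql_error());
}
else
{
  die('Invalid request.');
}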

/**
 * Escape a raw value so it can be embedded inside a double-quoted MySQL
 * string literal in a hand-built query.
 *
 * Thin wrapper around mysql_real_escape_string(), which needs an open
 * mysql_* connection (it uses the connection's character set); with no
 * connection it returns false instead of a string.
 *
 * @param string $str raw input (typically a $_POST value)
 * @return string|false escaped value, or false when no connection exists
 */
function sqle($str)
{
  $escaped = mysql_real_escape_string($str);

  return $escaped;
}

?>