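/**
 * Append ",<column>='<escaped value>'" to a SET-list fragment when the
 * matching POST field is present.
 *
 * Reads $_POST[$string]. When the field is absent the fragment is returned
 * unchanged; otherwise the value is passed through mysql_fix_string() and
 * appended as a single-quoted string.
 *
 * @param string $string  POST field name; reused verbatim as the column name
 * @param string $myQuery SET-list fragment accumulated so far
 * @return string the fragment, possibly with one more ",col='val'" appended
 */
function setVariable($string, $myQuery)
{
    // Nothing to append when the form did not send this field.
    if (!isset($_POST[$string])) {
        return $myQuery;
    }

    // Only the value is escaped. $string lands in the SQL as an identifier,
    // so callers must pass a fixed column name, never user-controlled text.
    $variable = mysql_fix_string($_POST[$string]);

    return $myQuery . ',' . $string . "='" . $variable . "'";
}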
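/**
 * Report whether the given user's `usertype` column equals 'admin'.
 *
 * @param mysqli $conn     open connection (query() and ->error are used)
 * @param string $username name to look up
 * @return bool true only when a row was found and its usertype is 'admin'
 */
function user_is_admin($conn, $username)
{
    $username = mysql_fix_string($conn, $username);

    // NOTE(review): the WHERE value is the literal '******' in this listing,
    // so the escaped $username computed above never reaches the query. This
    // reads like a redacted "{$username}" — confirm against the source file.
    $query = "select usertype from users where username='******'";

    $result = $conn->query($query);
    if (!$result) {
        // Kept from the original. Note that $conn->error is sent to the
        // client verbatim; logging it and failing with a generic message
        // would avoid exposing driver details.
        die($conn->error);
    }

    $result->data_seek(0);
    $row = $result->fetch_array(MYSQLI_ASSOC);

    // fetch_array() yields null (false on older PHP) when no row matched;
    // treat that as "not admin" instead of indexing into a non-array.
    return is_array($row) && $row['usertype'] === 'admin';
}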
} // closes a block that begins above this excerpt
mysql_select_db($db_database) or die("Unable to select database; " . mysql_error());
require_once 'submit_template.php';
// Earlier key_id handling, left commented out in the original:
//if (isset($_POST['key_id'])) {
//    $key_id = $_POST['key_id'];
//} else {
//    $key_id = "";
//}

// Form fields, escaped for the single-quoted string context of the INSERT
// below. A missing field inserts the literal placeholder "(undefined)".
// NOTE(review): mysql_fix_string() is called with one argument here, while
// other snippets on this page use a ($conn, $value) form — two helpers.
if (isset($_POST['applicant_email'])) {
    $email = mysql_fix_string($_POST['applicant_email']);
} else {
    $email = "(undefined)";
}
if (isset($_POST['title'])) {
    $title = mysql_fix_string($_POST['title']);
} else {
    $title = "(undefined)";
}
// Enter into database. Escaped values are interpolated into the SQL text;
// the legacy ext/mysql API used here (removed in PHP 7) has no prepared
// statements, so the escaping above is the only protection.
$query = "insert into billyx_portal.fiscal(\n\t\tapplicant_email,\n title\n )\n\tvalues(\n\t\t'{$email}',\n '{$title}'\n )";
$result = mysql_query($query);
// Look up the new row's key_id for the session. It is read before $result
// is checked, so on a failed INSERT it holds whatever mysql_insert_id()
// returns for "no new row".
$key_id = mysql_insert_id();
// echo 'line id is'.$lineid;
if (!$result) {
    die("Database access failed: " . mysql_error());
}
mysql_close($db_server);
session_start();
$_SESSION['key_id'] = $key_id;
<?php
// sanitise.php
// How to safely access MySQL with user input (legacy ext/mysql example).
//
// Pattern shown: escape each value with mysql_fix_string(), then interpolate
// it inside single quotes. The escaping only covers that quoted-string
// context; it does nothing for identifiers or unquoted numbers.

// Both fields are read without an isset() check, so a missing field raises
// an undefined-index notice and escapes an empty value.
$user = mysql_fix_string($_POST['user']);
$pass = mysql_fix_string($_POST['pass']);

// NOTE(review): both WHERE values are the literal '******' in this listing,
// so $user / $pass above are never used. This reads like a redacted
// "{$user}" / "{$pass}" — confirm against the original file. As written the
// password is compared inside the query, i.e. in whatever form it is stored.
$query = "SELECT * FROM users WHERE user='******' AND pass='******'";

/**
 * Escape a string for use inside a quoted MySQL string literal.
 *
 * get_magic_quotes_gpc() (removed in PHP 8) reports whether PHP already
 * added slashes to request data; those are stripped first so the value is
 * not escaped twice. mysql_real_escape_string() belongs to ext/mysql
 * (removed in PHP 7) and, called without a link, uses the most recently
 * opened connection — it must be called after connecting.
 *
 * @param string $string raw value
 * @return string escaped value
 */
function mysql_fix_string($string)
{
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}
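/**
 * Delete a single question: first its row in the per-type table named by
 * $questionType, then its row in `questions` scoped to the session user.
 *
 * Both ids are cast to int before use, so they are safe to interpolate
 * unquoted. $questionType becomes a table identifier in the first DELETE,
 * where string escaping gives no protection, so it is restricted to a plain
 * identifier here; a fixed allow-list of the known question tables would be
 * the stricter option.
 *
 * @param mixed      $examID       accepted for the existing call sites; not used
 * @param int|string $questionID
 * @param string     $questionType table name holding the type-specific row
 * @return void
 */
function delete_single_question($examID, $questionID, $questionType)
{
    $userID = (int) $_SESSION['userID'];
    $questionID = (int) $questionID;

    // Reject anything that is not a bare identifier before it can reach SQL.
    // Checked before get_conn() so no connection is left open on failure.
    if (!preg_match('/^[A-Za-z0-9_]+$/', (string) $questionType)) {
        die(__LINE__ . " invalid question type");
    }

    $conn = get_conn();
    $userID = mysql_fix_string($conn, $userID);
    $questionID = mysql_fix_string($conn, $questionID);
    $questionType = mysql_fix_string($conn, $questionType);

    // This DELETE is keyed on questionID alone; only the second one is
    // additionally scoped by userID.
    $query = "DELETE FROM {$questionType} WHERE questionID={$questionID}";
    if (!$conn->query($query)) {
        // As in the original: $conn->error is sent to the client verbatim.
        die(__LINE__ . " " . $conn->error);
    }

    $query = "DELETE FROM questions WHERE userID={$userID} AND questionID={$questionID}";
    if (!$conn->query($query)) {
        die(__LINE__ . " " . $conn->error);
    }

    $conn->close();
}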
<?php
// checks if the question being entered is unique
// (AJAX helper: prints an <li> when the exact question text already exists)
session_start();
require_once "../functions/session_functions.php";
require_once "../functions/input.php";
require_once "../functions/sql_functions.php";

if (isset($_POST['question']) && logged_in()) {
    $conn = get_conn();
    // Escaped for the single-quoted string context of the query below.
    $question = mysql_fix_string($conn, $_POST['question']);
    $query = "select question from questions where question='{$question}'";
    $result = $conn->query($query);
    // NOTE(review): $result is not checked; query() returns false on error,
    // and reading ->num_rows on false only triggers a warning, so an SQL
    // error is reported as "no duplicate".
    $rows = $result->num_rows;
    $conn->close();
    if ($rows) {
        echo "<li>The question that you created already exists. Consider rewriting the question or contributing to the question that already exists.</li>";
    } else {
        echo "";
    }
} else {
    go_home();
}
// go back to the home page
} else {
    $last_name = "(undefined)";
}
if (isset($_POST['uetemp'])) {
    $uetemp = $_POST['uetemp'];
} else {
    $uetemp = "(undefined)";
}
if (isset($_POST['pwtemp'])) {
    $pwtemp = $_POST['pwtemp'];
} else {
    $pwtemp = "(undefined)";
}
// sanitize imported variables
// NOTE(review): mysql_fix_string() runs before mysql_connect() below. If it
// wraps mysql_real_escape_string() (as the helper elsewhere on this page
// does), it has no connection to use at this point unless one was opened
// above this excerpt.
$first_name = mysql_fix_string($first_name);
$last_name = mysql_fix_string($last_name);
// Escaping of $uetemp / $pwtemp is disabled here.
//$uetemp = mysql_fix_string($uetemp);
//$pwtemp = mysql_fix_string($pwtemp);
require_once 'loginindex.php';
// Enter into database
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) {
    die("Unable to connecto to MySQL: " . mysql_error()); // sic: "connecto"
}
mysql_select_db($db_database) or die("Unable to select database; " . mysql_error());
// NOTE(review): the INSERT interpolates $firstname / $lastname / $userpass,
// but the values escaped above are $first_name / $last_name (underscore),
// and $userpass is not assigned in this excerpt. Whatever reaches the query
// is not the value that was just escaped — check the names against the
// earlier part of the file.
$query = "insert into filmfund.applicant (\n\t\tfname,\n\t\tlname,\n\t\temail,\n\t\tuserpass\n\t\t)\n\tvalues(\n\t\t'{$firstname}',\n\t\t'{$lastname}',\n\t\t'{$email}',\n\t\t'{$userpass}'\n\t)";
$result = mysql_query($query);
// look up item applicant key_id and assign to a variable. Just in case.
$app_key = mysql_insert_id();
//echo 'line id is'.$lineid;
if (!$result) {
/**
 * SQL-escape a value via mysql_fix_string(), then HTML-encode the result.
 *
 * The caller receives text that is already HTML-encoded; applying
 * htmlentities() again on output would double-encode it.
 *
 * @param mixed  $connection handed straight to mysql_fix_string()
 * @param string $var        raw value
 * @return string
 */
function mysql_entities_fix_string($connection, $var)
{
    $sqlSafe = mysql_fix_string($connection, $var);

    return htmlentities($sqlSafe);
}
$emailflag = FALSE;
} else {
    $email = test_input($_POST["email"]);
    // check if e-mail address syntax is valid
    // NOTE(review): the pattern is unanchored, so it only needs a match
    // somewhere inside the string and does not validate the whole address.
    // Unlike $address below, $email is not passed through mysql_fix_string().
    if (!preg_match("/([\\w\\-]+\\@[\\w\\-]+\\.[\\w\\-]+)/", $email)) {
        $emailErr = "Invalid email format";
        $emailflag = FALSE;
    }
}
//echo $email;
// empty() also treats the string "0" as missing.
if (empty($_POST["address"])) {
    $addressErr = "Address is required";
    $addressflag = FALSE;
} else {
    $address = test_input($_POST["address"]);
    $address = mysql_fix_string($address);
}
//echo $address;
if (empty($_POST["gender"])) {
    $genderErr = "Gender is required";
    $genderflag = FALSE;
} else {
    // Not SQL-escaped here, only test_input().
    $gender = test_input($_POST["gender"]);
}
//echo $gender;
//if($_FILES['file']['name'])
//{
//echo "before uploadphotos<br/>";
//$uploadstatus=uploadphoto("photos/",$uname);
//}
/****************************************************/
/**
 * Update one to-do row's text and last-edited stamp for the given user.
 *
 * All four inputs go through mysql_fix_string() on a fresh connection; the
 * two ids are then cast to int and placed unquoted, the two strings are
 * placed inside single quotes. The result of get_result() is discarded.
 *
 * @param string     $task
 * @param string     $last_edit
 * @param int|string $taskID
 * @param int|string $userID
 * @return void
 */
function edit_task($task, $last_edit, $taskID, $userID)
{
    $conn = get_conn();

    $uid = (int) mysql_fix_string($conn, $userID);
    $safeTask = mysql_fix_string($conn, $task);
    $safeEdit = mysql_fix_string($conn, $last_edit);
    $tid = (int) mysql_fix_string($conn, $taskID);

    $sql = sprintf(
        "UPDATE ajx_org_todo \n\t\t\t SET task='%s', last_edited='%s'\n\t\t\t WHERE userID=%d AND taskID=%d",
        $safeTask,
        $safeEdit,
        $uid,
        $tid
    );
    get_result($conn, $sql);
    $conn->close();
}
}
    return $hash;
}
include 'login.php';
$submit_message = "";
if (isset($_POST['submit'])) {
    //require_once 'login.php';
    $db_server = mysql_connect($db_hostname, $db_username, $db_password);
    if (!$db_server) {
        die("Unable to connect to MySQL: " . mysql_error());
    }
    mysql_select_db($db_database) or die("Unable to select database: " . mysql_error());
    // Anti-automation check: the challenge answer must hash to the value
    // sent along with it. NOTE(review): both values arrive in the same POST,
    // so the check is only as strong as rpHash() being unreproducible by the
    // client — confirm. The comparison is loose (==); hash_equals() avoids
    // type juggling on hash-like strings.
    if (rpHash($_POST['defaultReal']) == $_POST['defaultRealHash']) {
        // Fields are read without isset(); escaped via the one-argument helper.
        $first_name = mysql_fix_string($_POST['first']);
        $last_name = mysql_fix_string($_POST['last']);
        $testimonial = mysql_fix_string($_POST['add']);
        // Escaped values concatenated into a quoted VALUES list (no column
        // list, so the order must match the table definition).
        $query = "INSERT INTO testimonials_submission VALUES ('" . $first_name . "','" . $last_name . "','" . $testimonial . "', CURDATE() )";
        //$query = "INSERT INTO testimonials_submission VALUES ('" . $first_name . "','" .
        //    $last_name . "','" . $testimonial . "')";
        //echo $query;
        $testimonials = mysql_query($query);
        if (!$testimonials) {
            die("Database access failed: " . mysql_error());
        }
        // the message
        $msg = "Testimonial Submission at LasColinasObGyn.com";
        // use wordwrap() if lines are longer than 70 characters
        $msg = wordwrap($msg, 70);
        // send email (recipient address is redacted in this listing)
        mail("*****@*****.**", "Testimonial", $msg);
        $submit_message = '<p style="color:blue;">Your testimonial has been submitted successfully.</p>';
}
    return $hash;
}
$submit_message = "";
if (isset($_POST['submit'])) {
    //print_r($_POST);
    require_once 'login.php';
    $db_server = mysql_connect($db_hostname, $db_username, $db_password);
    if (!$db_server) {
        die("Unable to connect to MySQL: " . mysql_error());
    }
    mysql_select_db($db_database) or die("Unable to select database: " . mysql_error());
    // Anti-automation check, same shape as the testimonial form on this page:
    // loose == on a hash string; hash_equals() would be the safer compare.
    if (rpHash($_POST['defaultReal']) == $_POST['defaultRealHash']) {
        $name = mysql_fix_string($_POST['name']);
        $email = mysql_fix_string($_POST['email']);
        $message = mysql_fix_string($_POST['message']);
        // No column list: value order must match the table definition.
        $query = "INSERT INTO contact VALUES('" . $name . "','" . $email . "','" . $message . "', CURDATE() )";
        //$query = "INSERT INTO contact VALUES('" . $name . "','" . $email . "','" . $message . "')";
        //echo $query;
        $result = mysql_query($query);
        if (!$result) {
            die("Database access failed: " . mysql_error());
        }
        // the message
        //$msg = "Contact Form Submission at LasColinasObGyn.com";
        // use wordwrap() if lines are longer than 70 characters
        // NOTE(review): with the assignment above commented out, $msg is
        // undefined here unless set earlier in the file; the wrapped value is
        // not used by the mail() call anyway.
        $msg = wordwrap($msg, 70);
        // send email — the body is $message, i.e. the SQL-escaped text, so
        // backslashes added by the escaping appear in the e-mail.
        mail("*****@*****.**", "Contact Form", $message);
        $submit_message = '<p style="color:blue;">Submitted Successfully</p>';
    } else {
<?php
// checks if information given is in correct format and that it matches
// (AJAX login check: prints an <li> when no matching user row is found)
session_start();
require_once "../functions/session_functions.php";
require_once "../functions/input.php";
require_once "../functions/sql_functions.php";

if (isset($_POST['username']) && isset($_POST['password'])) {
    $conn = get_conn();
    $username = mysql_fix_string($conn, $_POST['username']);
    // NOTE(review): the password is SQL-escaped *before* encrypt_password(),
    // so the hashed value depends on the escaping (a quote becomes \' first).
    // Every path that hashes a password must do the same, or such passwords
    // never match — confirm against the sign-up code.
    $password = mysql_fix_string($conn, $_POST['password']);
    $password = encrypt_password($password);
    // NOTE(review): both WHERE values are the literal '******' in this
    // listing, so $username / $password above are never used. Presumably a
    // redacted "{$username}" / "{$password}" — confirm against the source.
    $query = "select username from users where username='******' and password='******'";
    $result = $conn->query($query);
    // $result is not checked; query() returns false on error.
    $rows = $result->num_rows;
    $conn->close();
    if (!$rows) {
        echo "<li>The details that you have provided are incorrect.</li>";
    } else {
        echo "";
    }
} else {
    fail();
}
// go back to login page
<?php
// Returns one address-book contact of the logged-in user as JSON.
session_start();
require_once '../file-includes.php';
// NOTE(review): wildcard CORS on a cookie-authenticated endpoint. Browsers
// do not send credentials to a "*" origin, so confirm the header is intended.
header('Access-Control-Allow-Origin: *');
// NOTE(review): the media type is written "application:json" (colon); the
// registered type is application/json, so clients may not treat this as JSON.
header('Content-Type: application:json; charset=UTF-8');
$conn = get_conn();
$userID = (int) get_userID_session();
// Request body is JSON with a "contact" member. Decoding is not checked: a
// malformed body leaves $request null and ->contact null, i.e. contact id 0.
$postdata = file_get_contents("php://input");
$request = json_decode($postdata);
$contactID = (int) mysql_fix_string($conn, $request->contact);
// Scoped to the session user, so another user's contact id yields no rows.
$result = get_result($conn, "SELECT * FROM ajx_org_address_book WHERE userID={$userID} AND contactID={$contactID}");
if ($result->num_rows) {
    // The second argument of json_encode() is a flags bitmask; TRUE is
    // coerced to 1, it is not an "as array" switch as in json_decode().
    $return_data = json_encode($result->fetch_array(MYSQLI_ASSOC), TRUE);
    $conn->close();
    echo $return_data;
}
// No response body — and no $conn->close() — when nothing matched.
/**
 * Append each category name to $this->_categories, escaped for a quoted SQL
 * string via mysql_fix_string() on this object's connection.
 *
 * Despite the "set_" name this appends: existing entries are kept and
 * nothing is de-duplicated.
 *
 * @param iterable<string> $categories raw category names
 * @return void
 */
public function set_categories($categories)
{
    foreach ($categories as $name) {
        $escaped = mysql_fix_string($this->_conn, $name);
        $this->_categories[] = $escaped;
    }
}
<?php
// Sign-up availability check: reports whether the username or e-mail address
// is already taken, as <li> fragments.
session_start();
require_once "../functions/session_functions.php";
require_once "../functions/input.php";
require_once "../functions/sql_functions.php";

if (isset($_POST['username']) && isset($_POST['email'])) {
    $conn = get_conn();
    $username = mysql_fix_string($conn, $_POST['username']);
    $email = mysql_fix_string($conn, $_POST['email']);
    // check that username is unique
    // NOTE(review): the WHERE value is the literal '******' in this listing,
    // so $username above is never used; the e-mail query below shows the
    // intended "{$var}" interpolation — confirm against the source.
    $query = "select username from users where username='******'";
    $result = $conn->query($query);
    // $result is not checked; query() returns false on error.
    $rows = $result->num_rows;
    $message = "";
    if ($rows) {
        $message .= "<li>The username that you have chosen already exists.</li>";
    }
    // check that emailaddress is unique
    $query = "select emailaddress from users where emailaddress='{$email}'";
    $result = $conn->query($query);
    $rows = $result->num_rows;
    if ($rows) {
        $message .= "<li>The email address that you have chosen already belongs to a user.</li>";
    }
    echo $message;
    // $conn is never closed in this script.
} else {
    fail();
}
// go back to login page
/**
 * SQL-escape a value via mysql_fix_string(), then HTML-encode the result.
 *
 * The caller receives text that is already HTML-encoded; applying
 * htmlentities() again on output would double-encode it.
 *
 * @param mixed  $conn   handed straight to mysql_fix_string()
 * @param string $string raw value
 * @return string
 */
function mysql_entities_fix_string($conn, $string)
{
    $sqlSafe = mysql_fix_string($conn, $string);

    return htmlentities($sqlSafe);
}
/**
 * Strip slashes, HTML-encode, then strip tags from a value.
 *
 * NOTE(review): strip_tags() runs after htmlentities(), by which point '<'
 * has already become '&lt;', so the last step presumably has little left to
 * do — confirm the intended order.
 *
 * @param string $var raw value
 * @return string
 */
function sanitizeString($var)
{
    $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}

/**
 * Escape a value for a quoted MySQL string literal (legacy ext/mysql).
 *
 * Magic-quotes slashes are removed first so the value is not escaped twice.
 * get_magic_quotes_gpc() was removed in PHP 8 and mysql_real_escape_string()
 * in PHP 7; the latter needs an open connection, yet it is called below
 * before mysql_connect() — unless a connection was opened above this
 * excerpt, the escaping there fails.
 *
 * @param string $string raw value
 * @return string
 */
function mysql_fix_string($string)
{
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}

$uetemp = mysql_fix_string($uetemp);
$pwtemp = mysql_fix_string($pwtemp);
$userpass_check = null;
// NOTE(review): the redirect is not followed by exit, so the database lookup
// below still runs for an empty password.
if ($pwtemp == "") {
    header("Location: loginerror.php");
}
// Check database
require_once 'loginindex.php';
// login to mysql
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) {
    die("Unable to connecto to MySQL: " . mysql_error()); // sic: "connecto"
}
mysql_select_db($db_database) or die("Unable to select database; " . mysql_error());
// The lookup filters by e-mail only; $pwtemp is not part of this query.
$query = "select * from applicant where email='{$uetemp}'";
$result = mysql_query($query);
if (!$result) {