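/**
 * Append a `column='value'` pair to a partially built UPDATE query when the
 * matching POST field is present.
 *
 * @param string $string  Name of both the POST field and the table column.
 * @param string $myQuery Query built so far. The pair is appended with a
 *                        leading comma, so the caller is expected to have
 *                        already started the SET list.
 * @return string The query, unchanged when the POST field is absent.
 */
function setVariable($string, $myQuery)
{
    // Absent field: nothing to add, hand the query back untouched.
    if (!isset($_POST[$string])) {
        return $myQuery;
    }
    // Only the value is escaped (mysql_fix_string is defined elsewhere); the
    // column name is concatenated as-is, so $string must come from code,
    // never from request data.
    $variable = mysql_fix_string($_POST[$string]);

    return $myQuery . ',' . $string . "='" . $variable . "'";
}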
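/**
 * Report whether the given user's usertype is 'admin'.
 *
 * @param object $conn     Open database handle exposing query()/error
 *                         (mysqli-style, judging by the calls below).
 * @param string $username Raw username; escaped here before use.
 * @return bool True only when a row is found and its usertype is 'admin'.
 */
function user_is_admin($conn, $username)
{
    $username = mysql_fix_string($conn, $username);
    // NOTE(review): as shown, the literal below does not interpolate the
    // escaped $username (the value appears redacted); the lookup must use it,
    // preferably as a bound parameter of a prepared statement.
    $query = "select usertype from users where username='******'";
    $result = $conn->query($query);
    if (!$result) {
        die($conn->error);
    }
    $result->data_seek(0);
    $row = $result->fetch_array(MYSQLI_ASSOC);
    // No matching row yields null: treat that as "not admin" instead of
    // indexing into null. Strict comparison avoids type juggling.
    return isset($row['usertype']) && $row['usertype'] === 'admin';
}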
}
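// Legacy ext/mysql flow (the mysql_* functions were removed in PHP 7):
// select the database, read two form fields, insert a row and keep its
// auto-increment id in the session.
mysql_select_db($db_database) or die("Unable to select database; " . mysql_error());
require_once 'submit_template.php';
//
//if (isset($_POST['key_id'])) {
//    $key_id = $_POST['key_id'];
//} else {
//    $key_id = "";
//}
// A missing field is stored as the literal "(undefined)" rather than rejected.
if (isset($_POST['applicant_email'])) {
    $email = mysql_fix_string($_POST['applicant_email']);
} else {
    $email = "(undefined)";
}
if (isset($_POST['title'])) {
    $title = mysql_fix_string($_POST['title']);
} else {
    $title = "(undefined)";
}
//Enter into Database
$query = "insert into billyx_portal.fiscal(\n\t\tapplicant_email,\n                title\n        )\n\tvalues(\n\t\t'{$email}',\n                '{$title}'\n        )";
$result = mysql_query($query);
// Check the insert before asking for its id: after a failed statement
// mysql_insert_id() does not report an error, it just returns a stale id or 0.
if (!$result) {
    die("Database access failed: " . mysql_error());
}
//look up item applicant key_id and assign to a variable.
$key_id = mysql_insert_id();
//       echo 'line id is'.$lineid;
mysql_close($db_server);
// NOTE(review): session_start() must precede any output; if
// submit_template.php already echoed markup, the session cannot start here.
session_start();
$_SESSION['key_id'] = $key_id;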
<?php

//sanitise.php
//How to safely access MySQL with user input.
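// Read both fields with a default so an absent field does not raise an
// undefined-index notice; each value is escaped before it reaches SQL.
$user = mysql_fix_string(isset($_POST['user']) ? $_POST['user'] : '');
$pass = mysql_fix_string(isset($_POST['pass']) ? $_POST['pass'] : '');
// NOTE(review): the literal shows redacted placeholders where the escaped
// values belong; a prepared statement with bound parameters is the safer
// way to supply them.
$query = "SELECT * FROM users WHERE user='******' AND pass='******'";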
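/**
 * Escape a string for interpolation into a single-quoted ext/mysql literal.
 *
 * Undoes magic_quotes_gpc slashes (PHP < 5.4 only) so the value is not
 * escaped twice, then applies mysql_real_escape_string(), which needs an
 * open ext/mysql link. Both helpers are gone in PHP 7+/8, so this only works
 * on legacy runtimes; on anything newer use a prepared statement instead.
 *
 * @param string $string Raw request value.
 * @return string Escaped value (without surrounding quotes).
 */
function mysql_fix_string($string)
{
    // get_magic_quotes_gpc() was removed in PHP 8; guard the call so the
    // function at least loads there.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}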
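/**
 * Delete one question: first its row in the type-specific table, then the
 * entry in `questions` that belongs to the session user.
 *
 * @param mixed  $examID       Unused; kept so existing call sites still work.
 * @param int    $questionID   Narrowed to int before use.
 * @param string $questionType Name of the table holding the type-specific row.
 * @return void Dies with the driver error on query failure (file's style).
 */
function delete_single_question($examID, $questionID, $questionType)
{
    $userID = (int) $_SESSION['userID'];
    $questionID = (int) $questionID;
    // The table name is spliced into SQL as an identifier, which string
    // escaping cannot protect; only accept a plain identifier.
    if (!preg_match('/^[A-Za-z0-9_]+$/', (string) $questionType)) {
        die(__LINE__ . " invalid question type");
    }
    $conn = get_conn();
    $userID = mysql_fix_string($conn, $userID);
    $questionID = mysql_fix_string($conn, $questionID);
    $questionType = mysql_fix_string($conn, $questionType);
    $query = "DELETE FROM {$questionType} WHERE questionID={$questionID}";
    if (!$conn->query($query)) {
        die(__LINE__ . " " . $conn->error);
    }
    // Ownership is enforced only here, by userID; the first delete above is
    // not scoped to the user.
    $query = "DELETE FROM questions WHERE userID={$userID} AND questionID={$questionID}";
    if (!$conn->query($query)) {
        die(__LINE__ . " " . $conn->error);
    }
    $conn->close();
}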
<?php

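// checks if the question being entered is unique
session_start();
require_once "../functions/session_functions.php";
require_once "../functions/input.php";
require_once "../functions/sql_functions.php";
if (isset($_POST['question']) && logged_in()) {
    $conn = get_conn();
    // Escaped through the shared helper before being spliced into the quoted
    // literal; a prepared statement with a bound parameter would be safer.
    $question = mysql_fix_string($conn, $_POST['question']);
    $query = "select question from questions where question='{$question}'";
    $result = $conn->query($query);
    // query() returns false on error, and num_rows on false is a fatal error;
    // report the driver message instead (read it before closing the link).
    if (!$result) {
        $error = $conn->error;
        $conn->close();
        die($error);
    }
    $rows = $result->num_rows;
    $conn->close();
    if ($rows) {
        echo "<li>The question that you created already exists. Consider rewriting the question or contributing to the question that already exists.</li>";
    } else {
        echo "";
    }
} else {
    go_home();
}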
// go back to the home page
} else {
    $last_name = "(undefined)";
}
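// Optional fields default to the literal "(undefined)".
if (isset($_POST['uetemp'])) {
    $uetemp = $_POST['uetemp'];
} else {
    $uetemp = "(undefined)";
}
if (isset($_POST['pwtemp'])) {
    $pwtemp = $_POST['pwtemp'];
} else {
    $pwtemp = "(undefined)";
}
//sanitize imported variables
$first_name = mysql_fix_string($first_name);
$last_name = mysql_fix_string($last_name);
//$uetemp = mysql_fix_string($uetemp);
//$pwtemp = mysql_fix_string($pwtemp);
require_once 'loginindex.php';
//Enter into Database
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) {
    die("Unable to connect to MySQL: " . mysql_error());
}
mysql_select_db($db_database) or die("Unable to select database; " . mysql_error());
// The sanitised values are $first_name/$last_name; the query previously read
// the never-assigned $firstname/$lastname and so inserted empty names.
// NOTE(review): $email and $userpass are not assigned in this script as
// shown — confirm where they come from and that they are escaped. If
// userpass is a password it should be stored as a password_hash() digest
// and checked with password_verify(), which also means changing the login.
$query = "insert into filmfund.applicant (\n\t\tfname,\n\t\tlname,\n\t\temail,\n\t\tuserpass\n\t\t)\n\tvalues(\n\t\t'{$first_name}',\n\t\t'{$last_name}',\n\t\t'{$email}',\n\t\t'{$userpass}'\n\t)";
$result = mysql_query($query);
//look up item applicant key_id and assign to a variable. Just in case.
$app_key = mysql_insert_id();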
//echo 'line id is'.$lineid;
if (!$result) {
/**
 * Escape a value for SQL and then for HTML output, in that order.
 *
 * @param mixed  $connection Database handle forwarded to mysql_fix_string().
 * @param string $var        Raw value.
 * @return string SQL-escaped value with HTML-special characters encoded.
 */
function mysql_entities_fix_string($connection, $var)
{
    $sqlSafe = mysql_fix_string($connection, $var);

    return htmlentities($sqlSafe);
}
     $emailflag = FALSE;
 } else {
     $email = test_input($_POST["email"]);
     // check if e-mail address syntax is valid
     if (!preg_match("/([\\w\\-]+\\@[\\w\\-]+\\.[\\w\\-]+)/", $email)) {
         $emailErr = "Invalid email format";
         $emailflag = FALSE;
     }
 }
 //echo $email;
 // Address is required. On success the value goes through test_input() (defined
 // elsewhere) and is then SQL-escaped, so $address is ready for a quoted literal.
 // NOTE(review): empty() also rejects the string "0" — confirm that is intended.
 if (empty($_POST["address"])) {
     $addressErr = "Address is required";
     $addressflag = FALSE;
 } else {
     $address = test_input($_POST["address"]);
     $address = mysql_fix_string($address);
 }
 //echo $address;
 // Gender is required. Unlike $address this value is not SQL-escaped here;
 // presumably it is validated before it reaches any query — verify at the use site.
 if (empty($_POST["gender"])) {
     $genderErr = "Gender is required";
     $genderflag = FALSE;
 } else {
     $gender = test_input($_POST["gender"]);
 }
 //echo $gender;
 //if($_FILES['file']['name'])
 //{
 //echo "before uploadphotos<br/>";
 //$uploadstatus=uploadphoto("photos/",$uname);
 //}
 /****************************************************/
/**
 * Rewrite the text and last-edited stamp of one todo item owned by a user.
 *
 * @param string $task      New task text.
 * @param string $last_edit New last-edited value, stored as given.
 * @param int    $taskID    Narrowed to int after escaping.
 * @param int    $userID    Narrowed to int after escaping.
 * @return void
 */
function edit_task($task, $last_edit, $taskID, $userID)
{
    $db = get_conn();
    $fix = static function ($value) use ($db) {
        return mysql_fix_string($db, $value);
    };
    // Same order as before: escape each argument through the shared helper,
    // then narrow the two ids so they can be spliced into SQL unquoted.
    $userID = (int) $fix($userID);
    $task = $fix($task);
    $last_edit = $fix($last_edit);
    $taskID = (int) $fix($taskID);
    $sql = "UPDATE ajx_org_todo \n\t\t\t  SET task='{$task}', last_edited='{$last_edit}'\n\t\t\t  WHERE userID={$userID} AND taskID={$taskID}";
    get_result($db, $sql);
    $db->close();
}
    }
    return $hash;
}
include 'login.php';
$submit_message = "";
if (isset($_POST['submit'])) {
    //require_once 'login.php';
    $db_server = mysql_connect($db_hostname, $db_username, $db_password);
    if (!$db_server) {
        die("Unable to connect to MySQL: " . mysql_error());
    }
    mysql_select_db($db_database) or die("Unable to select database: " . mysql_error());
    if (rpHash($_POST['defaultReal']) == $_POST['defaultRealHash']) {
        $first_name = mysql_fix_string($_POST['first']);
        $last_name = mysql_fix_string($_POST['last']);
        $testimonial = mysql_fix_string($_POST['add']);
        $query = "INSERT INTO testimonials_submission VALUES ('" . $first_name . "','" . $last_name . "','" . $testimonial . "', CURDATE() )";
        //$query = "INSERT INTO testimonials_submission VALUES ('" . $first_name . "','" .
        //		 $last_name . "','" . $testimonial . "')";
        //echo $query;
        $testimonials = mysql_query($query);
        if (!$testimonials) {
            die("Database access failed: " . mysql_error());
        }
        // the message
        $msg = "Testimonial Submission at LasColinasObGyn.com";
        // use wordwrap() if lines are longer than 70 characters
        $msg = wordwrap($msg, 70);
        // send email
        mail("*****@*****.**", "Testimonial", $msg);
        $submit_message = '<p style="color:blue;">Your testimonial has been submitted successfully.</p>';
    }
    return $hash;
}
$submit_message = "";
if (isset($_POST['submit'])) {
    //print_r($_POST);
    require_once 'login.php';
    $db_server = mysql_connect($db_hostname, $db_username, $db_password);
    if (!$db_server) {
        die("Unable to connect to MySQL: " . mysql_error());
    }
    mysql_select_db($db_database) or die("Unable to select database: " . mysql_error());
    if (rpHash($_POST['defaultReal']) == $_POST['defaultRealHash']) {
        $name = mysql_fix_string($_POST['name']);
        $email = mysql_fix_string($_POST['email']);
        $message = mysql_fix_string($_POST['message']);
        $query = "INSERT INTO contact VALUES('" . $name . "','" . $email . "','" . $message . "', CURDATE() )";
        //$query = "INSERT INTO contact VALUES('" . $name . "','" . $email . "','" . $message . "')";
        //echo $query;
        $result = mysql_query($query);
        if (!$result) {
            die("Database access failed: " . mysql_error());
        }
        // the message
        //$msg = "Contact Form Submission at LasColinasObGyn.com";
        // use wordwrap() if lines are longer than 70 characters
        $msg = wordwrap($msg, 70);
        // send email
        mail("*****@*****.**", "Contact Form", $message);
        $submit_message = '<p style="color:blue;">Submitted Successfully</p>';
    } else {
<?php

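// checks if information given is in correct format and that it matches
session_start();
require_once "../functions/session_functions.php";
require_once "../functions/input.php";
require_once "../functions/sql_functions.php";
if (isset($_POST['username']) && isset($_POST['password'])) {
    $conn = get_conn();
    $username = mysql_fix_string($conn, $_POST['username']);
    // NOTE(review): the password is SQL-escaped before it is hashed, so a
    // password containing quotes or backslashes is hashed in escaped form;
    // registration must do exactly the same or such users cannot log in.
    // Hashing the raw value and escaping (or binding) the digest is cleaner.
    $password = mysql_fix_string($conn, $_POST['password']);
    $password = encrypt_password($password);
    // NOTE(review): the literal shows redacted placeholders where the escaped
    // values belong; a prepared statement with bound parameters is safer.
    $query = "select username from users where username='******' and password='******'";
    $result = $conn->query($query);
    // query() returns false on error, and num_rows on false is a fatal error;
    // report the driver message instead (read it before closing the link).
    if (!$result) {
        $error = $conn->error;
        $conn->close();
        die($error);
    }
    $rows = $result->num_rows;
    $conn->close();
    if (!$rows) {
        echo "<li>The details that you have provided are incorrect.</li>";
    } else {
        echo "";
    }
} else {
    fail();
}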
// go back to login page
<?php

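session_start();
require_once '../file-includes.php';
// NOTE(review): a wildcard origin lets any site call this endpoint; it relies
// on the session cookie for the user id, so confirm the wildcard is intended
// or restrict it to the known front-end origin.
header('Access-Control-Allow-Origin: *');
// The media type separator is a slash; "application:json" is not a valid
// MIME type and clients would not treat the body as JSON.
header('Content-Type: application/json; charset=UTF-8');
$conn = get_conn();
$userID = (int) get_userID_session();
$postdata = file_get_contents("php://input");
$request = json_decode($postdata);
// Malformed or non-object JSON decodes to null; fall back to 0 so the lookup
// simply finds nothing instead of reading a property on null.
if (is_object($request) && isset($request->contact)) {
    $contactID = (int) mysql_fix_string($conn, $request->contact);
} else {
    $contactID = 0;
}
$result = get_result($conn, "SELECT * FROM ajx_org_address_book WHERE userID={$userID} AND contactID={$contactID}");
if ($result->num_rows) {
    // json_encode()'s second argument is a flag mask, not a boolean; the
    // former TRUE coerced to 1, which is JSON_HEX_TAG. Say so explicitly.
    $return_data = json_encode($result->fetch_array(MYSQLI_ASSOC), JSON_HEX_TAG);
    echo $return_data;
}
// Close the link on every path, not only when a row was found.
$conn->close();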
 /**
  * Append each category to $this->_categories after escaping it through
  * mysql_fix_string() with this object's connection.
  *
  * @param iterable $categories Raw category names.
  * @return void
  */
 public function set_categories($categories)
 {
     $conn = $this->_conn;
     foreach ($categories as $rawName) {
         $escaped = mysql_fix_string($conn, $rawName);
         $this->_categories[] = $escaped;
     }
 }
<?php

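session_start();
require_once "../functions/session_functions.php";
require_once "../functions/input.php";
require_once "../functions/sql_functions.php";
if (isset($_POST['username']) && isset($_POST['email'])) {
    $conn = get_conn();
    $username = mysql_fix_string($conn, $_POST['username']);
    $email = mysql_fix_string($conn, $_POST['email']);
    $message = "";
    // check that username is unique
    // NOTE(review): the literal shows a redacted placeholder where the escaped
    // username belongs; prefer a prepared statement with a bound parameter
    // here and for the e-mail lookup below.
    $query = "select username from users where username='******'";
    $result = $conn->query($query);
    // query() returns false on error, and num_rows on false is a fatal error;
    // report the driver message instead (read it before closing the link).
    if (!$result) {
        $error = $conn->error;
        $conn->close();
        die($error);
    }
    if ($result->num_rows) {
        $message .= "<li>The username that you have chosen already exists.</li>";
    }
    // check that emailaddress is unique
    $query = "select emailaddress from users where emailaddress='{$email}'";
    $result = $conn->query($query);
    if (!$result) {
        $error = $conn->error;
        $conn->close();
        die($error);
    }
    if ($result->num_rows) {
        $message .= "<li>The email address that you have chosen already belongs to a user.</li>";
    }
    // Release the link before responding; it was previously never closed.
    $conn->close();
    echo $message;
} else {
    fail();
}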
// go back to login page
/**
 * Escape for SQL first, then encode HTML-special characters in the result.
 *
 * @param mixed  $conn   Database handle passed through to mysql_fix_string().
 * @param string $string Raw value.
 * @return string
 */
function mysql_entities_fix_string($conn, $string)
{
    $escaped = mysql_fix_string($conn, $string);
    $encoded = htmlentities($escaped);

    return $encoded;
}
/**
 * Neutralise a user-supplied string for display: undo added slashes, encode
 * HTML-special characters, then drop any tag markup that is still present.
 *
 * @param string $var Raw input.
 * @return string Display-safe text (entities, not raw markup).
 */
function sanitizeString($var)
{
    // Same three steps as before, innermost applied first.
    return strip_tags(htmlentities(stripslashes($var)));
}
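/**
 * Escape a string for interpolation into a single-quoted ext/mysql literal.
 *
 * Undoes magic_quotes_gpc slashes (PHP < 5.4 only) so the value is not
 * escaped twice, then applies mysql_real_escape_string(), which needs an
 * open ext/mysql link. Both helpers are gone in PHP 7+/8, so this only works
 * on legacy runtimes; on anything newer use a prepared statement instead.
 *
 * @param string $string Raw request value.
 * @return string Escaped value (without surrounding quotes).
 */
function mysql_fix_string($string)
{
    // get_magic_quotes_gpc() was removed in PHP 8; guard the call so the
    // function at least loads there.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}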
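$userpass_check = null;
//Check Database
require_once 'loginindex.php';
//login to mysql
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) {
    die("Unable to connect to MySQL: " . mysql_error());
}
mysql_select_db($db_database) or die("Unable to select database; " . mysql_error());
// Escape only once the link exists: mysql_real_escape_string() needs an open
// ext/mysql connection and returns false (with a warning) without one.
$uetemp = mysql_fix_string($uetemp);
$pwtemp = mysql_fix_string($pwtemp);
// An empty password is a login error. header() only queues the redirect;
// without exit the lookup below would still run.
if ((string) $pwtemp === "") {
    header("Location: loginerror.php");
    exit;
}
$query = "select * from applicant where email='{$uetemp}'";
$result = mysql_query($query);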
if (!$result) {