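/**
 * Replace every tag attached to $id with $Tags, inside one transaction.
 *
 * @param int|string $id       FeedbackID (for 'Feedback') or UserID (for 'Subscriptions'); cast to int
 * @param array      $Tags     list of tag names; an empty list only clears the existing tags
 * @param string     $TagsType 'Feedback' or 'Subscriptions'; any other value writes nothing
 * @param object     $conn     open DB connection exposing query() (mysqli-style)
 * @return bool true only when both the DELETE and the INSERT succeeded
 */
function SetTags($id, $Tags, $TagsType, $conn)
{
    // Table and id column come from this fixed map only - never from the caller - so they
    // are safe to splice into the SQL text.
    $targets = [
        'Feedback'      => ['FeedbackTags', 'FeedbackID'],
        'Subscriptions' => ['Subscriptions', 'UserID'],
    ];
    if (!isset($targets[$TagsType])) {
        return false; // unknown type: nothing written (was a bare `return;`, i.e. null)
    }
    [$TABLE, $ID_COL] = $targets[$TagsType];

    // Ids are integer keys elsewhere in this file (unquoted `UserID=` in setProfile, the
    // insert id from CheckedQueryAndGetID), so an integer cast keeps the id out of the
    // string splice regardless of what sanitizeIn does.
    sanitizeIn($id);
    $id = (int) $id;

    // PHP 8 throws on count()/foreach over a non-array; treat anything else as "no tags".
    $Tags = is_array($Tags) ? $Tags : [];

    //TODO: check that each tag is valid (exists in the Tags table) before writing it
    $rows = [];
    foreach ($Tags as $Tag) {
        sanitizeIn($Tag); // tag text is user-supplied; its escaping still rests on sanitizeIn's contract
        $rows[] = "(" . $id . ", '" . $Tag . "')";
    }

    $conn->query("START TRANSACTION");
    //delete all existing tags (if any)
    $del = CheckedQuery("DELETE FROM `" . $TABLE . "` WHERE `" . $ID_COL . "`=" . $id, $conn);
    $success = true;
    if ($rows !== []) {
        $success = CheckedQuery(
            "INSERT INTO `" . $TABLE . "` (`" . $ID_COL . "`, `TName`) VALUES " . implode(', ', $rows),
            $conn
        );
    }
    // Roll back when EITHER statement failed; previously a failed DELETE followed by a
    // successful INSERT was committed, leaving the old tags alongside the new ones.
    $ok = $del && $success;
    $conn->query($ok ? "COMMIT" : "ROLLBACK");
    return $ok;
}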
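/**
 * Handle a POSTed login form: authenticate and stage the post-login message/redirect in the session.
 *
 * Reads Email, Password and referer from $_POST; writes $_SESSION['Header'],
 * $_SESSION['OnLoginMessage'] and $_SESSION['user']. Does nothing when the form was not submitted.
 */
function onSigninPost()
{
    ///first, see if this page is responding to a login attempt
    $email = $_POST["Email"] ?? '';
    $password = $_POST["Password"] ?? '';
    // compare with '' rather than empty(): a password of "0" is a legitimate value
    if ($email === '' || $password === '') {
        return; //if not, quit
    }
    sanitizeIn($email);
    sanitizeIn($password);
    ///if we are dealing with a real login attempt, setup the session state
    $user = getUser();
    ///then (finally) try to log in, and print success or failure to the screen
    if (!$user->tryLogin($email, $password)) {
        $_SESSION['OnLoginMessage'] = "<h6><center>Email or Password incorrect.</center></h6>";
        return;
    }
    $data = $user->getData();
    //redirect to the previous page, IFF it is in our website.
    // A prefix test alone accepts URLs whose host is not ours (the old TODO's '@' case, or
    // our location followed by more host text), so the referer's host must also equal the
    // host of WEBSITE_LOCATION. When WEBSITE_LOCATION has no host both sides are null and the
    // prefix test decides, as before.
    $referer = $_POST["referer"] ?? '';
    if (is_string($referer)
        && startsWith($referer, WEBSITE_LOCATION)
        && parse_url($referer, PHP_URL_HOST) === parse_url(WEBSITE_LOCATION, PHP_URL_HOST)) {
        // the referer lands inside an HTML attribute: escape it so a quote cannot close the tag
        $safeReferer = htmlspecialchars($referer, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $_SESSION['Header'] = '<meta http-equiv="refresh" content="0; ' . $safeReferer . '" />';
    }
    $_SESSION['OnLoginMessage'] = "<h6><center>Welcome, " . sanitizeOut($data['FirstName']) . " " . sanitizeOut($data['LastName']) . "!</center></h6>";
    $_SESSION['user'] = $user; //because I'm pretty sure $user isn't passed-by-reference
}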
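/**
 * Set the entry-advice prompt (TEntryAdvice) shown for one tag.
 *
 * @param string $category CName of the category the tag belongs to
 * @param string $tag      TName of the tag
 * @param string $prompt   new advice text
 * @return void
 */
function setTagPrmpt($category, $tag, $prompt)
{
    sanitizeIn($category);
    sanitizeIn($tag);
    sanitizeIn($prompt);
    $conn = connectToDB();
    // Bug fix: the WHERE clause referenced the undefined variable $cat instead of $category,
    // so CName was always compared against '' and the UPDATE never matched a row.
    $sql = "UPDATE `Tags` SET TEntryAdvice='" . $prompt . "' WHERE CName='" . $category . "' AND TName='" . $tag . "'";
    CheckedQuery($sql, $conn);
    $conn->close();
}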
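/**
 * Overwrite the profile columns of one user.
 *
 * @param int|string $id         UserID of the row to update; cast to int
 * @param string     $FirstName
 * @param string     $MiddleName
 * @param string     $LastName
 * @param string     $Email      stored in EmailAddress
 * @param string     $Website
 * @param string     $Address    stored in MailingAddress
 * @param string     $Phone
 * @return void
 */
function setProfile($id, $FirstName, $MiddleName, $LastName, $Email, $Website, $Address, $Phone)
{
    sanitizeIn($FirstName);
    sanitizeIn($MiddleName);
    sanitizeIn($LastName);
    sanitizeIn($Email);
    sanitizeIn($Website);
    sanitizeIn($Address);
    sanitizeIn($Phone);
    // UserID is spliced into the SQL unquoted and was never sanitized; an integer cast
    // makes whatever the caller passes harmless.
    $id = (int) $id;

    $columns = [
        'FirstName'      => $FirstName,
        'MiddleName'     => $MiddleName,
        'LastName'       => $LastName,
        'EmailAddress'   => $Email,
        'Website'        => $Website,
        'MailingAddress' => $Address,
        'Phone'          => $Phone,
    ];
    $assignments = [];
    foreach ($columns as $column => $value) {
        $assignments[] = $column . "='" . $value . "'";
    }

    $conn = connectToDB();
    $sql = "UPDATE `Users` SET " . implode(', ', $assignments) . " WHERE UserID=" . $id;
    CheckedQuery($sql, $conn);
    $conn->close();
}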
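/**
 * Store a feedback entry for the current (student) user and attach its tags.
 *
 * @param string $Feedback feedback text
 * @param array  $Tags     tag names to attach; empty or non-array means none
 * @param mixed  $Anon     truthy to mark the feedback anonymous
 * @return void
 */
function leaveFeedback($Feedback, $Tags, $Anon)
{
    $user = getUser();
    if (!$user->isStudent()) {
        //TODO: log
        die("Cannot leave feedback as a non-student. :P"); //TODO: this doesn't seem to display to the screen...
    }
    //TODO: feedbacks per time
    sanitizeIn($Feedback);
    // Anonymous is an unquoted literal in the SQL, so it must never carry raw caller input:
    // normalise it to exactly 0 or 1. UserID is an integer key and is cast for the same reason.
    $anonymous = $Anon ? 1 : 0;
    $userId = (int) $user->userID;
    $conn = connectToDB();
    //NB: Anonymous value (0/1) MUST NOT BE QUOTED
    $id = CheckedQueryAndGetID("INSERT INTO `Feedbacks` (`UserID`, `Text`, `Anonymous`, `Edited`) VALUES (" . $userId . ", '" . $Feedback . "', " . $anonymous . ", NOW())", $conn);
    //Now apply any tags to the feedback (is_array guards the PHP 8 TypeError from count() on a non-array)
    if ($id !== null && is_array($Tags) && $Tags !== []) {
        SetTags($id, $Tags, "Feedback", $conn);
    }
    $conn->close();
}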
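/**
 * Handle a POSTed change-email form.
 *
 * Currently only checks that the fields are present: with Email posted but Code or
 * Password missing it re-prompts via changeEmailMessage(). No address change is applied here yet.
 */
function onChangeEmailPost()
{
    // ?? avoids undefined-index warnings when the form did not post a field
    $email = $_POST["Email"] ?? '';
    $code = $_POST["Code"] ?? '';
    $password = $_POST["Password"] ?? '';
    sanitizeIn($email);
    sanitizeIn($code);
    sanitizeIn($password);
    // compare with '' rather than empty(): "0" is a legitimate code/password value
    if ($email === '') {
        return;
    }
    if ($code === '' || $password === '') {
        changeEmailMessage();
    }
    // TODO: verify $code and $password, then apply the new address (not implemented yet)
}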
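/**
 * Build the INSERT that records this user's majors and minors in UserDegrees.
 *
 * Normalises $this->Majors and $this->Minors in place (trimmed, empty entries dropped).
 *
 * @param int|string $id UserID the rows belong to; cast to int
 * @return string the INSERT statement, or "" when there is nothing to record
 */
function makeDegreesSQL($id)
{
    //remove whitespace, then remove empty
    trimAll($this->Majors);
    trimAll($this->Minors);
    $this->Majors = array_filter($this->Majors);
    $this->Minors = array_filter($this->Minors);
    if (count($this->Majors) + count($this->Minors) === 0) {
        return "";
    }
    //TODO: I think this is only supposed to add degrees that exist in the Degrees table...
    // UserID is an integer key elsewhere in this file; the cast keeps it out of the string splice.
    $id = (int) $id;
    $rows = [];
    // majors first (IsMajor=1), then minors (IsMajor=0) - same order as the two original loops
    foreach ([1 => $this->Majors, 0 => $this->Minors] as $isMajor => $degrees) {
        foreach ($degrees as $deg) {
            sanitizeIn($deg); //TODO: checkme!!! Does this work properly?
            $rows[] = "(" . $id . ", '" . $deg . "', " . $isMajor . ")";
        }
    }
    return "INSERT INTO `UserDegrees` (UserID, DegName, IsMajor) VALUES " . implode(', ', $rows);
}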