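function edit_block()
{
    // Rename a block or replace its note from an inline-edit request.
    //
    // Inputs: $_GET['edit'] selects the column ('name' or 'note'),
    // $_POST['value'] carries the new text, and the global $block_id (set by
    // the caller) selects the row. Every failure answers HTTP 400 with the
    // localised message from $COLLATE and exits; on success the stored value
    // is echoed back to the caller.
    global $COLLATE;
    global $block_id;
    include 'include/validation_functions.php';
    $dbo = getdbo();

    $edit = empty($_GET['edit']) ? '' : clean($_GET['edit']);
    $value = empty($_POST['value']) ? '' : clean($_POST['value']);
    $username = isset($COLLATE['user']['username']) ? $COLLATE['user']['username'] : '******';

    // Only the two editable columns are accepted, and the column name is
    // chosen from a fixed list rather than taken from the request text.
    if (!in_array($edit, array('name', 'note'), true)) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }
    // $block_id is a global the caller sets; refuse an empty or non-numeric id
    // instead of letting it reach the query.
    if (!is_numeric($block_id)) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }

    $return = validate_text($value, $edit == 'name' ? 'blockname' : 'note');
    if ($return['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$return['error']];
        exit;
    }
    $value = $return['1'];

    // Current name, needed for the audit log entry.
    $stmt = $dbo->prepare("SELECT name FROM blocks WHERE id=?");
    $stmt->execute(array($block_id));
    $name = $stmt->fetchColumn();

    if ($edit == 'name') {
        // Another block may already use this name; renaming a block to its own
        // current name is fine. Compare as strings: fetchColumn() yields a
        // string while $block_id may be an int, so a strict !== on the raw
        // values would report a false duplicate.
        $stmt = $dbo->prepare("SELECT id FROM blocks WHERE name=?");
        $stmt->execute(array($value));
        $existing_block_id = $stmt->fetchColumn();
        if ($existing_block_id !== false && (string) $existing_block_id !== (string) $block_id) {
            header("HTTP/1.1 400 Bad Request");
            echo $COLLATE['languages']['selected']['duplicatename'];
            exit;
        }
        collate_log('4', "Block {$name} has been updated to {$value}");
        $stmt = $dbo->prepare("UPDATE blocks SET name=?, modified_by=?, modified_at=NOW() WHERE id=?");
    } else {
        collate_log('4', "Block {$name} note edited");
        $stmt = $dbo->prepare("UPDATE blocks SET note=?, modified_by=?, modified_at=NOW() WHERE id=?");
    }
    // Bound parameters replace the former string interpolation, so the SQL
    // text no longer depends on what clean()/validate_text() strip.
    $stmt->execute(array($value, $username, $block_id));
    // Echoed as stored; the output context (assumed an AJAX consumer) is
    // unchanged from the original — confirm the caller escapes for HTML.
    echo $value;
}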
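function edit_subnet()
{
    // Rename a subnet or replace its note from an inline-edit request.
    //
    // Inputs: $_GET['subnet_id'] (numeric row id), $_GET['edit'] ('name' or
    // 'note') and $_POST['value']. Failures answer HTTP 400 with a localised
    // message and exit; on success the stored value is echoed back.
    global $COLLATE;
    global $dbo;
    include 'include/validation_functions.php';

    $subnet_id = empty($_GET['subnet_id']) ? '' : $_GET['subnet_id'];
    $edit = empty($_GET['edit']) ? '' : $_GET['edit'];
    $value = empty($_POST['value']) ? '' : $_POST['value'];
    $username = isset($COLLATE['user']['username']) ? $COLLATE['user']['username'] : '******';

    // Exact match on the editable column; the previous unanchored /name|note/
    // test also accepted values such as "xnote".
    if (empty($subnet_id) || !is_numeric($subnet_id) || !in_array($edit, array('name', 'note'), true)) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }

    $return = validate_text($value, $edit == 'name' ? 'subnetname' : 'note');
    if ($return['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$return['error']];
        exit;
    }
    $value = $return['1'];

    // Look the subnet up for the audit log entry. A missing row previously
    // fell through with null name/ip/mask and still ran the UPDATE.
    $stmt = $dbo->prepare("SELECT name, start_ip, mask FROM subnets WHERE id=?");
    $stmt->execute(array($subnet_id));
    $row = $stmt->fetch(PDO::FETCH_NUM);
    if ($row === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }
    list($name, $subnet, $mask) = $row;
    $cidr = subnet2cidr($subnet, $mask);

    if ($edit == 'name') {
        collate_log('3', "Subnet {$name} ({$cidr}) name changed to {$value}");
        $stmt = $dbo->prepare("UPDATE subnets SET name=?, modified_by=?, modified_at=NOW() WHERE id=?");
    } else {
        collate_log('3', "Subnet {$name} ({$cidr}) note edited");
        $stmt = $dbo->prepare("UPDATE subnets SET note=?, modified_by=?, modified_at=NOW() WHERE id=?");
    }
    // Values are bound rather than interpolated into the statement text.
    $stmt->execute(array($value, $username, $subnet_id));
    echo $value;
}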
function submit_subnet()
{
    // Handle the "add subnet" form: validate the fields, insert the subnet and,
    // optionally, an ACL range and a gateway static entry, all inside one
    // transaction. Every outcome is a redirect: an invalid block id goes to
    // blocks.php, validation failures go back to the add form with the field
    // values and the error key as ?notice=, success goes to the block's list.
    //
    // NOTE(review): $COLLATE is read below but never declared global in this
    // function, so isset($COLLATE['user']['username']) is always false here
    // and modified_by is always written as 'system'.
    // NOTE(review): name and ip are validated, but note, guidance and
    // acl_name are interpolated into the INSERTs exactly as posted; the
    // statements should be prepared with bound values.
    global $dbo;
    include 'include/validation_functions.php';
    $block_id = isset($_POST['block_id']) && is_numeric($_POST['block_id']) ? $_POST['block_id'] : '';
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $ip = isset($_POST['ip']) ? $_POST['ip'] : '';
    $gateway = isset($_POST['gateway']) ? $_POST['gateway'] : '';
    $acl_name = isset($_POST['acl_name']) ? $_POST['acl_name'] : '';
    $acl_start = isset($_POST['acl_start']) ? $_POST['acl_start'] : '';
    $acl_end = isset($_POST['acl_end']) ? $_POST['acl_end'] : '';
    $note = isset($_POST['note']) ? $_POST['note'] : '';
    $guidance = isset($_POST['guidance']) ? $_POST['guidance'] : '';
    if (empty($block_id)) {
        $notice = 'invalidrequest';
        header("Location: blocks.php?notice={$notice}");
        exit;
    }
    // The redirect below re-populates the form. Only guidance is urlencoded;
    // the other fields are placed in the URL raw. The "¬e"/"¬ice" bytes look
    // like "&note"/"&notice" mis-decoded through the HTML "&not" entity in
    // this copy — confirm against the original source.
    if (empty($name) || empty($ip)) {
        $notice = "blankfield-notice";
        $guidance = urlencode($guidance);
        header("Location: subnets.php?op=add&block_id={$block_id}&name={$name}&ip={$ip}&gateway={$gateway}&acl_start={$acl_start}&acl_end={$acl_end}¬e={$note}&guidance={$guidance}¬ice={$notice}");
        exit;
    }
    $result = validate_text($name, 'subnetname');
    if ($result['0'] === false) {
        $notice = $result['error'];
        $guidance = urlencode($guidance);
        header("Location: subnets.php?op=add&block_id={$block_id}&name={$name}&ip={$ip}&gateway={$gateway}&acl_start={$acl_start}&acl_end={$acl_end}¬e={$note}&guidance={$guidance}¬ice={$notice}");
        exit;
    } else {
        $name = $result['1'];
    }
    $result = validate_network($ip);
    if ($result['0'] === false) {
        $notice = $result['error'];
        $guidance = urlencode($guidance);
        header("Location: subnets.php?op=add&block_id={$block_id}&name={$name}&ip={$ip}&gateway={$gateway}&acl_start={$acl_start}&acl_end={$acl_end}¬e={$note}&guidance={$guidance}¬ice={$notice}");
        exit;
    } else {
        $start_ip = $result['start_ip'];
        $end_ip = $result['end_ip'];
        $mask = $result['mask'];
        $long_start_ip = $result['long_start_ip'];
        $long_end_ip = $result['long_end_ip'];
        $long_mask = $result['long_mask'];
    }
    // Subnet, ACL and gateway rows are committed together or not at all.
    $dbo->beginTransaction();
    $username = !isset($COLLATE['user']['username']) ? 'system' : $COLLATE['user']['username'];
    $sql = "INSERT INTO subnets (name, start_ip, end_ip, mask, note, block_id, modified_by, modified_at, guidance) \r\n VALUES('{$name}', '{$long_start_ip}', '{$long_end_ip}', '{$long_mask}', '{$note}', '{$block_id}', '{$username}', now(), '{$guidance}')";
    $dbo->query($sql);
    $subnet_id = $dbo->lastInsertId();
    if (!empty($acl_start) && !empty($acl_end)) {
        $result = validate_ip_range($acl_start, $acl_end, 'acl');
        if ($result['0'] === false) {
            $dbo->rollBack();
            $notice = $result['error'];
            $guidance = urlencode($guidance);
            header("Location: subnets.php?op=add&block_id={$block_id}&name={$name}&ip={$ip}&gateway={$gateway}&acl_start={$acl_start}&acl_end={$acl_end}¬e={$note}&guidance={$guidance}¬ice={$notice}");
            exit;
        } else {
            $long_acl_start = $result['long_start_ip'];
            $long_acl_end = $result['long_end_ip'];
        }
        // Add an ACL for the acl range so users don't assign a static IP inside a acl scope.
        $sql = "INSERT INTO acl (name, start_ip, end_ip, subnet_id) VALUES('{$acl_name}', '{$long_acl_start}', '{$long_acl_end}', '{$subnet_id}')";
        $dbo->query($sql);
    }
    // Add static IP for the Default Gateway
    if (!empty($gateway)) {
        $long_gateway = ip2decimal($gateway);
        // Network-address check. `&` yields an int; the strict !== against
        // $long_start_ip only behaves if validate_network() returns an int
        // there too — if it is a string this branch always rejects. TODO confirm.
        $subnet_test = $long_gateway & $long_mask;
        if ($subnet_test !== $long_start_ip) {
            $dbo->rollBack();
            $notice = 'invalidip';
            $guidance = urlencode($guidance);
            header("Location: subnets.php?op=add&block_id={$block_id}&name={$name}&ip={$ip}&gateway={$gateway}&acl_start={$acl_start}&acl_end={$acl_end}¬e={$note}&guidance={$guidance}¬ice={$notice}");
            exit;
        }
        $validate_gateway = validate_static_ip($gateway);
        if ($validate_gateway['0'] === false) {
            $dbo->rollBack();
            $notice = $validate_gateway['error'];
            $guidance = urlencode($guidance);
            header("Location: subnets.php?op=add&block_id={$block_id}&name={$name}&ip={$ip}&gateway={$gateway}&acl_start={$acl_start}&acl_end={$acl_end}¬e={$note}&guidance={$guidance}¬ice={$notice}");
            exit;
        }
        $sql = "INSERT INTO statics (ip, name, contact, note, subnet_id, modified_by, modified_at) \r\n VALUES('{$long_gateway}', 'Gateway', 'Network Admin', 'Default Gateway', '{$subnet_id}', '{$username}', now())";
        $dbo->query($sql);
    }
    $dbo->commit();
    $cidr = subnet2cidr($long_start_ip, $long_mask);
    $accesslevel = "3";
    $message = "Subnet {$name} ({$cidr}) has been created";
    AccessControl($accesslevel, $message);
    // No need to generate logs when nothing is really happening. This
    // goes down here where we know stuff has actually been written. Access
    // Control actually happened before submit_subnet() was called.
    $notice = "subnetadded-notice";
    header("Location: subnets.php?block_id={$block_id}¬ice={$notice}");
    exit;
}
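function edit_acl()
{
    // Rename an ACL entry from an inline-edit request.
    //
    // Inputs: $_GET['acl_id'] (numeric) and $_POST['value']. Failures answer
    // HTTP 400 with a localised message; on success the stored name is echoed.
    global $COLLATE;
    $dbo = getdbo();
    include 'include/validation_functions.php';

    $acl_id = isset($_GET['acl_id']) && is_numeric($_GET['acl_id']) ? $_GET['acl_id'] : '';
    $value = isset($_POST['value']) ? $_POST['value'] : '';
    if (empty($acl_id)) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }

    $result = validate_text($value, 'aclname');
    if ($result['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$result['error']];
        exit;
    }
    $value = $result['1'];

    // The owning subnet's name is only needed for the audit log, but the
    // lookup doubles as the existence check for the ACL row: no subnet name
    // means no such ACL id.
    $stmt = $dbo->prepare("SELECT name FROM subnets WHERE id=(SELECT subnet_id FROM acl WHERE id=?)");
    $stmt->execute(array($acl_id));
    $subnet_name = $stmt->fetchColumn();
    if ($subnet_name === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected']['invalidrequest'];
        exit;
    }
    collate_log('3', "ACL statement name updated in {$subnet_name} subnet");

    // Bound parameters instead of interpolating the request text into SQL.
    $stmt = $dbo->prepare("UPDATE acl SET name=? where id=?");
    $stmt->execute(array($value, $acl_id));
    echo $value;
    exit;
}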
// was really submitted. if (isset($_POST['addcoupon'])) { $selectproduct = $_COOKIE['selectproduct']; //get values from the form $name = $_POST['name']; $amount = $_POST['amount']; $sdate = $_POST['sdate']; $edate = $_POST['edate']; //validation if (!validate_discount($amount)) { error_message("Can't create zero value coupon!"); $valid_discount = 0; } else { $valid_discount = 1; } if (!validate_text($name)) { error_message("Name can't be blank!"); $valid_name = 0; } else { $valid_name = 1; } if (!validate_cost($amount)) { error_message("Amount can't be blank!"); $valid_amount = 0; } else { $valid_amount = 1; } if (!validate_date($sdate)) { error_message("Start date can't be blank!"); $valid_sdate = 0; } else {
//if validation is successful if (!validate_name(htmlspecialchars($_POST['firstname']))) { error_message("Check entry for first name<br/>"); $valid_fname = 0; } else { $firstname = htmlspecialchars($_POST['firstname']); $valid_fname = 1; } if (!validate_name(htmlspecialchars($_POST['lastname']))) { error_message("Check entry for last name<br/>"); $valid_lname = 0; } else { $lastname = htmlspecialchars($_POST['lastname']); $valid_lname = 1; } if (!validate_text(0, htmlspecialchars($_POST['logonName']))) { error_message("Check entry for Logon Username<br/>"); $valid_logonName = 0; } else { $logonName = htmlspecialchars($_POST['logonName']); $valid_logonName = 1; } if (!empty($_POST['password'])) { if ($_POST['password'] != $_POST['confirmpassword']) { error_message("Passwords do not match!"); $valid_password = 0; } if (!validate_password(htmlspecialchars($_POST['password']))) { error_message("Check entry for password"); $valid_password = 0; } else {
function validate_caption($val)
{
    // Captions follow the generic free-text rules; whatever validate_text()
    // decides is handed back unchanged.
    $outcome = validate_text($val);
    return $outcome;
}
function chk_address($val)
{
    // Check an address string: at most 80 bytes and accepted by validate_text().
    // On failure an error code is recorded via $this->CI->error and false is
    // returned, so this is evidently meant to run as a method on an object
    // holding a CI instance; as a plain function $this is not defined.
    require_once 'Tuxedo/inc/forbidden_words.inc.php'; // nothing from it is referenced in this body
    // strlen() counts bytes, not characters, so multibyte text hits the limit sooner.
    if (strlen($val) > 80) {
        $this->CI->error->set_error('10058');
        return false;
    }
    if (!validate_text($val)) {
        $this->CI->error->set_error('10049');
        return false;
    }
    return true;
}
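function edit_api_key_description()
{
    // Update the free-text description stored against an API key.
    //
    // Inputs: $_GET['apikey'] (checked by validate_api_key(), which also
    // returns the current description) and $_POST['value']. Failures answer
    // HTTP 400 with a localised message; on success the new text is echoed
    // and the change is written to the audit log.
    global $COLLATE;
    $dbo = getdbo();
    include 'include/validation_functions.php';

    $apikey = isset($_GET['apikey']) ? $_GET['apikey'] : '';
    $value = isset($_POST['value']) ? $_POST['value'] : '';

    $return = validate_api_key($apikey);
    if ($return['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$return['error']];
        exit;
    }
    $old_description = $return['description'];

    $return = validate_text($value, 'apidescription');
    if ($return['0'] === false) {
        header("HTTP/1.1 400 Bad Request");
        echo $COLLATE['languages']['selected'][$return['error']];
        exit;
    }
    $value = $return['1'];

    // Both the description and the key are bound, so neither the posted text
    // nor the key's format can change the statement.
    $stmt = $dbo->prepare("update `api-keys` set description=? where apikey=?");
    $stmt->execute(array($value, $apikey));
    echo $value;
    collate_log('5', "Settings Updated: API key description changed from \"{$old_description}\" to \"{$value}\"");
    exit;
}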
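function submit_acl()
{
    // Handle the "add ACL range" form for a subnet.
    //
    // Inputs: $_GET['subnet_id'] (numeric) and $_POST acl_name/acl_start/
    // acl_end. Every outcome is a redirect: an invalid subnet id goes to
    // blocks.php, validation failures back to statics.php with the error key
    // as ?notice=, success back to statics.php with 'acladded-notice'.
    global $dbo;
    include 'include/validation_functions.php';

    $subnet_id = isset($_GET['subnet_id']) && is_numeric($_GET['subnet_id']) ? $_GET['subnet_id'] : '';
    $acl_name = isset($_POST['acl_name']) ? $_POST['acl_name'] : '';
    $acl_start = isset($_POST['acl_start']) ? $_POST['acl_start'] : '';
    $acl_end = isset($_POST['acl_end']) ? $_POST['acl_end'] : '';

    if (empty($subnet_id)) {
        $notice = "invalidrequest";
        header("Location: blocks.php?notice={$notice}");
        exit;
    }
    // The notice parameter is joined with "&notice=", matching the blocks.php
    // redirect above; the former "¬ice=" bytes produced a broken query string.
    if (empty($acl_name) || empty($acl_start) || empty($acl_end)) {
        $notice = "blankfield-notice";
        header("Location: statics.php?subnet_id={$subnet_id}&notice={$notice}");
        exit;
    }

    $result = validate_text($acl_name, 'aclname');
    if ($result['0'] === false) {
        $notice = $result['error'];
        header("Location: statics.php?subnet_id={$subnet_id}&notice={$notice}");
        exit;
    }
    $acl_name = $result['1'];

    // validate_ip_range() also resolves the subnet's name for the log entry.
    $result = validate_ip_range($acl_start, $acl_end, 'acl', $subnet_id);
    if ($result['0'] === false) {
        $notice = $result['error'];
        header("Location: statics.php?subnet_id={$subnet_id}&notice={$notice}");
        exit;
    }
    $long_acl_start = $result['long_start_ip'];
    $long_acl_end = $result['long_end_ip'];
    $subnet_name = $result['subnet_name'];

    AccessControl('3', "{$acl_name} ACL for {$subnet_name} subnet edited");
    // Bound parameters instead of interpolating the posted values into SQL.
    $stmt = $dbo->prepare("INSERT INTO acl (name, start_ip, end_ip, subnet_id) VALUES (?, ?, ?, ?)");
    $stmt->execute(array($acl_name, $long_acl_start, $long_acl_end, $subnet_id));

    $notice = "acladded-notice";
    header("Location: statics.php?subnet_id={$subnet_id}&notice={$notice}");
    exit;
}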
function read_in_csv_row($row)
{
    // Validate one parsed CSV record and turn it into an INSERT statement.
    //
    // $row is the field list of one line (formats below). Returns an array with
    // 'error' => true and an 'errormessage' language key on any validation
    // failure, or 'error' => false and the SQL text in 'sql' on success; the
    // caller executes that statement.
    //
    // NOTE(review): the SQL is built by interpolating the fields after
    // validate_text() has filtered them; that filtering is the only thing
    // between the file's content and the statement. Returning bound values
    // alongside a parameterised statement would remove the dependency, but it
    // changes the contract with the caller that runs 'sql'.
    global $COLLATE;
    global $dbo;
    $recordtype = $row['0'];
    $fieldcount = count($row);
    $result = array();
    /*
     * Record format:
     * block: (5 fields)
     * 'block','$block_name','$start_ip','$end_ip','$block_note'
     *
     * subnet: (5 fields)
     * 'subnet','$block_name','$subnet_name','$subnet','$subnet_note'
     *
     * acl: (4 fields)
     * 'acl','$acl_name','$start_ip','$end_ip'
     *
     * static ip: (5 fields)
     * 'static','$static_name','$ip_address','$static_contact','$static_note'
     */
    // && binds tighter than ||, so this is four (type, wrong count) pairs. A
    // record type outside these four is not counted here at all and falls
    // through to the final else branch below.
    if ($recordtype == 'block' && $fieldcount != '5' || $recordtype == 'subnet' && $fieldcount != '5' || $recordtype == 'acl' && $fieldcount != '4' || $recordtype == 'static' && $fieldcount != '5') {
        $result['error'] = true;
        $result['errormessage'] = 'badfieldcount';
        return $result;
    }
    $last_modified_by = !isset($COLLATE['user']['username']) ? 'system' : $COLLATE['user']['username'];
    if ($recordtype == 'block') {
        $block_name = $row['1'];
        $block_start_ip = $row['2'];
        $block_end_ip = $row['3'];
        $block_note = $row['4'];
        $validate = validate_text($block_name, 'blockname');
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $block_name = $validate['1'];
        }
        $query_result = $dbo->query("SELECT id from blocks where name='{$block_name}'");
        if ($query_result->rowCount() != '0') {
            $result['error'] = true;
            $result['errormessage'] = 'duplicatename';
            return $result;
        }
        // Three block shapes: no addresses, a single network, or a start/end range.
        if (preg_match('/^\\s*$/', $block_start_ip) && preg_match('/^\\s*$/', $block_end_ip)) {
            // block with no associated IP information
            $block_start_ip = '';
            $block_long_start_ip = '';
            $block_end_ip = '';
            $block_long_end_ip = '';
        } elseif (empty($block_end_ip) || ip2decimal($block_end_ip) === false) {
            // subnet
            $validate = validate_network($block_start_ip, 'block');
            if ($validate['0'] === false) {
                $result['error'] = true;
                $result['errormessage'] = $validate['error'];
                return $result;
            } else {
                $block_start_ip = $validate['start_ip'];
                $block_long_start_ip = $validate['long_start_ip'];
                $block_end_ip = $validate['end_ip'];
                $block_long_end_ip = $validate['long_end_ip'];
            }
        } else {
            // range
            $validate = validate_ip_range($block_start_ip, $block_end_ip, 'block');
            if ($validate['0'] === false) {
                $result['error'] = true;
                $result['errormessage'] = $validate['error'];
                return $result;
            } else {
                $block_start_ip = $validate['start_ip'];
                $block_long_start_ip = $validate['long_start_ip'];
                $block_end_ip = $validate['end_ip'];
                $block_long_end_ip = $validate['long_end_ip'];
            }
        }
        $validate = validate_text($block_note, 'note');
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $block_note = $validate['1'];
        }
        // This branch returns $row_result; the other branches use $return. Same shape.
        $row_result['error'] = false;
        $row_result['sql'] = "INSERT INTO blocks (name, start_ip, end_ip, note, modified_by, modified_at) \r\n\t VALUES('{$block_name}', '{$block_long_start_ip}', '{$block_long_end_ip}', '{$block_note}', '{$last_modified_by}', now())";
        return $row_result;
    } elseif ($recordtype == 'subnet') {
        $block_name = $row['1'];
        $subnet_name = $row['2'];
        $subnet = $row['3'];
        $subnet_note = $row['4'];
        $validate = validate_text($block_name, 'blockname');
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $block_name = $validate['1'];
        }
        // The parent block is referenced by name in the file and resolved to its id here.
        $query_result = $dbo->query("SELECT id from blocks where name='{$block_name}'");
        if ($query_result->rowCount() != '1') {
            $result['error'] = true;
            $result['errormessage'] = 'blocknotfound';
            return $result;
        } else {
            $block_id = $query_result->fetchColumn();
        }
        $validate = validate_text($subnet_name, 'subnetname');
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $subnet_name = $validate['1'];
        }
        $validate = validate_network($subnet);
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $subnet_start_ip = $validate['start_ip'];
            $subnet_long_start_ip = $validate['long_start_ip'];
            $subnet_end_ip = $validate['end_ip'];
            $subnet_long_end_ip = $validate['long_end_ip'];
            $subnet_mask = $validate['mask'];
            $subnet_long_mask = $validate['long_mask'];
        }
        $validate = validate_text($subnet_note, 'note');
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $subnet_note = $validate['1'];
        }
        $return['error'] = false;
        $return['sql'] = "INSERT INTO subnets (name, start_ip, end_ip, mask, note, block_id, modified_by, modified_at) \r\n VALUES('{$subnet_name}', '{$subnet_long_start_ip}', '{$subnet_long_end_ip}', '{$subnet_long_mask}', \r\n\t\t\t\t\t '{$subnet_note}', '{$block_id}', '{$last_modified_by}', now())";
        return $return;
    } elseif ($recordtype == 'acl') {
        $acl_name = $row['1'];
        $acl_start_ip = $row['2'];
        $acl_end_ip = $row['3'];
        // Validated with the 'blockname' rule set rather than 'aclname' — presumably intentional; verify.
        $validate = validate_text($acl_name, 'blockname');
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $acl_name = $validate['1'];
        }
        // With a null subnet id, validate_ip_range() is expected to find the
        // subnet from the range itself and return it as 'subnet_id'.
        $validate = validate_ip_range($acl_start_ip, $acl_end_ip, 'acl', null);
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $subnet_id = $validate['subnet_id'];
            $acl_start_ip = $validate['start_ip'];
            $acl_long_start_ip = $validate['long_start_ip'];
            $acl_end_ip = $validate['end_ip'];
            $acl_long_end_ip = $validate['long_end_ip'];
        }
        $return['error'] = false;
        $return['sql'] = "INSERT INTO acl (name, start_ip, end_ip, subnet_id) \r\n\t VALUES ('{$acl_name}', '{$acl_long_start_ip}', '{$acl_long_end_ip}', '{$subnet_id}')";
        return $return;
    } else {
        // $recordtype == static
        // Reached for 'static' and for any unrecognised record type, whose
        // field count was not checked above (so $row['3']/$row['4'] may be unset).
        $static_name = $row['1'];
        $static_ip = $row['2'];
        $static_long_ip = ip2decimal($static_ip);
        $static_contact = $row['3'];
        $static_note = $row['4'];
        $validate = validate_text($static_name, 'staticname');
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $static_name = $validate['1'];
        }
        if ($static_long_ip === false) {
            $result['error'] = true;
            $result['errormessage'] = 'invalidip';
            return $result;
        }
        // Find the one subnet whose network address equals ip & mask.
        $sql = "SELECT id from subnets where CAST('{$static_long_ip}' AS UNSIGNED) & CAST(mask AS UNSIGNED) = CAST(start_ip AS UNSIGNED)";
        $subnet_result = $dbo->query($sql);
        if ($subnet_result->rowCount() != '1') {
            $result['error'] = true;
            $result['errormessage'] = 'subnetnotfound';
            return $result;
        } else {
            $subnet_id = $subnet_result->fetchColumn();
        }
        // Make sure the static IP isn't in use already or excluded from use via an ACL
        $validate = validate_static_ip($static_ip);
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        }
        $validate = validate_text($static_contact, 'contact');
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $static_contact = $validate['1'];
        }
        $validate = validate_text($static_note, 'note');
        if ($validate['0'] === false) {
            $result['error'] = true;
            $result['errormessage'] = $validate['error'];
            return $result;
        } else {
            $static_note = $validate['1'];
        }
        $return['error'] = false;
        $return['sql'] = "INSERT INTO statics (ip, name, contact, note, subnet_id, modified_by, modified_at)\r\n VALUES('{$static_long_ip}', '{$static_name}', '{$static_contact}', '{$static_note}', \r\n\t\t\t\t\t '{$subnet_id}', '{$last_modified_by}', now())";
        return $return;
    }
    // We should never get here
    exit;
}
function submit_block()
{
    // Handle the "add block" / "modify block" form. Validates the posted
    // fields, checks name uniqueness (add) or existence (modify), resolves the
    // parent block, refuses modifications that would orphan child blocks or
    // subnets, then runs one INSERT or UPDATE and redirects.
    //
    // NOTE(review): $block_id and $parent_block are interpolated into SQL
    // without a numeric check (the preg_match below never rejects anything,
    // see there); name/note pass through validate_text() first. Prepared
    // statements with bound values would close this.
    #validation here might look messy, but it's essentially in order of parameters listed below by
    # 1. all checks that don't require db lookups
    # 2. all other checks
    global $COLLATE;
    global $dbo;
    include 'include/validation_functions.php';
    $block_id = isset($_POST['block_id']) ? $_POST['block_id'] : '';
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $note = isset($_POST['note']) ? $_POST['note'] : ''; # this input is optional
    $ip = isset($_POST['ip']) ? $_POST['ip'] : '';
    $end_ip = isset($_POST['end_ip']) ? $_POST['end_ip'] : '';
    // Unlike the other handlers, the actor is taken from $_SESSION, not $COLLATE.
    $username = empty($_SESSION['username']) ? 'system' : $_SESSION['username'];
    // Absent field => false (add). Any present value, including the string
    // 'false', is !== false and truthy, so it is treated as an update below.
    $update_block = isset($_POST['update_block']) ? $_POST['update_block'] : false;
    $submit_op = $update_block == 'true' ? "modify&block_id={$block_id}" : 'add';
    $parent_block = isset($_POST['parent_block']) ? $_POST['parent_block'] : '';
    $block_type = isset($_POST['block_type']) ? $_POST['block_type'] : '';
    if ($block_type == 'container') {
        #containers don't have IP ranges associated with them
        $ip = '';
        $end_ip = '';
    }
    // Redirects re-populate the form with the raw field values. The "¬e"/"¬ice"
    // bytes look like "&note"/"&notice" mis-decoded through the "&not" entity
    // in this copy — confirm against the original source.
    if (empty($name) || !empty($end_ip) && empty($ip) || empty($block_type)) {
        $notice = "missingfield-notice";
        header("Location: blocks.php?op={$submit_op}&name={$name}&ip={$ip}&end_ip={$end_ip}¬e={$note}&block_type={$block_type}&parent_block={$parent_block}¬ice={$notice}");
        exit;
    }
    // "/[0-9]*/" matches zero or more digits anywhere, i.e. every string, so
    // this only ever rejects an empty parent_block; 'null' is the "no parent" marker.
    if (empty($parent_block) || !preg_match("/[0-9]*/", $parent_block) && $parent_block != 'null') {
        $notice = "invalidrequest";
        header("Location: blocks.php?notice={$notice}");
        exit;
    }
    $return = validate_text($name, 'blockname');
    if ($return['0'] === false) {
        $notice = $return['error'];
        header("Location: blocks.php?op={$submit_op}&name={$name}&ip={$ip}&end_ip={$end_ip}¬e={$note}&block_type={$block_type}&parent_block={$parent_block}¬ice={$notice}");
        exit;
    } else {
        $name = $return['1'];
    }
    unset($return);
    if (!preg_match('/^container$|^ipv4$/', $block_type)) {
        $notice = 'invalidrequest';
        header("Location: blocks.php?op={$submit_op}&name={$name}&ip={$ip}&end_ip={$end_ip}¬e={$note}&parent_block={$parent_block}¬ice={$notice}");
        exit;
    }
    if ($update_block === false) {
        # checking for duplicate block name
        $sql = "SELECT id from blocks where name='{$name}'";
        $result = $dbo->query($sql);
        if ($result->rowCount() != '0') {
            // A 400 status followed by a Location header; which status the
            // client finally sees depends on PHP's header handling — verify.
            header("HTTP/1.1 400 Bad Request");
            $notice = 'duplicatename';
            header("Location: blocks.php?op={$submit_op}&name={$name}&ip={$ip}&end_ip={$end_ip}¬e={$note}&block_type={$block_type}&parent_block={$parent_block}¬ice={$notice}");
            exit;
        }
    } else {
        # checking that we're updating a block that actually exists
        $sql = "SELECT name FROM blocks WHERE id='{$block_id}'";
        $result = $dbo->query($sql);
        if ($result->rowCount() != '1') {
            header("HTTP/1.1 400 Bad Request");
            $notice = 'selectblock';
            header("Location: blocks.php?notice={$notice}");
            exit;
        }
        $old_block_name = $result->fetchColumn();
    }
    $return = validate_text($note, 'note');
    if ($return['0'] === false) {
        $notice = $return['error'];
        header("Location: blocks.php?op={$submit_op}&name={$name}&ip={$ip}&end_ip={$end_ip}¬e={$note}&block_type={$block_type}&parent_block={$parent_block}¬ice={$notice}");
        exit;
    } else {
        $note = $return['1'];
    }
    unset($return);
    // Address input is optional (containers cleared it above). When absent,
    // $long_start_ip / $long_end_ip stay unset and interpolate as empty below.
    if (empty($end_ip) && !empty($ip)) {
        # subnet supplied
        $return = validate_network($ip, 'block', $block_id);
    } elseif (!empty($ip)) {
        # range supplied
        $return = validate_ip_range($ip, $end_ip, 'block', $block_id);
    }
    if (isset($return) && $return['0'] === false) {
        $notice = $return['error'];
        header("Location: blocks.php?op={$submit_op}&name={$name}&ip={$ip}&end_ip={$end_ip}¬e={$note}&block_type={$block_type}&parent_block={$parent_block}¬ice={$notice}");
        exit;
    } elseif (isset($return)) {
        $long_start_ip = $return['long_start_ip'];
        $long_end_ip = $return['long_end_ip'];
    }
    unset($return);
    $result = '';
    // $parent_id is spliced into the SQL unquoted, so it carries its own
    // quotes for a real id and the bare keyword null otherwise.
    if ($parent_block != 'null') {
        $sql = "SELECT id FROM blocks WHERE id='{$parent_block}'";
        $result = $dbo->query($sql);
        if ($result->rowCount() != '1') {
            $notice = "invalidrequest";
            header("Location: blocks.php?notice={$notice}");
            exit;
        }
        $parent_id = "'{$parent_block}'";
    } else {
        $parent_id = 'null';
    }
    if ($update_block === false) {
        # new block
        $old_parent_block = $parent_block; #we're going to redirect the user to the block they put this block into
    } else {
        $sql = "SELECT parent_id FROM blocks WHERE id='{$block_id}'";
        $result = $dbo->query($sql);
        $old_parent_block = $result->fetchColumn();
    }
    # If we're changing an existing block, we must make sure we don't orphan a child object
    if ($update_block !== false) {
        if ($block_type == 'ipv4' && find_child_blocks($block_id) !== false) {
            $notice = 'wouldorphanblocks';
            header("Location: blocks.php?op={$submit_op}&name={$name}&ip={$ip}&end_ip={$end_ip}¬e={$note}¬ice={$notice}");
            exit;
        } elseif ($block_type == 'container') {
            # just check this block for subnets
            $sql = "SELECT count(*) FROM subnets where block_id='{$block_id}'";
            $result = $dbo->query($sql);
            if ($result->fetchColumn() != '0') {
                $notice = 'wouldorphansubnets';
                header("Location: blocks.php?op={$submit_op}&name={$name}&ip={$ip}&end_ip={$end_ip}¬e={$note}&parent_block={$parent_block}¬ice={$notice}");
                exit;
            }
        }
    }
    if ($update_block) {
        $sql = "UPDATE blocks SET name='{$name}', start_ip='{$long_start_ip}', end_ip='{$long_end_ip}', note='{$note}', modified_by='{$username}', modified_at=now(),\r\n parent_id={$parent_id}, type='{$block_type}' WHERE id='{$block_id}'";
    } else {
        $sql = "INSERT INTO blocks (name, start_ip, end_ip, note, modified_by, modified_at, parent_id, type) \r\n\t VALUES('{$name}', '{$long_start_ip}', '{$long_end_ip}', '{$note}', '{$username}', now(), {$parent_id}, '{$block_type}')";
    }
    $accesslevel = "4";
    $message = $update_block ? "IP Block updated: {$name}" : "IP Block added: {$name}";
    // $old_block_name is only set on the update path, so for a new block the
    // comparison is against an unset value and "(previously )" is appended.
    $message .= $name != $old_block_name ? "(previously {$old_block_name})" : '';
    AccessControl($accesslevel, $message);
    // We don't want to generate logs when nothing is really happening, so this goes down here.
    $dbo->query($sql);
    $notice = $update_block ? 'blockupdated-notice' : 'blockadded-notice';
    if ($old_parent_block == 'null') {
        header("Location: blocks.php?notice={$notice}");
    } else {
        header("Location: blocks.php?block_id={$old_parent_block}¬ice={$notice}");
    }
    exit;
}
<?php
// User-administration dispatcher. Requires access level 5, validates the
// ?username= parameter, checks that exactly one matching user exists, then
// dispatches on ?op=. $COLLATE and $dbo are not defined here — presumably
// they come from include/common.php.
require_once 'include/common.php';
AccessControl('5', null, false); # null means no log, false means don't redirect
include 'include/validation_functions.php';
$op = empty($_GET['op']) ? 'default' : $_GET['op'];
$username = isset($_GET['username']) ? $_GET['username'] : '';
$result = validate_text($username, 'username');
if ($result['0'] === false) {
    header("HTTP/1.1 400 Bad Request");
    echo $COLLATE['languages']['selected'][$result['error']];
    exit;
} else {
    $username = $result['1'];
}
// As written this counts users literally named '******'; in this copy that
// looks like a redacted "{$username}" interpolation. Either way the lookup
// should bind the name with prepare()/execute() rather than interpolate it.
$sql = "select count(*) from users where username='******'";
$result = $dbo->query($sql);
$count = $result->fetchColumn();
if ($count != '1') {
    header("HTTP/1.1 400 Bad Request");
    echo $COLLATE['languages']['selected']['invalidrequest'];
    exit;
}
// delete_user() is reached through a plain GET parameter and takes no
// arguments here; confirm it re-checks the request (and any CSRF token)
// itself, since nothing on this page does.
switch ($op) {
    case "deleteuser":
        delete_user();
        break;
    default:
        exit;
}
function submit_user()
{
    // Handle the "add user" / "edit user" form. Validates the posted contact
    // fields and language, checks the username against the users table, then
    // runs one INSERT or UPDATE and redirects to the edit page.
    //
    // NOTE(review): the temporary password is stored as an unsalted sha1();
    // password_hash()/password_verify() is the appropriate primitive.
    // NOTE(review): values are interpolated into the SQL below; only the
    // validate_text() filtering stands between the form and the statement,
    // and $username itself is never replaced by validate_text()'s cleaned
    // value (the ['1'] element is not read back, unlike the other handlers).
    global $COLLATE;
    global $dbo;
    include 'include/validation_functions.php';
    # validations are organized by all checks that don't require db lookups, then all that do
    # in the order that the vars are listed below
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $tmppasswd = isset($_POST['tmppasswd']) && !empty($_POST['tmppasswd']) ? sha1(clean($_POST['tmppasswd'])) : '';
    $phone = isset($_POST['phone']) ? $_POST['phone'] : '';
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $language = isset($_POST['languages']) ? $_POST['languages'] : '';
    // Anything other than a single digit 0-5 becomes '' and is stored as such.
    $perms = isset($_POST['perms']) && preg_match("/^[012345]{1}\$/", $_POST['perms']) ? $_POST['perms'] : '';
    $locked = isset($_POST['locked']) ? 'on' : 'off';
    // A locked account is represented by a login-attempt count of 9.
    $loginattempts = $locked == 'on' ? '9' : '0';
    $ldapexempt = isset($_POST['ldapexempt']) && $_POST['ldapexempt'] == "on" ? true : false;
    // The regex is unanchored and accepts "false" too, so ?edit=false also
    // selects the edit path; only an absent/unmatched parameter means "add".
    $edit = isset($_GET['edit']) && preg_match("/true|false/", $_GET['edit']) ? true : false;
    $logged_in_user = isset($COLLATE['user']['username']) ? $COLLATE['user']['username'] : '';
    // Editing someone else's record requires level 5; editing your own does not.
    if ($logged_in_user != $username) {
        AccessControl('5', null);
    }
    // The "¬ice" bytes in the redirects look like "&notice" mis-decoded
    // through the "&not" entity in this copy — confirm against the original.
    if ($edit === false) {
        $return = validate_text($username, 'username');
        if ($return['0'] === false) {
            $notice = $return['error'];
            header("Location: users.php?op=add&username={$username}&phone={$phone}&email={$email}¬ice={$notice}");
            exit;
        }
        $action = 'add';
    } else {
        $action = 'edit';
    }
    $return = validate_text($phone, 'phone');
    if ($return['0'] === false) {
        $notice = $return['error'];
        header("Location: users.php?op={$action}&username={$username}&phone={$phone}&email={$email}¬ice={$notice}");
        exit;
    }
    $return = validate_text($email, 'email');
    if ($return['0'] === false) {
        $notice = $return['error'];
        header("Location: users.php?op={$action}&username={$username}&phone={$phone}&email={$email}¬ice={$notice}");
        exit;
    }
    if (empty($email) && empty($phone)) {
        $notice = "onecontact";
        header("Location: users.php?op={$action}&username={$username}&phone={$phone}&email={$email}¬ice={$notice}");
        exit;
    }
    // Load every language file from the fixed languages/ directory; each is
    // expected to populate $languages[<code>]['isocode'].
    foreach (glob("languages/*.php") as $filename) {
        include $filename;
    }
    if (!isset($languages[$language]['isocode']) || $language != $languages[$language]['isocode']) {
        header("Location: users.php?op={$action}&username={$username}&phone={$phone}&email={$email}¬ice=invalidrequest");
        exit;
    }
    // As written this looks up the literal name '******'; in this copy that
    // looks like a redacted "{$username}" interpolation (same below).
    $test = $dbo->query("SELECT id FROM users WHERE username='******'");
    if ($test->rowCount() > "0" && $edit === false) {
        #duplicate user
        $notice = "nameconflict-notice";
        header("Location: users.php?op=add&username={$username}&phone={$phone}&email={$email}¬ice={$notice}");
        exit;
    } elseif ($test->rowCount() !== 1 && $edit !== false) {
        #can't edit a user that doesn't exist
        $notice = "invalidrequest";
        header("Location: users.php?op=add&username={$username}&phone={$phone}&email={$email}¬ice={$notice}");
        exit;
    }
    if ($edit === false) {
        $sql = "INSERT INTO users (username, tmppasswd, accesslevel, phone, email, loginattempts, ldapexempt, language) \r\n VALUES('{$username}', '{$tmppasswd}', '{$perms}', '{$phone}', '{$email}', '{$loginattempts}', '{$ldapexempt}', '{$language}')";
    } else {
        // Level-5 users (or a permissive settings value — meaning of
        // $COLLATE['settings']['perms'] not visible here) may change access
        // level, lock state, LDAP exemption and password; others only contact info.
        if ($COLLATE['user']['accesslevel'] == '5' || $COLLATE['settings']['perms'] > '5') {
            #can update all vars
            if (empty($tmppasswd)) {
                $sql = "UPDATE users SET accesslevel='{$perms}', phone='{$phone}', email='{$email}', loginattempts='{$loginattempts}', \r\n\t\t ldapexempt='{$ldapexempt}', language='{$language}' \r\n\t WHERE username='******'";
            } else {
                $sql = "UPDATE users SET tmppasswd='{$tmppasswd}', accesslevel='{$perms}', phone='{$phone}',\r\n\t email='{$email}', loginattempts='{$loginattempts}', ldapexempt='{$ldapexempt}', language='{$language}' \r\n\t WHERE username='******'";
            }
        } else {
            # can only update basic info
            $sql = "UPDATE users SET username='******', phone='{$phone}', email='{$email}', language='{$language}' \r\n\t WHERE username='******'";
        }
    }
    if ($edit === false) {
        $message = "User added: {$username}";
        $notice = "useradded-notice";
    } else {
        $message = "User updated: {$username}";
        $notice = "userupdated-notice";
    }
    collate_log('5', $message); // adds and modifications are always logged
    $dbo->query($sql);
    header("Location: users.php?op=edit&username={$username}¬ice={$notice}");
    exit;
}