$sql = "UPDATE {$db_prefix}players SET plLoginCounter = " . ++$iLoginCounter . " " . "WHERE plEmail LIKE '" . ba_db_real_escape_string($link, $sEmail) . "'"; //Log failed login attempt $sLogWarn = "Failed login attempt\nE-mail: {$sEmail}\n" . "Attempt was made from IP address {$_SERVER['REMOTE_ADDR']}"; LogWarning($sLogWarn); //Check for too many failed logins if ($iLoginCounter > LOGIN_TRIES && $row['plPassword'] != 'ACCOUNT DISABLED') { //Change SQL query so that plPassword and plLoginCounter are both updated $sql = "UPDATE {$db_prefix}players SET plPassword = '******', plLoginCounter = " . $iLoginCounter . " WHERE plEmail LIKE '" . ba_db_real_escape_string($link, $sEmail) . "'"; $sMessage = "You have entered an incorrect password too many times. Your account has been disabled.<br>" . "An e-mail has been sent to your e-mail address with instructions on how to re-enable your account."; //E-mail user $sBody = "This is an automated message from " . SYSTEM_NAME . ". Your account has been disabled, because " . "an incorrect password was entered too many times. You can re-enable your account by resetting your " . "password (Follow the 'Get a new password' link from the front page). If you have any problems, " . "please contact " . TECH_CONTACT_NAME . " at " . TECH_CONTACT_MAIL . " to have your account re-enabled.\n\n" . fnSystemURL(); mail($sEmail, SYSTEM_NAME . ' - account disabled', $sBody, "From:" . SYSTEM_NAME . " <" . TECH_CONTACT_MAIL . ">"); //E-mail admin and log a warning $sBody = "Account with e-mail address {$sEmail} has been disabled, after too many failed login attempts.\n" . "Latest attempt was from IP address {$_SERVER['REMOTE_ADDR']}\n" . "An e-mail has been sent to the user.\n\n" . fnSystemURL(); mail(TECH_CONTACT_MAIL, SYSTEM_NAME . ' - account disabled', $sBody, "From:" . SYSTEM_NAME . " <" . TECH_CONTACT_MAIL . ">"); LogWarning($sBody); } elseif ($row['plPassword'] == 'ACCOUNT DISABLED') { //Account has been previously disabled. 
Just display message - do not send e-mail $sMessage = "Your account has been disabled. To re-enable it, either <a href = 'retrieve.php'>request a new password</a>" . " or e-mail " . TECH_CONTACT_NAME . ", using the link below"; } //Run query to update plLoginCounter (and plPassword, if account is being disabled) ba_db_query($link, $sql) . $sql; } } else { //User is not logging in, so reset login cookies //Cookies are reset here, but values will not be available until next page load. Note that Lynx (and others?) //do not seem to reset cookies when they are set null value, so we set them to zero, then set them to null setcookie('BA_PlayerID', 0); setcookie('BA_PlayerID', ''); setcookie('BA_LoginTime', 0); setcookie('BA_LoginTime', '');
/**
 * Log a warning message, attributed to this object.
 *
 * Thin wrapper around the global LogWarning(); $this is handed over as the
 * second argument (presumably the originating object - confirm against the
 * LogWarning() signature, which is not visible here).
 *
 * @param string $message The warning text.
 */
function warn($message)
{
    $source = $this;
    LogWarning($message, $source);
}
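| | You should have received a copy of the GNU General Public License along with | Bitsand. If not, see <http://www.gnu.org/licenses/>. +---------------------------------------------------------------------------*/

// Admin gate for pages that include this file: look up the access level of
// the logged-in player ($PLAYER_ID is expected to be set by the including
// page) and redirect anyone who is neither an admin nor the root user.
//
// $PLAYER_ID is interpolated into SQL, so it is cast to int first; plPlayerID
// is handled as a number everywhere in this listing.
$sql = "SELECT plAccess FROM " . DB_PREFIX . "players WHERE plPlayerID = " . (int) $PLAYER_ID;
LogWarning("SQL to check player is admin:\n{$sql}");
$result = ba_db_query($link, $sql);
$row = ba_db_fetch_assoc($result);

// A failed query or an unknown player leaves no plAccess column; treat that
// as "no access" instead of reading an offset on false/null.
$sAccess = isset($row['plAccess']) ? $row['plAccess'] : '';

// Decide once and use the same decision for the log and for the redirect.
// The original tested "root" differently in the two places: the log required
// $PLAYER_ID != 0, the redirect did not, so a zero ROOT_USER_ID would have let
// a logged-out request (PLAYER_ID 0) through.
$bIsRoot = (ROOT_USER_ID == $PLAYER_ID && $PLAYER_ID != 0);
$bIsAdmin = ($sAccess === 'admin');

//Redirect to start page if user is not an admin
//Note that root user is also an admin
$inc_admin_log = "Checking user is an admin\n";
$inc_admin_log .= "ROOT_USER_ID: " . ROOT_USER_ID . "\n";
$inc_admin_log .= '$PLAYER_ID: ' . "{$PLAYER_ID}\n";
$inc_admin_log .= '$row ["plAccess"] : ' . $sAccess . "\n";
if ($bIsRoot) {
    $inc_admin_log .= "User is root\n";
} elseif ($bIsAdmin) {
    $inc_admin_log .= "User is an admin\n";
} else {
    $inc_admin_log .= "User is NOT an admin\n";
}
LogWarning($inc_admin_log);

if (!$bIsRoot && !$bIsAdmin) {
    LogWarning("Player ID {$PLAYER_ID} tried to access an admin-only page (" . basename($_SERVER["SCRIPT_FILENAME"]) . ")\n");
    //Make up URL & redirect
    $sURL = SYSTEM_URL . 'start.php?warn=' . urlencode('You do not have permission to access that page');
    header("Location: {$sURL}");
    // A Location header does not stop execution: without this exit the rest of
    // the admin page would still run and its output would be sent to a client
    // that simply ignores the redirect.
    exit;
}

//If this script is included, then the page is an admin page. Set CSS prefix
$CSS_PREFIX = '../';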
/**
 * Submit a PHP log message through this logger.
 *
 * The PHP error number is mapped to a (level, name) pair via the global
 * $PHP_ERRORTYPES table; unknown numbers are logged and mapped as E_ERROR.
 *
 * @param int $errno The PHP error number.
 * @param string $errmsg The error message.
 * @param string $filename The file the message originated in.
 * @param string $linenum The line number in the file the message
 * originated in.
 */
function submitFromPHP($errno, $errmsg, $filename, $linenum)
{
    global $PHP_ERRORTYPES;

    $known = array_key_exists($errno, $PHP_ERRORTYPES);
    if (!$known) {
        LogWarning("Unknown PHP error type {$errno}, assuming E_ERROR");
    }
    // Element 0 is the logger level, element 1 the human-readable type name.
    $errorType = $PHP_ERRORTYPES[$known ? $errno : E_ERROR];
    $level = $errorType[0];
    $typeName = $errorType[1];

    $location = "{$filename}:{$linenum}";
    $this->submit($level, "{$errno} {$typeName} ({$location}): {$errmsg}");
}
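| Bitsand. If not, see <http://www.gnu.org/licenses/>. +---------------------------------------------------------------------------*/

//Do not need login check for this page
$bLoginCheck = false;
include 'inc/inc_head_db.php';
$db_prefix = DB_PREFIX;

// Get POST into variables. Missing fields default to empty so a bare request
// raises no undefined-index notices (it still fails the credential check).
$email = isset($_POST['email']) ? $_POST['email'] : '';
$password = sha1((isset($_POST['password']) ? $_POST['password'] : '') . PW_SALT);
$ic = isset($_POST['ic']) ? (int) $_POST['ic'] : 0;

//Set up & run query
// NOTE(review): in this listing the password is compared against a literal
// placeholder and $password is never used - that looks like a redaction of the
// listing rather than the real source; confirm the real query binds the salted
// sha1 hash. Also note that, unlike the main login, this endpoint keeps no
// failed-attempt counter, so it is not covered by the account lock-out.
$sql = "SELECT plPlayerID FROM {$db_prefix}players " .
    "WHERE plEmail LIKE '" . ba_db_real_escape_string($link, $email) . "' AND plPassword = '******'";
$result = ba_db_query($link, $sql);

if (ba_db_num_rows($result) > 1) {
    //Log warning if there was more than one row returned.
    // The original logged the whole SQL statement, which embeds the submitted
    // password hash; log only the e-mail address instead.
    LogWarning("export.php - more than one result from e-mail and password\nE-mail: {$email}");
}

if (ba_db_num_rows($result) > 0) {
    //Successfully logged in
    $row = ba_db_fetch_assoc($result);
    // plPlayerID is interpolated into the next query; force it to an integer.
    $id = (int) $row['plPlayerID'];
} else {
    die("ERROR: Wrong e-mail or password");
}

// Export as a CSV file
header("Content-Type: text/csv");

// Get OOC details. The ple* columns are stored AES-encrypted and are decrypted
// by the database using CRYPT_KEY, so the row fetched below holds plaintext
// personal data (address, telephone numbers, medical and emergency details).
$key = CRYPT_KEY;
$sql = "SELECT plFirstName, " .
    "plSurname, " .
    "AES_DECRYPT(pleAddress1, '{$key}') AS dAddress1, " .
    "AES_DECRYPT(pleAddress2, '{$key}') AS dAddress2, " .
    "AES_DECRYPT(pleAddress3, '{$key}') AS dAddress3, " .
    "AES_DECRYPT(pleAddress4, '{$key}') AS dAddress4, " .
    "AES_DECRYPT(plePostcode, '{$key}') AS dPostcode, " .
    "AES_DECRYPT(pleTelephone, '{$key}') AS dTelephone, " .
    "AES_DECRYPT(pleMobile, '{$key}') AS dMobile, " .
    "plEmail, " .
    "plDOB, " .
    "AES_DECRYPT(pleMedicalInfo, '{$key}') AS dMedicalInfo, " .
    "plEmergencyName, " .
    "AES_DECRYPT(pleEmergencyNumber, '{$key}') AS dEmergencyNumber, " .
    "plEmergencyRelationship, " .
    "plCarRegistration, " .
    "plDietary " .
    "FROM {$db_prefix}players WHERE plPlayerID = {$id}";
$result = ba_db_query($link, $sql);
$row = ba_db_fetch_assoc($result);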
$sWarn = ''; $db_prefix = DB_PREFIX; if ($_POST['btnSubmit'] != '' && CheckReferrer('ic_form.php')) { $sNameWarn = IC_Check(); //Character details - check if character exists $sql = "SELECT * FROM {$db_prefix}characters WHERE chPlayerID = {$PLAYER_ID}"; $result = ba_db_query($link, $sql); //If character does not exist insert a row so that UPDATE query will work if (ba_db_num_rows($result) == 0) { $sql = "INSERT INTO {$db_prefix}characters (chPlayerID) VALUES ({$PLAYER_ID})"; if (!ba_db_query($link, $sql)) { $sWarn = "There was a problem updating your IC details"; LogError("Error inserting player ID into characters table prior to running UPDATE query.\nPlayer ID: {$PLAYER_ID}"); } } elseif (ba_db_num_rows($result) > 1) { LogWarning("Multiple rows in characters table with player ID {$PLAYER_ID}"); } if ($_POST['selGroup'] == 'Other (enter name below)') { $sSelGroupName = ''; } else { $sSelGroupName = $_POST['selGroup']; } if ($_POST['selAncestor'] == 'Other (enter name below)') { $sSelAncestorName = ''; } else { $sSelAncestorName = $_POST['selAncestor']; } //Build up UPDATE query if ($sNameWarn == '') { //IC Check passed try to save $sql = "UPDATE {$db_prefix}characters SET chName = '" . ba_db_real_escape_string($link, $_POST['txtCharName']) . "', " . "chPreferredName = '" . ba_db_real_escape_string($link, $_POST['txtPreferredName']) . "', " . "chRace = '" . ba_db_real_escape_string($link, $_POST['selRace']) . "', " . "chGender = '" . ba_db_real_escape_string($link, $_POST['selGender']) . "', " . "chGroupSel = '" . ba_db_real_escape_string($link, $sSelGroupName) . "', " . "chGroupText = '" . ba_db_real_escape_string($link, $_POST['txtGroup']) . "', " . "chFaction = '" . ba_db_real_escape_string($link, $_POST['selFaction']) . "', " . "chAncestor = '" . ba_db_real_escape_string($link, $_POST['txtAncestor']) . "', " . "chAncestorSel = '" . ba_db_real_escape_string($link, $sSelAncestorName) . "', " . "chLocation = '" . 
ba_db_real_escape_string($link, $_POST['selLocation']) . "', " . "chNotes = '" . ba_db_real_escape_string($link, $_POST['txtNotes']) . "', " . "chOSP = '" . ba_db_real_escape_string($link, $_POST['txtSpecial']) . "' " . "WHERE chPlayerID = {$PLAYER_ID}";
} else { $iByPost = 1; } //Set up UPDATE query $refnumber = (int) $_POST["txtRefNumber{$value}"]; $marshal = stripslashes($_POST["cboMarshal{$value}"]); $sEmail = ba_db_real_escape_string($link, SafeEmail($_POST['txtEmail'])); $sql = "UPDATE {$db_prefix}players SET plFirstName = '" . ba_db_real_escape_string($link, $_POST['txtFirstName']) . "', " . "plSurname = '" . ba_db_real_escape_string($link, $_POST['txtSurname']) . "', " . "pleAddress1 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress1']) . "', '{$key}'), " . "pleAddress2 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress2']) . "', '{$key}'), " . "pleAddress3 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress3']) . "', '{$key}'), " . "pleAddress4 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress4']) . "', '{$key}'), " . "plePostcode = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtPostcode']) . "', '{$key}'), " . "pleTelephone = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtPhone']) . "', '{$key}'), " . "pleMobile = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtMobile']) . "', '{$key}'), " . "plEmail = '{$sEmail}', " . "plDOB = '{$dob}', " . "pleMedicalInfo = AES_ENCRYPT('" . ba_db_real_escape_string($link, $sMedInfo) . "', '{$key}'), " . "plEmergencyName = '" . ba_db_real_escape_string($link, $_POST['txtEmergencyName']) . "', " . "pleEmergencyNumber = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtEmergencyNumber']) . "', '{$key}'), " . "plEmergencyRelationship = '" . ba_db_real_escape_string($link, $_POST['txtEmergencyRelationship']) . "', " . "plCarRegistration = '{$sCarReg}', " . "plDietary = '" . ba_db_real_escape_string($link, $_POST['selDiet']) . "', " . "plNotes = '" . ba_db_real_escape_string($link, $_POST['txtNotes']) . "', " . "plAdminNotes = '" . ba_db_real_escape_string($link, $_POST['txtAdminNotes']) . 
"', "; $sql .= "plRefNumber = {$refnumber}, plMarshal = '{$marshal}',"; $sql .= "plEventPackByPost = {$iByPost} "; $sql .= "WHERE plPlayerID = {$admin_player_id}"; //Run UPDATE query if (ba_db_query($link, $sql)) { //Query should affect exactly one row. Log a warning if it affected more if (ba_db_affected_rows($link) > 1) { LogWarning("More than one row updated during admin OOC update (admin_edit_ooc.php). Player ID: {$admin_player_id}"); } //Do not redirect if there are any warnings (required fields not filled in, etc) if ($sWarn == '') { //Make up URL & redirect $sURL = fnSystemURL() . "admin_viewdetails.php?pid={$admin_player_id}&green=" . urlencode("OOC details updated"); header("Location: {$sURL}"); } } else { $sWarn = "There was a problem updating the OOC details"; LogError("Error updating OOC information (admin_edit_ooc.php). Player ID: {$admin_player_id}"); } } //Get existing details if there are any $sql = "SELECT plFirstName, " . "plSurname, " . "AES_DECRYPT(pleAddress1, '{$key}') AS dAddress1, " . "AES_DECRYPT(pleAddress2, '{$key}') AS dAddress2, " . "AES_DECRYPT(pleAddress3, '{$key}') AS dAddress3, " . "AES_DECRYPT(pleAddress4, '{$key}') AS dAddress4, " . "AES_DECRYPT(plePostcode, '{$key}') AS dPostcode, " . "AES_DECRYPT(pleTelephone, '{$key}') AS dTelephone, " . "AES_DECRYPT(pleMobile, '{$key}') AS dMobile, " . "plEmail, " . "plDOB, " . "AES_DECRYPT(pleMedicalInfo, '{$key}') AS dMedicalInfo, " . "plEmergencyName, " . "AES_DECRYPT(pleEmergencyNumber, '{$key}') AS dEmergencyNumber, " . "plEmergencyRelationship, " . "plCarRegistration, " . "plDietary, " . "plNotes, " . "plAdminNotes, " . "plEventPackByPost, " . "plRefNumber, " . "plMarshal " . "FROM {$db_prefix}players WHERE plPlayerID = {$admin_player_id}"; $result = ba_db_query($link, $sql);
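/**
 * Remove an object.
 *
 * Lets the parent class do its removal work first, then runs every DELETE
 * statement the SQL generator produces for this object's configuration
 * against $source. The first failed statement aborts with FALSE.
 *
 * @param ChunsuObject $removeme The object to remove.
 * @param DataSource $source The data source to remove the object from.
 * @return bool TRUE if successful, FALSE otherwise.
 */
function remove(&$removeme, $source)
{
    parent::remove($removeme, $source);
    $gen = new SQLGenerator($removeme->getCore());
    $removequeries = $gen->delete($this->config);

    $cursor = null;
    foreach ($removequeries as $rq) {
        $cursor =& $source->query($rq);
        $rv = $cursor->getNext();
        if (!$rv) {
            LogError("remove query failed! removing " . print_r($removeme, TRUE));
            return FALSE;
        }
    }

    // With no delete statements at all the original dereferenced an undefined
    // $cursor below (a fatal error); report it as a failed removal instead.
    if ($cursor === null) {
        LogError("Remove failed! No delete queries generated removing " . print_r($removeme, TRUE));
        return FALSE;
    }

    // NOTE(review): this reads the last cursor a second time after the loop
    // already consumed one result from it; kept as in the original - confirm
    // the second getNext() is intentional.
    $rv = $cursor->getNext();
    if (!$rv) {
        LogError("Remove failed! Removing " . print_r($removeme, TRUE));
        return FALSE;
    }

    // The original wrote "$rows = $cursor->get(...) > 1", which assigns the
    // boolean result of the comparison to $rows, so the warning always read
    // "1 records deleted". Fetch the count first, then compare.
    $rows = $cursor->get('affected-rows');
    if ($rows > 1) {
        LogWarning("{$rows} records deleted removing " . print_r($removeme, TRUE));
    }

    $removeme->is_new = $removeme->config->get('create-on-save');
    return TRUE;
}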
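/**
 * Check that a form was submitted from one of the expected pages.
 *
 * The Referer header is reduced to scheme, host and path (the query string is
 * dropped) and compared with fnSystemURL() followed by $Referrer_Check or, when
 * given, $Referrer_Check_2. For 'index.php' the bare site URL is also accepted,
 * with or without its trailing slash.
 *
 * On a mismatch the player's session rows are deleted, a warning is logged and
 * ForceLogin() is called; FALSE is returned if ForceLogin() ever returns.
 *
 * The Referer header is supplied by the client and may be absent or altered,
 * so this is a best-effort origin check, not a substitute for a per-session
 * form token.
 *
 * @param string $Referrer_Check   Expected page, relative to fnSystemURL().
 * @param string $Referrer_Check_2 Optional second acceptable page.
 * @return bool TRUE when the referrer matches.
 */
function CheckReferrer($Referrer_Check, $Referrer_Check_2 = "")
{
    // $link was not declared global in the original, so the DELETE below ran
    // against an undefined connection handle.
    global $PLAYER_ID, $link;

    // A missing Referer header is treated as an empty string (and therefore as
    // a mismatch) rather than passing null into parse_url().
    $sRawReferrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    //Get referrer, minus the query string
    $sReferrer = parse_url($sRawReferrer, PHP_URL_SCHEME) . '://'
        . parse_url($sRawReferrer, PHP_URL_HOST)
        . parse_url($sRawReferrer, PHP_URL_PATH);

    $sSystemURL = fnSystemURL();
    $bForceLogin = True;

    if ($sReferrer == $sSystemURL . $Referrer_Check) {
        $bForceLogin = False;
    }
    // Only honour the second page when one was actually given: with the empty
    // default the original accepted any submission whose referrer was the bare
    // site URL, regardless of the page being checked.
    if ($Referrer_Check_2 != '' && $sReferrer == $sSystemURL . $Referrer_Check_2) {
        $bForceLogin = False;
    }
    //Special case - start page, with trailing slash but no 'index.php'
    if ($sSystemURL == $sReferrer && $Referrer_Check == 'index.php') {
        $bForceLogin = False;
    }
    //Special case - start page, with no trailing slash
    // (the original compared against the undefined variable $Referrer here, so
    // this case could never match)
    if (substr($sSystemURL, 0, strlen($sSystemURL) - 1) == $sReferrer && $Referrer_Check == 'index.php') {
        $bForceLogin = False;
    }

    if ($bForceLogin) {
        //Delete any existing session and force new login
        $sql = "DELETE FROM " . DB_PREFIX . "sessions WHERE ssPlayerID = " . (int) $PLAYER_ID;
        ba_db_query($link, $sql);
        LogWarning("Form submitted from {$sReferrer} (expected " . $sSystemURL . "{$Referrer_Check})\nPlayer ID: {$PLAYER_ID}");
        ForceLogin();
        return False;
    }

    return True;
}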
} $refnumber = (int) $_POST["txtRefNumber{$value}"]; $marshal = stripslashes($_POST["cboMarshal{$value}"]); //Set up UPDATE query $sql = "UPDATE {$db_prefix}players SET plFirstName = '" . ba_db_real_escape_string($link, $_POST['txtFirstName']) . "', " . "plSurname = '" . ba_db_real_escape_string($link, $_POST['txtSurname']) . "', " . "pleAddress1 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress1']) . "', '{$key}'), " . "pleAddress2 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress2']) . "', '{$key}'), " . "pleAddress3 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress3']) . "', '{$key}'), " . "pleAddress4 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress4']) . "', '{$key}'), " . "plePostcode = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtPostcode']) . "', '{$key}'), " . "pleTelephone = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtPhone']) . "', '{$key}'), " . "pleMobile = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtMobile']) . "', '{$key}'), " . "plDOB = '{$dob}', " . "pleMedicalInfo = AES_ENCRYPT('" . ba_db_real_escape_string($link, $sMedInfo) . "', '{$key}'), " . "plEmergencyName = '" . ba_db_real_escape_string($link, $_POST['txtEmergencyName']) . "', " . "pleEmergencyNumber = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtEmergencyNumber']) . "', '{$key}'), " . "plEmergencyRelationship = '" . ba_db_real_escape_string($link, $_POST['txtEmergencyRelationship']) . "', " . "plCarRegistration = '{$sCarReg}', " . "plDietary = '" . ba_db_real_escape_string($link, $_POST['selDiet']) . "', "; //"plBookAs = '" . ba_db_real_escape_string ($link, $_POST ['selBookAs']) . "', "; //if (AUTO_ASSIGN_BUNKS == False) // $sql .= "plBunkRequested = $iBunk, "; $sql .= "plNotes = '" . ba_db_real_escape_string($link, $_POST['txtNotes']) . 
"', "; $sql .= "plRefNumber = {$refnumber}, plMarshal = '{$marshal}',"; $sql .= "plEventPackByPost = {$iByPost} " . "WHERE plPlayerID = {$PLAYER_ID}"; //Run UPDATE query if (ba_db_query($link, $sql)) { //Query should affect exactly one row. Log a warning if it affected more if (ba_db_affected_rows($link) > 1) { LogWarning("More than one row updated during OOC update. Player ID: {$PLAYER_ID}"); } //Do not redirect if there are any warnings (required fields not filled in, etc) if ($sWarn == '') { //Update Monster only if person is playing //$sql = "update {$db_prefix}players inner join {$db_prefix}characters on plPlayerID = chPlayerID set chMonsterOnly = 0 where plBookAs = 'Player' and plPlayerID = $PLAYER_ID"; //ba_db_query ($link, $sql); //Send e-mail $sBody = "Your OOC details have been entered at " . SYSTEM_NAME . ".\n\n" . "Player ID: " . PID_PREFIX . sprintf('%03s', $PLAYER_ID) . "\n" . "OOC Name: " . $_POST['txtFirstName'] . " " . $_POST['txtSurname'] . "\n\n" . fnSystemURL(); if ($bEmailOOCChange) { $sql = "Select plEmail FROM {$db_prefix}players WHERE plPlayerID = {$PLAYER_ID}"; $result = ba_db_query($link, $sql); $playerrow = ba_db_fetch_assoc($result); mail($playerrow['plEmail'], SYSTEM_NAME . ' - OOC details', $sBody, "From:" . SYSTEM_NAME . " <" . EVENT_CONTACT_MAIL . ">"); } //Make up URL & redirect to index.php with message
if ($_POST['txtPassword1'] != $_POST['txtPassword2']) { $sWarn = "Passwords do not match<br>\n"; } //Check password length if (strlen($_POST['txtPassword1']) < MIN_PASS_LEN) { $sWarn .= "Password must be at least " . MIN_PASS_LEN . " characters long<br>\n"; } if ($sWarn == '') { //Set up UPDATE query $sHashPass = sha1($_POST['txtPassword1'] . PW_SALT); $sql = "UPDATE {$db_prefix}players SET plPassword = '******', plLoginCounter = 0 " . "WHERE plPlayerID = {$admin_player_id}"; //Run UPDATE query if (ba_db_query($link, $sql)) { //Query should affect exactly one row. Log a warning if it affected more if (ba_db_affected_rows($link) > 1) { LogWarning("More than one row updated during password reset (admin_pw_reset.php). Player ID: {$admin_player_id}"); } //Get user's e-mail address $result = ba_db_query($link, "SELECT plEmail FROM {$db_prefix}players WHERE plPlayerID = {$admin_player_id}"); $row = ba_db_fetch_assoc($result); $sEmail = $row['plEmail']; if (SEND_PASSWORD) { //E-mail user with new password $sBody = "Your password for " . SYSTEM_NAME . " has been changed. " . "Your new details are below:\n\n" . "E-mail: {$sEmail}\nPassword: {$_POST[txtPassword1]}\n" . "Player ID: " . PID_PREFIX . sprintf('%03s', $admin_player_id) . "\n" . "OOC Name: " . $row['plFirstName'] . " " . $row['plSurname'] . "\n\n" . fnSystemURL(); mail($sEmail, SYSTEM_NAME . ' - password change', $sBody, "From:" . SYSTEM_NAME . " <" . EVENT_CONTACT_MAIL . ">"); } } else { $sWarn = "There was a problem resetting the password<br>\n"; LogError("Error updating OOC information (admin_pw_reset.php). Player ID: {$admin_player_id}"); } //Redirect to start page
/**
 * Get all of the configured storage methods for a persistent object class.
 *
 * The class name is normalised to lower case. The global registry is created
 * on first use, and a class without an entry gets a fresh configuration
 * registered under its name. A warning is logged (when WARN logging is
 * enabled) if the class does not exist; the lookup still proceeds.
 *
 * @param string $pclass Persistent object class.
 * @return Configuration All configured data sources for the class.
 */
function &GetStorageMethods($pclass)
{
    global $CONFIGURED_STORAGEMETHODS;

    $className = strtolower($pclass);

    if (!class_exists($className) && IsLogEnabled('WARN')) {
        LogWarning("Persistent object class {$className} does not exist");
    }

    // Lazily build the registry the first time any class is looked up.
    if ($CONFIGURED_STORAGEMETHODS === null) {
        $CONFIGURED_STORAGEMETHODS = GetConfiguration();
    }

    // Register an (empty) configuration for classes seen for the first time.
    if (!$CONFIGURED_STORAGEMETHODS->has($className)) {
        $CONFIGURED_STORAGEMETHODS->set(GetConfiguration(), $className);
    }

    return $CONFIGURED_STORAGEMETHODS->get($className);
}
} } else { $sNotes = ba_db_real_escape_string($link, $_POST['txtNotes']); } //Character details - check if character exists $sql = "SELECT * FROM {$db_prefix}characters WHERE chPlayerID = {$admin_player_id}"; $result = ba_db_query($link, $sql); //If character does not exist insert a row so that UPDATE query will work if (ba_db_num_rows($result) == 0) { $sql = "INSERT INTO {$db_prefix}characters (chPlayerID) VALUES ({$admin_player_id})"; if (!ba_db_query($link, $sql)) { $sWarn = "There was a problem updating the IC details"; LogError("Error inserting player ID into characters table prior to running UPDATE query (admin_edit_ic.php). " . "Player ID: {$admin_player_id}"); } } elseif (ba_db_num_rows($result) > 1) { LogWarning("Multiple rows in characters table with player ID (admin_edit_ic.php) {$admin_player_id}"); } if ($_POST['selGroup'] == 'Other (enter name below)') { $sSelGroupName = ''; } else { $sSelGroupName = $_POST['selGroup']; } if ($_POST['selAncestor'] == 'Other (enter name below)') { $sSelAncestorName = ''; } else { $sSelAncestorName = $_POST['selAncestor']; } //Build up UPDATE query $sql = "UPDATE {$db_prefix}characters SET chName = '" . ba_db_real_escape_string($link, $_POST['txtCharName']) . "', " . "chPreferredName = '" . ba_db_real_escape_string($link, $_POST['txtPreferredName']) . "', " . "chRace = '" . ba_db_real_escape_string($link, $_POST['selRace']) . "', " . "chGender = '" . ba_db_real_escape_string($link, $_POST['selGender']) . "', " . "chGroupSel = '" . ba_db_real_escape_string($link, $sSelGroupName) . "', " . "chGroupText = '" . ba_db_real_escape_string($link, $_POST['txtGroup']) . "', " . "chFaction = '" . ba_db_real_escape_string($link, $_POST['selFaction']) . "', " . "chAncestor = '" . ba_db_real_escape_string($link, $_POST['txtAncestor']) . "', " . "chAncestorSel = '" . ba_db_real_escape_string($link, $sSelAncestorName) . "', " . "chLocation = '" . ba_db_real_escape_string($link, $_POST['selLocation']) . "', " . "chNotes = '" . $sNotes . 
"', " . "chOSP = '" . ba_db_real_escape_string($link, $_POST['txtOSP']) . "' " . "WHERE chPlayerID = {$admin_player_id}"; //Run query if (!ba_db_query($link, $sql)) {
} else { //Send e-mail $sTo = $sEmail; $sSubject = SYSTEM_NAME . " - password reset"; $sBody = "Hi,\nYour password at " . SYSTEM_NAME . " has been reset. " . "Your new password is:\n{$sNewPass}\nYou can log in using this new password.\n\n" . fnSystemURL(); ini_set("sendmail_from", EVENT_CONTACT_MAIL); $mail = mail($sTo, $sSubject, $sBody, "From:" . SYSTEM_NAME . " <" . EVENT_CONTACT_MAIL . ">", '-f' . EVENT_CONTACT_MAIL); if ($mail) { $sMsg = "A new password has been sent to {$sEmail}. Please check your e-mail for your new password.<br />\n" . "If you do not get the e-mail, check your Junk/Spam folder - it may have been marked as spam " . "(this appears to be particularly common with web-based e-mail services)"; } else { $sMsg = "There was an error sending your reset email. Please contact <a href = 'mailto:" . Obfuscate(TECH_CONTACT_MAIL) . "'>" . TECH_CONTACT_NAME . "</a> to reset your password manually"; } } if (ba_db_affected_rows($link) > 1) { //More than one record updated - log warning LogWarning("retrieve.php - Multiple records updated from SQL query\n{$sql}"); } } ?> <h1><?php echo TITLE; ?> - Lost Password</h1> <?php if ($sMsg != '') { echo "<p class = 'green'>{$sMsg}</p>\n"; } ?>