$value = stripslashes($value); $value = str_replace(array("\r", "\n", "%0a", "%0d", "/"), '', $value); $value = strip_tags($value); $value = htmlspecialchars($value); return $value; } //Only process POST requests if ($_SERVER["REQUEST_METHOD"] == "POST") { $name = clean_user_input($_POST["name"]); //email with sanitizer filter $email = clean_user_input(filter_var($_POST["email"], FILTER_SANITIZE_EMAIL)); $tel = clean_user_input($_POST["tel"]); $weddingDate = clean_user_input($_POST["wedding-date"]); $venue = clean_user_input($_POST["venue"]); $message = clean_user_input($_POST["message"]); $marketResearch = clean_user_input($_POST["market-research"]); //FORM VALIDATION //blank fields and email validation(?) if (empty($name) or empty($message) or !filter_var($email, FILTER_VALIDATE_EMAIL)) { //Set a 400 (bad request) response code and exit //http_response_code(400); echo "You must specify a name, valid email address and message"; exit; } //prevent email header injection (see nyphp.org) foreach ($_POST as $value) { if (stripos($value, 'Content-Type:') !== FALSE) { //Set a 400 (bad request) response code and exit //http_response_code(400); echo "There was a problem with the information you entered."; exit;
* record the payment */ $dbconn = PDOconnect('nakaweb', $_SESSION["clientdefaults"]["host"], $logname); foreach ($_SESSION['invoices'] as $key => $value) { // if (key_exists('checkno' . $value, $_POST)) { if ($_POST['checkno' . $value] != '') { logit($logname, ' updataing:' . $value); // create a pg conection try { $theq = " update invoices"; $theq .= " set checknumber=:checknumber"; $theq .= " ,paymentreceived=now()"; $theq .= " ,receivedby=:receivedby"; $theq .= " where invoiceid=:invoiceid"; $pdoquery = $dbconn->prepare($theq); $pdoquery->execute(array(':checknumber' => clean_user_input($_POST['checkno' . $value]), ':receivedby' => $_SESSION["userid"], ':invoiceid' => $value)); } catch (PDOException $e) { logit($logname, ' **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage()); $results->errortext = $e->getMessage(); $cancontinue = FALSE; } } } unset($_SESSION['invoices']); logit($logname, 'GETting back to recordpayment'); header('Location: recordpayment.php'); exit; } else { // get invoices $dbconnw = PDOconnect('nakaweb', $_SESSION["clientdefaults"]["host"], $logname); $theq = " select fullname,invoiceid,invoicedate,paymentreceived,login,invoiceamount,";
GetTheHTMLs('EN-US', 0, $dbconn, $logname); if (key_exists('LOGIN', $_POST) and key_exists('PASSWORD', $_POST)) { logit($logname, 'Login: '******' Password: '******':login' => clean_user_input($_POST["LOGIN"]), ':password' => clean_user_input($_POST["PASSWORD"]))); $row = $pdoquery->fetch(); } catch (PDOException $e) { logit($logname, ' **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage()); $cancontinue = FALSE; } if ($cancontinue) { if (!$row) { // not a valid user/password //logit($logname, __LINE__); $results->errortext = 'Sorry, that username/password is invalid'; } else { // valid user/password if ($row->locked == TRUE) { //logit($logname, __LINE__); $results->errortext = 'Sorry, that user is locked';
} //notes if ($_POST["note-note_text"] != '') { $theq = 'insert into notes(employee, note_text, stu_index, note_timestamp) values'; $theq .= ' (:employee,:note_text,:stu_index,now())'; try { $pdoquerynotes = $dbconn->prepare($theq); $pdoquerynotes->execute(array(':stu_index' => $stu_index, ":employee" => $_SESSION["initials"], ":note_text" => clean_user_input($_POST["note-note_text"]))); } catch (PDOException $e) { logit($logname, ' **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage()); $results->errortext = $e->getMessage(); $cancontinue = FALSE; } } //medical alerts if ($_POST["ma-note_text"] != '') { $theq = 'insert into notes(employee, note_text, stu_index, note_timestamp) values'; $theq .= " ('*MA',:note_text,:stu_index,now())"; try { $pdoquerynotes = $dbconn->prepare($theq); $pdoquerynotes->execute(array(':stu_index' => $stu_index, ":note_text" => clean_user_input($_POST["ma-note_text"]))); } catch (PDOException $e) { logit($logname, ' **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage()); $results->errortext = $e->getMessage(); $cancontinue = FALSE; } } logit($logname, 'going back to main.php'); header('Location: main.php?dlStudent=' . $stu_index); exit; }
$theq .= " from students s"; $theq .= " join ranks r on s.stu_index=r.stu_index"; $theq .= " join sysdef.rank_names rn on rn.srk_index=r.srk_index"; $theq .= " join sysdef.class_type ct on ct.clt_index=rn.clt_index"; $theq .= " left join (select stu_index,count(*) as tests from ranks group by 1) rc on rc.stu_index=s.stu_index"; $theq .= " where current_rank=true"; $theq .= " and student_type in ('A','ANP','APC')"; $theq .= " and ct.clt_index=:artid"; $theq .= ' order by last_name,first_name'; logit($logname, $theq); try { $pdoquery = $dbconn->prepare($theq); $pdoquery->setFetchMode(PDO::FETCH_OBJ); $pdoquery->execute(array(':artid' => $_SESSION['artid'])); // ?? why assiing another session var to the art id?? $_SESSION['recordtestartid'] = clean_user_input($_GET['artid']); $studentdata = $pdoquery->fetchAll(); unset($_SESSION['activestudents']); $i = 0; foreach ($studentdata as $key => $value) { //echo $value -> stu_index.' '; $_SESSION['activestudents'][$i]['stu_index'] = $value->stu_index; $_SESSION['activestudents'][$i]['first_name'] = $value->first_name; $_SESSION['activestudents'][$i]['last_name'] = $value->last_name; $_SESSION['activestudents'][$i]['srk_description'] = $value->srk_description; $_SESSION['activestudents'][$i]['srk_index'] = $value->srk_index; $_SESSION['activestudents'][$i]['srk_seq'] = $value->srk_seq; $i++; } } catch (PDOException $e) { logit($logname, ' **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
// dont admit that the username is valid or not $results->errortext = 'If the username you entered is in our system ' . 'you will recieve an email with a temporary ' . 'password sent your email address. ' . 'Don\'t forget to check your spam folder.'; if ($cancontinue) { if (!$row) { // not a valid user/password logit($logname, 'username is invalid'); $results->success = TRUE; } else { // valid user/password logit($logname, 'username is valid'); //record the request $theq = " insert into passwordreset (username,ip,requestts)"; $theq .= " values (:username,:ip,now())"; try { $pdoquery = $dbconn->prepare($theq); $pdoquery->execute(array(':username' => clean_user_input($_POST["reset"]), ':ip' => $_SERVER["REMOTE_ADDR"])); } catch (PDOException $e) { logit($logname, ' **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage()); $cancontinue = FALSE; } // update user's password $newpassword = substr(md5(rand()), 8, 6); logit($logname, ' generated password is:' . $newpassword); $theq = " update users"; $theq .= " set thepassword=:newpassword"; $theq .= " where userid=:userid"; try { $pdoquery = $dbconn->prepare($theq); $pdoquery->execute(array(':newpassword' => $newpassword, ':userid' => $row->userid)); } catch (PDOException $e) { logit($logname, ' **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
logit($logname, ' **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage()); $results->errortext = $e->getMessage(); $cancontinue = FALSE; } } $params = array(':userid' => $userid, ':firstname' => clean_user_input($_POST["firstname"]), ':lastname' => clean_user_input($_POST["lastname"]), ':locked' => $_POST["locked"], ':email' => clean_user_input($_POST["email"]), ':address1' => clean_user_input($_POST["address1"]), ':address2' => clean_user_input($_POST["address2"]), ':city' => clean_user_input($_POST["city"]), ':state' => clean_user_input($_POST["state"]), ':zip' => clean_user_input($_POST["zip"]), ':phone' => clean_user_input($_POST["phone"])); logit($logname, ' updating user'); $theq = 'update users'; $theq .= ' set firstname= :firstname,'; $theq .= ' lastname=:lastname,'; if (isset($_POST["login"])) { $params[':login'] = clean_user_input($_POST["login"]); $theq .= ' login=:login,'; } if (isset($_POST["thepassword"])) { $params[':thepassword'] = clean_user_input($_POST["thepassword"]); $theq .= ' thepassword=:thepassword,'; } $theq .= ' email=:email,'; $theq .= ' address1=:address1,'; $theq .= ' address2=:address2,'; $theq .= ' city=:city,'; $theq .= ' state=:state,'; $theq .= ' zip=:zip,'; $theq .= ' phone=:phone,'; $theq .= ' locked=:locked'; $theq .= ' where userid=:userid'; try { $pdoquery = $dbconn->prepare($theq); $pdoquery->setFetchMode(PDO::FETCH_OBJ); $pdoquery->execute($params);