Ejemplo n.º 1
0
function display_login()
{
    nav_start_outer("Login", "");
    $login_username = sanatize_username($_POST['login_username']);
    $php_self = $_SERVER['PHP_SELF'];
    ?>
<div id="login" class="centerpiece">
<form name="loginform" method="POST" action="<?php 
    echo $php_self;
    ?>
">
<table>
<tr>
   <td>Username:</td>
  <td><input type="text" name="login_username" size="30" autocomplete="no" value="<?php 
    echo $login_username;
    ?>
"></td>
</tr>
<tr>
   <td>Password:</td>
  <td colspan="2"><input type="password" name="login_password" size="30" autocomplete="no">
  <input type="submit" name="submit_login" value="Log in">
  <input type="submit" name="submit_registration" value="Register"></td>
</tr>
</table>
</form>
</div>
<div class="footer warning">
<?php 
    global $login_error;
    echo $login_error;
    ?>
</div>
<script>document.loginform.login_username.focus();</script>
<?php 
    nav_end_outer();
}
Ejemplo n.º 2
0
function display_login()
{
    nav_start_outer("Login");
    ?>
<div></div>
<div id="login" class="centerpiece">
<form name=login_form method=POST action="<?php 
    echo $_SERVER['PHP_SELF'];
    ?>
">
<table>
<tr>
   <td>Username:</td>
  <td><input type=text name=loginusername size=30 autocomplete=no value=<?php 
    echo htmlspecialchars($_POST['loginusername']);
    ?>
></td>
</tr>
<tr>
   <td>Password:</td>
  <td colspan=2><input type=password name=loginpassword size=30 autocomplete=no>
  <input type=submit name=submitlogin value="Log in">
  <input type=submit name=submit_registration value="Register"></td>
</tr>
</table>
</form>
</div>
<div class="footer warning">
<?php 
    global $login_error;
    echo $login_error;
    ?>
</div>
<script>document.login_form.loginusername.focus();</script>
<?php 
    nav_end_outer();
}
Ejemplo n.º 3
0
<?php

require_once "includes/common.php";
nav_start_outer("Home");
nav_start_inner();
?>
<b>Balance:</b> 
<?php 
$sql = "SELECT Zoobars FROM Person WHERE PersonID={$user->id}";
$rs = $db->executeQuery($sql);
$balance = $rs->getValueByNr(0, 0);
echo $balance > 0 ? $balance : 0;
?>
 zoobars<br/>
<b>Your profile:</b>
<form method="POST" name=profile_form
  action="<?php 
echo $_SERVER['PHP_SELF'];
?>
">
<textarea name="profileupdate">
<?php 
if ($_POST['profilesubmit']) {
    // Check for profile submission
    $profile = $_POST['profileupdate'];
    if ($user->id != "*") {
        $sql = "UPDATE Person SET Profile='{$profile}' " . "WHERE PersonID={$user->id}";
        $db->executeQuery($sql);
        // Overwrite profile in database
    }
}
Ejemplo n.º 4
0
<?php

require_once "includes/common.php";
global $php_self;
global $secret_token;
global $form_token;
nav_start_outer("Transfer", $secret_token);
nav_start_inner();
/* UNTRUSTED DATA SANITIZATION */
$recipient = sanatize_username($_POST['recipient']);
/* reflected & used in SQL query */
$submission_status = $_POST['submission'];
/* not reflected or stored */
$zoobars = (int) $_POST['zoobars'];
/* reflected, cast will sanatize */
/* END UNTRUSTED DATA SANITIZATION */
if ($submission_status && $form_token && $form_token == $secret_token) {
    $sql = "SELECT Zoobars FROM Person WHERE PersonID={$user->id}";
    $rs = $db->executeQuery($sql);
    $sender_balance = (int) $rs->getValueByNr(0, 0) - $zoobars;
    $sql = "SELECT PersonID FROM Person WHERE Username='{$recipient}'";
    $rs = $db->executeQuery($sql);
    $recipient_exists = $rs->getValueByNr(0, 0);
    if ($zoobars > 0 && $sender_balance >= 0 && $recipient_exists) {
        $sql = "UPDATE Person SET Zoobars = {$sender_balance} " . "WHERE PersonID={$user->id}";
        $db->executeQuery($sql);
        $sql = "SELECT Zoobars FROM Person WHERE Username='{$recipient}'";
        $rs = $db->executeQuery($sql);
        $recipient_balance = (int) $rs->getValueByNr(0, 0) + $zoobars;
        $sql = "UPDATE Person SET Zoobars = {$recipient_balance} " . "WHERE Username='{$recipient}'";
        $db->executeQuery($sql);
<?php

require_once "includes/common.php";
nav_start_outer("Transfer");
nav_start_inner();
if ($_POST['submission']) {
    $recipient = $db->quote($_POST['recipient']);
    $zoobars = (int) $_POST['zoobars'];
    $sql = "SELECT Zoobars FROM Person WHERE PersonID={$user->id}";
    $rs = $db->executeQuery($sql);
    $sender_balance = $rs->getValueByNr(0, 0) - $zoobars;
    $sql = "SELECT PersonID FROM Person WHERE Username='{$recipient}'";
    $rs = $db->executeQuery($sql);
    $recipient_exists = $rs->getValueByNr(0, 0);
    if ($zoobars > 0 && $sender_balance >= 0 && $recipient_exists) {
        $sql = "UPDATE Person SET Zoobars = {$sender_balance} " . "WHERE PersonID={$user->id}";
        $db->executeQuery($sql);
        $sql = "SELECT Zoobars FROM Person WHERE Username='{$recipient}'";
        $rs = $db->executeQuery($sql);
        $recipient_balance = $rs->getValueByNr(0, 0) + $zoobars;
        $sql = "UPDATE Person SET Zoobars = {$recipient_balance} " . "WHERE Username='{$recipient}'";
        $db->executeQuery($sql);
        $result = "Sent {$zoobars} zoobars";
    } else {
        $result = "Transfer to {$recipient} failed.";
    }
}
?>
<p><b>Balance:</b>
<?php 
$sql = "SELECT Zoobars FROM Person WHERE PersonID={$user->id}";
Ejemplo n.º 6
0
<?php

require_once "includes/common.php";
global $php_self;
global $secret_token;
global $form_token;
nav_start_outer("Home", $secret_token);
nav_start_inner();
/* UNTRUSTED DATA SANITIZATION */
$profile_submit = $_POST['profile_submit'];
$profile = sanatize_profile($_POST['profile_update']);
/* END UNTRUSTED DATA SANITIZATION */
?>
<b>Balance:</b> 
<?php 
$sql = "SELECT Zoobars FROM Person WHERE PersonID={$user->id}";
$rs = $db->executeQuery($sql);
$balance = (int) $rs->getValueByNr(0, 0);
echo $balance > 0 ? $balance : 0;
?>
 zoobars<br/>
<b>Your profile:</b>
<form method="POST" name="profileform" action="<?php 
echo $php_self;
?>
">
<textarea name="profile_update">
<?php 
if ($profile_submit && $form_token && $form_token == $secret_token) {
    // Check for profile submission
    $sql = "UPDATE Person SET Profile='{$profile}' " . "WHERE PersonID={$user->id}";
Ejemplo n.º 7
0
<?php

require_once "includes/common.php";
nav_start_outer("Users");
nav_start_inner();
?>
 <form name="profileform" method="GET"
  action="<?php 
echo $_SERVER['PHP_SELF'];
?>
">
 <nobr>User:
 <input type="text" name="user" value="<?php 
echo stripslashes($_GET['user']);
?>
" size=10>
 <input type="submit" value="View"></nobr>
</form>
<div id="profileheader"><!-- user data appears here --></div>
<?php 
$selecteduser = $db->quote($_GET['user']);
$sql = "SELECT Profile, Username, Zoobars FROM Person " . "WHERE Username='{$selecteduser}'";
$rs = $db->executeQuery($sql);
if ($rs->next()) {
    // Sanitize and display profile
    list($profile, $username, $zoobars) = $rs->getCurrentValues();
    echo "<div class=profilecontainer><b>Profile</b>";
    $allowed_tags = '<a><br><b><h1><h2><h3><h4><i><img><li><ol><p><strong><table>' . '<tr><td><th><u><ul><em><span>';
    $profile = strip_tags($profile, $allowed_tags);
    $disallowed = 'javascript:|window|eval|setTimeout|setInterval|target|' . 'onAbort|onBlur|onChange|onClick|onDblClick|' . 'onDragDrop|onError|onFocus|onKeyDown|onKeyPress|' . 'onKeyUp|onLoad|onMouseDown|onMouseMove|onMouseOut|' . 'onMouseOver|onMouseUp|onMove|onReset|onResize|' . 'onSelect|onSubmit|onUnload';
    $profile = preg_replace("/{$disallowed}/i", " ", $profile);
Ejemplo n.º 8
0
<?php

require_once "includes/common.php";
global $php_self;
global $secret_token;
nav_start_outer("Users", $secret_token);
nav_start_inner();
/* UNTRUSTED DATA SANITIZATION */
$selecteduser = sanatize_username($_GET['user']);
// only allow innocuous characters
/* END UNTRUSTED DATA SANITIZATION */
?>
 <form name="profileform" method="GET" action="<?php 
echo $php_self;
?>
">
 <nobr>User:
 <input type="text" name="user" value="<?php 
echo $selecteduser;
?>
" size="10">
 <input type="submit" value="View"></nobr>
</form>
<div id="profileheader"><!-- user data appears here --></div>
<?php 
$sql = "SELECT Profile, Username, Zoobars FROM Person " . "WHERE Username='{$selecteduser}'";
$rs = $db->executeQuery($sql);
if ($rs->next()) {
    // Sanitize and display profile
    list($profile, $username, $zoobars) = $rs->getCurrentValues();
    /* UNTRUSTED DATA SANITIZATION */