********************************************************************
Format a mySQL string correctly for safe mySQL insert
(no mater if magic quotes are on or not)
| public escape ( $str ) |
function makepwd($password)
{
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
if ($db->get_var("SELECT option_value FROM site_options where option_name = 'encrypted_passwords';") == "yes") {
//if encryption is ON
include "includes/PasswordHash.php";
$hasher = "*";
$hasher = new PasswordHash(8, false);
$return_pass = $hasher->HashPassword($password);
//if encryption is OFF
} else {
$return_pass = trim($db->escape($password));
}
return $return_pass;
}
include "includes/header.php";
include "includes/session.php";
include "includes/checksession.php";
include "fhd_config.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
//DELETE FILE
//check nacl
if (isset($_GET['nacl'])) {
if ($_GET['nacl'] != md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
echo "<div class=\"alert alert-danger\" style=\"max-width: 200px;\"><i class='glyphicon glyphicon-ban-circle'></i> Authentication Error</div>";
exit;
}
} else {
echo "<div class=\"alert alert-danger\" style=\"width: 200px;\"><i class='glyphicon glyphicon-ban-circle'></i> Authentication Error</div>";
exit;
}
if (isset($_GET['delete'])) {
if ($_GET['delete'] == 1) {
$file_id = $db->escape($_GET['file_id']);
$call_id = $db->escape($_GET['call_id']);
$file_ext = $db->get_var("SELECT file_ext FROM site_upload WHERE (id = {$file_id}) AND (call_id = {$call_id}) LIMIT 1;");
$realpath = md5(UPLOAD_KEY . $file_id) . "." . $file_ext;
unlink("upload/" . $realpath);
$db->query("DELETE FROM site_upload where (id = {$file_id}) AND (call_id = {$call_id}) LIMIT 1;");
header("Location: fhd_call_edit.php?call_id={$call_id}");
exit;
}
}
//END DELETE FILE
<?php
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/functions.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$actionstatus = "";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
//<ADD>
if (isset($_POST['nacl'])) {
if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
//authentication verified, continue.";
$call_status = 0;
$call_date = strtotime(date('n/j/y g:i a'));
$call_first_name = $db->escape($_POST['call_first_name']);
$call_email = $db->escape($_POST['call_email']);
$call_phone = $db->escape($_POST['call_phone']);
$call_department = $db->escape((int) $_POST['call_department']);
$call_request = $db->escape((int) $_POST['call_request']);
$call_device = $db->escape((int) $_POST['call_device']);
$call_details = $db->escape($_POST['call_details']);
$db->query("INSERT INTO site_calls(call_status,call_user,call_date,call_first_name,call_email,call_phone,call_department,call_request,call_device,call_details)VALUES({$call_status},{$user_id},{$call_date},'{$call_first_name}','{$call_email}','{$call_phone}',{$call_department},{$call_request},{$call_device},'{$call_details}');");
$insert_id = $db->insert_id;
//********** manage file upload
if (isset($insert_id)) {
if (FHD_UPLOAD_ALLOW == "yes") {
$file_name = $_FILES['hasupload']['name'];
if ($file_name != '') {
$files_var1 = $_FILES["hasupload"]["name"];
$files_var2 = explode(".", $files_var1);
//limit login tries.
if (isset($_SESSION['hit'])) {
$_SESSION['hit'] += 1;
if ($_SESSION['hit'] > LOGIN_TRIES) {
echo "<p><i class='fa fa-lock fa-2x pull-left'></i> Access Locked</p>";
include "includes/footer.php";
exit;
}
} else {
$_SESSION['hit'] = 0;
}
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
if (isset($_POST['user_login'])) {
$user_login = trim($db->escape($_POST['user_login']));
} else {
echo "<div class='alert alert-warning' style='width: 375px;'><i class='glyphicon glyphicon-info-sign'></i> Username / Email is Required.</div>";
include "includes/footer.php";
exit;
}
if (isset($_POST['user_password'])) {
$user_password = trim($db->escape($_POST['user_password']));
$is_valid = checkpwd($user_password, $user_login);
}
//uesrs can login with either login name or email address.
$pos = strrpos($user_login, "@");
if ($pos === false) {
// note: three equal signs
$checkusing = "user_login";
} else {
<head>
<?php
include "ncl/session.php";
include "ncl/checksession.php";
include "ncl/checksessionadmin.php";
include "ncl/head.php";
include "ncl/functions.php";
include "ncl/ez_sql_core.php";
include "ncl/ez_sql_mysqli.php";
$actionstatus = "";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
//<ADD>
if (isset($_POST['nacl'])) {
if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
//authentication verified, continue.
$user_login = $db->escape($_POST['user_login']);
$user_email = $db->escape($_POST['user_email']);
//check email exists
$num = $db->get_var("select count(user_email) from site_users where (user_email = '{$user_email}');");
if ($num > 0) {
echo "<div class='alert alert-danger'><strong>Error:</strong> that email address is already in use.</div>";
include "ncl/footer.php";
exit;
}
//password function here
if (strlen($_POST['user_password']) > 4) {
$user_password = makepwd(trim($db->escape($_POST['user_password'])));
} else {
echo "<div class='alert alert-danger'><strong>Error:</strong> password to short.</div>";
include "ncl/footer.php";
exit;
<?php
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
// <UPDATE>
if (isset($_POST['update'])) {
if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select user_password from site_users where user_id = {$user_id};"))) {
$note_id = checkid($_POST['note_id']);
$call_id = checkid($_POST['call_id']);
$user_id = $_SESSION['user_id'];
if ($user_id == $db->get_var("select note_post_user from site_notes where note_post_user = {$user_id};")) {
$note_body = trim(htmlentities($db->escape($_POST['note_body'])));
$note_post_ip = $db->escape($_SERVER['REMOTE_ADDR']);
$db->query("UPDATE site_notes SET note_body='{$note_body}',note_post_ip='{$note_post_ip}' WHERE note_id={$note_id};");
header("Location: fhd_call_edit.php?call_id={$call_id}");
//echo exit;
}
} else {
//not verified, warning and exit!
echo "<p>Warning: Verification Error!</p>";
exit;
}
}
// </UPDATE>
// <ADD>
if (isset($_POST['add'])) {
if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select user_password from site_users where user_id = {$user_id};"))) {
include "includes/header.php";
include "includes/all-nav.php";
include "includes/functions.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$searchquery = "";
$colspan = 2;
$num = "";
if ($user_level == 1) {
$searchquery = " AND call_user = {$user_id}";
$colspan = 1;
}
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
//<SEARCHQUERY>
if (isset($_GET['search'])) {
$call_status = $db->escape((int) $_GET['call_status']);
$call_date1 = strtotime($_GET['call_date1']);
$call_date2 = strtotime($_GET['call_date2']);
if ($call_date2 == "") {
$call_date2 = $call_date1;
}
$call_first_name = $db->escape($_GET['call_first_name']);
$call_email = $db->escape($_GET['call_email']);
$call_phone = $db->escape($_GET['call_phone']);
$call_department = $db->escape((int) $_GET['call_department']);
$call_request = $db->escape((int) $_GET['call_request']);
$call_device = $db->escape((int) $_GET['call_device']);
$call_staff = $db->escape((int) $_GET['call_staff']);
$call_details = $db->escape($_GET['call_details']);
$call_solution = $db->escape($_GET['call_solution']);
if ($_GET['call_status'] != '') {
<?php
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
$queryadd = "";
$colspan = 2;
if ($user_level == 1) {
$queryadd = " AND call_user = {$user_id}";
$colspan = 1;
}
if (isset($_GET['user_id'])) {
$queryadd = " AND call_user = "******"SELECT call_id,call_date,call_first_name,call_last_name,call_request,call_department,call_device from site_calls WHERE (call_status = 0) $queryadd order by call_id desc;";
$myquery = "SELECT call_id,call_date,call_first_name,call_last_name,call_request,call_department,call_device from site_calls WHERE (call_status = 0) order by call_id desc;";
$site_calls = $db->get_results($myquery);
$num = $db->num_rows;
//$db->debug();
echo "<h4><i class='fa fa-tags'></i> Laporan Masalah <small>[ {$num} ]</small></h4>";
if ($num > 0) {
?>
<table class="<?php
echo $table_style_1;
?>
" style='width: auto;'>
<tr>
<?php
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/functions.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
$actionstatus = "";
//<UPDATE>
if (isset($_POST['update'])) {
if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
//authentication verified, continue.
$url_user_id = valid_user($_POST['url_user_id']);
$user_date = date(time());
$user_login = $db->escape($_POST['user_login']);
//password function here
$user_password_set = "";
if (strlen($_POST['user_password']) > 4) {
$user_password = makepwd(trim($db->escape($_POST['user_password'])));
$user_password_set = "user_password='******',";
}
$user_name = $db->escape($_POST['user_name']);
$user_email = $db->escape($_POST['user_email']);
$user_phone = $db->escape($_POST['user_phone']);
$user_address = $db->escape($_POST['user_address']);
$user_city = $db->escape($_POST['user_city']);
$user_state = $db->escape($_POST['user_state']);
$user_zip = $db->escape($_POST['user_zip']);
$user_country = $db->escape($_POST['user_country']);
$user_level = $db->escape($_POST['user_level']);
<?php
include "fhd_config.php";
include "includes/header.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
//initilize db
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
if (ALLOW_REGISTER != "yes") {
echo "<p>Registration is Closed</p>";
include "includes/footer.php";
exit;
}
if (CAPTCHA_REGISTER == "yes") {
$captchasession = $_SESSION['captcha']['code'];
$captcha = $db->escape(trim($_POST['captcha']));
if ($captchasession != $captcha) {
echo "<div class=\"alert alert-danger\" style=\"max-width: 350px;\">Invalid Captcha Code.</div>";
include "includes/footer.php";
exit;
}
}
//IP and DATE field
$ip = $_SERVER['REMOTE_ADDR'];
//EMAIL address
$email = $db->escape(trim($_POST['email']));
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo "<div class=\"alert alert-danger\" style=\"max-width: 350px;\">That email address appears to be invalid.</div>";
include "includes/footer.php";
exit;
}
<html lang="en">
<head>
<meta charset="utf-8">
<title>Forgot Password</title>
<?php
include "fhd_config.php";
include "includes/header.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
$thedomain = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
//initilize db
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
//if STEP 2 of the process
if (isset($_GET['action'])) {
$action = $db->escape($_GET['action']);
$key = $db->escape($_GET['key']);
//check if action is to reset password and that the key is not blank.
if ($action == "rp") {
if (!empty($key)) {
$myquery = "SELECT user_id,user_email FROM site_users WHERE user_im_other = '{$key}' limit 1;";
$resets = $db->get_row($myquery);
// if a record is returned then continue
if ($db->num_rows == 1) {
$user_email = $resets->user_email;
$user_id = $resets->user_id;
//generage a new password, set resetcode to blank so link cannot be used again.
$user_password_plain = generatePassword(8, 9);
$user_password = makepwd(trim($db->escape($user_password_plain)));
//update the password in the database.
$db->query("UPDATE site_users set user_password = '******',user_im_other = '' WHERE user_id = {$user_id} limit 1;");
$call_id = checkid($_GET['call_id']);
$db->query("UPDATE site_calls SET call_status = 3 WHERE call_id = {$call_id} limit 1;");
$db->query("UPDATE site_notes SET note_type = 0 WHERE note_relation = {$call_id};");
header("Location: fhd_calls.php");
}
}
}
}
//</DELETE>
//<UPDATE>
if (isset($_POST['nacl'])) {
if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
//authentication verified, continue.
$call_id = checkid($_POST['call_id']);
//call details
$call_first_name = $db->escape($_POST['call_first_name']);
$call_email = $db->escape($_POST['call_email']);
$call_phone = $db->escape($_POST['call_phone']);
$call_department = $db->escape($_POST['call_department']);
$call_request = $db->escape($_POST['call_request']);
$call_device = $db->escape($_POST['call_device']);
$call_details = $db->escape($_POST['call_details']);
$call_solution = $db->escape($_POST['call_solution']);
$call_staff = $db->escape($_POST['call_staff']);
//call status
$call_status = $db->escape($_POST['call_status']);
$call_status_now = $db->escape($_POST['call_status_now']);
if (isset($_POST['call_date2'])) {
$call_date2 = strtotime($_POST['call_date2']);
}
// if no status change
<head>
<title>Settings</title>
<?php
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
//<DELETE>
if (isset($_GET['nacl'])) {
if ($_GET['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
//authentication verified, continue.
$type_id = checkid($_GET['type_id']);
$action = $db->escape($_GET['action']);
$type = checkid($_GET['type']);
if ($action == 'delete') {
$db->query("DELETE FROM site_types where type_id = {$type_id};");
header("Location: fhd_settings_action.php?type={$type}");
}
}
}
//</DELETE>
//check type variable
$type = checkid($_GET['type']);
?>
<p><a href="fhd_settings.php">Settings</a></p>
<h4><?php
show_type_name($type);
<head>
<title>Add</title>
<?php
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
// <ADD>
if (isset($_POST['nacl'])) {
if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select user_password from site_users where user_id = {$user_id};"))) {
//authentication verified, continue.
$type = checkid($_POST['type']);
$type_name = $db->escape($_POST['type_name']);
$type_email = $db->escape($_POST['type_email']);
$type_location = $db->escape($_POST['type_location']);
$type_phone = $db->escape($_POST['type_phone']);
$db->query("INSERT INTO site_types(type,type_name,type_email,type_location,type_phone) VALUES( {$type},'{$type_name}','{$type_email}','{$type_location}','{$type_phone}');");
header("Location: fhd_settings_action.php?type={$type}");
} else {
//not verified, warning and exit!
echo "<p class='save'>Warning: Verification Error!</p>";
exit;
}
}
// </ADD>
//check type variable
$type = checkid($_GET['type']);
$nacl = md5(AUTH_KEY . $db->get_var("select user_password from site_users where user_id = {$user_id};"));
<?php
include "fhd_config.php";
if (ALLOW_REGISTER == "yes") {
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
$q = $db->escape($_GET["q"]);
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
$q = $db->escape($q);
$num = $db->get_var("select count(user_login) from site_users where user_login = '******';");
if ($num == 0) {
echo "<i class='glyphicon glyphicon-ok'></i> <small><em>available</em></small>";
} else {
echo "<i class='glyphicon glyphicon-ban-circle'></i> <small><em>name not available</em></small>";
}
}
<?php
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
$actionstatus = "";
// <UPDATE>
//to do: need to check for duplicates...
if (isset($_POST['nacl'])) {
if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
//authentication verified, continue.
$type_id = checkid($_POST['type_id']);
$type_name = $db->escape($_POST['type_name']);
// $type_email = $db->escape($_POST['type_email']);
// $type_location = $db->escape($_POST['type_location']);
// $type_phone = $db->escape($_POST['type_phone']);
// $db->query("UPDATE site_types SET type_name='$type_name',type_email='$type_email',type_location='$type_location',type_phone='$type_phone' WHERE type_id = $type_id;");
$db->query("UPDATE site_types SET type_name='{$type_name}' WHERE type_id = {$type_id};");
$actionstatus = "<div class=\"alert alert-success\" style=\"max-width: 250px;\">\n <button type=\"button\" class=\"close\" data-dismiss=\"alert\">×</button>\n Updated.\n </div>";
}
}
// </UPDATE>
//check type variable
$type_id = checkid($_GET['id']);
$num = $db->get_var("select count(type_id) from site_types where type_id = {$type_id};");
if ($num == 0) {
echo "<p>Type does not exist (error 2)</p>";
include "includes/footer.php";