function checkUser() { global $dbh; global $response; $response['log'] .= 'checkUser running |'; //echo $response['log']; //$postID=filter_input(INPUT_POST, 'userID', FILTER_SANITIZE_STRING); if (checkVar($_POST['userID'])) { $postID = $_POST['userID']; } else { $postID = false; } if (checkVar($_POST['socialID'])) { $socialID = $_POST['socialID']; } else { $socialID = false; } $response['log'] .= '$postID=' . $postID . ', $socialID=' . $socialID . '|'; $response['success'] = 'init success value, not overwritten'; //$response['query']='no query set'; //database details $dbusername = "******"; $dbpassword = "******"; //emotion2010 $dbhostname = "207.7.92.13"; //connect to database $dbh = mysql_connect($dbhostname, $dbusername, $dbpassword); if (!$dbh) { $response['success'] = 'ERROR: could not connect to mySQL'; generateOutput(); } else { //CHECK USER - what data do we have? Can we find them on the database or create a new user? $response['log'] .= 'checking user|'; //first check: is there a POST id? if ($postID) { $response['log'] .= 'got postID|'; //query database for user data based on POST id getUser($postID, null); } elseif ($socialID) { //no POST id sent - try to load user data based on socialID $response['log'] .= 'no POST id, checking user via socialID|'; getUser(null, $socialID); } else { $response['success'] = 'Error: no userID or socialID sent! Is this a returning user or someone who needs a new account?? I cant tell.'; } } //echo $response['log']; //echo $response['success']; }
public function check_userid() { if (isAjaX()) { $data = array(); $username = cleanInput($_POST['userid']); if (checkVar($username) && !$this->model->username_exists($username)) { $data['result'] = "<div class='message success'>Great! You found a username not in use</div>"; $data['inuse'] = TRUE; } else { $data['result'] = "<div class='message warning'>That username is already in use. (Usernames take 2 minutes without use to expire)</div>"; $data['inuse'] = FALSE; } $this->view->json($data); } }
function db_query($db_name, $sql, $bypass_admin_security, $debug_mode) { $sql = str_replace("#", "", $sql); // basic protection against sql injections // $bypass_admin_security = "yes" when an user is self-registering. // This is the only case where a non-identified user can write to the database // $debug_mode = "yes" shows the sql statement if ($debug_mode == "yes") { echo "<hr>-- Debug info--<br>" . $sql . "<hr>"; } global $db_connection_type, $db_server_address, $db_user, $db_password; $result = false; switch ($db_connection_type) { case "odbc": $db_connection = odbc_connect($db_name, $db_user, $db_password); if (substr($sql, 0, 6) == "SELECT" || substr($sql, 0, 12) == "SHOW COLUMNS" || $bypass_admin_security == "yes") { $result = odbc_exec($db_connection, $sql); } else { if (isset($_COOKIE["bookings_profile_id"]) && intval($_COOKIE["bookings_profile_id"]) > 1) { odbc_exec($db_connection, $sql); $result = true; } } odbc_close($db_connection); break; case "mysql": $db_connection = mysql_connect($db_server_address, $db_user, $db_password); mysql_set_charset("utf8", $db_connection); mysql_select_db($db_name, $db_connection); if (substr($sql, 0, 6) == "SELECT" || substr($sql, 0, 12) == "SHOW COLUMNS" || $bypass_admin_security == "yes") { $result = mysql_query($sql); } else { if (isset($_COOKIE["bookings_user_id"])) { $bookings_user_id = checkVar("sql", $_COOKIE["bookings_user_id"], "int", "", "", "0", ""); if ($bookings_user_id) { $sql = "SELECT profile_id FROM rs_data_users WHERE user_id = " . $bookings_user_id . ";"; $temp = mysql_query($sql); $profile_id = ($temp_ = mysql_fetch_array($temp)) ? $temp_["profile_id"] : 0; if ($profile_id > 1) { $result = mysql_query($sql); } } } } mysql_close($db_connection); } return $result; }
<?php session_start(); require_once "dbcon.php"; if (checkVar($_SESSION['userid'])) { $getRooms = "SELECT *\n \t\t\t FROM chat_rooms"; $roomResults = mysql_query($getRooms); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Chat Rooms</title> <link rel="stylesheet" type="text/css" href="main.css"/> </head> <body> <div id="page-wrap"> <div id="header"> <h1><a href="/examples/Chat2/">Chat v2</a></h1> <div id="you"><span>Logged in as:</span> <?php echo $_SESSION['userid']; ?>
session_start(); require_once "../chat/dbcon.php"; if (isAjax()) { $data = array(); $username = cleanInput($_POST['userid']); if (checkVar($username)) { $getUsers = "SELECT *\n \t\t\t\t\t FROM chat_users\n \t\t\t\t\t WHERE username = '******'"; if (!hasData($getUsers)) { $data['result'] = "<div class='message success'>Great! You found a username not in use</div>"; $data['inuse'] = "notinuse"; } else { $data['result'] = "<div class='message warning'>That username is already in use. (Usernames take 2 minutes without use to expire)</div>"; $data['inuse'] = "inuse"; } echo json_encode($data); } } else { $username = cleanInput($_POST['userid']); if (checkVar($username)) { $getUsers = "SELECT *\n \t\t\t\t\t FROM chat_users\n \t\t\t\t\t WHERE username = '******'"; if (!hasData($getUsers)) { $now = time(); $postUsers = "INSERT INTO `chat_users` (\n \t\t\t\t\t`id` ,\n \t\t\t\t\t`username` ,\n \t\t\t\t\t`status` ,\n \t\t\t\t\t`time_mod`\n \t\t\t\t\t)\n \t\t\t\t\tVALUES (\n \t\t\t\t\tNULL , '{$username}', '1', '{$now}'\n \t\t\t\t\t)"; mysql_query($postUsers); $_SESSION['userid'] = $username; header('Location: ./chatrooms.php'); } else { header('Location: ./?error=1'); } } }
<meta content="text/html; charset=UTF-8" http-equiv="content-type"> <title><?php echo $app_title . " :: " . Translate("Family", 1); ?> </title> <script type="text/javascript"><!-- <?php includeCommonScripts(); ?> --></script> <?php $family_id = checkVar("sql", $_POST["family_id"], "int", 1, "", "0", ""); if ($family_id == "0") { $action_ = "insert_new_family"; $family_name = ""; $sort_order = ""; } else { $action_ = "update_family"; $sql = "SELECT family_id, family_name, sort_order "; $sql .= "FROM rs_param_families WHERE family_id = " . $family_id . ";"; $temp = db_query($database_name, $sql, "no", "no"); $temp_ = fetch_array($temp); $family_name = $temp_["family_name"]; $sort_order = $temp_["sort_order"]; } // actions if (isset($_POST["action_"])) {
function Translate($english, $special_chars_to_html) { global $database_name; $english = checkVar("sql", $english, "string", "", "", "", "", 0, 0); if (isset($_COOKIE["bookings_user_id"])) { // user is logged -> uses user language setting $language = $_COOKIE["bookings_language"]; } else { // no user logged -> uses app language setting $sql = "SELECT param_value FROM rs_param WHERE param_name = 'language';"; $temp = db_query($database_name, $sql, "no", "no"); $temp_ = fetch_array($temp); $language = $temp_["param_value"]; } $sql = "SELECT " . $language . " FROM rs_param_lang "; $sql .= "WHERE english = '" . $english . "';"; $translation = db_query($database_name, $sql, "no", "no"); if ($translation_ = fetch_array($translation)) { if ($translation_[$language] != "" && !is_null($translation_[$language])) { if ($special_chars_to_html) { $return = $translation_[$language]; } else { $return = $translation_[$language]; // do not convert specials characters to html (usually for javascript alert box) } } else { $return = $english . "*"; } } else { // inserts english if database record is missing. It's a tip to get a list of missing vocabulary while developping the application $sql = "INSERT INTO rs_param_lang ( english ) VALUES ( '" . $english . "' );"; db_query($database_name, $sql, "yes", "no"); $return = $english . "*"; // the star shows translations missing in the database while browsing the app } $return = checkVar("html", $return, "string", "", "", "", "", 0, 0); return $return; }
function getStrandedUser() { if ($GLOBALS['STRANDED_USER'] != "yes") { return; } // query stranded user record $suserRecords = queryRecord("strandedUser", null, null, "a", "name", null); $count = 0; $GLOBALS['jumpTagOutput'] .= "<a href=\"#suser\">Stranded Users</a></br>\n"; $suserOutput = "<a name=\"suser\"></a>\n"; $suserOutput .= "<b>Stranded Users</b>\n<table border=1>\n"; $suserOutput .= "<tr><th>NAME</th><th>FULL NAME</th><th>SYNCED</th><th>DEPLOYED VMS</th><th>STORED VMS</th></tr>\n"; if (count($suserRecords) != 0) { foreach ($suserRecords as $suser) { $count++; $suserOutput .= "<tr>\n"; $suserOutput .= "<td>" . $suser->get_name() . "</td>"; $suserOutput .= "<td>" . checkVar($suser->get_fullName(), 'str') . "</td>"; $suserOutput .= "<td>" . ($suser->get_isInSync() ? "true" : "false") . "</td>"; $suserOutput .= "<td>" . $suser->get_numberOfDeployedVMs() . "</td>"; $suserOutput .= "<td>" . $suser->get_numberOfStoredVMs() . "</td>"; $suserOutput .= "</tr>\n"; } } $suserOutput .= "</table></br>\n"; $f = fopen($GLOBALS['report'], "a"); fwrite($f, $suserOutput); fclose($f); $GLOBALS['summaryHeaderOutput'] .= "<tr><td><b>Stranded User Count:</b></td><td>" . $count . "</td></tr>\n"; }
<?php $stringVar = 'hello'; checkVar($stringVar); $intVar = 15; checkVar($intVar); $floatVar = 1.234; checkVar($floatVar); $arrayVar = array(1, 2, 3); checkVar($arrayVar); $objectVar = (object) [2, 34]; checkVar($objectVar); function checkVar($variable) { if (is_numeric($variable)) { var_dump($variable); } else { echo gettype($variable) . "\n"; } }
// removes last comma (,) $sql .= " ) ENGINE=MyISAM DEFAULT CHARSET=latin1;"; db_query($database_name, $sql, "no", "no"); while (!feof($file_handle)) { // fills temp table with csv file data $buffer = fgets($file_handle); $array_values = explode(";", $buffer); $sql = "INSERT INTO rs_temp_lang ( "; foreach ($array_columns as $column_name) { $sql .= checkVar("sql", $column_name, "string", "", "", "", "", 0, 1) . ","; } $sql = substr($sql, 0, -1); // removes last comma (,) $sql .= " ) VALUES ( "; foreach ($array_values as $value) { $sql .= checkVar("sql", $value, "string", "", "", "", "", 0, 1) . ","; } $sql = substr($sql, 0, -1); // removes last comma (,) $sql .= ");"; db_query($database_name, $sql, "no", "no"); } fclose($file_handle); // replace localization_table (rs_param_lang) with temp table $sql = "RENAME TABLE rs_param_lang TO rs_backup_lang;"; db_query($database_name, $sql, "no", "no"); $sql = "RENAME TABLE rs_temp_lang TO rs_param_lang;"; db_query($database_name, $sql, "no", "no"); $sql = "DROP TABLE rs_backup_lang;"; db_query($database_name, $sql, "no", "no"); $sql = "DROP TABLE rs_temp_lang";
flush(); } fclose($hd); break; case 'upload': if (!strlen($_SERVER['HTTP_X_FILE_NAME'])) { // classic upload foreach ($_FILES as $file) { $destfile = $file['name']; checkVar($destfile); $target = buildPath($BASE_PATH, $destfile); checkFileExtension($target); if (move_uploaded_file($file['tmp_name'], $target)) { $success = true; } } } else { // HTML5 single file upload $destfile = $_SERVER['HTTP_X_FILE_NAME']; checkVar($destfile); $target = buildPath($BASE_PATH, $destfile); checkFileExtension($target); if (!@file_put_contents($target, file_get_contents("php://input"))) { print jsonResponse(false, 'cannot create file'); break; } $success = true; } print jsonResponse($success); break; }
$manager_name = Translate("None", 1); $manager_email = ""; ?> <tr> <td><?php echo checkVar("html", $available_objets_["object_name"], "string", "", "", "", "", 0, 0); ?> </td> <td><?php $email_ok = $manager_email != "" && checkVar("html", $manager_email, "email", "", "", "", "", 0, 0); if ($email_ok) { echo "<a href=\"mailto:" . $manager_email . "\">"; } echo checkVar("html", $manager_name, "string", "", "", "", "", 0, 0); if ($email_ok) { echo "</a>"; } ?> </td> <td style="text-align:center"><button onClick="openBooking(<?php echo $available_objets_["object_id"]; ?> ,<?php echo $available_objets_["booking_method"]; ?> )"><?php echo Translate("Book it !", 1); ?>