function checkUser()
{
global $dbh;
global $response;
$response['log'] .= 'checkUser running |';
//echo $response['log'];
//$postID=filter_input(INPUT_POST, 'userID', FILTER_SANITIZE_STRING);
if (checkVar($_POST['userID'])) {
$postID = $_POST['userID'];
} else {
$postID = false;
}
if (checkVar($_POST['socialID'])) {
$socialID = $_POST['socialID'];
} else {
$socialID = false;
}
$response['log'] .= '$postID=' . $postID . ', $socialID=' . $socialID . '|';
$response['success'] = 'init success value, not overwritten';
//$response['query']='no query set';
//database details
$dbusername = "******";
$dbpassword = "******";
//emotion2010
$dbhostname = "207.7.92.13";
//connect to database
$dbh = mysql_connect($dbhostname, $dbusername, $dbpassword);
if (!$dbh) {
$response['success'] = 'ERROR: could not connect to mySQL';
generateOutput();
} else {
//CHECK USER - what data do we have? Can we find them on the database or create a new user?
$response['log'] .= 'checking user|';
//first check: is there a POST id?
if ($postID) {
$response['log'] .= 'got postID|';
//query database for user data based on POST id
getUser($postID, null);
} elseif ($socialID) {
//no POST id sent - try to load user data based on socialID
$response['log'] .= 'no POST id, checking user via socialID|';
getUser(null, $socialID);
} else {
$response['success'] = 'Error: no userID or socialID sent! Is this a returning user or someone who needs a new account?? I cant tell.';
}
}
//echo $response['log'];
//echo $response['success'];
}
public function check_userid()
{
if (isAjaX()) {
$data = array();
$username = cleanInput($_POST['userid']);
if (checkVar($username) && !$this->model->username_exists($username)) {
$data['result'] = "<div class='message success'>Great! You found a username not in use</div>";
$data['inuse'] = TRUE;
} else {
$data['result'] = "<div class='message warning'>That username is already in use. (Usernames take 2 minutes without use to expire)</div>";
$data['inuse'] = FALSE;
}
$this->view->json($data);
}
}
function db_query($db_name, $sql, $bypass_admin_security, $debug_mode)
{
$sql = str_replace("#", "", $sql);
// basic protection against sql injections
// $bypass_admin_security = "yes" when an user is self-registering.
// This is the only case where a non-identified user can write to the database
// $debug_mode = "yes" shows the sql statement
if ($debug_mode == "yes") {
echo "<hr>-- Debug info--<br>" . $sql . "<hr>";
}
global $db_connection_type, $db_server_address, $db_user, $db_password;
$result = false;
switch ($db_connection_type) {
case "odbc":
$db_connection = odbc_connect($db_name, $db_user, $db_password);
if (substr($sql, 0, 6) == "SELECT" || substr($sql, 0, 12) == "SHOW COLUMNS" || $bypass_admin_security == "yes") {
$result = odbc_exec($db_connection, $sql);
} else {
if (isset($_COOKIE["bookings_profile_id"]) && intval($_COOKIE["bookings_profile_id"]) > 1) {
odbc_exec($db_connection, $sql);
$result = true;
}
}
odbc_close($db_connection);
break;
case "mysql":
$db_connection = mysql_connect($db_server_address, $db_user, $db_password);
mysql_set_charset("utf8", $db_connection);
mysql_select_db($db_name, $db_connection);
if (substr($sql, 0, 6) == "SELECT" || substr($sql, 0, 12) == "SHOW COLUMNS" || $bypass_admin_security == "yes") {
$result = mysql_query($sql);
} else {
if (isset($_COOKIE["bookings_user_id"])) {
$bookings_user_id = checkVar("sql", $_COOKIE["bookings_user_id"], "int", "", "", "0", "");
if ($bookings_user_id) {
$sql = "SELECT profile_id FROM rs_data_users WHERE user_id = " . $bookings_user_id . ";";
$temp = mysql_query($sql);
$profile_id = ($temp_ = mysql_fetch_array($temp)) ? $temp_["profile_id"] : 0;
if ($profile_id > 1) {
$result = mysql_query($sql);
}
}
}
}
mysql_close($db_connection);
}
return $result;
}
<?php
session_start();
require_once "dbcon.php";
if (checkVar($_SESSION['userid'])) {
$getRooms = "SELECT *\n \t\t\t FROM chat_rooms";
$roomResults = mysql_query($getRooms);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Chat Rooms</title>
<link rel="stylesheet" type="text/css" href="main.css"/>
</head>
<body>
<div id="page-wrap">
<div id="header">
<h1><a href="/examples/Chat2/">Chat v2</a></h1>
<div id="you"><span>Logged in as:</span> <?php
echo $_SESSION['userid'];
?>
session_start();
require_once "../chat/dbcon.php";
if (isAjax()) {
$data = array();
$username = cleanInput($_POST['userid']);
if (checkVar($username)) {
$getUsers = "SELECT *\n \t\t\t\t\t FROM chat_users\n \t\t\t\t\t WHERE username = '******'";
if (!hasData($getUsers)) {
$data['result'] = "<div class='message success'>Great! You found a username not in use</div>";
$data['inuse'] = "notinuse";
} else {
$data['result'] = "<div class='message warning'>That username is already in use. (Usernames take 2 minutes without use to expire)</div>";
$data['inuse'] = "inuse";
}
echo json_encode($data);
}
} else {
$username = cleanInput($_POST['userid']);
if (checkVar($username)) {
$getUsers = "SELECT *\n \t\t\t\t\t FROM chat_users\n \t\t\t\t\t WHERE username = '******'";
if (!hasData($getUsers)) {
$now = time();
$postUsers = "INSERT INTO `chat_users` (\n \t\t\t\t\t`id` ,\n \t\t\t\t\t`username` ,\n \t\t\t\t\t`status` ,\n \t\t\t\t\t`time_mod`\n \t\t\t\t\t)\n \t\t\t\t\tVALUES (\n \t\t\t\t\tNULL , '{$username}', '1', '{$now}'\n \t\t\t\t\t)";
mysql_query($postUsers);
$_SESSION['userid'] = $username;
header('Location: ./chatrooms.php');
} else {
header('Location: ./?error=1');
}
}
}
<meta content="text/html; charset=UTF-8" http-equiv="content-type">
<title><?php
echo $app_title . " :: " . Translate("Family", 1);
?>
</title>
<script type="text/javascript"><!--
<?php
includeCommonScripts();
?>
--></script>
<?php
$family_id = checkVar("sql", $_POST["family_id"], "int", 1, "", "0", "");
if ($family_id == "0") {
$action_ = "insert_new_family";
$family_name = "";
$sort_order = "";
} else {
$action_ = "update_family";
$sql = "SELECT family_id, family_name, sort_order ";
$sql .= "FROM rs_param_families WHERE family_id = " . $family_id . ";";
$temp = db_query($database_name, $sql, "no", "no");
$temp_ = fetch_array($temp);
$family_name = $temp_["family_name"];
$sort_order = $temp_["sort_order"];
}
// actions
if (isset($_POST["action_"])) {
function Translate($english, $special_chars_to_html)
{
global $database_name;
$english = checkVar("sql", $english, "string", "", "", "", "", 0, 0);
if (isset($_COOKIE["bookings_user_id"])) {
// user is logged -> uses user language setting
$language = $_COOKIE["bookings_language"];
} else {
// no user logged -> uses app language setting
$sql = "SELECT param_value FROM rs_param WHERE param_name = 'language';";
$temp = db_query($database_name, $sql, "no", "no");
$temp_ = fetch_array($temp);
$language = $temp_["param_value"];
}
$sql = "SELECT " . $language . " FROM rs_param_lang ";
$sql .= "WHERE english = '" . $english . "';";
$translation = db_query($database_name, $sql, "no", "no");
if ($translation_ = fetch_array($translation)) {
if ($translation_[$language] != "" && !is_null($translation_[$language])) {
if ($special_chars_to_html) {
$return = $translation_[$language];
} else {
$return = $translation_[$language];
// do not convert specials characters to html (usually for javascript alert box)
}
} else {
$return = $english . "*";
}
} else {
// inserts english if database record is missing. It's a tip to get a list of missing vocabulary while developping the application
$sql = "INSERT INTO rs_param_lang ( english ) VALUES ( '" . $english . "' );";
db_query($database_name, $sql, "yes", "no");
$return = $english . "*";
// the star shows translations missing in the database while browsing the app
}
$return = checkVar("html", $return, "string", "", "", "", "", 0, 0);
return $return;
}
function getStrandedUser()
{
if ($GLOBALS['STRANDED_USER'] != "yes") {
return;
}
// query stranded user record
$suserRecords = queryRecord("strandedUser", null, null, "a", "name", null);
$count = 0;
$GLOBALS['jumpTagOutput'] .= "<a href=\"#suser\">Stranded Users</a></br>\n";
$suserOutput = "<a name=\"suser\"></a>\n";
$suserOutput .= "<b>Stranded Users</b>\n<table border=1>\n";
$suserOutput .= "<tr><th>NAME</th><th>FULL NAME</th><th>SYNCED</th><th>DEPLOYED VMS</th><th>STORED VMS</th></tr>\n";
if (count($suserRecords) != 0) {
foreach ($suserRecords as $suser) {
$count++;
$suserOutput .= "<tr>\n";
$suserOutput .= "<td>" . $suser->get_name() . "</td>";
$suserOutput .= "<td>" . checkVar($suser->get_fullName(), 'str') . "</td>";
$suserOutput .= "<td>" . ($suser->get_isInSync() ? "true" : "false") . "</td>";
$suserOutput .= "<td>" . $suser->get_numberOfDeployedVMs() . "</td>";
$suserOutput .= "<td>" . $suser->get_numberOfStoredVMs() . "</td>";
$suserOutput .= "</tr>\n";
}
}
$suserOutput .= "</table></br>\n";
$f = fopen($GLOBALS['report'], "a");
fwrite($f, $suserOutput);
fclose($f);
$GLOBALS['summaryHeaderOutput'] .= "<tr><td><b>Stranded User Count:</b></td><td>" . $count . "</td></tr>\n";
}
<?php
$stringVar = 'hello';
checkVar($stringVar);
$intVar = 15;
checkVar($intVar);
$floatVar = 1.234;
checkVar($floatVar);
$arrayVar = array(1, 2, 3);
checkVar($arrayVar);
$objectVar = (object) [2, 34];
checkVar($objectVar);
function checkVar($variable)
{
if (is_numeric($variable)) {
var_dump($variable);
} else {
echo gettype($variable) . "\n";
}
}
// removes last comma (,)
$sql .= " ) ENGINE=MyISAM DEFAULT CHARSET=latin1;";
db_query($database_name, $sql, "no", "no");
while (!feof($file_handle)) {
// fills temp table with csv file data
$buffer = fgets($file_handle);
$array_values = explode(";", $buffer);
$sql = "INSERT INTO rs_temp_lang ( ";
foreach ($array_columns as $column_name) {
$sql .= checkVar("sql", $column_name, "string", "", "", "", "", 0, 1) . ",";
}
$sql = substr($sql, 0, -1);
// removes last comma (,)
$sql .= " ) VALUES ( ";
foreach ($array_values as $value) {
$sql .= checkVar("sql", $value, "string", "", "", "", "", 0, 1) . ",";
}
$sql = substr($sql, 0, -1);
// removes last comma (,)
$sql .= ");";
db_query($database_name, $sql, "no", "no");
}
fclose($file_handle);
// replace localization_table (rs_param_lang) with temp table
$sql = "RENAME TABLE rs_param_lang TO rs_backup_lang;";
db_query($database_name, $sql, "no", "no");
$sql = "RENAME TABLE rs_temp_lang TO rs_param_lang;";
db_query($database_name, $sql, "no", "no");
$sql = "DROP TABLE rs_backup_lang;";
db_query($database_name, $sql, "no", "no");
$sql = "DROP TABLE rs_temp_lang";
flush();
}
fclose($hd);
break;
case 'upload':
if (!strlen($_SERVER['HTTP_X_FILE_NAME'])) {
// classic upload
foreach ($_FILES as $file) {
$destfile = $file['name'];
checkVar($destfile);
$target = buildPath($BASE_PATH, $destfile);
checkFileExtension($target);
if (move_uploaded_file($file['tmp_name'], $target)) {
$success = true;
}
}
} else {
// HTML5 single file upload
$destfile = $_SERVER['HTTP_X_FILE_NAME'];
checkVar($destfile);
$target = buildPath($BASE_PATH, $destfile);
checkFileExtension($target);
if (!@file_put_contents($target, file_get_contents("php://input"))) {
print jsonResponse(false, 'cannot create file');
break;
}
$success = true;
}
print jsonResponse($success);
break;
}
$manager_name = Translate("None", 1);
$manager_email = "";
?>
<tr>
<td><?php
echo checkVar("html", $available_objets_["object_name"], "string", "", "", "", "", 0, 0);
?>
</td>
<td><?php
$email_ok = $manager_email != "" && checkVar("html", $manager_email, "email", "", "", "", "", 0, 0);
if ($email_ok) {
echo "<a href=\"mailto:" . $manager_email . "\">";
}
echo checkVar("html", $manager_name, "string", "", "", "", "", 0, 0);
if ($email_ok) {
echo "</a>";
}
?>
</td>
<td style="text-align:center"><button onClick="openBooking(<?php
echo $available_objets_["object_id"];
?>
,<?php
echo $available_objets_["booking_method"];
?>
)"><?php
echo Translate("Book it !", 1);
?>
