/**
* Escapes all the data in the argument. HO SHITZ IT'S RECURSIVEZ YO!
* @param mixed $data The data to escape
* @return mixed The escaped data
*/
function escapeData($data)
{
if (is_array($data)) {
foreach ($data as $k => $d) {
$data[$k] = escapeData($d);
}
return $data;
} else {
return mysql_real_escape_string(trim($data));
}
}
printf('{ "errorMsg":"Query: %s, Error: %s" }', $noteQ, mysqli_error($DBS['comet']));
} else {
echo '{ "success": "success!" }';
}
} elseif (isset($_POST['value']) && isset($_POST['id'])) {
// Parse the threadID from the id. The id is in 'note-#' format.
$threadArray = explode('-', $_POST['id']);
$threadID = (int) $threadArray[1];
// Check the user who wrote the note.
$threadQ = sprintf("SELECT note, threadID, userID FROM notes WHERE threadID=%u", $threadID);
$threadR = mysqli_query($DBS['comet'], $threadQ);
if (!$threadR) {
printf('Query: %s, Error: %s', $threadQ, mysqli_error($DBS['comet']));
}
list($oldValue, $threadID, $userID) = mysqli_fetch_row($threadR);
// Check the level of the current user. If the user wrote the note or is of level 4 or greater, edit the note.
if (($userID == $_SESSION['userID'] || $_SESSION['level'] >= 4) && !empty($_POST['value']) && $oldValue != $_POST['value']) {
$updateQ = sprintf("UPDATE notes SET note = '%s', userID = %u, modified=now() WHERE threadID = %u", escapeData($DBS['comet'], $_POST['value']), $_SESSION['userID'], $threadID);
$updateR = mysqli_query($DBS['comet'], $updateQ);
if (!$updateR) {
printf('Query: %s, Error: %s', $updateQ, mysqli_error($DBS['comet']));
} else {
echo $_POST['value'];
}
} else {
echo $oldValue;
}
}
} else {
header('Location: ../index.php');
}
} elseif ($type[0] == 'amount') {
$_POST['value'] = is_numeric($_POST['value']) ? number_format($_POST['value'], 2) : FALSE;
}
if ($oldValue != $_POST['value'] && $_POST['value'] !== FALSE) {
$updateQ = sprintf("UPDATE payments SET %s = '%s', userID=%u WHERE paymentID = %u", $type[0], escapeData($DBS['comet'], $_POST['value']), $_SESSION['userID'], $paymentID);
$updateR = mysqli_query($DBS['comet'], $updateQ);
if (!$updateR) {
printf('Query: %s, Error: %s', $updateQ, mysqli_error($DBS['comet']));
} else {
echo $type[0] == 'date' ? date('m/d/Y', strtotime($_POST['value'])) : $_POST['value'];
}
} else {
echo $type[0] == 'date' ? date('m/d/Y', strtotime($oldValue)) : $oldValue;
}
} elseif (isset($_POST['removeID']) && is_numeric($_POST['removeID'])) {
$paymentQ = sprintf("DELETE FROM payments WHERE paymentID=%u LIMIT 1", escapeData($DBS['comet'], $_POST['removeID']));
$paymentR = mysqli_query($DBS['comet'], $paymentQ);
if (!$paymentR) {
printf('{ "errorMsg":"Query: %s, Error: %s" }', $paymentQ, mysqli_error($DBS['comet']));
} else {
echo '{ "success": "success!" }';
}
// Non empty, numeric amount, non empty actual date.
} elseif (!empty($date) && !empty($amount) && is_numeric($amount) && checkdate(substr($date, 0, 2), substr($date, 3, 2), substr($date, 6, 4))) {
$year = substr($date, 6, 4);
$month = substr($date, 0, 2);
$day = substr($date, 3, 2);
$date = "{$year}-{$month}-{$day}";
$checkQ = "SELECT SUM(p.amount), MAX(date), d.nextPayment, d.joined, d.sharePrice, d.paymentPlan, pp.frequency, pp.amount \n\t\t\tFROM payments AS p \n\t\t\t\tRIGHT JOIN details AS d ON (d.cardNo = p.cardNo) \n\t\t\t\tINNER JOIN paymentPlans AS pp ON (d.paymentPlan = pp.planID)\n\t\t\tWHERE d.cardNo={$_SESSION['cardNo']}\n\t\t\tGROUP BY d.cardNo";
$checkR = mysqli_query($DBS['comet'], $checkQ);
list($total, $last, $next, $trash, $sPrice, $pPlan, $pFreq, $pAmount) = mysqli_fetch_row($checkR);
/**
* updateDetails function: Updates the details for a record in the database then inserts the updated record.
* Returns true on success, false on failure.
* @param integer $cardNo cardNo of the record to be inserted
* @param string $address Address of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
* @param string $phone Phone number of the record to be inserted. If null, old value is used.
* @param string $city City of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
* @param string $state State of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
* @param string $zip Zip code of the record to be inserted. If null, old value is used.
* @param string $email Email address of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
* @param boolean $noMail No mail boolean of the record to be inserted. Is cast to an integer. If null, old value is used.
* @param date $nextDue Next payment due date for the record to be inserted. If null, old value is used.
* @param integer $plan Payment plan of the record to be inserted. Is cast to an integer. If null, old value is used.
* @param date $joinDate Join date for the record to be inserted. If null, old value is used.
* @param decimal $sharePrice Share price for the record to be inserted. If null, old value is used.
* @param integer $userID User ID of the user who added the record
* @return boolean true on success, false on failure
*/
function updateDetails($cardNo, $address, $phone, $city, $state, $zip, $email, $noMail, $nextDue, $plan, $joinDate, $sharePrice, $userID)
{
global $DBS;
$updateQ = sprintf("UPDATE raw_details SET endDate=curdate() WHERE cardNo=%u AND endDate IS NULL", $cardNo);
$updateR = mysqli_query($DBS['comet'], $updateQ);
if ($updateR) {
$insertQ = sprintf("INSERT INTO raw_details (\n\t\t\t\tSELECT cardNo, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, curdate(), NULL, %s, NULL\n\t\t\t\tFROM raw_details\n\t\t\t\t\tWHERE cardNo = %u\n\t\t\t\tORDER BY id DESC\n\t\t\t\tLIMIT 1)", is_null($address) ? 'address' : "'" . escapeData($DBS['comet'], $address) . "'", is_null($phone) ? 'phone' : "'" . $phone . "'", is_null($city) ? 'city' : "'" . escapeData($DBS['comet'], $city) . "'", is_null($state) ? 'state' : "'" . escapeData($DBS['comet'], $state) . "'", is_null($zip) ? 'zip' : "'" . $zip . "'", is_null($email) ? 'email' : "'" . escapeData($DBS['comet'], $email) . "'", is_null($noMail) ? 'noMail' : (int) $noMail, is_null($nextDue) ? 'nextPayment' : ($nextDue == 'NULL' ? 'NULL' : "'" . $nextDue . "'"), is_null($plan) ? 'paymentPlan' : (int) $plan, is_null($joinDate) ? 'joined' : "'" . $joinDate . "'", is_null($sharePrice) ? 'sharePrice' : "'" . $sharePrice . "'", $userID, $cardNo);
$insertR = mysqli_query($DBS['comet'], $insertQ);
if ($insertR) {
return true;
} else {
return false;
}
} else {
return false;
}
}
<?php
session_start();
/**
* This page feeds the autocomplete for the search fields in the main tab.
* @author Matthaus Litteken <*****@*****.**>
* @version 1.0
* @package CoMET
*/
require_once '../includes/config.php';
require_once '../includes/functions.php';
if (isset($_GET['q'])) {
$searchFor = escapeData($DBS['comet'], $_GET['q']);
}
if (isset($_GET['search'])) {
$searchBy = escapeData($DBS['comet'], $_GET['search']);
}
if (isset($searchBy)) {
switch ($searchBy) {
case 'first':
$searchQ = "SELECT CONCAT(firstName, ' ', lastName, ' [', cardNo, ']') \n\t\t\t\tFROM owners \n\t\t\t\tWHERE firstName LIKE '{$searchFor}%' \n\t\t\t\tORDER BY firstName ASC";
break;
case 'last':
$searchQ = "SELECT CONCAT(lastName, ', ', firstName, ' [', cardNo, ']') \n\t\t\t\tFROM owners \n\t\t\t\tWHERE lastName LIKE '{$searchFor}%' \n\t\t\t\tORDER BY lastName ASC";
break;
default:
$searchQ = NULL;
break;
}
}
$results = '';
$delList .= sprintf('%s<br />', $deleteR ? 'deleted successfully' : 'delete failure');
$body .= sprintf("Deleted: Card #: %u, Person #%u, First: %s, Last: %s, Discount: %u, Staff: %u, Memtype: %u, Check: %u, Charge: %u, Hours: %u\n", $cardNo, $personNum, $first, $last, $discount, $staff, $memType, $check, $charge, $ssi);
$count++;
}
// Records to be updated...
$updateListQ = "SELECT cardNo, personNum, firstName, lastName, discount, memType, staff, writeChecks, chargeOk FROM owners\n\t\tWHERE CONCAT_WS(',', cardNo, personNum, firstName, lastName, discount, memType, staff, writeChecks, chargeOk) NOT IN \n\t\t\t(SELECT CONCAT_WS(',', cardNo, personNum, firstName, lastName, discount, memType, staff, writeChecks, chargeOk) \n\t\t\tFROM {$_SESSION['opDB']}.custdata)";
$updateListR = mysqli_query($DBS['comet'], $updateListQ);
if (!$updateListR) {
printf('<h3>Query: %s<br />Error %s</h3>', $updateListQ, mysqli_error($DBS['comet']));
}
if (mysqli_num_rows($updateListR) > 0) {
$upList = '<br /><h3>Records updated:</h3>';
}
while (list($cardNo, $personNum, $first, $last, $discount, $memType, $staff, $check, $charge) = mysqli_fetch_row($updateListR)) {
$upList .= sprintf("Card #: %u, Person #%u, Name: %s %s ", $cardNo, $personNum, $first, $last);
$updateQ = sprintf("UPDATE custdata\n\t\t\tSET firstname='%s', lastname='%s', discount=%u, memtype=%u, staff=%u, writechecks=%u, chargeok=%u, memdiscountlimit=%u, type='%s'\n\t\t\tWHERE cardNo=%u AND personNum=%u", escapeData($DBS['comet'], $first), escapeData($DBS['comet'], $last), (int) $discount, (int) $memType, (int) $staff, (int) $check, (int) $charge, $charge == 1 ? 9999 : 0, $memType == 0 || $memType == 6 || $memType == 7 ? 'reg' : 'pc', $cardNo, $personNum);
$updateR = mysqli_query($DBS['is4c_op'], $updateQ);
if (!$updateR) {
printf('<h3>Query: %s<br />Error %s</h3>', $updateR, mysqli_error($DBS['is4c_op']));
}
$upList .= sprintf('%s<br />', $updateR ? 'updated successfully' : 'update failure');
$count++;
}
// Mail admin...
$from = "CoMET <*****@*****.**>";
$to = $_SESSION['userEmail'];
$subject = "CoMET Mail - Deleted Records";
// Force sync of fannie to lanes using cURL...
$curlSync = curl_init($_SESSION['syncURL']);
curl_setopt($curlSync, CURLOPT_RETURNTRANSFER, true);
if (curl_exec($curlSync) !== false) {
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
session_start();
/**
* This handler deals with mailer options. It updates the options table in the DB with any changes.
* @author Matthaus Litteken <*****@*****.**>
* @version 1.0
* @package CoMET
*/
require_once '../includes/config.php';
require_once '../includes/functions.php';
$allowed = array('comingDueDays', 'comingDueMsg', 'comingDueSubject', 'pastDueDays', 'pastDueMsg', 'pastDueSubject', 'inactiveDays', 'inactiveMsg', 'inactiveSubject', 'reminderFrom', 'reminderEmail');
if (isset($_POST['id']) && isset($_POST['value']) && in_array($_POST['id'], $allowed)) {
$id = escapeData($DBS['comet'], $_POST['id']);
$rawValue = $_POST['value'];
$value = escapeData($DBS['comet'], $_POST['value']);
} else {
$id = NULL;
$value = NULL;
}
if (!empty($id) && $value) {
$valueQ = "SELECT value FROM options WHERE name='{$id}'";
$valueR = mysqli_query($DBS['comet'], $valueQ);
list($oldValue) = mysqli_fetch_row($valueR);
$oldValue = nl2br($oldValue);
if (empty($value) || strstr($id, 'Days') !== FALSE && !is_numeric($value)) {
// If empty or non-numeric when supposed to be then load and display the initial value...
echo $oldValue;
exit;
} else {
$updateQ = sprintf("UPDATE options SET value='%s' WHERE name='%s'", $value, $id);
}
if (isset($_POST['firstSearch']) && !empty($_POST['firstSearch'])) {
$_REQUEST['navButton'] = 'search';
$search = explode(' ', escapeData($DBS['comet'], $_POST['firstSearch']));
$count = count($search);
$_POST['value'] = trim($search[$count - 1], '[');
$_POST['value'] = trim($_POST['value'], ']');
} elseif (isset($_POST['lastSearch']) && !empty($_POST['lastSearch'])) {
$_REQUEST['navButton'] = 'search';
$search = explode(' ', escapeData($DBS['comet'], $_POST['lastSearch']));
$count = count($search);
$_POST['value'] = trim($search[$count - 1], '[');
$_POST['value'] = trim($_POST['value'], ']');
}
// Read the submit type, adjust the $_SESSION['cardNo'] and let the main.php JS handle updating the divs
$navButton = isset($_REQUEST['navButton']) ? escapeData($DBS['comet'], $_REQUEST['navButton']) : NULL;
//echo '"errorMsg": "' . $navButton . '", ';
switch ($navButton) {
case 'delete':
deleteOwner($_SESSION['cardNo']);
deleteDetails($_SESSION['cardNo']);
$cardQ = "SELECT cardNo FROM owners WHERE cardNo < {$_SESSION['cardNo']} ORDER BY cardNo DESC LIMIT 1";
$cardR = mysqli_query($DBS['comet'], $cardQ);
if (mysqli_num_rows($cardR) == 1) {
list($_SESSION['cardNo']) = mysqli_fetch_row($cardR);
}
echo ' "cardNo": "' . $_SESSION['cardNo'] . '" }';
break;
case 'search':
if (is_numeric($_POST['value']) && $_POST['value'] > 0) {
$_SESSION['cardNo'] = (int) $_POST['value'];