function loadPage($url)
 {
     global $MARKET_mode;
     if ($this->options['enable_pages']) {
         if (preg_match('@^\\d+$@', $url)) {
             $sql = "SELECT page_template.name AS template_name, page.id, title, summary, text, is_type, market_user.name, market_user.surname, market_user.user_email, DATE_FORMAT(updated, '%d/%m/%Y %H:%i') AS date FROM page LEFT JOIN page_ml USING (id) LEFT JOIN page_ps USING (id) LEFT JOIN market_user ON market_user.user_id=creator LEFT JOIN page_template ON page_template.id=page_template_id WHERE page.id='" . sqlEscape($url) . "' AND publish='1' AND page_ml.lang='" . MARKET_LANG . "'";
         } else {
             $sql = "SELECT page_template.name AS template_name, page.id, title, summary, text, is_type, market_user.name, market_user.surname, market_user.user_email, DATE_FORMAT(updated, '%d/%m/%Y %H:%i') AS date FROM page LEFT JOIN page_ml USING (id) LEFT JOIN page_ps USING (id) LEFT JOIN market_user ON market_user.user_id=creator LEFT JOIN page_template ON page_template.id=page_template_id WHERE url='" . sqlEscape($url) . "' AND publish='1' AND page_ml.lang='" . MARKET_LANG . "'";
         }
         if (sqlQuery($sql, $res)) {
             $row = sqlFetchAssoc($res);
             $this->assignGlobal(array('PAGE.Id' => $row['id'], 'PAGE.Summary' => $row['summary'], 'PAGE.Title' => $row['title'], 'PAGE.Text' => $row['text'], 'PAGE.Author' => $row['name'] . ' ' . $row['surname'] . ', ' . MARKET_Filter::noSpam($row['email']), 'PAGE.Mtime' => $row['date']));
             if ($row['is_type'] == 'passthrough') {
                 return substr($url, 0, strrpos($url, '.'));
             } else {
                 if ($row['is_type'] == 'template') {
                     $tname = substr($url, 0, strrpos($url, '.'));
                     $this->preParseTemplate($tname, explode("\n", $row['text']));
                     $this->parseTemplate('PAGE.Text', $tname, MARKET_DO_NOT_APPEND);
                 }
             }
             return $row['template_name'];
         }
     }
     return preg_replace('@\\.html$@', '', $url);
 }
	function sendResetEmail( $username ) {
		
		$username = sqlEscape( $username );
		$sql = "SELECT * FROM users WHERE username='******'";
		$result = tmbo_query( $sql );
		if( mysql_num_rows( $result ) == 1 ) {
			$row = mysql_fetch_assoc( $result );
			$code = hashFromUserRow( $row );
			$message = "Someone (hopefully you) wants to reset your [this might be offensive] password. To reset your password, please visit the following link:

https://".$_SERVER['HTTP_HOST']."/offensive/pwreset.php?x=$code

			";
			
			if( isValidEmail( $row['email'] ) ) {

				mail( $row['email'], "resetting your [this might be offensive] password", $message, "From: offensive@thismight.be (this might be offensive)\r\n"/*bcc:ray@mysocalled.com"*/) or trigger_error("could not send email", E_USER_ERROR);

				echo "An email has been sent containing instructions for resetting your password.";
			}
			else {
				echo "Unfortunately, we don't have a valid email address for that account. There's nothing we can do for you.";
			}

		}

	}
	function getReferrerId( $refcode ) {

		$sql = "SELECT * FROM referrals WHERE referral_code = '".sqlEscape($refcode)."' LIMIT 1";
		$result = tmbo_query( $sql );
		if( mysql_num_rows( $result ) == 1 ) {
			$row = mysql_fetch_assoc( $result );
			return $row['userid'];
		}

		return -1;

	}
 function saveUserData($var, $val)
 {
     if ($_SESSION['User']['is_loggedin']) {
         if ($val) {
             $_SESSION['User']['data'][$var] = $val;
         } else {
             unset($_SESSION['User']['data'][$var]);
         }
         $sql = "UPDATE market_user SET data='" . sqlEscape(serialize($_SESSION['User']['data'])) . "' WHERE user_id='" . $_SESSION['User']['user_id'] . "'";
         sqlQuery($sql, $res, EXT_DEBUG);
         return true;
     }
     return false;
 }
Example #5
0
         $update_category = true;
     }
     if ($_POST['existing_service'][$i]["'description'"] !== $check_services[$i]['name']) {
         $new_description = sqlEscape($_POST['existing_service'][$i]["'description'"]);
         $update_description_text .= " WHEN {$current} THEN '{$new_description}'";
         $rowsToUpdate .= $current . ',';
         $update_description = true;
     }
     if ($_POST['existing_service'][$i]["'price'"] !== $check_services[$i]['price']) {
         $new_price = sqlEscape($_POST['existing_service'][$i]["'price'"]);
         $update_price_text .= " WHEN {$current} THEN {$new_price}";
         $rowsToUpdate .= $current . ',';
         $update_price = true;
     }
     if ($_POST['existing_service'][$i]["'time'"] !== $check_services[$i]['time']) {
         $new_time = sqlEscape($_POST['existing_service'][$i]["'time'"]);
         $update_time_text .= " WHEN {$current} THEN {$new_time}";
         $rowsToUpdate .= $current . ',';
         $update_time = true;
     }
     // }
 }
 if ($update_description || $update_price || $update_time || $update_category) {
     $update = "UPDATE services SET ";
     if ($update_description) {
         $update .= "name = CASE id {$update_description_text} END, ";
     }
     if ($update_price) {
         $update .= "price = CASE id {$update_price_text} END, ";
     }
     if ($update_time) {
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../../mysql/query.php';
    $news_type = sqlEscape($_POST['news_type']);
    $userNews = sqlSelect("SELECT users_news_feed.id, have_read, news_type.type, groups.id AS group_id, name AS group_name, story.story_id, title, users.user_id, username FROM users_news_feed LEFT JOIN groups ON groups.id = users_news_feed.group_id LEFT JOIN story ON story.story_id = users_news_feed.story_id LEFT JOIN users ON users.user_id = users_news_feed.writer_id INNER JOIN `news_type` ON news_type.id = users_news_feed.type_id WHERE users_news_feed.user_id = {$_SESSION['me']['id']} AND news_type.type = '{$news_type}' AND have_read = 0;");
    if ($userNews) {
        echo json_encode($userNews);
        die;
    } else {
        echo 'no news';
    }
}
Example #7
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../../mysql/query.php';
    if (!isset($_SESSION['user']) && !is_numeric($_POST['group_id'])) {
        die;
    }
    $group_id = sqlEscape($_POST['group_id']);
    $groupMembers = sqlSelect("SELECT user_id FROM group_members WHERE group_id = {$group_id};");
    if ($groupMembers) {
        echo json_encode($groupMembers);
        die;
    }
}
<?php

// Categories
$sql = "SELECT category FROM directory_ml WHERE lang='" . MARKET_LANG . "' AND category <> '' GROUP BY category ORDER BY category";
if (sqlQuery($sql, $res)) {
    $i = 1;
    while ($row = sqlFetchAssoc($res)) {
        $str = '';
        $sql = "SELECT prof1, prof2, prof3 FROM directory_ml WHERE lang='" . MARKET_LANG . "' AND category='" . sqlEscape($row['category']) . "'";
        if (sqlQuery($sql, $res1)) {
            $tags = array();
            while ($row1 = sqlFetchAssoc($res1)) {
                for ($j = 1; $j <= 3; $j++) {
                    if ($row1['prof' . $j] && !in_array($row1['prof' . $j], $tags)) {
                        $tags[] = $row1['prof' . $j];
                    }
                }
            }
            asort($tags);
            if ($_COOKIE['mplace_menu'] & pow(2, $i - 1)) {
                $str = '<ul id="ul' . $i . '" class="tags in collapse">';
            } else {
                $str = '<ul id="ul' . $i . '" class="tags collapse">';
            }
            foreach ($tags as $tag) {
                $str .= '<li><a href="index.html?content=tag&q=' . urlencode($tag) . '">' . htmlspecialchars($tag) . '</a></li>';
            }
            $str .= '</ul>';
        }
        $this->assignLocal('category', 'ROW', array('ndx' => $i, 'title' => $row['category'], 'tags' => $str));
        $this->lightParseTemplate('CATEGORY', 'category');
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../../mysql/query.php';
    require '../../../lang/config.php';
    $group_id = sqlEscape($_POST['group_id']);
    $group_name = sqlEscape($_POST['group_name']);
    $group_members = sqlEscape($_POST['group_members']);
    $_SESSION['errors'] = array();
    if (!is_numeric($group_id)) {
        $_SESSION['errors'] = true;
    }
    if (empty($group_members)) {
        array_push($_SESSION['errors'], "<span class=\"ion-android-warning\"> Fyll i fältet");
        header("Location: ../../../groups/{$group_id}/invite");
    }
    if (!empty($group_members)) {
        $users_exists = sqlSelect("SELECT user_id, username FROM `users` WHERE type = 1 AND user_id IN ({$group_members}) OR username IN ('{$group_members}');");
        if (!$users_exists) {
            if (strlen($group_members) >= 3) {
                array_push($_SESSION['errors'], "<span class=\"ion-android-warning\"> Spelarna finns inte");
            }
            if (strlen($group_members) == 1) {
                array_push($_SESSION['errors'], "<span class=\"ion-android-warning\"> Spelaren finns inte");
            }
        } else {
            $members_exists = sqlSelect("SELECT users.user_id, users.username, group_members.status FROM users INNER JOIN `group_members` ON users.user_id = group_members.user_id WHERE group_members.group_id = {$group_id} AND group_members.user_id IN ({$group_members});");
            if ($members_exists) {
                foreach ($members_exists as $member) {
                    if ($member['status'] == 1) {
Example #10
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../../mysql/query.php';
    require '../../../lib/Pusher/config.php';
    $words = sqlEscape($_POST['words']);
    $story = $_POST['story'];
    if (strlen($words) >= 1 && strlen($words) <= 50 && is_numeric($story)) {
        // Check if my turn
        $my_turn = sqlSelect("SELECT id, on_turn, round, story.rounds FROM story_writers INNER JOIN story ON story_writers.story_id = story.story_id WHERE story_writers.story_id = {$story} AND user_id = {$_SESSION['me']['id']};");
        if ($my_turn[0]['on_turn'] != 1) {
            die;
        }
        $insertWords = "INSERT INTO row (user_id, words, story_id, date) VALUES ({$_SESSION['me']['id']}, '{$words}', {$story}, now());";
        $finishMyTurn = "UPDATE `story_writers` SET `on_turn` = 0, round = round + 1, `date` = now() WHERE story_id = {$story} AND user_id = {$_SESSION['me']['id']};";
        $ok = '';
        if (sqlAction($insertWords) && sqlAction($finishMyTurn)) {
            $ok = true;
        } else {
            die;
        }
        // $round = sqlSelect("SELECT MIN(round) AS current, rounds AS end FROM story_writers INNER JOIN story ON story_writers.story_id = story.story_id WHERE story_writers.story_id = {$story};");
        $round = sqlSelect("SELECT round AS current, rounds AS end FROM story_writers INNER JOIN story ON story_writers.story_id = story.story_id WHERE story_writers.story_id = {$story} ORDER BY story_writers.id DESC LIMIT 1;");
        // Check if story is finished
        // $rounds_left = $my_turn[0]['rounds'] - $my_turn[0]['round'] - 1;
        $rounds_left = $round[0]['end'] - $round[0]['current'];
        if ($rounds_left == -1) {
            if (sqlAction("UPDATE story SET status = 2 WHERE story_id = {$story};")) {
                $story_writers = sqlSelect("SELECT user_id FROM `story_writers` WHERE story_id = {$story} AND user_id != {$_SESSION['me']['id']};");
                if ($story_writers) {
Example #11
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_POST['group_id']) && is_numeric($_POST['group_id'])) {
        $groupId = $_POST['group_id'];
    } else {
        die;
    }
    session_start();
    require '../../../mysql/query.php';
    require '../../../lang/config.php';
    $num_of_errors = 0;
    $title = sqlEscape($_POST['title']);
    $text = sqlEscape($_POST['text']);
    $rounds = sqlEscape($_POST['rounds']);
    $current_round = 1;
    $max_writers = 'null';
    $nonsensmode = 1;
    $public = 'null';
    $with_group = $groupId;
    $story = sqlAction("INSERT INTO story (title, rounds, current_round, max_writers, nonsens_mode, join_public, with_group, status, started_by_user, views) VALUES ('{$title}', {$rounds}, {$current_round}, {$max_writers}, {$nonsensmode}, {$public}, {$with_group}, 1, {$_SESSION['me']['id']}, 0);", $getLastId = true);
    if ($story) {
        if (sqlAction("INSERT INTO row (user_id, words, story_id, date) VALUES ({$_SESSION['me']['id']}, '{$text}', {$story}, now());")) {
            $story_writers = "INSERT INTO story_writers (story_id, user_id, on_turn, round, date) VALUES ({$story}, {$_SESSION['me']['id']}, 0, 2, now()), ";
            $writers = sqlSelect("SELECT user_id FROM group_members WHERE group_id = {$groupId} AND user_id != {$_SESSION['me']['id']};");
            $i = 0;
            foreach ($writers as $writer) {
                if ($i == 0) {
                    $on_turn = 1;
                } else {
                    $on_turn = 0;
Example #12
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../../mysql/query.php';
    require '../../../lang/config.php';
    $friends = sqlEscape($_POST['friends']);
    $_SESSION['errors'] = array();
    if (empty($friends)) {
        array_push($_SESSION['errors'], "<span class=\"ion-android-warning\"> Fyll i fältet");
        header('Location: ../../../profile?view=friends');
    }
    if (!empty($friends)) {
        $users = sqlSelect("SELECT user_id, username FROM `users` WHERE type = 1 AND user_id IN ({$friends}) OR username IN ({$friends});");
        if (!$users) {
            if (strlen($friends) >= 3) {
                array_push($_SESSION['errors'], "<span class=\"ion-android-warning\"> Spelarna finns inte");
            }
            if (strlen($friends) == 1) {
                array_push($_SESSION['errors'], "<span class=\"ion-android-warning\"> Spelaren finns inte");
            }
        } else {
            $already_friends = sqlSelect("SELECT users.user_id, users.username, friends.status, friends.sender FROM users INNER JOIN `friends` ON users.user_id = friends.user_id WHERE friends.user_id IN ({$friends}) UNION SELECT users.user_id, users.username, friends.status, friends.sender FROM users INNER JOIN `friends` ON users.user_id = friends.friend_user_id WHERE friends.friend_user_id IN ({$friends});");
            if ($already_friends) {
                foreach ($already_friends as $friend) {
                    if ($friend['status'] == 1) {
                        array_push($_SESSION['errors'], "<span class=\"ion-android-warning\"> Du är redan vän med <a href=\"profile?view={$friend['user_id']}\">{$friend['username']}</a>");
                    }
                    if ($friend['status'] == 0 && $friend['sender'] == $_SESSION['user']['id']) {
                        array_push($_SESSION['errors'], "<span class=\"ion-android-warning\"> Du har redan skickat vänförfrågan till <a href=\"profile?view={$friend['user_id']}\">{$friend['username']}</a>");
                    }
Example #13
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    if (isset($_SESSION['company']['id']) && is_numeric($_SESSION['company']['id']) && isset($_SESSION['me']['id']) && is_numeric($_SESSION['me']['id']) && is_numeric($_POST['id'])) {
        require '../../mysql/query.php';
        $start = sqlEscape($_POST['start']);
        if (sqlAction("DELETE FROM bookings WHERE id = {$_POST['id']} AND start = '{$start}';")) {
            echo 1;
            die;
        } else {
            echo 0;
            die;
        }
        // $times = sqlSelect("SELECT id, booked_at, start, end, invoice, webpay, in_place FROM `bookings` WHERE DATE(`start`) = '{$day}' AND company_id = {$_SESSION['company']['id']} AND employer_id = {$_SESSION['me']['id']};");
        // if ($times)
        // 	echo json_encode($times);
        // else
        // 	echo 0;
        // die;
    }
}
Example #14
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../../mysql/query.php';
    $old = sqlEscape($_POST['password']);
    $new = sqlEscape($_POST['new_password']);
    $new_repeat = sqlEscape($_POST['password_confirm']);
    if (strlen($old) > 5 && strlen($old) < 25 && strlen($new) > 5 && strlen($new) < 25 && strlen($new_repeat) > 5 && strlen($new_repeat) < 25 && $new === $new_repeat) {
        $password = sqlSelect("SELECT password FROM users WHERE user_id = {$_SESSION['user']['id']};");
        if (password_verify($old, $password[0]['password'])) {
            $pass = password_hash($new, PASSWORD_DEFAULT);
            if (sqlAction("UPDATE users SET password = '******' WHERE user_id = {$_SESSION['user']['id']};")) {
                echo json_encode(array('success' => true));
                die;
            }
        }
    }
}
Example #15
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../../mysql/query.php';
    if (strlen($_POST['new_password']) < 6) {
        echo json_encode(array('password_too_short' => true));
        die;
    }
    if (strlen($_POST['new_password']) > 25) {
        echo json_encode(array('password_too_long' => true));
        die;
    }
    $password = sqlEscape($_POST['new_password']);
    $email = sqlEscape($_POST['email']);
    $token = sqlEscape($_POST['token']);
    $getUser = sqlSelect("SELECT user_id FROM users WHERE email = '{$email}' AND reset_password_key = '{$token}';");
    if ($getUser) {
        $newPassword = password_hash($password, PASSWORD_DEFAULT);
        if (sqlAction("UPDATE users SET password = '******', reset_password_key = null WHERE user_id = {$getUser[0]['user_id']} AND email = '{$email}' AND reset_password_key = '{$token}';")) {
            echo json_encode(array('success' => true));
            die;
        }
    }
}
 function getSql($mode, $part)
 {
     switch ($part) {
         case 'FULL':
             $sql = 'SELECT ' . $this->cmd['RETURN'] . ' FROM ' . $this->cmd['OF'] . ' WHERE ' . $this->cmd['WHERE'] . ' AND (';
             break;
         case 'WHERE':
             $sql = ' AND (';
             break;
     }
     $tokens = $this->search_for;
     if (preg_match('@^CONCAT@', $this->cmd['SEARCH IN'])) {
         $search_in = array(trim($this->cmd['SEARCH IN']));
     } else {
         $search_in = $this->arrayTrim(explode(',', $this->cmd['SEARCH IN']));
     }
     $search_as = $this->arrayTrim(explode(',', $this->search_as));
     if ($mode == 'multiple') {
         $counti = count($tokens);
         for ($i = 0; $i < $counti; $i++) {
             $in[$i][] = $search_in[$i];
             $as[$i][] = $search_as[$i];
         }
     } else {
         $in[0] = $search_in;
         $as[0] = $search_as;
     }
     $counti = count($tokens);
     for ($i = 0; $i < $counti; $i++) {
         $sql .= "(";
         $countk = count($in[$i]);
         for ($k = 0; $k < $countk; $k++) {
             $countj = count($tokens[$i]);
             for ($j = 0; $j < $countj; $j++) {
                 if (preg_match('@\\*@', $tokens[$i][$j]['token'])) {
                     $tokens[$i][$j]['token'] = preg_replace('@\\*@', '%', $tokens[$i][$j]['token']);
                 }
                 /*
                 if (preg_match('@(.+)_ids$@', $search_in[$j], $matches)) {
                 	$keyword_sql = "SELECT $matches[1].id FROM $matches[1] WHERE title='$tokens[0][$i]'";
                 	$sqp =& $this->getRef('Sql_Parser');
                 	$sqp->parseSQL($keyword_sql);
                 	$keyword_sql = $sqp->getSQL();
                 	if (sqlQuery($keyword_sql, $res)) {
                 		$token = ',' . sqlResult($res, 0) . ',';
                 	}
                 	else {
                 		$token = $tokens[0][$i];
                 	}
                 }
                 else {
                 	$token = $tokens[$i][$j];
                 }
                 */
                 if ($tokens[$i][$j]['logic'] == 'NOT') {
                     $token = $tokens[$i][$j]['token'];
                     $equal = '<>';
                     $like = 'NOT LIKE';
                     $and = 'AND';
                 } else {
                     $token = preg_replace('@^\\+@', '', $tokens[$i][$j]['token']);
                     $equal = '=';
                     $like = 'LIKE';
                     if ($mode == 'multiple') {
                         $and = 'OR';
                     } else {
                         if ($mode == 'allwords') {
                             $and = 'OR';
                         } else {
                             $and = 'AND';
                         }
                     }
                 }
                 if (preg_match('@\\%@', $token)) {
                     $search_as = 'nochange';
                 } else {
                     $search_as = $as[$i][$k];
                 }
                 switch ($search_as) {
                     case 'exact':
                         $sql .= $in[$i][$k] . " {$like} '" . sqlEscape($token) . "'";
                         break;
                     case 'nochange':
                         $sql .= $in[$i][$k] . " {$like} '" . sqlEscape($token) . "'";
                         break;
                     case 'start':
                         $sql .= $in[$i][$k] . " {$like} '" . sqlEscape($token) . "%'";
                         break;
                     case 'end':
                         $sql .= $in[$i][$k] . " {$like} '%" . sqlEscape($token) . "'";
                         break;
                     case 'both':
                     default:
                         $sql .= $in[$i][$k] . " {$like} '%" . sqlEscape($token) . "%'";
                 }
                 if ($j < $countj - 1) {
                     $sql .= " {$and} ";
                 }
             }
             if ($k < $countk - 1) {
                 $sql .= ') OR (';
             } else {
                 $sql .= ')';
             }
         }
         if ($i < $counti - 1) {
             $sql .= ') AND (';
         } else {
             $sql .= ')';
         }
     }
     if ($part == 'FULL') {
         if ($this->cmd['GROUP BY']) {
             $sql .= ' GROUP BY ' . $this->cmd['GROUP BY'];
         }
         if ($this->cmd['ORDER BY']) {
             $sql .= ' ORDER BY ' . $this->cmd['ORDER BY'];
         }
     }
     return $sql;
 }
Example #17
0
function rawQuery($query)
{
    global $queries, $querytext, $loguser, $dblink, $debugMode, $logSqlErrors, $dbpref, $loguserid, $mysqlCellClass;
    //	if($debugMode)
    //		$queryStart = usectime();
    $res = @$dblink->query($query);
    if (!$res) {
        $theError = $dblink->error;
        if ($logSqlErrors) {
            $thequery = sqlEscape($query);
            $ip = sqlEscape($_SERVER["REMOTE_ADDR"]);
            $time = time();
            if (!$loguserid) {
                $loguserid = 0;
            }
            $get = sqlEscape(var_export($_GET, true));
            $post = sqlEscape(var_export($_POST, true));
            $cookie = sqlEscape(var_export($_COOKIE, true));
            $theError = sqlEscape($theError);
            $logQuery = "INSERT INTO {$dbpref}queryerrors (`user`,`ip`,`time`,`query`,`get`,`post`,`cookie`, `error`) VALUES ({$loguserid}, '{$ip}', {$time}, '{$thequery}', '{$get}', '{$post}', '{$cookie}', '{$theError}')";
            $res = @$dblink->query($logQuery);
        }
        if ($debugMode) {
            $bt = "";
            if (function_exists("backTrace")) {
                $bt = backTrace();
            }
            die(nl2br($bt) . "<br /><br />" . htmlspecialchars($theError) . "<br /><br />Query was: <code>" . htmlspecialchars($query) . "</code>");
            /*				<br />This could have been caused by a database layout change in a recent git revision. Try running the installer again to fix it. <form action=\"install/doinstall.php\" method=\"POST\"><br />
            			<input type=\"hidden\" name=\"action\" value=\"Install\" />
            			<input type=\"hidden\" name=\"existingSettings\" value=\"true\" />
            			<input type=\"submit\" value=\"Click here to re-run the installation script\" /></form>");*/
        }
        trigger_error("MySQL Error.", E_USER_ERROR);
        die("MySQL Error.");
    }
    $queries++;
    if ($debugMode) {
        $mysqlCellClass = ($mysqlCellClass + 1) % 2;
        $querytext .= "<tr class=\"cell{$mysqlCellClass}\"><td><pre style=\"white-space:pre-wrap;\">" . htmlspecialchars(preg_replace('/^\\s*/m', "", $query)) . "</pre></td><td>";
        if (function_exists("backTrace")) {
            $querytext .= backTrace();
        }
    }
    return $res;
}
Example #18
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    if (isset($_SESSION['company']['id']) && is_numeric($_SESSION['company']['id']) && isset($_SESSION['me']['id']) && is_numeric($_SESSION['me']['id'])) {
        require '../../mysql/query.php';
        $day = sqlEscape($_POST['day']);
        $times = sqlSelect("SELECT bookings.id AS booking_id, booked_at, start, end, invoice, webpay, in_place, customers.id AS customer_id, customers.first_name, customers.last_name, category.name FROM `bookings` INNER JOIN customers INNER JOIN services INNER JOIN category ON bookings.customer_id = customers.id AND bookings.service_id = services.id AND services.category_id = category.id WHERE DATE(`start`) = '{$day}' AND bookings.company_id = {$_SESSION['company']['id']} AND employer_id = {$_SESSION['me']['id']};");
        // echo "SELECT id, booked_at, start, end, invoice, webpay, in_place, customers.id, customers.first_name, customers.last_name FROM `bookings` INNER JOIN customers ON bookings.customer_id = customers.id WHERE DATE(`start`) = '{$day}' AND company_id = {$_SESSION['company']['id']} AND employer_id = {$_SESSION['me']['id']};";
        // die;
        // echo "SELECT bookings.id AS booking_id, booked_at, start, end, invoice, webpay, in_place, customers.id AS customer_id, customers.first_name, customers.last_name, services.name FROM `bookings` INNER JOIN customers INNER JOIN services ON bookings.customer_id = customers.id AND bookings.service_id = services.id WHERE DATE(`start`) = '{$day}' AND company_id = {$_SESSION['company']['id']} AND employer_id = {$_SESSION['me']['id']};";
        // die;
        if ($times) {
            echo json_encode($times);
        } else {
            echo 0;
        }
        die;
    }
}
Example #19
0
 case "label":
     break;
 case "text":
 case "textarea":
 case 'themeselector':
     $sets[] = $field . " = '" . SqlEscape($_POST[$field]) . "'";
     break;
 case "password":
     if ($_POST[$field]) {
         $sets[] = $field . " = '" . SqlEscape($_POST[$field]) . "'";
     }
     break;
 case "select":
     $val = $_POST[$field];
     if (array_key_exists($val, $item['options'])) {
         $sets[] = $field . " = '" . sqlEscape($val) . "'";
     }
     break;
 case "number":
     $num = (int) $_POST[$field];
     if ($num < 1) {
         $num = $item['min'];
     } elseif ($num > $item['max']) {
         $num = $item['max'];
     }
     $sets[] = $field . " = " . $num;
     break;
 case "datetime":
     if ($_POST[$item['presetname']] != -1) {
         $_POST[$field] = $_POST[$item['presetname']];
     }
Example #20
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    if (isset($_SESSION['company']['id']) && is_numeric($_SESSION['company']['id']) && isset($_SESSION['me']['id']) && is_numeric($_SESSION['me']['id'])) {
        require '../../mysql/query.php';
        $open = sqlEscape($_POST['open']);
        $close = sqlEscape($_POST['close']);
        $start = new DateTime($open);
        $end = new DateTime($close);
        $hourDiff = $start->diff($end);
        if ($hourDiff->i == 30) {
            $hourDiff->h++;
        }
        $array = array();
        for ($i = 1; $i <= $hourDiff->h * 2; $i++) {
            if ($start->format('Y-m-d H:i') != '2016-03-21 12:00' && $start->format('Y-m-d H:i') != '2016-03-21 12:30') {
                array_push($array, $start->format('Y-m-d H:i'));
            }
            $start = $start->modify('+30 minutes');
        }
        echo json_encode($array);
        die;
    }
}
<?php
	set_include_path("..");
	require_once( 'offensive/assets/header.inc' );
	// Include, and check we've got a connection to the database.
	require_once( 'admin/mysqlConnectionInfo.inc' );
	if(!isset($link) || !$link) $link = openDbConnection();
	require_once('offensive/assets/functions.inc');
	
	$sql = "SELECT userid FROM users WHERE username LIKE '" . sqlEscape($_REQUEST['finduser']) . "'";

	$result = tmbo_query($sql);
	$row = mysql_fetch_array( $result );

	if( mysql_num_rows( $result ) == 1 ) {
		header("Location: ".Link::user($row['userid']));
	}
	else {
		header("Location: ".$_SERVER['HTTP_REFERER']);
	}

?>
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../../mysql/query.php';
    if (isset($_POST['description'])) {
        $text = sqlEscape($_POST['description']);
        if (sqlAction("UPDATE users SET personal_text = '{$text}' WHERE user_id = {$_SESSION['user']['id']};")) {
            echo json_encode(array('success' => true));
            die;
        }
    }
}
Example #23
0
<?php

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: X-Requested-With, Content-Type');
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $postdata = file_get_contents('php://input');
    $request = json_decode($postdata);
    require '../../../mysql/query.php';
    require '../../../lang/config.php';
    $user = sqlEscape($request->user);
    $password = sqlEscape($request->password);
    $user_exists = sqlSelect("SELECT user_id, username, password, profile_img FROM `users` WHERE type = 1 AND username = '******' OR email = '{$user}';");
    if (!$user_exists) {
        echo 'Fel användarnamn';
    } else {
        $pwd = $user_exists[0]['password'];
        if (password_verify($password, $pwd)) {
            $data['user']['id'] = $user_exists[0]['user_id'];
            $data['user']['name'] = $user_exists[0]['username'];
            $data['user']['img'] = $user_exists[0]['profile_img'];
            echo json_encode($data['user']);
        } else {
            echo 'Fel lösenord';
        }
    }
}
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../../mysql/query.php';
    require '../../../lang/config.php';
    $group_id = sqlEscape($_POST['group_id']);
    $group_name = sqlEscape($_POST['group_name']);
    $group_description = sqlEscape($_POST['group_description']);
    if (sqlAction("UPDATE groups SET description = '{$group_description}' WHERE id = {$group_id};") && sqlAction("INSERT INTO group_news_feed (group_id, user_id, type, what, date) VALUES ({$group_id}, {$_SESSION['user']['id']}, 'edited_description', 'null', now());")) {
        // require '../../group_members.php';
        // $members = getGroupMembers($group_id);
        header("Location: ../../../groups/{$group_id}/description");
    }
}
Example #25
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../mysql/query.php';
    $mail = sqlEscape($_POST['mail']);
    $password = sqlEscape($_POST['password']);
    // $company_exists = sqlSelect("SELECT id, Bolagsnamn, password FROM companies WHERE Bolagsnamn = 'Testfrisör';");
    $user_exists = sqlSelect("SELECT companies_employers.id, first_name, last_name, mail, companies_employers.password, companies.id AS company_id, companies.Bolagsnamn FROM `companies_employers` INNER JOIN companies ON companies_employers.company_id = companies.id WHERE mail = '{$mail}';");
    if ($user_exists) {
        $pwd = $user_exists[0]['password'];
        if (password_verify($password, $pwd)) {
            $_SESSION['me'] = array('id' => $user_exists[0]['id'], 'first_name' => $user_exists[0]['first_name'], 'last_name' => $user_exists[0]['last_name'], 'mail' => $user_exists[0]['mail']);
            $_SESSION['company'] = array('id' => $user_exists[0]['company_id'], 'name' => $user_exists[0]['Bolagsnamn']);
            header('Location: ../../company/todo');
        } else {
            header('Location: ../../login');
        }
    } else {
        header('Location: ../../login');
    }
}
Example #26
0
                echo "[{\"id\":\"{$term}\",\"name\":\"{$term}\"}]";
                // echo '[{"id":0,"name":"Test"}]';
                // echo json_encode(array('id' => $services['id'], 'name' => $services['name']));
            }
        }
        if ($search == 'my_services') {
            $my_services = sqlSelect("SELECT services.id, services.name AS service_name, price, time, category.name AS category_name FROM `companies_employers_services` INNER JOIN services INNER JOIN category ON companies_employers_services.service_id = services.id AND services.category_id = category.id WHERE companies_employers_services.employer_id = {$_SESSION['me']['id']} AND category.name LIKE '%{$term}%';");
            if ($my_services) {
                echo json_encode($my_services);
            }
        }
        if ($search == 'timestamp' && !empty($_POST['timestamp'])) {
            $date = sqlEscape($_POST['timestamp']);
            $times = sqlSelect("SELECT schedule.id, timestamp, booked, customers.first_name, customers.last_name, customers.mail FROM `schedule` LEFT JOIN customers ON schedule.customer_id = customers.id WHERE DATE(timestamp) = '{$date}' AND company_id = {$_SESSION['company']['id']} ORDER BY timestamp;");
            if ($times) {
                echo json_encode($times);
            } else {
                echo 0;
            }
        }
        if ($search == 'personnr') {
            $personnr = sqlEscape($_POST['term']);
            $customer = sqlSelect("SELECT id, first_name, last_name, mail, tel FROM customers WHERE person_nr = '{$personnr}';");
            if ($customer) {
                echo json_encode($customer);
            } else {
                echo 0;
            }
        }
    }
}
Example #27
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../mysql/query.php';
    $input = json_decode($_POST['login']);
    $user = sqlEscape($input->user);
    $password = sqlEscape($input->password);
    $user_exists = sqlSelect("SELECT id, person_nr, first_name, last_name, mail, tel, password FROM customers WHERE person_nr = '{$user}' OR mail = '{$user}';");
    if ($user_exists) {
        $pwd = $user_exists[0]['password'];
        if (password_verify($password, $pwd)) {
            $_SESSION['me'] = array('id' => $user_exists[0]['id'], 'personnr' => $user_exists[0]['person_nr'], 'first_name' => $user_exists[0]['first_name'], 'last_name' => $user_exists[0]['last_name'], 'mail' => $user_exists[0]['mail'], 'tel' => $user_exists[0]['id']);
            echo 1;
        } else {
            echo 'wrong password';
        }
    } else {
        echo 'wrong username';
    }
}
Example #28
0
function bb2_db_escape($string)
{
    // return mysql_real_escape_string($string);
    return sqlEscape($string);
    // No-op when database not in use.
}
function logEvent($type, $str, $user_id = 0)
{
    if (!$user_id) {
        $user_id = $_SESSION['User']['user_id'];
    }
    $sql = "INSERT INTO log (id, user_id, type, text, tstamp) VALUES ('', '" . sqlEscape($user_id) . "', '" . sqlEscape($type) . "', '" . sqlEscape($str) . "', NOW())";
    sqlQuery($sql, $res);
}
Example #30
0
<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    session_start();
    require '../../mysql/query.php';
    if (isset($_SESSION['company']['id']) && is_numeric($_SESSION['company']['id']) && isset($_POST['timestamp'])) {
        $timestamp = sqlEscape($_POST['timestamp']);
        $insert = sqlAction("INSERT INTO schedule (timestamp, booked, company_id, employer_id) VALUES ('{$timestamp}', 0, {$_SESSION['company']['id']}, {$_SESSION['me']['id']});", true);
        if (is_numeric($insert)) {
            echo $insert;
        }
    }
}