$value = stripslashes($value);
    $value = str_replace(array("\r", "\n", "%0a", "%0d", "/"), '', $value);
    $value = strip_tags($value);
    $value = htmlspecialchars($value);
    return $value;
}
//Only process POST requests
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = clean_user_input($_POST["name"]);
    //email with sanitizer filter
    $email = clean_user_input(filter_var($_POST["email"], FILTER_SANITIZE_EMAIL));
    $tel = clean_user_input($_POST["tel"]);
    $weddingDate = clean_user_input($_POST["wedding-date"]);
    $venue = clean_user_input($_POST["venue"]);
    $message = clean_user_input($_POST["message"]);
    $marketResearch = clean_user_input($_POST["market-research"]);
    //FORM VALIDATION
    //blank fields and email validation(?)
    if (empty($name) or empty($message) or !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        //Set a 400 (bad request) response code and exit
        //http_response_code(400);
        echo "You must specify a name, valid email address and message";
        exit;
    }
    //prevent email header injection (see nyphp.org)
    foreach ($_POST as $value) {
        if (stripos($value, 'Content-Type:') !== FALSE) {
            //Set a 400 (bad request) response code and exit
            //http_response_code(400);
            echo "There was a problem with the information you entered.";
            exit;
Exemple #2
0
     * record the payment
     */
    $dbconn = PDOconnect('nakaweb', $_SESSION["clientdefaults"]["host"], $logname);
    foreach ($_SESSION['invoices'] as $key => $value) {
        //        if (key_exists('checkno' . $value, $_POST)) {
        if ($_POST['checkno' . $value] != '') {
            logit($logname, '  updataing:' . $value);
            // create a pg conection
            try {
                $theq = " update invoices";
                $theq .= " set checknumber=:checknumber";
                $theq .= " ,paymentreceived=now()";
                $theq .= " ,receivedby=:receivedby";
                $theq .= " where invoiceid=:invoiceid";
                $pdoquery = $dbconn->prepare($theq);
                $pdoquery->execute(array(':checknumber' => clean_user_input($_POST['checkno' . $value]), ':receivedby' => $_SESSION["userid"], ':invoiceid' => $value));
            } catch (PDOException $e) {
                logit($logname, '  **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
                $results->errortext = $e->getMessage();
                $cancontinue = FALSE;
            }
        }
    }
    unset($_SESSION['invoices']);
    logit($logname, 'GETting back to recordpayment');
    header('Location: recordpayment.php');
    exit;
} else {
    // get invoices
    $dbconnw = PDOconnect('nakaweb', $_SESSION["clientdefaults"]["host"], $logname);
    $theq = " select fullname,invoiceid,invoicedate,paymentreceived,login,invoiceamount,";
Exemple #3
0
GetTheHTMLs('EN-US', 0, $dbconn, $logname);
if (key_exists('LOGIN', $_POST) and key_exists('PASSWORD', $_POST)) {
    logit($logname, 'Login: '******' Password: '******':login' => clean_user_input($_POST["LOGIN"]), ':password' => clean_user_input($_POST["PASSWORD"])));
        $row = $pdoquery->fetch();
    } catch (PDOException $e) {
        logit($logname, '  **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
        $cancontinue = FALSE;
    }
    if ($cancontinue) {
        if (!$row) {
            // not a valid user/password
            //logit($logname, __LINE__);
            $results->errortext = 'Sorry, that username/password is invalid';
        } else {
            // valid user/password
            if ($row->locked == TRUE) {
                //logit($logname, __LINE__);
                $results->errortext = 'Sorry, that user is locked';
Exemple #4
0
    }
    //notes
    if ($_POST["note-note_text"] != '') {
        $theq = 'insert into notes(employee, note_text, stu_index, note_timestamp) values';
        $theq .= ' (:employee,:note_text,:stu_index,now())';
        try {
            $pdoquerynotes = $dbconn->prepare($theq);
            $pdoquerynotes->execute(array(':stu_index' => $stu_index, ":employee" => $_SESSION["initials"], ":note_text" => clean_user_input($_POST["note-note_text"])));
        } catch (PDOException $e) {
            logit($logname, '  **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
            $results->errortext = $e->getMessage();
            $cancontinue = FALSE;
        }
    }
    //medical alerts
    if ($_POST["ma-note_text"] != '') {
        $theq = 'insert into notes(employee, note_text, stu_index, note_timestamp) values';
        $theq .= " ('*MA',:note_text,:stu_index,now())";
        try {
            $pdoquerynotes = $dbconn->prepare($theq);
            $pdoquerynotes->execute(array(':stu_index' => $stu_index, ":note_text" => clean_user_input($_POST["ma-note_text"])));
        } catch (PDOException $e) {
            logit($logname, '  **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
            $results->errortext = $e->getMessage();
            $cancontinue = FALSE;
        }
    }
    logit($logname, 'going back to main.php');
    header('Location: main.php?dlStudent=' . $stu_index);
    exit;
}
Exemple #5
0
 $theq .= " from students s";
 $theq .= " join ranks r on s.stu_index=r.stu_index";
 $theq .= " join sysdef.rank_names rn on rn.srk_index=r.srk_index";
 $theq .= " join sysdef.class_type ct on ct.clt_index=rn.clt_index";
 $theq .= " left join (select stu_index,count(*) as tests from ranks group by 1) rc on rc.stu_index=s.stu_index";
 $theq .= " where current_rank=true";
 $theq .= " and student_type in ('A','ANP','APC')";
 $theq .= " and ct.clt_index=:artid";
 $theq .= ' order by last_name,first_name';
 logit($logname, $theq);
 try {
     $pdoquery = $dbconn->prepare($theq);
     $pdoquery->setFetchMode(PDO::FETCH_OBJ);
     $pdoquery->execute(array(':artid' => $_SESSION['artid']));
     // ?? why assiing another session var to the art id??
     $_SESSION['recordtestartid'] = clean_user_input($_GET['artid']);
     $studentdata = $pdoquery->fetchAll();
     unset($_SESSION['activestudents']);
     $i = 0;
     foreach ($studentdata as $key => $value) {
         //echo $value -> stu_index.' ';
         $_SESSION['activestudents'][$i]['stu_index'] = $value->stu_index;
         $_SESSION['activestudents'][$i]['first_name'] = $value->first_name;
         $_SESSION['activestudents'][$i]['last_name'] = $value->last_name;
         $_SESSION['activestudents'][$i]['srk_description'] = $value->srk_description;
         $_SESSION['activestudents'][$i]['srk_index'] = $value->srk_index;
         $_SESSION['activestudents'][$i]['srk_seq'] = $value->srk_seq;
         $i++;
     }
 } catch (PDOException $e) {
     logit($logname, '  **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
Exemple #6
0
 // dont admit that the username is valid or not
 $results->errortext = 'If the username you entered is in our system ' . 'you will recieve an email with a temporary ' . 'password sent your email address. ' . 'Don\'t forget to check your spam folder.';
 if ($cancontinue) {
     if (!$row) {
         // not a valid user/password
         logit($logname, 'username is invalid');
         $results->success = TRUE;
     } else {
         // valid user/password
         logit($logname, 'username is valid');
         //record the request
         $theq = " insert into passwordreset (username,ip,requestts)";
         $theq .= " values (:username,:ip,now())";
         try {
             $pdoquery = $dbconn->prepare($theq);
             $pdoquery->execute(array(':username' => clean_user_input($_POST["reset"]), ':ip' => $_SERVER["REMOTE_ADDR"]));
         } catch (PDOException $e) {
             logit($logname, '  **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
             $cancontinue = FALSE;
         }
         // update user's password
         $newpassword = substr(md5(rand()), 8, 6);
         logit($logname, '  generated password is:' . $newpassword);
         $theq = " update users";
         $theq .= " set thepassword=:newpassword";
         $theq .= " where userid=:userid";
         try {
             $pdoquery = $dbconn->prepare($theq);
             $pdoquery->execute(array(':newpassword' => $newpassword, ':userid' => $row->userid));
         } catch (PDOException $e) {
             logit($logname, '  **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
Exemple #7
0
         logit($logname, '  **ERROR** on line ' . __LINE__ . ' with query - ' . $theq . ' ' . $e->getMessage());
         $results->errortext = $e->getMessage();
         $cancontinue = FALSE;
     }
 }
 $params = array(':userid' => $userid, ':firstname' => clean_user_input($_POST["firstname"]), ':lastname' => clean_user_input($_POST["lastname"]), ':locked' => $_POST["locked"], ':email' => clean_user_input($_POST["email"]), ':address1' => clean_user_input($_POST["address1"]), ':address2' => clean_user_input($_POST["address2"]), ':city' => clean_user_input($_POST["city"]), ':state' => clean_user_input($_POST["state"]), ':zip' => clean_user_input($_POST["zip"]), ':phone' => clean_user_input($_POST["phone"]));
 logit($logname, '  updating user');
 $theq = 'update users';
 $theq .= ' set firstname= :firstname,';
 $theq .= ' lastname=:lastname,';
 if (isset($_POST["login"])) {
     $params[':login'] = clean_user_input($_POST["login"]);
     $theq .= ' login=:login,';
 }
 if (isset($_POST["thepassword"])) {
     $params[':thepassword'] = clean_user_input($_POST["thepassword"]);
     $theq .= ' thepassword=:thepassword,';
 }
 $theq .= ' email=:email,';
 $theq .= ' address1=:address1,';
 $theq .= ' address2=:address2,';
 $theq .= ' city=:city,';
 $theq .= ' state=:state,';
 $theq .= ' zip=:zip,';
 $theq .= ' phone=:phone,';
 $theq .= ' locked=:locked';
 $theq .= ' where userid=:userid';
 try {
     $pdoquery = $dbconn->prepare($theq);
     $pdoquery->setFetchMode(PDO::FETCH_OBJ);
     $pdoquery->execute($params);