/**
 * Runs the field validation and, only when it passes, calls build_header() followed by send().
 * When validate_fields() reports a failure nothing is built and nothing is sent.
 */
function respond()
{
    // guard clause: invalid fields mean no header and no send
    if (!validate_fields()) {
        return;
    }
    build_header();
    send();
}
<?php

$results = '';
$page_title = 'Returrapport';
require_once 'includes/load.php';
// Checking userlevel: the page only renders for accounts at level 1 (page_require_level()
// is expected to redirect or stop otherwise — defined in includes/load.php, confirm there)
page_require_level(1);
if (isset($_POST['submit'])) {
    $req_dates = array('start-date', 'end-date');
    validate_fields($req_dates);
    $returnCategories = find_all('returnCategory');
    if (empty($errors)) {
        $idArray = [];
        $resultArray = [];
        $end_date_storage = [];
        $return_total = [];
        $start_date = remove_junk($db->escape($_POST['start-date']));
        $end_date = remove_junk($db->escape($_POST['end-date']));
        //finner alle unike produktid-er der det har vært trades.
        $p_id = get_unique_pid_trades($start_date, $end_date);
        //Pusher de til array så de kan lett itereres.
        foreach ($p_id as $id) {
            array_push($idArray, $id);
            array_push($return_total, get_trade_total($start_date, $end_date, $id['product_id']));
        }
        //skal her hente ut returinfo for produktene. har produkt-id, trenger kun hvor mange som har blitt returnert av hver FK_returncategoryID
        //må mekke en funksjon som returnerer summen av antallet som har vært returnert. Array i en array? Sjekke for p_id og deretter RC_id per funksjon? Så springe en liten for-loop inne i foreach.
    } else {
        $session->msg("d", $errors);
        redirect('sales_report.php', false);
    }
<?php

include_once 'includes/load.php';
// both credentials are mandatory; validate_fields() is expected to fill $errors for
// missing ones, which the code below checks with empty($errors)
$req_fields = ['username', 'password'];
validate_fields($req_fields);
$username = remove_junk($_POST['username']);
$password = remove_junk($_POST['password']);
if (empty($errors)) {
    $user = authenticate_v2($username, $password);
    if ($user) {
        //create session with id
        $session->login($user['id']);
        //Update Sign in time
        updateLastLogIn($user['id']);
        // redirect user to group home page by user level
        if ($user['user_level'] === '1') {
            $session->msg("s", "Hello " . $user['username'] . ", Welcome to OSWA-INV.");
            redirect('admin.php', false);
        } elseif ($user['user_level'] === '2') {
            $session->msg("s", "Hello " . $user['username'] . ", Welcome to OSWA-INV.");
            redirect('special.php', false);
        } else {
            $session->msg("s", "Hello " . $user['username'] . ", Welcome to OSWA-INV.");
            redirect('home.php', false);
        }
    } else {
        $session->msg("d", "Sorry Username/Password incorrect.");
        redirect('index.php', false);
    }
} else {
    $session->msg("d", $errors);
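/**
 * Called by administrators; updates the content stored on the "Main" tab in the Edit Form pages.
 *
 * Every string written to the database below has been through ft_sanitize(). The two kinds of
 * values that are interpolated into SQL *unquoted* - the form ID and the selected client account
 * IDs - are cast to int first, because string escaping is no protection in an unquoted numeric
 * position.
 *
 * @param array $infohash a hash containing the contents of the Edit Form Main tab (e.g. $_POST).
 * @param integer $form_id the ID of the form being updated.
 * @return array returns array with indexes:<br/>
 *               [0]: true/false (success / failure)<br/>
 *               [1]: message string<br/>
 *               When validation fails a third element (an empty string) is appended, as before.
 */
function ft_update_form_main_tab($infohash, $form_id)
{
    global $g_table_prefix, $LANG;

    // the form ID is used unquoted in every query below
    $form_id = (int) $form_id;
    $infohash = ft_sanitize($infohash);
    extract(ft_process_hook_calls("start", compact("infohash", "form_id"), array("infohash")), EXTR_OVERWRITE);

    $success = true;
    $message = $LANG["notify_form_updated"];

    // check required POST fields
    $rules = array();
    $rules[] = "required,form_name,{$LANG["validation_no_form_name"]}";
    $rules[] = "required,edit_submission_page_label,{$LANG["validation_no_edit_submission_page_label"]}";
    $errors = validate_fields($infohash, $rules);
    if (!empty($errors)) {
        // bullet each error; a plain loop replaces create_function(), which was removed in PHP 8
        foreach ($errors as $key => $error) {
            $errors[$key] = "&bull;&nbsp; " . $error;
        }
        return array(false, join("<br />", $errors), "");
    }

    // only touch the is_active column when the tab submitted a value for it
    $is_active = "";
    if (!empty($infohash["active"])) {
        $is_active = "is_active = '{$infohash['active']}',";
    }

    $form_name = $infohash["form_name"];
    $form_type = $infohash["form_type"];
    $submission_type = $infohash["submission_type"];
    $access_type = $infohash["access_type"];

    // selected client account IDs end up unquoted in the client_forms / client_views queries,
    // so force each one to an integer
    $client_ids = array();
    if (isset($infohash["selected_client_ids"])) {
        foreach ((array) $infohash["selected_client_ids"] as $client_id) {
            $client_ids[] = (int) $client_id;
        }
    }

    // a "direct" submission type can never be multi-page
    $is_multi_page_form = isset($infohash["is_multi_page_form"]) ? $infohash["is_multi_page_form"] : "no";
    if ($submission_type == "direct") {
        $is_multi_page_form = "no";
    }

    // for multi-page forms the first page URL doubles as the form's main URL
    $page_urls = isset($infohash["multi_page_urls"]) ? (array) $infohash["multi_page_urls"] : array();
    if ($is_multi_page_form == "yes") {
        $form_url = isset($page_urls[0]) ? $page_urls[0] : "";
    } else {
        $form_url = isset($infohash["form_url"]) ? $infohash["form_url"] : "";
    }
    $redirect_url = isset($infohash["redirect_url"]) ? $infohash["redirect_url"] : "";
    $auto_delete_submission_files = $infohash["auto_delete_submission_files"];
    $submission_strip_tags = $infohash["submission_strip_tags"];
    $edit_submission_page_label = $infohash["edit_submission_page_label"];
    $add_submission_button_label = $infohash["add_submission_button_label"];

    $query = "\n    UPDATE {$g_table_prefix}forms\n    SET    {$is_active}\n          form_type = '{$form_type}',\n          submission_type = '{$submission_type}',\n          is_multi_page_form = '{$is_multi_page_form}',\n          form_url = '{$form_url}',\n          form_name = '{$form_name}',\n          redirect_url = '{$redirect_url}',\n          access_type = '{$access_type}',\n          auto_delete_submission_files ='{$auto_delete_submission_files}',\n          submission_strip_tags = '{$submission_strip_tags}',\n          edit_submission_page_label = '{$edit_submission_page_label}',\n          add_submission_button_label = '{$add_submission_button_label}'\n    WHERE  form_id = {$form_id}\n          ";
    mysql_query($query) or ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>, line " . __LINE__ . ": <i>{$query}</i>", mysql_error());

    // finally, update the list of clients associated with this form
    mysql_query("DELETE FROM {$g_table_prefix}client_forms WHERE form_id = {$form_id}");
    foreach ($client_ids as $client_id) {
        mysql_query("\n      INSERT INTO {$g_table_prefix}client_forms (account_id, form_id)\n      VALUES  ({$client_id}, {$form_id})\n        ");
    }

    // since the client list may have just changed, do a little cleanup on the database data
    switch ($access_type) {
        case "public":
            // no changes needed!
            break;

        case "admin":
            // delete all client_view, client_form, public_form_omit_list, and public_view_omit_list entries
            // concerning this form & its Views. Since only the administrator can see the form, no client can
            // see any of its sub-parts
            mysql_query("DELETE FROM {$g_table_prefix}client_forms WHERE form_id = {$form_id}");
            mysql_query("DELETE FROM {$g_table_prefix}public_form_omit_list WHERE form_id = {$form_id}");
            $view_ids = ft_get_view_ids($form_id);
            foreach ($view_ids as $view_id) {
                mysql_query("DELETE FROM {$g_table_prefix}client_views WHERE view_id = {$view_id}");
                mysql_query("DELETE FROM {$g_table_prefix}public_view_omit_list WHERE view_id = {$view_id}");
            }
            break;

        case "private":
            // remove any records from the client_view and public_view_omit_list tables concerning clients
            // NOT associated with this form.
            mysql_query("DELETE FROM {$g_table_prefix}public_form_omit_list WHERE form_id = {$form_id}");
            $client_clauses = array();
            foreach ($client_ids as $client_id) {
                $client_clauses[] = "account_id != {$client_id}";
            }
            if (!empty($client_clauses)) {
                // there WERE clients associated with this form. Delete the ones that AREN'T associated
                $client_id_clause = implode(" AND ", $client_clauses);
                mysql_query("DELETE FROM {$g_table_prefix}client_views WHERE form_id = {$form_id} AND {$client_id_clause}");
                // also delete any orphaned records in the View omit list
                $view_ids = ft_get_view_ids($form_id);
                foreach ($view_ids as $view_id) {
                    mysql_query("DELETE FROM {$g_table_prefix}public_view_omit_list WHERE view_id = {$view_id} AND {$client_id_clause}");
                }
            } else {
                // no clients at all: nobody but the administrator may see the form's Views
                $view_ids = ft_get_view_ids($form_id);
                foreach ($view_ids as $view_id) {
                    mysql_query("DELETE FROM {$g_table_prefix}client_views WHERE view_id = {$view_id}");
                    mysql_query("DELETE FROM {$g_table_prefix}public_view_omit_list WHERE view_id = {$view_id}");
                }
            }
            break;
    }

    // update the multi-page form URLs
    mysql_query("DELETE FROM {$g_table_prefix}multi_page_form_urls WHERE form_id = {$form_id}");

    // if this is a multi-page form, add the list of pages in the form. One minor thing to note: the first page in the form
    // is actually stored in two locations: one in the main "form_url" value in the form, and two, here in the multi_page_form_urls
    // table. It's not necessary, of course, but it makes the code a little simpler
    if ($is_multi_page_form == "yes") {
        $page_num = 1;
        foreach ($page_urls as $url) {
            if (empty($url)) {
                continue;
            }
            mysql_query("INSERT INTO {$g_table_prefix}multi_page_form_urls (form_id, form_url, page_num) VALUES ({$form_id}, '{$url}', {$page_num})");
            $page_num++;
        }
    }

    extract(ft_process_hook_calls("end", compact("infohash", "form_id", "success", "message"), array("success", "message")), EXTR_OVERWRITE);
    return array($success, $message);
}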
<?php

require_once "functions.php";
require_once "db_connection.php";
require_once "session.php";
// a visitor who already has a session id is sent to the home page instead of seeing
// the registration form handled further down
if (isset($_SESSION['id'])) {
    redirect_to("index.php");
}
if (isset($_POST["register"])) {
    $errors = array();
    //errors array
    validate_fields($_POST);
    if (!empty($_FILES["avatar"]["name"])) {
        validate_uploaded_image($_FILES["avatar"]);
        // validate the extension
    }
    if (empty($errors)) {
        // try to register
        $firstname = mysqli_real_escape_string($db, $_POST["firstname"]);
        // to avoid SQL INjection
        $lastname = mysqli_real_escape_string($db, $_POST["lastname"]);
        $password = password_hash($_POST["password"], PASSWORD_DEFAULT);
        $email = mysqli_real_escape_string($db, $_POST["email"]);
        if ($_FILES["avatar"]["name"] === "") {
            $avatar = "uploaded-images/default.jpg";
            // need default image at that dir
        } else {
            $avatar = "uploaded-images/" . $_FILES["avatar"]["name"];
            $avatar = $avatar . time();
            // append time stamp (3a4an el filename maytkarar4)
            resize_image($_FILES["avatar"]["tmp_name"], $avatar, 50, 50);
    $rules[] = apn_write_lengthx('<=', '20', 'passportNo', 'Passport No.');
    $rules[] = "reg_exp,passportNo,^[a-zA-Z0-9 \\-\\/]*\$,<span class='text-warning'>Passport number</span> should only contain letters/numbers/hyphen(-)/slashes(/).";
    //Date of birth
    $rules[] = apn_quick_rule('required', 'dateOfBirth', 'Date of birth');
    $rules[] = "reg_exp,dateOfBirth,^[0-9\\-\\/]*\$,<span class='text-warning'>Date of birth</span> should be in dd/mm/yyyy format (e.g. 31/01/2013).";
    $rules[] = "length<20,dateOfBirth,<span class='text-warning'>Date of birth</span> should be in dd/mm/yyyy format (e.g. 31/01/2013).";
    //Nationality
    $rules[] = apn_quick_rule('required', 'nationality', 'Nationnality');
    //Meal preferences
    $rules[] = apn_write_lengthx('<=', '100', 'meal', 'Meal preferences');
    //Spam repellent
    $rules[] = "length=0,jackpot,<span class='text-warning'>Jackpot</span> must be <b>empty</b> otherwise you are a spam bot...";
    /* 
     * End validation rules setup. 
     */
    $errors = validate_fields($_POST, $rules);
    $dup_criteria = ['passportno' => $_POST['passportNo']];
    $params = ['submit_button' => 'register', 'next_page' => 'thankyou.php', 'form_data' => $_POST, 'finalize' => true];
    if (!empty($errors)) {
        $fields = array_merge($_SESSION['form_tools_form'], $_POST);
    } elseif (REGISTRATION_INIT == false) {
        if (!ft_api_check_submission_is_unique(THIS_FORM_ID, $dup_criteria, $fields['form_tools_submission_id'])) {
            $fields = array_merge($_SESSION['form_tools_form'], $_POST);
            $_POST['dup_error'] = 'duplicated';
        } else {
            ft_api_process_form($params);
        }
    } else {
        ft_api_process_form($params);
    }
}
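/**
 * Called by the administrator from the Themes settings page. It updates the list of enabled
 * themes, and which theme is assigned to the administrator and (default) client accounts. Note:
 * it doesn't disable any themes that are already assigned to a user account. If that happens,
 * it returns a message listing the accounts (each clickable) and an option to bulk assign them
 * to a different theme.
 *
 * The submitted theme folder names are used both inside SQL and as a path component under
 * {$g_root_dir}/themes/, so the hash is passed through ft_sanitize() (as the other ft_update_*
 * functions do) and any value that is not a plain folder name is dropped from the enabled list.
 *
 * @param array $infohash this parameter should be a hash (e.g. $_POST or $_GET) containing the
 *             various fields from the main settings admin page.
 * @return array Returns array with indexes:<br/>
 *               [0]: true/false (success / failure)<br/>
 *               [1]: message string<br/>
 */
function ft_update_theme_settings($infohash)
{
    global $g_table_prefix, $g_root_dir, $LANG;

    // escape string values before any of them reach a query
    $infohash = ft_sanitize($infohash);

    // lots to validate! First, check the default admin & client themes have been entered
    $rules = array();
    $rules[] = "required,admin_theme,{$LANG["validation_no_admin_theme"]}";
    $rules[] = "required,default_client_theme,{$LANG["validation_no_default_client_theme"]}";
    $errors = validate_fields($infohash, $rules);

    // keep only values that can name a theme folder. An empty list (not just a missing one) is
    // rejected as well: it would leave the accounts query below without a single WHERE term
    $enabled_themes = array();
    if (!empty($infohash["is_enabled"])) {
        foreach ((array) $infohash["is_enabled"] as $theme) {
            if (_ft_is_plain_folder_name($theme)) {
                $enabled_themes[] = $theme;
            }
        }
    }
    if (empty($enabled_themes)) {
        $errors[] = $LANG["validation_no_enabled_themes"];
    }
    if (!empty($errors)) {
        // bullet each error; a plain loop replaces create_function(), which was removed in PHP 8
        foreach ($errors as $key => $error) {
            $errors[$key] = "&bull;&nbsp; " . $error;
        }
        return array(false, join("<br />", $errors));
    }

    // next, check that both the admin and default client themes are enabled
    $admin_theme = $infohash["admin_theme"];
    $default_client_theme = $infohash["default_client_theme"];
    if (!in_array($admin_theme, $enabled_themes, true) || !in_array($default_client_theme, $enabled_themes, true)) {
        return array(false, $LANG["validation_default_admin_and_client_themes_not_enabled"]);
    }

    // lastly, if there are already client accounts assigned to disabled themes, we need to sort it out.
    // We handle it the same way as deleting the client menus: if anyone is assigned to this theme,
    // we generate a list of their names, each a link to their account page (in a _blank link). We
    // then inform the user of what's going on, and underneath the name list, give them the option of
    // assigning ALL affected accounts to another (enabled) theme.
    $theme_clauses = array();
    foreach ($enabled_themes as $theme) {
        $theme_clauses[] = "theme != '{$theme}'";
    }
    $theme_clause = join(" AND ", $theme_clauses);
    $query = mysql_query("\n    SELECT account_id, first_name, last_name\n    FROM   {$g_table_prefix}accounts\n    WHERE  {$theme_clause}\n  ");
    $client_info = array();
    while ($row = mysql_fetch_assoc($query)) {
        $client_info[] = $row;
    }
    if (!empty($client_info)) {
        return array(false, _ft_get_disabled_theme_accounts_html($client_info));
    }

    // hoorah! Validation complete, let's update the bloomin' database at last
    // update the admin settings; the account ID is interpolated unquoted, hence the cast
    $admin_id = (int) $_SESSION["ft"]["account"]["account_id"];
    $admin_swatch = "";
    if (isset($infohash["{$admin_theme}_admin_theme_swatches"])) {
        $admin_swatch = $infohash["{$admin_theme}_admin_theme_swatches"];
    }
    mysql_query("\n    UPDATE {$g_table_prefix}accounts\n    SET    theme = '{$admin_theme}',\n           swatch = '{$admin_swatch}'\n    WHERE  account_id = {$admin_id}\n      ");
    $_SESSION["ft"]["account"]["theme"] = $admin_theme;
    $_SESSION["ft"]["account"]["swatch"] = $admin_swatch;

    $default_client_swatch = "";
    if (isset($infohash["{$default_client_theme}_default_client_theme_swatches"])) {
        $default_client_swatch = $infohash["{$default_client_theme}_default_client_theme_swatches"];
    }
    // update the default client theme & swatch
    $new_settings = array("default_theme" => $default_client_theme, "default_client_swatch" => $default_client_swatch);
    ft_set_settings($new_settings);

    // finally, update the enabled themes list. Only set the theme as enabled if the
    // cache folder is writable
    mysql_query("UPDATE {$g_table_prefix}themes SET is_enabled = 'no'");
    foreach ($enabled_themes as $theme) {
        $cache_folder = "{$g_root_dir}/themes/{$theme}/cache";
        // try and set the cache folder as writable. NOTE(review): 0777 leaves the folder world-writable;
        // a narrower mode suffices where the web server user owns the folder
        if (!is_writable($cache_folder)) {
            @chmod($cache_folder, 0777);
        }
        if (!is_writable($cache_folder)) {
            continue;
        }
        mysql_query("\n      UPDATE {$g_table_prefix}themes\n      SET    is_enabled = 'yes'\n      WHERE  theme_folder = '{$theme}'\n        ");
    }

    // reset the settings in sessions
    $_SESSION["ft"]["settings"] = ft_get_settings();

    $success = true;
    $message = $LANG["notify_themes_settings_updated"];
    extract(ft_process_hook_calls("end", compact("infohash"), array("success", "message")), EXTR_OVERWRITE);
    return array($success, $message);
}

/**
 * True when $name is usable as a single path component: a non-empty string other than "." or "..",
 * containing no directory separator and no NUL byte.
 *
 * @param mixed $name
 * @return bool
 */
function _ft_is_plain_folder_name($name)
{
    if (!is_string($name) || $name === "" || $name === "." || $name === "..") {
        return false;
    }
    return str_replace(array("/", "\\", "\0"), "", $name) === $name;
}

/**
 * Builds the "these accounts are still assigned to a disabled theme" notice: the message, a theme
 * dropdown with a mass-assign button, and the affected accounts laid out three per row, each
 * linking to the account's settings page in a new window.
 *
 * @param array $client_info rows with account_id, first_name and last_name, as read from the accounts table
 * @return string HTML
 */
function _ft_get_disabled_theme_accounts_html($client_info)
{
    global $g_root_url, $LANG;

    $themes = ft_get_themes(true);
    $dd = "<select id=\"mass_update_client_theme\">";
    foreach ($themes as $theme) {
        $dd .= "<option value=\"{$theme["theme_id"]}\">{$theme["theme_name"]}</option>";
    }
    $dd .= "</select>";

    // a bit bad (hardcoded HTML!), but organize the account list in 3 columns
    $client_links_table = "<table cellspacing=\"0\" cellpadding=\"0\" width=\"100%\">\n<tr>";
    $client_ids = array();
    $num_affected_clients = count($client_info);
    for ($i = 0; $i < $num_affected_clients; $i++) {
        $account_info = $client_info[$i];
        $client_id = (int) $account_info["account_id"];
        // names are user-entered data landing in HTML, so escape them
        $first_name = htmlspecialchars($account_info["first_name"], ENT_QUOTES);
        $last_name = htmlspecialchars($account_info["last_name"], ENT_QUOTES);
        $client_ids[] = $client_id;
        if ($i != 0 && $i % 3 == 0) {
            $client_links_table .= "</tr>\n<tr>";
        }
        $client_links_table .= "<td width=\"33%\">&bull;&nbsp;<a href=\"{$g_root_url}/admin/clients/edit.php?page=settings&client_id={$client_id}\" target=\"_blank\">{$first_name} {$last_name}</a></td>\n";
    }
    $client_id_str = join(",", $client_ids);

    // pad the last row so the table keeps its three columns
    if ($num_affected_clients % 3 == 1) {
        $client_links_table .= "<td colspan=\"2\" width=\"66%\"> </td>";
    } elseif ($num_affected_clients % 3 == 2) {
        $client_links_table .= "<td width=\"33%\"> </td>";
    }
    $client_links_table .= "</tr></table>";

    $submit_button = "<input type=\"button\" value=\"{$LANG["phrase_update_accounts"]}\" onclick=\"window.location='index.php?page=themes&mass_assign=1&accounts={$client_id_str}&theme_id=' + \$('#mass_update_client_theme').val()\" />";
    $placeholders = array("theme_dropdown" => $dd, "submit_button" => $submit_button);
    $mass_assign_html = "<div class=\"margin_top_large margin_bottom_large\">" . ft_eval_smarty_string($LANG["phrase_assign_all_listed_client_accounts_to_theme"], $placeholders) . "</div>";

    return $LANG["notify_disabled_theme_already_assigned"] . $mass_assign_html . $client_links_table;
}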
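/**
 * This is the main server-side validation function, called whenever updating a submission. The current version (Core 2.1.9)
 * only performs a subset of the total validation rules; namely, the non-custom ones returned by
 * ft_get_php_field_validation_rules(), which are turned into RSV rules and run through validate_fields().
 *
 * @param integer $form_id the form being validated (not used by the current implementation; kept for callers)
 * @param array $editable_field_ids - this contains ALL editable field IDs in the form
 * @param array $request the submitted values; "field_ids" (comma-separated IDs of the fields on the
 *              current tab) and "view_id" are read from it
 * @return array an array of errors, or an empty array if no errors
 */
function ft_validate_submission($form_id, $editable_field_ids, $request)
{
    // nothing editable means nothing to validate
    if (empty($editable_field_ids)) {
        return array();
    }

    // get the validation rules for the current page. The use of $request["field_ids"] is a fix for bug #339; this should be handled
    // a lot better. The calling page (edit_submission.php amongst other) should be figuring out what fields are editable on that particular
    // page and passing THAT info as $editable_field_ids
    $field_ids_csv = isset($request["field_ids"]) ? $request["field_ids"] : "";
    $editable_field_ids_on_tab = explode(",", $field_ids_csv);

    // return all validation rules for items on tab, including those marked as editable == "no"
    $rules = ft_get_php_field_validation_rules($editable_field_ids_on_tab);

    // gets all form fields in this View
    $form_fields = ft_get_view_fields($request["view_id"]);

    // reorganize $form_fields to be a hash of field_id => array(field_name => "", field_title => "", is_editable => "")
    $field_info = array();
    foreach ($form_fields as $curr_field_info) {
        $field_info[$curr_field_info["field_id"]] = array(
            "field_name" => $curr_field_info["field_name"],
            "field_title" => $curr_field_info["field_title"],
            "is_editable" => $curr_field_info["is_editable"],
        );
    }

    // construct the RSV-friendly validation
    $validation = array();
    foreach ($rules as $rule_info) {
        $field_id = $rule_info["field_id"];

        // a rule for a field that isn't part of this View has no field name to validate against;
        // previously this raised an undefined-index notice and produced a rule with an empty field name
        if (!isset($field_info[$field_id])) {
            continue;
        }
        // if this field is marked as non-editable, ignore it. We don't need to validate it
        if ($field_info[$field_id]["is_editable"] == "no") {
            continue;
        }

        $field_name = $field_info[$field_id]["field_name"];
        $field_title = $field_info[$field_id]["field_title"];
        $placeholders = array("field" => $field_title, "field_name" => $field_name);
        $error_message = ft_eval_smarty_string($rule_info["error_message"], $placeholders);
        $validation[] = "{$rule_info["rsv_rule"]},{$field_name},{$error_message}";
    }

    $errors = array();
    if (!empty($validation)) {
        $form_vals = ft_sanitize($request);
        $errors = validate_fields($form_vals, $validation);
    }
    return $errors;
}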
/**
 * Updates the administrator account. With the addition of the "UI Language" option, this action
 * gets a little more complicated. The problem is that we can't just update the UI language in
 * sessions *within* this function, because by the time this function is called, the appropriate
 * language file is already in memory and being used. So, to get around this problem, the login
 * information form now passes along both the new and old UI languages. If it's different, AFTER
 * this function is called, you need to reset sessions and refresh the page. So be aware that
 * this problem is NOT handled by this function, see:
 *     /admin/accounts/index.php to see how it's solved.
 *
 * NOTE(review): the two '******' literals in the UPDATE statement below (password_sql and the
 * username assignment) look like redaction placeholders in this listing rather than the real
 * SQL; confirm against the original source before relying on this function as shown.
 *
 * @param array $infohash This parameter should be a hash (e.g. $_POST or $_GET) containing the
 *               following keys: first_name, last_name, email, theme, login_page, logout_url,
 *               ui_language, timezone_offset, sessions_timeout, date_format, username and
 *               (optionally) password / password_2.
 * @param integer $account_id the administrator's account ID; it is interpolated unquoted into SQL,
 *               so callers are expected to pass an integer
 * @return array [0]: true/false (success / failure)
 *               [1]: message string
 */
function ft_update_admin_account($infohash, $account_id)
{
    global $g_table_prefix, $g_root_url, $LANG;
    $success = true;
    $message = $LANG["notify_account_updated"];
    // escape the string values before they are interpolated into the UPDATE below
    $infohash = ft_sanitize($infohash);
    extract(ft_process_hook_calls("start", compact("infohash", "account_id"), array("infohash")), EXTR_OVERWRITE);
    $rules = array();
    $rules[] = "required,first_name,{$LANG["validation_no_first_name"]}";
    $rules[] = "required,last_name,{$LANG["validation_no_last_name"]}";
    $rules[] = "required,email,{$LANG["validation_no_email"]}";
    $rules[] = "required,theme,{$LANG["validation_no_theme"]}";
    $rules[] = "required,login_page,{$LANG["validation_no_login_page"]}";
    $rules[] = "required,logout_url,{$LANG["validation_no_account_logout_url"]}";
    $rules[] = "required,ui_language,{$LANG["validation_no_ui_language"]}";
    $rules[] = "required,sessions_timeout,{$LANG["validation_no_sessions_timeout"]}";
    $rules[] = "required,date_format,{$LANG["validation_no_date_format"]}";
    $rules[] = "required,username,{$LANG["validation_no_username"]}";
    // the password is optional; when one is supplied it must be confirmed and both copies must match
    $rules[] = "if:password!=,required,password_2,{$LANG["validation_no_account_password_confirmed"]}";
    $rules[] = "if:password!=,same_as,password,password_2,{$LANG["validation_passwords_different"]}";
    $errors = validate_fields($infohash, $rules);
    if (!empty($errors)) {
        $success = false;
        // NOTE(review): create_function() was removed in PHP 8; a foreach by reference does the same job
        array_walk($errors, create_function('&$el', '$el = "&bull;&nbsp; " . $el;'));
        $message = implode("<br />", $errors);
        return array($success, $message);
    }
    $first_name = $infohash["first_name"];
    $last_name = $infohash["last_name"];
    $email = $infohash["email"];
    $theme = $infohash["theme"];
    $login_page = $infohash["login_page"];
    $logout_url = $infohash["logout_url"];
    $ui_language = $infohash["ui_language"];
    // NOTE(review): timezone_offset has no "required" rule above, so a missing key raises a notice and stores ''
    $timezone_offset = $infohash["timezone_offset"];
    $sessions_timeout = $infohash["sessions_timeout"];
    $date_format = $infohash["date_format"];
    $username = $infohash["username"];
    $password = $infohash["password"];
    // the swatch is posted under a key derived from the chosen theme's name
    $swatch = "";
    if (isset($infohash["{$theme}_theme_swatches"])) {
        $swatch = $infohash["{$theme}_theme_swatches"];
    }
    // the password column is only touched when a new password was posted (the original comment said
    // it is md5'd; the literal shown here is a placeholder - see the docblock)
    $password_sql = !empty($password) ? "password = '******', " : "";
    // check to see if username is already taken; _ft_is_valid_username() returns a (bool, message) pair
    list($valid_username, $problem) = _ft_is_valid_username($username, $account_id);
    if (!$valid_username) {
        return array(false, $problem);
    }
    $query = "\n      UPDATE  {$g_table_prefix}accounts\n      SET     {$password_sql}\n              first_name = '{$first_name}',\n              last_name = '{$last_name}',\n              email = '{$email}',\n              theme = '{$theme}',\n              swatch = '{$swatch}',\n              login_page = '{$login_page}',\n              logout_url = '{$logout_url}',\n              ui_language = '{$ui_language}',\n              timezone_offset = '{$timezone_offset}',\n              sessions_timeout = '{$sessions_timeout}',\n              date_format = '{$date_format}',\n              username = '******'\n      WHERE   account_id = {$account_id}\n           ";
    mysql_query($query) or ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());
    // update the settings
    $_SESSION["ft"]["settings"] = ft_get_settings();
    $_SESSION["ft"]["account"] = ft_get_account_info($account_id);
    $_SESSION["ft"]["account"]["is_logged_in"] = true;
    // if the password just changed, update sessions and empty any temporary password that happens to have been
    // stored
    if (!empty($password)) {
        $_SESSION["ft"]["account"] = ft_get_account_info($account_id);
        $_SESSION["ft"]["account"]["is_logged_in"] = true;
        // NOTE(review): the session copy keeps an unsalted double md5 of the password; that is not a
        // password hash in the modern sense (password_hash()/password_verify() is the replacement)
        $_SESSION["ft"]["account"]["password"] = md5(md5($password));
        mysql_query("UPDATE {$g_table_prefix}accounts SET temp_reset_password = NULL where account_id = {$account_id}");
    }
    extract(ft_process_hook_calls("end", compact("infohash", "account_id"), array("success", "message")), EXTR_OVERWRITE);
    return array($success, $message);
}
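/**
 * Updates a client account. Used for whomever is currently logged in.
 *
 * The "page" key of $info selects which tab was submitted: "main" (name, email, username and an
 * optional new password) or "settings" (theme, language, timeouts, ... - only those the client is
 * permitted to edit according to the account's "may_edit_*" settings). Any other value falls
 * through, writes nothing and still reports success.
 *
 * @param integer $account_id the account being updated (normally the logged-in client's own ID)
 * @param array $info This parameter should be a hash (e.g. $_POST or $_GET) containing keys
 *               named the same as the database fields.
 * @return array [0]: true/false (success / failure)
 *               [1]: message string (the success notification, or the validation errors
 *                    bulleted and joined with <br />)
 */
function ft_update_client($account_id, $info)
{
    global $g_table_prefix, $LANG, $g_password_special_chars;

    $success = true;
    $message = $LANG["notify_account_updated"];

    // $info normally comes straight from the request, so it goes through the project's sanitizer
    // before any value is interpolated into the queries below
    $info = ft_sanitize($info);
    extract(ft_process_hook_calls("start", compact("account_id", "info"), array("info")), EXTR_OVERWRITE);

    // the account ID lands unquoted in SQL; force it to an integer rather than trusting the caller
    $account_id_sql = (int) $account_id;

    $client_info = ft_get_account_info($account_id);

    // prefixes each validation error with a bullet for display. A closure replaces the original
    // create_function() call, which evaluated its body from a string and no longer exists in PHP 8
    $bullet_errors = function (&$el) {
        $el = "&bull;&nbsp; " . $el;
    };

    $page = $info["page"];
    switch ($page) {
        case "main":
            $first_name = $info["first_name"];
            $last_name  = $info["last_name"];
            $email      = $info["email"];
            $username   = $info["username"];
            $password_clause = "";
            $rules = array();

            $is_changing_password = !empty($info["password"]);
            $new_password_hash = "";
            if ($is_changing_password) {
                // the account's password policy is a comma-separated list of required character classes
                $required_password_chars = explode(",", $client_info["settings"]["required_password_chars"]);
                if (in_array("uppercase", $required_password_chars, true)) {
                    $rules[] = "reg_exp,password,[A-Z],{$LANG["validation_client_password_missing_uppercase"]}";
                }
                if (in_array("number", $required_password_chars, true)) {
                    $rules[] = "reg_exp,password,[0-9],{$LANG["validation_client_password_missing_number"]}";
                }
                if (in_array("special_char", $required_password_chars, true)) {
                    $error = ft_eval_smarty_string($LANG["validation_client_password_missing_special_char"], array("chars" => $g_password_special_chars));
                    $password_special_chars = preg_quote($g_password_special_chars);
                    $rules[] = "reg_exp,password,[{$password_special_chars}],{$error}";
                }
                if (!empty($client_info["settings"]["min_password_length"])) {
                    $rule = ft_eval_smarty_string($LANG["validation_client_password_too_short"], array("number" => $client_info["settings"]["min_password_length"]));
                    $rules[] = "length>={$client_info["settings"]["min_password_length"]},password,{$rule}";
                }
                // hashed once and reused for the history check, the history insert and the update.
                // NOTE(review): md5(md5()) is the scheme the other account functions on this page
                // store and compare against; changing it here alone would lock clients out
                $new_password_hash = md5(md5($info["password"]));
                // NOTE(review): the literal '******' here and in the username column below reads
                // like a placeholder in this listing - $new_password_hash and $username are never
                // interpolated, so confirm the real query writes them
                $password_clause = "password = '******',";
            }

            $errors = validate_fields($info, $rules);

            // check to see if username is already taken
            list($valid_username, $problem) = _ft_is_valid_username($username, $account_id);
            if (!$valid_username) {
                $errors[] = $problem;
            }

            // reject a new password that is still in the account's password history (if the feature
            // is on). The history itself is written only after the UPDATE succeeds, below: recording
            // it here would burn the password into history even when the submission is rejected
            $track_password_history = $is_changing_password && !empty($client_info["settings"]["num_password_history"]);
            if ($track_password_history
                && ft_password_in_password_history($account_id, $new_password_hash, $client_info["settings"]["num_password_history"])) {
                $errors[] = ft_eval_smarty_string($LANG["validation_password_in_password_history"], array("history_size" => $client_info["settings"]["num_password_history"]));
            }

            if (!empty($errors)) {
                $success = false;
                array_walk($errors, $bullet_errors);
                $message = implode("<br />", $errors);
                return array($success, $message);
            }

            $query = "
          UPDATE  {$g_table_prefix}accounts
          SET     {$password_clause}
                  first_name = '{$first_name}',
                  last_name = '{$last_name}',
                  username = '******',
                  email = '{$email}'
          WHERE   account_id = {$account_id_sql}
               ";
            if (mysql_query($query)) {
                if ($is_changing_password) {
                    if ($track_password_history) {
                        ft_add_password_to_password_history($account_id, $new_password_hash);
                    }
                    // the password changed, so any temporary (reset) password is now stale
                    mysql_query("UPDATE {$g_table_prefix}accounts SET temp_reset_password = NULL where account_id = {$account_id_sql}");
                }
            } else {
                ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());
            }
            break;

        case "settings":
            // each editable setting is gated by a "may_edit_*" account setting; a client only gets
            // validation rules (and, further down, an UPDATE column) for the ones they may touch
            $gated_rules = array(
                "may_edit_page_titles" => array(
                    "required,page_titles,{$LANG["validation_no_titles"]}",
                ),
                "may_edit_theme" => array(
                    "required,theme,{$LANG["validation_no_theme"]}",
                ),
                "may_edit_logout_url" => array(
                    "required,logout_url,{$LANG["validation_no_logout_url"]}",
                ),
                "may_edit_language" => array(
                    "required,ui_language,{$LANG["validation_no_ui_language"]}",
                ),
                "may_edit_timezone_offset" => array(
                    "required,timezone_offset,{$LANG["validation_no_timezone_offset"]}",
                ),
                "may_edit_sessions_timeout" => array(
                    "required,sessions_timeout,{$LANG["validation_no_sessions_timeout"]}",
                    "digits_only,sessions_timeout,{$LANG["validation_invalid_sessions_timeout"]}",
                ),
                "may_edit_date_format" => array(
                    "required,date_format,{$LANG["validation_no_date_format"]}",
                ),
            );
            $rules = array();
            foreach ($gated_rules as $permission => $page_rules) {
                if ($client_info["settings"][$permission] == "yes") {
                    $rules = array_merge($rules, $page_rules);
                }
            }

            $errors = validate_fields($info, $rules);
            if (!empty($errors)) {
                $success = false;
                array_walk($errors, $bullet_errors);
                $message = implode("<br />", $errors);
                return array($success, $message);
            }

            // update the main accounts table. Only update those settings they're ALLOWED to
            $settings = array();
            $gated_columns = array(
                "may_edit_language"         => "ui_language",
                "may_edit_timezone_offset"  => "timezone_offset",
                "may_edit_logout_url"       => "logout_url",
                "may_edit_sessions_timeout" => "sessions_timeout",
            );
            foreach ($gated_columns as $permission => $column) {
                if ($client_info["settings"][$permission] == "yes") {
                    $settings[$column] = $info[$column];
                }
            }
            if ($client_info["settings"]["may_edit_theme"] == "yes") {
                $settings["theme"] = $info["theme"];
                // the swatch select is named after the chosen theme ("<theme>_theme_swatches")
                $swatch_field = "{$info["theme"]}_theme_swatches";
                $settings["swatch"] = isset($info[$swatch_field]) ? $info[$swatch_field] : "";
            }
            if ($client_info["settings"]["may_edit_date_format"] == "yes") {
                $settings["date_format"] = $info["date_format"];
            }

            if (!empty($settings)) {
                // column names come from the fixed tables above; only the values are user-supplied
                $sql_rows = array();
                foreach ($settings as $column => $value) {
                    $sql_rows[] = "{$column} = '{$value}'";
                }
                $sql = implode(",\n", $sql_rows);
                $query = "
            UPDATE  {$g_table_prefix}accounts
            SET     {$sql}
            WHERE   account_id = {$account_id_sql}
                 ";
                mysql_query($query) or ft_handle_error("Failed query in <b>" . __FUNCTION__ . "</b>: <i>{$query}</i>", mysql_error());
            }

            // the remaining values live in the account settings table, not the accounts row.
            // NOTE(review): unlike the columns above these are not gated by a may_edit_* permission;
            // confirm the form only exposes them (max_failed_login_attempts in particular) to
            // clients who are meant to change them
            $settings = array();
            foreach (array("page_titles", "footer_text", "max_failed_login_attempts") as $setting_name) {
                if (isset($info[$setting_name])) {
                    $settings[$setting_name] = $info[$setting_name];
                }
            }
            if (!empty($settings)) {
                ft_set_account_settings($account_id, $settings);
            }
            break;
    }

    extract(ft_process_hook_calls("end", compact("account_id", "info"), array("success", "message")), EXTR_OVERWRITE);

    // refresh the session copies so the UI reflects the change immediately
    $_SESSION["ft"]["settings"] = ft_get_settings();
    $_SESSION["ft"]["account"] = ft_get_account_info($account_id);
    $_SESSION["ft"]["account"]["is_logged_in"] = true;

    return array($success, $message);
}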
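/**
 * Creates the administrator account. This is a bit of a misnomer, really, since the blank administrator account
 * always exists with an account ID of 1. This function just updates it.
 *
 * @param array $info the submitted installer form: first_name, last_name, email, username,
 *               password and password_2 (the confirmation)
 * @return array [0]: true/false (success / failure)
 *               [1]: message string - "" on success; on failure the bulleted validation errors
 *                    joined with <br />, or mysql_error() if the UPDATE itself failed
 */
function ft_install_create_admin_account($info)
{
    global $g_table_prefix, $g_root_url, $LANG;

    // the values are interpolated straight into the UPDATE below, so they go through the
    // installer's DB-less sanitizer first
    $info = ft_install_sanitize_no_db($info);

    // NOTE(review): the email rule's message is hard-coded in English while every other rule
    // reads from $LANG; confirm whether a translation key exists for it
    $rules = array(
        "required,first_name,{$LANG["validation_no_first_name"]}",
        "required,last_name,{$LANG["validation_no_last_name"]}",
        "required,email,{$LANG["validation_no_admin_email"]}",
        "valid_email,email,Please enter a valid administrator email address.",
        "required,username,{$LANG["validation_no_username"]}",
        "required,password,{$LANG["validation_no_password"]}",
        "required,password_2,{$LANG["validation_no_second_password"]}",
        "same_as,password,password_2,{$LANG["validation_passwords_different"]}",
    );
    $errors = validate_fields($info, $rules);
    if (!empty($errors)) {
        // bullet each error for display. A closure replaces the original create_function()
        // call, which evaluated its body from a string and no longer exists in PHP 8
        array_walk($errors, function (&$el) {
            $el = "&bull;&nbsp; " . $el;
        });
        return array(false, implode("<br />", $errors));
    }

    $first_name = $info["first_name"];
    $last_name  = $info["last_name"];
    $email      = $info["email"];
    $username   = $info["username"];
    // NOTE(review): md5(md5()) is the scheme the other account functions on this page store and
    // compare against; changing it here alone would make the new admin unable to log in
    $password = md5(md5($info["password"]));

    // NOTE(review): the literal '******' in the username and password columns reads like a
    // placeholder in this listing - $username and $password are never interpolated, so confirm
    // the real query writes them. The admin's logout URL defaults to the install's root URL
    $query = "
    UPDATE {$g_table_prefix}accounts
    SET    first_name = '{$first_name}',
           last_name = '{$last_name}',
           email = '{$email}',
           username = '******',
           password = '******',
           logout_url = '{$g_root_url}'
    WHERE account_id = 1
      ";
    if (mysql_query($query)) {
        return array(true, "");
    }

    return array(false, mysql_error());
}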