$stmt = $db->prepare($sql);
        $stmt->bindValue(1, $NumLogins, PDO::PARAM_INT);
        $stmt->bindValue(2, $AdminID, PDO::PARAM_INT);
        try {
            $stmt->execute();
        } catch (PDOException $ex) {
            trigger_error($ex->getMessage(), E_USER_ERROR);
        }
        feedback("Login Successful!", "notice");
        if (isset($_SESSION['red']) && $_SESSION['red'] != "") {
            #check to see if we'll be redirecting to a requesting page
            $red = $_SESSION['red'];
            #redirect back to original page
            $_SESSION['red'] == '';
            #clear session var
            myRedirect($red);
        } else {
            myRedirect($config->adminDashboard);
            # successful login! Redirect to admin page
        }
    } else {
        # failed login, redirect
        feedback("Login and/or Password are incorrect.", "warning");
        myRedirect($config->adminLogin);
    }
    unset($result, $db);
    //clear resources
} else {
    feedback("Required data not sent. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
    myRedirect($config->adminLogin);
}
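/**
 * Updates one test_Customers row from the edit form's POST data.
 *
 * Validates CustomerID, FirstName, LastName and Email, runs the UPDATE and
 * redirects back to THIS_PAGE with a feedback message for the outcome.
 * Every validation failure leaves the function before the query runs.
 *
 * @return void
 * @uses IDB::conn(), iformReq(), onlyEmail(), feedback(), myRedirect(), createErrorCode()
 */
function updateExecute()
{
    // `?? ''` avoids an undefined-index notice when the field is absent;
    // is_numeric('') is false, so a missing id still fails validation.
    if (!is_numeric($_POST['CustomerID'] ?? '')) {
        feedback("id passed was not a number. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
        myRedirect(THIS_PAGE);
        // Fail closed even if myRedirect() does not terminate the script.
        return;
    }
    $iConn = IDB::conn();
    // iformReq() needs the connection for mysqli_real_escape_string().
    $redirect = THIS_PAGE;
    // NOTE(review): the original comment calls $redirect a global used by
    // iformReq() on failure, but inside a function this is a local variable;
    // confirm iformReq() really sees it.
    $CustomerID = iformReq('CustomerID', $iConn);
    // iformReq() escapes for SQL; strip_tags() is applied on top for the
    // free-text fields so markup never reaches the database.
    $FirstName = strip_tags(iformReq('FirstName', $iConn));
    $LastName = strip_tags(iformReq('LastName', $iConn));
    $Email = strip_tags(iformReq('Email', $iConn));
    // Content checks run on the raw POST values, not the escaped copies.
    // ctype_graph() rejects whitespace too, so "Mary Ann" fails here.
    $rawFirst = $_POST['FirstName'] ?? '';
    $rawLast = $_POST['LastName'] ?? '';
    if (!is_string($rawFirst) || !is_string($rawLast) || !ctype_graph($rawFirst) || !ctype_graph($rawLast)) {
        feedback("First and Last Name must contain letters, numbers or punctuation", "warning");
        myRedirect(THIS_PAGE);
        return;
    }
    if (!onlyEmail($_POST['Email'] ?? '')) {
        feedback("Data entered for email is not valid", "warning");
        myRedirect(THIS_PAGE);
        return;
    }
    // %s slots receive the already-escaped strings; %d forces the id to an
    // integer so nothing but digits can reach the WHERE clause.
    $sql = "UPDATE test_Customers set  \n    FirstName='%s',\n    LastName='%s',\n    Email='%s'\n     WHERE CustomerID=%d";
    $sql = sprintf($sql, $FirstName, $LastName, $Email, (int) $CustomerID);
    // No `@`: let a failed query log its warning. E_USER_ERROR normally halts
    // the script; the explicit exit covers a custom handler that returns.
    if (mysqli_query($iConn, $sql) === false) {
        trigger_error(mysqli_error($iConn), E_USER_ERROR);
        exit;
    }
    if (mysqli_affected_rows($iConn) > 0) {
        feedback("Data Updated Successfully!", "success");
    } else {
        // Zero rows also means "same values submitted", not only a bad id.
        feedback("Data NOT changed!", "warning");
    }
    myRedirect(THIS_PAGE);
}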
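/**
 * Handles POST data and either emails it or prints it for review.
 *
 * All submitted values are scanned for a smuggled "Content-Type:" header
 * before anything is mailed; a hit aborts with feedback and a redirect.
 *
 * @param string $skipFields  comma separated list of POST keys to leave out
 * @param bool   $sendEmail   true to send the email, false to only print the data
 * @param string $toName      display name of the recipient
 * @param string $fromAddress fallback 'noreply' sender, used when the form holds no valid Email
 * @param string $toAddress   address to receive the email
 * @param string $website     name of the website where the form was filled out
 * @param string $fromDomain  domain of the website where the form was filled out
 * @return void
 * @uses show_POST(), is_email(), safe(), email_handler(), feedback(), myRedirect(), createErrorCode()
 */
function handle_POST($skipFields, $sendEmail, $toName, $fromAddress, $toAddress, $website, $fromDomain)
{
    $aSkip = explode(",", $skipFields);
    // Builds the display/email text from the POST fields not in $aSkip.
    $postData = show_POST($aSkip);
    // Reply to the submitted Email only when it validates; otherwise keep the
    // fallback the caller passed in. (The original overwrote $fromAddress with
    // "" first, so the documented fallback was never used.)
    $submittedEmail = $_POST['Email'] ?? '';
    if (is_string($submittedEmail) && is_email($submittedEmail)) {
        // Drop CR/LF so the address can never terminate a mail header.
        $fromAddress = str_replace(["\r", "\n"], "", $submittedEmail);
    }
    if (!$sendEmail) {
        print "Data printed only.  Email <b>not</b> sent!<br />";
        echo $postData;
        echo '<a href="' . THIS_PAGE . '">Reset Form</a><br />';
        return;
    }
    // Flatten nested fields too: a "Content-Type:" hidden in an array value
    // is just as dangerous as one in a top-level field.
    $values = [];
    array_walk_recursive($_POST, static function ($value) use (&$values): void {
        $values[] = (string) $value;
    });
    foreach ($values as $value) {
        // Remove spaces first so a spaced-out header name cannot slip past.
        $spaceless = str_replace(" ", "", $value);
        if (stripos($spaceless, 'Content-Type:') !== false) {
            feedback("Incorrect form data. Email NOT sent. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
            myRedirect(THIS_PAGE);
            // Fail closed even if myRedirect() does not terminate the script.
            return;
        }
    }
    // Name becomes part of the Subject header, so it goes through safe().
    // NOTE(review): confirm safe() strips CR/LF; that is what matters here.
    $Name = safe($_POST['Name'] ?? "");
    $SubjectName = ((string) $Name !== "") ? " from: " . $Name . "," : "";
    // Plain-text body: turn the <br /> separators into blank lines.
    $postData = str_replace("<br />", PHP_EOL . PHP_EOL, $postData);
    $Subject = $website . " message" . $SubjectName . " " . date('F j, Y g:i a');
    $txt = $Subject . PHP_EOL . PHP_EOL . $postData;
    email_handler($toAddress, $toName, $Subject, $txt, $fromAddress, $Name, $website, $fromDomain);
}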
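/**
 * Saves the edited administrator record from the POST form.
 *
 * Checks the required fields, rejects an email already used by another
 * administrator, runs the UPDATE, refreshes the session when the edited
 * record is the logged-in admin, and renders the follow-up links.
 *
 * @param string $nav1 unused; kept so existing callers keep working
 * @return void
 * @uses required_params(), dbIn(), feedback(), myerror(), createErrorCode()
 */
function updateExecute($nav1 = '')
{
    $params = array('FirstName', 'LastName', 'AdminID', 'Email', 'Privilege');
    // Validate before opening a connection; none of these checks need one.
    if (!required_params($params)) {
        feedback("Data not entered/updated. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    // (int) turns anything non-numeric into 0, which the guard rejects.
    $AdminID = (int) ($_POST['AdminID'] ?? 0);
    if ($AdminID <= 0) {
        feedback("AdminID not numeric", "warning");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    // No `@`: a failed connect should be logged, not hidden
    // (keep display_errors off in production so nothing leaks to the page).
    $iConn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
    // dbIn() escapes for this connection; the %s slots below rely on that.
    $FirstName = dbIn($_POST['FirstName'], $iConn);
    $LastName = dbIn($_POST['LastName'], $iConn);
    $Email = strtolower(dbIn($_POST['Email'], $iConn));
    // NOTE(review): Privilege is stored as submitted. Nothing here limits it
    // to a known set of roles, so confirm that happens upstream (or add an
    // allow-list) before it is trusted for authorisation.
    $Privilege = dbIn($_POST['Privilege'], $iConn);
    // Friendlier message for a duplicate email. This check races with a
    // concurrent update; a UNIQUE index on Email is the real guarantee.
    $sql = sprintf("select AdminID from " . PREFIX . "Admin WHERE (Email='%s') and AdminID != %d", $Email, $AdminID);
    $result = mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    if (mysqli_num_rows($result) > 0) {
        feedback("Email already exists - please choose a different email.");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    // %d forces AdminID to an integer; the %s values were escaped by dbIn().
    $sql = sprintf("UPDATE " . PREFIX . "Admin set FirstName='%s',LastName='%s',Email='%s',Privilege='%s' WHERE AdminID=%d", $FirstName, $LastName, $Email, $Privilege, $AdminID);
    mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    // Zero affected rows also happens when the submitted values equal the stored ones.
    if (mysqli_affected_rows($iConn) > 0) {
        feedback("Successfully Updated!", "notice");
        // Editing the logged-in admin: keep the session in step with the row.
        if ((int) ($_SESSION["AdminID"] ?? 0) === $AdminID) {
            $_SESSION["Privilege"] = $Privilege;
            $_SESSION["FirstName"] = $FirstName;
        }
    } else {
        feedback("Data NOT Updated! (or not changed from original values)");
    }
    include INCLUDE_PATH . 'header.php';
    echo '
		<h1>Edit Administrator</h1>
		<p align="center"><a href="' . ADMIN_PATH . THIS_PAGE . '">Edit More</a></p>
		<p align="center"><a href="' . ADMIN_PATH . 'admin_dashboard.php">Exit To Admin</a></p>
		';
    include INCLUDE_PATH . 'footer.php';
}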
     //data must be valid email
     feedback("Data entered for email is not valid", "error");
     header('Location:' . ADMIN_PATH . THIS_PAGE);
     die;
 }
 if (!onlyAlphaNum($_POST['PWord1'])) {
     //data must be alphanumeric or punctuation only
     feedback("Password must contain letters and numbers only.", "error");
     header('Location:' . ADMIN_PATH . THIS_PAGE);
     die;
 }
 $params = array('FirstName', 'LastName', 'PWord1', 'Email', 'Privilege');
 #required fields
 if (!required_params($params)) {
     //abort - required fields not sent
     feedback("Data not entered/updated. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
     header('Location:' . ADMIN_PATH . THIS_PAGE);
     die;
 }
 $iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
 $FirstName = dbIn($_POST['FirstName'], $iConn);
 $LastName = dbIn($_POST['LastName'], $iConn);
 $AdminPW = dbIn($_POST['PWord1'], $iConn);
 $Email = strtolower(dbIn($_POST['Email'], $iConn));
 $Privilege = dbIn($_POST['Privilege'], $iConn);
 #sprintf() function allows us to filter data by type while inserting DB values.
 $sql = sprintf("INSERT into " . PREFIX . "Admin (FirstName,LastName,AdminPW,Email,Privilege,DateAdded) VALUES ('%s','%s',SHA('%s'),'%s','%s',NOW())", $FirstName, $LastName, $AdminPW, $Email, $Privilege);
 # insert is done here
 @mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
 # feedback success or failure of insert
 if (mysqli_affected_rows($iConn) > 0) {
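/**
 * Prints a customized public error message
 *
 * Will use a custom error code created by calling
 * createErrorCode() function, and display it to the user
 * (HTML-escaped), then emits the footer and stops the script.
 *
 * @param string $myFile file name provided by PHP error handler
 * @param int|string $myLine line number of error provided by PHP error handler
 * @return void
 * @see createErrorCode()
 * @see printDeveloperError()
 * @todo none
 */
function printUserError($myFile, $myLine)
{
    // Error code built from file name & line number.
    $errorCode = createErrorCode($myFile, $myLine);
    // Escape before echoing into HTML so the code can never inject markup,
    // whatever its inputs turn out to be.
    $safeCode = htmlspecialchars((string) $errorCode, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo '<h2 align="center">Our page has encountered an error!</h2>';
    echo '<table align="center" width="50%" style="border:#F00 1px solid;"><tr><td align="center">';
    echo 'Please try again, or email support at <b>' . SUPPORT_EMAIL . '</b>,<br /> and let us know you are receiving ';
    echo 'the following Error Code: <b>' . $safeCode . '</b><br />';
    echo 'This will help us identify the problem, and fix it as quickly as possible.<br />';
    echo 'Thank you for your assistance and understanding!<br />';
    echo 'Sincerely,<br />Support Staff<br />';
    echo '<a href="index.php">Exit</a></td></tr></table>';
    get_footer();
    // One error is enough: stop so no partial page content follows.
    die;
}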
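/**
 * Resets an administrator's password from the POST form.
 *
 * Checks the required fields, validates AdminID and the new password,
 * runs the UPDATE and renders the follow-up links.
 *
 * @param string $nav1 unused; kept so existing callers keep working
 * @return void
 * @uses required_params(), onlyAlphaNum(), dbIn(), feedback(), myerror(), createErrorCode()
 */
function updateExecute($nav1 = '')
{
    $params = array('AdminID', 'PWord1');
    if (!required_params($params)) {
        feedback("Data not entered/updated. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    // (int) turns anything non-numeric into 0, which the guard rejects.
    $AdminID = (int) ($_POST['AdminID'] ?? 0);
    if ($AdminID <= 0) {
        feedback("AdminID not numeric", "warning");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    // NOTE(review): restricting passwords to letters and digits lowers the
    // entropy users can choose; dbIn() below already makes punctuation safe
    // for SQL, so consider relaxing this rule.
    if (!onlyAlphaNum($_POST['PWord1'])) {
        feedback("Data entered for password must be alphanumeric only");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    // No `@`: connection and query failures should be logged, not hidden.
    $iConn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
    $AdminPW = dbIn($_POST['PWord1'], $iConn);
    // NOTE(review): MySQL SHA() is an unsalted SHA-1 digest, fast to brute
    // force and not suitable for password storage. Moving to password_hash()/
    // password_verify() also requires changing the login check, so it is
    // flagged here rather than changed.
    $sql = sprintf("UPDATE " . PREFIX . "Admin set AdminPW=SHA('%s') WHERE AdminID=%d", $AdminPW, $AdminID);
    mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    // Zero affected rows also happens when the new password equals the old one.
    if (mysqli_affected_rows($iConn) > 0) {
        feedback("Password Successfully Reset!", "notice");
    } else {
        feedback("Password NOT Reset! (or not changed from original value)");
    }
    mysqli_close($iConn);
    include INCLUDE_PATH . 'header.php';
    echo '
	<p align="center"><h3>Reset Administrator Password</h3></p>
	<p align="center"><a href="' . ADMIN_PATH . THIS_PAGE . '">Reset More</a></p>
	<p align="center"><a href="' . ADMIN_PATH . 'admin_dashboard.php">Exit To Admin</a></p>
	';
    include INCLUDE_PATH . 'footer.php';
}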