//if data, process it!
 // NOTE(review): a commented-out var_dump($_POST) debug block used to sit here. Leave it
 // out of any live page: it would echo raw, unescaped user input straight into the HTML.
 $to = '*****@*****.**';
 // process_post() (defined elsewhere) assembles the mail body from $_POST. Whether it
 // neutralises CR/LF in the submitted fields (mail-header injection) is not visible here;
 // confirm before relying on safeEmail() alone.
 $message = process_post();
 $subject = 'Contact Form from retro site';
 // The e-mail is sent BEFORE the database insert below, so a failed insert still mails.
 safeEmail($to, $subject, $message);
 //connect to the database in order to add contact data
 $iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
 //process each post var, adding slashes, using mysqli_real_escape(), etc.
 // NOTE(review): the fields are read without isset(); a request lacking one raises a
 // notice and hands null to dbIn(). The values are then escaped by dbIn() AND bound as
 // parameters below. Escaping is only needed for string-built SQL, so bound values reach
 // the table with literal backslashes (elsewhere dbOut() is used to strip them on the way
 // out). Bind the raw values, or drop dbIn() here, when this is revisited.
 $Name = dbIn($_POST['Name'], $iConn);
 $Email = dbIn($_POST['Email'], $iConn);
 $Comments = dbIn($_POST['Comments'], $iConn);
 //place question marks in place of each item to be inserted
 $sql = "INSERT INTO test_Contacts (Name,Email,Comments,DateAdded) VALUES(?,?,?,NOW())";
 $stmt = @mysqli_prepare($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
 /*
  * second parameter of the mysqli_stmt_bind_param below
  * identifies each data type inserted:
  *
  * i == integer
  * d == double (floating point)
  * s == string
  * b == blob (file/image)
  *
  *example: an integer, 2 strings, then a double would be: "issd"
  */
 mysqli_stmt_bind_param($stmt, 'sss', $Name, $Email, $Comments);
 // NOTE(review): the statement is only bound here; mysqli_stmt_execute($stmt) presumably
 // follows this fragment — make sure execute()'s return value is checked, not just prepare()'s.
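/**
 * Fetch a required POST field, escaped for the database.
 *
 * Looks up $_POST[$var]. When the field is absent the user gets an error
 * message via feedback() and is redirected: to $redirect when the caller
 * supplied one, otherwise to the page-level global $redirect, otherwise to
 * THIS_PAGE. When the field is present its value is passed through dbIn()
 * and returned.
 *
 *<code>
 * $myVar = form_Req('myVar', THIS_PAGE);
 * $otherVar = form_Req('otherVar', THIS_PAGE);
 *</code>
 *
 * NOTE(review): dbIn() is called here without a connection handle, unlike every
 * other call in this file (dbIn($x, $iConn)); mysqli_real_escape_string() needs a
 * live connection, so confirm dbIn() copes with the missing argument.
 *
 * @uses dbIn()
 * @param string $var      name of the POST field (the key, NOT its value)
 * @param string $redirect page to redirect to on failure; '' or null falls back to the global
 * @return string the field value as escaped by dbIn()
 * @todo merge formReq (uses global) with form_Req (preferred) below:
 */
function form_Req($var, $redirect)
{
    if (!isset($_POST[$var])) {
        feedback("Required Form Data Not Passed", "error");
        // The original declared `global $redirect;` AFTER taking $redirect as a
        // parameter, which silently discarded the argument. The parameter now wins;
        // the page-level global remains as a fallback for existing callers.
        $target = null;
        if (isset($redirect) && $redirect != "") {
            $target = $redirect;
        } elseif (isset($GLOBALS['redirect']) && $GLOBALS['redirect'] != "") {
            $target = $GLOBALS['redirect'];
        }
        if ($target === null) {
            //if no redirect indicated, use the current page!
            $target = THIS_PAGE;
        }
        myRedirect($target);
        // Stop here even if myRedirect() only sends a Location header: a redirect
        // without exit lets the rest of the page run on data that was never submitted.
        exit;
    }
    return dbIn($_POST[$var]);
}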
 //next check for specific issues with data
 // NOTE(review): this fragment begins mid-script; the required-field checks for 'pw' and
 // 'em' are assumed to precede it — both keys are read below without isset().
 if (!ctype_graph($_POST['pw'])) {
     //password must be printable, non-space characters only (ctype_graph rejects
     //spaces and the empty string; it does not bound the length)
     feedback("Illegal characters were entered. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
     header('Location:' . ADMIN_PATH . 'admin_login.php');
     die;
 }
 if (!onlyEmail($_POST['em'])) {
     //login must be a legal email address only
     feedback("Illegal characters were entered. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
     header('Location:' . ADMIN_PATH . 'admin_login.php');
     die;
 }
 $iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
 $Email = dbIn($_POST['em'], $iConn);
 $MyPass = dbIn($_POST['pw'], $iConn);
 // NOTE(review): injection safety of this query rests entirely on dbIn()'s escaping. The
 // contact-form code in this codebase already uses mysqli_prepare()/bind_param(), which
 // would be the consistent choice here (bind the raw, validated values rather than the
 // dbIn() output, or SHA() would hash the escaped form).
 // SHA() is MySQL's unsalted SHA-1: the cleartext password is embedded in the query text
 // (so it can surface in query/slow logs) and the stored digest is cheap to brute-force.
 // password_hash()/password_verify() on the PHP side is the replacement, but the AdminPW
 // column and the admin add/reset handlers must be migrated in step.
 $sql = sprintf("select AdminID,FirstName,Privilege,NumLogins from " . PREFIX . "Admin WHERE Email='%s' AND AdminPW=SHA('%s')", $Email, $MyPass);
 $result = mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
 // Any matching row authenticates; no failed-attempt counting or lockout is visible here.
 if (mysqli_num_rows($result) > 0) {
     # valid user, create session vars, redirect!
     $row = mysqli_fetch_array($result);
     #no while statement, should be single record
     startSession();
     #wrapper for session_start()
     # NOTE(review): the session id should be regenerated at this privilege change
     # (session_regenerate_id(true)) to defeat session fixation — nothing visible here
     # does so; confirm startSession() handles it.
     $AdminID = (int) $row["AdminID"];
     # (int) cast forces conversion to integer
     $_SESSION["AdminID"] = $AdminID;
     # create session variables to identify admin
     $_SESSION["FirstName"] = dbOut($row["FirstName"]);
     #use dbOut() to clean strings, replace escaped quotes
     $_SESSION["Privilege"] = dbOut($row["Privilege"]);
     # (session setup and the post-login redirect continue past this fragment)
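/**
 * Handle the "edit administrator" form POST.
 *
 * Flow: require every field -> validate AdminID -> escape inputs with dbIn() ->
 * refuse an e-mail already used by a different admin -> UPDATE the row ->
 * refresh the current user's own session copies when editing oneself ->
 * render the follow-up links. Each failure path calls feedback(), sends a
 * Location header and dies.
 *
 * NOTE(review): no authorisation check is visible in this handler. Privilege is
 * taken straight from $_POST, so whoever can reach this page can change any
 * admin's (including their own) Privilege. Confirm the including page gates
 * access, and consider whitelisting Privilege against the values the app knows.
 * Email is not run through onlyEmail() here either, although the login form
 * requires it.
 *
 * @param string $nav1 unused; kept for the caller's signature
 * @return void
 */
function updateExecute($nav1 = '')
{
    #required fields
    $params = array('FirstName', 'LastName', 'AdminID', 'Email', 'Privilege');
    if (!required_params($params)) {
        //abort - required fields not sent
        feedback("Data not entered/updated. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    #Convert to integer; anything non-numeric casts to zero and is rejected
    $AdminID = isset($_POST['AdminID']) ? (int) $_POST['AdminID'] : 0;
    if ($AdminID <= 0) {
        feedback("AdminID not numeric", "warning");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    #connect only once the input has passed validation
    $iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
    #dbIn() escapes for the string-built queries below; injection safety rests on it
    $FirstName = dbIn($_POST['FirstName'], $iConn);
    $LastName = dbIn($_POST['LastName'], $iConn);
    $Email = strtolower(dbIn($_POST['Email'], $iConn));
    $Privilege = dbIn($_POST['Privilege'], $iConn);
    #check for duplicate email (any OTHER admin already using it)
    $sql = sprintf("select AdminID from " . PREFIX . "Admin WHERE (Email='%s') and AdminID != %d", $Email, $AdminID);
    $result = mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    if (mysqli_num_rows($result) > 0) {
        # someone already has email!
        feedback("Email already exists - please choose a different email.");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    #sprintf() types the values on the way in: %d forces AdminID to an integer
    $sql = sprintf("UPDATE " . PREFIX . "Admin set FirstName='%s',LastName='%s',Email='%s',Privilege='%s' WHERE AdminID=%d", $FirstName, $LastName, $Email, $Privilege, $AdminID);
    @mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    //feedback success or failure of the update (MySQL reports 0 affected rows when nothing changed)
    if (mysqli_affected_rows($iConn) > 0) {
        feedback("Successfully Updated!", "notice");
        #editing oneself: refresh the session copies. isset() avoids a notice when no
        #session is active; dbOut() stores the displayable value rather than the
        #dbIn()-escaped one, the same way the login handler fills these keys.
        if (isset($_SESSION["AdminID"]) && (int) $_SESSION["AdminID"] === $AdminID) {
            $_SESSION["Privilege"] = dbOut($Privilege);
            $_SESSION["FirstName"] = dbOut($FirstName);
        }
    } else {
        feedback("Data NOT Updated! (or not changed from original values)");
    }
    @mysqli_close($iConn);
    include INCLUDE_PATH . 'header.php';
    echo '
		<h1>Edit Administrator</h1>
		<p align="center"><a href="' . ADMIN_PATH . THIS_PAGE . '">Edit More</a></p>
		<p align="center"><a href="' . ADMIN_PATH . 'admin_dashboard.php">Exit To Admin</a></p>
		';
    include INCLUDE_PATH . 'footer.php';
}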
        die;
    }
    // NOTE(review): this fragment begins inside the add-administrator handler; the
    // check closed just above is not visible here.
    $params = array('FirstName', 'LastName', 'PWord1', 'Email', 'Privilege');
    #required fields
    if (!required_params($params)) {
        //abort - required fields not sent
        feedback("Data not entered/updated. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    $iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
    #dbIn() escapes for the string-built INSERT below; injection safety rests on it
    $FirstName = dbIn($_POST['FirstName'], $iConn);
    $LastName = dbIn($_POST['LastName'], $iConn);
    # NOTE(review): unlike the password-reset handler (onlyAlphaNum()), nothing here
    # constrains PWord1's characters or length, while the login form only accepts
    # ctype_graph() passwords — a password containing a space could never be used.
    $AdminPW = dbIn($_POST['PWord1'], $iConn);
    # NOTE(review): no onlyEmail() check, although the login form requires one — an
    # address that fails it yields an admin who can never log in. There is also no
    # duplicate-email check (the edit handler has one); unless the column is UNIQUE,
    # duplicates are accepted silently.
    $Email = strtolower(dbIn($_POST['Email'], $iConn));
    # NOTE(review): Privilege is stored exactly as submitted; whitelist it against the
    # values the application recognises.
    $Privilege = dbIn($_POST['Privilege'], $iConn);
    #sprintf() function allows us to filter data by type while inserting DB values.
    # SHA() is MySQL's unsalted SHA-1 — a hash, not encryption, and cheap to brute-force;
    # password_hash()/password_verify() on the PHP side is the replacement, but the
    # login check and the reset handler must be migrated together with the column.
    $sql = sprintf("INSERT into " . PREFIX . "Admin (FirstName,LastName,AdminPW,Email,Privilege,DateAdded) VALUES ('%s','%s',SHA('%s'),'%s','%s',NOW())", $FirstName, $LastName, $AdminPW, $Email, $Privilege);
    # insert is done here
    @mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    # feedback success or failure of insert
    if (mysqli_affected_rows($iConn) > 0) {
        feedback("Administrator Added!", "notice");
    } else {
        feedback("Administrator NOT Added!", "error");
    }
    include INCLUDE_PATH . 'header.php';
    echo '
		<p><h1>Add Administrator</h1></p>
		<p align="center"><a href="' . ADMIN_PATH . THIS_PAGE . '">Add More</a></p>
		<p align="center"><a href="' . ADMIN_PATH . 'admin_dashboard.php">Exit To Admin</a></p>
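/**
 * Handle the "reset administrator password" form POST.
 *
 * Requires AdminID and PWord1, insists the new password is purely alphanumeric
 * (onlyAlphaNum()), then stores SHA(password) for that AdminID and renders the
 * follow-up links. Each failure path calls feedback(), sends a Location header
 * and dies.
 *
 * NOTE(review): the password is stored as an unsalted SHA-1 computed by MySQL
 * (SHA()) — that is a hash, not encryption, and it is cheap to brute-force.
 * password_hash()/password_verify() on the PHP side is the replacement, but the
 * AdminPW column, the login check and the add-admin handler must be migrated
 * together. No authorisation or current-password check is visible here either;
 * confirm the including page restricts who may reset whose password.
 *
 * @param string $nav1 unused; kept for the caller's signature
 * @return void
 */
function updateExecute($nav1 = '')
{
    #required fields
    if (!required_params(array('AdminID', 'PWord1'))) {
        //abort - required fields not sent
        feedback("Data not entered/updated. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    #Convert to integer; anything non-numeric casts to zero and is rejected
    $AdminID = isset($_POST['AdminID']) ? (int) $_POST['AdminID'] : 0;
    if ($AdminID <= 0) {
        feedback("AdminID not numeric", "warning");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    #password must be alphanumeric ONLY (the check is onlyAlphaNum(), so punctuation
    #is rejected too); nothing here enforces a minimum length
    if (!onlyAlphaNum($_POST['PWord1'])) {
        feedback("Data entered for password must be alphanumeric only");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    $iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
    #dbIn() is kept for whatever normalisation it applies; as a bound parameter the
    #value needs no SQL escaping (and, being alphanumeric, has nothing to escape)
    $AdminPW = dbIn($_POST['PWord1'], $iConn);
    #Bind the values instead of sprintf()-ing them into the query text, matching the
    #mysqli_prepare()/bind_param() style used elsewhere in this codebase.
    $stmt = @mysqli_prepare($iConn, "UPDATE " . PREFIX . "Admin set AdminPW=SHA(?) WHERE AdminID=?") or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    mysqli_stmt_bind_param($stmt, 'si', $AdminPW, $AdminID);
    @mysqli_stmt_execute($stmt) or die(myerror(__FILE__, __LINE__, mysqli_stmt_error($stmt)));
    //feedback success or failure of the update (0 rows when the hash is unchanged or AdminID is unknown)
    if (mysqli_stmt_affected_rows($stmt) > 0) {
        feedback("Password Successfully Reset!", "notice");
    } else {
        feedback("Password NOT Reset! (or not changed from original value)");
    }
    mysqli_stmt_close($stmt);
    @mysqli_close($iConn);
    include INCLUDE_PATH . 'header.php';
    echo '
	<p align="center"><h3>Reset Administrator Password</h3></p>
	<p align="center"><a href="' . ADMIN_PATH . THIS_PAGE . '">Reset More</a></p>
	<p align="center"><a href="' . ADMIN_PATH . 'admin_dashboard.php">Exit To Admin</a></p>
	';
    include INCLUDE_PATH . 'footer.php';
}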