//if data, process it!
/* echo '<pre>'; var_dump($_POST); echo '</pre>'; */
// NOTE(review): this is an excerpt of a flat script — the condition that
// guards it and the mysqli_stmt_execute() that must follow bind_param()
// are outside the visible lines.
// The recipient is redacted in this copy ('*****@*****.**'); the real
// address belongs in configuration, not in page code.
$to = '*****@*****.**';
// process_post() assembles the message body from $_POST. Whether CR/LF
// sequences are stripped (mail-header injection) is not visible here —
// presumably safeEmail() takes care of it; confirm.
$message = process_post();
$subject = 'Contact Form from retro site';
safeEmail($to, $subject, $message);
//connect to the database in order to add contact data
$iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
//process each post var, adding slashes, using mysqli_real_escape(), etc.
// NOTE(review): the three fields are read without isset(); a request that
// omits one raises an undefined-index notice and inserts an empty value.
// NOTE(review): these values are bound as parameters below, so the SQL
// parser never sees them — any slashes dbIn() adds are stored literally
// (dbOut() then has to strip them on the way out). Escaping and binding
// should not both be applied to the same value; with prepared statements
// the raw value is what should be bound.
$Name = dbIn($_POST['Name'], $iConn);
$Email = dbIn($_POST['Email'], $iConn);
$Comments = dbIn($_POST['Comments'], $iConn);
//place question marks in place of each item to be inserted
$sql = "INSERT INTO test_Contacts (Name,Email,Comments,DateAdded) VALUES(?,?,?,NOW())";
$stmt = @mysqli_prepare($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
/*
 * The second parameter of mysqli_stmt_bind_param() below is a type string
 * with one character per placeholder:
 *
 *   i == integer
 *   d == double (floating point)
 *   s == string
 *   b == blob (file/image)
 *
 * Example: an integer, two strings, then a double would be "issd".
 * Binding (rather than interpolating) is what keeps user input out of the
 * SQL text.
 */
mysqli_stmt_bind_param($stmt, 'sss', $Name, $Email, $Comments);
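/**
 * Requires that $_POST[$var] was submitted and returns it passed through
 * dbIn(), which escapes the value per MySQL rules (adds slashes / uses
 * mysqli_real_escape_string()) to reduce the risk of SQL injection.
 *
 * On a missing field the user is told via feedback() and redirected: to the
 * $redirect argument when one is given, otherwise to the page-level global
 * $redirect (declared just before the form fields are tested), otherwise to
 * THIS_PAGE.
 *
 *<code>
 * $myVar = form_Req('myVar', THIS_PAGE);
 * $otherVar = form_Req('otherVar', THIS_PAGE);
 *</code>
 *
 * @uses dbIn()
 * @param string $var      name of the $_POST field entered by the user
 * @param string $redirect page to send the user to on failure; '' means
 *                         "use the global $redirect, then THIS_PAGE"
 * @return string|null data escaped by dbIn(); null only if the field was
 *                     missing and myRedirect() returned instead of exiting
 * @todo merge formReq (uses global) with form_Req (preferred) below:
 */
function form_Req($var, $redirect = '')
{
    if (!isset($_POST[$var])) {
        feedback("Required Form Data Not Passed", "error");
        // Bug fix: the original declared `global $redirect;` here, which
        // rebinds the local name to the global and silently discards the
        // argument — the parameter never had any effect. Precedence is now:
        // argument, then the page-level global, then THIS_PAGE.
        $target = (string) $redirect;
        if ($target === '' && isset($GLOBALS['redirect'])) {
            $target = (string) $GLOBALS['redirect'];
        }
        if ($target === '') {
            //if no redirect indicated, use the current page!
            myRedirect(THIS_PAGE);
        } else {
            myRedirect($target);
        }
        // NOTE(review): assumes myRedirect() terminates the script; if it
        // does not, the caller receives null for the missing field.
        return null;
    }
    // NOTE(review): every other dbIn() call on this page passes the mysqli
    // connection as a second argument; mysqli_real_escape_string() needs a
    // live connection, so confirm dbIn() obtains one itself when called
    // with a single argument.
    return dbIn($_POST[$var]);
}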
//next check for specific issues with data
// NOTE(review): this excerpt starts after earlier checks (presumably that
// $_POST['pw'] and $_POST['em'] are present) and ends inside the
// successful-login branch; the rest of that branch is not visible here.
// ctype_graph() accepts any printable non-space ASCII — quotes and
// backslashes included — and rejects the empty string, so it bounds the
// character set but does not by itself make the value safe for SQL.
if (!ctype_graph($_POST['pw'])) { //data must be alphanumeric or punctuation only
    feedback("Illegal characters were entered. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
    header('Location:' . ADMIN_PATH . 'admin_login.php');
    die;
}
// Same user-facing message as above: the response does not reveal which
// field failed, which is the right choice on a login form.
if (!onlyEmail($_POST['em'])) { //login must be a legal email address only
    feedback("Illegal characters were entered. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
    header('Location:' . ADMIN_PATH . 'admin_login.php');
    die;
}
$iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
// dbIn() escapes for this connection; that escaping is the only thing
// between the user-supplied strings and the query text built below.
$Email = dbIn($_POST['em'], $iConn);
$MyPass = dbIn($_POST['pw'], $iConn);
// NOTE(review): the query text is assembled from escaped strings rather
// than bound parameters (the contact-form code on this page already uses
// mysqli_prepare()/mysqli_stmt_bind_param()). SHA() is MySQL's unsalted
// SHA-1, and the plaintext password is sent to the server inside the query
// text, where it can end up in the general/slow query log. The fix —
// password_hash()/password_verify() in PHP with a plain lookup by Email —
// also requires migrating the stored hashes and the add/reset handlers, so
// it is not made in place here.
$sql = sprintf("select AdminID,FirstName,Privilege,NumLogins from " . PREFIX . "Admin WHERE Email='%s' AND AdminPW=SHA('%s')", $Email, $MyPass);
$result = mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
if (mysqli_num_rows($result) > 0) { # valid user, create session vars, redirect!
    $row = mysqli_fetch_array($result); #no while statement, should be single record
    // NOTE(review): whether startSession() also rotates the session id
    // after authentication (session_regenerate_id(true), against session
    // fixation) is not visible here — confirm.
    startSession(); #wrapper for session_start()
    $AdminID = (int) $row["AdminID"]; # use (int) cast to for conversion to integer
    $_SESSION["AdminID"] = $AdminID; # create session variables to identify admin
    $_SESSION["FirstName"] = dbOut($row["FirstName"]); #use dbOut() to clean strings, replace escaped quotes
    $_SESSION["Privilege"] = dbOut($row["Privilege"]);
    // … the successful-login branch continues past the end of this excerpt
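/**
 * Applies an "edit administrator" form submission: validates the required
 * fields, rejects a duplicate e-mail address, updates the Admin row and
 * renders a confirmation page. On any validation failure the user is sent
 * back to THIS_PAGE with a feedback() message and the script exits.
 *
 * @param string $nav1 accepted for interface compatibility; not used here
 * @return void  renders output; exits via die on failure paths
 */
function updateExecute($nav1 = '')
{
    $iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
    $params = array('FirstName', 'LastName', 'AdminID', 'Email', 'Privilege'); #required fields
    if (!required_params($params)) { //abort - required fields not sent
        feedback("Data not entered/updated. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    if (isset($_POST['AdminID']) && (int) $_POST['AdminID'] > 0) {
        $AdminID = (int) $_POST['AdminID']; #Convert to integer, will equate to zero if fails
    } else {
        feedback("AdminID not numeric", "warning");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    // dbIn() escapes each value for this connection; that escaping is the
    // only protection for the sprintf()-built queries below (the contact
    // form on this page uses bound parameters instead).
    $FirstName = dbIn($_POST['FirstName'], $iConn);
    $LastName = dbIn($_POST['LastName'], $iConn);
    $Email = strtolower(dbIn($_POST['Email'], $iConn));
    // NOTE(review): Privilege is stored as whatever string was posted. If
    // the schema has a fixed role set, validate against that allowlist
    // here; no authorisation check is visible in this function, so confirm
    // the caller decides who may change another administrator's (or their
    // own) Privilege.
    $Privilege = dbIn($_POST['Privilege'], $iConn);
    #check for duplicate email
    // NOTE(review): check-then-update is racy; a UNIQUE index on Email is
    // the reliable guard, with this check as the friendly error path.
    $sql = sprintf("select AdminID from " . PREFIX . "Admin WHERE (Email='%s') and AdminID != %d", $Email, $AdminID);
    $result = mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    if (mysqli_num_rows($result) > 0) { # someone already has email!
        feedback("Email already exists - please choose a different email.");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    #sprintf() function allows us to filter data by type while inserting DB values. Illegal data is neutralized, ie: numerics become zero
    $sql = sprintf("UPDATE " . PREFIX . "Admin set FirstName='%s',LastName='%s',Email='%s',Privilege='%s' WHERE AdminID=%d", $FirstName, $LastName, $Email, $Privilege, $AdminID);
    @mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    //feedback success or failure of insert
    if (mysqli_affected_rows($iConn) > 0) {
        feedback("Successfully Updated!", "notice");
        // Editing one's own record: refresh the session copy so the change
        // applies without a re-login. isset() guards a session with no
        // AdminID (previously an undefined-index notice; the comparison
        // itself was already false in that case).
        // NOTE(review): the login handler stores dbOut()-cleaned values in
        // the session, whereas these are the dbIn()-escaped form — confirm
        // which representation the rest of the admin pages expect.
        if (isset($_SESSION["AdminID"]) && $_SESSION["AdminID"] == $AdminID) { #this is me! update current session info:
            $_SESSION["Privilege"] = $Privilege;
            $_SESSION["FirstName"] = $FirstName;
        }
    } else {
        feedback("Data NOT Updated! (or not changed from original values)");
    }
    // Release the connection before rendering, as the password-reset
    // handler does; nothing below touches the database.
    @mysqli_close($iConn);
    include INCLUDE_PATH . 'header.php';
    echo ' <h1>Edit Administrator</h1> <p align="center"><a href="' . ADMIN_PATH . THIS_PAGE . '">Edit More</a></p> <p align="center"><a href="' . ADMIN_PATH . 'admin_dashboard.php">Exit To Admin</a></p> ';
    include INCLUDE_PATH . 'footer.php';
}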
die;
} // closes a guard whose opening is outside this excerpt
// NOTE(review): this excerpt is cut at both ends — the enclosing block
// starts before it and the closing echo/include run continues past it.
$params = array('FirstName', 'LastName', 'PWord1', 'Email', 'Privilege'); #required fields
if (!required_params($params)) { //abort - required fields not sent
    feedback("Data not entered/updated. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
    header('Location:' . ADMIN_PATH . THIS_PAGE);
    die;
}
$iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
// dbIn() escapes each value for this connection; that escaping is the only
// protection for the sprintf()-built INSERT below (the contact form on this
// page uses bound parameters instead).
$FirstName = dbIn($_POST['FirstName'], $iConn);
$LastName = dbIn($_POST['LastName'], $iConn);
// NOTE(review): unlike the password-reset handler on this page, no
// character or length check is applied to the new password before it is
// escaped.
$AdminPW = dbIn($_POST['PWord1'], $iConn);
// Lower-cased for case-insensitive matching. No duplicate check is done
// here (the edit handler performs one); without a UNIQUE index on Email two
// administrators can share an address, and the login lookup by Email can
// then return more than one row.
$Email = strtolower(dbIn($_POST['Email'], $iConn));
// NOTE(review): Privilege is stored as whatever string was posted; if the
// schema has a fixed role set, validate against that allowlist here.
$Privilege = dbIn($_POST['Privilege'], $iConn);
#sprintf() function allows us to filter data by type while inserting DB values.
// SHA() is MySQL's unsalted SHA-1, and the plaintext password travels
// inside the query text (visible in the general/slow query log).
// password_hash() in PHP is current practice, but the login and reset
// handlers compare against SHA() and would have to change together.
$sql = sprintf("INSERT into " . PREFIX . "Admin (FirstName,LastName,AdminPW,Email,Privilege,DateAdded) VALUES ('%s','%s',SHA('%s'),'%s','%s',NOW())", $FirstName, $LastName, $AdminPW, $Email, $Privilege); # insert is done here
@mysqli_query($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
# feedback success or failure of insert
if (mysqli_affected_rows($iConn) > 0) {
    feedback("Administrator Added!", "notice");
} else {
    feedback("Administrator NOT Added!", "error");
}
include INCLUDE_PATH . 'header.php';
echo ' <p><h1>Add Administrator</h1></p> <p align="center"><a href="' . ADMIN_PATH . THIS_PAGE . '">Add More</a></p> <p align="center"><a href="' . ADMIN_PATH . 'admin_dashboard.php">Exit To Admin</a></p>
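/**
 * Applies a "reset administrator password" form submission: validates the
 * required fields, restricts the new password to alphanumerics, updates the
 * Admin row and renders a confirmation page. On any validation failure the
 * user is sent back to THIS_PAGE with a feedback() message and the script
 * exits.
 *
 * @param string $nav1 accepted for interface compatibility; not used here
 * @return void  renders output; exits via die on failure paths
 */
function updateExecute($nav1 = '')
{
    $params = array('AdminID', 'PWord1'); #required fields
    if (!required_params($params)) { //abort - required fields not sent
        feedback("Data not entered/updated. (error code #" . createErrorCode(THIS_PAGE, __LINE__) . ")", "error");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    if (isset($_POST['AdminID']) && (int) $_POST['AdminID'] > 0) {
        $AdminID = (int) $_POST['AdminID']; #Convert to integer, will equate to zero if fails
    } else {
        feedback("AdminID not numeric", "warning");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    // Password must be alphanumeric only (the old comment said "or
    // punctuation", which onlyAlphaNum() does not allow).
    // NOTE(review): this rules out symbols and shrinks the password space;
    // no minimum length is enforced either. No authorisation check is
    // visible here, so confirm the caller decides who may reset which
    // AdminID.
    if (!onlyAlphaNum($_POST['PWord1'])) {
        feedback("Data entered for password must be alphanumeric only");
        header('Location:' . ADMIN_PATH . THIS_PAGE);
        die;
    }
    $iConn = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(myerror(__FILE__, __LINE__, mysqli_connect_error()));
    // Kept for behavioural parity: the value passed onlyAlphaNum(), so
    // escaping has nothing to change.
    $AdminPW = dbIn($_POST['PWord1'], $iConn);
    // The value is now bound rather than interpolated with sprintf(), using
    // the same mysqli_prepare()/bind_param() idiom as the contact form on
    // this page, so the query text no longer depends on dbIn() being right.
    // SHA() is MySQL's unsalted SHA-1 and the plaintext password still
    // travels to the server (and potentially its query log); the login
    // handler compares against SHA(), so moving to password_hash() has to be
    // done for login, add and reset together.
    $sql = "UPDATE " . PREFIX . "Admin set AdminPW=SHA(?) WHERE AdminID=?";
    $stmt = @mysqli_prepare($iConn, $sql) or die(myerror(__FILE__, __LINE__, mysqli_error($iConn)));
    mysqli_stmt_bind_param($stmt, 'si', $AdminPW, $AdminID);
    @mysqli_stmt_execute($stmt) or die(myerror(__FILE__, __LINE__, mysqli_stmt_error($stmt)));
    // As before, a row whose hash did not change counts as "not reset".
    $changed = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    //feedback success or failure of insert
    if ($changed > 0) {
        feedback("Password Successfully Reset!", "notice");
    } else {
        feedback("Password NOT Reset! (or not changed from original value)");
    }
    @mysqli_close($iConn);
    include INCLUDE_PATH . 'header.php';
    echo ' <p align="center"><h3>Reset Administrator Password</h3></p> <p align="center"><a href="' . ADMIN_PATH . THIS_PAGE . '">Reset More</a></p> <p align="center"><a href="' . ADMIN_PATH . 'admin_dashboard.php">Exit To Admin</a></p> ';
    include INCLUDE_PATH . 'footer.php';
}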