Esempio n. 1
/**
 * Escapes a scalar, or every leaf of a (nested) array, for use inside a
 * quoted SQL string literal; surrounding whitespace is trimmed first.
 *
 * Uses the legacy ext/mysql mysql_real_escape_string() on the implicitly
 * "last opened" link, so it returns false when no link is open (ext/mysql
 * itself was removed in PHP 7). The result is only safe inside a quoted
 * string literal: it does not protect unquoted numeric positions, identifiers,
 * or the LIKE wildcards % and _.
 *
 * @param	mixed	$data	Scalar, or array of scalars/arrays, to escape
 * @return	mixed	Escaped scalar, or an array with the same keys and escaped leaves
 */
function escapeData($data)
{
    if (!is_array($data)) {
        // Leaf value: trim, then escape for a quoted literal.
        return mysql_real_escape_string(trim($data));
    }
    // array_map over a single array keeps the original keys, so the shape
    // of nested input survives the recursion.
    return array_map(function ($leaf) {
        return escapeData($leaf);
    }, $data);
}
Esempio n. 2
            printf('{ "errorMsg":"Query: %s, Error: %s" }', $noteQ, mysqli_error($DBS['comet']));
        } else {
            echo '{ "success": "success!" }';
        }
    } elseif (isset($_POST['value']) && isset($_POST['id'])) {
        // Parse the threadID from the id. The id is in 'note-#' format.
        $threadArray = explode('-', $_POST['id']);
        $threadID = (int) $threadArray[1];
        // Check the user who wrote the note.
        $threadQ = sprintf("SELECT note, threadID, userID FROM notes WHERE threadID=%u", $threadID);
        $threadR = mysqli_query($DBS['comet'], $threadQ);
        if (!$threadR) {
            printf('Query: %s, Error: %s', $threadQ, mysqli_error($DBS['comet']));
        }
        list($oldValue, $threadID, $userID) = mysqli_fetch_row($threadR);
        // Check the level of the current user. If the user wrote the note or is of level 4 or greater, edit the note.
        if (($userID == $_SESSION['userID'] || $_SESSION['level'] >= 4) && !empty($_POST['value']) && $oldValue != $_POST['value']) {
            $updateQ = sprintf("UPDATE notes SET note = '%s', userID = %u, modified=now() WHERE threadID = %u", escapeData($DBS['comet'], $_POST['value']), $_SESSION['userID'], $threadID);
            $updateR = mysqli_query($DBS['comet'], $updateQ);
            if (!$updateR) {
                printf('Query: %s, Error: %s', $updateQ, mysqli_error($DBS['comet']));
            } else {
                echo $_POST['value'];
            }
        } else {
            echo $oldValue;
        }
    }
} else {
    header('Location: ../index.php');
}
Esempio n. 3
     } elseif ($type[0] == 'amount') {
         $_POST['value'] = is_numeric($_POST['value']) ? number_format($_POST['value'], 2) : FALSE;
     }
     if ($oldValue != $_POST['value'] && $_POST['value'] !== FALSE) {
         $updateQ = sprintf("UPDATE payments SET %s = '%s', userID=%u WHERE paymentID = %u", $type[0], escapeData($DBS['comet'], $_POST['value']), $_SESSION['userID'], $paymentID);
         $updateR = mysqli_query($DBS['comet'], $updateQ);
         if (!$updateR) {
             printf('Query: %s, Error: %s', $updateQ, mysqli_error($DBS['comet']));
         } else {
             echo $type[0] == 'date' ? date('m/d/Y', strtotime($_POST['value'])) : $_POST['value'];
         }
     } else {
         echo $type[0] == 'date' ? date('m/d/Y', strtotime($oldValue)) : $oldValue;
     }
 } elseif (isset($_POST['removeID']) && is_numeric($_POST['removeID'])) {
     $paymentQ = sprintf("DELETE FROM payments WHERE paymentID=%u LIMIT 1", escapeData($DBS['comet'], $_POST['removeID']));
     $paymentR = mysqli_query($DBS['comet'], $paymentQ);
     if (!$paymentR) {
         printf('{ "errorMsg":"Query: %s, Error: %s" }', $paymentQ, mysqli_error($DBS['comet']));
     } else {
         echo '{ "success": "success!" }';
     }
     // Non empty, numeric amount, non empty actual date.
 } elseif (!empty($date) && !empty($amount) && is_numeric($amount) && checkdate(substr($date, 0, 2), substr($date, 3, 2), substr($date, 6, 4))) {
     $year = substr($date, 6, 4);
     $month = substr($date, 0, 2);
     $day = substr($date, 3, 2);
     $date = "{$year}-{$month}-{$day}";
     $checkQ = "SELECT SUM(p.amount), MAX(date), d.nextPayment, d.joined, d.sharePrice, d.paymentPlan, pp.frequency, pp.amount \n\t\t\tFROM payments AS p \n\t\t\t\tRIGHT JOIN details AS d ON (d.cardNo = p.cardNo) \n\t\t\t\tINNER JOIN paymentPlans AS pp ON (d.paymentPlan = pp.planID)\n\t\t\tWHERE d.cardNo={$_SESSION['cardNo']}\n\t\t\tGROUP BY d.cardNo";
     $checkR = mysqli_query($DBS['comet'], $checkQ);
     list($total, $last, $next, $trash, $sPrice, $pPlan, $pFreq, $pAmount) = mysqli_fetch_row($checkR);
Esempio n. 4
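/**
 * updateDetails function: Closes the current raw_details record for a card (sets endDate
 * to today) and inserts a new record that copies the most recent row for the card,
 * replacing only the fields for which a non-null argument was given.
 * Returns true on success, false on failure.
 *
 * Every string argument is passed through escapeData() before it is interpolated into
 * the INSERT; integer arguments are cast. The two statements are not wrapped in a
 * transaction, so a failed INSERT after a successful UPDATE leaves the card with no
 * open record. The database link is read from the global $DBS['comet'].
 *
 * @param integer $cardNo cardNo of the record to be inserted
 * @param string $address Address of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
 * @param string $phone Phone number of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
 * @param string $city City of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
 * @param string $state State of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
 * @param string $zip Zip code of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
 * @param string $email Email address of the record to be inserted. Is sanitized by escapeData. If null, old value is used.
 * @param boolean $noMail No mail boolean of the record to be inserted. Is cast to an integer. If null, old value is used.
 * @param date $nextDue Next payment due date for the record to be inserted. The literal string 'NULL' stores SQL NULL. If null, old value is used.
 * @param integer $plan Payment plan of the record to be inserted. Is cast to an integer. If null, old value is used.
 * @param date $joinDate Join date for the record to be inserted. Is sanitized by escapeData. If null, old value is used.
 * @param decimal $sharePrice Share price for the record to be inserted. Is sanitized by escapeData. If null, old value is used.
 * @param integer $userID User ID of the user who added the record. Is formatted as an unsigned integer.
 * @return boolean true on success, false on failure
 */
function updateDetails($cardNo, $address, $phone, $city, $state, $zip, $email, $noMail, $nextDue, $plan, $joinDate, $sharePrice, $userID)
{
    global $DBS;
    $link = $DBS['comet'];
    $updateQ = sprintf("UPDATE raw_details SET endDate=curdate() WHERE cardNo=%u AND endDate IS NULL", $cardNo);
    if (!mysqli_query($link, $updateQ)) {
        return false;
    }
    // Builds a quoted SQL literal; used for every free-text argument so that none
    // of them reaches the statement unescaped.
    $quoted = function ($value) use ($link) {
        return "'" . escapeData($link, $value) . "'";
    };
    // Each entry is either the column name (copy the previous value) or a literal
    // built from the argument, in the column order of the SELECT below.
    $fields = array(
        is_null($address) ? 'address' : $quoted($address),
        is_null($phone) ? 'phone' : $quoted($phone),
        is_null($city) ? 'city' : $quoted($city),
        is_null($state) ? 'state' : $quoted($state),
        is_null($zip) ? 'zip' : $quoted($zip),
        is_null($email) ? 'email' : $quoted($email),
        is_null($noMail) ? 'noMail' : (int) $noMail,
        // The string 'NULL' is the caller's way of clearing the due date.
        is_null($nextDue) ? 'nextPayment' : ($nextDue === 'NULL' ? 'NULL' : $quoted($nextDue)),
        is_null($plan) ? 'paymentPlan' : (int) $plan,
        is_null($joinDate) ? 'joined' : $quoted($joinDate),
        is_null($sharePrice) ? 'sharePrice' : $quoted($sharePrice),
    );
    $insertQ = sprintf("INSERT INTO raw_details (\n\t\t\t\tSELECT cardNo, %s, curdate(), NULL, %u, NULL\n\t\t\t\tFROM raw_details\n\t\t\t\t\tWHERE cardNo = %u\n\t\t\t\tORDER BY id DESC\n\t\t\t\tLIMIT 1)", implode(', ', $fields), $userID, $cardNo);
    return (bool) mysqli_query($link, $insertQ);
}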
Esempio n. 5
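<?php

session_start();
/**
 * This page feeds the autocomplete for the search fields in the main tab.
 * @author Matthaus Litteken <*****@*****.**>
 * @version 1.0
 * @package CoMET
 */
require_once '../includes/config.php';
require_once '../includes/functions.php';
// The typed prefix is escaped for the quoted literal, then the LIKE wildcards
// are backslash-escaped so a typed '%' or '_' cannot widen the match to every
// owner. addcslashes() must run after escapeData(), which would otherwise
// double the added backslash.
$searchFor = '';
if (isset($_GET['q'])) {
    $searchFor = addcslashes(escapeData($DBS['comet'], $_GET['q']), '%_');
}
if (isset($_GET['search'])) {
    $searchBy = escapeData($DBS['comet'], $_GET['search']);
}
// Only the two known orderings produce a query; anything else leaves it NULL.
$searchQ = NULL;
if (isset($searchBy)) {
    switch ($searchBy) {
        case 'first':
            $searchQ = "SELECT CONCAT(firstName, ' ', lastName, ' [', cardNo, ']') \n\t\t\t\tFROM owners \n\t\t\t\tWHERE firstName LIKE '{$searchFor}%' \n\t\t\t\tORDER BY firstName ASC";
            break;
        case 'last':
            $searchQ = "SELECT CONCAT(lastName, ', ', firstName, ' [', cardNo, ']') \n\t\t\t\tFROM owners \n\t\t\t\tWHERE lastName LIKE '{$searchFor}%' \n\t\t\t\tORDER BY lastName ASC";
            break;
        default:
            $searchQ = NULL;
            break;
    }
}
$results = '';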
Esempio n. 6
File: sync.php Progetto: haus/CoMET
     $delList .= sprintf('%s<br />', $deleteR ? 'deleted successfully' : 'delete failure');
     $body .= sprintf("Deleted: Card #: %u, Person #%u, First: %s, Last: %s, Discount: %u, Staff: %u, Memtype: %u, Check: %u, Charge: %u, Hours: %u\n", $cardNo, $personNum, $first, $last, $discount, $staff, $memType, $check, $charge, $ssi);
     $count++;
 }
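 // Records to be updated...
 // $_SESSION['opDB'] is a schema name taken from the session, interpolated as an
 // identifier; it cannot be bound as a parameter and is trusted as-is here.
 $updateListQ = "SELECT cardNo, personNum, firstName, lastName, discount, memType, staff, writeChecks, chargeOk FROM owners\n\t\tWHERE CONCAT_WS(',', cardNo, personNum, firstName, lastName, discount, memType, staff, writeChecks, chargeOk) NOT IN \n\t\t\t(SELECT CONCAT_WS(',', cardNo, personNum, firstName, lastName, discount, memType, staff, writeChecks, chargeOk) \n\t\t\tFROM {$_SESSION['opDB']}.custdata)";
 $updateListR = mysqli_query($DBS['comet'], $updateListQ);
 if (!$updateListR) {
     // A failed SELECT has no result set to walk, so the update loop is skipped
     // instead of handing false to mysqli_num_rows()/mysqli_fetch_row().
     printf('<h3>Query: %s<br />Error %s</h3>', $updateListQ, mysqli_error($DBS['comet']));
 } else {
     if (mysqli_num_rows($updateListR) > 0) {
         $upList = '<br /><h3>Records updated:</h3>';
     }
     while (list($cardNo, $personNum, $first, $last, $discount, $memType, $staff, $check, $charge) = mysqli_fetch_row($updateListR)) {
         $upList .= sprintf("Card #: %u, Person #%u, Name: %s %s ", $cardNo, $personNum, $first, $last);
         // NOTE(review): the names are escaped with the 'comet' link but the
         // statement runs on 'is4c_op'; this is only correct if both links use
         // the same connection charset — confirm.
         $updateQ = sprintf("UPDATE custdata\n\t\t\tSET firstname='%s', lastname='%s', discount=%u, memtype=%u, staff=%u, writechecks=%u, chargeok=%u, memdiscountlimit=%u, type='%s'\n\t\t\tWHERE cardNo=%u AND personNum=%u", escapeData($DBS['comet'], $first), escapeData($DBS['comet'], $last), (int) $discount, (int) $memType, (int) $staff, (int) $check, (int) $charge, $charge == 1 ? 9999 : 0, $memType == 0 || $memType == 6 || $memType == 7 ? 'reg' : 'pc', $cardNo, $personNum);
         $updateR = mysqli_query($DBS['is4c_op'], $updateQ);
         if (!$updateR) {
             // Report the statement text, not the (false) result handle.
             printf('<h3>Query: %s<br />Error %s</h3>', $updateQ, mysqli_error($DBS['is4c_op']));
         }
         $upList .= sprintf('%s<br />', $updateR ? 'updated successfully' : 'update failure');
         $count++;
     }
 }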
 // Mail admin...
 $from = "CoMET <*****@*****.**>";
 $to = $_SESSION['userEmail'];
 $subject = "CoMET Mail - Deleted Records";
 // Force sync of fannie to lanes using cURL...
 $curlSync = curl_init($_SESSION['syncURL']);
 curl_setopt($curlSync, CURLOPT_RETURNTRANSFER, true);
 if (curl_exec($curlSync) !== false) {
Esempio n. 7
	    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
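session_start();
/**
 * This handler deals with mailer options. It updates the options table in the DB with any changes.
 * @author Matthaus Litteken <*****@*****.**>
 * @version 1.0
 * @package CoMET
 */
require_once '../includes/config.php';
require_once '../includes/functions.php';
// Whitelist of option names a client may update. The posted id must match one
// of these exactly (strict comparison) before it is escaped and used in the
// query, so the whitelist is the primary control and escaping is defence in depth.
$allowed = array('comingDueDays', 'comingDueMsg', 'comingDueSubject', 'pastDueDays', 'pastDueMsg', 'pastDueSubject', 'inactiveDays', 'inactiveMsg', 'inactiveSubject', 'reminderFrom', 'reminderEmail');
$id = NULL;
$value = NULL;
if (isset($_POST['id'], $_POST['value']) && in_array($_POST['id'], $allowed, true)) {
    $id = escapeData($DBS['comet'], $_POST['id']);
    $rawValue = $_POST['value'];
    $value = escapeData($DBS['comet'], $_POST['value']);
}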
if (!empty($id) && $value) {
    $valueQ = "SELECT value FROM options WHERE name='{$id}'";
    $valueR = mysqli_query($DBS['comet'], $valueQ);
    list($oldValue) = mysqli_fetch_row($valueR);
    $oldValue = nl2br($oldValue);
    if (empty($value) || strstr($id, 'Days') !== FALSE && !is_numeric($value)) {
        // If empty or non-numeric when supposed to be then load and display the initial value...
        echo $oldValue;
        exit;
    } else {
        $updateQ = sprintf("UPDATE options SET value='%s' WHERE name='%s'", $value, $id);
Esempio n. 8
 }
 // Either quick-search box submits a "First Last [cardNo]" string; the first
 // box that is set and non-empty wins, and its bracketed trailing token becomes
 // the value the 'search' action consumes.
 foreach (array('firstSearch', 'lastSearch') as $searchField) {
     if (empty($_POST[$searchField])) {
         continue;
     }
     $_REQUEST['navButton'] = 'search';
     $search = explode(' ', escapeData($DBS['comet'], $_POST[$searchField]));
     $count = count($search);
     $lastToken = $search[$count - 1];
     // Strip the opening bracket first, then the closing one.
     $_POST['value'] = trim(trim($lastToken, '['), ']');
     break;
 }
 // Read the submit type, adjust the $_SESSION['cardNo'] and let the main.php JS handle updating the divs
 $navButton = isset($_REQUEST['navButton']) ? escapeData($DBS['comet'], $_REQUEST['navButton']) : NULL;
 switch ($navButton) {
     case 'delete':
         deleteOwner($_SESSION['cardNo']);
         deleteDetails($_SESSION['cardNo']);
         $cardQ = "SELECT cardNo FROM owners WHERE cardNo < {$_SESSION['cardNo']} ORDER BY cardNo DESC LIMIT 1";
         $cardR = mysqli_query($DBS['comet'], $cardQ);
         if (mysqli_num_rows($cardR) == 1) {
             list($_SESSION['cardNo']) = mysqli_fetch_row($cardR);
         }
         echo ' "cardNo": "' . $_SESSION['cardNo'] . '" }';
         break;
     case 'search':
         if (is_numeric($_POST['value']) && $_POST['value'] > 0) {
             $_SESSION['cardNo'] = (int) $_POST['value'];