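/**
 * Rotates the account's userKey and stores a new password for the account
 * whose username and current userKey match the given values.
 *
 * The lookup is parameterised (username, old key); the new key comes from
 * Security::generateKey() and the stored password is Security::encode() of
 * the escaped password.
 *
 * @param string $user     account username
 * @param string $key      the account's current userKey value
 * @param string $password the new plaintext password
 * @return bool true when an account matched and both UPDATEs were issued,
 *              false when no account matched (nothing is written)
 */
public function resetPassword($user, $key, $password)
{
    $db = new Database();
    $user = Security::escape($user);
    $oldKey = Security::escape($key);
    // NOTE(review): the password is escaped *before* encoding, so the stored
    // value depends on Security::escape(); the login path must apply the same
    // transformation — confirm before changing this.
    $password = Security::escape($password);
    $newKey = Security::generateKey();
    $encodedPassword = Security::encode($password);

    $req = "SELECT * FROM accounts WHERE username = ? AND userKey = ?";
    $result = $db->execute($req, array($user, $oldKey));
    $account = $result->fetch();

    // Previously a wrong username/key pair fell through to two UPDATEs with a
    // null id, silently doing nothing; report the miss to the caller instead.
    if (!$account || !isset($account['id'])) {
        return false;
    }

    $req = "UPDATE accounts SET userKey = ? WHERE id = ?";
    $db->execute($req, array($newKey, $account['id']));

    $req = "UPDATE passwords SET password = ? WHERE account = ?";
    $db->execute($req, array($encodedPassword, $account['id']));

    return true;
}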
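/**
 * Creates a list (an array) of objects of the class, based on the value of a certain field.
 * Offsets, limits, types of search, sort orders and groupings can be specified as well.
 *
 * Only $value and $search are passed through Security::escape(). $field, $order,
 * $way, $group, $offset and $limit are interpolated into the SQL exactly as given,
 * so callers must not hand request data straight into them.
 *
 * @param string $sender the class used
 * @param string $field the field used to select the values that we want
 * @param string $value the value that the field should have
 * @param string $order the field by which we should sort the list (if specified)
 * @param string $offset an offset used to skip a number of objects (if specified)
 * @param string $limit used to limit the number of returned objects (if specified)
 * @param string $search if set, this overrides the value and is used instead. uses LIKE '%search%' in sql instead of =
 * @param string $way the sort order (asc or desc)
 * @param string $group any group by clause
 * @uses Security::escape()
 * @uses function classToTable to get the correct tablename for the class (the sender parameter)
 * @uses DB::query to get a list of matching ids
 * @uses function loadByIds to load all objects that are to be returned from the function
 * @return array an array of objects keyed by their "id" column, based on the parameters
 */
protected static function lister($sender, $field = null, $value = null, $order = null, $offset = null, $limit = null, $search = null, $way = null, $group = null)
{
    // Returns a list of objects where a given field ($field) has a given value ($value).
    global $db;

    $value = Security::escape($value);
    // $search used to be interpolated into the LIKE pattern unescaped; escape it
    // the same way as $value (only when given, so the null check below still holds).
    if ($search !== null) {
        $search = Security::escape($search);
    }
    $table = self::classToTable($sender);

    $sql = "select * from {$table} ";
    if ($field != null && $search != null) {
        $sql .= "where {$field} like '%{$search}%' ";
    } elseif ($field != "" && $value != "") {
        $sql .= "where {$field} = '{$value}' ";
    }
    if ($group) {
        $sql .= "group by " . $group . " ";
    }
    if ($order) {
        $sql .= "order by " . $order . " ";
    }
    if ($way) {
        $sql .= $way . " ";
    }
    if ($offset == null && $limit != null) {
        $sql .= "limit 0," . $limit . " ";
    } elseif ($offset) {
        // NOTE(review): an offset without a limit yields "limit N," — confirm callers always pass both.
        $sql .= "limit " . $offset . "," . $limit . " ";
    }

    $res = $db->query($sql);
    $objects = array();
    // mysql_fetch_assoc() belongs to the mysql extension removed in PHP 7.0;
    // kept because $db->query() returns its resource type here.
    while ($row = mysql_fetch_assoc($res)) {
        $objects[$row["id"]] = self::__getObj($sender, $row);
    }

    // Debug dump is only emitted when DEBUG is on and ?mobject_debug is present.
    if (defined("DEBUG") && DEBUG && isset($_GET["mobject_debug"])) {
        echo "\n<!--\n";
        echo " Running query for {$sender} objects.\n";
        echo " SQL: {$sql}\nResults:\n";
        var_dump($objects);
        echo "\n-->\n";
    }

    return $objects;
}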
<?php /** * @author Jaco Ruit */ require '../startOrongo.php'; startOrongo(); if (isset($_POST['username']) && isset($_POST['password']) && !isset($_SESSION['orongo-id']) && !isset($_SESSION['orongo-session-id'])) { $username = Security::escape($_POST['username']); $password = Security::hash($_POST['password']); if (User::usernameExists($username)) { $userID = User::getUserID($username); $goodLogin = User::isGoodPassword($userID, $password); if ($goodLogin) { if (!User::userIsActivated($userID)) { header("Location: ../orongo-login.php?msg=7"); exit; } else { $_SESSION['orongo-id'] = $userID; $_SESSION['orongo-session-id'] = Session::createSession($userID); header("Location: ../orongo-admin/"); exit; } } else { header("Location: ../orongo-login.php?msg=0"); exit; } } else { header("Location: ../orongo-login.php?msg=0"); exit; }
exit; } if ($_POST['password'] != $_POST['password_again']) { header("Location: " . orongoURL("orongo-register.php?msg=0")); exit; } if (strlen($_POST['username']) < 4 || strlen($_POST['username']) > 20) { header("Location: " . orongoURL("orongo-register.php?msg=2")); exit; } if (strlen($_POST['password']) < 6) { header("Location: " . orongoURL("orongo-register.php?msg=3")); exit; } $name = Security::escape($_POST['username']); $email = Security::escape($_POST['email']); $password = Security::hash($_POST['password']); if (User::usernameExists($name) == false) { $user = null; try { $user = User::registerUser($name, $email, $password, RANK_USER); } catch (Exception $e) { header("Location: " . orongoURL("orongo-login.php?msg=3")); exit; } $activationLink = User::generateActivationURL($user->getID()); $mail = MailFactory::generateActivationEmail($user->getName(), $activationLink); $sendEmail = mail($user->getEmail(), $mail['subject'], $mail['message'], $mail['headers']); if (!$sendEmail) { header("Location: " . orongoURL("orongo-login.php?msg=3")); exit;
define("OK", 31);

/**
 * Terminates the request with a JSON error envelope.
 *
 * @param string $paramError     human-readable message, sent as "response"
 * @param int    $paramErrorCode numeric code, sent as "response_code"
 */
function errorDie($paramError, $paramErrorCode)
{
    $payload = array(
        "response" => $paramError,
        "response_code" => $paramErrorCode,
    );
    die(json_encode($payload));
}

// Request validation: each failed check ends the request via errorDie().
$articleOk = isset($_POST['article']) && is_numeric($_POST['article']);
if (!$articleOk) {
    errorDie("No article!", NO_ARTICLE);
}
if (!isset($_POST['content'])) {
    errorDie("Comment has no content!", NO_CONTENT);
}
// Byte length, as before (strlen).
if (strlen($_POST['content']) < 3) {
    errorDie("Content is too short!", TOO_SHORT);
}

$user = getUser();
if ($user == null) {
    errorDie("You need to be logged in in order to post comments.", NOT_LOGGED_IN);
}

// Create the comment on the article for the logged-in user, then set its content.
$comment = Comment::createComment(Security::escape($_POST['article']), $user);
$comment->setContent(Security::escape($_POST['content']));

$reply = array(
    "response" => "Comment posted!",
    "response_code" => OK,
);
die(json_encode($reply));
exit; } foreach ($lastCommentArr as $comment) { if ($comment instanceof Comment == false) { continue; } if ($comment->getID() <= $_POST['last_comment_id']) { errorDie("No new comments! ", NO_NEW_COMMENTS); exit; } else { $newLCID = $comment->getID(); } } $newComments = null; try { $newComments = orongo_query("action=fetch&object=comment&max=1000000&offset=" . Security::escape($_POST['offset']) . "&order=comment.id,asc&where=article.id:" . Security::escape($_POST['article'])); } catch (Exception $e) { die("500"); } $newComments = array_reverse($newComments); $html = ""; if (getStyle()->doCommentHTML()) { try { $html = getStyle()->getCommentsHTML($newComments); } catch (Exception $e) { foreach ($newComments as $comment) { $html .= $comment->toHTML(); } } } else { foreach ($newComments as $comment) {
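<?php
require_once $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
Security::demand(USER, null, false);

// Popup page: compose a mail to member $mid; with ?re=<mail id> the quoted
// text of that mail is prefilled as a reply.
$smarty = new PopSmarty();
$mid = Security::escape($_GET['id']);
$do = Security::escape($_GET['do']);
$medlem_to_send = Medlem::loadById($mid);
$smarty->assign("medlem_to_send", $medlem_to_send);
$smarty->assign("mid", $mid);

// $action was left undefined when $do was neither 'send' nor 'sent'.
$action = null;
if ($do == 'send') {
    $smarty->assign("is_replay", false);
    if (isset($_GET['re'])) {
        $id = Security::escape($_GET['re']);
        $mail_to_read = MotiomeraMail::loadById($id);
        // The quoted mail's id is client-supplied: only its recipient or sender
        // may use it as a reply base (same rule as the read-mail page).
        // NOTE(review): getToId()/getSentFrom() taken as recipient/sender ids — confirm.
        if (!isset($USER) || !$mail_to_read
            || !($mail_to_read->getToId() == $USER->getId() || $mail_to_read->getSentFrom() == $USER->getId())) {
            throw new UserException('Ett fel har uppstått', 'Mailet du försöker läsa är inte skickat till dig.');
        }
        $smarty->assign("is_replay", true);
        // Strip both <br> spellings in one pass. The old code ran two separate
        // str_replace() calls on the original message, so only the second took effect.
        $text_message_decoded = str_replace(array("<br>", "<br />"), "", $mail_to_read->getMsg());
        $text_message = "\n\n********************\n";
        $text_message .= $text_message_decoded;
        $smarty->assign("text_message", $text_message);
        $smarty->assign("mail_to_read", $mail_to_read);
    }
    $action = "send";
} elseif ($do == 'sent') {
    $action = "sent";
}
$smarty->assign("action", $action);
$smarty->display('send_mail.tpl');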
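<?php
include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
Security::demand(USER);

// Deletes the mail whose id is posted. The id is client-supplied, so verify the
// mail was sent to or by the logged-in user before removing it — the same rule
// the read-mail page applies.
$id_to_remove = Security::escape($_POST['id_to_remove']);
$mail_to_remove = MotiomeraMail::loadById($id_to_remove);
// NOTE(review): getToId()/getSentFrom() are taken to be the recipient and sender
// ids; confirm removeMail() does not already enforce ownership itself.
if (!isset($USER) || !$mail_to_remove
    || !($mail_to_remove->getToId() == $USER->getId() || $mail_to_remove->getSentFrom() == $USER->getId())) {
    // Constructed message, Swedish like the site's other user-facing texts.
    throw new UserException('Ett fel har uppstått', 'Mailet du försöker ta bort är inte ditt.');
}
MotiomeraMail::removeMail($id_to_remove);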
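<?php
include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
Security::demand(USER);

// Folder management for the logged-in user's mailbox. The owner id is taken
// from the session user rather than the posted 'my_id', otherwise any logged-in
// user could create folders in another member's mailbox.
$my_id = $USER->getId();
$action = isset($_POST['todo']) ? Security::escape($_POST['todo']) : null;
$folder_name = isset($_POST['folder_name']) ? Security::escape($_POST['folder_name']) : '';

if ($action == 'create') {
    $motiomeraMail_Folders = new MotiomeraMail_Folders($my_id);
    // utf8_encode() (ISO-8859-1 -> UTF-8, deprecated since PHP 8.2) is kept
    // because the original relied on it for the stored name.
    $folder_created = $motiomeraMail_Folders->createFolder(utf8_encode($folder_name));
    // Plain '1'/'0' body is the contract with the calling script.
    echo $folder_created ? '1' : '0';
    exit;
}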
if (isset($_GET["id"])) { // uppdatera bilden $db->nonquery("\tUPDATE\n\t\t\t\t\t\t\t\tmm_fotoalbumbild\n\t\t\t\t\t\t\tSET\n\t\t\t\t\t\t\t\tnamn = '" . Security::escape($_POST["namn"]) . "',\n\t\t\t\t\t\t\t\tbeskrivning = '" . Security::escape($_POST["beskrivning"]) . "',\n\t\t\t\t\t\t\t\tfotoalbum_id = '" . Security::escape($_POST["fotoalbum"]) . "'\n\t\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\t\tid = '" . $_GET["id"] . "'\n\t\t\t"); if (!empty($_POST['kid']) || !empty($_GET['id'])) { $tag = new Tagg(array('objekt_table' => 'mm_fotoalbumbild', 'objekt_id' => $_GET["id"], 'objekt_namn' => $_POST['namn'], 'tag_table' => 'mm_kommun', 'tag_id' => $_POST['kid'], 'medlem_id' => $USER->getId())); } $urlHandler->redirect("Fotoalbum", URL_VIEW, $_GET["fid"]); } else { // uppdatera namn & beskrivningar på fotona foreach ($_POST["namn"] as $id => $namn) { if (isset($_POST["fotoalbum"][$id])) { $album_sql = ", fotoalbum_id = '" . Security::escape($_POST["fotoalbum"][$id]) . "'"; } else { $album_sql = ""; } $db->nonquery("\tUPDATE\n\t\t\t\t\t\t\t\t\tmm_fotoalbumbild\n\t\t\t\t\t\t\t\tSET\n\t\t\t\t\t\t\t\t\tnamn = '" . Security::escape($_POST["namn"][$id]) . "',\n\t\t\t\t\t\t\t\t\tbeskrivning = '" . Security::escape($_POST["beskrivning"][$id]) . "'\n\t\t\t\t\t\t\t\t\t{$album_sql}\n\t\t\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\t\t\tid = '" . $id . "'\n\t\t\t\t"); } if (!empty($_POST['kid'])) { $tag = new Tagg(array('objekt_table' => 'mm_fotoalbumbild', 'objekt_id' => $id, 'objekt_namn' => $_POST['namn'], 'tag_table' => 'mm_kommun', 'tag_id' => $_POST['kid'], 'medlem_id' => $USER->getId())); } $urlHandler->redirect("Fotoalbum", URL_LIST); } break; case "anslagstavlarad": if (isset($_POST["aid"])) { $anslagstavla = Anslagstavla::loadById($_POST["aid"]); $anslagstavla->addRad($_POST["atext"]); } break; case "newkeys": if (isset($_GET['foretagsid']) && isset($_GET['orderid']) && isset($_GET['numkeys']) && (int) $_GET['numkeys'] > 0 && Security::authorized(ADMIN)) {
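<?php
require_once $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
Security::demand(USER, null, false);

// Popup page: display one mail to the logged-in user.
$smarty = new PopSmarty();
$id = Security::escape($_GET['id']);
$is_inbox = isset($_GET['is_inbox']) ? Security::escape($_GET['is_inbox']) : false;
$mail_to_read = MotiomeraMail::loadById($id);

// The mail id is client-supplied: only its recipient or sender may read it.
if (!isset($USER) || !($mail_to_read->getToId() == $USER->getId() or $mail_to_read->getSentFrom() == $USER->getId())) {
    throw new UserException('Ett fel har uppstått', 'Mailet du försöker läsa är inte skickat till dig.');
}
if ($is_inbox == '1') {
    $mail_to_read->setIsRead(1);
}

$smarty->assign("id", $id);
$smarty->assign("is_inbox", $is_inbox);
$smarty->assign("mail_to_read", $mail_to_read);
$smarty->assign("my_id", $USER->getId());

global $SETTINGS;
$fromMedlem = Medlem::loadById($mail_to_read->getSentFrom());
$smarty->assign("medlem", $fromMedlem);

// Mails from reserved user names cannot be replied to. The old code read
// $SETTINGS["reserverade_anvandare"] before checking that it was set.
$replyable = 1;
if (isset($SETTINGS["reserverade_anvandare"])) {
    $reserverade_anvandare = array_map('strtolower', $SETTINGS["reserverade_anvandare"]);
    $replyable = in_array(strtolower($fromMedlem->getANamn()), $reserverade_anvandare, true) ? 0 : 1;
}
$smarty->assign("replyable", $replyable);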
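<?php
include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
Security::demand(USER);

// Moves mail_id_0 .. mail_id_(n-1) into folder $move_to, then returns to the inbox.
$folder_id = Security::escape($_GET['folder_id']);
$move_to = Security::escape($_GET['move_to']);
// Cast to int: a non-numeric count used to drive the loop's comparison.
$nrofmails = (int) Security::escape($_GET['nrofmails']);
$my_id = $USER->getId();

for ($i = 0; $i < $nrofmails; $i++) {
    $getvar = 'mail_id_' . $i;
    if (!isset($_GET[$getvar])) {
        continue; // the old loop passed an undefined index straight to loadById()
    }
    $mail_id = Security::escape($_GET[$getvar]);
    $motiomeraMail = MotiomeraMail::loadById($mail_id);
    // Ids are client-supplied: only move mails that belong to the logged-in user.
    // NOTE(review): getToId()/getSentFrom() taken as recipient/sender ids, as on
    // the read-mail page — confirm.
    if (!$motiomeraMail || ($motiomeraMail->getToId() != $my_id && $motiomeraMail->getSentFrom() != $my_id)) {
        continue;
    }
    $motiomeraMail->setToInFolder($move_to);
}

header("Location: /pages/mail.php?do=inbox&folder_id=" . $folder_id);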
/**
 * Escapes a value through the project's Security::escape() helper.
 *
 * Thin instance-level convenience wrapper; the escaping rules are whatever
 * Security::escape() implements.
 *
 * @param string $string value to escape
 * @return mixed the value as returned by Security::escape()
 */
public function escape($string)
{
    $escaped = Security::escape($string);

    return $escaped;
}
<?php
require_once $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
Security::demand(USER, null, false);

// Popup page "write new mail": lists the members who have the logged-in
// user in their contacts, so a recipient can be picked.
$smarty = new PopSmarty();

$my_id = $USER->getId();
$myself = Medlem::loadById(Security::escape($my_id));
$my_contacts = $myself->getUsersThatHasMeAsContact(0);

$smarty->assign("my_contacts", $my_contacts);
$smarty->assign("my_id", $my_id);
$smarty->display('write_new.tpl');
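<?php
include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
Security::demand(USER);

// Removes mail from one folder, or from folder_id_0 .. folder_id_(n-1) when
// 'multiple' is set. The owner id is taken from the session user, not from the
// posted 'my_id', so a user cannot act on another member's folders.
$my_id = $USER->getId();
$multiple = isset($_POST['multiple']) ? Security::escape($_POST['multiple']) : 0;

if ($multiple == 0) {
    $folder_id = Security::escape($_POST['folder_id']);
    MotiomeraMail::removeMailFromFolder($folder_id, $my_id);
} else {
    // Cast to int: a non-numeric count used to drive the loop's comparison.
    $nroffolders = (int) Security::escape($_POST['nroffolders']);
    for ($i = 0; $i < $nroffolders; $i++) {
        $postvar = 'folder_id_' . $i;
        if (!isset($_POST[$postvar])) {
            continue; // the old loop escaped an undefined index
        }
        $folder_id = Security::escape($_POST[$postvar]);
        MotiomeraMail::removeMailFromFolder($folder_id, $my_id);
    }
}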
$smarty = new MMSmarty(); $smarty->assign("pagetitle", "Mail"); $do = isset($_GET['do']) ? Security::escape($_GET['do']) : 'inbox'; $my_id = $USER->getId(); $smarty->assign("my_id", $my_id); $motiomeraMail_Folders = new MotiomeraMail_Folders($my_id); $folders = $motiomeraMail_Folders->getFolders(); $smarty->assign("folders", $folders); $folder_id = "0"; $myself = Medlem::loadById($USER->getId()); $my_contacts = $myself->getUsersThatHasMeAsContact(0); $smarty->assign("my_contacts", $my_contacts); if ($do == 'inbox') { $action = "inbox"; if (isset($_GET['folder_id'])) { $folder_id = Security::escape($_GET['folder_id']); } $box_mails = MotiomeraMail::listMailInbox($USER->getId(), $folder_id); $smarty->assign("box_mails", $box_mails); $smarty->assign("is_inbox", true); $smarty->assign("to_include", "mail_box.tpl"); } else { if ($do == 'outbox') { $action = "outbox"; $smarty->assign("is_inbox", false); $box_mails = MotiomeraMail::listMailOutbox($USER->getId()); $smarty->assign("box_mails", $box_mails); $smarty->assign("to_include", "mail_box.tpl"); } else { if ($do == 'manage_folders') { $action = "manage_folders";
/**
 * Checks whether a sound file with the given url is already stored in this
 * class's table.
 *
 * @param string $url file url to look up; escaped before being placed in the query
 * @return bool true when the count(*) for that url is anything but "0"
 */
private function ljudfilExisterar($url)
{
    global $db;

    $table = self::classToTable(get_class());
    $sql = "SELECT count(*) FROM " . $table . " WHERE url = '" . Security::escape($url) . "'";

    return $db->value($sql) != "0";
}
if (MedlemsBlockering::verifyBlocked($USER->getId(), $mid)) { echo 'blockerad_user'; die; //throw new MedlemsBlockeringException("Kan ej skicka mail till medlemmen, medlemmen har spärrat dig.", 6); } if (MedlemsBlockering::verifyBlocked($mid, $USER->getId())) { echo 'blockerad_target'; die; //throw new MedlemsBlockeringException("Kan ej skicka mail till medlemmen, du har spärrat medlemmen.", 5); } if ($send_to_Obj->getMotiomeraMailBlock() == 'true' && !$send_to_Obj->inAdressbok($USER)) { /** If user blocks mails from none friends */ echo 'targetBlockMail'; die; } if (!$send_to_Obj->synlig()) { echo 'blockedByProfile'; die; } //åtkomst - ingen, foretag, adressbok (kom ihåg adminanvändare) new MotiomeraMail($amne, $msg, $sent_from, $send_to, $date, 0, 0, $allow_links); if (isset($_POST['rmid']) && !empty($_POST['rmid'])) { $reply_to = Security::escape($_POST['rmid']); $replyToMail = MotiomeraMail::loadById($reply_to); $replyToMail->setIsAnswered(1); $replyToMail->commit(); } echo 'ok'; //header("Location: /pages/mail.php?do=sent&mid=" . $send_to); //header("Location: /popup/pages/send_mail.php?do=sent&mid=" . $send_to); }
<?php /** * @author Jaco Ruit */ require 'startOrongo.php'; startOrongo('orongo-login'); $msg = null; $msgtype = null; if (getUser() != null) { header("Location: orongo-admin"); } if (isset($_GET['msg'])) { $msgCode = Security::escape($_GET['msg']); switch ($msgCode) { case 0: $msg = l("LOGIN_MSG_WRONG_DETAILS"); $msgtype = "error"; break; case 1: $msg = l("LOGIN_MSG_LOGGED_OUT"); $msgtype = "success"; break; case 2: $msg = l("LOGIN_MSG_REG_SUCCESS"); $msgtype = "info"; break; case 3: $msg = l("LOGIN_MSG_REG_INTERNAL_ERROR"); $msgtype = "warning"; break;
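<?php
include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
Security::demand(USER);

// Removes one mail, or mail_id_0 .. mail_id_(n-1) when 'mails_to_remove' is
// posted. The remover's id is the logged-in user's, never the posted
// 'remover_id', so a user cannot delete on another member's behalf.
$remover_id = $USER->getId();
// NOTE(review): 'remover' is passed through as posted; its meaning is not
// visible here — confirm removeMail() validates it against $remover_id.
$remover = Security::escape($_POST['remover']);

if (isset($_POST['mails_to_remove'])) {
    // Cast to int: a non-numeric count used to drive the loop's comparison.
    $mails_to_remove = (int) $_POST['mails_to_remove'];
    for ($i = 0; $i < $mails_to_remove; $i++) {
        $postvar = 'mail_id_' . $i;
        if (!isset($_POST[$postvar])) {
            continue;
        }
        // Escaped like the single-mail case below; the old loop passed the raw value.
        $mail_id = Security::escape($_POST[$postvar]);
        MotiomeraMail::removeMail($mail_id, $remover_id, $remover);
    }
} else {
    $mail_id = Security::escape($_POST['mail_id']);
    MotiomeraMail::removeMail($mail_id, $remover_id, $remover);
}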
break; case "quizalternativ": $quizFraga = QuizFraga::loadById($_POST["fid"]); $rattSvar = isset($_POST["rattSvar"]) ? true : false; new QuizAlternativ($quizFraga, $_POST["text"], $rattSvar); $urlHandler->getUrl("QuizFraga", URL_ADMIN_EDIT, $quizFraga->getId()); break; case "minaquiz": if (empty($_GET["qid"])) { // Skapa ett nytt quiz $mittQuiz = new MinaQuiz($_POST, true); } else { // Ladda quiz från ID $mittQuiz = MinaQuiz::loadById($_GET["qid"]); // Uppdatera variabler $mittQuiz->setNamn(Security::escape($_POST["namn"])); $mittQuiz->commit(); // Spara till databasen // Uppdatera frågorna och lägg till nya foreach ($_POST['fraga'] as $key => $fraga) { $fraga = mysql_real_escape_string($fraga); $svar1 = mysql_real_escape_string(isset($_POST['svar_1'][$key]) ? $_POST['svar_1'][$key] : ''); $svar2 = mysql_real_escape_string(isset($_POST['svar_2'][$key]) ? $_POST['svar_2'][$key] : ''); $svar3 = mysql_real_escape_string(isset($_POST['svar_3'][$key]) ? $_POST['svar_3'][$key] : ''); $ratt_svar = mysql_real_escape_string(isset($_POST['ratt_svar'][$key]) ? $_POST['ratt_svar'][$key] : ''); if (substr_count($key, 'new_')) { // Detta är en ny fråga switch ($ratt_svar) { case 1: $mittQuiz->addQuestion($fraga, $svar1, $svar2, $svar3); break;
/**
 * Creates a fixed route ("fast rutt") named $namn through the given municipalities.
 *
 * Inserts one row in self::FASTA_RUTTER_TABLE, then one row per numeric entry
 * of $kommunIdArray in self::TABLE; non-numeric entries are skipped.
 *
 * @param string $namn          route name; must be longer than 3 bytes (strlen)
 * @param array  $kommunIdArray municipality ids; at least two are required
 * @param bool   $abroad        when truthy the route row gets abroad = 'true'
 * @return int|null the new route id, or null when mysql_insert_id() returned a falsy value
 * @throws userException when the name is too short or fewer than two municipalities were given
 */
public static function addFastRutt($namn, $kommunIdArray, $abroad)
{
    global $db;

    if (strlen($namn) <= 3 || count($kommunIdArray) <= 1) {
        throw new userException("Fel i inmatning", "Antingen var det bara 1 kommun angiven eller så var inte namnet satt");
    }

    $insertRoute = "INSERT INTO " . self::FASTA_RUTTER_TABLE . " SET namn = '" . Security::escape($namn) . "'";
    if ($abroad) {
        $insertRoute .= ", abroad = 'true'";
    }
    $db->query($insertRoute);
    // mysql_insert_id() is from the mysql extension removed in PHP 7.0; kept as the original relies on it.
    $id = mysql_insert_id();

    if (!$id) {
        return null;
    }

    foreach ($kommunIdArray as $kommunTill_id) {
        if (!is_numeric($kommunTill_id)) {
            continue;
        }
        $db->query("INSERT INTO " . self::TABLE . " SET fastRutt_id ={$id}, kommunTill_id={$kommunTill_id}");
    }

    return $id;
}