escape() public method

Format a MySQL string correctly for a safe MySQL insert, whether or not magic quotes are on. Caveat: the returned value is only safe when it is placed inside a quoted SQL string literal (`'...'`). It does not make an unquoted value safe — numeric ids, `LIMIT` values, column or table names — so cast those to `int` or check them against a whitelist instead; note that several of the examples below interpolate escaped ids into SQL without quotes.
public escape ( $str )
Esempio n. 1
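/**
 * Build the value stored in site_users.user_password for a new or changed password.
 *
 * Reads the `encrypted_passwords` site option. When it is "yes" the password is
 * hashed with phpass (PasswordHash, cost 8, portable hashes off). Otherwise the
 * password is stored recoverably: it is only trimmed and passed through
 * $db->escape() so the caller can drop it straight into an INSERT/UPDATE.
 *
 * NOTE(review): the "encryption OFF" branch keeps a plain-text password in the
 * database. It is preserved here only because callers and the login check
 * elsewhere depend on it; keep the option at "yes" wherever possible.
 *
 * Fix: the hasher class is now brought in with include_once. The original used
 * include, which fatals with "Cannot declare class PasswordHash" the second
 * time makepwd() runs in one request. The dead `$hasher = "*"` was dropped.
 *
 * @param string $password  Password as submitted by the user.
 * @return string           phpass hash, or the trimmed/escaped plain password.
 */
function makepwd($password)
{
    $db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
    $mode = $db->get_var("SELECT option_value FROM site_options where option_name = 'encrypted_passwords';");

    if ($mode === "yes") {
        //if encryption is ON
        include_once "includes/PasswordHash.php";
        $hasher = new PasswordHash(8, false);
        return $hasher->HashPassword($password);
    }

    //if encryption is OFF: plain text, escaped for the SQL statement that follows
    return trim($db->escape($password));
}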
Esempio n. 2
include "includes/header.php";
include "includes/session.php";
include "includes/checksession.php";
include "fhd_config.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
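$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);

//check nacl
// "nacl" is the per-login request token, md5(AUTH_KEY . last_login) of the
// session user. Every state-changing GET on this page must carry it, so a
// missing or wrong token has to END the request here.
//
// NOTE(review): this listing shows no exit after either error message; as
// shown, the delete handler further down would still run for an
// unauthenticated request. The exits below close that gap (harmless if the
// original already had them).
$expected_nacl = md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"));
if (isset($_GET['nacl'])) {
    $nacl = is_string($_GET['nacl']) ? $_GET['nacl'] : '';
    // strict, constant-time compare instead of != (== treats "0e…" hex digests as numbers)
    if (!hash_equals($expected_nacl, $nacl)) {
        echo "<div class=\"alert alert-danger\" style=\"max-width: 200px;\"><i class='glyphicon glyphicon-ban-circle'></i> Authentication Error</div>";
        exit;
    }
} else {
    echo "<div class=\"alert alert-danger\" style=\"width: 200px;\"><i class='glyphicon glyphicon-ban-circle'></i> Authentication Error</div>";
    exit;
}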
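// Delete one attachment of a call (?delete=1&file_id=N&call_id=M), then return
// to the call editor.
if (isset($_GET['delete'])) {
    if ($_GET['delete'] == 1) {
        // Both ids are interpolated UNQUOTED into the SQL below. escape() only
        // protects quoted string literals, so an escaped-but-unquoted value such
        // as "1 OR 1=1" was still injectable. Cast to int instead.
        $file_id = (int) $_GET['file_id'];
        $call_id = (int) $_GET['call_id'];
        // NOTE(review): nothing here checks that the caller may edit call
        // {$call_id}; presumably the nacl/session check above and the rules of
        // fhd_call_edit.php are meant to cover it — confirm.
        $file_ext = $db->get_var("SELECT file_ext FROM site_upload WHERE (id = {$file_id}) AND (call_id = {$call_id}) LIMIT 1;");
        // The on-disk name is derived from the id, not from user input. file_ext
        // comes from the database (written at upload time from the client's file
        // name), so refuse anything that could leave the upload/ directory.
        if (is_string($file_ext) && $file_ext !== '' && strpbrk($file_ext, "/\\") === false) {
            $realpath = md5(UPLOAD_KEY . $file_id) . "." . $file_ext;
            unlink("upload/" . $realpath);
        }
        $db->query("DELETE FROM site_upload where (id = {$file_id}) AND (call_id = {$call_id}) LIMIT 1;");
        header("Location: fhd_call_edit.php?call_id={$call_id}");
        exit; // nothing below should render after the redirect
    }
}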
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/functions.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$actionstatus = "";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
if (isset($_POST['nacl'])) {
    if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
        //authentication verified, continue.";
        $call_status = 0;
        $call_date = strtotime(date('n/j/y g:i a'));
        $call_first_name = $db->escape($_POST['call_first_name']);
        $call_email = $db->escape($_POST['call_email']);
        $call_phone = $db->escape($_POST['call_phone']);
        $call_department = $db->escape((int) $_POST['call_department']);
        $call_request = $db->escape((int) $_POST['call_request']);
        $call_device = $db->escape((int) $_POST['call_device']);
        $call_details = $db->escape($_POST['call_details']);
        $db->query("INSERT INTO site_calls(call_status,call_user,call_date,call_first_name,call_email,call_phone,call_department,call_request,call_device,call_details)VALUES({$call_status},{$user_id},{$call_date},'{$call_first_name}','{$call_email}','{$call_phone}',{$call_department},{$call_request},{$call_device},'{$call_details}');");
        $insert_id = $db->insert_id;
        //********** manage file upload
        if (isset($insert_id)) {
            if (FHD_UPLOAD_ALLOW == "yes") {
                $file_name = $_FILES['hasupload']['name'];
                if ($file_name != '') {
                    $files_var1 = $_FILES["hasupload"]["name"];
                    $files_var2 = explode(".", $files_var1);
Esempio n. 4
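//limit login tries.
// Per-session attempt counter: once it passes LOGIN_TRIES the page prints
// "Access Locked" and stops; a session without a counter starts at 0.
//
// NOTE(review): the counter lives in $_SESSION, so a client that discards its
// session cookie starts again from 0 — this slows one browser down, it is not
// a per-account or per-IP lockout. The listing also shows no exit after the
// footer; without it the login logic below would still run for a locked
// session, so one is added here.
if (isset($_SESSION['hit'])) {
    $_SESSION['hit'] += 1;
    if ($_SESSION['hit'] > LOGIN_TRIES) {
        echo "<p><i class='fa fa-lock fa-2x pull-left'></i> Access Locked</p>";
        include "includes/footer.php";
        exit;
    }
} else {
    $_SESSION['hit'] = 0;
}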
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
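// Username / e-mail is mandatory. isset() alone accepts an empty string (the
// field is always posted with the form), so a blank value is rejected as well.
// The escaped value is what the lookup queries below interpolate.
$user_login_raw = isset($_POST['user_login']) && is_string($_POST['user_login']) ? trim($_POST['user_login']) : '';
if ($user_login_raw !== '') {
    $user_login = $db->escape($user_login_raw);
} else {
    echo "<div class='alert alert-warning' style='width: 375px;'><i class='glyphicon glyphicon-info-sign'></i> Username / Email is Required.</div>";
    include "includes/footer.php";
    exit; // the listing showed no exit here; without it the login check still runs
}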
// Verify the submitted password for the account identified by $user_login.
// NOTE(review): the password is trimmed and passed through $db->escape() BEFORE
// checkpwd(), so a password containing ' " \ or edge whitespace is checked in
// its escaped form. That only works because the registration path (makepwd
// callers) escapes the same way — confirm checkpwd() expects this, and prefer
// comparing the raw password inside checkpwd() instead.
if (isset($_POST['user_password'])) {
    $user_password = trim($db->escape($_POST['user_password']));
    $is_valid = checkpwd($user_password, $user_login);
//uesrs can login with either login name or email address.
$pos = strrpos($user_login, "@");
if ($pos === false) {
    // note: three equal signs
    $checkusing = "user_login";
} else {
Esempio n. 5
include "ncl/session.php";
include "ncl/checksession.php";
include "ncl/checksessionadmin.php";
include "ncl/head.php";
include "ncl/functions.php";
include "ncl/ez_sql_core.php";
include "ncl/ez_sql_mysqli.php";
$actionstatus = "";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
if (isset($_POST['nacl'])) {
    if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
        //authentication verified, continue.
        $user_login = $db->escape($_POST['user_login']);
        $user_email = $db->escape($_POST['user_email']);
        //check email exists
        $num = $db->get_var("select count(user_email) from site_users where (user_email = '{$user_email}');");
        if ($num > 0) {
            echo "<div class='alert alert-danger'><strong>Error:</strong> that email address is already in use.</div>";
            include "ncl/footer.php";
        //password function here
        if (strlen($_POST['user_password']) > 4) {
            $user_password = makepwd(trim($db->escape($_POST['user_password'])));
        } else {
            echo "<div class='alert alert-danger'><strong>Error:</strong> password to short.</div>";
            include "ncl/footer.php";
Esempio n. 6
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
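// <UPDATE> — edit the body of an existing note, then return to the call editor.
if (isset($_POST['update'])) {
    // The session owns the identity; read it before it is used in any query.
    $user_id = $_SESSION['user_id'];
    // Request token: md5(AUTH_KEY . the user's stored password hash). Compared
    // with hash_equals (strict, constant-time) instead of ==, which compares
    // numeric-looking strings such as "0e…" as numbers.
    $expected_nacl = md5(AUTH_KEY . $db->get_var("select user_password from site_users where user_id = {$user_id};"));
    $nacl = isset($_POST['nacl']) && is_string($_POST['nacl']) ? $_POST['nacl'] : '';
    if (hash_equals($expected_nacl, $nacl)) {
        $note_id = checkid($_POST['note_id']); // unquoted in SQL: assumes checkid() yields an integer — TODO confirm
        $call_id = checkid($_POST['call_id']);
        // Ownership check bound to THIS note. The original asked
        // `where note_post_user = {$user_id}` with no note_id, which is true for
        // any note the user ever wrote and so let a user edit every note by id.
        $owner = $db->get_var("select note_post_user from site_notes where note_id = {$note_id} and note_post_user = {$user_id};");
        if ($owner !== null && (int) $owner === (int) $user_id) {
            // escape() LAST: the original escaped first and then ran
            // htmlentities() over the result, which mangled the backslashes
            // escape() had just added.
            $note_body = $db->escape(htmlentities(trim($_POST['note_body'])));
            $note_post_ip = $db->escape($_SERVER['REMOTE_ADDR']);
            // owner condition repeated in the UPDATE so the check cannot be raced
            $db->query("UPDATE site_notes SET note_body='{$note_body}',note_post_ip='{$note_post_ip}' WHERE note_id={$note_id} AND note_post_user={$user_id};");
            header("Location: fhd_call_edit.php?call_id={$call_id}");
            exit;
        }
    } else {
        //not verified, warning and exit!
        echo "<p>Warning: Verification Error!</p>";
        exit; // the comment above promises an exit; the listing did not show one
    }
}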
// </UPDATE>
// <ADD>
if (isset($_POST['add'])) {
    if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select user_password from site_users where user_id = {$user_id};"))) {
Esempio n. 7
include "includes/header.php";
include "includes/all-nav.php";
include "includes/functions.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$searchquery = "";
$colspan = 2;
$num = "";
// Level-1 (ordinary) users may only see their own calls: every search query
// built further down gets this extra predicate, and the result table loses a
// column. $user_level and $user_id are expected from the session/nav includes.
// NOTE(review): $user_id is interpolated unquoted, which is only safe if the
// session code guarantees it is an integer — confirm.
if ($user_level == 1) {
    $searchquery = " AND call_user = {$user_id}";
    $colspan = 1;
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
if (isset($_GET['search'])) {
    $call_status = $db->escape((int) $_GET['call_status']);
    $call_date1 = strtotime($_GET['call_date1']);
    $call_date2 = strtotime($_GET['call_date2']);
    if ($call_date2 == "") {
        $call_date2 = $call_date1;
    $call_first_name = $db->escape($_GET['call_first_name']);
    $call_email = $db->escape($_GET['call_email']);
    $call_phone = $db->escape($_GET['call_phone']);
    $call_department = $db->escape((int) $_GET['call_department']);
    $call_request = $db->escape((int) $_GET['call_request']);
    $call_device = $db->escape((int) $_GET['call_device']);
    $call_staff = $db->escape((int) $_GET['call_staff']);
    $call_details = $db->escape($_GET['call_details']);
    $call_solution = $db->escape($_GET['call_solution']);
    if ($_GET['call_status'] != '') {
Esempio n. 8
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
$queryadd = "";
$colspan = 2;
// Level-1 users are meant to be restricted to their own open calls through
// $queryadd (and see one column less).
// NOTE(review): $user_id is interpolated unquoted — safe only if the session
// code guarantees an integer.
if ($user_level == 1) {
    $queryadd = " AND call_user = {$user_id}";
    $colspan = 1;
// NOTE(review): the next line is redacted/mangled in this listing ("******"),
// so whether $_GET['user_id'] is cast or escaped before it reaches SQL cannot
// be checked here — verify in the real source.
if (isset($_GET['user_id'])) {
    $queryadd = " AND call_user = "******"SELECT call_id,call_date,call_first_name,call_last_name,call_request,call_department,call_device from site_calls WHERE (call_status = 0) $queryadd order by call_id desc;";
// NOTE(review): this second assignment overwrites the query that carried
// $queryadd. As shown, the per-user restriction is therefore never applied and
// a level-1 user lists every open call. If this is not a listing artefact,
// delete this line.
$myquery = "SELECT call_id,call_date,call_first_name,call_last_name,call_request,call_department,call_device from site_calls WHERE (call_status = 0) order by call_id desc;";
$site_calls = $db->get_results($myquery);
$num = $db->num_rows;
echo "<h4><i class='fa fa-tags'></i> &nbsp; Laporan Masalah <small>[ {$num} ]</small></h4>";
if ($num > 0) {
<table class="<?php 
    echo $table_style_1;
" style='width: auto;'>
Esempio n. 9
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/functions.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
$actionstatus = "";
if (isset($_POST['update'])) {
    if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
        //authentication verified, continue.
        $url_user_id = valid_user($_POST['url_user_id']);
        $user_date = date(time());
        $user_login = $db->escape($_POST['user_login']);
        //password function here
        $user_password_set = "";
        if (strlen($_POST['user_password']) > 4) {
            $user_password = makepwd(trim($db->escape($_POST['user_password'])));
            $user_password_set = "user_password='******',";
        $user_name = $db->escape($_POST['user_name']);
        $user_email = $db->escape($_POST['user_email']);
        $user_phone = $db->escape($_POST['user_phone']);
        $user_address = $db->escape($_POST['user_address']);
        $user_city = $db->escape($_POST['user_city']);
        $user_state = $db->escape($_POST['user_state']);
        $user_zip = $db->escape($_POST['user_zip']);
        $user_country = $db->escape($_POST['user_country']);
        $user_level = $db->escape($_POST['user_level']);
include "fhd_config.php";
include "includes/header.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
//initilize db
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
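// Hard stop when self-registration is disabled: the captcha check, e-mail
// validation and the INSERT below must not run.
// NOTE(review): the listing shows no exit after the footer; without one the
// registration continued despite the "closed" message, so one is added here.
if (ALLOW_REGISTER !== "yes") {
    echo "<p>Registration is Closed</p>";
    include "includes/footer.php";
    exit;
}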
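if (CAPTCHA_REGISTER == "yes") {
    // Compare the submitted code with the one stored when the image was made,
    // strictly and in constant time. The original used != on two strings: PHP
    // compares numeric-looking strings as numbers, so a digit-only code such as
    // "0123" accepted "123" (and "0e…" forms collide). A missing session code
    // must fail rather than match an empty post. escape() was dropped — the
    // value is only compared here, never put into SQL.
    $captchasession = isset($_SESSION['captcha']['code']) ? (string) $_SESSION['captcha']['code'] : '';
    $captcha = isset($_POST['captcha']) && is_string($_POST['captcha']) ? trim($_POST['captcha']) : '';
    if ($captchasession === '' || !hash_equals($captchasession, $captcha)) {
        echo "<div class=\"alert alert-danger\" style=\"max-width: 350px;\">Invalid Captcha Code.</div>";
        include "includes/footer.php";
        exit; // the listing showed no exit; without it registration continued
    }
    // one code per form: clear it so the same answer cannot be replayed
    unset($_SESSION['captcha']['code']);
}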
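//IP and DATE field
//EMAIL address
// Validate what the user actually typed, then escape the accepted value for the
// INSERT. (The original escaped first and validated the escaped string; a
// missing field also raised an undefined-index notice.)
$email_raw = isset($_POST['email']) && is_string($_POST['email']) ? trim($_POST['email']) : '';
if (!filter_var($email_raw, FILTER_VALIDATE_EMAIL)) {
    echo "<div class=\"alert alert-danger\" style=\"max-width: 350px;\">That email address appears to be invalid.</div>";
    include "includes/footer.php";
    exit; // the listing showed no exit; without it the invalid address was still inserted
}
$email = $db->escape($email_raw);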
Esempio n. 11
<html lang="en">
<meta charset="utf-8">
	<title>Forgot Password</title>
include "fhd_config.php";
include "includes/header.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
// Host + request path of this page; presumably used later to build the reset
// link that is e-mailed to the user (that part is not in this listing).
// NOTE(review): HTTP_HOST is taken from the client's Host header. Unless the
// web server only answers for a fixed ServerName, an attacker can trigger a
// reset with a Host of their choosing and the victim receives a link pointing
// at that host (reset-link poisoning). Prefer a configured site URL constant.
$thedomain = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
//initilize db
$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
//if STEP 2 of the process
if (isset($_GET['action'])) {
    $action = $db->escape($_GET['action']);
    $key = $db->escape($_GET['key']);
    //check if action is to reset password and that the key is not blank.
    if ($action == "rp") {
        if (!empty($key)) {
            $myquery = "SELECT user_id,user_email FROM site_users WHERE user_im_other = '{$key}' limit 1;";
            $resets = $db->get_row($myquery);
            // if a record is returned then continue
            if ($db->num_rows == 1) {
                $user_email = $resets->user_email;
                $user_id = $resets->user_id;
                //generage a new password, set resetcode to blank so link cannot be used again.
                $user_password_plain = generatePassword(8, 9);
                $user_password = makepwd(trim($db->escape($user_password_plain)));
                //update the password in the database.
                $db->query("UPDATE site_users set user_password = '******',user_im_other = '' WHERE user_id = {$user_id} limit 1;");
Esempio n. 12
                $call_id = checkid($_GET['call_id']);
                $db->query("UPDATE site_calls SET call_status = 3 WHERE call_id = {$call_id} limit 1;");
                $db->query("UPDATE site_notes SET note_type = 0 WHERE note_relation = {$call_id};");
                header("Location: fhd_calls.php");
if (isset($_POST['nacl'])) {
    if ($_POST['nacl'] == md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"))) {
        //authentication verified, continue.
        $call_id = checkid($_POST['call_id']);
        //call details
        $call_first_name = $db->escape($_POST['call_first_name']);
        $call_email = $db->escape($_POST['call_email']);
        $call_phone = $db->escape($_POST['call_phone']);
        $call_department = $db->escape($_POST['call_department']);
        $call_request = $db->escape($_POST['call_request']);
        $call_device = $db->escape($_POST['call_device']);
        $call_details = $db->escape($_POST['call_details']);
        $call_solution = $db->escape($_POST['call_solution']);
        $call_staff = $db->escape($_POST['call_staff']);
        //call status
        $call_status = $db->escape($_POST['call_status']);
        $call_status_now = $db->escape($_POST['call_status_now']);
        if (isset($_POST['call_date2'])) {
            $call_date2 = strtotime($_POST['call_date2']);
        // if no status change
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
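$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);

// Delete a settings type (?action=delete&type_id=N&type=T&nacl=TOKEN).
// nacl is the per-login request token md5(AUTH_KEY . last_login) of the
// session user; it is what keeps a forged link from deleting a type.
// NOTE(review): no session/admin check is visible in this listing; presumably
// header.php / all-nav.php enforce one — confirm, this is a destructive action
// on shared configuration.
if (isset($_GET['nacl'])) {
    $expected_nacl = md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"));
    $nacl = is_string($_GET['nacl']) ? $_GET['nacl'] : '';
    // strict, constant-time compare instead of == (numeric-string juggling on hex digests)
    if (hash_equals($expected_nacl, $nacl)) {
        //authentication verified, continue.
        $type_id = checkid($_GET['type_id']); // unquoted in SQL: assumes checkid() yields an integer — TODO confirm
        $type = checkid($_GET['type']);
        // $action is only compared, never put into SQL, so escape() is not needed
        $action = isset($_GET['action']) ? $_GET['action'] : '';
        if ($action === 'delete') {
            $db->query("DELETE FROM site_types where type_id = {$type_id};");
            header("Location: fhd_settings_action.php?type={$type}");
            exit; // nothing below should render after the redirect
        }
    }
}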
//check type variable
$type = checkid($_GET['type']);
<p><a href="fhd_settings.php">Settings</a></p>

Esempio n. 14
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
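$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
// <ADD>
// Insert a new row into site_types. The POST must carry nacl, the per-user
// token md5(AUTH_KEY . stored password hash) that the form below is rendered
// with; it is compared strictly and in constant time (== would treat "0e…"
// hex digests as numbers).
if (isset($_POST['nacl'])) {
    $expected_nacl = md5(AUTH_KEY . $db->get_var("select user_password from site_users where user_id = {$user_id};"));
    $nacl = is_string($_POST['nacl']) ? $_POST['nacl'] : '';
    if (hash_equals($expected_nacl, $nacl)) {
        //authentication verified, continue.
        $type = checkid($_POST['type']); // unquoted in SQL: assumes checkid() yields an integer — TODO confirm
        $type_name = $db->escape($_POST['type_name']);
        $type_email = $db->escape($_POST['type_email']);
        $type_location = $db->escape($_POST['type_location']);
        $type_phone = $db->escape($_POST['type_phone']);
        $db->query("INSERT INTO site_types(type,type_name,type_email,type_location,type_phone) VALUES( {$type},'{$type_name}','{$type_email}','{$type_location}','{$type_phone}');");
        header("Location: fhd_settings_action.php?type={$type}");
        exit; // nothing below should render after the redirect
    } else {
        //not verified, warning and exit!
        echo "<p class='save'>Warning: Verification Error!</p>";
        exit; // the comment above promises an exit; the listing did not show one
    }
}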
// </ADD>
//check type variable
$type = checkid($_GET['type']);
// Token embedded in the add form so the POST handler above can verify the
// request came from a page this user loaded: md5(AUTH_KEY . this user's
// password hash). It stays constant until the password changes, and it is
// only as strong as the secrecy of AUTH_KEY.
$nacl = md5(AUTH_KEY . $db->get_var("select user_password from site_users where user_id = {$user_id};"));
Esempio n. 15

include "fhd_config.php";
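// AJAX username-availability check (?q=NAME). Only answers while self
// registration is open; otherwise nothing is printed.
// NOTE(review): by design this tells an unauthenticated caller which logins
// exist (user enumeration); rate-limit it if that matters for this site.
if (ALLOW_REGISTER == "yes") {
    include "includes/ez_sql_core.php";
    include "includes/ez_sql_mysqli.php";
    // One connection and ONE escape. The original opened a second connection
    // and escaped $q twice, so a name containing ' or \ was looked up in
    // double-escaped form and could never match an existing login.
    $db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
    $q_raw = isset($_GET["q"]) && is_string($_GET["q"]) ? $_GET["q"] : '';
    $q = $db->escape($q_raw);
    // the quoted literal in this query was redacted in the listing; the escaped $q is its only sensible operand
    $num = $db->get_var("select count(user_login) from site_users where user_login = '{$q}';");
    if ((int) $num === 0) {
        echo "<i class='glyphicon glyphicon-ok'></i> <small><em>available</em></small>";
    } else {
        echo "<i class='glyphicon glyphicon-ban-circle'></i> <small><em>name not available</em></small>";
    }
}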
Esempio n. 16
include "fhd_config.php";
include "includes/header.php";
include "includes/all-nav.php";
include "includes/ez_sql_core.php";
include "includes/ez_sql_mysqli.php";
include "includes/functions.php";
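$db = new ezSQL_mysqli(db_user, db_password, db_name, db_host);
$actionstatus = "";
//to do: need to check for duplicates...
// <UPDATE> — rename a settings type. Guarded by the nacl request token
// (md5(AUTH_KEY . last_login) of the session user), compared strictly and in
// constant time; == on hex digests would treat "0e…" strings as numbers.
if (isset($_POST['nacl'])) {
    $expected_nacl = md5(AUTH_KEY . $db->get_var("select last_login from site_users where user_id = {$user_id};"));
    $nacl = is_string($_POST['nacl']) ? $_POST['nacl'] : '';
    if (hash_equals($expected_nacl, $nacl)) {
        //authentication verified, continue.
        $type_id = checkid($_POST['type_id']); // unquoted in SQL: assumes checkid() yields an integer — TODO confirm
        $type_name = $db->escape($_POST['type_name']);
        // only the name is editable here (the commented-out email/location/phone update was removed)
        $db->query("UPDATE site_types SET type_name='{$type_name}' WHERE type_id = {$type_id};");
        $actionstatus = "<div class=\"alert alert-success\" style=\"max-width: 250px;\">\n    <button type=\"button\" class=\"close\" data-dismiss=\"alert\">&times;</button>\n    Updated.\n    </div>";
    }
}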
// </UPDATE>
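//check type variable
// ?id=N must name an existing type; otherwise render the error and stop.
// NOTE(review): the listing shows no exit after the footer; without one the
// rest of the page rendered for a nonexistent id, so one is added here.
$type_id = checkid($_GET['id']); // unquoted in SQL: assumes checkid() yields an integer — TODO confirm
$num = $db->get_var("select count(type_id) from site_types where type_id = {$type_id};");
if ((int) $num === 0) {
    echo "<p>Type does not exist (error 2)</p>";
    include "includes/footer.php";
    exit;
}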