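} //Deal with items
//hRemovedItemIDs is embedded unquoted inside IN (...), so ba_db_real_escape_string() - which only
//neutralises quote characters inside a string literal - cannot make it safe there. Reduce it to a
//list of positive integers instead.
//assumes hRemovedItemIDs is a comma-separated list of itItemID values - TODO confirm against the form
$sRemovedItemIDs = isset($_POST['hRemovedItemIDs']) ? (string) $_POST['hRemovedItemIDs'] : '';
$aRemovedItemIDs = array();
foreach (explode(',', $sRemovedItemIDs) as $sRemovedItemID) {
    $iRemovedItemID = (int) trim($sRemovedItemID);
    if ($iRemovedItemID > 0) {
        $aRemovedItemIDs[] = $iRemovedItemID;
    }
}
//Only issue the DELETE when there is something to delete: an empty IN () is a SQL syntax error
if (count($aRemovedItemIDs) > 0) {
    $deletesql = "delete from {$db_prefix}items where itEventID = " . (int) $eventid . " and itItemID in(" . implode(',', $aRemovedItemIDs) . ")";
    ba_db_query($link, $deletesql);
}
//One hItemID<n> field per item row; the matching chk*/txt*/cbo* fields are looked up by the same suffix
foreach ($_POST as $key => $value) {
    if (substr($key, 0, 7) == "hItemID") {
        $iItemID = (int) $value;
        //setBoolValue() is assumed to return a 0/1 literal that is safe to embed unquoted - TODO confirm
        $ticket = setBoolValue($_POST["chkTicket{$value}"]);
        $meal = setBoolValue($_POST["chkMeal{$value}"]);
        $bunk = setBoolValue($_POST["chkBunk{$value}"]);
        $allowmultiple = setBoolValue($_POST["chkAllowMultiple{$value}"]);
        $mandatory = setBoolValue($_POST["chkMandatory{$value}"]);
        //Text columns are escaped here and quoted in the UPDATE below
        $itemdescription = ba_db_real_escape_string($link, $_POST["txtItemDescription{$value}"]);
        $availability = ba_db_real_escape_string($link, $_POST["cboAvailability{$value}"]);
        $availablefrom = ba_db_real_escape_string($link, $_POST["txtAvailableFrom{$value}"]);
        $availableto = ba_db_real_escape_string($link, $_POST["txtAvailableTo{$value}"]);
        //sanitiseAmount() is assumed to return a numeric literal (itItemCost is embedded unquoted) - TODO confirm
        $itemcost = sanitiseAmount($_POST["txtItemCost{$value}"], True);
        if ($iItemID > 0) {
            //Existing item: update in place, keyed by the integer-cast ID
            $updatequery = "UPDATE {$db_prefix}items set ";
            $updatequery .= "itTicket = {$ticket}, ";
            $updatequery .= "itMeal = {$meal}, ";
            $updatequery .= "itBunk = {$bunk}, ";
            $updatequery .= "itAllowMultiple = {$allowmultiple}, ";
            $updatequery .= "itMandatory = {$mandatory}, ";
            $updatequery .= "itDescription = '{$itemdescription}', ";
            $updatequery .= "itAvailability = '{$availability}', ";
            $updatequery .= "itAvailableFrom = '{$availablefrom}', ";
            $updatequery .= "itAvailableTo = '{$availableto}', ";
            $updatequery .= "itItemCost = {$itemcost} ";
            $updatequery .= "WHERE itItemID = {$iItemID}";
            ba_db_query($link, $updatequery);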
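//Look the player up by e-mail and password hash (the plPassword comparison value is redacted on this page).
//assumes $sEmail has already been SQL-escaped where it was set, outside this fragment - TODO confirm
$sql = "SELECT plPlayerID FROM {$db_prefix}players " . "WHERE plEmail = '{$sEmail}' AND " . "plPassword = '******'";
$result = ba_db_query($link, $sql);
$row = ba_db_fetch_assoc($result);
//NOTE(review): if no player matched, $row is not an array and $iPlayerID becomes 0, so every row
//inserted below would be attached to player 0 - confirm the caller rejects that case first
$iPlayerID = (int) $row['plPlayerID'];
// Check if IC details were exported
//assumes $csv holds the lines of an uploaded export file, i.e. untrusted input - TODO confirm
if ($ic == 1) {
    // Character details: one CSV line holding name, preferred name, race, gender, faction, NPC, notes, special
    $sCharacterCSV = explode(",", trim($csv[1]));
    $sName = ba_db_real_escape_string($link, $sCharacterCSV[0]);
    $sPreferredname = ba_db_real_escape_string($link, $sCharacterCSV[1]);
    $sRace = ba_db_real_escape_string($link, $sCharacterCSV[2]);
    $sGender = ba_db_real_escape_string($link, $sCharacterCSV[3]);
    $sFaction = ba_db_real_escape_string($link, $sCharacterCSV[4]);
    $sNpc = ba_db_real_escape_string($link, $sCharacterCSV[5]);
    $sNotes = ba_db_real_escape_string($link, $sCharacterCSV[6]);
    $sSpecial = ba_db_real_escape_string($link, $sCharacterCSV[7]);
    //Build up character SQL
    $sql = "INSERT INTO {$db_prefix}characters (" .
        "chPlayerID, " .
        "chName, " .
        "chPreferredName, " .
        "chRace, " .
        "chGender, " .
        "chFaction, " .
        "chNPC, " .
        "chNotes, " .
        "chOSP) " .
        "VALUES (" .
        "{$iPlayerID}, " .
        "'{$sName}', " .
        "'{$sPreferredname}', " .
        "'{$sRace}', " .
        "'{$sGender}', " .
        "'{$sFaction}', " .
        "'{$sNpc}', " .
        "'{$sNotes}', " .
        "'{$sSpecial}')";
    // Insert character details
    ba_db_query($link, $sql);
    // Guilds: each name comes from the uploaded file, so it is escaped like every other CSV field
    $sGuildCSV = explode(",", trim($csv[2]));
    foreach ($sGuildCSV as $guild) {
        //explode() on an empty list yields a single '' entry; do not store it
        if ($guild === '') {
            continue;
        }
        $sql = "INSERT INTO {$db_prefix}guildmembers (gmPlayerID, gmName) " . "VALUES ({$iPlayerID}, '" . ba_db_real_escape_string($link, $guild) . "')";
        ba_db_query($link, $sql);
    }
    // Skills: stSkillID is embedded unquoted, so only an integer may reach the query
    $sSkillsCSV = explode(",", trim($csv[3]));
    foreach ($sSkillsCSV as $skill) {
        if (trim($skill) === '') {
            continue;
        }
        $iSkillID = (int) $skill;
        $sql = "INSERT INTO {$db_prefix}skillstaken (stPlayerID, stSkillID) " . "VALUES ({$iPlayerID}, {$iSkillID})";
        ba_db_query($link, $sql);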
| FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
| details.
|
| You should have received a copy of the GNU General Public License along with
| Bitsand. If not, see <http://www.gnu.org/licenses/>.
+---------------------------------------------------------------------------*/
//export.php: authenticates with the POSTed e-mail/password and streams the player's details as CSV.
//Do not need login check for this page
$bLoginCheck = False;
include 'inc/inc_head_db.php';
$db_prefix = DB_PREFIX;
// Get POST into variables
$email = $_POST['email'];
//NOTE(review): sha1 with a single site-wide salt is a weak password hash (no per-user salt, cheap to
//brute-force offline); moving to password_hash() would have to cover every sha1 comparison in the app
$password = sha1($_POST['password'] . PW_SALT);
$ic = (int) $_POST['ic'];
//Set up & run query
//NOTE(review): LIKE treats '%' and '_' in the (escaped) e-mail as wildcards, so the submitted address
//acts as a pattern rather than an exact key; plain = (or escaping the wildcards) is the intended check
$sql = "SELECT plPlayerID FROM {$db_prefix}players " . "WHERE plEmail LIKE '" . ba_db_real_escape_string($link, $email) . "' AND plPassword = '******'";
$result = ba_db_query($link, $sql);
if (ba_db_num_rows($result) > 1) {
    //Log warning if there was more than one row returned
    //NOTE(review): {$sql} carries the plPassword comparison value (redacted on this page) into the warning log
    LogWarning("export.php - more than one result from e-mail and password\n{$sql}");
}
if (ba_db_num_rows($result) > 0) {
    //Successfully logged in
    $row = ba_db_fetch_assoc($result);
    $id = $row['plPlayerID'];
} else {
    die("ERROR: Wrong e-mail or password");
}
// Export as a CSV file
header("Content-Type: text/csv");
// Get OOC details
}
}
}
}
}
}
//OSPs list: Delete existing rows from ospstaken, then run INSERT queries
//NOTE(review): the DELETE and the INSERTs are not wrapped in a transaction, so a failure part-way leaves
//the player with a partial OSP list; $PLAYER_ID is embed unquoted and is assumed to be an int - TODO confirm
$sql = "DELETE FROM {$db_prefix}ospstaken WHERE otPlayerID = {$PLAYER_ID}";
if (!ba_db_query($link, $sql)) {
    $sWarn = "There was a problem updating your IC details";
    LogError("Error deleting existing OSPs from ospstaken table during update of IC information. Player ID: {$PLAYER_ID}");
} else {
    //$os records the OSP IDs already inserted so a duplicated hospID<n> field is stored only once
    $os = array();
    foreach ($_POST as $key => $value) {
        if (substr($key, 0, 6) == "hospID") {
            //Both the OSP ID and its free text come from the request; both are escaped and quoted in the INSERT
            $sql = "INSERT INTO {$db_prefix}ospstaken (otPlayerID, otOspID, otAdditionalText) VALUES ({$PLAYER_ID}, '" . ba_db_real_escape_string($link, $value) . "', '" . ba_db_real_escape_string($link, $_POST["ospAdditionalText{$value}"]) . "')";
            //NOTE(review): $sql != '' is always true here; in_array() without a third argument compares loosely
            //(numeric strings such as "1" and "01" match), pass true for a strict check
            if ($sql != '' && !in_array($value, $os)) {
                $os[] = $value;
                //Run the INSERT query
                if (!ba_db_query($link, $sql)) {
                    //NOTE(review): plain assignment, so an earlier warning text is overwritten rather than appended
                    $sWarn = "There was a problem updating the IC details";
                    LogError("Error inserting osps taken (ic_form.php). Player ID: {$PLAYER_ID}");
                }
            }
        }
    }
}
$sNonCriticalWarn = IC_Check_NonCritical();
$sWarn .= $sNameWarn . $sSkillWarn . $sNonCriticalWarn;
if ($sWarn != '') {
    $sWarn = "The following problems were found:<br>\n" . $sWarn;
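} else {
    //NOTE(review): $sMedInfo is escaped here and escaped again when embedded in the UPDATE below, which
    //stores literal backslashes for any quote; confirm which of the two places should escape
    $sMedInfo = ba_db_real_escape_string($link, $_POST['txtMedicalInfo']);
}
//Remove any spaces in car registration
$sCarReg = ba_db_real_escape_string($link, str_replace(' ', '', $_POST['txtCarRegistration']));
//get value of event pack by post (checkbox: absent/empty -> 0, anything else -> 1)
if ($_POST['chkEventPackByPost'] == '') {
    $iByPost = 0;
} else {
    $iByPost = 1;
}
//Set up UPDATE query
//NOTE(review): $value is not assigned in this fragment; if it is a leftover from an earlier loop the two
//field names below carry an unexpected suffix - confirm against the form's field names
$refnumber = (int) $_POST["txtRefNumber{$value}"];
//plMarshal is embedded inside quotes in the UPDATE below, so the value must be SQL-escaped like every
//other text column; stripslashes() alone does not make it safe to embed.
$marshal = ba_db_real_escape_string($link, stripslashes($_POST["cboMarshal{$value}"]));
$sEmail = ba_db_real_escape_string($link, SafeEmail($_POST['txtEmail']));
//NOTE(review): AES_ENCRYPT(..., '{$key}') puts the crypt key into the query text, so it crosses the DB
//connection and lands in any query log; $dob is assumed to be validated where it is set - TODO confirm
$sql = "UPDATE {$db_prefix}players SET plFirstName = '" . ba_db_real_escape_string($link, $_POST['txtFirstName']) . "', " .
    "plSurname = '" . ba_db_real_escape_string($link, $_POST['txtSurname']) . "', " .
    "pleAddress1 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress1']) . "', '{$key}'), " .
    "pleAddress2 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress2']) . "', '{$key}'), " .
    "pleAddress3 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress3']) . "', '{$key}'), " .
    "pleAddress4 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress4']) . "', '{$key}'), " .
    "plePostcode = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtPostcode']) . "', '{$key}'), " .
    "pleTelephone = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtPhone']) . "', '{$key}'), " .
    "pleMobile = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtMobile']) . "', '{$key}'), " .
    "plEmail = '{$sEmail}', " .
    "plDOB = '{$dob}', " .
    "pleMedicalInfo = AES_ENCRYPT('" . ba_db_real_escape_string($link, $sMedInfo) . "', '{$key}'), " .
    "plEmergencyName = '" . ba_db_real_escape_string($link, $_POST['txtEmergencyName']) . "', " .
    "pleEmergencyNumber = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtEmergencyNumber']) . "', '{$key}'), " .
    "plEmergencyRelationship = '" . ba_db_real_escape_string($link, $_POST['txtEmergencyRelationship']) . "', " .
    "plCarRegistration = '{$sCarReg}', " .
    "plDietary = '" . ba_db_real_escape_string($link, $_POST['selDiet']) . "', " .
    "plNotes = '" . ba_db_real_escape_string($link, $_POST['txtNotes']) . "', " .
    "plAdminNotes = '" . ba_db_real_escape_string($link, $_POST['txtAdminNotes']) . "', ";
$sql .= "plRefNumber = {$refnumber}, plMarshal = '{$marshal}',";
$sql .= "plEventPackByPost = {$iByPost} ";
$sql .= "WHERE plPlayerID = {$admin_player_id}";
//Run UPDATE query
if (ba_db_query($link, $sql)) {
    //Query should affect exactly one row. Log a warning if it affected more
    if (ba_db_affected_rows($link) > 1) {
        LogWarning("More than one row updated during admin OOC update (admin_edit_ooc.php). Player ID: {$admin_player_id}");
    }
    //Do not redirect if there are any warnings (required fields not filled in, etc)
    if ($sWarn == '') {
        //Make up URL & redirect
        //NOTE(review): nothing stops execution after the Location header, so the rest of the page still runs
        $sURL = fnSystemURL() . "admin_viewdetails.php?pid={$admin_player_id}&green=" . urlencode("OOC details updated");
        header("Location: {$sURL}");
    }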
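| (http://github.com/PeteAUK/bitsand)
|
| Bitsand is free software; you can redistribute it and/or modify it under the
| terms of the GNU General Public License as published by the Free Software
| Foundation, either version 3 of the License, or (at your option) any later
| version.
|
| Bitsand is distributed in the hope that it will be useful, but WITHOUT ANY
| WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
| FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
| details.
|
| You should have received a copy of the GNU General Public License along with
| Bitsand. If not, see <http://www.gnu.org/licenses/>.
+---------------------------------------------------------------------------*/
//Autocomplete endpoint: returns up to 10 OSPs whose name contains the "term" query parameter, as a
//JSON list of {value, label, allowadditional} objects for the client-side widget.
error_reporting(E_ALL);
//NOTE(review): display_errors=1 sends PHP errors (file paths, query text) to the client; keep it off
//outside development
ini_set('display_errors', '1');
include 'inc_head_db.php';
$db_prefix = DB_PREFIX;
$q = isset($_GET["term"]) ? strtolower($_GET["term"]) : '';
//'%' and '_' are LIKE wildcards: escape them first so the user's text is matched literally, then
//SQL-escape the result (ba_db_real_escape_string doubles the backslash, MySQL undoes that when it
//parses the literal, and the LIKE escape survives).
$q = addcslashes($q, '%_');
$q = ba_db_real_escape_string($link, $q);
if (!$q) {
    return;
}
$sql = "SELECT * FROM {$db_prefix}osps where ospName like '%" . $q . "%' ORDER BY ospName limit 10";
$result = ba_db_query($link, $sql);
$results = array();
while ($row = ba_db_fetch_assoc($result)) {
    //Keys are quoted: the bare identifiers used before were undefined constants (a notice on older
    //PHP, a fatal Error on PHP 8)
    $results[] = array('value' => $row['ospID'], 'label' => $row['ospName'], 'allowadditional' => $row['ospAllowAdditionalText']);
}
//Declare the payload as JSON so a browser never renders it as HTML
header('Content-Type: application/json');
echo json_encode($results);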
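} else {
    //$sGreen is echoed into the page, so only the integer form of the request id goes into it
    //(interpolating $_GET['id'] raw reflected arbitrary request text into the HTML)
    $sGreen = "FAQ entry number " . (int) $_GET['id'] . " deleted";
}
} elseif ($_POST['btnEdit'] != '' && CheckReferrer('admin_faq.php')) {
    //Edit: the row is identified by its old order number; both order values are cast to int before use.
    //NOTE(review): CheckReferrer() is the only CSRF defence visible; presumably it compares the Referer
    //header, which clients may suppress - a per-session token is the robust form
    $iNewOrder = (int) $_POST['txtOrder'];
    $iOldOrder = (int) $_POST['hOrder'];
    $sql = "UPDATE {$db_prefix}faq SET faqOrder = {$iNewOrder}, " . "faqQuestion = '" . ba_db_real_escape_string($link, $_POST['txtQuestion']) . "', " . "faqAnswer = '" . ba_db_real_escape_string($link, $_POST['txtAnswer']) . "' " . "WHERE faqOrder = {$iOldOrder}";
    if (ba_db_query($link, $sql) === False) {
        $sWarn = "Error updating FAQ entry. Check that the Order number is unique.";
        LogError($sWarn);
    } else {
        $sGreen = "FAQ entry number {$iOldOrder} updated";
    }
}
if ($_POST['btnSubmit'] == 'Add' && CheckReferrer('admin_faq.php')) {
    $sql = "INSERT INTO {$db_prefix}faq (faqOrder, faqQuestion, faqAnswer) VALUES (" . (int) $_POST['txtOrder'] . ", '" . ba_db_real_escape_string($link, $_POST['txtQuestion']) . "', '" . ba_db_real_escape_string($link, $_POST['txtAnswer']) . "')";
    if (ba_db_query($link, $sql) === False) {
        $sWarn = "There was an error adding the FAQ item. Check that the Order number is unique.";
        //Keep the submitted values (HTML-escaped) so the form can be re-populated
        $iOrder = (int) $_POST['txtOrder'];
        $sQuestion = htmlentities(stripslashes($_POST['txtQuestion']));
        $sAnswer = htmlentities(stripslashes($_POST['txtAnswer']));
    } else {
        $sGreen = "The FAQ item was added successfully.";
    }
}
include '../inc/inc_head_html.php';
?>
<h1><?php echo TITLE; ?>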
LogError($sWarn);
} else {
    $sGreen = "ancestor updated";
}
}
if ($_POST['btnSubmit'] == 'Add' && CheckReferrer('admin_ancestors.php')) {
    //Add a new ancestor name; the text is escaped and quoted in the INSERT
    $sql = "INSERT INTO {$db_prefix}ancestors (anName) " . "VALUES ('" . ba_db_real_escape_string($link, $_POST['txtAddName']) . "')";
    if (ba_db_query($link, $sql) === False) {
        $sWarn = "There was an error adding the ancestor.";
        //NOTE(review): raw request value kept for re-display; it must be HTML-escaped where it is echoed
        $sAddName = $_POST['txtAddName'];
    } else {
        $sGreen = "The ancestor was added successfully.";
    }
}
if ($_POST['btnSubmit'] == 'Assign To Selected' && CheckReferrer('admin_ancestors.php')) {
    //Move every character whose free-text ancestor equals txtFreeValue onto the selected list entry
    $sql = "UPDATE {$db_prefix}characters " . "SET chAncestor = '', chAncestorSel = '" . ba_db_real_escape_string($link, $_POST['cboAssign']) . "'" . " WHERE chAncestor = '" . ba_db_real_escape_string($link, $_POST['txtFreeValue']) . "'";
    if (ba_db_query($link, $sql) === False) {
        $sWarn = "There was an error assigning the ancestor to the linked characters.";
    }
}
include '../inc/inc_head_html.php';
?>
<h1><?php echo TITLE; ?> - Edit ancestors</h1>
<?php
//$sGreen only holds fixed text in this fragment, which is what makes the unescaped echo below safe;
//keep request-derived values out of it
if ($sGreen != '') {
    echo "<p class = 'green'>{$sGreen}</p>";
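}
}
//get value of event pack by post (checkbox: absent/empty -> 0, anything else -> 1)
if ($_POST['chkEventPackByPost'] == '') {
    $iByPost = 0;
} else {
    $iByPost = 1;
}
//NOTE(review): $value is not assigned in this fragment; if it is a leftover from an earlier loop the two
//field names below carry an unexpected suffix - confirm against the form. plRefNumber and plMarshal are
//also written from the player's own POST on a player-facing page; if they are admin-only fields this is
//a mass-assignment problem - confirm
$refnumber = (int) $_POST["txtRefNumber{$value}"];
//plMarshal is embedded inside quotes in the UPDATE below, so it must be SQL-escaped like every other text
//column; stripslashes() alone does not make it safe to embed.
$marshal = ba_db_real_escape_string($link, stripslashes($_POST["cboMarshal{$value}"]));
//Set up UPDATE query
//NOTE(review): AES_ENCRYPT(..., '{$key}') puts the crypt key into the query text (DB connection, query
//logs); $dob, $sCarReg and $sMedInfo are assumed to be validated/escaped where they are set, outside this
//fragment - TODO confirm
$sql = "UPDATE {$db_prefix}players SET plFirstName = '" . ba_db_real_escape_string($link, $_POST['txtFirstName']) . "', " .
    "plSurname = '" . ba_db_real_escape_string($link, $_POST['txtSurname']) . "', " .
    "pleAddress1 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress1']) . "', '{$key}'), " .
    "pleAddress2 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress2']) . "', '{$key}'), " .
    "pleAddress3 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress3']) . "', '{$key}'), " .
    "pleAddress4 = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtAddress4']) . "', '{$key}'), " .
    "plePostcode = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtPostcode']) . "', '{$key}'), " .
    "pleTelephone = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtPhone']) . "', '{$key}'), " .
    "pleMobile = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtMobile']) . "', '{$key}'), " .
    "plDOB = '{$dob}', " .
    "pleMedicalInfo = AES_ENCRYPT('" . ba_db_real_escape_string($link, $sMedInfo) . "', '{$key}'), " .
    "plEmergencyName = '" . ba_db_real_escape_string($link, $_POST['txtEmergencyName']) . "', " .
    "pleEmergencyNumber = AES_ENCRYPT('" . ba_db_real_escape_string($link, $_POST['txtEmergencyNumber']) . "', '{$key}'), " .
    "plEmergencyRelationship = '" . ba_db_real_escape_string($link, $_POST['txtEmergencyRelationship']) . "', " .
    "plCarRegistration = '{$sCarReg}', " .
    "plDietary = '" . ba_db_real_escape_string($link, $_POST['selDiet']) . "', ";
$sql .= "plNotes = '" . ba_db_real_escape_string($link, $_POST['txtNotes']) . "', ";
$sql .= "plRefNumber = {$refnumber}, plMarshal = '{$marshal}',";
$sql .= "plEventPackByPost = {$iByPost} " . "WHERE plPlayerID = {$PLAYER_ID}";
//Run UPDATE query
if (ba_db_query($link, $sql)) {
    //Query should affect exactly one row. Log a warning if it affected more
    if (ba_db_affected_rows($link) > 1) {
        LogWarning("More than one row updated during OOC update. Player ID: {$PLAYER_ID}");
    }
    //Do not redirect if there are any warnings (required fields not filled in, etc)
    if ($sWarn == '') {
        //Send e-mail (request values only go into the body, never into a mail header here)
        $sBody = "Your OOC details have been entered at " . SYSTEM_NAME . ".\n\n" .
            "Player ID: " . PID_PREFIX . sprintf('%03s', $PLAYER_ID) . "\n" .
            "OOC Name: " . $_POST['txtFirstName'] . " " . $_POST['txtSurname'] . "\n\n" .
            fnSystemURL();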
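}
if ($_POST['btnChangeEmail'] != '' && CheckReferrer('change_password.php')) {
    //Step 1 of the e-mail change: store the requested address plus a one-time code and mail the code
    //to both the current and the requested address.
    $sNewMail = ba_db_real_escape_string($link, SafeEmail($_POST['txtEmail']));
    //Check requested e-mail address does not already exist in database
    $sql = "SELECT COUNT(*) AS cMail FROM {$db_prefix}players WHERE plEmail = '{$sNewMail}'";
    $result = ba_db_query($link, $sql);
    $row = ba_db_fetch_assoc($result);
    if ($row['cMail'] != '0') {
        //The address is shown back in HTML, so it is HTML-escaped rather than echoing the SQL-escaped form
        $sWarn = "The e-mail address " . htmlentities(SafeEmail($_POST['txtEmail'])) . " is already registered";
    } else {
        //Get user's current e-mail address
        $result = ba_db_query($link, "SELECT plFirstName, plSurname, plEmail FROM {$db_prefix}players WHERE plPlayerID = {$PLAYER_ID}");
        $row = ba_db_fetch_assoc($result);
        //Run update query & set message
        //NOTE(review): the code is only as strong as RandomString()'s generator - confirm it uses a CSPRNG
        $sCode = RandomString(10, 20);
        $sql = "UPDATE {$db_prefix}players SET plNewMail = '{$sNewMail}', plNewMailCode = '" . ba_db_real_escape_string($link, $sCode) . "' " . "WHERE plPlayerID = {$PLAYER_ID}";
        $result = ba_db_query($link, $sql);
        $sGreen = "A confirmation code has been sent to both your existing, and your new, e-mail addresses.<br>" . "Follow the instructions in the e-mail to confirm the change of e-mail address";
        //E-mail user with confirmation code and instructions
        $sBody = "A request has been received for your e-mail address to be changed at " . SYSTEM_NAME . ". " . "In order to make this change, you must log on to " . SYSTEM_NAME . " at " . fnSystemURL() . " using your existing e-mail address and password, then go to the 'Change password' page " . "and enter the code below:\n\nCode: {$sCode}\n\n" . "Note that the code must be entered *exactly* as above - it is probably easiest to copy and paste it.\n\n" . "If you have any problems, or questions, e-mail " . TECH_CONTACT_NAME . " at " . TECH_CONTACT_MAIL . "\n\n" . "Player ID: " . PID_PREFIX . sprintf('%03s', $PLAYER_ID) . "\n" . "OOC Name: " . $row['plFirstName'] . " " . $row['plSurname'] . "\n\n" . fnSystemURL();
        mail($row['plEmail'], SYSTEM_NAME . ' - email change', $sBody, "From:" . SYSTEM_NAME . " <" . EVENT_CONTACT_MAIL . ">");
        //assumes SafeEmail() strips anything that could start a new mail header - TODO confirm
        mail(SafeEmail($_POST['txtEmail']), SYSTEM_NAME . ' - email change', $sBody, "From:" . SYSTEM_NAME . " <" . EVENT_CONTACT_MAIL . ">");
    }
}
if ($_POST['btnConfirm'] != '' && CheckReferrer('change_password.php')) {
    //Step 2: the submitted code must match the stored one exactly.
    //Get user's e-mail address
    $result = ba_db_query($link, "SELECT plNewMail, plNewMailCode FROM {$db_prefix}players WHERE plPlayerID = {$PLAYER_ID}");
    $row = ba_db_fetch_assoc($result);
    $sStoredCode = (string) $row['plNewMailCode'];
    $sGivenCode = isset($_POST['txtCode']) ? (string) $_POST['txtCode'] : '';
    //Strict string comparison with a non-empty requirement: the loose == used before accepted an empty
    //code whenever no change was pending (plNewMailCode is reset to '' below) and applied numeric-string
    //juggling. Where PHP >= 5.6 is available, hash_equals() gives the same check in constant time.
    if ($sStoredCode !== '' && $sGivenCode === $sStoredCode) {
        //Run update query & set message; the stored address is re-escaped because it is embedded in SQL
        $sql = "UPDATE {$db_prefix}players SET plEmail = '" . ba_db_real_escape_string($link, SafeEmail($row['plNewMail'])) . "', plNewMail = '', plNewMailCode = '' " . "WHERE plPlayerID = {$PLAYER_ID}";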
$sWarn = "Error deleting location";
LogError($sWarn);
} else {
    $sGreen = "location deleted";
}
} elseif ($_POST['btnEdit'] != '' && CheckReferrer('admin_locations.php')) {
    //Rename: the name is escaped and quoted, the row id is cast to int before being embedded
    $sql = "UPDATE {$db_prefix}locations " . "SET lnName = '" . ba_db_real_escape_string($link, $_POST['txtName']) . "' " . "WHERE lnID = " . (int) $_POST['hID'];
    if (ba_db_query($link, $sql) === False) {
        $sWarn = "Error updating location.";
        LogError($sWarn);
    } else {
        $sGreen = "location updated";
    }
}
if ($_POST['btnSubmit'] == 'Add' && CheckReferrer('admin_locations.php')) {
    $sql = "INSERT INTO {$db_prefix}locations (lnName) " . "VALUES ('" . ba_db_real_escape_string($link, $_POST['txtAddName']) . "')";
    if (ba_db_query($link, $sql) === False) {
        $sWarn = "There was an error adding the location.";
        //NOTE(review): raw request value kept for re-display; it must be HTML-escaped where it is echoed
        $sAddName = $_POST['txtAddName'];
    } else {
        $sGreen = "The location was added successfully.";
    }
}
include '../inc/inc_head_html.php';
?>
<h1><?php echo TITLE; ?> - Edit Locations</h1>
echo '"' . $row['alDateTime'] . '",';
echo '"' . $row['alPlayerID'] . '",';
if ($bDomain) {
    //NOTE(review): one blocking reverse-DNS lookup per row; slow for large exports
    echo '"' . $row['alIP'] . " (" . gethostbyaddr($row['alIP']) . ')",';
} else {
    echo '"' . $row['alIP'] . '",';
}
echo '"' . $row['alPage'] . '",';
//NOTE(review): alGet / dPost hold request data captured from clients (the access-log INSERT stores
//print_r($_GET)); a '"' or newline in them breaks the CSV row, and a cell starting with '=', '+', '-'
//or '@' is evaluated as a formula by spreadsheet software (CSV injection). fputcsv() quotes cells
//correctly; formula-prefix neutralisation has to be added on top of it.
echo '"' . $row['alGet'] . '",';
echo '"' . $row['dPost'] . "\"\n";
}
exit;
}
include '../inc/inc_head_html.php';
if ($_POST['btnDelete'] != '' && CheckReferrer('root_accesslog.php')) {
    //Purge log rows up to and including the given date; the value is escaped and quoted in the DELETE
    $sDeleteDate = ba_db_real_escape_string($link, $_POST['txtDeleteDate']);
    $sDeleteSQL = "DELETE FROM {$db_prefix}access_log WHERE alDateTime <= '{$sDeleteDate}'";
    $result = ba_db_query($link, $sDeleteSQL);
    if ($result === False) {
        $sMsg = "<span class = 'warn'>Problem deleting records</span>";
    } else {
        $sMsg = "<span class = 'green'>Records deleted</span>";
    }
}
?>
<script src="../inc/sorttable.js" type="text/javascript"></script>
<h1><?php echo TITLE; ?> - Access Log</h1>
$updateQuery .= "cnLOCATIONS_LABEL = '" . ba_db_real_escape_string($link, $_POST['txtLOCATIONS_LABEL']) . "', ";
$updateQuery .= "cnANCESTOR_DROPDOWN = " . setBoolValue($_POST['chkANCESTOR_DROPDOWN']) . ", ";
$updateQuery .= "cnDEFAULT_FACTION = '" . ba_db_real_escape_string($link, $_POST['selDEFAULT_FACTION']) . "', ";
$updateQuery .= "cnNON_DEFAULT_FACTION_NOTES = " . setBoolValue($_POST['chkNON_DEFAULT_FACTION_NOTES']) . ", ";
$updateQuery .= "cnIC_NOTES_TEXT = '" . ba_db_real_escape_string($link, $_POST['txtIC_NOTES_TEXT']) . "', ";
//The (int) casts are what make these three safe to embed unquoted; escaping an int is a no-op.
//NOTE(review): no range check - LOGIN_TRIES = 0 would disable an account on its first failed login
//(the login code tests counter > LOGIN_TRIES) and MIN_PASS_LEN = 0 removes the length rule; clamp to
//sane minimums before storing
$updateQuery .= "cnLOGIN_TIMEOUT = " . ba_db_real_escape_string($link, (int) $_POST['txtLOGIN_TIMEOUT']) . ", ";
$updateQuery .= "cnLOGIN_TRIES = " . ba_db_real_escape_string($link, (int) $_POST['txtLOGIN_TRIES']) . ", ";
$updateQuery .= "cnMIN_PASS_LEN = " . ba_db_real_escape_string($link, (int) $_POST['txtMIN_PASS_LEN']) . ", ";
//NOTE(review): the value for cnSEND_PASSWORD is redacted on this page ("******"), which leaves this
//line syntactically broken here; consult the original source
$updateQuery .= "cnSEND_PASSWORD = "******", ";
$updateQuery .= "cnUSE_PAY_PAL = " . setBoolValue($_POST['chkUSE_PAY_PAL']) . ", ";
$updateQuery .= "cnPAYPAL_EMAIL = '" . ba_db_real_escape_string($link, $_POST['txtPAYPAL_EMAIL']) . "', ";
$updateQuery .= "cnNPC_LABEL = '" . ba_db_real_escape_string($link, $_POST['txtNPC_LABEL']) . "', ";
$updateQuery .= "cnPAYPAL_AUTO_MARK_PAID = " . setBoolValue($_POST['chkPAYPAL_AUTO_MARK_PAID']) . ", ";
$updateQuery .= "cnUSE_SHORT_OS_NAMES = " . setBoolValue($_POST['chkUSE_SHORT_OS_NAMES']) . ", ";
$updateQuery .= "cnALLOW_EVENT_PACK_BY_POST = " . setBoolValue($_POST['chkALLOW_EVENT_PACK_BY_POST']) . ", ";
$updateQuery .= "cnSTAFF_LABEL = '" . ba_db_real_escape_string($link, $_POST['txtSTAFF_LABEL']) . "', ";
$updateQuery .= "cnQUEUE_OVER_LIMIT = " . setBoolValue($_POST['chkQUEUE_OVER_LIMIT']);
//Update database
$bUpdate = ba_db_query($link, $updateQuery);
}
if ($_POST['btnSubmit'] != '' && CheckReferrer('admin_changeconfig.php')) {
    //Get new config information from database
    $sql = "SELECT * FROM {$db_prefix}config WHERE cnName = 'Default' ";
    $result = ba_db_query($link, $sql);
    if (ba_db_num_rows($result) == 1) {
        $row = ba_db_fetch_assoc($result);
    } else {
        $sWarn = "Could not find config information in database";
    }
    //Compare old & new configs
    //NOTE(review): when the SELECT did not return exactly one row, $row is unset here and the foreach fails
    foreach ($row as $col => $value) {
//Build a random password of $iLen characters drawn from digits, upper- and lower-case letters.
//NOTE(review): rand() is not a cryptographic generator, so the reset password is more predictable
//than its length suggests; random_int() (PHP >= 7) is the right source for both the class choice
//and the character
for ($iPos = 1; $iPos <= $iLen; $iPos++) {
    switch (rand(1, 3)) {
        case 1:
            $sNewPass .= chr(rand(48, 57));
            break;
        case 2:
            $sNewPass .= chr(rand(65, 90));
            break;
        case 3:
            $sNewPass .= chr(rand(97, 122));
            break;
    }
}
//Get salted hash of new password and run UPDATE query
//NOTE(review): sha1 with a single site-wide salt is a weak password hash; a change has to be made
//together with every other sha1 comparison in the app
$sHashPass = sha1($sNewPass . PW_SALT);
//NOTE(review): the password is replaced as soon as the request arrives (no e-mailed confirmation
//link), so a request for any registered address locks its owner out until they read the mail. Also,
//unless $sEmail is validated upstream, '%' / '_' in it act as LIKE wildcards here and the UPDATE can
//hit more than one row - TODO confirm where $sEmail is validated
$sql = "UPDATE " . DB_PREFIX . "players SET plPassword = '******', plLoginCounter = 0 " . "WHERE plEmail LIKE '" . ba_db_real_escape_string($link, $sEmail) . "'";
$result = ba_db_query($link, $sql);
if (ba_db_affected_rows($link) == 0) {
    //No changes made.
    //NOTE(review): this message tells the requester whether the address is registered (account enumeration)
    $sMsg = 'E-mail not found. Password not reset. Please check and try again';
} else {
    //Send e-mail
    $sTo = $sEmail;
    $sSubject = SYSTEM_NAME . " - password reset";
    //The new password travels in clear text in this mail; a single-use reset link would avoid that
    $sBody = "Hi,\nYour password at " . SYSTEM_NAME . " has been reset. " . "Your new password is:\n{$sNewPass}\nYou can log in using this new password.\n\n" . fnSystemURL();
    ini_set("sendmail_from", EVENT_CONTACT_MAIL);
    $mail = mail($sTo, $sSubject, $sBody, "From:" . SYSTEM_NAME . " <" . EVENT_CONTACT_MAIL . ">", '-f' . EVENT_CONTACT_MAIL);
    if ($mail) {
        //NOTE(review): {$sEmail} is interpolated into HTML here; make sure it is escaped where $sMsg is echoed
        $sMsg = "A new password has been sent to {$sEmail}. Please check your e-mail for your new password.<br />\n" . "If you do not get the e-mail, check your Junk/Spam folder - it may have been marked as spam " . "(this appears to be particularly common with web-based e-mail services)";
    } else {
        $sMsg = "There was an error sending your reset email. Please contact <a href = 'mailto:" . Obfuscate(TECH_CONTACT_MAIL) . "'>" . TECH_CONTACT_NAME . "</a> to reset your password manually";
<form action = 'root_admins.php' method = 'post'>
To search for a user to make an admin, enter the first name and/or surname and click Search:<br>
<table border = '0'>
<tr><td>OOC first name:</td><td><input name = 'txtFirstName'></td></tr>
<tr><td>OOC surname:</td><td><input name = 'txtSurname'></td></tr>
<tr><td class = 'mid' colspan = '2'>
<input type = 'submit' name = 'btnSubmit' value = 'Search'>
<input type = 'reset' value = "Reset form">
</td></tr>
</table>
</form>
<?php
//Admin search: find non-admin players by (partial) first name and/or surname
if ($_POST['btnSubmit'] == 'Search' && CheckReferrer('root_admins.php')) {
    //Both terms are SQL-escaped; '%' and '_' inside them still act as LIKE wildcards (admin-only input,
    //so the effect is only a broader match)
    $sFirstName = ba_db_real_escape_string($link, $_POST['txtFirstName']);
    $sSurname = ba_db_real_escape_string($link, $_POST['txtSurname']);
    //$sOR is set once a first condition has been added so the next one is joined with OR
    $sOR = '';
    //NOTE(review): plPassword is selected - presumably to detect the 'ACCOUNT DISABLED' state the login
    //code uses; make sure the hash itself is never rendered
    $sql = "SELECT plPassword, plPlayerID, plFirstName, plSurname, plEmail FROM {$db_prefix}players WHERE plAccess <> 'admin' AND (";
    if ($sFirstName != '') {
        $sql .= " plFirstName LIKE '%{$sFirstName}%'";
        $sOR = ' OR';
    }
    if ($sSurname != '') {
        $sql .= $sOR . " plSurname LIKE '%{$sSurname}%'";
    }
    $sql .= ")";
    //Only run the query when at least one term was given (otherwise the WHERE clause would end in "AND ()")
    if ($sFirstName != '' || $sSurname != '') {
        $result = ba_db_query($link, $sql);
    }
    echo "<h3>Search Results</h3>\n";
    if ($sFirstName == '' && $sSurname == '') {
//NOTE(review): include paths are built from $CSS_PREFIX, which is assumed to be set by the application
//and never derived from request data - TODO confirm
include $CSS_PREFIX . 'inc/inc_forms.php';
include $CSS_PREFIX . 'inc/inc_head_html.php';
//Report all errors except E_NOTICE
error_reporting(E_ALL ^ E_NOTICE);
$db_prefix = DB_PREFIX;
$key = CRYPT_KEY;
//The initial-config form is gated on knowledge of the crypt key.
//NOTE(review): == is a loose comparison (numeric-string juggling, e.g. '1e1' == '10' is true); compare
//as strings with ===, or hash_equals() where available, and treat a missing txtKey as a failure
if ($_POST['btnSubmit'] != '' && $_POST['txtKey'] == CRYPT_KEY && CheckReferrer('initial_config.php')) {
    //Set up update query to change config values
    $updateQuery = "UPDATE `{$db_prefix}config` SET ";
    $updateQuery .= "cnEVENT_CONTACT_NAME = '" . ba_db_real_escape_string($link, $_POST['txtEVENT_CONTACT_NAME']) . "', ";
    $updateQuery .= "cnEVENT_CONTACT_MAIL = '" . ba_db_real_escape_string($link, $_POST['txtEVENT_CONTACT_MAIL']) . "', ";
    $updateQuery .= "cnTECH_CONTACT_NAME = '" . ba_db_real_escape_string($link, $_POST['txtTECH_CONTACT_NAME']) . "', ";
    $updateQuery .= "cnTECH_CONTACT_MAIL = '" . ba_db_real_escape_string($link, $_POST['txtTECH_CONTACT_MAIL']) . "', ";
    $updateQuery .= "cnTITLE = '" . ba_db_real_escape_string($link, $_POST['txtTITLE']) . "', ";
    $updateQuery .= "cnSYSTEM_NAME = '" . ba_db_real_escape_string($link, $_POST['txtSYSTEM_NAME']) . "', ";
    //The (int) cast is what makes this safe to embed unquoted; escaping an int is a no-op
    $updateQuery .= "cnMIN_PASS_LEN = " . ba_db_real_escape_string($link, (int) $_POST['txtMIN_PASS_LEN']) . ", ";
    //NOTE(review): the page's redaction ("******") has collapsed the rest of the cnSEND_PASSWORD
    //assignment, any remaining SET columns and the SELECT that (judging by the $sql use below) fetches
    //the root user's e-mail into one line; consult the original source for this stretch
    $updateQuery .= "cnSEND_PASSWORD = "******"SELECT plEmail FROM {$db_prefix}players WHERE plPlayerID = " . ROOT_USER_ID;
    $result = ba_db_query($link, $sql);
    $row = ba_db_fetch_assoc($result);
    $root_email = $row['plEmail'];
    if (!ba_db_query($link, $updateQuery)) {
        $sWarn = "There was a problem updating the config details";
        LogError("There was a problem updating the config details. Admin ID: {$PLAYER_ID}");
        //E-mail root
        $subject = SYSTEM_NAME . " - Error updating config details";
        $body = "Someone tried to change the config details, but an error was encountered. See the log for more details";
        mail($root_email, $subject, $body, "From:" . SYSTEM_NAME . " <" . EVENT_CONTACT_MAIL . ">");
    } else {
        $sMessage = "The config settings have been successfully updated.";
$sMessage .= "<br>\n";
}
$sMessage .= "Wrong e-mail/password. Please try again";
//Increment login count and store in players table
//NOTE(review): LIKE makes the e-mail a pattern ('%' / '_' are wildcards), so this lookup and the two
//UPDATEs below can touch more than one row unless $sEmail is validated upstream - TODO confirm
$sql = "SELECT plPassword, plLoginCounter FROM {$db_prefix}players " . "WHERE plEmail LIKE '" . ba_db_real_escape_string($link, $sEmail) . "'";
$result = ba_db_query($link, $sql);
$row = ba_db_fetch_assoc($result);
//NOTE(review): for an unknown e-mail $row is not an array, so $iLoginCounter starts from null and
//$row['plPassword'] is null in the checks below
$iLoginCounter = $row['plLoginCounter'];
$sql = "UPDATE {$db_prefix}players SET plLoginCounter = " . ++$iLoginCounter . " " . "WHERE plEmail LIKE '" . ba_db_real_escape_string($link, $sEmail) . "'";
//Log failed login attempt
$sLogWarn = "Failed login attempt\nE-mail: {$sEmail}\n" . "Attempt was made from IP address {$_SERVER['REMOTE_ADDR']}";
LogWarning($sLogWarn);
//Check for too many failed logins.
//Disabled accounts are recognised by the 'ACCOUNT DISABLED' value in plPassword (the value written
//below is redacted on this page).
//NOTE(review): the lock-out is keyed on the e-mail address alone, so repeated wrong passwords for a
//known address disable that account for its owner; a per-source throttle is the usual complement
if ($iLoginCounter > LOGIN_TRIES && $row['plPassword'] != 'ACCOUNT DISABLED') {
    //Change SQL query so that plPassword and plLoginCounter are both updated
    $sql = "UPDATE {$db_prefix}players SET plPassword = '******', plLoginCounter = " . $iLoginCounter . " WHERE plEmail LIKE '" . ba_db_real_escape_string($link, $sEmail) . "'";
    $sMessage = "You have entered an incorrect password too many times. Your account has been disabled.<br>" . "An e-mail has been sent to your e-mail address with instructions on how to re-enable your account.";
    //E-mail user
    //NOTE(review): $sEmail is used directly as the recipient; it must be free of line breaks (mail header
    //injection) - confirm the upstream validation
    $sBody = "This is an automated message from " . SYSTEM_NAME . ". Your account has been disabled, because " . "an incorrect password was entered too many times. You can re-enable your account by resetting your " . "password (Follow the 'Get a new password' link from the front page). If you have any problems, " . "please contact " . TECH_CONTACT_NAME . " at " . TECH_CONTACT_MAIL . " to have your account re-enabled.\n\n" . fnSystemURL();
    mail($sEmail, SYSTEM_NAME . ' - account disabled', $sBody, "From:" . SYSTEM_NAME . " <" . TECH_CONTACT_MAIL . ">");
    //E-mail admin and log a warning
    $sBody = "Account with e-mail address {$sEmail} has been disabled, after too many failed login attempts.\n" . "Latest attempt was from IP address {$_SERVER['REMOTE_ADDR']}\n" . "An e-mail has been sent to the user.\n\n" . fnSystemURL();
    mail(TECH_CONTACT_MAIL, SYSTEM_NAME . ' - account disabled', $sBody, "From:" . SYSTEM_NAME . " <" . TECH_CONTACT_MAIL . ">");
    LogWarning($sBody);
} elseif ($row['plPassword'] == 'ACCOUNT DISABLED') {
    //Account has been previously disabled. Just display message - do not send e-mail
    //NOTE(review): this reveals the account's disabled state to whoever submits the address
    $sMessage = "Your account has been disabled. To re-enable it, either <a href = 'retrieve.php'>request a new password</a>" . " or e-mail " . TECH_CONTACT_NAME . ", using the link below";
}
//Run query to update plLoginCounter (and plPassword, if account is being disabled)
//NOTE(review): the trailing ". $sql" concatenates the query result with the query text and discards it - a no-op
ba_db_query($link, $sql) . $sql;
}
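$key = CRYPT_KEY;
//Access log: one row per request (player, client IP, script, GET and encrypted POST).
//assumes $PLAYER_ID is already an integer at this point (it is embedded unquoted) and that $aPost is a
//copy of $_POST with secrets removed - TODO confirm both; raw passwords must never be logged
$sql = "INSERT INTO " . DB_PREFIX . "access_log (alPlayerID, alIP, alPage, alGet, alePost) " .
    "VALUES ({$PLAYER_ID}, '" . ba_db_real_escape_string($link, $_SERVER['REMOTE_ADDR']) . "', '" .
    ba_db_real_escape_string($link, $_SERVER["PHP_SELF"]) . "', '" .
    ba_db_real_escape_string($link, print_r($_GET, True)) . "', " .
    "AES_ENCRYPT('" . ba_db_real_escape_string($link, print_r($aPost, True)) . "', '{$key}'))";
ba_db_query($link, $sql);
//Check for cookie that shows that user is logged in. If user is not logged in, go to index.php
//Do not check if $bLoginCheck == 'FALSE' - this allows some pages to not require login, but defaults to login being required
if ($bLoginCheck !== False) {
    if ($_COOKIE['BA_PlayerID'] == '' || $_COOKIE['BA_PlayerID'] == 0) {
        //User is not logged in, and must be logged in to access this page.
        ForceLogin('You must be logged in to access that page');
    } else {
        //Check player ID and login time against database sessions table.
        //Both cookie values are client-controlled: the player ID is cast to int and the login time is
        //SQL-escaped before either is embedded in the query.
        $PLAYER_ID = (int) $_COOKIE['BA_PlayerID'];
        $sLoginTime = ba_db_real_escape_string($link, $_COOKIE['BA_LoginTime']);
        //Only first two octets of remote IP are stored to avoid issue with dial-up etc (see issue 170)
        //NOTE(review): an IPv6 address has no '.', so $aIP[1] is undefined there; the value must stay
        //consistent with how the login code stores ssIP, so it is left as is
        $aIP = explode(".", $_SERVER['REMOTE_ADDR']);
        $sIP = ba_db_real_escape_string($link, $aIP[0] . "." . $aIP[1]);
        $sql = "SELECT ssPlayerID, ssLastAccess FROM " . DB_PREFIX . "sessions " .
            "WHERE ssPlayerID = {$PLAYER_ID} AND ssLoginTime = '{$sLoginTime}' AND " .
            "ssIP = '{$sIP}'";
        //(The debug LogWarning that wrote this query - and with it the session cookie values - to the
        //warning log on every request has been removed.)
        $result = ba_db_query($link, $sql);
        //NOTE(review): a query matching no rows may still return a result object rather than False; $row is
        //then false below, $iDiff becomes roughly time()/60 and the timeout path is taken. Confirm
        //ba_db_query()'s contract and that the else branch (outside this fragment) handles the no-session case
        if ($result !== False) {
            $row = ba_db_fetch_assoc($result);
            //User is logged in. Check time difference since ssLastAccess
            $iNow = time();
            $iDiff = $iNow - $row['ssLastAccess'];
            //Get time difference in minutes (the cast binds to $iDiff, so this is a fractional number of minutes)
            $iDiff = (int) $iDiff / 60;
            if ($iDiff > LOGIN_TIMEOUT) {
                //User has been inactive for too long. Delete session and force new login
                $sql = "DELETE FROM " . DB_PREFIX . "sessions WHERE ssPlayerID = {$PLAYER_ID}";
                ba_db_query($link, $sql);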
| details.
|
| You should have received a copy of the GNU General Public License along with
| Bitsand. If not, see <http://www.gnu.org/licenses/>.
+---------------------------------------------------------------------------*/
include '../inc/inc_head_db.php';
include '../inc/inc_admin.php';
include '../inc/inc_head_html.php';
//Admin player search: any combination of ID, names, e-mail, car registration and character name, OR-ed together
if ($_GET['btnSubmit'] != '') {
    $db_prefix = DB_PREFIX;
    //The (int) cast is what makes $iID safe to embed; the escape call inside it is redundant
    $iID = (int) ba_db_real_escape_string($link, str_replace(PID_PREFIX, '', $_GET['txtID']));
    $sFirst = ba_db_real_escape_string($link, $_GET['txtFirstName']);
    $sSurname = ba_db_real_escape_string($link, $_GET['txtSurname']);
    //NOTE(review): unlike the other terms, $sMail is only passed through SafeEmail() and not SQL-escaped;
    //if it is embedded in the query further down, confirm SafeEmail() cannot return quote characters
    $sMail = SafeEmail($_GET['txtEmail']);
    $sCar = ba_db_real_escape_string($link, str_replace(' ', '', $_GET['txtCarRegistration']));
    $sCharName = ba_db_real_escape_string($link, $_GET['txtCharName']);
    //NOTE(review): plPassword is selected - presumably to show the 'ACCOUNT DISABLED' state the login code
    //uses; the hash itself must not be rendered
    $sql = "SELECT plPlayerID, plFirstName, plSurname, plEmail, plCarRegistration, plPassword, chName " . "FROM {$db_prefix}players LEFT JOIN {$db_prefix}characters ON plPlayerID = chPlayerID ";
    //$sOR is used to add OR if required
    $sOR = '';
    $sCond = '';
    if ($iID != 0) {
        $sCond .= " plPlayerID = {$iID}";
        $sOR = ' OR';
    }
    if ($sFirst != '') {
        $sCond .= $sOR . " plFirstName LIKE '%{$sFirst}%'";
        $sOR = ' OR';
    }
    if ($sSurname != '') {
        $sCond .= $sOR . " plSurname LIKE '%{$sSurname}%'";
        $sOR = ' OR';
//NOTE(review): rand() (presumably also used by the other character classes above, outside this
//fragment) is not a cryptographic generator; random_int() (PHP >= 7) should generate the initial password
$sNewPass .= chr(rand(97, 122));
break;
}
}
//Get salted hash of password
//NOTE(review): sha1 with a single site-wide salt is a weak password hash (the login and reset code use the same scheme)
$sHashPass = sha1($sNewPass . PW_SALT);
//Check e-mail address is not already registered
//NOTE(review): check-then-insert without a visible unique constraint on plEmail is racy; LIKE also treats
//'%' / '_' in the address as wildcards - TODO confirm $sEmail is validated upstream
$sql = "SELECT plEmail FROM {$db_prefix}players WHERE plEmail " . "LIKE '" . ba_db_real_escape_string($link, $sEmail) . "'";
$result = ba_db_query($link, $sql);
if (ba_db_num_rows($result) > 0) {
    $sProblem .= "The e-mail address " . htmlentities($sEmail) . " is already registered<br>\n";
}
//If there are no problems, register user
if ($sProblem == '') {
    //Set up INSERT SQL query
    $sql = "INSERT INTO {$db_prefix}players (plEmail, plPassword) VALUES ('" . ba_db_real_escape_string($link, $sEmail) . "', '{$sHashPass}')";
    //Run query
    ba_db_query($link, $sql);
    //E-mail user (the initial password is sent in clear text; an activation link would avoid that)
    $sBody = "You are now registered at " . SYSTEM_NAME . ". " . "You can use the following details to log in:\n\n" . "E-mail: {$sEmail}\nPassword: {$sNewPass}\n\n" . "Once you are logged in, you will be able to change your password to something else.\n\n" . fnSystemURL();
    ini_set("sendmail_from", EVENT_CONTACT_MAIL);
    $mail = mail($sEmail, SYSTEM_NAME . ' - registered', $sBody, "From:" . SYSTEM_NAME . " <" . EVENT_CONTACT_MAIL . ">", '-f' . EVENT_CONTACT_MAIL);
    if ($mail) {
        $msg = 'Registration successful. Please check your e-mail, and use the supplied password to log in';
    } else {
        $msg = 'Registration successful. Email sending failed, please contact the system admin for assistance';
    }
    //Make up URL & redirect to index.php with message
    //NOTE(review): $msg travels via the green URL parameter, so index.php must HTML-escape it on display;
    //nothing stops execution after the Location header
    $sURL = fnSystemURL() . 'index.php' . '?green=' . urlencode($msg);
    header("Location: {$sURL}");
}