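<?php
require 'reprofunctions.php';

// Save Modified Resource -- receives the POST from editresource.php.
// Everything read from $_POST, $_COOKIE and $_SERVER below is client supplied.
dbgSquirt("============= Save Modified Resource ===============");
dbgSquirt(dbgShowFile($_POST));

// Base of the application's URL, shared by every redirect on this page.
// NOTE(review): HTTP_HOST and PHP_SELF are taken from the request, so a
// crafted Host header or request path can steer these redirects; if the
// configuration provides a fixed site URL, prefer it here.
$appRoot = "http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

$result = checkCookies($forceLogin, $error, FALSE);
if (!$result || $forceLogin) {
    // Either checkCookies hit an internal error or the credentials did not
    // verify; in both cases send the user back to the login screen. The
    // message is a query value, so it is URL-encoded rather than pasted in.
    header("Location: " . $appRoot . "/index.php?error=" . rawurlencode($error));
    exit;
}

$username = $_COOKIE['user'];

// Redirect back to the edit form, carrying the submitted values so the user
// does not have to retype them. The values are user supplied and therefore
// query-encoded with http_build_query() instead of being concatenated raw
// (a raw "&" or "#" in a value would otherwise rewrite the query string).
// forward is deliberately optional: when forwarding was disabled on the
// previous screen the browser does not submit that field at all.
// The message to display is appended after "error=" by the caller and should
// be rawurlencode()d the same way as below.
$bounceURL = "Location: " . $appRoot . "/editresource.php?" . http_build_query(array(
    'aor'         => isset($_POST['aor']) ? $_POST['aor'] : '',
    'forwardType' => isset($_POST['forwardType']) ? $_POST['forwardType'] : '',
    'forward'     => isset($_POST['forward']) ? $_POST['forward'] : '',
    'voicemail'   => isset($_POST['voicemail']) ? $_POST['voicemail'] : '',
)) . "&error=";

// Make sure the POST variables have arrived (forward is not checked, see above).
if (!isset($_POST['resourceId']) || !isset($_POST['aor'])
    || !isset($_POST['forwardType']) || !isset($_POST['voicemail'])) {
    header($bounceURL . rawurlencode("The information to modify a resource was not provided. Please enter the information and click Save. If this error reoccurs, contact an administrator."));
    exit;
}

// Cancel sends the user back to their home page. Test isset() first: the
// submit field is absent when the form is posted by other means, and reading
// it unconditionally raises an undefined-index notice.
if (isset($_POST['submit']) && "Cancel" === $_POST['submit']) {
    header("Location: " . $appRoot . "/userhome.php");
    exit;
}

// check that resourceId only contains digits
// the valid number check is for security to make sure that no one hacks the
// URL and replaces the resourceId param with something designed to screw up
// the database. In this case, there is nothing the user can fix, so send them
// back to userhome.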
<?php
require 'reprofunctions.php';

// Modify Resource -- entry point for the Edit/Delete buttons on the user's
// resource list. Everything read from $_POST, $_COOKIE and $_SERVER below is
// client supplied.
dbgSquirt("============= Modify Resource ===============");
dbgSquirt("GET --" . dbgShowFile($_GET));
dbgSquirt("POST --" . dbgShowFile($_POST));

$result = checkCookies($forceLogin, $error, FALSE);
if (!$result || $forceLogin) {
    // Either checkCookies hit an internal error or the credentials did not
    // verify; in both cases send the user back to the login screen.
    // NOTE(review): HTTP_HOST and PHP_SELF come from the request, and $error
    // is appended without urlencode(); a configured site URL and an encoded
    // query value would make these redirects harder to tamper with.
    header("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/index.php?error={$error}");
    exit;
}

$username = $_COOKIE['user'];

// Prefix for the validation-failure redirects below; the message is
// appended after "error=".
$bounceURL = "Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/userhome.php?error=";

// Make sure the POST variables have arrived. We should always get a
// resourceId, an aor, and either an edit or a delete button value.
if (!(isset($_POST['resourceId']) && isset($_POST['aor']) && (isset($_POST['edit']) || isset($_POST['delete'])))) {
    header($bounceURL . "The information to modify a resource was not provided. Please enter the information and click Save. If this error reoccurs, contact an administrator.");
    exit;
}

// Check that resourceId and aor are non-blank. This should not happen, since
// resourceId is a system-provided hidden field.
// NOTE(review): empty() also rejects the string "0", so a resource id of 0
// would be bounced here.
if (empty($_POST['resourceId']) || empty($_POST['aor'])) {
    header($bounceURL . "The resource to be modified was not specified. Please click one of the Add or Delete buttons. If you see this message again, please contact an administrator.");
    exit;
}

// Copied verbatim from the request; the fragment shown ends before any
// format validation of these values.
$resourceId = $_POST['resourceId'];
$aor = $_POST['aor'];

// See if the operation is Edit or Delete.
// NOTE(review): the check above only requires one of edit/delete, so
// $_POST['delete'] may be unset here (undefined-index notice), and == is a
// loose comparison; isset() plus === would be the precise test.
if ("Delete" == $_POST['delete']) {
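/**
 * Validate the login cookies and, on success, extend their lifetime.
 *
 * Reads $_COOKIE['user'] and $_COOKIE['authentication'] and accepts the pair
 * when sha1(user . salt) equals the authentication cookie, the salt coming
 * from getSalt(). On success both cookies are re-sent with an expiry of
 * now + $sessionDuration (global).
 *
 * @param bool   $forceLogin   Out: FALSE only when the cookies verified and
 *                             were refreshed successfully; TRUE otherwise.
 * @param string $error        Out: "" on success, otherwise a user-facing
 *                             message. Stays "" for absent/blank cookies when
 *                             $ignoreBlanks is TRUE, so the function then
 *                             returns TRUE while $forceLogin is still TRUE.
 * @param bool   $ignoreBlanks When TRUE, absent or blank cookies are not
 *                             reported as an error.
 * @return bool TRUE when $error is empty, FALSE otherwise.
 *
 * NOTE(review): the token is a deterministic hash of the user name and a
 * server-side salt, so it is identical for every session, never expires on
 * the server side, and can be reproduced by anyone who learns the salt. A
 * random per-session token kept server-side would be the usual replacement.
 * The refreshed cookies are also sent without the secure/httponly flags.
 */
function checkCookies(&$forceLogin, &$error, $ignoreBlanks)
{
    $forceLogin = TRUE;
    $error = "";
    global $sessionDuration;

    dbgSquirt("==============Function: checkCoookies ==============");
    dbgSquirt('Cookie --' . dbgShowFile($_COOKIE));

    // empty() is TRUE for unset, NULL and "" alike, so it replaces the
    // isset() && !empty() pair.
    if (empty($_COOKIE['user']) || empty($_COOKIE['authentication'])) {
        // Cookies unset or blank: only report it when the caller wants that.
        if (FALSE == $ignoreBlanks) {
            $error = "Please log in.";
        }
    } elseif (!getSalt($salt)) {
        // Without the salt nothing can be validated.
        $error = "Internal error -- unable to validate supplied credentials. 
Please reauthenticate and try again.";
    } else {
        $userCookie = $_COOKIE['user'];
        $authenticationCookie = $_COOKIE['authentication'];

        // Compare with hash_equals(), not ==: a loose comparison of two
        // numeric-looking strings (e.g. "0e..." hex digests) compares them as
        // numbers, and it is not constant-time. Cookies that arrive as arrays
        // (user[]=...) are rejected instead of being cast to "Array".
        $matches = is_string($userCookie) && is_string($authenticationCookie)
            && hash_equals(sha1($userCookie . $salt), $authenticationCookie);

        if (!$matches) {
            $error = "Authentication error -- The supplied credentials don't match our stored values. Please reauthenticate and try again.";
        } else {
            // Authenticated: push the cookie expiry out by another session.
            $expires = time() + $sessionDuration;
            $userSet = setcookie("user", $userCookie, $expires);
            $authSet = setcookie("authentication", $authenticationCookie, $expires);
            if ($userSet && $authSet) {
                $forceLogin = FALSE;
            } else {
                // setcookie() returns FALSE when output has already started.
                $error = "Internal error -- problem while creating cookies. Please contact an administrator.";
            }
        }
    }

    dbgSquirt("Returning -- " . empty($error));
    return empty($error);
}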
<?php require 'reprofunctions.php'; dbgSquirt("============= Edit Resource ==============="); dbgSquirt("GET --" . dbgShowFile($_GET)); $result = checkCookies($forceLogin, $error, FALSE); if (!$result || $forceLogin) { // we got an error back that occurred while checkCookies was being run, // or authentication failed. Either way, bounce them back to the login screen header("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/index.php?error={$error}"); exit; } $username = $_COOKIE['user']; $bounceURL = "Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/userhome.php?error="; // this page is only entered via GET's // all of these should be set all the time, even though they might be // empty... if they aren't set, something is strange about how we got to this // page if (!isset($_GET['resourceId']) || !isset($_GET['aor']) || !isset($_GET['forwardType']) || !isset($_GET['forward']) || !isset($_GET['voicemail'])) { header($bounceURL . "Information missing in request to modify a resource. Please try again. If this error reoccurs, please contact an administrator."); exit; } $resourceId = $_GET['resourceId']; $aor = $_GET['aor']; $forwardType = $_GET['forwardType']; $forward = $_GET['forward']; $voicemail = $_GET['voicemail']; // make sure resourceId isn't blank. Other fields could be blank if (empty($resourceId)) { header($bounceURL . "Information missing in request to modify a resource. Please try again. If this error reoccurs, please contact an administrator."); exit;