public function resetPassword($user, $key, $password)
 {
     $db = new Database();
     $user = Security::escape($user);
     $oldKey = Security::escape($key);
     $password = Security::escape($password);
     $key = Security::generateKey();
     $password = Security::encode($password);
     $req = "SELECT * FROM accounts WHERE username = ? AND userKey = ?";
     $result = $db->execute($req, array($user, $oldKey));
     $stmt = $result->fetch();
     $req = "UPDATE accounts SET userKey = ? WHERE id = ?";
     $db->execute($req, array($key, $stmt['id']));
     $req = "UPDATE passwords SET password = ? WHERE account = ?";
     $db->execute($req, array($password, $stmt['id']));
 }
예제 #2
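 /**
  * Creates a list (an array) of objects of the class, based on the value of a certain field. Offsets, limits, types of search, sort orders and groupings can be specified as well
  *
  * @param string $sender the class used
  * @param string $field the field (column name) used to select the values that we want
  * @param string $value the value that the field should have; escaped before use
  * @param string $order the field by which we should sort the list (if specified)
  * @param int|string $offset an offset used to skip a number of objects (if specified); cast to int
  * @param int|string $limit used to limit the number of returned objects (if specified); cast to int
  * @param string $search if set, this overrides the value and is used instead. uses LIKE '%search%' in sql instead of =; escaped before use, but LIKE wildcards (% and _) inside it are not neutralised
  * @param string $way the sort order (asc or desc)
  * @param string $group any group by clause
  * @uses Security::escape()
  * @uses function classToTable to get the correct tablename for the class (the sender parameter)
  * @uses DB::query to get a list of matching ids
  * @uses function loadByIds to load all objects that are to be returned from the function
  * @return array an array of objects based on the parameters, keyed by row id
  * @throws InvalidArgumentException when $field, $order or $group contain characters outside
  *         [A-Za-z0-9_.,] and whitespace, or when $way is neither asc nor desc
  */
 protected static function lister($sender, $field = null, $value = null, $order = null, $offset = null, $limit = null, $search = null, $way = null, $group = null)
 {
     // Returns a list of objects where a certain field ($field) has a certain value ($value).
     global $db;
     // Both $value and $search end up inside quoted SQL literals, so both are escaped
     // (the original escaped only $value).
     $value = Security::escape($value);
     $search = Security::escape($search);
     $table = self::classToTable($sender);
     // $field, $order and $group are spliced in as SQL identifiers and cannot go through
     // placeholders; restrict them to identifier characters (plus "," and whitespace for
     // multi-column lists) so arbitrary SQL fragments cannot be passed through them.
     foreach (array('field' => $field, 'order' => $order, 'group' => $group) as $name => $ident) {
         if ($ident !== null && $ident !== '' && !preg_match('/^[A-Za-z0-9_.,\s]+$/', (string) $ident)) {
             throw new InvalidArgumentException("lister(): invalid SQL identifier in \${$name}");
         }
     }
     $way = $way === null ? null : strtolower((string) $way);
     if ($way !== null && $way !== '' && $way !== 'asc' && $way !== 'desc') {
         throw new InvalidArgumentException("lister(): sort direction must be asc or desc");
     }
     $sql = "select * from {$table} ";
     if ($field != null && $search != null) {
         $sql .= "where {$field} like '%{$search}%' ";
     } elseif ($field != "" && $value != "") {
         $sql .= "where {$field} = '{$value}' ";
     }
     if ($group) {
         $sql .= "group by " . $group . " ";
     }
     if ($order) {
         $sql .= "order by " . $order . " ";
     }
     if ($way) {
         $sql .= $way . " ";
     }
     // Offsets and limits are numbers; the int cast keeps anything else out of the SQL.
     $offset = $offset === null ? null : (int) $offset;
     $limit = $limit === null ? null : (int) $limit;
     if ($offset == null && $limit != null) {
         $sql .= "limit 0," . $limit . " ";
     } elseif ($offset) {
         // MySQL has no OFFSET without LIMIT; 18446744073709551615 is its documented
         // "no upper bound" row count, used when an offset but no limit was given
         // (the original emitted a trailing comma and a syntax error in that case).
         $sql .= "limit " . $offset . "," . ($limit ? $limit : "18446744073709551615") . " ";
     }
     $res = $db->query($sql);
     $objects = array();
     while ($row = mysql_fetch_assoc($res)) {
         $objects[$row["id"]] = self::__getObj($sender, $row);
     }
     // Debug dump into an HTML comment, only when DEBUG is on and ?mobject_debug is set.
     if (defined("DEBUG") && DEBUG && isset($_GET["mobject_debug"])) {
         echo "\n<!--\n";
         echo "    Running query for {$sender} objects.\n";
         echo "    SQL: {$sql}\nResults:\n";
         var_dump($objects);
         echo "\n-->\n";
     }
     return $objects;
 }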
예제 #3
<?php

/**
 * @author Jaco Ruit
 */
require '../startOrongo.php';
startOrongo();
if (isset($_POST['username']) && isset($_POST['password']) && !isset($_SESSION['orongo-id']) && !isset($_SESSION['orongo-session-id'])) {
    $username = Security::escape($_POST['username']);
    $password = Security::hash($_POST['password']);
    if (User::usernameExists($username)) {
        $userID = User::getUserID($username);
        $goodLogin = User::isGoodPassword($userID, $password);
        if ($goodLogin) {
            if (!User::userIsActivated($userID)) {
                header("Location: ../orongo-login.php?msg=7");
                exit;
            } else {
                $_SESSION['orongo-id'] = $userID;
                $_SESSION['orongo-session-id'] = Session::createSession($userID);
                header("Location: ../orongo-admin/");
                exit;
            }
        } else {
            header("Location: ../orongo-login.php?msg=0");
            exit;
        }
    } else {
        header("Location: ../orongo-login.php?msg=0");
        exit;
    }
예제 #4
     exit;
 }
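 // Strict comparison: the loose "!=" compares numeric-looking strings numerically
 // ("1e3" == "1000"), so two different passwords could pass the confirmation check.
 if (!isset($_POST['password'], $_POST['password_again']) || $_POST['password'] !== $_POST['password_again']) {
     header("Location: " . orongoURL("orongo-register.php?msg=0"));
     exit;
 }
 // Reject non-string values (a "username[]=x" request would make strlen() fail).
 if (!isset($_POST['username']) || !is_string($_POST['username']) || !is_string($_POST['password'])) {
     header("Location: " . orongoURL("orongo-register.php?msg=2"));
     exit;
 }
 // Length limits are in bytes (strlen), as in the original; multibyte names count per byte.
 $usernameLength = strlen($_POST['username']);
 if ($usernameLength < 4 || $usernameLength > 20) {
     header("Location: " . orongoURL("orongo-register.php?msg=2"));
     exit;
 }
 if (strlen($_POST['password']) < 6) {
     header("Location: " . orongoURL("orongo-register.php?msg=3"));
     exit;
 }
 $name = Security::escape($_POST['username']);
 $email = Security::escape($_POST['email']);
 $password = Security::hash($_POST['password']);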
 if (User::usernameExists($name) == false) {
     $user = null;
     try {
         $user = User::registerUser($name, $email, $password, RANK_USER);
     } catch (Exception $e) {
         header("Location: " . orongoURL("orongo-login.php?msg=3"));
         exit;
     }
     $activationLink = User::generateActivationURL($user->getID());
     $mail = MailFactory::generateActivationEmail($user->getName(), $activationLink);
     $sendEmail = mail($user->getEmail(), $mail['subject'], $mail['message'], $mail['headers']);
     if (!$sendEmail) {
         header("Location: " . orongoURL("orongo-login.php?msg=3"));
         exit;
예제 #5
// Response code sent alongside a successful comment post.
define('OK', 31);
/**
 * Emits a JSON error envelope and terminates the script.
 *
 * @param string $paramError     human-readable message, sent as "response"
 * @param int    $paramErrorCode numeric code, sent as "response_code"
 * @return never
 */
function errorDie($paramError, $paramErrorCode)
{
    $envelope = array(
        "response" => $paramError,
        "response_code" => $paramErrorCode,
    );
    die(json_encode($envelope));
}
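// Validate the request before touching the database; every failure path answers
// with a JSON envelope via errorDie(), which terminates the script, so no extra
// exit is needed after it.
if (!isset($_POST['article']) || !is_numeric($_POST['article'])) {
    errorDie("No article!", NO_ARTICLE);
}
// A missing or non-string value (e.g. "content[]=x") would make strlen() fail.
if (!isset($_POST['content']) || !is_string($_POST['content'])) {
    errorDie("Comment has no content!", NO_CONTENT);
}
if (strlen($_POST['content']) < 3) {
    errorDie("Content is too short!", TOO_SHORT);
}
$user = getUser();
// Falsy covers both null and false, whichever getUser() returns when nobody is logged in.
if (!$user) {
    errorDie("You need to be logged in in order to post comments.", NOT_LOGGED_IN);
}
$comment = Comment::createComment(Security::escape($_POST['article']), $user);
$comment->setContent(Security::escape($_POST['content']));
$successArray = array();
$successArray["response"] = "Comment posted!";
$successArray["response_code"] = OK;
die(json_encode($successArray));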
예제 #6
    exit;
}
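// Work out the newest comment id the client has not seen yet. Compare as integers:
// $_POST['last_comment_id'] arrives as a string and the original "<=" compared it loosely.
$lastCommentId = isset($_POST['last_comment_id']) ? (int) $_POST['last_comment_id'] : 0;
foreach ($lastCommentArr as $comment) {
    if (!($comment instanceof Comment)) {
        continue;
    }
    if ($comment->getID() <= $lastCommentId) {
        // errorDie() terminates the script.
        errorDie("No new comments! ", NO_NEW_COMMENTS);
    }
    $newLCID = $comment->getID();
}
$newComments = null;
// Both values are spliced into a query string parsed server-side; casting to int keeps
// anything but digits out of the "offset" and "article.id" filters.
$queryOffset = isset($_POST['offset']) ? (int) $_POST['offset'] : 0;
$queryArticleId = isset($_POST['article']) ? (int) $_POST['article'] : 0;
try {
    $newComments = orongo_query("action=fetch&object=comment&max=1000000&offset=" . $queryOffset . "&order=comment.id,asc&where=article.id:" . $queryArticleId);
} catch (Exception $e) {
    die("500");
}
$newComments = array_reverse($newComments);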
if (getStyle()->doCommentHTML()) {
    try {
        $html = getStyle()->getCommentsHTML($newComments);
    } catch (Exception $e) {
        foreach ($newComments as $comment) {
            $html .= $comment->toHTML();
        }
    }
} else {
    foreach ($newComments as $comment) {
예제 #7
<?php

require_once $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
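Security::demand(USER, null, false);
$smarty = new PopSmarty();
$mid = isset($_GET['id']) ? Security::escape($_GET['id']) : null;
$do = isset($_GET['do']) ? Security::escape($_GET['do']) : null;
$medlem_to_send = Medlem::loadById($mid);
$smarty->assign("medlem_to_send", $medlem_to_send);
$smarty->assign("mid", $mid);
$action = null;
if ($do == 'send') {
    $smarty->assign("is_replay", false);
    if (isset($_GET['re'])) {
        $id = Security::escape($_GET['re']);
        $mail_to_read = MotiomeraMail::loadById($id);
        // Only the recipient or the sender may quote a mail into a reply; without this
        // check any logged-in user could read any mail by supplying its id as "re".
        // Same rule and message as the read-mail page.
        if (!isset($USER) || !$mail_to_read || !($mail_to_read->getToId() == $USER->getId() || $mail_to_read->getSentFrom() == $USER->getId())) {
            throw new UserException('Ett fel har uppstått', 'Mailet du försöker läsa är inte skickat till dig.');
        }
        $smarty->assign("is_replay", true);
        // Strip both <br> spellings from the quoted message. The original applied the
        // second str_replace() to the raw message again, discarding the first result.
        $text_message_decoded = str_replace(array("<br>", "<br />"), "", $mail_to_read->getMsg());
        $text_message = "\n\n********************\n" . $text_message_decoded;
        $smarty->assign("text_message", $text_message);
        $smarty->assign("mail_to_read", $mail_to_read);
    }
    $action = "send";
} elseif ($do == 'sent') {
    $action = "sent";
}
$smarty->assign("action", $action);
$smarty->display('send_mail.tpl');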
예제 #8
<?php

include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
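Security::demand(USER);
if (!isset($_POST['id_to_remove'])) {
    // Nothing to remove; do not call removeMail() with a null id.
    exit;
}
$id_to_remove = Security::escape($_POST['id_to_remove']);
// NOTE(review): only the mail id is passed here, whereas the other removal script calls
// removeMail($mail_id, $remover_id, $remover). Confirm that the one-argument form still
// checks the mail belongs to the current user before deleting it.
MotiomeraMail::removeMail($id_to_remove);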
예제 #9
<?php

include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
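Security::demand(USER);
// The folder owner is the logged-in member ($USER, presumably populated by init.php —
// the mail overview page uses it the same way). Taking the id from $_POST['my_id'],
// as the original did, let a caller create folders in another member's account.
$my_id = $USER->getId();
$action = isset($_POST['todo']) ? Security::escape($_POST['todo']) : '';
$folder_name = isset($_POST['folder_name']) ? Security::escape($_POST['folder_name']) : '';
if ($action == 'create') {
    $motiomeraMail_Folders = new MotiomeraMail_Folders($my_id);
    // utf8_encode() treats its input as ISO-8859-1; kept from the original, as the
    // form encoding is not visible here.
    $folder_created = $motiomeraMail_Folders->createFolder(utf8_encode($folder_name));
    // Plain '1'/'0' is the response contract the caller expects.
    echo $folder_created ? '1' : '0';
    exit;
}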
예제 #10
파일: save.php 프로젝트: krillo/motiomera
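     if (isset($_GET["id"])) {
         // Update the picture. The id comes straight from the query string and is spliced
         // into the SQL, so cast it to int (the original interpolated it unescaped).
         $bildId = (int) $_GET["id"];
         $db->nonquery("\tUPDATE\n\t\t\t\t\t\t\t\tmm_fotoalbumbild\n\t\t\t\t\t\t\tSET\n\t\t\t\t\t\t\t\tnamn = '" . Security::escape($_POST["namn"]) . "',\n\t\t\t\t\t\t\t\tbeskrivning = '" . Security::escape($_POST["beskrivning"]) . "',\n\t\t\t\t\t\t\t\tfotoalbum_id = '" . Security::escape($_POST["fotoalbum"]) . "'\n\t\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\t\tid = '" . $bildId . "'\n\t\t\t");
         if (!empty($_POST['kid']) || !empty($_GET['id'])) {
             $tag = new Tagg(array('objekt_table' => 'mm_fotoalbumbild', 'objekt_id' => $bildId, 'objekt_namn' => $_POST['namn'], 'tag_table' => 'mm_kommun', 'tag_id' => $_POST['kid'], 'medlem_id' => $USER->getId()));
         }
         $urlHandler->redirect("Fotoalbum", URL_VIEW, $_GET["fid"]);
     } else {
         // Update names & descriptions of the pictures, one row per posted id.
         foreach ($_POST["namn"] as $id => $namn) {
             // The array key is user input as well; cast it before it reaches the SQL.
             $bildId = (int) $id;
             if (isset($_POST["fotoalbum"][$id])) {
                 $album_sql = ", fotoalbum_id = '" . Security::escape($_POST["fotoalbum"][$id]) . "'";
             } else {
                 $album_sql = "";
             }
             $db->nonquery("\tUPDATE\n\t\t\t\t\t\t\t\t\tmm_fotoalbumbild\n\t\t\t\t\t\t\t\tSET\n\t\t\t\t\t\t\t\t\tnamn = '" . Security::escape($_POST["namn"][$id]) . "',\n\t\t\t\t\t\t\t\t\tbeskrivning = '" . Security::escape($_POST["beskrivning"][$id]) . "'\n\t\t\t\t\t\t\t\t\t{$album_sql}\n\t\t\t\t\t\t\t\tWHERE\n\t\t\t\t\t\t\t\t\tid = '" . $bildId . "'\n\t\t\t\t");
         }
         if (!empty($_POST['kid'])) {
             // NOTE(review): $bildId is the last key of the loop above and $_POST['namn'] is
             // the whole array here, unlike the single-picture branch — looks unintended; confirm.
             $tag = new Tagg(array('objekt_table' => 'mm_fotoalbumbild', 'objekt_id' => $bildId, 'objekt_namn' => $_POST['namn'], 'tag_table' => 'mm_kommun', 'tag_id' => $_POST['kid'], 'medlem_id' => $USER->getId()));
         }
         $urlHandler->redirect("Fotoalbum", URL_LIST);
     }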
     break;
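 case "anslagstavlarad":
     if (isset($_POST["aid"], $_POST["atext"])) {
         // Escape the id like the other loadById() call sites on this page. The row text
         // is passed through untouched, as in the original — presumably addRad() handles
         // its own storage encoding; confirm.
         $anslagstavla = Anslagstavla::loadById(Security::escape($_POST["aid"]));
         $anslagstavla->addRad($_POST["atext"]);
     }
     break;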
 case "newkeys":
     if (isset($_GET['foretagsid']) && isset($_GET['orderid']) && isset($_GET['numkeys']) && (int) $_GET['numkeys'] > 0 && Security::authorized(ADMIN)) {
예제 #11
<?php

require_once $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
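Security::demand(USER, null, false);
$smarty = new PopSmarty();
$id = isset($_GET['id']) ? Security::escape($_GET['id']) : null;
$is_inbox = isset($_GET['is_inbox']) ? Security::escape($_GET['is_inbox']) : false;
$mail_to_read = MotiomeraMail::loadById($id);
// Only the recipient or the sender may read a mail. A missing mail gets the same
// error, so the response does not reveal which ids exist.
if (!isset($USER) || !$mail_to_read || !($mail_to_read->getToId() == $USER->getId() || $mail_to_read->getSentFrom() == $USER->getId())) {
    throw new UserException('Ett fel har uppstått', 'Mailet du försöker läsa är inte skickat till dig.');
}
if ($is_inbox == '1') {
    $mail_to_read->setIsRead(1);
}
$smarty->assign("id", $id);
$smarty->assign("is_inbox", $is_inbox);
$smarty->assign("mail_to_read", $mail_to_read);
$smarty->assign("my_id", $USER->getId());
global $SETTINGS;
$fromMedlem = Medlem::loadById($mail_to_read->getSentFrom());
$smarty->assign("medlem", $fromMedlem);
// Mails from reserved (system) account names cannot be replied to. Check that the
// setting exists before reading it; the original read it first and tested isset() after.
$replyable = 1;
if (isset($SETTINGS["reserverade_anvandare"]) && is_array($SETTINGS["reserverade_anvandare"])) {
    $reserverade_anvandare = array();
    foreach ($SETTINGS["reserverade_anvandare"] as $k => $anv) {
        $reserverade_anvandare[$k] = strtolower($anv);
    }
    $replyable = in_array(strtolower($fromMedlem->getANamn()), $reserverade_anvandare, true) ? 0 : 1;
}
$smarty->assign("replyable", $replyable);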
예제 #12
<?php

include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
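Security::demand(USER);
$folder_id = isset($_GET['folder_id']) ? Security::escape($_GET['folder_id']) : '';
$move_to = isset($_GET['move_to']) ? Security::escape($_GET['move_to']) : '';
// The count is client-supplied: cast it and stop at the first missing id so a huge
// value cannot drive a long loop over undefined indices.
$nrofmails = isset($_GET['nrofmails']) ? (int) $_GET['nrofmails'] : 0;
for ($i = 0; $i < $nrofmails; $i++) {
    $getvar = 'mail_id_' . $i;
    if (!isset($_GET[$getvar])) {
        break;
    }
    $mail_id = Security::escape($_GET[$getvar]);
    $motiomeraMail = MotiomeraMail::loadById($mail_id);
    // Same ownership rule as the read-mail page: only the recipient or the sender may
    // move a mail. Ids that are missing or belong to someone else are skipped.
    if (!$motiomeraMail || !($motiomeraMail->getToId() == $USER->getId() || $motiomeraMail->getSentFrom() == $USER->getId())) {
        continue;
    }
    $motiomeraMail->setToInFolder($move_to);
}
// urlencode() keeps an odd folder id from breaking the redirect URL.
header("Location: /pages/mail.php?do=inbox&folder_id=" . urlencode($folder_id));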
 /**
  * Escapes a value through the shared Security helper.
  *
  * @param string $string raw input
  * @return string exactly what Security::escape() returns for the input
  */
 public function escape($string)
 {
     $escaped = Security::escape($string);

     return $escaped;
 }
예제 #14
<?php

require_once $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
Security::demand(USER, null, false);
$smarty = new PopSmarty();
// The logged-in member's own id drives this page; it is escaped like request input.
$id = Security::escape($USER->getId());
$myself = Medlem::loadById($id);
// Members who list the current user as a contact (argument 0 kept from the original).
$my_contacts = $myself->getUsersThatHasMeAsContact(0);
$smarty->assign("my_contacts", $my_contacts);
$smarty->assign("my_id", $USER->getId());
$smarty->display('write_new.tpl');
예제 #15
<?php

include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
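Security::demand(USER);
// Use the authenticated member's id rather than $_POST['my_id'] (the original), which
// let a caller remove mails from folders belonging to any member.
$my_id = $USER->getId();
// Anything but a positive number means "single folder".
$multiple = isset($_POST['multiple']) ? (int) $_POST['multiple'] : 0;
if ($multiple === 0) {
    $folder_id = isset($_POST['folder_id']) ? Security::escape($_POST['folder_id']) : '';
    MotiomeraMail::removeMailFromFolder($folder_id, $my_id);
} else {
    // Client-supplied count: cast it and stop at the first missing id.
    $nroffolders = isset($_POST['nroffolders']) ? (int) $_POST['nroffolders'] : 0;
    for ($i = 0; $i < $nroffolders; $i++) {
        $postvar = 'folder_id_' . $i;
        if (!isset($_POST[$postvar])) {
            break;
        }
        $folder_id = Security::escape($_POST[$postvar]);
        MotiomeraMail::removeMailFromFolder($folder_id, $my_id);
    }
}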
예제 #16
파일: mail.php 프로젝트: krillo/motiomera
// Mail overview page: the assignments shared by every "do" branch that follows.
$smarty = new MMSmarty();
$smarty->assign("pagetitle", "Mail");
$do = 'inbox';
if (isset($_GET['do'])) {
    $do = Security::escape($_GET['do']);
}
$my_id = $USER->getId();
$smarty->assign("my_id", $my_id);
$motiomeraMail_Folders = new MotiomeraMail_Folders($my_id);
$folders = $motiomeraMail_Folders->getFolders();
$smarty->assign("folders", $folders);
// Default folder until a branch below picks one from the request.
$folder_id = "0";
$myself = Medlem::loadById($USER->getId());
$my_contacts = $myself->getUsersThatHasMeAsContact(0);
$smarty->assign("my_contacts", $my_contacts);
if ($do == 'inbox') {
    $action = "inbox";
    if (isset($_GET['folder_id'])) {
        $folder_id = Security::escape($_GET['folder_id']);
    }
    $box_mails = MotiomeraMail::listMailInbox($USER->getId(), $folder_id);
    $smarty->assign("box_mails", $box_mails);
    $smarty->assign("is_inbox", true);
    $smarty->assign("to_include", "mail_box.tpl");
} else {
    if ($do == 'outbox') {
        $action = "outbox";
        $smarty->assign("is_inbox", false);
        $box_mails = MotiomeraMail::listMailOutbox($USER->getId());
        $smarty->assign("box_mails", $box_mails);
        $smarty->assign("to_include", "mail_box.tpl");
    } else {
        if ($do == 'manage_folders') {
            $action = "manage_folders";
예제 #17
 /**
  * Tells whether a row with the given url already exists in this class's table.
  *
  * @param string $url the url to look up; escaped before it is placed in the query
  * @return bool true when the count(*) result is anything but "0"
  */
 private function ljudfilExisterar($url)
 {
     global $db;
     $table = self::classToTable(get_class());
     $sql = "SELECT count(*) FROM " . $table . " WHERE url = '" . Security::escape($url) . "'";

     return $db->value($sql) != "0";
 }
예제 #18
    if (MedlemsBlockering::verifyBlocked($USER->getId(), $mid)) {
        echo 'blockerad_user';
        die;
        //throw new MedlemsBlockeringException("Kan ej skicka mail till medlemmen, medlemmen har spärrat dig.", 6);
    }
    if (MedlemsBlockering::verifyBlocked($mid, $USER->getId())) {
        echo 'blockerad_target';
        die;
        //throw new MedlemsBlockeringException("Kan ej skicka mail till medlemmen, du har spärrat medlemmen.", 5);
    }
    if ($send_to_Obj->getMotiomeraMailBlock() == 'true' && !$send_to_Obj->inAdressbok($USER)) {
        /** If user blocks mails from none friends */
        echo 'targetBlockMail';
        die;
    }
    if (!$send_to_Obj->synlig()) {
        echo 'blockedByProfile';
        die;
    }
    //åtkomst - ingen, foretag, adressbok (kom ihåg adminanvändare)
    new MotiomeraMail($amne, $msg, $sent_from, $send_to, $date, 0, 0, $allow_links);
    if (isset($_POST['rmid']) && !empty($_POST['rmid'])) {
        $reply_to = Security::escape($_POST['rmid']);
        $replyToMail = MotiomeraMail::loadById($reply_to);
        $replyToMail->setIsAnswered(1);
        $replyToMail->commit();
    }
    echo 'ok';
    //header("Location: /pages/mail.php?do=sent&mid=" . $send_to);
    //header("Location: /popup/pages/send_mail.php?do=sent&mid=" . $send_to);
}
예제 #19
<?php

/**
 * @author Jaco Ruit
 */
require 'startOrongo.php';
startOrongo('orongo-login');
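$msg = null;
$msgtype = null;
if (getUser() != null) {
    // Already logged in: redirect and stop, so the login page below is not rendered
    // and sent after the Location header (the original fell through).
    header("Location: orongo-admin");
    exit;
}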
if (isset($_GET['msg'])) {
    $msgCode = Security::escape($_GET['msg']);
    switch ($msgCode) {
        case 0:
            $msg = l("LOGIN_MSG_WRONG_DETAILS");
            $msgtype = "error";
            break;
        case 1:
            $msg = l("LOGIN_MSG_LOGGED_OUT");
            $msgtype = "success";
            break;
        case 2:
            $msg = l("LOGIN_MSG_REG_SUCCESS");
            $msgtype = "info";
            break;
        case 3:
            $msg = l("LOGIN_MSG_REG_INTERNAL_ERROR");
            $msgtype = "warning";
            break;
예제 #20
<?php

include $_SERVER["DOCUMENT_ROOT"] . "/php/init.php";
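Security::demand(USER);
$mail_id = isset($_POST['mail_id']) ? Security::escape($_POST['mail_id']) : null;
// The remover is the logged-in member; the original took $_POST['remover_id'] from the
// request, which let a caller name any member as the remover.
$remover_id = $USER->getId();
$remover = isset($_POST['remover']) ? Security::escape($_POST['remover']) : null;
if (isset($_POST['mails_to_remove'])) {
    // Client-supplied count: cast it and stop at the first missing id. Each id is escaped
    // like the single-mail path (the original passed the loop ids through raw).
    $mails_to_remove = (int) $_POST['mails_to_remove'];
    for ($i = 0; $i < $mails_to_remove; $i++) {
        $postvar = 'mail_id_' . $i;
        if (!isset($_POST[$postvar])) {
            break;
        }
        $mail_id = Security::escape($_POST[$postvar]);
        MotiomeraMail::removeMail($mail_id, $remover_id, $remover);
    }
} else {
    MotiomeraMail::removeMail($mail_id, $remover_id, $remover);
}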
예제 #21
파일: save.php 프로젝트: krillo/motiomera
     break;
 case "quizalternativ":
     // Add one answer alternative to an existing question.
     $quizFraga = QuizFraga::loadById($_POST["fid"]);
     // The checkbox counts as ticked when the key is present at all; its value is not inspected.
     $rattSvar = isset($_POST["rattSvar"]) ? true : false;
     // NOTE(review): $_POST["text"] and $_POST["fid"] are passed through untouched —
     // presumably the constructor/loader escape them; confirm, since the other branches
     // on this page escape before storing.
     new QuizAlternativ($quizFraga, $_POST["text"], $rattSvar);
     // NOTE(review): the return value of getUrl() is discarded here, while the sibling
     // branches call $urlHandler->redirect() — looks like a redirect was intended; confirm.
     $urlHandler->getUrl("QuizFraga", URL_ADMIN_EDIT, $quizFraga->getId());
     break;
 case "minaquiz":
     if (empty($_GET["qid"])) {
         // Skapa ett nytt quiz
         $mittQuiz = new MinaQuiz($_POST, true);
     } else {
         // Ladda quiz från ID
         $mittQuiz = MinaQuiz::loadById($_GET["qid"]);
         // Uppdatera variabler
         $mittQuiz->setNamn(Security::escape($_POST["namn"]));
         $mittQuiz->commit();
         // Spara till databasen
         // Uppdatera frågorna och lägg till nya
         foreach ($_POST['fraga'] as $key => $fraga) {
             $fraga = mysql_real_escape_string($fraga);
             $svar1 = mysql_real_escape_string(isset($_POST['svar_1'][$key]) ? $_POST['svar_1'][$key] : '');
             $svar2 = mysql_real_escape_string(isset($_POST['svar_2'][$key]) ? $_POST['svar_2'][$key] : '');
             $svar3 = mysql_real_escape_string(isset($_POST['svar_3'][$key]) ? $_POST['svar_3'][$key] : '');
             $ratt_svar = mysql_real_escape_string(isset($_POST['ratt_svar'][$key]) ? $_POST['ratt_svar'][$key] : '');
             if (substr_count($key, 'new_')) {
                 // Detta är en ny fråga
                 switch ($ratt_svar) {
                     case 1:
                         $mittQuiz->addQuestion($fraga, $svar1, $svar2, $svar3);
                         break;
예제 #22
파일: Rutt.php 프로젝트: krillo/motiomera
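 /**
  * Creates a fixed route (fast rutt) with the given name and the municipalities it passes.
  *
  * @param string $namn          route name; must be longer than 3 bytes
  * @param array  $kommunIdArray municipality ids (at least two); non-numeric entries are skipped
  * @param bool   $abroad        when truthy the route row is flagged abroad = 'true'
  * @return int|null the new route id, or null when the INSERT produced no id
  * @throws userException when the name is too short or fewer than two municipalities are given
  */
 public static function addFastRutt($namn, $kommunIdArray, $abroad)
 {
     global $db;
     // is_array() guards count(), which fails on non-arrays; the message is kept from the original.
     if (!(strlen($namn) > 3 && is_array($kommunIdArray) && count($kommunIdArray) > 1)) {
         throw new userException("Fel i inmatning", "Antingen var det bara 1 kommun angiven eller så var inte namnet satt");
     }
     $sql = "INSERT INTO " . self::FASTA_RUTTER_TABLE . " SET namn = '" . Security::escape($namn) . "'";
     if ($abroad) {
         $sql .= ", abroad = 'true'";
     }
     $db->query($sql);
     $id = mysql_insert_id();
     if (!$id) {
         return null;
     }
     foreach ($kommunIdArray as $kommunTill_id) {
         // Only numeric ids are accepted, and the int cast keeps values such as "1e3"
         // or " 5" (which is_numeric() allows) from reaching the unquoted SQL.
         if (is_numeric($kommunTill_id)) {
             $kommunId = (int) $kommunTill_id;
             $sql = "INSERT INTO " . self::TABLE . " SET fastRutt_id ={$id}, kommunTill_id={$kommunId}";
             $db->query($sql);
         }
     }

     return $id;
 }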