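/**
 * Adds a news item for class $class, with subject $subject and body $body.
 *
 * $class   the class ID; rejected via cust_die() unless is_numeric() accepts it.
 * $subject the subject line; anything past 75 bytes is cut off and a notice
 *          is printed (strlen()/substr() are byte-based, so a multibyte
 *          character sitting on the boundary can be split -- unchanged from
 *          the original behaviour).
 * $body    the body text; stored in a BLOB column, so no length check.
 *
 * All three arguments are run through escape_string() HERE before being
 * interpolated into the INSERT, so callers must pass raw, unescaped values.
 * NOTE(review): the caller in news.php visible elsewhere in this corpus
 * already escape_string()s subject and body before calling this function,
 * which double-escapes what gets stored -- drop one of the two.
 *
 * Opens and closes the DB connection itself (connect_sql()/disconnect_sql())
 * and die()s if the INSERT fails.
 */
function add_news_item($class, $subject, $body)
{
    $class = escape_string($class);
    // class id should be numeric
    // (the original compared is_numeric() against the string "true", which
    // only worked because of loose bool/string comparison; say what is meant)
    if (!is_numeric($class)) {
        cust_die("Class field was not submitted in the correct way.");
    }

    // subject can only be 75 characters long.
    // Fix: the original called substr() on the already-escaped subject and
    // threw the result away, so the subject was never actually shortened
    // although the message said it was. Truncation now happens on the RAW
    // value and the result is assigned. Doing it before escaping also
    // matters for safety: cutting an escaped string at a fixed byte offset
    // can leave a lone backslash as the last byte, which would escape the
    // closing quote of the SQL literal and let the following `body` value
    // land outside its string.
    if (strlen($subject) > 75) {
        $subject = substr($subject, 0, 75);
        print "The subject field was too long, so it was shortened to 75 characters.";
    }
    $subject = escape_string($subject);

    // the body field uses a blob, so it doesn't matter how long it is
    $body = escape_string($body);

    $timestamp = time();

    // NOTE(review): string-built SQL; escape_string() is the only defence.
    // No prepared-statement helper is in view in this code base, so the
    // project's escaping convention is kept rather than a new DB layer added.
    $insert = "INSERT INTO `news` (`class`, `timestamp`, `subject`, `body`) VALUES ('{$class}', '{$timestamp}', '{$subject}', '{$body}')";
    connect_sql();
    @query($insert) or die("Error adding the news item.");
    disconnect_sql();
}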
/*
 * NOTE(review) -- this span starts and ends inside an enclosing block that is
 * not visible here, so only what is on this line is assessed.
 *
 * 1. Topic validation: `if ($_GET['topic'] == "" && is_numeric($_GET['topic']) === FALSE)`
 *    uses && where || is meant. "" is never numeric, so the guard only rejects
 *    an EMPTY topic; any non-empty, non-numeric value passes and reaches the
 *    SQL literal with escape_string() as the only protection. Intended form:
 *    `if ($_GET['topic'] == "" || is_numeric($_GET['topic']) === FALSE)`.
 *    The error text also says "Invalid class ID." for a topic.
 * 2. `$topic_name` and `$body` are printed straight into HTML after
 *    stripslashes() with no htmlspecialchars(). Whether that is a stored XSS
 *    depends on whether posts/topics were HTML-escaped when inserted (the
 *    insert path is not in view) -- confirm, or escape on output.
 * 3. `result($topic_name)` on a topic ID with no row: the `->name` access is on
 *    a non-object and the page renders an empty header instead of an error.
 * 4. The delete branch checks that the post exists (num_rows) but no ownership
 *    or role check is visible in this span; it may live above the cut.
 */
$valid_post = @query("SELECT 1 FROM `posts` WHERE `post_ID`='{$post_id}' LIMIT 1") or die("Error getting information from the database."); if (num_rows($valid_post) == 0) { cust_die("Invalid post ID."); } // okay, it's valid: delete the post @query("UPDATE `posts` SET `deleted`='1' WHERE `post_ID`='{$post_id}' LIMIT 1") or die("Error deleting the post."); print "Done."; } } } } print "<table name=\"topics\" class=\"posttable\">"; // display the posts from the topic, if the user has chosen one if (isset($_GET['topic'])) { if ($_GET['topic'] == "" && is_numeric($_GET['topic']) === FALSE) { cust_die("Invalid class ID."); } $topic_ID = escape_string($_GET['topic']); // get the topic's name, and then all its posts $topic_name = @query("SELECT `name` FROM `topics` WHERE `ID`='{$topic_ID}'") or die("Error getting information from the database."); $topic_name = result($topic_name); $topic_name = stripslashes($topic_name->name); print "<tr><th>{$topic_name}</th></tr>"; $n = 1; $posts = @query("SELECT * FROM `posts` WHERE `topic_ID`='{$topic_ID}' AND `deleted`='0' ORDER BY `post_ID`") or die("Error getting posts."); while ($row = result($posts)) { $body = stripslashes($row->body); $timestamp = $row->timestamp; $post_ID = $row->post_ID; $poster = $row->poster; // get the poster's name
/*
 * NOTE(review) -- login handler; the block opens and closes outside this span.
 *
 * 1. Password storage is `md5(md5($pass))` with no salt: fast, unsalted and
 *    trivially cracked from a table dump. password_hash()/password_verify()
 *    is the fix, but the stored format is shared with add_user() and the
 *    setup script, so all writers must be migrated together.
 * 2. No session_regenerate_id(true) after the credentials check out, so a
 *    session ID that existed before login (cookie or URL) stays valid
 *    afterwards -- classic session fixation.
 * 3. `$user` is interpolated into the SELECT and into the two log INSERTs; it
 *    is assigned above the cut, so confirm it went through escape_string().
 * 4. The `failed` table is written but nothing in view reads it; there is no
 *    lockout or throttling on repeated failures.
 * 5. `while ($row = result($results))` after `LIMIT 1` is a one-row loop --
 *    harmless, but a single result() call says what is meant.
 */
} else { cust_die("You need to submit your password."); } if (strlen($pass) > 70) { cust_die("Is your password really <i>that</i> long?"); } $pass = md5(md5($pass)); // see if the pair is found connect_sql(); $results = @query("SELECT `ID`, `type`, `firstname`, `surname` FROM `users` WHERE `username`='{$user}' AND `password`='{$pass}' LIMIT 1") or die("Error."); // if the login failed, log it and tell the user if (num_rows($results) == 0) { $timestamp = time(); $ip = $_SERVER['REMOTE_ADDR']; @query("INSERT INTO `failed` (`user`, `timestamp`, `ip`) VALUES ('{$user}', '{$timestamp}', '{$ip}')"); cust_die("Your login attempt failed. Please try again."); } // if it did not fail, let the user access the system $timestamp = time(); $ip = $_SERVER['REMOTE_ADDR']; @query("INSERT INTO `logins` (`user`, `timestamp`, `ip`) VALUES ('{$user}', '{$timestamp}', '{$ip}')"); while ($row = result($results)) { $_SESSION['type'] = $row->type; $_SESSION['id'] = $row->ID; $_SESSION['name'] = stripslashes($row->firstname) . " " . stripslashes($row->surname); $_SESSION['username'] = $user; } header("Location: index.php"); print "You are now logged in. If you aren't transferred automatically, please <a href=\"index.php\">click here</a>."; disconnect_sql(); } else {
/*
 * NOTE(review) -- absence recording; the authorisation decision ("they're
 * allowed") happens above the cut and is not reviewed here.
 *
 * 1. `$absent_student` is interpolated into the SELECT; it is assigned outside
 *    this span, so confirm it is escape_string()'d and numeric.
 * 2. "Already added today" is decided by comparing date("dMY") of the latest
 *    stored timestamp with today's, in the server's default timezone; two
 *    requests straddling midnight produce two rows, which is probably fine.
 * 3. The state change is reached from a form whose method is not in view; if
 *    it is GET (the links below use `attendance.php?add`) it is CSRF-able.
 */
// okay, they're allowed to mark the student absent... // get the timestamp; it's used to see if the user has already been added for the day, and adding 'em if they haven't been $timestamp = time(); // has the user been added? $latest_absence = @query("SELECT `timestamp` FROM `absences` WHERE `user_ID`='{$absent_student}' ORDER BY `timestamp` DESC LIMIT 1") or die("Error checking the database."); if (num_rows($latest_absence) != 0) { while ($row = result($latest_absence)) { $old_timestamp = $row->timestamp; // generate the date from the timestamp; compare this to today's date $old_date = date("dMY", $old_timestamp); $new_date = date("dMY", $timestamp); // if the dates don't match, add the user if ($old_date != $new_date) { add_absence($absent_student, $timestamp); } } } else { add_absence($absent_student, $timestamp); } disconnect_sql(); print "Done. <a href=\"attendance.php?add\" title=\"add another\">Add another</a>?"; } else { cust_die("You may not view this page."); } } else { any_errors(); print "Would you like to <a href=\"attendance.php?add\" title=\"add absences\" accesskey=\"s\">a<em>d</em>d absences</a> or <a href=\"attendance.php?view\" title=\"view absences\" accesskey=\"d\">view ab<em>s</em>ences</a>?"; } print "</div>"; display_copyright(); display_footer();
/*
 * NOTE(review) -- password-recovery confirmation; block opens above the cut.
 *
 * 1. The recovery token is checked with `if ($real_string != $string)`, a
 *    LOOSE comparison. When both sides look numeric PHP compares them as
 *    numbers, so a stored hash of the form "0e<digits>" is equal to "0" (and
 *    to any other "0e..." string). Replace with
 *    `if (!hash_equals($real_string, $string))` -- strict and constant-time.
 * 2. `$cryptpass` is never assigned in this span; confirm it is generated
 *    server-side above, and that it is NOT taken from the request.
 * 3. Nothing in view deletes or marks the `pass_recovery` row after use, so
 *    the same e-mail/token pair resets the password again and again until
 *    something else clears it.
 * 4. "That e-mail address is not in the database." lets a caller enumerate
 *    registered e-mail addresses; a uniform "if the address exists..."
 *    reply avoids that.
 * 5. Two round trips (`SELECT 1` then `SELECT hash`) for one lookup; one
 *    SELECT plus a num_rows() check does the same.
 */
$email = escape_string($_POST['e']); if (is_valid_email($email) == FALSE) { cust_die("..that is not a valid e-mail address."); } $string = escape_string($_POST['s']); connect_sql(); $in_the_database = "SELECT 1 FROM `pass_recovery` WHERE `email`='{$email}' LIMIT 1"; $in_the_database = @query($in_the_database) or die("Error checking the database."); if (num_rows($in_the_database) == 0) { cust_die("That e-mail address is not in the database."); } $real_string = "SELECT `hash` FROM `pass_recovery` WHERE `email`='{$email}' LIMIT 1"; $real_string = @query($real_string) or die("Error checking the database."); $real_string = result($real_string); $real_string = $real_string->hash; if ($real_string != $string) { cust_die("You shouldn't mess with the data. ;D"); } // update their password @query("UPDATE `users` SET `password`='{$cryptpass}' WHERE `email`='{$email}' LIMIT 1") or die("Error updating the database."); disconnect_sql(); print "Your password has been changed. <a href=\"login.php\" title=\"login\">Login here</a>."; } else { any_errors(); print "<p>Did you forget your password? No big deal, you can change it in a few different ways."; print "<ul><li>If you have entered your email address on the options page you can <a href=\"recoverpass.php?email\" title=\"get a new password\">get a new password generated for you</a>.</li><li>If you haven't entered your e-mail address on the options page you'll need to get your administrator to reset it for you. Talk to him or her about it the next chance you get.</li></ul>"; } print "<hr class=\"mainpagehr\" /><a href=\"index.php\" title=\"index page\">index page</a>"; print "</div>"; display_copyright(); display_footer();
/*
 * NOTE(review) -- category weight update; `$categories`, `$categoryid`,
 * `$categoryname`, `$categoryweight`, `$total`, `$teacherid` and `$classid`
 * are all assigned above the cut.
 *
 * 1. The UPDATE is keyed on `$categoryid` alone; no check in view ties that
 *    category to the teacher in the session, so if it is not done above, any
 *    teacher can rename/re-weight another teacher's category.
 * 2. `$id` comes from explode(":", $part) and goes straight into SQL -- fine
 *    if `$categories` originates from the database, not if from the request.
 * 3. Only `$total > 100` is rejected; a negative `$categoryweight` is accepted
 *    and silently lowers the others' effective weight.
 * 4. `$teacherid`/`$classid` are printed into href attributes without
 *    urlencode()/htmlspecialchars(); harmless if they are numeric.
 */
foreach ($categories as $part) { if ($part != "") { list($id, $category) = explode(":", $part); // we don't want to include the modified category twice if ($id != $categoryid) { // get the category's weight $weight = @query("SELECT `weight` FROM `categories` WHERE `ID`='{$id}' LIMIT 1") or die("Error checking the database."); while ($row = result($weight)) { $total += $row->weight; } } } } $total += $categoryweight; if ($total > 100) { cust_die("The total weights of your categories will exceed 100; this cannot happen."); } // 'kay, update the database. @query("UPDATE `categories` SET `name`='{$categoryname}', `weight`='{$categoryweight}' WHERE `ID`='{$categoryid}'") or die("Error updating the database."); print "Done. Back to the <a href=\"category.php?teacherid={$teacherid}&classid={$classid}\" title=\"categories page\">class's category page</a>, or the <a href=\"category.php?teacherid={$teacherid}\" title=\"main category page\">main category page</a>?"; } else { any_errors(); $id = $_SESSION['id']; // print some documentation about categories print "<p>Categories are used to weigh assignments differently. For example, you can have tests weighted at 50%, and 50% of a student's grade will come from his or her tests.</p>\n"; print "<p>Currently, you must setup categories for each of your classes. If it is requested, this can be eventually changed so your classes can use the same categories.</p>\n"; print "<p>Below are links to setup or modify your classes' categories.</p>\n"; display_classes(); } disconnect_sql(); print "</div>";
/*
 * NOTE(review) -- assignment index; the first branch's opening and its
 * authorisation are above the cut.
 *
 * 1. The `user_type() != "teacher"` guard only covers the else branch
 *    (the class list). Whether the view branch above applies the same check
 *    cannot be seen here.
 * 2. `$name = stripslashes($row->name)` is echoed into a <td> with no
 *    htmlspecialchars(). The class insert in add.php (elsewhere in this
 *    corpus) does not HTML-escape the class name on the way in, so a class
 *    name containing markup is rendered as markup here.
 * 3. `$semesters[$n]` and `$class_id` go into hrefs unescaped; fine while
 *    they are numeric, which the code assumes but does not check here.
 */
$n = 0; $this_semester = $grading_period; $other_semesters = ""; while (isset($semesters[$n])) { if ($semesters[$n] != $this_semester) { $other_semesters .= "<a href=\"assignment.php?view&id={$class_id}&gp={$semesters[$n]}\" title=\"assignments for grading period {$semesters[$n]}\">{$semesters[$n]}</a> "; } $n++; } } print "{$other_semesters}</div></div>"; disconnect_sql(); } else { any_errors(); if (user_type() != "teacher") { cust_die("There is nothing for you to do here."); } print "<table>\n<tr><th>Grading Period(s)</th><th>Period</th><th>Class Name</th></tr>"; $id = $_SESSION['id']; connect_sql(); $classes = @query("SELECT * FROM `classes` WHERE `teacher`='{$id}' ORDER BY `period`") or die("Error getting your list of classes."); while ($row = result($classes)) { $name = stripslashes($row->name); $period = $row->period; $class_id = $row->ID; $semesters = $row->semester; print "<tr><td>{$semesters}</td><td>{$period}</td><td>{$name}</td><td><a href=\"assignment.php?add&id={$class_id}\" title=\"add an assignment\">add an assignment</a></td><td>|</td><td><a href=\"assignment.php?edit&id={$class_id}\" title=\"edit an assignment\">edit an assignment</a></td></tr>"; } print "</table>"; } print "</div>";
/*
 * NOTE(review) -- message delete / outbox; enclosing if/elseif chain begins
 * above the cut.
 *
 * 1. Broken ownership check (IDOR):
 *      `$message = @query("SELECT * FROM `mail` WHERE `id`='{$mailid}' AND `to`='{$userid}'") or cust_die(...)`
 *    only fails when the QUERY fails. Elsewhere in this code base a
 *    successful query with no matching rows still returns a result handle
 *    and is tested with num_rows() separately, so a message that belongs
 *    to someone else passes this line and the unconditional
 *    `UPDATE mail SET deleted='1' WHERE id='{$mailid}'` soft-deletes it.
 *    Any logged-in user can delete any message by guessing its ID. Fix:
 *      `if (num_rows($message) == 0) { cust_die("You may not access that message."); }`
 *    and/or add `AND `to`='{$userid}'` to the UPDATE's WHERE clause.
 * 2. The delete is triggered by a plain GET (`messages.php?delete&id=N`), so
 *    a link or image tag on any page deletes the victim's mail -- CSRF. A
 *    POST with a per-session token is the usual shape.
 * 3. `$userid`/`$id` come from `$_SESSION['id']`, which is trusted; `$mailid`
 *    is escape_string()'d and checked with is_numeric() -- good.
 */
} } print_mail($stuff); disconnect_sql(); } elseif (isset($_GET['delete'])) { connect_sql(); if (!isset($_GET['id'])) { header("Location: messages.php"); die; } $userid = $_SESSION['id']; $mailid = escape_string($_GET['id']); if (is_numeric($mailid) == FALSE) { cust_die("You shouldn't mess with the ID."); } $message = @query("SELECT * FROM `mail` WHERE `id`='{$mailid}' AND `to`='{$userid}'") or cust_die("You may not access that message."); @query("UPDATE `mail` SET `deleted`='1' WHERE `id`='{$mailid}'") or die("Error updating the database."); print_mail("The message has been deleted."); disconnect_sql(); } elseif (isset($_GET['outbox'])) { connect_sql(); $id = $_SESSION['id']; $messages = @query("SELECT * FROM `mail` WHERE `from`='{$id}'") or die("Error getting information from the database."); if (num_rows($messages) == 0) { $stuff = "You have not sent any messages."; } else { $stuff = "<table><tr><th>To</th><th>Subject</th><th>Date</th></tr>"; $tdcolour = 0; while ($row = result($messages)) { $messageid = $row->id; $to = $row->to;
/*
 * NOTE(review) -- news add handler; the class-ID validation that precedes
 * `cust_die("Don't mess with the class ID. ;D")` is above the cut.
 *
 * 1. Double escaping: `$subject` and `$body` are escape_string()'d here and
 *    then escape_string()'d AGAIN inside add_news_item() (defined elsewhere
 *    in this corpus), so a quote is stored as `\\'` and shows up with a
 *    stray backslash. Pass the htmlspecialchars()'d values through without
 *    escaping here, or drop the escaping in the helper -- not both.
 * 2. The teacher/class ownership check before the insert is correct and the
 *    admin bypass is deliberate; note it is skipped entirely for admins, so
 *    an admin may post to a non-existent class ID.
 * 3. htmlspecialchars() is applied on the way IN; every later consumer must
 *    therefore print the stored text without re-encoding it.
 * 4. `$timestamp = time()` here is unused; add_news_item() takes its own.
 * 5. connect_sql() is called here and again inside add_news_item(); harmless
 *    only if connect_sql() tolerates being called twice -- not in view.
 */
cust_die("Don't mess with the class ID. ;D"); } $class_id = escape_string($_POST['class']); if (!isset($_POST['subject']) or $_POST['subject'] == "") { cust_die("You must submit a subject."); } if (!isset($_POST['body']) or $_POST['body'] == "") { cust_die("You must submit the body."); } // see if they can add news to the class (not needed if they're an admin) if (user_type() != "admin") { $user_id = $_SESSION['id']; connect_sql(); $query = @query("SELECT 1 FROM `classes` WHERE `ID`='{$class_id}' AND `teacher`='{$user_id}' LIMIT 1") or die("Error checking the database."); if (num_rows($query) == 0) { cust_die("You may not add news to that class."); } disconnect_sql(); } $subject = escape_string(htmlspecialchars($_POST['subject'])); $body = escape_string(htmlspecialchars($_POST['body'])); $timestamp = time(); connect_sql(); add_news_item($class_id, $subject, $body); disconnect_sql(); print "The news item was added. <a href=\"news.php?add\" title=\"add a news item\">Add another</a>?"; } else { any_errors(); if (user_type() == "user") { display_latest_news($_SESSION['id'], 3); } else {
/*
 * NOTE(review) -- setup script writing a PHP config file; the heredoc and
 * the surrounding block continue past the cut, and `$server_type`,
 * `$server`, `$username`, `$password`, `$database`, `$server_root` are set
 * above it.
 *
 * 1. The POST values are embedded into PHP SOURCE inside a heredoc
 *    (`define("school_name", "{$school_name}");`). escape_string() is a SQL
 *    escape: it backslashes quotes but leaves `$` alone, so a value such as
 *    `${...}` or `{$...}` survives into the generated file and is
 *    interpolated when that file is later included (the define() calls
 *    suggest it is). On PHP versions that still support `${expr}` string
 *    interpolation this is arbitrary code execution for whoever can reach
 *    the setup form. Emit each value as a literal instead, e.g.
 *      `define("school_name", ` . var_export($school_name, true) . `);`
 *    or at minimum single-quote the generated strings and addslashes() them.
 * 2. `$date_format`, `$time_format`, `$school_name`, `$number_of_periods`,
 *    `$number_of_semesters` get no validation at all (only the three flags
 *    are checked with is_numeric()).
 * 3. The DB password ends up in a web-readable PHP file; make sure the
 *    generated path is outside the document root or otherwise not served.
 */
$date_format = escape_string($_POST['date_format']); $time_format = escape_string($_POST['time_format']); $school_name = escape_string($_POST['school_name']); $number_of_periods = escape_string($_POST['number_of_periods']); $number_of_semesters = escape_string($_POST['number_of_semesters']); $enable_forums = escape_string($_POST['enable_forums']); if (is_numeric($enable_forums) == FALSE) { cust_die("Don't mess with that. ;D"); } $track_attendance = escape_string($_POST['track_attendance']); if (is_numeric($track_attendance) == FALSE) { cust_die("Don't mess with that. ;D"); } $current_semester = escape_string($_POST['current_semester']); if (is_numeric($current_semester) == FALSE) { cust_die("Don't mess with that. ;D"); } $content = <<<EOT <?php define("current_version", "0.1.3"); define("server_type", "{$server_type}"); define("server", "{$server}"); define("username", "{$username}"); define("password", "{$password}"); define("database", "{$database}"); define("server_root", "{$server_root}"); define("school_name", "{$school_name}"); define("dateformat", "{$date_format}");
/**
 * Inserts a new row into `users`.
 *
 * $username    the login name; refused if a row with that username exists
 * $cryptedpass the password in the form the rest of this code base stores
 *              and compares: md5(md5($password))
 * $type        1 = "user", 2 = "teacher", 3 = "admin", 4 = "parent"
 * $firstname   the user's first name
 * $surname     the user's surname
 * $gender      written verbatim into the `gender` column
 * $email       the user's e-mail address
 *
 * Every argument is interpolated directly into SQL; this function does NOT
 * escape anything, so the caller must run each value through escape_string()
 * first. Expects an open connection (connect_sql() already called).
 *
 * Terminates via cust_die() when the username is taken and via die() on a
 * database error; returns nothing on success.
 *
 * NOTE(review): unsalted double MD5 is not a password hash; password_hash()
 * is the replacement, but login compares md5(md5()) as well, so every
 * writer and reader of `users`.`password` has to move together.
 * NOTE(review): SELECT-then-INSERT is not atomic -- two concurrent requests
 * can both pass the duplicate check. A UNIQUE index on `username` is the
 * real guard; this check only gives the friendlier message.
 */
function add_user($username, $cryptedpass, $type, $firstname, $surname, $gender, $email)
{
    // Refuse a duplicate username before touching the table.
    $lookup = @query("SELECT 1 FROM `users` WHERE `username`='{$username}'")
        or die("Error checking the database.");
    if (num_rows($lookup) > 0) {
        cust_die("The requested username is already in the database. Please select another one.");
    }

    $columns = "`username`, `password`, `type`, `firstname`, `surname`, `gender`, `email`";
    $values  = "'{$username}', '{$cryptedpass}', '{$type}', '{$firstname}', '{$surname}', '{$gender}', '{$email}'";
    query("INSERT INTO `users` ({$columns}) VALUES ({$values})")
        or die("Error adding the user's information into the database.");
}
/*
 * NOTE(review) -- setup: admin account creation; the block continues above
 * and below the cut.
 *
 * 1. Length check vs. message: `if (strlen($admin_password) < 5)` rejects only
 *    passwords shorter than 5, while the text says "at least 6 characters".
 *    And the length is measured AFTER htmlspecialchars()+escape_string(), so
 *    `'` counts as several bytes (`\&#039;`) -- a short password with one
 *    special character passes.
 * 2. The password is hashed in its escaped/entity-encoded form
 *    (`md5(md5($admin_password))` after both transforms). Unless login
 *    applies exactly the same transforms before hashing (the login handler
 *    in this corpus hashes `$pass` whose preparation is not in view), an
 *    admin password containing `'`, `"`, `<`, `>`, `&` or `\` can never be
 *    used to log in. Hash the raw value.
 * 3. `isset($_POST['pass1']) and isset($_POST['pass2']) && $_POST['pass1'] != $_POST['pass2']`
 *    mixes `and` (low precedence) with `&&`; it parses as
 *    `isset(pass1) and (isset(pass2) && pass1 != pass2)`, so a missing pass2
 *    skips the mismatch check and `$_POST['pass1']` is then read unguarded.
 * 4. `list($firstname, $surname) = explode(" ", $realname)` with a one-word
 *    (or empty) real name leaves `$surname` unset.
 * 5. Same unsalted md5(md5()) as everywhere else -- see the login handler.
 */
cust_die("You must submit the name of the database you'd like to use."); } if (isset($_POST['username']) and $_POST['username'] != "") { $admin_username = escape_string(htmlspecialchars($_POST['username'])); } else { cust_die("You must submit the admin's username."); } if (isset($_POST['pass1']) and isset($_POST['pass2']) && $_POST['pass1'] != $_POST['pass2']) { cust_die("Please make sure the admin's passwords match."); } $admin_password = escape_string(htmlspecialchars($_POST['pass1'])); if (strlen($admin_password) < 5) { cust_die("Your admin password must be at least 6 characters long."); } if ($admin_password == $admin_username) { cust_die("Your admin password may not be your admin username."); } $admin_password = md5(md5($admin_password)); if (isset($_POST['realname']) and $_POST['realname'] != "") { $realname = escape_string(htmlspecialchars($_POST['realname'])); } else { $realname = ""; } if (isset($_POST['emailaddress']) and $_POST['emailaddress'] != "") { $emailaddress = escape_string(htmlspecialchars($_POST['emailaddress'])); } else { $emailaddress = ""; } // split the name into its pieces... list($firstname, $surname) = explode(" ", $realname); // get the set up file
/*
 * NOTE(review) -- parent/student class view; `$the_student` and
 * `$requested_class` are assigned above the cut.
 *
 * 1. Enrolment check by substring:
 *      `if (strpos($class, $requested_class) === false)`
 *    tests whether the requested class ID appears ANYWHERE in an entry of
 *    the comma-separated list from classes_by_semester(). Requesting class
 *    "1" passes for a student enrolled in "12", "21" or "102". Compare the
 *    parsed ID with `===` (e.g. after splitting the entry the same way the
 *    list is built -- its exact format is not in view) instead of strpos().
 * 2. If the list is empty after the trailing element is dropped, the foreach
 *    never runs and `$could_be_in_class` is undefined; `null == 0` is true,
 *    so the request is still refused -- correct by accident, but set the
 *    flag to 0 before the loop.
 * 3. `$class_name`, `$teacher_name` and `$room` are printed into HTML (and
 *    into a title attribute) after stripslashes() with no htmlspecialchars();
 *    the class insert in add.php does not HTML-escape these on the way in.
 * 4. `$requested_class` and `$teacher` are interpolated into SQL; the
 *    former's escaping is outside this span, the latter comes from the DB.
 */
// see if they're in the class $class_list = classes_by_semester($the_student, current_semester); $classes = explode(",", $class_list); // get rid of the empty part of the array $empty = count($classes) - 1; unset($classes[$empty]); foreach ($classes as $class) { $could_be_in_class = 1; if (strpos($class, $requested_class) === false) { $could_be_in_class = 0; } else { break; } } if ($could_be_in_class == 0) { cust_die("Your student is not in that class."); } // okay, they are in the class. Let 'em do what they can do... // get the class's info $class_info = @query("SELECT * FROM `classes` WHERE `ID`='{$requested_class}' LIMIT 1") or die("Error getting the class's information."); while ($row = result($class_info)) { $class_name = stripslashes($row->name); $teacher = $row->teacher; // get the teacher's actual name $teacher_name = @query("SELECT `firstname`,`surname` FROM `users` WHERE `ID`='{$teacher}' LIMIT 1") or die("Error getting the teacher's name."); $result = result($teacher_name); $teacher_name = stripslashes($result->firstname) . " " . stripslashes($result->surname); $room = stripslashes($row->room); $period = $row->period; $semester = $row->semester; print "<div class=\"class_info\"><p>{$class_name}, taught by <a href=\"messages.php?compose&id={$teacher}\" title=\"Send {$teacher_name} a message.\">{$teacher_name}</a>";
/*
 * NOTE(review) -- add-class handler; the role check (presumably admin) is
 * above the cut and not visible here.
 *
 * 1. `$teacher`, `$period` and `$semester` are only escape_string()'d, never
 *    checked to be numeric the way other handlers in this corpus do
 *    ("Don't mess with that"). Escaping stops quote break-out; it does not
 *    stop a bogus teacher ID from being stored.
 * 2. `$classname` and `$room` are stored WITHOUT htmlspecialchars() (unlike
 *    the news/setup handlers, which encode on input), and the class list and
 *    class-info pages print them with stripslashes() and no output encoding.
 *    Whoever can add a class can therefore plant markup that renders for
 *    every teacher/parent who views it.
 * 3. No check that `$teacher` refers to a user of type "teacher", or that
 *    the period/semester values are within the configured ranges.
 * 4. Typo in a runtime string (left untouched here): the "add a few" link
 *    closes with `</a?>` and uses `alt=` on an <a>, so the error page's
 *    markup is broken.
 */
print $stuff; } elseif (isset($_POST['addclass'])) { if (!isset($_POST['classname']) or $_POST['classname'] == "") { cust_die("You must specify the class's name."); } if (!isset($_POST['period']) or $_POST['period'] == "") { cust_die("You must specify the period the class takes place during."); } if (!isset($_POST['teacher']) or $_POST['teacher'] == "") { cust_die("You must select a teacher for the class. (Perhaps you need to <a href=\"add.php?teacher\" alt=\"add a teacher\">add a few</a?>?)"); } if (!isset($_POST['room']) or $_POST['room'] == "") { cust_die("You must submit which room the class takes place in."); } if (!isset($_POST['semester']) or $_POST['semester'] == "") { cust_die("You must specify which grading period(s) the class happens during."); } $classname = escape_string($_POST['classname']); $period = escape_string($_POST['period']); $teacher = escape_string($_POST['teacher']); $room = escape_string($_POST['room']); $semester = escape_string($_POST['semester']); connect_sql(); @query("INSERT INTO `classes` (`name`, `teacher`, `room`, `period`, `semester`) VALUES ('{$classname}', '{$teacher}', '{$room}', '{$period}', '{$semester}')") or die("Error updating the database."); disconnect_sql(); print "The class has been added. <a href=\"add.php?class\" title=\"add a class\">Add another</a>?"; } else { any_errors(); print "Would you like to add a <a href=\"add.php?class\" title=\"add a class\">class</a>, <a href=\"add.php?teacher\" title=\"add a teacher\">teacher</a>, or <a href=\"add.php?student\" title=\"add a student\">student</a>?"; } print "</div>";