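/**
 * Adds a news item for class $class, with subject $subject and body $body.
 *
 * $class must be a numeric class ID; any other value aborts the request via cust_die().
 * $subject is cut to 75 characters (the size of its column) and the user is told when that happens.
 * $body may be any length; its column is a BLOB.
 *
 * The INSERT is still assembled by string interpolation and relies on escape_string() for
 * every value, so all three arguments are passed through it here. A prepared statement would
 * be the preferable form should the query() helper ever support one.
 */
function add_news_item($class, $subject, $body)
{
    // is_numeric() already returns a bool, so test it directly (the original compared the
    // result against the string "true"); validate the raw value before escaping touches it
    if (!is_numeric($class)) {
        cust_die("Class field was not submitted in the correct way.");
    }
    $class = escape_string($class);
    // the subject column holds 75 characters: shorten the *raw* subject (the original discarded
    // the substr() result), and do it before escaping so a backslash added by escape_string()
    // can never be separated from the character it protects
    if (strlen($subject) > 75) {
        $subject = substr($subject, 0, 75);
        print "The subject field was too long, so it was shortened to 75 characters.";
    }
    $subject = escape_string($subject);
    // the body column is a BLOB, so its length is not limited here
    $body = escape_string($body);
    $timestamp = time();
    $insert = "INSERT INTO `news` (`class`, `timestamp`, `subject`, `body`) VALUES ('{$class}', '{$timestamp}', '{$subject}', '{$body}')";
    connect_sql();
    // `@` hides the helper's own warning; the `or die` still stops the page when the insert fails
    @query($insert) or die("Error adding the news item.");
    disconnect_sql();
}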
                 $valid_post = @query("SELECT 1 FROM `posts` WHERE `post_ID`='{$post_id}' LIMIT 1") or die("Error getting information from the database.");
                 if (num_rows($valid_post) == 0) {
                     cust_die("Invalid post ID.");
                 }
                 // okay, it's valid: delete the post
                 @query("UPDATE `posts` SET `deleted`='1' WHERE `post_ID`='{$post_id}' LIMIT 1") or die("Error deleting the post.");
                 print "Done.";
             }
         }
     }
 }
 print "<table name=\"topics\" class=\"posttable\">";
 // display the posts from the topic, if the user has chosen one
 if (isset($_GET['topic'])) {
     if ($_GET['topic'] == "" && is_numeric($_GET['topic']) === FALSE) {
         cust_die("Invalid class ID.");
     }
     $topic_ID = escape_string($_GET['topic']);
     // get the topic's name, and then all its posts
     $topic_name = @query("SELECT `name` FROM `topics` WHERE `ID`='{$topic_ID}'") or die("Error getting information from the database.");
     $topic_name = result($topic_name);
     $topic_name = stripslashes($topic_name->name);
     print "<tr><th>{$topic_name}</th></tr>";
     $n = 1;
     $posts = @query("SELECT * FROM `posts` WHERE `topic_ID`='{$topic_ID}' AND `deleted`='0' ORDER BY `post_ID`") or die("Error getting posts.");
     while ($row = result($posts)) {
         $body = stripslashes($row->body);
         $timestamp = $row->timestamp;
         $post_ID = $row->post_ID;
         $poster = $row->poster;
         // get the poster's name
    } else {
        cust_die("You need to submit your password.");
    }
    if (strlen($pass) > 70) {
        cust_die("Is your password really <i>that</i> long?");
    }
    $pass = md5(md5($pass));
    // see if the pair is found
    connect_sql();
    $results = @query("SELECT `ID`, `type`, `firstname`, `surname` FROM `users` WHERE `username`='{$user}' AND `password`='{$pass}' LIMIT 1") or die("Error.");
    // if the login failed, log it and tell the user
    if (num_rows($results) == 0) {
        $timestamp = time();
        $ip = $_SERVER['REMOTE_ADDR'];
        @query("INSERT INTO `failed` (`user`, `timestamp`, `ip`) VALUES ('{$user}', '{$timestamp}', '{$ip}')");
        cust_die("Your login attempt failed.  Please try again.");
    }
    // if it did not fail, let the user access the system
    $timestamp = time();
    $ip = $_SERVER['REMOTE_ADDR'];
    @query("INSERT INTO `logins` (`user`, `timestamp`, `ip`) VALUES ('{$user}', '{$timestamp}', '{$ip}')");
    while ($row = result($results)) {
        $_SESSION['type'] = $row->type;
        $_SESSION['id'] = $row->ID;
        $_SESSION['name'] = stripslashes($row->firstname) . " " . stripslashes($row->surname);
        $_SESSION['username'] = $user;
    }
    header("Location: index.php");
    print "You are now logged in.  If you aren't transferred automatically, please <a href=\"index.php\">click here</a>.";
    disconnect_sql();
} else {
        // okay, they're allowed to mark the student absent...
        // get the timestamp; it's used to see if the user has already been added for the day, and adding 'em if they haven't been
        $timestamp = time();
        // has the user been added?
        $latest_absence = @query("SELECT `timestamp` FROM `absences` WHERE `user_ID`='{$absent_student}' ORDER BY `timestamp` DESC LIMIT 1") or die("Error checking the database.");
        if (num_rows($latest_absence) != 0) {
            while ($row = result($latest_absence)) {
                $old_timestamp = $row->timestamp;
                // generate the date from the timestamp; compare this to today's date
                $old_date = date("dMY", $old_timestamp);
                $new_date = date("dMY", $timestamp);
                // if the dates don't match, add the user
                if ($old_date != $new_date) {
                    add_absence($absent_student, $timestamp);
                }
            }
        } else {
            add_absence($absent_student, $timestamp);
        }
        disconnect_sql();
        print "Done.  <a href=\"attendance.php?add\" title=\"add another\">Add another</a>?";
    } else {
        cust_die("You may not view this page.");
    }
} else {
    any_errors();
    print "Would you like to <a href=\"attendance.php?add\" title=\"add absences\" accesskey=\"s\">a<em>d</em>d absences</a> or <a href=\"attendance.php?view\" title=\"view absences\" accesskey=\"d\">view ab<em>s</em>ences</a>?";
}
// close the page's content wrapper, then hand over to the project's copyright and footer helpers
echo '</div>';
display_copyright();
display_footer();
    $email = escape_string($_POST['e']);
    if (is_valid_email($email) == FALSE) {
        cust_die("..that is not a valid e-mail address.");
    }
    $string = escape_string($_POST['s']);
    connect_sql();
    $in_the_database = "SELECT 1 FROM `pass_recovery` WHERE `email`='{$email}' LIMIT 1";
    $in_the_database = @query($in_the_database) or die("Error checking the database.");
    if (num_rows($in_the_database) == 0) {
        cust_die("That e-mail address is not in the database.");
    }
    $real_string = "SELECT `hash` FROM `pass_recovery` WHERE `email`='{$email}' LIMIT 1";
    $real_string = @query($real_string) or die("Error checking the database.");
    $real_string = result($real_string);
    $real_string = $real_string->hash;
    if ($real_string != $string) {
        cust_die("You shouldn't mess with the data.  ;D");
    }
    // update their password
    @query("UPDATE `users` SET `password`='{$cryptpass}' WHERE `email`='{$email}' LIMIT 1") or die("Error updating the database.");
    disconnect_sql();
    print "Your password has been changed.  <a href=\"login.php\" title=\"login\">Login here</a>.";
} else {
    any_errors();
    print "<p>Did you forget your password?  No big deal, you can change it in a few different ways.";
    print "<ul><li>If you have entered your email address on the options page you can <a href=\"recoverpass.php?email\" title=\"get a new password\">get a new password generated for you</a>.</li><li>If you haven't entered your e-mail address on the options page you'll need to get your administrator to reset it for you.  Talk to him or her about it the next chance you get.</li></ul>";
}
// link back to the index page, close the content wrapper, then print the shared copyright and footer
echo '<hr class="mainpagehr" /><a href="index.php" title="index page">index page</a>';
echo '</div>';
display_copyright();
display_footer();
    foreach ($categories as $part) {
        if ($part != "") {
            list($id, $category) = explode(":", $part);
            // we don't want to include the modified category twice
            if ($id != $categoryid) {
                // get the category's weight
                $weight = @query("SELECT `weight` FROM `categories` WHERE `ID`='{$id}' LIMIT 1") or die("Error checking the database.");
                while ($row = result($weight)) {
                    $total += $row->weight;
                }
            }
        }
    }
    $total += $categoryweight;
    if ($total > 100) {
        cust_die("The total weights of your categories will exceed 100; this cannot happen.");
    }
    // 'kay, update the database.
    @query("UPDATE `categories` SET `name`='{$categoryname}', `weight`='{$categoryweight}' WHERE `ID`='{$categoryid}'") or die("Error updating the database.");
    print "Done.  Back to the <a href=\"category.php?teacherid={$teacherid}&classid={$classid}\" title=\"categories page\">class's category page</a>, or the <a href=\"category.php?teacherid={$teacherid}\" title=\"main category page\">main category page</a>?";
} else {
    any_errors();
    $id = $_SESSION['id'];
    // print some documentation about categories
    print "<p>Categories are used to weigh assignments differently.  For example, you can have tests weighted at 50%, and 50% of a student's grade will come from his or her tests.</p>\n";
    print "<p>Currently, you must setup categories for each of your classes.  If it is requested, this can be eventually changed so your classes can use the same categories.</p>\n";
    print "<p>Below are links to setup or modify your classes' categories.</p>\n";
    display_classes();
}
// both branches above are done with the database; release it and close the content wrapper
disconnect_sql();
echo '</div>';
        $n = 0;
        $this_semester = $grading_period;
        $other_semesters = "";
        while (isset($semesters[$n])) {
            if ($semesters[$n] != $this_semester) {
                $other_semesters .= "<a href=\"assignment.php?view&amp;id={$class_id}&amp;gp={$semesters[$n]}\" title=\"assignments for grading period {$semesters[$n]}\">{$semesters[$n]}</a> ";
            }
            $n++;
        }
    }
    print "{$other_semesters}</div></div>";
    disconnect_sql();
} else {
    any_errors();
    if (user_type() != "teacher") {
        cust_die("There is nothing for you to do here.");
    }
    print "<table>\n<tr><th>Grading Period(s)</th><th>Period</th><th>Class Name</th></tr>";
    $id = $_SESSION['id'];
    connect_sql();
    $classes = @query("SELECT * FROM `classes` WHERE `teacher`='{$id}' ORDER BY `period`") or die("Error getting your list of classes.");
    while ($row = result($classes)) {
        $name = stripslashes($row->name);
        $period = $row->period;
        $class_id = $row->ID;
        $semesters = $row->semester;
        print "<tr><td>{$semesters}</td><td>{$period}</td><td>{$name}</td><td><a href=\"assignment.php?add&id={$class_id}\" title=\"add an assignment\">add an assignment</a></td><td>|</td><td><a href=\"assignment.php?edit&id={$class_id}\" title=\"edit an assignment\">edit an assignment</a></td></tr>";
    }
    print "</table>";
}
// close the content wrapper opened earlier in the page
echo '</div>';
        }
    }
    print_mail($stuff);
    disconnect_sql();
} elseif (isset($_GET['delete'])) {
    connect_sql();
    if (!isset($_GET['id'])) {
        header("Location: messages.php");
        die;
    }
    $userid = $_SESSION['id'];
    $mailid = escape_string($_GET['id']);
    if (is_numeric($mailid) == FALSE) {
        cust_die("You shouldn't mess with the ID.");
    }
    $message = @query("SELECT * FROM `mail` WHERE `id`='{$mailid}' AND `to`='{$userid}'") or cust_die("You may not access that message.");
    @query("UPDATE `mail` SET `deleted`='1' WHERE `id`='{$mailid}'") or die("Error updating the database.");
    print_mail("The message has been deleted.");
    disconnect_sql();
} elseif (isset($_GET['outbox'])) {
    connect_sql();
    $id = $_SESSION['id'];
    $messages = @query("SELECT * FROM `mail` WHERE `from`='{$id}'") or die("Error getting information from the database.");
    if (num_rows($messages) == 0) {
        $stuff = "You have not sent any messages.";
    } else {
        $stuff = "<table><tr><th>To</th><th>Subject</th><th>Date</th></tr>";
        $tdcolour = 0;
        while ($row = result($messages)) {
            $messageid = $row->id;
            $to = $row->to;
        cust_die("Don't mess with the class ID. ;D");
    }
    $class_id = escape_string($_POST['class']);
    if (!isset($_POST['subject']) or $_POST['subject'] == "") {
        cust_die("You must submit a subject.");
    }
    if (!isset($_POST['body']) or $_POST['body'] == "") {
        cust_die("You must submit the body.");
    }
    // see if they can add news to the class (not needed if they're an admin)
    if (user_type() != "admin") {
        $user_id = $_SESSION['id'];
        connect_sql();
        $query = @query("SELECT 1 FROM `classes` WHERE `ID`='{$class_id}' AND `teacher`='{$user_id}' LIMIT 1") or die("Error checking the database.");
        if (num_rows($query) == 0) {
            cust_die("You may not add news to that class.");
        }
        disconnect_sql();
    }
    $subject = escape_string(htmlspecialchars($_POST['subject']));
    $body = escape_string(htmlspecialchars($_POST['body']));
    $timestamp = time();
    connect_sql();
    add_news_item($class_id, $subject, $body);
    disconnect_sql();
    print "The news item was added.  <a href=\"news.php?add\" title=\"add a news item\">Add another</a>?";
} else {
    any_errors();
    if (user_type() == "user") {
        display_latest_news($_SESSION['id'], 3);
    } else {
        $date_format = escape_string($_POST['date_format']);
        $time_format = escape_string($_POST['time_format']);
        $school_name = escape_string($_POST['school_name']);
        $number_of_periods = escape_string($_POST['number_of_periods']);
        $number_of_semesters = escape_string($_POST['number_of_semesters']);
        $enable_forums = escape_string($_POST['enable_forums']);
        if (is_numeric($enable_forums) == FALSE) {
            cust_die("Don't mess with that. ;D");
        }
        $track_attendance = escape_string($_POST['track_attendance']);
        if (is_numeric($track_attendance) == FALSE) {
            cust_die("Don't mess with that. ;D");
        }
        $current_semester = escape_string($_POST['current_semester']);
        if (is_numeric($current_semester) == FALSE) {
            cust_die("Don't mess with that. ;D");
        }
        $content = <<<EOT
<?php

define("current_version", "0.1.3");

define("server_type", "{$server_type}");
define("server", "{$server}");
define("username", "{$username}");
define("password", "{$password}");
define("database", "{$database}");
define("server_root", "{$server_root}");

define("school_name", "{$school_name}");
define("dateformat", "{$date_format}");
/**
 * Adds a user to the database.
 *
 * $username is the user's username.
 * $cryptedpass is his or her password encrypted twice using md5().  i.e. md5(md5($password))
 *   (unsalted md5 is not a suitable password hash; changing it also requires changing the
 *   login check, which compares against the same md5(md5()) value and lives outside this function)
 * $type is the user's type: 1 for "user", 2 for "teacher", 3 for "admin", 4 for "parent"
 * $firstname and $surname are the user's first and surnames
 * $gender is written to the `gender` column exactly as given; it is not validated here
 * $email is the user's e-mail address
 *
 * Every argument is interpolated straight into SQL, so the caller must already have run each
 * value through escape_string(): nothing in this function escapes or validates them.
 * Stops the page via cust_die() when the username is taken and via die() on a query error.
 */
function add_user($username, $cryptedpass, $type, $firstname, $surname, $gender, $email)
{
    // refuse duplicates: the username must not already exist in `users`
    $existing = @query("SELECT 1 FROM `users` WHERE `username`='{$username}'") or die("Error checking the database.");
    if (num_rows($existing) > 0) {
        cust_die("The requested username is already in the database.  Please select another one.");
    }
    $insert = "INSERT INTO `users` (`username`, `password`, `type`, `firstname`, `surname`, `gender`, `email`) VALUES ('{$username}', '{$cryptedpass}', '{$type}', '{$firstname}', '{$surname}', '{$gender}', '{$email}')";
    query($insert) or die("Error adding the user's information into the database.");
}
     cust_die("You must submit the name of the database you'd like to use.");
 }
 if (isset($_POST['username']) and $_POST['username'] != "") {
     $admin_username = escape_string(htmlspecialchars($_POST['username']));
 } else {
     cust_die("You must submit the admin's username.");
 }
 if (isset($_POST['pass1']) and isset($_POST['pass2']) && $_POST['pass1'] != $_POST['pass2']) {
     cust_die("Please make sure the admin's passwords match.");
 }
 $admin_password = escape_string(htmlspecialchars($_POST['pass1']));
 if (strlen($admin_password) < 5) {
     cust_die("Your admin password must be at least 6 characters long.");
 }
 if ($admin_password == $admin_username) {
     cust_die("Your admin password may not be your admin username.");
 }
 $admin_password = md5(md5($admin_password));
 if (isset($_POST['realname']) and $_POST['realname'] != "") {
     $realname = escape_string(htmlspecialchars($_POST['realname']));
 } else {
     $realname = "";
 }
 if (isset($_POST['emailaddress']) and $_POST['emailaddress'] != "") {
     $emailaddress = escape_string(htmlspecialchars($_POST['emailaddress']));
 } else {
     $emailaddress = "";
 }
 // split the name into its pieces...
 list($firstname, $surname) = explode(" ", $realname);
 // get the set up file
 // see if they're in the class
 $class_list = classes_by_semester($the_student, current_semester);
 $classes = explode(",", $class_list);
 // get rid of the empty part of the array
 $empty = count($classes) - 1;
 unset($classes[$empty]);
 foreach ($classes as $class) {
     $could_be_in_class = 1;
     if (strpos($class, $requested_class) === false) {
         $could_be_in_class = 0;
     } else {
         break;
     }
 }
 if ($could_be_in_class == 0) {
     cust_die("Your student is not in that class.");
 }
 // okay, they are in the class.  Let 'em do what they can do...
 // get the class's info
 $class_info = @query("SELECT * FROM `classes` WHERE `ID`='{$requested_class}' LIMIT 1") or die("Error getting the class's information.");
 while ($row = result($class_info)) {
     $class_name = stripslashes($row->name);
     $teacher = $row->teacher;
     // get the teacher's actual name
     $teacher_name = @query("SELECT `firstname`,`surname` FROM `users` WHERE `ID`='{$teacher}' LIMIT 1") or die("Error getting the teacher's name.");
     $result = result($teacher_name);
     $teacher_name = stripslashes($result->firstname) . " " . stripslashes($result->surname);
     $room = stripslashes($row->room);
     $period = $row->period;
     $semester = $row->semester;
     print "<div class=\"class_info\"><p>{$class_name}, taught by <a href=\"messages.php?compose&amp;id={$teacher}\" title=\"Send {$teacher_name} a message.\">{$teacher_name}</a>";
    print $stuff;
} elseif (isset($_POST['addclass'])) {
    if (!isset($_POST['classname']) or $_POST['classname'] == "") {
        cust_die("You must specify the class's name.");
    }
    if (!isset($_POST['period']) or $_POST['period'] == "") {
        cust_die("You must specify the period the class takes place during.");
    }
    if (!isset($_POST['teacher']) or $_POST['teacher'] == "") {
        cust_die("You must select a teacher for the class.  (Perhaps you need to <a href=\"add.php?teacher\" alt=\"add a teacher\">add a few</a?>?)");
    }
    if (!isset($_POST['room']) or $_POST['room'] == "") {
        cust_die("You must submit which room the class takes place in.");
    }
    if (!isset($_POST['semester']) or $_POST['semester'] == "") {
        cust_die("You must specify which grading period(s) the class happens during.");
    }
    $classname = escape_string($_POST['classname']);
    $period = escape_string($_POST['period']);
    $teacher = escape_string($_POST['teacher']);
    $room = escape_string($_POST['room']);
    $semester = escape_string($_POST['semester']);
    connect_sql();
    @query("INSERT INTO `classes` (`name`, `teacher`, `room`, `period`, `semester`) VALUES ('{$classname}', '{$teacher}', '{$room}',  '{$period}', '{$semester}')") or die("Error updating the database.");
    disconnect_sql();
    print "The class has been added.  <a href=\"add.php?class\" title=\"add a class\">Add another</a>?";
} else {
    any_errors();
    print "Would you like to add a <a href=\"add.php?class\" title=\"add a class\">class</a>, <a href=\"add.php?teacher\" title=\"add a teacher\">teacher</a>, or <a href=\"add.php?student\" title=\"add a student\">student</a>?";
}
// close the content wrapper opened earlier in the page
echo '</div>';