/**
 * Copy the "func" query parameter, passed through escape_string(), into the global $func.
 *
 * $func is left untouched when the parameter is absent.
 *
 * NOTE(review): escape_string() is defined elsewhere and its name suggests SQL escaping.
 * That does not make the value safe as a function name, include path or HTML output;
 * whatever consumes $func should compare it against a fixed list of known values.
 */
function identify_function()
{
    global $func;

    if (!isset($_GET['func'])) {
        return;
    }

    $func = escape_string($_GET['func']);
}
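/**
 * Build and run an UPDATE statement for $table_name from the submitted form.
 *
 * POST keys that start with DB_UPDATE_PREFIX name the columns to set, and keys that
 * start with DB_WHERE_PREFIX name the columns to match. The column name is whatever
 * follows the five-character prefix.
 *
 * Changes from the earlier version:
 *  - the WHERE clause was assembled but never appended, so every row was updated;
 *  - column names come from POST keys, which value escaping cannot protect, so they
 *    are now accepted only when they look like a plain identifier;
 *  - nothing is sent to the server when no column is being set.
 *
 * NOTE(review): $table_name is interpolated as given; callers must pass a fixed table
 * name, never request data. A form that submits no DB_WHERE_PREFIX field still updates
 * every row; reject that case here if no caller relies on it.
 *
 * @param string $table_name Table to update.
 * @return mixed Result of mysqli_query(), or false when there was nothing to set.
 */
function db_update_form($table_name)
{
    global $conn;

    $assignments = [];
    $conditions = [];

    foreach ($_POST as $key => $value) {
        $key = (string) $key;
        $prefix = substr($key, 0, 5);
        $field = substr($key, 5);

        // Identifiers cannot be escaped like values; allow only [A-Za-z_][A-Za-z0-9_]*.
        if (!is_scalar($value) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $field)) {
            continue;
        }

        switch ($prefix) {
            // with update field
            case DB_UPDATE_PREFIX:
                $assignments[] = "{$field} = '" . escape_string($value) . "'";
                break;
            // with where field
            case DB_WHERE_PREFIX:
                $conditions[] = "{$field} = '" . escape_string($value) . "'";
                break;
        }
    }

    if (!$assignments) {
        return false;
    }

    $query = "UPDATE {$table_name} SET " . implode(", ", $assignments);
    if ($conditions) {
        $query .= " WHERE " . implode(" AND ", $conditions);
    }

    return mysqli_query($conn, $query);
}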
/**
 * Echo the "sql_alter" export for one table or view.
 *
 * Only acts when $_POST["format"] is "sql_alter". It echoes the statement returned by
 * create_sql() with " OR REPLACE" (views) or " IF NOT EXISTS" (tables) spliced in, and
 * for tables it also echoes a stored procedure named adminer_alter that compares the
 * target's information_schema.COLUMNS rows with the columns read here and builds an
 * ALTER TABLE command from the differences.
 *
 * NOTE(review): the output is SQL text meant to be executed elsewhere, so every value
 * embedded in it is a quoting boundary. q(), idf_escape(), escape_string(),
 * adminer_table(), create_sql() and get_rows() are defined outside this block. The
 * IS_NULLABLE, COLLATION_NAME and EXTRA values are placed between single quotes without
 * q(); presumably safe because they come from information_schema — confirm.
 *
 * @param string $table   Table or view name.
 * @param mixed  $style   Not read anywhere in this body.
 * @param bool   $is_view Whether $table is a view.
 * @return true|null true when the sql_alter branch ran; otherwise nothing is returned.
 */
function dumpTable($table, $style, $is_view = false)
{
    if ($_POST["format"] == "sql_alter") {
        $create = create_sql($table, $_POST["auto_increment"]);
        if ($is_view) {
            // offset 6 is right after the leading "CREATE"
            echo substr_replace($create, " OR REPLACE", 6, 0) . ";\n\n";
        } else {
            // offset 12 is right after the leading "CREATE TABLE"
            echo substr_replace($create, " IF NOT EXISTS", 12, 0) . ";\n\n";
            // create procedure which iterates over original columns and adds new and removes old
            $query = "SELECT COLUMN_NAME, COLUMN_DEFAULT, IS_NULLABLE, COLLATION_NAME, COLUMN_TYPE, EXTRA, COLUMN_COMMENT FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = " . q($table) . " ORDER BY ORDINAL_POSITION";
            // The echoed text ends inside an open single-quoted SQL string (the add_columns default);
            // the loop below appends to that string and the next echo closes it.
            echo "DELIMITER ;;\nCREATE PROCEDURE adminer_alter (INOUT alter_command text) BEGIN\n\tDECLARE _column_name, _collation_name, after varchar(64) DEFAULT '';\n\tDECLARE _column_type, _column_default text;\n\tDECLARE _is_nullable char(3);\n\tDECLARE _extra varchar(30);\n\tDECLARE _column_comment varchar(255);\n\tDECLARE done, set_after bool DEFAULT 0;\n\tDECLARE add_columns text DEFAULT '";
            $fields = array();
            $after = "";
            foreach (get_rows($query) as $row) {
                $default = $row["COLUMN_DEFAULT"];
                $row["default"] = $default !== null ? q($default) : "NULL";
                $row["after"] = q($after); //! rgt AFTER lft, lft AFTER id doesn't work
                // The column definition is passed through escape_string() because it is echoed inside
                // the single-quoted add_columns literal opened above.
                $row["alter"] = escape_string(idf_escape($row["COLUMN_NAME"]) . " {$row['COLUMN_TYPE']}" . ($row["COLLATION_NAME"] ? " COLLATE {$row['COLLATION_NAME']}" : "") . ($default !== null ? " DEFAULT " . ($default == "CURRENT_TIMESTAMP" ? $default : $row["default"]) : "") . ($row["IS_NULLABLE"] == "YES" ? "" : " NOT NULL") . ($row["EXTRA"] ? " {$row['EXTRA']}" : "") . ($row["COLUMN_COMMENT"] ? " COMMENT " . q($row["COLUMN_COMMENT"]) : "") . ($after ? " AFTER " . idf_escape($after) : " FIRST"));
                echo ", ADD {$row['alter']}";
                $fields[] = $row;
                $after = $row["COLUMN_NAME"];
            }
            echo "';\n\tDECLARE columns CURSOR FOR {$query};\n\tDECLARE CONTINUE HANDLER FOR NOT FOUND SET done = 1;\n\tSET @alter_table = '';\n\tOPEN columns;\n\tREPEAT\n\t\tFETCH columns INTO _column_name, _column_default, _is_nullable, _collation_name, _column_type, _extra, _column_comment;\n\t\tIF NOT done THEN\n\t\t\tSET set_after = 1;\n\t\t\tCASE _column_name";
            // One WHEN branch per column read above: an unchanged column drops its ", ADD ..." entry,
            // a changed one has it rewritten to ", MODIFY ...".
            foreach ($fields as $row) {
                echo "\n\t\t\t\tWHEN " . q($row["COLUMN_NAME"]) . " THEN\n\t\t\t\t\tSET add_columns = REPLACE(add_columns, ', ADD {$row['alter']}', IF(\n\t\t\t\t\t\t_column_default <=> {$row['default']} AND _is_nullable = '{$row['IS_NULLABLE']}' AND _collation_name <=> " . (isset($row["COLLATION_NAME"]) ? "'{$row['COLLATION_NAME']}'" : "NULL") . " AND _column_type = " . q($row["COLUMN_TYPE"]) . " AND _extra = '{$row['EXTRA']}' AND _column_comment = " . q($row["COLUMN_COMMENT"]) . " AND after = {$row['after']}\n\t\t\t\t\t, '', ', MODIFY {$row['alter']}'));"; //! don't replace in comment
            }
            // Columns the target has but this table lacks fall into ELSE and are queued as DROPs;
            // the generated SQL doubles backticks in the column name before quoting it.
            echo "\n\t\t\t\tELSE\n\t\t\t\t\tSET @alter_table = CONCAT(@alter_table, ', DROP ', '`', REPLACE(_column_name, '`', '``'), '`');\n\t\t\t\t\tSET set_after = 0;\n\t\t\tEND CASE;\n\t\t\tIF set_after THEN\n\t\t\t\tSET after = _column_name;\n\t\t\tEND IF;\n\t\tEND IF;\n\tUNTIL done END REPEAT;\n\tCLOSE columns;\n\tIF @alter_table != '' OR add_columns != '' THEN\n\t\tSET alter_command = CONCAT(alter_command, 'ALTER TABLE " . adminer_table($table) . "', SUBSTR(CONCAT(add_columns, @alter_table), 2), ';\\n');\n\tEND IF;\nEND;;\nDELIMITER ;\nCALL adminer_alter(@adminer_alter);\nDROP PROCEDURE adminer_alter;\n\n";
            //! indexes
        }
        return true;
    }
}
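/**
 * Fetch one request parameter, passed through escape_string().
 *
 * The earlier version computed the escaped value but never returned it, so every call
 * yielded null whether or not the parameter was present.
 *
 * NOTE(review): escape_string() is defined elsewhere. A value escaped for SQL is not
 * safe for HTML output or shell use; escape for the context where it is finally used.
 * Array-valued parameters (e.g. "name[]=x") are handed to escape_string() unchanged.
 *
 * @param string $param Key to look up in $_REQUEST.
 * @return mixed|null The escaped value, or null when the parameter is absent.
 */
function request($param)
{
    if (!isset($_REQUEST[$param])) {
        return null;
    }

    return escape_string($_REQUEST[$param]);
}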
/**
 * Fill the "?" placeholders of $Query with quoted values taken from $Args.
 *
 * Arguments are consumed starting at index $PreNum. null and false become the SQL
 * keyword NULL; everything else is passed through escape_string() and wrapped in single
 * quotes. The text after the last consumed placeholder is appended unchanged.
 *
 * NOTE(review): this is string substitution, not a server-side prepared statement.
 * The template is split on every "?", including one inside a quoted literal, and the
 * result is only as safe as escape_string() under the connection's character set.
 * Where the driver allows it, bound parameters remove both concerns.
 *
 * @param string $Query  SQL template containing "?" placeholders.
 * @param array  $Args   Values; entries before $PreNum are skipped.
 * @param int    $PreNum Index of the first value to use.
 * @return string The assembled SQL text.
 */
function PrepareQuery($Query, $Args, $PreNum)
{
    $pieces = explode('?', $Query);
    $argCount = count($Args);
    $sql = '';

    $i = $PreNum;
    while ($i < $argCount) {
        $arg = $Args[$i];
        if ($arg === null || $arg === false) {
            $literal = 'NULL';
        } else {
            $literal = "'" . escape_string($arg) . "'";
        }
        $sql .= array_shift($pieces) . $literal;
        $i++;
    }

    return $sql . array_shift($pieces);
}
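/**
 * Render the cart rows for every "product_<id>" session entry and store the totals.
 *
 * For each entry with a positive quantity the product row is loaded, a table row and the
 * hidden checkout fields are echoed, and $_SESSION['item_total'] / ['item_quantity'] are
 * updated with the running totals.
 *
 * Changes from the earlier version:
 *  - the id was taken with strlen($name - 8), which subtracts 8 from the key itself;
 *    the id is now the part of the key after "product_";
 *  - the id went into the statement without quotes, where escaping a string gives no
 *    protection; only all-digit ids are accepted and the value is cast to int;
 *  - database values were echoed into HTML unescaped; they are now HTML-escaped;
 *  - "${...}" inside the heredoc is variable-variable syntax, not a currency sign;
 *    the dollar sign is emitted as &#36;;
 *  - $total and $item_quantity were reset to 0 inside the row loop, so the stored
 *    totals never accumulated.
 *
 * NOTE(review): the hidden quantity_N field carries product_quantity from the database,
 * as before; confirm whether the cart quantity was intended. Prices sent in hidden
 * fields can be edited by the client, so the amount must be re-checked server-side.
 *
 * @return void
 */
function cart()
{
    $total = 0;
    $item_quantity = 0;
    $line = 1; // index shared by the item_name_/item_number_/amount_/quantity_ fields

    foreach ($_SESSION as $name => $value) {
        $name = (string) $name;
        if (!($value > 0) || substr($name, 0, 8) != "product_") {
            continue;
        }

        $id = substr($name, 8);
        if (!ctype_digit($id)) {
            continue; // not a product id; never reaches the query
        }

        $query = query("SELECT * FROM products WHERE product_id = " . (int) $id . " ");
        confirm($query);

        while ($row = fetch_array($query)) {
            $sub = $row['product_price'] * $value;
            $total += $sub;
            $item_quantity += $value;

            $flags = ENT_QUOTES | ENT_SUBSTITUTE;
            $title = htmlspecialchars((string) $row['product_title'], $flags, 'UTF-8');
            $price = htmlspecialchars((string) $row['product_price'], $flags, 'UTF-8');
            $productId = htmlspecialchars((string) $row['product_id'], $flags, 'UTF-8');
            $stock = htmlspecialchars((string) $row['product_quantity'], $flags, 'UTF-8');
            $count = htmlspecialchars((string) $value, $flags, 'UTF-8');
            $subtotal = htmlspecialchars((string) $sub, $flags, 'UTF-8');

            $product = <<<DELIMETER
<tr> <td>{$title}</td> <td>&#36;{$price}</td> <td>{$count}</td> <td>&#36;{$subtotal}</td> <td> <a class='btn btn-warning' href="cart.php?remove={$productId}"><span class='glyphicon glyphicon-minus'></span></a> <a class='btn btn-success' href="cart.php?add={$productId}"><span class='glyphicon glyphicon-plus'></span></a> <a class='btn btn-danger' href="cart.php?delete={$productId}"><span class='glyphicon glyphicon-remove'></span></a> </td> </tr> <input type="hidden" name="item_name_{$line}" value="{$title}"> <input type="hidden" name="item_number_{$line}" value="{$productId}"> <input type="hidden" name="amount_{$line}" value="{$price}"> <input type="hidden" name="quantity_{$line}" value="{$stock}">
DELIMETER;
            echo $product;
            $line++;
        }

        $_SESSION['item_total'] = $total;
        $_SESSION['item_quantity'] = $item_quantity;
    }
}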
/**
 * Handle a submitted login form: run the credential lookup and redirect on the result.
 *
 * Zero matching rows sets a message and redirects to index.php; any other row count
 * redirects to public/main.php.
 *
 * NOTE(review): as shown, the SQL text holds the literal '******' in both comparisons, so
 * the escaped $username and $password are never used by the query. This looks like
 * masking applied to the listing — confirm against the real source.
 * NOTE(review): if the real query interpolates the password, it is matched in SQL against
 * the stored column. Fetching the row by username and checking a password_hash() value
 * with password_verify() is the usual replacement.
 * NOTE(review): no session state is written in this block; verify where the authenticated
 * state is recorded and that public/main.php checks it.
 */
function login_user()
{
    if (isset($_POST['submit'])) {
        $username = escape_string($_POST['username']);
        $password = escape_string($_POST['password']);
        $query = query("SELECT * FROM user WHERE username = '******' AND password = '******'");
        confirm($query);
        if (mysqli_num_rows($query) == 0) {
            set_message("Contrasena y usuario no es valida.");
            redirect("index.php");
        } else {
            redirect("public/main.php");
        }
    }
}
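/**
 * Adds a news item for class $class, with subject $subject and body $body.
 *
 * Changes from the earlier version:
 *  - the subject was "shortened" with substr() but the result was discarded, so the
 *    full text was still inserted;
 *  - the length limit was applied after escaping; cutting escaped text can end on a
 *    lone backslash, which would escape the closing quote of the SQL literal. The
 *    raw subject is now cut first and escaped afterwards;
 *  - the class id is validated before it is escaped, with a plain boolean test.
 *
 * NOTE(review): strlen()/substr() count bytes; with a multi-byte charset the cut can
 * fall inside a character. escape_string(), cust_die(), connect_sql(), query() and
 * disconnect_sql() are defined elsewhere.
 *
 * @param mixed  $class   Numeric class id.
 * @param string $subject Subject line, limited to 75 characters.
 * @param string $body    Body text (stored in a blob, no length limit applied).
 * @return void
 */
function add_news_item($class, $subject, $body)
{
    // class id should be numeric
    if (!is_numeric($class)) {
        cust_die("Class field was not submitted in the correct way.");
    }
    $class = escape_string($class);

    // subject can only be 75 characters long; cut the raw text, then escape it
    if (strlen($subject) > 75) {
        $subject = substr($subject, 0, 75);
        print "The subject field was too long, so it was shortened to 75 characters.";
    }
    $subject = escape_string($subject);

    // the body field uses a blob, so it doesn't matter how long it is
    $body = escape_string($body);
    $timestamp = time();

    $insert = "INSERT INTO `news` (`class`, `timestamp`, `subject`, `body`) VALUES ('{$class}', '{$timestamp}', '{$subject}', '{$body}')";
    connect_sql();
    @query($insert) or die("Error adding the news item.");
    disconnect_sql();
}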
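/**
 * Query the database.
 *
 * "{name}" in the template becomes the prefixed table name when a table prefix is
 * configured. Each key of $params is then replaced in the template by its value, passed
 * through escape_string() and wrapped in single quotes when the result is a string.
 *
 * Changes from the earlier version:
 *  - the call read "$this->db - query($template)" (a subtraction); it is now the
 *    method call $this->db->query($template);
 *  - parameters were substituted one after another with str_replace(), so a value that
 *    contained another parameter's key was substituted again inside its own quotes, and
 *    a key that is a prefix of another key clobbered it. strtr() replaces all keys in a
 *    single pass, longest key first, and never rescans inserted text;
 *  - the result is returned.
 *
 * NOTE(review): the exception message contains the full SQL including parameter values;
 * make sure it is logged rather than shown to the client.
 *
 * @param string     $template SQL text with parameter markers.
 * @param array|null $params   Map of marker => value.
 * @return mixed The result from $this->db->query().
 * @throws SQLException When the query fails.
 */
public function query($template, $params = null)
{
    // Prefix around?
    if ($this->tablePrefix) {
        $template = str_replace("}", "", str_replace("{", $this->tablePrefix, $template));
    }

    // Set params into the SQL template
    if ($params != null) {
        $replacements = array();
        foreach ($params as $ref => $value) {
            $value = escape_string($value);
            if (gettype($value) == "string") {
                $value = "'" . $value . "'";
            }
            $replacements[$ref] = $value;
        }
        $template = strtr($template, $replacements);
    }

    // Perform
    $result = $this->db->query($template);
    if (!$result) {
        throw new SQLException("SQL: " . $template . "\nError: " . $this->db->error);
    }

    return $result;
}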
/**
 * Return every $_REQUEST entry passed through escape_string(), keyed as received.
 *
 * NOTE(review): one escaping routine is applied to all parameters regardless of where
 * each value ends up. SQL escaping does not cover HTML, URL or shell contexts, and the
 * debug branch below echoes keys and values into the page without HTML escaping; keep
 * $testing off outside development.
 *
 * @return array Escaped request values.
 */
function processRequestArguments()
{
    //20151019, standard V3.
    $testing = false;
    $escaped = array();

    if ($testing) {
        echo "Input arguments: <br>";
    }

    //Change $_REQUEST to $_POST or $_GET when needed.
    foreach ($_REQUEST as $key => $raw) {
        //Add filtering and processing rules here; by default every value is simply escaped.
        $clean = escape_string($raw);
        $escaped[$key] = $clean;

        if ($testing) {
            echo "\t{$key} => {$clean}<br>";
        }
    }

    return $escaped;
}
/**
 * Encode a password with the scheme named by the 'encrypt' configuration item.
 *
 * $pw_db, when given, is the stored value; the md5crypt, system and mysql_encrypt
 * schemes take their salt from it so that the result can be compared with it.
 *
 * NOTE(review): 'md5' is a single unsalted MD5 and 'cleartext' returns the password
 * unchanged; neither protects stored credentials. 'system' calls crypt() without a salt
 * when $pw_db is empty, which PHP 8 rejects. 'mysql_encrypt' sends the password to the
 * database inside the statement text, where it may reach query logs.
 * password_hash()/password_verify() is the usual replacement, with a rehash at next login.
 *
 * @param string $pw    Password as typed.
 * @param string $pw_db Stored value to take the salt from, or "".
 * @return string The encoded password ("" when the scheme is unknown).
 */
function pacrypt($pw, $pw_db = "")
{
    $ci =& get_instance();
    $pw = stripslashes($pw);
    $password = "";
    $salt = "";

    switch ($ci->config->item('encrypt')) {
        case 'md5crypt':
            // stored form is $<id>$<salt>$<hash>; index 2 of the split is the salt
            $parts = preg_split('/\\$/', $pw_db);
            if (isset($parts[2])) {
                $salt = $parts[2];
            }
            $password = md5crypt($pw, $salt);
            break;

        case 'md5':
            $password = md5($pw);
            break;

        case 'system':
            $password = $pw_db ? crypt($pw, $pw_db) : crypt($pw);
            break;

        case 'cleartext':
            $password = $pw;
            break;

        case 'mysql_encrypt':
            $pw = escape_string($pw);
            if ($pw_db != "") {
                $salt = escape_string(substr($pw_db, 0, 2));
                $res = db_query("SELECT ENCRYPT('" . $pw . "','" . $salt . "');");
            } else {
                $res = db_query("SELECT ENCRYPT('" . $pw . "');");
            }
            $first = db_row($res["result"]);
            $password = $first[0];
            break;

        default:
            show_error('unknown/invalid encrypt settings for pacrypt setting: ' . $ci->config->item("encrypt"));
    }

    return $password;
}
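/**
 * Check a name/password pair against foltia_envpolicy and send failures to the login page.
 *
 * Changes from the earlier version:
 *  - the password was compared with ==, which treats numeric-looking strings as numbers
 *    (for example "1e3" equals "1000") and is not constant-time; hash_equals() compares
 *    the exact bytes;
 *  - each failure branch now returns after redirectlogin(), so a redirect helper that
 *    does not terminate the request can no longer fall through to the success path.
 *
 * NOTE(review): the two escape_string() calls discard their result. The query is
 * protected by the [0-9a-zA-Z] check above it, not by escaping — unless escape_string()
 * takes its argument by reference; confirm.
 * NOTE(review): passwd1 is compared as stored text (plus the environment token for
 * non-zero user classes), so the table holds passwords in readable form. Storing
 * password_hash() output and checking with password_verify() would remove that.
 *
 * @param mixed  $con    Database connection passed to m_query().
 * @param string $name   Submitted user name.
 * @param string $passwd Submitted password.
 * @return void
 */
function login($con, $name, $passwd)
{
    global $environmentpolicytoken;

    // Check the input: anything outside [0-9a-zA-Z] is rejected.
    if (mb_ereg('[^0-9a-zA-Z]', $name) || mb_ereg('[^0-9a-zA-Z]', $passwd)) {
        redirectlogin();
        return;
    }

    // Normal path: look the user up.
    escape_string($name);
    escape_string($passwd);
    $query = "\n\t\t\tSELECT memberid, userclass, name, passwd1\n\t\t\tFROM foltia_envpolicy\n\t\t\tWHERE foltia_envpolicy.name = '{$name}'\n\t\t\t";
    $useraccount = m_query($con, $query, "DBクエリに失敗しました");

    $rowdata = $useraccount->fetch();
    if (!$rowdata) {
        header("HTTP/1.0 401 Unauthorized");
        redirectlogin();
        return;
    }
    $memberid = $rowdata[0];
    $userclass = $rowdata[1];
    $username = $rowdata[2];
    $dbpasswd = $rowdata[3];

    // A second row for the same name is treated as a failure.
    $rowdata = $useraccount->fetch();
    if ($rowdata) {
        header("HTTP/1.0 401 Unauthorized");
        redirectlogin();
        return;
    }

    // Take the password from the database; for non-zero user classes the
    // environment token is appended to it.
    if ($userclass == 0) {
        $dbpasswd = "{$dbpasswd}";
    } else {
        $dbpasswd = "{$dbpasswd}" . "{$environmentpolicytoken}";
    }

    // Authenticated only when that value matches the input exactly.
    if (!hash_equals($dbpasswd, (string) $passwd)) {
        header("HTTP/1.0 401 Unauthorized");
        redirectlogin();
        return;
    }
}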
} if (!isset($number)) { $number = 2; } elseif ($number > JP_AUTHORS) { $number = JP_AUTHORS; } if (isset($_POST['action_x'])) { $jpnumber = $_POST['jpNumber']; for ($n = 1; $n <= $jpnumber; $n++) { $authors[] = $_POST['author' . $n]; } /* make a string of the authors */ $postAuthors = implode(',', $authors); $insert = "INSERT INTO sms_posts (postAuthor, postTitle, postLocation, postTimeline, postContent, postPosted, postMission, "; $insert .= "postStatus, postTag) VALUES (%s, %s, %s, %s, %s, UNIX_TIMESTAMP(), %d, %s, %s)"; $query = sprintf($insert, escape_string($postAuthors), escape_string($_POST['postTitle']), escape_string($_POST['postLocation']), escape_string($_POST['postTimeline']), escape_string($_POST['postContent']), escape_string($_POST['postMission']), escape_string('activated'), escape_string($_POST['postTag'])); $result = mysql_query($query); for ($i = 1; $i <= $number; $i++) { /* set the author var */ $author = $_POST['author' . $i]; if (!is_numeric($author)) { $author = NULL; } /* update the player's last post timestamp */ $updateTimestamp = "UPDATE sms_crew SET lastPost = UNIX_TIMESTAMP() WHERE crewid = {$author} LIMIT 1"; $updateTimestampResult = mysql_query($updateTimestamp); } /* optimize the crew table */ optimizeSQLTable("sms_crew"); optimizeSQLTable("sms_posts"); /* if the user wants to send the email out, do it */
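<?php

// Delete one category by id, then return to the category list.
//
// The id is placed in the statement without quotes, where escaping a string gives no
// protection: any text that needs no quote character would have become part of the SQL.
// The parameter is therefore accepted only when it is a plain integer.
//
// NOTE(review): this script changes data on a GET request and shows no permission or
// anti-forgery check of its own. Confirm that core/init.php enforces an admin session,
// and consider requiring POST with a per-session token.
require '../../../../core/init.php';

$categoryId = isset($_GET['id']) ? filter_var($_GET['id'], FILTER_VALIDATE_INT) : false;

if ($categoryId !== false && $categoryId !== null) {
    $query = query("DELETE FROM categories WHERE cat_id = " . $categoryId . " ");
    confirm($query);
    set_message("Category Deleted");
}

redirect("/admin?categories");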
/**
 * Store the vacation (auto-reply) settings for $this->username and update the alias.
 *
 * Existing notification state is cleared first via $this->remove(). The row in the
 * vacation table is updated when exactly one exists for the user, otherwise inserted.
 *
 * NOTE(review): the SELECT uses the escaped user name, while db_update()/db_insert()
 * receive raw values; presumably those helpers escape internally — confirm.
 *
 * @param string $subject
 * @param string $body
 * @param string $interval_time
 * @param string $activeFrom  Start date, any format strtotime() accepts.
 * @param string $activeUntil End date, any format strtotime() accepts.
 * @return mixed Result of $this->updateAlias(1).
 */
function set_away($subject, $body, $interval_time, $activeFrom, $activeUntil)
{
    // clean out any notifications that might already have been sent.
    $this->remove();

    $escapedUsername = escape_string($this->username);

    // Stretch the range to whole days: start of the first day, end of the last.
    $fromStamp = date("Y-m-d 00:00:00", strtotime($activeFrom)); # TODO check if result looks like a valid date
    $untilStamp = date("Y-m-d 23:59:59", strtotime($activeUntil)); # TODO check if result looks like a valid date

    list(, $domain) = explode('@', $this->username);

    $vacation_data = array(
        'email' => $this->username,
        'domain' => $domain,
        'subject' => $subject,
        'body' => $body,
        'interval_time' => $interval_time,
        'active' => db_get_boolean(true),
        'activefrom' => $fromStamp,
        'activeuntil' => $untilStamp,
    );

    // is there an entry in the vacation table for the user, or do we need to insert?
    $table_vacation = table_by_key('vacation');
    $existing = db_query("SELECT * FROM {$table_vacation} WHERE email = '{$escapedUsername}'");
    if ($existing['rows'] != 1) {
        $result = db_insert('vacation', $vacation_data);
    } else {
        $result = db_update('vacation', 'email', $this->username, $vacation_data);
    }
    # TODO error check
    # TODO wrap whole function in db_begin / db_commit (or rollback)?

    return $this->updateAlias(1);
}
/**
 * Decide whether a mailbox quota of $quota is allowed for the mailbox $this->id.
 *
 * Two limits are checked in turn: the per-mailbox maximum of the domain
 * ($limit['maxquota']) and, when Config 'domain_quota' is on, the domain total
 * ($limit['quota']) against the sum of the other mailboxes' quotas. In the comparisons
 * below 0 stands for "unlimited" and a negative value for "disabled", as the inline
 * comments state.
 *
 * NOTE(review): the domain is the part of $this->id after "@" and is used in the SQL only
 * through escape_string(); table_by_key(), db_query(), db_row() and divide_quota() are
 * defined elsewhere.
 *
 * @param int $quota Requested mailbox quota (assumed MB, matching divide_quota() — confirm).
 * @return bool true when the quota is acceptable.
 */
protected function check_quota($quota)
{
    $rval = false;
    if (!Config::bool('quota')) {
        return true; # enforcing quotas is disabled - just allow it
    }
    list(, $domain) = explode('@', $this->id);
    $limit = get_domain_properties($domain);
    if ($limit['maxquota'] == 0) {
        $rval = true; # maxquota unlimited -> OK, but domain level quota could still be hit
    }
    if ($limit['maxquota'] < 0 and $quota < 0) {
        return true; # maxquota and $quota are both disabled -> OK, no need for more checks
    }
    if ($limit['maxquota'] > 0 and $quota == 0) {
        return false; # mailbox with unlimited quota on a domain with maxquota restriction -> not allowed, no more checks needed
    }
    if ($limit['maxquota'] != 0 && $quota > $limit['maxquota']) {
        return false; # mailbox bigger than maxquota restriction (and maxquota != unlimited) -> not allowed, no more checks needed
    } else {
        $rval = true; # mailbox size looks OK, but domain level quota could still be hit
    }
    # Both branches above either return or set $rval to true, so this guard cannot fire as written.
    if (!$rval) {
        return false; # over quota - no need to check domain_quota
    }
    # TODO: detailed error message ("domain quota exceeded", "mailbox quota too big" etc.) via flash_error? Or "available quota: xxx MB"?
    if (!Config::bool('domain_quota')) {
        return true; # enforcing domain_quota is disabled - just allow it
    } elseif ($limit['quota'] <= 0) {
        # TODO: CHECK - 0 (unlimited) is fine, not sure about <= -1 (disabled)...
        $rval = true;
    } elseif ($quota == 0) {
        # trying to create an unlimited mailbox, but domain quota is set
        return false;
    } else {
        # Sum the quota of every other mailbox in the domain; this mailbox is excluded so
        # that its own current quota is not counted twice.
        $table_mailbox = table_by_key('mailbox');
        $query = "SELECT SUM(quota) FROM {$table_mailbox} WHERE domain = '" . escape_string($domain) . "'";
        $query .= " AND username != '" . escape_string($this->id) . "'";
        $result = db_query($query);
        $row = db_row($result['result']);
        $cur_quota_total = divide_quota($row[0]); # convert to MB
        if ($quota + $cur_quota_total > $limit['quota']) {
            $rval = false;
        } else {
            $rval = true;
        }
    }
    return $rval;
}
/**
 * Mark one run as deleted inside a transaction and, if that costs a team its balloon,
 * queue a task telling staff to take the balloon back.
 *
 * NOTE(review): $contest, $site, $number, $user and $usersite are interpolated into the
 * SQL without quotes and without escaping or casting in this block. They must already
 * be integers when they arrive here; verify every caller, or cast them at the top of
 * this function.
 * NOTE(review): escape_string() is applied only to the task description, which embeds
 * the user name and problem names read from the database.
 *
 * @param mixed $number   Run number.
 * @param mixed $site     Site number of the run.
 * @param mixed $contest  Contest number.
 * @param mixed $user     Judge performing the deletion.
 * @param mixed $usersite Site of that judge.
 * @return bool false when the run was not found exactly once (the transaction is rolled
 *              back), true after commit.
 */
function DBRunDelete($number, $site, $contest, $user, $usersite)
{
    $c = DBConnect();
    DBExec($c, "begin work", "DBRunDelete(transaction)");
    $sql = "select * from runtable as r where r.contestnumber={$contest} and " . "r.runsitenumber={$site} and r.runnumber={$number}";
    // " for update" is appended so the selected row is locked until commit or rollback
    $r = DBExec($c, $sql . " for update", "DBRunDelete(get run for update)");
    $n = DBnlines($r);
    if ($n != 1) {
        DBExec($c, "rollback work", "DBRunDelete(rollback)");
        LogLevel("Unable to delete a run. " . "(run={$number}, site={$site}, contest={$contest})", 1);
        return false;
    }
    $temp = DBRow($r, 0);
    // balloon state before the update ("tinha balao": had a balloon)
    $tinhabalao = DBBalloon($contest, $site, $temp["usernumber"], $temp["runproblem"], true, $c);
    DBExec($c, "update runtable set runstatus='deleted', runjudge={$user}, runjudgesite={$usersite}, updatetime=" . time() . " where contestnumber={$contest} and runnumber={$number} and runsitenumber={$site}", "DBRunDelete(update run)");
    // balloon state after the update ("tem balao": has a balloon)
    $tembalao = DBBalloon($contest, $site, $temp["usernumber"], $temp["runproblem"], true, $c);
    if ($tinhabalao && !$tembalao) {
        $u = DBUserInfo($contest, $site, $temp["usernumber"], $c);
        if ($u['usertype'] == 'team') {
            $p = DBGetProblemData($contest, $temp["runproblem"], $c);
            DBNewTask_old($contest, $site, $temp["usernumber"], escape_string("\"" . $u["username"] . "\" must have _NO_ balloon for problem " . $p[0]["problemname"] . ": " . $p[0]["fullname"]), "", "", "t", $p[0]["color"], $p[0]["colorname"], $c);
        }
    }
    DBExec($c, "commit work", "DBRunDelete(commit)");
    LOGLevel("Run deleted (run={$number}, site={$site}, contest={$contest}, user={$user}(site={$usersite})).", 3);
    return true;
}
/**
 * Private function for record updating.
 *
 * Falls back to _addRecord() when the record has no taet_id yet. Text columns go through
 * escape_string() inside quoted '%s' slots; numeric columns are cast to int and formatted
 * with %d, so they cannot carry SQL text.
 *
 * @return Boolean true when the UPDATE succeeded, or whatever _addRecord() returns.
 */
function _updateRecord()
{
    global $user;

    if (empty($this->taet_foo->taet_id)) {
        return $this->_addRecord();
    }

    $record = $this->taet_foo;
    $sql = sprintf(
        'UPDATE '.DBPREFIX."taet SET taet_short_desc = '%s', taet_full_desc = '%s', taet_start = %d, taet_finish = %d, taet_prpos_id = %d, taet_changed = %d, taet_changed_from = %d WHERE taet_id = %d",
        escape_string($record->taet_short_desc),
        escape_string($record->taet_full_desc),
        (int) $record->taet_start,
        (int) $record->taet_finish,
        (int) $record->taet_prpos_id,
        time(),
        (int) $user->empl_id,
        (int) $record->taet_id
    );

    return (bool) $this->query($sql);
}
$getPosType = "SELECT positionType FROM sms_positions WHERE positionid = '{$position}' LIMIT 1"; $getPosTypeResult = mysql_query($getPosType); $positionType = mysql_fetch_row($getPosTypeResult); /* set the access levels accordingly */ if ($positionType[0] == "senior") { $accessID = 3; } else { $accessID = 4; } /* pull the default access levels from the db */ $getGroupLevels = "SELECT * FROM sms_accesslevels WHERE id = {$accessID} LIMIT 1"; $getGroupLevelsResult = mysql_query($getGroupLevels); $groups = mysql_fetch_array($getGroupLevelsResult); $update = "UPDATE sms_crew SET accessPost = %s, accessManage = %s, accessReports = %s, accessUser = %s, accessOthers = %s "; $update .= "WHERE crewid = {$crew} LIMIT 1"; $query = sprintf($update, escape_string($groups[1]), escape_string($groups[2]), escape_string($groups[3]), escape_string($groups[4]), escape_string($groups[5])); $crewUpdateResult = mysql_query($query); /* optimize the tables */ optimizeSQLTable("sms_crew"); optimizeSQLTable("sms_positions"); } if ($oldPosition2 != $position2 && in_array("u_bio3", $sessionAccess)) { /* update the position they're being given */ update_position($position2, 'give'); update_position($oldPosition2, 'take'); /* optimize the table */ optimizeSQLTable("sms_positions"); } } /* close the crewType check */ }
<?php include "{$page_header}"; ?> <div id="mBody"> <?php $index = "yes"; include "inc_sidebar.php"; ?> <div id="mainContent"> <?php $userid = escape_string($_GET["id"]); $sql = "SELECT * \n FROM `userprofiles` \n WHERE `UserID` = '{$userid}' \n LIMIT 1"; $sql_result = mysql_query($sql, $connection) or trigger_error("MySQL Error " . mysql_errno() . ": " . mysql_error() . "", E_USER_NOTICE); $row = mysql_fetch_array($sql_result); $userid = $row["UserID"]; $username = $row["UserName"]; $useremail = $row["UserEmail"]; $userwebsite = $row["UserWebsite"]; $usermode = $row["UserMode"]; $useremailhide = $row["UserEmailHide"]; if ($usermode == "A") { $usermode_text = "Mozilla Update Administrator"; } else { if ($usermode == "E") { $usermode_text = "Mozilla Update Editor"; } else {
AND config_class="' . $class . '"'; } else { $query = 'SELECT SQL_CALC_FOUND_ROWS id_item, attr_value AS entryname FROM ConfigItems,ConfigValues,ConfigAttrs,ConfigClasses WHERE id_item=fk_id_item AND id_attr=fk_id_attr AND naming_attr="yes" AND ConfigItems.fk_id_class=id_class AND config_class="' . $class . '"'; } if ($filter2 != "") { # replace * with % for sql search $filter2 = str_replace("*", "%", $filter2); $filter2 = escape_string($filter2); if ($class == "service") { # search for servername AND servicename on "service" $query .= ' HAVING CONCAT(hostname,entryname) LIKE "' . $filter2 . '"'; } elseif ($class == "checkcommand") { # search for default service name and checkcommand name $query .= 'HAVING default_service_name LIKE "' . $filter2 . '" OR entryname LIKE "' . $filter2 . '"'; } else { $query .= ' AND attr_value LIKE "' . $filter2 . '"'; } } # XMODE if (isset($_GET["xmode"]) && $_GET["xmode"] == "pikett") { if (!empty($ONCALL_GROUPS)) { # first entry must be AND, all other are part of it with OR
* Responsible for toggling the status of a domain * Template File: message.php * * Template Variables: * * tMessage * * Form POST \ GET Variables: * * fDomain */ require_once 'common.php'; authentication_require_role('global-admin'); if ($_SERVER['REQUEST_METHOD'] == "GET") { if (isset($_GET['domain'])) { $fDomain = escape_string($_GET['domain']); } $sqlSet = 'active=1-active'; if ('pgsql' == $CONF['database_type']) { $sqlSet = 'active=NOT active'; } $result = db_query("UPDATE {$table_domain} SET {$sqlSet},modified=NOW() WHERE domain='{$fDomain}'"); if ($result['rows'] != 1) { $error = 1; $tMessage = $PALANG['pAdminEdit_domain_result_error']; } if ($error != 1) { header("Location: list-domain.php"); exit; } }
$arr = @mysql_fetch_array($sql); $oldord = (int) @$arr[0]; $form_id = (int) @$arr[1]; mysql_query("UPDATE " . TABLE_QUESTFIELD . " SET public='{$public}', name='{$name}', data='{$data}', type='{$type}', checkfield='{$checkfield}'," . " ord='{$ord}' WHERE field_id='{$field_id}'") or Error(1, __FILE__, __LINE__); if ($ord > $oldord) { mysql_query("UPDATE " . TABLE_QUESTFIELD . " SET ord=ord-1 " . "WHERE ord>'{$oldord}' AND ord<='{$ord}' AND field_id!='{$field_id}' AND form_id={$form_id}") or Error(1, __FILE__, __LINE__); } elseif ($ord < $oldord) { mysql_query("UPDATE " . TABLE_QUESTFIELD . " SET ord=ord+1 " . "WHERE ord>='{$ord}' AND ord<'{$oldord}' AND field_id!='{$field_id}' AND form_id={$form_id}") or Error(1, __FILE__, __LINE__); } Header("Location: " . ADMIN_URL . "?p={$part}&field_id={$field_id}"); exit; } if (@$saveform) { $name = escape_string(from_form(@$name)); $butt = escape_string(from_form(@$butt)); $email = escape_string(from_form(@$email)); mysql_query("UPDATE " . TABLE_QUESTIONNAIRE . " SET name='{$name}', butt='{$butt}', email='{$email}' WHERE form_id='{$form_id}'") or Error(1, __FILE__, __LINE__); Header("Location: " . ADMIN_URL . "?p={$part}&form_id={$form_id}"); exit; } $replace = array(); $forms = array(); $sql_form = mysql_query("SELECT form_id, name, butt FROM " . TABLE_QUESTIONNAIRE . " ORDER BY form_id") or Error(1, __FILE__, __LINE__); while ($info_form = @mysql_fetch_array($sql_form)) { $sql = mysql_query("SELECT field_id, name, public FROM " . TABLE_QUESTFIELD . " WHERE form_id={$info_form['form_id']} ORDER BY ord") or Error(1, __FILE__, __LINE__); $fields = array(); $field_name = ""; while ($info = @mysql_fetch_array($sql)) { $info['name'] = htmlspecialchars($info['name'], ENT_COMPAT, 'cp1251'); if (!$info['name']) { $info['name'] = NONAME;
if (isset($_POST)) { /* define the POST variables */ foreach ($_POST as $key => $value) { ${$key} = $value; } /* protecting against SQL injection */ if (isset($action_id) && !is_numeric($action_id)) { $action_id = FALSE; exit; } switch ($action_type) { case 'edit': $update = "UPDATE sms_starbase_docking SET dockingShipName = %s, dockingShipRegistry = %s, dockingShipClass = %s, "; $update .= "dockingShipURL = %s, dockingShipCO = %s, dockingShipCOEmail = %s, dockingDuration = %s, dockingDesc = %s, "; $update .= "dockingStatus = %s WHERE dockid = {$action_id} LIMIT 1"; $query = sprintf($update, escape_string($_POST['dockingShipName']), escape_string($_POST['dockingShipRegistry']), escape_string($_POST['dockingShipClass']), escape_string($_POST['dockingShipURL']), escape_string($_POST['dockingShipCO']), escape_string($_POST['dockingShipCOEmail']), escape_string($_POST['dockingDuration']), escape_string($_POST['dockingDesc']), escape_string($_POST['dockingStatus'])); $result = mysql_query($query); $action = "update"; if (isset($_POST['action_tab']) && is_numeric($_POST['action_tab'])) { $tab = $_POST['action_tab']; } break; case 'delete': $query = "DELETE FROM sms_starbase_docking WHERE dockid = {$action_id} LIMIT 1"; $result = mysql_query($query); $action = "delete"; if (isset($_POST['action_tab']) && is_numeric($_POST['action_tab'])) { $tab = $_POST['action_tab']; } break; }
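/**
 * Echo the pager row (first / previous / numbered pages / next / last) for a result list.
 *
 * Changes from the earlier version:
 *  - "page" and "pagenumber" were passed through escape_string() and then written into
 *    href attributes and used in arithmetic. SQL escaping does not neutralise HTML: a
 *    double quote still ends the attribute. Both values are now cast to int (minimum 1),
 *    which also avoids arithmetic on non-numeric text.
 *
 * NOTE(review): $url_clan_name comes from escape_hash(), defined elsewhere, and is
 * written into the href as returned; confirm that helper produces URL- and HTML-safe text.
 *
 * @param int $numRows        Total number of records.
 * @param int $recordsPerPage Records shown per page.
 * @return void
 */
function nextprevButtons($numRows, $recordsPerPage)
{
    global $clan_name;

    $pageid = 1;
    if (isset($_GET['page'])) {
        $pageid = max(1, (int) $_GET['page']);
    }
    $pagenumber = 1;
    if (isset($_GET['pagenumber'])) {
        $pagenumber = max(1, (int) $_GET['pagenumber']);
    }

    $nextpage = $pagenumber + 1;
    $prevpage = $pagenumber - 1;
    $firstpage = 1;
    $totalpages = ceil($numRows / $recordsPerPage);
    $url_clan_name = escape_hash($clan_name);

    if ($totalpages > 1) {
        // Window of $range page links around the current page, clamped to [1, $totalpages].
        $range = 10;
        $range_min = $range % 2 == 0 ? $range / 2 - 1 : ($range - 1) / 2;
        $range_max = $range % 2 == 0 ? $range_min + 1 : $range_min;
        $page_min = $pagenumber - $range_min;
        $page_max = $pagenumber + $range_max;
        $page_min = $page_min < 1 ? 1 : $page_min;
        $page_max = $page_max < $page_min + $range - 1 ? $page_min + $range - 1 : $page_max;
        if ($page_max > $totalpages) {
            $page_min = $page_min > 1 ? $totalpages - $range + 1 : 1;
            $page_max = $totalpages;
        }
        $page_min = $page_min < 1 ? 1 : $page_min;

        $pagelink = "index.php?func=show&page={$pageid}";
        if ($clan_name != "") {
            $pagelink = "index.php?func=clan&filter={$url_clan_name}&page={$pageid}";
        }

        echo "<tr>";
        echo "<td height=\"20\" class=\"line1\" align=\"center\">";
        if ($pagenumber != 1) {
            echo "<a href=\"{$pagelink}&pagenumber={$firstpage}\"><< </a>  ";
            echo "<a href=\"{$pagelink}&pagenumber={$prevpage}\">< </a>  ";
        } else {
            echo "<font color=\"#888888\"><<   </font>";
            echo "<font color=\"#888888\"><   </font>";
        }
        for ($i = $page_min; $i <= $page_max; $i++) {
            if ($i == $pagenumber) {
                echo "<font size=\"2px\" color=\"#555555\">{$i} </font>";
            } else {
                echo "<a href=\"{$pagelink}&pagenumber={$i}\">{$i}</a> ";
            }
        }
        if ($pagenumber != $totalpages) {
            echo "<a href=\"{$pagelink}&pagenumber={$nextpage}\"> ></a>  ";
            echo "<a href=\"{$pagelink}&pagenumber={$totalpages}\"> >></a></td>";
        } else {
            echo "<font color=\"#888888\"> >  </font>";
            echo "<font color=\"#888888\"> >></font></td>";
        }
    }
}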
if (!empty($stringAwards[0])) { $arrayAwards = explode(";", $stringAwards[0]); } else { $arrayAwards = array(); } /* get the date info from PHP */ $now = getdate(); /* make sure there are no semicolons in the reason */ $reason = str_replace(";", ",", $reason); /* build the new award entry */ $arrayAwards[] = $action_award . "|" . $now[0] . "|" . $reason; /* put the string back together */ $joinedString = implode(";", $arrayAwards); /* dump the comma separated field back into the db */ $update = "UPDATE sms_crew SET awards = %s WHERE crewid = {$action_crew} LIMIT 1"; $query = sprintf($update, escape_string($joinedString)); $result = mysql_query($query); /* optimize the table */ optimizeSQLTable("sms_crew"); } if (!isset($crew)) { /* active crew */ $getActive = "SELECT crew.crewid, crew.firstName, crew.lastName, rank.rankName "; $getActive .= "FROM sms_crew AS crew, sms_ranks AS rank "; $getActive .= "WHERE crew.rankid = rank.rankid AND crew.crewType = 'active' "; $getActive .= "ORDER BY crew.rankid ASC"; $getActiveResult = mysql_query($getActive); $activeCount = mysql_num_rows($getActiveResult); /* inactive crew */ $getInactive = "SELECT crew.crewid, crew.firstName, crew.lastName, rank.rankName "; $getInactive .= "FROM sms_crew AS crew, sms_ranks AS rank ";
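/**
 * Private function for record updating.
 *
 * Falls back to _addRecord() when the record has no empl_id yet. The profile columns are
 * written first; the password column is written by a second statement, and only when
 * empl_pwd is set.
 *
 * Changes from the earlier version:
 *  - the first statement showed empl_login = '******' with no placeholder, while the
 *    argument list still passed the escaped login third. sprintf() therefore shifted
 *    every later argument by one slot (the login into empl_status, and so on). The
 *    '%s' placeholder is restored so arguments and columns line up again;
 *  - empl_pwd went into its quoted slot without escaping; it now goes through
 *    escape_string() like the other text columns.
 *
 * NOTE(review): this block stores empl_pwd as given. Confirm that the caller has already
 * turned it into a password_hash() value.
 *
 * @return Boolean true when the update(s) succeeded, or whatever _addRecord() returns.
 */
function _updateRecord()
{
    global $user;

    if (empty($this->employees_foo->empl_id)) {
        return $this->_addRecord();
    }

    $record = $this->employees_foo;

    $profileSql = sprintf(
        'UPDATE ' . DBPREFIX . "employees\n SET empl_surname = '%s',\n empl_firstname = '%s',\n empl_login = '%s',\n empl_status = %d,\n empl_position = %d,\n empl_changed = %d,\n empl_changed_from = %d,\n empl_comment = '%s'\n WHERE empl_id = %d",
        escape_string($record->empl_surname),
        escape_string($record->empl_firstname),
        escape_string($record->empl_login),
        (int) $record->empl_status,
        (int) $record->empl_position,
        time(),
        (int) $user->empl_id,
        escape_string($record->empl_comment),
        (int) $record->empl_id
    );
    if (!$this->query($profileSql)) {
        return false;
    }

    // No new password supplied: the profile update alone is the whole job.
    if (!$record->empl_pwd) {
        return true;
    }

    $passwordSql = sprintf(
        'UPDATE ' . DBPREFIX . "employees\n SET empl_pwd = '%s'\n WHERE empl_id = %d",
        escape_string($record->empl_pwd),
        (int) $record->empl_id
    );

    return (bool) $this->query($passwordSql);
}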
} mysql_query("UPDATE " . TABLE_CARD . " SET card_id=2000000 WHERE card_id={$card_id} AND vip={$vip}") or Error(1, __FILE__, __LINE__); mysql_query("UPDATE " . TABLE_CARD . " SET card_id={$card_id} WHERE card_id={$change_card_id} AND vip={$vip}") or Error(1, __FILE__, __LINE__); mysql_query("UPDATE " . TABLE_CARD . " SET card_id={$change_card_id} WHERE card_id=2000000 AND vip={$vip}") or Error(1, __FILE__, __LINE__); mysql_query("UPDATE " . TABLE_MESSAGE . " SET from_card_id={$change_card_id} WHERE from_card_id={$card_id} AND from_vip={$vip}") or Error(1, __FILE__, __LINE__); mysql_query("UPDATE " . TABLE_MESSAGE . " SET to_card_id={$change_card_id} WHERE to_card_id={$card_id} AND to_vip={$vip}") or Error(1, __FILE__, __LINE__); mysql_query("UPDATE " . TABLE_ORDER . " SET card_id={$change_card_id} WHERE card_id={$card_id} AND card_vip={$vip}") or Error(1, __FILE__, __LINE__); mysql_query("UPDATE " . TABLE_CVISIT . " SET card_id={$change_card_id} WHERE card_id={$card_id} AND card_vip={$vip}") or Error(1, __FILE__, __LINE__); mysql_query("UPDATE " . TABLE_CLIENT . " SET card_id={$change_card_id} WHERE card_id={$card_id} AND vip={$vip}") or Error(1, __FILE__, __LINE__); $card_id = $change_card_id; } $active = (int) @$active; $office_id = (int) @$office_id; $set = "active={$active}, office_id={$office_id}"; foreach ($contact_arr as $v) { $set .= ", {$v}='" . escape_string(from_form(@${$v})) . "'"; } //echo $set; $sql = mysql_query("SELECT email FROM " . TABLE_CARD . " WHERE card_id='{$card_id}' AND vip='{$vip}'") or Error(1, __FILE__, __LINE__); $arr = @mysql_fetch_array($sql); $email_old = @$arr[0]; mysql_query("UPDATE " . TABLE_CARD . " SET {$set}\n\t\t\tWHERE card_id='{$card_id}' AND vip='{$vip}'") or Error(1, __FILE__, __LINE__); if ($email_old != $email) { if (!eregi("^([[:alnum:]]|_|-|\\.)+@([[:alnum:]]|_|-|\\.)+(\\.([[:alnum:]]|-)+)+\$", $email)) { $_SESSION['message'] = "Неверно указан E-Mail!"; } else { $sql = mysql_query("SELECT count(*) FROM " . 
TABLE_DELIVERY . " WHERE email='{$email}'") or Error(1, __FILE__, __LINE__); $arr = @mysql_fetch_array($sql); $dg = $vip ? 1 : 2; $secret = md5(uniqid(rand(), 1)); if (!$arr[0]) {
if (isset($_POST['rankid']) && is_numeric($_POST['rankid'])) { $rankid = $_POST['rankid']; } else { $rankid = NULL; } $update = "UPDATE sms_ranks SET rankOrder = %d, rankName = %s, rankImage = %s, rankDisplay = %s, rankClass = %d, "; $update .= "rankShortName = %s WHERE rankid = {$rankid} LIMIT 1"; $query = sprintf($update, escape_string($_POST['rankOrder']), escape_string($_POST['rankName']), escape_string($_POST['rankImage']), escape_string($_POST['rankDisplay']), escape_string($_POST['rankClass']), escape_string($_POST['rankShortName'])); $result = mysql_query($query); /* optimize table */ optimizeSQLTable("sms_ranks"); $action = "update"; } elseif (isset($_POST['action_type']) && $_POST['action_type'] == "create") { $insert = "INSERT INTO sms_ranks (rankOrder, rankName, rankShortName, rankImage, rankDisplay, rankClass) "; $insert .= "VALUES(%d, %s, %s, %s, %s, %d)"; $query = sprintf($insert, escape_string($_POST['rankOrder']), escape_string($_POST['rankName']), escape_string($_POST['rankShortName']), escape_string($_POST['rankImage']), escape_string($_POST['rankDisplay']), escape_string($_POST['rankClass'])); $result = mysql_query($query); /* optimize table */ optimizeSQLTable("sms_ranks"); $action = "create"; } elseif (isset($_POST['action_delete_x'])) { if (isset($_POST['rankid']) && is_numeric($_POST['rankid'])) { $rankid = $_POST['rankid']; } else { $rankid = NULL; } /* do the delete query */ $query = "DELETE FROM sms_ranks WHERE rankid = {$rankid} LIMIT 1"; $result = mysql_query($query); /* optimize table */ optimizeSQLTable("sms_ranks");
$arr_sql = @mysql_fetch_array($sql); $email = @$arr_sql['email']; $file = "mail_client_message.htm"; } elseif ($agency_id) { $sql = mysql_query("SELECT email FROM " . TABLE_AGENCY . " WHERE {$agencycond}") or Error(1, __FILE__, __LINE__); $arr_sql = @mysql_fetch_array($sql); $email = @$arr_sql['email']; $file = "mail_client_message.htm"; } $mess = get_template("templ/{$file}", array('name' => htmlspecialchars($admin_config['name'], ENT_COMPAT, 'cp1251'), 'theme' => htmlspecialchars($arr['theme'], ENT_COMPAT, 'cp1251'), 'text' => nl2br(htmlspecialchars($arr['text'], ENT_COMPAT, 'cp1251')), 'prev_message' => $prev_message, 'prev_theme' => htmlspecialchars(@$prev_sql['theme'], ENT_COMPAT, 'cp1251'), 'prev_text' => nl2br(htmlspecialchars(@$prev_sql['text'], ENT_COMPAT, 'cp1251')))); $mail_arr = split(", ?", $email); foreach ($mail_arr as $mail) { send_mail($mail, "сообщение от {$admin_config['name']}", $mess); } $theme = escape_string($arr['theme']); $text = escape_string($arr['text']); $data = $client_id ? "datetime=NOW(), from_user_id='{$_SESSION['admin_id']}', to_user_id='{$user_id}', \n\t\t\tto_card_id='{$client_id}', to_vip='{$client_vip}',\n\t\t\ttheme='{$theme}', text='{$text}', parent_id='{$parent_id}'" : "datetime=NOW(), from_user_id='{$_SESSION['admin_id']}', to_user_id='{$user_id}', \n\t\t\tto_agency_id='{$agency_id}', \n\t\t\ttheme='{$theme}', text='{$text}', parent_id='{$parent_id}'"; if ($parent_id) { $data .= ", block_id='{$block_id}'"; mysql_query("INSERT INTO " . TABLE_MESSAGE . " SET {$data}") or Error(1, __FILE__, __LINE__); } else { mysql_query("INSERT INTO " . TABLE_MESSAGE . " SET {$data}") or Error(1, __FILE__, __LINE__); $message_id = mysql_insert_id(); mysql_query("UPDATE " . TABLE_MESSAGE . " SET block_id='{$message_id}' WHERE message_id='{$message_id}'") or Error(1, __FILE__, __LINE__); } $_SESSION['message_data'] = ''; Header("Location: " . ADMIN_URL . 
"?p={$part}&user_id={$user_id}&client_id={$client_id}&client_vip={$client_vip}&agency_id={$agency_id}"); exit; } $replace = array(); $data_arr = @Unserialize($_SESSION['message_data']);