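/**
 * Handles the "edit event" form POST: validates the submitted fields against
 * the te_events column limits and runs a prepared UPDATE.
 *
 * Reads $_POST (title, desc, venue, category, startTime, endTime, price, e_id)
 * and $conn (created by database_conn.php). Returns the HTML fragment to
 * render: an error page listing every validation message, or the update
 * result. isFormFilled(), sanitizeData(), getColumnLength(),
 * validateStringLength(), validateDate() and validateDecimal() come from the
 * included files and are not visible here.
 *
 * @return string
 */
function handleEditPage()
{
    include_once 'login.php';
    include_once 'showEventFunction.php';

    $backURL = "<br/><a href = \"index.php\">Back to Home</a>";

    // Client-side validation may disable submit, but the server re-checks:
    // isFormFilled() is used as "truthy error markup when a field is missing".
    $showError = true;
    $errOutput = isFormFilled($showError);
    if ($errOutput) {
        return "<h1>Error</h1>" . $errOutput . $backURL;
    }

    // Every posted field goes through sanitizeData() before SQL or HTML. What
    // it does is not visible here — if it does not HTML-escape, the title
    // interpolated into the <h1> below needs htmlspecialchars() — TODO confirm.
    // NOTE(review): nothing in this function checks that the current session
    // may edit e_id; presumably login.php enforces that — confirm.
    $event = [];
    foreach ($_POST as $field => $value) {
        $event[$field] = sanitizeData($value);
    }

    include_once 'database_conn.php';

    // Column limits are read from the schema so the length check tracks the table.
    $columnLengthSql = "\n\t\tSELECT COLUMN_NAME, CHARACTER_MAXIMUM_LENGTH\n\t\tFROM INFORMATION_SCHEMA.COLUMNS\n\t\tWHERE TABLE_NAME = 'te_events'\n\t\tAND (column_name = 'eventTitle'\n\t\tOR column_name = 'eventDescription')";
    $COLUMN_LENGTH = getColumnLength($conn, $columnLengthSql);

    // Each validator returns true on success, otherwise a message to display.
    $errMsg = [
        validateStringLength($event['title'], $COLUMN_LENGTH['eventTitle']),
        validateStringLength($event['desc'], $COLUMN_LENGTH['eventDescription']),
        validateDate($event['startTime']),
        validateDate($event['endTime']),
        validateDecimal($event['price']),
    ];

    // Accumulate every failure with ".="; the previous "$output . $msg" threw
    // the concatenation away, so the error page never listed the messages.
    $errors = '';
    foreach ($errMsg as $msg) {
        if ($msg !== true) {
            $errors .= "{$msg}";
        }
    }
    if ($errors !== '') {
        return "<h1>Error</h1>" . $errors . $backURL;
    }

    // Prepared statement: values are bound, never interpolated into the SQL.
    $sql = "UPDATE te_events SET \n\t\teventTitle=?, eventDescription=?, \n\t\tvenueID=?, catID=?, eventStartDate=?, \n\t\teventEndDate=?, eventPrice=? \nWHERE eventID=?;";
    $stmt = mysqli_prepare($conn, $sql);
    if ($stmt === false) {
        // Passing false on to bind_param is a fatal TypeError; log the driver
        // error server-side and keep the page response generic.
        error_log('handleEditPage: prepare failed: ' . mysqli_error($conn));
        return "<h1>Error</h1>The update could not be prepared." . $backURL;
    }
    mysqli_stmt_bind_param(
        $stmt,
        "ssssssss",
        $event['title'],
        $event['desc'],
        $event['venue'],
        $event['category'],
        $event['startTime'],
        $event['endTime'],
        $event['price'],
        $event['e_id']
    );

    // affected_rows is -1 on error, which is truthy: check execute() and use
    // an explicit "> 0" so a failed UPDATE is not reported as a success.
    $executed = mysqli_stmt_execute($stmt);
    if (!$executed) {
        error_log('handleEditPage: execute failed: ' . mysqli_stmt_error($stmt));
    }
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);

    if ($executed && $affected > 0) {
        return "<h1>{$event['title']} was successfully updated.</h1>" . $backURL;
    }
    return "<h1>Nothing update for {$event['title']}</h1>" . $backURL;
}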
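/**
 * Processes the login form POST against te_users.
 *
 * Reads $_POST['username'] / $_POST['password'] and $conn (created by
 * database_conn.php); echoes the outcome and, on success, stores the username
 * in $_SESSION['logged-in'] and redirects back to the current URI. Returns
 * nothing. isFormFilled(), sanitizeData(), getColumnLength() and
 * validateStringLength() come from the included files and are not visible here.
 *
 * @return void
 */
function login()
{
    include_once 'database_conn.php';

    // isFormFilled() is used elsewhere as "truthy when something is missing",
    // so a truthy result stops here — TODO confirm against its definition.
    if (isFormFilled()) {
        return;
    }

    $uid = sanitizeData($_POST['username']);
    $pswd = sanitizeData($_POST['password']);

    // Column limits are read from the schema so the length check tracks the table.
    $columnLengthSql = "\n\t\t\tSELECT COLUMN_NAME, CHARACTER_MAXIMUM_LENGTH\n\t\t\tFROM INFORMATION_SCHEMA.COLUMNS\n\t\t\tWHERE TABLE_NAME = 'te_users'\n\t\t\tAND (column_name = 'username'\n\t\t\tOR column_name = 'passwd')";
    $COLUMN_LENGTH = getColumnLength($conn, $columnLengthSql);

    // Each validator returns true on success, otherwise a message to display.
    $errMsg = [
        validateStringLength($uid, $COLUMN_LENGTH['username']),
        validateStringLength($pswd, $COLUMN_LENGTH['passwd']),
    ];
    $isError = false;
    foreach ($errMsg as $msg) {
        if ($msg !== true) {
            echo "{$msg}";
            $isError = true;
        }
    }
    if ($isError) {
        return;
    }

    // Look up the stored hash and salt; the username is bound, not interpolated.
    $checkUIDSql = "SELECT passwd, salt FROM te_users WHERE username = ?";
    $stmt = mysqli_prepare($conn, $checkUIDSql);
    if ($stmt === false) {
        // Passing false on to bind_param is a fatal TypeError; log server-side.
        error_log('login: prepare failed: ' . mysqli_error($conn));
        echo "Fail login<br/>";
        return;
    }
    mysqli_stmt_bind_param($stmt, "s", $uid);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);

    // NOTE(review): this message differs from the wrong-password one, so the
    // response reveals whether a username exists; one generic message for
    // both outcomes is the usual mitigation.
    if (mysqli_stmt_num_rows($stmt) <= 0) {
        mysqli_stmt_close($stmt);
        echo "Sorry we don't seem to have that username.";
        return;
    }

    mysqli_stmt_bind_result($stmt, $getHashpswd, $getSalt);
    $hashPswd = '';
    $salt = '';
    while (mysqli_stmt_fetch($stmt)) {
        // Should several rows match, the last one wins (unchanged behaviour).
        $hashPswd = (string) $getHashpswd;
        $salt = (string) $getSalt;
    }
    mysqli_stmt_close($stmt);

    // Scheme stored in te_users: sha256(salt . sha256(password)). Kept as-is
    // because changing it invalidates existing rows; a fast hash like this is
    // weak against offline guessing — password_hash()/password_verify() with a
    // rehash on successful login is the migration path.
    $pswd = hash("sha256", $salt . hash("sha256", $pswd));

    // hash_equals() compares in constant time; strcmp() stops at the first
    // differing byte.
    if (hash_equals($hashPswd, $pswd)) {
        // header() must come before any output, otherwise the redirect is lost
        // with a "headers already sent" warning.
        $url = $_SERVER['REQUEST_URI'];
        header("Location: {$url}");
        // A fresh session id on privilege change guards against fixation.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['logged-in'] = $uid;
        echo "Success login<br/>";
    } else {
        echo "Fail login<br/>";
    }
}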
<td>
    <input type="hidden" name="amount" id="amount_input" value="15" />
    <div id="amount_div">15 $</div>
</td>
</tr>
</table>
<input type="submit" value="Book ticket" />
</form>
<br/><br/><br/><br/><br/>
<h3>People who already bought hackathon tickets:</h3>
<?php
error_log("Checking");
require_once 'ticket_booking.php';

/**
 * Reports whether every field the booking form posts is present.
 *
 * Only presence is tested (isset), so an empty string still counts as filled.
 * NOTE(review): "amount" comes from a hidden input the client controls, so
 * whatever book_ticket() does with it should not treat it as the trusted
 * price — its implementation is not visible here.
 *
 * @return bool
 */
function isFormFilled()
{
    $required = ["name", "email", "tickets", "amount"];
    foreach ($required as $field) {
        if (!isset($_POST[$field])) {
            return false;
        }
    }
    return true;
}

if (isFormFilled()) {
    // Raw POST values are handed straight to book_ticket(); any validation
    // happens there.
    book_ticket($_POST["name"], $_POST["email"], $_POST["tickets"], $_POST["amount"]);
}

echo list_all_hackers();
?>
<center>
</body>
</html>